extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 09:47:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

Shorwall 1.4.0

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@507 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-03-18 15:16:33 +00:00
parent f4237467b6
commit f3790a541b
67 changed files with 16988 additions and 17079 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
STABLE/INSTALL
View File

@ -1,4 +1,4 @@
Shoreline Firewall (Shorewall) Version 1.3 - 6/14/2002 Shoreline Firewall (Shorewall) Version 1.4 - 3/14/2003
----- ---- ----- ----
----------------------------------------------------------------------------- -----------------------------------------------------------------------------
@ -28,7 +28,7 @@ o Edit the configuration files to fit your environment.
To do this, I strongly advise you to follow the instructions at: To do this, I strongly advise you to follow the instructions at:
http://shorewall.sf.net/shorewall_quickstart_guide.htm http://www.shorewall.net/shorewall_quickstart_guide.htm
o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
Debian, then type "./install.sh". Debian, then type "./install.sh".
@ -36,7 +36,7 @@ o For other distributions, determine where your distribution installs
init scripts and type "./install.sh <init script directory>" init scripts and type "./install.sh <init script directory>"
o Start the firewall by typing "shorewall start" o Start the firewall by typing "shorewall start"
o If the install script was unable to configure Shoreline Firewall to o If the install script was unable to configure Shoreline Firewall to
start audomatically at boot, see the HTML documentation contains in the start automatically at boot, see the HTML documentation contains in the
"documentation" directory. "documentation" directory.
Upgrade: Upgrade:

2
STABLE/blacklist
View File

@ -1,5 +1,5 @@
# #
# Shorewall 1.3 -- Blacklist File # Shorewall 1.4 -- Blacklist File
# #
# /etc/shorewall/blacklist # /etc/shorewall/blacklist
# #

70
STABLE/changelog.txt
View File

@ -1,22 +1,66 @@
Changes since 1.3.13 Changes since 1.3.14
1. Fix 'shorewall add' bug. 1. All versions changed to 1.4.
2. Add OLD_PING_HANDLING option 2. Rework of error message generation to make the 'firewall' script
smaller.
3. Allow adding alias labels under ADD_IP_ALIASES=Yes. 3. Deimplemented MERGE_HOSTS=No.
4. Allow adding alias labels under ADD_SNAT_ALIASES=Yes. 4. Generate error for <dev>:<integer> name in interfaces file.
5. Use the routing table to generate list of subnets to be masqueraded 5. Deimplement old ping handling.
when an interface name appears in the SUBNET column of
/etc/shorewall/masq.
6. Restore $dev.$vid naming of VLAN interfaces. 6. Deimplement 'routestopped' interface/hosts option.
7. Updated copyrights for 2003. 7. Strip comments from potentially large files while the firewall is
still up and running during 'restart'.
8. Added support for openvpn tunnels on arbitrary ports 8. Disallow the old port forwarding/redirection syntax.
9. Corrected rule number calculation problem in 'shorewall add' command 9. Reorganize shorewall.conf.
processing.
10. Added support for LOG target.
11. Move firewall and version (one more time....)
12. Add late DNS reply rule to the common chain.
12. Corrected rule number calculation problem in 'shorewall add' command
processing.
13. Update Documentation for 1.4
14. Remove icmp.def file.
15. Added CONTINUE rule target.
16. Added Andrew Zhoglo's fix for logunclean.
17. Removed 'multi' option.
18. Support 802.11b devices with maclist.
19. Don't detect loopback simply by name.
20. Removed trailing white space from all files.
21. Improved parsing of comma-separated lists.
22. Add ECN Removal support
23. Add TCP ports 445 and 139 to the common silent list.
24. Remove 'check' command support.
25. Restore 'check' command support.
26. Remove unused function find_interface_broadcasts()
27. Remove stale comments in the params file.
28. Silently drop INVALID state packets
29. Ignore the 'default' route when detecting masq'd networks.
30. REALLY process the params file first now (honest).

12
STABLE/common.def
View File

@ -1,5 +1,5 @@
############################################################################ ############################################################################
# Shorewall 1.3 -- /etc/shorewall/common.def # Shorewall 1.4 -- /etc/shorewall/common.def
# #
# This file defines the rules that are applied before a policy of # This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file, # DROP or REJECT is applied. In addition to the rules defined in this file,
@ -14,14 +14,12 @@
# #
run_iptables -A common -p icmp -j icmpdef run_iptables -A common -p icmp -j icmpdef
############################################################################ ############################################################################
# Drop invalid state TCP packets
#
run_iptables -A common -m state -p tcp --state INVALID -j DROP
############################################################################
# NETBIOS chatter # NETBIOS chatter
# #
run_iptables -A common -p udp --dport 137:139 -j REJECT run_iptables -A common -p udp --dport 137:139 -j REJECT
run_iptables -A common -p udp --dport 445 -j REJECT run_iptables -A common -p udp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 139 -j REJECT
run_iptables -A common -p tcp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 135 -j reject run_iptables -A common -p tcp --dport 135 -j reject
############################################################################ ############################################################################
# UPnP # UPnP
@ -36,5 +34,9 @@ run_iptables -A common -d 224.0.0.0/4 -j DROP
# AUTH -- Silently reject it so that connections don't get delayed. # AUTH -- Silently reject it so that connections don't get delayed.
# #
run_iptables -A common -p tcp --dport 113 -j reject run_iptables -A common -p tcp --dport 113 -j reject
############################################################################
# DNS -- Silenty drop late replies
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

4430
STABLE/documentation/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

1410
STABLE/documentation/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

366
STABLE/documentation/IPIP.htm
View File

@ -1,196 +1,248 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>GRE/IPIP Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body> <meta http-equiv="Content-Type"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> content="text/html; charset=windows-1252">
<tr> <title>GRE/IPIP Tunnels</title>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">GRE and IPIP Tunnels</font></h1> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
</td>
</tr> <meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">GRE and IPIP Tunnels</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<h3><font color="#FF6633">Warning: </font>GRE and IPIP Tunnels are insecure when used
over the internet; use them at your own risk</h3> <h3><font color="#ff6633">Warning: </font>GRE and IPIP Tunnels are insecure
<p>GRE and IPIP tunneling with Shorewall requires iproute2 and can be used to bridge two masqueraded networks.&nbsp;GRE when used over the internet; use them at your own risk</h3>
tunnels were introduced in shorewall version 1.2.0_Beta2.</p>
<p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux Advanced Routing <p>GRE and IPIP tunneling with Shorewall can be used to bridge two masqueraded
and Shaping HOWTO</a> work fine with Shorewall. Shorewall also includes a tunnel networks.</p>
script for automating tunnel configuration. If you have installed the RPM, the
tunnel script may be found in the Shorewall documentation directory (usually <p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux
/usr/share/doc/shorewall-&lt;version&gt;/).</p> Advanced Routing and Shaping HOWTO</a> work fine with Shorewall. Shorewall
also includes a tunnel script for automating tunnel configuration. If you
have installed the RPM, the tunnel script may be found in the Shorewall documentation
directory (usually /usr/share/doc/shorewall-&lt;version&gt;/).</p>
<h2>Bridging two Masqueraded Networks</h2> <h2>Bridging two Masqueraded Networks</h2>
<p>Suppose that we have the following situation:</p> <p>Suppose that we have the following situation:</p>
<p align="center">
<img border="0" src="images/TwoNets1.png" width="745" height="427"></p> <p align="center"> <img border="0" src="images/TwoNets1.png" width="745"
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able to height="427">
communicate with the systems in the 10.0.0.0/8 network. This is accomplished </p>
through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file
and the /etc/shorewall/tunnel script that is included with Shorewall.</p> <p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able
to communicate with the systems in the 10.0.0.0/8 network. This is accomplished
through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy
file and the /etc/shorewall/tunnel script that is included with Shorewall.</p>
<p align="left">The 'tunnel' script is not installed in /etc/shorewall by <p align="left">The 'tunnel' script is not installed in /etc/shorewall by
default -- If you install using the tarball, the script is included in the default -- If you install using the tarball, the script is included in the
tarball; if you install using the RPM, the file is in your Shorewall tarball; if you install using the RPM, the file is in your Shorewall documentation
documentation directory (normally /usr/share/doc/shorewall-&lt;version&gt;).</p> directory (normally /usr/share/doc/shorewall-&lt;version&gt;).</p>
<p align="left">In the /etc/shorewall/tunnel script, set the 'tunnel_type' <p align="left">In the /etc/shorewall/tunnel script, set the 'tunnel_type'
parameter to the type of tunnel that you want to create.</p> parameter to the type of tunnel that you want to create.</p>
<p align="left">Example:</p>
<blockquote>
<p align="left">tunnel_type=gre</p>
</blockquote>
<p align="left">On each firewall, you will need to declare a zone to represent
the remote subnet. We'll assume that this zone is called 'vpn' and declare it in
/etc/shorewall/zones on both systems as follows.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</table> <p align="left">Example:</p>
<blockquote>
<p align="left">tunnel_type=gre</p>
</blockquote> </blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone. In
/etc/shorewall/interfaces:</p> <p align="left">On each firewall, you will need to declare a zone to represent
the remote subnet. We'll assume that this zone is called 'vpn' and declare
it in /etc/shorewall/zones on both systems as follows.</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tr> <tbody>
<td><b>ZONE</b></td> <tr>
<td><b>INTERFACE</b></td> <td><strong>ZONE</strong></td>
<td><b>BROADCAST</b></td> <td><strong>DISPLAY</strong></td>
<td><b>OPTIONS</b></td> <td><strong>COMMENTS</strong></td>
</tr> </tr>
<tr> <tr>
<td>vpn</td> <td>vpn</td>
<td>tosysb</td> <td>VPN</td>
<td>10.255.255.255</td> <td>Remote Subnet</td>
<td>&nbsp;</td> </tr>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>vpn</td>
<td>tosysb</td>
<td>10.255.255.255</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p> <p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tr> <tbody>
<td><b>TYPE</b></td> <tr>
<td><b>ZONE</b></td> <td><b>TYPE</b></td>
<td><b>GATEWAY</b></td> <td><b>ZONE</b></td>
<td><b>GATEWAY ZONE</b></td> <td><b>GATEWAY</b></td>
</tr> <td><b>GATEWAY ZONE</b></td>
<tr> </tr>
<td>ipip</td> <tr>
<td>net</td> <td>ipip</td>
<td>134.28.54.2</td> <td>net</td>
<td>&nbsp;</td> <td>134.28.54.2</td>
</tr> <td> </td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IP <p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IP
encapsulation protocol (4) will be accepted to/from the remote gateway.</p> encapsulation protocol (4) will be accepted to/from the remote gateway.</p>
<p>In the tunnel script on system A:</p> <p>In the tunnel script on system A:</p>
<blockquote> <blockquote>
<p>tunnel=tosysb<br> <p>tunnel=tosysb<br>
myrealip=206.161.148.9 (for GRE tunnel only)<br> myrealip=206.161.148.9 (for GRE tunnel only)<br>
myip=192.168.1.1<br> myip=192.168.1.1<br>
hisip=10.0.0.1<br> hisip=10.0.0.1<br>
gateway=134.28.54.2<br> gateway=134.28.54.2<br>
subnet=10.0.0.0/8</p> subnet=10.0.0.0/8</p>
</blockquote> </blockquote>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b> <p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p> zone. In /etc/shorewall/interfaces:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tr> <tbody>
<td><b>ZONE</b></td> <tr>
<td><b>INTERFACE</b></td> <td><b>ZONE</b></td>
<td><b>BROADCAST</b></td> <td><b>INTERFACE</b></td>
<td><b>OPTIONS</b></td> <td><b>BROADCAST</b></td>
</tr> <td><b>OPTIONS</b></td>
<tr> </tr>
<td>vpn</td> <tr>
<td>tosysa</td> <td>vpn</td>
<td>192.168.1.255</td> <td>tosysa</td>
<td>&nbsp;</td> <td>192.168.1.255</td>
</tr> <td> </td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
<p>In /etc/shorewall/tunnels on system B, we have:</p> <p>In /etc/shorewall/tunnels on system B, we have:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tr> <tbody>
<td><b>TYPE</b></td> <tr>
<td><b>ZONE</b></td> <td><b>TYPE</b></td>
<td><b>GATEWAY</b></td> <td><b>ZONE</b></td>
<td><b>GATEWAY ZONE</b></td> <td><b>GATEWAY</b></td>
</tr> <td><b>GATEWAY ZONE</b></td>
<tr> </tr>
<td>ipip</td> <tr>
<td>net</td> <td>ipip</td>
<td>206.191.148.9</td> <td>net</td>
<td>&nbsp;</td> <td>206.191.148.9</td>
</tr> <td> </td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
<p>And in the tunnel script on system B:</p> <p>And in the tunnel script on system B:</p>
<blockquote> <blockquote>
<p>tunnel=tosysa<br> <p>tunnel=tosysa<br>
myrealip=134.28.54.2 (for GRE tunnel only)<br> myrealip=134.28.54.2 (for GRE tunnel only)<br>
myip=10.0.0.1<br> myip=10.0.0.1<br>
hisip=192.168.1.1<br> hisip=192.168.1.1<br>
gateway=206.191.148.9<br> gateway=206.191.148.9<br>
subnet=192.168.1.0/24</p> subnet=192.168.1.0/24</p>
</blockquote> </blockquote>
<p>You can rename the modified tunnel scripts if you like; be sure that they are
secured so that root can execute them. </p>
<p align="Left"> You will need to allow traffic between the &quot;vpn&quot; zone and <p>You can rename the modified tunnel scripts if you like; be sure that they
the &quot;loc&quot; zone on both systems -- if you simply want to admit all traffic are secured so that root can execute them. </p>
in both directions, you can use the policy file:</p>
<p align="left"> You will need to allow traffic between the "vpn" zone and
the "loc" zone on both systems -- if you simply want to admit all
traffic in both directions, you can use the policy file:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tr> <tbody>
<td><strong>SOURCE</strong></td> <tr>
<td><strong>DEST</strong></td> <td><strong>SOURCE</strong></td>
<td><strong>POLICY</strong></td> <td><strong>DEST</strong></td>
<td><strong>LOG LEVEL</strong></td> <td><strong>POLICY</strong></td>
</tr> <td><strong>LOG LEVEL</strong></td>
<tr> </tr>
<td>loc</td> <tr>
<td>vpn</td> <td>loc</td>
<td>ACCEPT</td> <td>vpn</td>
<td>&nbsp;</td> <td>ACCEPT</td>
</tr> <td> </td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td> </td>
</tr>
<tr> </tbody>
<td>vpn</td> </table>
<td>loc</td> </blockquote>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</table> <p>On both systems, restart Shorewall and run the modified tunnel script
</blockquote> with the "start" argument on each system. The systems in the two masqueraded
<p>On both systems, restart Shorewall and subnetworks can now talk to each other</p>
run the modified tunnel script with the &quot;start&quot; argument on each
system. The systems in the two masqueraded subnetworks can now talk to each
other</p>
<p><font size="2">Updated 8/22/2002 - <a href="support.htm">Tom
Eastep</a> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
<br>
</body> </body>
</html> </html>

220
STABLE/documentation/Install.htm
View File

@ -15,13 +15,13 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and <h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1> Upgrade</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -30,191 +30,163 @@
href="upgrade_issues.htm">Upgrade Issues</a></b></p> href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br> <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install using tarball<br> <a href="#Install_Tarball">Install using tarball<br>
</a><a href="#LRP">Install the .lrp</a><br> </a><a href="#LRP">Install the .lrp</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br> <a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball<br> <a href="#Upgrade_Tarball">Upgrade using tarball<br>
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br> </a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br> <a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p> <a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p> <p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a <p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to version shell prompt, type "/sbin/iptables --version"), you must upgrade to version
1.2.4 either from the <a 1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p> attempting to start Shorewall.</b></p>
<ul> <ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br> <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br> <br>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm <b>Note: </b>Some SuSE users have encountered a problem whereby rpm
reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to rpm (rpm installed. If this happens, simply use the --nodeps option to rpm (rpm
-ivh --nodeps &lt;shorewall rpm&gt;).</li> -ivh --nodeps &lt;shorewall rpm&gt;).</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match <li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO
RESTORE NETWORK CONNECTIVITY.</b></font></li> RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
</ul> </ul>
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball <p><a name="Install_Tarball"></a>To install Shorewall using the tarball
and install script: </p> and install script: </p>
<ul> <ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the <li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-1.1.10").</li> directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a <li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li> href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type <li>If you are using <a href="http://www.suse.com">SuSe</a> then type
"./install.sh /etc/init.d"</li> "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d <li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution <li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script installs init scripts and type "./install.sh &lt;init script
directory&gt;</li> directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match <li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration.</li> your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be started <li>If the install script was unable to configure Shorewall to be
automatically at boot, see <a started automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li> href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul> </ul>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering <p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file that disk, simply replace the "shorwall.lrp" file on the image with the file
you downloaded. See the <a href="two-interface.htm">two-interface QuickStart that you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
Guide</a> for information about further steps required.</p> Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
and you have entries in the /etc/shorewall/hosts file then please check and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.3 (you must use the 1.2 rule forms that are no longer supported under 1.4 (you must use the
new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
details. You can check your rules and host file for 1.3 compatibility using details.</p>
the "shorewall check" command after installing the latest version of 1.3.</p>
<ul> <ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs </b>If you are installing version 1.2.0 and have one of the 1.2.0
installed, you must use the "--oldpackage" option to rpm (e.g., "rpm Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g.,
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note: </b>Some SuSE users have encountered a problem whereby <p> <b>Note: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm (rpm is installed. If this happens, simply use the --nodeps option to rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br> (rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
  </p>   </p>
</li> </li>
<li>See if there are any incompatibilities between your configuration <li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as necessary.</li> and the new Shorewall version (type "shorewall check") and correct as necessary.</li>
<li>Restart the firewall (shorewall restart).</li> <li>Restart the firewall (shorewall restart).</li>
</ul> </ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed <p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
and are upgrading to a new version using the tarball:</p> and are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version <p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
and you have entries in the /etc/shorewall/hosts file then please check and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file.  Also, there are certain for each interface mentioned in the hosts file.  Also, there are certain
1.2 rule forms that are no longer supported under 1.3 (you must use the 1.2 rule forms that are no longer supported under 1.4 (you must use the
new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
for details. You can check your rules and host file for 1.3 compatibility for details. </p>
using the "shorewall check" command after installing the latest version
of 1.3.</p>
<ul> <ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the <li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-3.0.1").</li> directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a <li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li> href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type <li>If you are using<a href="http://www.suse.com"> SuSe</a> then type
"./install.sh /etc/init.d"</li> "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d <li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution <li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script installs init scripts and type "./install.sh &lt;init script
directory&gt;</li> directory&gt;</li>
<li>See if there are any incompatibilities between your configuration <li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as and the new Shorewall version (type "shorewall check") and correct as necessary.</li>
necessary.</li> <li>Restart the firewall by typing "shorewall restart"</li>
<li>Restart the firewall by typing "shorewall restart"</li>
</ul> </ul>
<a name="LRP_Upgrade"></a>If you already have a running Bering installation <a name="LRP_Upgrade"></a>If you already have a running Bering
and wish to upgrade to a later version of Shorewall:<br> installation and wish to upgrade to a later version of Shorewall:<br>
<br> <br>
    <b>UNDER CONSTRUCTION...</b><br>     <b>UNDER CONSTRUCTION...</b><br>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3> <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of these configuration files to match <p>You will need to edit some or all of the configuration files to match
your setup. In most cases, the <a your setup. In most cases, the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</a>
contain all of the information you need.</p> contain all of the information you need.</p>
<ul> <ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that
you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.</li>
<li>/etc/shorewall/maclist - verification of the MAC addresses of devices.<br>
</li>
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) NAT a.k.a. Masquerading.</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use
by traffic control/shaping.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in
packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
</ul> </ul>
<p><font size="2">Updated 1/30/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2">Updated 2/27/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br> <br>
<br>
<br> <br>
<br> <br>
</body> </body>

123
STABLE/documentation/MAC_Validation.html
View File

@ -13,99 +13,100 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4" style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">MAC Verification</font><br> <h1 align="center"><font color="#ffffff">MAC Verification</font><br>
</h1> </h1>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
Beginning with Shorewall version 1.3.10, all traffic from an interface All traffic from an interface or from a subnet on an interface
or from a subnet on an interface can be verified to originate from a defined can be verified to originate from a defined set of MAC addresses. Furthermore,
set of MAC addresses. Furthermore, each MAC address may be optionally each MAC address may be optionally associated with one or more IP addresses.
associated with one or more IP addresses. <br> <br>
<br> <br>
<b>You must have the iproute package (ip utility) installed to use MAC <b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
Verification and your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC - module name ipt_mac.o).</b><br>
- module name ipt_mac.o).</b><br> <br>
<br> There are four components to this facility.<br>
There are four components to this facility.<br>
<ol> <ol>
<li>The <b>maclist</b> interface option in <a <li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
this option is specified, all traffic arriving on the interface is subjet this option is specified, all traffic arriving on the interface is subjet
to MAC verification.</li> to MAC verification.</li>
<li>The <b>maclist </b>option in <a <li>The <b>maclist </b>option in <a
href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option
is specified for a subnet, all traffic from that subnet is subject to MAC is specified for a subnet, all traffic from that subnet is subject to MAC
verification.</li> verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate <li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses with MAC addresses with interfaces and to optionally associate IP addresses
MAC addresses.</li> with MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
determines the disposition of connection requests that fail MAC verification. and determines the disposition of connection requests that fail MAC verification.
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
requests that fail verification are to be logged. If set the the empty value requests that fail verification are to be logged. If set the the empty
(e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged.<br> value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are
</li> not logged.<br>
</li>
</ol> </ol>
The columns in /etc/shorewall/maclist are:<br> The columns in /etc/shorewall/maclist are:<br>
<ul> <ul>
<li>INTERFACE - The name of an ethernet interface on the Shorewall <li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li> system.</li>
<li>MAC - The MAC address of a device on the ethernet segment connected <li>MAC - The MAC address of a device on the ethernet segment connected
by INTERFACE. It is not necessary to use the Shorewall MAC format in this by INTERFACE. It is not necessary to use the Shorewall MAC format in
column although you may use that format if you so choose.</li> this column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses <li>IP Address - An optional comma-separated list of IP addresses
for the device whose MAC is listed in the MAC column.</li> for the device whose MAC is listed in the MAC column.</li>
</ul> </ul>
<h3>Example 1: Here are my files:</h3> <h3>Example 1: Here are my files:</h3>
<b>/etc/shorewall/shorewall.conf:<br> <b>/etc/shorewall/shorewall.conf:<br>
</b> </b>
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre> <pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
<b>/etc/shorewall/interfaces:</b><br> <b>/etc/shorewall/interfaces:</b><br>
<pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,filterping,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 192.168.2.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas 192.168.9.255 filterping<br> loc ppp+ - filterping<br></pre> <pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,maclist<br> dmz eth1 192.168.2.255<br> net eth3 206.124.146.255 blacklist<br> - texas 192.168.9.255<br> loc ppp+<br></pre>
<b>/etc/shorewall/maclist:</b><br> <b>/etc/shorewall/maclist:</b><br>
<pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:A0:CC:DB:31:C4 192.168.1.128/26 #PPTP Clients to server on Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre> <pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:A0:CC:DB:31:C4 192.168.1.128/26 #PPTP Clients to server on Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre>
As shown above, I use MAC Verification on <a href="myfiles.htm">my As shown above, I use MAC Verification on my local zone.<br>
local zone</a>.<br>
<h3>Example 2: Router in Local Zone</h3> <h3>Example 2: Router in Local Zone</h3>
Suppose now that I add a second ethernet segment to my local zone and Suppose now that I add a second ethernet segment to my local zone
gateway that segment via a router with MAC address 00:06:43:45:C6:15 and and gateway that segment via a router with MAC address 00:06:43:45:C6:15
IP address 192.168.1.253. Hosts in the second segment have IP addresses and IP address 192.168.1.253. Hosts in the second segment have IP addresses
in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
file:<br> file:<br>
<pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre> <pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.1.253) This entry accomodates traffic from the router itself (192.168.1.253)
and from the second LAN segment (192.168.2.0/24). Remember that all traffic and from the second LAN segment (192.168.2.0/24). Remember that all traffic
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
by the router so that traffic's MAC address will be that of the router by the router so that traffic's MAC address will be that of the router
(00:06:43:45:C6:15) and not that of the host sending the traffic. (00:06:43:45:C6:15) and not that of the host sending the traffic.
<p><font size="2"> Updated 1/7/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 2/21/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>

2858
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

537
STABLE/documentation/Shorewall_Squid_Usage.html
View File

@ -12,128 +12,124 @@
<table cellpadding="0" cellspacing="0" border="0" width="100%" <table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#400169"> bgcolor="#400169">
<tbody> <tbody>
<tr> <tr>
<td valign="middle" width="33%" bgcolor="#400169"><a <td valign="middle" width="33%" bgcolor="#400169"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif" href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4"> alt="" width="88" height="31" hspace="4">
</a><br> </a><br>
</td> </td>
<td valign="middle" height="90" align="center" width="34%"><font <td valign="middle" height="90" align="center" width="34%"><font
color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br> color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
</td> </td>
<td valign="middle" height="90" width="33%" align="right"><a <td valign="middle" height="90" width="33%" align="right"><a
href="http://www.squid-cache.org/"><img src="images/cache_now.gif" href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
alt="" width="100" height="31" hspace="4"> alt="" width="100" height="31" hspace="4">
</a><br> </a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
This page covers Shorewall configuration to use with <a This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>.&nbsp;<br> Proxy</b></u>.&nbsp;<br>
<a href="#DMZ"></a><br> <a href="#DMZ"></a><br>
<img border="0" src="images/j0213519.gif" width="60" height="60" <img border="0" src="images/j0213519.gif" width="60" height="60"
alt="Caution" align="middle"> alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br> &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to
as a transparent proxy as described at <a run as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br> href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br> <b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13" </b><b><img src="images/BD21298_3.gif" alt="" width="13"
height="13"> height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files &nbsp;&nbsp;&nbsp; </b>The following instructions mention the files
/etc/shorewall/start and /etc/shorewall/init -- if you don't have those /etc/shorewall/start and /etc/shorewall/init -- if you don't have those
files, siimply create them.<br> files, siimply create them.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or
in the local zone, that zone must be defined ONLY by its interface -- no in the local zone, that zone must be defined ONLY by its interface -- no
/etc/shorewall/hosts file entries. That is because the packets being routed /etc/shorewall/hosts file entries. That is because the packets being routed
to the Squid server still have their original destination IP addresses.<br> to the Squid server still have their original destination IP addresses.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iproute2 (<i>ip </i>utility) installed </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid
on your firewall.<br> server.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid </b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your
server.<br> /etc/shorewall/conf file<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your </font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
/etc/shorewall/conf file<br>
<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br> color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br> <br>
Three different configurations are covered:<br> Three different configurations are covered:<br>
<ol> <ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on
the Firewall.</a></li> the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
local network</a></li> local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the
DMZ</a></li> DMZ</a></li>
</ol> </ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2> <h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests EXCEPT You want to redirect all local www connection requests
those to your own EXCEPT those to your
http server (206.124.146.177) own http server (206.124.146.177)
to a Squid transparent to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid proxy running on the firewall and listening on port 3128. Squid
will of course require access to remote web servers.<br> will of course require access to remote web servers.<br>
<br> <br>
In /etc/shorewall/rules:<br> In /etc/shorewall/rules:<br>
<br> <br>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b> PROTO</b></td> <td><b> PROTO</b></td>
<td><b>DEST<br> <td><b>DEST<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>SOURCE<br> <td><b>SOURCE<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>REDIRECT</td> <td>REDIRECT</td>
<td>loc</td> <td>loc</td>
<td>3128</td> <td>3128</td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> -<br> <td> -<br>
</td> </td>
<td>!206.124.146.177</td> <td>!206.124.146.177</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>fw</td> <td>fw</td>
<td>net</td> <td>net</td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> <br> <td> <br>
</td> </td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
@ -144,75 +140,75 @@ DMZ</a></li>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<h2><a name="Local"></a>Squid Running in the local network</h2> <h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a Squid You want to redirect all local www connection requests to a Squid
transparent proxy transparent proxy
running in your local zone at 192.168.1.3 and listening on port 3128. running in your local zone at 192.168.1.3 and listening on port 3128.
Your local interface is eth1. There may also be a web server running on Your local interface is eth1. There may also be a web server running on
192.168.1.3. It is assumed that web access is already enabled from the local 192.168.1.3. It is assumed that web access is already enabled from the local
zone to the internet.<br> zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping other aspects of your gateway including but not limited to traffic shaping
and route redirection. For that reason, <b>I don't recommend it</b>.<br> and route redirection. For that reason, <b>I don't recommend it</b>.<br>
</p> </p>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre> <pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre> <pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/rules:<br> <li>In /etc/shorewall/rules:<br>
<br> <br>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b> PROTO</b></td> <td><b> PROTO</b></td>
<td><b>DEST<br> <td><b>DEST<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>SOURCE<br> <td><b>SOURCE<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT<br> <td>ACCEPT<br>
</td> </td>
<td>loc</td> <td>loc</td>
<td>loc<br> <td>loc<br>
</td> </td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> <br> <td> <br>
</td> </td>
<td><br> <td><br>
</td> </td>
</tr> </tr>
@ -223,152 +219,113 @@ zone to the internet.<br>
</table> </table>
<br> <br>
</li> </li>
<li>Alternativfely, you can have the following policy:<br> <li>Alternativfely, you can have the following policy:<br>
<br> <br>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>POLICY<br> <td valign="top"><b>POLICY<br>
</b></td> </b></td>
<td valign="top"><b>LOG LEVEL<br> <td valign="top"><b>LOG LEVEL<br>
</b></td> </b></td>
<td valign="top"><b>BURST PARAMETERS<br> <td valign="top"><b>BURST PARAMETERS<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</li> </li>
<li>In /etc/shorewall/start add:<br> <li>In /etc/shorewall/start add:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre> <pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.168.1.3, arrange for the following command to be executed <li>On 192.168.1.3, arrange for the following command to be executed
after networking has come up<br> after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre> <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2> <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177. You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface You want to run both a web server and Squid on that system. Your DMZ interface
is eth1 and your local interface is eth2.<br> is eth1 and your local interface is eth2.<br>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre> <pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre> <pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>&nbsp;Do<b> one </b>of the following:<br> <li>&nbsp;Do<b> one </b>of the following:<br>
<br> <br>
A) In /etc/shorewall/start add<br> A) In /etc/shorewall/start add<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre> <pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote> </blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf <blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
and add the following entry in /etc/shorewall/tcrules:<br> and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote> </blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote> <blockquote>
<blockquote> <blockquote>
@ -389,7 +346,7 @@ zone to the internet.<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">202:P<br> <td valign="top">202<br>
</td> </td>
<td valign="top">eth2<br> <td valign="top">eth2<br>
</td> </td>
@ -406,90 +363,130 @@ zone to the internet.<br>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<br> C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote> </blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202:P<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
</blockquote>
<ul> <ul>
<li>In /etc/shorewall/rules, you will need:</li> <li>In /etc/shorewall/rules, you will need:</li>
</ul> </ul>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top">ACTION<br> <td valign="top">ACTION<br>
</td> </td>
<td valign="top">SOURCE<br> <td valign="top">SOURCE<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">DEST<br>
</td> </td>
<td valign="top">PROTO<br> <td valign="top">PROTO<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">DEST<br>
PORT(S)<br> PORT(S)<br>
</td> </td>
<td valign="top">CLIENT<br> <td valign="top">CLIENT<br>
PORT(2)<br> PORT(2)<br>
</td> </td>
<td valign="top">ORIGINAL<br> <td valign="top">ORIGINAL<br>
DEST<br> DEST<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top">dmz<br> <td valign="top">dmz<br>
</td> </td>
<td valign="top">net<br> <td valign="top">net<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following <li>On 192.0.2.177 (your Web/Squid server), arrange for the following
command to be executed after networking has come up<br> command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre> <pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="-1"> Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="-1"> Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<a <a
href="copyright.htm"><font size="2">Copyright</font> &copy; <font href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2003 Thomas M. Eastep.</font></a><br> size="2">2003 Thomas M. Eastep.</font></a><br>
<br> <br>
<br> <br>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

116
STABLE/documentation/Shorewall_index_frame.htm
View File

@ -16,7 +16,7 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base <base
target="main"> target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
@ -26,52 +26,55 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td width="100%"
bgcolor="#ffffff"> bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li> <a
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li> </li>
<li> <b><a <li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a <li> <a
href="Documentation.htm">Reference Manual</a></li> href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li><a <li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
</li> </li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li> <li> <a
<li> <a href="errata.htm">Errata</a></li> href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a <li> <a href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li> <li> <a href="support.htm">Getting
help or Answers to Questions</a><br>
</li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> <li> <a href="shorewall_mirrors.htm">Mirrors</a>
@ -79,19 +82,19 @@
<ul> <ul>
<li><a target="_top" <li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li> href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" <li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li> href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" <li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br> target="_top">Washington State, USA</a><br>
</li> </li>
@ -99,7 +102,7 @@
</ul> </ul>
</li> </li>
@ -110,41 +113,42 @@
<ul> <ul>
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News
<li> <a Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes <li> <a href="quotes.htm">Quotes
from Users</a></li> from Users</a></li>
<li> <a href="shoreline.htm">About <li> <a href="shoreline.htm">About
the Author</a></li> the Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable <b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br> Daily 0200-0330 GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input <font face="Arial"> <input
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
@ -152,16 +156,8 @@ from Users</a></li>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a></p> size="2">2001-2003 Thomas M. Eastep.</font></a><a
href="http://www.shorewall.net" target="_top"> </a></p>
<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a><br>
</p>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

121
STABLE/documentation/Shorewall_sfindex_frame.htm
View File

@ -16,8 +16,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base
target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
@ -26,53 +26,54 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td width="100%"
bgcolor="#ffffff"> bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="sourceforge_index.htm">Home</a></li>
<li> <a <li> <a
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li> </li>
<li> <b><a <li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a <li> <a
href="Documentation.htm">Reference Manual</a></li> href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li><a <li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
</li> </li>
<li> <a <li> <a
href="troubleshoot.htm">Troubleshooting</a></li> href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li> <li> <a href="errata.htm">Errata</a></li>
<li> <a <li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li> <li> <a href="support.htm">Getting
Help or Answers to Questions</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> <li> <a href="shorewall_mirrors.htm">Mirrors</a>
@ -80,19 +81,20 @@
<ul> <ul>
<li><a target="_top" <li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li> href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" <li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li> href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" <li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br> target="_top">Washington State, USA</a><br>
</li> </li>
@ -100,7 +102,8 @@
</ul> </ul>
</li> </li>
@ -110,55 +113,55 @@
<ul> <ul>
<li> <a href="News.htm">News <li> <a href="News.htm">News
Archive</a></li> Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes <li> <a href="quotes.htm">Quotes
from Users</a></li> from Users</a></li>
<li> <a href="shoreline.htm">About <li> <a href="shoreline.htm">About
the Author</a></li> the Author</a></li>
<li> <a <li> <a
href="sourceforge_index.htm#Donations">Donations</a></li> href="sourceforge_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable <b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br> Daily 0200-0330 GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1">
type="text" name="words" size="15"></font><font size="-1"> </font> <font <input type="text" name="words" size="15"></font><font size="-1"> </font>
face="Arial" size="-1"> <input type="hidden" name="format" <font face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input <font face="Arial"> <input
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a></p> size="2">2001-2003 Thomas M. Eastep.</font></a><br>
<br> </p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

341
STABLE/documentation/configuration_file_basics.htm
View File

@ -17,80 +17,82 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1> <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your <p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u> configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a> href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p> before you use them with Shorewall.</b></p>
<h2><a name="Files"></a>Files</h2> <h2><a name="Files"></a>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p> <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul> <ul>
<li>/etc/shorewall/shorewall.conf - used to set several <li>/etc/shorewall/shorewall.conf - used to set
firewall parameters.</li> several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to set <li>/etc/shorewall/params - use this file to set
shell variables that you will expand in other files.</li> shell variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's <li>/etc/shorewall/zones - partition the firewall's
view of the world into <i>zones.</i></li> view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall <li>/etc/shorewall/policy - establishes firewall
high-level policy.</li> high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces <li>/etc/shorewall/interfaces - describes the interfaces
on the firewall system.</li> on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones <li>/etc/shorewall/hosts - allows defining zones
in terms of individual hosts and subnetworks.</li> in terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where <li>/etc/shorewall/masq - directs the firewall
to use many-to-one (dynamic) Network Address Translation where to use many-to-one (dynamic) Network Address Translation
(a.k.a. Masquerading) and Source Network Address Translation (a.k.a. Masquerading) and Source Network Address Translation
(SNAT).</li> (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall <li>/etc/shorewall/modules - directs the firewall
to load kernel modules.</li> to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are <li>/etc/shorewall/rules - defines rules that are
exceptions to the overall policies established in /etc/shorewall/policy.</li> exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li> <li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy <li>/etc/shorewall/proxyarp - defines use of Proxy
ARP.</li> ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 <li>/etc/shorewall/routestopped (Shorewall 1.3.4
and later) - defines hosts accessible when Shorewall is stopped.</li> and later) - defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets <li>/etc/shorewall/tcrules - defines marking of
for later use by traffic control/shaping or policy routing.</li> packets for later use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting <li>/etc/shorewall/tos - defines rules for setting
the TOS field in packet headers.</li> the TOS field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and <li>/etc/shorewall/tunnels - defines IPSEC, GRE
IPIP tunnels with end-points on the firewall system.</li> and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted <li>/etc/shorewall/blacklist - lists blacklisted
IP/subnet/MAC addresses.</li> IP/subnet/MAC addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at the beginning <li>/etc/shorewall/init - commands that you wish to execute at the
of a "shorewall start" or "shorewall restart".</li> beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the <li>/etc/shorewall/start - commands that you wish to execute at the
completion of a "shorewall start" or "shorewall restart"</li> completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at the beginning <li>/etc/shorewall/stop - commands that you wish to execute at the
of a "shorewall stop".</li> beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute at the <li>/etc/shorewall/stopped - commands that you wish to execute at
completion of a "shorewall stop".<br> the completion of a "shorewall stop".</li>
</li> <li>/etc/shorewall/ecn - disable Explicit Congestion Notification (ECN
- RFC 3168) to remote hosts or networks.<br>
</li>
</ul> </ul>
<h2><a name="Comments"></a>Comments</h2> <h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace <p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at character a pound sign ("#"). You may also place comments
the end of any line, again by delimiting the comment from the at the end of any line, again by delimiting the comment from
rest of the line with a pound sign.</p> the rest of the line with a pound sign.</p>
<p>Examples:</p> <p>Examples:</p>
@ -101,7 +103,7 @@ rest of the line with a pound sign.</p>
<h2><a name="Continuation"></a>Line Continuation</h2> <h2><a name="Continuation"></a>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash <p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p> ("\") followed immediately by a new line character.</p>
<p>Example:</p> <p>Example:</p>
@ -112,77 +114,77 @@ rest of the line with a pound sign.</p>
<p align="left"> </p> <p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u> <p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS using DNS names in Shorewall configuration files. If you use DNS
names and you are called out of bed at 2:00AM because Shorewall won't names and you are called out of bed at 2:00AM because Shorewall won't
start as a result of DNS problems then don't say that you were not forewarned. start as a result of DNS problems then don't say that you were not forewarned.
<br> <br>
</b></p> </b></p>
<p align="left"><b>    -Tom<br> <p align="left"><b>    -Tom<br>
</b></p> </b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall <p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS configuration files may be specified as either IP addresses or DNS
Names.<br> Names.<br>
<br> <br>
DNS names in iptables rules aren't nearly as useful as they DNS names in iptables rules aren't nearly as useful as
first appear. When a DNS name appears in a rule, the iptables utility they first appear. When a DNS name appears in a rule, the iptables
resolves the name to one or more IP addresses and inserts those addresses utility resolves the name to one or more IP addresses and inserts
into the rule. So changes in the DNS-&gt;IP address relationship that those addresses into the rule. So changes in the DNS-&gt;IP address
occur after the firewall has started have absolutely no effect on the relationship that occur after the firewall has started have absolutely
firewall's ruleset. </p> no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p> <p align="left"> If your firewall rules include DNS names then:</p>
<ul> <ul>
<li>If your /etc/resolv.conf is wrong then your firewall <li>If your /etc/resolv.conf is wrong then your firewall
won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li> won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall <li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li> won't start.</li>
<li>If your startup scripts try to start your firewall before <li>If your Name Server(s) is(are) down then your firewall
starting your DNS server then your firewall won't start.<br> won't start.</li>
</li> <li>If your startup scripts try to start your firewall
<li>Factors totally outside your control (your ISP's router before starting your DNS server then your firewall won't start.<br>
is down for example), can prevent your firewall from starting.</li> </li>
<li>You must bring up your network interfaces prior to starting <li>Factors totally outside your control (your ISP's router
your firewall.<br> is down for example), can prevent your firewall from starting.</li>
</li> <li>You must bring up your network interfaces prior to
starting your firewall.<br>
</li>
</ul> </ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum <p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is of two periods (although one may be trailing). This restriction is
imposed by Shorewall to insure backward compatibility with existing imposed by Shorewall to insure backward compatibility with existing
configuration files.<br> configuration files.<br>
<br> <br>
Examples of valid DNS names:<br> Examples of valid DNS names:<br>
</p> </p>
<ul> <ul>
<li>mail.shorewall.net</li> <li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li> <li>shorewall.net. (note the trailing period).</li>
</ul> </ul>
Examples of invalid DNS names:<br> Examples of invalid DNS names:<br>
<ul> <ul>
<li>mail (not fully qualified)</li> <li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li> <li>shorewall.net (only one period)</li>
</ul> </ul>
DNS names may not be used as:<br> DNS names may not be used as:<br>
<ul> <ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules <li>The server address in a DNAT rule (/etc/shorewall/rules
file)</li> file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li> <li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li> <li>In the /etc/shorewall/nat file.</li>
</ul> </ul>
These restrictions are not imposed by Shorewall simply for These restrictions are not imposed by Shorewall simply
your inconvenience but are rather limitations of iptables.<br> for your inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2> <h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
@ -197,14 +199,14 @@ no white space following the "!".</p>
configuration files. A comma separated list:</p> configuration files. A comma separated list:</p>
<ul> <ul>
<li>Must not have any embedded white space.<br> <li>Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br> Valid: routefilter,dhcp,norfc1918<br>
Invalid: routestopped,     dhcp,     norfc1818</li> Invalid: routefilter,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated <li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or list, the continuation line(s) must begin in column 1 (or
there would be embedded white space)</li> there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear <li>Entries in a comma-separated list may appear
in any order.</li> in any order.</li>
</ul> </ul>
@ -216,14 +218,14 @@ in any order.</li>
<h2><a name="Ranges"></a>Port Ranges</h2> <h2><a name="Ranges"></a>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to local if you want to forward the range of tcp ports 4000 through 4100 to
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br> local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p> </p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre> <pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
If you omit the low port number, a value of zero is assumed; if you omit If you omit the low port number, a value of zero is assumed; if you omit
the high port number, a value of 65535 is assumed.<br> the high port number, a value of 65535 is assumed.<br>
<h2><a name="Variables"></a>Using Shell Variables</h2> <h2><a name="Variables"></a>Using Shell Variables</h2>
@ -232,112 +234,115 @@ the high port number, a value of 65535 is assumed.<br>
<p>It is suggested that variable names begin with an upper case letter<font <p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p> within the Shorewall programs</p>
<p>Example:</p> <p>Example:</p>
<blockquote> <blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre> <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
</blockquote> </blockquote>
<p><br> <p><br>
Example (/etc/shorewall/interfaces record):</p> Example (/etc/shorewall/interfaces record):</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre> <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote> </blockquote>
</font> </font>
<p>The result will be the same as if the record had been written</p> <p>The result will be the same as if the record had been written</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre> <pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote> </blockquote>
</font> </font>
<p>Variables may be used anywhere in the other configuration <p>Variables may be used anywhere in the other configuration
files.</p> files.</p>
<h2><a name="MAC"></a>Using MAC Addresses</h2> <h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet <p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature, source in several of the configuration files. To use this feature,
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p> included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a <p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br> unique MAC address.<br>
<br> <br>
In GNU/Linux, MAC addresses are usually written as In GNU/Linux, MAC addresses are usually written as
a series of 6 hex numbers separated by colons. Example:<br> a series of 6 hex numbers separated by colons. Example:<br>
<br> <br>
     [root@gateway root]# ifconfig eth0<br>      [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>      eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255      inet addr:206.124.146.176 Bcast:206.124.146.255
Mask:255.255.255.0<br> Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0      RX packets:2398102 errors:0 dropped:0 overruns:0
frame:0<br> frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0      TX packets:3044698 errors:0 dropped:0 overruns:0
carrier:0<br> carrier:0<br>
     collisions:30394 txqueuelen:100<br>      collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221      RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
(1582.8 Mb)<br> (1582.8 Mb)<br>
     Interrupt:11 Base address:0x1800<br>      Interrupt:11 Base address:0x1800<br>
<br> <br>
Because Shorewall uses colons as a separator for address Because Shorewall uses colons as a separator for
fields, Shorewall requires MAC addresses to be written in another address fields, Shorewall requires MAC addresses to be written
way. In Shorewall, MAC addresses begin with a tilde ("~") and in another way. In Shorewall, MAC addresses begin with a tilde
consist of 6 hex numbers separated by hyphens. In Shorewall, the ("~") and consist of 6 hex numbers separated by hyphens. In Shorewall,
MAC address in the example above would be written "~02-00-08-E3-FA-55".<br> the MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
</p> </p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation <p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br> in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p> </p>
<h2><a name="Levels"></a>Shorewall Configurations</h2> <h2><a name="Levels"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall. <p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start and The <a href="starting_and_stopping_shorewall.htm">shorewall start
restart</a> commands allow you to specify an alternate configuration and restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate directory rather than the corresponding files in /etc/shorewall. The alternate
need not contain a complete configuration; those files not in the alternate directory need not contain a complete configuration; those files not in
directory will be read from /etc/shorewall.</p> the alternate directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration <p> This facility permits you to easily create a test or temporary configuration
by:</p> by:</p>
<ol> <ol>
<li> copying the files that need modification from <li> copying the files that need modification
/etc/shorewall to a separate directory;</li> from /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory; <li> modify those files in the separate directory;
and</li> and</li>
<li> specifying the separate directory in a shorewall <li> specifying the separate directory in a shorewall
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig start or shorewall restart command (e.g., <i><b>shorewall -c
restart</b></i> ).</li> /etc/testconfig restart</b></i> ).</li>
</ol> </ol>
<p><font size="2"> Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 2/24/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
<br> <br>
<br> <br>
<br> <br>

537
STABLE/documentation/download.htm
View File

@ -17,14 +17,14 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -32,404 +32,408 @@
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br> for the configuration that most closely matches your own.<br>
</b></p> </b></p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p> <p>The entire set of Shorewall documentation is available in PDF format
at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>     <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p> </p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz <p>The documentation in HTML format is included in the .rpm and in the
packages below.</p> .tgz packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u> <p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p> one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution <b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that RPM should also work with other distributions that
store init scripts in /etc/init.d and that include chkconfig store init scripts in /etc/init.d and that include chkconfig
or insserv). If you find that it works in other cases, let <a or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li> Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you <li>If you are running LRP, download the .lrp file (you
might also want to download the .tgz so you will have a copy of might also want to download the .tgz so you will have a copy
the documentation).</li> of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both and would like a .deb package, Shorewall is included in both
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li> Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> <li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li> module (.tgz)</li>
</ul> </ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files <p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.  The and there is an documentation .deb that also contains the documentation.  The
.rpm will install the documentation in your default document directory which .rpm will install the documentation in your default document directory which
can be obtained using the following command:<br> can be obtained using the following command:<br>
</p> </p>
<blockquote> <blockquote>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p> <p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
</blockquote> </blockquote>
<p>Please verify the version that you have downloaded -- during the <p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may release of a new version of Shorewall, the links below may
point to a newer or an older version than is shown below.</p> point to a newer or an older version than is shown below.</p>
<ul> <ul>
<li>RPM - "rpm -qip LATEST.rpm"</li> <li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory <li>TARBALL - "tar -ztf LATEST.tgz" (the directory
name will contain the version)</li> name will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" -zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li> </li>
</ul> </ul>
<p>Once you have verified the version, check the <font <p>Once you have verified the version, check the <font
color="#ff0000"> <a href="errata.htm"> errata</a></font> to see color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
if there are updates that apply to the version that you have if there are updates that apply to the version that you have
downloaded.</p> downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p> configuration of your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.3.14</b>): <b>Remember that updates <p><b>Download Latest Version</b> (<b>1.4.0</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the Washington to the mirrors occur 1-12 hours after an update to the Washington
State site.</b></p> State site.</b></p>
<blockquote> <blockquote>
<table border="2" cellspacing="3" cellpadding="3" <table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;"> style="border-collapse: collapse;">
<tbody> <tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td valign="top">SourceForge<br>
<td><b>DOMAIN</b></td> </td>
<td><b>HTTP</b></td> <td valign="top">sf.net<br>
<td><b>FTP</b></td> </td>
</tr> <td valign="top"><a
<tr>
<td valign="top">SourceForge<br>
</td>
<td valign="top">sf.net<br>
</td>
<td valign="top"><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br> href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums"> href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums<br> Download.md5sums<br>
</a><a </a><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.samples">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a .samples</a><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums"><br> href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td> </a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums"> href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
Download.md5sums<br> Download.md5sums<br>
</a><a target="_blank" </a><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.samples">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.samples">Download
.samples</a><a .samples</a><a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums"><br> href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums"><br>
</a></td> </a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a <td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br> .rpm</a><br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums"> href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums<br> Download.md5sums<br>
</a><a </a><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.samples">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.samples">Download
.samples</a><a .samples</a><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums"><br> href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
</a></td> </a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a><br> .lrp</a><br>
<a <a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums"> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums<br> Download.md5sums<br>
</a><a target="_blank" </a><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.samples"> Download href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.samples"> Download
.samples</a><a .samples</a><a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums"><br> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
</a></td> </a></td>
</tr> </tr>
<tr> <tr>
<td>Hamburg, Germany</td> <td>Hamburg, Germany</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br> .rpm</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br> .tgz</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums"> href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums<br> Download.md5sums<br>
</a><a </a><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.samples">Download href="http://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a .samples</a><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br> href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td> </a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a target="_blank" <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br> .md5sums<br>
</a><a target="_blank" </a><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.samples">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a target="_blank" .samples</a><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br> href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td> </a></td>
</tr> </tr>
<tr> <tr>
<td>Martinez (Zona Norte - GBA), Argentina</td> <td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td> <td>Correofuego.com.ar</td>
<td> <a <td> <a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a <a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp"> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br> Download .lrp</a><br>
<a target="_blank" <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br> .md5sums<br>
</a><a </a><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples"> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
Download .samples</a><a target="_blank" Download .samples</a><a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td> </a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp"> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br> Download .lrp</a><br>
<a target="_blank" <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br> .md5sums<br>
</a><a target="_blank" </a><a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples"> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
Download .samples</a><a target="_blank" Download .samples</a><a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td> </a></td>
</tr> </tr>
<tr> <tr>
<td>Paris, France</td> <td>Paris, France</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br> href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a <a
href="http://france.shorewall.net/pub/LATEST.tgz">Download .tgz</a> <br> href="http://france.shorewall.net/pub/LATEST.tgz">Download
<a .tgz</a> <br>
href="http://france.shorewall.net/pub/LATEST.lrp">Download .lrp</a><br> <a
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums<br> .md5sums<br>
</a><a href="http://france.shorewall.net/pub/LATEST.samples">Download </a><a href="http://france.shorewall.net/pub/LATEST.samples">Download
.samples</a><a .samples</a><a
href="http://france.shorewall.net/pub/LATEST.md5sums"><br> href="http://france.shorewall.net/pub/LATEST.md5sums"><br>
</a></td> </a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a target="_blank" <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.samples">Download
.samples</a><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br> .md5sums<br>
</a><a </a><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.samples">Download
.samples</a><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples">Download href="http://www.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><br> .samples</a><br>
</td> </td>
<td valign="top"><a <td valign="top"><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank"> href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br> Download .rpm</a> <br>
<a <a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br> .lrp</a><br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br> .md5sums<br>
</a><a </a><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.samples" href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.samples"
target="_blank">Download .samples</a><br> target="_blank">Download .samples</a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p><b>Browse Download Sites:</b></p> <p><b>Browse Download Sites:</b></p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>SourceForge<br> <td>SourceForge<br>
</td> </td>
<td>sf.net</td> <td>sf.net</td>
<td><a <td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td> <td>N/A</td>
</tr> </tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td> href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a <td> <a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td> href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr> </tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>CVS:</b></p> <p align="left"><b>CVS:</b></p>
@ -439,19 +443,14 @@ can be obtained using the following command:<br>
at cvs.shorewall.net</a> contains the latest snapshots of the each at cvs.shorewall.net</a> contains the latest snapshots of the each
Shorewall component. There's no guarantee that what you find there Shorewall component. There's no guarantee that what you find there
will work at all.<br> will work at all.<br>
</p> </p>
</blockquote> </blockquote>
<p align="left"><font size="2">Last Updated 3/6/2003 - <a <p align="left"><font size="2">Last Updated 3/6/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

703
STABLE/documentation/errata.htm
View File

@ -5,7 +5,7 @@
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title> <title>Shorewall 1.4 Errata</title>
@ -16,20 +16,22 @@
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -38,691 +40,202 @@
<p align="center"> <b><u>IMPORTANT</u></b></p> <p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first <p align="left"> <b>When the instructions say to install a corrected
time and plan to use the .tgz and install.sh script, you can untar firewall script in /usr/share/shorewall/firewall, you may
the archive, replace the 'firewall' script in the untarred directory rename the existing file before copying in the new file.</b></p>
with the one you downloaded below, and then run install.sh.</b></p> </li>
</li> <li>
<li>
<p align="left"> <b>If you are running a Shorewall version earlier
than 1.3.11, when the instructions say to install a corrected firewall
script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
/etc/shorewall/firewall or /var/lib/shorewall/firewall before
you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall
are symbolic links that point to the 'shorewall' file used by your
system initialization scripts to start Shorewall during boot.
It is that file that must be overwritten with the corrected
script. Beginning with Shorewall 1.3.11, you may rename the existing file
before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br> 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
</ol> </ol>
<ul> <ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li> <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a <li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
href="#V1.3">Problems in Version 1.3</a></b></li> </li>
<li> <b><a <li> <b><a
href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li> href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font <li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li> color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font <li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3 color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li> on RH7.2</a></font></b></li>
<li> <b><a <li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat href="#Debug">Problems with kernels &gt;= 2.4.18 and
iptables</a></b></li> RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading <li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li> RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables <li><b><a href="#Multiport">Problems with iptables
version 1.2.7 and MULTIPORT=Yes</a></b></li> version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
and NAT</a></b><br> and NAT</a></b><br>
</li>
</ul>
<hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.14</h3>
<ul>
<li>There is an <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated
rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and
223.0.0.0/8.</li>
</ul>
<ul>
<li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a
single host or network address.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were not
rate-limited.</li>
<li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt; don't
support the 'maclist' interface option.</li>
<li>Log messages generated by RFC 1918 filtering are not rate limited.<br>
</li>
</ul>
These four problems have been corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br>
<h3>Version 1.3.13</h3>
<ul>
<li>The 'shorewall add' command produces an error message referring
to 'find_interfaces_by_maclist'.</li>
<li>The 'shorewall delete' command can leave behind undeleted rules.</li>
<li>The 'shorewall add' command can fail with "iptables: Index of
insertion too big".<br>
</li>
</ul>
All three problems are corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br>
<ul>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
eth0.1) are not supported in this version or in 1.3.12. If you need such
support, post on the users list and I can provide you with a patched version.<br>
</li>
</ul>
<h3>Version 1.3.12</h3>
<ul>
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect
is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.</li>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
eth0.1) are not supported in this version or in 1.3.13. If you need such
support, post on the users list and I can provide you with a patched version.<br>
</li>
</ul>
<h3>Version 1.3.12 LRP</h3>
<ul>
<li>The .lrp was missing the /etc/shorewall/routestopped file
-- a new lrp (shorwall-1.3.12a.lrp) has been released which corrects this
problem.<br>
</li>
</ul>
<h3>Version 1.3.11a</h3>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of
82.0.0.0/8.<br>
</li>
</ul>
<h3>Version 1.3.11</h3>
<ul>
<li>When installing/upgrading using the .rpm, you may receive
the following warnings:<br>
<br>
     user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>
<br>
These warnings are harmless and may be ignored. Users downloading
the .rpm from shorewall.net or mirrors should no longer see these warnings
as the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column
contains ! followed by a sub-zone list) result in an error message
and Shorewall fails to start.<br>
<br>
Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
corrected script</a> in /usr/lib/shorewall/firewall to correct this
problem. Thanks go to Roger Aich who analyzed this problem and provided
a fix.<br>
<br>
This problem is corrected in version 1.3.11a.<br>
</li>
</ul>
<h3>Version 1.3.10</h3>
<ul>
<li>If you experience problems connecting to a PPTP server
running on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases
where installing this script in /usr/lib/shorewall/firewall solved your
connection problems. Beginning with version 1.3.10, it is safe to save
the old version of /usr/lib/shorewall/firewall before copying in the
new one since /usr/lib/shorewall/firewall is the real script now and
not just a symbolic link to the real script.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.9a</h3>
<ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
then the following message appears during "shorewall [re]start":</li>
</ul>
<pre> recalculate_interfacess: command not found<br></pre>
<blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall
as described above.<br>
</blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br>
</blockquote>
<ul>
<li>The installer (install.sh) issues a misleading message
"Common functions installed in /var/lib/shorewall/functions" whereas
the file is installed in /usr/lib/shorewall/functions. The installer
also performs incorrectly when updating old configurations that had the
file /etc/shorewall/functions. <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br>
</a></li>
</ul>
<h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated
firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br>
Version 1.3.8
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS
columns of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP
addresses but with different port numbers doesn't work (e.g., "DNAT
loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
</li>
</ul>
Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these
problems.
<h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this
problem.</p>
<h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after
"shorewall refresh", the firewall will not forward
icmp echo-request (ping) packets. Installing
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this
problem.</p>
<h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918
checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This
has two problems:</p>
<ol>
<li>If the firewall
is running a DHCP server, the client
won't be able to obtain an IP address
lease from that server.</li>
<li>With this order
of checking, the "dhcp" option
cannot be used as a noise-reduction
measure where there are both dynamic and static
clients on a LAN segment.</li>
</ol>
<p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a>
corrects the problem. It must be
installed in /var/lib/shorewall
as described above.</p>
<h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against
these md5sums -- if there's a difference, please
download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
and compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
.7 version in each sequence from now on.</p>
<h3 align="left">Version 1.3.6</h3>
<ul>
<li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to
add an SNAT alias. </p>
</li>
<li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables
1.2.7. </p>
</li>
</ul>
<p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="left">A line was inadvertently deleted from the "interfaces
file" -- this line should be added back in if the version that you
downloaded is missing it:</p>
<p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
<p align="left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p>
<h3 align="left">Version 1.3.5-1.3.5b</h3>
<p align="left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p>
<h3 align="left">Versions 1.3.4-1.3.5a</h3>
<p align="left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p>
<div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div>
<div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only
possible to  include a single host specification on each line.
This problem is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in
/var/lib/pub/shorewall/firewall as instructed above.</p>
</div>
<div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</p>
</div>
<h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version
1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy file
have been previously defined in the /etc/shorewall/zones file.
The "shorewall check" command does perform this verification so
it's a good idea to run that command after you have made configuration
changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include
in /etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3
and later versions produce a clearer error message in this
case.</p>
<h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct version
has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface
entry in /etc/shorewall/interfaces contained a typo that
prevented it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken;
it behaved just like "NAT_BEFORE_RULES=Yes".</li>
</ul>
<p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p>
<ul>
<li>
<p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p>
</li>
</ul>
<h3 align="left">Version 1.3.1</h3>
<ul>
<li>TCP SYN packets may be double counted
when LIMIT:BURST is included in a CONTINUE or ACCEPT policy
(i.e., each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy
chain is sometimes generated for a CONTINUE policy.</li>
<li>When an option is given for more
than one interface in /etc/shorewall/interfaces then
depending on the option, Shorewall may ignore all but
the first appearence of the option. For example:<br>
<br>
net    eth0    dhcp<br>
loc    eth1    dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described
in the prior bullet affects the following options:
dhcp, dropunclean, logunclean, norfc1918, routefilter,
multi, filterping and noping. An additional bug has been
found that affects only the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script
prior to 1850 GMT today should download and install
the corrected script again to ensure that this second
problem is corrected.</li>
</ul>
<p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p>
<h3 align="left">Version 1.3.0</h3>
<ul>
<li>Folks who downloaded 1.3.0 from the
links on the download page before 23:40 GMT, 29 May
2002 may have downloaded 1.2.13 rather than 1.3.0.
The "shorewall version" command will tell you which version
that you have installed.</li>
<li>The documentation NAT.htm file uses
non-existent wallpaper and bullet graphic files. The
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li>
</ul>
<hr> <hr>
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2> <h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3>
None.
<hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a <p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p> href="upgrade_issues.htm">a separate page</a>.</p>
<hr> <hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with <h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3> iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, prevent it from working with Shorewall. Regrettably, RedHat
RedHat released this buggy iptables in RedHat 7.2. </p> released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works </font>I have installed this RPM on my firewall and it works
fine.</p> fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level which corrects a problem with parsing of the --log-level specification
specification while this <a while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3> and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p> may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by the Netfilter 'mangle' table. You can correct the problem by
installing <a installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 this iptables RPM</a>. If you are already running a 1.2.5 version
version of iptables, you will need to specify the --oldpackage of iptables, you will need to specify the --oldpackage option to
option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict <p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to installed, simply use the "--nodeps" option to
rpm.</p> rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with <h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3> iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made <p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to an incompatible change to the syntax used to
specify multiport match rules; as a consequence, specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p> Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No <li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or in /etc/shorewall/shorewall.conf; or </li>
</li> <li>if you are running
<li>if you are running Shorewall 1.3.6 you may install
Shorewall 1.3.6 you may install <a
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
</ul> </ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will /etc/shorewall/nat entries of the following form will result
result in Shorewall being unable to start:<br> in Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br> Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel The solution is to put "no" in the LOCAL column. Kernel support
support for LOCAL=yes has never worked properly and 2.4.18-10 has for LOCAL=yes has never worked properly and 2.4.18-10 has disabled
disabled it. The 2.4.19 kernel contains corrected support under a it. The 2.4.19 kernel contains corrected support under a new kernel configuraiton
new kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/8/2003 - <p><font size="2"> Last updated 2/8/2003 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>

715
STABLE/documentation/errata_3.html Normal file
View File

@ -0,0 +1,715 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>If you are running a Shorewall version earlier
than 1.3.11, when the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
/etc/shorewall/firewall or /var/lib/shorewall/firewall before
you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall
are symbolic links that point to the 'shorewall' file used by
your system initialization scripts to start Shorewall during
boot. It is that file that must be overwritten with the corrected
script. Beginning with Shorewall 1.3.11, you may rename the existing file
before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a
href="#V1.3">Problems in Version 1.3</a></b></li>
<li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables
version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
and NAT</a></b><br>
</li>
</ul>
<hr>
<h2 align="left"><small></small><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.14</h3>
<ul>
<li>There is an <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated
rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and
223.0.0.0/8.</li>
</ul>
<ul>
<li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a single
host or network address.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited.</li>
<li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt; don't
support the 'maclist' interface option.</li>
<li>Log messages generated by RFC 1918 filtering are not rate limited.</li>
<li>The firewall fails to start in the case where you have "eth0 eth1"
in /etc/shorewall/masq and the default route is through eth1.<br>
</li>
</ul>
These problems have been corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br>
<h3>Version 1.3.13</h3>
<ul>
<li>The 'shorewall add' command produces an error message referring
to 'find_interfaces_by_maclist'.</li>
<li>The 'shorewall delete' command can leave behind undeleted rules.</li>
<li>The 'shorewall add' command can fail with "iptables: Index of insertion
too big".<br>
</li>
</ul>
All three problems are corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br>
<ul>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
eth0.1) are not supported in this version or in 1.3.12. If you need such
support, post on the users list and I can provide you with a patched version.<br>
</li>
</ul>
<h3>Version 1.3.12</h3>
<ul>
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect
is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.</li>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
eth0.1) are not supported in this version or in 1.3.13. If you need such
support, post on the users list and I can provide you with a patched version.<br>
</li>
</ul>
<h3>Version 1.3.12 LRP</h3>
<ul>
<li>The .lrp was missing the /etc/shorewall/routestopped file
-- a new lrp (shorwall-1.3.12a.lrp) has been released which corrects
this problem.<br>
</li>
</ul>
<h3>Version 1.3.11a</h3>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of
82.0.0.0/8.<br>
</li>
</ul>
<h3>Version 1.3.11</h3>
<ul>
<li>When installing/upgrading using the .rpm, you may receive
the following warnings:<br>
<br>
     user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>
<br>
These warnings are harmless and may be ignored. Users downloading
the .rpm from shorewall.net or mirrors should no longer see these warnings
as the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column
contains ! followed by a sub-zone list) result in an error message and
Shorewall fails to start.<br>
<br>
Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
corrected script</a> in /usr/lib/shorewall/firewall to correct this
problem. Thanks go to Roger Aich who analyzed this problem and provided
a fix.<br>
<br>
This problem is corrected in version 1.3.11a.<br>
</li>
</ul>
<h3>Version 1.3.10</h3>
<ul>
<li>If you experience problems connecting to a PPTP server
running on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases
where installing this script in /usr/lib/shorewall/firewall solved
your connection problems. Beginning with version 1.3.10, it is safe
to save the old version of /usr/lib/shorewall/firewall before copying
in the new one since /usr/lib/shorewall/firewall is the real script
now and not just a symbolic link to the real script.<br>
</li>
</ul>
<h3>Version 1.3.9a</h3>
<ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
then the following message appears during "shorewall [re]start":</li>
</ul>
<pre> recalculate_interfacess: command not found<br></pre>
<blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall
as described above.<br>
</blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br>
</blockquote>
<ul>
<li>The installer (install.sh) issues a misleading message
"Common functions installed in /var/lib/shorewall/functions" whereas
the file is installed in /usr/lib/shorewall/functions. The installer
also performs incorrectly when updating old configurations that had the
file /etc/shorewall/functions. <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br>
</a></li>
</ul>
<h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated
firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br>
Version 1.3.8
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS
columns of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP
addresses but with different port numbers doesn't work (e.g., "DNAT
loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
</li>
</ul>
Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these
problems.
<h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this
problem.</p>
<h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after
"shorewall refresh", the firewall will not forward
icmp echo-request (ping) packets. Installing
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this
problem.</p>
<h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918
checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This
has two problems:</p>
<ol>
<li>If the firewall
is running a DHCP server, the
client won't be able to obtain an IP address
lease from that server.</li>
<li>With this order
of checking, the "dhcp" option
cannot be used as a noise-reduction
measure where there are both dynamic and static
clients on a LAN segment.</li>
</ol>
<p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a>
corrects the problem. It must be
installed in /var/lib/shorewall as
described above.</p>
<h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against
these md5sums -- if there's a difference, please
download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
and compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
.7 version in each sequence from now on.</p>
<h3 align="left">Version 1.3.6</h3>
<ul>
<li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to
add an SNAT alias. </p>
</li>
<li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables
1.2.7. </p>
</li>
</ul>
<p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="left">A line was inadvertently deleted from the "interfaces
file" -- this line should be added back in if the version that you
downloaded is missing it:</p>
<p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
<p align="left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p>
<h3 align="left">Version 1.3.5-1.3.5b</h3>
<p align="left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p>
<h3 align="left">Versions 1.3.4-1.3.5a</h3>
<p align="left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p>
<div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div>
<div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only
possible to  include a single host specification on each line.
This problem is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in
/var/lib/pub/shorewall/firewall as instructed above.</p>
</div>
<div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</p>
</div>
<h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version
1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy
file have been previously defined in the /etc/shorewall/zones
file. The "shorewall check" command does perform this verification
so it's a good idea to run that command after you have made configuration
changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include
in /etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3
and later versions produce a clearer error message in
this case.</p>
<h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct
version has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface
entry in /etc/shorewall/interfaces contained a typo that
prevented it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken;
it behaved just like "NAT_BEFORE_RULES=Yes".</li>
</ul>
<p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p>
<ul>
<li>
<p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p>
</li>
</ul>
<h3 align="left">Version 1.3.1</h3>
<ul>
<li>TCP SYN packets may be double counted
when LIMIT:BURST is included in a CONTINUE or ACCEPT policy
(i.e., each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy
chain is sometimes generated for a CONTINUE policy.</li>
<li>When an option is given for more than
one interface in /etc/shorewall/interfaces then depending
on the option, Shorewall may ignore all but the first
appearence of the option. For example:<br>
<br>
net    eth0    dhcp<br>
loc    eth1    dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described
in the prior bullet affects the following options:
dhcp, dropunclean, logunclean, norfc1918, routefilter,
multi, filterping and noping. An additional bug has been
found that affects only the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script
prior to 1850 GMT today should download and install
the corrected script again to ensure that this second
problem is corrected.</li>
</ul>
<p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p>
<h3 align="left">Version 1.3.0</h3>
<ul>
<li>Folks who downloaded 1.3.0 from the
links on the download page before 23:40 GMT, 29 May
2002 may have downloaded 1.2.13 rather than 1.3.0.
The "shorewall version" command will tell you which version
that you have installed.</li>
<li>The documentation NAT.htm file uses
non-existent wallpaper and bullet graphic files. The
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li>
</ul>
<hr>
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works
fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem
by installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to
rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running
Shorewall 1.3.6 you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
</ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will result
in Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/8/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

200
STABLE/documentation/mailing_list.htm
View File

@ -25,50 +25,49 @@
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%" <table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="33%" valign="middle" <td width="33%" valign="middle" align="left">
align="left">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left">
</a></h1> </a></h1>
<a <a
href="http://www.gnu.org/software/mailman/mailman.html"> <img href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> height="35" alt="">
</a> </a>
<p align="right"><font color="#ffffff"><b>  </b></font> </p> <p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td> </td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <a <td valign="middle" width="33%"> <a
href="http://www.postfix.org/"> <img alt="(Postfix Logo)" href="http://www.postfix.org/"> <img
height="66" width="124" border="0" align="right" src="images/small-picture.gif" align="right" border="0" width="115"
src="images/postfix-white.gif"> height="45" alt="(Postfix Logo)">
</a><br> </a><br>
<div align="left"><a href="http://www.spamassassin.org"><img <div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right" src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0"> border="0">
</a> </div> </a> </div>
<br> <br>
<div align="right"><br> <div align="right"><br>
<b><font color="#ffffff"><br> <b><font color="#ffffff"><br>
    </font></b><br> Powered by Postfix    </font></b><br>
</div> </div>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -76,17 +75,16 @@
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please <h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br> Guide</a>.<br>
</h1> </h1>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p> let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep <p align="left">You can report such problems by sending mail to tom dot eastep
at hp dot com.</p> at hp dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a <h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
href="http://osirusoft.com/"> </a></h2> href="http://osirusoft.com/"> </a></h2>
@ -94,29 +92,29 @@
<p>Before subscribing please read my <a href="spam_filters.htm">policy <p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks incoming mail:<br> at shorewall.net checks incoming mail:<br>
</p> </p>
<ol> <ol>
<li>against <a href="http://spamassassin.org">Spamassassin</a> <li>against <a href="http://spamassassin.org">Spamassassin</a>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br> (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li> </li>
<li>to ensure that the sender address is fully qualified.</li> <li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or <li>to verify that the sender's domain has an A or MX
MX record in DNS.</li> record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command <li>to ensure that the host name in the HELO/EHLO command
is a valid fully-qualified DNS name that resolves.</li> is a valid fully-qualified DNS name that resolves.</li>
</ol> </ol>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in "for continuous abuse" because it has been my policy to allow HTML in
list posts!!<br> list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the spam and that the ultimate losers here are not the spammers but the
list subscribers whose MTAs are bouncing all shorewall.net mail. As list subscribers whose MTAs are bouncing all shorewall.net mail. As
one list subscriber wrote to me privately "These e-mail admin's need to one list subscriber wrote to me privately "These e-mail admin's need to
get a <i>(explitive deleted)</i> life instead of trying to rid the planet get a <i>(explitive deleted)</i> life instead of trying to rid the planet
@ -126,14 +124,14 @@ to strip all HTML from outgoing posts. This means that HTML-only posts
will be bounced by the list server.<br> will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
<h2>Other Mail Delivery Problems</h2> <h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, your If you find that you are missing an occasional list post, your
e-mail admin may be blocking mail whose <i>Received:</i> headers contain e-mail admin may be blocking mail whose <i>Received:</i> headers contain
the names of certain ISPs. Again, I believe that such policies hurt more the names of certain ISPs. Again, I believe that such policies hurt more
than they help but I'm not prepared to go so far as to start stripping than they help but I'm not prepared to go so far as to start stripping <i>Received:</i>
<i>Received:</i> headers to circumvent those policies.<br> headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2> <h2 align="left">Mailing Lists Archive Search</h2>
@ -146,13 +144,13 @@ will be bounced by the list server.<br>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
@ -162,47 +160,47 @@ will be bounced by the list server.<br>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" </font> <input type="hidden" name="config"
value="htdig"> <input type="hidden" name="restrict" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" Search: <input type="text" size="30" name="words"
name="words" value=""> <input type="submit" value="Search"> </p> value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire <h2 align="left"><font color="#ff0000">Please do not try to download the entire
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
stand the traffic. If I catch you, you will be blacklisted.<br> stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline If you want to trust X.509 certificates issued by Shoreline
Firewall (such as the one used on my web site), you may <a Firewall (such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a> href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then in your browser. If you don't wish to trust my certificates then
you can either use unencrypted access when subscribing to Shorewall you can either use unencrypted access when subscribing to Shorewall
mailing lists or you can use secure access (SSL) and accept the server's mailing lists or you can use secure access (SSL) and accept the server's
certificate when prompted by your browser.<br> certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2> <h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users <p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also posted of general interest to the Shorewall user community is also posted
to this list.</p> to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see <p align="left"><b>Before posting a problem report to this list, please see
the <a href="http://www.shorewall.net/support.htm">problem reporting the <a href="http://www.shorewall.net/support.htm">problem reporting
guidelines</a>.</b></p> guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users" href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
@ -222,37 +220,37 @@ list may be found at <a
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe:<br> Shorewall community. To subscribe:<br>
</p> </p>
<p align="left"></p> <p align="left"></p>
<ul> <ul>
<li><b>Insecure:</b> <a <li><b>Insecure:</b> <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a <li><b>SSL</b>: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce" href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
</ul> </ul>
<p align="left"><br> <p align="left"><br>
The list archives are at <a The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for <p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for coordinating the exchange of ideas about the future of Shorewall and for coordinating
ongoing Shorewall Development.</p> ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel" href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
@ -265,36 +263,33 @@ list may be found at <a
href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2> the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing <p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists although Mailman 2.1 has attempted from Mailman-managed lists although Mailman 2.1 has attempted
to make this less confusing. To unsubscribe:</p> to make this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a
password reminder, or change your subscription options enter password reminder, or change your subscription options enter
your subscription email address:". Enter your email address your subscription email address:". Enter your email address
in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p> in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be emailed there is another button that will cause your password to be emailed
to you.</p> to you.</p>
</li> </li>
</ul> </ul>
@ -308,6 +303,9 @@ your subscription email address:". Enter your email address
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> © <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
<br>
</body> </body>
</html> </html>

179
STABLE/documentation/myfiles.htm
View File

File diff suppressed because one or more lines are too long

176
STABLE/documentation/ping.html
View File

@ -13,128 +13,163 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1> <h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
Shorewall 'Ping' management has evolved over time with the latest change Shorewall 'Ping' management has evolved over time with the latest change
coming in Shorewall version 1.3.14. In that version, a new option (<b>OLD_PING_HANDLING</b>) coming in Shorewall version 1.4.0. <br>
was added to /etc/shorewall/shorewall.conf. The value of that option determines
the overall handling of ICMP echo requests (pings).<br>
<h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2> <h2>Shorewall Versions &gt;= 1.4.0</h2>
In 1.3.14, Ping handling was put under control of the rules and policies In order to accept ping requests from zone z1 to zone z2 where the policy
just like any other connection request. In order to accept ping requests for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT and z1 form:<br>
is not the firewall zone, you need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
Example: <br> Example: <br>
<br> <br>
To permit ping from the local zone to the firewall:<br> To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
If you would like to accept 'ping' by default even when the relevant If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br> already exist and in that file place the following command:<br>
<blockquote> <blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre> <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote> </blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 then With that rule in place, if you want to ignore 'ping' from z1 to z2 then
you need a rule of the form:<br> you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; <blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
Example:<br> Example:<br>
<br> <br>
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br> To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; <blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
<h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and policies
just like any other connection request. In order to accept ping requests
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need
a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br>
<blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 then
you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br> <h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br>
</h2> </h2>
There are several aspects to the old Shorewall Ping management:<br> There are several aspects to the old Shorewall Ping management:<br>
<ol> <ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a <li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a <li>The <b>FORWARDPING</b> option in<a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li> href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> <li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol> </ol>
There are two cases to consider:<br> There are two cases to consider:<br>
<ol> <ol>
<li>Ping requests addressed to the firewall itself; and</li> <li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here are <li>Ping requests being forwarded to another system. Included here
all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
routing.</li> and simple routing.</li>
</ol> </ol>
These cases will be covered separately.<br> These cases will be covered separately.<br>
<h3>Ping Requests Addressed to the Firewall Itself</h3> <h3>Ping Requests Addressed to the Firewall Itself</h3>
For ping requests addressed to the firewall, the sequence is as follows:<br> For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol> <ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for <li>If neither <b>noping</b> nor <b>filterping </b>are specified for
the interface that receives the ping request then the request will be responded the interface that receives the ping request then the request will be responded
to with an ICMP echo-reply.</li> to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives the <li>If <b>noping</b> is specified for the interface that receives the
ping request then the request is ignored.</li> ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request <li>If <b>filterping </b>is specified for the interface then the request
is passed to the rules/policy evaluation.</li> is passed to the rules/policy evaluation.</li>
</ol> </ol>
<h3>Ping Requests Forwarded by the Firewall</h3> <h3>Ping Requests Forwarded by the Firewall</h3>
These requests are <b>always</b> passed to rules/policy evaluation.<br> These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h3>Rules Evaluation</h3> <h3>Rules Evaluation</h3>
Ping requests are ICMP type 8. So the general rule format is:<br> Ping requests are ICMP type 8. So the general rule format is:<br>
<br> <br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp;
Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br> Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
<br> <br>
Example 1. Accept pings from the net to the dmz (pings are responded to Example 1. Accept pings from the net to the dmz (pings are responded
with an ICMP echo-reply):<br> to with an ICMP echo-reply):<br>
<br> <br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
<br> <br>
Example 2. Drop pings from the net to the firewall<br> Example 2. Drop pings from the net to the firewall<br>
<br> <br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
<h3>Policy Evaluation</h3> <h3>Policy Evaluation</h3>
If no applicable rule is found, then the policy for the source to the If no applicable rule is found, then the policy for the source to the
destination is applied.<br> destination is applied.<br>
<ol> <ol>
<li>If the relevant policy is ACCEPT then the request is responded to <li>If the relevant policy is ACCEPT then the request is responded
with an ICMP echo-reply.</li> to with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf <li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li> then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the request <li>Otherwise, the relevant REJECT or DROP policy is used and the request
is either rejected or simply ignored.</li> is either rejected or simply ignored.</li>
</ol> </ol>
@ -143,6 +178,7 @@ destination is applied.<br>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br> <br>
<br> <br>
<br> <br>

9
STABLE/documentation/ports.htm
View File

@ -184,13 +184,8 @@ to a server with IP address a.b.c.d in zone z2:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<p>Note that my rules only cover NFS using UDP (the normal case) and your <p>Note that my rules only cover NFS using UDP (the normal case). There
milage may vary depending on the software you are using (I'm using RH8.0 is lots of additional information at  <a
on both ends). In particular, the local port range in my server starts at
32768 (It's 32768 - 61000; I could probably get away with just opening those
ports).<br>
<br>
There is lots of additional information at  <a
href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p> href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote> </blockquote>

667
STABLE/documentation/seattlefirewall_index.htm
View File

@ -7,16 +7,17 @@
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base
target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -27,11 +28,12 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%"
height="90">
@ -47,9 +49,22 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font </a></i></font><a
color="#ffffff">Shorewall 1.3 - <font href="http://www.shorewall.net" target="_top"><img border="1"
size="4">"<i>iptables made easy"</i></font></font></h1> src="images/shorewall.jpg" width="119" height="38" hspace="4"
alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1>
<small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small><big></big>
<div align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1>
</div>
<p><a href="http://www.shorewall.net" target="_top">
</a> </p>
@ -61,17 +76,16 @@
<div align="center"><a
href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div>
<br> <div align="center"><a href="http://1.3/index.htm" target="_top"><font
color="#ffffff">Shorewall 1.3 Site is here</font></a>                  
            <br>
</td> </div>
</td>
</tr> </tr>
@ -92,11 +106,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%">
<td width="90%">
@ -120,10 +135,12 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall <p>The Shoreline Firewall, more commonly known as "Shorewall", is
that can be used on a dedicated firewall system, a multi-function a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
gateway/router/server or on a standalone GNU/Linux system.</p> firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
@ -137,27 +154,28 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms it under the
of <a href="http://www.gnu.org/licenses/gpl.html">Version terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free Software 2 of the GNU General Public License</a> as published by the Free
Foundation.<br> Software Foundation.<br>
<br> <br>
This program is distributed This program is distributed
in the hope that it will be useful, but in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A warranty of MERCHANTABILITY or FITNESS FOR
PARTICULAR PURPOSE. See the GNU General Public License A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br> for more details.<br>
<br> <br>
You should have received
a copy of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
You should have received
a copy of the GNU General Public License
along with this program; if not, write to the
Free Software Foundation, Inc., 675 Mass
Ave, Cambridge, MA 02139, USA</p>
@ -183,165 +201,165 @@ Ave, Cambridge, MA 02139, USA</p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and </a>Jacques Nilo
Eric Wolzak have a LEAF (router/firewall/gateway and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution called on a floppy, CD or compact flash) distribution
<i>Bering</i> that features Shorewall-1.3.14 called <i>Bering</i> that features
and Kernel-2.4.20. You can find their work at: Shorewall-1.3.14 and Kernel-2.4.20. You can find
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> their work at: <a
</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.1!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>News</h2> <h2>News</h2>
<p><b>3/17/2003 - Shorewall 1.4.0 </b><b> </b><b><img
<h2></h2>
<p><b>3/7/2003 - Shorewall 1.4.0 RC2 </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b><b> </b></p> </b><b> </b></p>
Shorewall 1.4 represents Shorewall 1.4 represents
the next step in the evolution of Shorewall. The main thrust of the initial the next step in the evolution of Shorewall. The main thrust of the
release is simply to remove the cruft that has accumulated in Shorewall initial release is simply to remove the cruft that has accumulated in
over time. <br> Shorewall over time. <br>
<br> <br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package <b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
('ip' utility).</b><br> ('ip' utility).</b><br>
<br> <br>
Function from 1.3 that has been omitted from this version include:<br> Function from 1.3 that has been omitted from this version
include:<br>
<ol> <ol>
<li>The MERGE_HOSTS variable in shorewall.conf is no <li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br> Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<br> <br>
</li> </li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; <li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate an error.<br> in /etc/shorewall/interfaces now generate an error.<br>
<br> <br>
</li> </li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. <li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup as will specification OLD_PING_HANDLING=Yes will generate an error at startup as will specification
of the 'noping' or 'filterping' interface options.<br> of the 'noping' or 'filterping' interface options.<br>
<br> <br>
</li> </li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces <li>The 'routestopped' option in the /etc/shorewall/interfaces
and /etc/shorewall/hosts files is no longer supported and will generate and /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.<br> an error at startup if specified.<br>
<br> <br>
</li> </li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
no longer accepted.<br> longer accepted.<br>
<br> <br>
</li> </li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer <li>The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br> supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br> <br>
</li> </li>
<li>The icmp.def file has been removed.<br> <li>The icmp.def file has been removed.<br>
</li> </li>
</ol> </ol>
Changes for 1.4 include:<br> Changes for 1.4 include:<br>
<ol> <ol>
<li>The /etc/shorewall/shorewall.conf file has been completely <li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br> reorganized into logical sections.<br>
<br> <br>
</li> </li>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br> <li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br> <br>
</li> </li>
<li>The firewall script, common functions file and version file <li>The firewall script, common functions file and version file
are now installed in /usr/share/shorewall.<br> are now installed in /usr/share/shorewall.<br>
<br> <br>
</li> </li>
<li>Late arriving DNS replies are now silently dropped in the <li>Late arriving DNS replies are now silently dropped in the
common chain by default.<br> common chain by default.<br>
<br> <br>
</li> </li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall <li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you 1.4 no longer unconditionally accepts outbound ICMP packets. So if
want to 'ping' from the firewall, you will need the appropriate rule or you want to 'ping' from the firewall, you will need the appropriate rule
policy.<br> or policy.<br>
<br> <br>
</li> </li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br> <li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br> <br>
</li> </li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i> <li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br> now support the 'maclist' option.<br>
<br> <br>
</li> </li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168) <li value="8">Explicit Congestion Notification (ECN - RFC 3168)
may now be turned off on a host or network basis using the new /etc/shorewall/ecn may now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br> file. To use this facility:<br>
<br> <br>
   a) You must be running kernel 2.4.20<br> a) You must be running kernel 2.4.20<br>
   b) You must have applied the patch in<br> b) You must have applied the patch in<br>
   http://www.shorewall/net/pub/shorewall/ecn/patch.<br> http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
   c) You must have iptables 1.2.7a installed.<br> c) You must have iptables 1.2.7a installed.<br>
<br> <br>
</li> </li>
<li>The /etc/shorewall/params file is now processed first so that <li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.</li> variables may be used in the /etc/shorewall/shorewall.conf file.<br>
<br>
</li>
<li value="10">Shorewall now gives a more helpful diagnostic when
the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
command is issued.<br>
<br>
</li>
<li>The SHARED_DIR variable has been removed from shorewall.conf.
This variable was for use by package maintainers and was not documented
for general use.<br>
<br>
</li>
<li>Shorewall now ignores 'default' routes when detecting masq'd
networks.<br>
</li>
</ol> </ol>
You may download the release candidate from:<br> <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top"></a>
<p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>A roleup of the following bug fixes and other updates:</p>
<ul>
<li>There is an updated rfc1918 file that reflects the resent
allocation of 222.0.0.0/8 and 223.0.0.0/8.</li>
<li>The documentation for the routestopped file claimed that a
comma-separated list could appear in the second column while the code
only supported a single host or network address.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were
not rate-limited. 802.11b devices with names of the form <i>wlan</i>&lt;n&gt;
don't support the 'maclist' interface option.</li>
<li>Log messages generated by RFC 1918 filtering are not rate
limited.</li>
<li>The firewall fails to start in the case
where you have "eth0 eth1" in /etc/shorewall/masq and the default route
is through eth1.</li>
</ul>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p> <p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
@ -350,165 +368,143 @@ may now be turned off on a host or network basis using the new /etc/shorewall/e
<ol> <ol>
<li>An OLD_PING_HANDLING option has been added to shorewall.conf. <li>An OLD_PING_HANDLING option has been added
When set to Yes, Shorewall ping handling is as it has always been (see to shorewall.conf. When set to Yes, Shorewall ping handling is
http://www.shorewall.net/ping.html).<br> as it has always been (see http://www.shorewall.net/ping.html).<br>
<br> <br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via When OLD_PING_HANDLING=No, icmp echo (ping) is handled
rules and policies just like any other connection request. The FORWARDPING=Yes via rules and policies just like any other connection request.
option in shorewall.conf and the 'noping' and 'filterping' options The FORWARDPING=Yes option in shorewall.conf and the 'noping' and
in /etc/shorewall/interfaces will all generate an error.<br> 'filterping' options in /etc/shorewall/interfaces will all generate
<br> an error.<br>
</li> <br>
<li>It is now possible to direct Shorewall to create a </li>
"label" such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes <li>It is now possible to direct Shorewall to create
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead a "label" such as "eth0:0" for IP addresses that it creates under
of just the interface name:<br> ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
 <br> the label instead of just the interface name:<br>
   a) In the INTERFACE column of /etc/shorewall/masq<br> <br>
   b) In the INTERFACE column of /etc/shorewall/nat<br> a) In the INTERFACE column of /etc/shorewall/masq<br>
 </li> b) In the INTERFACE column of /etc/shorewall/nat<br>
<li>Support for OpenVPN Tunnels.<br> </li>
<br> <li>Support for OpenVPN Tunnels.<br>
</li> <br>
<li>Support for VLAN devices with names of the form $DEV.$VID
(e.g., eth0.0)<br>
<br>
</li>
<li>In /etc/shorewall/tcrules, the MARK value may be optionally
followed by ":" and either 'F' or 'P' to designate that the marking will
occur in the FORWARD or PREROUTING chains respectively. If this additional
specification is omitted, the chain used to mark packets will be determined
by the setting of the MARK_IN_FORWARD_CHAIN option in <a
href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
</li>
<li>When an interface name is entered in the SUBNET column
of the /etc/shorewall/masq file, Shorewall previously masqueraded traffic
from only the first subnet defined on that interface. It did not masquerade
traffic from:<br>
 <br>
   a) The subnets associated with other addresses on the
interface.<br>
   b) Subnets accessed through local routers.<br>
 <br>
Beginning with Shorewall 1.3.14, if you enter an interface
name in the SUBNET column, shorewall will use the firewall's routing
table to construct the masquerading/SNAT rules.<br>
 <br>
Example 1 -- This is how it works in 1.3.14.<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>  [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
<pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
 <br>
When upgrading to Shorewall 1.3.14, if you have multiple
local subnets connected to an interface that is specified in the
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
file will need changing. In most cases, you will simply be able to remove
redundant entries. In some cases though, you might want to change from
using the interface name to listing specific subnetworks if the change
described above will cause masquerading to occur on subnetworks that you
don't wish to masquerade.<br>
 <br>
Example 2 -- Suppose that your current config is as follows:<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>
   In this case, the second entry in /etc/shorewall/masq
is no longer required.<br>
 <br>
Example 3 -- What if your current configuration is like this?<br>
 <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>
   In this case, you would want to change the entry in  /etc/shorewall/masq
to:<br>
<pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li> </li>
<li>Support for VLAN devices with names of the
form $DEV.$VID (e.g., eth0.0)<br>
<br>
</li>
<li>In /etc/shorewall/tcrules, the MARK value may
be optionally followed by ":" and either 'F' or 'P' to designate that
the marking will occur in the FORWARD or PREROUTING chains respectively.
If this additional specification is omitted, the chain used to mark packets
will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
</li>
<li>When an interface name is entered in the SUBNET
column of the /etc/shorewall/masq file, Shorewall previously masqueraded
traffic from only the first subnet defined on that interface. It
did not masquerade traffic from:<br>
<br>
a) The subnets associated with other addresses
on the interface.<br>
b) Subnets accessed through local routers.<br>
<br>
Beginning with Shorewall 1.3.14, if you enter an interface
name in the SUBNET column, shorewall will use the firewall's routing
table to construct the masquerading/SNAT rules.<br>
<br>
Example 1 -- This is how it works in 1.3.14.<br>
<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br></pre>
<pre> [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
<br>
When upgrading to Shorewall 1.3.14, if you have multiple
local subnets connected to an interface that is specified in the
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
file will need changing. In most cases, you will simply be able to remove
redundant entries. In some cases though, you might want to change from
using the interface name to listing specific subnetworks if the change
described above will cause masquerading to occur on subnetworks that you
don't wish to masquerade.<br>
<br>
Example 2 -- Suppose that your current config is as
follows:<br>
<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
<br>
In this case, the second entry in /etc/shorewall/masq
is no longer required.<br>
<br>
Example 3 -- What if your current configuration is
like this?<br>
<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
<br>
In this case, you would want to change the entry
in /etc/shorewall/masq to:<br>
<pre> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li>
</ol> </ol>
<br> <br>
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b> <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
</b></p> </b></p>
Webmin version 1.060 now has Shorewall support included as Webmin version 1.060 now has Shorewall support included
standard. See <a href="http://www.webmin.com">http://www.webmin.com</a>.<b> as standard. See <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>
</b> </b>
<p><b></b></p>
<p><b></b></p>
<ul>
</ul>
<p><b></b><a href="News.htm">More News</a></p>
<p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" <td width="88"
bgcolor="#4b017c" valign="top" align="center"> <a bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td> href="http://sourceforge.net">M</a></td>
</tr> </tr>
@ -519,9 +515,9 @@ standard. See <a href="http://www.webmin.com">http://www.webmin.com<
</table> </table>
</center> </center>
</div> </div>
@ -530,11 +526,11 @@ standard. See <a href="http://www.webmin.com">http://www.webmin.com<
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
@ -545,11 +541,12 @@ standard. See <a href="http://www.webmin.com">http://www.webmin.com<
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
  </a></p> </a></p>
@ -561,15 +558,16 @@ standard. See <a href="http://www.webmin.com">http://www.webmin.com<
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td> <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</tr> </td>
</tr>
@ -583,12 +581,9 @@ Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br>
<br>
</body> </body>
</html> </html>

61
STABLE/documentation/shorewall_extension_scripts.htm
View File

@ -19,16 +19,16 @@
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Extension Scripts</font></h1> <h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -41,14 +41,15 @@ placed in /etc/shorewall and are processed using the Bourne shell "source"
mechanism. The following scripts can be supplied:</p> mechanism. The following scripts can be supplied:</p>
<ul> <ul>
<li>init -- invoked early in "shorewall start" and "shorewall restart"</li> <li>init -- invoked early in "shorewall start" and "shorewall
<li>start -- invoked after the firewall has been started or restarted.</li> restart"</li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li> <li>start -- invoked after the firewall has been started or restarted.</li>
<li>stopped -- invoked after the firewall has been stopped.</li> <li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li> <li>stopped -- invoked after the firewall has been stopped.</li>
<li>refresh -- invoked while the firewall is being refreshed but before <li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but before
the common and/or blacklst chains have been rebuilt.</li> the common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' <li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
chain has been created but before any rules have been added to it.</li> chain has been created but before any rules have been added to it.</li>
</ul> </ul>
@ -58,10 +59,11 @@ chain has been created but before any rules have been added to it.</li>
<p><u><b>If your version of Shorewall doesn't have the file that you want <p><u><b>If your version of Shorewall doesn't have the file that you want
to use from the above list, you can simply create the file yourself.</b></u></p> to use from the above list, you can simply create the file yourself.</b></u></p>
<p> You can also supply a script with the same name as any of the filter <p> You can also supply a script with the same name as any of the filter
chains in the firewall and the script will be invoked after the /etc/shorewall/rules chains in the firewall and the script will be invoked after the /etc/shorewall/rules
file has been processed but before the /etc/shorewall/policy file has been file has been processed but before the /etc/shorewall/policy file has
processed.</p> been processed.</p>
@ -76,16 +78,16 @@ for making your own customized file.</p>
<p> Rather than running iptables directly, you should run it using the <p> Rather than running iptables directly, you should run it using the
function run_iptables. Similarly, rather than running "ip" directly, function run_iptables. Similarly, rather than running "ip" directly,
you should use run_ip. These functions accept the same arguments as the you should use run_ip. These functions accept the same arguments as the
underlying command but cause the firewall to be stopped if an error occurs underlying command but cause the firewall to be stopped if an error occurs
during processing of the command.</p> during processing of the command.</p>
<p> If you decide to create /etc/shorewall/common it is a good idea to <p> If you decide to create /etc/shorewall/common it is a good idea to use
use the following technique</p> the following technique</p>
@ -98,7 +100,7 @@ use the following technique</p>
<blockquote> <blockquote>
<pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre> <pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
</blockquote> </blockquote>
<p>If you need to supercede a rule in the released common.def file, you can <p>If you need to supercede a rule in the released common.def file, you can
add the superceding rule before the '.' command. Using this technique allows add the superceding rule before the '.' command. Using this technique allows
@ -113,21 +115,12 @@ if the policy is ACCEPT or CONTINUE.</p>
<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will <p align="left"><font size="2">Last updated 2/18/2003 - <a
be rejected by the firewall. It is recommended with this setting that you
create the file /etc/shorewall/icmpdef and in it place the following commands:</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT<br></pre>
<p align="left"><font size="2">Last updated 12/22/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
M. Eastep</font></a></p> Thomas M. Eastep</font></a></p>
<br> <br>
<br>
</body> </body>
</html> </html>

54
STABLE/documentation/shorewall_prerequisites.htm
View File

@ -17,52 +17,52 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
Shorewall Requires:<br> Shorewall Requires:<br>
<ul> <ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6. <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6.
<a href="kernel.htm"> Check here for kernel configuration <a href="kernel.htm"> Check here for kernel configuration information.</a>
information.</a> If you are looking for a firewall for use with 2.2 If you are looking for a firewall for use with 2.2 kernels, <a
kernels, <a href="http://seawall.sf.net"> see the Seattle Firewall href="http://seawall.sf.net"> see the Seattle Firewall site</a>
site</a> .</li> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a <li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4 upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
is available <a is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a> href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. </li> and in the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Some features require iproute ("ip" utility). The iproute package <li>Iproute ("ip" utility). The iproute package is included with
is included with most distributions but may not be installed by default. most distributions but may not be installed by default. The official
The official download site is <a download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> <font target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>. </li>
</li> <li>A Bourne shell or derivative such as bash or ash. This shell must
<li>A Bourne shell or derivative such as bash or ash. This shell must have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i> }, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i> } and ${<i>variable</i>##<i>pattern</i>}.</li>
} and ${<i>variable</i>##<i>pattern</i>}.</li> <li>The firewall monitoring display is greatly improved if you have
<li>The firewall monitoring display is greatly improved if you have
awk (gawk) installed.</li> awk (gawk) installed.</li>
</ul> </ul>
<p align="left"><font size="2">Last updated 11/10/2002 - <a <p align="left"><font size="2">Last updated 2/21/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
<br> <br>
<br> <br>
</body> </body>

328
STABLE/documentation/shorewall_quickstart_guide.htm
View File

@ -2,17 +2,22 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title> <title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -20,288 +25,297 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br> (HOWTO's)<br>
Version 3.1</font></h1> Version 4.0</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that <p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.<br> we must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br> The French Translations are courtesy of Patrice Vetsel<br>
</p> </p>
<h2>The Guides</h2> <h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall <p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p> in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p> <p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> Linux System <li><a href="standalone.htm">Standalone</a> Linux
(<a href="standalone_fr.html">Version Française</a>)</li> System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a> Linux <li><a href="two-interface.htm">Two-interface</a>
System acting as a firewall/router for a small local network (<a Linux System acting as a firewall/router for a small local network
href="two-interface_fr.html">Version Française</a>)</li> (<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a> <li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local network Linux System acting as a firewall/router for a small local network
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li> and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul> </ul>
<p>The above guides are designed to get your first firewall up and running <p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p> quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about public IP addresses involved or if you want to learn more about
Shorewall than is explained in the single-address guides above.</b></p> Shorewall than is explained in the single-address guides above.</b></p>
<ul> <ul>
<li><a <li><a
href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li> href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 <li><a
Shorewall Concepts</a></li> href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 <li><a
Network Interfaces</a></li> href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 <li><a
Addressing, Subnets and Routing</a> href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 <li><a
IP Addresses</a></li> href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li> href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 <li><a
Routing</a></li> href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address <li><a href="shorewall_setup_guide.htm#ARP">4.4
Resolution Protocol</a></li> Address Resolution Protocol</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 <li><a
RFC 1918</a></li> href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 <li><a href="shorewall_setup_guide.htm#Options">5.0
Setting up your Network</a> Setting up your Network</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 <li><a
Routed</a></li> href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 <li><a
Non-routed</a> href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 <li><a
SNAT</a></li> href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 <li><a
DNAT</a></li> href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li> href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 <li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li> Static NAT</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 <li><a href="shorewall_setup_guide.htm#Rules">5.3
Rules</a></li> Rules</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li> href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li> <li><a href="shorewall_setup_guide.htm#DNS">6.0
<li><a DNS</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li> Stopping the Firewall</a></li>
</ul> </ul>
<h2><a name="Documentation"></a>Documentation Index</h2> <h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements <p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before trying described above</b>. Please review the appropriate guide before
to use this documentation directly.</p> trying to use this documentation directly.</p>
<ul> <ul>
<li><a href="Shorewall_and_Aliased_Interfaces.html">Aliased <li><a
(virtual) Interfaces (e.g., eth0:0)</a><br> href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
</li> (e.g., eth0:0)</a><br>
<li><a href="blacklisting_support.htm">Blacklisting</a> </li>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul> <ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li> <li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul> </ul>
</li> </li>
<li><a href="configuration_file_basics.htm">Common configuration <li><a href="configuration_file_basics.htm">Common
file features</a> configuration file features</a>
<ul> <ul>
<li><a <li><a
href="configuration_file_basics.htm#Comments">Comments in configuration href="configuration_file_basics.htm#Comments">Comments in configuration
files</a></li> files</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li> href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a href="configuration_file_basics.htm#Ports">Port <li><a
Numbers/Service Names</a></li> href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Ranges">Port Ranges</a></li> href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li> href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
<li><a <li><a
href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br> href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br>
</li> </li>
<li><a <li><a
href="configuration_file_basics.htm#Compliment">Complementing an IP address href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li> or Subnet</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations (making href="configuration_file_basics.htm#Configs">Shorewall Configurations (making
a test configuration)</a></li> a test configuration)</a></li>
<li><a href="configuration_file_basics.htm#MAC">Using <li><a
MAC Addresses in Shorewall</a></li> href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul> </ul>
</li> </li>
<li><a href="Documentation.htm">Configuration File Reference <li><a href="Documentation.htm">Configuration File
Manual</a> Reference Manual</a>
<ul> <ul>
<li> <a href="Documentation.htm#Variables">params</a></li> <li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li> href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li> href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Hosts">hosts</a></font></li> href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Policy">policy</a></font></li> href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Rules">rules</a></font></li> href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li> <li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Masq">masq</a></font></li> href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li> href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#NAT">nat</a></font></li> href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li> href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li> <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li> href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li> <li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li> <li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li> <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li> <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li> <li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul> </ul>
</li> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How
to extend Shorewall without modifying Shorewall code)</li> to extend Shorewall without modifying Shorewall code through the use of
<li><a href="fallback.htm">Fallback/Uninstall</a></li> files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
<li><a href="shorewall_firewall_structure.htm">Firewall etc.)</li>
Structure</a></li> <li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel <li><a href="shorewall_firewall_structure.htm">Firewall
Configuration</a></font></li> Structure</a></li>
<li><a href="shorewall_logging.html">Logging</a><br> <li><font color="#000099"><a href="kernel.htm">Kernel
</li> Configuration</a></font></li>
<li><a href="MAC_Validation.html">MAC Verification</a><br> <li><a href="shorewall_logging.html">Logging</a><br>
</li> </li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally <li><a href="MAC_Validation.html">MAC Verification</a><br>
use Shorewall)</li> </li>
<li><a href="ping.html">'Ping' Management</a><br> <li><a href="myfiles.htm">My Shorewall Configuration
</li> (How I personally use Shorewall)</a><br>
<li><a href="ports.htm">Port Information</a> </li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul> <ul>
<li>Which applications use which ports</li> <li>Which applications use which ports</li>
<li>Ports used by Trojans</li> <li>Ports used by Trojans</li>
</ul> </ul>
</li> </li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li> <li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li> <li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li> href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul> <ul>
<li>Description of all /sbin/shorewall commands</li> <li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br> <li>How to safely test a Shorewall configuration change<br>
</li> </li>
</ul> </ul>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li> <li><font color="#000099"><a href="NAT.htm">Static
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy NAT</a></font></li>
with Shorewall</a><br> <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent
</li> Proxy with Shorewall</a><br>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li> </li>
<li>VPN <li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li>VPN
<ul> <ul>
<li><a href="IPSEC.htm">IPSEC</a></li> <li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li> <li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="OPENVPN.html">OpenVPN</a><br> <li><a href="OPENVPN.html">OpenVPN</a><br>
</li> </li>
<li><a href="PPTP.htm">PPTP</a></li> <li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system <li><a href="VPN.htm">IPSEC/PPTP</a> from a system
behind your firewall to a remote network.</li> behind your firewall to a remote network.</li>
</ul> </ul>
</li> </li>
<li><a href="whitelisting_under_shorewall.htm">White <li><a href="whitelisting_under_shorewall.htm">White
List Creation</a></li> List Creation</a></li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 3/12/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M. <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br> Eastep</font></a><br>
</p> </p>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

3146
STABLE/documentation/shorewall_setup_guide.htm
View File

File diff suppressed because it is too large Load Diff

470
STABLE/documentation/sourceforge_index.htm
View File

@ -17,7 +17,7 @@
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -28,11 +28,11 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
height="90"> height="90">
@ -49,8 +49,8 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font </a></i></font><font
color="#ffffff">Shorewall 1.3 - <font color="#ffffff">Shorewall 1.4 - <font
size="4">"<i>iptables made easy"</i></font></font><a size="4">"<i>iptables made easy"</i></font></font><a
href="http://www.sf.net"> </a></h1> href="http://www.sf.net"> </a></h1>
@ -64,11 +64,13 @@
<div align="center"><a href="/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a></div>
</td> <div align="center"><a href="/1.3/index.html" target="_top"><font
</tr> color="#ffffff">Shorewall 1.3 Site here</font></a></div>
</td>
</tr>
@ -87,11 +89,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%">
<td width="90%">
@ -118,10 +121,10 @@
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is <p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall system, based firewall that can be used on a dedicated firewall system,
a multi-function gateway/router/server or on a standalone GNU/Linux a multi-function gateway/router/server or on a standalone
system.</p> GNU/Linux system.</p>
@ -136,27 +139,27 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms it under the
of <a href="http://www.gnu.org/licenses/gpl.html">Version terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free Software 2 of the GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed This program is distributed
in the hope that it will be useful, but in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A warranty of MERCHANTABILITY or FITNESS FOR
PARTICULAR PURPOSE. See the GNU General Public License A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br> for more details.<br>
<br> <br>
You should have received You should have received
a copy of the GNU General Public License a copy of the GNU General Public License
along with this program; if not, write to along with this program; if not, write
the Free Software Foundation, Inc., 675 to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p> Mass Ave, Cambridge, MA 02139, USA</p>
@ -187,17 +190,17 @@
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo </a>Jacques
and Eric Wolzak have a LEAF (router/firewall/gateway Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to <b>Congratulations
Jacques and Eric on the recent release of Bering 1.1!!! to Jacques and Eric on the recent release of Bering
<br> 1.1!!! <br>
</b> </b>
@ -219,100 +222,135 @@ Jacques and Eric on the recent release of Bering 1.1!!!
<p><b>3/7/2003 - Shorewall 1.4.0 RC2  </b><b> </b><b><img <p><b>3/17/2003 - Shorewall 1.4.0  </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b><b> </b></p>  </b><b> </b></p>
Shorewall 1.4 represents Shorewall 1.4 represents
the next step in the evolution of Shorewall. The main thrust of the initial the next step in the evolution of Shorewall. The main thrust of the
release is simply to remove the cruft that has accumulated in Shorewall initial release is simply to remove the cruft that has accumulated in
over time. <br> Shorewall over time. <br>
<br> <br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package <b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
('ip' utility).</b><br> ('ip' utility).</b><br>
<br> <br>
Function from 1.3 that has been omitted from this version include:<br> Function from 1.3 that has been omitted from this version
include:<br>
<ol> <ol>
<li>The MERGE_HOSTS variable in shorewall.conf is no <li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br> Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<br> <br>
</li> </li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; <li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate an error.<br> in /etc/shorewall/interfaces now generate an error.<br>
<br> <br>
</li> </li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. <li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup as will specification OLD_PING_HANDLING=Yes will generate an error at startup as will specification
of the 'noping' or 'filterping' interface options.<br> of the 'noping' or 'filterping' interface options.<br>
<br> <br>
</li> </li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces <li>The 'routestopped' option in the /etc/shorewall/interfaces
and /etc/shorewall/hosts files is no longer supported and will generate and /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.<br> an error at startup if specified.<br>
<br> <br>
</li> </li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
no longer accepted.<br> longer accepted.<br>
<br> <br>
</li> </li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer <li>The ALLOWRELATED variable in shorewall.conf is no longer supported.
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br> Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br>
</li>
<li>The icmp.def file has been removed.<br>
</li>
</ol>
Changes for 1.4 include:<br>
<ol>
<li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br>
<br>
</li>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>The firewall script, common functions file and version file
are now installed in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in the
common chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
want to 'ping' from the firewall, you will need the appropriate rule or
policy.<br>
<br>
</li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br>
<br>
</li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168)
may now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<br>
   a) You must be running kernel 2.4.20<br>
   b) You must have applied the patch in<br>
   http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
   c) You must have iptables 1.2.7a installed.<br>
<br> <br>
</li> </li>
<li>The icmp.def file has been removed.<br> <li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
<br>
</li> </li>
<li value="10">Shorewall now gives a more helpful diagnostic when
the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
command is issued.<br>
<br>
</li>
<li>The SHARED_DIR variable has been removed from shorewall.conf.
This variable was for use by package maintainers and was not documented
for general use.<br>
<br>
</li>
<li>Shorewall now ignores 'default' routes when detecting masq'd
networks.<br>
</li>
</ol> </ol>
Changes for 1.4 include:<br> <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top"></a>
<p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<ol> <p>A roleup of the following bug fixes and other updates:</p>
<li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br>
<br>
</li>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>The firewall script, common functions file and version file
are now installed in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in the
common chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
want to 'ping' from the firewall, you will need the appropriate rule or
policy.<br>
<br>
</li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br>
<br>
</li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168)
may now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<br>
   a) You must be running kernel 2.4.20<br>
   b) You must have applied the patch in<br>
   http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
   c) You must have iptables 1.2.7a installed.<br>
<br>
</li>
<li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.</li>
</ol> <ul>
You may download the Release Candidate from:<br> <li>There is an updated rfc1918 file that reflects the resent
allocation of 222.0.0.0/8 and 223.0.0.0/8. </li>
<li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a
single host or network address. </li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were
not rate-limited. </li>
<li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt;
don't support the 'maclist' interface option. </li>
<li>Log messages generated by RFC 1918 filtering are not rate limited. </li>
<li>The firewall fails to start in the case where you have "eth0
eth1" in /etc/shorewall/masq and the default route is through eth1
</li>
</ul>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p> <p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
@ -321,53 +359,54 @@ may now be turned off on a host or network basis using the new /etc/shorewall/e
<ol> <ol>
<li>An OLD_PING_HANDLING option has been added to shorewall.conf. <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
When set to Yes, Shorewall ping handling is as it has always been When set to Yes, Shorewall ping handling is as it has always been
(see http://www.shorewall.net/ping.html).<br> (see http://www.shorewall.net/ping.html).<br>
<br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled
via rules and policies just like any other connection request. The
FORWARDPING=Yes option in shorewall.conf and the 'noping' and 'filterping'
options in /etc/shorewall/interfaces will all generate an error.<br>
<br>
</li>
<li>It is now possible to direct Shorewall to create
a "label" such as  "eth0:0" for IP addresses that it creates under
ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
the label instead of just the interface name:<br>
 <br>
   a) In the INTERFACE column of /etc/shorewall/masq<br>
   b) In the INTERFACE column of /etc/shorewall/nat<br>
 </li>
<li>Support for OpenVPN Tunnels.<br>
<br> <br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via </li>
rules and policies just like any other connection request. The FORWARDPING=Yes <li>Support for VLAN devices with names of the form
option in shorewall.conf and the 'noping' and 'filterping' options $DEV.$VID (e.g., eth0.0)<br>
in /etc/shorewall/interfaces will all generate an error.<br> <br>
</li>
<li>In /etc/shorewall/tcrules, the MARK value may be
optionally followed by ":" and either 'F' or 'P' to designate that the
marking will occur in the FORWARD or PREROUTING chains respectively.
If this additional specification is omitted, the chain used to mark packets
will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br> <br>
</li> </li>
<li>It is now possible to direct Shorewall to create a <li>When an interface name is entered in the SUBNET
"label" such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes column of the /etc/shorewall/masq file, Shorewall previously masqueraded
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead traffic from only the first subnet defined on that interface. It
of just the interface name:<br> did not masquerade traffic from:<br>
 <br>  <br>
   a) In the INTERFACE column of /etc/shorewall/masq<br>    a) The subnets associated with other addresses on the
   b) In the INTERFACE column of /etc/shorewall/nat<br> interface.<br>
 </li>    b) Subnets accessed through local routers.<br>
<li>Support for OpenVPN Tunnels.<br>  <br>
<br> Beginning with Shorewall 1.3.14, if you enter an interface
</li> name in the SUBNET column, shorewall will use the firewall's routing
<li>Support for VLAN devices with names of the form $DEV.$VID table to construct the masquerading/SNAT rules.<br>
(e.g., eth0.0)<br>  <br>
<br> Example 1 -- This is how it works in 1.3.14.<br>
</li>    <br>
<li>In /etc/shorewall/tcrules, the MARK value may be optionally
followed by ":" and either 'F' or 'P' to designate that the marking will
occur in the FORWARD or PREROUTING chains respectively. If this additional
specification is omitted, the chain used to mark packets will be determined
by the setting of the MARK_IN_FORWARD_CHAIN option in <a
href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
</li>
<li>When an interface name is entered in the SUBNET column
of the /etc/shorewall/masq file, Shorewall previously masqueraded traffic
from only the first subnet defined on that interface. It did not masquerade
traffic from:<br>
 <br>
   a) The subnets associated with other addresses on the interface.<br>
   b) Subnets accessed through local routers.<br>
 <br>
Beginning with Shorewall 1.3.14, if you enter an interface
name in the SUBNET column, shorewall will use the firewall's routing
table to construct the masquerading/SNAT rules.<br>
 <br>
Example 1 -- This is how it works in 1.3.14.<br>
   <br>
@ -380,18 +419,18 @@ table to construct the masquerading/SNAT rules.<br>
<pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre> <pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
 <br>  <br>
When upgrading to Shorewall 1.3.14, if you have multiple local When upgrading to Shorewall 1.3.14, if you have multiple
subnets connected to an interface that is specified in the SUBNET column local subnets connected to an interface that is specified in the
of an /etc/shorewall/masq entry, your /etc/shorewall/masq file will SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
need changing. In most cases, you will simply be able to remove redundant file will need changing. In most cases, you will simply be able to remove
entries. In some cases though, you might want to change from using the redundant entries. In some cases though, you might want to change from
interface name to listing specific subnetworks if the change described using the interface name to listing specific subnetworks if the change described
above will cause masquerading to occur on subnetworks that you don't wish above will cause masquerading to occur on subnetworks that you don't wish
to masquerade.<br> to masquerade.<br>
 <br>  <br>
Example 2 -- Suppose that your current config is as follows:<br> Example 2 -- Suppose that your current config is as follows:<br>
   <br>    <br>
@ -400,12 +439,13 @@ to masquerade.<br>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>  <br>
   In this case, the second entry in /etc/shorewall/masq is    In this case, the second entry in /etc/shorewall/masq
no longer required.<br> is no longer required.<br>
 <br>  <br>
Example 3 -- What if your current configuration is like this?<br> Example 3 -- What if your current configuration is like
 <br> this?<br>
 <br>
@ -414,26 +454,25 @@ to masquerade.<br>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>  <br>
   In this case, you would want to change the entry in  /etc/shorewall/masq    In this case, you would want to change the entry in 
to:<br> /etc/shorewall/masq to:<br>
<pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li> </li>
</ol> </ol>
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b> <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
</b></p> </b></p>
Webmin version 1.060 now has Shorewall support included as Webmin version 1.060 now has Shorewall support included
standard. See <a href="http://www.webmin.com">http://www.webmin.com</a> as standard. See <a href="http://www.webmin.com">http://www.webmin.com</a>
<b> </b> <b> </b>
<p><b></b></p>
@ -452,6 +491,7 @@ standard. See <a href="http://www.webmin.com">http://www.webmin.com<
</ul> </ul>
@ -461,6 +501,7 @@ standard. See <a href="http://www.webmin.com">http://www.webmin.com<
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
@ -486,7 +527,7 @@ standard. See <a href="http://www.webmin.com">http://www.webmin.com<
<h1 align="center"><a href="http://www.sf.net"><img align="left" <h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1> </a></h1>
@ -501,6 +542,7 @@ standard. See <a href="http://www.webmin.com">http://www.webmin.com<
<h2>This site is hosted by the generous folks at <a <h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2> href="http://www.sf.net">SourceForge.net</a> </h2>
@ -513,13 +555,14 @@ standard. See <a href="http://www.webmin.com">http://www.webmin.com<
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" <td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br> bgcolor="#4b017c" valign="top" align="center"> <br>
</td> </td>
</tr>
</tr>
@ -530,9 +573,9 @@ standard. See <a href="http://www.webmin.com">http://www.webmin.com<
</table> </table>
</center> </center>
</div> </div>
@ -541,11 +584,11 @@ standard. See <a href="http://www.webmin.com">http://www.webmin.com<
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
@ -561,7 +604,8 @@ standard. See <a href="http://www.webmin.com">http://www.webmin.com<
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
@ -576,13 +620,13 @@ standard. See <a href="http://www.webmin.com">http://www.webmin.com<
<p align="center"><font size="4" color="#ffffff">Shorewall is free but <p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p> Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
@ -596,12 +640,10 @@ Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

466
STABLE/documentation/standalone.htm
View File

@ -17,12 +17,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90"> id="AutoNumber6" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1> <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -30,45 +30,45 @@
<h2 align="center">Version 2.0.1</h2> <h2 align="center">Version 2.0.1</h2>
<p align="left">Setting up Shorewall on a standalone Linux system is very <p align="left">Setting up Shorewall on a standalone Linux system is very
easy if you understand the basics and follow the documentation.</p> easy if you understand the basics and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of <p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall Shorewall. It rather focuses on what is required to configure Shorewall
in one of its most common configurations:</p> in one of its most common configurations:</p>
<ul> <ul>
<li>Linux system</li> <li>Linux system</li>
<li>Single external IP address</li> <li>Single external IP address</li>
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li> <li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
</ul> </ul>
<p>This guide assumes that you have the iproute/iproute2 package installed <p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check your firewall system. As root, you can use the 'which' command to check
for this program:</p> for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you read through the guide first to familiarize yourself <p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13"> with <img border="0" src="images/BD21298_.gif" width="13" height="13">
.</p> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must     If you edit your configuration files on a Windows system, you
save them as Unix files if your editor supports that option or you must must save them as Unix files if your editor supports that option or you
run them through dos2unix before trying to use them. Similarly, if you must run them through dos2unix before trying to use them. Similarly, if
copy a configuration file from your Windows hard drive to a floppy disk, you copy a configuration file from your Windows hard drive to a floppy
you must run dos2unix against the copy before using it with Shorewall.</p> disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li> Version of dos2unix</a></li>
</ul> </ul>
@ -76,9 +76,9 @@ you must run dos2unix against the copy before using it with Shorewall.</p>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few of /etc/shorewall -- for simple setups, you only need to deal with a few
these as described in this guide. After you have <a of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>, href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
@ -86,24 +86,24 @@ you must run dos2unix against the copy before using it with Shorewall.</p>
during Shorewall installation)</b>.</p> during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions file on your system -- each file contains detailed configuration instructions
and default entries.</p> and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only one set of <i>zones.</i> In the one-interface sample configuration, only
zone is defined:</p> one zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
<tbody> <tbody>
<tr>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr> <tr>
<td><u><b>Name</b></u></td> <td><b>net</b></td>
<td><u><b>Description</b></u></td> <td><b>The Internet</b></td>
</tr> </tr>
<tr>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</tbody> </tbody>
</table> </table>
@ -111,315 +111,315 @@ you must run dos2unix against the copy before using it with Shorewall.</p>
<p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p> <p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall also recognizes the firewall system as its own zone - by default, <p>Shorewall also recognizes the firewall system as its own zone - by default,
the firewall itself is known as <b>fw</b>.</p> the firewall itself is known as <b>fw</b>.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed <p>Rules about what traffic to allow and what traffic to deny are expressed
in terms of zones.</p> in terms of zones.</p>
<ul> <ul>
<li>You express your default policy for connections from one zone <li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li> </a>file.</li>
<li>You define exceptions to those default policies in the <a <li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li> href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul> </ul>
<p>For each connection request entering the firewall, the request is first <p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP  that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common (the the request is first checked against the rules in /etc/shorewall/common
samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has <p>The /etc/shorewall/policy file included with the one-interface sample
the following policies:</p> has the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3"> id="AutoNumber3">
<tbody> <tbody>
<tr>
<td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr> <tr>
<td><u><b>SOURCE ZONE</b></u></td> <td>fw</td>
<td><u><b>DESTINATION ZONE</b></u></td> <td>net</td>
<td><u><b>POLICY</b></u></td> <td>ACCEPT</td>
<td><u><b>LOG LEVEL</b></u></td> <td> </td>
<td><u><b>LIMIT:BURST</b></u></td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>fw</td> <td>net</td>
<td>net</td> <td>all<br>
<td>ACCEPT</td> </td>
<td> </td> <td>DROP</td>
<td> </td> <td>info</td>
</tr> <td> </td>
<tr> </tr>
<td>net</td> <tr>
<td>all<br> <td>all</td>
</td> <td>all</td>
<td>DROP</td> <td>REJECT</td>
<td>info</td> <td>info</td>
<td> </td> <td> </td>
</tr> </tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p>The above policy will:</p> <p>The above policy will:</p>
<ol> <ol>
<li>allow all connection requests from the firewall to the internet</li> <li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your <li>drop (ignore) all connection requests from the internet to your
firewall</li> firewall</li>
<li>reject all other connection requests (Shorewall requires this <li>reject all other connection requests (Shorewall requires this
catchall policy).</li> catchall policy).</li>
</ol> </ol>
<p>At this point, edit your /etc/shorewall/policy and make any changes that <p>At this point, edit your /etc/shorewall/policy and make any changes that
you wish.</p> you wish.</p>
<h2 align="left">External Interface</h2> <h2 align="left">External Interface</h2>
<p align="left">The firewall has a single network interface. Where Internet <p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem"  will be the ethernet adapter (<b>eth0</b>) that is connected to that
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol "Modem"  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling <u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
a <b>ppp0</b>. If you connect via a regular modem, your External Interface Interface will be a <b>ppp0</b>. If you connect via a regular modem, your
will also be <b>ppp0</b>. If you connect using ISDN, your external interface External Interface will also be <b>ppp0</b>. If you connect using ISDN,
will be<b> ippp0.</b></p> your external interface will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    The Shorewall one-interface sample configuration assumes that the     The Shorewall one-interface sample configuration assumes that
external interface is <b>eth0</b>. If your configuration is different, the external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly. you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that are While you are there, you may wish to review the list of options that
specified for the interface. Some hints:</p> are specified for the interface. Some hints:</p>
<ul> <ul>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p> you can replace the "detect" in the second column with "-". </p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the option or if you have a static IP address, you can remove "dhcp" from the
list. </p> option list. </p>
</li> </li>
</ul> </ul>
<div align="left"> <div align="left">
<h2 align="left">IP Addresses</h2> <h2 align="left">IP Addresses</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges <p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges
for use in private networks:</p> for use in private networks:</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div> </div>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i> <p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though, ISPs destination address is reserved by RFC 1918. In some cases though, ISPs
are assigning these addresses then using <i>Network Address Translation are assigning these addresses then using <i>Network Address Translation
</i>to rewrite packet headers when forwarding to/from the internet.</p> </i>to rewrite packet headers when forwarding to/from the internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> width="13" height="13">
     Before starting Shorewall, you should look at the IP address      Before starting Shorewall, you should look at the IP address
of your external interface and if it is one of the above ranges, you should of your external interface and if it is one of the above ranges, you
remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p> should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<h2 align="left">Enabling other Connections</h2>
</div> </div>
<div align="left">
<h2 align="left">Enabling other Connections</h2>
</div>
<div align="left"> <div align="left">
<p align="left">If you wish to enable connections from the internet to your <p align="left">If you wish to enable connections from the internet to your
firewall, the general format is:</p> firewall, the general format is:</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td><i>&lt;protocol&gt;</i></td> <td><u><b>PROTOCOL</b></u></td>
<td><i>&lt;port&gt;</i></td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> </td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server on <p align="left">Example - You want to run a Web Server and a POP3 Server
your firewall system:</p> on your firewall system:</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber5"> id="AutoNumber5">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td>tcp</td> <td><u><b>PROTOCOL</b></u></td>
<td>80</td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>110</td> <td>80</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>110</td>
<td> </td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular
application uses, see <a href="ports.htm">here</a>.</p>
</div> </div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular application
uses, see <a href="ports.htm">here</a>.</p>
</div>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want the internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use SSH:</p> shell access to your firewall from the internet, use SSH:</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td>tcp</td> <td><u><b>PROTOCOL</b></u></td>
<td>22</td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td> </td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    At this point, edit /etc/shorewall/rules to add other connections     At this point, edit /etc/shorewall/rules to add other connections
as desired.</p> as desired.</p>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Starting and Stopping Your Firewall</h2> <h2 align="left">Starting and Stopping Your Firewall</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" <p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow"> width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures     The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot but beginning with Shorewall your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
/etc/shorewall/startup_disabled.<br> </p>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
package must edit /etc/default/shorewall and set 'startup=1'.</font><br> package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
</p> </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">The firewall is started using the "shorewall start" command <p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing and stopped using "shorewall stop". When the firewall is stopped, routing
is enabled on those hosts that have an entry in <a is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command. running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter If you want to totally remove any trace of Shorewall from your Netfilter
configuration, use "shorewall clear".</p> configuration, use "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall and test it using the <a
try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 1/26/2003 - <a <p align="left"><font size="2">Last updated 2/21/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a></p> Thomas M. Eastep</font></a></p>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

359
STABLE/documentation/starting_and_stopping_shorewall.htm
View File

@ -20,18 +20,18 @@
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1> the Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -41,13 +41,13 @@
<p> If you have a permanent internet connection such as DSL or Cable, <p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once I recommend that you start the firewall automatically at boot.
you have installed "firewall" in your init.d directory, simply type Once you have installed "firewall" in your init.d directory, simply
"chkconfig --add firewall". This will start the firewall in run type "chkconfig --add firewall". This will start the firewall
levels 2-5 and stop it in run levels 1 and 6. If you want to configure in run levels 2-5 and stop it in run levels 1 and 6. If you want
your firewall differently from this default, you can use the "--level" to configure your firewall differently from this default, you can
option in chkconfig (see "man chkconfig") or using your favorite use the "--level" option in chkconfig (see "man chkconfig") or using
graphical run-level editor.</p> your favorite graphical run-level editor.</p>
@ -57,17 +57,17 @@
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br> <p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p> </p>
<ol> <ol>
<li>Shorewall startup is disabled by default. Once you have configured <li>Shorewall startup is disabled by default. Once you have
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled. configured your firewall, you can enable startup by removing the file
Note: Users of the .deb package must edit /etc/default/shorewall and /etc/shorewall/startup_disabled. Note: Users of the .deb package must
set 'startup=1'.<br> edit /etc/default/shorewall and set 'startup=1'.<br>
</li> </li>
<li>If you use dialup, you may want to start the firewall in <li>If you use dialup, you may want to start the firewall
your /etc/ppp/ip-up.local script. I recommend just placing "shorewall in your /etc/ppp/ip-up.local script. I recommend just placing
restart" in that script.</li> "shorewall restart" in that script.</li>
</ol> </ol>
@ -78,24 +78,27 @@ set 'startup=1'.<br>
<p> You can manually start and stop Shoreline Firewall using the "shorewall" <p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program: </p> shell program: </p>
<ul> <ul>
<li>shorewall start - starts the firewall</li> <li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li> <li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's <li>shorewall restart - stops the firewall (if it's
running) and then starts it again</li> running) and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters <li>shorewall reset - reset the packet and byte counters
in the firewall</li> in the firewall</li>
<li>shorewall clear - remove all rules and chains <li>shorewall clear - remove all rules and chains
installed by Shoreline Firewall</li> installed by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast <li>shorewall refresh - refresh the rules involving the broadcast
addresses of firewall interfaces and the black and white lists.</li> addresses of firewall interfaces, <a
href="blacklisting_support.htm">the black list</a>, <a
href="traffic_shaping.htm">traffic control rules</a> and <a
href="ECN.html">ECN control rules</a>.</li>
</ul> </ul>
If you include the keyword <i>debug</i> as the first argument, then a If you include the keyword <i>debug</i> as the first argument, then
shell trace of the command is produced as in:<br> a shell trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre> <pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
@ -104,127 +107,138 @@ shell trace of the command is produced as in:<br>
<p>The above command would trace the 'start' command and place the trace <p>The above command would trace the 'start' command and place the trace
information in the file /tmp/trace<br> information in the file /tmp/trace<br>
</p> </p>
<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the <p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
bottom of this page.<br> bottom of this page.<br>
</p> </p>
<p>The "shorewall" program may also be used to monitor the firewall.</p> <p>The "shorewall" program may also be used to monitor the firewall.</p>
<ul> <ul>
<li>shorewall status - produce a verbose report about the firewall <li>shorewall status - produce a verbose report about the
(iptables -L -n -v)</li> firewall (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report about <li>shorewall show <i>chain</i> - produce a verbose report
<i>chain </i>(iptables -L <i>chain</i> -n -v)</li> about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the nat <li>shorewall show nat - produce a verbose report about the
table (iptables -t nat -L -n -v)</li> nat table (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle <li>shorewall show tos - produce a verbose report about the
table (iptables -t mangle -L -n -v)</li> mangle table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li> <li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections <li>shorewall show connections - displays the IP connections
currently being tracked by the firewall.</li> currently being tracked by the firewall.</li>
<li>shorewall <li>shorewall
show show
tc - displays information tc - displays
about the traffic control/shaping configuration.</li> information about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall <li>shorewall monitor [ delay ] - Continuously display the
status, last 20 log entries and nat. When the log entry display firewall status, last 20 log entries and nat. When the log
changes, an audible alarm is sounded.</li> entry display changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall <li>shorewall hits - Produces several reports about the Shorewall
packet log messages in the current /var/log/messages file.</li> packet log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li> <li>shorewall version - Displays the installed version
<li>shorewall check - Performs a <u>cursory</u> validation number.</li>
of the zones, interfaces, hosts, rules and policy files. <font <li>shorewall check - Performs a <u>cursory</u> validation of the
size="4" color="#ff6666"><b>The "check" command does not parse and validate zones, interfaces, hosts, rules and policy files.<br>
the generated iptables commands so even though the "check" command <br>
completes successfully, the configuration may fail to start. See the <font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
recommended way to make configuration changes described below. </b></font> and does not parse and validate the generated iptables commands. Even
</li> though the "check" command completes successfully, the configuration
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> may fail to start. Problem reports that complain about errors that the 'check'
] - Restart shorewall using the specified configuration and if an command does not detect will not be accepted.<br>
error occurs or if the<i> timeout </i> option is given and the new configuration <br>
has been up for that many seconds then shorewall is restarted using See the recommended way to make configuration changes described below.</b></font><br>
the standard configuration.</li> <br>
<li>shorewall deny, shorewall reject, shorewall accept and shorewall </li>
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li> <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the ] - Restart shorewall using the specified configuration and if an
<a href="#Conf">LOGFILE </a>and produces an audible alarm when new error occurs or if the<i> timeout </i> option is given and the new
Shorewall messages are logged.</li> configuration has been up for that many seconds then shorewall is
restarted using the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and
shorewall save implement <a href="blacklisting_support.htm">dynamic
blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors
the <a href="#Conf">LOGFILE </a>and produces an audible alarm when
new Shorewall messages are logged.</li>
</ul> </ul>
Finally, the "shorewall" program may be used to dynamically alter the Finally, the "shorewall" program may be used to dynamically alter
contents of a zone.<br> the contents of a zone.<br>
<ul> <ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
the specified interface (and host if included) to the specified zone.</li> Adds the specified interface (and host if included) to the specified
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
Deletes the specified interface (and host if included) from the specified
zone.</li> zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
Deletes the specified interface (and host if included) from the specified
zone.</li>
</ul> </ul>
<blockquote>Examples:<br> <blockquote>Examples:<br>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font> <blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br> -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font> <font color="#009900"><b> shorewall delete ipsec0:192.0.2.24
-- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br> vpn1</b></font> -- deletes the address 192.0.2.24 from interface ipsec0
</blockquote> from zone vpn1<br>
</blockquote> </blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and <p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and
<b>shorewall try </b>commands allow you to specify which <a <b>shorewall try </b>commands allow you to specify which <a
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a> href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
to use:</p> to use:</p>
<blockquote> <blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br> <p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p> shorewall try <i>configuration-directory</i></p>
</blockquote> </blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall <p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i> is going to use a file in /etc/shorewall it will first look in the
. If the file is present in the <i>configuration-directory</i>, that <i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>,
file will be used; otherwise, the file in /etc/shorewall will be used.</p> that file will be used; otherwise, the file in /etc/shorewall will be
used.</p>
<p> When changing the configuration of a production firewall, I recommend <p> When changing the configuration of a production firewall, I recommend
the following:</p> the following:</p>
<ul> <ul>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li> <li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li> <li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change from /etc/shorewall <li>&lt;copy any files that you need to change from
to . and change them here&gt;</li> /etc/shorewall to . and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li> <li><font color="#009900"><b>/sbin/shorewall
try .</b></font></li>
<li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
</ul> </ul>
<p> If the configuration starts but doesn't work, just "shorewall restart" <p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to to restore the old configuration. If the new configuration fails
start, the "try" command will automatically start the old one for you.</p> to start, the "try" command will automatically start the old one for
you.</p>
@ -236,11 +250,11 @@ start, the "try" command will automatically start the old one for you.</p>
<ul> <ul>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li> <li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cd</b></font></li> <li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li> <li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul> </ul>
@ -248,89 +262,80 @@ start, the "try" command will automatically start the old one for you.</p>
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br> <p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br>
</p> </p>
<div align="center"><img src="images/State_Diagram.png" <div align="center"><img src="images/State_Diagram.png"
alt="(State Diagram)" width="747" height="714" align="middle"> alt="(State Diagram)" width="747" height="714" align="middle">
<br> <br>
</div> </div>
<p>  <br> <p>  <br>
</p> </p>
You will note that the commands that result in state transitions use You will note that the commands that result in state transitions
the word "firewall" rather than "shorewall". That is because the actual transitions use the word "firewall" rather than "shorewall". That is because the actual
are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall on transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
Debian); /sbin/shorewall runs 'firewall" according to the following table:<br> on Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
<br> <br>
<table cellpadding="2" cellspacing="2" border="1"> <table cellpadding="2" cellspacing="2" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top">shorewall start<br> <td valign="top">shorewall start<br>
</td> </td>
<td valign="top">firewall start<br> <td valign="top">firewall start<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall stop<br> <td valign="top">shorewall stop<br>
</td> </td>
<td valign="top">firewall stop<br> <td valign="top">firewall stop<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall restart<br> <td valign="top">shorewall restart<br>
</td> </td>
<td valign="top">firewall restart<br> <td valign="top">firewall restart<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall add<br> <td valign="top">shorewall add<br>
</td> </td>
<td valign="top">firewall add<br> <td valign="top">firewall add<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall delete<br> <td valign="top">shorewall delete<br>
</td> </td>
<td valign="top">firewall delete<br> <td valign="top">firewall delete<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall refresh<br> <td valign="top">shorewall refresh<br>
</td> </td>
<td valign="top">firewall refresh<br> <td valign="top">firewall refresh<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall try<br> <td valign="top">shorewall try<br>
</td> </td>
<td valign="top">firewall -c &lt;new configuration&gt; restart<br> <td valign="top">firewall -c &lt;new configuration&gt; restart<br>
If unsuccessful then firewall start (standard configuration)<br> If unsuccessful then firewall start (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br> If timeout then firewall restart (standard configuration)<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
<p><font size="2"> Updated 2/10/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 2/27/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

521
STABLE/documentation/support.htm
View File

@ -10,20 +10,7 @@
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Support Guide</title> <title>Shorewall Support Guide</title>
<meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -31,18 +18,19 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
@ -50,318 +38,258 @@
</table> </table>
<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions <h2>Before Reporting a Problem or Asking a Question<br>
emailed directly to me, I try to spend some time each day answering questions </h2>
on the Shorewall Users Mailing List and on the Support Forum.</font></big><span There are a number
style="font-weight: 400;"></span></big></b></p> of sources of Shorewall information. Please try these before you post.
<h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
<h1>Before Reporting a Problem</h1>
<i>"Well at least you tried to read the documentation, which is a lot
more than some people on this list appear to do.</i>"<br>
<br>
<div align="center">- Wietse Venema - On the Postfix mailing list<br>
</div>
<br>
There are a number of sources
for problem solution information. Please try these before you
post.
<h3> </h3>
<h3> </h3>
<ul> <ul>
<li>More than half of the questions posted on the <li>More than half of the questions posted
support list have answers directly accessible from the <a on the support list have answers directly accessible from the <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
<br> </li>
</li> <li> The <a
<li> The <a
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems. href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
</li> </li>
</ul> <li> The <a
<h3> </h3>
<ul>
<li> The <a
href="troubleshoot.htm">Troubleshooting</a> Information contains href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems. </li> a number of tips to help you solve common problems.
</li>
</ul> <li> The <a
<h3> </h3>
<ul>
<li> The <a
href="errata.htm"> Errata</a> has links to download updated href="errata.htm"> Errata</a> has links to download updated
components. </li> components. </li>
<li> The Site and Mailing
List Archives search facility can locate documents and posts
about similar problems: </li>
</ul> </ul>
<h3> </h3>
<h2>Site and Mailing List Archive Search</h2>
<blockquote>
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
<option value="title">Title </option>
<option value="revscore">Reverse Score </option>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font><input type="hidden" name="config" value="htdig"><input
type="hidden" name="restrict" value=""><font size="-1"> Include Mailing
List Archives:
<select size="1" name="exclude">
<option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select>
</font><br>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"><br>
</form>
</blockquote>
<h2>Problem Reporting Guidelines<br>
</h2>
<ul> <ul>
<li> The Mailing <li>Please remember we only know what is posted
List Archives search facility can locate posts about similar in your message. Do not leave out any information that appears to
problems: </li> be correct, or was mentioned in a previous post. There have been
countless posts by people who were sure that some part of their
</ul> configuration was correct when it actually contained a small error.
We tend to be skeptics where detail is lacking.<br>
<h2> </h2> <br>
</li>
<h2>Mailing List Archive Search</h2> <li>Please keep in mind that you're asking for
<strong>free</strong> technical support. Any help we offer
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> is an act of generosity, not an obligation. Try to make it easy
for us to help you. Follow good, courteous practices in writing
and formatting your e-mail. Provide details that we need if you expect
<p> <font size="-1"> Match: good answers. <em>Exact quoting </em> of error messages, log entries,
command output, and other output is better than a paraphrase or summary.<br>
<select name="method"> <br>
<option value="and">All </option> </li>
<option value="or">Any </option> <li> Please don't
<option value="boolean">Boolean </option> describe your environment and then ask us to send you
</select> custom configuration files. We're here to answer your
Format: questions but we can't do your job for you.<br>
<br>
</li>
<select name="format"> <li>When reporting a problem, <strong>ALWAYS</strong>
<option value="builtin-long">Long </option> include this information:</li>
<option value="builtin-short">Short </option>
</select>
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
<option value="title">Title </option>
<option value="revscore">Reverse Score </option>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font> <input type="hidden"
name="config" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br>
Search: <input type="text"
size="30" name="words" value=""> <input type="submit" value="Search">
</p>
</form>
<h2>Problem Reporting Guidelines </h2>
<i>"Let me see if I can translate your message into a
real-world example. It would be like saying that you have three
rooms at home, and when you walk into one of the rooms, you detect
this strange smell. Can anyone tell you what that strange smell is?<br>
<br>
Now, all of us could do some wonderful guessing as to
the smell and even what's causing it. You would be absolutely amazed
at the range and variety of smells we could come up with. Even more
amazing is that all of the explanations for the smells would be completely
plausible."<br>
</i><br>
<div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br>
</div>
<br>
<h3> </h3>
<ul>
<li>Please remember we only know what is posted in your message.
Do not leave out any information that appears to be correct, or was
mentioned in a previous post. There have been countless posts by people
who were sure that some part of their configuration was correct when
it actually contained a small error. We tend to be skeptics where detail
is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're asking for <strong>free</strong>
technical support. Any help we offer is an act of generosity, not
an obligation. Try to make it easy for us to help you. Follow good,
courteous practices in writing and formatting your e-mail. Provide
details that we need if you expect good answers. <em>Exact quoting </em>
of error messages, log entries, command output, and other output is better
than a paraphrase or summary.<br>
<br>
</li>
<li> Please don't describe
your environment and then ask us to send you custom
configuration files. We're here to answer your questions but
we can't do your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong> include
this information:</li>
</ul> </ul>
<ul> <ul>
<ul> <ul>
<li>the exact version of Shorewall you are running.<br> <li>the exact version of Shorewall you are running.<br>
<br> <br>
<b><font color="#009900">shorewall version</font><br> <b><font color="#009900">shorewall version</font><br>
</b> <br> </b> <br>
</li> </li>
</ul> </ul>
<ul> <ul>
<li>the exact kernel version you are running<br> <li>the exact kernel version you are running<br>
<br> <br>
<font color="#009900"><b>uname -a<br> <font color="#009900"><b>uname -a<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip addr show<br> <font color="#009900"><b>ip addr show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip route show<br> <font color="#009900"><b>ip route show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>If your kernel is modularized, the exact output from<br> <li>If your kernel is modularized, the exact
<br> output from<br>
<font color="#009900"><b>lsmod</b></font><br> <br>
<br> <font color="#009900"><b>lsmod</b></font><br>
</li> <br>
<li>the exact wording of any <code </li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br> style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br> <br>
</li> </li>
<li>If you installed Shorewall using one of the QuickStart Guides, <li>If you installed Shorewall using one of the QuickStart
please indicate which one. <br> Guides, please indicate which one. <br>
<br> <br>
</li> </li>
<li><b>If you are running Shorewall under Mandrake using the Mandrake <li><b>If you are running Shorewall under Mandrake using
installation of Shorewall, please say so.</b><br> the Mandrake installation of Shorewall, please say so.</b><br>
<br> <br>
</li> </li>
</ul> </ul>
</ul> </ul>
<ul> <ul>
<li><b>NEVER </b>include the output of "<b><font <li><b>NEVER </b>include the output of "<b><font
color="#009900">iptables -L</font></b>". Instead,<font color="#009900">iptables -L</font></b>". Instead,<font
color="#ff0000"><u><i><big> <b>if you are having connection problems of color="#ff0000"><u><i><big> <b>if you are having connection problems of
any kind then:</b></big></i></u></font><br> any kind then:</b></big></i></u></font><br>
<br> <br>
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br> 1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
<br> <br>
2. Try the connection that is failing.<br> 2. Try the connection that is failing.<br>
<br> <br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br> 3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br> <br>
4. Post the /tmp/status.txt file as an attachment.<br> 4. Post the /tmp/status.txt file as an attachment.<br>
<br> <br>
</li> </li>
<li>As a general matter, please <strong>do not edit the diagnostic <li>As a general
information</strong> in an attempt to conceal your IP address, netmask, matter, please <strong>do not edit the diagnostic information</strong>
nameserver addresses, domain name, etc. These aren't secrets, and concealing in an attempt to conceal your IP address, netmask, nameserver addresses,
them often misleads us (and 80% of the time, a hacker could derive domain name, etc. These aren't secrets, and concealing them often
them anyway from information contained in the SMTP headers of your post).<strong></strong></li> misleads us (and 80% of the time, a hacker could derive them anyway
from information contained in the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If so, include
the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you
include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a
trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb so don't post GIFs
of your network layout, etc. to the Mailing
List -- your post will be rejected.</b></li>
</ul> </ul>
<ul> <blockquote>
</ul>
<h3> </h3>
<ul> The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
</ul> found at <a
<h3> </h3>
<ul>
<li> Do you see
any "Shorewall" messages ("<b><font color="#009900">/sbin/shorewall
show log</font></b>") when you exercise the function that
is giving you problems? If so, include the message(s) in your post
along with a copy of your /etc/shorewall/interfaces file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you
include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).
</li>
</ul>
<h3> </h3>
<ul>
</ul>
<h3> </h3>
<ul>
<li> If an error occurs
when you try to "<font color="#009900"><b>shorewall start</b></font>",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions). </li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc. to the Mailing List -- your
post will be rejected.</b></h3>
</li>
</ul>
The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br> href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote>
<h2>Please post in plain text</h2> <h2>When using the mailing list, please post in plain text</h2>
<blockquote>
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy
to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian
way to control spam and that the ultimate losers here are not
the spammers but the list subscribers whose MTAs are bouncing
all shorewall.net mail. As one list subscriber wrote to me privately
"These e-mail admin's need to get a <i>(expletive deleted)</i> life
instead of trying to rid the planet of HTML based e-mail". Nevertheless,
to allow subscribers to receive list posts as must as possible, I have
now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br>
</blockquote>
<blockquote> </blockquote>
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy to
allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the
list subscribers whose MTAs are bouncing all shorewall.net mail. As
one list subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to rid the planet
of HTML based e-mail". Nevertheless, to allow subscribers to receive list
posts as must as possible, I have now configured the list server at shorewall.net
to strip all HTML from outgoing posts.<br>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
@ -370,39 +298,42 @@ to strip all HTML from outgoing posts.<br>
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
mailing list</a>.</span></h4> Users mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi Network <b>If you run Shorewall under MandrakeSoft Multi
Firewall (MNF) and you have not purchased an MNF license from MandrakeSoft Network Firewall (MNF) and you have not purchased an MNF license
then you can post non MNF-specific Shorewall questions to the </b><a from MandrakeSoft then you can post non MNF-specific Shorewall questions
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing to the </b><a href="mailto:shorewall-users@lists.shorewall.net">Shorewall
list</a> or to the <a users mailing list</a>. <b>Do not expect to get free MNF support
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support on the list or forum.</b><br>
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a list</a>.</p>
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support </blockquote>
Forum</a>.</p>
</blockquote>
<p>The Shorewall List Server provides additional information about <a
href="http://lists.shorewall.net/mailing_list.htm">Shorewall Mailing Lists</a>.<br> <p>To Subscribe to the mailing list go to <a
</p> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br>
</p>
<p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
</p>
<p align="left"><font size="2">Last Updated 3/6/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 3/14/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
<br> <br>
</body> </body>
</html> </html>

1453
STABLE/documentation/three-interface.htm
View File

File diff suppressed because it is too large Load Diff

438
STABLE/documentation/traffic_shaping.htm
View File

@ -17,97 +17,99 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1> <h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left">Beginning with version 1.2.0, Shorewall has limited support <p align="left">Shorewall has limited support for traffic shaping/control.
for traffic shaping/control. In order to use traffic shaping under Shorewall, In order to use traffic shaping under Shorewall, it is essential that
it is essential that you get a copy of the <a you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>, and Shaping HOWTO</a>, version 0.3.0 or later.</p>
version 0.3.0 or later. You must also install the iproute (iproute2)
package to provide the "ip" and "tc" utilities.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p> <p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul> <ul>
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf. <li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
Traffic Shaping also requires that you enable packet mangling.</li> Traffic Shaping also requires that you enable packet mangling.</li>
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added in <li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), the in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
setting of this variable determines whether Shorewall clears the traffic the setting of this variable determines whether Shorewall clears the traffic
shaping configuration during Shorewall [re]start and Shorewall stop. <br> shaping configuration during Shorewall [re]start and Shorewall stop. <br>
</li> </li>
<li><b>/etc/shorewall/tcrules</b> - A file where you can specify <li><b>/etc/shorewall/tcrules</b> - A file where you can
firewall marking of packets. The firewall mark value may be used specify firewall marking of packets. The firewall mark value may
to classify packets for traffic shaping/control.<br> be used to classify packets for traffic shaping/control.<br>
</li> </li>
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file that <li><b>/etc/shorewall/tcstart </b>- A user-supplied file
is sourced by Shorewall during "shorewall start" and which you can that is sourced by Shorewall during "shorewall start" and which
use to define your traffic shaping disciplines and classes. I have you can use to define your traffic shaping disciplines and classes.
provided a <a href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> I have provided a <a
that does table-driven CBQ shaping but if you read the traffic shaping href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
sections of the HOWTO mentioned above, you can probably code your table-driven CBQ shaping but if you read the traffic shaping sections
own faster than you can learn how to use my sample. I personally of the HOWTO mentioned above, you can probably code your own faster
use <a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see than you can learn how to use my sample. I personally use <a
below). HTB support may eventually become an integral part of Shorewall href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
HTB support may eventually become an integral part of Shorewall
since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20, since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
HTB is a standard part of the kernel but iproute2 must be patched in HTB is a standard part of the kernel but iproute2 must be patched in
order to use it.<br> order to use it.<br>
<br> <br>
In tcstart, when you want to run the 'tc' utility, use the In tcstart, when you want to run the 'tc' utility, use
run_tc function supplied by shorewall if you want tc errors to stop the run_tc function supplied by shorewall if you want tc errors
the firewall.<br> to stop the firewall.<br>
<br> <br>
You can generally use off-the-shelf traffic shaping scripts by simply You can generally use off-the-shelf traffic shaping scripts by
copying them to /etc/shorewall/tcstart. I use <a simply copying them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version) href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
modified it according to the Wonder Shaper README). <b>WARNING: </b>If and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
you use use Masquerading or SNAT (i.e., you only have one external IP address) you use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb] then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been applied script won't work. Traffic shaping occurs after SNAT has already been
so when traffic shaping happens, all outbound traffic will have as a source applied so when traffic shaping happens, all outbound traffic will have
address the IP addresss of your firewall's external interface.<br> as a source address the IP addresss of your firewall's external interface.<br>
</li> </li>
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file that <li><b>/etc/shorewall/tcclear</b> - A user-supplied file
is sourced by Shorewall when it is clearing traffic shaping. This that is sourced by Shorewall when it is clearing traffic shaping.
file is normally not required as Shorewall's method of clearing qdisc This file is normally not required as Shorewall's method of clearing
and filter definitions is pretty general.</li> qdisc and filter definitions is pretty general.</li>
</ul> </ul>
Shorewall allows you to start traffic shaping when Shorewall itself starts Shorewall allows you to start traffic shaping when Shorewall itself
or it allows you to bring up traffic shaping when you bring up your interfaces.<br> starts or it allows you to bring up traffic shaping when you bring up your
<br> interfaces.<br>
To start traffic shaping when Shorewall starts:<br> <br>
To start traffic shaping when Shorewall starts:<br>
<ol> <ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li> <li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
<li>Supply an /etc/shorewall/tcstart script to configure your traffic <li>Supply an /etc/shorewall/tcstart script to configure your traffic
shaping rules.</li> shaping rules.</li>
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic <li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
shaping. That is usually unnecessary.</li> shaping. That is usually unnecessary.</li>
<li>If your tcstart script uses the 'fwmark' classifier, you can mark <li>If your tcstart script uses the 'fwmark' classifier, you can
packets using entries in /etc/shorewall/tcrules.</li> mark packets using entries in /etc/shorewall/tcrules.</li>
</ol> </ol>
To start traffic shaping when you bring up your network interfaces, you To start traffic shaping when you bring up your network interfaces,
will have to arrange for your traffic shaping configuration script to be run you will have to arrange for your traffic shaping configuration script to
at that time. How you do that is distribution dependent and will not be covered be run at that time. How you do that is distribution dependent and will not
here. You then should:<br> be covered here. You then should:<br>
<ol> <ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li> <li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear scripts.</li> <li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
<li value="4">If your tcstart script uses the 'fwmark' classifier, you scripts.</li>
can mark packets using entries in /etc/shorewall/tcrules.</li> <li value="4">If your tcstart script uses the 'fwmark' classifier,
you can mark packets using entries in /etc/shorewall/tcrules.</li>
</ol> </ol>
@ -117,178 +119,179 @@ here. You then should:<br>
<p align="center"><img border="0" src="images/QoS.png" width="590" <p align="center"><img border="0" src="images/QoS.png" width="590"
height="764"> height="764">
</p> </p>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3> <h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify <p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides packets for traffic shaping. The /etc/shorewall/tcrules file provides
a means for specifying these marks in a tabular fashion.<br> a means for specifying these marks in a tabular fashion.<br>
</p> </p>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before <p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading are packets based on their destination address when SNAT or Masquerading
being used. Beginning with Shorewall 1.3.12, you can cause packet marking are being used. Beginning with Shorewall 1.3.12, you can cause packet
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br> option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p> </p>
<p align="left">Columns in the file are as follows:</p> <p align="left">Columns in the file are as follows:</p>
<ul> <ul>
<li>MARK - Specifies the mark value is to be assigned in case <li>MARK - Specifies the mark value is to be assigned in
of a match. This is an integer in the range 1-255. Beginning with Shorewall case of a match. This is an integer in the range 1-255. Beginning
version 1.3.14, this value may be optionally followed by ":" and either 'F' with Shorewall version 1.3.14, this value may be optionally followed by
or 'P' to designate that the marking will occur in the FORWARD or PREROUTING ":" and either 'F' or 'P' to designate that the marking will occur in the
chains respectively. If this additional specification is omitted, the chain FORWARD or PREROUTING chains respectively. If this additional specification
used to mark packets will be determined by the setting of the MARK_IN_FORWARD_CHAIN is omitted, the chain used to mark packets will be determined by the setting
option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br> of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br> <br>
Example - 5<br> Example - 5<br>
</li> </li>
<li>SOURCE - The source of the packet. If the packet originates <li>SOURCE - The source of the packet. If the packet originates
on the firewall, place "fw" in this column. Otherwise, this is a on the firewall, place "fw" in this column. Otherwise, this is a
comma-separated list of interface names, IP addresses, MAC addresses in comma-separated list of interface names, IP addresses, MAC addresses
<a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br> in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br> <br>
Examples<br> Examples<br>
    eth0<br>     eth0<br>
    192.168.2.4,192.168.1.0/24<br>     192.168.2.4,192.168.1.0/24<br>
</li> </li>
<li>DEST -- Destination of the packet. Comma-separated list <li>DEST -- Destination of the packet. Comma-separated
of IP addresses and/or subnets.<br> list of IP addresses and/or subnets.<br>
</li> </li>
<li>PROTO - Protocol - Must be the name of a protocol from <li>PROTO - Protocol - Must be the name of a protocol from
/etc/protocol, a number or "all"<br> /etc/protocol, a number or "all"<br>
</li> </li>
<li>PORT(S) - Destination Ports. A comma-separated list of <li>PORT(S) - Destination Ports. A comma-separated list
Port names (from /etc/services), port numbers or port ranges (e.g., of Port names (from /etc/services), port numbers or port ranges (e.g.,
21:22); if the protocol is "icmp", this column is interpreted as 21:22); if the protocol is "icmp", this column is interpreted
the destination icmp type(s).<br> as the destination icmp type(s).<br>
</li> </li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. <li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
If omitted, any source port is acceptable. Specified as a comma-separate If omitted, any source port is acceptable. Specified as a comma-separate
list of port names, port numbers or port ranges.</li> list of port names, port numbers or port ranges.</li>
</ul> </ul>
<p align="left">Example 1 - All packets arriving on eth1 should be marked <p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 and eth3 should be marked with 2. with 1. All packets arriving on eth2 and eth3 should be marked with
All packets originating on the firewall itself should be marked with 3.</p> 2. All packets originating on the firewall itself should be marked with
3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>1</td>
<td>eth1</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>2</td>
<td>eth2</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top">2<br>
</td>
<td valign="top">eth3<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">all<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr> <tr>
<td><b>MARK</b></td> <td>3</td>
<td><b>SOURCE</b></td> <td>fw</td>
<td><b>DEST</b></td> <td>0.0.0.0/0</td>
<td><b>PROTO</b></td> <td>all</td>
<td><b>PORT(S)</b></td> <td> </td>
<td><b>CLIENT PORT(S)</b></td> <td> </td>
</tr> </tr>
<tr>
<td>1</td>
<td>eth1</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>2</td>
<td>eth2</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top">2<br>
</td>
<td valign="top">eth3<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">all<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>3</td>
<td>fw</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating <p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked with on the firewall and destined for 155.186.235.151 should be marked with
12.</p> 12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>MARK</b></td> <td><b>MARK</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b>PROTO</b></td> <td><b>PROTO</b></td>
<td><b>PORT(S)</b></td> <td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>CLIENT PORT(S)</b></td>
</tr> </tr>
<tr> <tr>
<td>12</td> <td>12</td>
<td>0.0.0.0/0</td> <td>0.0.0.0/0</td>
<td>155.186.235.151</td> <td>155.186.235.151</td>
<td>47</td> <td>47</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24 <p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
and destined for 155.186.235.151 should be marked with 22.</p> and destined for 155.186.235.151 should be marked with 22.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>MARK</b></td> <td><b>MARK</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b>PROTO</b></td> <td><b>PROTO</b></td>
<td><b>PORT(S)</b></td> <td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>CLIENT PORT(S)</b></td>
</tr> </tr>
<tr> <tr>
<td>22</td> <td>22</td>
<td>192.168.1.0/24</td> <td>192.168.1.0/24</td>
<td>155.186.235.151</td> <td>155.186.235.151</td>
<td>tcp</td> <td>tcp</td>
<td>22</td> <td>22</td>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h3>My Setup<br> <h3>My Setup<br>
</h3> </h3>
<p>While I am currently using the HTB version of <a <p>While I am currently using the HTB version of <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
in the Wondershaper README), I have also run with the following set of in the Wondershaper README), I have also run with the following set of
hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br> hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
</p> </p>
<blockquote> <blockquote>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre> <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
@ -304,28 +307,33 @@ hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre> <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>echo "   Defined fwmark filters"<br></pre> <pre>echo "   Defined fwmark filters"<br></pre>
</blockquote> </blockquote>
<p>My tcrules file that went with this tcstart file is shown in Example 1 <p>My tcrules file that went with this tcstart file is shown in Example 1
above. You can look at my <a href="myfiles.htm">network configuration</a> above. You can look at <a href="myfiles.htm">my configuration</a> to
to get an idea of why I wanted these particular rules.<br> see why I wanted shaping of this type.<br>
</p> </p>
<ol> <ol>
<li>I wanted to allow up to 140kbits/second for traffic outbound <li>I wanted to allow up to 140kbits/second for traffic outbound
from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
can use all available bandwidth if there is no traffic from the local systems can use all available bandwidth if there is no traffic from the local
or from my laptop or firewall).</li> systems or from my laptop or firewall).</li>
<li>My laptop and local systems could use up to 224kbits/second.</li> <li>My laptop and local systems could use up to 224kbits/second.</li>
<li>My firewall could use up to 20kbits/second.<br> <li>My firewall could use up to 20kbits/second.</li>
</li>
</ol> </ol>
You see <a href="myfiles.htm">the rest of my Shorewall configuration</a>
to see how this fit in. <br>
<p><font size="2">Last Updated 2/13/2003 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

244
STABLE/documentation/troubleshoot.htm
View File

@ -15,16 +15,16 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
src="images/obrasinf.gif" alt="Beating head on table" width="90" src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle"> height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -32,190 +32,184 @@
<h3 align="left">Check the Errata</h3> <h3 align="left">Check the Errata</h3>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be <p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
sure that there isn't an update that you are missing for your version sure that there isn't an update that you are missing for your version
of the firewall.</p> of the firewall.</p>
<h3 align="left">Check the FAQs</h3> <h3 align="left">Check the FAQs</h3>
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common <p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
problems.</p> problems.</p>
<h3 align="left">If the firewall fails to start</h3> <h3 align="left">If the firewall fails to start</h3>
If you receive an error message when starting or restarting If you receive an error message when starting or restarting
the firewall and you can't determine the cause, then do the following: the firewall and you can't determine the cause, then do the following:
<ul> <ul>
<li>Make a note of the error message that you see.<br> <li>Make a note of the error message that you see.<br>
</li> </li>
<li>shorewall debug start 2&gt; /tmp/trace</li> <li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you <li>Look at the /tmp/trace file and see if that helps you
determine what the problem is. Be sure you find the place in the log determine what the problem is. Be sure you find the place in the log
where the error message you saw is generated -- in 99.9% of the cases, it where the error message you saw is generated -- in 99.9% of the cases, it
will not be near the end of the log because after startup errors, Shorewall will not be near the end of the log because after startup errors, Shorewall
goes through a "shorewall stop" phase which will also be traced.</li> goes through a "shorewall stop" phase which will also be traced.</li>
<li>If you still can't determine what's wrong then see the <li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li> <a href="support.htm">support page</a>.</li>
</ul> </ul>
Here's an example. During startup, a user sees the following:<br> Here's an example. During startup, a user sees the following:<br>
<blockquote> <blockquote>
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre> <pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
</blockquote> </blockquote>
A search through the trace for "No chain/target/match by that name" turned A search through the trace for "No chain/target/match by that name" turned
up the following:  up the following: 
<blockquote> <blockquote>
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre> <pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
</blockquote> </blockquote>
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
tcp-reset". In this case, the user had compiled his own kernel and had forgotten tcp-reset". In this case, the user had compiled his own kernel and had forgotten
to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>) to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
<h3>Your network environment</h3> <h3>Your network environment</h3>
<p>Many times when people have problems with Shorewall, the problem is <p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived network setup. Here are several popular snafus: actually an ill-conceived network setup. Here are several popular snafus:
</p> </p>
<ul> <ul>
<li>Port Forwarding where client and server are in <li>Port Forwarding where client and server are in
the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li> the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the external <li>Changing the IP address of a local system to be in the
subnet, thinking that Shorewall will suddenly believe that the system external subnet, thinking that Shorewall will suddenly believe that
is in the 'net' zone.</li> the system is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. <li>Multiple interfaces connected to the same HUB or Switch.
Given the way that the Linux kernel respond to ARP "who-has" requests, Given the way that the Linux kernel respond to ARP "who-has" requests,
this type of setup does NOT work the way that you expect it to.</li> this type of setup does NOT work the way that you expect it to.</li>
</ul> </ul>
<h3 align="left">If you are having connection problems:</h3> <h3 align="left">If you are having connection problems:</h3>
<p align="left">If the appropriate policy for the connection that you are <p align="left">If the appropriate policy for the connection that you are
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they TO MAKE IT WORK. Such additional rules will NEVER make it work, they
add clutter to your rule set and they represent a big security hole in add clutter to your rule set and they represent a big security hole in
the event that you forget to remove them later.</p> the event that you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies to <p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of ACCEPT in an effort to make something work. That robs you of one of
your best diagnostic tools - the "Shorewall" messages that Netfilter your best diagnostic tools - the "Shorewall" messages that Netfilter
will generate when you try to connect in a way that isn't permitted will generate when you try to connect in a way that isn't permitted
by your rule set.</p> by your rule set.</p>
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't <p align="left">Check your log ("/sbin/shorewall show log"). If you don't
see Shorewall messages, then your problem is probably NOT a Shorewall see Shorewall messages, then your problem is probably NOT a Shorewall
problem. If you DO see packet messages, it may be an indication that you problem. If you DO see packet messages, it may be an indication that you
are missing one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p> are missing one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear <p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p> two variables in /etc/shorewall/shorewall.conf:</p>
<p align="left">LOGRATE=""<br> <p align="left">LOGRATE=""<br>
LOGBURST=""</p> LOGBURST=""</p>
<p align="left">This way, you will see all of the log messages being <p align="left">This way, you will see all of the log messages being
generated (be sure to restart shorewall after clearing these variables).</p> generated (be sure to restart shorewall after clearing these variables).</p>
<p align="left">Example:</p> <p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel: <p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
LEN=47</font></p> LEN=47</font></p>
</font> </font>
<p align="left">Let's look at the important parts of this message:</p> <p align="left">Let's look at the important parts of this message:</p>
<ul> <ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all <li>all2all:REJECT - This packet was REJECTed out of the all2all
chain -- the packet was rejected under the "all"-&gt;"all" REJECT chain -- the packet was rejected under the "all"-&gt;"all" REJECT
policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li> policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li> <li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li> <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li> <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li> <li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li> <li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li> <li>DPT=53 - DNS</li>
</ul> </ul>
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3 <p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
is in the "loc" zone. I was missing the rule:</p> is in the "loc" zone. I was missing the rule:</p>
<p align="left">ACCEPT    dmz    loc    udp    53<br> <p align="left">ACCEPT    dmz    loc    udp    53<br>
</p> </p>
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information <p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
about how to interpret the chain name appearing in a Shorewall log message.<br> about how to interpret the chain name appearing in a Shorewall log message.<br>
</p> </p>
<h3 align="left">'Ping' Problems?</h3> <h3 align="left">'Ping' Problems?</h3>
Either can't ping when you think you should be able to or are able to ping Either can't ping when you think you should be able to or are able to ping
when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
href="ping.html"> is described here</a>.<br> href="ping.html"> is described here</a>.<br>
<h3 align="left">Other Gotchas</h3> <h3 align="left">Other Gotchas</h3>
<ul> <ul>
<li>Seeing rejected/dropped packets logged out of the INPUT or <li>Seeing rejected/dropped packets logged out of the INPUT
FORWARD chains? This means that: or FORWARD chains? This means that:
<ol> <ol>
<li>your zone definitions are screwed up and the host that <li>your zone definitions are screwed up and the host that
is sending the packets or the destination host isn't in any zone is sending the packets or the destination host isn't in any zone
(using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> (using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
file are you?); or</li> file are you?); or</li>
<li>the source and destination hosts are both connected to <li>the source and destination hosts are both connected to
the same interface and that interface doesn't have the 'multi' the same interface and you don't have a policy or rule for the
option specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> source zone to or from the destination zone.</li>
</ol> </ol>
</li> </li>
<li>Remember that Shorewall doesn't automatically allow ICMP <li>Remember that Shorewall doesn't automatically allow ICMP
type 8 ("ping") requests to be sent between zones. If you want pings type 8 ("ping") requests to be sent between zones. If you want
to be allowed between zones, you need a rule of the form:<br> pings to be allowed between zones, you need a rule of the form:<br>
<br> <br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;        ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br> icmp    echo-request<br>
<br> <br>
The ramifications of this can be subtle. For example, if you The ramifications of this can be subtle. For example, if you
have the following in /etc/shorewall/nat:<br> have the following in /etc/shorewall/nat:<br>
<br> <br>
    10.1.1.2    eth0    130.252.100.18<br>     10.1.1.2    eth0    130.252.100.18<br>
<br> <br>
and you ping 130.252.100.18, unless you have allowed icmp type and you ping 130.252.100.18, unless you have allowed icmp
8 between the zone containing the system you are pinging from and the type 8 between the zone containing the system you are pinging from
zone containing 10.1.1.2, the ping requests will be dropped. This is and the zone containing 10.1.1.2, the ping requests will be dropped. </li>
true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li> <li>If you specify "routefilter" for an interface, that
<li>If you specify "routefilter" for an interface, that interface interface must be up prior to starting the firewall.</li>
must be up prior to starting the firewall.</li> <li>Is your routing correct? For example, internal systems
<li>Is your routing correct? For example, internal systems usually usually need to be configured with their default gateway set to
need to be configured with their default gateway set to the IP address the IP address of their nearest firewall interface. One often overlooked
of their nearest firewall interface. One often overlooked aspect aspect of routing is that in order for two hosts to communicate, the
of routing is that in order for two hosts to communicate, the routing routing between them must be set up <u>in both directions.</u> So
between them must be set up <u>in both directions.</u> So when setting when setting up routing between <b>A</b> and<b> B</b>, be sure to
up routing between <b>A</b> and<b> B</b>, be sure to verify that the verify that the route from <b>B</b> back to <b>A</b> is defined.</li>
route from <b>B</b> back to <b>A</b> is defined.</li> <li>Some versions of LRP (EigerStein2Beta for example) have
<li>Some versions of LRP (EigerStein2Beta for example) have a a shell with broken variable expansion. <a
shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li> shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a <li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li> href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program <li>Shorewall requires the "ip" program. That program is
is generally included in the "iproute" package which should be included generally included in the "iproute" package which should be included
with your distribution (though many distributions don't install iproute with your distribution (though many distributions don't install iproute
by default). You may also download the latest source tarball from <a by default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li> .</li>
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts <li>Problems with NAT? Be sure that you let Shorewall
then the zone must be entirely defined in /etc/shorewall/hosts unless add all external addresses to be use with NAT unless you have set <a
you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
For example, if a zone has two interfaces but only one interface has an
entry in /etc/shorewall/hosts then hosts attached to the other interface
will <u>not</u> be considered part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all
external addresses to be use with NAT unless you have set <a
href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li> href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li>
</ul> </ul>
@ -223,15 +217,17 @@ is generally included in the "iproute" package which should be included
<h3>Still Having Problems?</h3> <h3>Still Having Problems?</h3>
<p>See the<a href="support.htm"> support page.<br> <p>See the<a href="support.htm"> support page.<br>
</a></p> </a></p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote> <blockquote> </blockquote>
</font> </font>
<p><font size="2">Last updated 1/7/2003 - Tom Eastep</font> </p> <p><font size="2">Last updated 2/21/2003 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>

1205
STABLE/documentation/two-interface.htm
View File

File diff suppressed because it is too large Load Diff

295
STABLE/documentation/upgrade_issues.htm
View File

@ -6,6 +6,7 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Upgrade Issues</title> <title>Upgrade Issues</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
@ -17,13 +18,13 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -31,203 +32,279 @@
<p>For upgrade instructions see the <a <p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.</p> href="Install.htm">Install/Upgrade page</a>.</p>
<h3>Version &gt;= 1.3.14</h3> <h3> </h3>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
     Beginning in version 1.3.14, Shorewall treats entries in <a <h3>Version &gt;= 1.4.0</h3>
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change <b>IMPORTANT: Shorewall &gt;=1.4.0 <u>REQUIRES</u></b> <b>the iproute package
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second) ('ip' utility).</b><br>
<b>column</b>:<br> <br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul> <ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the interface <li>The <b>noping </b>and <b>forwardping</b> interface options are
(as shown by "ip addr show <i>interface</i>") and would masquerade traffic no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
from that subnet. Any other subnets that routed through eth1 needed their ICMP echo-request (ping) packets are treated just like any other connection
own entry in /etc/shorewall/masq to be masqueraded or to have SNAT applied.</li> request and are subject to rules and policies.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's routing <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in
table to determine ALL subnets routed through the named interface. Traffic /etc/shorewall/interfaces now generate a Shorewall error at startup (they
originating in ANY of those subnets is masqueraded or has SNAT applied.</li> always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents
are determined by BOTH the interfaces and hosts files when there are entries
for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts file
has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are not dropped by default;
there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have been
moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include it
from /etc/shorewall/icmpdef, you will need to modify that file.</li>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall
will generate rules for sending packets back out the same interface that
they arrived on in two cases:</li>
</ul> </ul>
You will need to make a change to your configuration if:<br>
<ul>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to or from
the destination zone. An explicit policy names both zones and does not use
the 'all' reserved word.</li>
</ul>
<ul>
<li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li>
</ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
</li>
</ul>
<ul>
</ul>
<h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
     Beginning in version 1.3.14, Shorewall treats entries in <a
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
<b>column</b>:<br>
<ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the
interface (as shown by "ip addr show <i>interface</i>") and would masquerade
traffic from that subnet. Any other subnets that routed through eth1 needed
their own entry in /etc/shorewall/masq to be masqueraded or to have SNAT
applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
routing table to determine ALL subnets routed through the named interface.
Traffic originating in ANY of those subnets is masqueraded or has SNAT
applied.</li>
</ul>
You will need to make a change to your configuration if:<br>
<ol> <ol>
<li>You have one or more entries in /etc/shorewall/masq with an interface <li>You have one or more entries in /etc/shorewall/masq with an interface
name in the SUBNET (second) column; and</li> name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li> <li>That interface connects to more than one subnetwork.</li>
</ol> </ol>
Two examples:<br> Two examples:<br>
<br> <br>
 <b>Example 1</b> -- Suppose that your current config is as follows:<br>  <b>Example 1</b> -- Suppose that your current config is as follows:<br>
   <br>    <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer <blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
required.<br> required.<br>
</blockquote> </blockquote>
<b>Example 2</b>-- What if your current configuration is like this?<br> <b>Example 2</b>-- What if your current configuration is like this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre> <pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq <blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
to:<br> to:<br>
</blockquote> </blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13"> <img src="images/BD21298_3.gif" alt="" width="13" height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request (ping) handling.     Version 1.3.14 also introduced simplified ICMP echo-request (ping)
The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf is used handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
to specify that the old (pre-1.3.14) ping handling is to be used (If the is used to specify that the old (pre-1.3.14) ping handling is to be used
option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes (If the option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes
is assumed). I don't plan on supporting the old handling indefinitely so is assumed). I don't plan on supporting the old handling indefinitely so
I urge current users to migrate to using the new handling as soon as possible. I urge current users to migrate to using the new handling as soon as possible.
See the <a href="ping.html">'Ping' handling documentation</a> for details.<br> See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
1.3.10, you will need to use the '--force' option:<br> to version 1.3.10, you will need to use the '--force' option:<br>
<br> <br>
<blockquote> <blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre> <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote> </blockquote>
<h3>Version &gt;= 1.3.9</h3> <h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions. If you The 'functions' file has moved to /usr/lib/shorewall/functions.
have an application that uses functions from that file, your application If you have an application that uses functions from that file, your application
will need to be changed to reflect this change of location.<br> will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3> <h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover <p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.8, versions &gt;= 1.3.8. Beginning with version 1.3.8,
you must set NEWNOTSYN=Yes in your you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p> /etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3> <h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf <p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following rules will need to include the following rules
in their /etc/shorewall/icmpdef file (creating in their /etc/shorewall/icmpdef file (creating
this file if necessary):</p> this file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre> <pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" <p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p> command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to <h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3> Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version <p>To properly upgrade with Shorewall version
1.3.3 and later:</p> 1.3.3 and later:</p>
<ol> <ol>
<li>Be sure you have a backup -- you <li>Be sure you have a backup
will need to transcribe any Shorewall configuration -- you will need to transcribe any Shorewall
changes that you have made to the new configuration changes that you have
configuration.</li> made to the new configuration.</li>
<li>Replace the shorwall.lrp package <li>Replace the shorwall.lrp
provided on the Bering floppy with the package provided on the Bering floppy
later one. If you did not obtain the later with the later one. If you did not obtain
version from Jacques's site, see additional the later version from Jacques's site,
instructions below.</li> see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list <li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall file and remove the /var/lib/shorewall
entry if present. Then do not forget to entry if present. Then do not forget
backup root.lrp !</li> to backup root.lrp !</li>
</ol> </ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like <p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to add for setting up a two-interface firewall</a> plus you also need to add
the following two Bering-specific rules to /etc/shorewall/rules:</p> the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote> <blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre> <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote> </blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3> <h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for <p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6 your firewall setup slightly under Shorewall versions 1.3.6
and 1.3.7</p> and 1.3.7</p>
<ol> <ol>
<li> <li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add <p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br> the following rule<br>
<br> <br>
<font face="Courier">run_iptables -A newnotsyn -j RETURN <font face="Courier">run_iptables -A newnotsyn -j RETURN
# So that the connection tracking table can be rebuilt<br> # So that the connection tracking table can be rebuilt<br>
                                    # from non-SYN packets                                     # from non-SYN
after takeover.<br> packets after takeover.<br>
 </font> </p>  </font> </p>
</li> </li>
<li> <li>
<p align="left">Create /etc/shorewall/common (if you don't already <p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br> have that file) and include the following:<br>
<br> <br>
<font face="Courier">run_iptables -A common -p tcp --tcp-flags <font face="Courier">run_iptables -A common -p tcp
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br> --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild
                                                                    connection<br>
#tracking table. <br>                                                                    
. /etc/shorewall/common.def</font> </p> #tracking table. <br>
</li> . /etc/shorewall/common.def</font> </p>
</li>
</ol> </ol>
<h3 align="left">Versions &gt;= 1.3.5</h3> <h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no <p align="left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p> longer supported. </p>
<p align="left">Example 1:</p> <p align="left">Example 1:</p>
<div align="left"> <div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre> <pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div> </div>
<p align="left">Must be replaced with:</p> <p align="left">Must be replaced with:</p>
<div align="left"> <div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre> <pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example 2:</p> <p align="left">Example 2:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre> <pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Must be replaced with:</p> <p align="left">Must be replaced with:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre> <pre> REDIRECT loc 3128 tcp 80</pre>
</div> </div>
<h3 align="left">Version &gt;= 1.3.2</h3> <h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the <p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. 'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications If you have applications that access these files, those applications
should be modified accordingly.</p> should be modified accordingly.</p>
<p><font size="2"> Last updated 1/25/2003 - <p><font size="2"> Last updated 3/6/2003 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
<br>
<br>
<br>
<br> <br>
<br> <br>
</body> </body>

507
STABLE/documentation/whitelisting_under_shorewall.htm
View File

@ -1,281 +1,326 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta http-equiv="Content-Language" content="en-us">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<title>Whitelisting under Shorewall</title>
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Whitelisting under Shorewall</title>
</head> </head>
<body>
<body> <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Whitelisting under Shorewall</font></h1>
</td>
</tr>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> </tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Whitelisting under Shorewall</font></h1>
</td>
</tr>
</table> </table>
<p align="left">For a brief time, the 1.2 version of Shorewall supported an <p align="left">For a brief time, the 1.2 version of Shorewall supported an
/etc/shorewall/whitelist file. This file was intended to contain a list of IP /etc/shorewall/whitelist file. This file was intended to contain a list of
addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist file was IP addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist
implemented as a stop-gap measure until the facilities necessary for file was implemented as a stop-gap measure until the facilities necessary
implementing white lists using zones was in place. As of Version 1.3 RC1, those for implementing white lists using zones was in place. As of Version 1.3
facilities were available.</p> RC1, those facilities were available.</p>
<p align="left">White lists are most often used to give special privileges to a
set&nbsp; of hosts within an organization. Let us suppose that we have the <p align="left">White lists are most often used to give special privileges
following environment:</p> to a set  of hosts within an organization. Let us suppose that we have the
following environment:</p>
<ul> <ul>
<li>A firewall with three interfaces -- one to the internet, one <li>A firewall with three interfaces -- one to the internet, one to
to a local network and one to a DMZ.</li> a local network and one to a DMZ.</li>
<li>The local network uses SNAT to the internet and is comprised <li>The local network uses SNAT to the internet and is comprised of
of the class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918 the class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918
local network, the technique described here in no way depends on that or on local network, the technique described here in no way depends on that or
SNAT. It may be used with Proxy ARP, Subnet Routing, Static NAT, etc.).</li> on SNAT. It may be used with Proxy ARP, Subnet Routing, Static NAT, etc.).</li>
<li>The network operations staff have workstations with IP <li>The network operations staff have workstations with IP addresses
addresses in the class C network 10.10.10.0/24</li> in the class C network 10.10.10.0/24</li>
<li>We want the network operations staff to have full access to <li>We want the network operations staff to have full access to all
all other hosts.</li> other hosts.</li>
<li>We want the network operations staff to bypass the transparent <li>We want the network operations staff to bypass the transparent
HTTP proxy running on our firewall.</li> HTTP proxy running on our firewall.</li>
</ul> </ul>
<p align="left">The basic approach will be that we will place the operations <p align="left">The basic approach will be that we will place the operations
staff's class C in its own zone called <b>ops</b>. Here are the appropriate staff's class C in its own zone called <b>ops</b>. Here are the appropriate
configuration files:</p> configuration files:</p>
<h2 align="left">Zone File</h2> <h2 align="left">Zone File</h2>
<blockquote> <blockquote>
<table border="2"> <table border="2">
<tr> <tbody>
<td><b> <tr>
ZONE</b></td> <td><b> ZONE</b></td>
<td><b> <td><b> DISPLAY</b></td>
DISPLAY</b></td> <td><b> COMMENTS</b></td>
<td><b> </tr>
COMMENTS</b></td> <tr>
</tr> <td>net</td>
<td>Net</td>
<td>Internet</td>
</tr>
<tr>
<td>ops</td>
<td>Operations</td>
<td>Operations Staff's Class C</td>
</tr>
<tr>
<td>loc</td>
<td>Local</td>
<td>Local Class B</td>
</tr>
<tr>
<td>dmz</td>
<td>DMZ</td>
<td>Demilitarized zone</td>
</tr>
<tr> </tbody>
<td>net</td> </table>
<td>Net</td> </blockquote>
<td>Internet</td>
</tr> <p>The <b>ops </b>zone has been added to the standard 3-zone zones file --
<tr> since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b>.</p>
<td>ops</td>
<td>Operations</td>
<td>Operations Staff's Class C</td>
</tr>
<tr>
<td>loc</td>
<td>Local</td>
<td>Local Class B</td>
</tr>
<tr>
<td>dmz</td>
<td>DMZ</td>
<td>Demilitarized zone</td>
</tr>
</table>
</blockquote>
<p>The <b>ops </b>zone has been added to the standard 3-zone zones file -- since
<b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b>.</p>
<h2>Interfaces File</h2> <h2>Interfaces File</h2>
<blockquote> <blockquote>
<table border="2"> <table border="2">
<tr> <tbody>
<td><b>
ZONE</b></td>
<td><b>
INTERFACE</b></td>
<td><b>
BROADCAST</b></td>
<td><b>
OPTIONS</b></td>
</tr>
<tr> <tr>
<td>net</td> <td><b> ZONE</b></td>
<td>eth0</td> <td><b> INTERFACE</b></td>
<td>&lt;whatever&gt;</td> <td><b> BROADCAST</b></td>
<td>&lt;options&gt;</td> <td><b> OPTIONS</b></td>
</tr> </tr>
<tr> <tr>
<td>dmz</td> <td>net</td>
<td>eth1</td> <td>eth0</td>
<td>&lt;whatever&gt;</td> <td>&lt;whatever&gt;</td>
<td>routestopped</td> <td>&lt;options&gt;</td>
</tr> </tr>
<tr> <tr>
<td>-</td> <td>dmz</td>
<td>eth2</td> <td>eth1</td>
<td>10.10.255.255</td> <td>&lt;whatever&gt;</td>
<td>&nbsp;</td> <td><br>
</tr> </td>
</tr>
<tr>
<td>-</td>
<td>eth2</td>
<td>10.10.255.255</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>,
we don't specify a zone for it here.</p>
</table>
</blockquote>
<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>, we
don't specify a zone for it here.</p>
<h2>Hosts File</h2> <h2>Hosts File</h2>
<blockquote>
<blockquote> <font face="Century Gothic, Arial, Helvetica">
</font>
<table border="2"> <table border="2">
<tr> <tbody>
<td><b>
ZONE</b></td>
<td><b>
HOST(S)</b></td>
<td><b>
OPTIONS</b></td>
</tr>
<tr> <tr>
<td>ops</td> <td><b> ZONE</b></td>
<td>eth2:10.10.10.0/24</td> <td><b> HOST(S)</b></td>
<font face="Century Gothic, Arial, Helvetica"> <td><b> OPTIONS</b></td>
</tr>
<tr>
<td>ops</td>
<td>eth2:10.10.10.0/24</td>
<td><br>
</td>
</tr>
<tr>
<td>loc</td>
<td>eth2:0.0.0.0/0</td>
<td> </td>
</tr>
<td>routestopped</td> </tbody>
</font> </table>
</tr> </blockquote>
<tr>
<td>loc</td>
<td>eth2:0.0.0.0/0</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is <p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is
stopped, only the hosts in the <b>ops</b> zone will be allowed to access the stopped, only the hosts in the <b>ops</b> zone will be allowed to access the
firewall and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than firewall and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather
10.10.0.0/16 so that the limited broadcast address (255.255.255.255) falls into than 10.10.0.0/16 so that the limited broadcast address (255.255.255.255)
that zone. If I used 10.10.0.0/16 then I would have to have a separate entry for falls into that zone. If I used 10.10.0.0/16 then I would have to have a
that special address.</p> separate entry for that special address.</p>
<h2>Policy File</h2> <h2>Policy File</h2>
<blockquote>
<blockquote> <font face="Century Gothic, Arial, Helvetica">
</font>
<table border="2"> <table border="2">
<tr> <tbody>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>
POLICY</b></td>
<td><b>
LOG LEVEL</b></td>
<td><b>LIMIT:BURST</b></td>
</tr>
<tr> <tr>
<td><font color="#0000FF">ops</font></td> <td><b>SOURCE</b></td>
<td><font color="#0000FF">all</font></td> <td><b>DEST</b></td>
<td><font color="#0000FF">ACCEPT</font></td> <td><b> POLICY</b></td>
<td><b> LOG LEVEL</b></td>
<td><b>LIMIT:BURST</b></td>
</tr>
<tr>
<td><font color="#0000ff">ops</font></td>
<td><font color="#0000ff">all</font></td>
<td><font color="#0000ff">ACCEPT</font></td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><font color="#0000ff">all</font></td>
<td><font color="#0000ff">ops</font></td>
<td><font color="#0000ff">CONTINUE</font></td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>loc</td>
<td>net</td>
<td>ACCEPT</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>net</td>
<td>all</td>
<td>DROP</td>
<td>info</td>
<td> </td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td> </td>
</tr>
<td>&nbsp;</td> </tbody>
</table>
</blockquote>
<p>Two entries for <b>ops</b> have been added to the standard 3-zone policy
file.<font color="#ff0000"><b></b></font></p>
<td>&nbsp;</td>
</tr>
<tr>
<td><font color="#0000FF">all</font></td>
<td><font color="#0000FF">ops</font></td>
<td><font color="#0000FF">CONTINUE</font></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>loc</td>
<td>net</td>
<td>ACCEPT</td>
<font face="Century Gothic, Arial, Helvetica">
<td>&nbsp;</td>
<td>&nbsp;</td>
</font>
</tr>
<tr>
<td>net</td>
<td>all</td>
<td>DROP</td>
<td>info</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p>Two entries for <b>ops</b> have been added to the standard 3-zone policy file.
<font color="#FF0000"><b>WARNING: You must be running Shorewall 1.3.1 or later
for the above to work properly.</b></font></p>
<h2>Rules File</h2> <h2>Rules File</h2>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc!ops</td>
<td>3128</td>
<td>tcp</td>
<td>http</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>...</td>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>This is the rule that transparently redirects web traffic to the transparent
proxy running on the firewall. The SOURCE column explicitly excludes the
<b>ops</b> zone from the rule.</p>
<h2>Routestopped File</h2>
<blockquote> <blockquote>
<table border="2"> <table border="2">
<tr> <tbody>
<font face="Century Gothic, Arial, Helvetica"> <tr>
<td><b>ACTION</b></td> <td><b>INTERFACE</b><br>
<td><b>SOURCE</b></td> </td>
<td><b>DEST</b></td> <td><b> HOST(S)</b></td>
<td><b> </tr>
PROTO</b></td> <tr>
<td><b>DEST<br> <td valign="top">eth1<br>
PORT(S)</b></td> </td>
<td><b>SOURCE<br> <td valign="top"><br>
PORT(S)</b></td> </td>
<td><b>ORIGINAL<br> </tr>
DEST</b></td> <tr>
</font> <td>eth2<br>
</tr> </td>
<tr> <td>10.10.10.0/24</td>
<td>REDIRECT</td> </tr>
<td>loc!ops</td>
<td>3128</td>
<td>tcp</td>
<td>http</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>...</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table> </tbody>
</table>
<br>
</blockquote> </blockquote>
<p>This is the rule that transparently redirects web traffic to the transparent
proxy running on the firewall. The SOURCE column explicitly excludes the <b>ops</b>
zone from the rule.</p>
<p><font size="2">
Updated 5/31/2002 - <a href="support.htm">Tom <p><font size="2"> Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a>
Eastep</a> </font></p>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
<br>
</body> <br>
</body>
</html> </html>

12
STABLE/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.3.14 VERSION=1.4.0
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -49,14 +49,18 @@ restore_file() # $1 = file to restore
fi fi
} }
if [ ! -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then if [ ! -f /usr/share/shorewall/version-${VERSION}.bkout ]; then
echo "Shorewall Version $VERSION is not installed" echo "Shorewall Version $VERSION is not installed"
exit 1 exit 1
fi fi
echo "Backing Out Installation of Shorewall $VERSION" echo "Backing Out Installation of Shorewall $VERSION"
if [ -L /usr/lib/shorewall/firewall ]; then if [ -L /usr/share/shorewall/init ]; then
FIREWALL=`ls -l /usr/share/shorewall/firewall | sed 's/^.*> //'`
restore_file $FIREWALL
restore_file /usr/share/shorewall/firewall
elif [ -L /usr/lib/shorewall/firewall ]; then
FIREWALL=`ls -l /usr/lib/shorewall/firewall | sed 's/^.*> //'` FIREWALL=`ls -l /usr/lib/shorewall/firewall | sed 's/^.*> //'`
restore_file $FIREWALL restore_file $FIREWALL
elif [ -L /var/lib/shorewall/firewall ]; then elif [ -L /var/lib/shorewall/firewall ]; then
@ -127,6 +131,8 @@ restore_file /etc/shorewall/stop
restore_file /etc/shorewall/stopped restore_file /etc/shorewall/stopped
restore_file /etc/shorewall/ecn
if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then if [ -f /usr/lib/shorewall/version-${VERSION}.bkout ]; then
restore_file /usr/lib/shorewall/version restore_file /usr/lib/shorewall/version
oldversion="`cat /usr/lib/shorewall/version`" oldversion="`cat /usr/lib/shorewall/version`"

1073
STABLE/firewall
View File

File diff suppressed because it is too large Load Diff

17
STABLE/functions
View File

@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Shorewall 1.3 -- /usr/lib/shorewall/functions # Shorewall 1.4 -- /usr/lib/shorewall/functions
# #
# Suppress all output for a command # Suppress all output for a command
@ -29,6 +29,21 @@ separate_list() {
local list local list
local part local part
local newlist local newlist
#
# There's been whining about us not catching embedded white space in
# comma-separated lists. This is an attempt to snag some of the cases.
#
# The 'terminator' function will be set by the 'firewall' script to
# either 'startup_error' or 'fatal_error' depending on the command and
# command phase
#
case "$@" in
*,|,*|*,,*|*[[:space:]]*)
[ -n "$terminator" ] && \
$terminator "Invalid comma-separated list \"$@\""
echo "Warning -- invalid comma-separated list \"$@\"" >&2
;;
esac
list="$@" list="$@"
part="${list%%,*}" part="${list%%,*}"

9
STABLE/hosts
View File

@ -1,5 +1,5 @@
# #
# Shorewall 1.3 - /etc/shorewall/hosts # Shorewall 1.4 - /etc/shorewall/hosts
# #
# WARNING: 90% of Shorewall users don't need to add entries to this # WARNING: 90% of Shorewall users don't need to add entries to this
# file and 80% of those who try to add such entries get it # file and 80% of those who try to add such entries get it
@ -30,11 +30,6 @@
# OPTIONS - A comma-separated list of options. Currently-defined # OPTIONS - A comma-separated list of options. Currently-defined
# options are: # options are:
# #
# routestopped - (Deprecated -- use
# /etc/shorewall/routestopped)
# route messages to and from this
# member when the firewall is in the
# stopped state
# maclist - Connection requests from these hosts # maclist - Connection requests from these hosts
# are compared against the contents of # are compared against the contents of
# /etc/shorewall/maclist. If this option # /etc/shorewall/maclist. If this option
@ -43,5 +38,5 @@
# Shorewall is started. # Shorewall is started.
# #
# #
#ZONE HOST(S) OPTIONS #ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

2
STABLE/init
View File

@ -1,5 +1,5 @@
############################################################################ ############################################################################
# Shorewall 1.3 -- /etc/shorewall/init # Shorewall 1.4 -- /etc/shorewall/init
# #
# Add commands below that you want to be executed at the beginning of # Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command. # a "shorewall start" or "shorewall restart" command.

2
STABLE/init.sh
View File

@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
RCDLINKS="2,S41 3,S41 6,K41" RCDLINKS="2,S41 3,S41 6,K41"
# #
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002 # The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.4 3/14/2003
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #

57
STABLE/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.3.14 VERSION=1.4.0
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -93,6 +93,18 @@ backup_file() # $1 = file to backup
fi fi
} }
delete_file() # $1 = file to delete
{
if [ -z "$PREFIX" -a -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then
if (mv $1 ${1}-${VERSION}.bkout); then
echo
echo "$1 moved to ${1}-${VERSION}.bkout"
else
exit 1
fi
fi
}
modify_rclocal() modify_rclocal()
{ {
if [ -f /etc/rc.d/rc.local ]; then if [ -f /etc/rc.d/rc.local ]; then
@ -261,10 +273,10 @@ echo
echo "Shorewall script installed in ${PREFIX}${DEST}/$FIREWALL" echo "Shorewall script installed in ${PREFIX}${DEST}/$FIREWALL"
# #
# Create /etc/shorewall, /usr/lib/shorewall and /var/shorewall if needed # Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
# #
mkdir -p ${PREFIX}/etc/shorewall mkdir -p ${PREFIX}/etc/shorewall
mkdir -p ${PREFIX}/usr/lib/shorewall mkdir -p ${PREFIX}/usr/share/shorewall
mkdir -p ${PREFIX}/var/lib/shorewall mkdir -p ${PREFIX}/var/lib/shorewall
# #
# Install the config file # Install the config file
@ -300,10 +312,10 @@ if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then
rm -f ${PREFIX}/var/lib/shorewall/functions rm -f ${PREFIX}/var/lib/shorewall/functions
fi fi
install_file_with_backup functions ${PREFIX}/usr/lib/shorewall/functions 0444 install_file_with_backup functions ${PREFIX}/usr/share/shorewall/functions 0444
echo echo
echo "Common functions installed in ${PREFIX}/usr/lib/shorewall/functions" echo "Common functions installed in ${PREFIX}/usr/share/shorewall/functions"
# #
# Install the common.def file # Install the common.def file
# #
@ -311,13 +323,11 @@ install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444
echo echo
echo "Common rules installed in ${PREFIX}/etc/shorewall/common.def" echo "Common rules installed in ${PREFIX}/etc/shorewall/common.def"
#
# Install the icmp.def file
#
install_file_with_backup icmp.def ${PREFIX}/etc/shorewall/icmp.def 0444
echo #
echo "Common ICMP rules installed in ${PREFIX}/etc/shorewall/icmp.def" # Delete the icmp.def file
#
delete_file icmp.def
# #
# Install the policy file # Install the policy file
@ -528,10 +538,22 @@ else
echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped" echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
fi fi
# #
# Install the ECN file
#
if [ -f ${PREFIX}/etc/shorewall/ecn ]; then
backup_file /etc/shorewall/ecn
else
run_install -o $OWNER -g $GROUP -m 0600 ecn ${PREFIX}/etc/shorewall/ecn
echo
echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
fi
#
# Backup the version file # Backup the version file
# #
if [ -z "$PREFIX" ]; then if [ -z "$PREFIX" ]; then
if [ -f /usr/lib/shorewall/version ]; then if [ -f /usr/share/shorewall/version ]; then
backup_file /usr/share/shorewall/version
elif [ -f /usr/lib/shorewall/version ]; then
backup_file /usr/lib/shorewall/version backup_file /usr/lib/shorewall/version
elif [ -n "$oldversion" ]; then elif [ -n "$oldversion" ]; then
echo $oldversion > /usr/lib/shorewall/version-${VERSION}.bkout echo $oldversion > /usr/lib/shorewall/version-${VERSION}.bkout
@ -542,10 +564,10 @@ fi
# #
# Create the version file # Create the version file
# #
echo "$VERSION" > ${PREFIX}/usr/lib/shorewall/version echo "$VERSION" > ${PREFIX}/usr/share/shorewall/version
chmod 644 ${PREFIX}/usr/lib/shorewall/version chmod 644 ${PREFIX}/usr/share/shorewall/version
# #
# Remove and create the symbolic link to the firewall script # Remove and create the symbolic link to the init script
# #
if [ -z "$PREFIX" ]; then if [ -z "$PREFIX" ]; then
@ -554,12 +576,13 @@ if [ -z "$PREFIX" ]; then
[ -L /usr/lib/shorewall/firewall ] && \ [ -L /usr/lib/shorewall/firewall ] && \
mv -f /usr/lib/shorewall/firewall /usr/lib/shorewall/firewall-${VERSION}.bkout mv -f /usr/lib/shorewall/firewall /usr/lib/shorewall/firewall-${VERSION}.bkout
rm -f /usr/lib/shorewall/init rm -f /usr/lib/shorewall/init
ln -s ${DEST}/${FIREWALL} /usr/lib/shorewall/init rm -f /usr/share/shorewall/init
ln -s ${DEST}/${FIREWALL} /usr/share/shorewall/init
fi fi
# #
# Install the firewall script # Install the firewall script
# #
install_file_with_backup firewall ${PREFIX}/usr/lib/shorewall/firewall 0544 install_file_with_backup firewall ${PREFIX}/usr/share/shorewall/firewall 0544
if [ -z "$PREFIX" -a -n "$first_install" ]; then if [ -z "$PREFIX" -a -n "$first_install" ]; then
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then

18
STABLE/interfaces
View File

@ -1,5 +1,5 @@
# #
# Shorewall 1.3 -- Interfaces File # Shorewall 1.4 -- Interfaces File
# #
# /etc/shorewall/interfaces # /etc/shorewall/interfaces
# #
@ -46,11 +46,6 @@
# a DHCP server running on the firewall or # a DHCP server running on the firewall or
# you have a static IP but are on a LAN # you have a static IP but are on a LAN
# segment with lots of Laptop DHCP clients. # segment with lots of Laptop DHCP clients.
# routestopped - (Deprecated -- use
# /etc/shorewall/routestopped)
# When the firewall is stopped, allow
# and route traffic to and from this
# interface.
# norfc1918 - This interface should not receive # norfc1918 - This interface should not receive
# any packets whose source is in one # any packets whose source is in one
# of the ranges reserved by RFC 1918 # of the ranges reserved by RFC 1918
@ -59,9 +54,6 @@
# enabled in shorewall.conf, packets # enabled in shorewall.conf, packets
# whose destination addresses are # whose destination addresses are
# reserved by RFC 1918 are also rejected. # reserved by RFC 1918 are also rejected.
# multi - This interface has multiple IP
# addresses and you want to be able to
# route between them.
# routefilter - turn on kernel route filtering for this # routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This # interface (anti-spoofing measure). This
# option can also be enabled globally in # option can also be enabled globally in
@ -106,21 +98,19 @@
# local subnet is 192.168.1.0/24. The interface gets # local subnet is 192.168.1.0/24. The interface gets
# it's IP address via DHCP from subnet # it's IP address via DHCP from subnet
# 206.191.149.192/27. You have a DMZ with subnet # 206.191.149.192/27. You have a DMZ with subnet
# 192.168.2.0/24 using eth2. You want to be able to # 192.168.2.0/24 using eth2.
# access the firewall from the local network when the
# firewall is stopped.
# #
# Your entries for this setup would look like: # Your entries for this setup would look like:
# #
# net eth0 206.191.149.223 dhcp # net eth0 206.191.149.223 dhcp
# local eth1 192.168.1.255 routestopped # local eth1 192.168.1.255
# dmz eth2 192.168.2.255 # dmz eth2 192.168.2.255
# #
# Example 2: The same configuration without specifying broadcast # Example 2: The same configuration without specifying broadcast
# addresses is: # addresses is:
# #
# net eth0 detect dhcp # net eth0 detect dhcp
# loc eth1 detect routestopped # loc eth1 detect
# dmz eth2 detect # dmz eth2 detect
# #
# Example 3: You have a simple dial-in system with no ethernet # Example 3: You have a simple dial-in system with no ethernet

2
STABLE/maclist
View File

@ -1,5 +1,5 @@
# #
# Shorewall 1.3 - MAC list file # Shorewall 1.4 - MAC list file
# #
# /etc/shorewall/maclist # /etc/shorewall/maclist
# #

2
STABLE/masq
View File

@ -1,5 +1,5 @@
# #
# Shorewall 1.3 - Masquerade file # Shorewall 1.4 - Masquerade file
# #
# /etc/shorewall/masq # /etc/shorewall/masq
# #

7
STABLE/modules
View File

@ -1,7 +1,12 @@
############################################################################## ##############################################################################
# Shorewall 1.3 /etc/shorewall/modules # Shorewall 1.4 /etc/shorewall/modules
# #
# This file loads the modules needed by the firewall. # This file loads the modules needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
#
loadmodule ip_tables loadmodule ip_tables
loadmodule iptable_filter loadmodule iptable_filter

2
STABLE/nat
View File

@ -1,6 +1,6 @@
############################################################################## ##############################################################################
# #
# Shorewall 1.3 -- Network Address Translation Table # Shorewall 1.4 -- Network Address Translation Table
# #
# /etc/shorewall/nat # /etc/shorewall/nat
# #

24
STABLE/params
View File

@ -1,5 +1,5 @@
# #
# Shorewall 1.3 /etc/shorewall/params # Shorewall 1.4 /etc/shorewall/params
# #
# Assign any variables that you need here. # Assign any variables that you need here.
# #
@ -11,7 +11,7 @@
# #
# NET_IF=eth0 # NET_IF=eth0
# NET_BCAST=130.252.100.255 # NET_BCAST=130.252.100.255
# NET_OPTIONS=noping,norfc1918 # NET_OPTIONS=routefilter,norfc1918
# #
# Example (/etc/shorewall/interfaces record): # Example (/etc/shorewall/interfaces record):
# #
@ -19,25 +19,7 @@
# #
# The result will be the same as if the record had been written # The result will be the same as if the record had been written
# #
# net eth0 130.252.100.255 noping,norfc1918 # net eth0 130.252.100.255 routefilter,norfc1918
# #
# Variables can be used in the following places in the other configuration
# files:
#
# /etc/shorewall/interfaces:
# /etc/shorewall/hosts
#
# All except the first column.
#
# /etc/shorewall/rules
#
# First column after ":".
# All remaining columns
#
# /etc/shorewall/tunnels
# /etc/shorewall/proxyarp
# /etc/shorewall/nat
#
# All columns
############################################################################## ##############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

2
STABLE/policy
View File

@ -1,5 +1,5 @@
# #
# Shorewall 1.3 -- Policy File # Shorewall 1.4 -- Policy File
# #
# /etc/shorewall/policy # /etc/shorewall/policy
# #

2
STABLE/proxyarp
View File

@ -1,6 +1,6 @@
############################################################################## ##############################################################################
# #
# Shorewall 1.3 -- Proxy ARP # Shorewall 1.4 -- Proxy ARP
# #
# /etc/shorewall/proxyarp # /etc/shorewall/proxyarp
# #

151
STABLE/releasenotes.txt
View File

@ -1,105 +1,94 @@
This is a minor release of Shorewall that has a couple of new features. This is a major release of Shorewall.
New features include: Function from 1.3 that has been omitted from this version includes:
1) An OLD_PING_HANDLING option has been added to shorewall.conf. When 1) The MERGE_HOSTS variable in shorewall.conf is no longer
set to Yes, Shorewall ping handling is as it has always been (see supported. Shorewall 1.4 behavior is the same as 1.3 with
http://www.shorewall.net/ping.html). MERGE_HOSTS=Yes.
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and 2) Interface names of the form <device>:<integer> in
policies just like any other connection request. The FORWARDPING /etc/shorewall/interfaces now generate an error.
option in shorewall.conf is ignored and the 'noping' and
'filterping' options in /etc/shorewall/interfaces will generate an
error.
2) It is now possible to direct Shorewall to create a "label" such as 3) Shorewall 1.4 implements behavior consistent with
"eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label at startup as will specification of the 'noping' or 'filterping'
instead of just the interface name: interface options.
a) In the INTERFACE column of /etc/shorewall/masq 4) The 'routestopped' option in the /etc/shorewall/interfaces and
b) In the INTERFACE column of /etc/shorewall/nat /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.
3) The ability to name your VLAN interfaces using the $dev.$vid 5) The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
convention (e.g., "eth0.0") has been restored. This capability was accepted.
inadvertently broken in version 1.3.12.
4) Support has been added for defining OpenVPN tunnels in the 6) The ALLOWRELATED variable in shorewall.conf is no longer
/etc/shorewall/tunnels file. supported. Shorewall 1.4 behavior is the same as 1.3 with
ALLOWRELATED=Yes.
5) When an interface name is entered in the SUBNET column of the 7) The 'multi' interface option is no longer supported. Shorewall will
/etc/shorewall/masq file, Shorewall previously masqueraded traffic generate rules for sending packets back out the same interface
from only the first subnet defined on that interface. It did not that they arrived on in two cases:
masquerade traffic from:
a) The subnets associated with other addresses on the interface. a) There is an _explicit_ policy for the source zone to the
b) Subnets accessed through local routers. destination zone. An explicit policy names both zones and does not
use the 'all' reserved word.
Beginning with Shorewall 1.3.14, if you enter an interface name in b) There are one or more rules for traffic for the source zone to
the SUBNET column, shorewall will use the firewall's routing table or from the destination zone including rules that use the 'all'
to construct the masquerading/SNAT rules. reserved word. Exception: If the source and the destination are
the same zone then the rule must be explicit - it must name the zone
in both the SOURCE and DESTINATION columns.
Example 1 -- This is how it works in 1.3.14. Changes for 1.4 include:
[root@gateway test]# cat /etc/shorewall/masq 1) shorewall.conf has been completely reorganized into logical
#INTERFACE SUBNET ADDRESS sections.
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2 2) LOG is now a valid action for a rule (/etc/shorewall/rules).
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]# ip route show dev eth2 3) The firewall script and version file are now installed in
192.168.1.0/24 scope link /usr/share/shorewall.
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]# shorewall start
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
When upgrading to Shorewall 1.3.14, if you have multiple local 4. Late arriving DNS replies are now silently dropped in the common
subnets connected to an interface that is specified in the SUBNET chain by default.
column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
file will need changing. In most cases, you will simply be able to
remove redundant entries. In some cases though, you might want to change
from using the interface name to listing specific subnetworks if the
change described above will cause masquerading to occur on
subnetworks that you don't wish to masquerade.
Example 2 -- Suppose that your current config is as follows: 5) In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or
policy.
[root@gateway test]# cat /etc/shorewall/masq 6) CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
[root@gateway test]# ip route show dev eth2 7) 802.11b devices with names of the form wlan<n> now support the
192.168.1.0/24 scope link 'maclist' option.
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
In this case, the second entry in /etc/shorewall/masq is no longer 8) IMPORTANT: Shorewall now REQUIRES the iproute package ('ip'
required. utility).
Example 3 -- What if your current configuration is like this? 9) Explicit Congestion Notification (ECN - RFC 3168) may now be turned
off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:
[root@gateway test]# cat /etc/shorewall/masq a) You must be running kernel 2.4.20
#INTERFACE SUBNET ADDRESS b) You must have applied the patch in
eth0 eth2 206.124.146.176 http://www.shorewall/net/pub/shorewall/ecn/patch.
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE c) You must have iptables 1.2.7a installed.
10) The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.
11) Packets with state INVALID are now silently dropped.
12) Shorewall now gives a more helpful diagnostic when the 'ipchains'
compatibility kernel module is loaded and a 'shorewall start'
command is issued.
13) The SHARED_DIR variable has been removed from shorewall.conf. This
variable was for use by package maintainers and was not documented
for general use.
14) Shorewall now ignores 'default' routes when detecting masq'd
networks.
[root@gateway test]# ip route show dev eth2
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
In this case, you would want to change the entry in
/etc/shorewall/masq to:
#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

8
STABLE/rfc1918
View File

@ -1,5 +1,5 @@
# #
# Shorewall 1.3 -- RFC1918 File # Shorewall 1.4 -- RFC1918 File
# #
# /etc/shorewall/rfc1918 # /etc/shorewall/rfc1918
# #
@ -25,7 +25,7 @@
192.0.2.0/24 logdrop # Example addresses 192.0.2.0/24 logdrop # Example addresses
192.168.0.0/16 logdrop # RFC 1918 192.168.0.0/16 logdrop # RFC 1918
# #
# The following are generated using the Python program found at: # The following are generated with the help of the Python program found at:
# #
# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/ # http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
# #
@ -43,6 +43,8 @@
39.0.0.0/8 logdrop # Reserved 39.0.0.0/8 logdrop # Reserved
41.0.0.0/8 logdrop # Reserved 41.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved 42.0.0.0/8 logdrop # Reserved
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved 58.0.0.0/7 logdrop # Reserved
60.0.0.0/8 logdrop # Reserved 60.0.0.0/8 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved 70.0.0.0/7 logdrop # Reserved
@ -53,6 +55,8 @@
96.0.0.0/3 logdrop # Reserved 96.0.0.0/3 logdrop # Reserved
127.0.0.0/8 logdrop # Loopback 127.0.0.0/8 logdrop # Loopback
197.0.0.0/8 logdrop # Reserved 197.0.0.0/8 logdrop # Reserved
198.18.0.0/15 logdrop # Reserved
201.0.0.0/8 logdrop # Reserved - Central & South America
240.0.0.0/4 logdrop # Reserved 240.0.0.0/4 logdrop # Reserved
# #
# End of generated entries # End of generated entries

4
STABLE/routestopped
View File

@ -1,6 +1,6 @@
############################################################################## ##############################################################################
# #
# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped # Shorewall 1.4 -- Hosts Accessible when the Firewall is Stopped
# #
# /etc/shorewall/routestopped # /etc/shorewall/routestopped
# #
@ -12,7 +12,7 @@
# INTERFACE - Interface through which host(s) communicate with # INTERFACE - Interface through which host(s) communicate with
# the firewall # the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet # HOST(S) - (Optional) Comma-separated list of IP/subnet
# addresses. If left empty or supplied as "-", # If left empty or supplied as "-",
# 0.0.0.0/0 is assumed. # 0.0.0.0/0 is assumed.
# #
# Example: # Example:

27
STABLE/rules
View File

@ -1,5 +1,5 @@
# #
# Shorewall version 1.3 - Rules File # Shorewall version 1.4 - Rules File
# #
# /etc/shorewall/rules # /etc/shorewall/rules
# #
@ -30,18 +30,25 @@
# the companion ACCEPT rule. # the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local # REDIRECT -- Redirect the request to a local
# port on the firewall. # port on the firewall.
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
# The source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# #
# May optionally be followed by ":" and a syslog log # May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be # level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level. # logged at the specified level.
# #
# Beginning with Shorewall version 1.3.12, you may # You may also specify ULOG (must be in upper case) as a
# also specify ULOG (must be in upper case) as a log level.\ # log level.This will log to the ULOG target for routing
# This will log to the ULOG target and sent to a separate log # to a separate log through use of ulogd
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd). # (http://www.gnumonks.org/projects/ulogd).
# #
#
# SOURCE Source hosts to which the rule applies. May be a zone # SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the # defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or # firewall itself, or "all" If the ACTION is DNAT or
@ -90,6 +97,8 @@
# 2. In DNAT rules, only IP addresses are # 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses # allowed; no FQDNs or subnet addresses
# are permitted. # are permitted.
# 3. You may not specify both an interface and
# an address.
# #
# The port that the server is listening on may be # The port that the server is listening on may be
# included and separated from the server's IP address by # included and separated from the server's IP address by
@ -106,10 +115,8 @@
# contain the port number on the firewall that the # contain the port number on the firewall that the
# request should be redirected to. # request should be redirected to.
# #
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all" or "related". If "related", the remainder of the # "all".
# entry must be omitted and connection requests that are
# related to existing requests will be accepted.
# #
# DEST PORT(S) Destination Ports. A comma-separated list of Port # DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port # names (from /etc/services), port numbers or port

27
STABLE/shorewall
View File

@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002 # Shorewall Packet Filtering Firewall Control Program - V1.4 - 3/14/2003
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
@ -84,6 +84,7 @@
# #
# Display a chain if it exists # Display a chain if it exists
# #
showfirstchain() # $1 = name of chain showfirstchain() # $1 = name of chain
{ {
awk \ awk \
@ -570,24 +571,11 @@ fi
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHARED_DIR=/usr/lib/shorewall
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
config=$SHOREWALL_DIR/shorewall.conf
else
config=/etc/shorewall/shorewall.conf
fi
if [ -f $config ]; then
. $config
else
echo "$config does not exist!" >&2
exit 2
fi
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
SHARED_DIR=/usr/share/shorewall
FIREWALL=$SHARED_DIR/firewall FIREWALL=$SHARED_DIR/firewall
FUNCTIONS=$SHARED_DIR/functions FUNCTIONS=$SHARED_DIR/functions
VERSION_FILE=$SHARED_DIR/version VERSION_FILE=$SHARED_DIR/version
@ -599,6 +587,15 @@ else
exit 2 exit 2
fi fi
config=`find_file shorewall.conf`
if [ -f $config ]; then
. $config
else
echo "$config does not exist!" >&2
exit 2
fi
if [ ! -f $FIREWALL ]; then if [ ! -f $FIREWALL ]; then
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
if [ -L $FIREWALL ]; then if [ -L $FIREWALL ]; then

373
STABLE/shorewall.conf
View File

@ -1,5 +1,5 @@
############################################################################## ##############################################################################
# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to # /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
# match your setup # match your setup
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
@ -8,12 +8,7 @@
# #
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
############################################################################## ##############################################################################
# # L O G G I N G
# You should not have to change the variables in this section -- they are set
# by the packager of your Shorewall distribution
#
SHARED_DIR=/usr/lib/shorewall
#
############################################################################## ##############################################################################
# #
# General note about log levels. Log levels are a method of describing # General note about log levels. Log levels are a method of describing
@ -45,59 +40,19 @@ SHARED_DIR=/usr/lib/shorewall
# configured to log all Shorewall message to their own log file # configured to log all Shorewall message to their own log file
################################################################################ ################################################################################
# #
# PATH - Change this if you want to change the order in which Shorewall # LOG FILE LOCATION
# searches directories for executable files.
# #
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin # This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/shorewall_logging.html
# LOGFILE=/var/log/messages
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
#
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
#
SUBSYSLOCK=/var/lock/subsys/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/var/lib/shorewall
#
# ALLOW RELATED CONNECTIONS
#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want
# to accept FTP data connections. If you say "no" here, then to accept
# these connections between particular zones or hosts, you must include
# explicit "related" rules in /etc/shorewall/rules.
#
ALLOWRELATED=yes
#
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=
# #
# LOG RATE LIMITING # LOG RATE LIMITING
@ -132,25 +87,122 @@ LOGBURST=
# packets are logged under the 'logunclean' interface option. If the variable # packets are logged under the 'logunclean' interface option. If the variable
# is empty, these packets will still be logged at the 'info' level. # is empty, these packets will still be logged at the 'info' level.
# #
# See the comment at the top of this file for a description of log levels # See the comment at the top of this section for a description of log levels
# #
LOGUNCLEAN=info LOGUNCLEAN=info
# #
# LOG FILE LOCATION # BLACKLIST LOG LEVEL
# #
# This variable tells the /sbin/shorewall program where to look for Shorewall # Set this variable to the syslogd level that you want blacklist packets logged
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then # (beware of DOS attacks resulting from such logging). If not set, no logging
# /var/log/messages is assumed. # of blacklist packets occurs.
# #
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to # See the comment at the top of this section for a description of log levels
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
# #
# http://www.shorewall.net/FAQ.htm#faq6 BLACKLIST_LOGLEVEL=
LOGFILE=/var/log/messages #
# LOGGING 'New not SYN' rejects
#
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# See the comment at the top of this section for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN=
#
# MAC List Log Level
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
# See the comment at the top of this section for a description of log levels
#
MACLIST_LOG_LEVEL=info
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
# See the comment at the top of this section for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=info
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this section for a description of log levels
#
RFC1918_LOG_LEVEL=info
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
#
SUBSYSLOCK=/var/lock/subsys/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/var/lib/shorewall
#
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=
################################################################################
# F I R E W A L L O P T I O N S
################################################################################
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
# #
# ENABLE NAT SUPPORT # ENABLE NAT SUPPORT
@ -214,24 +266,40 @@ ADD_SNAT_ALIASES=No
TC_ENABLED=No TC_ENABLED=No
# #
# BLACKLIST DISPOSITION # Clear Traffic Shapping/Control
# #
# Set this variable to the action that you want to perform on packets from # If this option is set to 'No' then Shorewall won't clear the current
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, # traffic control rules during [re]start. This setting is intended
# DROP is assumed. # for use by people that prefer to configure traffic shaping when
# the network interfaces come up rather than when the firewall
# is started. If that is what you want to do, set TC_ENABLED=Yes and
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
# way, your traffic shaping rules can still use the 'fwmark'
# classifier based on packet marking defined in /etc/shorewall/tcrules.
# #
BLACKLIST_DISPOSITION=DROP # If omitted, CLEAR_TC=Yes is assumed.
CLEAR_TC=Yes
# #
# BLACKLIST LOG LEVEL # Mark Packets in the forward chain
# #
# Set this variable to the syslogd level that you want blacklist packets logged # When processing the tcrules file, Shorewall normally marks packets in the
# (beward of DOS attacks resulting from such logging). If not set, no logging # PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# of blacklist packets occurs. # this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
# #
# See the comment at the top of this file for a description of log levels # Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
# #
BLACKLIST_LOGLEVEL= # Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
# #
# MSS CLAMPING # MSS CLAMPING
@ -335,39 +403,6 @@ MULTIPORT=No
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No
#
# MERGE HOSTS FILE
#
# The traditional behavior of the /etc/shorewall/hosts file has been that
# if that file has ANY entry for a zone then the zone must be defined
# entirely in the hosts file. This is counter-intuitive and has caused
# people some problems.
#
# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
# are added to the contents described in the /etc/shorewall/interfaces file.
#
# Example: Suppose that we have the following interfaces and hosts files:
#
# Interfaces:
#
# net eth0
# loc eth1
# - ppp+
#
# Hosts:
#
# loc ppp+:192.168.1.0/24
# wrk ppp+:!192.168.1.0/24
#
# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just
# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
# ppp+:192.168.1.0 and eth1:0.0.0.0/0
#
# If this variable is not set or is set to the empty value, "No" is assumed.
MERGE_HOSTS=Yes
# #
# MUTEX TIMEOUT # MUTEX TIMEOUT
# #
@ -383,36 +418,6 @@ MERGE_HOSTS=Yes
MUTEX_TIMEOUT=60 MUTEX_TIMEOUT=60
#
# LOGGING 'New not SYN' rejects
#
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# See the comment at the top of this file for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN=
#
# Old Ping Handling
#
# If this option is set to "Yes" then Shorewall will use its old ping handling
# facility including the FORWARDPING option in this file and the 'noping' and
# 'filterping' interface options. If this option is set to 'No' then ping
# is handled via policy and rules just like any other connection request.
#
# If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND
# DON'T DELETE IT!!!!!!
#
OLD_PING_HANDLING=No
# #
# NEWNOTSYN # NEWNOTSYN
# #
@ -430,6 +435,18 @@ OLD_PING_HANDLING=No
NEWNOTSYN=No NEWNOTSYN=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
#
# BLACKLIST DISPOSITION
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
# #
# MAC List Disposition # MAC List Disposition
# #
@ -441,18 +458,6 @@ NEWNOTSYN=No
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
#
# MAC List Log Level
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
MACLIST_LOG_LEVEL=info
# #
# TCP FLAGS Disposition # TCP FLAGS Disposition
# #
@ -463,64 +468,4 @@ MACLIST_LOG_LEVEL=info
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=info
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this file for a description of log levels
#
RFC1918_LOG_LEVEL=info
#
# Mark Packets in the forward chain
#
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
#
# Clear Traffic Shapping/Control
#
# If this option is set to 'No' then Shorewall won't clear the current
# traffic control rules during [re]start. This setting is intended
# for use by people that prefer to configure traffic shaping when
# the network interfaces come up rather than when the firewall
# is started. If that is what you want to do, set TC_ENABLED=Yes and
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
# way, your traffic shaping rules can still use the 'fwmark'
# classifier based on packet marking defined in /etc/shorewall/tcrules.
#
# If omitted, CLEAR_TC=Yes is assumed.
CLEAR_TC=Yes
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE

32
STABLE/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.3.14 %define version 1.4.0
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -15,7 +15,7 @@ Source: %{name}-%{version}.tgz
URL: http://www.shorewall.net/ URL: http://www.shorewall.net/
BuildArch: noarch BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRoot: %{_tmppath}/%{name}-%{version}-root
Requires: iptables Requires: iptables iproute
Conflicts: kernel <= 2.2 Conflicts: kernel <= 2.2
%description %description
@ -71,11 +71,10 @@ fi
%files %files
/etc/init.d/shorewall /etc/init.d/shorewall
%attr(0700,root,root) %dir /etc/shorewall %attr(0700,root,root) %dir /etc/shorewall
%attr(0700,root,root) %dir /usr/lib/shorewall %attr(0700,root,root) %dir /usr/share/shorewall
%attr(0700,root,root) %dir /var/lib/shorewall %attr(0700,root,root) %dir /var/lib/shorewall
%attr(0600,root,root) /usr/lib/shorewall/version %attr(0600,root,root) /usr/share/shorewall/version
%attr(0600,root,root) /etc/shorewall/common.def %attr(0600,root,root) /etc/shorewall/common.def
%attr(0600,root,root) /etc/shorewall/icmp.def
%attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf %attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones %attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy %attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
@ -98,15 +97,30 @@ fi
%attr(0600,root,root) %config(noreplace) /etc/shorewall/start %attr(0600,root,root) %config(noreplace) /etc/shorewall/start
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stop %attr(0600,root,root) %config(noreplace) /etc/shorewall/stop
%attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped %attr(0600,root,root) %config(noreplace) /etc/shorewall/stopped
%attr(0600,root,root) %config(noreplace) /etc/shorewall/ecn
%attr(0544,root,root) /sbin/shorewall %attr(0544,root,root) /sbin/shorewall
%attr(0444,root,root) /usr/lib/shorewall/functions %attr(0444,root,root) /usr/share/shorewall/functions
%attr(0544,root,root) /usr/lib/shorewall/firewall %attr(0544,root,root) /usr/share/shorewall/firewall
%doc documentation %doc documentation
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Fri Feb 07 2003 Tom Eastep <tom@shorewall.net> * Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.14-1 - Changed version to 1.4.0-1
* Fri Mar 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.0-0RC2
* Wed Mar 05 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.0-0RC1
* Mon Feb 24 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.0-0Beta2
* Sun Feb 23 2003 Tom Eastep <tom@shorewall.net>
- Add ecn file
* Fri Feb 21 2003 Tom Eastep <tom@shorewall.net>
- Changes version to 1.4.0-0Beta1
* Thu Feb 06 2003 Tom Eastep <tom@shorewall.net>
- Changes version to 1.4.0Alpha1
- Delete icmp.def
- Move firewall and version to /usr/share/shorewall
* Tue Feb 04 2003 Tom Eastep <tom@shorewall.net> * Tue Feb 04 2003 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.14-0RC1 - Changes version to 1.3.14-0RC1
* Tue Jan 28 2003 Tom Eastep <tom@shorewall.net> * Tue Jan 28 2003 Tom Eastep <tom@shorewall.net>

2
STABLE/start
View File

@ -1,5 +1,5 @@
############################################################################ ############################################################################
# Shorewall 1.3 -- /etc/shorewall/start # Shorewall 1.4 -- /etc/shorewall/start
# #
# Add commands below that you want to be executed after shorewall has # Add commands below that you want to be executed after shorewall has
# been started or restarted. # been started or restarted.

2
STABLE/stop
View File

@ -1,5 +1,5 @@
############################################################################ ############################################################################
# Shorewall 1.3 -- /etc/shorewall/stop # Shorewall 1.4 -- /etc/shorewall/stop
# #
# Add commands below that you want to be executed at the beginning of a # Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command. # "shorewall stop" command.

2
STABLE/stopped
View File

@ -1,5 +1,5 @@
############################################################################ ############################################################################
# Shorewall 1.3 -- /etc/shorewall/stopped # Shorewall 1.4 -- /etc/shorewall/stopped
# #
# Add commands below that you want to be executed at the completion of a # Add commands below that you want to be executed at the completion of a
# "shorewall stop" command. # "shorewall stop" command.

2
STABLE/tcrules
View File

@ -1,5 +1,5 @@
# #
# Shorewall version 1.3 - Traffic Control Rules File # Shorewall version 1.4 - Traffic Control Rules File
# #
# /etc/shorewall/tcrules # /etc/shorewall/tcrules
# #

2
STABLE/tos
View File

@ -1,5 +1,5 @@
# #
# Shorewall 1.3 -- /etc/shorewall/tos # Shorewall 1.4 -- /etc/shorewall/tos
# #
# This file defines rules for setting Type Of Service (TOS) # This file defines rules for setting Type Of Service (TOS)
# #

2
STABLE/tunnel
View File

@ -2,7 +2,7 @@
RCDLINKS="2,S45 3,S45 6,K45" RCDLINKS="2,S45 3,S45 6,K45"
################################################################################ ################################################################################
# Script to create a gre or ipip tunnel -- Shorewall 1.3 # Script to create a gre or ipip tunnel -- Shorewall 1.4
# #
# Modified - Steve Cowles 5/9/2000 # Modified - Steve Cowles 5/9/2000
# Incorporated init {start|stop} syntax and iproute2 usage # Incorporated init {start|stop} syntax and iproute2 usage

2
STABLE/tunnels
View File

@ -1,5 +1,5 @@
# #
# Shorewall 1.3 - /etc/shorewall/tunnels # Shorewall 1.4 - /etc/shorewall/tunnels
# #
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels. # This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
# #

3
STABLE/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.14 VERSION=1.4.0
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -108,6 +108,7 @@ fi
rm -rf /etc/shorewall rm -rf /etc/shorewall
rm -rf /usr/lib/shorewall rm -rf /usr/lib/shorewall
rm -rf /var/lib/shorewall rm -rf /var/lib/shorewall
rm -rf /usr/share/shorewall
echo "Shorewall Uninstalled" echo "Shorewall Uninstalled"

2
STABLE/zones
View File

@ -1,5 +1,5 @@
# #
# Shorewall 1.3 /etc/shorewall/zones # Shorewall 1.4 /etc/shorewall/zones
# #
# This file determines your network zones. Columns are: # This file determines your network zones. Columns are:
# #