Update graphics and articles

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1964 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-02-19 17:53:51 +00:00
parent 8f82eb2f6a
commit f3ab4762f5
6 changed files with 87 additions and 68 deletions


@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-02-13</pubdate>
<pubdate>2005-02-17</pubdate>
<copyright>
<year>2004</year>
@ -401,6 +401,25 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}</programlisting>
<warning>
<para>If you have hosts that access the internet through an IPSEC
tunnel, then it is a good idea to set the MSS value for traffic from
those hosts explicitly in the
<filename>/etc/shorewall/ipsec</filename> file. For example, if hosts
in the <emphasis role="bold">sec</emphasis> zone access the internet
through an ESP tunnel then the following entry would be
appropriate:</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
sec yes mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting>
<para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename>
isn't effective with the 2.6 native IPSEC implementation because there
is no separate ipsec device with a lower mtu as there was under the
2.4 and earlier kernels.</para>
</warning>
</blockquote>
</section>
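Review bot: the new warning tells the reader to set an MSS but never says how 1400 was chosen, so "mss=1400" reads as a magic number; suggest one sentence noting that the value has to leave room for the ESP tunnel-mode encapsulation that is added after the clamp, and that 1400 is a conservative figure rather than one derived from a measured path MTU. It would also help to say explicitly that "mss=1400" belongs in the IN OPTIONS column, since that placement is what makes it apply to connections originating in the sec zone, and the two-row column header ("IN OUT" over "OPTIONS OPTIONS") makes the boundary between the OPTIONS and IN OPTIONS columns easy to misread.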
@ -732,9 +751,10 @@ all all REJECT info
<section>
<title>IPSEC and <trademark>Windows</trademark> XP</title>
<para>I have successfully configured my work laptop to use IPSEC for
wireless IP communication when it is undocked at home. I looked at dozens
of sites and the one I found most helpful was <ulink
<para>I have successfully configured my work laptop to use IPSEC with
X.509 certificates for wireless IP communication when it is undocked at
home. I looked at dozens of sites and the one I found most helpful was
<ulink
url="http://ipsec.math.ucla.edu/services/ipsec-windows.html">http://ipsec.math.ucla.edu/services/ipsec-windows.html</ulink>.
The instructions on that site are directed to students at UCLA but they
worked fine for me (once I followed them very carefully).</para>
@ -748,7 +768,7 @@ all all REJECT info
<para>One piece of information that may not be so easy to find is "How
to I generate a PKCS#12 certificate to import into Windows?". Here's the
openssl command I used:</para>
openssl command that I used:</para>
<programlisting><command>openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPSEC Cert for Home Wireless"</command> </programlisting>
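Review bot: the "openssl pkcs12 -export" command in this hunk packages only the client certificate and its key; if the issuing CA is not already trusted on the Windows machine the chain will not verify after import, so the text should mention "-certfile" to bundle the CA certificate into the .pfx as well. Since the .pfx carries the private key, it is also worth stating that the export password that openssl prompts for is what protects the file in transit and that it should be deleted once imported.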
@ -775,7 +795,7 @@ all all REJECT info
<listitem>
<para>"IPSEC Cert for Home Wireless" is the friendly name for the
certificate.I</para>
certificate.</para>
</listitem>
</itemizedlist>

Binary file not shown.

File diff suppressed because one or more lines are too long

Binary file not shown.


@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-02-15</pubdate>
<pubdate>2005-02-17</pubdate>
<copyright>
<year>2001-2005</year>
@ -214,7 +214,6 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
<blockquote>
<para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt;
NTPSERVERS=&lt;list of the NTP servers I sync with&gt;
TEXAS=&lt;ip address of gateway in Plano&gt;
LOG=ULOG
WIFI_IF=eth0
EXT_IF=eth2
@ -231,7 +230,6 @@ DMZ_IF=eth1</programlisting></para>
net Internet Internet
dmz DMZ Demilitarized zone
loc Local Local networks
tx Texas Peer Network in Dallas
Wifi Wireless Wirewall Network
sec Secure Secure Wireless Zone
vpn OpenVPN Open VPN Clients
@ -251,7 +249,6 @@ vpn OpenVPN Open VPN Clients
net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blacklist,tcpflags,nosmurfs
loc $INT_IF detect dhcp
dmz $DMZ_IF -
- texas -
vpn tun+ -
Wifi $WIFI_IF - maclist,dhcp
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
@ -263,7 +260,6 @@ Wifi $WIFI_IF - maclist,dhcp
<blockquote>
<programlisting>#ZONE HOST(S) OPTIONS
tx texas:192.168.8.0/22
sec $WIFI_IF:192.168.3.0/24
sec $EXT_IF:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
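Review bot: with the tx entry gone the sec zone is still declared as "sec $EXT_IF:0.0.0.0/0", which reads like a wildcard; because the ipsec file in this same commit marks sec as IPSEC ONLY = Yes, membership is decided by the packet having been decapsulated from an IPsec SA rather than by its source address, which is the intended behaviour but deserves a one-line comment next to the entry so a reader copying this file does not drop the ipsec entry and leave the wildcard behind.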
@ -274,11 +270,15 @@ sec $EXT_IF:0.0.0.0/0
<title>Ipsec File</title>
<para><blockquote>
<para>Note the mss=1400 IN option. This causes TCP connections
originating in the secure wireless zone to have their MSS set to
1400 so that misconfigured routers on the internet don't cause
problems with non-fragmentable packets larger than that.</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
sec Yes mode=tunnel mss=1400
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote></para>
</section>
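Review bot: the explanation added above the ipsec file attributes the clamp to misconfigured routers on the internet, while the warning added to the IPSEC article in this same commit attributes it to hosts reaching the internet through an ESP tunnel; both are true, but a reader of this file gets only half the story. Suggest saying that the ESP encapsulation added for the wireless hosts is what pushes full-size segments past the path MTU, and that the clamp is there so the setup does not depend on PMTU discovery working end to end.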
@ -348,10 +348,7 @@ sec Wifi NONE
fw Wifi ACCEPT
loc vpn ACCEPT
$FW loc ACCEPT
$FW tx ACCEPT
loc tx ACCEPT
loc fw REJECT $LOG
dmz tx ACCEPT
net all DROP $LOG 10/sec:40
all all REJECT $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
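Review bot: the firewall zone is written two ways in the surviving lines of this hunk, "$FW loc ACCEPT" against "loc fw REJECT $LOG" and "fw Wifi ACCEPT"; the documentation hunk in this commit moves to "$FW", so the example policy file should be made consistent with it while the tx lines are being removed, otherwise the example contradicts the text it illustrates.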
@ -406,12 +403,10 @@ $EXT_IF:: eth2 206.124.146.176
</section>
<section>
<title>Tunnels File (Shell variable TEXAS set in
/etc/shorewall/params)</title>
<title>Tunnels</title>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
gre net $TEXAS
openvpn:1194 net 0.0.0.0/0
openvpn:1194 Wifi 192.168.3.0/24
ipsec Wifi 192.168.3.0/24 sec
@ -476,8 +471,8 @@ DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP sy
<blockquote>
<programlisting>##########################################################################################################################################################################
#####
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL RATE USER
# PORT(S) DEST:SNAT SET
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL RATE USER/
# PORT(S) DEST GROUP
##########################################################################################################################################################################
#####
# Local Network to Internet - Reject attempts by Trojans to call home, direct SMTP and MS Message Service
@ -583,10 +578,10 @@ AllowPing net dmz
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home.
# When I'm "on the road", the following two rules allow me VPN access back home using PPTP.
#
DNAT net loc:192.168.1.4 tcp 1723 -
DNAT net:!$TEXAS loc:192.168.1.4 gre -
DNAT net loc:192.168.1.4 gre -
ACCEPT net loc:192.168.1.5 tcp 22
#
# ICQ
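Review bot: dropping ":!$TEXAS" from the GRE DNAT follows from removing the tunnel, but the comment above the two PPTP rules should say that both now accept from all of "net"; GRE has no port to narrow on, so if the road-warrior source addresses are ever known, the "net:" qualifier on that line is the place to restrict them. The comment block is also the natural place to record why "ACCEPT net loc:192.168.1.5 tcp 22" just below is left open from anywhere.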
@ -667,7 +662,6 @@ ACCEPT fw dmz udp
REJECT fw dmz udp 137:139
##########################################################################################################################################################################
#####
ACCEPT tx loc:192.168.1.5 all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>


@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-01-14</pubdate>
<pubdate>2005-02-19</pubdate>
<copyright>
<year>2001-2005</year>
@ -279,12 +279,16 @@
<listitem>
<para>SOURCE - The source of the packet. If the packet originates on
the firewall, place <quote>fw</quote> in this column. Otherwise, this
the firewall, place <quote>$FW</quote> in this column. Otherwise, this
is a comma-separated list of interface names, IP addresses, MAC
addresses in Shorewall Format and/or Subnets.</para>
<para>Examples <programlisting> eth0
192.168.2.4,192.168.1.0/24</programlisting></para>
<para>Beginning with Shorewall version 2.2.2, "$fw" may be optionally
followed by a colon (":") and a host/net address or an address
range.</para>
</listitem>
<listitem>
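Review bot: the new paragraph writes the variable as "$fw" while the line it documents in the same hunk is changed to "$FW"; shell variable names are case-sensitive and the rest of the hunk uses "$FW", so the paragraph should read that "$FW" may optionally be followed by a colon and a host/net address or an address range. An example such as "$FW:192.168.1.1" in the existing "Examples" programlisting would also make the new syntax concrete.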