Shorewall 1.4.5

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@603 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-06-18 20:03:19 +00:00
parent ea38e5f72b
commit f556717fc5
21 changed files with 11625 additions and 10655 deletions

File diff suppressed because it is too large

@ -49,9 +49,9 @@
<p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with <p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with
port forwarding</a></p> port forwarding</a></p>
<p align="left"><b>1c. </b><a href="#faq1c">From the internet, I want to <b>connect <p align="left"><b>1c. </b><a href="#faq1c">From the internet, I want to
to port 1022</b> on my firewall and have the <b>firewall forward the connection <b>connect to port 1022</b> on my firewall and have the <b>firewall forward
to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br> the connection to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
</p> </p>
<h1><b>DNS and PORT FORWARDING/NAT<br> <h1><b>DNS and PORT FORWARDING/NAT<br>
@ -65,10 +65,10 @@ to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918 <p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
subnet and I use <b>static NAT</b> to assign subnet and I use <b>static NAT</b> to assign
non-RFC1918 addresses to hosts in Z. Hosts in Z non-RFC1918 addresses to hosts in Z. Hosts in Z cannot
cannot communicate with each other using their external communicate with each other using their external (non-RFC1918
(non-RFC1918 addresses) so they <b>can't access each other addresses) so they <b>can't access each other using their
using their DNS names.</b></a></p> DNS names.</b></a></p>
<h1><b>NETMEETING/MSN<br> <h1><b>NETMEETING/MSN<br>
</b></h1> </b></h1>
@ -96,7 +96,7 @@ how I change my rules.
I <b> can't ping</b> through the firewall</a><br> I <b> can't ping</b> through the firewall</a><br>
<b><br> <b><br>
15. </b><a href="#faq15"><b>My local systems can't see 15. </b><a href="#faq15"><b>My local systems can't see
out to the net</b></a></p> out to the net</b></a></p>
<h1>LOGGING<br> <h1>LOGGING<br>
</h1> </h1>
@ -136,8 +136,8 @@ out to the net</b></a></p>
<h1>STARTING AND STOPPING<br> <h1>STARTING AND STOPPING<br>
</h1> </h1>
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using <p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using 'shorewall
'shorewall stop', I can't connect to anything</b>. Why doesn't that command stop', I can't connect to anything</b>. Why doesn't that command
work?</a></p> work?</a></p>
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall <p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
@ -151,9 +151,9 @@ out to the net</b></a></p>
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect <p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
my interfaces </b>properly at startup?</a></p> my interfaces </b>properly at startup?</a></p>
<b>22. </b><a href="#faq22">I have <b>22. </b><a href="#faq22">I
some <b>iptables commands </b>that I want to <b>run when Shorewall have some <b>iptables commands </b>that I want to <b>run when
starts.</b> Which file do I put them in?</a><br> Shorewall starts.</b> Which file do I put them in?</a><br>
<h1>ABOUT SHOREWALL<br> <h1>ABOUT SHOREWALL<br>
</h1> </h1>
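Review bot: the question-9 index entry links to href="FAQ.htm#faq9" while every other entry in this index uses a bare fragment (href="#faq1b", href="#faq22", ...); since this hunk already re-wraps the neighbouring entry, change it to href="#faq9" so the index is consistent and keeps working if the file is renamed or served under another name.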
@ -161,8 +161,7 @@ out to the net</b></a></p>
<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does <p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does
it work with?</a></p> it work with?</a></p>
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it <p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it support?</a></p>
support?</a></p>
<p align="left"><b>12. </b><a href="#faq12">Is there a <b>GUI?</b></a></p> <p align="left"><b>12. </b><a href="#faq12">Is there a <b>GUI?</b></a></p>
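Review bot: the index entry numbered 11 ("What features does it support?") points at href="#faq18", whereas every other entry's anchor matches its own number; confirm that the body really anchors that answer as faq18 and, if not, change the link to href="#faq11", otherwise readers of the index land on the wrong answer.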
@ -195,12 +194,13 @@ external interface, <b>my DHCP client cannot renew its lease</b>
<h1>MISCELLANEOUS<br> <h1>MISCELLANEOUS<br>
</h1> </h1>
<b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b> <b>19. </b><a href="#faq19">I have added <b>entries to
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br> /etc/shorewall/tcrules</b> but they <b>don't </b>seem to <b>do
anything</b>. Why?</a><br>
<br> <br>
<b>20. </b><a href="#faq20">I <b>20. </b><a href="#faq20">I
have just set up a server. <b>Do I have to change Shorewall have just set up a server. <b>Do I have to change Shorewall
to allow access to my server from the internet?</b></a><br> to allow access to my server from the internet?</b></a><br>
<br> <br>
<b>24. </b><a href="#faq24">How can I <b>allow <b>24. </b><a href="#faq24">How can I <b>allow
conections</b> to let's say the ssh port only<b> from specific conections</b> to let's say the ssh port only<b> from specific
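Review bot: "conections" in the question-24 index line is misspelled on both the old and the new side of this hunk; since the line is being re-wrapped anyway, correct it to "connections".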
@ -323,8 +323,8 @@ to allow access to my server from the internet?</b></a><br>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
Finally, if you need to forward a range of ports, in Finally, if you need to forward a range of ports,
the PORT column specify the range as <i>low-port</i>:<i>high-port</i>.<br> in the PORT column specify the range as <i>low-port</i>:<i>high-port</i>.<br>
<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions <h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions
but it doesn't work</h4> but it doesn't work</h4>
@ -333,13 +333,13 @@ to allow access to my server from the internet?</b></a><br>
things:</p> things:</p>
<ul> <ul>
<li>You are trying <li>You are
to test from inside your firewall (no, that won't trying to test from inside your firewall (no, that
work -- see <a href="#faq2">FAQ #2</a>).</li> won't work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have <li>You have
a more basic problem with your local system such as a more basic problem with your local system such as
an incorrect default gateway configured (it should be an incorrect default gateway configured (it should be set
set to the IP address of your firewall's internal interface).</li> to the IP address of your firewall's internal interface).</li>
<li>Your ISP is blocking that particular port inbound.<br> <li>Your ISP is blocking that particular port inbound.<br>
</li> </li>
@ -348,41 +348,41 @@ set to the IP address of your firewall's internal interface).</l
<h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port <h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port
forwarding</h4> forwarding</h4>
<b>Answer: </b>To further <b>Answer: </b>To further
diagnose this problem:<br> diagnose this problem:<br>
<ul> <ul>
<li>As root, type "iptables <li>As root, type "iptables
-t nat -Z". This clears the NetFilter counters in the -t nat -Z". This clears the NetFilter counters in the
nat table.</li> nat table.</li>
<li>Try to connect to the <li>Try to connect to
redirected port from an external host.</li> the redirected port from an external host.</li>
<li>As root type "shorewall <li>As root type "shorewall
show nat"</li> show nat"</li>
<li>Locate the appropriate <li>Locate the appropriate
DNAT rule. It will be in a chain called <i>&lt;source DNAT rule. It will be in a chain called <i>&lt;source
zone&gt;</i>_dnat ('net_dnat' in the above examples).</li> zone&gt;</i>_dnat ('net_dnat' in the above examples).</li>
<li>Is the packet count <li>Is the packet count
in the first column non-zero? If so, the connection in the first column non-zero? If so, the connection
request is reaching the firewall and is being redirected to request is reaching the firewall and is being redirected
the server. In this case, the problem is usually a missing to the server. In this case, the problem is usually a missing
or incorrect default gateway setting on the server (the server's or incorrect default gateway setting on the server (the server's
default gateway should be the IP address of the firewall's default gateway should be the IP address of the firewall's
interface to the server).</li> interface to the server).</li>
<li>If the packet count <li>If the packet count
is zero:</li> is zero:</li>
<ul> <ul>
<li>the connection request <li>the connection request
is not reaching your server (possibly it is being blocked is not reaching your server (possibly it is being blocked
by your ISP); or</li> by your ISP); or</li>
<li>you are trying to <li>you are trying to
connect to a secondary IP address on your firewall and connect to a secondary IP address on your firewall and
your rule is only redirecting the primary IP address (You need your rule is only redirecting the primary IP address (You
to specify the secondary IP address in the "ORIG. DEST." column need to specify the secondary IP address in the "ORIG. DEST."
in your DNAT rule); or</li> column in your DNAT rule); or</li>
<li>your DNAT rule doesn't <li>your DNAT rule doesn't
match the connection request in some other way. In match the connection request in some other way. In that
that case, you may have to use a packet sniffer such as tcpdump case, you may have to use a packet sniffer such as tcpdump
or ethereal to further diagnose the problem.<br> or ethereal to further diagnose the problem.<br>
</li> </li>
@ -391,8 +391,8 @@ that case, you may have to use a packet sniffer such as tcpdump
</ul> </ul>
<h4 align="left"><a name="faq1c"></a><b>1c. </b>From the internet, I want <h4 align="left"><a name="faq1c"></a><b>1c. </b>From the internet, I want
to connect to port 1022 on my firewall and have the firewall forward to connect to port 1022 on my firewall and have the firewall forward the
the connection to port 22 on local system 192.168.1.3. How do I do that?</h4> connection to port 22 on local system 192.168.1.3. How do I do that?</h4>
<div align="left"> <div align="left">
<blockquote> <blockquote>
@ -430,28 +430,28 @@ the connection to port 22 on local system 192.168.1.3. How do I do that?</h4>
</div> </div>
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com <h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
(IP 130.151.100.69) to system 192.168.1.5 in (IP 130.151.100.69) to system 192.168.1.5 in my
my local network. External clients can browse http://www.mydomain.com local network. External clients can browse http://www.mydomain.com
but internal clients can't.</h4> but internal clients can't.</h4>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p> <p align="left"><b>Answer: </b>I have two objections to this setup.</p>
<ul> <ul>
<li>Having an <li>Having an
internet-accessible server in your local network internet-accessible server in your local network
is like raising foxes in the corner of your hen house. If is like raising foxes in the corner of your hen house. If
the server is compromised, there's nothing between that the server is compromised, there's nothing between
server and your other internal systems. For the cost of that server and your other internal systems. For the cost
another NIC and a cross-over cable, you can put your server of another NIC and a cross-over cable, you can put your
in a DMZ such that it is isolated from your local systems - server in a DMZ such that it is isolated from your local systems
assuming that the Server can be located near the Firewall, of course - assuming that the Server can be located near the Firewall,
:-)</li> of course :-)</li>
<li>The accessibility <li>The accessibility
problem is best solved using <a problem is best solved using <a
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a> href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
(or using a separate DNS server for local clients) such that www.mydomain.com (or using a separate DNS server for local clients) such that www.mydomain.com
resolves to 130.141.100.69 externally and 192.168.1.5 resolves to 130.141.100.69 externally and 192.168.1.5
internally. That's what I do here at shorewall.net for my internally. That's what I do here at shorewall.net for my
local systems that use static NAT.</li> local systems that use static NAT.</li>
</ul> </ul>
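Review bot: the worked example in FAQ 2 uses two different addresses for www.mydomain.com: the question says "IP 130.151.100.69" but the answer says it "resolves to 130.141.100.69 externally"; one of these is a typo and the example should use the same address throughout, otherwise a reader copying the split-DNS setup ends up with the wrong external record.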
@ -464,8 +464,8 @@ local systems that use static NAT.</li>
</p> </p>
<p align="left">If you are running Shorewall 1.4.0 or earlier see <a <p align="left">If you are running Shorewall 1.4.0 or earlier see <a
href="1.3/FAQ.htm#faq2">the 1.3 FAQ</a> for instructions suitable for href="1.3/FAQ.htm#faq2">the 1.3 FAQ</a> for instructions suitable for those
those releases.<br> releases.<br>
</p> </p>
<p align="left">If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please <p align="left">If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
@ -617,21 +617,21 @@ those releases.<br>
so they can't access each other using their DNS names.</h4> so they can't access each other using their DNS names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved <p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both using Bind Version 9 "views". It allows both external
external and internal clients to access a NATed and internal clients to access a NATed host using
host using the host's DNS name.</p> the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from <p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts static NAT to Proxy ARP. That way, the hosts
in Z have non-RFC1918 addresses and can be accessed in Z have non-RFC1918 addresses and can be accessed
externally and internally using the same address. </p> externally and internally using the same address. </p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z <p align="left">If you don't like those solutions and prefer routing all
traffic through your firewall then:</p> Z-&gt;Z traffic through your firewall then:</p>
<p align="left">a) Set the Z-&gt;Z policy to ACCEPT.<br> <p align="left">a) Set the Z-&gt;Z policy to ACCEPT.<br>
b) Masquerade Z b) Masquerade
to itself.<br> Z to itself.<br>
<br> <br>
Example:</p> Example:</p>
@ -722,11 +722,10 @@ to itself.<br>
<p align="left"><b>Answer: </b>There is an <a <p align="left"><b>Answer: </b>There is an <a
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
tracking/NAT module</a> that may help with Netmeeting. tracking/NAT module</a> that may help with Netmeeting.
Look <a href="http://linux-igd.sourceforge.net">here</a> for Look <a href="http://linux-igd.sourceforge.net">here</a> for a
a solution for MSN IM but be aware that there are significant security solution for MSN IM but be aware that there are significant security
risks involved with this solution. Also check the Netfilter risks involved with this solution. Also check the Netfilter mailing
mailing list archives at <a list archives at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.
href="http://www.netfilter.org">http://www.netfilter.org</a>.
</p> </p>
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
@ -734,16 +733,16 @@ mailing list archives at <a
as 'closed' rather than 'blocked'. Why?</h4> as 'closed' rather than 'blocked'. Why?</h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x <p align="left"><b>Answer: </b>The common.def included with version 1.3.x
always rejects connection requests on TCP always rejects connection requests on TCP port
port 113 rather than dropping them. This is necessary 113 rather than dropping them. This is necessary
to prevent outgoing connection problems to services that to prevent outgoing connection problems to services
use the 'Auth' mechanism for identifying requesting users. that use the 'Auth' mechanism for identifying requesting
Shorewall also rejects TCP ports 135, 137 and 139 as well users. Shorewall also rejects TCP ports 135, 137 and 139
as UDP ports 137-139. These are ports that are used by Windows as well as UDP ports 137-139. These are ports that are used
(Windows <u>can</u> be configured to use the DCE cell locator by Windows (Windows <u>can</u> be configured to use the DCE cell
on port 135). Rejecting these connection requests rather than locator on port 135). Rejecting these connection requests rather
dropping them cuts down slightly on the amount of Windows chatter than dropping them cuts down slightly on the amount of Windows chatter
on LAN segments connected to the Firewall. </p> on LAN segments connected to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably <p align="left">If you are seeing port 80 being 'closed', that's probably
your ISP preventing you from running a web your ISP preventing you from running a web
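Review bot: the FAQ 4 answer still opens with "The common.def included with version 1.3.x always rejects connection requests on TCP port 113" even though this commit is for the 1.4.5 release; if common.def in 1.4.x rejects port 113 and TCP 135/137/139 plus UDP 137-139 in the same way, drop the "1.3.x" qualifier (or say "1.3.x and later"), otherwise the answer reads as if it no longer applies to the current version.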
@ -755,22 +754,21 @@ server in violation of your Service Agreement.</p>
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page <p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
section about UDP scans. If nmap gets <b>nothing</b> section about UDP scans. If nmap gets <b>nothing</b>
back from your firewall then it reports the port back from your firewall then it reports the port
as open. If you want to see which UDP ports are really open, as open. If you want to see which UDP ports are really
temporarily change your net-&gt;all policy to REJECT, open, temporarily change your net-&gt;all policy to REJECT,
restart Shorewall and do the nmap UDP scan again.<br> restart Shorewall and do the nmap UDP scan again.<br>
</p> </p>
<h4><a name="faq4b"></a>4b. I have a port that I can't close no matter how <h4><a name="faq4b"></a>4b. I have a port that I can't close no matter how
I change my rules. </h4> I change my rules. </h4>
I had a rule that allowed telnet from my local network to my firewall; I had a rule that allowed telnet from my local network to my firewall;
I removed that rule and restarted Shorewall but my telnet session still I removed that rule and restarted Shorewall but my telnet session still works!!!<br>
works!!!<br>
<br> <br>
<b>Answer: </b> Rules only govern the establishment of new connections. <b>Answer: </b> Rules only govern the establishment of new connections.
Once a connection is established through the firewall it will be usable until Once a connection is established through the firewall it will be usable
disconnected (tcp) or until it times out (other protocols).  If you stop until disconnected (tcp) or until it times out (other protocols).  If you
telnet and try to establish a new session your firerwall will block that stop telnet and try to establish a new session your firerwall will block
attempt.<br> that attempt.<br>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I <h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
can't ping through the firewall</h4> can't ping through the firewall</h4>
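Review bot: "your firerwall will block that attempt" in the FAQ 4b answer is a typo for "firewall" carried over unchanged by this re-wrap; fix it while the paragraph is being touched.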
@ -781,7 +779,7 @@ attempt.<br>
<p align="left">a) Create /etc/shorewall/common if it doesn't already exist. <p align="left">a) Create /etc/shorewall/common if it doesn't already exist.
<br> <br>
b) Be sure that b) Be sure that
the first command in the file is ". /etc/shorewall/common.def"<br> the first command in the file is ". /etc/shorewall/common.def"<br>
c) Add the following c) Add the following
to /etc/shorewall/common </p> to /etc/shorewall/common </p>
@ -796,15 +794,15 @@ the first command in the file is ". /etc/shorewall/common.def"<br>
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written <h4 align="left"><a name="faq6"></a>6. Where are the log messages written
and how do I change the destination?</h4> and how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog <p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
(see "man openlog") and you get to choose the log level (again, see "man facility (see "man openlog") and you get to choose the log level (again,
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
href="Documentation.htm#Rules">rules</a>. The destination for messaged and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure When you have changed /etc/syslog.conf, be sure
to restart syslogd (on a RedHat system, "service syslog to restart syslogd (on a RedHat system, "service syslog
restart"). </p> restart"). </p>
<p align="left">By default, older versions of Shorewall ratelimited log messages <p align="left">By default, older versions of Shorewall ratelimited log messages
through <a href="Documentation.htm#Conf">settings</a> through <a href="Documentation.htm#Conf">settings</a>
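Review bot: "The destination for messaged logged by syslog is controlled by /etc/syslog.conf" should read "messages"; the typo is present on both sides of this reflowed paragraph and is easy to fix here.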
@ -860,12 +858,12 @@ to log all messages, set: </p>
<li>They are corrupted reply packets.</li> <li>They are corrupted reply packets.</li>
</ol> </ol>
You can distinguish the difference by setting the You can distinguish the difference by setting
<b>logunclean</b> option (<a the <b>logunclean</b> option (<a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>) href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>)
on your external interface (eth0 in the above example). If they get on your external interface (eth0 in the above example). If they get
logged twice, they are corrupted. I solve this problem by using an logged twice, they are corrupted. I solve this problem by using
/etc/shorewall/common file like this:<br> an /etc/shorewall/common file like this:<br>
<blockquote> <blockquote>
<pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre> <pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
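Review bot: the sample rule in the common file is written "-mstate --state NEW"; iptables accepts the attached form because the match name is parsed as the argument of -m, but every other Shorewall document and the iptables man page spell it "-m state", and "-mstate" is easy to misread as a single unknown option, so write "run_iptables -A common -p udp --sport 53 -m state --state NEW -j DROP".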
@ -903,10 +901,10 @@ to log all messages, set: </p>
that command work?</h4> that command work?</h4>
<p align="left">The 'stop' command is intended to place your firewall into <p align="left">The 'stop' command is intended to place your firewall into
a safe state whereby only those hosts listed a safe state whereby only those hosts listed in
in /etc/shorewall/routestopped' are activated. /etc/shorewall/routestopped' are activated. If
If you want to totally open up your firewall, you must use you want to totally open up your firewall, you must use the
the 'shorewall clear' command. </p> 'shorewall clear' command. </p>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat, <h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
I get messages about insmod failing -- what's wrong?</h4> I get messages about insmod failing -- what's wrong?</h4>
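Review bot: "/etc/shorewall/routestopped'" in the FAQ 7 answer has a stray trailing apostrophe with no opening quote; either quote both ends ('/etc/shorewall/routestopped') or, like the other file names in this FAQ, leave it unquoted, and while editing note that the sentence should say "are accessible" rather than "are activated", since routestopped lists hosts that remain reachable, not hosts that get started.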
@ -950,9 +948,9 @@ the 'shorewall clear' command. </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net <p align="left"><b>Answer: </b>The above output is perfectly normal. The
zone is defined as all hosts that are connected through eth0 and the local Net zone is defined as all hosts that are connected through eth0 and the
zone is defined as all hosts connected through eth1</p> local zone is defined as all hosts connected through eth1</p>
</div> </div>
<h4 align="left"><a name="faq10"></a>10. What Distributions does it work <h4 align="left"><a name="faq10"></a>10. What Distributions does it work
@ -983,8 +981,8 @@ the 'shorewall clear' command. </p>
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem <h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
and it has an internal web server that allows and it has an internal web server that allows
me to configure/monitor it but as expected if I me to configure/monitor it but as expected if I enable
enable rfc1918 blocking for my eth0 interface (the internet rfc1918 blocking for my eth0 interface (the internet
one), it also blocks the cable modems web server.</h4> one), it also blocks the cable modems web server.</h4>
<p align="left">Is there any way it can add a rule before the rfc1918 blocking <p align="left">Is there any way it can add a rule before the rfc1918 blocking
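Review bot: "it also blocks the cable modems web server" in the FAQ 14 heading is missing the possessive apostrophe ("cable modem's web server"); the heading is being re-wrapped here, so fix it in the same change.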
@ -992,8 +990,9 @@ one), it also blocks the cable modems web server.</h4>
address of the modem in/out but still block all other address of the modem in/out but still block all other
rfc1918 addresses?</p> rfc1918 addresses?</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier <p align="left"><b>Answer: </b>If you are running a version of Shorewall
than 1.3.1, create /etc/shorewall/start and in it, place the following:</p> earlier than 1.3.1, create /etc/shorewall/start and in it, place the
following:</p>
<div align="left"> <div align="left">
<pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre> <pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
@ -1030,9 +1029,9 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
</p> </p>
<p align="left">Note: If you add a second IP address to your external firewall <p align="left">Note: If you add a second IP address to your external firewall
interface to correspond to the modem address, interface to correspond to the modem address, you
you must also make an entry in /etc/shorewall/rfc1918 must also make an entry in /etc/shorewall/rfc1918 for
for that address. For example, if you configure the address that address. For example, if you configure the address
192.168.100.2 on your firewall, then you would add two entries 192.168.100.2 on your firewall, then you would add two entries
to /etc/shorewall/rfc1918: <br> to /etc/shorewall/rfc1918: <br>
</p> </p>
@ -1071,10 +1070,10 @@ for that address. For example, if you configure the address
</div> </div>
<div align="left"> <div align="left">
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP <h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
1918 filtering on my external interface, my DHCP client cannot renew its RFC 1918 filtering on my external interface, my DHCP client cannot renew
lease.</h4> its lease.</h4>
</div> </div>
<div align="left"> <div align="left">
@ -1107,7 +1106,7 @@ lease.</h4>
<p align="left">The DNS settings on the local systems are wrong or the <p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall user is running a DNS server on the firewall
and hasn't enabled UDP and TCP port 53 from the and hasn't enabled UDP and TCP port 53 from the
firewall to the internet.</p> firewall to the internet.</p>
</li> </li>
</ol> </ol>
@ -1115,7 +1114,9 @@ firewall to the internet.</p>
<h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages <h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages
all over my console making it unusable!</h4> all over my console making it unusable!</h4>
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command <p align="left"><b>Answer: </b>If you are running Shorewall version 1.4.4
or 1.4.4a then check the <a href="errata.htm">errata.</a> Otherwise, see
the 'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command
to your startup scripts or place it in /etc/shorewall/start. to your startup scripts or place it in /etc/shorewall/start.
Under RedHat, the max log level that is sent Under RedHat, the max log level that is sent
to the console is specified in /etc/sysconfig/init in to the console is specified in /etc/sysconfig/init in
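Review bot: the rewritten FAQ 16 answer sends 1.4.4/1.4.4a users to the errata and everyone else to the dmesg man page, but still never shows the command it tells them they "must add"; since the whole point of the entry is to stop kernel log messages reaching the console, quote the invocation in the answer (dmesg -n sets the console log level, e.g. "dmesg -n 1" so that only emergency messages are printed on the console) and then say where to put it (startup scripts or /etc/shorewall/start), rather than relying on the reader to work it out from the man page.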
@ -1125,33 +1126,32 @@ the LOGLEVEL variable.<br>
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting <h4><a name="faq17"></a>17. How do I find out why this traffic is getting
logged?</h4> logged?</h4>
<b>Answer: </b>Logging <b>Answer: </b>Logging
occurs out of a number of chains (as indicated in the occurs out of a number of chains (as indicated in
log message) in Shorewall:<br> the log message) in Shorewall:<br>
<ol> <ol>
<li><b>man1918 - </b>The <li><b>man1918 -
destination address is listed in /etc/shorewall/rfc1918 </b>The destination address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li> href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>rfc1918</b> <li><b>rfc1918</b>
- The source address is listed in /etc/shorewall/rfc1918 - The source address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li> href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>all2&lt;zone&gt;</b>, <li><b>all2&lt;zone&gt;</b>,
<b>&lt;zone&gt;2all</b> or <b>all2all <b>&lt;zone&gt;2all</b> or <b>all2all
</b>- You have a<a href="Documentation.htm#Policy"> policy</a> </b>- You have a<a href="Documentation.htm#Policy"> policy</a> that
that specifies a log level and this packet is being specifies a log level and this packet is being logged
logged under that policy. If you intend to ACCEPT this under that policy. If you intend to ACCEPT this traffic
traffic then you need a <a href="Documentation.htm#Rules">rule</a> to then you need a <a href="Documentation.htm#Rules">rule</a> to that effect.<br>
that effect.<br>
</li> </li>
<li><b>&lt;zone1&gt;2&lt;zone2&gt; <li><b>&lt;zone1&gt;2&lt;zone2&gt;
</b>- Either you have a<a </b>- Either you have a<a
href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt; href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt;
</b>to <b>&lt;zone2&gt;</b> that specifies a log level and </b>to <b>&lt;zone2&gt;</b> that specifies a log level and
this packet is being logged under that policy or this packet this packet is being logged under that policy or this packet
matches a <a href="Documentation.htm#Rules">rule</a> that matches a <a href="Documentation.htm#Rules">rule</a> that includes
includes a log level.</li> a log level.</li>
<li><b>&lt;interface&gt;_mac</b> <li><b>&lt;interface&gt;_mac</b>
- The packet is being logged under the <b>maclist</b> - The packet is being logged under the <b>maclist</b>
<a href="Documentation.htm#Interfaces">interface option</a>.<br> <a href="Documentation.htm#Interfaces">interface option</a>.<br>
@ -1168,17 +1168,18 @@ includes a log level.</li>
- The packet is being logged because the source IP - The packet is being logged because the source IP
is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
</a>file.</li> </a>file.</li>
<li><b>newnotsyn </b>- <li><b>newnotsyn
The packet is being logged because it is a TCP packet </b>- The packet is being logged because it is a
that is not part of any current connection yet it is not a TCP packet that is not part of any current connection yet
syn packet. Options affecting the logging of such packets include it is not a syn packet. Options affecting the logging of such
<b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in packets include <b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li> </b>in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or <li><b>INPUT</b> or
<b>FORWARD</b> - The packet has a source IP address <b>FORWARD</b> - The packet has a source IP address
that isn't in any of your defined zones ("shorewall check" that isn't in any of your defined zones ("shorewall check"
and look at the printed zone definitions) or the chain is FORWARD and look at the printed zone definitions) or the chain is
and the destination IP isn't in any of your defined zones.</li> FORWARD and the destination IP isn't in any of your defined
zones.</li>
<li><b>logflags </b>- The packet <li><b>logflags </b>- The packet
is being logged because it failed the checks implemented is being logged because it failed the checks implemented
by the <b>tcpflags </b><a by the <b>tcpflags </b><a
@ -1204,9 +1205,9 @@ the tcrules file are simply being ignored.<br>
the internet?</b><br> the internet?</b><br>
</h4> </h4>
Yes. Consult the <a Yes. Consult the <a
href="shorewall_quickstart_guide.htm">QuickStart guide</a> that href="shorewall_quickstart_guide.htm">QuickStart guide</a> that you
you used during your initial setup for information about how to set used during your initial setup for information about how to set up
up rules for your server.<br> rules for your server.<br>
<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally; <h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
what are they?<br> what are they?<br>
@ -1221,10 +1222,10 @@ you used during your initial setup for information about how to set
<b>Answer: </b>While most people <b>Answer: </b>While most people
associate the Internet Control Message Protocol (ICMP) associate the Internet Control Message Protocol (ICMP)
with 'ping', ICMP is a key piece of the internet. ICMP is with 'ping', ICMP is a key piece of the internet. ICMP is
used to report problems back to the sender of a packet; this used to report problems back to the sender of a packet; this is
is what is happening here. Unfortunately, where NAT is involved what is happening here. Unfortunately, where NAT is involved (including
(including SNAT, DNAT and Masquerade), there are a lot of broken SNAT, DNAT and Masquerade), there are a lot of broken implementations.
implementations. That is what you are seeing with these messages.<br> That is what you are seeing with these messages.<br>
<br> <br>
Here is my interpretation of what Here is my interpretation of what
is happening -- to confirm this analysis, one would have is happening -- to confirm this analysis, one would have
@ -1233,47 +1234,46 @@ to have packet sniffers placed a both ends of the connection.<br>
Host 172.16.1.10 behind NAT gateway Host 172.16.1.10 behind NAT gateway
206.124.146.179 sent a UDP DNS query to 192.0.2.3 and 206.124.146.179 sent a UDP DNS query to 192.0.2.3 and
your DNS server tried to send a response (the response information your DNS server tried to send a response (the response information
is in the brackets -- note source port 53 which marks this as is in the brackets -- note source port 53 which marks this as a
a DNS reply). When the response was returned to to 206.124.146.179, DNS reply). When the response was returned to to 206.124.146.179,
it rewrote the destination IP TO 172.16.1.10 and forwarded the it rewrote the destination IP TO 172.16.1.10 and forwarded the packet
packet to 172.16.1.10 who no longer had a connection on UDP port to 172.16.1.10 who no longer had a connection on UDP port 2857.
2857. This causes a port unreachable (type 3, code 3) to be generated This causes a port unreachable (type 3, code 3) to be generated back
back to 192.0.2.3. As this packet is sent back through 206.124.146.179, to 192.0.2.3. As this packet is sent back through 206.124.146.179,
that box correctly changes the source address in the packet to 206.124.146.179 that box correctly changes the source address in the packet to 206.124.146.179
but doesn't reset the DST IP in the original DNS response similarly. but doesn't reset the DST IP in the original DNS response similarly.
When the ICMP reaches your firewall (192.0.2.3), your firewall has When the ICMP reaches your firewall (192.0.2.3), your firewall has
no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't
appear to be related to anything that was sent. The final result appear to be related to anything that was sent. The final result
is that the packet gets logged and dropped in the all2all chain. I is that the packet gets logged and dropped in the all2all chain. I have
have also seen cases where the source IP in the ICMP itself isn't set also seen cases where the source IP in the ICMP itself isn't set back
back to the external IP of the remote NAT gateway; that causes your to the external IP of the remote NAT gateway; that causes your firewall
firewall to log and drop the packet out of the rfc1918 chain because to log and drop the packet out of the rfc1918 chain because the source
the source IP is reserved by RFC 1918.<br> IP is reserved by RFC 1918.<br>
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that <h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
I want to <b>run when Shorewall starts.</b> Which file do I want to <b>run when Shorewall starts.</b> Which file do
I put them in?</h4> I put them in?</h4>
You can place these commands in You can place these commands in
one of the <a href="shorewall_extension_scripts.htm">Shorewall Extension one of the <a href="shorewall_extension_scripts.htm">Shorewall Extension
Scripts</a>. Be sure that you look at the contents of the chain(s) that Scripts</a>. Be sure that you look at the contents of the chain(s) that
you will be modifying with your commands to be sure that the you will be modifying with your commands to be sure that the
commands will do what they are intended. Many iptables commands commands will do what they are intended. Many iptables commands
published in HOWTOs and other instructional material use the -A command published in HOWTOs and other instructional material use the -A
which adds the rules to the end of the chain. Most chains that Shorewall command which adds the rules to the end of the chain. Most chains
constructs end with an unconditional DROP, ACCEPT or REJECT rule and that Shorewall constructs end with an unconditional DROP, ACCEPT or
any rules that you add after that will be ignored. Check "man iptables" REJECT rule and any rules that you add after that will be ignored.
and look at the -I (--insert) command.<br> Check "man iptables" and look at the -I (--insert) command.<br>
<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your <h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
web site?</h4> web site?</h4>
The Shorewall web site is almost font neutral The Shorewall web site is almost font neutral
(it doesn't explicitly specify fonts except on a few pages) so (it doesn't explicitly specify fonts except on a few pages)
the fonts you see are largely the default fonts configured in your so the fonts you see are largely the default fonts configured in
browser. If you don't like them then reconfigure your browser.<br> your browser. If you don't like them then reconfigure your browser.<br>
<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say <h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
the ssh port only<b> from specific IP Addresses</b> on the the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
internet?</h4>
In the SOURCE column of the rule, follow "net" In the SOURCE column of the rule, follow "net"
by a colon and a list of the host/subnet addresses as a comma-separated by a colon and a list of the host/subnet addresses as a comma-separated
list.<br> list.<br>
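Review bot: the rewrapped FAQ 21 answer and FAQ 24 heading carry over two typos that were already on the old side: "returned to to 206.124.146.179" (doubled "to") and "allow conections"; since these lines are being touched anyway, make them "returned to 206.124.146.179" and "allow connections". In the FAQ 22 answer, "Be sure that you look at the contents of the chain(s) ... to be sure that the commands will do what they are intended" repeats "be sure" and the last clause reads better as "will do what you intend".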
@ -1292,14 +1292,10 @@ internet?</h4>
<br> <br>
<font color="#009900"><b> /sbin/shorewall version</b></font><br> <font color="#009900"><b> /sbin/shorewall version</b></font><br>
<br> <br>
<font size="2">Last updated 4/14/2003 - <a <font size="2">Last updated 5/29/2003 - <a
href="support.htm">Tom Eastep</a></font> href="support.htm">Tom Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -28,15 +28,15 @@
<h2><font color="#660066">Configuring FreeS/Wan</font></h2> <h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a There is an excellent guide to configuring IPSEC tunnels at<a
href="http://www.geocities.com/jixen66/"> http://www.geocities.com/jixen66/</a> href="http://www.geocities.com/jixen66/"> http://www.geocities.com/jixen66/</a>
. I highly recommend that you consult that site for information about confuring . I highly recommend that you consult that site for information about configuring
FreeS/Wan.  FreeS/Wan. 
<p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and <p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and
FreeS/Wan on the same system unless you are prepared to suffer the consequences. FreeS/Wan on the same system unless you are prepared to suffer the consequences.
If you start or restart Shorewall with an IPSEC tunnel active, the proxied If you start or restart Shorewall with an IPSEC tunnel active, the proxied
IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX)
rather than to the interface that you specify in the INTERFACE column of rather than to the interface that you specify in the INTERFACE column
/etc/shorewall/proxyarp. I haven't had the time to debug this problem so of /etc/shorewall/proxyarp. I haven't had the time to debug this problem
I can't say if it is a bug in the Kernel or in FreeS/Wan. </p> so I can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
<p>You <b>might</b> be able to work around this problem using the following <p>You <b>might</b> be able to work around this problem using the following
(I haven't tried it):</p> (I haven't tried it):</p>
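Review bot: product-name spelling is inconsistent within this file: this hunk writes "FreeS/Wan" (and correctly fixes "confuring" to "configuring") while the link text at the end of the tunnel setup in the later hunk reads "FreeS/WAN"; pick one form. The non-breaking space left after "FreeS/Wan." on the same line is editor residue and can be dropped.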
@ -115,9 +115,9 @@ I can't say if it is a bug in the Kernel or in FreeS/Wan.
</blockquote> </blockquote>
<p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway <p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway
then the tunnels file entry on the <u><b>other</b></u> endpoint should specify then the tunnels file entry on the <u><b>other</b></u> endpoint should
a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the GATEWAY specify a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the
address should specify the external address of the NAT gateway.<br> GATEWAY address should specify the external address of the NAT gateway.<br>
</p> </p>
<p align="left">You need to define a zone for the remote subnet or include <p align="left">You need to define a zone for the remote subnet or include
@ -199,8 +199,353 @@ created a zone called "vpn" to represent the remote subnet.</p>
shorewall restart); you are now ready to configure the tunnel in <a shorewall restart); you are now ready to configure the tunnel in <a
href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a> .</p> href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a> .</p>
<h2><font color="#660066"><a name="RoadWarrior"></a> Mobile System (Road <h2><a name="VPNHub"></a>VPN Hub</h2>
Warrior)</font></h2> Shorewall can be used in a VPN Hub environment where multiple remote networks
are connected to a gateway running Shorewall. This environment is shown in
this diatram.<br>
<div align="center"><img src="images/ThreeNets.png"
alt="(Three networks linked with IPSEC)" width="750" height="781">
<br>
</div>
<p align="left">We want systems in the 192.168.1.0/24 sub-network to be able
to communicate with systems in the 10.0.0.0/16 and 10.1.0.0/16 networks
and we want the 10.0.0.0/16 and 10.1.0.0/16 networks to be able to communicate.</p>
<p align="left">To make this work, we need to do several things:</p>
<p align="left">a) Open the firewall so that two IPSEC tunnels can be established
(allow the ESP and AH protocols and UDP Port 500). </p>
<p align="left">b) Allow traffic through the tunnels two/from the local zone
(192.168.1.0/24).<br>
</p>
<p align="left">c) Deny traffic through the tunnels between the two remote
networks.<br>
</p>
<p align="left">Opening the firewall for the IPSEC tunnels is accomplished
by adding two entries to the /etc/shorewall/tunnels file.</p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following </p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec<br>
</td>
<td>net</td>
<td>134.28.54.2</td>
<td> </td>
</tr>
<tr>
<td valign="top">ipsec<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">130.152.100.14<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on systems B and C, we would have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>206.161.148.9</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"></p>
<p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway
then the tunnels file entry on the <u><b>other</b></u> endpoint should
specify a tunnel type of <i>ipsecnat</i> rather than <i>ipsec<br>
</i> and the GATEWAY address should specify the external address of the
NAT gateway.<br>
</p>
<p align="left">On each system, we will create a zone to represent the remote
networks. On System A:<br>
</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn1</td>
<td>VPN1</td>
<td>Remote Subnet on system B</td>
</tr>
<tr>
<td valign="top">vpn2<br>
</td>
<td valign="top">VPN2<br>
</td>
<td valign="top">Remote Subnet on system C<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">On systems B and C:<br>
</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet on system A</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">At system A, ipsec0 represents two zones so we have the following
in /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> ZONE</strong></td>
<td><strong> INTERFACE</strong></td>
<td><strong> BROADCAST</strong></td>
<td><strong> OPTIONS</strong></td>
</tr>
<tr>
<td>-<br>
</td>
<td>ipsec0</td>
<td> </td>
<td><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">The /etc/shorewall/hosts file on system A defines the two
VPN zones:<br>
</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> ZONE</strong></td>
<td><strong> HOSTS</strong><br>
</td>
<td><strong> OPTIONS</strong></td>
</tr>
<tr>
<td>vpn1<br>
</td>
<td>ipsec0:10.0.0.0/16</td>
<td><br>
</td>
</tr>
<tr>
<td valign="top">vpn2<br>
</td>
<td valign="top">ipsec0:10.1.0.0/16<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">At systems B and C, ipsec0 represents a single zone so we
have the following in /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> ZONE</strong></td>
<td><strong> INTERFACE</strong></td>
<td><strong> BROADCAST</strong></td>
<td><strong> OPTIONS</strong></td>
</tr>
<tr>
<td>vpn<br>
</td>
<td>ipsec0</td>
<td> </td>
<td><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<p align="left">On systems A, you will need to allow traffic between the "vpn1"
zone and the "loc" zone as well as between "vpn2" and the "loc" zone
-- if you simply want to admit all traffic in both directions, you
can use the following policy file entries on all three gateways:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn1</td>
<td>ACCEPT</td>
<td> </td>
</tr>
<tr>
<td>vpn1</td>
<td>loc</td>
<td>ACCEPT</td>
<td> </td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">vpn2<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">vpn2<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">On systems B and C, you will need to allow traffic between
the "vpn" zone and the "loc" zone -- if you simply want to admit all
traffic in both directions, you can use the following policy file entries
on all three gateways:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td> </td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">Once you have the Shorewall entries added, restart Shorewall
on each gateway (type shorewall restart); you are now ready to configure
the tunnels in <a href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a>
.</p>
Note that to allow traffic between the networks attached to systems B and
C, it is necessary to simply add two additional entries to the /etc/shorewall/policy
file on system A.<br>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>vpn1<br>
</td>
<td>vpn2</td>
<td>ACCEPT</td>
<td> </td>
</tr>
<tr>
<td>vpn2</td>
<td>vpn1<br>
</td>
<td>ACCEPT</td>
<td> </td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h2><font color="#660066"><a name="RoadWarrior"></a> </font>Mobile System
(Road Warrior)</h2>
<p>Suppose that you have a laptop system (B) that you take with you when you <p>Suppose that you have a laptop system (B) that you take with you when you
travel and you want to be able to establish a secure connection back to your travel and you want to be able to establish a secure connection back to your
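Review bot: the new VPN Hub section contradicts itself on whether the two remote networks may talk to each other: the goal paragraph says "we want the 10.0.0.0/16 and 10.1.0.0/16 networks to be able to communicate", requirement c) then says "Deny traffic through the tunnels between the two remote networks", and the closing note adds vpn1/vpn2 ACCEPT policy entries to allow it again; make the three statements agree (for example, state c) as the default and present the final two entries as the optional way to relax it). Second, both policy-file paragraphs say the entries can be used "on all three gateways", but the vpn1/vpn2 entries only make sense on system A (those zones exist only in A's zones file) and the vpn entries only on B and C; reword each to name the gateway it applies to. Typos: "diatram" for "diagram", "two/from" for "to/from", "On systems A" for "On system A". Markup: the <br> inside <i>ipsec<br></i> puts a line break in the middle of the NAT note (which otherwise repeats the note from the earlier hunk verbatim); there is an empty <p align="left"></p> after the B/C tunnels table; and the moved <font color="#660066"> now wraps only the RoadWarrior anchor, so the Mobile System heading loses its color, while the new VPN Hub <h2> has no color at all even though "Configuring FreeS/Wan" does.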
@ -266,9 +611,9 @@ system.</p>
</p> </p>
<h2><a name="Dynamic"></a>Dynamic RoadWarrior Zones</h2> <h2><a name="Dynamic"></a>Dynamic RoadWarrior Zones</h2>
Beginning with Shorewall release 1.3.10, you can define multiple VPN zones Beginning with Shorewall release 1.3.10, you can define multiple VPN
and add and delete remote endpoints dynamically using /sbin/shorewall. In zones and add and delete remote endpoints dynamically using /sbin/shorewall.
/etc/shorewall/zones:<br> In /etc/shorewall/zones:<br>
<br> <br>
<blockquote> <blockquote>
@ -342,15 +687,15 @@ system.</p>
</table> </table>
<br> <br>
</blockquote> </blockquote>
When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall When Shorewall is started, the zones vpn[1-3] will all be empty and
will issue warnings to that effect. These warnings may be safely ignored. Shorewall will issue warnings to that effect. These warnings may be safely
FreeS/Wan may now be configured to have three different Road Warrior connections ignored. FreeS/Wan may now be configured to have three different Road Warrior
with the choice of connection being based on X-509 certificates or some connections with the choice of connection being based on X-509 certificates
other means. Each of these connectioins will utilize a different updown or some other means. Each of these connectioins will utilize a different
script that adds the remote station to the appropriate zone when the connection updown script that adds the remote station to the appropriate zone when the
comes up and that deletes the remote station when the connection comes down. connection comes up and that deletes the remote station when the connection
For example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of comes down. For example, when 134.28.54.2 connects for the vpn2 zone the
the script will issue the command":<br> 'up' part of the script will issue the command":<br>
<br> <br>
<blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br> <blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
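Review bot: the rewrapped Dynamic RoadWarrior Zones paragraph keeps "connectioins" (for "connections") and the stray quotation mark in "will issue the command":"; both are on lines this hunk already changes, so fix them here.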
@ -359,13 +704,15 @@ the script will issue the command":<br>
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn<br> <blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn<br>
<br> <br>
</blockquote> </blockquote>
<h3>Limitations of Dynamic Zones</h3> <h3>Limitations of Dynamic Zones</h3>
If you include a dynamic zone in the exclude list of a DNAT rule, the dynamically-added If you include a dynamic zone in the exclude list of a DNAT rule, the dynamically-added
hosts are not excluded from the rule.<br> hosts are not excluded from the rule.<br>
<br> <br>
Example with dyn=dynamic zone:<br> Example with dyn=dynamic zone:<br>
<br> <br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="2" border="1"> <table cellpadding="2" cellspacing="2" border="1">
<tbody> <tbody>
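Review bot: the "down" example deletes the host from zone vpn ("/sbin/shorewall delete ipsec0:134.28.54.2 vpn") while the "up" example just above it added the same host to vpn2 ("/sbin/shorewall add ipsec0:134.28.54.2 vpn2"); the zone names should match (vpn2), otherwise the delete shown does not undo the add shown.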
@ -381,10 +728,10 @@ Example with dyn=dynamic zone:<br>
<td valign="top"><u><b>PORT(S)<br> <td valign="top"><u><b>PORT(S)<br>
</b></u></td> </b></u></td>
<td valign="top"><u><b>CLIENT<br> <td valign="top"><u><b>CLIENT<br>
PORT(S)<br> PORT(S)<br>
</b></u></td> </b></u></td>
<td valign="top"><u><b>ORIGINAL<br> <td valign="top"><u><b>ORIGINAL<br>
DESTINATION<br> DESTINATION<br>
</b></u></td> </b></u></td>
</tr> </tr>
<tr> <tr>
@ -403,19 +750,18 @@ DESTINATION<br>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
Dynamic changes to the zone <b>dyn</b> will have no effect on the above rule. Dynamic changes to the zone <b>dyn</b> will have no effect on the above
rule.
<p><font size="2">Last updated 5/3//2003 - </font><font size="2"> <a <p><font size="2">Last updated 6/10//2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2"> Copyright</font> © <font <p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br> </p>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>
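Review bot: the footer date still carries the doubled slash, "Last updated 6/10//2003" (it was "5/3//2003" before this change); write it as 6/10/2003.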

View File

@ -16,7 +16,6 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">MAC Verification</font><br> <h1 align="center"><font color="#ffffff">MAC Verification</font><br>
</h1> </h1>
<br> <br>
@ -27,9 +26,9 @@
</table> </table>
<br> <br>
All traffic from an interface or from a subnet on an interface All traffic from an interface or from a subnet on an interface
can be verified to originate from a defined set of MAC addresses. Furthermore, can be verified to originate from a defined set of MAC addresses. Furthermore,
each MAC address may be optionally associated with one or more IP addresses. each MAC address may be optionally associated with one or more IP addresses.
<br> <br>
<br> <br>
<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC <b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
- module name ipt_mac.o).</b><br> - module name ipt_mac.o).</b><br>
@ -43,11 +42,11 @@ this option is specified, all traffic arriving on the interface is subjet
to MAC verification.</li> to MAC verification.</li>
<li>The <b>maclist </b>option in <a <li>The <b>maclist </b>option in <a
href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option
is specified for a subnet, all traffic from that subnet is subject to MAC is specified for a subnet, all traffic from that subnet is subject to
verification.</li> MAC verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate <li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.</li> with MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
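Review bot: the unchanged context line shown in this hunk's header, "all traffic arriving on the interface is subjet to MAC verification", misspells "subject"; since the surrounding list is being rewrapped, include that fix.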
@ -64,9 +63,9 @@ not logged.<br>
<ul> <ul>
<li>INTERFACE - The name of an ethernet interface on the Shorewall <li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li> system.</li>
<li>MAC - The MAC address of a device on the ethernet segment connected <li>MAC - The MAC address of a device on the ethernet segment
by INTERFACE. It is not necessary to use the Shorewall MAC format in connected by INTERFACE. It is not necessary to use the Shorewall MAC format
this column although you may use that format if you so choose.</li> in this column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses <li>IP Address - An optional comma-separated list of IP addresses
for the device whose MAC is listed in the MAC column.</li> for the device whose MAC is listed in the MAC column.</li>
@ -78,35 +77,44 @@ this column although you may use that format if you so choose.</li>
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre> <pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
<b>/etc/shorewall/interfaces:</b><br> <b>/etc/shorewall/interfaces:</b><br>
<pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,maclist<br> dmz eth1 192.168.2.255<br> net eth3 206.124.146.255 blacklist<br> - texas 192.168.9.255<br> loc ppp+<br></pre> <blockquote>
<pre>#ZONE INTERFACE BROADCAST OPTIONS<br>net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc eth2 192.168.1.255 dhcp<br>dmz eth1 192.168.2.255<br>wap eth3 192.168.3.255 dhcp,maclist<br>- texas 192.168.9.255</pre>
</blockquote>
<b>/etc/shorewall/maclist:</b><br> <b>/etc/shorewall/maclist:</b><br>
<pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:A0:CC:DB:31:C4 192.168.1.128/26 #PPTP Clients to server on Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre> <blockquote>
As shown above, I use MAC Verification on my local zone.<br> <pre>#INTERFACE MAC IP ADDRESSES (Optional)<br>eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop<br>eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11<br>eth3 00:06:25:56:33:3c #WET11<br>eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER</pre>
</blockquote>
As shown above, I use MAC Verification on my wireless zone.<br>
<br>
<b>Note: </b>The WET11 is a somewhat curious device; when forwarding DHCP
traffic, it uses the MAC address of the host (TIPPER) but for other forwarded
traffic it uses it's own MAC address. Consequently, I don't assign the WET11
a fixed IP address in /etc/shorewall/maclist.<br>
<h3>Example 2: Router in Local Zone</h3> <h3>Example 2: Router in Local Zone</h3>
Suppose now that I add a second ethernet segment to my local zone Suppose now that I add a second wireless segment to my wireless
and gateway that segment via a router with MAC address 00:06:43:45:C6:15 zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15
and IP address 192.168.1.253. Hosts in the second segment have IP addresses and IP address 192.168.3.253. Hosts in the second segment have IP addresses
in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist in the subnet 192.168.4.0/24. I would add the following entry to my /etc/shorewall/maclist
file:<br> file:<br>
<pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre> <pre> eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.1.253) This entry accomodates traffic from the router itself (192.168.3.253)
and from the second LAN segment (192.168.2.0/24). Remember that all traffic and from the second wireless segment (192.168.4.0/24). Remember that
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded all traffic being sent to my firewall from the 192.168.4.0/24 segment
by the router so that traffic's MAC address will be that of the router will be forwarded by the router so that traffic's MAC address will be
(00:06:43:45:C6:15) and not that of the host sending the traffic. that of the router (00:06:43:45:C6:15) and not that of the host sending
the traffic.
<p><font size="2"> Updated 2/21/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 6/10/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>
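Review bot: the "Example 2: Router in Local Zone" heading was not updated along with its body, which now says "add a second wireless segment to my wireless zone" and uses eth3 and 192.168.3.253/192.168.4.0/24; rename it to match (Router in Wireless Zone). The footer "Updated 6/10/2002" looks like a typo for 2003: the companion IPSEC page in this same commit is dated 6/10//2003 and the copyright line directly below already runs through 2003. Typos: "it's own MAC address" should be "its own", and "accomodates" (present on both sides) should be "accommodates". On the content: the new WET11 note and the router example together make a point worth stating once up front in this page, namely that maclist matches whatever MAC the last hop on the segment presents, so a bridge or router entry with an empty IP column (the WET11 line) admits any source address arriving from that MAC; say explicitly that leaving the IP ADDRESSES column empty means the address is not checked, rather than leaving it to be inferred from "(Optional)".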

File diff suppressed because it is too large Load Diff

View File

@ -41,9 +41,10 @@
height="60" alt="Caution" align="middle"> height="60" alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br> &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13"
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to height="13">
run as a transparent proxy as described at <a &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured
to run as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br> href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br> <b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13" </b><b><img src="images/BD21298_3.gif" alt="" width="13"
@ -52,19 +53,22 @@
/etc/shorewall/start and /etc/shorewall/init -- if you don't have those /etc/shorewall/start and /etc/shorewall/init -- if you don't have those
files, siimply create them.<br> files, siimply create them.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone
or in the local zone, that zone must be defined ONLY by its interface or in the local zone, that zone must be defined ONLY by its interface --
-- no /etc/shorewall/hosts file entries. That is because the packets being no /etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP addresses.<br> routed to the Squid server still have their original destination IP addresses.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your
Squid server.<br> Squid server.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13"
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your height="13">
/etc/shorewall/conf file<br> </b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in
your /etc/shorewall/conf file<br>
<br> <br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br> &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font </font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
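Review bot: two defects in the unchanged context of this hunk are worth fixing while the paragraph is being reflowed: "siimply create them" should read "simply create them", and "your /etc/shorewall/conf file" names a file that does not exist; the NAT_ENABLED=Yes setting shown just below it lives in /etc/shorewall/shorewall.conf, which is the name used elsewhere on this page.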
@ -74,11 +78,11 @@ Squid server.<br>
<ol> <ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
on the Firewall.</a></li> on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in
the local network</a></li> the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in
DMZ</a></li> the DMZ</a></li>
</ol> </ol>
@ -86,9 +90,9 @@ the local network</a></li>
You want to redirect all local www connection requests EXCEPT You want to redirect all local www connection requests EXCEPT
those to your own those to your own
http server (206.124.146.177) http server (206.124.146.177)
to a Squid to a Squid transparent
transparent proxy running on the firewall and listening on port proxy running on the firewall and listening on port 3128. Squid
3128. Squid will of course require access to remote web servers.<br> will of course require access to remote web servers.<br>
<br> <br>
In /etc/shorewall/rules:<br> In /etc/shorewall/rules:<br>
<br> <br>
@ -134,12 +138,20 @@ transparent proxy running on the firewall and listening on port
</table> </table>
<br> <br>
</blockquote> </blockquote>
There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want requests
destined for 130.252.100.0/24 to not be routed to Squid. In that case, you
must add a manual rule in /etc/shorewall/start:<br>
<blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
</blockquote>
&nbsp;To exclude additional hosts or networks, just add additional similar
rules.<br>
<h2><a name="Local"></a>Squid Running in the local network</h2> <h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a Squid You want to redirect all local www connection requests to a
transparent proxy Squid transparent
running in your local zone at 192.168.1.3 and listening on port 3128. proxy running in your local zone at 192.168.1.3 and listening on port
Your local interface is eth1. There may also be a web server running 3128. Your local interface is eth1. There may also be a web server running
on 192.168.1.3. It is assumed that web access is already enabled from the on 192.168.1.3. It is assumed that web access is already enabled from the
local zone to the internet.<br> local zone to the internet.<br>
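Review bot: the new exclusion rule run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN hardcodes the chain name loc_dnat, which only exists when the local zone is named loc; say so, because a reader with a differently named zone will have iptables reject the rule when /etc/shorewall/start runs. It is also worth one sentence on why -I is used: inserting at the head of the chain is what puts the RETURN ahead of the REDIRECT rule that Shorewall generated from /etc/shorewall/rules, whereas -A would append it after the REDIRECT and it would never match. Minor: the following paragraph starts with a stray &nbsp; before "To exclude additional hosts".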
@ -169,8 +181,8 @@ local zone to the internet.<br>
</blockquote> </blockquote>
<ul> <ul>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please <li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a,
upgrade to Shorewall 1.4.2 or later.<br> please upgrade to Shorewall 1.4.2 or later.<br>
<br> <br>
</li> </li>
<li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br> <li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
@ -305,8 +317,8 @@ following policy in place of the above rule:<br>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2> <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177. You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ You want to run both a web server and Squid on that system. Your DMZ interface
interface is eth1 and your local interface is eth2.<br> is eth1 and your local interface is eth2.<br>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
@ -487,8 +499,8 @@ interface is eth1 and your local interface is eth2.<br>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following <li>On 192.0.2.177 (your Web/Squid server), arrange for the
command to be executed after networking has come up<br> following command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre> <pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li> </li>
@ -508,11 +520,12 @@ interface is eth1 and your local interface is eth2.<br>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="-1"> Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="-1"> Updated 5/29/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<a href="copyright.htm"><font size="2">Copyright</font> &copy; <a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2003 Thomas M. Eastep.</font></a><br> <font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br> <br>
</body> </body>
</html> </html>

View File

@ -13,6 +13,7 @@
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -24,12 +25,14 @@
<tr> <tr>
<td width="100%" <td width="100%"
height="90"> height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td width="100%"
bgcolor="#ffffff"> bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
@ -46,16 +49,18 @@
<li> <a <li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br> href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li> </li>
<li> <b><a <li>
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a></b></li>
<li> <a <li> <a
href="Documentation.htm">Reference Manual</a></li> href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a
href="FAQ.htm">FAQs</a></li>
<li><a <li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
</li> </li>
<li> <a <li> <a
href="troubleshoot.htm">Troubleshooting</a></li> href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a <li> <a
href="errata.htm">Errata</a></li> href="errata.htm">Errata</a></li>
<li> <a <li> <a
@ -65,26 +70,28 @@
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a <li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br> href="http://lists.shorewall.net"> </a><br>
</li> </li>
<li><a href="1.3" target="_top">Shorewall <li><a href="1.3"
1.3 Site</a></li> target="_top">Shorewall 1.3 Site</a></li>
<li><a <li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
1.2 Site</a></li> Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a> <li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a
href="http://slovakia.shorewall.net">Slovak Republic</a></li> target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" <li><a
href="http://shorewall.infohiiway.com">Texas, USA</a></li> target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" <li><a
href="http://germany.shorewall.net">Germany</a></li> target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://shorewall.syachile.cl" target="_top">Chile</a></li> <li><a href="http://shorewall.syachile.cl"
<li><a href="http://shorewall.greshko.com" target="_top">Taiwan</a><br> target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a><br>
</li> </li>
<li><a <li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br> href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
@ -94,8 +101,10 @@
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a <li> <a
href="News.htm">News Archive</a></li> href="News.htm">News Archive</a></li>
@ -103,11 +112,20 @@
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a <li> <a
href="quotes.htm">Quotes from Users</a></li> href="quotes.htm">Quotes from Users</a></li>
<li>GSLUG Presentation</li>
<ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br>
</li>
</ul>
<li> <a <li> <a
href="shoreline.htm">About the Author</a></li> href="shoreline.htm">About the Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
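Review bot: the new GSLUG Presentation entry places its <ul> as a sibling of the already closed <li>GSLUG Presentation</li>, and a <ul> is not valid directly inside another <ul>; move the closing </li> to after the nested </ul>, following the pattern the Mirrors entry in the hunk above already uses (<li>...<ul>...</ul></li>). Browsers will usually render it anyway, but the menu indentation will differ between them.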

View File

@ -13,6 +13,7 @@
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -24,12 +25,14 @@
<tr> <tr>
<td width="100%" <td width="100%"
height="90"> height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td width="100%"
bgcolor="#ffffff"> bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
@ -46,17 +49,20 @@
<li> <a <li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br> href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li> </li>
<li> <b><a <li>
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a></b></li>
<li> <a <li> <a
href="Documentation.htm">Reference Manual</a></li> href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a
href="FAQ.htm">FAQs</a></li>
<li><a <li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
</li> </li>
<li> <a <li> <a
href="troubleshoot.htm">Troubleshooting</a></li> href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a href="errata.htm">Errata</a></li> <li> <a
href="errata.htm">Errata</a></li>
<li> <a <li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a <li> <a
@ -67,45 +73,59 @@
</li> </li>
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li> <li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li>
<li><a <li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2 href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
Site</a></li> 1.2 Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a> <li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a
href="http://slovakia.shorewall.net">Slovak Republic</a></li> target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" <li><a
href="http://shorewall.infohiiway.com">Texas, USA</a></li> target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" <li><a
href="http://germany.shorewall.net">Germany</a></li> target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://shorewall.syachile.cl" target="_top">Chile</a></li> <li><a href="http://shorewall.syachile.cl"
<li><a href="http://shorewall.greshko.com" target="_top">Taiwan</a><br> target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a><br>
</li> </li>
<li><a <li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br> href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News <li> <a
Archive</a></li> href="News.htm">News Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes <li>GSLUG Presentation</li>
from Users</a></li>
<ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br>
</li>
</ul>
<li> <a
href="quotes.htm">Quotes from Users</a></li>
<li> <a <li> <a
href="shoreline.htm">About the Author</a></li> href="shoreline.htm">About the Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
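Review bot: same nesting problem as in the other index file in this commit: the GSLUG Presentation <ul> sits outside its <li> and should be enclosed by it, as the Mirrors entry a few lines up does. Since this file duplicates the menu of the first index, keep the two in sync when fixing it. Removing the Argentina mirror here matches the removal of the Argentina row from the download page in this same commit, so the menus and the mirror table stay consistent.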
@ -114,11 +134,7 @@ Site</a></li>
</table> </table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><a size="2">2001-2003 Thomas M. Eastep.</font></a><br>
href="http://www.shorewall.net" target="_top"> </a></p> </p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -20,6 +20,7 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
@ -29,7 +30,7 @@
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br> for the configuration that most closely matches your own.<br>
</b></p> </b></p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p> <p>The entire set of Shorewall documentation is available in PDF format at:</p>
@ -40,8 +41,8 @@
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p> </p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz <p>The documentation in HTML format is included in the .rpm and in the
packages below.</p> .tgz packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u> <p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p> one</u> of the modules:</p>
@ -61,7 +62,8 @@ packages below.</p>
copy of the documentation).</li> copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both and would like a .deb package, Shorewall is included in both
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
Branch</a>.</li> Branch</a>.</li>
@ -72,8 +74,8 @@ copy of the documentation).</li>
<p>The documentation in HTML format is included in the .tgz and .rpm files <p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.  The and there is an documentation .deb that also contains the documentation.  The
.rpm will install the documentation in your default document directory which .rpm will install the documentation in your default document directory
can be obtained using the following command:<br> which can be obtained using the following command:<br>
</p> </p>
<blockquote> <blockquote>
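Review bot: the unchanged context line "there is an documentation .deb that also contains the documentation" should read "a documentation .deb", and the sentence repeats "documentation" three times; since this paragraph is being reflowed anyway, "there is also a documentation .deb" says the same thing.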
@ -82,11 +84,11 @@ copy of the documentation).</li>
<p>Please check the <font color="#ff0000"> <a href="errata.htm"> errata</a></font> <p>Please check the <font color="#ff0000"> <a href="errata.htm"> errata</a></font>
to see if there are updates that apply to the version to see if there are updates that apply to the version
that you have downloaded.</p> that you have downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p> of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b></b></p> <p><b></b></p>
@ -133,14 +135,6 @@ REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td> href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank" <td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td> href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>France</td> <td>France</td>
@ -195,5 +189,6 @@ REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -34,28 +34,33 @@
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <u> <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the first <p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>When the instructions say to install a corrected <p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you firewall script in /usr/share/shorewall/firewall, you
may rename the existing file before copying in the new file.</b></p> may rename the existing file before copying in the new file.</b></p>
</li> </li>
<li> <li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
For example, do NOT install the 1.3.9a firewall script if you are BELOW. For example, do NOT install the 1.3.9a firewall script if
running 1.3.7c.</font></b><br> you are running 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
@ -81,10 +86,14 @@ iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading <li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li> RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with <li><b><a href="#Multiport">Problems with
iptables version 1.2.7 and MULTIPORT=Yes</a></b></li> iptables version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 <li><b><a href="#NAT">Problems with RH Kernel
and NAT</a></b><br> 2.4.18-10 and NAT</a></b></li>
</li> <li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and REJECT
(also applies to 2.4.21-RC1) <img src="images/new10.gif" alt="(New)"
width="28" height="12" border="0">
</a><br>
</b></li>
</ul> </ul>
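Review bot: the new list item links to #REJECT, but no <a name="REJECT"> anchor appears in the hunks of this file shown here (the <a name="NAT"> anchor of the NAT section is the last one visible); confirm the target section is part of this change, otherwise the link just lands at the top of the page.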
@ -93,25 +102,59 @@ iptables version 1.2.7 and MULTIPORT=Yes</a></b></li>
<h3></h3> <h3></h3>
<h3>1.4.4b</h3>
<ul>
<li>Shorewall is ignoring records in /etc/shorewall/routestopped that
have an empty second column (HOSTS). This problem may be corrected by installing
<a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described above.</li>
<li>The INCLUDE directive doesn't work when placed in the /etc/shorewall/zones
file. This problem may be corrected by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
target="_top">this functions script</a> in /usr/share/shorewall/functions.<br>
</li>
</ul>
<h3>1.4.4-1.4.4a</h3>
<ul>
<li>Log messages are being displayed on the system console even though
the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing
<a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described above.<br>
</li>
</ul>
<h3>1.4.4<br> <h3>1.4.4<br>
</h3> </h3>
<ul> <ul>
<li> If you have zone names that are 5 characters long, you may experience <li> If you have zone names that are 5 characters long, you may experience
problems starting Shorewall because the --log-prefix in a logging rule is problems starting Shorewall because the --log-prefix in a logging rule
too long. Upgrade to Version 1.4.4a to fix this problem..</li> is too long. Upgrade to Version 1.4.4a to fix this problem..</li>
</ul> </ul>
<h3>1.4.3</h3> <h3>1.4.3</h3>
<ul> <ul>
<li>The LOGMARKER variable introduced in version 1.4.3 was intended to <li>The LOGMARKER variable introduced in version 1.4.3 was intended
allow integration of Shorewall with Fireparse (http://www.firewparse.com). to allow integration of Shorewall with Fireparse (http://www.firewparse.com).
Unfortunately, LOGMARKER only solved part of the integration problem. I have Unfortunately, LOGMARKER only solved part of the integration problem. I
implimented a new LOGFORMAT variable which will replace LOGMARKER which has have implimented a new LOGFORMAT variable which will replace LOGMARKER which
completely solved this problem and is currently in production with fireparse has completely solved this problem and is currently in production with fireparse
here at shorewall.net. The updated files may be found at <a here at shorewall.net. The updated files may be found at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>. target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.<br> See the 0README.txt file for details.<br>
</li> </li>
</ul> </ul>
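Review bot: the unchanged 1.4.4 entry still says "Upgrade to Version 1.4.4a to fix this problem.." while this hunk adds a 1.4.4-1.4.4a section documenting a console-logging bug in 1.4.4a; recommend "1.4.4b or later" and drop the doubled period. In the reflowed 1.4.3 entry, "implimented" should be "implemented", and "http://www.firewparse.com" looks like a typo for fireparse, the tool named in the same sentence; verify the URL before it goes out.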
@ -120,11 +163,11 @@ See the 0README.txt file for details.<br>
<ul> <ul>
<li>When an 'add' or 'delete' command is executed, a temporary directory <li>When an 'add' or 'delete' command is executed, a temporary directory
created in /tmp is not being removed. This problem may be corrected by installing created in /tmp is not being removed. This problem may be corrected by
<a installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described ablve. <br> described above. <br>
</li> </li>
</ul> </ul>
@ -132,9 +175,9 @@ described ablve. <br>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3> <h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul> <ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP <li>Some TCP requests are rejected in the 'common' chain with an
port-unreachable response rather than the more appropriate TCP RST response. ICMP port-unreachable response rather than the more appropriate TCP RST
This problem is corrected in <a response. This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed in target="_top">this updated common.def file</a> which may be installed in
/etc/shorewall/common.def.<br> /etc/shorewall/common.def.<br>
@ -145,11 +188,11 @@ described ablve. <br>
<h3>1.4.1</h3> <h3>1.4.1</h3>
<ul> <ul>
<li>When a "shorewall check" command is executed, each "rule" produces <li>When a "shorewall check" command is executed, each "rule"
the harmless additional message:<br> produces the harmless additional message:<br>
<br> <br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator      /usr/share/shorewall/firewall: line 2174: [: =: unary operator
expected<br> expected<br>
<br> <br>
You may correct the problem by installing <a You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
@ -162,9 +205,9 @@ expected<br>
<h3>1.4.0</h3> <h3>1.4.0</h3>
<ul> <ul>
<li>When running under certain shells Shorewall will attempt to create <li>When running under certain shells Shorewall will attempt
ECN rules even when /etc/shorewall/ecn is empty. You may either just remove to create ECN rules even when /etc/shorewall/ecn is empty. You may either
/etc/shorewall/ecn or you can install <a just remove /etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br> correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li> </li>
@ -188,8 +231,8 @@ expected<br>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I corrected 1.2.3 rpm which you can download here</a>  and
have also built an <a I have also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
@ -197,10 +240,10 @@ have also built an <a
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you has released an iptables-1.2.4 RPM of their own which you
can download from<font color="#ff6633"> <a can download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it </font>I have installed this RPM on my firewall and it
works fine.</p> works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
@ -244,8 +287,8 @@ RedHat iptables</h3>
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;= <p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps" 2.2 yet you have a 2.4 kernel installed, simply use the
option to rpm.</p> "--nodeps" option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
@ -255,16 +298,16 @@ RedHat iptables</h3>
MULTIPORT=Yes</b></h3> MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible <p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as change to the syntax used to specify multiport match rules;
a consequence, if you install iptables 1.2.7 you must as a consequence, if you install iptables 1.2.7 you must
be running Shorewall 1.3.7a or later or:</p> be running Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No <li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or in /etc/shorewall/shorewall.conf;
</li> or </li>
<li>if you are <li>if you
running Shorewall 1.3.6 you may are running Shorewall 1.3.6 you may
install <a install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
@ -274,21 +317,32 @@ be running Shorewall 1.3.7a or later or:</p>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will /etc/shorewall/nat entries of the following form
result in Shorewall being unable to start:<br> will result in Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br> Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel The solution is to put "no" in the LOCAL column.
support for LOCAL=yes has never worked properly and 2.4.18-10 Kernel support for LOCAL=yes has never worked properly and 2.4.18-10
has disabled it. The 2.4.19 kernel contains corrected support under has disabled it. The 2.4.19 kernel contains corrected support
a new kernel configuraiton option; see <a under a new kernel configuraiton option; see <a
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<br>
<p><font size="2"> Last updated 5/27/2003 - <a href="support.htm">Tom Eastep</a></font> <h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and REJECT
(also applies to 2.4.21-RC1)</b></h3>
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with tcp-reset"
is broken. The symptom most commonly seen is that REJECT rules act just like
DROP rules when dealing with TCP. A kernel patch and precompiled modules to
fix this problem are available at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
<hr>
<p><font size="2"> Last updated 6/13/2003 - <a href="support.htm">Tom Eastep</a></font>
</p> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
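Review bot: the new REJECT section's heading says "after 2.4.20-9" while the body says the breakage begins with errata kernel 2.4.20-13.9; align the two so a reader running a kernel between those versions knows whether they are affected. It would also help to state explicitly what the text implies: because REJECT degrades to DROP behaviour for TCP, connections are still refused and the problem is lost tcp-reset replies (diagnosability, not exposure), so readers do not misread it as a hole in their rule set. Since the hunk reflows the NAT paragraph, fix "configuraiton" to "configuration" on that line while here.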

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -23,6 +23,7 @@
<tr> <tr>
<td width="33%" valign="middle" <td width="33%" valign="middle"
align="left"> align="left">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
@ -33,16 +34,20 @@
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> height="35" alt="">
</a> </a>
<p align="right"><font color="#ffffff"><b>  </b></font> </p>
<p align="right"><font color="#ffffff"><b>  </b></font><a
href="http://razor.sourceforge.net/"><img src="images/razor.gif"
alt="(Razor Logo)" width="100" height="22" align="left" border="0">
</a> </p>
</td> </td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <a <td valign="middle" width="33%">
href="http://www.postfix.org/"> <img <a href="http://www.postfix.org/"> <img
src="images/postfix-white.gif" align="right" border="0" width="124" src="images/postfix-white.gif" align="right" border="0" width="158"
height="66" alt="(Postfix Logo)"> height="84" alt="(Postfix Logo)">
</a><br> </a><br>
<div align="left"><a href="http://www.spamassassin.org"><img <div align="left"><a href="http://www.spamassassin.org"><img
@ -51,9 +56,8 @@
</a> </div> </a> </div>
<br> <br>
<div align="right"><br> <div align="right"><b><font color="#ffffff"><br>
<b><font color="#ffffff"><br> </font></b><br>
   </font></b><br>
</div> </div>
</td> </td>
</tr> </tr>
@ -71,53 +75,62 @@
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tmeastep <p align="left">You can report such problems by sending mail to tmeastep at
at hotmail dot com.</p> hotmail dot com.</p>
<h2>A Word about the SPAM Filters at Shorewall.net <a <h2>A Word about the SPAM Filters at Shorewall.net <a
href="http://osirusoft.com/"> </a></h2> href="http://osirusoft.com/"> </a></h2>
<p>Please note that the mail server at shorewall.net <p>Please note that the mail server at shorewall.net checks
checks incoming mail:<br> incoming mail:<br>
</p> </p>
<ol> <ol>
<li>against <a href="http://spamassassin.org">Spamassassin</a> <li>against <a
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br> href="http://spamassassin.org">Spamassassin</a> (including <a
href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li> </li>
<li>to ensure that the sender address is fully qualified.</li> <li>to ensure that the sender address is fully
<li>to verify that the sender's domain has an A qualified.</li>
or MX record in DNS.</li> <li>to verify that the sender's domain has an
A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO <li>to ensure that the host name in the HELO/EHLO
command is a valid fully-qualified DNS name that resolves.</li> command is a valid fully-qualified DNS name that resolves.</li>
<li>to ensure that the sending system has a valid PTR record in DNS.</li>
</ol> </ol>
<big><font color="#cc0000"><b>This last point is important. If you run your
own outgoing mail server and it doesn't have a valid DNS PTR record, your
email won't reach the lists unless/until the postmaster notices that your
posts are being rejected. To avoid this problem, you should configure your
MTA to forward posts to shorewall.net through an MTA that <u>does</u> have
a valid PTR record (such as the one at your ISP). </b></font></big><br>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting A growing number of MTAs serving list subscribers are
all HTML traffic. At least one MTA has gone so far as to blacklist rejecting all HTML traffic. At least one MTA has gone so far as to
shorewall.net "for continuous abuse" because it has been my policy to blacklist shorewall.net "for continuous abuse" because it has been my
allow HTML in list posts!!<br> policy to allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control I think that blocking all HTML is a Draconian way to
spam and that the ultimate losers here are not the spammers but the control spam and that the ultimate losers here are not the spammers
list subscribers whose MTAs are bouncing all shorewall.net mail. As but the list subscribers whose MTAs are bouncing all shorewall.net
one list subscriber wrote to me privately "These e-mail admin's need to mail. As one list subscriber wrote to me privately "These e-mail admin's
get a <i>(explitive deleted)</i> life instead of trying to rid the planet need to get a <i>(explitive deleted)</i> life instead of trying to rid
of HTML based e-mail". Nevertheless, to allow subscribers to receive list the planet of HTML based e-mail". Nevertheless, to allow subscribers
posts as must as possible, I have now configured the list server at shorewall.net to receive list posts as must as possible, I have now configured the
to strip all HTML from outgoing posts. This means that HTML-only posts list server at shorewall.net to strip all HTML from outgoing posts.
will be bounced by the list server.<br> This means that HTML-only posts will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
<h2>Other Mail Delivery Problems</h2> <h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, If you find that you are missing an occasional list post,
your e-mail admin may be blocking mail whose <i>Received:</i> headers your e-mail admin may be blocking mail whose <i>Received:</i> headers
contain the names of certain ISPs. Again, I believe that such policies contain the names of certain ISPs. Again, I believe that such policies
hurt more than they help but I'm not prepared to go so far as to start hurt more than they help but I'm not prepared to go so far as to start
stripping <i>Received:</i> headers to circumvent those policies.<br> stripping <i>Received:</i> headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2> <h2 align="left">Mailing Lists Archive Search</h2>
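Review bot: the new item 5 (valid PTR record) and the red warning tell the reader what is required but not how to verify it; suggest adding that the sender can check their mail server's public address with a reverse DNS lookup before posting, since the failure mode described (rejections nobody notices until the postmaster looks) is exactly what a pre-check avoids. The hunk also reflows the plain-text section, so fix "as must as possible" to "as much as possible" there; "explitive" in the quoted remark should be "expletive".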
@ -151,30 +164,30 @@ stripping <i>Received:</i> headers to circumvent those policies.<br>
name="words" value=""> <input type="submit" value="Search"> </p> name="words" value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the <h2 align="left"><font color="#ff0000">Please do not try to download the entire
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
won't stand the traffic. If I catch you, you will be blacklisted.<br> stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by If you want to trust X.509 certificates issued
Shoreline Firewall (such as the one used on my web site), you by Shoreline Firewall (such as the one used on my web site),
may <a href="Shorewall_CA_html.html">download and install my CA certificate</a> you may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then in your browser. If you don't wish to trust my certificates
you can either use unencrypted access when subscribing to Shorewall then you can either use unencrypted access when subscribing to
mailing lists or you can use secure access (SSL) and accept the server's Shorewall mailing lists or you can use secure access (SSL) and
certificate when prompted by your browser.<br> accept the server's certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2> <h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users <p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also posted of general interest to the Shorewall user community is also
to this list.</p> posted to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see <p align="left"><b>Before posting a problem report to this list, please see
the <a href="http://www.shorewall.net/support.htm">problem reporting the <a href="http://www.shorewall.net/support.htm">problem
guidelines</a>.</b></p> reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
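Review bot: the "Shorewall CA Certificate" paragraph invites readers to import a private CA into their browser but gives no way to verify the file they download; suggest publishing the CA certificate's fingerprint next to the link so it can be checked out of band before import. It should also say that importing a CA certificate makes the browser trust every certificate that CA issues, not only the one on this web site, so the alternative offered ("accept the server's certificate when prompted") is the narrower choice for readers who only want to reach the list server.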
@ -194,9 +207,9 @@ may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at <p align="left">Note that prior to 1/1/2002, the mailing list was hosted
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
may be found at <a list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
@ -223,8 +236,8 @@ may be found at <a
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for <p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for coordinating the exchange of ideas about the future of Shorewall and for
ongoing Shorewall Development.</p> coordinating ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
@ -253,21 +266,25 @@ may be found at <a
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get
password reminder, or change your subscription options enter a password reminder, or change your subscription options enter
your subscription email address:". Enter your email address your subscription email address:". Enter your email address
in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p> in the box and click on the "<b>Unsubscribe</b> or edit options"
button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be emailed there is another button that will cause your password to be
to you.</p> emailed to you.</p>
</li> </li>
</ul> </ul>
@ -277,13 +294,11 @@ may be found at <a
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 3/24/2003 - <a <p align="left"><font size="2">Last updated 6/14/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p> href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>

File diff suppressed because one or more lines are too long

View File

@ -7,8 +7,8 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base
target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -20,39 +20,24 @@
<tr> <tr>
<td width="100%" height="90"> <td width="33%" height="90" valign="middle"
align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0">
</a></td>
<td valign="middle" width="34%" align="center">
<h1 align="center"> <font size="4"><i> <a <h1><font color="#ffffff">Shorewall 1.4</font><i><font
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
alt="Shorwall Logo" height="70" width="85" align="left" </td>
src="images/washington.jpg" border="0"> <td valign="middle">
<h1 align="center"><a href="http://www.shorewall.net"
</a></i></font><a href="http://www.shorewall.net" target="_top"><img border="0" src="images/shorewall.jpg" width="119"
target="_top"><img border="1" src="images/shorewall.jpg" width="119"
height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4"> height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1> </a></h1>
<small><small><small><small><a <br>
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
<div align="center">
<h1><font color="#ffffff"> Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
href="1.3" target="_top"><font color="#ffffff"><br>
</font></a><br>
</h1>
</div>
<p><a href="http://www.shorewall.net" target="_top"> </a> </p>
</td> </td>
</tr> </tr>
@ -95,20 +80,20 @@ General Public License</a> as published by the Free Software
<br> <br>
This program is distributed in the hope This program is distributed in the
that it will be useful, but WITHOUT ANY hope that it will be useful, but WITHOUT
WARRANTY; without even the implied warranty ANY WARRANTY; without even the implied
of MERCHANTABILITY or FITNESS FOR A PARTICULAR warranty of MERCHANTABILITY or FITNESS
PURPOSE. See the GNU General Public License FOR A PARTICULAR PURPOSE. See the GNU General
for more details.<br> Public License for more details.<br>
<br> <br>
You should have received a copy of the You should have received a copy of
GNU General Public License along the GNU General Public License
with this program; if not, write to the Free along with this program; if not, write to
Software Foundation, Inc., 675 Mass the Free Software Foundation, Inc.,
Ave, Cambridge, MA 02139, USA</p> 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -123,11 +108,12 @@ General Public License</a> as published by the Free Software
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2> <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly to If so, almost <b>NOTHING </b>on this site will apply directly
your setup. If you want to use the documentation that you find here, it to your setup. If you want to use the documentation that you find here,
is best if you uninstall what you have and install a setup that matches it is best if you uninstall what you have and install a setup that
the documentation on this site. See the <a href="two-interface.htm">Two-interface matches the documentation on this site. See the <a
QuickStart Guide</a> for details.<br> href="two-interface.htm">Two-interface QuickStart Guide</a> for details.<br>
<h2> Getting Started with Shorewall</h2> <h2> Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a New to Shorewall? Start by selecting the <a
@ -135,116 +121,177 @@ QuickStart Guide</a> for details.<br>
match your environment and follow the step by step instructions.<br> match your environment and follow the step by step instructions.<br>
<h2>News</h2> <h2>News</h2>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> <p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;" now correctly
traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones file; previously,
INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second column
are no longer ignored.<br>
</li>
</ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may
now contain a list of addresses. If the list begins with "!' then the rule
will take effect only if the original destination address in the connection
request does not match any of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
have been encountered with this set of software. The Shorewall version is
1.4.4b plus the accumulated changes for 1.4.5.<br>
</p>
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p>
<p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b></p>
<p>Groan -- This version corrects a problem whereby the --log-level
was not being set when logging via syslog. The most commonly reported symptom
was that Shorewall messages were being written to the console even though
console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
16</a>.<br>
</p>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
out that the code in 1.4.4 restricts the length of short zone names to
4 characters. I've produced version 1.4.4a that restores the previous
5-character limit by conditionally omitting the log rule number when
the LOGFORMAT doesn't contain '%d'.
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b>
</b></p> </b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed out
that the code in 1.4.4 restricts the length of short zone names to 4 characters.
I've produced version 1.4.4a that restores the previous 5-character limit
by conditionally omitting the log rule number when the LOGFORMAT doesn't
contain '%d'.
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><b> </b></p>
I apologize for the rapid-fire releases but since there is a potential I apologize for the rapid-fire releases but since there is a potential
configuration change required to go from 1.4.3a to 1.4.4, I decided to make configuration change required to go from 1.4.3a to 1.4.4, I decided to
it a full release rather than just a bug-fix release. <br> make it a full release rather than just a bug-fix release. <br>
<br> <br>
<b>    Problems corrected:</b><br> <b> Problems corrected:</b><br>
<blockquote>None.<br> <blockquote>None.<br>
</blockquote> </blockquote>
<b>    New Features:<br> <b> New Features:<br>
</b> </b>
<ol> <ol>
<li>A REDIRECT- rule target has been added. This target behaves <li>A REDIRECT- rule target has been added. This target
for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter behaves for REDIRECT in the same way as DNAT- does for DNAT in that the
nat table REDIRECT rule is added but not the companion filter table ACCEPT Netfilter nat table REDIRECT rule is added but not the companion filter
rule.<br> table ACCEPT rule.<br>
<br> <br>
</li> </li>
<li>The LOGMARKER variable has been renamed LOGFORMAT and has <li>The LOGMARKER variable has been renamed LOGFORMAT and
been changed to a 'printf' formatting template which accepts three arguments has been changed to a 'printf' formatting template which accepts three
(the chain name, logging rule number and the disposition). To use LOGFORMAT arguments (the chain name, logging rule number and the disposition).
with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>), To use LOGFORMAT with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>),
set it as:<br> set it as:<br>
 <br> <br>
       LOGFORMAT="fp=%s:%d a=%s "<br> LOGFORMAT="fp=%s:%d a=%s "<br>
 <br> <br>
<b>CAUTION: </b>/sbin/shorewall uses the leading part of the LOGFORMAT <b>CAUTION: </b>/sbin/shorewall uses the leading part of the
string (up to but not including the first '%') to find log messages in LOGFORMAT string (up to but not including the first '%') to find log
the 'show log', 'status' and 'hits' commands. This part should not be omitted messages in the 'show log', 'status' and 'hits' commands. This part should
(the LOGFORMAT should not begin with "%") and the leading part should be not be omitted (the LOGFORMAT should not begin with "%") and the leading
sufficiently unique for /sbin/shorewall to identify Shorewall messages.<br> part should be sufficiently unique for /sbin/shorewall to identify Shorewall
messages.<br>
<br> <br>
</li> </li>
<li>When logging is specified on a DNAT[-] or REDIRECT[-] rule, <li>When logging is specified on a DNAT[-] or REDIRECT[-]
the logging now takes place in the nat table rather than in the filter table. rule, the logging now takes place in the nat table rather than in the
This way, only those connections that actually undergo DNAT or redirection filter table. This way, only those connections that actually undergo DNAT
will be logged.<br> or redirection will be logged.<br>
</li> </li>
</ol> </ol>
<p><b>5/20/2003 - Shorewall-1.4.3a</b><br> <p><b>5/20/2003 - Shorewall-1.4.3a</b><br>
</p> </p>
This version primarily corrects the documentation included in the .tgz This version primarily corrects the documentation included in
and in the .rpm. In addition: <br> the .tgz and in the .rpm. In addition: <br>
<ol> <ol>
<li>(This change is in 1.4.3 but is not documented) If you are <li>(This change is in 1.4.3 but is not documented) If
running iptables 1.2.7a and kernel 2.4.20, then Shorewall will return reject you are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will
replies as follows:<br> return reject replies as follows:<br>
   a) tcp - RST<br> a) tcp - RST<br>
   b) udp - ICMP port unreachable<br> b) udp - ICMP port unreachable<br>
   c) icmp - ICMP host unreachable<br> c) icmp - ICMP host unreachable<br>
   d) Otherwise - ICMP host prohibited<br> d) Otherwise - ICMP host prohibited<br>
If you are running earlier software, Shorewall will follow it's traditional If you are running earlier software, Shorewall will follow it's
convention:<br> traditional convention:<br>
   a) tcp - RST<br> a) tcp - RST<br>
   b) Otherwise - ICMP port unreachable</li> b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def chain. <li>UDP port 135 is now silently dropped in the common.def
Remember that this chain is traversed just before a DROP or REJECT policy chain. Remember that this chain is traversed just before a DROP or REJECT
is enforced.<br> policy is enforced.<br>
</li> </li>
</ol> </ol>
<p><b>5/18/2003 - Shorewall 1.4.3</b><br> <p><b>5/18/2003 - Shorewall 1.4.3</b><br>
</p> </p>
    <b>Problems Corrected:<br> <b>Problems Corrected:<br>
</b> </b>
<ol> <ol>
<li>There were several cases where Shorewall would fail to <li>There were several cases where Shorewall would fail
remove a temporary directory from /tmp. These cases have been corrected.</li> to remove a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback interface <li>The rules for allowing all traffic via the loopback
have been moved to before the rule that drops status=INVALID packets. interface have been moved to before the rule that drops status=INVALID
This insures that all loopback traffic is allowed even if Netfilter connection packets. This insures that all loopback traffic is allowed even if
tracking is confused.</li> Netfilter connection tracking is confused.</li>
</ol> </ol>
    <b>New Features:<br> <b>New Features:<br>
</b> </b>
<ol> <ol>
<li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a> now <li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a>
supported in the /etc/shorewall/tunnels file.</li> now supported in the /etc/shorewall/tunnels file.</li>
<li>You may now change the leading portion of the --log-prefix <li>You may now change the leading portion of the --log-prefix
used by Shorewall using the LOGMARKER variable in shorewall.conf. By default, used by Shorewall using the LOGMARKER variable in shorewall.conf. By
"Shorewall:" is used.<br> default, "Shorewall:" is used.<br>
</li> </li>
</ol> </ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br> <p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p> </p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed! Ed Greshko has established a mirror in Taiwan -- Thanks
Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b> </b></p>
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br> <p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
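Review bot: in the new 1.4.5 "New Features" item, the quoted character is written as "!' with mismatched quote marks; it should read "!" so the documented syntax is unambiguous. In the unchanged 1.4.3a context that the hunk reflows, "Shorewall will follow it's traditional convention" should be "its", and "This insures that all loopback traffic" should be "ensures". The 1.4.5 "Problems Corrected" entry for INCLUDE in the zones file would be clearer if it said which releases silently ignored the directive, since a reader relying on it has no error to go on.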
@ -254,10 +301,12 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b> </b></p> <p><b>4/26/2003 - lists.shorewall.net Downtime</b><b> </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br> <p>The list server will be down this morning for upgrade to RH9.0.<br>
</p> </p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b> <p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b></p> </b></p>
@ -273,17 +322,18 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
<blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a <blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a
Shorewall presentation to GSLUG</a>. The presentation is Shorewall presentation to GSLUG</a>. The presentation
in HTML format but was generated from Microsoft PowerPoint and is best is in HTML format but was generated from Microsoft PowerPoint and
viewed using Internet Explorer (although Konqueror also seems to work is best viewed using Internet Explorer (although Konqueror also seems
reasonably well as does Opera 7.1.0). Neither Opera 6 nor Netscape to work reasonably well as does Opera 7.1.0). Neither Opera 6 nor
work well to view the presentation.<br> Netscape work well to view the presentation.<br>
</blockquote> </blockquote>
<p><b></b></p>
<blockquote> <blockquote>
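Review bot: the added `<p><b></b></p>` between the GSLUG blockquote and the next blockquote is an empty paragraph wrapping an empty bold element; if the intent is vertical spacing, a bare `<br>` as used elsewhere on this page does that without dead markup, otherwise the line can simply be dropped.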
@ -292,6 +342,7 @@ work well to view the presentation.<br>
</ol> </ol>
</blockquote> </blockquote>
@ -303,23 +354,25 @@ work well to view the presentation.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak have </a>Jacques Nilo and Eric Wolzak
a LEAF (router/firewall/gateway on a floppy, have a LEAF (router/firewall/gateway on
CD or compact flash) distribution called a floppy, CD or compact flash) distribution
<i>Bering</i> that features Shorewall-1.3.14 called <i>Bering</i> that features
and Kernel-2.4.20. You can find their Shorewall-1.3.14 and Kernel-2.4.20. You
work at: <a can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<b>Congratulations to Jacques and Eric on the recent release <b>Congratulations to Jacques and Eric on the recent release
of Bering 1.2!!! </b><br> of Bering 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
@ -327,15 +380,17 @@ of Bering 1.2!!! </b><br>
<td width="88" bgcolor="#4b017c" valign="top" <td width="88" bgcolor="#4b017c" valign="top"
align="center"> align="center">
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<font color="#ffffff"><b>Note: <font
</b></font></strong><font color="#ffffff">Search is unavailable color="#ffffff"><b>Note: </b></font></strong><font
Daily 0200-0330 GMT.</font><br> color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong> <strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font <font
face="Arial" size="-1"> <input type="text" name="words" face="Arial" size="-1"> <input type="text" name="words"
@ -349,6 +404,7 @@ of Bering 1.2!!! </b><br>
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><font color="#ffffff"><b><a <p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p> color="#ffffff">Extended Search</font></a></b></font></p>
@ -362,33 +418,37 @@ of Bering 1.2!!! </b><br>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;"> <td width="100%" style="margin-top: 1px;"
valign="middle">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10" alt="(Starlight Logo)">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but <p align="center"><font size="4" color="#ffffff"><br>
if you try it and find it useful, please consider making a donation <font size="+2"> Shorewall is free but if you try it and find
to it useful, please consider making a donation
<a href="http://www.starlight.org"><font color="#ffffff">Starlight to <a
Children's Foundation.</font></a> Thanks!</font></p> href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></font></p>
</td> </td>
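Review bot: the donation paragraph now nests `<font size="+2">` directly inside `<font size="4">`, so two size attributes compete for the same text and the outer one no longer has any effect; keep a single `<font>` with the size you actually want. The added `alt="(Starlight Logo)"` on the image and `valign="middle"` on the cell are good additions, the former makes the link usable without images.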
@ -398,10 +458,8 @@ if you try it and find it useful, please consider making a donation
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 5/27/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 6/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br> <br>
</p>
</body> </body>
</html> </html>

View File

@ -28,11 +28,11 @@
</tbody> </tbody>
</table> </table>
<p align="center"> <img border="3" src="images/TomNTarry.png" <p align="center"> <img border="3" src="images/Tom.jpg"
alt="Tom on the PCT - 1991" width="316" height="392"> alt="Tom - June 2003" width="640" height="480">
</p> </p>
<p align="center">Tarry &amp; Tom -- August 2002<br> <p align="center">Tom -- June 2003<br>
<br> <br>
</p> </p>
@ -46,8 +46,8 @@
<li>Burroughs Corporation (now <a <li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li> href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, <li><a href="http://www.tandem.com">Tandem Computers,
Incorporated</a> (now part of the <a href="http://www.hp.com">The Incorporated</a> (now part of the <a
New HP</a>) 1980 - present</li> href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li> <li>Married 1969 - no children.</li>
</ul> </ul>
@ -59,8 +59,8 @@
in 1999 and had DSL service installed in our home. I investigated in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known ipchains and developed the scripts which are now collectively known
as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
Expanding on what I learned from Seattle Firewall, I then designed Expanding on what I learned from Seattle Firewall, I then
and wrote Shorewall. </p> designed and wrote Shorewall. </p>
<p>I telework from our <a <p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
@ -70,29 +70,28 @@ I live with my wife Tarry.
<p>Our current home network consists of: </p> <p>Our current home network consists of: </p>
<ul> <ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM,
&amp; 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows 40GB &amp; 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal
system. Serves as a PPTP server for Road Warrior access. Dual boots <a Windows system. Serves as a PPTP server for Road Warrior access. Dual
href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li> boots <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD,
NIC - My personal Linux System which runs Samba configured LNE100TX(Tulip) NIC - My personal Linux System which runs Samba.
as a WINS server. This system also has <a This system also has <a href="http://www.vmware.com/">VMware</a>
href="http://www.vmware.com/">VMware</a> installed and can run both installed and can run both <a href="http://www.debian.org">Debian
<a href="http://www.debian.org">Debian Woody</a> and <a Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li> machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100
NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache),
(Pure_ftpd), DNS server (Bind 9).</li> FTP (Pure_ftpd), DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD
3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall - 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.4.2  and a DHCP server.</li> 1.4.4c, a DHCP server and Samba configured as a WINS server..</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139
NIC - My wife's personal system.</li> NIC - My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB
built-in EEPRO100, EEPRO100 in expansion base and LinkSys WAC11 - My HD, built-in EEPRO100, EEPRO100 in expansion base - My work system.</li>
work system.</li> <li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and
<li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and LinkSys LinkSys WET11 - Our Laptop.<br>
WAC11 - Our Laptop.<br>
</li> </li>
</ul> </ul>
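Review bot: the firewall entry ends with a doubled period (`Samba configured as a WINS server..`); should be a single period. Since this revision moves the WINS role from the Linux workstation onto the firewall host itself (which now runs Shorewall 1.4.4c, DHCP and Samba), it would be worth a few words on which interfaces those extra listeners are bound to, as each service on the firewall widens what the firewall exposes.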
@ -106,13 +105,14 @@ WAC11 - Our Laptop.<br>
<p><a href="http://www.redhat.com"><img border="0" <p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31"> src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0" </a><a href="http://www.compaq.com"><img
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25"> border="0" src="images/poweredbycompaqlog0.gif" hspace="3" width="83"
</a><a href="http://www.pureftpd.org"><img border="0" height="25">
src="images/pure.jpg" width="88" height="31"> </a><a href="http://www.pureftpd.org"><img
</a><font size="4"><a href="http://www.apache.org"><img border="0" src="images/pure.jpg" width="88" height="31">
border="0" src="images/apache_pb1.gif" hspace="2" width="170" </a><font size="4"><a
height="20"> href="http://www.apache.org"><img border="0"
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a><a href="http://www.mandrakelinux.com"><img </a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90" src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32"> height="32">
@ -123,21 +123,13 @@ WAC11 - Our Laptop.<br>
</a>  <a href="http://www.hp.com"><img </a>  <a href="http://www.hp.com"><img
src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120" src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120"
height="75" border="0"> height="75" border="0">
</a><a href="http://www.opera.com"> </a> </font></p> </a><a href="http://www.opera.com"> </a> </font></p>
<p><font size="2">Last updated 5/8/2003 - </font><font size="2"> <a <p><font size="2">Last updated 6/15/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font <font face="Trebuchet MS"><a
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas href="copyright.htm"><font size="2">Copyright</font> © <font
M. Eastep.</font></a></font><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

View File

@ -29,8 +29,8 @@
<p align="left"><b>Remember that updates to the mirrors are often delayed <p align="left"><b>Remember that updates to the mirrors are often delayed
for 6-12 hours after an update to the primary rsync site. For HTML content, for 6-12 hours after an update to the primary rsync site. For HTML content,
the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>) the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
is updated at the same time as the rsync site.</b></p> is updated at the same time as the rsync site.</b></p>
<p align="left">The main Shorewall Web Site is <a <p align="left">The main Shorewall Web Site is <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a> href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
@ -43,12 +43,13 @@ is updated at the same time as the rsync site.</b></p>
target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li> target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net"> http://germany.shorewall.net</a> <li><a target="_top" href="http://germany.shorewall.net"> http://germany.shorewall.net</a>
(Hamburg, Germany)</li> (Hamburg, Germany)</li>
<li><a target="_top" href="http://shorewall.correofuego.com.ar">http://shorewall.correofuego.com.ar</a> <li><a target="_top"
(Martinez (Zona Norte - GBA), Argentina)</li> href="http://france.shorewall.net">http://france.shorewall.net</a>
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li> (Paris, France)</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl <li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)<br> </a>(Santiago Chile)</li>
<li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
(Taipei, Taiwan)<br>
</li> </li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a> <li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br> (Washington State, USA)<br>
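Review bot: the new Taipei entry closes with `<br>` followed by `</li>` while the Chile entry just above it now closes `</li>` directly; pick one form for the list so the items render with the same spacing. The removal of the Argentina HTTP mirror is otherwise straightforward.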
@ -69,17 +70,19 @@ is updated at the same time as the rsync site.</b></p>
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a> href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>
(Hamburg, Germany)</li> (Hamburg, Germany)</li>
<li> <a target="_blank" <li> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall</a>
(Martinez (Zona Norte - GBA), Argentina)</li>
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li> (Paris, France)</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall" target="_top">ftp://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall" target="_blank">ftp://ftp.shorewall.net
</a>(Washington State, USA)<br>
</li>
</ul> </ul>
Search results and the mailing list archives are always fetched from the Search results and the mailing list archives are always fetched from
site in Washington State.<br> the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 5/8/2003 - <a <p align="left"><font size="2">Last Updated 6/5/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
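Review bot: the two new FTP entries show link text that does not match their `href`: `ftp://shorewall.greshko.com` and `ftp://ftp.shorewall.net` are displayed while the targets are `.../pub/shorewall`, unlike the existing entries which show the full path. The Taipei link also uses `target="_top"` where the other FTP links use `target="_blank"`. Suggest displaying the full URL as the other entries do and aligning the `target` attribute.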
@ -89,5 +92,8 @@ site in Washington State.<br>
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -49,7 +49,8 @@
</blockquote> </blockquote>
<p><a href="#DNS">6.0 DNS</a><br> <p><a href="#DNS">6.0 DNS</a><br>
<a href="#StartingAndStopping">7.0 Starting and Stopping the Firewall</a></p> <a href="#StartingAndStopping">7.0 Starting and Stopping the
Firewall</a></p>
<h2><a name="Introduction"></a>1.0 Introduction</h2> <h2><a name="Introduction"></a>1.0 Introduction</h2>
@ -58,18 +59,18 @@
more about Shorewall than is contained in the <a more about Shorewall than is contained in the <a
href="shorewall_quickstart_guide.htm">single-address guides</a>. Because href="shorewall_quickstart_guide.htm">single-address guides</a>. Because
the range of possible applications is so broad, the Guide will give the range of possible applications is so broad, the Guide will give
you general guidelines and will point you to other resources as necessary.</p> you general guidelines and will point you to other resources as necessary.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you run LEAF Bering, your Shorewall configuration is NOT     If you run LEAF Bering, your Shorewall configuration is
what I release -- I suggest that you consider installing a stock Shorewall NOT what I release -- I suggest that you consider installing a stock
lrp from the shorewall.net site before you proceed.</p> Shorewall lrp from the shorewall.net site before you proceed.</p>
<p>Shorewall requires that the iproute/iproute2 package be installed (on <p>Shorewall requires that the iproute/iproute2 package be installed (on
RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for firewall system. As root, you can use the 'which' command to check for
this program:</p> this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -82,15 +83,15 @@ this program:</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system,     If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them with Shorewall. or you must run them through dos2unix before trying to use them with Shorewall.
Similarly, if you copy a configuration file from your Windows hard drive Similarly, if you copy a configuration file from your Windows hard drive
to a floppy disk, you must run dos2unix against the copy before using to a floppy disk, you must run dos2unix against the copy before using
it with Shorewall.</p> it with Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li> Version of dos2unix</a></li>
<li><a <li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li> of dos2unix</a></li>
@ -100,8 +101,8 @@ of dos2unix</a></li>
<h2 align="left"><a name="Concepts"></a>2.0 Shorewall Concepts</h2> <h2 align="left"><a name="Concepts"></a>2.0 Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory /etc/shorewall <p>The configuration files for Shorewall are contained in the directory /etc/shorewall
-- for most setups, you will only need to deal with a few of these as described -- for most setups, you will only need to deal with a few of these as described
in this guide. Skeleton files are created during the <a in this guide. Skeleton files are created during the <a
href="Install.htm">Shorewall Installation Process</a>.</p> href="Install.htm">Shorewall Installation Process</a>.</p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
@ -110,7 +111,7 @@ in this guide. Skeleton files are created during the <a
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the default installation, the following zone set of <i>zones.</i> In the default installation, the following zone
names are used:</p> names are used:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
@ -140,23 +141,24 @@ names are used:</p>
<p>Shorewall also recognizes the firewall system as its own zone - by default, <p>Shorewall also recognizes the firewall system as its own zone - by default,
the firewall itself is known as <b>fw</b> but that may be changed in the firewall itself is known as <b>fw</b> but that may be changed in
the <a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a> the <a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a>
file. In this guide, the default name (<b>fw</b>) will be used.</p> file. In this guide, the default name (<b>fw</b>) will be used.</p>
<p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning <p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning
to zone names. Zones are entirely what YOU make of them. That means to zone names. Zones are entirely what YOU make of them. That means
that you should not expect Shorewall to do something special "because that you should not expect Shorewall to do something special "because
this is the internet zone" or "because that is the DMZ".</p> this is the internet zone" or "because that is the DMZ".</p>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    Edit the /etc/shorewall/zones file and make any changes necessary.</p>     Edit the /etc/shorewall/zones file and make any changes
necessary.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed <p>Rules about what traffic to allow and what traffic to deny are expressed
in terms of zones.</p> in terms of zones.</p>
<ul> <ul>
<li>You express your default policy for connections from one <li>You express your default policy for connections from one
zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li> </a>file.</li>
<li>You define exceptions to those default policies in the <li>You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li> <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -168,18 +170,18 @@ zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorew
href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html">connection href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html">connection
tracking function</a> that allows what is often referred to as <i>stateful tracking function</a> that allows what is often referred to as <i>stateful
inspection</i> of packets. This stateful property allows firewall rules inspection</i> of packets. This stateful property allows firewall rules
to be defined in terms of <i>connections</i> rather than in terms of to be defined in terms of <i>connections</i> rather than in terms
packets. With Shorewall, you:</p> of packets. With Shorewall, you:</p>
<ol> <ol>
<li> Identify the source zone.</li> <li> Identify the source zone.</li>
<li> Identify the destination zone.</li> <li> Identify the destination zone.</li>
<li> If the POLICY from the client's zone to the server's <li> If the POLICY from the client's zone to the server's
zone is what you want for this client/server pair, you need do nothing zone is what you want for this client/server pair, you need do
further.</li> nothing further.</li>
<li> If the POLICY is not what you want, then you must <li> If the POLICY is not what you want, then you must
add a rule. That rule is expressed in terms of the client's zone add a rule. That rule is expressed in terms of the client's zone
and the server's zone.</li> and the server's zone.</li>
</ol> </ol>
@ -187,9 +189,9 @@ and the server's zone.</li>
A to the firewall and are also allowed from the firewall to zone B <font A to the firewall and are also allowed from the firewall to zone B <font
color="#ff6633"><b><u> DOES NOT mean that these connections are allowed color="#ff6633"><b><u> DOES NOT mean that these connections are allowed
from zone A to zone B</u></b></font>. It rather means that you can from zone A to zone B</u></b></font>. It rather means that you can
have a proxy running on the firewall that accepts a connection from have a proxy running on the firewall that accepts a connection from
zone A and then establishes its own separate connection from the firewall zone A and then establishes its own separate connection from the firewall
to zone B.</p> to zone B.</p>
<p>For each connection request entering the firewall, the request is first <p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file checked against the /etc/shorewall/rules file. If no rule in that file
@ -239,40 +241,40 @@ to zone B.</p>
<p>The above policy will:</p> <p>The above policy will:</p>
<ol> <ol>
<li>allow all connection requests from your local network to <li>allow all connection requests from your local network
the internet</li> to the internet</li>
<li>drop (ignore) all connection requests from the internet <li>drop (ignore) all connection requests from the internet
to your firewall or local network and log a message at the <i>info</i> to your firewall or local network and log a message at the <i>info</i>
level (<a href="shorewall_logging.html">here</a> is a description of log level (<a href="shorewall_logging.html">here</a> is a description of log
levels).</li> levels).</li>
<li>reject all other connection requests and log a message at <li>reject all other connection requests and log a message
the <i>info</i> level. When a request is rejected, the firewall at the <i>info</i> level. When a request is rejected, the firewall
will return an RST (if the protocol is TCP) or an ICMP port-unreachable will return an RST (if the protocol is TCP) or an ICMP port-unreachable
packet for other protocols.</li> packet for other protocols.</li>
</ol> </ol>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy and make any     At this point, edit your /etc/shorewall/policy and make any
changes that you wish.</p> changes that you wish.</p>
<h2 align="left"><a name="Interfaces"></a>3.0 Network Interfaces</h2> <h2 align="left"><a name="Interfaces"></a>3.0 Network Interfaces</h2>
<p align="left">For the remainder of this guide, we'll refer to the following <p align="left">For the remainder of this guide, we'll refer to the following
diagram. While it may not look like your own network, it can be used diagram. While it may not look like your own network, it can be used
to illustrate the important aspects of Shorewall configuration.</p> to illustrate the important aspects of Shorewall configuration.</p>
<p align="left">In this diagram:</p> <p align="left">In this diagram:</p>
<ul> <ul>
<li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ <li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ
is used to isolate your internet-accessible servers from your local is used to isolate your internet-accessible servers from your local
systems so that if one of those servers is compromised, you still have systems so that if one of those servers is compromised, you still have
the firewall between the compromised system and your local systems. </li> the firewall between the compromised system and your local systems. </li>
<li>The Local Zone consists of systems Local 1, Local 2 and <li>The Local Zone consists of systems Local 1, Local 2 and
Local 3. </li> Local 3. </li>
<li>All systems from the ISP outward comprise the Internet Zone. <li>All systems from the ISP outward comprise the Internet
</li> Zone. </li>
</ul> </ul>
@ -288,12 +290,12 @@ Local 3. </li>
<p align="left">The firewall illustrated above has three network interfaces. <p align="left">The firewall illustrated above has three network interfaces.
Where Internet connectivity is through a cable or DSL "Modem", the <i>External Where Internet connectivity is through a cable or DSL "Modem", the <i>External
Interface</i> will be the Ethernet adapter that is connected to that Interface</i> will be the Ethernet adapter that is connected to that
"Modem" (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint "Modem" (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect
via a regular modem, your External Interface will also be <b>ppp0</b>. via a regular modem, your External Interface will also be <b>ppp0</b>.
If you connect using ISDN, you external interface will be <b>ippp0.</b></p> If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
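Review bot: a pre-existing typo survives the rewrap in this hunk: `If you connect using ISDN, you external interface will be ippp0` should read `your external interface`. Since the surrounding lines are being touched anyway, this is a good place to fix it.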
@ -304,21 +306,21 @@ If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left">Your <i>Local Interface</i> will be an Ethernet adapter (eth0, <p align="left">Your <i>Local Interface</i> will be an Ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local computers eth1 or eth2) and will be connected to a hub or switch. Your local computers
will be connected to the same switch (note: If you have only a single will be connected to the same switch (note: If you have only a single
local system, you can connect the firewall directly to the computer using local system, you can connect the firewall directly to the computer
a <i>cross-over </i> cable).</p> using a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter <p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your (eth0, eth1 or eth2) and will be connected to a hub or switch. Your
DMZ computers will be connected to the same switch (note: If you have DMZ computers will be connected to the same switch (note: If you have
only a single DMZ system, you can connect the firewall directly to the only a single DMZ system, you can connect the firewall directly to the
computer using a <i>cross-over </i> cable).</p> computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
</b></u>Do not connect more than one interface to the same hub </b></u>Do not connect more than one interface to the same hub
or switch (even for testing). It won't work the way that you expect it or switch (even for testing). It won't work the way that you expect
to and you will end up confused and believing that Linux networking doesn't it to and you will end up confused and believing that Linux networking
work at all.</p> doesn't work at all.</p>
<p align="left">For the remainder of this Guide, we will assume that:</p> <p align="left">For the remainder of this Guide, we will assume that:</p>
@ -377,8 +379,8 @@ to and you will end up confused and believing that Linux networking doesn't
    Edit the /etc/shorewall/interfaces file and define the network     Edit the /etc/shorewall/interfaces file and define the network
interfaces on your firewall and associate each interface with a zone. interfaces on your firewall and associate each interface with a zone.
If you have a zone that is interfaced through more than one interface, If you have a zone that is interfaced through more than one interface,
simply include one entry for each interface and repeat the zone name as simply include one entry for each interface and repeat the zone name as
many times as necessary.</p> many times as necessary.</p>
<p align="left">Example:</p> <p align="left">Example:</p>
@ -489,8 +491,8 @@ Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
<p align="left">You will still hear the terms "Class A network", "Class B <p align="left">You will still hear the terms "Class A network", "Class B
network" and "Class C network". In the early days of IP, networks only network" and "Class C network". In the early days of IP, networks only
came in three sizes (there were also Class D networks but they were used came in three sizes (there were also Class D networks but they were
differently):</p> used differently):</p>
<blockquote> <blockquote>
<p align="left">Class A - netmask 255.0.0.0, size = 2 ** 24</p> <p align="left">Class A - netmask 255.0.0.0, size = 2 ** 24</p>
@ -503,17 +505,17 @@ Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
<p align="left">The class of a network was uniquely determined by the value <p align="left">The class of a network was uniquely determined by the value
of the high order byte of its address so you could look at an IP address of the high order byte of its address so you could look at an IP address
and immediately determine the associated <i>netmask</i>. The netmask and immediately determine the associated <i>netmask</i>. The netmask
is a number that when logically ANDed with an address isolates the <i>network is a number that when logically ANDed with an address isolates the <i>network
number</i>; the remainder of the address is the <i>host number</i>. number</i>; the remainder of the address is the <i>host number</i>.
For example, in the Class C address 192.0.2.14, the network number is For example, in the Class C address 192.0.2.14, the network number is
hex C00002 and the host number is hex 0E.</p> hex C00002 and the host number is hex 0E.</p>
<p align="left">As the internet grew, it became clear that such a gross partitioning <p align="left">As the internet grew, it became clear that such a gross partitioning
of the 32-bit address space was going to be very limiting (early on, large of the 32-bit address space was going to be very limiting (early on, large
corporations and universities were assigned their own class A network!). corporations and universities were assigned their own class A network!).
After some false starts, the current technique of <i>subnetting</i> these After some false starts, the current technique of <i>subnetting</i> these
networks into smaller <i>subnetworks</i> evolved; that technique is referred networks into smaller <i>subnetworks</i> evolved; that technique is referred
to as <i>Classless InterDomain Routing</i> (CIDR). Today, any system that to as <i>Classless InterDomain Routing</i> (CIDR). Today, any system that
you are likely to work with will understand CIDR and Class-based networking you are likely to work with will understand CIDR and Class-based networking
is largely a thing of the past.</p> is largely a thing of the past.</p>
@ -541,8 +543,8 @@ to as
<p align="left">As you can see by this definition, in each subnet of size <p align="left">As you can see by this definition, in each subnet of size
<b>n</b> there are (<b>n</b> - 2) usable addresses (addresses that <b>n</b> there are (<b>n</b> - 2) usable addresses (addresses that
can be assigned to hosts). The first and last address in the subnet can be assigned to hosts). The first and last address in the subnet
are used for the subnet address and subnet broadcast address respectively. are used for the subnet address and subnet broadcast address respectively.
Consequently, small subnetworks are more wasteful of IP addresses than Consequently, small subnetworks are more wasteful of IP addresses than
are large ones. </p> are large ones. </p>
@ -638,7 +640,7 @@ are used for the subnet address and subnet broadcast address respectively.
<p align="left">You will notice that the above table also contains a column <p align="left">You will notice that the above table also contains a column
for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet
Mask</i> for a network of size <b>n</b>. From the above table, we Mask</i> for a network of size <b>n</b>. From the above table, we
can derive the following one which is a little easier to use.</p> can derive the following one which is a little easier to use.</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -735,8 +737,8 @@ can derive the following one which is a little easier to use.</p>
<p align="left">The subnet's mask (also referred to as its <i>netmask) </i>is <p align="left">The subnet's mask (also referred to as its <i>netmask) </i>is
simply a 32-bit number with the first "VLSM" bits set to one and the simply a 32-bit number with the first "VLSM" bits set to one and the
remaining bits set to zero. For example, for a subnet of size 64, the remaining bits set to zero. For example, for a subnet of size 64,
subnet mask has 26 leading one bits:</p> the subnet mask has 26 leading one bits:</p>
<blockquote> <blockquote>
<p align="left">11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0 <p align="left">11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0
@ -745,14 +747,14 @@ can derive the following one which is a little easier to use.</p>
<p align="left">The subnet mask has the property that if you logically AND <p align="left">The subnet mask has the property that if you logically AND
the subnet mask with an address in the subnet, the result is the subnet the subnet mask with an address in the subnet, the result is the subnet
address. Just as important, if you logically AND the subnet mask with address. Just as important, if you logically AND the subnet mask
an address outside the subnet, the result is NOT the subnet address. with an address outside the subnet, the result is NOT the subnet address.
As we will see below, this property of subnet masks is very useful in As we will see below, this property of subnet masks is very useful
routing.</p> in routing.</p>
<p align="left">For a subnetwork whose address is <b>a.b.c.d</b> and whose <p align="left">For a subnetwork whose address is <b>a.b.c.d</b> and whose
Variable Length Subnet Mask is <b>/v</b>, we denote the subnetwork Variable Length Subnet Mask is <b>/v</b>, we denote the subnetwork
as "<b>a.b.c.d/v</b>" using <i>CIDR</i> <i>Notation</i>.  </p> as "<b>a.b.c.d/v</b>" using <i>CIDR</i> <i>Notation</i>.  </p>
<p align="left">Example:</p> <p align="left">Example:</p>
@ -821,8 +823,8 @@ as "<b>a.b.c.d/v</b>" using <i>CIDR</i> <i>Notation</i>.
<p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b> <p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b>
used to describe the ip configuration of a network interface (the 'ip' used to describe the ip configuration of a network interface (the 'ip'
utility also uses this syntax). This simply means that the interface utility also uses this syntax). This simply means that the interface
is configured with ip address <b>a.b.c.d</b> and with the netmask that is configured with ip address <b>a.b.c.d</b> and with the netmask that
corresponds to VLSM <b>/v</b>.</p> corresponds to VLSM <b>/v</b>.</p>
<p align="left">Example: 192.0.2.65/29</p> <p align="left">Example: 192.0.2.65/29</p>
@ -846,9 +848,10 @@ corresponds to VLSM <b>/v</b>.</p>
The first three routes are <i>host routes</i> since they indicate The first three routes are <i>host routes</i> since they indicate
how to get to a single host. In the 'netstat' output this can be seen how to get to a single host. In the 'netstat' output this can be seen
by the "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the by the "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the
Flags column. The remainder are 'net' routes since they tell the kernel Flags column. The remainder are 'net' routes since they tell the kernel
how to route packets to a subnetwork. The last route is the <i>default route</i> how to route packets to a subnetwork. The last route is the <i>default
and the gateway mentioned in that route is called the <i>default gateway</i>.</p> route</i> and the gateway mentioned in that route is called the <i>default
gateway</i>.</p>
<p align="left">When the kernel is trying to send a packet to IP address <p align="left">When the kernel is trying to send a packet to IP address
<b>A</b>, it starts at the top of the routing table and:</p> <b>A</b>, it starts at the top of the routing table and:</p>
@ -906,8 +909,8 @@ eth2.</p>
<p align="left">One more thing needs to be emphasized -- all outgoing packet <p align="left">One more thing needs to be emphasized -- all outgoing packet
are sent using the routing table and reply packets are not a special are sent using the routing table and reply packets are not a special
case. There seems to be a common mis-conception whereby people think case. There seems to be a common mis-conception whereby people think
that request packets are like salmon and contain a genetic code that that request packets are like salmon and contain a genetic code that
is magically transferred to reply packets so that the replies follow is magically transferred to reply packets so that the replies follow
the reverse route taken by the request. That isn't the case; the replies the reverse route taken by the request. That isn't the case; the replies
may take a totally different route back to the client than was taken by may take a totally different route back to the client than was taken by
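Review bot: the rewrapped paragraph keeps two pre-existing errors in the first three lines of this hunk: "all outgoing packet are sent" should read "all outgoing packets are sent", and "mis-conception" is normally written "misconception". Since these lines are being touched for reflow anyway, fix the plural and the hyphen in the same change.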
@ -956,7 +959,7 @@ to the card itself. </p>
<p align="left">In order to avoid having to exchange ARP information each <p align="left">In order to avoid having to exchange ARP information each
time that an IP packet is to be sent, systems maintain an <i>ARP cache</i> time that an IP packet is to be sent, systems maintain an <i>ARP cache</i>
of IP&lt;-&gt;MAC correspondences. You can see the ARP cache on your of IP&lt;-&gt;MAC correspondences. You can see the ARP cache on your
system (including your Windows system) using the 'arp' command:</p> system (including your Windows system) using the 'arp' command:</p>
<blockquote> <blockquote>
<div align="left"> <div align="left">
@ -979,9 +982,9 @@ system (including your Windows system) using the 'arp' command:</p>
Registries</i> (RIRs). For example, allocation for the Americas and for Registries</i> (RIRs). For example, allocation for the Americas and for
sub-Sahara Africa is delegated to the <i><a sub-Sahara Africa is delegated to the <i><a
href="http://www.arin.net">American Registry for Internet Numbers</a> href="http://www.arin.net">American Registry for Internet Numbers</a>
</i>(ARIN). These RIRs may in turn delegate to national registries. Most </i>(ARIN). These RIRs may in turn delegate to national registries. Most
of us don't deal with these registrars but rather get our IP addresses of us don't deal with these registrars but rather get our IP addresses
from our ISP.</p> from our ISP.</p>
<p align="left">It's a fact of life that most of us can't afford as many <p align="left">It's a fact of life that most of us can't afford as many
Public IP addresses as we have devices to assign them to so we end up making Public IP addresses as we have devices to assign them to so we end up making
@ -996,8 +999,8 @@ ranges for this purpose:</p>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred <p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. This is forward packets which have an RFC-1918 destination address. This is
understandable given that anyone can select any of these addresses understandable given that anyone can select any of these addresses
for their private use.</p> for their private use.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1034,8 +1037,8 @@ more organizations (including ISPs) are beginning to use RFC 1918 addresses
<div align="left"> <div align="left">
<p align="left">The choice of how to set up your network depends primarily <p align="left">The choice of how to set up your network depends primarily
on how many Public IP addresses you have vs. how many addressable on how many Public IP addresses you have vs. how many addressable
entities you have in your network. Regardless of how many addresses entities you have in your network. Regardless of how many addresses
you have, your ISP will handle that set of addresses in one of two you have, your ISP will handle that set of addresses in one of two
ways:</p> ways:</p>
</div> </div>
@ -1067,7 +1070,7 @@ ways:</p>
height="13" alt=""> height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf     If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, file to ensure that the following are set correctly; if they are not,
change them appropriately:<br> change them appropriately:<br>
</p> </p>
<ul> <ul>
@ -1084,12 +1087,12 @@ change them appropriately:<br>
<div align="left"> <div align="left">
<p align="left">Let's assume that your ISP has assigned you the subnet 192.0.2.64/28 <p align="left">Let's assume that your ISP has assigned you the subnet 192.0.2.64/28
routed through 192.0.2.65. That means that you have IP addresses 192.0.2.64 routed through 192.0.2.65. That means that you have IP addresses
- 192.0.2.79 and that your firewall's external IP address is 192.0.2.65. 192.0.2.64 - 192.0.2.79 and that your firewall's external IP address is
Your ISP has also told you that you should use a netmask of 255.255.255.0 192.0.2.65. Your ISP has also told you that you should use a netmask
(so your /28 is part of a larger /24). With this many IP addresses, of 255.255.255.0 (so your /28 is part of a larger /24). With this
you are able to subnet your /28 into two /29's and set up your network many IP addresses, you are able to subnet your /28 into two /29's
as shown in the following diagram.</p> and set up your network as shown in the following diagram.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1109,10 +1112,10 @@ the local network would be 192.0.2.73.</p>
<p align="left">Notice that this arrangement is rather wasteful of public <p align="left">Notice that this arrangement is rather wasteful of public
IP addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet IP addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet
addresses, 192.0.2.71 and 192.0.2.79 for subnet broadcast addresses addresses, 192.0.2.71 and 192.0.2.79 for subnet broadcast addresses
and 192.0.2.66 and 168.0.2.73 for internal addresses on the firewall/router. and 192.0.2.66 and 168.0.2.73 for internal addresses on the firewall/router.
Nevertheless, it shows how subnetting can work and if we were dealing Nevertheless, it shows how subnetting can work and if we were dealing
with a /24 rather than a /28 network, the use of 6 IP addresses out with a /24 rather than a /28 network, the use of 6 IP addresses out
of 256 would be justified because of the simplicity of the setup.</p> of 256 would be justified because of the simplicity of the setup.</p>
</div> </div>
<div align="left"> <div align="left">
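Review bot: the reflow preserves a wrong address in the third line of this hunk: "192.0.2.66 and 168.0.2.73 for internal addresses on the firewall/router" should be "192.0.2.66 and 192.0.2.73". The hunk header's own context says "the local network would be 192.0.2.73", and 168.0.2.73 lies outside the 192.0.2.64/28 allocation this example is built on; suggest correcting it while the line is being rewritten.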
@ -1144,7 +1147,7 @@ the connecting of multiple firewall/router interfaces to the same hub
or switch. When an ARP request for one of the firewall/router's IP addresses or switch. When an ARP request for one of the firewall/router's IP addresses
is sent by another system connected to the hub/switch, all of the firewall's is sent by another system connected to the hub/switch, all of the firewall's
interfaces that connect to the hub/switch can respond! It is then interfaces that connect to the hub/switch can respond! It is then
a race as to which "here-is" response reaches the sender first.</p> a race as to which "here-is" response reaches the sender first.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1167,14 +1170,14 @@ IP addresses to set up our networks as shown in the preceding example
<div align="left"> <div align="left">
<p align="left"><b>For the remainder of this section, assume that your ISP <p align="left"><b>For the remainder of this section, assume that your ISP
has assigned you IP addresses 192.0.2.176-180 and has told you to has assigned you IP addresses 192.0.2.176-180 and has told you to
use netmask 255.255.255.0 and default gateway 192.0.2.254.</b></p> use netmask 255.255.255.0 and default gateway 192.0.2.254.</b></p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Clearly, that set of addresses doesn't comprise a subnetwork <p align="left">Clearly, that set of addresses doesn't comprise a subnetwork
and there aren't enough addresses for all of the network interfaces. and there aren't enough addresses for all of the network interfaces.
There are four different techniques that can be used to work around There are four different techniques that can be used to work around
this problem.</p> this problem.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1211,18 +1214,18 @@ these will be discussed in the sections that follow.</p>
<p align="left">With SNAT, an internal LAN segment is configured using RFC <p align="left">With SNAT, an internal LAN segment is configured using RFC
1918 addresses. When a host <b>A </b>on this internal segment initiates 1918 addresses. When a host <b>A </b>on this internal segment initiates
a connection to host <b>B</b> on the internet, the firewall/router a connection to host <b>B</b> on the internet, the firewall/router
rewrites the IP header in the request to use one of your public IP rewrites the IP header in the request to use one of your public IP
addresses as the source address. When <b>B</b> responds and the response addresses as the source address. When <b>B</b> responds and the response
is received by the firewall, the firewall changes the destination address is received by the firewall, the firewall changes the destination
back to the RFC 1918 address of <b>A</b> and forwards the response back address back to the RFC 1918 address of <b>A</b> and forwards the response
to <b>A.</b></p> back to <b>A.</b></p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Let's suppose that you decide to use SNAT on your local zone <p align="left">Let's suppose that you decide to use SNAT on your local zone
and use public address 192.0.2.176 as both your firewall's external and use public address 192.0.2.176 as both your firewall's external
IP address and the source IP address of internet requests sent from IP address and the source IP address of internet requests sent from
that zone.</p> that zone.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1238,9 +1241,9 @@ that zone.</p>
<div align="left"> <img border="0" src="images/BD21298_2.gif" <div align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13"> width="13" height="13">
    The systems in the local zone would be configured with a     The systems in the local zone would be configured with
default gateway of 192.168.201.1 (the IP address of the firewall's a default gateway of 192.168.201.1 (the IP address of the firewall's
local interface).</div> local interface).</div>
<div align="left">  </div> <div align="left">  </div>
@ -1274,10 +1277,10 @@ local interface).</div>
<p align="left">This example used the normal technique of assigning the same <p align="left">This example used the normal technique of assigning the same
public IP address for the firewall external interface and for SNAT. public IP address for the firewall external interface and for SNAT.
If you wanted to use a different IP address, you would either have If you wanted to use a different IP address, you would either have
to use your distributions network configuration tools to add that IP to use your distributions network configuration tools to add that
address to the external interface or you could set ADD_SNAT_ALIASES=Yes IP address to the external interface or you could set ADD_SNAT_ALIASES=Yes
in /etc/shorewall/shorewall.conf and Shorewall will add the address for in /etc/shorewall/shorewall.conf and Shorewall will add the address for
you.</p> you.</p>
</div> </div>
<div align="left"> <div align="left">
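Review bot: "to use your distributions network configuration tools" in the fourth line of this hunk is missing the possessive apostrophe and should read "your distribution's network configuration tools"; otherwise the reflow is fine.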
@ -1294,9 +1297,9 @@ you.</p>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
     Suppose that your daughter wants to run a web server on      Suppose that your daughter wants to run a web server
her system "Local 3". You could allow connections to the internet to on her system "Local 3". You could allow connections to the internet
her server by adding the following entry in <a to her server by adding the following entry in <a
href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p> href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
</div> </div>
@ -1335,8 +1338,8 @@ her server by adding the following entry in <a
href="http://192.0.2.176"> http://192.0.2.176</a> (the firewall's external href="http://192.0.2.176"> http://192.0.2.176</a> (the firewall's external
IP address) and the firewall will rewrite the destination IP address IP address) and the firewall will rewrite the destination IP address
to 192.168.201.4 (your daughter's system) and forward the request. to 192.168.201.4 (your daughter's system) and forward the request.
When your daughter's server responds, the firewall will rewrite the When your daughter's server responds, the firewall will rewrite the
source address back to 192.0.2.176 and send the response back to <b>A.</b></p> source address back to 192.0.2.176 and send the response back to <b>A.</b></p>
</div> </div>
<div align="left"> <div align="left">
@ -1388,14 +1391,14 @@ will respond (with the MAC if the firewall interface to <b>H</b>). </p>
system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned
an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface
on the firewall. That address and netmask isn't relevant - just be on the firewall. That address and netmask isn't relevant - just be
sure it doesn't overlap another subnet that you've defined.</div> sure it doesn't overlap another subnet that you've defined.</div>
<div align="left">  </div> <div align="left">  </div>
<div align="left"> <img border="0" src="images/BD21298_2.gif" <div align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13"> width="13" height="13">
    The Shorewall configuration of Proxy ARP is done using the     The Shorewall configuration of Proxy ARP is done using
<a href="Documentation.htm#ProxyArp">/etc/shorewall/proxyarp</a> file.</div> the <a href="Documentation.htm#ProxyArp">/etc/shorewall/proxyarp</a> file.</div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
@ -1433,14 +1436,14 @@ sure it doesn't overlap another subnet that you've defined.</div>
<p align="left">The ethernet interfaces on DMZ 1 and DMZ 2 should be configured <p align="left">The ethernet interfaces on DMZ 1 and DMZ 2 should be configured
to have the IP addresses shown but should have the same default gateway to have the IP addresses shown but should have the same default gateway
as the firewall itself -- namely 192.0.2.254. In other words, they should as the firewall itself -- namely 192.0.2.254. In other words, they should
be configured just like they would be if they were parallel to the firewall be configured just like they would be if they were parallel to the firewall
rather than behind it.<br> rather than behind it.<br>
</p> </p>
<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed address(es) <p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed address(es)
(192.0.2.177 and 192.0.2.178 in the above example)  to the external interface (192.0.2.177 and 192.0.2.178 in the above example)  to the external interface
(eth0 in this example) of the firewall.</b></font><br> (eth0 in this example) of the firewall.</b></font><br>
</p> </p>
<div align="left"> </div> <div align="left"> </div>
@ -1454,18 +1457,18 @@ rather than behind it.<br>
<div align="left"> <div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure <p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it parallel to your firewall to behind your firewall with Proxy ARP,
will probably be HOURS before that system can communicate with the internet. it will probably be HOURS before that system can communicate with the
There are a couple of things that you can try:<br> internet. There are a couple of things that you can try:<br>
</p> </p>
<ol> <ol>
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP
Illustrated, Vol 1</i> reveals that a <br> Illustrated, Vol 1</i> reveals that a <br>
<br> <br>
"gratuitous" ARP packet should cause the ISP's router to refresh their "gratuitous" ARP packet should cause the ISP's router to refresh
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the their ARP cache (section 4.7). A gratuitous ARP is simply a host requesting
MAC address for its own IP; in addition to ensuring that the IP address the MAC address for its own IP; in addition to ensuring that the IP address
isn't a duplicate,...<br> isn't a duplicate,...<br>
<br> <br>
"if the host sending the gratuitous ARP has just changed its hardware "if the host sending the gratuitous ARP has just changed its hardware
@ -1473,27 +1476,27 @@ rather than behind it.<br>
cache for the old hardware address to update its ARP cache entry accordingly."<br> cache for the old hardware address to update its ARP cache entry accordingly."<br>
<br> <br>
Which is, of course, exactly what you want to do when you switch Which is, of course, exactly what you want to do when you switch
a host from being exposed to the Internet to behind Shorewall using proxy a host from being exposed to the Internet to behind Shorewall using proxy
ARP (or static NAT for that matter). Happily enough, recent versions of ARP (or static NAT for that matter). Happily enough, recent versions of
Redhat's iputils package include "arping", whose "-U" flag does just that:<br> Redhat's iputils package include "arping", whose "-U" flag does just that:<br>
<br> <br>
    <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly     <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly
proxied IP&gt;</b></font><br> proxied IP&gt;</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for     <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for
example</b></font><br> example</b></font><br>
<br> <br>
Stevens goes on to mention that not all systems respond correctly Stevens goes on to mention that not all systems respond correctly
to gratuitous ARPs, but googling for "arping -U" seems to support the idea to gratuitous ARPs, but googling for "arping -U" seems to support the
that it works most of the time.<br> idea that it works most of the time.<br>
<br> <br>
</li> </li>
<li>You can call your ISP and ask them to purge the stale ARP <li>You can call your ISP and ask them to purge the stale ARP
cache entry but many either can't or won't purge individual entries.</li> cache entry but many either can't or won't purge individual entries.</li>
</ol> </ol>
You can determine if your ISP's gateway ARP cache is stale using You can determine if your ISP's gateway ARP cache is stale using
ping and tcpdump. Suppose that we suspect that the gateway router has ping and tcpdump. Suppose that we suspect that the gateway router has
a stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump a stale ARP cache entry for 192.0.2.177. On the firewall, run tcpdump
as follows:</div> as follows:</div>
<div align="left"> <div align="left">
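Review bot: the last four lines of this hunk replace 130.252.100.19 with the documentation address 192.0.2.177 in the tcpdump/ping walkthrough, but the arping example in the same hunk still reads "arping -U -I eth0 66.58.99.83 # for example", which looks like a live public address. Use 192.0.2.177 there as well so the whole section stays on the documentation range and the example matches the DMZ 1 address used elsewhere in this guide. Minor: "cause the ISP's router to refresh their ARP cache" has a singular subject, so "its ARP cache" would agree.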
@ -1501,12 +1504,12 @@ cache entry but many either can't or won't purge individual entries.</li>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we <p align="left">Now from 192.0.2.177, ping the ISP's gateway (which we
will assume is 130.252.100.254):</p> will assume is 192.0.2.254):</p>
</div> </div>
<div align="left"> <div align="left">
<pre> <b><font color="#009900">ping 130.252.100.254</font></b></pre> <pre> <b><font color="#009900">ping 192.0.2.254</font></b></pre>
</div> </div>
</div> </div>
@ -1521,10 +1524,10 @@ cache entry but many either can't or won't purge individual entries.</li>
<div align="left"> <div align="left">
<p align="left">Notice that the source MAC address in the echo request is <p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In different from the destination MAC address in the echo reply!! In
this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC
0:c0:a8:50:b2:57 was the MAC address of DMZ 1. In other words, the while 0:c0:a8:50:b2:57 was the MAC address of DMZ 1. In other words,
gateway's ARP cache still associates 192.0.2.177 with the NIC in DMZ the gateway's ARP cache still associates 192.0.2.177 with the NIC
1 rather than with the firewall's eth0.</p> in DMZ 1 rather than with the firewall's eth0.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1535,9 +1538,9 @@ gateway's ARP cache still associates 192.0.2.177 with the NIC in DMZ
<p align="left">With static NAT, you assign local systems RFC 1918 addresses <p align="left">With static NAT, you assign local systems RFC 1918 addresses
then establish a one-to-one mapping between those addresses and public then establish a one-to-one mapping between those addresses and public
IP addresses. For outgoing connections SNAT (Source Network Address IP addresses. For outgoing connections SNAT (Source Network Address
Translation) occurs and on incoming connections DNAT (Destination Network Translation) occurs and on incoming connections DNAT (Destination
Address Translation) occurs. Let's go back to our earlier example involving Network Address Translation) occurs. Let's go back to our earlier example
your daughter's web server running on system Local 3.</p> involving your daughter's web server running on system Local 3.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1549,7 +1552,7 @@ gateway's ARP cache still associates 192.0.2.177 with the NIC in DMZ
<div align="left"> <div align="left">
<p align="left">Recall that in this setup, the local network is using SNAT <p align="left">Recall that in this setup, the local network is using SNAT
and is sharing the firewall external IP (192.0.2.176) for outbound and is sharing the firewall external IP (192.0.2.176) for outbound
connections. This is done with the following entry in /etc/shorewall/masq:</p> connections. This is done with the following entry in /etc/shorewall/masq:</p>
</div> </div>
<div align="left"> <div align="left">
@ -1577,7 +1580,7 @@ connections. This is done with the following entry in /etc/shorewall/masq:
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    Suppose now that you have decided to give your daughter     Suppose now that you have decided to give your daughter
her own IP address (192.0.2.179) for both inbound and outbound connections. her own IP address (192.0.2.179) for both inbound and outbound connections.
You would do that by adding an entry in <a You would do that by adding an entry in <a
href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p> href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
</div> </div>
@ -1651,6 +1654,82 @@ her own IP address (192.0.2.179) for both inbound and outbound connection
</div> </div>
<div align="left"> <div align="left">
<div align="left">
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with static NAT,
it will probably be HOURS before that system can communicate with the
internet. There are a couple of things that you can try:<br>
</p>
<ol>
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated,
Vol 1</i> reveals that a <br>
<br>
"gratuitous" ARP packet should cause the ISP's router to refresh
their ARP cache (section 4.7). A gratuitous ARP is simply a host requesting
the MAC address for its own IP; in addition to ensuring that the IP address
isn't a duplicate,...<br>
<br>
"if the host sending the gratuitous ARP has just changed its hardware
address..., this packet causes any other host...that has an entry in its
cache for the old hardware address to update its ARP cache entry accordingly."<br>
<br>
Which is, of course, exactly what you want to do when you switch
a host from being exposed to the Internet to behind Shorewall using proxy
ARP (or static NAT for that matter). Happily enough, recent versions of
Redhat's iputils package include "arping", whose "-U" flag does just that:<br>
<br>
    <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly
proxied IP&gt;</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for
example</b></font><br>
<br>
Stevens goes on to mention that not all systems respond correctly
to gratuitous ARPs, but googling for "arping -U" seems to support the
idea that it works most of the time.<br>
<br>
</li>
<li>You can call your ISP and ask them to purge the stale ARP cache
entry but many either can't or won't purge individual entries.</li>
</ol>
You can determine if your ISP's gateway ARP cache is stale using
ping and tcpdump. Suppose that we suspect that the gateway router has
a stale ARP cache entry for 209.0.2.179. On the firewall, run tcpdump
as follows:</div>
<div align="left">
<pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
</div>
<div align="left">
<p align="left">Now from the 192.168.201.4, ping the ISP's gateway (which
we will assume is 192.0.2.254):</p>
</div>
<div align="left">
<pre> <b><font color="#009900">ping 192.0.2.254</font></b></pre>
</div>
</div>
<div align="left">
<p align="left">We can now observe the tcpdump output:</p>
</div>
<div align="left">
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 192.0.2.179 &gt; 192.0.2.254: icmp: echo request (DF)<br> 13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 192.0.2.254 &gt; 192.0.2.179 : icmp: echo reply</pre>
</div>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In
this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC
while 0:c0:a8:50:b2:57 was the MAC address of DMZ 1. In other words,
the gateway's ARP cache still associates 192.0.2.179 with the NIC
in the local zone rather than with the firewall's eth0.</p>
</div>
<h3 align="left"><a name="Rules"></a>5.3 Rules</h3> <h3 align="left"><a name="Rules"></a>5.3 Rules</h3>
</div> </div>
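Review bot: the static-NAT ARP warning added in hunk @ -1651 is a copy of the proxy ARP text and several details were not adjusted for this section. The tcpdump walkthrough says the suspected stale entry is for 209.0.2.179 while the ping, the captured packets and the conclusion all use 192.0.2.179; the conclusion says 0:c0:a8:50:b2:57 "was the MAC address of DMZ 1" although the host in this example sits in the local zone (the final sentence already says "the NIC in the local zone"); the quoted Honsinger note still talks about moving a host "behind Shorewall using proxy ARP (or static NAT for that matter)", which reads backwards in the static NAT section; and the arping example uses 66.58.99.83 instead of an address from the 192.0.2.0/24 range used everywhere else in the guide. Smaller points: "Now from the 192.168.201.4, ping" should be "Now from 192.168.201.4, ping", and the echo reply line has a stray space in "192.0.2.179 :". Since the whole procedure rests on comparing the two MAC addresses, make the addresses and zone names consistent before this ships.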
@ -1658,11 +1737,11 @@ her own IP address (192.0.2.179) for both inbound and outbound connection
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    With the default policies, your local systems (Local 1-3)     With the default policies, your local systems (Local 1-3)
can access any servers on the internet and the DMZ can't access any can access any servers on the internet and the DMZ can't access any
other host (including the firewall). With the exception of <a other host (including the firewall). With the exception of <a
href="#DNAT">DNAT rules</a> which cause address translation and allow href="#DNAT">DNAT rules</a> which cause address translation and allow
the translated connection request to pass through the firewall, the the translated connection request to pass through the firewall, the
way to allow connection requests through your firewall is to use ACCEPT way to allow connection requests through your firewall is to use ACCEPT
rules.</p> rules.</p>
</div> </div>
@ -1961,9 +2040,9 @@ I prefer to use NAT only in cases where a system that is part of an RFC
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    If you haven't already, it would be a good idea to browse     If you haven't already, it would be a good idea to browse
through <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> through <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>
just to see if there is anything there that might be of interest. just to see if there is anything there that might be of interest.
You might also want to look at the other configuration files that You might also want to look at the other configuration files that
you haven't touched yet just to get a feel for the other things that you haven't touched yet just to get a feel for the other things that
Shorewall can do.</p> Shorewall can do.</p>
</div> </div>
@ -2366,11 +2445,11 @@ DNS servers. You can combine the two into a single BIND 9 server using
<div align="left"> <div align="left">
<p align="left">Suppose that your domain is foobar.net and you want the two <p align="left">Suppose that your domain is foobar.net and you want the two
DMZ systems named www.foobar.net and mail.foobar.net and you want DMZ systems named www.foobar.net and mail.foobar.net and you want
the three local systems named "winken.foobar.net, blinken.foobar.net the three local systems named "winken.foobar.net, blinken.foobar.net
and nod.foobar.net. You want your firewall to be known as firewall.foobar.net and nod.foobar.net. You want your firewall to be known as firewall.foobar.net
externally and it's interface to the local network to be know as gateway.foobar.net externally and it's interface to the local network to be know as gateway.foobar.net
and its interface to the dmz as dmz.foobar.net. Let's have the DNS and its interface to the dmz as dmz.foobar.net. Let's have the DNS
server on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p> server on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
</div> </div>
<div align="left"> <div align="left">
@ -2384,7 +2463,7 @@ server on 192.0.2.177 which will also be known by the name ns1.foobar.net.
</div> </div>
<div align="left"> <div align="left">
<pre>#<br># This is the view presented to our internal systems<br>#<br><br>view "internal" {<br> #<br> # These are the clients that see this view<br> #<br> match-clients { 192.168.201.0/29;<br> 192.168.202.0/29;<br> 127.0.0/24;<br> 192.0.2.176/32; <br> 192.0.2.178/32;<br> 192.0.2.179/32;<br> 192.0.2.180/32; };<br> #<br> # If this server can't complete the request, it should use outside<br> # servers to do so<br> #<br> recursion yes;<br><br> zone "." in {<br> type hint;<br> file "int/root.cache";<br> };<br><br> zone "foobar.net" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "int/db.foobar";<br> };<br><br> zone "0.0.127.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "int/db.127.0.0"; <br> };<br><br> zone "201.168.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "int/db.192.168.201";<br> };<br><br> zone "202.168.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "int/db.192.168.202";<br> };<br><br> zone "176.2.0.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "db.192.0.2.176";<br> };<br> (or status NAT for that matter)<br> zone "177.2.0.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "db.192.0.2.177";<br> };<br><br> zone "178.2.0.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "db.192.0.2.178";<br> };<br><br> zone "179.2.0.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "db.206.124.146.179";<br> };<br><br>};<br>#<br># This is the view that we present to the outside world<br>#<br>view "external" {<br> match-clients { any; };<br> #<br> # If we can't answer the query, we tell the client so<br> #<br> recursion no;<br><br> zone "foobar.net" in {<br> type master;<br> notify yes;<br> allow-update {none; };<br> allow-transfer { <i>&lt;secondary NS 
IP&gt;</i>; };<br> file "ext/db.foobar";<br> };<br><br> zone "176.2.0.192.in-addr.arpa" in {<br> type master;<br> notify yes;<br> allow-update { none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "db.192.0.2.176";<br> };<br><br> zone "177.2.0.192.in-addr.arpa" in {<br> type master;<br> notify yes;<br> allow-update { none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "db.192.0.2.177";<br> };<br><br> zone "178.2.0.192.in-addr.arpa" in {<br> type master;<br> notify yes;<br> allow-update { none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "db.192.0.2.178";<br> };<br><br> zone "179.2.0.192.in-addr.arpa" in {<br> type master;<br> notify yes;<br> allow-update { none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "db.192.0.2.179";<br> };<br>};</pre> <pre>#<br># This is the view presented to our internal systems<br>#<br><br>view "internal" {<br> #<br> # These are the clients that see this view<br> #<br> match-clients { 192.168.201.0/29;<br> 192.168.202.0/29;<br> 127.0.0.0/8;<br> 192.0.2.176/32; <br> 192.0.2.178/32;<br> 192.0.2.179/32;<br> 192.0.2.180/32; };<br> #<br> # If this server can't complete the request, it should use outside<br> # servers to do so<br> #<br> recursion yes;<br><br> zone "." 
in {<br> type hint;<br> file "int/root.cache";<br> };<br><br> zone "foobar.net" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "int/db.foobar";<br> };<br><br> zone "0.0.127.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "int/db.127.0.0"; <br> };<br><br> zone "201.168.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "int/db.192.168.201";<br> };<br><br> zone "202.168.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "int/db.192.168.202";<br> };<br><br> zone "176.2.0.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "db.192.0.2.176";<br> };<br> (or status NAT for that matter)<br> zone "177.2.0.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "db.192.0.2.177";<br> };<br><br> zone "178.2.0.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "db.192.0.2.178";<br> };<br><br> zone "179.2.0.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "db.206.124.146.179";<br> };<br><br>};<br>#<br># This is the view that we present to the outside world<br>#<br>view "external" {<br> match-clients { any; };<br> #<br> # If we can't answer the query, we tell the client so<br> #<br> recursion no;<br><br> zone "foobar.net" in {<br> type master;<br> notify yes;<br> allow-update {none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "ext/db.foobar";<br> };<br><br> zone "176.2.0.192.in-addr.arpa" in {<br> type master;<br> notify yes;<br> allow-update { none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "db.192.0.2.176";<br> };<br><br> zone "177.2.0.192.in-addr.arpa" in {<br> type master;<br> notify yes;<br> allow-update { none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "db.192.0.2.177";<br> };<br><br> zone 
"178.2.0.192.in-addr.arpa" in {<br> type master;<br> notify yes;<br> allow-update { none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "db.192.0.2.178";<br> };<br><br> zone "179.2.0.192.in-addr.arpa" in {<br> type master;<br> notify yes;<br> allow-update { none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "db.192.0.2.179";<br> };<br>};</pre>
</div> </div>
</blockquote> </blockquote>
</div> </div>
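Review bot: the match-clients correction from 127.0.0/24 to 127.0.0.0/8 in view "internal" is right, but two defects remain in the named.conf listing on both sides of hunk @ -2384. The bare text "(or status NAT for that matter)" sits between the 176.2.0.192.in-addr.arpa and 177.2.0.192.in-addr.arpa zone blocks inside view "internal"; it is not a comment, so named would refuse to load the file as shown. And the internal 179.2.0.192.in-addr.arpa zone uses file "db.206.124.146.179" while the external view uses "db.192.0.2.179" for the same zone; the internal entry looks like a leftover from a different address and should match. The split itself is sound: the external view keeps recursion off and limits allow-transfer to the secondary, and the recursive internal view is only matched for the listed RFC 1918 and firewall addresses. Keep that arrangement when cleaning up the listing.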
@ -2497,7 +2576,7 @@ server on 192.0.2.177 which will also be known by the name ns1.foobar.net.
<div align="left"> <div align="left">
<p align="left">The firewall is started using the "shorewall start" command <p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, and stopped using "shorewall stop". When the firewall is stopped,
routing is enabled on those hosts that have an entry in <a routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command. running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter If you want to totally remove any trace of Shorewall from your Netfilter
@ -2508,36 +2587,27 @@ routing is enabled on those hosts that have an entry in <a
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    Edit the /etc/shorewall/routestopped file and configure     Edit the /etc/shorewall/routestopped file and configure
those systems that you want to be able to access the firewall when those systems that you want to be able to access the firewall when
it is stopped.</p> it is stopped.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to added an entry for the IP address that you are connected from to
<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="Documentation.htm#Configs">alternate configuration</a></i> an <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
and test it using the <a href="Documentation.htm#Starting">"shorewall and test it using the <a href="Documentation.htm#Starting">"shorewall
try" command</a>.</p> try" command</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 5/3/2003 - <a <p align="left"><font size="2">Last updated 6/7/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a></p> Thomas M. Easte</font></a><br>
<br> </p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>
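Review bot: the footer change in hunk @ -2508 introduces a typo in the copyright line: "Thomas M. Easte" on the right side should stay "Thomas M. Eastep" as on the left. The "Last updated" date also moves to 6/7/2003, which is earlier than the 6/17/2003 Shorewall-1.4.5 entry this same commit adds to index.html; update it to match the release.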

View File

@ -7,8 +7,8 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base
target="_self"> <base target="_self">
</head> </head>
<body> <body>
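Review bot: the unchanged `<title>Shoreline Firewall (Shorewall) 1.3</title>` context line in hunk @ -7 still says 1.3 while the page header rewritten in the next hunk says "Shorewall 1.4"; since the file is being edited here, bump the title as well.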
@ -20,24 +20,23 @@
<tr> <tr>
<td width="100%" height="90"> <td width="33%" height="90" valign="middle"
align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0">
</a></td>
<td valign="middle" width="34%" align="center">
<h1 align="center"> <font size="4"><i> <a <h1><font color="#ffffff">Shorewall 1.4</font><i><font
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
alt="Shorwall Logo" height="70" width="85" align="left" </td>
src="images/washington.jpg" border="0"> <td valign="middle">
<h1 align="center"><a href="http://www.shorewall.net"
</a></i></font><font color="#ffffff">Shorewall 1.4 target="_top"><br>
- <font size="4">"<i>iptables made </a></h1>
easy"</i></font></font><br> <br>
<a target="_top" href="1.3/index.html"><font
color="#ffffff"> </font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small><br>
</small></small></small></font></a>
</h1>
</td> </td>
</tr> </tr>
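Review bot: in the header table rewrite of hunk @ -20, the new `<a href="http://www.shorewall.net" target="_top"><br></a>` is an anchor with no visible content; either give it link text or drop it. The logo's alt text also goes from "Shorwall Logo" (a typo) to alt="", which removes the description entirely; fix the spelling to "Shorewall Logo" instead of emptying it.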
@ -66,7 +65,7 @@ easy"</i></font></font><br>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> a <a href="http://www.netfilter.org">Netfilter</a>
(iptables) based firewall that can be used (iptables) based firewall that can be used
on a dedicated firewall system, a multi-function on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
@ -75,26 +74,26 @@ on a dedicated firewall system, a multi-function
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it it
under the terms of <a under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
General Public License</a> as published by the Free Software GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed in the hope This program is distributed in the
that it will be useful, but WITHOUT ANY hope that it will be useful, but WITHOUT
WARRANTY; without even the implied warranty ANY WARRANTY; without even the implied
of MERCHANTABILITY or FITNESS FOR A PARTICULAR warranty of MERCHANTABILITY or FITNESS
PURPOSE. See the GNU General Public License FOR A PARTICULAR PURPOSE. See the GNU General
for more details.<br> Public License for more details.<br>
<br> <br>
You should have received a copy of the You should have received a copy of
GNU General Public License along the GNU General Public License
with this program; if not, write to the Free along with this program; if not, write to
Software Foundation, Inc., 675 Mass the Free Software Foundation, Inc.,
Ave, Cambridge, MA 02139, USA</p> 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -104,12 +103,14 @@ General Public License</a> as published by the Free Software
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2> <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly to If so, almost <b>NOTHING </b>on this site will apply directly
your setup. If you want to use the documentation that you find here, it to your setup. If you want to use the documentation that you find here,
is best if you uninstall what you have and install a setup that matches it is best if you uninstall what you have and install a setup that matches
the documentation on this site. See the <a href="two-interface.htm">Two-interface the documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br> QuickStart Guide</a> for details.<br>
<h2>Getting Started with Shorewall</h2> <h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a New to Shorewall? Start by selecting the <a
@ -117,25 +118,73 @@ QuickStart Guide</a> for details.<br>
match your environment and follow the step by step instructions.<br> match your environment and follow the step by step instructions.<br>
<h2><b>News</b></h2> <h2><b>News</b></h2>
<b> </b> <b> </b>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b><b><img border="0" <p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;" now correctly
traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones file; previously,
INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second column
are no longer ignored.<br>
</li>
</ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may
now contain a list of addresses. If the list begins with "!' then the rule
will take effect only if the original destination address in the connection
request does not match any of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
The firewall at shorewall.net has been upgraded to the 2.4.21 kernel and
iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
have been encountered with this set of software. The Shorewall version is
1.4.4b plus the accumulated changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed out
that the code in 1.4.4 restricts the length of short zone names to 4 characters. <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
I've produced version 1.4.4a that restores the previous 5-character limit version 1.4.4.</p>
by conditionally omitting the log rule number when the LOGFORMAT doesn't
contain '%d'. <p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b></p>
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> <p>Groan -- This version corrects a problem whereby the --log-level
</b><b> </b></p> was not being set when logging via syslog. The most commonly reported symptom
was that Shorewall messages were being written to the console even though
console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
16</a>.<br>
</p>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
out that the code in 1.4.4 restricts the length of short zone names to
4 characters. I've produced version 1.4.4a that restores the previous 5-character
limit by conditionally omitting the log rule number when the LOGFORMAT
doesn't contain '%d'.
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b>
</b></p>
I apologize for the rapid-fire releases but since there is a potential I apologize for the rapid-fire releases but since there is a potential
configuration change required to go from 1.4.3a to 1.4.4, I decided to make configuration change required to go from 1.4.3a to 1.4.4, I decided to
it a full release rather than just a bug-fix release. <br> make it a full release rather than just a bug-fix release. <br>
<br> <br>
<b>    Problems corrected:</b><br> <b>    Problems corrected:</b><br>
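Review bot: in the 1.4.5 "New Features" item of hunk @ -117 the quoting around the negation character is mismatched: `If the list begins with "!' then` opens with a double quote and closes with a single quote. That item is also the only description of the new negated ORIGINAL DEST syntax for DNAT[-] and REDIRECT[-] rules; link it to the rules-file section of the documentation so readers can find the exact syntax rather than guessing from the news entry.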
@ -150,24 +199,25 @@ contain '%d'.
rule.<br> rule.<br>
<br> <br>
</li> </li>
<li>The LOGMARKER variable has been renamed LOGFORMAT and has <li>The LOGMARKER variable has been renamed LOGFORMAT and
been changed to a 'printf' formatting template which accepts three arguments has been changed to a 'printf' formatting template which accepts three
(the chain name, logging rule number and the disposition). To use LOGFORMAT arguments (the chain name, logging rule number and the disposition). To
with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>), use LOGFORMAT with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>),
set it as:<br> set it as:<br>
 <br>  <br>
       LOGFORMAT="fp=%s:%d a=%s "<br>        LOGFORMAT="fp=%s:%d a=%s "<br>
 <br>  <br>
<b>CAUTION: </b>/sbin/shorewall uses the leading part of the LOGFORMAT <b>CAUTION: </b>/sbin/shorewall uses the leading part of the
string (up to but not including the first '%') to find log messages in LOGFORMAT string (up to but not including the first '%') to find log messages
the 'show log', 'status' and 'hits' commands. This part should not be omitted in the 'show log', 'status' and 'hits' commands. This part should not
(the LOGFORMAT should not begin with "%") and the leading part should be be omitted (the LOGFORMAT should not begin with "%") and the leading part
sufficiently unique for /sbin/shorewall to identify Shorewall messages.<br> should be sufficiently unique for /sbin/shorewall to identify Shorewall
messages.<br>
<br> <br>
</li> </li>
<li>When logging is specified on a DNAT[-] or REDIRECT[-] rule, <li>When logging is specified on a DNAT[-] or REDIRECT[-]
the logging now takes place in the nat table rather than in the filter table. rule, the logging now takes place in the nat table rather than in the filter
This way, only those connections that actually undergo DNAT or redirection table. This way, only those connections that actually undergo DNAT or redirection
will be logged.</li> will be logged.</li>
</ol> </ol>
@ -175,57 +225,66 @@ the 'show log', 'status' and 'hits' commands. This part should not be omitted
<p><b>5/20/2003 - Shorewall-1.4.3a</b><b> </b><b> <p><b>5/20/2003 - Shorewall-1.4.3a</b><b> </b><b>
</b><br> </b><br>
</p> </p>
This version primarily corrects the documentation included in the .tgz This version primarily corrects the documentation included in the
and in the .rpm. In addition: <br> .tgz and in the .rpm. In addition: <br>
<ol> <ol>
<li>(This change is in 1.4.3 but is not documented) If you are <li>(This change is in 1.4.3 but is not documented) If
running iptables 1.2.7a and kernel 2.4.20, then Shorewall will return reject you are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will
replies as follows:<br> return reject replies as follows:<br>
   a) tcp - RST<br>    a) tcp - RST<br>
   b) udp - ICMP port unreachable<br>    b) udp - ICMP port unreachable<br>
   c) icmp - ICMP host unreachable<br>    c) icmp - ICMP host unreachable<br>
   d) Otherwise - ICMP host prohibited<br>    d) Otherwise - ICMP host prohibited<br>
If you are running earlier software, Shorewall will follow it's traditional If you are running earlier software, Shorewall will follow it's
convention:<br> traditional convention:<br>
   a) tcp - RST<br>    a) tcp - RST<br>
   b) Otherwise - ICMP port unreachable</li>    b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def chain. <li>UDP port 135 is now silently dropped in the common.def
Remember that this chain is traversed just before a DROP or REJECT policy chain. Remember that this chain is traversed just before a DROP or REJECT
is enforced.<br> policy is enforced.<br>
</li> </li>
</ol> </ol>
<p><b>5/18/2003 - Shorewall 1.4.3</b><br> <p><b>5/18/2003 - Shorewall 1.4.3</b><br>
</p> </p>
    <b>Problems Corrected:<br>     <b>Problems Corrected:<br>
</b> </b>
<ol> <ol>
<li>There were several cases where Shorewall would fail to <li>There were several cases where Shorewall would fail
remove a temporary directory from /tmp. These cases have been corrected.</li> to remove a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback interface <li>The rules for allowing all traffic via the loopback
have been moved to before the rule that drops status=INVALID packets. interface have been moved to before the rule that drops status=INVALID
This insures that all loopback traffic is allowed even if Netfilter connection packets. This insures that all loopback traffic is allowed even if Netfilter
tracking is confused.</li> connection tracking is confused.</li>
</ol> </ol>
    <b>New Features:<br>     <b>New Features:<br>
</b> </b>
<ol> <ol>
<li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4 (6to4) <li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4
tunnels </a>are now supported in the /etc/shorewall/tunnels file.</li> (6to4) tunnels </a>are now supported in the /etc/shorewall/tunnels
<li value="2">You may now change the leading portion of the file.</li>
--log-prefix used by Shorewall using the LOGMARKER variable in shorewall.conf. <li value="2">You may now change the leading portion
By default, "Shorewall:" is used.<br> of the --log-prefix used by Shorewall using the LOGMARKER variable in
shorewall.conf. By default, "Shorewall:" is used.<br>
</li> </li>
</ol> </ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br> <p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p> </p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed! Ed Greshko has established a mirror in Taiwan -- Thanks
Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p> <p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
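Review bot: the rewrap in hunk @ -175 carries over two typos that could be fixed in the same change: "Shorewall will follow it's traditional convention" should be "its", and "This insures that all loopback traffic is allowed" should be "ensures".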
@ -237,18 +296,22 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b>  </b></p> <p><b>4/26/2003 - lists.shorewall.net Downtime</b><b>  </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br> <p>The list server will be down this morning for upgrade to RH9.0.<br>
</p> </p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b> <p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b></p> </b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded <p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p> to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b> <p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
</b></p> </b></p>
@ -256,15 +319,16 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
<blockquote> This morning, I gave <a href="GSLUG.htm" <blockquote> This morning, I gave <a href="GSLUG.htm"
target="_top">a Shorewall presentation to GSLUG</a>. The presentation target="_top">a Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint and is in HTML format but was generated from Microsoft PowerPoint
is best viewed using Internet Explorer (although Konqueror also seems and is best viewed using Internet Explorer (although Konqueror also
to work reasonably well as does Opera 7.1.0). Neither Opera 6 nor Netscape seems to work reasonably well as does Opera 7.1.0). Neither Opera
work well to view the presentation.</blockquote> 6 nor Netscape work well to view the presentation.</blockquote>
<p><b></b></p> <p><b></b></p>
<blockquote> <blockquote>
<ol> <ol>
@ -277,6 +341,7 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p> <p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b> <b> </b>
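Review bot: the empty anchor `<a href="file:///Z:/Shorewall-docs/News.htm"></a>` in this hunk is a stale local-drive path left over from authoring on a mapped Z: drive; it cannot resolve for site visitors and encloses no text, so it should be dropped (or, if a link was intended, point at the relative `News.htm`).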
@ -296,16 +361,18 @@ This insures that all loopback traffic is allowed even if Netfilter connectio
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak have </a>Jacques Nilo and Eric Wolzak
a LEAF (router/firewall/gateway on a floppy, have a LEAF (router/firewall/gateway
CD or compact flash) distribution called on a floppy, CD or compact flash) distribution
<i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find Shorewall-1.3.14 and Kernel-2.4.20. You
their work at: <a can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric <b>Congratulations to Jacques and
on the recent release of Bering 1.2!!! </b><br> Eric on the recent release of Bering 1.2!!!
</b><br>
<h1 align="center"><b><a href="http://www.sf.net"><img <h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo" align="left" alt="SourceForge Logo"
@ -333,6 +400,7 @@ Shorewall-1.3.14 and Kernel-2.4.20. You can find
<td width="88" bgcolor="#4b017c" valign="top" <td width="88" bgcolor="#4b017c" valign="top"
align="center"> align="center">
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> action="http://lists.shorewall.net/cgi-bin/htsearch">
@ -344,6 +412,7 @@ Shorewall-1.3.14 and Kernel-2.4.20. You can find
 </p>  </p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font><font type="text" name="words" size="15"></font><font size="-1"> </font><font
@ -388,6 +457,7 @@ Shorewall-1.3.14 and Kernel-2.4.20. You can find
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
@ -397,11 +467,12 @@ Shorewall-1.3.14 and Kernel-2.4.20. You can find
<p align="center"><font size="4" color="#ffffff">Shorewall is free but <p align="center"><font size="4" color="#ffffff"><br>
if you try it and find it useful, please consider making a donation <font size="+2">Shorewall is free but if you try it and find
to it useful, please consider making a donation
<a href="http://www.starlight.org"><font color="#ffffff">Starlight to <a
Children's Foundation.</font></a> Thanks!</font></p> href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></font></p>
</td> </td>
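Review bot: the new markup nests `<font size="+2">` directly inside `<font size="4">`, so the outer element now wraps only a `<br>` and the inner relative size decides the rendering; one of the two `<font>` wrappers is redundant and the paragraph would be simpler with a single element (and a single closing tag instead of `</font></font>`).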
@ -411,11 +482,8 @@ if you try it and find it useful, please consider making a donation
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 5/27/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 6/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br> <br>
</p>
</body> </body>
</html> </html>

View File

@ -30,11 +30,11 @@
<h2>Before Reporting a Problem or Asking a Question<br> <h2>Before Reporting a Problem or Asking a Question<br>
</h2> </h2>
There There
are a number of sources of Shorewall information. Please try these are a number of sources of Shorewall information. Please try these
before you post. before you post.
<ul> <ul>
<li>Shorewall versions earlier <li>Shorewall versions earlier
that 1.3.0 are no longer supported.<br> that 1.3.0 are no longer supported.<br>
</li> </li>
<li>More than half of the questions posted on the support <li>More than half of the questions posted on the support
list have answers directly accessible from the <a list have answers directly accessible from the <a
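Review bot: typo in the unchanged context of this hunk: "Shorewall versions earlier that 1.3.0 are no longer supported" should read "earlier than 1.3.0"; since the list item was reflowed anyway, fixing the wording in the same hunk would be cheap.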
@ -43,17 +43,17 @@ that 1.3.0 are no longer supported.<br>
</li> </li>
<li> <li>
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has
solutions to more than 20 common problems. </li> solutions to more than 20 common problems. </li>
<li> The <li> The
<a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips to help Information contains a number of tips to
you solve common problems. </li> help you solve common problems. </li>
<li> The <li> The
<a href="http://www.shorewall.net/errata.htm"> Errata</a> has links <a href="http://www.shorewall.net/errata.htm"> Errata</a> has links
to download updated components. </li> to download updated components. </li>
<li> The Site <li> The
and Mailing List Archives search facility can locate documents Site and Mailing List Archives search facility can locate
and posts about similar problems: </li> documents and posts about similar problems: </li>
</ul> </ul>
@ -102,30 +102,30 @@ solutions to more than 20 common problems. </li>
</h2> </h2>
<ul> <ul>
<li>Please remember we only know what <li>Please remember we only know
is posted in your message. Do not leave out any information what is posted in your message. Do not leave out any information
that appears to be correct, or was mentioned in a previous post. that appears to be correct, or was mentioned in a previous
There have been countless posts by people who were sure that post. There have been countless posts by people who were sure
some part of their configuration was correct when it actually that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail is contained a small error. We tend to be skeptics where detail
lacking.<br> is lacking.<br>
<br> <br>
</li> </li>
<li>Please keep in mind that you're <li>Please keep in mind that you're
asking for <strong>free</strong> technical support. Any asking for <strong>free</strong> technical support.
help we offer is an act of generosity, not an obligation. Try Any help we offer is an act of generosity, not an obligation.
to make it easy for us to help you. Follow good, courteous practices Try to make it easy for us to help you. Follow good, courteous
in writing and formatting your e-mail. Provide details that we need practices in writing and formatting your e-mail. Provide details that
if you expect good answers. <em>Exact quoting </em> of error messages, we need if you expect good answers. <em>Exact quoting </em> of
log entries, command output, and other output is better than a paraphrase error messages, log entries, command output, and other output is better
or summary.<br> than a paraphrase or summary.<br>
<br> <br>
</li> </li>
<li> <li>
Please don't describe your environment and then ask us Please don't describe your environment and then ask
to send you custom configuration files. We're here us to send you custom configuration files. We're
to answer your questions but we can't do your here to answer your questions but we can't do
job for you.<br> your job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <strong>ALWAYS</strong> <li>When reporting a problem, <strong>ALWAYS</strong>
@ -148,30 +148,32 @@ job for you.<br>
<ul> <ul>
<li>the exact kernel version you <li>the exact kernel version you
are running<br> are running<br>
<br> <br>
<font color="#009900"><b>uname <font color="#009900"><b>uname
-a<br> -a<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output
of<br>
<br> <br>
<font color="#009900"><b>ip addr <font color="#009900"><b>ip
show<br> addr show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output
of<br>
<br> <br>
<font color="#009900"><b>ip route <font color="#009900"><b>ip
show<br> route show<br>
<br> <br>
</b></font></li> </b></font></li>
@ -184,6 +186,7 @@ are running<br>
<font color="#009900"><b>lsmod</b></font><br> <font color="#009900"><b>lsmod</b></font><br>
</li> </li>
</ul> </ul>
</ul> </ul>
@ -191,10 +194,10 @@ are running<br>
<ul> <ul>
<ul> <ul>
<li><font color="#ff0000"><u><i><big><b>If you are having connection <li><font color="#ff0000"><u><i><big><b>If you are having
problems of any kind then:</b></big></i></u></font><br> connection problems of any kind then:</b></big></i></u></font><br>
<br> <br>
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br> 1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br> <br>
2. Try the connection that is failing.<br> 2. Try the connection that is failing.<br>
<br> <br>
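Review bot: the correction from `/sbin/shorewall/reset` to `/sbin/shorewall reset` is right: the old form named a non-existent path under the `shorewall` script rather than the `reset` subcommand, and the new form matches the `/sbin/shorewall show log` invocation used further down the page. A few words on why step 1 precedes reproducing the failing connection would help readers understand what the command is clearing.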
@ -213,32 +216,32 @@ are running<br>
<br> <br>
</li> </li>
<li><b>If you are running Shorewall under Mandrake using <li><b>If you are running Shorewall under Mandrake using
the Mandrake installation of Shorewall, please say so.<br> the Mandrake installation of Shorewall, please say so.<br>
<br> <br>
</b></li> </b></li>
</ul> </ul>
<li>As
a general matter, please <strong>do not edit the diagnostic <li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, information</strong> in an attempt to conceal your IP address,
netmask, nameserver addresses, domain name, etc. These aren't netmask, nameserver addresses, domain name, etc. These aren't
secrets, and concealing them often misleads us (and 80% of the time, secrets, and concealing them often misleads us (and 80% of the time,
a hacker could derive them anyway from information contained in a hacker could derive them anyway from information contained
the SMTP headers of your post).<br> in the SMTP headers of your post).<br>
<br> <br>
<strong></strong></li> <strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font <li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If you exercise the function that is giving you problems? If
so, include the message(s) in your post along with a copy of your so, include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
/etc/shorewall/interfaces file.<br> file.<br>
<br> <br>
</li> </li>
<li>Please include any of the Shorewall configuration <li>Please include any of the Shorewall configuration
files (especially the /etc/shorewall/hosts file files (especially the /etc/shorewall/hosts file
if you have modified that file) that you think are if you have modified that file) that you think are
relevant. If you include /etc/shorewall/rules, please include relevant. If you include /etc/shorewall/rules, please include
/etc/shorewall/policy as well (rules are meaningless unless /etc/shorewall/policy as well (rules are meaningless unless
one also knows the policies).<br> one also knows the policies).<br>
<br> <br>
</li> </li>
@ -250,7 +253,7 @@ one also knows the policies).<br>
</li> </li>
<li><b>The list server limits posts to 120kb so don't <li><b>The list server limits posts to 120kb so don't
post GIFs of your network layout, etc. post GIFs of your network layout, etc.
to the Mailing List -- your post will be rejected.</b></li> to the Mailing List -- your post will be rejected.</b></li>
</ul> </ul>
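Review bot: the "do not edit the diagnostic information" item argues that addresses, netmasks and domain names are not secrets, but it never distinguishes them from material that is (the page asks for whole configuration files to be attached, and the list archives are publicly searchable per the "Site and Mailing List Archives search facility" item above); a clause such as "redact only genuine credentials, never addresses" would keep the advice accurate without encouraging people to strip the addresses the helpers need.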
@ -262,22 +265,29 @@ to the Mailing List -- your post will be rejected.</b></li>
<h2>When using the mailing list, please post in plain text</h2> <h2>When using the mailing list, please post in plain text</h2>
<blockquote> A growing number of MTAs serving list subscribers are rejecting <blockquote> A growing number of MTAs serving list subscribers are
all HTML traffic. At least one MTA has gone so far as to blacklist rejecting all HTML traffic. At least one MTA has gone so far as to
shorewall.net "for continuous abuse" because it has been my policy blacklist shorewall.net "for continuous abuse" because it has been
to allow HTML in list posts!!<br> my policy to allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is I think that blocking all HTML
a Draconian way to control spam and that the ultimate losers is a Draconian way to control spam and that the ultimate
here are not the spammers but the list subscribers whose losers here are not the spammers but the list subscribers
MTAs are bouncing all shorewall.net mail. As one list subscriber whose MTAs are bouncing all shorewall.net mail. As one list
wrote to me privately "These e-mail admin's need to get a <i>(expletive subscriber wrote to me privately "These e-mail admin's need
deleted)</i> life instead of trying to rid the planet of HTML to get a <i>(expletive deleted)</i> life instead of trying to
based e-mail". Nevertheless, to allow subscribers to receive rid the planet of HTML based e-mail". Nevertheless, to allow
list posts as must as possible, I have now configured the list subscribers to receive list posts as must as possible, I have now
server at shorewall.net to strip all HTML from outgoing posts.<br> configured the list server at shorewall.net to strip all HTML from
</blockquote> outgoing posts.<br>
<br>
<big><font color="#cc0000"><b>If you run your own outgoing mail server
and it doesn't have a valid DNS PTR record, your email won't reach the lists
unless/until the postmaster notices that your posts are being rejected. To
avoid this problem, you should configure your MTA to forward posts to shorewall.net
through an MTA that <u>does</u> have a valid PTR record (such as the one
at your ISP). </b></font></big><br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote> <blockquote>
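Review bot: typo in the unchanged text of this hunk: "to receive list posts as must as possible" should read "as much as possible". In the new PTR-record paragraph, "configure your MTA to forward posts to shorewall.net through an MTA that does have a valid PTR record" would be clearer as "relay posts ... through", since forwarding has a different meaning in mail configuration; the placement inside the existing `<blockquote>` before its closing tag is well-formed.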
@ -286,14 +296,19 @@ list posts as must as possible, I have now configured the list
to the <a to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4> list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft <b>If you run Shorewall under
Multi Network Firewall (MNF) and you have not purchased MandrakeSoft Multi Network Firewall (MNF) and you have
an MNF license from MandrakeSoft then you can post non MNF-specific not purchased an MNF license from MandrakeSoft then you can
Shorewall questions to the </b><a post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>. <b>Do not expect to get free MNF support on the list.</b><br> list</a>. <b>Do not expect to get free MNF support on the list.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>If you have a question, you may post it on the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Forum</a>:
<font color="#ff6666"><b>DO NOT USE THE FORUM FOR REPORTING PROBLEMS OR
ASKING FOR HELP WITH PROBLEMS.<br>
</b></font><br>
Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> .</p> list</a> .</p>
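Review bot: the new Forum paragraph leaves "Otherwise, please post your question or problem to the ... mailing list" dangling: "Otherwise" previously contrasted with the LEAF and MNF cases, but it now follows a sentence that invites questions to the forum and then forbids "ASKING FOR HELP WITH PROBLEMS" there, so a reader cannot tell whether a question belongs on the forum or the list. Suggest stating the split once, e.g. "general questions: Forum; problem reports and requests for help: mailing list", and dropping "Otherwise".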
@ -307,7 +322,7 @@ an MNF license from MandrakeSoft then you can post non MNF-specifi
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br> href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p> </p>
<p align="left"><font size="2">Last Updated 5/19/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 6/14/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
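Review bot: this file's footer is bumped to "Last Updated 6/14/2003" while the first file in the same commit is bumped to "Updated 6/17/2003"; if both dates are meant to mark this revision they should agree, and the two footers should probably use the same wording ("Updated" versus "Last Updated").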