mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 06:10:42 +01:00
Documentation updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1392 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
d6a10e45e2
commit
f60bffbc0f
@ -17,7 +17,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-05-21</pubdate>
|
||||
<pubdate>2004-06-11</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -58,8 +58,9 @@
|
||||
class="directory">/etc/shorewall</filename> and modify the copies.</para>
|
||||
|
||||
<para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
||||
to <filename class="directory">/etc/shorewall</filename> even if you do
|
||||
not modify it.</para>
|
||||
and /usr/share/doc/shorewall/default-config/modules to <filename
|
||||
class="directory">/etc/shorewall</filename> even if you do not modify
|
||||
those files.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-05-04</pubdate>
|
||||
<pubdate>2004-06-08</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -29,20 +29,15 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<warning>
|
||||
<para>This documentation does not cover configuring IPSEC under the 2.6
|
||||
Linux Kernel. David Hollis has provided i<ulink
|
||||
url="http://lists.shorewall.net/pipermail/shorewall-users/2003-December/010417.html">nformation
|
||||
about how to set up a simple tunnel under 2.6</ulink>. One important point
|
||||
that is not made explicit in David's post is that the <emphasis
|
||||
role="bold">vpn</emphasis> zone must be defined before the <emphasis
|
||||
role="bold">net</emphasis> zone in
|
||||
<filename>/etc/shorewall/zones</filename>.</para>
|
||||
<para>This documentation is incomplete regarding using IPSEC and the 2.6
|
||||
Kernel. Netfilter currently lacks full support for the 2.6 kernel's
|
||||
implementation of IPSEC. Until that implementation is complete, only a
|
||||
simple network-network tunnel is described for 2.6.</para>
|
||||
</warning>
|
||||
|
||||
<section>
|
||||
@ -56,8 +51,7 @@
|
||||
<warning>
|
||||
<para>IPSEC and Proxy ARP do not work unless you are running Shorewall
|
||||
2.0.1 Beta 3 or later or unless you have installed the fix to Shorewall
|
||||
2.0.0 available from the <ulink url="errata.htm">Errata
|
||||
Page</ulink>.</para>
|
||||
2.0.0 available from the <ulink url="errata.htm">Errata Page</ulink>.</para>
|
||||
</warning>
|
||||
|
||||
<important>
|
||||
@ -96,7 +90,8 @@ conn packetdefault
|
||||
<graphic fileref="images/TwoNets1.png" />
|
||||
|
||||
<para>We want systems in the 192.168.1.0/24 sub-network to be able to
|
||||
communicate with systems in the 10.0.0.0/8 network.</para>
|
||||
communicate with systems in the 10.0.0.0/8 network. We assume that on both
|
||||
systems A and B, eth0 is the internet interface.</para>
|
||||
|
||||
<para>To make this work, we need to do two things:</para>
|
||||
|
||||
@ -117,7 +112,7 @@ conn packetdefault
|
||||
<para>In /etc/shorewall/tunnels on system A, we need the following</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels system A</title>
|
||||
<title>/etc/shorewall/tunnels - System A</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
@ -149,7 +144,7 @@ conn packetdefault
|
||||
<para>In /etc/shorewall/tunnels on system B, we would have:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels system B</title>
|
||||
<title>/etc/shorewall/tunnels - System B</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
@ -186,124 +181,158 @@ conn packetdefault
|
||||
gateway.</para>
|
||||
</note>
|
||||
|
||||
<example>
|
||||
<title>VPN</title>
|
||||
<para>You need to define a zone for the remote subnet or include it in
|
||||
your local zone. In this example, we'll assume that you have created a
|
||||
zone called <quote>vpn</quote> to represent the remote subnet. Note that
|
||||
you should define the vpn zone before the net zone.</para>
|
||||
|
||||
<para>You need to define a zone for the remote subnet or include it in
|
||||
your local zone. In this example, we'll assume that you have created a
|
||||
zone called <quote>vpn</quote> to represent the remote subnet.</para>
|
||||
<para><table><title>/etc/shorewall/zones - Systems A and B</title><tgroup
|
||||
cols="3"><thead><row><entry align="center">ZONE</entry><entry
|
||||
align="center">DISPLAY</entry><entry align="center">COMMENTS</entry></row></thead><tbody><row><entry>vpn</entry><entry>VPN</entry><entry>Remote
|
||||
Subnet</entry></row><row><entry>net</entry><entry>Internet</entry><entry>The
|
||||
big bad internet</entry></row></tbody></tgroup></table></para>
|
||||
|
||||
<para><table>
|
||||
<title>/etc/shorewall/zones local</title>
|
||||
<para><emphasis role="bold">If you are running kernel 2.4:</emphasis><blockquote><para>At
|
||||
both systems, ipsec0 would be included in /etc/shorewall/interfaces as a
|
||||
<quote>vpn</quote> interface:</para><para><table><title>/etc/shorewall/interfaces
|
||||
- Systems A and B</title><tgroup cols="4"><thead><row><entry
|
||||
align="center">ZONE</entry><entry align="center">INTERFACE</entry><entry
|
||||
align="center">BROADCAST</entry><entry align="center">OPTIONS</entry></row></thead><tbody><row><entry>vpn</entry><entry>ipsec0</entry><entry></entry></row></tbody></tgroup></table></para></blockquote></para>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
<para><emphasis role="bold">If you are running kernel 2.6:</emphasis></para>
|
||||
|
||||
<entry align="center">DISPLAY</entry>
|
||||
<blockquote>
|
||||
<para>Remember the assumption that both systems A and B have eth0 as
|
||||
their internet interface.</para>
|
||||
|
||||
<entry align="center">COMMENTS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
<para>You must define the vpn zone using the /etc/shorewall/hosts file.</para>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
<table>
|
||||
<title>/etc/shorewall/hosts - System A</title>
|
||||
|
||||
<entry>VPN</entry>
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry>ZONE</entry>
|
||||
|
||||
<entry>Remote Subnet</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table></para>
|
||||
<entry>HOSTS</entry>
|
||||
|
||||
<para>At both systems, ipsec0 would be included in
|
||||
/etc/shorewall/interfaces as a <quote>vpn</quote> interface:</para>
|
||||
<entry>OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<para><table>
|
||||
<title>/etc/shorewall/interfaces system local & remote</title>
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
<entry>eth0:10.0.0.0/8</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
<table>
|
||||
<title>/etc/shorewall/hosts - System B</title>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry>ZONE</entry>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
<entry>HOSTS</entry>
|
||||
|
||||
<entry>ipsec0</entry>
|
||||
<entry>OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<entry></entry>
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table></para>
|
||||
<entry>eth0:192.168.1.0/24</entry>
|
||||
|
||||
<para>You will need to allow traffic between the <quote>vpn</quote> zone
|
||||
and the <quote>loc</quote> zone -- if you simply want to admit all
|
||||
traffic in both directions, you can use the policy file:</para>
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para><table>
|
||||
<title>/etc/shorewall/policy local & remote</title>
|
||||
<para>In addition, <emphasis role="bold">if you are using Masquerading
|
||||
or SNAT</emphasis> on your firewalls, you need to elmiinate the remote
|
||||
network from Masquerade/SNAT. These entries <emphasis role="bold">replace</emphasis>
|
||||
your current masquerade/SNAT entries for the local networks.</para>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SOURCE</entry>
|
||||
<table>
|
||||
<title>/etc/shorewall/masq - System A</title>
|
||||
|
||||
<entry align="center">DEST</entry>
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry>INTERFACE</entry>
|
||||
|
||||
<entry align="center">POLICY</entry>
|
||||
<entry>SUBNET</entry>
|
||||
|
||||
<entry align="center">LOG LEVEL</entry>
|
||||
</row>
|
||||
</thead>
|
||||
<entry>ADDRESS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>eth0:!10.0.0.0/8</entry>
|
||||
|
||||
<entry>vpn</entry>
|
||||
<entry>192.168.1.0/24</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
<entry>...</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
<table>
|
||||
<title>/etc/shorewall/masq System B</title>
|
||||
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry>INTERFACE</entry>
|
||||
|
||||
<entry>loc</entry>
|
||||
<entry>SUBNET</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
<entry>ADDRESS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table></para>
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>eth0:!192.168.1.0/24</entry>
|
||||
|
||||
<para>Once you have these entries in place, restart Shorewall (type
|
||||
shorewall restart); you are now ready to configure the tunnel in <ulink
|
||||
url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
|
||||
</example>
|
||||
<entry>10.0.0.0/8</entry>
|
||||
|
||||
<entry>...</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<para>You will need to allow traffic between the <quote>vpn</quote> zone
|
||||
and the <quote>loc</quote> zone -- if you simply want to admit all traffic
|
||||
in both directions, you can use the policy file:</para>
|
||||
|
||||
<para><table><title>/etc/shorewall/policy - Systems A and B</title><tgroup
|
||||
cols="4"><thead><row><entry align="center">SOURCE</entry><entry
|
||||
align="center">DEST</entry><entry align="center">POLICY</entry><entry
|
||||
align="center">LOG LEVEL</entry></row></thead><tbody><row><entry>loc</entry><entry>vpn</entry><entry>ACCEPT</entry><entry></entry></row><row><entry>vpn</entry><entry>loc</entry><entry>ACCEPT</entry><entry></entry></row></tbody></tgroup></table></para>
|
||||
|
||||
<para>Once you have these entries in place, restart Shorewall (type
|
||||
shorewall restart); you are now ready to configure the tunnel in <ulink
|
||||
url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>VPN Hub</title>
|
||||
<title>VPN Hub using Kernel 2.4</title>
|
||||
|
||||
<para>Shorewall can be used in a VPN Hub environment where multiple remote
|
||||
networks are connected to a gateway running Shorewall. This environment is
|
||||
@ -383,7 +412,7 @@ conn packetdefault
|
||||
<para>In /etc/shorewall/tunnels on systems B and C, we would have:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels system B & C</title>
|
||||
<title>/etc/shorewall/tunnels system B & C</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
@ -460,7 +489,7 @@ conn packetdefault
|
||||
<para>On systems B and C:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/zones system B & C</title>
|
||||
<title>/etc/shorewall/zones system B & C</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
@ -518,8 +547,7 @@ conn packetdefault
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>The /etc/shorewall/hosts file on system A defines the two VPN
|
||||
zones:</para>
|
||||
<para>The /etc/shorewall/hosts file on system A defines the two VPN zones:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/hosts system A</title>
|
||||
@ -559,7 +587,7 @@ conn packetdefault
|
||||
following in /etc/shorewall/interfaces:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/interfaces system B & C</title>
|
||||
<title>/etc/shorewall/interfaces system B & C</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
@ -660,7 +688,7 @@ conn packetdefault
|
||||
policy file entries on all three gateways:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/policy system B & C</title>
|
||||
<title>/etc/shorewall/policy system B & C</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
@ -701,8 +729,7 @@ conn packetdefault
|
||||
|
||||
<para>Once you have the Shorewall entries added, restart Shorewall on each
|
||||
gateway (type shorewall restart); you are now ready to configure the
|
||||
tunnels in <ulink
|
||||
url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
|
||||
tunnels in <ulink url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
|
||||
|
||||
<note>
|
||||
<para>to allow traffic between the networks attached to systems B and C,
|
||||
@ -758,7 +785,7 @@ conn packetdefault
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Mobile System (Road Warrior)</title>
|
||||
<title>Mobile System (Road Warrior) Using Kernel 2.4</title>
|
||||
|
||||
<para>Suppose that you have a laptop system (B) that you take with you
|
||||
when you travel and you want to be able to establish a secure connection
|
||||
@ -770,75 +797,27 @@ conn packetdefault
|
||||
<title>Road Warrior VPN</title>
|
||||
|
||||
<para>You need to define a zone for the laptop or include it in your
|
||||
local zone. In this example, we'll assume that you have created a zone
|
||||
called <quote>vpn</quote> to represent the remote host.</para>
|
||||
local zone. In this example, we'll assume that you have created a
|
||||
zone called <quote>vpn</quote> to represent the remote host.</para>
|
||||
|
||||
<para><table>
|
||||
<title>/etc/shorewall/zones local</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">DISPLAY</entry>
|
||||
|
||||
<entry align="center">COMMENTS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>VPN</entry>
|
||||
|
||||
<entry>Remote Subnet</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table></para>
|
||||
<para><table><title>/etc/shorewall/zones local</title><tgroup cols="3"><thead><row><entry
|
||||
align="center">ZONE</entry><entry align="center">DISPLAY</entry><entry
|
||||
align="center">COMMENTS</entry></row></thead><tbody><row><entry>vpn</entry><entry>VPN</entry><entry>Remote
|
||||
Subnet</entry></row></tbody></tgroup></table></para>
|
||||
|
||||
<para>In this instance, the mobile system (B) has IP address 134.28.54.2
|
||||
but that cannot be determined in advance. In the /etc/shorewall/tunnels
|
||||
file on system A, the following entry should be made:</para>
|
||||
|
||||
<para><table>
|
||||
<title>/etc/shorewall/tunnels system A</title>
|
||||
<para><table><title>/etc/shorewall/tunnels system A</title><tgroup
|
||||
cols="4"><thead><row><entry align="center">TYPE</entry><entry
|
||||
align="center">ZONE</entry><entry align="center">GATEWAY</entry><entry
|
||||
align="center">GATEWAY ZONE</entry></row></thead><tbody><row><entry>ipsec</entry><entry>net</entry><entry>0.0.0.0/0</entry><entry>vpn</entry></row></tbody></tgroup></table></para>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipsec</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>0.0.0.0/0</entry>
|
||||
|
||||
<entry>vpn</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table></para>
|
||||
|
||||
<para><note>
|
||||
<para>the GATEWAY ZONE column contains the name of the zone
|
||||
corresponding to peer subnetworks. This indicates that the gateway
|
||||
system itself comprises the peer subnetwork; in other words, the
|
||||
remote gateway is a standalone system.</para>
|
||||
</note></para>
|
||||
<para><note><para>the GATEWAY ZONE column contains the name of the zone
|
||||
corresponding to peer subnetworks. This indicates that the gateway
|
||||
system itself comprises the peer subnetwork; in other words, the remote
|
||||
gateway is a standalone system.</para></note></para>
|
||||
|
||||
<para>You will need to configure /etc/shorewall/interfaces and establish
|
||||
your <quote>through the tunnel</quote> policy as shown under the first
|
||||
@ -939,8 +918,7 @@ conn packetdefault
|
||||
a different updown script that adds the remote station to the appropriate
|
||||
zone when the connection comes up and that deletes the remote station when
|
||||
the connection comes down. For example, when 134.28.54.2 connects for the
|
||||
vpn2 zone the <quote>up</quote> part of the script will issue the
|
||||
command:</para>
|
||||
vpn2 zone the <quote>up</quote> part of the script will issue the command:</para>
|
||||
|
||||
<programlisting>/sbin/shorewall add ipsec0:134.28.54.2 vpn2</programlisting>
|
||||
|
||||
@ -957,45 +935,11 @@ conn packetdefault
|
||||
<example>
|
||||
<title>dyn=dynamic zone</title>
|
||||
|
||||
<para><informaltable>
|
||||
<tgroup cols="7">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ACTION</entry>
|
||||
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
|
||||
<entry align="center">PORT(S)</entry>
|
||||
|
||||
<entry align="center">CLIENT PORT(S)</entry>
|
||||
|
||||
<entry align="center">ORIGINAL DESTINATION</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>DNAT</entry>
|
||||
|
||||
<entry>z!dyn</entry>
|
||||
|
||||
<entry>loc:192.168.1.3</entry>
|
||||
|
||||
<entry>tcp</entry>
|
||||
|
||||
<entry>80</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable></para>
|
||||
<para><informaltable><tgroup cols="7"><thead><row><entry
|
||||
align="center">ACTION</entry><entry align="center">SOURCE</entry><entry
|
||||
align="center">DESTINATION</entry><entry align="center">PROTOCOL</entry><entry
|
||||
align="center">PORT(S)</entry><entry align="center">CLIENT PORT(S)</entry><entry
|
||||
align="center">ORIGINAL DESTINATION</entry></row></thead><tbody><row><entry>DNAT</entry><entry>z!dyn</entry><entry>loc:192.168.1.3</entry><entry>tcp</entry><entry>80</entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para>
|
||||
|
||||
<para>Dynamic changes to the zone <emphasis role="bold">dyn</emphasis>
|
||||
will have no effect on the above rule.</para>
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-06-02</pubdate>
|
||||
<pubdate>2004-06-11</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001</year>
|
||||
@ -50,8 +50,9 @@
|
||||
class="directory">/etc/shorewall</filename> and modify the copies.</para>
|
||||
|
||||
<para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
||||
to <filename class="directory">/etc/shorewall</filename> even if you do
|
||||
not modify it.</para>
|
||||
and /usr/share/doc/shorewall/default-config/modules to <filename
|
||||
class="directory">/etc/shorewall</filename> even if you do not modify
|
||||
those files.</para>
|
||||
</warning>
|
||||
|
||||
<section id="Install_RPM">
|
||||
|
@ -5,7 +5,7 @@
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Some Things that Shorewall Cannot Do</title>
|
||||
<title>Some Things that Shorewall Does Not Do</title>
|
||||
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
@ -13,7 +13,7 @@
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
|
||||
<pubdate>2004-03-18</pubdate>
|
||||
<pubdate>2004-06-08</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003</year>
|
||||
@ -34,7 +34,7 @@
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<title>Shorewall Cannot:</title>
|
||||
<title>Shorewall Does not:</title>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@ -43,8 +43,8 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Be used with an Operating System other than Linux (version
|
||||
>= 2.4.0)</para>
|
||||
<para>Work with an Operating System other than Linux (version >=
|
||||
2.4.0)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -64,6 +64,22 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Set up Routing (except to support <ulink url="ProxyARP.htm">Proxy
|
||||
ARP</ulink>)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Do Traffic Shaping/Bandwidth Management (although it provides
|
||||
<ulink url="traffic_shaping.htm">hooks to interface to Traffic
|
||||
Control/Bandwidth Management solutions</ulink>)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Configure/manage Network Devices (your Distribution includes
|
||||
tools for that).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-04-12</pubdate>
|
||||
<pubdate>2004-06-11</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2004</year>
|
||||
@ -235,6 +235,65 @@ BRIDGE=br0
|
||||
ONBOOT=yes</programlisting></para>
|
||||
</blockquote>
|
||||
|
||||
<para>Florin Grad at <trademark>Mandrake</trademark> provides this script
|
||||
for configuring a bridge:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#!/bin/sh
|
||||
# chkconfig: 2345 05 89
|
||||
# description: Layer 2 Bridge
|
||||
#
|
||||
|
||||
[ -f /etc/sysconfig/bridge ] && . /etc/sysconfig/bridge
|
||||
|
||||
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
|
||||
|
||||
do_stop() {
|
||||
echo "Stopping Bridge"
|
||||
for i in $INTERFACES $BRIDGE_INTERFACE ; do
|
||||
ip link set $i down
|
||||
done
|
||||
brctl delbr $BRIDGE_INTERFACE
|
||||
}
|
||||
|
||||
do_start() {
|
||||
|
||||
echo "Starting Bridge"
|
||||
for i in $INTERFACES ; do
|
||||
ip link set $i up
|
||||
done
|
||||
brctl addbr br0
|
||||
for i in $INTERFACES ; do
|
||||
ip link set $i up
|
||||
brctl addif br0 $i
|
||||
done
|
||||
ifup $BRIDGE_INTERFACE
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
do_start
|
||||
;;
|
||||
stop)
|
||||
do_stop
|
||||
;;
|
||||
restart)
|
||||
do_stop
|
||||
sleep 1
|
||||
do_start
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|restart}"
|
||||
exit 1
|
||||
esac
|
||||
exit 0</programlisting>
|
||||
|
||||
<para>The <filename>/etc/sysconfig/bridge</filename>:</para>
|
||||
|
||||
<programlisting>BRIDGE_INTERFACE=br0 #The name of your Bridge
|
||||
INTERFACES="eth0 eth1" #The physical interfaces to be bridged</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>Users who successfully configure bridges on other distributions,
|
||||
with static or dynamic IP addresses, are encouraged to send <ulink
|
||||
url="mailto:webmaster@shorewall.net">me</ulink> their configuration so I
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-04-27</pubdate>
|
||||
<pubdate>2004-06-07</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -110,7 +110,7 @@
|
||||
|
||||
<para>The single system in the DMZ (address 206.124.146.177) runs postfix,
|
||||
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
|
||||
server (Pure-ftpd) under RedHat 9.0. The system also runs fetchmail to
|
||||
server (Pure-ftpd) under Fedora Core 2. The system also runs fetchmail to
|
||||
fetch our email from our old and current ISPs. That server is managed
|
||||
through Proxy ARP.</para>
|
||||
|
||||
|
@ -13,7 +13,7 @@
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
|
||||
<pubdate>2004-05-07</pubdate>
|
||||
<pubdate>2004-06-08</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -27,8 +27,7 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
@ -37,7 +36,7 @@
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Uses Netfilter's connection tracking facilities for stateful
|
||||
<para>Uses Netfilter's connection tracking facilities for stateful
|
||||
packet filtering.</para>
|
||||
</listitem>
|
||||
|
||||
@ -57,8 +56,7 @@
|
||||
<listitem>
|
||||
<para>Allows you to partition the network into <ulink
|
||||
url="Documentation.htm#Zones">zones</ulink> and gives you complete
|
||||
control over the connections permitted between each pair of
|
||||
zones.</para>
|
||||
control over the connections permitted between each pair of zones.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -80,8 +78,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>A <emphasis role="bold">GUI</emphasis> is available via Webmin
|
||||
1.060 and later (<ulink
|
||||
url="http://www.webmin.com">http://www.webmin.com</ulink>)</para>
|
||||
1.060 and later (<ulink url="http://www.webmin.com">http://www.webmin.com</ulink>)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -92,18 +89,15 @@
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Flexible address management/routing
|
||||
support</emphasis> (and you can use all types in the same
|
||||
firewall):</para>
|
||||
support</emphasis> (and you can use all types in the same firewall):</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="Documentation.htm#Masq">Masquerading/SNAT</ulink>.</para>
|
||||
<para><ulink url="Documentation.htm#Masq">Masquerading/SNAT</ulink>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="FAQ.htm#faq1">Port Forwarding
|
||||
(DNAT)</ulink>.</para>
|
||||
<para><ulink url="FAQ.htm#faq1">Port Forwarding (DNAT)</ulink>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -157,16 +151,16 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="PPTP.htm">PPTP</ulink> clients and
|
||||
Servers.</para>
|
||||
<para><ulink url="PPTP.htm">PPTP</ulink> clients and Servers.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Support for <ulink url="traffic_shaping.htm"><emphasis
|
||||
role="bold">Traffic</emphasis> Control/<emphasis
|
||||
role="bold">Shaping</emphasis></ulink> integration.</para>
|
||||
role="bold">Traffic</emphasis> Control/<emphasis role="bold">Shaping</emphasis></ulink>
|
||||
integration (although Shorewall itself contains no Traffic/Bandwidth
|
||||
control facilities).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -183,7 +177,7 @@
|
||||
<listitem>
|
||||
<para>Includes automated <ulink url="Install.htm">install,
|
||||
upgrade, fallback and uninstall facilities</ulink> for users who
|
||||
can't use or choose not to use the RPM or Debian packages.</para>
|
||||
can't use or choose not to use the RPM or Debian packages.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -196,8 +190,7 @@
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="MAC_Validation.html">Media Access Control (<emphasis
|
||||
role="bold">MAC</emphasis>) Address <emphasis
|
||||
role="bold">Verification</emphasis></ulink>.</para>
|
||||
role="bold">MAC</emphasis>) Address <emphasis role="bold">Verification</emphasis></ulink>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -206,9 +199,8 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="bridge.html"><emphasis
|
||||
role="bold">Bridge</emphasis>/Firewall support</ulink> (requires a 2.6
|
||||
kernel or a patched 2.4 kernel).</para>
|
||||
<para><ulink url="bridge.html"><emphasis role="bold">Bridge</emphasis>/Firewall
|
||||
support</ulink> (requires a 2.6 kernel or a patched 2.4 kernel).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-05-18</pubdate>
|
||||
<pubdate>2004-06-11</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -105,8 +105,9 @@
|
||||
Simply copy the files you need from that directory to <filename
|
||||
class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note
|
||||
that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
||||
to <filename class="directory">/etc/shorewall</filename> even if you do
|
||||
not modify it.</para></warning></para>
|
||||
and /usr/share/doc/shorewall/default-config/modules to <filename
|
||||
class="directory">/etc/shorewall</filename> even if you do not modify
|
||||
those files.</para></warning></para>
|
||||
|
||||
<para>As each file is introduced, I suggest that you look through the
|
||||
actual file on your system -- each file contains detailed configuration
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-05-18</pubdate>
|
||||
<pubdate>2004-06-11</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002-2004</year>
|
||||
@ -144,8 +144,9 @@
|
||||
class="directory">/etc/shorewall</filename> and modify the copies.</para>
|
||||
|
||||
<para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
||||
to <filename class="directory">/etc/shorewall</filename> even if you do
|
||||
not modify it.</para>
|
||||
and /usr/share/doc/shorewall/default-config/modules to <filename
|
||||
class="directory">/etc/shorewall</filename> even if you do not modify
|
||||
those files.</para>
|
||||
</warning>
|
||||
|
||||
<para>As each file is introduced, I suggest that you look through the
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-05-18</pubdate>
|
||||
<pubdate>2004-06-11</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002-2004</year>
|
||||
@ -166,7 +166,8 @@
|
||||
Simply copy the files you need from that directory to <filename
|
||||
class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note
|
||||
that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
||||
to /etc/shorewall even if you do not modify it.</para></warning></para>
|
||||
and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall even
|
||||
if you do not modify those files.</para></warning></para>
|
||||
|
||||
<para>After you have installed Shorewall, download the three-interface
|
||||
sample, un-tar it (<command>tar <option>-zxvf</option>
|
||||
|
@ -12,7 +12,7 @@
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
|
||||
<pubdate>2003-05-18</pubdate>
|
||||
<pubdate>2003-06-11</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002</year>
|
||||
@ -154,8 +154,9 @@
|
||||
Simply copy the files you need from that directory to <filename
|
||||
class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note
|
||||
that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
||||
to <filename class="directory">/etc/shorewall</filename> even if you do
|
||||
not modify it.</para></warning></para>
|
||||
and /usr/share/doc/shorewall/default-config/modules to <filename
|
||||
class="directory">/etc/shorewall</filename> even if you do not modify
|
||||
those files.</para></warning></para>
|
||||
|
||||
<para><tip><para>After you have <ulink url="Install.htm">installed
|
||||
Shorewall</ulink>, download the <ulink
|
||||
|
Loading…
Reference in New Issue
Block a user