Documentation updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1392 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-06-11 18:35:13 +00:00
parent d6a10e45e2
commit f60bffbc0f
11 changed files with 276 additions and 259 deletions

View File

@ -17,7 +17,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-05-21</pubdate> <pubdate>2004-06-11</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -58,8 +58,9 @@
class="directory">/etc/shorewall</filename> and modify the copies.</para> class="directory">/etc/shorewall</filename> and modify the copies.</para>
<para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename> <para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
to <filename class="directory">/etc/shorewall</filename> even if you do and /usr/share/doc/shorewall/default-config/modules to <filename
not modify it.</para> class="directory">/etc/shorewall</filename> even if you do not modify
those files.</para>
</section> </section>
</section> </section>
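Review bot: in the new text the path /usr/share/doc/shorewall/default-config/modules is left as bare text while the adjacent shorewall.conf path is wrapped in <filename>; wrap it the same way so both render alike. Also, class="directory" is applied to the shorewall.conf path, which is a file, not a directory; only the /etc/shorewall reference should carry class="directory". The same paragraph is copied into several other documents in this commit, so whichever form is chosen should be applied to all of them.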

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-05-04</pubdate> <pubdate>2004-06-08</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -29,20 +29,15 @@
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<warning> <warning>
<para>This documentation does not cover configuring IPSEC under the 2.6 <para>This documentation is incomplete regarding using IPSEC and the 2.6
Linux Kernel. David Hollis has provided i<ulink Kernel. Netfilter currently lacks full support for the 2.6 kernel&#39;s
url="http://lists.shorewall.net/pipermail/shorewall-users/2003-December/010417.html">nformation implementation of IPSEC. Until that implementation is complete, only a
about how to set up a simple tunnel under 2.6</ulink>. One important point simple network-network tunnel is described for 2.6.</para>
that is not made explicit in David's post is that the <emphasis
role="bold">vpn</emphasis> zone must be defined before the <emphasis
role="bold">net</emphasis> zone in
<filename>/etc/shorewall/zones</filename>.</para>
</warning> </warning>
<section> <section>
@ -56,8 +51,7 @@
<warning> <warning>
<para>IPSEC and Proxy ARP do not work unless you are running Shorewall <para>IPSEC and Proxy ARP do not work unless you are running Shorewall
2.0.1 Beta 3 or later or unless you have installed the fix to Shorewall 2.0.1 Beta 3 or later or unless you have installed the fix to Shorewall
2.0.0 available from the <ulink url="errata.htm">Errata 2.0.0 available from the <ulink url="errata.htm">Errata Page</ulink>.</para>
Page</ulink>.</para>
</warning> </warning>
<important> <important>
@ -96,7 +90,8 @@ conn packetdefault
<graphic fileref="images/TwoNets1.png" /> <graphic fileref="images/TwoNets1.png" />
<para>We want systems in the 192.168.1.0/24 sub-network to be able to <para>We want systems in the 192.168.1.0/24 sub-network to be able to
communicate with systems in the 10.0.0.0/8 network.</para> communicate with systems in the 10.0.0.0/8 network. We assume that on both
systems A and B, eth0 is the internet interface.</para>
<para>To make this work, we need to do two things:</para> <para>To make this work, we need to do two things:</para>
@ -117,7 +112,7 @@ conn packetdefault
<para>In /etc/shorewall/tunnels on system A, we need the following</para> <para>In /etc/shorewall/tunnels on system A, we need the following</para>
<table> <table>
<title>/etc/shorewall/tunnels system A</title> <title>/etc/shorewall/tunnels - System A</title>
<tgroup cols="4"> <tgroup cols="4">
<thead> <thead>
@ -149,7 +144,7 @@ conn packetdefault
<para>In /etc/shorewall/tunnels on system B, we would have:</para> <para>In /etc/shorewall/tunnels on system B, we would have:</para>
<table> <table>
<title>/etc/shorewall/tunnels system B</title> <title>/etc/shorewall/tunnels - System B</title>
<tgroup cols="4"> <tgroup cols="4">
<thead> <thead>
@ -186,124 +181,158 @@ conn packetdefault
gateway.</para> gateway.</para>
</note> </note>
<example> <para>You need to define a zone for the remote subnet or include it in
<title>VPN</title> your local zone. In this example, we&#39;ll assume that you have created a
zone called <quote>vpn</quote> to represent the remote subnet. Note that
you should define the vpn zone before the net zone.</para>
<para>You need to define a zone for the remote subnet or include it in <para><table><title>/etc/shorewall/zones - Systems A and B</title><tgroup
your local zone. In this example, we'll assume that you have created a cols="3"><thead><row><entry align="center">ZONE</entry><entry
zone called <quote>vpn</quote> to represent the remote subnet.</para> align="center">DISPLAY</entry><entry align="center">COMMENTS</entry></row></thead><tbody><row><entry>vpn</entry><entry>VPN</entry><entry>Remote
Subnet</entry></row><row><entry>net</entry><entry>Internet</entry><entry>The
big bad internet</entry></row></tbody></tgroup></table></para>
<para><table> <para><emphasis role="bold">If you are running kernel 2.4:</emphasis><blockquote><para>At
<title>/etc/shorewall/zones local</title> both systems, ipsec0 would be included in /etc/shorewall/interfaces as a
<quote>vpn</quote> interface:</para><para><table><title>/etc/shorewall/interfaces
- Systems A and B</title><tgroup cols="4"><thead><row><entry
align="center">ZONE</entry><entry align="center">INTERFACE</entry><entry
align="center">BROADCAST</entry><entry align="center">OPTIONS</entry></row></thead><tbody><row><entry>vpn</entry><entry>ipsec0</entry><entry></entry></row></tbody></tgroup></table></para></blockquote></para>
<tgroup cols="3"> <para><emphasis role="bold">If you are running kernel 2.6:</emphasis></para>
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry> <blockquote>
<para>Remember the assumption that both systems A and B have eth0 as
their internet interface.</para>
<entry align="center">COMMENTS</entry> <para>You must define the vpn zone using the /etc/shorewall/hosts file.</para>
</row>
</thead>
<tbody> <table>
<row> <title>/etc/shorewall/hosts - System A</title>
<entry>vpn</entry>
<entry>VPN</entry> <tgroup cols="3">
<thead>
<row>
<entry>ZONE</entry>
<entry>Remote Subnet</entry> <entry>HOSTS</entry>
</row>
</tbody>
</tgroup>
</table></para>
<para>At both systems, ipsec0 would be included in <entry>OPTIONS</entry>
/etc/shorewall/interfaces as a <quote>vpn</quote> interface:</para> </row>
</thead>
<para><table> <tbody>
<title>/etc/shorewall/interfaces system local &amp; remote</title> <row>
<entry>vpn</entry>
<tgroup cols="4"> <entry>eth0:10.0.0.0/8</entry>
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry> <entry></entry>
</row>
</tbody>
</tgroup>
</table>
<entry align="center">BROADCAST</entry> <table>
<title>/etc/shorewall/hosts - System B</title>
<entry align="center">OPTIONS</entry> <tgroup cols="3">
</row> <thead>
</thead> <row>
<entry>ZONE</entry>
<tbody> <entry>HOSTS</entry>
<row>
<entry>vpn</entry>
<entry>ipsec0</entry> <entry>OPTIONS</entry>
</row>
</thead>
<entry></entry> <tbody>
<row>
<entry>vpn</entry>
<entry></entry> <entry>eth0:192.168.1.0/24</entry>
</row>
</tbody>
</tgroup>
</table></para>
<para>You will need to allow traffic between the <quote>vpn</quote> zone <entry></entry>
and the <quote>loc</quote> zone -- if you simply want to admit all </row>
traffic in both directions, you can use the policy file:</para> </tbody>
</tgroup>
</table>
<para><table> <para>In addition, <emphasis role="bold">if you are using Masquerading
<title>/etc/shorewall/policy local &amp; remote</title> or SNAT</emphasis> on your firewalls, you need to elmiinate the remote
network from Masquerade/SNAT. These entries <emphasis role="bold">replace</emphasis>
your current masquerade/SNAT entries for the local networks.</para>
<tgroup cols="4"> <table>
<thead> <title>/etc/shorewall/masq - System A</title>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry> <tgroup cols="3">
<thead>
<row>
<entry>INTERFACE</entry>
<entry align="center">POLICY</entry> <entry>SUBNET</entry>
<entry align="center">LOG LEVEL</entry> <entry>ADDRESS</entry>
</row> </row>
</thead> </thead>
<tbody> <tbody>
<row> <row>
<entry>loc</entry> <entry>eth0:!10.0.0.0/8</entry>
<entry>vpn</entry> <entry>192.168.1.0/24</entry>
<entry>ACCEPT</entry> <entry>...</entry>
</row>
</tbody>
</tgroup>
</table>
<entry></entry> <table>
</row> <title>/etc/shorewall/masq System B</title>
<row> <tgroup cols="3">
<entry>vpn</entry> <thead>
<row>
<entry>INTERFACE</entry>
<entry>loc</entry> <entry>SUBNET</entry>
<entry>ACCEPT</entry> <entry>ADDRESS</entry>
</row>
</thead>
<entry></entry> <tbody>
</row> <row>
</tbody> <entry>eth0:!192.168.1.0/24</entry>
</tgroup>
</table></para>
<para>Once you have these entries in place, restart Shorewall (type <entry>10.0.0.0/8</entry>
shorewall restart); you are now ready to configure the tunnel in <ulink
url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para> <entry>...</entry>
</example> </row>
</tbody>
</tgroup>
</table>
</blockquote>
<para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone -- if you simply want to admit all traffic
in both directions, you can use the policy file:</para>
<para><table><title>/etc/shorewall/policy - Systems A and B</title><tgroup
cols="4"><thead><row><entry align="center">SOURCE</entry><entry
align="center">DEST</entry><entry align="center">POLICY</entry><entry
align="center">LOG LEVEL</entry></row></thead><tbody><row><entry>loc</entry><entry>vpn</entry><entry>ACCEPT</entry><entry></entry></row><row><entry>vpn</entry><entry>loc</entry><entry>ACCEPT</entry><entry></entry></row></tbody></tgroup></table></para>
<para>Once you have these entries in place, restart Shorewall (type
shorewall restart); you are now ready to configure the tunnel in <ulink
url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
</section> </section>
<section> <section>
<title>VPN Hub</title> <title>VPN Hub using Kernel 2.4</title>
<para>Shorewall can be used in a VPN Hub environment where multiple remote <para>Shorewall can be used in a VPN Hub environment where multiple remote
networks are connected to a gateway running Shorewall. This environment is networks are connected to a gateway running Shorewall. This environment is
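Review bot: typo in the new masquerading paragraph: "elmiinate" should be "eliminate". Two consistency issues in the same hunk: the system B masq table is titled "/etc/shorewall/masq System B" while every other new title uses the "file - System X" form, and the kernel 2.4 interfaces table declares tgroup cols="4" but its only row has three entry elements, so it should be padded with an empty fourth entry as the other tables are. On the security side, the kernel 2.6 hosts entries (eth0:10.0.0.0/8 on A, eth0:192.168.1.0/24 on B) define the vpn zone purely by source address on the internet interface; unlike the ipsec0 case nothing ties zone membership to the tunnel, so an unencrypted packet arriving on eth0 with a source in that range is classified as vpn too. That is worth stating explicitly next to the "define the vpn zone before the net zone" sentence, together with the point that the masq exclusion (eth0:!10.0.0.0/8) is what keeps tunnel-bound traffic from being SNATed, so readers understand why both entries are required rather than just copying them.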
@ -383,7 +412,7 @@ conn packetdefault
<para>In /etc/shorewall/tunnels on systems B and C, we would have:</para> <para>In /etc/shorewall/tunnels on systems B and C, we would have:</para>
<table> <table>
<title>/etc/shorewall/tunnels system B &amp; C</title> <title>/etc/shorewall/tunnels system B &#38; C</title>
<tgroup cols="4"> <tgroup cols="4">
<thead> <thead>
@ -460,7 +489,7 @@ conn packetdefault
<para>On systems B and C:</para> <para>On systems B and C:</para>
<table> <table>
<title>/etc/shorewall/zones system B &amp; C</title> <title>/etc/shorewall/zones system B &#38; C</title>
<tgroup cols="3"> <tgroup cols="3">
<thead> <thead>
@ -518,8 +547,7 @@ conn packetdefault
</tgroup> </tgroup>
</table> </table>
<para>The /etc/shorewall/hosts file on system A defines the two VPN <para>The /etc/shorewall/hosts file on system A defines the two VPN zones:</para>
zones:</para>
<table> <table>
<title>/etc/shorewall/hosts system A</title> <title>/etc/shorewall/hosts system A</title>
@ -559,7 +587,7 @@ conn packetdefault
following in /etc/shorewall/interfaces:</para> following in /etc/shorewall/interfaces:</para>
<table> <table>
<title>/etc/shorewall/interfaces system B &amp; C</title> <title>/etc/shorewall/interfaces system B &#38; C</title>
<tgroup cols="4"> <tgroup cols="4">
<thead> <thead>
@ -660,7 +688,7 @@ conn packetdefault
policy file entries on all three gateways:</para> policy file entries on all three gateways:</para>
<table> <table>
<title>/etc/shorewall/policy system B &amp; C</title> <title>/etc/shorewall/policy system B &#38; C</title>
<tgroup cols="4"> <tgroup cols="4">
<thead> <thead>
@ -701,8 +729,7 @@ conn packetdefault
<para>Once you have the Shorewall entries added, restart Shorewall on each <para>Once you have the Shorewall entries added, restart Shorewall on each
gateway (type shorewall restart); you are now ready to configure the gateway (type shorewall restart); you are now ready to configure the
tunnels in <ulink tunnels in <ulink url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
<note> <note>
<para>to allow traffic between the networks attached to systems B and C, <para>to allow traffic between the networks attached to systems B and C,
@ -758,7 +785,7 @@ conn packetdefault
</section> </section>
<section> <section>
<title>Mobile System (Road Warrior)</title> <title>Mobile System (Road Warrior) Using Kernel 2.4</title>
<para>Suppose that you have a laptop system (B) that you take with you <para>Suppose that you have a laptop system (B) that you take with you
when you travel and you want to be able to establish a secure connection when you travel and you want to be able to establish a secure connection
@ -770,75 +797,27 @@ conn packetdefault
<title>Road Warrior VPN</title> <title>Road Warrior VPN</title>
<para>You need to define a zone for the laptop or include it in your <para>You need to define a zone for the laptop or include it in your
local zone. In this example, we'll assume that you have created a zone local zone. In this example, we&#39;ll assume that you have created a
called <quote>vpn</quote> to represent the remote host.</para> zone called <quote>vpn</quote> to represent the remote host.</para>
<para><table> <para><table><title>/etc/shorewall/zones local</title><tgroup cols="3"><thead><row><entry
<title>/etc/shorewall/zones local</title> align="center">ZONE</entry><entry align="center">DISPLAY</entry><entry
align="center">COMMENTS</entry></row></thead><tbody><row><entry>vpn</entry><entry>VPN</entry><entry>Remote
<tgroup cols="3"> Subnet</entry></row></tbody></tgroup></table></para>
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet</entry>
</row>
</tbody>
</tgroup>
</table></para>
<para>In this instance, the mobile system (B) has IP address 134.28.54.2 <para>In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the /etc/shorewall/tunnels but that cannot be determined in advance. In the /etc/shorewall/tunnels
file on system A, the following entry should be made:</para> file on system A, the following entry should be made:</para>
<para><table> <para><table><title>/etc/shorewall/tunnels system A</title><tgroup
<title>/etc/shorewall/tunnels system A</title> cols="4"><thead><row><entry align="center">TYPE</entry><entry
align="center">ZONE</entry><entry align="center">GATEWAY</entry><entry
align="center">GATEWAY ZONE</entry></row></thead><tbody><row><entry>ipsec</entry><entry>net</entry><entry>0.0.0.0/0</entry><entry>vpn</entry></row></tbody></tgroup></table></para>
<tgroup cols="4"> <para><note><para>the GATEWAY ZONE column contains the name of the zone
<thead> corresponding to peer subnetworks. This indicates that the gateway
<row> system itself comprises the peer subnetwork; in other words, the remote
<entry align="center">TYPE</entry> gateway is a standalone system.</para></note></para>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>0.0.0.0/0</entry>
<entry>vpn</entry>
</row>
</tbody>
</tgroup>
</table></para>
<para><note>
<para>the GATEWAY ZONE column contains the name of the zone
corresponding to peer subnetworks. This indicates that the gateway
system itself comprises the peer subnetwork; in other words, the
remote gateway is a standalone system.</para>
</note></para>
<para>You will need to configure /etc/shorewall/interfaces and establish <para>You will need to configure /etc/shorewall/interfaces and establish
your <quote>through the tunnel</quote> policy as shown under the first your <quote>through the tunnel</quote> policy as shown under the first
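Review bot: this hunk only collapses the zones and tunnels tables onto single lines and converts ' to &#39;, with no content change; whitespace and entity churn of this kind is easier to review in its own commit, and the one-line table form is harder to maintain than the indented form it replaces.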
@ -939,8 +918,7 @@ conn packetdefault
a different updown script that adds the remote station to the appropriate a different updown script that adds the remote station to the appropriate
zone when the connection comes up and that deletes the remote station when zone when the connection comes up and that deletes the remote station when
the connection comes down. For example, when 134.28.54.2 connects for the the connection comes down. For example, when 134.28.54.2 connects for the
vpn2 zone the <quote>up</quote> part of the script will issue the vpn2 zone the <quote>up</quote> part of the script will issue the command:</para>
command:</para>
<programlisting>/sbin/shorewall add ipsec0:134.28.54.2 vpn2</programlisting> <programlisting>/sbin/shorewall add ipsec0:134.28.54.2 vpn2</programlisting>
@ -957,45 +935,11 @@ conn packetdefault
<example> <example>
<title>dyn=dynamic zone</title> <title>dyn=dynamic zone</title>
<para><informaltable> <para><informaltable><tgroup cols="7"><thead><row><entry
<tgroup cols="7"> align="center">ACTION</entry><entry align="center">SOURCE</entry><entry
<thead> align="center">DESTINATION</entry><entry align="center">PROTOCOL</entry><entry
<row> align="center">PORT(S)</entry><entry align="center">CLIENT PORT(S)</entry><entry
<entry align="center">ACTION</entry> align="center">ORIGINAL DESTINATION</entry></row></thead><tbody><row><entry>DNAT</entry><entry>z!dyn</entry><entry>loc:192.168.1.3</entry><entry>tcp</entry><entry>80</entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">CLIENT PORT(S)</entry>
<entry align="center">ORIGINAL DESTINATION</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>z!dyn</entry>
<entry>loc:192.168.1.3</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable></para>
<para>Dynamic changes to the zone <emphasis role="bold">dyn</emphasis> <para>Dynamic changes to the zone <emphasis role="bold">dyn</emphasis>
will have no effect on the above rule.</para> will have no effect on the above rule.</para>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-06-02</pubdate> <pubdate>2004-06-11</pubdate>
<copyright> <copyright>
<year>2001</year> <year>2001</year>
@ -50,8 +50,9 @@
class="directory">/etc/shorewall</filename> and modify the copies.</para> class="directory">/etc/shorewall</filename> and modify the copies.</para>
<para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename> <para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
to <filename class="directory">/etc/shorewall</filename> even if you do and /usr/share/doc/shorewall/default-config/modules to <filename
not modify it.</para> class="directory">/etc/shorewall</filename> even if you do not modify
those files.</para>
</warning> </warning>
<section id="Install_RPM"> <section id="Install_RPM">

View File

@ -5,7 +5,7 @@
<!--$Id$--> <!--$Id$-->
<articleinfo> <articleinfo>
<title>Some Things that Shorewall Cannot Do</title> <title>Some Things that Shorewall Does Not Do</title>
<author> <author>
<firstname>Tom</firstname> <firstname>Tom</firstname>
@ -13,7 +13,7 @@
<surname>Eastep</surname> <surname>Eastep</surname>
</author> </author>
<pubdate>2004-03-18</pubdate> <pubdate>2004-06-08</pubdate>
<copyright> <copyright>
<year>2003</year> <year>2003</year>
@ -34,7 +34,7 @@
</articleinfo> </articleinfo>
<section> <section>
<title>Shorewall Cannot:</title> <title>Shorewall Does not:</title>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
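Review bot: the new section title "Shorewall Does not:" is inconsistent with the article title changed in the same commit, "Some Things that Shorewall Does Not Do"; capitalize "Not" (or lowercase both) so the two agree.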
@ -43,8 +43,8 @@
</listitem> </listitem>
<listitem> <listitem>
<para>Be used with an Operating System other than Linux (version <para>Work with an Operating System other than Linux (version &#62;=
&#62;= 2.4.0)</para> 2.4.0)</para>
</listitem> </listitem>
<listitem> <listitem>
@ -64,6 +64,22 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</listitem> </listitem>
<listitem>
<para>Set up Routing (except to support <ulink url="ProxyARP.htm">Proxy
ARP</ulink>)</para>
</listitem>
<listitem>
<para>Do Traffic Shaping/Bandwidth Management (although it provides
<ulink url="traffic_shaping.htm">hooks to interface to Traffic
Control/Bandwidth Management solutions</ulink>)</para>
</listitem>
<listitem>
<para>Configure/manage Network Devices (your Distribution includes
tools for that).</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
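Review bot: the last new item, "Configure/manage Network Devices (your Distribution includes tools for that).", ends with a period while the other items in the list do not; drop it for consistency. The traffic-shaping item restates the clarification added to the features page in this same commit ("Shorewall itself contains no Traffic/Bandwidth control facilities"), so the wording of the two should be kept in step.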

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-04-12</pubdate> <pubdate>2004-06-11</pubdate>
<copyright> <copyright>
<year>2004</year> <year>2004</year>
@ -235,6 +235,65 @@ BRIDGE=br0
ONBOOT=yes</programlisting></para> ONBOOT=yes</programlisting></para>
</blockquote> </blockquote>
<para>Florin Grad at <trademark>Mandrake</trademark> provides this script
for configuring a bridge:</para>
<blockquote>
<programlisting>#!/bin/sh
# chkconfig: 2345 05 89
# description: Layer 2 Bridge
#
[ -f /etc/sysconfig/bridge ] &#38;&#38; . /etc/sysconfig/bridge
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
do_stop() {
echo &#34;Stopping Bridge&#34;
for i in $INTERFACES $BRIDGE_INTERFACE ; do
ip link set $i down
done
brctl delbr $BRIDGE_INTERFACE
}
do_start() {
echo &#34;Starting Bridge&#34;
for i in $INTERFACES ; do
ip link set $i up
done
brctl addbr br0
for i in $INTERFACES ; do
ip link set $i up
brctl addif br0 $i
done
ifup $BRIDGE_INTERFACE
}
case &#34;$1&#34; in
start)
do_start
;;
stop)
do_stop
;;
restart)
do_stop
sleep 1
do_start
;;
*)
echo &#34;Usage: $0 {start|stop|restart}&#34;
exit 1
esac
exit 0</programlisting>
<para>The <filename>/etc/sysconfig/bridge</filename>:</para>
<programlisting>BRIDGE_INTERFACE=br0 #The name of your Bridge
INTERFACES=&#34;eth0 eth1&#34; #The physical interfaces to be bridged</programlisting>
</blockquote>
<para>Users who successfully configure bridges on other distributions, <para>Users who successfully configure bridges on other distributions,
with static or dynamic IP addresses, are encouraged to send <ulink with static or dynamic IP addresses, are encouraged to send <ulink
url="mailto:webmaster@shorewall.net">me</ulink> their configuration so I url="mailto:webmaster@shorewall.net">me</ulink> their configuration so I
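Review bot: in do_start the bridge is created and populated under the literal name br0 (brctl addbr br0, brctl addif br0 $i) while do_stop and ifup use $BRIDGE_INTERFACE; if /etc/sysconfig/bridge names anything other than br0, start builds the wrong bridge and ifup then fails. Use $BRIDGE_INTERFACE in both brctl calls. The first for loop in do_start (ip link set $i up over $INTERFACES) is repeated inside the second loop and can be dropped. Because the test only guards the sourcing of /etc/sysconfig/bridge, the script continues when that file is missing and do_stop then runs brctl delbr with an empty name; exiting with an error when BRIDGE_INTERFACE or INTERFACES is unset would be safer. Finally, the chkconfig header implies this is an init script, but the surrounding text does not say where it should be installed or how it is enabled.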

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-04-27</pubdate> <pubdate>2004-06-07</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -110,7 +110,7 @@
<para>The single system in the DMZ (address 206.124.146.177) runs postfix, <para>The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
server (Pure-ftpd) under RedHat 9.0. The system also runs fetchmail to server (Pure-ftpd) under Fedora Core 2. The system also runs fetchmail to
fetch our email from our old and current ISPs. That server is managed fetch our email from our old and current ISPs. That server is managed
through Proxy ARP.</para> through Proxy ARP.</para>

View File

@ -13,7 +13,7 @@
<surname>Eastep</surname> <surname>Eastep</surname>
</author> </author>
<pubdate>2004-05-07</pubdate> <pubdate>2004-06-08</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -27,8 +27,7 @@
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
@ -37,7 +36,7 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Uses Netfilter's connection tracking facilities for stateful <para>Uses Netfilter&#39;s connection tracking facilities for stateful
packet filtering.</para> packet filtering.</para>
</listitem> </listitem>
@ -57,8 +56,7 @@
<listitem> <listitem>
<para>Allows you to partition the network into <ulink <para>Allows you to partition the network into <ulink
url="Documentation.htm#Zones">zones</ulink> and gives you complete url="Documentation.htm#Zones">zones</ulink> and gives you complete
control over the connections permitted between each pair of control over the connections permitted between each pair of zones.</para>
zones.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -80,8 +78,7 @@
<listitem> <listitem>
<para>A <emphasis role="bold">GUI</emphasis> is available via Webmin <para>A <emphasis role="bold">GUI</emphasis> is available via Webmin
1.060 and later (<ulink 1.060 and later (<ulink url="http://www.webmin.com">http://www.webmin.com</ulink>)</para>
url="http://www.webmin.com">http://www.webmin.com</ulink>)</para>
</listitem> </listitem>
<listitem> <listitem>
@ -92,18 +89,15 @@
<listitem> <listitem>
<para><emphasis role="bold">Flexible address management/routing <para><emphasis role="bold">Flexible address management/routing
support</emphasis> (and you can use all types in the same support</emphasis> (and you can use all types in the same firewall):</para>
firewall):</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para><ulink <para><ulink url="Documentation.htm#Masq">Masquerading/SNAT</ulink>.</para>
url="Documentation.htm#Masq">Masquerading/SNAT</ulink>.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="FAQ.htm#faq1">Port Forwarding <para><ulink url="FAQ.htm#faq1">Port Forwarding (DNAT)</ulink>.</para>
(DNAT)</ulink>.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -157,16 +151,16 @@
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="PPTP.htm">PPTP</ulink> clients and <para><ulink url="PPTP.htm">PPTP</ulink> clients and Servers.</para>
Servers.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</listitem> </listitem>
<listitem> <listitem>
<para>Support for <ulink url="traffic_shaping.htm"><emphasis <para>Support for <ulink url="traffic_shaping.htm"><emphasis
role="bold">Traffic</emphasis> Control/<emphasis role="bold">Traffic</emphasis> Control/<emphasis role="bold">Shaping</emphasis></ulink>
role="bold">Shaping</emphasis></ulink> integration.</para> integration (although Shorewall itself contains no Traffic/Bandwidth
control facilities).</para>
</listitem> </listitem>
<listitem> <listitem>
@ -183,7 +177,7 @@
<listitem> <listitem>
<para>Includes automated <ulink url="Install.htm">install, <para>Includes automated <ulink url="Install.htm">install,
upgrade, fallback and uninstall facilities</ulink> for users who upgrade, fallback and uninstall facilities</ulink> for users who
can't use or choose not to use the RPM or Debian packages.</para> can&#39;t use or choose not to use the RPM or Debian packages.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -196,8 +190,7 @@
<listitem> <listitem>
<para><ulink url="MAC_Validation.html">Media Access Control (<emphasis <para><ulink url="MAC_Validation.html">Media Access Control (<emphasis
role="bold">MAC</emphasis>) Address <emphasis role="bold">MAC</emphasis>) Address <emphasis role="bold">Verification</emphasis></ulink>.</para>
role="bold">Verification</emphasis></ulink>.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -206,9 +199,8 @@
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="bridge.html"><emphasis <para><ulink url="bridge.html"><emphasis role="bold">Bridge</emphasis>/Firewall
role="bold">Bridge</emphasis>/Firewall support</ulink> (requires a 2.6 support</ulink> (requires a 2.6 kernel or a patched 2.4 kernel).</para>
kernel or a patched 2.4 kernel).</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-05-18</pubdate> <pubdate>2004-06-11</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -105,8 +105,9 @@
Simply copy the files you need from that directory to <filename Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note
that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename> that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
to <filename class="directory">/etc/shorewall</filename> even if you do and /usr/share/doc/shorewall/default-config/modules to <filename
not modify it.</para></warning></para> class="directory">/etc/shorewall</filename> even if you do not modify
those files.</para></warning></para>
<para>As each file is introduced, I suggest that you look through the <para>As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration actual file on your system -- each file contains detailed configuration

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-05-18</pubdate> <pubdate>2004-06-11</pubdate>
<copyright> <copyright>
<year>2002-2004</year> <year>2002-2004</year>
@ -144,8 +144,9 @@
class="directory">/etc/shorewall</filename> and modify the copies.</para> class="directory">/etc/shorewall</filename> and modify the copies.</para>
<para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename> <para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
to <filename class="directory">/etc/shorewall</filename> even if you do and /usr/share/doc/shorewall/default-config/modules to <filename
not modify it.</para> class="directory">/etc/shorewall</filename> even if you do not modify
those files.</para>
</warning> </warning>
<para>As each file is introduced, I suggest that you look through the <para>As each file is introduced, I suggest that you look through the

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-05-18</pubdate> <pubdate>2004-06-11</pubdate>
<copyright> <copyright>
<year>2002-2004</year> <year>2002-2004</year>
@ -166,7 +166,8 @@
Simply copy the files you need from that directory to <filename Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note
that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename> that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
to /etc/shorewall even if you do not modify it.</para></warning></para> and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall even
if you do not modify those files.</para></warning></para>
<para>After you have installed Shorewall, download the three-interface <para>After you have installed Shorewall, download the three-interface
sample, un-tar it (<command>tar <option>-zxvf</option> sample, un-tar it (<command>tar <option>-zxvf</option>
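Review bot: the new text writes /etc/shorewall as bare text while the other copies of this paragraph in the same commit wrap it in <filename class="directory">; use the same markup here so the rendered pages match.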

View File

@ -12,7 +12,7 @@
<surname>Eastep</surname> <surname>Eastep</surname>
</author> </author>
<pubdate>2003-05-18</pubdate> <pubdate>2003-06-11</pubdate>
<copyright> <copyright>
<year>2002</year> <year>2002</year>
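Review bot: the new pubdate 2003-06-11 looks like a typo; every other document touched by this commit is dated 2004-06-11 (or 2004-06-07/08), and the day and month match those. Should almost certainly be 2004-06-11.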
@ -154,8 +154,9 @@
Simply copy the files you need from that directory to <filename Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note
that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename> that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
to <filename class="directory">/etc/shorewall</filename> even if you do and /usr/share/doc/shorewall/default-config/modules to <filename
not modify it.</para></warning></para> class="directory">/etc/shorewall</filename> even if you do not modify
those files.</para></warning></para>
<para><tip><para>After you have <ulink url="Install.htm">installed <para><tip><para>After you have <ulink url="Install.htm">installed
Shorewall</ulink>, download the <ulink Shorewall</ulink>, download the <ulink