Correct FAQ numbering

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2094 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-05-09 14:49:08 +00:00
parent 2c39bc42b4
commit fa8ae95a22
2 changed files with 214 additions and 240 deletions


@ -17,7 +17,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-04-24</pubdate> <pubdate>2005-05-08</pubdate>
<copyright> <copyright>
<year>2001-2005</year> <year>2001-2005</year>
@ -99,22 +99,27 @@
shows how to do port forwarding under Shorewall. The format of a shows how to do port forwarding under Shorewall. The format of a
port-forwarding rule to a local system is as follows:</para> port-forwarding rule to a local system is as follows:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT <programlisting>#ACTION SOURCE DEST PROTO DEST PORT DNAT net
DNAT net loc:&lt;l<emphasis>ocal IP address</emphasis>&gt;[:&lt;<emphasis>local port</emphasis>&gt;] &lt;<emphasis>protocol</emphasis>&gt; &lt;<emphasis>port #</emphasis>&gt;</programlisting> loc:&lt;l<emphasis>ocal IP address</emphasis>&gt;[:&lt;<emphasis>local
port</emphasis>&gt;] &lt;<emphasis>protocol</emphasis>&gt;
&lt;<emphasis>port #</emphasis>&gt;</programlisting>
<para>So to forward UDP port 7777 to internal system 192.168.1.5, the <para>So to forward UDP port 7777 to internal system 192.168.1.5, the
rule is:</para> rule is:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT <programlisting>#ACTION SOURCE DEST PROTO DEST PORT DNAT net
DNAT net loc:192.168.1.5 udp 7777</programlisting> loc:192.168.1.5 udp 7777</programlisting>
<para>If you want to forward requests directed to a particular address ( <para>If you want to forward requests directed to a particular address (
<emphasis>&lt;external IP&gt;</emphasis> ) on your firewall to an <emphasis>&lt;external IP&gt;</emphasis> ) on your firewall to an
internal system:</para> internal system:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL #
# PORT DEST. PORT DEST. DNAT net loc:&lt;l<emphasis>ocal IP
DNAT net loc:&lt;l<emphasis>ocal IP address</emphasis>&gt;[:&lt;<emphasis>local port</emphasis>&gt;] &lt;<emphasis>protocol</emphasis>&gt; &lt;<emphasis>port #</emphasis>&gt; - &lt;<emphasis>external IP</emphasis>&gt;</programlisting> address</emphasis>&gt;[:&lt;<emphasis>local port</emphasis>&gt;]
&lt;<emphasis>protocol</emphasis>&gt; &lt;<emphasis>port
#</emphasis>&gt; - &lt;<emphasis>external
IP</emphasis>&gt;</programlisting>
<para>Finally, if you need to forward a range of ports, in the DEST PORT <para>Finally, if you need to forward a range of ports, in the DEST PORT
column specify the range as column specify the range as
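Review bot: the new side of this hunk reflows the rule text inside `<programlisting>`, which is whitespace-preserving, so the rendered FAQ will now show `#ACTION SOURCE DEST PROTO DEST PORT DNAT net` as one line and `loc:192.168.1.5 udp 7777` as the next. The ACTION and SOURCE columns have moved onto the comment header and the rule no longer lines up with it; a reader copying it into /etc/shorewall/rules gets a malformed entry. Restore the original two-line layout (`DNAT net loc:192.168.1.5 udp 7777` under the header) and do the same for the two template rules in this hunk.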
@ -230,8 +235,8 @@ DNAT net loc:&lt;l<emphasis>ocal IP address</emphasis>&gt;[:&lt;<emphasis>
<para>In /<filename>etc/shorewall/rules</filename>:</para> <para>In /<filename>etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT <programlisting>#ACTION SOURCE DEST PROTO DEST PORT DNAT net
DNAT net loc:192.168.1.3:22 tcp 1022</programlisting> loc:192.168.1.3:22 tcp 1022</programlisting>
</section> </section>
<section id="faq1d"> <section id="faq1d">
@ -258,25 +263,26 @@ DNAT net loc:192.168.1.3:22 tcp 1022</programlisting>
using the firewall's external IP address by adding this rule:</para> using the firewall's external IP address by adding this rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT DEST # PORT DEST DNAT loc dmz:192.168.2.4 tcp 80 -
DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</programlisting> 206.124.146.176</programlisting>
<para>If your external IP address is dynamic, then you must do the <para>If your external IP address is dynamic, then you must do the
following:</para> following:</para>
<para>In <filename>/etc/shorewall/init</filename>:</para> <para>In <filename>/etc/shorewall/init</filename>:</para>
<programlisting><command>ETH0_IP=`find_interface_address eth0`</command></programlisting> <programlisting><command>ETH0_IP=`find_interface_address
eth0`</command></programlisting>
<para>For users of Shorewall 2.1.0 and later:</para> <para>For users of Shorewall 2.1.0 and later:</para>
<programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command></programlisting> <programlisting><command>ETH0_IP=`find_first_interface_address
eth0`</command></programlisting>
<para>and make your DNAT rule:</para> <para>and make your DNAT rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL #
# PORT DEST. PORT DEST. DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP</programlisting>
DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP</programlisting>
</section> </section>
<section id="faq1e"> <section id="faq1e">
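Review bot: splitting the backquoted command across lines changes what it does: `<command>ETH0_IP=`find_interface_address` followed by `eth0`</command>` is, to the shell, a command substitution containing two commands (`find_interface_address` and then `eth0`), not one command with an argument. Keep `ETH0_IP=`find_interface_address eth0`` and `ETH0_IP=`find_first_interface_address eth0`` each on a single line. The same hunk also pushes the DNAT rule onto the second line of the column header (`PORT DEST. DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP`), which should be reverted as well.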
@ -292,8 +298,8 @@ DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0
If you add the following rule then from the net, you will have 4104 If you add the following rule then from the net, you will have 4104
listening, from your LAN, port 22.</para> listening, from your LAN, port 22.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) DNAT net
DNAT net fw:192.168.1.1:22 tcp 4104</programlisting> fw:192.168.1.1:22 tcp 4104</programlisting>
</section> </section>
</section> </section>
@ -373,40 +379,42 @@ DNAT net fw:192.168.1.1:22 tcp 4104</programlisting>
<listitem> <listitem>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para> <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE BROADCAST OPTIONS loc eth1 detect
loc eth1 detect <emphasis role="bold">routeback</emphasis></programlisting> <emphasis role="bold">routeback</emphasis></programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>In <filename>/etc/shorewall/masq</filename>:</para> <para>In <filename>/etc/shorewall/masq</filename>:</para>
<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) <programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S)
eth1:192.168.1.5 eth1 192.168.1.254 tcp www</programlisting> eth1:192.168.1.5 eth1 192.168.1.254 tcp www</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>In <filename>/etc/shorewall/rules</filename>:</para> <para>In <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST. # PORT DEST. DNAT loc loc:192.168.1.5 tcp www -
DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69</programlisting> 130.151.100.69</programlisting>
<para>That rule only works of course if you have a static external <para>That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and are running IP address. If you have a dynamic IP address and are running
Shorewall 1.3.4 through Shorewall 2.0.* then include this in Shorewall 1.3.4 through Shorewall 2.0.* then include this in
<filename>/etc/shorewall/init</filename>:</para> <filename>/etc/shorewall/init</filename>:</para>
<programlisting><command>ETH0_IP=`find_interface_address eth0`</command></programlisting> <programlisting><command>ETH0_IP=`find_interface_address
eth0`</command></programlisting>
<para>For users of Shorewall 2.1.0 and later:</para> <para>For users of Shorewall 2.1.0 and later:</para>
<programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command></programlisting> <programlisting><command>ETH0_IP=`find_first_interface_address
eth0`</command></programlisting>
<para>and make your DNAT rule:</para> <para>and make your DNAT rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST. # PORT DEST. DNAT loc loc:192.168.1.5 tcp www -
DNAT loc loc:192.168.1.5 tcp www - $ETH0_IP</programlisting> $ETH0_IP</programlisting>
<para>Using this technique, you will want to configure your <para>Using this technique, you will want to configure your
DHCP/PPPoE client to automatically restart Shorewall each time that DHCP/PPPoE client to automatically restart Shorewall each time that
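Review bot: the interfaces example is now `#ZONE INTERFACE BROADCAST OPTIONS loc eth1 detect` followed by a bare `routeback` line, so the only entry in the example has been absorbed into the `#` comment header and the `routeback` option, the whole point of this FAQ answer, sits alone on a line where Shorewall would not parse it as part of any interface. The same join-onto-the-comment-line pattern recurs for the tunnels entries later in this patch (`# ZONE openvpn:5000 net` and `# ZONE generic:udp:5000 net`); the fix in each case is to keep the entry on its own line under the header.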
@ -430,7 +438,8 @@ DNAT loc loc:192.168.1.5 tcp www - $ETH0
<programlisting>Oct 4 10:26:40 netgw kernel: <programlisting>Oct 4 10:26:40 netgw kernel:
Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.118.200 Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.118.200
DST=192.168.118.210 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1342 DF DST=192.168.118.210 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1342 DF
PROTO=TCP SPT=1494 DPT=1491 WINDOW=17472 RES=0x00 ACK SYN URGP=0</programlisting> PROTO=TCP SPT=1494 DPT=1491 WINDOW=17472 RES=0x00 ACK SYN
URGP=0</programlisting>
</note> </note>
<para><emphasis role="bold">Answer:</emphasis> This is another problem <para><emphasis role="bold">Answer:</emphasis> This is another problem
@ -460,12 +469,14 @@ DNAT loc loc:192.168.1.5 tcp www - $ETH0
<example> <example>
<title>Example:</title> <title>Example:</title>
<literallayout>Zone: dmz Interface: eth2 Subnet: 192.168.2.0/24</literallayout> <literallayout>Zone: dmz Interface: eth2 Subnet:
192.168.2.0/24</literallayout>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para> <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE BROADCAST OPTIONS dmz eth2
dmz eth2 192.168.2.255 <emphasis role="bold">routeback</emphasis></programlisting> 192.168.2.255 <emphasis
role="bold">routeback</emphasis></programlisting>
<para>In <filename>/etc/shorewall/na</filename>t, be sure that you <para>In <filename>/etc/shorewall/na</filename>t, be sure that you
have <quote>Yes</quote> in the ALL INTERFACES column.</para> have <quote>Yes</quote> in the ALL INTERFACES column.</para>
@ -496,25 +507,26 @@ dmz eth2 192.168.2.255 <emphasis role="bold">routeback</emphasis>
using the firewall's external IP address by adding this rule:</para> using the firewall's external IP address by adding this rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT DEST # PORT DEST DNAT loc dmz:192.168.2.4 tcp 80 -
DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</programlisting> 206.124.146.176</programlisting>
<para>If your external IP address is dynamic, then you must do the <para>If your external IP address is dynamic, then you must do the
following:</para> following:</para>
<para>In <filename>/etc/shorewall/init</filename>:</para> <para>In <filename>/etc/shorewall/init</filename>:</para>
<programlisting><command>ETH0_IP=`find_interface_address eth0`</command></programlisting> <programlisting><command>ETH0_IP=`find_interface_address
eth0`</command></programlisting>
<para>For users of Shorewall 2.1.0 and later:</para> <para>For users of Shorewall 2.1.0 and later:</para>
<programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command></programlisting> <programlisting><command>ETH0_IP=`find_first_interface_address
eth0`</command></programlisting>
<para>and make your DNAT rule:</para> <para>and make your DNAT rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL #
# PORT DEST. PORT DEST. DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP</programlisting>
DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP</programlisting>
</section> </section>
</section> </section>
</section> </section>
@ -533,17 +545,17 @@ DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0
following:</para> following:</para>
<blockquote> <blockquote>
<para><programlisting>&gt; I know PoM -ng is going to address this issue, but till it is ready, and <para><programlisting>&gt; I know PoM -ng is going to address this
&gt; all the extras are ported to it, is there any way to use the h.323 issue, but till it is ready, and &gt; all the extras are ported to it,
&gt; contrack module kernel patch with a 2.6 kernel? is there any way to use the h.323 &gt; contrack module kernel patch
&gt; Running 2.6.1 - no 2.4 kernel stuff on the system, so downgrade is not with a 2.6 kernel? &gt; Running 2.6.1 - no 2.4 kernel stuff on the
&gt; an option... The module is not ported yet to 2.6, sorry. system, so downgrade is not &gt; an option... The module is not ported
&gt; Do I have any options besides a gatekeeper app (does not work in my yet to 2.6, sorry. &gt; Do I have any options besides a gatekeeper app
&gt; network) or a proxy (would prefer to avoid them)? (does not work in my &gt; network) or a proxy (would prefer to avoid
them)? I suggest everyone to setup a proxy (gatekeeper) instead: the
I suggest everyone to setup a proxy (gatekeeper) instead: the module is module is really dumb and does not deserve to exist at all. It was an
really dumb and does not deserve to exist at all. It was an excellent tool excellent tool to debug/develop the newnat
to debug/develop the newnat interface.</programlisting></para> interface.</programlisting></para>
</blockquote> </blockquote>
<para>Look <ulink url="http://linux-igd.sourceforge.net">here</ulink> <para>Look <ulink url="http://linux-igd.sourceforge.net">here</ulink>
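Review bot: reflowing the quoted mailing-list exchange puts the `&gt;` quote markers in the middle of lines (`issue, but till it is ready, and &gt; all the extras are ported to it,`), so the reader can no longer tell the quoted question from the reply. The `>` markers only mean "quoted text" at the start of a line; keep the exchange exactly as it was pasted, one quoted line per line.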
@ -726,16 +738,16 @@ to debug/develop the newnat interface.</programlisting></para>
<para>I have this entry in <ulink <para>I have this entry in <ulink
url="Documentation.htm#Tunnels">/etc/shorewall/tunnels</ulink>:</para> url="Documentation.htm#Tunnels">/etc/shorewall/tunnels</ulink>:</para>
<programlisting># TYPE ZONE GATEWAY GATEWAY <programlisting># TYPE ZONE GATEWAY GATEWAY # ZONE openvpn:5000 net
# ZONE 69.145.71.133</programlisting>
openvpn:5000 net 69.145.71.133</programlisting>
<para>Yet I am seeing this log message:</para> <para>Yet I am seeing this log message:</para>
<programlisting>Oct 12 13:41:03 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= <programlisting>Oct 12 13:41:03 localhost kernel:
MAC=00:04:5a:7f:92:9f:00:b0:c2:89:68:e4:08:00 SRC=69.145.71.133 Shorewall:net2all:DROP:IN=eth0 OUT=
DST=216.187.138.18 LEN=42 TOS=0x00 PREC=0x00 TTL=46 ID=11 DF PROTO=UDP MAC=00:04:5a:7f:92:9f:00:b0:c2:89:68:e4:08:00 SRC=69.145.71.133
SPT=33120 DPT=5000 LEN=22</programlisting> DST=216.187.138.18 LEN=42 TOS=0x00 PREC=0x00 TTL=46 ID=11 DF PROTO=UDP
SPT=33120 DPT=5000 LEN=22</programlisting>
<para><emphasis role="bold">Answer</emphasis>: Shorewall's <emphasis <para><emphasis role="bold">Answer</emphasis>: Shorewall's <emphasis
role="bold">openvpn</emphasis> tunnel type assumes that OpenVPN will be role="bold">openvpn</emphasis> tunnel type assumes that OpenVPN will be
@ -745,9 +757,8 @@ SPT=33120 DPT=5000 LEN=22</programlisting>
url="Documentation.htm#Tunnels">/etc/shorewall/tunnels</ulink> entry url="Documentation.htm#Tunnels">/etc/shorewall/tunnels</ulink> entry
with this one:</para> with this one:</para>
<programlisting># TYPE ZONE GATEWAY GATEWAY <programlisting># TYPE ZONE GATEWAY GATEWAY # ZONE generic:udp:5000 net
# ZONE 69.145.71.133</programlisting>
generic:udp:5000 net 69.145.71.133</programlisting>
</section> </section>
</section> </section>
@ -776,8 +787,7 @@ generic:udp:5000 net 69.145.71.133</programlisting>
<filename>/etc/shorewall/shorewall.conf</filename> -- If you want to log <filename>/etc/shorewall/shorewall.conf</filename> -- If you want to log
all messages, set:</para> all messages, set:</para>
<programlisting>LOGLIMIT="" <programlisting>LOGLIMIT="" LOGBURST=""</programlisting>
LOGBURST=""</programlisting>
<para>Beginning with Shorewall version 1.3.12, you can <ulink <para>Beginning with Shorewall version 1.3.12, you can <ulink
url="shorewall_logging.html">set up Shorewall to log all of its messages url="shorewall_logging.html">set up Shorewall to log all of its messages
@ -792,11 +802,13 @@ LOGBURST=""</programlisting>
<literallayout><ulink <literallayout><ulink
url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/pub/shorewall/parsefw/</ulink> url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/pub/shorewall/parsefw/</ulink>
<ulink url="http://www.fireparse.com">http://www.fireparse.com</ulink> <ulink url="http://www.fireparse.com">http://www.fireparse.com</ulink>
<ulink url="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</ulink> <ulink
<ulink url="http://www.logwatch.org">http://www.logwatch.org</ulink> url="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</ulink>
<ulink url="http://gege.org/iptables">http://gege.org/iptables</ulink> <ulink url="http://www.logwatch.org">http://www.logwatch.org</ulink>
<ulink url="http://home.regit.org/ulogd-php.html">http://home.regit.org/ulogd-php.html</ulink></literallayout> <ulink url="http://gege.org/iptables">http://gege.org/iptables</ulink>
<ulink
url="http://home.regit.org/ulogd-php.html">http://home.regit.org/ulogd-php.html</ulink></literallayout>
<para>I personally use Logwatch. It emails me a report each day from <para>I personally use Logwatch. It emails me a report each day from
my various systems with each report summarizing the logged activity on my various systems with each report summarizing the logged activity on
@ -804,7 +816,7 @@ LOGBURST=""</programlisting>
</section> </section>
<section id="faq6b"> <section id="faq6b">
<title>(FAQ 2b) DROP messages on port 10619 are flooding the logs with <title>(FAQ 6b) DROP messages on port 10619 are flooding the logs with
their connect requests. Can i exclude these error messages for this their connect requests. Can i exclude these error messages for this
port temporarily from logging in Shorewall?</title> port temporarily from logging in Shorewall?</title>
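Review bot: this is the one hunk in the file that does what the commit message says: the title changes from `(FAQ 2b)` to `(FAQ 6b)`, which now matches the enclosing `<section id="faq6b">`. Everything else in the commit is line reflow inside `<programlisting>` elements that alters the rendered text; consider committing this title fix on its own so the numbering correction is not mixed with (and hidden among) that churn.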
@ -1074,13 +1086,14 @@ LOGBURST=""</programlisting>
<example> <example>
<title>Here is an example:</title> <title>Here is an example:</title>
<programlisting>Jun 27 15:37:56 gateway kernel: <programlisting>Jun 27 15:37:56 gateway kernel: Shorewall:<emphasis
Shorewall:<emphasis role="bold">all2all:REJECT</emphasis>:<emphasis role="bold">all2all:REJECT</emphasis>:<emphasis
role="bold">IN=eth2</emphasis> <emphasis role="bold">OUT=eth1</emphasis> <emphasis role="bold">IN=eth2</emphasis> <emphasis
role="bold">SRC=192.168.2.2</emphasis> role="bold">OUT=eth1</emphasis> <emphasis
<emphasis role="bold">DST=192.168.1.3 </emphasis>LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF <emphasis role="bold">SRC=192.168.2.2</emphasis> <emphasis
role="bold">PROTO=UDP</emphasis> role="bold">DST=192.168.1.3 </emphasis>LEN=67 TOS=0x00 PREC=0x00
SPT=1803 <emphasis role="bold">DPT=53</emphasis> LEN=47</programlisting> TTL=63 ID=5805 DF <emphasis role="bold">PROTO=UDP</emphasis> SPT=1803
<emphasis role="bold">DPT=53</emphasis> LEN=47</programlisting>
<para>Let's look at the important parts of this message:</para> <para>Let's look at the important parts of this message:</para>
@ -1233,23 +1246,21 @@ LOGBURST=""</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE BROADCAST OPTIONS net eth0 detect net
net eth0 detect eth1 detect</programlisting>
net eth1 detect</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para> <para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DESTINATION POLICY LIMIT:BURST <programlisting>#SOURCE DESTINATION POLICY LIMIT:BURST net net
net net DROP</programlisting> DROP</programlisting>
<para>If you have masqueraded hosts, be sure to update <para>If you have masqueraded hosts, be sure to update
<filename>/etc/shorewall/masq</filename> to masquerade to both ISPs. For <filename>/etc/shorewall/masq</filename> to masquerade to both ISPs. For
example, if you masquerade all hosts connected to <filename example, if you masquerade all hosts connected to <filename
class="devicefile">eth2</filename> then:</para> class="devicefile">eth2</filename> then:</para>
<programlisting>#INTERFACE SUBNET ADDRESS <programlisting>#INTERFACE SUBNET ADDRESS eth0 eth2 eth1
eth0 eth2 eth2</programlisting>
eth1 eth2</programlisting>
<para>There was an article in SysAdmin covering the topic of setting up <para>There was an article in SysAdmin covering the topic of setting up
routing for this configuration. It may be found at <ulink routing for this configuration. It may be found at <ulink
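Review bot: the reflow in this hunk does not just look wrong, it describes a different configuration. `#ZONE INTERFACE BROADCAST OPTIONS net eth0 detect net` plus `eth1 detect` leaves the eth0 entry commented out and the eth1 entry without a ZONE column; `#SOURCE DESTINATION POLICY LIMIT:BURST net net` plus `DROP` turns the net-to-net DROP policy into a comment and a stray word; and in the masq example `#INTERFACE SUBNET ADDRESS eth0 eth2 eth1` plus `eth2` moves `eth1` into the ADDRESS column of the eth0 line. Each of these needs its original one-entry-per-line form back.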
@ -1272,23 +1283,12 @@ eth1 eth2</programlisting>
providers that connect a local network (or even a single machine) to providers that connect a local network (or even a single machine) to
the big Internet.</para> the big Internet.</para>
<programlisting> ________ <programlisting>________ +------------+ / | | | +-------------+
+------------+ / Provider 1 +------- __ | | | / ___/ \_ +------+-------+ +------------+
| | | | _/ \__ | if1 | / / \ | | | | Local network -----+ Linux router | |
+-------------+ Provider 1 +------- Internet \_ __/ | | | \__ __/ | if2 | \ \___/ +------+-------+
__ | | | / +------------+ | | | | \ +-------------+ Provider 2 +------- | | |
___/ \_ +------+-------+ +------------+ | +------------+ \________</programlisting>
_/ \__ | if1 | /
/ \ | | |
| Local network -----+ Linux router | | Internet
\_ __/ | | |
\__ __/ | if2 | \
\___/ +------+-------+ +------------+ |
| | | \
+-------------+ Provider 2 +-------
| | |
+------------+ \________
</programlisting>
<para>There are usually two questions given this setup.</para> <para>There are usually two questions given this setup.</para>
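Review bot: the ASCII-art diagram of the two-provider setup has been collapsed from 23 lines to 12 (per the hunk header) into a run of box and slash fragments that no longer draws anything. Diagrams inside `<programlisting>` depend on every space and line break; this block must be restored verbatim from the left-hand side of the hunk.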
@ -1319,10 +1319,9 @@ eth1 eth2</programlisting>
These are added in /etc/iproute2/rt_tables. Then you set up routing in These are added in /etc/iproute2/rt_tables. Then you set up routing in
these tables as follows:</para> these tables as follows:</para>
<programlisting>ip route add $P1_NET dev $IF1 src $IP1 table T1 <programlisting>ip route add $P1_NET dev $IF1 src $IP1 table T1 ip
ip route add default via $P1 table T1 route add default via $P1 table T1 ip route add $P2_NET dev $IF2 src
ip route add $P2_NET dev $IF2 src $IP2 table T2 $IP2 table T2 ip route add default via $P2 table T2</programlisting>
ip route add default via $P2 table T2</programlisting>
<para>Nothing spectacular, just build a route to the gateway and build <para>Nothing spectacular, just build a route to the gateway and build
a default route via that gateway, as you would do in the case of a a default route via that gateway, as you would do in the case of a
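Review bot: four separate `ip route add` commands are now run together and split mid-command (`... src $IP1 table T1 ip` / `route add default via $P1 table T1 ip route add $P2_NET dev $IF2 src` / `$IP2 table T2 ...`). Pasted into a shell, the first line is a single `ip route add` invocation with `table T1 ip` as trailing arguments, and the second begins with `route add ...`, which is not a command. Keep one command per line; the same problem recurs in the `ip route add` / `ip rule add` hunks that follow and in the `service ipchains stop chkconfig --delete ipchains rmmod ipchains` line later in the patch, where three commands become one.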
@ -1336,8 +1335,8 @@ ip route add default via $P2 table T2</programlisting>
to that neighbour. Note the `src' arguments, they make sure the right to that neighbour. Note the `src' arguments, they make sure the right
outgoing IP address is chosen.</para> outgoing IP address is chosen.</para>
<programlisting>ip route add $P1_NET dev $IF1 src $IP1 <programlisting>ip route add $P1_NET dev $IF1 src $IP1 ip route add
ip route add $P2_NET dev $IF2 src $IP2</programlisting> $P2_NET dev $IF2 src $IP2</programlisting>
<para>Then, your preference for default route:</para> <para>Then, your preference for default route:</para>
@ -1348,8 +1347,8 @@ ip route add $P2_NET dev $IF2 src $IP2</programlisting>
a given interface if you already have the corresponding source a given interface if you already have the corresponding source
address:</para> address:</para>
<programlisting>ip rule add from $IP1 table T1 <programlisting>ip rule add from $IP1 table T1 ip rule add from $IP2
ip rule add from $IP2 table T2</programlisting> table T2</programlisting>
<para>This set of commands makes sure all answers to traffic coming in <para>This set of commands makes sure all answers to traffic coming in
on a particular interface get answered from that interface.</para> on a particular interface get answered from that interface.</para>
@ -1358,12 +1357,11 @@ ip rule add from $IP2 table T2</programlisting>
<para>'If $P0_NET is the local network and $IF0 is its interface, <para>'If $P0_NET is the local network and $IF0 is its interface,
the following additional entries are desirable:</para> the following additional entries are desirable:</para>
<programlisting format="linespecific">ip route add $P0_NET dev $IF0 table T1 <programlisting format="linespecific">ip route add $P0_NET dev $IF0
ip route add $P2_NET dev $IF2 table T1 table T1 ip route add $P2_NET dev $IF2 table T1 ip route add
ip route add 127.0.0.0/8 dev lo table T1 127.0.0.0/8 dev lo table T1 ip route add $P0_NET dev $IF0 table T2
ip route add $P0_NET dev $IF0 table T2 ip route add $P1_NET dev $IF1 table T2 ip route add 127.0.0.0/8 dev
ip route add $P1_NET dev $IF1 table T2 lo table T2</programlisting>
ip route add 127.0.0.0/8 dev lo table T2</programlisting>
</note> </note>
<para>Now, this is just the very basic setup. It will work for all <para>Now, this is just the very basic setup. It will work for all
@ -1386,8 +1384,8 @@ ip route add 127.0.0.0/8 dev lo table T2</programlisting>
is done as follows (once more building on the example in the section is done as follows (once more building on the example in the section
on split-access):</para> on split-access):</para>
<programlisting>ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \ <programlisting>ip route add default scope global nexthop via $P1 dev
nexthop via $P2 dev $IF2 weight 1</programlisting> $IF1 weight 1 \ nexthop via $P2 dev $IF2 weight 1</programlisting>
<para>This will balance the routes over both providers. The <emphasis <para>This will balance the routes over both providers. The <emphasis
role="bold">weight</emphasis> parameters can be tweaked to favor one role="bold">weight</emphasis> parameters can be tweaked to favor one
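Review bot: the line-continuation backslash in `ip route add default scope global nexthop via $P1 dev` / `$IF1 weight 1 \ nexthop via $P2 dev $IF2 weight 1` has been moved from the end of the line to the middle of one. In a shell, a backslash followed by a space escapes the space rather than continuing the line, so the command as shown no longer means what the original did. Put the break back immediately after the `\`.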
@ -1464,20 +1462,21 @@ ip route add 127.0.0.0/8 dev lo table T2</programlisting>
<para><emphasis role="bold">Answer:</emphasis> The output you will see <para><emphasis role="bold">Answer:</emphasis> The output you will see
looks something like this:</para> looks something like this:</para>
<programlisting>/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy <programlisting>/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o:
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters init_module: Device or resource busy Hint: insmod errors can be caused
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?) /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
Perhaps iptables or your kernel needs to be upgraded.</programlisting> ip_tables failed iptables v1.2.3: can't initialize iptables table `nat':
iptables who? (do you need to insmod?) Perhaps iptables or your kernel
needs to be upgraded.</programlisting>
<para>This problem is usually corrected through the following sequence <para>This problem is usually corrected through the following sequence
of commands</para> of commands</para>
<programlisting><command>service ipchains stop <programlisting><command>service ipchains stop chkconfig --delete
chkconfig --delete ipchains ipchains rmmod ipchains</command></programlisting>
rmmod ipchains</command></programlisting>
<para>Also, be sure to check the <ulink url="errata.htm">errata</ulink> <para>Also, be sure to check the <ulink url="errata.htm">errata</ulink>
for problems concerning the version of iptables (v1.2.3) shipped with for problems concerning the version of iptables (v1.2.3) shipped with
@ -1500,21 +1499,13 @@ rmmod ipchains</command></programlisting>
<para>I just installed Shorewall and when I issue the start command, I <para>I just installed Shorewall and when I issue the start command, I
see the following:</para> see the following:</para>
<programlisting>Processing /etc/shorewall/params ... <programlisting>Processing /etc/shorewall/params ... Processing
Processing /etc/shorewall/shorewall.conf ... /etc/shorewall/shorewall.conf ... Starting Shorewall... Loading
Starting Shorewall... Modules... Initializing... Determining Zones... Zones: net loc
Loading Modules... Validating interfaces file... Validating hosts file... Determining Hosts
Initializing... in Zones... <emphasis role="bold">Net Zone: eth0:0.0.0.0/0
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
<emphasis role="bold">Net Zone: eth0:0.0.0.0/0
</emphasis><emphasis role="bold">Local Zone: eth1:0.0.0.0/0</emphasis> </emphasis><emphasis role="bold">Local Zone: eth1:0.0.0.0/0</emphasis>
Deleting user chains... Deleting user chains... Creating input Chains... ...</programlisting>
Creating input Chains...
...</programlisting>
<para>Why can't Shorewall detect my interfaces properly?</para> <para>Why can't Shorewall detect my interfaces properly?</para>
@ -1629,11 +1620,11 @@ Creating input Chains...
<para>When I start shorewall I got the following errors.</para> <para>When I start shorewall I got the following errors.</para>
<programlisting>Oct 30 11:13:12 fwr modprobe: modprobe: Can't locate module ipt_conntrack <programlisting>Oct 30 11:13:12 fwr modprobe: modprobe: Can't locate
Oct 30 11:13:17 fwr modprobe: modprobe: Can't locate module ipt_pkttype module ipt_conntrack Oct 30 11:13:17 fwr modprobe: modprobe: Can't
Oct 30 11:13:18 fwr modprobe: modprobe: Can't locate module ipt_pkttype locate module ipt_pkttype Oct 30 11:13:18 fwr modprobe: modprobe: Can't
Oct 30 11:13:57 fwr last message repeated 2 times locate module ipt_pkttype Oct 30 11:13:57 fwr last message repeated 2
Oct 30 11:14:06 fwr root: Shorewall Restarted</programlisting> times Oct 30 11:14:06 fwr root: Shorewall Restarted</programlisting>
<para>The "shorewall status" output seems complying with my rules set. <para>The "shorewall status" output seems complying with my rules set.
Should I worry ? and is there any way to get rid of these errors Should I worry ? and is there any way to get rid of these errors
@ -1663,8 +1654,8 @@ Oct 30 11:14:06 fwr root: Shorewall Restarted</programlisting>
are not disabling a feature in your new kernel that you want to are not disabling a feature in your new kernel that you want to
use.</para> use.</para>
<programlisting>alias ipt_conntrack off <programlisting>alias ipt_conntrack off alias ipt_pkttype
alias ipt_pkttype off</programlisting> off</programlisting>
<para>For users who don't have the pkttype match feature in their <para>For users who don't have the pkttype match feature in their
kernel, I also recommend upgrading to Shorewall 2.0.6 or later and then kernel, I also recommend upgrading to Shorewall 2.0.6 or later and then
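Review bot: the two modules.conf entries are joined into `alias ipt_conntrack off alias ipt_pkttype` followed by a lone `off`, which is not valid alias syntax; a reader following this answer would copy a line that modprobe cannot parse. Keep `alias ipt_conntrack off` and `alias ipt_pkttype off` as two lines.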
@ -1689,15 +1680,12 @@ alias ipt_pkttype off</programlisting>
<para><command>shorewall start</command> produces the following <para><command>shorewall start</command> produces the following
output:</para> output:</para>
<programlisting> <programlisting>… Processing /etc/shorewall/policy... Policy ACCEPT for
Processing /etc/shorewall/policy... fw to net using chain fw2net Policy ACCEPT for loc0 to net using chain
Policy ACCEPT for fw to net using chain fw2net loc02net Policy ACCEPT for loc1 to net using chain loc12net Policy
Policy ACCEPT for loc0 to net using chain loc02net ACCEPT for wlan to net using chain wlan2net Masqueraded Networks and
Policy ACCEPT for loc1 to net using chain loc12net Hosts: iptables: Invalid argument ERROR: Command "/sbin/iptables -t nat
Policy ACCEPT for wlan to net using chain wlan2net -A …" Failed</programlisting>
Masqueraded Networks and Hosts:
iptables: Invalid argument
ERROR: Command "/sbin/iptables -t nat -A …" Failed</programlisting>
<para><emphasis role="bold">Answer</emphasis>: 99.999% of the time, this <para><emphasis role="bold">Answer</emphasis>: 99.999% of the time, this
error is caused by a mismatch between your iptables and kernel.</para> error is caused by a mismatch between your iptables and kernel.</para>
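Review bot: the `shorewall start` output has been collapsed into a paragraph, so `Policy ACCEPT for fw to net using chain fw2net` and the policy lines after it no longer match what the command prints one per line, and the `iptables: Invalid argument` line that the answer refers to is buried mid-line (`Hosts: iptables: Invalid argument ERROR: Command "/sbin/iptables -t nat`). Keep the output's original line structure; the elided `-A …` should stay elided.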
@ -1771,7 +1759,8 @@ iptables: Invalid argument
<para>At the shell prompt, type:</para> <para>At the shell prompt, type:</para>
<programlisting><command>/sbin/shorewall version</command></programlisting> <programlisting><command>/sbin/shorewall
version</command></programlisting>
</section> </section>
<section id="faq31"> <section id="faq31">
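Review bot: the `<command>` element now has a line break between `/sbin/shorewall` and `version`, so the rendered command shows as two lines. Keep `/sbin/shorewall version` on one line.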
@ -1891,7 +1880,8 @@ iptables: Invalid argument
version of Shorewall earlier than 1.3.1, create /etc/shorewall/start and version of Shorewall earlier than 1.3.1, create /etc/shorewall/start and
in it, place the following:</para> in it, place the following:</para>
<programlisting><command>run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</command></programlisting> <programlisting><command>run_iptables -I rfc1918 -s 192.168.100.1 -j
ACCEPT</command></programlisting>
<para>If you are running version 1.3.1 or later, add the following to <para>If you are running version 1.3.1 or later, add the following to
<ulink url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink> <ulink url="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</ulink>
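Review bot: the split of `run_iptables -I rfc1918 -s 192.168.100.1 -j` / `ACCEPT` inside `<command>` turns a one-line command into two; a reader pasting it into /etc/shorewall/start gets `-j` with no target on the first line. Keep the command unbroken.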
@ -1902,8 +1892,7 @@ iptables: Invalid argument
<para>Be sure that you add the entry ABOVE the entry for <para>Be sure that you add the entry ABOVE the entry for
192.168.0.0/16.</para> 192.168.0.0/16.</para>
<programlisting>#SUBNET TARGET <programlisting>#SUBNET TARGET 192.168.100.1 RETURN</programlisting>
192.168.100.1 RETURN</programlisting>
<note> <note>
<para>If you add a second IP address to your external firewall <para>If you add a second IP address to your external firewall
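Review bot: merging the rfc1918 entry onto the heading line gives `#SUBNET TARGET 192.168.100.1 RETURN`, which is entirely a comment because the line starts with `#`; the example no longer contains an active entry, which also makes the sentence about placing it above 192.168.0.0/16 meaningless. Keep the heading and the `192.168.100.1 RETURN` row on separate lines.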
@ -1912,9 +1901,8 @@ iptables: Invalid argument
configure the address 192.168.100.2 on your firewall, then you would configure the address 192.168.100.2 on your firewall, then you would
add two entries to /etc/shorewall/rfc1918:</para> add two entries to /etc/shorewall/rfc1918:</para>
<programlisting>#SUBNET TARGET <programlisting>#SUBNET TARGET 192.168.100.1 RETURN 192.168.100.2
192.168.100.1 RETURN RETURN</programlisting>
192.168.100.2 RETURN</programlisting>
</note> </note>
<section id="faq14a"> <section id="faq14a">
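Review bot: the two-entry example in the note has the same defect: `#SUBNET TARGET 192.168.100.1 RETURN 192.168.100.2` is a single comment line and the next line is a lone `RETURN` with no subnet. Each of the two entries needs its own line.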
@ -1933,8 +1921,10 @@ iptables: Invalid argument
<para>I see the following in my log:</para> <para>I see the following in my log:</para>
<programlisting>Mar 1 18:20:07 Mail kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.1 LEN=60 <programlisting>Mar 1 18:20:07 Mail kernel:
TOS=0x00 PREC=0x00 TTL=64 ID=26774 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 </programlisting> Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.1
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26774 DF PROTO=TCP SPT=32797
DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0</programlisting>
<para>Answer: The fact that the message is being logged from the <para>Answer: The fact that the message is being logged from the
OUTPUT chain means that the destination IP address is not in any OUTPUT chain means that the destination IP address is not in any
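Review bot: the kernel log message is now wrapped across four lines (`Mar 1 18:20:07 Mail kernel:` / `Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.1` / ...), but it is a single syslog line; readers comparing it with their own logs will not find the wrapped form. Keep it on one line, or at most the two-line wrap the old side already used.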
@ -1946,8 +1936,8 @@ TOS=0x00 PREC=0x00 TTL=64 ID=26774 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=5840 RES
<para>Add a zone for the modem in <para>Add a zone for the modem in
<filename>/etc/shorewall/zones</filename>:</para> <filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE DISPLAY COMMENTS <programlisting>#ZONE DISPLAY COMMENTS modem ADSLModem Zone for
modem ADSLModem Zone for modem</programlisting> modem</programlisting>
</listitem> </listitem>
<listitem> <listitem>
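Review bot: the zones example became `#ZONE DISPLAY COMMENTS modem ADSLModem Zone for` plus a trailing `modem`, so the `modem` zone definition sits on the comment line and the last word is a stray field; copied as shown, the zone is never defined. One entry per line, as on the old side.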
@ -1956,17 +1946,16 @@ modem ADSLModem Zone for modem</programlisting>
to your modem) in to your modem) in
<filename>/etc/shorewall/interfaces</filename>:</para> <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE BROADCAST OPTIONS modem eth0
modem eth0 detect</programlisting> detect</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>Allow web traffic to the modem in <para>Allow web traffic to the modem in
<filename>/etc/shorewall/rules</filename>:</para> <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT fw
ACCEPT fw modem tcp 80 modem tcp 80 ACCEPT loc modem tcp 80</programlisting>
ACCEPT loc modem tcp 80</programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
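Review bot: both snippets in this hunk lose their one-entry-per-line layout: the interfaces example `#ZONE INTERFACE BROADCAST OPTIONS modem eth0` / `detect` puts the interface entry on the comment line, and the rules block now reads `ACCEPT fw` / `modem tcp 80 ACCEPT loc modem tcp 80`, so neither ACCEPT rule parses as written. Restore the old layout.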
@ -1980,8 +1969,8 @@ ACCEPT loc modem tcp 80</programlisting>
<para><filename>/etc/shorewall/masq</filename>:</para> <para><filename>/etc/shorewall/masq</filename>:</para>
<programlisting>#INTERFACE SUBNET ADDRESS <programlisting>#INTERFACE SUBNET ADDRESS eth0 eth1 # eth1 = interface
eth0 eth1 # eth1 = interface to local network</programlisting> to local network</programlisting>
<para>For an example of this when the ADSL/Cable modem is bridged, see <para>For an example of this when the ADSL/Cable modem is bridged, see
<ulink url="myfiles.htm">my configuration</ulink>. In that case, I <ulink url="myfiles.htm">my configuration</ulink>. In that case, I
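Review bot: the masq entry is merged onto the comment header (`#INTERFACE SUBNET ADDRESS eth0 eth1 # eth1 = interface`) and its trailing comment is split, leaving `to local network` as a line that would be read as a malformed masq entry if copied. Keep the header on its own line and `eth0 eth1` with its comment on one entry line.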
@ -2038,7 +2027,8 @@ eth0 eth1 # eth1 = interface to local netwo
<example> <example>
<title>Example:</title> <title>Example:</title>
<programlisting>ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp 22</programlisting> <programlisting>ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp
22</programlisting>
</example> </example>
</section> </section>
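Review bot: the example rule is now split `ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp` / `22`, separating the DEST PORT column from the rest of the rule; a rules file entry must be a single line.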
@ -2063,7 +2053,8 @@ eth0 eth1 # eth1 = interface to local netwo
<para>Otherwise, add this command to your /etc/shorewall/start <para>Otherwise, add this command to your /etc/shorewall/start
file:</para> file:</para>
<programlisting><command>run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP</command></programlisting> <programlisting><command>run_iptables -D OUTPUT -p ! icmp -m state
--state INVALID -j DROP</command></programlisting>
</section> </section>
</section> </section>
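Review bot: the `run_iptables -D OUTPUT -p ! icmp -m state` / `--state INVALID -j DROP` command is broken across two lines inside `<command>`; pasted into /etc/shorewall/start, the first line has `-m state` with no `--state` argument. Keep it on one line.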
@ -2086,19 +2077,14 @@ eth0 eth1 # eth1 = interface to local netwo
<para>The last few lines of <ulink url="troubleshoot.htm">a startup <para>The last few lines of <ulink url="troubleshoot.htm">a startup
trace</ulink> are these:</para> trace</ulink> are these:</para>
<programlisting>+ run_iptables2 -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j <programlisting>+ run_iptables2 -t nat -A eth0_masq -s 192.168.2.0/24
MASQUERADE -d 0.0.0.0/0 -j MASQUERADE + '[' 'x-t nat -A eth0_masq -s
+ '[' 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE' = 'x-t nat -A eth0_masq -s
MASQUERADE' = 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0. 192.168.2.0/24 -d 0.0.0. 0/0 -j MASQUERADE' ']' + run_iptables -t nat
0/0 -j MASQUERADE' ']' -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE + iptables
+ run_iptables -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE
MASQUERADE iptables: Invalid argument + '[' -z '' ']' + stop_firewall + set
+ iptables -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j +x</programlisting>
MASQUERADE
iptables: Invalid argument
+ '[' -z '' ']'
+ stop_firewall
+ set +x</programlisting>
<para><emphasis role="bold">Answer:</emphasis> Your new kernel <para><emphasis role="bold">Answer:</emphasis> Your new kernel
contains headers that are incompatible with the ones used to compile contains headers that are incompatible with the ones used to compile
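Review bot: the startup trace is reflowed into prose-like lines (`-d 0.0.0.0/0 -j MASQUERADE + '[' 'x-t nat -A eth0_masq -s`), which hides where each `+` traced command begins and buries the `iptables: Invalid argument` error mid-line. A trace is only useful verbatim, so keep the old line breaks; while here, the `0.0.0.` / `0/0` split inside the quoted string, present on both sides, could be joined back to `0.0.0.0/0`.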
@ -2122,15 +2108,15 @@ iptables: Invalid argument
everyone's site. Adsense is a Javascript that people add to their Web everyone's site. Adsense is a Javascript that people add to their Web
pages. So I entered the rule:</para> pages. So I entered the rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO <programlisting>#ACTION SOURCE DEST PROTO REJECT fw
REJECT fw net:pagead2.googlesyndication.com all</programlisting> net:pagead2.googlesyndication.com all</programlisting>
<para>However, this also sometimes restricts access to "google.com". Why <para>However, this also sometimes restricts access to "google.com". Why
is that? Using dig, I found these IPs for domain is that? Using dig, I found these IPs for domain
googlesyndication.com:<programlisting>216.239.37.99 googlesyndication.com:<programlisting>216.239.37.99
216.239.39.99</programlisting>And this for google.com:<programlisting>216.239.37.99 216.239.39.99</programlisting>And this for
216.239.39.99 google.com:<programlisting>216.239.37.99 216.239.39.99
216.239.57.99</programlisting>So my guess is that you are not actually 216.239.57.99</programlisting>So my guess is that you are not actually
blocking the domain, but rather the IP being called. So how in the world blocking the domain, but rather the IP being called. So how in the world
do you block an actual domain name?</para> do you block an actual domain name?</para>
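Review bot: the rule is now split `REJECT fw` / `net:pagead2.googlesyndication.com all` between the SOURCE and DEST columns, and the two `dig` address lists are collapsed to one line each (`216.239.37.99 216.239.39.99`), which obscures that the first host resolves to two addresses and the second to three, the point the question is making. Keep the rule on one line and one address per line.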
@ -2150,24 +2136,23 @@ REJECT fw net:pagead2.googlesyndication.com all</programlisting
expressed in terms of those IP addresses. So the rule that you entered expressed in terms of those IP addresses. So the rule that you entered
was equivalent to:</para> was equivalent to:</para>
<para><programlisting>#ACTION SOURCE DEST PROTO <para><programlisting>#ACTION SOURCE DEST PROTO REJECT fw
REJECT fw net:216.239.37.99 all net:216.239.37.99 all REJECT fw net:216.239.39.99
REJECT fw net:216.239.39.99 all</programlisting>Given that all</programlisting>Given that name-based multiple hosting is a common
name-based multiple hosting is a common practice (another example: practice (another example: lists.shorewall.net and www1.shorewall.net
lists.shorewall.net and www1.shorewall.net are both hosted on the same are both hosted on the same system with a single IP address), it is not
system with a single IP address), it is not possible to filter possible to filter connections to a particular name by examiniation of
connections to a particular name by examiniation of protocol headers protocol headers alone. While some protocols such as <ulink
alone. While some protocols such as <ulink url="FTP.html">FTP</ulink> url="FTP.html">FTP</ulink> require the firewall to examine and possibly
require the firewall to examine and possibly modify packet payload, modify packet payload, parsing the payload of individual packets doesn't
parsing the payload of individual packets doesn't always work because always work because the application-level data stream can be split
the application-level data stream can be split across packets in across packets in arbitrary ways. This is one of the weaknesses of the
arbitrary ways. This is one of the weaknesses of the 'string match' 'string match' Netfilter extension available in Patch-O-Matic. The only
Netfilter extension available in Patch-O-Matic. The only sure way to sure way to filter on packet content is to proxy the connections in
filter on packet content is to proxy the connections in question -- in question -- in the case of HTTP, this means running something like
the case of HTTP, this means running something like <ulink <ulink url="Shorewall_Squid_Usage.html">Squid</ulink>. Proxying allows
url="Shorewall_Squid_Usage.html">Squid</ulink>. Proxying allows the the proxy process to assemble complete application-level messages which
proxy process to assemble complete application-level messages which can can then be accurately parsed and decisions can be made based on the
then be accurately parsed and decisions can be made based on the
result.</para> result.</para>
</section> </section>
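Review bot: the expanded-rules listing is now `REJECT fw` / `net:216.239.37.99 all REJECT fw net:216.239.39.99` / `all`, so the two REJECT rules are no longer one per line; since this listing is meant to show the rules the user's entry expands to, keep them on two lines. Also `examiniation` (on both sides) should be `examination`.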
@ -2179,27 +2164,16 @@ REJECT fw net:216.239.39.99 all</programlisting>Given that
check</command>. There is a section near the top of the resulting output check</command>. There is a section near the top of the resulting output
that gives you a synopsis of your kernel/iptables capabilities.</para> that gives you a synopsis of your kernel/iptables capabilities.</para>
<programlisting>gateway:/etc/shorewall # shorewall check <programlisting>gateway:/etc/shorewall # shorewall check Loading
Loading /usr/share/shorewall/functions... /usr/share/shorewall/functions... Processing /etc/shorewall/params ...
Processing /etc/shorewall/params ... Processing /etc/shorewall/shorewall.conf... Loading Modules... Notice:
Processing /etc/shorewall/shorewall.conf... The 'check' command is unsupported and problem reports complaining about
Loading Modules... errors that it didn't catch will not be accepted Shorewall has detected
the following iptables/netfilter capabilities: NAT: Available Packet
Notice: The 'check' command is unsupported and problem Mangling: Available Multi-port Match: Available Connection Tracking
reports complaining about errors that it didn't catch Match: Available Packet Type Match: Not available Policy Match:
will not be accepted Available Physdev Match: Available IP range Match: Available Verifying
Configuration... ...</programlisting>
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Not available
Policy Match: Available
Physdev Match: Available
IP range Match: Available
Verifying Configuration...
...</programlisting>
</section> </section>
</section> </section>
</article> </article>
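Review bot: the `shorewall check` transcript is collapsed so the capability list (`NAT: Available Packet` / `Mangling: Available Multi-port Match: Available Connection Tracking`) no longer has one capability per line, and `Packet Type Match: Not available`, the line this FAQ exists to point at, is split across two lines. Keep the transcript verbatim.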

Binary file not shown.