diff --git a/Shorewall-docs/Documentation.htm b/Shorewall-docs/Documentation.htm index 5bc38e28f..82de396d7 100644 --- a/Shorewall-docs/Documentation.htm +++ b/Shorewall-docs/Documentation.htm @@ -1,333 +1,345 @@
- + - + - +
- Shorewall 1.3 Reference- |
-
Shorewall consists of the following components:
- -Shorewall consists of the following components:
+ +You may use the file /etc/shorewall/params file to set shell variables - that you can then use in some of the other configuration files.
- + that you can then use in some of the other configuration files. +It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally - within the Shorewall programs
- + within the Shorewall programs +Example:
- +NET_IF=eth0- +
NET_BCAST=130.252.100.255
NET_OPTIONS=noping,norfc1918
Example (/etc/shorewall/interfaces record):
- +net $NET_IF $NET_BCAST $NET_OPTIONS- +
The result will be the same as if the record had been written
- +net eth0 130.252.100.255 noping,norfc1918- +
Variables may be used anywhere in the other configuration - files.
- + files. +This file is used to define the network zones. There is one entry - in /etc/shorewall/zones for each zone; Columns in an entry are:
- -The /etc/shorewall/zones file released with Shorewall is as follows:
- -ZONE | -DISPLAY | -COMMENTS | -|||||||||||
net | -Net | -Internet | -|||||||||||
loc | -Local | -Local networks | -|||||||||||
dmz | -DMZ | -Demilitarized zone | -
ZONE | +DISPLAY | +COMMENTS | +
net | +Net | +Internet | +
loc | +Local | +Local networks | +
dmz | +DMZ | +Demilitarized zone | +
You may add, delete and modify entries in the /etc/shorewall/zones file - as desired so long as you have at least one zone defined.
- + as desired so long as you have at least one zone defined. +Warning 1: If you rename or delete a zone, you should perform "shorewall - stop; shorewall start" to install the change rather than "shorewall restart".
- + stop; shorewall start" to install the change rather than "shorewall +restart". +Warning 2: The order of entries in the /etc/shorewall/zones file is - significant in some cases.
- + significant in some cases. +This file is used to tell the firewall which of your firewall's network - interfaces are connected to which zone. There will be one entry in -/etc/shorewall/interfaces for each of your interfaces. Columns in an entry - are:
- + interfaces are connected to which zone. There will be one entry in + /etc/shorewall/interfaces for each of your interfaces. Columns in an entry + are: + blacklist - This option causes incoming packets on this
- interface to be checked against the blacklist.
-
- dhcp - The interface is assigned an IP address via DHCP or is
- used by a DHCP server running on the firewall. The firewall will
- be configured to allow DHCP traffic to and from the interface even
- when the firewall is stopped. You may also wish to use this option if
-you have a static IP but you are on a LAN segment that has a lot of
+
tcpflags (added in version 1.3.11) - This option causes
+Shorewall to make sanity checks on the header flags in TCP packets arriving
+on this interface. Packets failing these checks are logged according to the
+TCP_FLAGS_LOG_LEVEL option in /etc/shorewall/shorewall.conf
+and are disposed of according to the TCP_FLAGS_DISPOSITION option.
+
+blacklist - This option causes incoming packets on this
+ interface to be checked against the blacklist.
+
+ dhcp - The interface is assigned an IP address via DHCP or
+is used by a DHCP server running on the firewall. The firewall
+will be configured to allow DHCP traffic to and from the interface
+even when the firewall is stopped. You may also wish to use this option
+if you have a static IP but you are on a LAN segment that has a lot of
Laptops that use DHCP and you select the norfc1918 option (see
below).
noping - ICMP echo-request (ping) packets addressed to
- the firewall will be ignored by this interface.
-
- filterping - ICMP echo-request (ping) packets addressed to
-the firewall will be handled according to the /etc/shorewall/rules and
- /etc/shorewall/policy file. If the applicable policy is DROP or REJECT
-and you have supplied your own /etc/shorewall/icmpdef file then these
-'ping' requests will be passed through the rules in that file before being
-dropped or rejected. If neither noping nor filterping is
-specified then the firewall will automatically ACCEPT these 'ping' requests.
-If both noping and filterping are specified, filterping
- takes precedence.
routestopped - Beginning with Shorewall 1.3.4, this option - is deprecated in favor of the /etc/shorewall/routestopped - file. When the firewall is stopped, traffic to and from this interface - will be accepted and routing will occur between this interface and - other routestopped interfaces.
+ is deprecated in favor of the /etc/shorewall/routestopped + file. When the firewall is stopped, traffic to and from this interface + will be accepted and routing will occur between this interface and + other routestopped interfaces. - + norfc1918 - Packets arriving on this interface and that
- have a source address that is reserved in RFC 1918 or in other RFCs will
- be dropped after being optionally logged. If packet mangling
- is enabled in /etc/shorewall/shorewall.conf , then packets arriving
- on this interface that have a destination address that is reserved
-by one of these RFCs will also be logged and dropped.
-
- Addresses blocked by the standard rfc1918
- file include those addresses reserved by RFC1918 plus other
-ranges reserved by the IANA or by other RFCs.
Beware that as IPv4 addresses become in increasingly short supply, - ISPs are beginning to use RFC 1918 addresses within their own infrastructure. - Also, many cable and DSL "modems" have an RFC 1918 address that can be - used through a web browser for management and monitoring functions. If - you want to specify norfc1918 on your external interface but need - to allow access to certain addresses from the above list, see norfc1918 on your external interface but +need to allow access to certain addresses from the above list, see FAQ 14.
- +routefilter - Invoke the Kernel's route filtering - (anti-spoofing) facility on this interface. The kernel will reject - any packets incoming on this interface that have a source address - that would be routed outbound through another interface on the firewall. - Warning: If you specify this option - for an interface then the interface must be up prior to starting the - firewall.
+ (anti-spoofing) facility on this interface. The kernel will reject + any packets incoming on this interface that have a source address + that would be routed outbound through another interface on the firewall. + Warning: If you specify this option + for an interface then the interface must be up prior to starting the + firewall. - +multi - The interface has multiple addresses and - you want to be able to route between them. Example: you have two -addresses on your single local interface eth1, one each in subnets -192.168.1.0/24 and 192.168.2.0/24 and you want to route between these -subnets. Because you only have one interface in the local zone, Shorewall -won't normally create a rule to forward packets from eth1 to eth1. -Adding "multi" to the entry for eth1 will cause Shorewall to create -the loc2loc chain and the appropriate forwarding rule.
- + you want to be able to route between them. Example: you have two + addresses on your single local interface eth1, one each in subnets + 192.168.1.0/24 and 192.168.2.0/24 and you want to route between these + subnets. Because you only have one interface in the local zone, Shorewall + won't normally create a rule to forward packets from eth1 to eth1. + Adding "multi" to the entry for eth1 will cause Shorewall to create + the loc2loc chain and the appropriate forwarding rule. +dropunclean - Packets from this interface that
are selected by the 'unclean' match target in iptables will
be optionally logged and then dropped.
- Warning: This feature requires
- that UNCLEAN match support be configured in your kernel,
- either in the kernel itself or as a module. UNCLEAN
- support is broken in some versions of the kernel but appears
- to work ok in 2.4.17-rc1.
-
- Update 12/17/2001: The unclean match
-patch from 2.4.17-rc1 is Warning: This feature
+requires that UNCLEAN match support be configured in your
+ kernel, either in the kernel itself or as a module. UNCLEAN
+ support is broken in some versions of the kernel but appears
+ to work ok in 2.4.17-rc1.
+
+ Update 12/17/2001: The unclean match
+ patch from 2.4.17-rc1 is available
- for download. I am currently running this patch
- applied to kernel 2.4.16.
Update 12/20/2001: I've - seen a number of tcp connection requests with OPT + seen a number of tcp connection requests with OPT (020405B40000080A...) being dropped in the badpkt chain. This appears to be a bug in the remote TCP stack whereby it is 8-byte aligning @@ -338,795 +350,812 @@ a timestamp (TCP option 8) but rather than padding with 0x01 the check that causes these connections to be dropped, here's a kernel patch against 2.4.17-rc2.
- +logunclean - This option works like dropunclean - with the exception that packets selected by the 'unclean' - match target in iptables are logged but not dropped. - The level at which the packets are logged is determined - by the setting of LOGUNCLEAN - and if LOGUNCLEAN has not been set, "info" is assumed.
- + with the exception that packets selected by the 'unclean' + match target in iptables are logged but not dropped. + The level at which the packets are logged is determined + by the setting of LOGUNCLEAN + and if LOGUNCLEAN has not been set, "info" is assumed. +proxyarp (Added in version 1.3.5) - This option
causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp
- and is used when implementing Proxy ARP Sub-netting
- as described at
http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. Do
not set this option if you are implementing Proxy ARP
through entries in
/etc/shorewall/proxyarp.
-
- maclist (Added in version 1.3.10) - If this option is specified,
-all connection requests from this interface are subject to
+ maclist (Added in version 1.3.10) - If this option is specified,
+ all connection requests from this interface are subject to MAC Verification. May only be specified for
-ethernet interfaces.
-
Example 1: You have a conventional firewall setup in which eth0 connects - to a Cable or DSL modem and eth1 connects to your local network and eth0 - gets its IP address via DHCP. You want to ignore ping requests from the - internet and you want to check all packets entering from - the internet against the black list. - Your /etc/shorewall/interfaces file would be as follows:
- --+ + +- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -net -eth0 -detect -dhcp,noping,norfc1918,blacklist -- - - - + ethernet interfaces.loc -eth1 -detect --
+ + -
Example 1: You have a conventional firewall setup in which eth0 connects + to a Cable or DSL modem and eth1 connects to your local network and +eth0 gets its IP address via DHCP. You want to ignore ping requests from +the internet and you want to check all packets entering +from the internet against the black +list. Your /etc/shorewall/interfaces file would be as follows:
-Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces - file would be:
- - -+- -+- +
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- +net -ppp0 -- - ZONE +INTERFACE +BROADCAST +OPTIONS + ++ +net +eth0 +detect +dhcp,noping,norfc1918,blacklist ++ - +loc +eth1 +detect ++
Example 3: You have local interface eth1 with two IP - addresses - 192.168.1.1/24 and 192.168.12.1/24
- -+ +- +Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces + file would be:
+ + +- + +- -
- -ZONE -INTERFACE -BROADCAST -OPTIONS -- + +loc -eth1 -192.168.1.255,192.168.12.255 -- + +ZONE +INTERFACE +BROADCAST +OPTIONS ++ - - + + +net +ppp0 ++ + Example 3: You have local interface eth1 with two IP + addresses - 192.168.1.1/24 and 192.168.12.1/24
+ +++ ++ +
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ + + + +loc +eth1 +192.168.1.255,192.168.12.255 ++ /etc/shorewall/hosts - Configuration
- + Configuration +For most applications, specifying zones entirely in terms of network interfaces is sufficient. There may be times though where you need to define a zone to be a more general collection of hosts. This is the purpose of the /etc/shorewall/hosts file.
- +WARNING: 90% of Shorewall users don't need to put entries in this file and 80% of those who try to add such entries do it wrong. Unless you are ABSOLUTELY SURE that you need entries in this file, don't touch it.
- +Columns in this file are:
- +-
- -- ZONE - A zone defined in the /etc/shorewall/zones - file.
-- HOST(S) - The name of a network interface followed -by a colon (":") followed by either:
- +- ZONE - A zone defined in the /etc/shorewall/zones + file.
+- HOST(S) - The name of a network interface followed + by a colon (":") followed by either:
+- -- -- -
- - -- An IP address (example - eth1:192.168.1.3)
- -- A subnet in CIDR notation - (example - eth2:192.168.2.0/24)
- - -The interface name much match an entry in /etc/shorewall/interfaces.
--
- - +- OPTIONS - A comma-separated list of options.
- -++ ++ +
+ + +- An IP address (example - eth1:192.168.1.3)
+ +- A subnet in CIDR notation + (example - eth2:192.168.2.0/24)
+ + +The interface name much match an entry in /etc/shorewall/interfaces.
++
+ + +- OPTIONS - A comma-separated list of options.
+ +++ for ethernet interfaces.routestopped - Beginning with Shorewall 1.3.4, this option is deprecated in favor of the /etc/shorewall/routestopped file. When the firewall is stopped, traffic to and from - this host (these hosts) will be accepted and routing will occur between - this host and other routestopped interfaces and hosts.
-
-
- maclist - Added in version 1.3.10. If specified, connection requests -from the hosts specified in this entry are subject to routestopped interfaces and hosts.
+
+ maclist - Added in version 1.3.10. If specified, connection requests + from the hosts specified in this entry are subject to MAC Verification. This option is only valid -for ethernet interfaces.
-
+ +
If you don't define any hosts for a zone, the hosts in the zone default - to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the interfaces - to the zone.
+ to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the interfaces + to the zone. - +Note 1: You probably DON'T want to specify any hosts for your internet zone since the hosts that you specify will be the only ones that you will be able to access without adding additional rules.
- +Note 2: The setting of the MERGE_HOSTS variable - in /etc/shorewall/shorewall.conf - has an important effect on how the host file -is processed. Please read the description of that - variable carefully.
+ in /etc/shorewall/shorewall.conf + has an important effect on how the host file + is processed. Please read the description of +that variable carefully. - +Example:
- +Your local interface is eth1 and you have two groups of local hosts that - you want to make into separate zones:
- + you want to make into separate zones: +Your /etc/shorewall/interfaces file might look like:
- -+ +- -- - -- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -net -eth0 -detect -dhcp,noping,norfc1918 -- - - - - -- -eth1 -detect -- The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces - to multiple zones.
- - -Your /etc/shorewall/hosts file might look like:
- - -- -- - -- +
-- -ZONE -HOST(S) -OPTIONS -- -loc1 -eth1:192.168.1.0/25 -- - - - - - -loc2 -eth1:192.168.1.128/25 -routestopped -Hosts in 'loc2' can communicate with the firewall while Shorewall is - stopped -- those in 'loc1' cannot.
- - -Nested and Overlapping Zones
- - -The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow -you to define nested or overlapping zones. Such overlapping/nested zones - are allowed and Shorewall processes zones in the order that they appear - in the /etc/shorewall/zones file. So if you have nested zones, you want - the sub-zone to appear before the super-zone and in the case of overlapping - zones, the rules that will apply to hosts that belong to both zones is - determined by which zone appears first in /etc/shorewall/zones.
- - -Hosts that belong to more than one zone may be managed by the rules - of all of those zones. This is done through use of the special CONTINUE policy described below.
- - -- /etc/shorewall/policy Configuration.
- - -This file is used to describe the firewall policy regarding establishment - of connections. Connection establishment is described in terms of clients - who initiate connections and servers who receive those connection - requests. Policies defined in /etc/shorewall/policy describe which zones - are allowed to establish connections with other zones.
- - -Policies established in /etc/shorewall/policy can be viewed as default - policies. If no rule in /etc/shorewall/rules applies to a particular - connection request then the policy from /etc/shorewall/policy is applied.
- - -Four policies are defined:
- - --
- - -- ACCEPT - The connection is allowed.
-- DROP - The connection request is ignored.
-- REJECT - The connection request is rejected with an - RST (TCP) or an ICMP destination-unreachable packet being returned - to the client.
-- CONTINUE - The connection is neither ACCEPTed, DROPped - nor REJECTed. CONTINUE may be used when one or both of the zones named - in the entry are sub-zones of or intersect with another zone. For -more information, see below.
- -For each policy specified in /etc/shorewall/policy, you can indicate - that you want a message sent to your system log each time that the policy - is applied.
- - -Entries in /etc/shorewall/policy have four columns as follows:
- - -- -
- - -- SOURCE - The name of a -client zone (a zone defined in the /etc/shorewall/zones - file , the name of the firewall zone or "all").
- -- DEST - The name of a destination - zone (a zone defined in the /etc/shorewall/zones - file , the name of the firewall zone or "all").
- -- POLICY - The default policy - for connection requests from the SOURCE zone to the DESTINATION zone.
- -- LOG LEVEL - Optional. If - left empty, no log message is generated when the policy is applied. - Otherwise, this column should contain an integer or name indicating - a syslog level. See the syslog.conf man page for a description of -each log level.
- -- LIMIT:BURST - Optional. If -left empty, TCP connection requests from the SOURCE zone to the - DEST zone will not be rate-limited. Otherwise, this column -specifies the maximum rate at which TCP connection requests will be accepted -followed by a colon (":") followed by the maximum burst size that will -be tolerated. Example: 10/sec:40 specifies that the maximum -rate of TCP connection requests allowed will be 10 per second and a burst -of 40 connections will be tolerated. Connection requests in excess of -these limits will be dropped.
- - -In the SOURCE and DEST columns, you can enter "all" to indicate all - zones.
- - -The policy file installed by default is as follows:
- - -- -+- -
-- -SOURCE -DEST -POLICY -LOG LEVEL -LIMIT:BURST -- -loc -net -ACCEPT -- - - - -net -all -DROP -info -- - +all -all -REJECT -info -- ZONE +INTERFACE +BROADCAST +OPTIONS + ++ +net +eth0 +detect +dhcp,noping,norfc1918 ++ - +- +eth1 +detect ++
This table may be interpreted as follows:
- -WARNING:
- -The firewall script processes the - /etc/shorewall/policy file from top to bottom and uses the first applicable - policy that it finds. For example, in the following policy file, - the policy for (loc, loc) connections would be ACCEPT as specified in - the first entry even though the third entry in the file specifies REJECT.
- -+ ++ + +The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces + to multiple zones.
+ + +Your /etc/shorewall/hosts file might look like:
+ + ++- -- -
-- -SOURCE -DEST -POLICY -LOG LEVEL -LIMIT:BURST -- -loc -all -ACCEPT -- - - -net -all -DROP -info -- - + +loc -loc -REJECT -info -- + +ZONE +HOST(S) +OPTIONS ++ +loc1 +eth1:192.168.1.0/25 ++ + - +loc2 +eth1:192.168.1.128/25 +routestopped +- The CONTINUE policy
- -Where zones are nested or overlapping , the - CONTINUE policy allows hosts that are within multiple zones to be managed - under the rules of all of these zones. Let's look at an example:
- -/etc/shorewall/zones:
- -++ + +Hosts in 'loc2' can communicate with the firewall while Shorewall is + stopped -- those in 'loc1' cannot.
+ + +Nested and Overlapping Zones
+ + +The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow +you to define nested or overlapping zones. Such overlapping/nested zones + are allowed and Shorewall processes zones in the order that they appear + in the /etc/shorewall/zones file. So if you have nested zones, you want + the sub-zone to appear before the super-zone and in the case of overlapping + zones, the rules that will apply to hosts that belong to both zones +is determined by which zone appears first in /etc/shorewall/zones.
+ + +Hosts that belong to more than one zone may be managed by the rules + of all of those zones. This is done through use of the special CONTINUE policy described below.
+ + ++ /etc/shorewall/policy Configuration.
+ + +This file is used to describe the firewall policy regarding establishment + of connections. Connection establishment is described in terms of clients + who initiate connections and servers who receive those connection + requests. Policies defined in /etc/shorewall/policy describe which zones + are allowed to establish connections with other zones.
+ + +Policies established in /etc/shorewall/policy can be viewed as default + policies. If no rule in /etc/shorewall/rules applies to a particular + connection request then the policy from /etc/shorewall/policy is applied.
+ + +Four policies are defined:
+ + ++
+ + +- ACCEPT - The connection is allowed.
+- DROP - The connection request is ignored.
+- REJECT - The connection request is rejected with +an RST (TCP) or an ICMP destination-unreachable packet being returned + to the client.
+- CONTINUE - The connection is neither ACCEPTed, +DROPped nor REJECTed. CONTINUE may be used when one or both of the +zones named in the entry are sub-zones of or intersect with another +zone. For more information, see below.
+ +For each policy specified in /etc/shorewall/policy, you can indicate + that you want a message sent to your system log each time that the policy + is applied.
+ + +Entries in /etc/shorewall/policy have four columns as follows:
+ + ++ +
+ + +- SOURCE - The name of +a client zone (a zone defined in the /etc/shorewall/zones + file , the name of the firewall zone or +"all").
+ +- DEST - The name of a +destination zone (a zone defined in the /etc/shorewall/zones + file , the name of the firewall zone or "all"). +Shorewall automatically allows all traffic from the firewall to itself so +the name of the firewall zone cannot appear in both the +SOURCE and DEST columns.
+ +- POLICY - The default +policy for connection requests from the SOURCE zone to the DESTINATION +zone.
+ +- LOG LEVEL - Optional. +If left empty, no log message is generated when the policy is applied. + Otherwise, this column should contain an integer or name indicating + a syslog level. See the syslog.conf man page for a description of + each log level.
+ +- LIMIT:BURST - Optional. +If left empty, TCP connection requests from the SOURCE zone +to the DEST zone will not be rate-limited. Otherwise, this +column specifies the maximum rate at which TCP connection requests will +be accepted followed by a colon (":") followed by the maximum burst size +that will be tolerated. Example: 10/sec:40 specifies that +the maximum rate of TCP connection requests allowed will be 10 per second +and a burst of 40 connections will be tolerated. Connection requests in +excess of these limits will be dropped.
+ + +In the SOURCE and DEST columns, you can enter "all" to indicate all + zones.
+ + +The policy file installed by default is as follows:
+ + ++ ++- -
-- -ZONE -DISPLAY -COMMENTS -- -sam -Sam -Sam's system at home -- -net -Internet -The Internet -- + +loc -Loc -Local Network -+ +SOURCE +DEST +POLICY +LOG LEVEL +LIMIT:BURST ++ +loc +net +ACCEPT ++ + + + +net +all +DROP +info ++ + - +all +all +REJECT +info ++
This table may be interpreted as follows:
+ +/etc/shorewall/interfaces:
+WARNING:
-+-The firewall script processes the + /etc/shorewall/policy file from top to bottom and uses the first +applicable policy that it finds. For example, in the following +policy file, the policy for (loc, loc) connections would be ACCEPT as + specified in the first entry even though the third entry in the file specifies + REJECT.
+ +++- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -- -eth0 -detect -dhcp,noping,norfc1918 -- + +loc -eth1 -detect -routestopped -+ +SOURCE +DEST +POLICY +LOG LEVEL +LIMIT:BURST ++ +loc +all +ACCEPT ++ + + +net +all +DROP +info ++ + - +loc +loc +REJECT +info ++
/etc/shorewall/hosts:
++-Where zones are nested or overlapping , the + CONTINUE policy allows hosts that are within multiple zones to be managed + under the rules of all of these zones. Let's look at an example:
+ +/etc/shorewall/zones:
+ ++- -
-- -ZONE -HOST(S) -OPTIONS -- -net -eth0:0.0.0.0/0 -- - + +sam -eth0:206.191.149.197 -routestopped -+ +ZONE +DISPLAY +COMMENTS ++ +sam +Sam +Sam's system at home ++ +net +Internet +The Internet ++ - - +loc +Loc +Local Network +
Note that Sam's home system is a member of both the sam zone - and the net zone and as described above , that means that sam must -be listed before net in /etc/shorewall/zones.
+/etc/shorewall/interfaces:
-/etc/shorewall/policy:
- -+-+- -
-- -SOURCE -DEST -POLICY -LOG LEVEL -- -loc -net -ACCEPT -- - -sam -all -CONTINUE -- - -net -all -DROP -info -- + +all -all -REJECT -info -+ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +- +eth0 +detect +dhcp,noping,norfc1918 ++ - +loc +eth1 +detect +routestopped +
The second entry above says that when Sam is the client, connection - requests should first be process under rules where the source zone is -sam and if there is no match then the connection request should be -treated under rules where the source zone is net. It is important -that this policy be listed BEFORE the next policy (net to all).
+/etc/shorewall/hosts:
-Partial /etc/shorewall/rules:
- -++ -- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- -... -- - - - - - - -DNAT -sam -loc:192.168.1.3 -tcp -ssh -- -- - -DNAT -net -loc:192.168.1.5 -tcp -www -- -- - + +... -- - - - - - + +ZONE +HOST(S) +OPTIONS ++ +net +eth0:0.0.0.0/0 ++ + - +sam +eth0:206.191.149.197 +routestopped +
Given these two rules, Sam can connect to the firewall's internet interface - with ssh and the connection request will be forwarded to 192.168.1.3. -Like all hosts in the net zone, Sam can connect to the firewall's -internet interface on TCP port 80 and the connection request will be forwarded -to 192.168.1.5. The order of the rules is not significant.
- -Sometimes it is necessary to suppress port forwarding - for a sub-zone. For example, suppose that all hosts can SSH to the firewall - and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the - firewall's external IP, he should be connected to the firewall itself. - Because of the way that Netfilter is constructed, this requires two -rules as follows:
- --+ +- Note that Sam's home system is a member of both the sam zone + and the net zone and as described above , that means that sam must +be listed before net in /etc/shorewall/zones. + +
/etc/shorewall/policy:
+ +++- -
- +ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- -- - - - - - - - -... -- - - - - - - -DNAT -sam -fw -tcp -ssh -- -- - -DNAT -net!sam -loc:192.168.1.3 -tcp -ssh -- -- - +... -- - - - - - SOURCE +DEST +POLICY +LOG LEVEL + ++ +loc +net +ACCEPT ++ + +sam +all +CONTINUE ++ + +net +all +DROP +info ++ - - + + + +all +all +REJECT +info +The second entry above says that when Sam is the client, connection + requests should first be process under rules where the source zone is + sam and if there is no match then the connection request should be + treated under rules where the source zone is net. It is important + that this policy be listed BEFORE the next policy (net to all).
+ +Partial /etc/shorewall/rules:
+ ++ ++ ++ +
++ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ +... ++ + + + + + + +DNAT +sam +loc:192.168.1.3 +tcp +ssh +- ++ + +DNAT +net +loc:192.168.1.5 +tcp +www +- ++ + + + + + + + +... ++ + + + + + Given these two rules, Sam can connect to the firewall's internet interface + with ssh and the connection request will be forwarded to 192.168.1.3. + Like all hosts in the net zone, Sam can connect to the firewall's + internet interface on TCP port 80 and the connection request will be forwarded + to 192.168.1.5. The order of the rules is not significant.
+ +Sometimes it is necessary to suppress port forwarding + for a sub-zone. For example, suppose that all hosts can SSH to the firewall + and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the + firewall's external IP, he should be connected to the firewall itself. + Because of the way that Netfilter is constructed, this requires two +rules as follows:
+ ++ +++ + +
+ +
++ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ ++ + + + + + + + +... ++ + + + + + + +DNAT +sam +fw +tcp +ssh +- ++ + +DNAT +net!sam +loc:192.168.1.3 +tcp +ssh +- ++ + + + + + +... ++ + + + + + The first rule allows Sam SSH access to the firewall. The second rule says that any clients from the @@ -1135,298 +1164,313 @@ rules as follows:
connection port forwarded to 192.168.1.3. If you need to exclude more than one zone in this way, - you can list the zones separated - by commas (e.g., net!sam,joe,fred). - This technique also may be -used when the ACTION is REDIRECT. + you can list the zones separated + by commas (e.g., net!sam,joe,fred). + This technique also may be + used when the ACTION is REDIRECT. - +/etc/shorewall/rules
- +The /etc/shorewall/rules file defines exceptions to the policies established - in the /etc/shorewall/policy file. There is one entry in /etc/shorewall/rules - for each of these rules.
+ in the /etc/shorewall/policy file. There is one entry in /etc/shorewall/rules + for each of these rules.
+ +Shorewall automatically enables firewall->firewall traffic over the +loopback interface (lo) -- that traffic cannot be regulated using rules and +any rule that tries to regulate such traffic will generate a warning and +will be ignored.
- +
+Entries in the file have the following columns:
- +-
- +- ACTION +
- ACTION
--
- +- ACCEPT, DROP or REJECT. These have the same meaning here as - in the policy file above.
-- DNAT -- Causes the connection request to be forwarded to the - system specified in the DEST column (port forwarding). "DNAT" stands - for "Destination Network Address Translation"
-- REDIRECT -- Causes the connection request to be redirected -to a port on the local (firewall) system.
- +- ACCEPT, DROP or REJECT. These have the same meaning here +as in the policy file above.
+- DNAT -- Causes the connection request to be forwarded to +the system specified in the DEST column (port forwarding). "DNAT" +stands for "Destination Network Address Translation"
+- REDIRECT -- Causes the connection request to be redirected + to a port on the local (firewall) system.
+The ACTION may optionally be followed by ":" and a syslogd log - level (example: REJECT:info). This causes the packet to be logged at - the specified level prior to being processed according to the specified - ACTION.
-
-
- The use of DNAT or REDIRECT requires that you have +
+ The use of DNAT or REDIRECT requires that you have NAT enabled.
-- SOURCE - Describes the source hosts to which the rule applies.. - The contents of this field must begin with the name of a zone defined - in /etc/shorewall/zones or $FW. If the ACTION is DNAT or REDIRECT, sub-zones - may be excluded from the rule by following the initial zone name with - "!' and a comma-separated list of those sub-zones to be excluded. There - is an example above.
-
-
- The source may be further restricted by adding a colon (":") followed - by a comma-separated list of qualifiers. Qualifiers are may include: - --
+- An interface name - refers to any connection requests arriving - on the specified interface (example loc:eth4). Beginning with -Shorwall 1.3.9, the interface name may optionally be followed by a colon (":") -and an IP address or subnet (examples: loc:eth4:192.168.4.22, net:eth0:192.0.2.0/24).
-- An IP address - refers to a connection request from the host - with the specified address (example net:155.186.235.151). If the - ACTION is DNAT, this must not be a DNS name.
-- A MAC Address in Shorewall format.
-- A subnet - refers to a connection request from any host in -the specified subnet (example net:155.186.235.0/24).
- -- DEST - Describes the destination host(s) to which the -rule applies. May take any of the forms described above for SOURCE -plus the following two additional forms: +
- SOURCE - Describes the source hosts to which the rule +applies.. The contents of this field must begin with the name of +a zone defined in /etc/shorewall/zones, $FW or "all". If the ACTION +is DNAT or REDIRECT, sub-zones may be excluded from the rule by following +the initial zone name with "!' and a comma-separated list of those +sub-zones to be excluded. There is an example above.
-
+
+ If the source is not 'all' then the source may be further restricted +by adding a colon (":") followed by a comma-separated list of qualifiers. +Qualifiers are may include: +-
-- An IP address followed by a colon and the port number - that the server is listening on (service names from /etc/services - are not allowed - example loc:192.168.1.3:80).
-- A single port number (again, service names are not allowed) - -- this form is only allowed if the ACTION is REDIRECT and refers -to a server running on the firewall itself and listening on the -specified port.
- +- An interface name - refers to any connection requests arriving + on the specified interface (example loc:eth4). Beginning with + Shorwall 1.3.9, the interface name may optionally be followed by a colon +(":") and an IP address or subnet (examples: loc:eth4:192.168.4.22, net:eth0:192.0.2.0/24).
+- An IP address - refers to a connection request from the +host with the specified address (example net:155.186.235.151). +If the ACTION is DNAT, this must not be a DNS name.
+- A MAC Address in Shorewall format.
+- A subnet - refers to a connection request from any host +in the specified subnet (example net:155.186.235.0/24).
+- PROTO - Protocol. Must be a protocol name from /etc/protocols, - a number, "all" or "related". Specifies the protocol of the connection - request. "related" should be specified only if you have given ALLOWRELATED="no" - in /etc/shorewall/shorewall.conf and you wish to override that setting - for related connections originating with the client(s) and server(s) - specified in this rule. When "related" is given for the protocol, - the remainder of the columns should be left blank.
-- DEST PORT(S) - Port or port range (<low port>:<high - port>) being connected to. May only be specified if the protocol - is tcp, udp or icmp. For icmp, this column's contents are interpreted - as an icmp type. If you don't want to specify DEST PORT(S) but need - to include information in one of the columns to the right, enter -"-" in this column. You may give a list of ports and/or port ranges separated - by commas. Port numbers may be either integers or service names from -/etc/services.
-- SOURCE PORTS(S) - May be used to restrict -the rule to a particular client port or port range (a port range is -specified as <low port number>:<high port number>). If +
+- DEST - Describes the destination host(s) to which the + rule applies. May take any of the forms described above for SOURCE + plus the following two additional forms: + +
++
+- An IP address followed by a colon and the port number + that the server is listening on (service names from /etc/services + are not allowed - example loc:192.168.1.3:80).
+
+- A single port number (again, service names are not allowed) + -- this form is only allowed if the ACTION is REDIRECT and refers + to a server running on the firewall itself and listening on the + specified port.
+ +
+- PROTO - Protocol. Must be a protocol name from /etc/protocols, + a number, "all" or "related". Specifies the protocol of the connection + request. "related" should be specified only if you have given ALLOWRELATED="no" + in /etc/shorewall/shorewall.conf and you wish to override that setting + for related connections originating with the client(s) and server(s) + specified in this rule. When "related" is given for the protocol, + the remainder of the columns should be left blank.
+- DEST PORT(S) - Port or port range (<low port>:<high + port>) being connected to. May only be specified if the protocol + is tcp, udp or icmp. For icmp, this column's contents are interpreted + as an icmp type. If you don't want to specify DEST PORT(S) but need + to include information in one of the columns to the right, enter + "-" in this column. You may give a list of ports and/or port ranges + separated by commas. Port numbers may be either integers or service names + from /etc/services.
+- SOURCE PORTS(S) - May be used to restrict + the rule to a particular client port or port range (a port range is + specified as <low port number>:<high port number>). If you don't want to restrict client ports but want to specify something in the next column, enter "-" in this column. If you wish to specify a list of port number or ranges, separate the list elements with commas -(with no embedded white space). Port numbers may be either integers + (with no embedded white space). Port numbers may be either integers or service names from /etc/services.
-- ORIGINAL DEST - This column may only be non-empty if -the ACTION is DNAT or REDIRECT.
-
- If DNAT or REDIRECT is the ACTION and the ORIGINAL DEST column is - left empty, any connection request arriving at the firewall from the - SOURCE that matches the rule will be forwarded or redirected. This -works fine for connection requests arriving from the internet where -the firewall has only a single external IP address. When the firewall -has multiple external IP addresses or when the SOURCE is other than -the internet, there will usually be a desire for the rule to only apply -to those connection requests directed to a particular IP address (see -Example 2 below for another usage). That IP address (or a comma-separated -list of such addresses) is specified in the ORIGINAL DEST column.
-
- The IP address may be optionally followed by ":" and a second - IP address. This latter address, if present, is used as the source -address for packets forwarded to the server (This is called "Source NAT" +- ORIGINAL DEST - This column may only be non-empty if + the ACTION is DNAT or REDIRECT.
- +
+
+ If DNAT or REDIRECT is the ACTION and the ORIGINAL DEST column +is left empty, any connection request arriving at the firewall from +the SOURCE that matches the rule will be forwarded or redirected. This + works fine for connection requests arriving from the internet where + the firewall has only a single external IP address. When the firewall + has multiple external IP addresses or when the SOURCE is other than + the internet, there will usually be a desire for the rule to only apply + to those connection requests directed to a particular IP address (see + Example 2 below for another usage). That IP address (or a comma-separated + list of such addresses) is specified in the ORIGINAL DEST column.
+
+ The IP address may be optionally followed by ":" and a second + IP address. This latter address, if present, is used as the source + address for packets forwarded to the server (This is called "Source NAT" or SNAT).
-
- + Note: When using SNAT, it is a good idea to qualify the source with an IP address or subnet. Otherwise, it is likely that SNAT will occur on connections other than those described in the rule. The reason for this is that SNAT occurs in the Netfilter POSTROUTING hook where it is not possible to restrict the scope of a rule by incoming interface.
-
- Example: DNAT loc:192.168.1.0/24 loc:192.168.1.3 - tcp www - 206.124.146.179:192.168.1.3
-
- If SNAT is not used (no ":" and second IP address), the - original source address is used. If you want any destination address - to match the rule but want to specify SNAT, simply use a colon followed - by the SNAT address.
+ Example: DNAT loc:192.168.1.0/24 loc:192.168.1.3 + tcp www - 206.124.146.179:192.168.1.3
+
+ If SNAT is not used (no ":" and second IP address), +the original source address is used. If you want any destination +address to match the rule but want to specify SNAT, simply use a colon +followed by the SNAT address. +Example 1. You wish to forward all - ssh connection requests from the internet to local system 192.168.1.3.
- + ssh connection requests from the internet to local system 192.168.1.3. ++- -- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- - - - - - - -DNAT -net -loc:192.168.1.3 -tcp -ssh -- - Example 2. You want to redirect all local www connection requests - EXCEPT those to your own - http server (206.124.146.177) - to a Squid transparent -proxy running on the firewall and listening on port 3128. Squid will of -course require access to remote web servers. This example shows yet - another use for the ORIGINAL - DEST column; here, connection - requests that were NOT - - (notice the "!") originally - destined to 206.124.146.177 - are redirected to local - port 3128.
- --- -- +
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL +
- DESTACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL
+ DEST- -REDIRECT -loc -3128 -tcp -www -- !206.124.146.177 -- - - - - - - -ACCEPT -fw -net -tcp -www -- - Example 3. You want to run a web server at 155.186.235.222 in -your DMZ and have it accessible remotely and locally. the DMZ is managed - by Proxy ARP or by classical sub-netting.
- - --+ +- -
+- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- -ACCEPT -net -dmz:155.186.235.222 -tcp -www -- -- - +ACCEPT -loc -dmz:155.186.235.222 -tcp -www -- - + + + + +DNAT +net +loc:192.168.1.3 +tcp +ssh ++ + Example 2. You want to redirect all local www connection requests + EXCEPT those to your own + http server (206.124.146.177) + to a Squid transparent + proxy running on the firewall and listening on port 3128. Squid will +of course require access to remote web servers. This example shows yet + another use for the ORIGINAL + DEST column; here, connection + requests that were NOT + + (notice the "!") originally + destined to 206.124.146.177 + are redirected to local + port 3128.
+ ++ +++ +
-+ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ +REDIRECT +loc +3128 +tcp +www ++ !206.124.146.177 ++ + + +ACCEPT +fw +net +tcp +www ++ +
Example 3. You want to run a web server at 155.186.235.222 in +your DMZ and have it accessible remotely and locally. the DMZ is managed + by Proxy ARP or by classical sub-netting.
+ + +++ ++ +
++ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ + +ACCEPT +net +dmz:155.186.235.222 +tcp +www +- ++ + + + + + + + +ACCEPT +loc +dmz:155.186.235.222 +tcp +www ++ +
Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded - DMZ. Your internet interface address is 155.186.235.151 and you want - the FTP server to be accessible from the internet in addition to the local - 192.168.1.0/24 and dmz 192.168.2.0/24 subnetworks. Note that since + DMZ. Your internet interface address is 155.186.235.151 and you want + the FTP server to be accessible from the internet in addition to the +local 192.168.1.0/24 and dmz 192.168.2.0/24 subnetworks. Note that since the server is in the 192.168.2.0/24 subnetwork, we can assume that access to the server from that subnet will not involve the firewall (but see FAQ 2). Note that unless you @@ -1447,80 +1491,82 @@ leave it blank in the clearly not what you want - .
+ . - +++ - +- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- -DNAT -net -dmz:192.168.2.2 -tcp -ftp -- - - + +DNAT -loc:192.168.1.0/24 -dmz:192.168.2.2 -tcp -ftp -- -155.186.235.151 -+ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ +DNAT +net +dmz:192.168.2.2 +tcp +ftp ++ + + + - - +DNAT +loc:192.168.1.0/24 +dmz:192.168.2.2 +tcp +ftp +- +155.186.235.151 +
If you are running wu-ftpd, you should restrict the range of passive in your /etc/ftpaccess file. I only need a few simultaneous FTP sessions - so I use port range 65500-65535. In /etc/ftpaccess, this entry is appropriate:
+ so I use port range 65500-65535. In /etc/ftpaccess, this entry is appropriate: - +- ++ - +passive ports 0.0.0.0/0 65500 65534
-
If you are running pure-ftpd, you would include "-p 65500:65534" on - the pure-ftpd runline.
+ the pure-ftpd runline. - +The important point here is to ensure that the port range used for FTP - passive connections is unique and will not overlap with any usage on the - firewall system.
+ passive connections is unique and will not overlap with any usage on +the firewall system. - +Example 5. You wish to allow unlimited DMZ access to the host @@ -1528,51 +1574,97 @@ want - +
++ - -- -
-- +ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- +ACCEPT -loc:~02-00-08-E3-FA-55 -dmz -all -- - - ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ - - + +ACCEPT +loc:~02-00-08-E3-FA-55 +dmz +all ++ + +
Look here for information on other services. -
+ Example 6. You wish to +allow access to the SMTP server in your DMZ from all zones.+++ +
++ +ACTION +
+SOURCE +
+DEST +
+PROTO +
+DEST +
+PORTS(S)
+SOURCE +
+PORT(S)
+ORIGINAL +
+DEST
++ + +ACCEPT +
+all +
+dmz +
+tcp +
+25 +
++
++
+
+Note: When 'all' is used as a source or destination, intra-zone traffic is +not affected. In this example, if there were two DMZ interfaces then the +above rule would NOT enable SMTP traffic between hosts on these interfaces.
Look here for information on other services. +
- +Shorewall allows definition of rules that apply between all zones. @@ -1582,160 +1674,163 @@ want + than modify + /etc/shorewall/common.def, + you should copy + that file to + /etc/shorewall/common + and modify that + file.
- +The /etc/shorewall/common - file is expected - to contain iptables - commands; rather - than running iptables - directly, you should - run it indirectly - using the Shorewall - function 'run_iptables'. - That way, if iptables - encounters an error, the - firewall will be safely - stopped.
+ file is expected + to contain iptables + commands; rather + than running iptables + directly, you +should run it +indirectly using the + Shorewall function 'run_iptables'. + That way, if iptables + encounters an error, the + firewall will be safely + stopped. - +The /etc/shorewall/masq file is used to define classical IP Masquerading - and Source Network Address Translation (SNAT). There is one entry in the - file for each subnet that you want to masquerade. In order to make use - of this feature, you must have NAT enabled - .
+ and Source Network Address Translation (SNAT). There is one entry in +the file for each subnet that you want to masquerade. In order to make +use of this feature, you must have NAT enabled + . - +Columns are:
- +Example 1: You have eth0 connected to a cable modem and eth1 - connected to your local subnetwork 192.168.9.0/24. Your /etc/shorewall/masq - file would look like:
+ connected to your local subnetwork 192.168.9.0/24. Your /etc/shorewall/masq + file would look like: - +- +- - -- -
-- -INTERFACE -SUBNET -ADDRESS -- - - - - - - -eth0 -192.168.9.0/24 --
Example 2: You have a number of IPSEC tunnels through ipsec0 - and you want to masquerade traffic from your 192.168.9.0/24 subnet to - the remote subnet 10.1.0.0/16 only.
- - -- -+ -- +
-- -INTERFACE -SUBNET -ADDRESS -- +ipsec0:10.1.0.0/16 -192.168.9.0/24 -- INTERFACE +SUBNET +ADDRESS + ++ - +eth0 +192.168.9.0/24 ++
Example 3: You have a DSL line connected on eth0 and a local - network (192.168.10.0/24) - connected to -eth1. You want -all local->net - connections to use - source address - 206.124.146.176.
- -+- +Example 2: You have a number of IPSEC tunnels through ipsec0 + and you want to masquerade traffic from your 192.168.9.0/24 subnet to + the remote subnet 10.1.0.0/16 only.
+ + ++- + +- -
- -INTERFACE -SUBNET -ADDRESS -- + + +eth0 -192.168.10.0/24 -206.124.146.176 -+ +INTERFACE +SUBNET +ADDRESS ++ - - + + + + +ipsec0:10.1.0.0/16 +192.168.9.0/24 ++ Example 3: You have a DSL line connected on eth0 and a local + network (192.168.10.0/24) + connected to + eth1. You want + all local->net + connections to use + source address + 206.124.146.176.
+ +++ ++ +
++ +INTERFACE +SUBNET +ADDRESS ++ + + + + + +eth0 +192.168.10.0/24 +206.124.146.176 +Example 4: Same as example 3 except that you wish @@ -1745,34 +1840,35 @@ all local->net the SNAT rule.
- +- ++- -
-- +INTERFACE -SUBNET -ADDRESS -- +eth0 -192.168.10.0/24!192.168.10.44,192.168.10.45 -206.124.146.176 -INTERFACE +SUBNET +ADDRESS + ++ - - + + +eth0 +192.168.10.0/24!192.168.10.44,192.168.10.45 +206.124.146.176 +
If you want to use proxy ARP on an entire sub-network, @@ -1781,30 +1877,30 @@ all local->net http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. - If you decide - to use the -technique described -in that HOWTO, - you can set -the proxy_arp flag - for an interface - (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) - by including the - proxyarp - option in the - interface's - record in - /etc/shorewall/interfaces. - When using Proxy ARP - sub-netting, you do - NOT include - any entries in - /etc/shorewall/proxyarp. -
+ If you decide + to use the + technique described + in that HOWTO, + you can set + the proxy_arp flag + for an interface + (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) + by including +the proxyarp + option in +the interface's + record in + + /etc/shorewall/interfaces. + When using Proxy ARP + sub-netting, you do + NOT include + any entries in + /etc/shorewall/proxyarp. + - +The /etc/shorewall/proxyarp file is used to define Proxy ARP. The file is typically used for @@ -1812,47 +1908,47 @@ the proxy_arp flag on a small set of systems since you need one entry - in this file - for each system - using proxy - ARP. Columns are:
- + in this file + for each system + using proxy + ARP. Columns are: +Note: After you have made a change to the /etc/shorewall/proxyarp - file, you may need to flush the ARP cache of all routers on the LAN segment - connected to the interface specified in the EXTERNAL column of the change/added - entry(s). If you are having problems communicating between an individual - host (A) on that segment and a system whose entry has changed, you may - need to flush the ARP cache on host A as well.
+ file, you may need to flush the ARP cache of all routers on the LAN segment + connected to the interface specified in the EXTERNAL column of the change/added + entry(s). If you are having problems communicating between an individual + host (A) on that segment and a system whose entry has changed, you may + need to flush the ARP cache on host A as well. - +ISPs typically have ARP configured with long TTL (hours!) so if your ISPs router has a stale cache entry (as seen using "tcpdump -nei <external interface> host <IP addr>"), it may take a long @@ -1861,94 +1957,95 @@ to delete a stale entry in order to restore a system to working order after changing my proxy ARP settings.
- +Example: You have public IP addresses 155.182.235.0/28. You configure your - firewall as follows:
- + firewall as follows: +In your DMZ, you want to install a Web/FTP server with public address - 155.186.235.4. On the Web server, you subnet just like the firewall's -eth0 and you configure 155.186.235.1 as the default gateway. In your - /etc/shorewall/proxyarp file, you will have:
+ 155.186.235.4. On the Web server, you subnet just like the firewall's + eth0 and you configure 155.186.235.1 as the default gateway. In your + /etc/shorewall/proxyarp file, you will have: - +- +- + +- + -
-- -ADDRESS -INTERFACE -EXTERNAL -HAVEROUTE -- +155.186.235.4 -eth2 -eth0 -No -+ +ADDRESS +INTERFACE +EXTERNAL +HAVEROUTE ++ - + - + +155.186.235.4 +eth2 +eth0 +No +
Note: You may want to configure the servers in your DMZ with a subnet - that is smaller than the subnet of your internet interface. See the Proxy - ARP Subnet Mini HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/) - for details. In this case you will want to place "Yes" in the HAVEROUTE - column.
- + for details. In this case you will want to place "Yes" in the HAVEROUTE + column. +To learn how I use Proxy ARP in my DMZ, see my configuration files.
- +Warning: Do not use Proxy ARP and FreeS/Wan on the same system unless you are prepared to suffer the consequences. - If you start or restart Shorewall with an IPSEC tunnel active, the proxied - IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) - rather than to the interface that you specify in the INTERFACE column of - /etc/shorewall/proxyarp. I haven't had the time to debug this problem so - I can't say if it is a bug in the Kernel or in FreeS/Wan.
- + If you start or restart Shorewall with an IPSEC tunnel active, the proxied + IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) + rather than to the interface that you specify in the INTERFACE column +of /etc/shorewall/proxyarp. I haven't had the time to debug this problem +so I can't say if it is a bug in the Kernel or in FreeS/Wan. +You might be able to work around this problem using the following - (I haven't tried it):
- + (I haven't tried it): +In /etc/shorewall/init, include:
- +qt service ipsec stop
- +In /etc/shorewall/start, include:
- +qt service ipsec start
- +The /etc/shorewall/nat file is used to define static NAT. There is one - entry in the file for each static NAT relationship that you wish to define. - In order to make use of this feature, you must have NAT enabled .
- +IMPORTANT: If @@ -1960,9 +2057,9 @@ files.
static NAT. Port forwarding can be accomplished - with simple - entries in - the rules file. Also, in most @@ -1977,366 +2074,379 @@ be accomplished are accessed using the same IP address internally - and externally. + and externally. - +Columns in an entry are:
- +Look here for additional information and an example. -
- + +Look here for additional information and an example. +
+ +The /etc/shorewall/tunnels file allows you to define IPSec, GRE, IPIP -and PPTP tunnels with end-points on your firewall. To use ipsec, you must - install version 1.9, 1.91 or the current FreeS/WAN development snapshot.
- +Note: For kernels 2.4.4 and above, you will need to use version 1.91 - or a development snapshot as patching with version 1.9 results in kernel - compilation errors.
+ or a development snapshot as patching with version 1.9 results in kernel + compilation errors. - +Instructions for setting up IPSEC tunnels may - be found here, instructions for IPIP and -GRE tunnels are here and instructions for -PPTP tunnels are here.
- + be found here, instructions for IPIP and + GRE tunnels are here and instructions +for PPTP tunnels are here. +This file is used to set the following firewall parameters:
- +ZONE | +HOSTS | +BROADCAST | +OPTIONS | +
ZONE | -HOSTS | -BROADCAST | -OPTIONS | -
loc | -eth1 | -- | -dhcp | -
- | -ppp+ | -- | - | loc | +eth1 | +- | +dhcp | + +
- | +ppp+ | ++ | + |
- Hosts File:
-
ZONE | +HOSTS | +
ZONE | -HOSTS | -
loc | -ppp+:192.168.12.0/24 | -loc | +ppp+:192.168.12.0/24 | + + +
- With MERGE_HOSTS=No, the loc zone consists of only
-ppp+:192.168.12.0/24; with MERGE_HOSTS=Yes, it includes eth1:0.0.0.0/0
-and ppp+:192.168.12.0/24.
-
Rules not meeting those criteria will continue to generate an individual - rule for each listed port or port range.
-The file /etc/shorewall/modules contains commands for loading the kernel - modules required by Shorewall-defined firewall rules. Shorewall will -source this file during start/restart provided that it exists and that -the directory specified by the MODULESDIR parameter exists (see /etc/shorewall/shorewall.conf above).
- +The file that is released with Shorewall calls the Shorewall function - "loadmodule" for the set of modules that I load.
+ "loadmodule" for the set of modules that I load. - +The loadmodule function is called as follows:
- +- ++ - +loadmodule <modulename> [ <module parameters> ]
-
where
- +- +- +<modulename>
- +- ++is the name of the modules without the trailing ".o" (example ip_conntrack).
-
<module parameters>
- +- +- - +Optional parameters to the insmod utility.
+
The function determines if the module named by <modulename> - is already loaded and if not then the function determines if the - ".o" file corresponding to the module exists in the moduledirectory; - if so, then the following command is executed:
+ is already loaded and if not then the function determines if the + ".o" file corresponding to the module exists in the moduledirectory; + if so, then the following command is executed: - +- ++ parameters> + - +insmod moduledirectory/<modulename>.o <module - parameters>
-
If the file doesn't exist, the function determines of the ".o.gz" file corresponding to the module exists in the moduledirectory. If it does, the function assumes that the running configuration supports compressed @@ -2553,397 +2663,400 @@ it does, the function assumes that the running configuration supports compress - +
- ++ parameters> + - +insmod moduledirectory/<modulename>.o.gz <module - parameters>
-
The /etc/shorewall/tos file allows you to set the Type of Service field - in packet headers based on packet source, packet destination, protocol, - source port and destination port. In order for this file to be processed - by Shorewall, you must have mangle support enabled - .
+ in packet headers based on packet source, packet destination, protocol, + source port and destination port. In order for this file to be processed + by Shorewall, you must have mangle support +enabled . - +Entries in the file have the following columns:
- +- ++ Maximize-Throughput (8)- +-Minimize-Delay (16)
-
- Maximize-Throughput (8)
- Maximize-Reliability (4)
- Minimize-Cost (2)
- Normal-Service (0)
The /etc/shorewall/tos file that is included with Shorewall contains - the following entries.
+ the following entries. - -+ +- ++- + -
-- -SOURCE -DEST -PROTOCOL -SOURCE -
- PORT(S)DEST PORT(S) -TOS -- -all -all -tcp -- -ssh -16 -- -all -all -tcp -ssh -- -16 -- -all -all -tcp -- -ftp -16 -- -all -all -tcp -ftp -- -16 -- -all -all -tcp -- -ftp-data -8 -- +all -all -tcp -ftp-data -- -8 -+ +SOURCE +DEST +PROTOCOL +SOURCE +
+ PORT(S)DEST PORT(S) +TOS ++ +all +all +tcp +- +ssh +16 ++ +all +all +tcp +ssh +- +16 ++ +all +all +tcp +- +ftp +16 ++ +all +all +tcp +ftp +- +16 ++ +all +all +tcp +- +ftp-data +8 ++ - + + - +all +all +tcp +ftp-data +- +8 +
WARNING: Users have reported that odd routing problems result from - adding the ESP and AH protocols to the /etc/shorewall/tos file.
+ adding the ESP and AH protocols to the /etc/shorewall/tos file. - +Each line in /etc/shorewall/blacklist contains - an - IP - address, a MAC address in Shorewall - Format - or - subnet - address. - Example:
+ an + IP + address, a MAC address in Shorewall + Format + or + subnet + address. + Example: - +130.252.100.69- +
206.124.146.0/24
Packets
from
hosts
listed
in
- the
- blacklist
- file
- will
- be
- disposed
+ the
+ blacklist
+ file
+ will
+ be
- of
- according
- to
- the
- value
- assigned
+disposed
+ of
+ according
+ to
+ the
+ value
- to
- the BLACKLIST_DISPOSITION
+ assigned
+ to
+ the BLACKLIST_DISPOSITION
-and BLACKLIST_LOGLEVEL variables
- in
- /etc/shorewall/shorewall.conf.
+ and BLACKLIST_LOGLEVEL variables
+ in
- Only
- packets
- arriving
- on
- interfaces
+ /etc/shorewall/shorewall.conf.
+ Only
+ packets
- that
- have
- the
- 'blacklist'
+ arriving
+ on
+ interfaces
+ that
+ have
+ the
- option
- in
- /etc/shorewall/interfaces
- are
+ 'blacklist'
+ option
+ in
- checked
- against
- the
- blacklist. The black list is
-designed to prevent listed hosts/subnets from accessing services on your
- network.
-
Beginning with Shorewall 1.3.8, the blacklist file has three columns:
-
Shorewall also has a dynamic blacklist - capability.
+ capability. - +IMPORTANT: The Shorewall blacklist file is NOT - designed to police your users' web browsing -- to do that, I suggest that - you install and configure Squid (http://www.squid-cache.org). -
+ designed to police your users' web browsing -- to do that, I suggest that + you install and configure Squid (http://www.squid-cache.org). + - +This file lists the subnets affected by the norfc1918 - interface option. Columns in the file are:
+ interface option. Columns in the file are: - +This file defines the hosts that are accessible from the firewall when - the firewall is stopped. Columns in the file are:
+ the firewall is stopped. Columns in the file are: - +Example: When your firewall is stopped, you want firewall accessibility - from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ interfaces through - eth1 and your local hosts through eth2.
+ from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ interfaces +through eth1 and your local hosts through eth2. - +- ++ - +- -
-+ +- + -INTERFACE +INTERFACE -HOST(S) +HOST(S) -+ - + -eth2 +eth2 -192.168.1.0/24 +192.168.1.0/24 -+ - + - - + +eth1 +eth1 -- +- -
Updated 10/28/2002 - Tom Eastep -
+ This file is described in the MAC Validation + Documentation.Updated 11/24/2002 - Tom Eastep +
- +Copyright - © 2001, 2002 Thomas M. Eastep.
+ © 2001, 2002 Thomas M. Eastep. -- + |
+
Shorewall FAQs- |
-
1a. Ok -- I followed those instructions
- but it doesn't work.
-
1b. I'm still having problems with -port forwarding
- -2. I port forward www requests
- to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my
-local network. External clients can browse http://www.mydomain.com
+
+
+
+ 1a. Ok -- I followed those instructions
+ but it doesn't work. 1b. I'm still having problems with
+ port forwarding 3. I want to use Netmeeting/MSN
- Messenger with Shorewall. What do I do? 4. I just used an online port scanner
- to check my firewall and it shows some ports as 'closed' rather
+
+
+
+ 3. I want to use Netmeeting/MSN
+ Messenger with Shorewall. What do I do? 4a. I just ran an nmap UDP scan
- of my firewall and it showed 100s of ports as open!!!! 5. I've installed Shorewall and now
- I can't ping through the firewall 6. Where are the log messages
- written and how do I change the destination? 6a. Are there any log parsers
- that work with Shorewall? 8. When I try to start Shorewall
- on RedHat 7.x, I get messages about insmod failing -- what's wrong? 9. Why can't Shorewall detect
- my interfaces properly? 10. What distributions does
- it work with? 11. What features does it
- support? 4a. I just ran an nmap UDP scan
+ of my firewall and it showed 100s of ports as open!!!! 5. I've installed Shorewall and now
+ I can't ping through the firewall 6. Where are the log messages
+ written and how do I change the destination? 6a. Are there any log parsers
+ that work with Shorewall? 8. When I try to start Shorewall
+ on RedHat 7.x, I get messages about insmod failing -- what's wrong? 9. Why can't Shorewall detect
+ my interfaces properly? 10. What distributions does
+ it work with? 11. What features does it
+support? 13. Why do you call it "Shorewall"? 15. My local systems can't see
- out to the net 16. Shorewall is writing log messages
- all over my console making it unusable! 15. My local systems can't see
+ out to the net 16. Shorewall is writing log messages
+ all over my console making it unusable!
+
-
-
- 18. Is there any way to use aliased ip addresses
- with Shorewall, and maintain separate rulesets for different IPs?
-
-1. I want to forward UDP port 7777 to
- my my personal PC with IP address 192.168.1.5. I've looked everywhere
- and can't find how to do it.
-
+
+
+
+
+
+
+
+
+ 18. Is there any way to use aliased ip addresses
+ with Shorewall, and maintain separate rulesets for different IPs?
+
+ 19. I have added entries to /etc/shorewall/tcrules
+but they don't seem to do anything. Why?
+
+20. I have just set up a server.
+Do I have to change Shorewall to allow access to my server from the internet?
+
+
Answer: The first example in the rules file documentation shows how to - do port forwarding under Shorewall. The format of a port-forwarding + href="Documentation.htm#Rules">rules file documentation shows how to + do port forwarding under Shorewall. The format of a port-forwarding rule to a local system is as follows:
- -+ ++ +- -- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIG. DEST. -- - - + +DNAT -net -loc:<local IP address>[:<local port>] -<protocol> -<port #> --
--
-+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ + + +DNAT +net +loc:<local IP address>[:<local +port>] +<protocol> +<port #> ++
++
+So to forward UDP port 7777 to internal system 192.168.1.5, - the rule is:
- -++ +So to forward UDP port 7777 to internal system 192.168.1.5, + the rule is:
+ +- -- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIG. DEST. -- - - + +DNAT -net -loc:192.168.1.5 -udp -7777 --
--
-+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ + + +DNAT +net +loc:192.168.1.5 +udp +7777 ++
++
++ + ++ +- -DNAT net loc:192.168.1.5 udp 7777-If you want to forward requests directed to a particular address -( <external IP> ) on your firewall to an internal system:
- -+If you want to forward requests directed to a particular +address ( <external IP> ) on your firewall to an internal system:
+ +- -- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIG. DEST. -- - - + +DNAT -net -loc:<local IP address>[:<local port>] -<protocol> -<port #> -- -<external IP> -+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ + + +DNAT +net +loc:<local IP address>[:<local +port>] +<protocol> +<port #> +- +<external IP> +1a. Ok -- I followed those instructions - but it doesn't work
- +
Answer: That is usually the result of one of two things:
- +Answer: I have two objections to this setup.
- +If you insist on an IP solution to the accessibility problem - rather than a DNS solution, then assuming that your external interface - is eth0 and your internal interface is eth1 and that eth1 has IP address - 192.168.1.254 with subnet 192.168.1.0/24, do the following:
- -a) In /etc/shorewall/interfaces, specify "multi" as an option - for eth1 (No longer required as of Shorewall version 1.3.9).
- -If you insist on an IP solution to the accessibility problem + rather than a DNS solution, then assuming that your external interface + is eth0 and your internal interface is eth1 and that eth1 has IP address + 192.168.1.254 with subnet 192.168.1.0/24, do the following:
+ +a) In /etc/shorewall/interfaces, specify "multi" as an option + for eth1 (No longer required as of Shorewall version 1.3.9).
+ +b) In /etc/shorewall/rules, add:
-+
-- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIG. DEST. -- - - + +DNAT -loc:192.168.1.0/24 -loc:192.168.1.5 -tcp -www -- -130.151.100.69:192.168.1.254 -+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ + + +DNAT +loc:192.168.1.0/24 +loc:192.168.1.5 +tcp +www +- +130.151.100.69:192.168.1.254 +
DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254-
That rule only works of course if you have a static external - IP address. If you have a dynamic IP address and are running Shorewall - 1.3.4 or later then include this in /etc/shorewall/params:
-That rule only works of course if you have a static external + IP address. If you have a dynamic IP address and are running Shorewall + 1.3.4 or later then include this in /etc/shorewall/params:
+ETH0_IP=`find_interface_address eth0`-
and make your DNAT rule:
-+
-- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIG. DEST. -- - - + +DNAT -loc:192.168.1.0/24 -loc:192.168.1.5 -tcp -www -- -$ETH0_IP:192.168.1.254 -+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ + + +DNAT +loc:192.168.1.0/24 +loc:192.168.1.5 +tcp +www +- +$ETH0_IP:192.168.1.254 +
Using this technique, you will want to configure your DHCP/PPPoE - client to automatically restart Shorewall each time that you get a + +
Using this technique, you will want to configure your DHCP/PPPoE + client to automatically restart Shorewall each time that you get a new IP address.
-Answer: This is another problem that is best solved - using Bind Version 9 "views". It allows both external and internal clients - to access a NATed host using the host's DNS name.
- -Another good way to approach this problem is to switch from - static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses - and can be accessed externally and internally using the same address. -
- -If you don't like those solutions and prefer routing all -Z->Z traffic through your firewall then:
- -a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
-(If you are running a Shorewall version earlier than 1.3.9).
- b) Set the Z->Z policy to ACCEPT.
- c) Masquerade Z to itself.
-
- Example:
Answer: This is another problem that is best solved + using Bind Version 9 "views". It allows both external and internal clients + to access a NATed host using the host's DNS name.
+ +Another good way to approach this problem is to switch from + static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 +addresses and can be accessed externally and internally using the same +address.
+ +If you don't like those solutions and prefer routing all Z->Z +traffic through your firewall then:
+ +a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
+ (If you are running a Shorewall version earlier than 1.3.9).
+ b) Set the Z->Z policy to ACCEPT.
+ c) Masquerade Z to itself.
+
+ Example:
Zone: dmz
- Interface: eth2
- Subnet: 192.168.2.0/24
In /etc/shorewall/interfaces:
- -+ ++- +- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- - - + +dmz -eth2 -192.168.2.255 -multi -+ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ + + +dmz +eth2 +192.168.2.255 +multi +
In /etc/shorewall/policy:
- -+ ++- -- -
-- -SOURCE -DESTINATION -POLICY -LIMIT:BURST -- - - + +dmz -dmz -ACCEPT --
-+ +SOURCE +DESTINATION +POLICY +LIMIT:BURST ++ + + +dmz +dmz +ACCEPT ++
++ + ++- +dmz dmz ACCEPT-In /etc/shorewall/masq:
- -+ ++ +- -- -
-- -INTERFACE -SUBNET -ADDRESS -- - - + +eth2 -192.168.2.0/24 --
-+ +INTERFACE +SUBNET +ADDRESS ++ + + +eth2 +192.168.2.0/24 ++
+3. I want to use Netmeeting/MSN Messenger - with Shorewall. What do I do?
- +3. I want to use Netmeeting/MSN Messenger + with Shorewall. What do I do?
+Answer: There is an H.323 connection - tracking/NAT module that may help. Also check the Netfilter mailing - list archives at http://netfilter.samba.org. -
- -4. I just used an online port scanner - to check my firewall and it shows some ports as 'closed' rather than - 'blocked'. Why?
- -Answer: The common.def included with version 1.3.x - always rejects connection requests on TCP port 113 rather than dropping - them. This is necessary to prevent outgoing connection problems to - services that use the 'Auth' mechanism for identifying requesting -users. Shorewall also rejects TCP ports 135, 137 and 139 as well as -UDP ports 137-139. These are ports that are used by Windows (Windows -can be configured to use the DCE cell locator on port 135). -Rejecting these connection requests rather than dropping them cuts -down slightly on the amount of Windows chatter on LAN segments connected - to the Firewall.
- -If you are seeing port 80 being 'closed', that's probably - your ISP preventing you from running a web server in violation of -your Service Agreement.
- -4a. I just ran an nmap UDP scan of my - firewall and it showed 100s of ports as open!!!!
- -Answer: Take a deep breath and read the nmap man page - section about UDP scans. If nmap gets nothing back from your - firewall then it reports the port as open. If you want to see which - UDP ports are really open, temporarily change your net->all policy - to REJECT, restart Shorewall and do the nmap UDP scan again.
- -5. I've installed Shorewall and now I - can't ping through the firewall
- -Answer: If you want your firewall to be totally open - for "ping":
- + href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection + tracking/NAT module that may help. Also check the Netfilter mailing + list archives at http://netfilter.samba.org. + + +4. I just used an online port scanner + to check my firewall and it shows some ports as 'closed' rather than + 'blocked'. Why?
+ +Answer: The common.def included with version 1.3.x + always rejects connection requests on TCP port 113 rather than dropping + them. This is necessary to prevent outgoing connection problems to + services that use the 'Auth' mechanism for identifying requesting +users. Shorewall also rejects TCP ports 135, 137 and 139 as well as +UDP ports 137-139. These are ports that are used by Windows (Windows +can be configured to use the DCE cell locator on port 135). Rejecting +these connection requests rather than dropping them cuts down slightly +on the amount of Windows chatter on LAN segments connected to the Firewall. +
+ +If you are seeing port 80 being 'closed', that's probably + your ISP preventing you from running a web server in violation of + your Service Agreement.
+ +4a. I just ran an nmap UDP scan of my + firewall and it showed 100s of ports as open!!!!
+ +Answer: Take a deep breath and read the nmap man page + section about UDP scans. If nmap gets nothing back from your + firewall then it reports the port as open. If you want to see which + UDP ports are really open, temporarily change your net->all policy + to REJECT, restart Shorewall and do the nmap UDP scan again.
+ +5. I've installed Shorewall and now I + can't ping through the firewall
+ +Answer: If you want your firewall to be totally open + for "ping":
+a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.
- -
- b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef
- c) Add the following to /etc/shorewall/icmpdef:-- -run_iptables -A icmpdef -p ICMP --icmp-type echo-request - -j ACCEPT
-6. Where are the log messages written - and how do I change the destination?
- -Answer: NetFilter uses the kernel's equivalent of -syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern) -facility (see "man openlog") and you get to choose the log level (again, -see "man syslog") in your policies - and rules. The destination for messaged - logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). - When you have changed /etc/syslog.conf, be sure to restart syslogd (on - a RedHat system, "service syslog restart").
- -By default, older versions of Shorewall ratelimited log messages - through settings in /etc/shorewall/shorewall.conf - -- If you want to log all messages, set:
- -+ b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef+ +
+ c) Add the following to /etc/shorewall/icmpdef: + +++ +run_iptables -A icmpdef -p ICMP --icmp-type echo-request + -j ACCEPT
+6. Where are the log messages written + and how do I change the destination?
+ +Answer: NetFilter uses the kernel's equivalent of syslog +(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility +(see "man openlog") and you get to choose the log level (again, see "man +syslog") in your policies and rules. The destination for messaged +logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). + When you have changed /etc/syslog.conf, be sure to restart syslogd (on + a RedHat system, "service syslog restart").
+ +By default, older versions of Shorewall ratelimited log messages + through settings in /etc/shorewall/shorewall.conf + -- If you want to log all messages, set:
+ +- -LOGLIMIT=""-
LOGBURST=""6a. Are there any log parsers that work - with Shorewall?
- -Answer: Here are several links that may be helpful: -
- -+6a. Are there any log parsers that work + with Shorewall?
+ +Answer: Here are several links that may be helpful: +
+ +- -http://www.shorewall.net/pub/shorewall/parsefw/
-
- http://www.fireparse.com
- http://cert.uni-stuttgart.de/projects/fwlogwatchhttp://www.fireparse.com
+ http://cert.uni-stuttgart.de/projects/fwlogwatch
-http://www.logwatch.org
-7. When I stop Shorewall using 'shorewall - stop', I can't connect to anything. Why doesn't that command work?
- -The 'stop' command is intended to place your firewall into - a safe state whereby only those interfaces/hosts having the 'routestopped' - option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. - If you want to totally open up your firewall, you must use the 'shorewall - clear' command.
- -8. When I try to start Shorewall on RedHat - 7.x, I get messages about insmod failing -- what's wrong?
- -Answer: The output you will see looks something like - this:
- -/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy- -
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.This is usually cured by the following sequence of commands: + http://www.logwatch.org
- -
+ + ++ +7. When I stop Shorewall using 'shorewall + stop', I can't connect to anything. Why doesn't that command work?
+ +The 'stop' command is intended to place your firewall into + a safe state whereby only those interfaces/hosts having the 'routestopped' + option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. + If you want to totally open up your firewall, you must use the 'shorewall + clear' command.
+ +8. When I try to start Shorewall on RedHat + 7.x, I get messages about insmod failing -- what's wrong?
+ +Answer: The output you will see looks something like + this:
+ +/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy+ +
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.This is usually cured by the following sequence of commands: +
+ +- -service ipchains stop-
chkconfig --delete ipchains
rmmod ipchains-- +Also, be sure to check the errata - for problems concerning the version of iptables (v1.2.3) shipped with - RH7.2.
-++Also, be sure to check the errata + for problems concerning the version of iptables (v1.2.3) shipped with + RH7.2.
+- -
9. Why can't Shorewall detect my interfaces - properly?
- -I just installed Shorewall and when I issue the start command, - I see the following:
- -+ ++ +9. Why can't Shorewall detect my interfaces + properly?
+ +I just installed Shorewall and when I issue the start command, + I see the following:
+ +- -Processing /etc/shorewall/shorewall.conf ...-
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
Deleting user chains...
Creating input Chains...
...++ +- -Why can't Shorewall detect my interfaces properly?
--+Answer: The above output is perfectly normal. The -Net zone is defined as all hosts that are connected through eth0 and the -local zone is defined as all hosts connected through eth1
-++ +Answer: The above output is perfectly normal. The Net + zone is defined as all hosts that are connected through eth0 and the local + zone is defined as all hosts connected through eth1
+10. What Distributions does it work + with?
+ +Shorewall works with any GNU/Linux distribution that includes + the proper prerequisites.
-10. What Distributions does it work - with?
- -Shorewall works with any GNU/Linux distribution that includes - the proper prerequisites.
-11. What Features does it have?
+ +Answer: See the Shorewall + Feature List.
-Answer: See the Shorewall - Feature List.
-12. Why isn't there a GUI?
+ +Answer: Every time I've started to work on one, I find +myself doing other things. I guess I just don't care enough if Shorewall +has a GUI to invest the effort to create one myself. There are several +Shorewall GUI projects underway however and I will publish links to +them when the authors feel that they are ready.
-Answer: Every time I've started to work on one, I -find myself doing other things. I guess I just don't care enough if -Shorewall has a GUI to invest the effort to create one myself. There -are several Shorewall GUI projects underway however and I will publish -links to them when the authors feel that they are ready.
-13. Why do you call it "Shorewall"?
+ +Answer: Shorewall is a concatenation of "Shoreline" + (the city where I live) + and "Firewall".
-Answer: Shorewall is a concatenation of "Shoreline" - (the city where I live) - and "Firewall".
- -14. I'm connected via a cable modem - and it has an internal web server that allows me to configure/monitor - it but as expected if I enable rfc1918 blocking for my eth0 interface - (the internet one), it also blocks the cable modems web server.
- -Is there any way it can add a rule before the rfc1918 blocking - that will let all traffic to and from the 192.168.100.1 address of +
14. I'm connected via a cable modem + and it has an internal web server that allows me to configure/monitor + it but as expected if I enable rfc1918 blocking for my eth0 interface + (the internet one), it also blocks the cable modems web server.
+ +Is there any way it can add a rule before the rfc1918 blocking + that will let all traffic to and from the 192.168.100.1 address of the modem in/out but still block all other rfc1918 addresses.
+ +Answer: If you are running a version of Shorewall earlier +than 1.3.1, create /etc/shorewall/start and in it, place the following:
-Answer: If you are running a version of Shorewall -earlier than 1.3.1, create /etc/shorewall/start and in it, place the -following:
- -++ +- -run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT--- -If you are running version 1.3.1 or later, simply add the - following to /etc/shorewall/rfc1918:
--+ ++++ +If you are running version 1.3.1 or later, simply add the + following to /etc/shorewall/rfc1918:
+++ ++- -
+- +SUBNET -TARGET ++ +SUBNET +TARGET ++ + + + +192.168.100.1 +RETURN ++- -Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
+ +
+Note: If you add a second IP address to your external firewall + interface to correspond to the modem address, you must also make an entry + in /etc/shorewall/rfc1918 for that address. For example, if you configure + the address 192.168.100.2 on your firewall, then you would add two entries + to /etc/shorewall/rfc1918:
+ +
++-+ +
-+ SUBNET +
+TARGET
+- +192.168.100.1 -RETURN +192.168.100.1 +
+RETURN +
++ - +192.168.100.2 +
+RETURN
+-- -Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
- -
-Note: If you add a second IP address to your external firewall - interface to correspond to the modem address, you must also make an entry - in /etc/shorewall/rfc1918 for that address. For example, if you configure - the address 192.168.100.2 on your firewall, then you would add two entries - to /etc/shorewall/rfc1918:
- -
---- -
-- -SUBNET -
-TARGET -
-- -192.168.100.1 -
-RETURN -
-- - - -192.168.100.2 -
-RETURN -
--- -14a. Even though it assigns public -IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable -RFC 1918 filtering on my external interface, my DHCP client cannot renew -its lease.
--- -The solution is the same as FAQ 14 above. Simply substitute - the IP address of your ISPs DHCP server.
-15. My local systems can't see out to - the net
- -Answer: Every time I read "systems can't see out to - the net", I wonder where the poster bought computers with eyes and -what those computers will "see" when things are working properly. That + +
++ +14a. Even though it assigns public IP + addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC +1918 filtering on my external interface, my DHCP client cannot renew its +lease.
+++ +The solution is the same as FAQ 14 above. Simply substitute + the IP address of your ISPs DHCP server.
+15. My local systems can't see out to + the net
+ +Answer: Every time I read "systems can't see out to + the net", I wonder where the poster bought computers with eyes and +what those computers will "see" when things are working properly. That aside, the most common causes of this problem are:
- +-
- -- -
-The default gateway on each local system isn't set to - the IP address of the local firewall interface.
-- -
-The entry for the local network in the /etc/shorewall/masq - file is wrong or missing.
-- -
- -The DNS settings on the local systems are wrong or the - user is running a DNS server on the firewall and hasn't enabled UDP - and TCP port 53 from the firewall to the internet.
-16. Shorewall is writing log messages - all over my console making it unusable!
- -Answer: "man dmesg" -- add a suitable 'dmesg' command - to your startup scripts or place it in /etc/shorewall/start. Under - RedHat, the max log level that is sent to the console is specified -in /etc/sysconfig/init in the LOGLEVEL variable.
+
-+ +The default gateway on each local system isn't set to + the IP address of the local firewall interface.
++ + +The entry for the local network in the /etc/shorewall/masq + file is wrong or missing.
++ + + + + +The DNS settings on the local systems are wrong or the + user is running a DNS server on the firewall and hasn't enabled UDP + and TCP port 53 from the firewall to the internet.
+16. Shorewall is writing log messages + all over my console making it unusable!
+ +Answer: "man dmesg" -- add a suitable 'dmesg' command + to your startup scripts or place it in /etc/shorewall/start. Under + RedHat, the max log level that is sent to the console is specified + in /etc/sysconfig/init in the LOGLEVEL variable.
+
+17. How do I find out why this is getting logged?
- Answer: Logging occurs out of a number of chains (as indicated - in the log message) in Shorewall:
- + Answer: Logging occurs out of a number of chains (as indicated + in the log message) in Shorewall:
+-
- -- man1918 - The destination address is listed in /etc/shorewall/rfc1918 - with a logdrop target -- see man1918 - The destination address is listed in /etc/shorewall/rfc1918 + with a logdrop target -- see /etc/shorewall/rfc1918.
-- rfc1918 - The source address is listed in /etc/shorewall/rfc1918 - with a logdrop target -- see rfc1918 - The source address is listed in /etc/shorewall/rfc1918 + with a logdrop target -- see /etc/shorewall/rfc1918.
-- all2<zone>, <zone>2all or all2all - - You have a policy that specifies -a log level and this packet is being logged under that policy. If you intend - to ACCEPT this traffic then you need a all2<zone>, <zone>2all or all2all + - You have a policy that + specifies a log level and this packet is being logged under that policy. + If you intend to ACCEPT this traffic then you need a rule to that effect.
-
-- <zone1>2<zone2> - Either you have a policy for <zone1> to - <zone2> that specifies a log level and this packet is being - logged under that policy or this packet matches a rule that include a log level.
-- logpkt - The packet is being logged under the logunclean - interface option.
-- badpkt - The packet is being logged under the dropunclean - interface option as specified - in the LOGUNCLEAN setting in /etc/shorewall/shorewall.conf.
-- blacklst - The packet is being logged because the source - IP is blacklisted in the /etc/shorewall/blacklist - file.
-- newnotsyn - The packet is being logged because it is a -TCP packet that is not part of any current connection yet it is not a syn -packet. Options affecting the logging of such packets include NEWNOTSYN - and LOGNEWNOTSYN in +
- <zone1>2<zone2> - Either you have a policy for <zone1> to + <zone2> that specifies a log level and this packet is being + logged under that policy or this packet matches a rule that includes a log level.
+- <interface>_mac - The packet is being logged under the + maclist interface option.
+
+- logpkt - The packet is being logged under the logunclean + interface option.
+- badpkt - The packet is being logged under the dropunclean + interface option as specified + in the LOGUNCLEAN setting in /etc/shorewall/shorewall.conf.
+- blacklst - The packet is being logged because the source + IP is blacklisted in the /etc/shorewall/blacklist + file.
+- newnotsyn - The packet is being logged because it is + a TCP packet that is not part of any current connection yet it is not +a syn packet. Options affecting the logging of such packets include NEWNOTSYN + and LOGNEWNOTSYN in /etc/shorewall/shorewall.conf.
-- INPUT or FORWARD - The packet has a source IP address - that isn't in any of your defined zones ("shorewall check" and look at the - printed zone definitions) or the chain is FORWARD and the destination IP - isn't in any of your defined zones.
- +- INPUT or FORWARD - The packet has a source IP +address that isn't in any of your defined zones ("shorewall check" and +look at the printed zone definitions) or the chain is FORWARD and the destination + IP isn't in any of your defined zones.
+18. Is there any way to use aliased ip addresses - with Shorewall, and maintain separate rulesets for different IPs?
- Answer: Yes. You simply use the IP address in your rules (or if -you use NAT, use the local IP address in your rules). Note: The ":n" -notation (e.g., eth0:0) is deprecated and will disappear eventually. Neither - iproute (ip and tc) nor iptables supports that notation so neither does - Shorewall.
-
- Example 1:
-
- /etc/shorewall/rules + +18. Is there any way to use aliased ip addresses + with Shorewall, and maintain separate rulesets for different IPs?
+ Answer: Yes. You simply use the IP address in your rules (or +if you use NAT, use the local IP address in your rules). Note: The +":n" notation (e.g., eth0:0) is deprecated and will disappear eventually. +Neither iproute (ip and tc) nor iptables supports that notation so neither +does Shorewall.
+
+ Example 1:
+
+ /etc/shorewall/rules# Accept AUTH but only on address 192.0.2.125- Example 2 (NAT):
ACCEPT net fw:192.0.2.125 tcp auth
-
- /etc/shorewall/nat
- + Example 2 (NAT):
+
+ /etc/shorewall/nat
+192.0.2.126 eth0 10.1.1.126- /etc/shorewall/rules + /etc/shorewall/rules# Accept HTTP on 192.0.2.126 (a.k.a. 10.1.1.126)- + class="moz-txt-citetags">
ACCEPT net loc:10.1.1.126 tcp www
+ Example 3 (DNAT):
+ +# Forward SMTP on external address 192.0.2.127 to local system 10.1.1.127+ +
DNAT net loc:10.1.1.127 tcp smtp - 192.0.2.12719. I have added entries to /etc/shorewall/tcrules +but they don't seem to do anything. Why?
+ You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf +so the contents of the tcrules file are simply being ignored.
+20. I have just set up a server. Do I have +to change Shorewall to allow access to my server from the internet?
+Yes. Consult the QuickStart guide +that you used during your initial setup for information about how to set +up rules for your server.
+
+
+- -Last updated 11/09/2002 - Tom Eastep
- -Copyright - © 2001, 2002 Thomas M. Eastep.
+ Last updated 11/24/2002 - Tom Eastep + +Copyright + © 2001, 2002 Thomas M. Eastep.
+
+
+
+
-
diff --git a/Shorewall-docs/News.htm b/Shorewall-docs/News.htm index 6016710da..4bd17b10c 100644 --- a/Shorewall-docs/News.htm +++ b/Shorewall-docs/News.htm @@ -1,1452 +1,1512 @@ - +Shorewall News - + - + - +- -
- -- +- + + - - + + + ++ + -Shorewall News Archive
-11/09/2002 - Shorewall 1.3.10
+ +11/24/2002 - Shorewall 1.3.11
In this version:
-
+- You may now define the contents of a zone -dynamically with the "shorewall -add" and "shorewall delete" commands. These commands are expected to -be used primarily within FreeS/Wan updown scripts.
-- Shorewall can now do MAC verification - on ethernet segments. You can specify the set of allowed MAC addresses -on the segment and you can optionally tie each MAC address to one or more -IP addresses.
-- PPTP Servers and Clients running on the firewall system may now be -defined in the /etc/shorewall/tunnels file.
-- A new 'ipsecnat' tunnel type is supported for use when the - remote IPSEC endpoint is behind a NAT gateway.
-- The PATH used by Shorewall may now be specified in /etc/shorewall/shorewall.conf.
-- The main firewall script is now /usr/lib/shorewall/firewall. The script -in /etc/init.d/shorewall is very small and uses /sbin/shorewall to do the -real work. This change makes custom distributions such as for Debian and -for Gentoo easier to manage since it is /etc/init.d/shorewall that tends -to have distribution-dependent code
+- A 'tcpflags' option has been added to entries in /etc/shorewall/interfaces. This +option causes Shorewall to make a set of sanity check on TCP packet header +flags.
+- It is now allowed to use 'all' in the SOURCE or DEST column in a rule. When used, 'all' must appear by +itself (in may not be qualified) and it does not enable intra-zone traffic. +For example, the rule
+
+
+ ACCEPT loc all tcp 80
+
+does not enable http traffic from 'loc' to 'loc'.- Shorewall's use of the 'echo' command is now compatible with bash clones +such as ash and dash.
+- fw->fw policies now generate a startup error. fw->fw rules generate +a warning and are ignored
11/14/2002 - Shorewall Documentation in PDF Format
+ +Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation. +the PDF may be downloaded from
+ +ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
+ +
+ http://slovakia.shorewall.net/pub/shorewall/pdf/
+11/09/2002 - Shorewall is Back at SourceForge +
+ +The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
+ +
+11/09/2002 - Shorewall 1.3.10
+ +In this version:
+ ++
+- You may now define the contents of +a zone dynamically with the "shorewall add" and "shorewall + delete" commands. These commands are expected to be used primarily +within FreeS/Wan +updown scripts.
+- Shorewall can now do MAC verification + on ethernet segments. You can specify the set of allowed MAC addresses +on the segment and you can optionally tie each MAC address to one or more +IP addresses.
+- PPTP Servers and Clients running on the firewall system may now +be defined in the /etc/shorewall/tunnels file.
+- A new 'ipsecnat' tunnel type is supported for use when the + remote IPSEC endpoint is behind a NAT gateway.
+- The PATH used by Shorewall may now be specified in /etc/shorewall/shorewall.conf.
+- The main firewall script is now /usr/lib/shorewall/firewall. The + script in /etc/init.d/shorewall is very small and uses /sbin/shorewall + to do the real work. This change makes custom distributions such as for +Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall +that tends to have distribution-dependent code
+ +10/24/2002 - Shorewall is now in Gentoo Linux
- Alexandru Hartmann reports that his Shorewall package is now a part of -the Gentoo Linux distribution. Thanks -Alex!
-
- + + Alexandru Hartmann reports that his Shorewall package is now a part +of the Gentoo Linux distribution. Thanks + Alex!
+10/23/2002 - Shorewall 1.3.10 Beta 1
- In this version:
+ In this version:
+ ++
+ You may download the Beta from:- You may now define the contents of +a zone dynamically with the "shorewall add" and "shorewall + delete" commands. These commands are expected to be used primarily within + FreeS/Wan updown + scripts.
+- Shorewall can now do MAC verification + on ethernet segments. You can specify the set of allowed MAC addresses +on the segment and you can optionally tie each MAC address to one or more +IP addresses.
+- PPTP Servers and Clients running on the firewall system may now + be defined in the /etc/shorewall/tunnels file.
+- A new 'ipsecnat' tunnel type is supported for use when the + remote IPSEC endpoint is behind a NAT gateway.
+- The PATH used by Shorewall may now be specified in /etc/shorewall/shorewall.conf.
+- The main firewall script is now /usr/lib/shorewall/firewall. The + script in /etc/init.d/shorewall is very small and uses /sbin/shorewall to + do the real work. This change makes custom distributions such as for Debian + and for Gentoo easier to manage since it is /etc/init.d/shorewall that +tends to have distribution-dependent code.
+ +
+ + + +10/10/2002 - Debian 1.3.9b Packages Available
+ +
+Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
+ +10/9/2002 - Shorewall 1.3.9b
+ This release rolls up fixes to the installer and to the firewall script.
+ +10/6/2002 - Shorewall.net now running on RH8.0
+ Roles up the fix for broken tunnels.
+
+ The firewall and server here at shorewall.net are now running RedHat + release 8.0.
+
+ 9/30/2002 - Shorewall 1.3.9a
+ +9/30/2002 - TUNNELS Broken in 1.3.9!!!
+ There is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall + -- copy that file to /usr/lib/shorewall/firewall.
+ +9/28/2002 - Shorewall 1.3.9
+ +In this version:
+-
- You may download the Beta from:- You may now define the contents of a -zone dynamically with the "shorewall add" and "shorewall - delete" commands. These commands are expected to be used primarily within - FreeS/Wan updown - scripts.
-- Shorewall can now do MAC verification - on ethernet segments. You can specify the set of allowed MAC addresses -on the segment and you can optionally tie each MAC address to one or more -IP addresses.
-- PPTP Servers and Clients running on the firewall system may now be -defined in the /etc/shorewall/tunnels file.
-- A new 'ipsecnat' tunnel type is supported for use when the - remote IPSEC endpoint is behind a NAT gateway.
-- The PATH used by Shorewall may now be specified in /etc/shorewall/shorewall.conf.
-- The main firewall script is now /usr/lib/shorewall/firewall. The -script in /etc/init.d/shorewall is very small and uses /sbin/shorewall to -do the real work. This change makes custom distributions such as for Debian - and for Gentoo easier to manage since it is /etc/init.d/shorewall that tends - to have distribution-dependent code.
- +- DNS Names + are now allowed in Shorewall config files (although I recommend against + using them).
+- The connection SOURCE may now be qualified by both interface + and IP address in a Shorewall rule.
+- Shorewall startup is now disabled after initial installation + until the file /etc/shorewall/startup_disabled is removed. This avoids + nasty surprises during reboot for users who install Shorewall but don't + configure it.
+- The 'functions' and 'version' files and the 'firewall' symbolic + link have been moved from /var/lib/shorewall to /usr/lib/shorewall to + appease the LFS police at Debian.
+
+
- - - -10/10/2002 - Debian 1.3.9b Packages Available
- -
-Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
- -10/9/2002 - Shorewall 1.3.9b
- This release rolls up fixes to the installer and to the firewall script.
- -10/6/2002 - Shorewall.net now running on RH8.0
- Roles up the fix for broken tunnels.
-
- The firewall and server here at shorewall.net are now running RedHat -release 8.0.
-
- 9/30/2002 - Shorewall 1.3.9a
- -9/30/2002 - TUNNELS Broken in 1.3.9!!!
- There is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - -- copy that file to /usr/lib/shorewall/firewall.
- -9/28/2002 - Shorewall 1.3.9
- -In this version:
- -
--
- -- DNS Names - are now allowed in Shorewall config files (although I recommend against - using them).
-- The connection SOURCE may now be qualified by both interface - and IP address in a Shorewall rule.
-- Shorewall startup is now disabled after initial installation - until the file /etc/shorewall/startup_disabled is removed. This avoids - nasty surprises during reboot for users who install Shorewall but don't - configure it.
-- The 'functions' and 'version' files and the 'firewall' symbolic - link have been moved from /var/lib/shorewall to /usr/lib/shorewall to -appease the LFS police at Debian.
- -
-9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability - Restored
- 9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability + Restored
-
+ + - A couple of recent configuration changes at www.shorewall.net - broke the Search facility:
- -+ A couple of recent configuration changes at www.shorewall.net + broke the Search facility:+ Hopefully these problems are now corrected. +
+ +- Hopefully these problems are now corrected. --
-- Mailing List Archive Search was not available.
-- The Site Search index was incomplete
-- Only one page of matches was presented.
- +- Mailing List Archive Search was not available.
+- The Site Search index was incomplete
+- Only one page of matches was presented.
+9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability - Restored
- A couple of recent configuration changes at www.shorewall.net -had the negative effect of breaking the Search facility:
-
- +9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability + Restored
+ A couple of recent configuration changes at www.shorewall.net + had the negative effect of breaking the Search facility:
+
+-
- Hopefully these problems are now corrected.- Mailing List Archive Search was not available.
-- The Site Search index was incomplete
-- Only one page of matches was presented.
- +- Mailing List Archive Search was not available.
+- The Site Search index was incomplete
+- Only one page of matches was presented.
+
- + Hopefully these problems are now corrected.
+9/18/2002 - Debian 1.3.8 Packages Available
- + +
-Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +9/16/2002 - Shorewall 1.3.8
- +In this version:
- + +
--
- +- A NEWNOTSYN option - has been added to shorewall.conf. This option determines whether Shorewall - accepts TCP packets which are not part of an established connection -and that are not 'SYN' packets (SYN flag on and ACK flag off).
-- The need for the 'multi' option to communicate between - zones za and zb on the same interface is removed in the case where +
- A NEWNOTSYN option + has been added to shorewall.conf. This option determines whether +Shorewall accepts TCP packets which are not part of an established +connection and that are not 'SYN' packets (SYN flag on and ACK flag +off).
+- The need for the 'multi' option to communicate between + zones za and zb on the same interface is removed in the case where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
- +-
- +- There is a policy for za to zb; or
-- There is at least one rule for za to zb.
- +- There is a policy for za to zb; or
+- There is at least one rule for za to zb.
+-
- +- The /etc/shorewall/blacklist file now contains three -columns. In addition to the SUBNET/ADDRESS column, there are optional -PROTOCOL and PORT columns to block only certain applications from the -blacklisted addresses.
- +
-- The /etc/shorewall/blacklist file now contains three + columns. In addition to the SUBNET/ADDRESS column, there are optional + PROTOCOL and PORT columns to block only certain applications from the + blacklisted addresses.
+
+9/11/2002 - Debian 1.3.7c Packages Available
- +Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +9/2/2002 - Shorewall 1.3.7c
- -This is a role up of a fix for "DNAT" rules where the source zone is $FW - (fw).
- + +This is a role up of a fix for "DNAT" rules where the source zone is $FW + (fw).
+8/31/2002 - I'm not available
- -I'm currently on vacation -- please respect my need for a couple of -weeks free of Shorewall problem reports.
- + +I'm currently on vacation -- please respect my need for a couple of + weeks free of Shorewall problem reports.
+-Tom
- +8/26/2002 - Shorewall 1.3.7b
- -This is a role up of the "shorewall refresh" bug fix and the change which - reverses the order of "dhcp" and "norfc1918" checking.
- + +This is a role up of the "shorewall refresh" bug fix and the change which + reverses the order of "dhcp" and "norfc1918" checking.
+8/26/2002 - French FTP Mirror is Operational
- +ftp://france.shorewall.net/pub/mirrors/shorewall - is now available.
- + href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall + is now available. +8/25/2002 - Shorewall Mirror in France
- -Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored - at http://france.shorewall.net.
- + +Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored + at http://france.shorewall.net.
+8/25/2002 - Shorewall 1.3.7a Debian Packages Available
- -Lorenzo Martignoni reports that the packages for version 1.3.7a are available - at http://security.dsi.unimi.it/~lorenzo/debian.html.
- -8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author - -- Shorewall 1.3.7a releasedLorenzo Martignoni reports that the packages for version 1.3.7a are available + at http://security.dsi.unimi.it/~lorenzo/debian.html.
+ +8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author + -- Shorewall 1.3.7a released -
- -1.3.7a corrects problems occurring in rules file processing when starting - Shorewall 1.3.7.
- + + +1.3.7a corrects problems occurring in rules file processing when starting + Shorewall 1.3.7.
+8/22/2002 - Shorewall 1.3.7 Released 8/13/2002
- +Features in this release include:
- +-
- -- The 'icmp.def' file is now empty! The rules in that -file were required in ipchains firewalls but are not required in -Shorewall. Users who have ALLOWRELATED=No in The 'icmp.def' file is now empty! The rules in that + file were required in ipchains firewalls but are not required +in Shorewall. Users who have ALLOWRELATED=No in shorewall.conf should see the Upgrade Issues.
-- A 'FORWARDPING' option has been added to shorewall.conf. The effect of setting - this variable to Yes is the same as the effect of adding an ACCEPT - rule for ICMP echo-request in /etc/shorewall/icmpdef. Users - who have such a rule in icmpdef are encouraged to switch to FORWARDPING=Yes.
-- The loopback CLASS A Network (127.0.0.0/8) has been -added to the rfc1918 file.
-- Shorewall now works with iptables 1.2.7
-- The documentation and web site no longer uses FrontPage - themes.
- +- A 'FORWARDPING' option has been added to shorewall.conf. The effect of setting + this variable to Yes is the same as the effect of adding an ACCEPT + rule for ICMP echo-request in /etc/shorewall/icmpdef. Users + who have such a rule in icmpdef are encouraged to switch to FORWARDPING=Yes.
+- The loopback CLASS A Network (127.0.0.0/8) has been + added to the rfc1918 file.
+- Shorewall now works with iptables 1.2.7
+- The documentation and web site no longer uses FrontPage + themes.
+I would like to thank John Distler for his valuable input regarding TCP - SYN and ICMP treatment in Shorewall. That input has led to marked - improvement in Shorewall in the last two releases.
- + +I would like to thank John Distler for his valuable input regarding TCP + SYN and ICMP treatment in Shorewall. That input has led to marked + improvement in Shorewall in the last two releases.
+8/13/2002 - Documentation in the CVS Repository
- -The Shorewall-docs project now contains just the HTML and image files -- the Frontpage files have been removed.
- + +The Shorewall-docs project now contains just the HTML and image files - +the Frontpage files have been removed.
+8/7/2002 - STABLE branch added to CVS Repository
- -This branch will only be updated after I release a new version of Shorewall - so you can always update from this branch to get the latest stable - tree.
- -8/7/2002 - Upgrade Issues section -added to the Errata Page
- -Now there is one place to go to look for issues involved with upgrading - to recent versions of Shorewall.
- + +This branch will only be updated after I release a new version of Shorewall + so you can always update from this branch to get the latest stable + tree.
+ +8/7/2002 - Upgrade Issues section added + to the Errata Page
+ +Now there is one place to go to look for issues involved with upgrading + to recent versions of Shorewall.
+8/7/2002 - Shorewall 1.3.6
- +This is primarily a bug-fix rollup with a couple of new features:
- +-
- +- The latest QuickStart Guides - including the Shorewall Setup - Guide.
-- Shorewall will now DROP TCP packets that are not part - of or related to an existing connection and that are not SYN packets. - These "New not SYN" packets may be optionally logged by setting -the LOGNEWNOTSYN option in /etc/shorewall/shorewall.conf.
-- The processing of "New not SYN" packets may be extended - by commands in the new The latest QuickStart Guides + including the Shorewall Setup +Guide.
+- Shorewall will now DROP TCP packets that are not +part of or related to an existing connection and that are not SYN +packets. These "New not SYN" packets may be optionally logged by +setting the LOGNEWNOTSYN option in /etc/shorewall/shorewall.conf.
+- The processing of "New not SYN" packets may be extended + by commands in the new newnotsyn extension script.
- +7/30/2002 - Shorewall 1.3.5b Released
- +This interim release:
- +-
- +- Causes the firewall script to remove the lock file -if it is killed.
-- Once again allows lists in the second column of the - /etc/shorewall/hosts file.
-- Includes the latest Causes the firewall script to remove the lock file + if it is killed.
+- Once again allows lists in the second column of +the /etc/shorewall/hosts file.
+- Includes the latest QuickStart Guides.
- +7/29/2002 - New Shorewall Setup Guide Available
- +The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm. - The guide is intended for use by people who are setting up Shorewall - to manage multiple public IP addresses and by people who want to -learn more about Shorewall than is described in the single-address + href="http://www.shorewall.net/shorewall_setup_guide.htm"> http://www.shorewall.net/shorewall_setup_guide.htm. + The guide is intended for use by people who are setting up Shorewall + to manage multiple public IP addresses and by people who want to +learn more about Shorewall than is described in the single-address guides. Feedback on the new guide is welcome.
- +7/28/2002 - Shorewall 1.3.5 Debian Package Available
- -Lorenzo Martignoni reports that the packages are version 1.3.5a and are - available at Lorenzo Martignoni reports that the packages are version 1.3.5a and are + available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +7/27/2002 - Shorewall 1.3.5a Released
- +This interim release restores correct handling of REDIRECT rules.
- +7/26/2002 - Shorewall 1.3.5 Released
- -This will be the last Shorewall release for a while. I'm going to be -focusing on rewriting a lot of the documentation.
- + +This will be the last Shorewall release for a while. I'm going to be + focusing on rewriting a lot of the documentation.
+In this version:
- +-
- +- Empty and invalid source and destination qualifiers -are now detected in the rules file. It is a good idea to use the -'shorewall check' command before you issue a 'shorewall restart' -command be be sure that you don't have any configuration problems -that will prevent a successful restart.
-- Added MERGE_HOSTS variable in shorewall.conf to provide saner behavior - of the /etc/shorewall/hosts file.
-- The time that the counters were last reset is now displayed - in the heading of the 'status' and 'show' commands.
-- A proxyarp option has been added for entries -in /etc/shorewall/interfaces. - This option facilitates Proxy ARP sub-netting as described in the Proxy - ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). - Specifying the proxyarp option for an interface causes Shorewall - to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
-- The Samples have been updated to reflect the new capabilities - in this release.
- +- Empty and invalid source and destination qualifiers + are now detected in the rules file. It is a good idea to use +the 'shorewall check' command before you issue a 'shorewall restart' + command be be sure that you don't have any configuration problems + that will prevent a successful restart.
+- Added MERGE_HOSTS variable in shorewall.conf to provide saner behavior + of the /etc/shorewall/hosts file.
+- The time that the counters were last reset is now + displayed in the heading of the 'status' and 'show' commands.
+- A proxyarp option has been added for entries + in /etc/shorewall/interfaces. + This option facilitates Proxy ARP sub-netting as described in the + Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). + Specifying the proxyarp option for an interface causes Shorewall + to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
+- The Samples have been updated to reflect the new +capabilities in this release.
+7/16/2002 - New Mirror in Argentina
- -Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in - Argentina. Thanks Buanzo!!!
- + +Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in + Argentina. Thanks Buanzo!!!
+7/16/2002 - Shorewall 1.3.4 Released
- +In this version:
- +-
- +- A new -/etc/shorewall/routestopped file has been added. This file is -intended to eventually replace the routestopped option -in the /etc/shorewall/interface and /etc/shorewall/hosts files. -This new file makes remote firewall administration easier by allowing +
- A new + /etc/shorewall/routestopped file has been added. This file +is intended to eventually replace the routestopped option + in the /etc/shorewall/interface and /etc/shorewall/hosts files. +This new file makes remote firewall administration easier by allowing any IP or subnet to be enabled while Shorewall is stopped.
-- An /etc/shorewall/stopped extension script has been added. - This script is invoked after Shorewall has stopped.
-- A DETECT_DNAT_ADDRS option has been added to - /etc/shoreall/shorewall.conf. - When this option is selected, DNAT rules only apply when the destination - address is the external interface's primary IP address.
-- The QuickStart - Guide has been broken into three guides and has been almost -entirely rewritten.
-- The Samples have been updated to reflect the new capabilities - in this release.
- +- An /etc/shorewall/stopped extension script has been added. + This script is invoked after Shorewall has stopped.
+- A DETECT_DNAT_ADDRS option has been added +to /etc/shoreall/shorewall.conf. + When this option is selected, DNAT rules only apply when the destination + address is the external interface's primary IP address.
+- The QuickStart + Guide has been broken into three guides and has been almost + entirely rewritten.
+- The Samples have been updated to reflect the new +capabilities in this release.
+7/8/2002 - Shorewall 1.3.3 Debian Package Available
- +Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +7/6/2002 - Shorewall 1.3.3 Released
- +In this version:
- +-
- +- Entries in /etc/shorewall/interface that use the wildcard - character ("+") now have the "multi" option assumed.
-- The 'rfc1918' chain in the mangle table has been renamed - 'man1918' to make log messages generated from that chain distinguishable - from those generated by the 'rfc1918' chain in the filter table.
-- Interface names appearing in the hosts file are now -validated against the interfaces file.
-- The TARGET column in the rfc1918 file is now checked - for correctness.
-- The chain structure in the nat table has been changed - to reduce the number of rules that a packet must traverse and to -correct problems with NAT_BEFORE_RULES=No
-- The "hits" command has been enhanced.
- +- Entries in /etc/shorewall/interface that use the +wildcard character ("+") now have the "multi" option assumed.
+- The 'rfc1918' chain in the mangle table has been +renamed 'man1918' to make log messages generated from that chain +distinguishable from those generated by the 'rfc1918' chain in +the filter table.
+- Interface names appearing in the hosts file are +now validated against the interfaces file.
+- The TARGET column in the rfc1918 file is now checked + for correctness.
+- The chain structure in the nat table has been changed + to reduce the number of rules that a packet must traverse and +to correct problems with NAT_BEFORE_RULES=No
+- The "hits" command has been enhanced.
+6/25/2002 - Samples Updated for 1.3.2
- -The comments in the sample configuration files have been updated to reflect - new features introduced in Shorewall 1.3.2.
- + +The comments in the sample configuration files have been updated to reflect + new features introduced in Shorewall 1.3.2.
+6/25/2002 - Shorewall 1.3.1 Debian Package Available
- +Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +6/19/2002 - Documentation Available in PDF Format
- -Thanks to Mike Martinez, the Shorewall Documentation is now available -for download in Adobe PDF format.
- + +Thanks to Mike Martinez, the Shorewall Documentation is now available for + download in Adobe + PDF format.
+6/16/2002 - Shorewall 1.3.2 Released
- +In this version:
- +-
- +- A logwatch command - has been added to /sbin/shorewall.
-- A dynamic blacklist - facility has been added.
-- Support for the Netfilter - multiport match function has been added.
-- The files firewall, functions and version - have been moved from /etc/shorewall to /var/lib/shorewall.
- +- A logwatch +command has been added to /sbin/shorewall.
+- A dynamic blacklist + facility has been added.
+- Support for the Netfilter multiport match function +has been added.
+- The files firewall, functions and version + have been moved from /etc/shorewall to /var/lib/shorewall.
+6/6/2002 - Why CVS Web access is Password Protected
- -Last weekend, I installed the CVS Web package to provide brower-based -access to the Shorewall CVS repository. Since then, I have had several -instances where my server was almost unusable due to the high load generated -by website copying tools like HTTrack and WebStripper. These mindless tools:
- + +Last weekend, I installed the CVS Web package to provide brower-based access + to the Shorewall CVS repository. Since then, I have had several instances +where my server was almost unusable due to the high load generated by website +copying tools like HTTrack and WebStripper. These mindless tools:
+-
- -- Ignore robot.txt files.
-- Recursively copy everything that they find.
-- Should be classified as weapons rather than tools.
- +- Ignore robot.txt files.
+- Recursively copy everything that they find.
+- Should be classified as weapons rather than tools.
+These tools/weapons are particularly damaging when combined with CVS Web - because they doggedly follow every link in the cgi-generated HTML - resulting in 1000s of executions of the cvsweb.cgi script. Yesterday, - I spend several hours implementing measures to block these tools but - unfortunately, these measures resulted in my server OOM-ing under + +
These tools/weapons are particularly damaging when combined with CVS Web + because they doggedly follow every link in the cgi-generated HTML + resulting in 1000s of executions of the cvsweb.cgi script. Yesterday, + I spend several hours implementing measures to block these tools but + unfortunately, these measures resulted in my server OOM-ing under even moderate load.
- -Until I have the time to understand the cause of the OOM (or until I buy - more RAM if that is what is required), CVS Web access will remain - Password Protected.
- + +Until I have the time to understand the cause of the OOM (or until I buy + more RAM if that is what is required), CVS Web access will remain + Password Protected.
+6/5/2002 - Shorewall 1.3.1 Debian Package Available
- +Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +6/2/2002 - Samples Corrected
- -The 1.3.0 samples configurations had several serious problems that prevented - DNS and SSH from working properly. These problems have been corrected - in the 1.3.1 samples.
- + +The 1.3.0 samples configurations had several serious problems that prevented + DNS and SSH from working properly. These problems have been corrected + in the 1.3.1 samples.
+6/1/2002 - Shorewall 1.3.1 Released
- +Hot on the heels of 1.3.0, this release:
- +-
- +- Corrects a serious problem with "all <zone> - CONTINUE" policies. This problem is present in all versions of -Shorewall that support the CONTINUE policy. These previous versions -optimized away the "all2<zone>" chain and replaced it -with the "all2all" chain with the usual result that a policy of REJECT -was enforced rather than the intended CONTINUE policy.
-- Adds an /etc/shorewall/rfc1918 - file for defining the exact behavior of theCorrects a serious problem with "all <zone> + CONTINUE" policies. This problem is present in all versions of + Shorewall that support the CONTINUE policy. These previous versions + optimized away the "all2<zone>" chain and replaced it + with the "all2all" chain with the usual result that a policy of REJECT + was enforced rather than the intended CONTINUE policy.
+- Adds an /etc/shorewall/rfc1918 + file for defining the exact behavior of the 'norfc1918' interface option.
- +5/29/2002 - Shorewall 1.3.0 Released
- -In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 - includes:
- + +In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 + includes:
+-
- +- A 'filterping' interface option that allows ICMP echo-request - (ping) requests addressed to the firewall to be handled by entries - in /etc/shorewall/rules and /etc/shorewall/policy.
- +- A 'filterping' interface option that allows ICMP +echo-request (ping) requests addressed to the firewall to be handled +by entries in /etc/shorewall/rules and /etc/shorewall/policy.
+5/23/2002 - Shorewall 1.3 RC1 Available
- -In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) - incorporates the following:
- + +In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) + incorporates the following:
+-
- +- Support for the /etc/shorewall/whitelist file has been - withdrawn. If you need whitelisting, see Support for the /etc/shorewall/whitelist file has + been withdrawn. If you need whitelisting, see these instructions.
- +5/19/2002 - Shorewall 1.3 Beta 2 Available
- -In addition to the changes in Beta 1, this release which carries the -designation 1.2.91 adds:
- + +In addition to the changes in Beta 1, this release which carries the + designation 1.2.91 adds:
+-
- +- The structure of the firewall is changed markedly. -There is now an INPUT and a FORWARD chain for each interface; this -reduces the number of rules that a packet must traverse, especially -in complicated setups.
-- Sub-zones may now - be excluded from DNAT and REDIRECT rules.
-- The names of the columns in a number of the configuration - files have been changed to be more consistent and self-explanatory - and the documentation has been updated accordingly.
-- The sample configurations have been updated for 1.3.
- +- The structure of the firewall is changed markedly. + There is now an INPUT and a FORWARD chain for each interface; this + reduces the number of rules that a packet must traverse, especially + in complicated setups.
+- Sub-zones may + now be excluded from DNAT and REDIRECT rules.
+- The names of the columns in a number of the configuration + files have been changed to be more consistent and self-explanatory + and the documentation has been updated accordingly.
+- The sample configurations have been updated for +1.3.
+5/17/2002 - Shorewall 1.3 Beta 1 Available
- -Beta 1 carries the version designation 1.2.90 and implements the following - features:
- + +Beta 1 carries the version designation 1.2.90 and implements the following + features:
+-
- +- Simplified rule syntax which makes the intent of each - rule clearer and hopefully makes Shorewall easier to learn.
-- Upward compatibility with 1.2 configuration files has - been maintained so that current users can migrate to the new syntax - at their convenience.
-- WARNING: Compatibility with - the old parameterized sample configurations has NOT been maintained. - Users still running those configurations should migrate to the new - sample configurations before upgrading to 1.3 Beta 1.
- +- Simplified rule syntax which makes the intent of +each rule clearer and hopefully makes Shorewall easier to learn.
+- Upward compatibility with 1.2 configuration files + has been maintained so that current users can migrate to the +new syntax at their convenience.
+- WARNING: Compatibility +with the old parameterized sample configurations has NOT been maintained. + Users still running those configurations should migrate to the + new sample configurations before upgrading to 1.3 Beta 1.
+5/4/2002 - Shorewall 1.2.13 is Available
- +In this version:
- +-
- +- White-listing - is supported.
-- SYN-flood protection - is added.
-- IP addresses added under ADD_IP_ALIASES and ADD_SNAT_ALIASES - now inherit the VLSM and Broadcast Address of the interface's primary - IP address.
-- The order in which port forwarding DNAT and Static -DNAT can now be reversed so -that port forwarding rules can override the contents of White-listing + is supported.
+- SYN-flood protection + is added.
+- IP addresses added under ADD_IP_ALIASES and ADD_SNAT_ALIASES + now inherit the VLSM and Broadcast Address of the interface's primary + IP address.
+- The order in which port forwarding DNAT and Static + DNAT can now be reversed so + that port forwarding rules can override the contents of /etc/shorewall/nat.
- +4/30/2002 - Shorewall Debian News
- -Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the -Debian - Testing Branch and the Debian - Unstable Branch.
- -4/20/2002 - Shorewall 1.2.12 is Available
- --
- -- The 'try' command works again
-- There is now a single RPM that also works with SuSE.
- -4/17/2002 - Shorewall Debian News
- -Lorenzo Marignoni reports that:
- --
- + + - +- Shorewall 1.2.10 is in the Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the Debian -Testing Branch
-- Shorewall 1.2.11 is in the Debian - Unstable Branch
- +Testing Branch and the Debian +Unstable Branch. + +4/20/2002 - Shorewall 1.2.12 is Available
+ ++
- + +- The 'try' command works again
+- There is now a single RPM that also works with SuSE.
+4/17/2002 - Shorewall Debian News
+ +Lorenzo Marignoni reports that:
+ ++
+- Shorewall 1.2.10 is in the Debian Testing +Branch
+- Shorewall 1.2.11 is in the Debian +Unstable Branch
+ +Thanks, Lorenzo!
- +4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE
- -Thanks to Stefan Mohr, there - is now a Shorewall 1.2.11 - SuSE RPM available.
- + +Thanks to Stefan Mohr, there + is now a Shorewall 1.2.11 + SuSE RPM available.
+4/13/2002 - Shorewall 1.2.11 Available
- +In this version:
- +-
- +- The 'try' command now accepts an optional timeout. -If the timeout is given in the command, the standard configuration -will automatically be restarted after the new configuration has been -running for that length of time. This prevents a remote admin from -being locked out of the firewall in the case where the new configuration -starts but prevents access.
-- Kernel route filtering may now be enabled globally -using the new ROUTE_FILTER parameter in The 'try' command now accepts an optional timeout. + If the timeout is given in the command, the standard configuration + will automatically be restarted after the new configuration has +been running for that length of time. This prevents a remote admin +from being locked out of the firewall in the case where the new configuration + starts but prevents access.
+- Kernel route filtering may now be enabled globally + using the new ROUTE_FILTER parameter in /etc/shorewall/shorewall.conf.
-- Individual IP source addresses and/or subnets may now - be excluded from masquerading/SNAT.
-- Simple "Yes/No" and "On/Off" values are now case-insensitive - in /etc/shorewall/shorewall.conf.
- +- Individual IP source addresses and/or subnets may + now be excluded from masquerading/SNAT.
+- Simple "Yes/No" and "On/Off" values are now case-insensitive + in /etc/shorewall/shorewall.conf.
+4/13/2002 - Hamburg Mirror now has FTP
- +Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall. - Thanks Stefan!
- + href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall. + Thanks Stefan! +4/12/2002 - New Mirror in Hamburg
- -Thanks to Stefan Mohr, there - is now a mirror of the Shorewall website at http://germany.shorewall.net. -
- + +Thanks to Stefan Mohr, there + is now a mirror of the Shorewall website at http://germany.shorewall.net.
+4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available
- -Version 1.1 of the QuickStart - Guide is now available. Thanks to those who have read version - 1.0 and offered their suggestions. Corrections have also been made -to the sample scripts.
- + +Version 1.1 of the QuickStart + Guide is now available. Thanks to those who have read version + 1.0 and offered their suggestions. Corrections have also been made + to the sample scripts.
+4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available
- -Version 1.0 of the QuickStart - Guide is now available. This Guide and its accompanying sample - configurations are expected to provide a replacement for the recently - withdrawn parameterized samples.
- + +Version 1.0 of the QuickStart + Guide is now available. This Guide and its accompanying sample + configurations are expected to provide a replacement for the recently + withdrawn parameterized samples.
+4/8/2002 - Parameterized Samples Withdrawn
- +Although the parameterized - samples have allowed people to get a firewall up and running -quickly, they have unfortunately set the wrong level of expectation -among those who have used them. I am therefore withdrawing support -for the samples and I am recommending that they not be used in new + href="http://www.shorewall.net/pub/shorewall/samples-1.2.1/">parameterized + samples have allowed people to get a firewall up and running + quickly, they have unfortunately set the wrong level of expectation + among those who have used them. I am therefore withdrawing support + for the samples and I am recommending that they not be used in new Shorewall installations.
- +4/2/2002 - Updated Log Parser
- -John Lodge has provided an updated - version of his CGI-based log parser - with corrected date handling.
- + +John Lodge has provided an updated + version of his CGI-based log parser + with corrected date handling.
+3/30/2002 - Shorewall Website Search Improvements
- -The quick search on the home page now excludes the mailing list archives. - The Extended Search allows excluding - the archives or restricting the search to just the archives. An archive - search form is also available on the mailing - list information page.
- + +The quick search on the home page now excludes the mailing list archives. + The Extended Search allows excluding + the archives or restricting the search to just the archives. An archive + search form is also available on the mailing + list information page.
+3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)
- +-
- +- The 1.2.10 Debian Package is available at The 1.2.10 Debian Package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-- Shorewall 1.2.9 is now in the Debian - Unstable Distribution.
- +- Shorewall 1.2.9 is now in the Debian +Unstable Distribution.
+3/25/2002 - Log Parser Available
- +John Lodge has provided a CGI-based log parser for Shorewall. Thanks - John.
- + href="pub/shorewall/parsefw/">CGI-based log parser for Shorewall. Thanks + John. +3/20/2002 - Shorewall 1.2.10 Released
- +In this version:
- +-
- +- A "shorewall try" command has been added (syntax: shorewall - try <configuration directory>). This command attempts - "shorewall -c <configuration directory> start" and -if that results in the firewall being stopped due to an error, a "shorewall - start" command is executed. The 'try' command allows you to create - a new configuration and attempt - to start it; if there is an error that leaves your firewall in the - stopped state, it will automatically be restarted using the default - configuration (in /etc/shorewall).
-- A new variable ADD_SNAT_ALIASES has been added to - /etc/shorewall/shorewall.conf. -If this variable is set to "Yes", Shorewall will automatically add -IP addresses listed in the third column of the A "shorewall try" command has been added (syntax: + shorewall try <configuration directory>). This + command attempts "shorewall -c <configuration directory> + start" and if that results in the firewall being stopped due to an + error, a "shorewall start" command is executed. The 'try' command + allows you to create a new configuration + and attempt to start it; if there is an error that leaves your +firewall in the stopped state, it will automatically be restarted using + the default configuration (in /etc/shorewall).
+- A new variable ADD_SNAT_ALIASES has been added to + /etc/shorewall/shorewall.conf. + If this variable is set to "Yes", Shorewall will automatically + add IP addresses listed in the third column of the /etc/shorewall/masq file.
-- Copyright notices have been added to the documenation.
- +- Copyright notices have been added to the documenation.
+3/11/2002 - Shorewall 1.2.9 Released
- +In this version:
- +-
- +- Filtering by MAC address - has been added. MAC addresses may be used as the source address - in: - +
- Filtering by MAC +address has been added. MAC addresses may be used as the source +address in: +
--
-- Filtering rules (Filtering rules (/etc/shorewall/rules)
-- Traffic Control Classification Rules (Traffic Control Classification Rules (/etc/shorewall/tcrules)
-- TOS Rules (/etc/shorewall/tos)
-- Blacklist (/etc/shorewall/blacklist)
+- TOS Rules (/etc/shorewall/tos)
+- Blacklist (/etc/shorewall/blacklist)
- +- Several bugs have been fixed
-- The 1.2.9 Debian Package is also available at +
- Several bugs have been fixed
+- The 1.2.9 Debian Package is also available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +3/1/2002 - 1.2.8 Debian Package is Available
- +See http://security.dsi.unimi.it/~lorenzo/debian.html
- +2/25/2002 - New Two-interface Sample
- -I've enhanced the two interface sample to allow access from the firewall - to servers in the local zone - - http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
- + +I've enhanced the two interface sample to allow access from the firewall + to servers in the local zone - + http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
+2/23/2002 - Shorewall 1.2.8 Released
- -Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects - problems associated with the lock file used to prevent multiple state-changing - operations from occuring simultaneously. My apologies for any inconvenience - my carelessness may have caused.
- + +Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects + problems associated with the lock file used to prevent multiple state-changing + operations from occuring simultaneously. My apologies for any inconvenience + my carelessness may have caused.
+2/22/2002 - Shorewall 1.2.7 Released
- +In this version:
- +-
- +- UPnP probes (UDP destination port 1900) are now silently - dropped in the common chain
-- RFC 1918 checking in the mangle table has been streamlined - to no longer require packet marking. RFC 1918 checking in the filter - table has been changed to require half as many rules as previously.
-- A 'shorewall check' command has been added that does - a cursory validation of the zones, interfaces, hosts, rules and - policy files.
- +- UPnP probes (UDP destination port 1900) are now +silently dropped in the common chain
+- RFC 1918 checking in the mangle table has been streamlined + to no longer require packet marking. RFC 1918 checking in the filter + table has been changed to require half as many rules as previously.
+- A 'shorewall check' command has been added that +does a cursory validation of the zones, interfaces, hosts, rules +and policy files.
+2/18/2002 - 1.2.6 Debian Package is Available
- +See http://security.dsi.unimi.it/~lorenzo/debian.html
- +2/8/2002 - Shorewall 1.2.6 Released
- +In this version:
- +-
- +- $-variables may now be used anywhere in the configuration - files except /etc/shorewall/zones.
-- The interfaces and hosts files now have their contents - validated before any changes are made to the existing Netfilter - configuration. The appearance of a zone name that isn't defined -in /etc/shorewall/zones causes "shorewall start" and "shorewall -restart" to abort without changing the Shorewall state. Unknown options -in either file cause a warning to be issued.
-- A problem occurring when BLACKLIST_LOGLEVEL was not -set has been corrected.
- +- $-variables may now be used anywhere in the configuration + files except /etc/shorewall/zones.
+- The interfaces and hosts files now have their contents + validated before any changes are made to the existing Netfilter + configuration. The appearance of a zone name that isn't defined +in /etc/shorewall/zones causes "shorewall start" and "shorewall restart" + to abort without changing the Shorewall state. Unknown options in +either file cause a warning to be issued.
+- A problem occurring when BLACKLIST_LOGLEVEL was +not set has been corrected.
+2/4/2002 - Shorewall 1.2.5 Debian Package Available
- +see http://security.dsi.unimi.it/~lorenzo/debian.html
- +2/1/2002 - Shorewall 1.2.5 Released
- -Due to installation problems with Shorewall 1.2.4, I have released Shorewall - 1.2.5. Sorry for the rapid-fire development.
- + +Due to installation problems with Shorewall 1.2.4, I have released Shorewall + 1.2.5. Sorry for the rapid-fire development.
+In version 1.2.5:
- +-
- +- The installation problems have been corrected.
-- SNAT is now supported.
-- A "shorewall version" command has been added
-- The default value of the STATEDIR variable in /etc/shorewall/shorewall.conf - has been changed to /var/lib/shorewall in order to conform to -the GNU/Linux File Hierarchy Standard, Version 2.2.
- +- The installation problems have been corrected.
+- SNAT is now +supported.
+- A "shorewall version" command has been added
+- The default value of the STATEDIR variable in + /etc/shorewall/shorewall.conf has been changed to /var/lib/shorewall +in order to conform to the GNU/Linux File Hierarchy Standard, Version +2.2.
+1/28/2002 - Shorewall 1.2.4 Released
- +-
- +- The "fw" zone may now -be given a different name.
-- You may now place end-of-line comments (preceded by -'#') in any of the configuration files
-- There is now protection against against two state changing - operations occuring concurrently. This is implemented using the - 'lockfile' utility if it is available (lockfile is part of procmail); - otherwise, a less robust technique is used. The lockfile is created - in the STATEDIR defined in /etc/shorewall/shorewall.conf and has the - name "lock".
-- "shorewall start" no longer fails if "detect" is - specified in /etc/shorewall/interfaces - for an interface with subnet mask 255.255.255.255.
- +- The "fw" zone may +now be given a different name.
+- You may now place end-of-line comments (preceded +by '#') in any of the configuration files
+- There is now protection against against two state +changing operations occuring concurrently. This is implemented +using the 'lockfile' utility if it is available (lockfile is part +of procmail); otherwise, a less robust technique is used. The lockfile +is created in the STATEDIR defined in /etc/shorewall/shorewall.conf +and has the name "lock".
+- "shorewall start" no longer fails if "detect" is + specified in /etc/shorewall/interfaces + for an interface with subnet mask 255.255.255.255.
+1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html
- +1/20/2002 - Corrected firewall script available
- -Corrects a problem with BLACKLIST_LOGLEVEL. See the - errata for details.
- + +Corrects a problem with BLACKLIST_LOGLEVEL. See the + errata for details.
+1/19/2002 - Shorewall 1.2.3 Released
- +This is a minor feature and bugfix release. The single new feature is:
- +-
- +- Support for TCP MSS Clamp to PMTU -- This support is -usually required when the internet connection is via PPPoE or PPTP -and may be enabled using the CLAMPMSS - option in /etc/shorewall/shorewall.conf.
- +- Support for TCP MSS Clamp to PMTU -- This support +is usually required when the internet connection is via PPPoE or +PPTP and may be enabled using the CLAMPMSS option in /etc/shorewall/shorewall.conf.
+The following problems were corrected:
- +-
- +- The "shorewall status" command no longer hangs.
-- The "shorewall monitor" command now displays the icmpdef - chain
-- The CLIENT PORT(S) column in tcrules is no longer ignored
- +- The "shorewall status" command no longer hangs.
+- The "shorewall monitor" command now displays the +icmpdef chain
+- The CLIENT PORT(S) column in tcrules is no longer +ignored
+1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release
- -Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution - that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo - for details.
- + +Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution + that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo + for details.
+1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2 - Shorewall Debian package is now available. There is a link to Lorenzo's - site from the Shorewall download page.
- + href="mailto:lorenzo.martignoni@milug.org">Lorenzo Martignoni, a 1.2.2 + Shorewall Debian package is now available. There is a link to Lorenzo's + site from the Shorewall download page. +1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores - the "shorewall status" command to health.
- + href="/pub/shorewall/errata/1.2.2/shorewall">This corrected version restores + the "shorewall status" command to health. +1/8/2002 - Shorewall 1.2.2 Released
- +In version 1.2.2
- +-
- +- Support for IP blacklisting has been added - -
--
-- You specify whether you want packets from blacklisted - hosts dropped or rejected using the BLACKLIST_DISPOSITION setting - in /etc/shorewall/shorewall.conf
-- You specify whether you want packets from blacklisted - hosts logged and at what syslog level using the BLACKLIST_LOGLEVEL setting - in /etc/shorewall/shorewall.conf
-- You list the IP addresses/subnets that you wish to -blacklist in /etc/shorewall/blacklist
-- You specify the interfaces you want checked against - the blacklist using the new "blacklist" option in - /etc/shorewall/interfaces.
-- The black list is refreshed from /etc/shorewall/blacklist - by the "shorewall refresh" command.
+- Support for IP blacklisting has been added - -
- Use of TCP RST replies has been expanded - +
--
-- TCP connection requests rejected because of a REJECT - policy are now replied with a TCP RST packet.
-- TCP connection requests rejected because of a protocol=all - rule in /etc/shorewall/rules are now replied with a TCP RST -packet.
+- You specify whether you want packets from blacklisted + hosts dropped or rejected using the BLACKLIST_DISPOSITION setting + in /etc/shorewall/shorewall.conf
+- You specify whether you want packets from blacklisted + hosts logged and at what syslog level using the BLACKLIST_LOGLEVEL setting + in /etc/shorewall/shorewall.conf
+- You list the IP addresses/subnets that you wish +to blacklist in /etc/shorewall/blacklist
+- You specify the interfaces you want checked against + the blacklist using the new "blacklist" option in + /etc/shorewall/interfaces.
+- The black list is refreshed from /etc/shorewall/blacklist + by the "shorewall refresh" command.
- +- A LOGFILE specification - has been added to /etc/shorewall/shorewall.conf. LOGFILE is used - to tell the /sbin/shorewall program where to look for Shorewall messages.
- + +- Use of TCP RST replies has been expanded + + +
++
+- TCP connection requests rejected because of a REJECT + policy are now replied with a TCP RST packet.
+- TCP connection requests rejected because of a protocol=all + rule in /etc/shorewall/rules are now replied with a TCP RST + packet.
+ + +- A LOGFILE +specification has been added to /etc/shorewall/shorewall.conf. +LOGFILE is used to tell the /sbin/shorewall program where to look +for Shorewall messages.
+1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates - to the previously-released samples. There are two new rules added:
- + target="_blank">version 1.2.0) released. These are minor updates + to the previously-released samples. There are two new rules added: +-
- +- Unless you have explicitly enabled Auth connections -(tcp port 113) to your firewall, these connections will be REJECTED -rather than DROPPED. This speeds up connection establishment to -some servers.
-- Orphan DNS replies are now silently dropped.
- +- Unless you have explicitly enabled Auth connections + (tcp port 113) to your firewall, these connections will be REJECTED + rather than DROPPED. This speeds up connection establishment +to some servers.
+- Orphan DNS replies are now silently dropped.
+See the README file for upgrade instructions.
- +1/1/2002 - Shorewall Mailing List Moving
- -The Shorewall mailing list hosted at - Sourceforge is moving to Shorewall.net. If you are a current + +
The Shorewall mailing list hosted at + Sourceforge is moving to Shorewall.net. If you are a current subscriber to the list at Sourceforge, please see these instructions. - If you would like to subscribe to the new list, visit see these instructions. + If you would like to subscribe to the new list, visit http://www.shorewall.net/mailman/listinfo/shorewall-users.
- +12/31/2001 - Shorewall 1.2.1 Released
- +In version 1.2.1:
- +-
- -- Logging -of Mangled/Invalid Packets is added.
-- The tunnel script has been corrected.
-- 'shorewall show tc' now correctly handles tunnels.
- +- Logging + of Mangled/Invalid Packets is added.
+- The tunnel script has been +corrected.
+- 'shorewall show tc' now correctly handles tunnels.
+12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist -releasing 1.2 on 12/21/2001
- + +12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist releasing +1.2 on 12/21/2001
+Version 1.2 contains the following new features:
- +-
- -- Support for Traffic Control/Shaping
-- Support for Filtering - of Mangled/Invalid Packets
-- Support for GRE Tunnels
- +- Support for Traffic +Control/Shaping
+- Support for Filtering + of Mangled/Invalid Packets
+- Support for GRE Tunnels
+For the next month or so, I will continue to provide corrections to version - 1.1.18 as necessary so that current version 1.1.x users will not be - forced into a quick upgrade to 1.2.0 just to have access to bug fixes.
- -For those of you who have installed one of the Beta RPMS, you will need - to use the "--oldpackage" option when upgrading to 1.2.0:
- -+ ++For the next month or so, I will continue to provide corrections to version + 1.1.18 as necessary so that current version 1.1.x users will not + be forced into a quick upgrade to 1.2.0 just to have access to bug +fixes.
+ +For those of you who have installed one of the Beta RPMS, you will need + to use the "--oldpackage" option when upgrading to 1.2.0:
+ +- -rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm
-12/19/2001 - Thanks to Steve - Cowles, there is now a Shorewall mirror in Texas. This web -site is mirrored at http://www.infohiiway.com/shorewall and the ftp site is -at ftp://ftp.infohiiway.com/pub/mirrors/shorewall.
+12/19/2001 - Thanks to Steve + Cowles, there is now a Shorewall mirror in Texas. This web + site is mirrored at http://www.infohiiway.com/shorewall and the ftp site +is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall.
+11/30/2001 - A new set of the parameterized Sample - Configurations has been released. In this version:
- + href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.18">Sample +Configurations has been released. In this version: +-
- +- Ping is now allowed between the zones.
-- In the three-interface configuration, it is now possible - to configure the internet services that are to be available to servers - in the DMZ.
- +- Ping is now allowed between the zones.
+- In the three-interface configuration, it is now possible + to configure the internet services that are to be available to + servers in the DMZ.
+11/20/2001 - The current version of Shorewall is 1.1.18.
- +In this version:
- --
- -- The spelling of ADD_IP_ALIASES has been corrected in -the shorewall.conf file
-- The logic for deleting user-defined chains has been -simplified so that it avoids a bug in the LRP version of the 'cut' -utility.
-- The /var/lib/lrpkg/shorwall.conf file has been corrected - to properly display the NAT entry in that file.
- -11/19/2001 - Thanks to Juraj - Ontkanin, there is now a Shorewall mirror in the Slovak Republic. - The website is now mirrored at http://www.nrg.sk/mirror/shorewall - and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.
-11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. - There are three sample configurations:
--
- + +- One Interface -- for a standalone system.
-- Two Interfaces -- A masquerading firewall.
-- Three Interfaces -- A masquerading firewall with DMZ.
- +- The spelling of ADD_IP_ALIASES has been corrected +in the shorewall.conf file
+- The logic for deleting user-defined chains has been + simplified so that it avoids a bug in the LRP version of the 'cut' + utility.
+- The /var/lib/lrpkg/shorwall.conf file has been corrected + to properly display the NAT entry in that file.
+11/19/2001 - Thanks to Juraj + Ontkanin, there is now a Shorewall mirror in the Slovak + Republic. The website is now mirrored at http://www.nrg.sk/mirror/shorewall + and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.
+ +11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. + There are three sample configurations:
+ ++
+- One Interface -- for a standalone system.
+- Two Interfaces -- A masquerading firewall.
+- Three Interfaces -- A masquerading firewall with +DMZ.
+ +Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 - . See the README file for instructions.
- -11/1/2001 - The current version of Shorewall is 1.1.17. I intend - this to be the last of the 1.1 Shorewall releases.
- + href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17"> ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 + . See the README file for instructions. + + +11/1/2001 - The current version of Shorewall is 1.1.17. I intend + this to be the last of the 1.1 Shorewall releases.
+ +In this version:
- +-
- -- The handling of ADD_IP_ALIASES - has been corrected.
- +- The handling of ADD_IP_ALIASES has + been corrected.
+10/22/2001 - The current version of Shorewall is 1.1.16. In this - version:
- + +10/22/2001 - The current version of Shorewall is 1.1.16. In this + version:
+-
- -- A new "shorewall show connections" command has been -added.
-- In the "shorewall monitor" output, the currently tracked - connections are now shown on a separate page.
-- Prior to this release, Shorewall unconditionally added - the external IP adddress(es) specified in /etc/shorewall/nat. Beginning - with version 1.1.16, a new parameter (ADD_IP_ALIASES) may be set - to "no" (or "No") to inhibit this behavior. This allows IP aliases - created using your distribution's network configuration tools -to be used in static NAT.
- +- A new "shorewall show connections" command has been + added.
+- In the "shorewall monitor" output, the currently +tracked connections are now shown on a separate page.
+- Prior to this release, Shorewall unconditionally +added the external IP adddress(es) specified in /etc/shorewall/nat. +Beginning with version 1.1.16, a new parameter (ADD_IP_ALIASES) may be set + to "no" (or "No") to inhibit this behavior. This allows IP aliases + created using your distribution's network configuration tools + to be used in static NAT.
+10/15/2001 - The current version of Shorewall is 1.1.15. In this - version:
- + +10/15/2001 - The current version of Shorewall is 1.1.15. In this + version:
+-
- -- Support for nested zones has been improved. See Support for nested zones has been improved. See the documentation for details
-- Shorewall now correctly checks the alternate configuration - directory for the 'zones' file.
- +- Shorewall now correctly checks the alternate configuration + directory for the 'zones' file.
+10/4/2001 - The current version of Shorewall is 1.1.14. In this - version
- + +10/4/2001 - The current version of Shorewall is 1.1.14. In this + version
+-
- -- Shorewall now supports alternate configuration directories. - When an alternate directory is specified when starting or restarting - Shorewall (e.g., "shorewall -c /etc/testconf restart"), Shorewall - will first look for configuration files in the alternate directory -then in /etc/shorewall. To create an alternate configuration simply:
-
- 1. Create a New Directory
- 2. Copy to that directory any of your configuration files - that you want to change.
- 3. Modify the copied files as needed.
- 4. Restart Shorewall specifying the new directory.- The rules for allowing/disallowing icmp echo-requests - (pings) are now moved after rules created when processing the -rules file. This allows you to add rules that selectively allow/deny +
- Shorewall now supports alternate configuration directories. + When an alternate directory is specified when starting or restarting + Shorewall (e.g., "shorewall -c /etc/testconf restart"), Shorewall + will first look for configuration files in the alternate directory + then in /etc/shorewall. To create an alternate configuration simply:
+
+ 1. Create a New Directory
+ 2. Copy to that directory any of your configuration +files that you want to change.
+ 3. Modify the copied files as needed.
+ 4. Restart Shorewall specifying the new directory.- The rules for allowing/disallowing icmp echo-requests + (pings) are now moved after rules created when processing the +rules file. This allows you to add rules that selectively allow/deny ping based on source or destination address.
-- Rules that specify multiple client ip addresses or subnets - no longer cause startup failures.
-- Zone names in the policy file are now validated against - the zones file.
-- If you have packet mangling support -enabled, the "norfc1918" - interface option now logs and drops any incoming packets on the interface - that have an RFC 1918 destination address.
- +- Rules that specify multiple client ip addresses or + subnets no longer cause startup failures.
+- Zone names in the policy file are now validated against + the zones file.
+- If you have packet mangling support + enabled, the "norfc1918" + interface option now logs and drops any incoming packets on the interface + that have an RFC 1918 destination address.
+9/12/2001 - The current version of Shorewall is 1.1.13. In this - version
- + +9/12/2001 - The current version of Shorewall is 1.1.13. In this + version
+-
- -- Shell variables can now be used to parameterize Shorewall - rules.
-- The second column in the hosts file may now contain -a comma-separated list.
-
-
- Example:
- sea eth0:130.252.100.0/24,206.191.149.0/24- Handling of multi-zone interfaces has been improved. -See the documentation for -the /etc/shorewall/interfaces file.
- +- Shell variables can now be used to parameterize Shorewall + rules.
+- The second column in the hosts file may now contain + a comma-separated list.
+
+
+ Example:
+ sea eth0:130.252.100.0/24,206.191.149.0/24- Handling of multi-zone interfaces has been improved. + See the documentation + for the /etc/shorewall/interfaces file.
+8/28/2001 - The current version of Shorewall is 1.1.12. In this - version
- + +8/28/2001 - The current version of Shorewall is 1.1.12. In this + version
+-
- -- Several columns in the rules file may now contain comma-separated - lists.
-- Shorewall is now more rigorous in parsing the options - in /etc/shorewall/interfaces.
-- Complementation using "!" is now supported in rules.
- +- Several columns in the rules file may now contain +comma-separated lists.
+- Shorewall is now more rigorous in parsing the options + in /etc/shorewall/interfaces.
+- Complementation using "!" is now supported in rules.
+7/28/2001 - The current version of Shorewall is 1.1.11. In this - version
- + +7/28/2001 - The current version of Shorewall is 1.1.11. In this + version
+-
- -- A "shorewall refresh" command has been added to allow - for refreshing the rules associated with the broadcast address on - a dynamic interface. This command should be used in place of "shorewall - restart" when the internet interface's IP address changes.
-- The /etc/shorewall/start file (if any) is now processed - after all temporary rules have been deleted. This change prevents - the accidental removal of rules added during the processing of -that file.
-- The "dhcp" interface option is now applicable to firewall - interfaces used by a DHCP server running on the firewall.
-- The RPM can now be built from the .tgz file using "rpm - -tb"
- +- A "shorewall refresh" command has been added to allow + for refreshing the rules associated with the broadcast address on + a dynamic interface. This command should be used in place of +"shorewall restart" when the internet interface's IP address changes.
+- The /etc/shorewall/start file (if any) is now processed + after all temporary rules have been deleted. This change prevents + the accidental removal of rules added during the processing of + that file.
+- The "dhcp" interface option is now applicable to +firewall interfaces used by a DHCP server running on the firewall.
+- The RPM can now be built from the .tgz file using +"rpm -tb"
+7/6/2001 - The current version of Shorewall is 1.1.10. In this -version
- + +7/6/2001 - The current version of Shorewall is 1.1.10. In this version
+-
- -- Shorewall now enables Ipv4 Packet Forwarding by default. - Packet forwarding may be disabled by specifying IP_FORWARD=Off in - /etc/shorewall/shorewall.conf. If you don't want Shorewall to enable - or disable packet forwarding, add IP_FORWARDING=Keep to your - /etc/shorewall/shorewall.conf file.
-- The "shorewall hits" command no longer lists extraneous - service names in its last report.
-- Erroneous instructions in the comments at the head of - the firewall script have been corrected.
- +- Shorewall now enables Ipv4 Packet Forwarding by default. + Packet forwarding may be disabled by specifying IP_FORWARD=Off + in /etc/shorewall/shorewall.conf. If you don't want Shorewall +to enable or disable packet forwarding, add IP_FORWARDING=Keep +to your /etc/shorewall/shorewall.conf file.
+- The "shorewall hits" command no longer lists extraneous + service names in its last report.
+- Erroneous instructions in the comments at the head + of the firewall script have been corrected.
+6/23/2001 - The current version of Shorewall is 1.1.9. In this -version
- + +6/23/2001 - The current version of Shorewall is 1.1.9. In this version
+-
- -- The "tunnels" file really is in the RPM now.
-- SNAT can now be applied to port-forwarded connections.
-- A bug which would cause firewall start failures in some - dhcp configurations has been fixed.
-- The firewall script now issues a message if you have -the name of an interface in the second column in an entry in /etc/shorewall/masq - and that interface is not up.
-- You can now configure Shorewall so that it doesn't require the NAT and/or -mangle netfilter modules.
-- Thanks to Alex Polishchuk, the "hits" command from - seawall is now in shorewall.
-- Support for IPIP tunnels has -been added.
- +- The "tunnels" file really is in the RPM now.
+- SNAT can now be applied to port-forwarded connections.
+- A bug which would cause firewall start failures in + some dhcp configurations has been fixed.
+- The firewall script now issues a message if you have + the name of an interface in the second column in an entry in +/etc/shorewall/masq and that interface is not up.
+- You can now configure Shorewall so that it doesn't require the NAT and/or mangle +netfilter modules.
+- Thanks to Alex Polishchuk, the "hits" command + from seawall is now in shorewall.
+- Support for IPIP tunnels has + been added.
+6/18/2001 - The current version of Shorewall is 1.1.8. In this -version
- + +6/18/2001 - The current version of Shorewall is 1.1.8. In this version
+-
- +- A typo in the sample rules file has been corrected.
-- It is now possible to restrict masquerading byA typo in the sample rules file has been corrected.
+- It is now possible to restrict masquerading by destination host or subnet.
-- It is now possible to have static NAT rules applied to packets originating - on the firewall itself.
- +- It is now possible to have static NAT rules applied to packets originating + on the firewall itself.
+6/2/2001 - The current version of Shorewall is 1.1.7. In this version
- +-
- -- The TOS rules are now deleted when the firewall is stopped.
-- The .rpm will now install regardless of which version - of iptables is installed.
-- The .rpm will now install without iproute2 being installed.
-- The documentation has been cleaned up.
-- The sample configuration files included in Shorewall -have been formatted to 80 columns for ease of editing on a VGA -console.
- +- The TOS rules are now deleted when the firewall is + stopped.
+- The .rpm will now install regardless of which version + of iptables is installed.
+- The .rpm will now install without iproute2 being +installed.
+- The documentation has been cleaned up.
+- The sample configuration files included in Shorewall + have been formatted to 80 columns for ease of editing on a +VGA console.
+5/25/2001 - The current version of Shorewall is 1.1.6. In this -version
- + +5/25/2001 - The current version of Shorewall is 1.1.6. In this version
+-
- -- You may now rate-limit - the packet log.
-- Previous - versions of Shorewall have an implementation of Static NAT which - violates the principle of least surprise. NAT only occurs for -packets arriving at (DNAT) or send from (SNAT) the interface named -in the INTERFACE column of /etc/shorewall/nat. Beginning with version -1.1.6, NAT effective regardless of which interface packets come from -or are destined to. To get compatibility with prior versions, I have -added a new "ALL "ALL INTERFACES" column -to /etc/shorewall/nat. By placing "no" or "No" in the new column, - the NAT behavior of prior versions may be retained.
-- The treatment of IPSEC - Tunnels where the remote gateway is a standalone system has been - improved. Previously, it was necessary to include an additional - rule allowing UDP port 500 traffic to pass through the tunnel. Shorewall - will now create this rule automatically when you place the name of - the remote peer's zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels.
- +- You may now rate-limit + the packet log.
+- Previous + versions of Shorewall have an implementation of Static NAT which + violates the principle of least surprise. NAT only occurs for +packets arriving at (DNAT) or send from (SNAT) the interface named +in the INTERFACE column of /etc/shorewall/nat. Beginning with version +1.1.6, NAT effective regardless of which interface packets come from +or are destined to. To get compatibility with prior versions, I have +added a new "ALL "ALL INTERFACES" column +to /etc/shorewall/nat. By placing "no" or "No" in the new column, + the NAT behavior of prior versions may be retained.
+- The treatment of IPSEC + Tunnels where the remote gateway is a standalone system has been + improved. Previously, it was necessary to include an additional + rule allowing UDP port 500 traffic to pass through the tunnel. +Shorewall will now create this rule automatically when you place +the name of the remote peer's zone in a new GATEWAY ZONE column in +/etc/shorewall/tunnels.
+5/20/2001 - The current version of Shorewall is 1.1.5. In this -version
- + +5/20/2001 - The current version of Shorewall is 1.1.5. In this version
+-
- -- You may now pass -parameters when loading netfilter modules and you can specify the -modules to load.
-- Compressed modules are now loaded. This requires that - you modutils support loading compressed modules.
-- You may now set the -Type of Service (TOS) field in packets.
-- Corrected rules generated for port redirection (again).
- +- You may now pass + parameters when loading netfilter modules and you can specify +the modules to load.
+- Compressed modules are now loaded. This requires +that you modutils support loading compressed modules.
+- You may now set the + Type of Service (TOS) field in packets.
+- Corrected rules generated for port redirection (again).
+5/10/2001 - The current version of Shorewall is 1.1.4. In this -version
- + +5/10/2001 - The current version of Shorewall is 1.1.4. In this version
+-
- -- Accepting RELATED -connections is now optional.
-- Corrected problem where if "shorewall start" aborted -early (due to kernel configuration errors for example), superfluous -'sed' error messages were reported.
-- Corrected rules generated for port redirection.
-- The order in which iptables kernel modules are loaded - has been corrected (Thanks to Mark Pavlidis).
- +- Accepting RELATED + connections is now optional.
+- Corrected problem where if "shorewall start" aborted + early (due to kernel configuration errors for example), superfluous + 'sed' error messages were reported.
+- Corrected rules generated for port redirection.
+- The order in which iptables kernel modules are loaded + has been corrected (Thanks to Mark Pavlidis).
+4/28/2001 - The current version of Shorewall is 1.1.3. In this -version
- + +4/28/2001 - The current version of Shorewall is 1.1.3. In this version
+-
- -- Correct message issued when Proxy ARP address added -(Thanks to Jason Kirtland).
-- /tmp/shorewallpolicy-$$ is now removed if there is an - error while starting the firewall.
-- /etc/shorewall/icmp.def and /etc/shorewall/common.def - are now used to define the icmpdef and common chains unless overridden - by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
-- In the .lrp, the file /var/lib/lrpkg/shorwall.conf has - been corrected. An extra space after "/etc/shorwall/policy" has been - removed and "/etc/shorwall/rules" has been added.
-- When a sub-shell encounters a fatal error and has stopped - the firewall, it now kills the main shell so that the main shell -will not continue.
-- A problem has been corrected where a sub-shell stopped - the firewall and main shell continued resulting in a perplexing error - message referring to "common.so" resulted.
-- Previously, placing "-" in the PORT(S) column in /etc/shorewall/rules - resulted in an error message during start. This has been corrected.
-- The first line of "install.sh" has been corrected -- -I had inadvertently deleted the initial "#".
- +- Correct message issued when Proxy ARP address added + (Thanks to Jason Kirtland).
+- /tmp/shorewallpolicy-$$ is now removed if there is + an error while starting the firewall.
+- /etc/shorewall/icmp.def and /etc/shorewall/common.def + are now used to define the icmpdef and common chains unless overridden + by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
+- In the .lrp, the file /var/lib/lrpkg/shorwall.conf + has been corrected. An extra space after "/etc/shorwall/policy" +has been removed and "/etc/shorwall/rules" has been added.
+- When a sub-shell encounters a fatal error and has +stopped the firewall, it now kills the main shell so that the main +shell will not continue.
+- A problem has been corrected where a sub-shell stopped + the firewall and main shell continued resulting in a perplexing +error message referring to "common.so" resulted.
+- Previously, placing "-" in the PORT(S) column in + /etc/shorewall/rules resulted in an error message during start. +This has been corrected.
+- The first line of "install.sh" has been corrected +-- I had inadvertently deleted the initial "#".
+4/12/2001 - The current version of Shorewall is 1.1.2. In this -version
- + +4/12/2001 - The current version of Shorewall is 1.1.2. In this version
+-
- +- Port redirection now works again.
-- The icmpdef and common chains Port redirection now works again.
+- The icmpdef and common chains may now be user-defined.
-- The firewall no longer fails to start if "routefilter" - is specified for an interface that isn't started. A warning message - is now issued in this case.
-- The LRP Version is renamed "shorwall" for 8,3 MSDOS -file system compatibility.
-- A couple of LRP-specific problems were corrected.
- +- The firewall no longer fails to start if "routefilter" + is specified for an interface that isn't started. A warning message + is now issued in this case.
+- The LRP Version is renamed "shorwall" for 8,3 MSDOS + file system compatibility.
+- A couple of LRP-specific problems were corrected.
+4/8/2001 - Shorewall is now affiliated with the Leaf Project -
- + +4/5/2001 - The current version of Shorewall is 1.1.1. In this version:
- +-
- +- The common chain is traversed from INPUT, OUTPUT and -FORWARD before logging occurs
-- The source has been cleaned up dramatically
-- DHCP DISCOVER packets with RFC1918 source addresses -no longer generate log messages. Linux DHCP clients generate such -packets and it's annoying to see them logged.
- +- The common chain is traversed from INPUT, OUTPUT +and FORWARD before logging occurs
+- The source has been cleaned up dramatically
+- DHCP DISCOVER packets with RFC1918 source addresses + no longer generate log messages. Linux DHCP clients generate such + packets and it's annoying to see them logged.
+3/25/2001 - The current version of Shorewall is 1.1.0. In this version:
- +-
- +- Log messages now indicate the packet disposition.
-- Error messages have been improved.
-- The ability to define zones consisting of an enumerated - set of hosts and/or subnetworks has been added.
-- The zone-to-zone chain matrix is now sparse so that -only those chains that contain meaningful rules are defined.
-- 240.0.0.0/4 and 169.254.0.0/16 have been added to the - source subnetworks whose packets are dropped under the norfc1918 - interface option.
-- Exits are now provided for executing an user-defined -script when a chain is defined, when the firewall is initialized, -when the firewall is started, when the firewall is stopped and -when the firewall is cleared.
-- The Linux kernel's route filtering facility can now -be specified selectively on network interfaces.
- +- Log messages now indicate the packet disposition.
+- Error messages have been improved.
+- The ability to define zones consisting of an enumerated + set of hosts and/or subnetworks has been added.
+- The zone-to-zone chain matrix is now sparse so that + only those chains that contain meaningful rules are defined.
+- 240.0.0.0/4 and 169.254.0.0/16 have been added to +the source subnetworks whose packets are dropped under the norfc1918 + interface option.
+- Exits are now provided for executing an user-defined + script when a chain is defined, when the firewall is initialized, + when the firewall is started, when the firewall is stopped and + when the firewall is cleared.
+- The Linux kernel's route filtering facility can now + be specified selectively on network interfaces.
+3/19/2001 - The current version of Shorewall is 1.0.4. This version:
- +-
- -- Allows user-defined zones. Shorewall now has only one - pre-defined zone (fw) with the remaining zones being defined -in the new configuration file /etc/shorewall/zones. The /etc/shorewall/zones - file released in this version provides behavior that is compatible - with Shorewall 1.0.3.
-- Adds the ability to specify logging in entries in the - /etc/shorewall/rules file.
-- Correct handling of the icmp-def chain so that only -ICMP packets are sent through the chain.
-- Compresses the output of "shorewall monitor" if awk -is installed. Allows the command to work if awk isn't installed +
- Allows user-defined zones. Shorewall now has only +one pre-defined zone (fw) with the remaining zones being defined +in the new configuration file /etc/shorewall/zones. The /etc/shorewall/zones + file released in this version provides behavior that is compatible + with Shorewall 1.0.3.
+- Adds the ability to specify logging in entries in +the /etc/shorewall/rules file.
+- Correct handling of the icmp-def chain so that only + ICMP packets are sent through the chain.
+- Compresses the output of "shorewall monitor" if awk + is installed. Allows the command to work if awk isn't installed (although it's not pretty).
- +3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix - release with no new features.
- + +3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix + release with no new features.
+-
- -- The PATH variable in the firewall script now includes - /usr/local/bin and /usr/local/sbin.
-- DMZ-related chains are now correctly deleted if the -DMZ is deleted.
-- The interface OPTIONS for "gw" interfaces are no longer - ignored.
- +- The PATH variable in the firewall script now includes + /usr/local/bin and /usr/local/sbin.
+- DMZ-related chains are now correctly deleted if the + DMZ is deleted.
+- The interface OPTIONS for "gw" interfaces are no +longer ignored.
+3/8/2001 - The current version of Shorewall is 1.0.2. It supports an - additional "gw" (gateway) zone for tunnels and it supports IPSEC - tunnels with end-points on the firewall. There is also a .lrp available - now.
- -Updated 11/09/2002 - Tom Eastep -
- --Copyright © 2001, 2002 Thomas M. Eastep.
+ +3/8/2001 - The current version of Shorewall is 1.0.2. It supports an + additional "gw" (gateway) zone for tunnels and it supports IPSEC + tunnels with end-points on the firewall. There is also a .lrp available + now.
+ +Updated 11/24/2002 - Tom Eastep +
+ +Copyright +© 2001, 2002 Thomas M. Eastep.
+
+
+
diff --git a/Shorewall-docs/Shorewall_CVS_Access.html b/Shorewall-docs/Shorewall_CVS_Access.html index 12b4e86f9..7e1182e98 100644 --- a/Shorewall-docs/Shorewall_CVS_Access.html +++ b/Shorewall-docs/Shorewall_CVS_Access.html @@ -2,51 +2,51 @@Shorewall CVS Access - + - + - +- -
-- + +- +Shorewall CVS Access + +
+ - - ++ -Shorewall CVS Access
-
-
+
- Lots of people try to download the entire Shorewall website for off-line - browsing, including the CVS portion. In addition to being an enormous volume - of data (HTML versions of all versions of all Shorewall files), all of the - pages in Shorewall CVS access are cgi-generated which places a tremendous - load on my little server. I have therefore resorted to making CVS access -password controlled. When you are asked to log in, enter "Shorewall" (NOTE +
+ Lots of people try to download the entire Shorewall website for off-line + browsing, including the CVS portion. In addition to being an enormous volume + of data (HTML versions of all versions of all Shorewall files), all of the + pages in Shorewall CVS access are cgi-generated which places a tremendous + load on my little server. I have therefore resorted to making CVS access +password controlled. When you are asked to log in, enter "Shorewall" (NOTE THE CAPITALIZATION!!!!!) for both the user name and the password.
-
- - + +Updated 9/23/2002 + - Tom Eastep +
+ +Copyright + © 2001, 2002 Thomas M. Eastep.
+
diff --git a/Shorewall-docs/Shorewall_index_frame.htm b/Shorewall-docs/Shorewall_index_frame.htm index 7839b5172..9de177b80 100644 --- a/Shorewall-docs/Shorewall_index_frame.htm +++ b/Shorewall-docs/Shorewall_index_frame.htm @@ -1,127 +1,143 @@ - + + - + + - + + - + +Shorewall Index -+ + + - + - -
- +- ++ + -- + -Shorewall
-- ++ ++ - - + + + + +- + --
- + +- Home
-- Features
-- Requirements
-- Download
-
-- Installation/Upgrade/
-
- Configuration
-- QuickStart Guides - (HOWTOs)
-
-- Documentation
-- Reference Manual
-- FAQs
-- Useful Links
-
-- Troubleshooting
-- Errata
-- Upgrade Issues
-- Support
-- Mailing Lists
-- Mirrors +
- Home
+- Features
+- Requirements
+- Download
+
+- Installation/Upgrade/
+
+ Configuration
+- QuickStart + Guides (HOWTOs)
+
+- Documentation Index
+- Reference Manual
+- FAQs
+- Useful Links
+
+- Troubleshooting
+- Errata
+- Upgrade Issues
+- Support
+- Mailing Lists
+- Mirrors + + + +
+ - + ++
- Slovak Republic
+- Texas, USA
+- Germany
+- Argentina
+- France
+- Washington + State, USA
+ -
+-
-- Slovak Republic
-- Texas, USA
-- Germany
-- Argentina
-- France
-- SourceForge
- - -
--
-- News Archive
-- CVS Repository
-- Quotes from Users
-- About the Author
-- Donations
+- News Archive
+- CVS Repository
+- Quotes from Users
+- About the Author
+- Donations
- + +Copyright © 2001, 2002 Thomas M. Eastep.
- +-
+
-
+
+ +
- +
diff --git a/Shorewall-docs/configuration_file_basics.htm b/Shorewall-docs/configuration_file_basics.htm index c8657434e..87ca850e3 100644 --- a/Shorewall-docs/configuration_file_basics.htm +++ b/Shorewall-docs/configuration_file_basics.htm @@ -1,316 +1,318 @@ - + - + - + - +Configuration File Basics - +- -
- -- ++ + - - + + + +- Configuration Files
-Warning: If you copy or edit your - configuration files on a system running Microsoft Windows, you must + +
Warning: If you copy or edit your + configuration files on a system running Microsoft Windows, you must run them through dos2unix + href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix before you use them with Shorewall.
- +Files
- +Shorewall's configuration files are in the directory /etc/shorewall.
- +-
- +- /etc/shorewall/shorewall.conf - used to set several firewall - parameters.
-- /etc/shorewall/params - use this file to set shell variables +
- /etc/shorewall/shorewall.conf - used to set several firewall + parameters.
+- /etc/shorewall/params - use this file to set shell variables that you will expand in other files.
-- /etc/shorewall/zones - partition the firewall's view of +
- /etc/shorewall/zones - partition the firewall's view of the world into zones.
-- /etc/shorewall/policy - establishes firewall high-level +
- /etc/shorewall/policy - establishes firewall high-level policy.
-- /etc/shorewall/interfaces - describes the interfaces on +
- /etc/shorewall/interfaces - describes the interfaces on the firewall system.
-- /etc/shorewall/hosts - allows defining zones in terms of -individual hosts and subnetworks.
-- /etc/shorewall/masq - directs the firewall where to use -many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading) +
- /etc/shorewall/hosts - allows defining zones in terms of + individual hosts and subnetworks.
+- /etc/shorewall/masq - directs the firewall where to use +many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading) and Source Network Address Translation (SNAT).
-- /etc/shorewall/modules - directs the firewall to load kernel +
- /etc/shorewall/modules - directs the firewall to load kernel modules.
-- /etc/shorewall/rules - defines rules that are exceptions -to the overall policies established in /etc/shorewall/policy.
-- /etc/shorewall/nat - defines static NAT rules.
-- /etc/shorewall/proxyarp - defines use of Proxy ARP.
-- /etc/shorewall/routestopped (Shorewall 1.3.4 and later) +
- /etc/shorewall/rules - defines rules that are exceptions + to the overall policies established in /etc/shorewall/policy.
+- /etc/shorewall/nat - defines static NAT rules.
+- /etc/shorewall/proxyarp - defines use of Proxy ARP.
+- /etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts accessible when Shorewall is stopped.
-- /etc/shorewall/tcrules - defines marking of packets for +
- /etc/shorewall/tcrules - defines marking of packets for later use by traffic control/shaping or policy routing.
-- /etc/shorewall/tos - defines rules for setting the TOS field - in packet headers.
-- /etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels +
- /etc/shorewall/tos - defines rules for setting the TOS +field in packet headers.
+- /etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on the firewall system.
-- /etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC - addresses.
- +- /etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC + addresses.
+Comments
- -You may place comments in configuration files by making the first non-whitespace - character a pound sign ("#"). You may also place comments at the end - of any line, again by delimiting the comment from the rest of the -line with a pound sign.
- + +You may place comments in configuration files by making the first non-whitespace + character a pound sign ("#"). You may also place comments at the +end of any line, again by delimiting the comment from the rest of +the line with a pound sign.
+Examples:
- +# This is a comment- +ACCEPT net fw tcp www #This is an end-of-line comment- +Line Continuation
- -You may continue lines in the configuration files using the usual backslash + +
You may continue lines in the configuration files using the usual backslash ("\") followed immediately by a new line character.
- +Example:
- +ACCEPT net fw tcp \- +
smtp,www,pop3,imap #Services running on the firewallUsing DNS Names
- -- -
WARNING: I personally recommend strongly against - using DNS names in Shorewall configuration files. If you use DNS names and - you are called out of bed at 2:00AM because Shorewall won't start as a -result of DNS problems then don't say that you were not forewarned.
- -
--Tom
- -
-Beginning with Shorwall 1.3.9, Host addresses in Shorewall - configuration files may be specified either as IP addresses or as DNS Names.
- -
-
- DNS names in iptables rules aren't nearly as useful as they first appear. - When a DNS name appears in a rule, the iptables utility resolves the name - to one or more IP addresses and inserts those addresses into the rule. -So change in the DNS->IP address relationship that occur after the firewall - has started have absolutely no effect on the firewall's ruleset.If your firewall rules include DNS names then:
++ +
WARNING: I personally recommend strongly against + using DNS names in Shorewall configuration files. If you use DNS names +and you are called out of bed at 2:00AM because Shorewall won't start as +a result of DNS problems then don't say that you were not forewarned.
+ +
+-Tom
+ +
+Beginning with Shorwall 1.3.9, Host addresses in Shorewall + configuration files may be specified either as IP addresses or as DNS Names.
+ +
+
+ DNS names in iptables rules aren't nearly as useful as they first appear. + When a DNS name appears in a rule, the iptables utility resolves the name + to one or more IP addresses and inserts those addresses into the rule. +So change in the DNS->IP address relationship that occur after the firewall + has started have absolutely no effect on the firewall's ruleset.If your firewall rules include DNS names then:
+-
+ +- If your /etc/resolv.conf is wrong then your firewall won't -start.
-- If your /etc/nsswitch.conf is wrong then your firewall won't - start.
-- If your Name Server(s) is(are) down then your firewall won't - start.
-- If your startup scripts try to start your firewall before starting +
- If your /etc/resolv.conf is wrong then your firewall won't + start.
+- If your /etc/nsswitch.conf is wrong then your firewall won't + start.
+- If your Name Server(s) is(are) down then your firewall won't + start.
+- If your startup scripts try to start your firewall before starting your DNS server then your firewall won't start.
-
-- Factors totally outside your control (your ISP's router is -down for example), can prevent your firewall from starting.
-- You must bring up your network interfaces prior to starting your -firewall.
- -
-Factors totally outside your control (your ISP's router is + down for example), can prevent your firewall from starting. +You must bring up your network interfaces prior to starting your + firewall. -
+Each DNS name much be fully qualified and include a minumum - of two periods (although one may be trailing). This restriction is imposed - by Shorewall to insure backward compatibility with existing configuration + + +
Each DNS name much be fully qualified and include a minumum + of two periods (although one may be trailing). This restriction is imposed + by Shorewall to insure backward compatibility with existing configuration files.
- -
-
- Examples of valid DNS names:
--
- Examples of invalid DNS names:- mail.shorewall.net
-- shorewall.net.
- -
+
+ Examples of valid DNS names:
+-
- DNS names may not be used as:- mail (not fully qualified)
-- shorewall.net (only one period)
- -
+mail.shorewall.net +shorewall.net. --
- These are iptables restrictions and are not simply imposed for your + Examples of invalid DNS names:- The server address in a DNAT rule (/etc/shorewall/rules file)
-- In the ADDRESS column of an entry in /etc/shorewall/masq.
-- In the /etc/shorewall/nat file.
-
+ ++
+ DNS names may not be used as:- mail (not fully qualified)
+- shorewall.net (only one period)
+ +
+ ++
+ These are iptables restrictions and are not simply imposed for your inconvenience by Shorewall.- The server address in a DNAT rule (/etc/shorewall/rules file)
+- In the ADDRESS column of an entry in /etc/shorewall/masq.
+- In the /etc/shorewall/nat file.
+ +
-
- -Complementing an Address or Subnet
- -Where specifying an IP address, a subnet or an interface, you can - precede the item with "!" to specify the complement of the item. For - example, !192.168.1.4 means "any host but 192.168.1.4". There must -be no white space following the "!".
- -Comma-separated Lists
- -Comma-separated lists are allowed in a number of contexts within the - configuration files. A comma separated list:
- --
- Must not have any embedded white space.
-
- Valid: routestopped,dhcp,norfc1918
- Invalid: routestopped, dhcp, norfc1818- If you use line continuation to break a comma-separated -list, the continuation line(s) must begin in column 1 (or there -would be embedded white space)
-- Entries in a comma-separated list may appear in any order.
+
+Complementing an Address or Subnet
+ +Where specifying an IP address, a subnet or an interface, you can + precede the item with "!" to specify the complement of the item. For + example, !192.168.1.4 means "any host but 192.168.1.4". There must be +no white space following the "!".
+ +Comma-separated Lists
+ +Comma-separated lists are allowed in a number of contexts within the + configuration files. A comma separated list:
+ ++
- +- Must not have any embedded white space.
+
+ Valid: routestopped,dhcp,norfc1918
+ Invalid: routestopped, dhcp, norfc1818- If you use line continuation to break a comma-separated +list, the continuation line(s) must begin in column 1 (or there +would be embedded white space)
+- Entries in a comma-separated list may appear in any order.
+Port Numbers/Service Names
- -Unless otherwise specified, when giving a port number you can use - either an integer or a service name from /etc/services.
- + +Unless otherwise specified, when giving a port number you can use + either an integer or a service name from /etc/services.
+Port Ranges
- -If you need to specify a range of ports, the proper syntax is <low - port number>:<high port number>. For example, - if you want to forward the range of tcp ports 4000 through 4100 to local -host 192.168.1.3, the entry in /etc/shorewall/rules is:
- + +
-If you need to specify a range of ports, the proper syntax is <low + port number>:<high port number>. For example, + if you want to forward the range of tcp ports 4000 through 4100 to local + host 192.168.1.3, the entry in /etc/shorewall/rules is:
+
+DNAT net loc:192.168.1.3 tcp 4000:4100- +Using Shell Variables
- -You may use the /etc/shorewall/params file to set shell variables - that you can then use in some of the other configuration files.
- + +You may use the /etc/shorewall/params file to set shell variables + that you can then use in some of the other configuration files.
+It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally + size="1"> to distinguish them from variables used internally within the Shorewall programs
- +Example:
- -+ ++- +NET_IF=eth0-
NET_BCAST=130.252.100.255
NET_OPTIONS=noping,norfc1918- -
- Example (/etc/shorewall/interfaces record):+ Example (/etc/shorewall/interfaces record): + ++ +- - +net $NET_IF $NET_BCAST $NET_OPTIONS-The result will be the same as if the record had been written
- -+ ++ + +- - -net eth0 130.252.100.255 noping,norfc1918-Variables may be used anywhere in the other configuration +
Variables may be used anywhere in the other configuration files.
- +Using MAC Addresses
- -Media Access Control (MAC) addresses can be used to specify packet - source in several of the configuration files. To use this feature, - your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) + +
Media Access Control (MAC) addresses can be used to specify packet + source in several of the configuration files. To use this feature, + your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) included.
- -MAC addresses are 48 bits wide and each Ethernet Controller has a - unique MAC address.
-
- In GNU/Linux, MAC addresses are usually written as a series of -6 hex numbers separated by colons. Example:
-
- [root@gateway root]# ifconfig eth0
- eth0 Link encap:Ethernet HWaddr 02:00:08:E3:FA:55
- inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
- UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
- RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0
- TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0
- collisions:30394 txqueuelen:100
- RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 + +MAC addresses are 48 bits wide and each Ethernet Controller has a + unique MAC address.
-
+
+ In GNU/Linux, MAC addresses are usually written as a series of + 6 hex numbers separated by colons. Example:
+
+ [root@gateway root]# ifconfig eth0
+ eth0 Link encap:Ethernet HWaddr 02:00:08:E3:FA:55
+ inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:30394 txqueuelen:100
+ RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)
- Interrupt:11 Base address:0x1800
-
- Because Shorewall uses colons as a separator for address fields, - Shorewall requires MAC addresses to be written in another way. In -Shorewall, MAC addresses begin with a tilde ("~") and consist of 6 -hex numbers separated by hyphens. In Shorewall, the MAC address in -the example above would be written "~02-00-08-E3-FA-55".
-Note: It is not necessary to use the special Shorewall notation + Interrupt:11 Base address:0x1800
+ +
+
+ Because Shorewall uses colons as a separator for address fields, + Shorewall requires MAC addresses to be written in another way. In + Shorewall, MAC addresses begin with a tilde ("~") and consist of +6 hex numbers separated by hyphens. In Shorewall, the MAC address +in the example above would be written "~02-00-08-E3-FA-55".
+Note: It is not necessary to use the special Shorewall notation in the /etc/shorewall/maclist file.
- -
-Shorewall Configurations
- -Shorewall allows you to have configuration directories other than /etc/shorewall. - The shorewall start and restart - commands allow you to specify an alternate configuration directory and - Shorewall will use the files in the alternate directory rather than the - corresponding files in /etc/shorewall. The alternate directory need not -contain a complete configuration; those files not in the alternate directory +
+ +Shorewall Configurations
+ +Shorewall allows you to have configuration directories other than /etc/shorewall. + The shorewall start and restart + commands allow you to specify an alternate configuration directory +and Shorewall will use the files in the alternate directory rather than +the corresponding files in /etc/shorewall. The alternate directory need +not contain a complete configuration; those files not in the alternate directory will be read from /etc/shorewall.
- -This facility permits you to easily create a test or temporary configuration + +
This facility permits you to easily create a test or temporary configuration by:
- +-
- -- copying the files that need modification from /etc/shorewall +
- copying the files that need modification from /etc/shorewall to a separate directory;
-- modify those files in the separate directory; and
-- specifying the separate directory in a shorewall start -or shorewall restart command (e.g., shorewall -c /etc/testconfig +
- modify those files in the separate directory; and
+- specifying the separate directory in a shorewall start + or shorewall restart command (e.g., shorewall -c /etc/testconfig restart ).
- +Updated 10/24/2002 - Tom Eastep -
+ +Updated 11/21/2002 - Tom Eastep +
- -Copyright + +
+Copyright © 2001, 2002 Thomas M. Eastep.
-
+
+
diff --git a/Shorewall-docs/download.htm b/Shorewall-docs/download.htm index 79bd135ce..479917401 100644 --- a/Shorewall-docs/download.htm +++ b/Shorewall-docs/download.htm @@ -1,320 +1,391 @@ - + - + - + - +Download - +- -
- +- ++ + - - + + + ++ -Shorewall Download
-I strongly urge you to read and print a copy of the Shorewall QuickStart Guide - for the configuration that most closely matches your own.
- + href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide + for the configuration that most closely matches your own.Once you've done that, download one of the modules:
- +-
- -- If you run a RedHat, SuSE, Mandrake, - Linux PPC or TurboLinux distribution with a 2.4 -kernel, you can use the RPM version (note: the RPM should also -work with other distributions that store init scripts in /etc/init.d - and that include chkconfig or insserv). If you find that it -works in other cases, let me - know so that I can mention them here. See the Installation Instructions if you have problems - installing the RPM.
-- If you are running LRP, download the .lrp file (you might also - want to download the .tgz so you will have a copy of the documentation).
-- If you run Debian -and would like a .deb package, Shorewall is in both the Debian Testing -Branch and the Debian -Unstable Branch.
-- Otherwise, download the shorewall module (.tgz)
- -The documentation in HTML format is included in the .tgz and .rpm files - and there is an documentation .deb that also contains the documentation.
+If you run a RedHat, SuSE, Mandrake, + Linux PPC or TurboLinux distribution with a +2.4 kernel, you can use the RPM version (note: the RPM should + also work with other distributions that store init scripts +in /etc/init.d and that include chkconfig or insserv). If you +find that it works in other cases, let me know so that + I can mention them here. See the Installation Instructions + if you have problems installing the RPM. +If you are running LRP, download the .lrp file (you might +also want to download the .tgz so you will have a copy of the documentation). +If you run Debian + and would like a .deb package, Shorewall is in both the Debian +Testing Branch and the Debian + Unstable Branch. +Otherwise, download the shorewall module + (.tgz) -Please verify the version that you have downloaded -- during the - release of a new version of Shorewall, the links below may point - to a newer or an older version than is shown below.
- --
-- RPM - "rpm -qip LATEST.rpm"
-- TARBALL - "tar -ztf LATEST.tgz" (the directory name will contain - the version)
-- LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf <downloaded - .lrp>; cat var/lib/lrpkg/shorwall.version"
-Once you have verified the version, check the - errata to see if there are updates that apply to the version - that you have downloaded.
- -WARNING - YOU CAN NOT SIMPLY - INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION - IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration - of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
- -Download Latest Version (1.3.10): Remember that updates to the - mirrors occur 1-12 hours after an update to the primary site.
- -++ +The documentation in HTML format is included in the .tgz and .rpm files + and there is an documentation .deb that also contains the documentation.
+ +Please verify the version that you have downloaded -- during the + release of a new version of Shorewall, the links below may point + to a newer or an older version than is shown below.
+ ++
+ +- RPM - "rpm -qip LATEST.rpm"
+- TARBALL - "tar -ztf LATEST.tgz" (the directory name will + contain the version)
+- LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf +<downloaded .lrp>; cat var/lib/lrpkg/shorwall.version"
+ +Once you have verified the version, check the + errata to see if there are updates that apply to the version + that you have downloaded.
+ +WARNING - YOU CAN NOT SIMPLY + INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION + IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed +configuration of your firewall, you can enable startup by removing the +file /etc/shorewall/startup_disabled.
+ +Download Latest Version (1.3.10): Remember that updates +to the mirrors occur 1-12 hours after an update to the primary site.
+ +- -Browse Download Sites:
- -++ +Documentation in PDF format:
+ +
+++ +Juraj Ontkanin has produced a Portable Document Format (PDF) file containing +the Shorewall 1.3.10 documenation (the documentation in HTML format is included +in the .rpm and in the .tgz). The .pdf may be downloaded from
+++ +ftp://slovakia.shorewall.net/mirror/shorewall/pdf/+
+ http://slovakia.shorewall.net/pub/shorewall/pdf/
+Browse Download Sites:
+ +- -CVS:
- -++ +CVS:
+ +- -The CVS repository at - cvs.shorewall.net contains the latest snapshots of the each Shorewall - component. There's no guarantee that what you find there will work at all.
-Last Updated 11/9/2002 - CVS repository at + cvs.shorewall.net contains the latest snapshots of the each Shorewall + component. There's no guarantee that what you find there will work at + all.
+
+Last Updated 11/11/2002 - Tom Eastep
- -Copyright - © 2001, 2002 Thomas M. Eastep.
+ +Copyright + © 2001, 2002 Thomas M. Eastep.
+
+
+
diff --git a/Shorewall-docs/errata.htm b/Shorewall-docs/errata.htm index 5331d3557..bfba7872f 100644 --- a/Shorewall-docs/errata.htm +++ b/Shorewall-docs/errata.htm @@ -1,152 +1,175 @@ - +Shorewall 1.3 Errata - + - - + + - +- -
- +- +- + + - - + + + ++ -Shorewall Errata/Upgrade Issues
-IMPORTANT
- +-
- -- +
- -
If you use a Windows system to download - a corrected script, be sure to run the script through + dos2unix after you have moved - it to your Linux system.
-- + it to your Linux system. +
+- -
If you are installing Shorewall for the first time and plan to use the .tgz and install.sh script, you can untar the archive, replace the 'firewall' script in the untarred directory - with the one you downloaded below, and then run install.sh.
-- + with the one you downloaded below, and then run install.sh. +
+- -
When the instructions say to install a corrected - firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall - or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite - the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall - or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall - and /var/lib/shorewall/firewall are symbolic links that point - to the 'shorewall' file used by your system initialization scripts + firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall + or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite + the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall + or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall + and /var/lib/shorewall/firewall are symbolic links that point + to the 'shorewall' file used by your system initialization scripts to start Shorewall during boot. It is that file that must be overwritten - with the corrected script.
-- -
-DO NOT INSTALL CORRECTED COMPONENTS -ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example, -do NOT install the 1.3.9a firewall script if you are running 1.3.7c.
-
--
- -- Upgrade Issues
-- Problems in -Version 1.3
-- Problems - in Version 1.2
-- Problems in Version 1.1
-- Problem with iptables version 1.2.3 on RH7.2
-- Problems with - kernels >= 2.4.18 and RedHat iptables
-- Problems installing/upgrading RPM on SuSE
-- Problems with iptables version 1.2.7 - and MULTIPORT=Yes
-- Problems with RH Kernel 2.4.18-10 and NAT
- -
+ with the corrected script.
-Problems in Version 1.3
- -Version 1.3.9a
++ + + +DO NOT INSTALL CORRECTED COMPONENTS + ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For +example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.
+
+-
+ +- If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then -the following message appears during "shorewall [re]start":
+- Upgrade Issues
+- Problems in + Version 1.3
+- Problems + in Version 1.2
+- Problems in Version 1.1
+- Problem with iptables version 1.2.3 on RH7.2
+- Problems +with kernels >= 2.4.18 and RedHat iptables
+- Problems installing/upgrading RPM on SuSE
+- Problems with iptables version 1.2.7 + and MULTIPORT=Yes
+- Problems with RH Kernel 2.4.18-10 and NAT
+ +
+
+Problems in Version 1.3
+ +Version 1.3.10
+ ++
+- If you experience problems connecting to a PPTP server running on +your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, + this +version of the firewall script may help. Please report any cases where +installing this script in /usr/lib/shorewall/firewall solved your connection +problems. Beginning with version 1.3.10, it is safe to save the old version +of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall +is the real script now and not just a symbolic link to the real script.
+
+Version 1.3.9a
+ ++
+- If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then + the following message appears during "shorewall [re]start":
+ +recalculate_interfacess: command not found+The updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall -corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described -above.+ corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described + above.
-
+
Alternatively, edit /usr/lob/shorewall/firewall and change the -single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' -to 'recalculate_interface'.+ single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' + to 'recalculate_interface'.
-
DNAT rules where the source zone is 'fw' ($FW) result in an error message. Installing this corrected firewall script in /var/lib/shorewall/firewall - as described above corrects this problem.
- + as described above corrects this problem. +"shorewall refresh" is not creating the proper rule for FORWARDPING=Yes. Consequently, after "shorewall refresh", the firewall will not forward @@ -154,344 +177,350 @@ at this corrected firewall script in /var/lib/shorewall/firewall - as described above corrects this problem.
- + as described above corrects this problem. +If "norfc1918" and "dhcp" are both specified as options on a given interface then RFC 1918 checking is occurring before DHCP checking. This means that if a DHCP client broadcasts using an RFC 1918 source address, then the firewall will reject the broadcast (usually logging it). This - has two problems:
- + has two problems: +This version of the 1.3.7a firewall script - corrects the problem. It must be installed - in /var/lib/shorewall as described above.
- + corrects the problem. It must be installed + in /var/lib/shorewall as described above. +Version 1.3.7 dead on arrival -- please use version 1.3.7a and check your version against these md5sums -- if there's a difference, please download again.
- +d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz- +
6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp
In other words, type "md5sum <whatever package you downloaded> - and compare the result with what you see above.
- + and compare the result with what you see above. +I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the - .7 version in each sequence from now on.
- + .7 version in each sequence from now on. +If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, - an error occurs when the firewall script attempts to add an -SNAT alias.
-The logunclean and dropunclean options cause errors during startup when Shorewall is run with iptables - 1.2.7.
-These problems are fixed in this correct firewall script which must be installed in /var/lib/shorewall/ as described above. These problems are also corrected in version 1.3.7.
- +A line was inadvertently deleted from the "interfaces file" -- this line should be added back in if the version that you - downloaded is missing it:
- + downloaded is missing it: +net eth0 detect routefilter,dhcp,norfc1918
- +If you downloaded two-interfaces-a.tgz then the above line should already be in the file.
- +The new 'proxyarp' interface option doesn't work :-( This is fixed in this corrected firewall script which must be installed in /var/lib/shorewall/ as described above.
- +Prior to version 1.3.4, host file entries such as the following were allowed:
- -adm eth0:1.2.4.5,eth0:5.6.7.8-
That capability was lost in version 1.3.4 so that it is only - possible to include a single host specification on each line. This - problem is corrected by this - modified 1.3.5a firewall script. Install the script in /var/lib/pub/shorewall/firewall - as instructed above.
-This problem is corrected in version 1.3.5b.
-REDIRECT rules are broken in this version. Install this corrected firewall script in /var/lib/pub/shorewall/firewall - as instructed above. This problem is corrected in version 1.3.5a.
- + as instructed above. This problem is corrected in version +1.3.5a. +The "shorewall start" and "shorewall restart" commands to not verify that the zones named in the /etc/shorewall/policy file have been previously defined in the /etc/shorewall/zones file. The "shorewall check" command does perform this verification so it's a good idea to run that command after you have made configuration - changes.
- + changes. +If you have upgraded from Shorewall 1.2 and after "Activating rules..." you see the message: "iptables: No chains/target/match - by that name" then you probably have an entry in /etc/shorewall/hosts - that specifies an interface that you didn't include in /etc/shorewall/interfaces. - To correct this problem, you must add an entry to /etc/shorewall/interfaces. - Shorewall 1.3.3 and later versions produce a clearer error + by that name" then you probably have an entry in /etc/shorewall/hosts + that specifies an interface that you didn't include in /etc/shorewall/interfaces. + To correct this problem, you must add an entry to /etc/shorewall/interfaces. + Shorewall 1.3.3 and later versions produce a clearer error message in this case.
- +Until approximately 2130 GMT on 17 June 2002, the download sites contained an incorrect version of the .lrp file. That file can be identified by its size (56284 bytes). The correct version has a size of 38126 bytes.
- +Both problems are corrected in this script which should be installed in /var/lib/shorewall - as described above.
- + as described above. +The IANA have just announced the allocation of subnet - 221.0.0.0/8. This updated rfc1918 file reflects that allocation.
-These problems are corrected in this firewall script which should be installed in /etc/shorewall/firewall - as described above.
- + as described above. +The upgrade issues have moved to a separate page.
- -+ iptables version 1.2.3 + +++There are a couple of serious bugs in iptables 1.2.3 that - prevent it from working with Shorewall. Regrettably, RedHat released + prevent it from working with Shorewall. Regrettably, RedHat released this buggy iptables in RedHat 7.2.
- +I have built a - corrected 1.2.3 rpm which you can download here and I have also built - an and I have also +built an iptables-1.2.4 rpm which you can download here. If you are currently - running RedHat 7.1, you can install either of these RPMs before - you upgrade to RedHat 7.2.
- -Update 11/9/2001: RedHat - has released an iptables-1.2.4 RPM of their own which you can download - from http://www.redhat.com/support/errata/RHSA-2001-144.html. - I have installed this RPM on my firewall and it works fine.
- -If you would like to patch iptables 1.2.3 yourself, - the patches are available for download. This patch - which corrects a problem with parsing of the --log-level specification - while this patch - corrects a problem in handling the TOS target.
+ running RedHat 7.1, you can install either of these RPMs before + you upgrade to RedHat 7.2. -To install one of the above patches:
- --
-- cd iptables-1.2.3/extensions
-- patch -p0 < the-patch-file
- -Update 11/9/2001: RedHat + has released an iptables-1.2.4 RPM of their own which you can download + from http://www.redhat.com/support/errata/RHSA-2001-144.html. + I have installed this RPM on my firewall and it works fine.
+ +If you would like to patch iptables 1.2.3 yourself, + the patches are available for download. This patch + which corrects a problem with parsing of the --log-level specification + while this patch + corrects a problem in handling the TOS target.
+To install one of the above patches:
+ ++
+- cd iptables-1.2.3/extensions
+- patch -p0 < the-patch-file
+ +
+ +- ++Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 - may experience the following:
- -+ may experience the following: + ++- +# shorewall start-
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)The RedHat iptables RPM is compiled with debugging enabled but the user-space debugging code was not updated to reflect recent changes in - the Netfilter 'mangle' table. You can correct the problem by installing - - this iptables RPM. If you are already running a 1.2.5 version of - iptables, you will need to specify the --oldpackage option to rpm (e.g., + this iptables RPM. If you are already running a 1.2.5 version of + iptables, you will need to specify the --oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").
-
If you find that rpm complains about a conflict with kernel <= 2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps" option to rpm.
- +Installing: rpm -ivh --nodeps <shorewall rpm>
- +Upgrading: rpm -Uvh --nodeps <shorewall rpm>
- +The iptables 1.2.7 release of iptables has made an incompatible change to the syntax used to specify multiport match rules; as a consequence, if you install iptables 1.2.7 you must be running Shorewall 1.3.7a or later or:
- +#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL- Error message is:
192.0.2.22 eth0 192.168.9.22 yes yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Setting up NAT...- The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes - has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel - contains corrected support under a new kernel configuraiton option; see + The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes + has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel + contains corrected support under a new kernel configuraiton option; see http://www.shorewall.net/Documentation.htm#NAT
iptables: Invalid argument
Terminated
Last updated 10/9/2002 -
+
+ Last updated 11/24/2002 -
Tom Eastep
+
+
Note: The list server limits posts to 120kb. - +Not getting List Mail? -- Check Here- -If you experience problems with any of these lists, please - let me know - + +If you experience problems with any of these lists, please + let me know +Not able to Post Mail to shorewall.net?- -You can report such problems by sending mail to tom dot eastep - at hp dot com. - + +You can report such problems by sending mail to tom dot eastep + at hp dot com. +A Word about SPAM Filters -- -Before subscribing please read my policy - about list traffic that bounces. Also please note that the mail server - at shorewall.net checks the sender of incoming mail against the open -relay databases at ordb.org. - - - -Mailing Lists Archive Search+ + +Before subscribing please read my policy
+ about list traffic that bounces. Also please note that the mail server
+ at shorewall.net checks incoming mail: Shorewall CA Certificate+ If you want to trust X.509 certificates issued by Shoreline Firewall +(such as the one used on my web site), you may download and install my CA certificate + in your browser. If you don't wish to trust my certificates then you can + either use unencrypted access when subscribing to Shorewall mailing lists + or you can use secure access (SSL) and accept the server's certificate when + prompted by your browser.+ Shorewall Users Mailing List- -The Shorewall Users Mailing list provides a way for users -to get answers to questions and to report problems. Information of general -interest to the Shorewall user community is also posted to this list. - -Before posting a problem report to this list, please see -the problem reporting guidelines. - + +The Shorewall Users Mailing list provides a way for users + to get answers to questions and to report problems. Information of general + interest to the Shorewall user community is also posted to this list. + +Before posting a problem report to this list, please see + the problem reporting guidelines. +To subscribe to the mailing list, go to http://www.shorewall.net/mailman/listinfo/shorewall-users. - + href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users + SSL: https//www.shorewall.net/mailman/listinfo/shorewall-users +To post to the list, post to shorewall-users@shorewall.net. - +The list archives are at http://www.shorewall.net/pipermail/shorewall-users. - -Note that prior to 1/1/2002, the mailing list was hosted at -Sourceforge. The archives from that list -may be found at Note that prior to 1/1/2002, the mailing list was hosted +at Sourceforge. The archives from that +list may be found at www.geocrawler.com/lists/3/Sourceforge/9327/0/. - +Shorewall Announce Mailing List- -This list is for announcements of general interest to the - Shorewall community. To subscribe, go to http://www.shorewall.net/mailman/listinfo/shorewall-announce. - -The list archives are at This list is for announcements of general interest to the
+ Shorewall community. To subscribe, go to http://www.shorewall.net/mailman/listinfo/shorewall-announce
+ SSL: https//www.shorewall.net/mailman/listinfo/shorewall-announce. Shorewall Development Mailing List- -The Shorewall Development Mailing list provides a forum for -the exchange of ideas about the future of Shorewall and for coordinating ongoing -Shorewall Development. - + +The Shorewall Development Mailing list provides a forum for + the exchange of ideas about the future of Shorewall and for coordinating + ongoing Shorewall Development. +To subscribe to the mailing list, go to http://www.shorewall.net/mailman/listinfo/shorewall-devel. - -To post to the list, post to http://www.shorewall.net/mailman/listinfo/shorewall-devel
+ SSL: https//www.shorewall.net/mailman/listinfo/shorewall-devel. The list archives are at http://www.shorewall.net/pipermail/shorewall-devel. - -How to Unsubscribe from one of -the Mailing Lists- -There seems to be near-universal confusion about unsubscribing - from Mailman-managed lists. To unsubscribe: - + +How to Unsubscribe from one of + the Mailing Lists+ +There seems to be near-universal confusion about unsubscribing + from Mailman-managed lists. To unsubscribe: +
+ + Frustrated by having to Rebuild Mailman to use it with Postfix?- + - -Last updated 9/27/2002 - Last updated 11/22/2002 - Tom Eastep - +Copyright © 2001, 2002 Thomas M. Eastep. ++ + + + diff --git a/Shorewall-docs/mailing_list_problems.htm b/Shorewall-docs/mailing_list_problems.htm index 612ae8c83..bda792a3f 100644 --- a/Shorewall-docs/mailing_list_problems.htm +++ b/Shorewall-docs/mailing_list_problems.htm @@ -1,49 +1,53 @@ - + - + - + - +
Shorewall.net is currently experiencing mail delivery problems - to at least one address in each of the following domains:- --- - Last updated 11/3/2002 16:00 GMT - Shorewall.net is currently experiencing mail delivery problems
+ to at least one address in each of the following domains:
+
+ Last updated 11/24/2002 18:44 GMT - Tom Eastep Copyright © 2002 Thomas M. Eastep. In addition to those applications described in the /etc/shorewall/rules documentation, here
-are some other services/applications that you may need to configure your firewall
-to accommodate. NTP (Network Time Protocol) - -+ ++- + rdate - --+ ++ UseNet (NNTP) - -+ ++- + DNS - --- + + ++ ICQ - --- + + ++ PPTP - -+ ++- - IPSEC + +++ + SMTP + +++ + POP3 + +++ + TELNET + +++ + SSH + +++ + Auth (identd) + +++ + Web Access + +++ FTP - -+ ++- - Traceroute - --+ ++ NFS - -+ ++ +- - Didn't find what you are looking for -- have you looked in your own +/etc/services file? +Still looking? Try http://www.networkice.com/advice/Exploits/Ports - -Last updated 10/22/2002 - Last updated 11/10/2002 - Tom Eastep - Copyright - © 2001, 2002 Thomas M. Eastep.+ Copyright + © 2001, 2002 Thomas M. Eastep. + diff --git a/Shorewall-docs/seattlefirewall_index.htm b/Shorewall-docs/seattlefirewall_index.htm index 44adbc73c..a5014f5cd 100644 --- a/Shorewall-docs/seattlefirewall_index.htm +++ b/Shorewall-docs/seattlefirewall_index.htm @@ -3,71 +3,82 @@ - + +
-
+
Donations+ + |
+ M | +
+ |
-
+
+
+
-
+
+
Shorewall is free but if you try it and find it useful, please consider making a donation - to Starlight Children's Foundation. Thanks! - |
-
Updated 11/9/2002 - Tom Eastep + +
Updated 11/24/2002 - Tom Eastep
-
-