extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-27 01:53:27 +01:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall 1.3.11 Changes

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@339 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-11-24 20:08:19 +00:00
parent aff32b8269
commit faf32c61de
25 changed files with 8986 additions and 8388 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

861
Shorewall-docs/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

232
Shorewall-docs/FAQ.htm
View File

@ -12,6 +12,7 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall FAQ</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -32,14 +33,14 @@
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've
looked everywhere and can't find <b>how to do it</b>.</a></p>
looked everywhere and can't find <b>how to do it</b>.</a></p>
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
but it doesn't work.<br>
</a></p>
<p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with
port forwarding</a></p>
port forwarding</a></p>
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my
@ -72,7 +73,7 @@ than 'blocked'.</b> Why?</a></p>
that work with Shorewall?</a></p>
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
'shorewall stop', I can't connect to anything</b>. Why doesn't that command
'shorewall stop', I can't connect to anything</b>. Why doesn't that command
work?</a></p>
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
@ -85,7 +86,7 @@ than 'blocked'.</b> Why?</a></p>
it work with?</a></p>
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
support?</a></p>
support?</a></p>
<p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p>
@ -107,11 +108,18 @@ than 'blocked'.</b> Why?</a></p>
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
all over my console</b> making it unusable!<br>
</a></p>
<b>17</b>. <a href="#faq17">How do I find out <b>why this
is</b> getting <b>logged?</b></a><br>
<b>17</b>. <a href="#faq17">How do I find out <b>why
this is</b> getting <b>logged?</b></a><br>
<br>
<b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different IPs?</a>
with Shorewall, and maintain separate rulesets for different IPs?</a><br>
<br>
<b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b>
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
<br>
<b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a server.
<b>Do I have to change Shorewall to allow access to my server from the internet?</b><br>
</a>
<hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
my my personal PC with IP address 192.168.1.5. I've looked everywhere
@ -139,7 +147,8 @@ rule to a local system is as follows:</p>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local
port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td>
<td> <br>
@ -148,6 +157,7 @@ rule to a local system is as follows:</p>
</td>
</tr>
</tbody>
</table>
</blockquote>
@ -180,6 +190,7 @@ rule to a local system is as follows:</p>
</td>
</tr>
</tbody>
</table>
</blockquote>
@ -188,8 +199,8 @@ rule to a local system is as follows:</p>
<pre align="left"><font face="Courier"> DNAT net loc:192.168.1.5 udp 7777</font></pre>
</div>
<p align="left">If you want to forward requests directed to a particular address
( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
<p align="left">If you want to forward requests directed to a particular
address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -207,13 +218,15 @@ rule to a local system is as follows:</p>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local
port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td>
<td>-</td>
<td><i>&lt;external IP&gt;</i></td>
</tr>
</tbody>
</table>
</blockquote>
@ -224,42 +237,43 @@ rule to a local system is as follows:</p>
<p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
<ul>
<li>You are trying to test from inside your firewall (no, that
won't work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic problem with your local system such
as an incorrect default gateway configured (it should be set to the IP
address of your firewall's internal interface).</li>
<li>You are trying to test from inside your firewall (no,
that won't work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic problem with your local system
such as an incorrect default gateway configured (it should be set to
the IP address of your firewall's internal interface).</li>
</ul>
<h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port
forwarding</h4>
forwarding</h4>
<b>Answer: </b>To further diagnose this problem:<br>
<ul>
<li>As root, type "iptables -t nat -Z". This clears the NetFilter counters
in the nat table.</li>
in the nat table.</li>
<li>Try to connect to the redirected port from an external host.</li>
<li>As root type "shorewall show nat"</li>
<li>Locate the appropriate DNAT rule. It will be in a chain called <i>zone</i>_dnat
where <i>zone</i> is the zone that includes the server ('loc' in the above
examples).</li>
<li>Locate the appropriate DNAT rule. It will be in a chain called
<i>zone</i>_dnat where <i>zone</i> is the zone that includes the server
('loc' in the above examples).</li>
<li>Is the packet count in the first column non-zero? If so, the connection
request is reaching the firewall and is being redirected to the server. In
this case, the problem is usually a missing or incorrect default gateway setting
on the server (the server's default gateway should be the IP address of the
firewall's interface to the server).</li>
request is reaching the firewall and is being redirected to the server.
In this case, the problem is usually a missing or incorrect default gateway
setting on the server (the server's default gateway should be the IP address
of the firewall's interface to the server).</li>
<li>If the packet count is zero:</li>
<ul>
<li>the connection request is not reaching your server (possibly it
is being blocked by your ISP); or</li>
<li>the connection request is not reaching your server (possibly
it is being blocked by your ISP); or</li>
<li>you are trying to connect to a secondary IP address on your firewall
and your rule is only redirecting the primary IP address (You need to specify
the secondary IP address in the "ORIG. DEST." column in your DNAT rule); or</li>
and your rule is only redirecting the primary IP address (You need to specify
the secondary IP address in the "ORIG. DEST." column in your DNAT rule);
or</li>
<li>your DNAT rule doesn't match the connection request in some other
way. In that case, you may have to use a packet sniffer such as tcpdump or
ethereal to further diagnose the problem.<br>
way. In that case, you may have to use a packet sniffer such as tcpdump
or ethereal to further diagnose the problem.<br>
</li>
</ul>
@ -276,16 +290,15 @@ ethereal to further diagnose the problem.<br>
<li>Having an internet-accessible server in your local network
is like raising foxes in the corner of your hen house. If the server
is compromised, there's nothing between that server and your other
internal systems. For the cost of another NIC and a cross-over cable,
you can put your server in a DMZ such that it is isolated from your
local systems - assuming that the Server can be located near the Firewall,
internal systems. For the cost of another NIC and a cross-over cable,
you can put your server in a DMZ such that it is isolated from your
local systems - assuming that the Server can be located near the Firewall,
of course :-)</li>
<li>The accessibility problem is best solved using <a
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a> (or
using a separate DNS server for local clients) such that www.mydomain.com
resolves to 130.141.100.69 externally and 192.168.1.5 internally. That's
what I do here at shorewall.net for my local systems that use static
NAT.</li>
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a> (or using
a separate DNS server for local clients) such that www.mydomain.com resolves
to 130.141.100.69 externally and 192.168.1.5 internally. That's what
I do here at shorewall.net for my local systems that use static NAT.</li>
</ul>
@ -325,6 +338,7 @@ NAT.</li>
<td>130.151.100.69:192.168.1.254</td>
</tr>
</tbody>
</table>
</blockquote>
@ -372,6 +386,7 @@ NAT.</li>
<td>$ETH0_IP:192.168.1.254</td>
</tr>
</tbody>
</table>
</blockquote>
@ -385,24 +400,24 @@ new IP address.</p>
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
subnet and I use static NAT to assign non-RFC1918 addresses to hosts
in Z. Hosts in Z cannot communicate with each other using their external
(non-RFC1918 addresses) so they can't access each other using their DNS
names.</h4>
in Z. Hosts in Z cannot communicate with each other using their external
(non-RFC1918 addresses) so they can't access each other using their DNS
names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both external and internal clients
to access a NATed host using the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses
and can be accessed externally and internally using the same address.
</p>
static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918
addresses and can be accessed externally and internally using the same
address. </p>
<p align="left">If you don't like those solutions and prefer routing all
Z-&gt;Z traffic through your firewall then:</p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
traffic through your firewall then:</p>
<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
(If you are running a Shorewall version earlier than 1.3.9).<br>
(If you are running a Shorewall version earlier than 1.3.9).<br>
b) Set the Z-&gt;Z policy to ACCEPT.<br>
c) Masquerade Z to itself.<br>
<br>
@ -431,6 +446,7 @@ Z-&gt;Z traffic through your firewall then:</p>
<td>multi</td>
</tr>
</tbody>
</table>
</blockquote>
@ -455,6 +471,7 @@ Z-&gt;Z traffic through your firewall then:</p>
</td>
</tr>
</tbody>
</table>
</blockquote>
@ -481,6 +498,7 @@ Z-&gt;Z traffic through your firewall then:</p>
</td>
</tr>
</tbody>
</table>
</blockquote>
@ -504,14 +522,14 @@ Z-&gt;Z traffic through your firewall then:</p>
services that use the 'Auth' mechanism for identifying requesting
users. Shorewall also rejects TCP ports 135, 137 and 139 as well as
UDP ports 137-139. These are ports that are used by Windows (Windows
<u>can</u> be configured to use the DCE cell locator on port 135).
Rejecting these connection requests rather than dropping them cuts
down slightly on the amount of Windows chatter on LAN segments connected
to the Firewall. </p>
<u>can</u> be configured to use the DCE cell locator on port 135). Rejecting
these connection requests rather than dropping them cuts down slightly
on the amount of Windows chatter on LAN segments connected to the Firewall.
</p>
<p align="left">If you are seeing port 80 being 'closed', that's probably
your ISP preventing you from running a web server in violation of
your Service Agreement.</p>
your Service Agreement.</p>
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
firewall and it showed 100s of ports as open!!!!</h4>
@ -540,12 +558,12 @@ your Service Agreement.</p>
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
and how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
facility (see "man openlog") and you get to choose the log level (again,
see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
(see "man openlog") and you get to choose the log level (again, see "man
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure to restart syslogd (on
a RedHat system, "service syslog restart"). </p>
@ -569,7 +587,7 @@ see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
<a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
<a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
href="http://www.logwatch.org"><br>
http://www.logwatch.org</a><br>
http://www.logwatch.org</a><br>
</p>
</blockquote>
@ -620,9 +638,9 @@ http://www.logwatch.org</a><br>
</div>
<div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The
Net zone is defined as all hosts that are connected through eth0 and the
local zone is defined as all hosts connected through eth1</p>
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
zone is defined as all hosts that are connected through eth0 and the local
zone is defined as all hosts connected through eth1</p>
</div>
<h4 align="left"><a name="faq10"></a>10. What Distributions does it work
@ -638,11 +656,11 @@ local zone is defined as all hosts connected through eth1</p>
<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
<p align="left"><b>Answer: </b>Every time I've started to work on one, I
find myself doing other things. I guess I just don't care enough if
Shorewall has a GUI to invest the effort to create one myself. There
are several Shorewall GUI projects underway however and I will publish
links to them when the authors feel that they are ready. </p>
<p align="left"><b>Answer: </b>Every time I've started to work on one, I find
myself doing other things. I guess I just don't care enough if Shorewall
has a GUI to invest the effort to create one myself. There are several
Shorewall GUI projects underway however and I will publish links to
them when the authors feel that they are ready. </p>
<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
@ -659,9 +677,8 @@ links to them when the authors feel that they are ready. </p>
that will let all traffic to and from the 192.168.100.1 address of
the modem in/out but still block all other rfc1918 addresses.</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall
earlier than 1.3.1, create /etc/shorewall/start and in it, place the
following:</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
<div align="left">
<pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
@ -686,6 +703,7 @@ following:</p>
<td>RETURN</td>
</tr>
</tbody>
</table>
</blockquote>
@ -730,10 +748,10 @@ following:</p>
</div>
<div align="left">
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
RFC 1918 filtering on my external interface, my DHCP client cannot renew
its lease.</h4>
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
1918 filtering on my external interface, my DHCP client cannot renew its
lease.</h4>
</div>
<div align="left">
@ -751,14 +769,17 @@ aside, the most common causes of this problem are:</p>
<ol>
<li>
<p align="left">The default gateway on each local system isn't set to
the IP address of the local firewall interface.</p>
</li>
<li>
<p align="left">The entry for the local network in the /etc/shorewall/masq
file is wrong or missing.</p>
</li>
<li>
<p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall and hasn't enabled UDP
and TCP port 53 from the firewall to the internet.</p>
@ -772,7 +793,7 @@ aside, the most common causes of this problem are:</p>
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
to your startup scripts or place it in /etc/shorewall/start. Under
RedHat, the max log level that is sent to the console is specified
in /etc/sysconfig/init in the LOGLEVEL variable.<br>
in /etc/sysconfig/init in the LOGLEVEL variable.<br>
</p>
<h4><a name="faq17"></a>17. How do I find out why this is getting logged?</h4>
@ -787,16 +808,19 @@ in /etc/sysconfig/init in the LOGLEVEL variable.<br>
with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> or <b>all2all
</b>- You have a<a href="Documentation.htm#Policy"> policy</a> that specifies
a log level and this packet is being logged under that policy. If you intend
to ACCEPT this traffic then you need a <a
</b>- You have a<a href="Documentation.htm#Policy"> policy</a> that
specifies a log level and this packet is being logged under that policy.
If you intend to ACCEPT this traffic then you need a <a
href="Documentation.htm#Rules">rule</a> to that effect.<br>
</li>
<li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either you have a<a
href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt; </b>to
<b>&lt;zone2&gt;</b> that specifies a log level and this packet is being
logged under that policy or this packet matches a <a
href="Documentation.htm#Rules">rule</a> that include a log level.</li>
href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
<li><b>&lt;interface&gt;_mac</b> - The packet is being logged under the
<b>maclist</b> <a href="Documentation.htm#Interfaces">interface option</a>.<br>
</li>
<li><b>logpkt</b> - The packet is being logged under the <b>logunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>- The packet is being logged under the <b>dropunclean</b>
@ -805,25 +829,25 @@ a log level and this packet is being logged under that policy. If you intend
<li><b>blacklst</b> - The packet is being logged because the source
IP is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
</a>file.</li>
<li><b>newnotsyn </b>- The packet is being logged because it is a
TCP packet that is not part of any current connection yet it is not a syn
packet. Options affecting the logging of such packets include <b>NEWNOTSYN
<li><b>newnotsyn </b>- The packet is being logged because it is
a TCP packet that is not part of any current connection yet it is not
a syn packet. Options affecting the logging of such packets include <b>NEWNOTSYN
</b>and <b>LOGNEWNOTSYN </b>in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source IP address
that isn't in any of your defined zones ("shorewall check" and look at the
printed zone definitions) or the chain is FORWARD and the destination IP
isn't in any of your defined zones.</li>
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source IP
address that isn't in any of your defined zones ("shorewall check" and
look at the printed zone definitions) or the chain is FORWARD and the destination
IP isn't in any of your defined zones.</li>
</ol>
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different IPs?</h4>
<b>Answer: </b>Yes. You simply use the IP address in your rules (or if
you use NAT, use the local IP address in your rules). <b>Note:</b> The ":n"
notation (e.g., eth0:0) is deprecated and will disappear eventually. Neither
iproute (ip and tc) nor iptables supports that notation so neither does
Shorewall. <br>
<b>Answer: </b>Yes. You simply use the IP address in your rules (or
if you use NAT, use the local IP address in your rules). <b>Note:</b> The
":n" notation (e.g., eth0:0) is deprecated and will disappear eventually.
Neither iproute (ip and tc) nor iptables supports that notation so neither
does Shorewall. <br>
<br>
<b>Example 1:</b><br>
<br>
@ -840,17 +864,33 @@ notation (e.g., eth0:0) is deprecated and will disappear eventually. Neither
/etc/shorewall/rules
<pre wrap=""><span class="moz-txt-citetags"></span> # Accept HTTP on 192.0.2.126 (a.k.a. 10.1.1.126)<br><span
class="moz-txt-citetags"></span><br> <span class="moz-txt-citetags"></span>ACCEPT net loc:10.1.1.126 tcp www<span
class="moz-txt-citetags"></span><span class="moz-txt-citetags"></span></pre>
class="moz-txt-citetags"></span><br></pre>
<b>Example 3 (DNAT):<br>
</b>
<pre> # Forward SMTP on external address 192.0.2.127 to local system 10.1.1.127<br><br> DNAT net loc:10.1.1.127 tcp smtp - 192.0.2.127<br></pre>
<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
but they don't seem to do anything. Why?</h4>
You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
so the contents of the tcrules file are simply being ignored.<br>
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
to change Shorewall to allow access to my server from the internet?</b><br>
</h4>
Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart guide</a>
that you used during your initial setup for information about how to set
up rules for your server.<br>
<br>
<div align="left"> </div>
<p align="left"><font size="2">Last updated 11/09/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<font size="2">Last updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

710
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

10
Shorewall-docs/Shorewall_CVS_Access.html
View File

@ -41,12 +41,12 @@ THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
</div>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/23/2002
- <a href="file:///vfat/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a>
</font> </p>
- <a href="support.htm">Tom Eastep</a> </font>
</p>
<p><font face="Trebuchet MS"><a
href="file:///vfat/Shorewall/Shorewall-docs/copyright.htm"><font
size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>

38
Shorewall-docs/Shorewall_index_frame.htm
View File

@ -2,17 +2,22 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base
target="main">
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -41,11 +46,11 @@
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides
(HOWTOs)</a><br>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></li>
<li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
@ -70,40 +75,49 @@
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://shorewall.sf.net" target="_top">SourceForge</a><br>
<li><a href="http://www.shorewall.net" target="_top">Washington
State, USA</a><br>
</li>
</ul>
</li>
</ul>
<ul>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330 GMT.<br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330
GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input type="text"
name="words" size="15"></font><font size="-1"> </font> <font
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
@ -120,8 +134,10 @@
<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a><br>
<br>
</p>
<br>
<br>
<br>
</body>
</html>

60
Shorewall-docs/configuration_file_basics.htm
View File

@ -49,22 +49,22 @@ policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on
the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of
individual hosts and subnetworks.</li>
individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use
many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading)
and Source Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel
modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions
to the overall policies established in /etc/shorewall/policy.</li>
to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later)
- defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for
later use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field
in packet headers.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS
field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels
with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
@ -75,9 +75,9 @@ later use by traffic control/shaping or policy routing.</li>
<h2>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at the end
of any line, again by delimiting the comment from the rest of the
line with a pound sign.</p>
character a pound sign ("#"). You may also place comments at the
end of any line, again by delimiting the comment from the rest of
the line with a pound sign.</p>
<p>Examples:</p>
@ -99,9 +99,9 @@ line with a pound sign.</p>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names and
you are called out of bed at 2:00AM because Shorewall won't start as a
result of DNS problems then don't say that you were not forewarned. <br>
using DNS names in Shorewall configuration files. If you use DNS names
and you are called out of bed at 2:00AM because Shorewall won't start as
a result of DNS problems then don't say that you were not forewarned. <br>
</b></p>
<p align="left"><b>    -Tom<br>
@ -120,7 +120,7 @@ So change in the DNS-&gt;IP address relationship that occur after the firewall
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't
start.</li>
start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't
@ -129,9 +129,9 @@ start.</li>
your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router is
down for example), can prevent your firewall from starting.</li>
down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting your
firewall.<br>
firewall.<br>
</li>
</ul>
@ -172,8 +172,8 @@ inconvenience by Shorewall. <br>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must
be no white space following the "!".</p>
example, !192.168.1.4 means "any host but 192.168.1.4". There must be
no white space following the "!".</p>
<h2>Comma-separated Lists</h2>
@ -201,7 +201,7 @@ would be embedded white space)</li>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to local
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
@ -252,7 +252,7 @@ host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as a series of
6 hex numbers separated by colons. Example:<br>
6 hex numbers separated by colons. Example:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
@ -267,22 +267,23 @@ host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
<br>
Because Shorewall uses colons as a separator for address fields,
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde ("~") and consist of 6
hex numbers separated by hyphens. In Shorewall, the MAC address in
the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
Shorewall, MAC addresses begin with a tilde ("~") and consist of
6 hex numbers separated by hyphens. In Shorewall, the MAC address
in the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p>
</p>
<h2>Shorewall Configurations</h2>
<h2><a name="Configs"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
commands allow you to specify an alternate configuration directory and
Shorewall will use the files in the alternate directory rather than the
corresponding files in /etc/shorewall. The alternate directory need not
contain a complete configuration; those files not in the alternate directory
commands allow you to specify an alternate configuration directory
and Shorewall will use the files in the alternate directory rather than
the corresponding files in /etc/shorewall. The alternate directory need
not contain a complete configuration; those files not in the alternate directory
will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
@ -293,7 +294,7 @@ will be read from /etc/shorewall.</p>
to a separate directory;</li>
<li> modify those files in the separate directory; and</li>
<li> specifying the separate directory in a shorewall start
or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> ).</li>
</ol>
@ -301,7 +302,7 @@ or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
<p><font size="2"> Updated 10/24/2002 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 11/21/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
@ -315,5 +316,6 @@ or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
<br>
<br>
<br>
<br>
</body>
</html>

209
Shorewall-docs/download.htm
View File

@ -20,6 +20,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td>
</tr>
@ -35,23 +36,24 @@
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with a 2.4
kernel, you can use the RPM version (note: the RPM should also
work with other distributions that store init scripts in /etc/init.d
and that include chkconfig or insserv). If you find that it
works in other cases, let <a href="mailto:teastep@shorewall.net"> me</a>
know so that I can mention them here. See the <a
href="Install.htm">Installation Instructions</a> if you have problems
installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also
want to download the .tgz so you will have a copy of the documentation).</li>
Linux PPC</b> or <b> TurboLinux</b> distribution with a
2.4 kernel, you can use the RPM version (note: the RPM should
also work with other distributions that store init scripts
in /etc/init.d and that include chkconfig or insserv). If you
find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might
also want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian Testing
Branch</a> and the <a
and would like a .deb package, Shorewall is in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module
(.tgz)</li>
</ul>
@ -64,10 +66,10 @@ Unstable Branch</a>.</li>
<ul>
<li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will contain
the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf &lt;downloaded
.lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will
contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf
&lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
</ul>
@ -78,11 +80,12 @@ Unstable Branch</a>.</li>
<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed
configuration of your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled.</b></font></p>
<p>Download Latest Version (<b>1.3.10</b>): <b>Remember that updates to the
mirrors occur 1-12 hours after an update to the primary site.</b></p>
<p><b>Download Latest Version</b> (<b>1.3.10</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3"
@ -95,23 +98,15 @@ Unstable Branch</a>.</li>
<td><b>FTP</b></td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz"
target="_blank">Download .tgz</a> <br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp"
target="_blank">Download .lrp</a></td>
<td valign="top">SourceForge<br>
</td>
<td valign="top">sf.net<br>
</td>
<td valign="top"><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>Slovak Republic</td>
@ -123,7 +118,10 @@ Unstable Branch</a>.</li>
.tgz</a> <br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
.lrp</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
@ -132,7 +130,10 @@ Unstable Branch</a>.</li>
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a></td>
.rpm</a><br>
<a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
</tr>
<tr>
<td>Texas, USA</td>
@ -145,7 +146,10 @@ Unstable Branch</a>.</li>
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
.lrp</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
<td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank"
@ -153,7 +157,10 @@ Unstable Branch</a>.</li>
.tgz</a> <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a></td>
.lrp</a><br>
<a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
@ -166,7 +173,10 @@ Unstable Branch</a>.</li>
.tgz</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
.lrp</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
@ -175,7 +185,10 @@ Unstable Branch</a>.</li>
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
.lrp</a><br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
@ -188,7 +201,10 @@ Unstable Branch</a>.</li>
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
Download .lrp</a><br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
@ -197,7 +213,10 @@ Unstable Branch</a>.</li>
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
Download .lrp</a><br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td>Paris, France</td>
@ -207,7 +226,9 @@ Unstable Branch</a>.</li>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a></td>
.lrp</a><br>
<a href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
@ -216,17 +237,40 @@ Unstable Branch</a>.</li>
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a></td>
.lrp</a><br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td valign="top">SourceForge (California, USA)<br>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="top">sf.net<br>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://sourceforge.net/projects/shorewall">Download</a><br>
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br>
</td>
<td valign="top"><br>
<td valign="top"><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br>
<a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br>
</td>
</tr>
@ -234,7 +278,25 @@ Unstable Branch</a>.</li>
</table>
</blockquote>
<p>Browse Download Sites:</p>
<p align="left"><b>Documentation in PDF format:</b><br>
</p>
<blockquote>
<p>Juraj Ontkanin has produced a Portable Document Format (PDF) file containing
the Shorewall 1.3.10 documenation (the documentation in HTML format is included
in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
</blockquote>
<blockquote>
<blockquote><a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/"><br>
http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</blockquote>
</blockquote>
<p><b>Browse Download Sites:</b></p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -246,23 +308,26 @@ Unstable Branch</a>.</li>
<td><b>FTP</b></td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
target="_blank">Browse</a></td>
<td>SourceForge<br>
</td>
<td>sf.net</td>
<td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
@ -290,26 +355,29 @@ Unstable Branch</a>.</li>
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td>California, USA (Incomplete)</td>
<td>Sourceforge.net</td>
<td><a href="http://sourceforge.net/projects/shorewall">Browse</a></td>
<td>N/A</td>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
target="_blank">Browse</a></td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">CVS:</p>
<p align="left"><b>CVS:</b></p>
<blockquote>
<p align="left">The <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
component. There's no guarantee that what you find there will work at all.</p>
component. There's no guarantee that what you find there will work at
all.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 11/9/2002 - <a
<p align="left"><b></b><font size="2">Last Updated 11/11/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
@ -320,5 +388,8 @@ Unstable Branch</a>.</li>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

121
Shorewall-docs/errata.htm
View File

@ -33,8 +33,8 @@
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
@ -57,24 +57,25 @@ to start Shorewall during boot. It is that file that must be overwritte
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example,
do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems in
Version 1.3</a></b></li>
Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems
in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a
href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems with
kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li> <b><a href="#Debug">Problems
with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7
and MULTIPORT=Yes</a></b></li>
@ -86,48 +87,70 @@ Version 1.3</a></b></li>
<hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.10</h3>
<ul>
<li>If you experience problems connecting to a PPTP server running on
your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases where
installing this script in /usr/lib/shorewall/firewall solved your connection
problems. Beginning with version 1.3.10, it is safe to save the old version
of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
is the real script now and not just a symbolic link to the real script.<br>
</li>
</ul>
<h3>Version 1.3.9a</h3>
<ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
the following message appears during "shorewall [re]start":</li>
the following message appears during "shorewall [re]start":</li>
</ul>
<pre> recalculate_interfacess: command not found<br></pre>
<blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
above.<br>
</blockquote>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
above.<br>
</blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br>
</blockquote>
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br>
</blockquote>
<ul>
<li>The installer (install.sh) issues a misleading message "Common functions
installed in /var/lib/shorewall/functions" whereas the file is installed
installed in /var/lib/shorewall/functions" whereas the file is installed
in /usr/lib/shorewall/functions. The installer also performs incorrectly
when updating old configurations that had the file /etc/shorewall/functions.
<a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br>
is an updated version that corrects these problems.<br>
</a></li>
</ul>
<h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script
at <a
at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br>
Version 1.3.8
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of
the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but with
different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp
25 - 10.1.1.1")<br>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns
of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but
with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
tcp 25 - 10.1.1.1")<br>
</li>
</ul>
@ -167,13 +190,15 @@ at <a
has two problems:</p>
<ol>
<li>If the firewall is running a DHCP
server, the client won't be able to obtain
an IP address lease from that server.</li>
<li>With this order of checking, the
"dhcp" option cannot be used as a noise-reduction
measure where there are both dynamic
and static clients on a LAN segment.</li>
<li>If the firewall is running a
DHCP server, the client won't be able
to obtain an IP address lease from that
server.</li>
<li>With this order of checking,
the "dhcp" option cannot be used as a
noise-reduction measure where there are
both dynamic and static clients on a LAN
segment.</li>
</ol>
@ -205,9 +230,10 @@ and static clients on a LAN segment.</li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to add an
SNAT alias. </p>
SNAT alias. </p>
</li>
<li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables
1.2.7. </p>
@ -268,7 +294,8 @@ SNAT alias. </p>
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version 1.3.5a.</p>
as instructed above. This problem is corrected in version
1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3>
@ -298,10 +325,10 @@ version has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it from
working correctly. </li>
/etc/shorewall/interfaces contained a typo that prevented it
from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just
like "NAT_BEFORE_RULES=Yes".</li>
like "NAT_BEFORE_RULES=Yes".</li>
</ul>
@ -331,8 +358,8 @@ like "NAT_BEFORE_RULES=Yes".</li>
generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface
in /etc/shorewall/interfaces then depending on the option,
Shorewall may ignore all but the first appearence of the option.
For example:<br>
Shorewall may ignore all but the first appearence of the
option. For example:<br>
<br>
net    eth0    dhcp<br>
loc    eth1    dhcp<br>
@ -358,10 +385,10 @@ option.<br>
<h3 align="left">Version 1.3.0</h3>
<ul>
<li>Folks who downloaded 1.3.0 from the links on the download
page before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13
rather than 1.3.0. The "shorewall version" command will tell
you which version that you have installed.</li>
<li>Folks who downloaded 1.3.0 from the links on the
download page before 23:40 GMT, 29 May 2002 may have downloaded
1.2.13 rather than 1.3.0. The "shorewall version" command
will tell you which version that you have installed.</li>
<li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
@ -386,8 +413,8 @@ option.<br>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have also built
an <a
corrected 1.2.3 rpm which you can download here</a>  and I have also
built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
@ -462,8 +489,8 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
<ul>
<li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6
you may install
<li>if you are running Shorewall
1.3.6 you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
@ -486,7 +513,7 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
contains corrected support under a new kernel configuraiton option; see
<a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 10/9/2002 -
<p><font size="2"> Last updated 11/24/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
@ -498,5 +525,7 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
<br>
<br>
<br>
<br>
<br>
</body>
</html>

BIN
Shorewall-docs/images/Vexira_Antivirus_Logo.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.6 KiB

108
Shorewall-docs/mailing_list.htm
View File

@ -16,23 +16,27 @@
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><a
href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35">
href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left">
</a><a href="http://www.gnu.org/software/mailman/mailman.html">
<img border="0" src="images/logo-sm.jpg" align="left" hspace="5"
width="110" height="35">
</a><a href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115"
height="45">
</a><font color="#ffffff">Shorewall Mailing Lists</font></h1>
<p align="right"><font color="#ffffff"><b>Powered by Postfix     
</b></font> </p>
<p align="right"><font color="#ffffff"><b><br>
Powered by Postfix      </b></font> </p>
</td>
</tr>
@ -54,18 +58,30 @@
<h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0"
src="images/but3.png" hspace="3" width="88" height="31">
 </a><a href="http://osirusoft.com/"> </a></h2>
 </a><a href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks the sender of incoming mail against the open
relay databases at <a href="http://ordb.org">ordb.org.</a></p>
at shorewall.net checks incoming mail:<br>
</p>
<ol>
<li>against the open relay databases at <a
href="http://ordb.org">ordb.org.</a></li>
<li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command is a valid
fully-qualified DNS name.<br>
</li>
</ol>
<h2></h2>
<h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
@ -94,17 +110,29 @@ relay databases at <a href="http://ordb.org">ordb.org.</a></p>
type="submit" value="Search"> </p>
</form>
<h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline Firewall
(such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then you can
either use unencrypted access when subscribing to Shorewall mailing lists
or you can use secure access (SSL) and accept the server's certificate when
prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information of general
interest to the Shorewall user community is also posted to this list.</p>
to get answers to questions and to report problems. Information of general
interest to the Shorewall user community is also posted to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see
the <a href="support.htm">problem reporting guidelines</a>.</b></p>
the <a href="support.htm">problem reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
SSL: <a
href="https://www.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-users</a></p>
<p align="left">To post to the list, post to <a
href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
@ -112,37 +140,42 @@ the <a href="support.htm">problem reporting guidelines</a>.</b></p>
<p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
may be found at <a
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>.</p>
<p align="left">The list archives are at <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>
SSL: <a
href="https://www.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-announce.<br>
</a><br>
The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for coordinating ongoing
Shorewall Development.</p>
the exchange of ideas about the future of Shorewall and for coordinating
ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>.</p>
<p align="left">To post to the list, post to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>
SSL: <a
href="https://www.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-devel.</a><br>
To post to the list, post to <a
href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
<p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2>
the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists. To unsubscribe:</p>
@ -150,19 +183,19 @@ the Mailing Lists</h2>
<ul>
<li>
<p align="left">Follow the same link above that you used to subscribe
to the list.</p>
to the list.</p>
</li>
<li>
<p align="left">Down at the bottom of that page is the following text:
"To change your subscription (set options like digest and delivery modes,
get a reminder of your password, <b>or unsubscribe</b> from &lt;name of list&gt;),
enter your subscription email address:". Enter your email address in the
box and click on the "Edit Options" button.</p>
"To change your subscription (set options like digest and delivery modes,
get a reminder of your password, <b>or unsubscribe</b> from &lt;name
of list&gt;), enter your subscription email address:". Enter your email
address in the box and click on the "Edit Options" button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, there is
another button that will cause your password to be emailed to you.</p>
and click on "Unsubscribe"; if you have forgotten your password, there
is another button that will cause your password to be emailed to you.</p>
</li>
</ul>
@ -172,12 +205,17 @@ another button that will cause your password to be emailed to you.</p>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 9/27/2002 - <a
<p align="left"><font size="2">Last updated 11/22/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

8
Shorewall-docs/mailing_list_problems.htm
View File

@ -20,6 +20,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1>
</td>
</tr>
@ -32,11 +33,11 @@
<blockquote>
<div align="left">
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>cuscominc.com - delivery to this domain has been disable (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>littleblue.de - (connection timed out)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>littleblue.de - (connection timed out)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
</div>
</blockquote>
<p align="left"><font size="2">Last updated 11/3/2002 16:00 GMT - <a
<p align="left"><font size="2">Last updated 11/24/2002 18:44 GMT - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
@ -49,5 +50,8 @@
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

31
Shorewall-docs/ports.htm
View File

@ -19,7 +19,7 @@
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Ports required for Various
Services/Applications</font></h1>
Services/Applications</font></h1>
</td>
</tr>
@ -28,8 +28,8 @@ Services/Applications</font></h1>
<p>In addition to those applications described in <a
href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
are some other services/applications that you may need to configure your firewall
to accommodate.</p>
are some other services/applications that you may need to configure your
firewall to accommodate.</p>
<p>NTP (Network Time Protocol)</p>
@ -52,18 +52,18 @@ to accommodate.</p>
<p>DNS</p>
<blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably want
to open TCP Port 53 as well.<br>
<p>UDP Port 53. If you are configuring a DNS client, you will probably
want to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if you will return
long replies to queries or if you need to enable ZONE transfers. In the
latter case, be sure that your server is properly configured.</p>
long replies to queries or if you need to enable ZONE transfers. In the
latter case, be sure that your server is properly configured.</p>
</blockquote>
<p>ICQ   </p>
<blockquote>
<p>UDP Port 4000. You will also need to open a range of TCP ports which
you can specify to your ICQ client. By default, clients use 4000-4100.</p>
you can specify to your ICQ client. By default, clients use 4000-4100.</p>
</blockquote>
<p>PPTP</p>
@ -77,7 +77,8 @@ you can specify to your ICQ client. By default, clients use 4000-4100.</p>
<blockquote>
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
500. These should be opened in both directions.</p>
500. These should be opened in both directions (Lots more information
<a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
</blockquote>
<p>SMTP</p>
@ -142,8 +143,9 @@ have:<br>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before Shorewall
starts, then you should include the port list in /etc/modules.conf:<br>
<p>If there is a possibility that these modules might be loaded before
Shorewall starts, then you should include the port list in /etc/modules.conf:<br>
</p>
<blockquote>
@ -177,16 +179,17 @@ starts, then you should include the port list in /etc/modules.conf:<br>
href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own /etc/services
file? </p>
<p>Didn't find what you are looking for -- have you looked in your own
/etc/services file? </p>
<p>Still looking? Try <a
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 10/22/2002 - </font><font size="2"> <a
<p><font size="2">Last updated 11/10/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
</body>
</html>

299
Shorewall-docs/seattlefirewall_index.htm
View File

@ -4,23 +4,27 @@
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
height="90">
<td
width="100%" height="90">
@ -36,7 +40,10 @@
<div align="center"><a href="1.2" target="_top"><font
<div align="center"><a
href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div>
<br>
@ -49,13 +56,16 @@
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<td
width="90%">
@ -68,6 +78,7 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
@ -78,21 +89,24 @@
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software Foundation.<br>
<br>
This program is distributed
in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.<br>
This program
is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.<br>
<br>
You should have received
a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
You should
have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
@ -106,39 +120,31 @@ with this program; if not, write to the Free Software Foundation,
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway on a floppy,
CD or compact flash) distribution called <i>Bering</i> that
features Shorewall-1.3.9b and Kernel-2.4.18. You can find
their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.10 and Kernel-2.4.18.
You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.0 Final!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>Thinking of Downloading this Site for Offline Browsing?</h2>
You may want to reconsider -- this site is <u><b>181 MB!!!</b></u>
and you will almost certainly be blacklisted before you download the
whole thing (my SDSL is only 384kbs so I'll have lots of time to catch
you). Besides, if you simply download the product and install it, you get
the essential parts of the site in a fraction of the time. And do you really
want to download:<br>
<ul>
<li>Both text and HTML versions of every post ever made on three
different mailing lists (67.5 MB)?</li>
<li>Every .rpm, .tgz and .lrp ever released for both Shorewall (92MB)?</li>
<li>The Shorewall 1.2 site (16.2MB).<br>
</li>
</ul>
You get all that and more if you do a blind recurive copy of this
site. Happy downloading!<br>
<h2>News</h2>
@ -147,78 +153,77 @@ whole thing (my SDSL is only 384kbs so I'll have lots of time to catch
<h2></h2>
<p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>The Shorewall 1.3 web site is now mirrored at SourceForge on <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
</p>
<p><b>11/09/2002 - Shorewall 1.3.10</b><b> </b><b><img border="0"
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>In this version:</p>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define the contents
of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do<a href="MAC_Validation.html"> MAC verification</a>
on ethernet segments. You can specify the set of allowed MAC addresses
on the segment and you can optionally tie each MAC address to one or more
IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall system may
now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> file.</li>
<li>A new 'ipsecnat' tunnel type is supported for use when the
<a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as for
Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
<li>A 'tcpflags' option has been added to entries in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or DEST column in
a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>.
When used, 'all' must appear by itself (in may not be qualified) and it does
not enable intra-zone traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible with
bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules
generate a warning and are ignored</li>
</ul>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
1.3.10, you will need to use the '--force' option:<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
</blockquote>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
href="http://www.gentoo.org"><br>
</a></p>
Alexandru Hartmann reports that his Shorewall package is now a part
of <a href="http://www.gentoo.org">the Gentoo Linux distribution</a>.
Thanks Alex!<br>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p>
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
In this version:<br>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b>
</b></p>
<p>The main Shorewall web site is now back at SourceForge at <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
</p>
<p><b>11/09/2002 - Shorewall 1.3.10</b><b>
</b></p>
<p>In this version:</p>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define the
contents of a zone dynamically</a> with the <a
contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do<a href="MAC_Validation.html">
MAC verification</a> on ethernet segments. You can specify the set of
allowed MAC addresses on the segment and you can optionally tie each MAC
address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall system
may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment and
you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall
system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported for use
when the <a href="IPSEC.htm">remote IPSEC endpoint is behind
@ -227,15 +232,68 @@ a NAT gateway</a>.</li>
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as for
Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
to do the real work. This change makes custom distributions such as
for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
</blockquote>
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
href="http://www.gentoo.org"><br>
</a></p>
Alexandru Hartmann reports that his Shorewall package
is now a part of <a href="http://www.gentoo.org">the Gentoo
Linux distribution</a>. Thanks Alex!<br>
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
In this version:<br>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define
the contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment and
you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the
firewall system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported
for use when the <a href="IPSEC.htm">remote IPSEC endpoint
is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such
as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
You may download the Beta from:<br>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
@ -244,31 +302,37 @@ a NAT gateway</a>.</li>
</li>
</ul>
<p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>
</b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
This release rolls up fixes to the installer and to the
firewall script.<br>
This release rolls up fixes to the installer
and to the firewall script.<br>
<b><br>
10/6/2002 - Shorewall.net now running on RH8.0 </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
10/6/2002 - Shorewall.net now running on RH8.0
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b><br>
<br>
The firewall and server here at shorewall.net are now
running RedHat release 8.0.<br>
The firewall and server here at shorewall.net
are now running RedHat release 8.0.<br>
@ -278,27 +342,32 @@ running RedHat release 8.0.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
</b></p>
<img src="images/j0233056.gif"
alt="Brown Paper Bag" width="50" height="86" align="left">
There is an updated firewall script at <a
There is an updated firewall script at
<a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
<p><b><br>
</b></p>
<p><b><br>
</b></p>
<p><b><br>
9/28/2002 - Shorewall 1.3.9 </b><b>
</b></p>
@ -306,32 +375,37 @@ running RedHat release 8.0.<br>
<p>In this version:<br>
</p>
<ul>
<li><a
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
allowed in Shorewall config files (although I recommend against
using them).</li>
<li>The connection SOURCE may now be
qualified by both interface and IP address in a <a
href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is now disabled
after initial installation until the file /etc/shorewall/startup_disabled
is removed. This avoids nasty surprises at reboot for users who
install Shorewall but don't configure it.</li>
<li>The 'functions' and 'version' files
and the 'firewall' symbolic link have been moved from /var/lib/shorewall
to /usr/lib/shorewall to appease the LFS police at Debian.<br>
<li>The connection SOURCE
may now be qualified by both interface and IP address in
a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is
now disabled after initial installation until the file
/etc/shorewall/startup_disabled is removed. This avoids nasty
surprises at reboot for users who install Shorewall but don't
configure it.</li>
<li>The 'functions' and 'version'
files and the 'firewall' symbolic link have been moved
from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br>
</li>
</ul>
@ -340,6 +414,7 @@ running RedHat release 8.0.<br>
<p><a href="News.htm">More News</a></p>
@ -347,16 +422,18 @@ running RedHat release 8.0.<br>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <a
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
</tr>
</tbody>
</table>
</center>
@ -368,8 +445,9 @@ running RedHat release 8.0.<br>
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
style="margin-top: 1px;">
<td
width="100%" style="margin-top: 1px;">
@ -383,6 +461,7 @@ running RedHat release 8.0.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
@ -396,10 +475,12 @@ if you try it and find it useful, please consider making a donation
</table>
<p><font size="2">Updated 11/9/2002 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
</body>
</html>

2
Shorewall-docs/sfindex.htm
View File

@ -8,7 +8,7 @@
</head>
<frameset cols="242,*">
<frame name="contents" target="main" src="Shorewall_index_frame.htm">
<frame name="contents" target="main" src="Shorewall_sfindex_frame.htm">
<frame name="main" src="sourceforge_index.htm" target="_self" scrolling="auto">
<noframes>
<body>

28
Shorewall-docs/shorewall_mirrors.htm
View File

@ -28,32 +28,32 @@
</table>
<p align="left"><b>Remember that updates to the mirrors are often delayed
for 6-12 hours after an update to the primary site.</b></p>
for 6-12 hours after an update to the primary site.</b></p>
<p align="left">The main Shorewall Web Site is <a
href="http://www.shorewall.net">http://www.shorewall.net</a> and is located
in Washington State, USA. It is mirrored at:</p>
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
and is located in California, USA. It is mirrored at:</p>
<ul>
<li><a target="_top" href="http://slovakia.shorewall.net"> http://slovakia.shorewall.net</a>
(Slovak Republic).</li>
<li> <a href="http://www.infohiiway.com/shorewall" target="_top">
http://shorewall.infohiiway.com</a> (Texas, USA).</li>
<li> <a href="http://www.infohiiway.com/shorewall"
target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net"> http://germany.shorewall.net</a>
(Hamburg, Germany)</li>
(Hamburg, Germany)</li>
<li><a target="_top" href="http://shorewall.correofuego.com.ar">http://shorewall.correofuego.com.ar</a>
(Martinez (Zona Norte - GBA), Argentina)</li>
(Martinez (Zona Norte - GBA), Argentina)</li>
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li>
<li><a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
(California, USA)<br>
<li><a href="http://shorewall.sf.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br>
</li>
</ul>
<p align="left">The main Shorewall FTP Site is <a
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">ftp://ftp.shorewall.net/pub/shorewall/</a>
and is located in Washington State, USA.  It is mirrored at:</p>
and is located in Washington State, USA.  It is mirrored at:</p>
<ul>
<li><a target="_blank"
@ -63,15 +63,17 @@ and is located in Washington State, USA.
target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> (Texas, USA).</li>
<li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>
(Hamburg, Germany)</li>
(Hamburg, Germany)</li>
<li> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall</a>
(Martinez (Zona Norte - GBA), Argentina)</li>
(Martinez (Zona Norte - GBA), Argentina)</li>
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li>
</ul>
Search results and the mailing list archives are always fetched from the
site in Washington State.<br>
<p align="left"><font size="2">Last Updated 11/09/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
@ -79,5 +81,7 @@ and is located in Washington State, USA.
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
</body>
</html>

33
Shorewall-docs/shorewall_prerequisites.htm
View File

@ -26,43 +26,44 @@
</tbody>
</table>
<br>
Shorewall Requires:<br>
<ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6.
<a href="kernel.htm"> Check here for kernel configuration information.</a>
If you are looking for a firewall for use with 2.2 kernels, <a
href="http://www.shorewall.net/seawall"> see the Seattle Firewall
site</a> .</li>
<a href="kernel.htm"> Check here for kernel configuration
information.</a> If you are looking for a firewall for use with 2.2
kernels, <a href="http://seawall.sf.net"> see the Seattle Firewall
site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. If you are going
to be running kernel 2.4.18 or later, NO currently-available RedHat iptables
RPM will work -- again, see the <a href="errata.htm">Shorewall Errata</a>.
</li>
and in the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Some features require iproute ("ip" utility). The iproute package
is included with most distributions but may not be installed by default.
The official download site is <a
is included with most distributions but may not be installed by default.
The official download site is <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> <font
face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
</li>
<li>A Bourne shell or derivative such as bash or ash. Must have correct
support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
<li>A Bourne shell or derivative such as bash or ash. This shell must
have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>The firewall monitoring display is greatly improved if you have awk
(gawk) installed.</li>
<li>The firewall monitoring display is greatly improved if you have
awk (gawk) installed.</li>
</ul>
<p align="left"><font size="2">Last updated 9/19/2002 - <a
<p align="left"><font size="2">Last updated 11/10/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
</body>
</html>

54
Shorewall-docs/shorewall_quickstart_guide.htm
View File

@ -22,6 +22,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br>
Version 3.1</font></h1>
</td>
@ -42,8 +43,8 @@ must all first walk before we can run.</p>
<ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System acting
as a firewall/router for a small local network</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System
acting as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System
acting as a firewall/router for a small local network and a DMZ.</li>
@ -59,8 +60,10 @@ must all first walk before we can run.</p>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<ul>
@ -79,8 +82,8 @@ must all first walk before we can run.</p>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your
Network</a>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up
your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
@ -93,24 +96,25 @@ must all first walk before we can run.</p>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
ARP</a></li>
ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and
Ends</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
Starting and Stopping the Firewall</a></li>
</ul>
<h2><a name="Documentation"></a>Additional Documentation</h2>
<h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
@ -127,7 +131,7 @@ ARP</a></li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common configuration
file features</a>
file features</a>
<ul>
<li>Comments in configuration files</li>
<li>Line Continuation</li>
@ -154,9 +158,11 @@ file features</a>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li>
@ -188,6 +194,11 @@ file features</a>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br>
</li>
</ul>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
<li>VPN
@ -196,7 +207,7 @@ file features</a>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
firewall to a remote network.</li>
firewall to a remote network.</li>
</ul>
</li>
@ -207,15 +218,10 @@ firewall to a remote network.</li>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 11/3/2002 - <a
<p><font size="2">Last modified 11/19/2002 - <a
href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br>
</p>
</body>
</html>

361
Shorewall-docs/sourceforge_index.htm
View File

@ -4,17 +4,19 @@
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base
target="_self">
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
@ -27,41 +29,43 @@
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables
made easy"</i></font></font><a href="http://www.sf.net"><img
align="right" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=1"
width="88" height="31" hspace="4" vspace="4">
made easy"</i></font></font><a href="http://www.sf.net">
</a></h1>
<div align="center"><a
href="http://www.shorewall.net/1.2/index.htm" target="_top"><font
<div align="center"><a href="/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a></div>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td
width="90%">
<td width="90%">
@ -74,6 +78,8 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
@ -84,22 +90,27 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
<br>
This program is
distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.<br>
This
program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for
more details.<br>
<br>
You should have
received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
You
should have received a copy of the GNU General Public
License along with this program; if not, write to
the Free Software Foundation, Inc., 675 Mass Ave,
Cambridge, MA 02139, USA</p>
@ -114,44 +125,18 @@ General Public License</a> as published by the Free Software Foundation.<
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway on
a floppy, CD or compact flash) distribution called <i>Bering</i>
that features Shorewall-1.3.9b and Kernel-2.4.18. You
can find their work at: <a
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.10 and
Kernel-2.4.18. You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<h2>Thinking of Downloading this Site for Offline Browsing?</h2>
You may want to reconsider -- this site is <u><b>181 MB!!!</b></u>
and you will almost certainly be blacklisted before you download the
whole thing (my SDSL is only 384kbs so I'll have lots of time to catch
you). Besides, if you simply download the product and install it, you get
the essential parts of the site in a fraction of the time. And do you really
want to download:<br>
<ul>
<li>Both text and HTML versions of every post ever made
on three different mailing lists (67.5 MB)?</li>
<li>Every .rpm, .tgz and .lrp ever released for both Shorewall
(92MB)?</li>
<li>The Shorewall 1.2 site (16.2MB).<br>
</li>
</ul>
You get all that and more if you do a blind recurive copy of this
site. Happy downloading!<br>
<b>Congratulations to Jacques and Eric on the recent release of Bering
1.0 Final!!! <br>
</b>
<h2>News</h2>
@ -162,64 +147,61 @@ whole thing (my SDSL is only 384kbs so I'll have lots of time to catch
<p><b>11/09/2002 - Shorewall is Back on SourceForge</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>The Shorewall 1.3 web site is now mirrored at SourceForge at <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
</p>
<p><b>11/09/2002 - Shorewall 1.3.10</b><b> </b><b><img border="0"
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>In this version:</p>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define the contents
of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do<a href="MAC_Validation.html"> MAC
verification</a> on ethernet segments. You can specify the set of allowed
MAC addresses on the segment and you can optionally tie each MAC address
to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall system
may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported for use when
the <a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT
gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as for
Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
<li>A 'tcpflags' option has been added to entries in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or DEST column in
a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>.
When used, 'all' must appear by itself (in may not be qualified) and it does
not enable intra-zone traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible with
bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules
generate a warning and are ignored</li>
</ul>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to
version 1.3.10, you will need to use the '--force' option:<br>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<blockquote>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
</blockquote>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
href="http://www.gentoo.org"><br>
</a></p>
Alexandru Hartmann reports that his Shorewall package is now
a part of <a href="http://www.gentoo.org">the Gentoo Linux distribution</a>.
Thanks Alex!<br>
<p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
In this version:<br>
<p>The main Shorewall web site is now at SourceForge at <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
</p>
<p><b>11/09/2002 - Shorewall 1.3.10</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>In this version:</p>
<ul>
@ -231,27 +213,87 @@ gateway</a>.</li>
updown scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment and
you can optionally tie each MAC address to one or more IP addresses.</li>
You can specify the set of allowed MAC addresses on the segment
and you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall
system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported for
use when the <a href="IPSEC.htm">remote IPSEC endpoint is
behind a NAT gateway</a>.</li>
<li>A new 'ipsecnat' tunnel type is supported
for use when the <a href="IPSEC.htm">remote IPSEC endpoint
is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such
as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
If you have installed the 1.3.10 Beta 1 RPM and are now
upgrading to version 1.3.10, you will need to use the '--force' option:<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
</blockquote>
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
href="http://www.gentoo.org"><br>
</a></p>
Alexandru Hartmann reports that his Shorewall package
is now a part of <a href="http://www.gentoo.org">the Gentoo
Linux distribution</a>. Thanks Alex!<br>
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
In this version:<br>
<ul>
<li>You may now <a
href="IPSEC.htm#Dynamic">define the contents of a zone dynamically</a>
with the <a href="starting_and_stopping_shorewall.htm">"shorewall add"
and "shorewall delete" commands</a>. These commands are expected
to be used primarily within <a
href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment
and you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running
on the firewall system may now be defined in the<a
href="PPTP.htm"> /etc/shorewall/tunnels</a> file.</li>
<li>A new 'ipsecnat' tunnel type is supported
for use when the <a href="IPSEC.htm">remote IPSEC endpoint
is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now
be specified in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses
/sbin/shorewall to do the real work. This change makes custom
distributions such as for Debian and for Gentoo easier to manage
since it is /etc/init.d/shorewall that tends to have distribution-dependent
code.</li>
</ul>
You may download the Beta from:<br>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
@ -260,32 +302,40 @@ as for Debian and for Gentoo easier to manage since it is /etc/init.d/shor
</li>
</ul>
<p><b>10/10/2002 - Debian 1.3.9b Packages Available </b><b>
</b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
This release rolls up fixes to the installer and to
the firewall script.<br>
This release rolls up fixes to the installer
and to the firewall script.<br>
<b><br>
10/6/2002 - Shorewall.net now running on RH8.0 </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
10/6/2002 - Shorewall.net now running
on RH8.0 </b><b><img border="0" src="images/new10.gif"
width="28" height="12" alt="(New)">
</b><br>
<br>
The firewall and server here at shorewall.net are
now running RedHat release 8.0.<br>
The firewall and server here at shorewall.net
are now running RedHat release 8.0.<br>
@ -296,11 +346,14 @@ as for Debian and for Gentoo easier to manage since it is /etc/init.d/shor
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
</b></p>
<img src="images/j0233056.gif"
alt="Brown Paper Bag" width="50" height="86" align="left">
There is an updated firewall script at <a
<img
src="images/j0233056.gif" alt="Brown Paper Bag" width="50" height="86"
align="left">
There is an updated firewall script
at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
@ -308,18 +361,21 @@ as for Debian and for Gentoo easier to manage since it is /etc/init.d/shor
<p><b><br>
</b></p>
<p><b><br>
</b></p>
<p><b><br>
9/28/2002 - Shorewall 1.3.9 </b><b>
</b></p>
@ -327,33 +383,40 @@ as for Debian and for Gentoo easier to manage since it is /etc/init.d/shor
<p>In this version:<br>
</p>
<ul>
<li><a
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
allowed in Shorewall config files (although I recommend against
using them).</li>
<li>The connection SOURCE may
now be qualified by both interface and IP address in a <a
href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is now disabled
after initial installation until the file /etc/shorewall/startup_disabled
is removed. This avoids nasty surprises at reboot for users
who install Shorewall but don't configure it.</li>
<li>The 'functions' and 'version'
files and the 'firewall' symbolic link have been moved from
/var/lib/shorewall to /usr/lib/shorewall to appease the LFS
police at Debian.<br>
allowed in Shorewall config files (although I recommend
against using them).</li>
<li>The connection
SOURCE may now be qualified by both interface and IP
address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup
is now disabled after initial installation until the
file /etc/shorewall/startup_disabled is removed. This avoids
nasty surprises at reboot for users who install Shorewall
but don't configure it.</li>
<li>The 'functions'
and 'version' files and the 'firewall' symbolic link
have been moved from /var/lib/shorewall to /usr/lib/shorewall
to appease the LFS police at Debian.<br>
</li>
</ul>
@ -363,6 +426,7 @@ police at Debian.<br>
<p><a href="News.htm">More News</a></p>
@ -371,29 +435,49 @@ police at Debian.<br>
<h2> </h2>
<h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1>
<h4> </h4>
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
<td width="88" bgcolor="#4b017c" valign="top" align="center">
<br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
style="margin-top: 1px;">
<td
width="100%" style="margin-top: 1px;">
@ -409,22 +493,29 @@ police at Debian.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 11/9/2002 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</p>
<br>
<br>
<br>
</body>
</html>

117
Shorewall-docs/standalone.htm
View File

@ -30,11 +30,11 @@
<h2 align="center">Version 2.0.1</h2>
<p align="left">Setting up Shorewall on a standalone Linux system is very
easy if you understand the basics and follow the documentation.</p>
easy if you understand the basics and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall in
one of its most common configurations:</p>
Shorewall. It rather focuses on what is required to configure Shorewall
in one of its most common configurations:</p>
<ul>
<li>Linux system</li>
@ -44,31 +44,31 @@ one of its most common configurations:</p>
</ul>
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for this
program:</p>
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for
this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must
save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you copy
a configuration file from your Windows hard drive to a floppy disk, you
must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
</ul>
@ -84,12 +84,12 @@ un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
during Shorewall installation).</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
and default entries.</p>
file on your system -- each file contains detailed configuration instructions
and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only one
zone is defined:</p>
set of <i>zones.</i> In the one-interface sample configuration, only one
zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
@ -112,11 +112,11 @@ zone is defined:</p>
the firewall itself is known as <b>fw</b>.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed
in terms of zones.</p>
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -124,11 +124,11 @@ another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file matches
the connection request then the first policy in /etc/shorewall/policy that
matches the request is applied. If that policy is REJECT or DROP  the request
is first checked against the rules in /etc/shorewall/common (the samples
provide that file for you).</p>
checked against the /etc/shorewall/rules file. If no rule in that file matches
the connection request then the first policy in /etc/shorewall/policy that
matches the request is applied. If that policy is REJECT or DROP  the
request is first checked against the rules in /etc/shorewall/common (the
samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has
the following policies:</p>
@ -176,14 +176,15 @@ the following policies:</p>
<ol>
<li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your firewall</li>
<li>drop (ignore) all connection requests from the internet to your
firewall</li>
<li>reject all other connection requests (Shorewall requires this catchall
policy).</li>
</ol>
<p>At this point, edit your /etc/shorewall/policy and make any changes that
you wish.</p>
you wish.</p>
<h2 align="left">External Interface</h2>
@ -194,26 +195,26 @@ you wish.</p>
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
a <b>ppp0</b>. If you connect via a regular modem, your External Interface
will also be <b>ppp0</b>. If you connect using ISDN, your external interface
will be<b> ippp0.</b></p>
will also be <b>ppp0</b>. If you connect using ISDN, your external interface
will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
    The Shorewall one-interface sample configuration assumes that the external
interface is <b>eth0</b>. If your configuration is different, you will have
to modify the sample /etc/shorewall/interfaces file accordingly. While you
are there, you may wish to review the list of options that are specified
for the interface. Some hints:</p>
    The Shorewall one-interface sample configuration assumes that the
external interface is <b>eth0</b>. If your configuration is different, you
will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that are
specified for the interface. Some hints:</p>
<ul>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p>
you can replace the "detect" in the second column with "-". </p>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the option
list. </p>
or if you have a static IP address, you can remove "dhcp" from the option
list. </p>
</li>
</ul>
@ -224,7 +225,7 @@ list. </p>
<div align="left">
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges
for use in private networks:</p>
for use in private networks:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -233,14 +234,14 @@ for use in private networks:</p>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though, ISPs
are assigning these addresses then using <i>Network Address Translation
</i>to rewrite packet headers when forwarding to/from the internet.</p>
are assigning these addresses then using <i>Network Address Translation
</i>to rewrite packet headers when forwarding to/from the internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
     Before starting Shorewall, you should look at the IP address of
your external interface and if it is one of the above ranges, you should
remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
your external interface and if it is one of the above ranges, you should
remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
@ -249,7 +250,7 @@ remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p
<div align="left">
<p align="left">If you wish to enable connections from the internet to your
firewall, the general format is:</p>
firewall, the general format is:</p>
</div>
<div align="left">
@ -332,7 +333,7 @@ uses, see <a href="ports.htm">here</a>.</p>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use SSH:</p>
shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
@ -372,7 +373,7 @@ shell access to your firewall from the internet, use SSH:</p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
    At this point, edit /etc/shorewall/rules to add other connections
as desired.</p>
as desired.</p>
</div>
<div align="left">
@ -383,43 +384,45 @@ as desired.</p>
<p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
</p>
</div>
<div align="left">
<p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing
is enabled on those hosts that have an entry in <a
is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter
If you want to totally remove any trace of Shorewall from your Netfilter
configuration, use "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have added
an entry for the IP address that you are connected from to <a
the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
and test it using the <a href="Documentation.htm#Starting">"shorewall try"
command</a>.</p>
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 9/26/2002 - <a
<p align="left"><font size="2">Last updated 11/21/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
</body>

42
Shorewall-docs/starting_and_stopping_shorewall.htm
View File

@ -61,11 +61,11 @@ run-level editor.</p>
<li>Shorewall startup is disabled by default. Once you have configured
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
Note: Users of the .deb package must edit /etc/default/shorewall and set
'startup=1'.<br>
'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall in your
/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart"
in that script.</li>
/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart"
in that script.</li>
</ol>
@ -118,8 +118,8 @@ table (iptables -t mangle -L -n -v)</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall packet
log messages in the current /var/log/messages file.</li>
<li>shorewall hits - Produces several reports about the Shorewall
packet log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of
the zones, interfaces, hosts, rules and policy files. <font size="4"
@ -127,38 +127,43 @@ the zones, interfaces, hosts, rules and policy files. <font size="4"
generated iptables commands so even though the "check" command completes
successfully, the configuration may fail to start. See the recommended
way to make configuration changes described below. </b></font> </li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ]
- Restart shorewall using the specified configuration and if an error
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
] - Restart shorewall using the specified configuration and if an error
occurs or if the<i> timeout </i> option is given and the new configuration
has been up for that many seconds then shorewall is restarted using
the standard configuration.</li>
has been up for that many seconds then shorewall is restarted using the
standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and shorewall
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the <a
href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
<li>shorewall logwatch (added in version 1.3.2) - Monitors the
<a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
messages are logged.</li>
</ul>
Finally, the "shorewall" program may be used to dynamically alter the contents
Finally, the "shorewall" program may be used to dynamically alter the contents
of a zone.<br>
<ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the
specified interface (and host if included) to the specified zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes
the specified interface (and host if included) from the specified zone.</li>
</ul>
<blockquote>Examples:<br>
<blockquote>shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
from interface ipsec0 to the zone vpn1<br>
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24
from interface ipsec0 from zone vpn1<br>
</blockquote>
</blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
<b>shorewall try </b>commands allow you to specify which <a
href="#Configs"> Shorewall configuration</a> to use:</p>
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
to use:</p>
<blockquote>
@ -170,8 +175,8 @@ from interface ipsec0 from zone vpn1<br>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
. If the file is present in the <i>configuration-directory</i>, that file
will be used; otherwise, the file in /etc/shorewall will be used.</p>
. If the file is present in the <i>configuration-directory</i>, that
file will be used; otherwise, the file in /etc/shorewall will be used.</p>
@ -225,7 +230,7 @@ from interface ipsec0 from zone vpn1<br>
<p><font size="2"> Updated 10/23/2002 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 11/21/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
@ -237,5 +242,6 @@ from interface ipsec0 from zone vpn1<br>
<br>
<br>
<br>
<br>
</body>
</html>

73
Shorewall-docs/support.htm
View File

@ -22,6 +22,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
</td>
</tr>
@ -29,31 +30,37 @@
</tbody>
</table>
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
is easier to post a problem than to use your own brain" </font>-- </i> <font
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
easier to post a problem than to use your own brain" </font>-- </i> <font
size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
<p align="left"> <i>"Any sane computer will tell you how it works -- you
just have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<p align="left"> <i>"Any sane computer will tell you how it works -- you just
have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<blockquote> </blockquote>
<p><span style="font-weight: 400;"><i>"It irks me when people believe that
free software comes at no cost. The cost is incredibly high."</i>
- <font size="2"> Wietse Venema</font></span></p>
- <font size="2"> Wietse Venem<br>
</font></span></p>
<h3 align="left">Before Reporting a Problem</h3>
<b><i>"Reading the documentation fully is a prerequisite to getting help
for your particular situation. I know it's harsh but you will have to get
so far on your own before you can get reasonable help from a list full of
busy people. A mailing list is not a tool to speed up your day by being spoon
fed</i></b><i><b>".</b> </i>-- Simon White<br>
<p>There are a number of sources for problem solution information.</p>
<p>There are also a number of sources for problem solution information.</p>
<ul>
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
contains a number of tips to help you solve common problems.</li>
<li>The <a href="errata.htm"> Errata</a> has links to download updated
components.</li>
<li>The Mailing List Archives search facility can locate posts about
similar problems:</li>
contains a number of tips to help you solve common problems.</li>
<li>The <a href="errata.htm"> Errata</a> has links to download
updated components.</li>
<li>The Mailing List Archives search facility can locate posts
about similar problems:</li>
</ul>
@ -89,33 +96,44 @@ contains a number of tips to help you solve common problems.</li>
type="submit" value="Search"> </p>
</form>
<h3 align="left">Problem Reporting Guidelines</h3>
<h3 align="left">Problem Reporting Guideline</h3>
<ul>
<li>When reporting a problem, give as much information as you can.
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</li>
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</li>
<li>Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your questions
you custom configuration files. We're here to answer your questions
but we can't do your job for you.</li>
<li>Do you see any "Shorewall" messages in /var/log/messages when
you exercise the function that is giving you problems?</li>
<li>Do you see any "Shorewall" messages in /var/log/messages
when you exercise the function that is giving you problems?</li>
<li>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</li>
<li>Have you tried using the diagnostic capabilities of the application
that isn't working? For example, if "ssh" isn't able to connect, using
the "-v" option gives you a lot of valuable diagnostic information.</li>
<li>Have you tried using the diagnostic capabilities of the
application that isn't working? For example, if "ssh" isn't able
to connect, using the "-v" option gives you a lot of valuable diagnostic
information.</li>
<li>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file) that you
think are relevant. If an error occurs when you try to "shorewall start",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).</li>
<li>The list server limits posts to 120kb so don't post GIFs of your
network layout, etc to the Mailing List -- your post will be rejected.</li>
<li>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc to the Mailing List -- your post will
be rejected.</li>
</ul>
<h3>Where to Send your Problem Report or to Ask for Help</h3>
<b></b>
<b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem
reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set
on October 3, 2002; MandrakeSoft issued a charge against my credit card
on October 4, 2002 (they are really effecient at that part of the order
process) and I haven't heard a word from them since (although their news
letters boast that 9.0 boxed sets have been shipping for the last two weeks).
If they can't fill my 9.0 order within <u>6 weeks after they have billed
my credit card</u> then I refuse to spend my free time supporting of their
product for them.<br>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
post your question or problem to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
@ -135,14 +153,11 @@ you custom configuration files. We're here to answer your questions
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p>
<p align="left"><font size="2">Last Updated 10/13/2002 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 11/19//2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
</body>
</html>

243
Shorewall-docs/three-interface.htm
View File

@ -20,6 +20,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
</td>
</tr>
@ -54,9 +55,9 @@
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -67,10 +68,10 @@ for this program:</p>
</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you
copy a configuration file from your Windows hard drive to a floppy disk,
    If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy disk,
you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
@ -97,8 +98,8 @@ of these as described in this guide. After you have <a
and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the three-interface sample configuration, the following
zone names are used:</p>
set of <i>zones.</i> In the three-interface sample configuration, the
following zone names are used:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
@ -133,7 +134,7 @@ of these as described in this guide. After you have <a
<ul>
<li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -142,10 +143,10 @@ to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/pol
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common (the
samples provide that file for you).</p>
matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the three-interface sample
has the following policies:</p>
@ -218,18 +219,18 @@ samples provide that file for you).</p>
<ol>
<li>allow all connection requests from your local network to the
internet</li>
<li>drop (ignore) all connection requests from the internet to your
firewall or local network</li>
<li>optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)</li>
internet</li>
<li>drop (ignore) all connection requests from the internet to
your firewall or local network</li>
<li>optionally accept all connection requests from the firewall
to the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
</ol>
<p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy file and make any
changes that you wish.</p>
    At this point, edit your /etc/shorewall/policy file and make
any changes that you wish.</p>
<h2 align="left">Network Interfaces</h2>
@ -239,37 +240,38 @@ internet</li>
<p align="left">The firewall has three network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
your External Interface will also be <b>ppp0</b>. If you connect using ISDN,
you external interface will be <b>ippp0.</b></p>
will be the ethernet adapter that is connected to that "Modem" (e.g.,
<b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External Interface
will be a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular
modem, your External Interface will also be <b>ppp0</b>. If you connect
using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    If your external interface is <b>ppp0</b> or <b>ippp0 </b>then
you will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf.</a></p>
you will want to set CLAMPMSS=yes in <a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local computers
will be connected to the same switch (note: If you have only a single local
system, you can connect the firewall directly to the computer using a
<i>cross-over </i> cable).</p>
will be connected to the same switch (note: If you have only a single
local system, you can connect the firewall directly to the computer using
a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ
computers will be connected to the same switch (note: If you have only a
single DMZ system, you can connect the firewall directly to the computer
computers will be connected to the same switch (note: If you have only
a single DMZ system, you can connect the firewall directly to the computer
using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect more than one interface to the same hub or switch
(even for testing). It won't work the way that you expect it to and you
will end up confused and believing that Shorewall doesn't work at all.</p>
</b></u>Do not connect more than one interface to the same hub or
switch (even for testing). It won't work the way that you expect it to
and you will end up confused and believing that Shorewall doesn't work
at all.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
@ -299,14 +301,14 @@ you will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
Host Configuration Protocol</i> (DHCP) or as part of establishing your
connection when you dial in (standard modem) or establish your PPP connection.
In rare cases, your ISP may assign you a<i> static</i> IP address; that
means that you configure your firewall's external interface to use that
address permanently.<i> </i>Regardless of how the address is assigned, it
will be shared by all of your systems when you access the Internet. You will
have to assign your own addresses for your internal network (the local and
DMZ Interfaces on your firewall plus your other computers). RFC 1918 reserves
several <i>Private </i>IP address ranges for this purpose:</p>
connection when you dial in (standard modem) or establish your PPP connection.
In rare cases, your ISP may assign you a<i> static</i> IP address; that
means that you configure your firewall's external interface to use that
address permanently.<i> </i>Regardless of how the address is assigned,
it will be shared by all of your systems when you access the Internet.
You will have to assign your own addresses for your internal network (the
local and DMZ Interfaces on your firewall plus your other computers). RFC
1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -316,22 +318,23 @@ several <i>Private </i>IP address ranges for this purpose:</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Before starting Shorewall, you should look at the IP address
of your external interface and if it is one of the above ranges, you
should remove the 'norfc1918' option from the external interface's entry
in /etc/shorewall/interfaces.</p>
of your external interface and if it is one of the above ranges, you
should remove the 'norfc1918' option from the external interface's
entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<p align="left">You will want to assign your local addresses from one <i>
sub-network </i>or <i>subnet</i> and your DMZ addresses from another
subnet. For our purposes, we can consider a subnet to consists of a range
of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a <i>Subnet
Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved as the <i>Subnet
Address</i> and x.y.z.255 is reserved as the <i>Subnet Broadcast</i> <i>Address</i>.
In Shorewall, a subnet is described using <a href="subnet_masks.htm"><i>Classless
InterDomain Routing </i>(CIDR)</a> notation with consists of the subnet
address followed by "/24". The "24" refers to the number of consecutive
"1" bits from the left of the subnet mask. </p>
subnet. For our purposes, we can consider a subnet to consists of a
range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a <i>Subnet
Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved as the <i>Subnet
Address</i> and x.y.z.255 is reserved as the <i>Subnet Broadcast</i>
<i>Address</i>. In Shorewall, a subnet is described using <a
href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)</a>
notation with consists of the subnet address followed by "/24". The "24"
refers to the number of consecutive "1" bits from the left of the subnet
mask. </p>
</div>
<div align="left">
@ -375,17 +378,17 @@ address followed by "/24". The "24" refers to the number of consecutive
<p align="left">One of the purposes of subnetting is to allow all computers
in the subnet to understand which other computers can be communicated
with directly. To communicate with systems outside of the subnetwork,
systems send packets through a<i>  gateway</i>  (router).</p>
systems send packets through a<i>  gateway</i>  (router).</p>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (Local Computers 1 &amp; 2) should be configured
with their<i> default gateway</i> set to the IP address of the firewall's
internal interface and your DMZ computers ( DMZ Computers 1 &amp; 2)
should be configured with their default gateway set to the IP address
of the firewall's DMZ interface.   </p>
    Your local computers (Local Computers 1 &amp; 2) should be
configured with their<i> default gateway</i> set to the IP address of
the firewall's internal interface and your DMZ computers ( DMZ Computers
1 &amp; 2) should be configured with their default gateway set to the
IP address of the firewall's DMZ interface.   </p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
@ -408,17 +411,18 @@ of the firewall's DMZ interface.
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't forward
packets which have an RFC-1918 destination address. When one of your local
systems (let's assume local computer 1) sends a connection request to an
internet host, the firewall must perform <i>Network Address Translation
packets which have an RFC-1918 destination address. When one of your
local systems (let's assume local computer 1) sends a connection request
to an internet host, the firewall must perform <i>Network Address Translation
</i>(NAT). The firewall rewrites the source address in the packet to be
the address of the firewall's external interface; in other words, the firewall
makes it look as if the firewall itself is initiating the connection.  This
is necessary so that the destination host will be able to route return packets
back to the firewall (remember that packets whose destination address
is reserved by RFC 1918 can't be routed accross the internet). When the
firewall receives a return packet, it rewrites the destination address
back to 10.10.10.1 and forwards the packet on to local computer 1. </p>
the address of the firewall's external interface; in other words, the firewall
makes it look as if the firewall itself is initiating the connection. 
This is necessary so that the destination host will be able to route return
packets back to the firewall (remember that packets whose destination
address is reserved by RFC 1918 can't be routed accross the internet).
When the firewall receives a return packet, it rewrites the destination
address back to 10.10.10.1 and forwards the packet on to local computer
1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> and you will also see the term <i>Source Network Address
@ -445,27 +449,28 @@ back to 10.10.10.1 and forwards the packet on to local computer 1. </p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    If your external firewall interface is <b>eth0</b>, your local
interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do
not need to modify the file provided with the sample. Otherwise, edit
/etc/shorewall/masq and change it to match your configuration.</p>
interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do
not need to modify the file provided with the sample. Otherwise, edit
/etc/shorewall/masq and change it to match your configuration.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    If your external IP is static, you can enter it in the third column
in the /etc/shorewall/masq entry if you like although your firewall will
work fine if you leave that column empty. Entering your static IP in column
3 makes processing outgoing packets a little more efficient. </p>
    If your external IP is static, you can enter it in the third
column in the /etc/shorewall/masq entry if you like although your firewall
will work fine if you leave that column empty. Entering your static IP
in column 3 makes processing outgoing packets a little more efficient.
</p>
<h2 align="left">Port Forwarding (DNAT)</h2>
<p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses, it is not
possible for clients on the internet to connect directly to them. It is
rather necessary for those clients to address their connection requests
to your firewall who rewrites the destination address to the address of your
server and forwards the packet to that server. When your server responds,
the firewall automatically performs SNAT to rewrite the source address in
the response.</p>
possible for clients on the internet to connect directly to them. It
is rather necessary for those clients to address their connection requests
to your firewall who rewrites the destination address to the address of
your server and forwards the packet to that server. When your server responds,
the firewall automatically performs SNAT to rewrite the source address
in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure port
@ -549,9 +554,9 @@ the same as <i>&lt;port&gt;</i>.</p>
<ul>
<li>When you are connecting to your server from your local systems,
you must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to port 80. If you
have problems connecting to your web server, try the following rule and
try connecting to port 5000 (e.g., connect to <a
<li>Many ISPs block incoming connection requests to port 80. If
you have problems connecting to your web server, try the following rule
and try connecting to port 5000 (e.g., connect to <a
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z is your
external IP).</li>
@ -661,27 +666,27 @@ address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
    At this point, add the DNAT and ACCEPT rules for your servers.
</p>
</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will be
written). Alternatively, your ISP may have given you the IP address of
will be automatically configured (e.g., the /etc/resolv.conf file will
be written). Alternatively, your ISP may have given you the IP address of
a pair of DNS <i> name servers</i> for you to manually configure as your
primary and secondary name servers. It is <u>your</u> responsibility to
configure the resolver in your internal systems. You can take one of two
approaches:</p>
primary and secondary name servers. It is <u>your</u> responsibility to
configure the resolver in your internal systems. You can take one of two
approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers or if
those addresses are available on their web site, you can configure your
internal systems to use those addresses. If that information isn't available,
look in /etc/resolv.conf on your firewall system -- the name servers
are given in "nameserver" records in that file. </p>
name servers. If you ISP gave you the addresses of their servers or
if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information isn't
available, look in /etc/resolv.conf on your firewall system -- the name
servers are given in "nameserver" records in that file. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_2.gif"
@ -690,12 +695,13 @@ are given in "nameserver" records in that file. </p>
or in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which
also requires the 'bind' RPM) and for Bering users, there is dnscache.lrp.
If you take this approach, you configure your internal systems to use
the caching name server as their primary (and only) name server. You use
the internal IP address of the firewall (10.10.10.254 in the example above)
for the name server address if you choose to run the name server on your
firewall. To allow your local systems to talk to your caching name server,
you must open port 53 (both UDP and TCP) from the local network to the
server; you do that by adding the rules in /etc/shorewall/rules. </p>
the caching name server as their primary (and only) name server. You use
the internal IP address of the firewall (10.10.10.254 in the example above)
for the name server address if you choose to run the name server on
your firewall. To allow your local systems to talk to your caching name
server, you must open port 53 (both UDP and TCP) from the local network
to the server; you do that by adding the rules in /etc/shorewall/rules.
</p>
</li>
</ul>
@ -1054,8 +1060,9 @@ uses, look <a href="ports.htm">here</a>.</p>
    The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot  but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file
/etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -1077,11 +1084,11 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
<div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    The three-interface sample assumes that you want to enable routing
to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ) when Shorewall
is stopped. If these two interfaces don't connect to your local network
and DMZ or if you want to enable a different set of hosts, modify /etc/shorewall/routestopped
accordingly.</p>
    The three-interface sample assumes that you want to enable
routing to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ)
when Shorewall is stopped. If these two interfaces don't connect to
your local network and DMZ or if you want to enable a different set
of hosts, modify /etc/shorewall/routestopped accordingly.</p>
</div>
<div align="left">
@ -1090,12 +1097,12 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
and test it using the <a href="Documentation.htm#Starting">"shorewall
try" command</a>.</p>
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 10/22/2002 - <a
<p align="left"><font size="2">Last updated 11/21/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
@ -1106,5 +1113,7 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
<br>
<br>
<br>
<br>
<br>
</body>
</html>

118
Shorewall-docs/troubleshoot.htm
View File

@ -28,60 +28,61 @@
<h3 align="left">Check the Errata</h3>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
sure that there isn't an update that you are missing for your version of
the firewall.</p>
sure that there isn't an update that you are missing for your version
of the firewall.</p>
<h3 align="left">Check the FAQs</h3>
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
problems.</p>
problems.</p>
<h3 align="left">If the firewall fails to start</h3>
If you receive an error message when starting or restarting the firewall
and you can't determine the cause, then do the following:
and you can't determine the cause, then do the following:
<ul>
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you determine
what the problem is.</li>
what the problem is.</li>
<li>If you still can't determine what's wrong then see the <a
href="support.htm">support page</a>.</li>
</ul>
<h3>Your test environment</h3>
<h3>Your network environment</h3>
<p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived test setup. Here are several popular snafus: </p>
actually an ill-conceived network setup. Here are several popular snafus:
</p>
<ul>
<li>Port Forwarding where client and server are in the same
subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the external
subnet, thinking that Shorewall will suddenly believe that the system
is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given the
way that the Linux kernel respond to ARP "who-has" requests, this type
of setup does NOT work the way that you expect it to.</li>
subnet, thinking that Shorewall will suddenly believe that the system
is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given
the way that the Linux kernel respond to ARP "who-has" requests, this
type of setup does NOT work the way that you expect it to.</li>
</ul>
<h3 align="left">If you are having connection problems:</h3>
<p align="left">If the appropriate policy for the connection that you are
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add clutter
to your rule set and they represent a big security hole in the event that
you forget to remove them later.</p>
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add
clutter to your rule set and they represent a big security hole in the event
that you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of
your best diagnostic tools - the "Shorewall" messages that Netfilter
will generate when you try to connect in a way that isn't permitted
by your rule set.</p>
your best diagnostic tools - the "Shorewall" messages that Netfilter
will generate when you try to connect in a way that isn't permitted
by your rule set.</p>
<p align="left">Check your log. If you don't see Shorewall messages, then
your problem is probably NOT a Shorewall problem. If you DO see packet messages,
it may be an indication that you are missing one or more rules -- see <a
your problem is probably NOT a Shorewall problem. If you DO see packet messages,
it may be an indication that you are missing one or more rules -- see <a
href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear
@ -97,13 +98,13 @@ it may be an indication that you are missing one or more rules -- see <a
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p>
<ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all chain
-- the packet was rejected under the "all"-&gt;"all" REJECT policy (see
-- the packet was rejected under the "all"-&gt;"all" REJECT policy (see
<a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
@ -115,9 +116,14 @@ LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</f
</ul>
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
is in the "loc" zone. I was missing the rule:</p>
is in the "loc" zone. I was missing the rule:</p>
<p align="left">ACCEPT    dmz    loc    udp    53</p>
<p align="left">ACCEPT    dmz    loc    udp    53<br>
</p>
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
about how to interpret the chain name appearing in a Shorewall log message.<br>
</p>
<h3 align="left">Other Gotchas</h3>
@ -126,60 +132,60 @@ is in the "loc" zone. I was missing the rule:</p>
chains? This means that:
<ol>
<li>your zone definitions are screwed up and the host that is sending
the packets or the destination host isn't in any zone (using an
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are you?);
or</li>
the packets or the destination host isn't in any zone (using an
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are
you?); or</li>
<li>the source and destination hosts are both connected to the same
interface and that interface doesn't have the 'multi' option specified
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
</ol>
</li>
<li>Remember that Shorewall doesn't automatically allow ICMP type
8 ("ping") requests to be sent between zones. If you want pings to be
allowed between zones, you need a rule of the form:<br>
8 ("ping") requests to be sent between zones. If you want pings to be
allowed between zones, you need a rule of the form:<br>
<br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br>
icmp    echo-request<br>
<br>
The ramifications of this can be subtle. For example, if you have the
following in /etc/shorewall/nat:<br>
The ramifications of this can be subtle. For example, if you have
the following in /etc/shorewall/nat:<br>
<br>
    10.1.1.2    eth0    130.252.100.18<br>
<br>
and you ping 130.252.100.18, unless you have allowed icmp type 8 between
the zone containing the system you are pinging from and the zone containing
10.1.1.2, the ping requests will be dropped. This is true even if you
have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
and you ping 130.252.100.18, unless you have allowed icmp type 8
between the zone containing the system you are pinging from and the
zone containing 10.1.1.2, the ping requests will be dropped. This is
true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
<li>If you specify "routefilter" for an interface, that interface
must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually need
to be configured with their default gateway set to the IP address of
their nearest firewall interface. One often overlooked aspect of routing
must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually
need to be configured with their default gateway set to the IP address
of their nearest firewall interface. One often overlooked aspect of routing
is that in order for two hosts to communicate, the routing between them
must be set up <u>in both directions.</u> So when setting up routing
between <b>A</b> and<b> B</b>, be sure to verify that the route from
between <b>A</b> and<b> B</b>, be sure to verify that the route from
<b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a shell
with broken variable expansion. <a
<li>Some versions of LRP (EigerStein2Beta for example) have a
shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li>
shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program is generally
included in the "iproute" package which should be included with your
included in the "iproute" package which should be included with your
distribution (though many distributions don't install iproute by
default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li>
.</li>
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
then the zone must be entirely defined in /etc/shorewall/hosts unless you
have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
then the zone must be entirely defined in /etc/shorewall/hosts unless
you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
For example, if a zone has two interfaces but only one interface has an
entry in /etc/shorewall/hosts then hosts attached to the other interface
will <u>not</u> be considered part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all external
addresses to be use with NAT unless you have set <a
<li>Problems with NAT? Be sure that you let Shorewall add all
external addresses to be use with NAT unless you have set <a
href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li>
</ul>
@ -190,10 +196,10 @@ addresses to be use with NAT unless you have set <a
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote>
</font>
<p><font size="2">Last updated 10/17/2002 - Tom Eastep</font> </p>
<p><font size="2">Last updated 11/21/2002 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
</body>
</html>

171
Shorewall-docs/two-interface.htm
View File

@ -68,9 +68,9 @@ for this program:</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you copy
a configuration file from your Windows hard drive to a floppy disk, you must
run dos2unix against the copy before using it with Shorewall.</p>
run them through dos2unix before trying to use them. Similarly, if you
copy a configuration file from your Windows hard drive to a floppy disk,
you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
@ -82,10 +82,10 @@ run dos2unix against the copy before using it with Shorewall.</p>
<h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory /etc/shorewall
-- for simple setups, you will only need to deal with a few of these as
described in this guide. After you have <a href="Install.htm">installed
Shorewall</a>, download the <a
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a few
of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, download the <a
href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
(these files will replace files with the same name).</p>
@ -139,11 +139,11 @@ to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/pol
checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
the request is first checked against the rules in /etc/shorewall/common (the
samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample
has the following policies:</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has
the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -212,11 +212,12 @@ has the following policies:</p>
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from your local network to the internet</li>
<li>allow all connection requests from your local network to the
internet</li>
<li>drop (ignore) all connection requests from the internet to your
firewall or local network</li>
<li>optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)</li>
the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
</ol>
@ -231,15 +232,15 @@ the internet (if you uncomment the additional policy)</li>
height="635">
</p>
<p align="left">The firewall has two network interfaces. Where Internet connectivity
is through a cable or DSL "Modem", the <i>External Interface</i> will be
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<p align="left">The firewall has two network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
your External Interface will also be <b>ppp0</b>. If you connect via ISDN,
your external interface will be <b>ippp0.</b></p>
a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
your External Interface will also be <b>ppp0</b>. If you connect via ISDN,
your external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
@ -256,9 +257,9 @@ using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect the internal and external interface to the same
hub or switch (even for testing). It won't work the way that you think that
it will and you will end up confused and believing that Shorewall doesn't
work at all.</p>
hub or switch (even for testing). It won't work the way that you think
that it will and you will end up confused and believing that Shorewall
doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
@ -292,8 +293,8 @@ connection when you dial in (standard modem) or establish your PPP connection.
In rare cases, your ISP may assign you a<i> static</i> IP address; that
means that you configure your firewall's external interface to use that
address permanently.<i> </i>However your external address is assigned, it
will be shared by all of your systems when you access the Internet. You
will have to assign your own addresses in your internal network (the Internal
will be shared by all of your systems when you access the Internet. You will
have to assign your own addresses in your internal network (the Internal
Interface on your firewall plus your other computers). RFC 1918 reserves
several <i>Private </i>IP address ranges for this purpose:</p>
@ -304,10 +305,10 @@ several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Before starting Shorewall, you should look at the IP address of
your external interface and if it is one of the above ranges, you should
remove the 'norfc1918' option from the external interface's entry in
/etc/shorewall/interfaces.</p>
    Before starting Shorewall, you should look at the IP address
of your external interface and if it is one of the above ranges, you
should remove the 'norfc1918' option from the external interface's entry
in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
@ -316,11 +317,11 @@ several <i>Private </i>IP address ranges for this purpose:</p>
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet
will have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0
is reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved as
the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is
described using <a href="subnet_masks.htm"><i>Classless InterDomain Routing
</i>(CIDR) notation</a> with consists of the subnet address followed
by "/24". The "24" refers to the number of consecutive leading "1" bits
from the left of the subnet mask. </p>
the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described
using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
notation</a> with consists of the subnet address followed by "/24". The
"24" refers to the number of consecutive leading "1" bits from the left
of the subnet mask. </p>
</div>
<div align="left">
@ -370,9 +371,9 @@ systems send packets through a<i>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (computer 1 and computer 2 in the above diagram)
should be configured with their<i> default gateway</i> to be the IP
address of the firewall's internal interface.<i>      </i> </p>
    Your local computers (computer 1 and computer 2 in the above
diagram) should be configured with their<i> default gateway</i> to be
the IP address of the firewall's internal interface.<i>      </i> </p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
@ -399,18 +400,18 @@ address of the firewall's internal interface.<i>
host, the firewall must perform <i>Network Address Translation </i>(NAT).
The firewall rewrites the source address in the packet to be the address
of the firewall's external interface; in other words, the firewall makes
it look as if the firewall itself is initiating the connection.  This
is necessary so that the destination host will be able to route return
packets back to the firewall (remember that packets whose destination
address is reserved by RFC 1918 can't be routed across the internet so
the remote host can't address its response to computer 1). When the firewall
receives a return packet, it rewrites the destination address back to 10.10.10.1
it look as if the firewall itself is initiating the connection.  This is
necessary so that the destination host will be able to route return packets
back to the firewall (remember that packets whose destination address
is reserved by RFC 1918 can't be routed across the internet so the remote
host can't address its response to computer 1). When the firewall receives
a return packet, it rewrites the destination address back to 10.10.10.1
and forwards the packet on to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> but you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> but you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<ul>
<li>
@ -432,8 +433,8 @@ with Netfilter:</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    If your external firewall interface is <b>eth0</b>, you do not need
to modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq
    If your external firewall interface is <b>eth0</b>, you do not
need to modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq
and change the first column to the name of your external interface and
the second column to the name of your internal interface.</p>
@ -450,14 +451,14 @@ the second column to the name of your internal interface.</p>
local computers. Because these computers have RFC-1918 addresses, it is
not possible for clients on the internet to connect directly to them. It
is rather necessary for those clients to address their connection requests
to the firewall who rewrites the destination address to the address of
your server and forwards the packet to that server. When your server responds,
to the firewall who rewrites the destination address to the address of your
server and forwards the packet to that server. When your server responds,
the firewall automatically performs SNAT to rewrite the source address
in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure port
forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<p>The general form of a simple port forwarding rule in /etc/shorewall/rules
is:</p>
@ -479,7 +480,7 @@ forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
port&gt;</i>]</td>
port&gt;</i>]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> </td>
@ -524,13 +525,13 @@ port&gt;</i>]</td>
<ul>
<li>You must test the above rule from a client outside of your local
network (i.e., don't test from a browser running on computers 1 or 2 or
on the firewall). If you want to be able to access your web server using
the IP address of your external interface, see <a
network (i.e., don't test from a browser running on computers 1 or 2
or on the firewall). If you want to be able to access your web server
using the IP address of your external interface, see <a
href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port 80. If you
have problems connecting to your web server, try the following rule
and try connecting to port 5000.</li>
have problems connecting to your web server, try the following rule and
try connecting to port 5000.</li>
</ul>
@ -563,15 +564,15 @@ and try connecting to port 5000.</li>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, modify /etc/shorewall/rules to add any DNAT rules
that you require.</p>
that you require.</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will
be written). Alternatively, your ISP may have given you the IP address
of a pair of DNS <i> name servers</i> for you to manually configure as your
will be automatically configured (e.g., the /etc/resolv.conf file will be
written). Alternatively, your ISP may have given you the IP address of
a pair of DNS <i> name servers</i> for you to manually configure as your
primary and secondary name servers. Regardless of how DNS gets configured
on your firewall, it is <u>your</u> responsibility to configure the resolver
in your internal systems. You can take one of two approaches:</p>
@ -579,25 +580,25 @@ in your internal systems. You can take one of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers or
if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information isn't
available, look in /etc/resolv.conf on your firewall system -- the name
servers are given in "nameserver" records in that file. </p>
name servers. If you ISP gave you the addresses of their servers or if
those addresses are available on their web site, you can configure your
internal systems to use those addresses. If that information isn't available,
look in /etc/resolv.conf on your firewall system -- the name servers
are given in "nameserver" records in that file. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    You can configure a<i> Caching Name Server </i>on your firewall.<i>
</i>Red Hat has an RPM for a caching name server (the RPM also requires
the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you
take this approach, you configure your internal systems to use the firewall
the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you take
this approach, you configure your internal systems to use the firewall
itself as their primary (and only) name server. You use the internal IP
address of the firewall (10.10.10.254 in the example above) for the name
server address. To allow your local systems to talk to your caching
name server, you must open port 53 (both UDP and TCP) from the local
network to the firewall; you do that by adding the following rules in
/etc/shorewall/rules. </p>
server address. To allow your local systems to talk to your caching name
server, you must open port 53 (both UDP and TCP) from the local network
to the firewall; you do that by adding the following rules in /etc/shorewall/rules.
</p>
</li>
</ul>
@ -807,13 +808,12 @@ network to the firewall; you do that by adding the following rules in
<div align="left">
<p align="left">Those two rules would of course be in addition to the rules
listed above under "You can configure a Caching Name Server on your
firewall"</p>
listed above under "You can configure a Caching Name Server on your firewall"</p>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular
application uses, look <a href="ports.htm">here</a>.</p>
<p align="left">If you don't know what port and protocol a particular application
uses, look <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
@ -855,7 +855,7 @@ application uses, look <a href="ports.htm">here</a>.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Now edit your /etc/shorewall/rules file to add or delete other
connections as required.</p>
connections as required.</p>
</div>
<div align="left">
@ -867,14 +867,14 @@ connections as required.</p>
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot  but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start Shorewall
before configuration is complete. Once you have completed configuration of
your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
color="#ff0000">Users of the .deb package must edit /etc/default/shorewall
and set 'startup=1'.</font><br>
and set 'startup=1'.</font><br>
</p>
</div>
@ -893,7 +893,7 @@ and set 'startup=1'.</font><br>
height="13">
    The two-interface sample assumes that you want to enable routing
to/from <b>eth1 </b>(the local network) when Shorewall is stopped. If
your local network isn't connected to <b>eth1</b> or if you wish to enable
your local network isn't connected to <b>eth1</b> or if you wish to enable
access to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
</div>
@ -903,12 +903,12 @@ your local network isn't connected to <b>eth1</b> or if you wish to enable
added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
and test it using the <a href="Documentation.htm#Starting">"shorewall
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 10/9/2002 - <a
<p align="left"><font size="2">Last updated 11/21/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
@ -918,5 +918,6 @@ your local network isn't connected to <b>eth1</b> or if you wish to enable
<br>
<br>
<br>
<br>
</body>
</html>

11
Shorewall-docs/useful_links.html
View File

@ -48,17 +48,16 @@
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html<img
src="images/openlogo-nd-50.png" alt="Open Logo" width="25" height="30"
align="middle" hspace="4" border="0">
<img src="images/debian.jpg" alt="Debian Logo" width="88" height="30"
<img src="images/debian.jpg" alt="Debian Logo" width="88" height="30"
align="middle" border="0">
</a><br>
</h3>
<br>
<font size="2">Last updated 9/16/2002 - <a
href="file:///vfat/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font>
<font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font>
<p><font face="Trebuchet MS"><a
href="file:///vfat/Shorewall/Shorewall-docs/copyright.htm"><font
size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>