mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-24 16:43:21 +01:00
a30b326a4b
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@756 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
488 lines
25 KiB
HTML
488 lines
25 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<html>
|
|
<head>
|
|
<meta http-equiv="Content-Type"
|
|
content="text/html; charset=windows-1252">
|
|
<title>Shoreline Firewall (Shorewall) 1.4</title>
|
|
<base target="_self">
|
|
</head>
|
|
<body>
|
|
<table cellpadding="0" cellspacing="4"
|
|
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
|
bgcolor="#3366ff">
|
|
<tbody>
|
|
<tr>
|
|
<td width="33%" height="90" valign="middle" align="center"><a
|
|
href="http://www.cityofshoreline.com"> </a>
|
|
<div align="center"> <img src="images/Logo1.png"
|
|
alt="(Shorewall Logo)" width="430" height="90" align="middle"> </div>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<div align="center">
|
|
<div align="center"> </div>
|
|
<center>
|
|
<div align="center"> </div>
|
|
<table border="0" cellpadding="0" cellspacing="0"
|
|
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
|
<tbody>
|
|
<tr>
|
|
<td width="90%">
|
|
<h2>Introduction<br>
|
|
</h2>
|
|
<ul>
|
|
<li><a href="http://www.netfilter.org">Netfilter</a> - the
|
|
packet filter facility built into the 2.4 and later Linux kernels.</li>
|
|
<li>ipchains - the packet filter facility built into the 2.2
|
|
Linux kernels. Also the name of the utility program used to configure
|
|
and control that facility. Netfilter can be used in ipchains
|
|
compatibility mode.<br>
|
|
</li>
|
|
<li>iptables - the utility program used to configure and
|
|
control
|
|
Netfilter. The term 'iptables' is often used to refer to the
|
|
combination of iptables+Netfilter (with Netfilter not in
|
|
ipchains compatibility mode).<br>
|
|
</li>
|
|
</ul>
|
|
The Shoreline Firewall, more commonly known as "Shorewall", is
|
|
high-level tool for configuring Netfilter. You describe your
|
|
firewall/gateway requirements using entries in a set of configuration
|
|
files. Shorewall reads those configuration files and with the help of
|
|
the iptables utility, Shorewall configures Netfilter to match your
|
|
requirements. Shorewall can be used on a dedicated firewall system, a
|
|
multi-function gateway/router/server or on a standalone GNU/Linux
|
|
system. Shorewall does not use Netfilter's ipchains compatibility mode
|
|
and can thus take advantage of Netfilter's connection state tracking
|
|
capabilities.<br>
|
|
<br>
|
|
This program is free software; you can redistribute it and/or modify it
|
|
under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
|
2 of the GNU
|
|
General Public License</a> as published by the Free Software Foundation.<br>
|
|
<p> This program is distributed in the hope that it will be
|
|
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
General Public License for more details.<br>
|
|
<br>
|
|
You should have received a copy of the GNU General Public License along
|
|
with this program; if not, write to the Free Software Foundation, Inc.,
|
|
675 Mass Ave, Cambridge, MA 02139, USA</p>
|
|
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M.
|
|
Eastep</a></p>
|
|
<h2>This is the Shorewall 1.4 Web Site</h2>
|
|
The information on this site applies only to 1.4.x releases of
|
|
Shorewall. For older versions:<br>
|
|
<ul>
|
|
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
|
|
target="_top">here.</a></li>
|
|
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
|
|
target="_top">here</a>.<br>
|
|
</li>
|
|
</ul>
|
|
<h2>Getting Started with Shorewall</h2>
|
|
New to Shorewall? Start by selecting the <a
|
|
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
|
|
closely match your environment
|
|
and follow the step by step instructions.<br>
|
|
<h2>Looking for Information?</h2>
|
|
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
|
Index</a> is a good place to start as is the Quick Search to your
|
|
right.
|
|
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
|
If so, the documentation<b> </b>on
|
|
this site will not apply directly to your setup. If you want
|
|
to use the documentation that you find here, you will want to consider
|
|
uninstalling what you have and installing a setup that matches the
|
|
documentation on this site. See the <a href="two-interface.htm">Two-interface
|
|
QuickStart Guide</a> for details.<br>
|
|
<h2>News</h2>
|
|
<p><b>10/06/2003 - Shorewall 1.4.7</b><b> <img
|
|
style="border: 0px solid ; width: 28px; height: 12px;"
|
|
src="images/new10.gif" alt="(New)" title=""><br>
|
|
</b></p>
|
|
<b>Problems Corrected since version 1.4.6 (Those in bold font
|
|
were corrected since 1.4.7 RC2)</b><br>
|
|
<ol>
|
|
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
|
|
variable was being tested before it was set.</li>
|
|
<li>Corrected handling of MAC addresses in the SOURCE column of
|
|
the tcrules file. Previously, these addresses resulted in an invalid
|
|
iptables command.</li>
|
|
<li>The "shorewall stop" command is now disabled when
|
|
/etc/shorewall/startup_disabled exists. This prevents people from
|
|
shooting themselves in the foot prior to having configured Shorewall.</li>
|
|
<li>A change introduced in version 1.4.6 caused error messages
|
|
during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
|
|
were being added to a PPP interface; the addresses were successfully
|
|
added in spite of the messages.<br>
|
|
<br>
|
|
The firewall script has been modified to eliminate the error messages</li>
|
|
<li>Interface-specific dynamic blacklisting chains are
|
|
now displayed by "shorewall monitor" on the "Dynamic Chains" page
|
|
(previously named "Dynamic Chain").</li>
|
|
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
|
|
<li>The 'shorewall reject' and
|
|
'shorewall drop' commands now delete any existing rules for the subject
|
|
IP address before adding a new DROP or REJECT rule. Previously, there
|
|
could be many rules for the same IP address in the dynamic chain so
|
|
that multiple 'allow' commands were required to re-enable traffic
|
|
to/from the address.</li>
|
|
<li>When ADD_SNAT_ALIASES=Yes in
|
|
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
|
|
a startup error:<br>
|
|
<br>
|
|
eth0 eth1
|
|
206.124.146.20-206.124.146.24<br>
|
|
<br>
|
|
</li>
|
|
<li>Shorewall previously choked over
|
|
IPV6 addresses configured on interfaces in contexts where Shorewall
|
|
needed to detect something about the interface (such as when "detect"
|
|
appears in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
|
|
<li>Shorewall will now load
|
|
module files that are formed from the module name by appending ".o.gz".</li>
|
|
<li>When Shorewall adds a route to a
|
|
proxy ARP host and such a route already exists, two routes resulted
|
|
previously. This has been corrected so that the existing route is
|
|
replaced if it already exists.</li>
|
|
<li>The rfc1918 file has been
|
|
updated to reflect recent allocations.</li>
|
|
<li>The documentation of the
|
|
USER SET column in the rules file has been corrected.</li>
|
|
<li>If there is no policy
|
|
defined for
|
|
the zones specified in a rule, the firewall script previously
|
|
encountered a shell syntax error:<br>
|
|
|
|
<br>
|
|
[: NONE: unexpected operator<br>
|
|
|
|
<br>
|
|
Now, the absence of a policy generates an error message and the
|
|
firewall is stopped:<br>
|
|
|
|
<br>
|
|
No policy defined from zone
|
|
<source> to zone <dest><br>
|
|
<br>
|
|
</li>
|
|
<li>Previously, if neither
|
|
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
|
|
would fail to start and would not remove the lock file. Failure to
|
|
remove the lock file resulted in the following during subsequent
|
|
attempts to start:<br>
|
|
|
|
<br>
|
|
Loading /usr/share/shorewall/functions...<br>
|
|
Processing /etc/shorewall/params ...<br>
|
|
Processing /etc/shorewall/shorewall.conf...<br>
|
|
Giving up on lock file /var/lib/shorewall/lock<br>
|
|
Shorewall Not Started<br>
|
|
<br>
|
|
Shorewall now reports a fatal error if neither of these two files exist
|
|
and correctly removes the lock fille.</li>
|
|
<li>The order of processing
|
|
the
|
|
various options has been changed such that blacklist entries now take
|
|
precedence over the 'dhcp' interface setting.</li>
|
|
<li>The log message generated
|
|
from the
|
|
'logunclean' interface option has been changed to reflect a disposition
|
|
of LOG rather than DROP.</li>
|
|
<li><span style="font-weight: bold;">When a user name and/or a
|
|
group
|
|
name was specified in the USER SET column and the destination zone was
|
|
qualified with a IP address, the user and/or group name was not being
|
|
used to qualify the rule.<br>
|
|
<br>
|
|
Example:<br>
|
|
<br>
|
|
ACCEPT fw net:192.0.2.12 tcp 23 - - - vladimir:<br>
|
|
<br>
|
|
</span></li>
|
|
<li><span style="font-weight: bold;">The /etc/shorewall/masq
|
|
file has had the spurious "/" character at the front removed.</span></li>
|
|
</ol>
|
|
<b>Migration Issues:</b><br>
|
|
<ol>
|
|
<li>Shorewall IP Traffic Accounting has changed since snapshot
|
|
20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
|
|
details.</li>
|
|
<li>The Uset Set capability introduced in SnapShot 20030821 has
|
|
changed -- see the <a href="UserSets.html">User Set page</a> for
|
|
details.</li>
|
|
<li>The per-interface Dynamic Blacklisting facility introduced
|
|
in the first post-1.4.6 Snapshot has been removed. The facility had too
|
|
many idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
|
|
</li>
|
|
</ol>
|
|
<b>New Features:</b><br>
|
|
<ol>
|
|
<li>Thanks to Steve Herber, the 'help' command can now give
|
|
command-specific help (e.g., shorewall help <command>).</li>
|
|
<li>A new option "ADMINISABSENTMINDED" has been added to
|
|
/etc/shorewall/shorewall.conf. This option has a default value of "No"
|
|
for existing users which causes Shorewall's 'stopped' state to
|
|
continue as it has been; namely, in the stopped state only traffic
|
|
to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
|
|
<br>
|
|
With ADMINISABSENTMINDED=Yes (the default for new installs), in
|
|
addition to traffic to/from the hosts listed in
|
|
/etc/shorewall/routestopped, Shorewall will allow:<br>
|
|
<br>
|
|
a) All traffic originating from the firewall itself; and<br>
|
|
b) All traffic that is part of or related to an
|
|
already-existing connection.<br>
|
|
<br>
|
|
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
|
|
entered through an ssh session will not kill the session.<br>
|
|
<br>
|
|
Note though that even with ADMINISABSENTMINDED=Yes, it is still
|
|
possible for people to shoot themselves in the foot.<br>
|
|
<br>
|
|
Example:<br>
|
|
<br>
|
|
/etc/shorewall/nat:<br>
|
|
<br>
|
|
206.124.146.178
|
|
eth0:0 192.168.1.5 <br>
|
|
<br>
|
|
/etc/shorewall/rules:<br>
|
|
<br>
|
|
ACCEPT net
|
|
loc:192.168.1.5 tcp 22<br>
|
|
ACCEPT loc
|
|
fw tcp 22<br>
|
|
<br>
|
|
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
|
|
connection with local system 192.168.1.5. I then create a second SSH
|
|
connection
|
|
from that computer to the firewall and confidently type "shorewall
|
|
stop".
|
|
As part of its stop processing, Shorewall removes eth0:0 which kills my
|
|
SSH
|
|
connection to 192.168.1.5!!!</li>
|
|
<li>Given the wide range of VPN software, I can never hope to
|
|
add specific support for all of it. I have therefore decided to add
|
|
"generic" tunnel support.<br>
|
|
<br>
|
|
Generic tunnels work pretty much like any of the other tunnel types.
|
|
You usually add a zone to represent the systems at the other end of the
|
|
tunnel and you add the appropriate rules/policies to<br>
|
|
implement your security policy regarding traffic to/from those systems.<br>
|
|
<br>
|
|
In the /etc/shorewall/tunnels file, you can have entries of the form:<br>
|
|
<br>
|
|
generic:<protocol>[:<port>] <zone> <ip
|
|
address> <gateway zones><br>
|
|
<br>
|
|
where:<br>
|
|
<br>
|
|
<protocol> is the protocol
|
|
used by the tunnel<br>
|
|
<port> if the protocol
|
|
is 'udp' or 'tcp' then this is the destination port number used by the
|
|
tunnel.<br>
|
|
<zone> is the zone of
|
|
the remote tunnel gateway<br>
|
|
<ip address> is the IP
|
|
address of the remote tunnel gateway.<br>
|
|
<gateway zone>
|
|
Optional. A comma-separated list of zone names. If specified, the
|
|
remote gateway is to be considered part of these zones.</li>
|
|
<li>An 'arp_filter' option has been added to the
|
|
/etc/shorewall/interfaces file. This option causes
|
|
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
|
|
result that this interface will only answer ARP 'who-has' requests from
|
|
hosts that are routed out through that interface. Setting this option
|
|
facilitates testing of your firewall where multiple firewall interfaces
|
|
are connected to the same HUB/Switch (all interfaces connected to the
|
|
single HUB/Switch should have this option specified). Note that using
|
|
such a configuration in a production environment is strongly
|
|
recommended against.</li>
|
|
<li>The ADDRESS column in /etc/shorewall/masq may now include a
|
|
comma-separated list of addresses and/or address ranges. Netfilter will
|
|
use all listed addresses/ranges in round-robin fashion. \</li>
|
|
<li>An /etc/shorewall/accounting file has been added to allow
|
|
for traffic accounting. See the <a href="Accounting.html">accounting
|
|
documentation</a> for a description of this facility.</li>
|
|
<li>Bridge interfaces (br[0-9]) may now be used in
|
|
/etc/shorewall/maclist.</li>
|
|
<li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
|
|
/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
|
|
rules, rate limiting occurs in the nat table DNAT rule; the
|
|
corresponding ACCEPT rule in the filter table is not rate limited. If
|
|
you want to limit the filter table rule, you will need o create two
|
|
rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
|
|
separately.<br>
|
|
<br>
|
|
<span style="font-weight: bold;">Warning: </span>When rate
|
|
limiting is specified on a rule with "all" in the SOURCE or DEST
|
|
fields, the limit will apply to each pair of zones individually rather
|
|
than as a single limit for all pairs of covered by the rule.<br>
|
|
<br>
|
|
To specify a rate limit, <br>
|
|
<br>
|
|
a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
|
|
<br>
|
|
<
|
|
<rate>/<interval>[:<burst>] ><br>
|
|
<br>
|
|
|
|
where<br>
|
|
<br>
|
|
<rate> is the sustained rate per
|
|
<interval><br>
|
|
<interval> is "sec" or "min"<br>
|
|
<burst> is the largest burst
|
|
accepted within an <interval>. If not given, the default of 5 is
|
|
assumed.<br>
|
|
<br>
|
|
There may be no white space between the ACTION and "<" nor there may
|
|
be any white space within the burst specification. If you want to
|
|
specify logging of a rate-limited rule, the ":" and log level comes
|
|
after the ">" (e.g., ACCEPT<2/sec:4>:info ).<br>
|
|
<br>
|
|
b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
|
|
file. You may specify the rate limit there in the format:<br>
|
|
<br>
|
|
|
|
<rate>/<interval>[:<burst>]<br>
|
|
<br>
|
|
Let's take an example:<br>
|
|
<br>
|
|
|
|
ACCEPT<2/sec:4>
|
|
net dmz
|
|
tcp 80<br>
|
|
<br>
|
|
The first time this rule is reached, the packet will be accepted; in
|
|
fact, since the burst is 4, the first four packets will be accepted.
|
|
After this, it will be 500ms (1 second divided by the rate<br>
|
|
of 2) before a packet will be accepted from this rule, regardless of
|
|
how many packets reach it. Also, every 500ms which passes without
|
|
matching a packet, one of the bursts will be regained; if no packets
|
|
hit the rule for 2 second, the burst will be fully recharged; back
|
|
where we started.<br>
|
|
</li>
|
|
<li>Multiple chains may now be displayed in one "shorewall
|
|
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
|
<li>Output rules (those with $FW as the SOURCE) may now be
|
|
limited to a set of local users and/or groups. See <a
|
|
href="UserSets.html">http://shorewall.net/UserSets.html</a>
|
|
for details.<br>
|
|
<br>
|
|
</li>
|
|
</ol>
|
|
<p><b>8/27/2003 - Shorewall Mirror in Australia </b></p>
|
|
<p>Thanks to Dave Kempe and Solutions First (<a
|
|
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
|
|
there is now a Shorewall Mirror in Australia:</p>
|
|
<p style="margin-left: 40px;"><a
|
|
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><font
|
|
size="3"><br>
|
|
<a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font><br>
|
|
</p>
|
|
<p><b>8/26/2003 - French Version of the Shorewall Setup
|
|
Guide </b></p>
|
|
Thanks to Fabien <font size="3">Demassieux, there is now a <a
|
|
href="shorewall_setup_guide_fr.htm">French translation of the
|
|
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!<br>
|
|
</font>
|
|
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <br>
|
|
</b></p>
|
|
<b>Problems Corrected since version 1.4.6:</b><br>
|
|
<ol>
|
|
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf
|
|
then Shorewall would fail to start with the error "ERROR: Traffic
|
|
Control requires Mangle"; that problem has been corrected.</li>
|
|
<li>Corrected handling of MAC addresses in the SOURCE column of
|
|
the
|
|
tcrules file. Previously, these addresses resulted in an invalid
|
|
iptables
|
|
command.</li>
|
|
<li>The "shorewall stop" command is now disabled when
|
|
/etc/shorewall/startup_disabled
|
|
exists. This prevents people from shooting themselves in the foot prior
|
|
to
|
|
having configured Shorewall.</li>
|
|
<li>A change introduced in version 1.4.6 caused error messages
|
|
during
|
|
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
|
|
being
|
|
added to a PPP interface; the addresses were successfully added in
|
|
spite
|
|
of the messages.<br>
|
|
<br>
|
|
The firewall script has been modified to eliminate the error messages.<br>
|
|
</li>
|
|
</ol>
|
|
<p><b></b></p>
|
|
<ol>
|
|
</ol>
|
|
<p><a href="News.htm">More News</a></p>
|
|
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
|
border="0" src="images/leaflogo.gif" width="49" height="36"
|
|
alt="(Leaf Logo)"> </a>Jacques Nilo and Eric Wolzak have a LEAF
|
|
(router/firewall/gateway on a floppy, CD or compact flash) distribution
|
|
called <i>Bering</i> that features Shorewall-1.4.2 and Kernel-2.4.20.
|
|
You can find their work at: <a
|
|
href="http://leaf.sourceforge.net/devel/jnilo">
|
|
http://leaf.sourceforge.net/devel/jnilo<br>
|
|
</a></p>
|
|
<b>Congratulations to Jacques
|
|
and Eric on the recent release of Bering 1.2!!! </b><br>
|
|
<h2><a name="Donations"></a>Donations</h2>
|
|
</td>
|
|
<td width="88" bgcolor="#3366ff" valign="top" align="center">
|
|
<form method="post"
|
|
action="http://lists.shorewall.net/cgi-bin/htsearch"> <strong><br>
|
|
<font color="#ffffff"><b>Note: </b></font></strong><font
|
|
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
|
|
<strong></strong>
|
|
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
|
|
<font face="Arial" size="-1"> <input type="text" name="words"
|
|
size="15"></font><font size="-1"> </font> <font face="Arial"
|
|
size="-1"> <input type="hidden" name="format" value="long"> <input
|
|
type="hidden" name="method" value="and"> <input type="hidden"
|
|
name="config" value="htdig"> <input type="submit" value="Search"></font>
|
|
</p>
|
|
<font face="Arial"> <input type="hidden" name="exclude"
|
|
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
|
|
<p><font color="#ffffff"><b><a
|
|
href="http://lists.shorewall.net/htdig/search.html"><font
|
|
color="#ffffff">Extended Search</font></a></b></font></p>
|
|
<br>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</center>
|
|
</div>
|
|
<table border="0" cellpadding="5" cellspacing="0"
|
|
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
|
bgcolor="#3366ff">
|
|
<tbody>
|
|
<tr>
|
|
<td width="100%" style="margin-top: 1px;" valign="middle">
|
|
<p align="center"><a href="http://www.starlight.org"> <img
|
|
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
|
hspace="10" alt="(Starlight Logo)"> </a></p>
|
|
<p align="center"><font size="4" color="#ffffff"><br>
|
|
<font size="+2"> Shorewall is free but if you try it and find it
|
|
useful, please consider making a donation to <a
|
|
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
|
Children's Foundation.</font></a> Thanks!</font></font></p>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
|
|
<br>
|
|
</p>
|
|
<br>
|
|
</body>
|
|
</html>
|