mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-26 08:08:59 +01:00
52629f9049
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@504 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
590 lines
35 KiB
HTML
590 lines
35 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
<html>
|
||
<head>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<meta http-equiv="Content-Type"
|
||
content="text/html; charset=windows-1252">
|
||
<title>Shoreline Firewall (Shorewall) 1.4</title>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<base target="_self">
|
||
</head>
|
||
<body>
|
||
|
||
|
||
|
||
|
||
<table border="0" cellpadding="0" cellspacing="4"
|
||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||
bgcolor="#4b017c">
|
||
|
||
<tbody>
|
||
|
||
<tr>
|
||
|
||
<td width="100%"
|
||
height="90">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<h1 align="center"> <font size="4"><i> <a
|
||
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
|
||
alt="Shorwall Logo" height="70" width="85" align="left"
|
||
src="images/washington.jpg" border="0">
|
||
|
||
</a></i></font><a
|
||
href="http://www.shorewall.net" target="_top"><img border="1"
|
||
src="images/shorewall.jpg" width="119" height="38" hspace="4"
|
||
alt="(Shorewall Logo)" align="right" vspace="4">
|
||
</a></h1>
|
||
<small><small><small><small><a
|
||
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small><big></big>
|
||
|
||
<div align="center">
|
||
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
|
||
color="#ffffff"> <small><small><small>"iptables made easy"<22></small></small></small></font></i></h1>
|
||
</div>
|
||
|
||
|
||
<p><a href="http://www.shorewall.net" target="_top">
|
||
</a> </p>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<div align="center"><a href="http://1.3/index.htm" target="_top"><font
|
||
color="#ffffff">Shorewall 1.3 Site is here</font></a> <20> <20> <20> <20> <20> <20> <20> <20> <20>
|
||
<EFBFBD> <20> <20> <20> <20> <20> <br>
|
||
|
||
</div>
|
||
</td>
|
||
|
||
</tr>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
</tbody>
|
||
|
||
</table>
|
||
|
||
|
||
|
||
|
||
<div align="center">
|
||
|
||
<center>
|
||
|
||
<table border="0" cellpadding="0" cellspacing="0"
|
||
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||
|
||
<tbody>
|
||
|
||
<tr>
|
||
|
||
<td width="90%">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<h2 align="left">What is it?</h2>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
||
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
|
||
firewall that can be used on a dedicated firewall system, a multi-function
|
||
gateway/router/server or on a standalone GNU/Linux system.</p>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<p>This program is free software; you can redistribute it and/or modify
|
||
it under the
|
||
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
||
2 of the GNU General Public License</a> as published by the Free
|
||
Software Foundation.<br>
|
||
|
||
<br>
|
||
|
||
This program is distributed
|
||
in the hope that it will be useful, but
|
||
WITHOUT ANY WARRANTY; without even the implied
|
||
warranty of MERCHANTABILITY or FITNESS FOR
|
||
A PARTICULAR PURPOSE. See the GNU General Public License
|
||
for more details.<br>
|
||
|
||
<br>
|
||
|
||
You should have received
|
||
a copy of the GNU General Public License
|
||
along with this program; if not, write
|
||
to the Free Software Foundation, Inc., 675
|
||
Mass Ave, Cambridge, MA 02139, USA</p>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
||
border="0" src="images/leaflogo.gif" width="49" height="36">
|
||
|
||
</a>Jacques Nilo
|
||
and Eric Wolzak have a LEAF (router/firewall/gateway
|
||
on a floppy, CD or compact flash) distribution
|
||
called <i>Bering</i> that features
|
||
Shorewall-1.3.14 and Kernel-2.4.20. You can find
|
||
their work at: <a
|
||
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
|
||
</a></p>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<p><b>Congratulations to Jacques and Eric on the recent release of
|
||
Bering 1.1!!! </b><br>
|
||
</p>
|
||
|
||
<h2>This is a mirror of the main Shorewall web site at SourceForge
|
||
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
|
||
|
||
<h2>News</h2>
|
||
|
||
<p><b>3/17/2003 - Shorewall 1.4.0 </b><b> </b><b><img
|
||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||
</b><b> </b></p>
|
||
Shorewall 1.4 represents
|
||
the next step in the evolution of Shorewall. The main thrust of the
|
||
initial release is simply to remove the cruft that has accumulated in
|
||
Shorewall over time. <br>
|
||
<br>
|
||
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
|
||
('ip' utility).</b><br>
|
||
<br>
|
||
Function from 1.3 that has been omitted from this version
|
||
include:<br>
|
||
|
||
|
||
<ol>
|
||
<li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
|
||
Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
|
||
<br>
|
||
</li>
|
||
<li>Interface names of the form <device>:<integer>
|
||
in /etc/shorewall/interfaces now generate an error.<br>
|
||
<br>
|
||
</li>
|
||
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
|
||
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
|
||
of the 'noping' or 'filterping' interface options.<br>
|
||
<br>
|
||
</li>
|
||
<li>The 'routestopped' option in the /etc/shorewall/interfaces
|
||
and /etc/shorewall/hosts files is no longer supported and will generate
|
||
an error at startup if specified.<br>
|
||
<br>
|
||
</li>
|
||
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
|
||
longer accepted.<br>
|
||
<br>
|
||
</li>
|
||
<li>The ALLOWRELATED variable in shorewall.conf is no longer
|
||
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
|
||
<br>
|
||
</li>
|
||
<li>The icmp.def file has been removed.<br>
|
||
</li>
|
||
|
||
</ol>
|
||
Changes for 1.4 include:<br>
|
||
|
||
|
||
<ol>
|
||
<li>The /etc/shorewall/shorewall.conf file has been completely
|
||
reorganized into logical sections.<br>
|
||
<br>
|
||
</li>
|
||
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
|
||
<br>
|
||
</li>
|
||
<li>The firewall script, common functions file and version file
|
||
are now installed in /usr/share/shorewall.<br>
|
||
<br>
|
||
</li>
|
||
<li>Late arriving DNS replies are now silently dropped in the
|
||
common chain by default.<br>
|
||
<br>
|
||
</li>
|
||
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
|
||
1.4 no longer unconditionally accepts outbound ICMP packets. So if
|
||
you want to 'ping' from the firewall, you will need the appropriate rule
|
||
or policy.<br>
|
||
<br>
|
||
</li>
|
||
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
|
||
<br>
|
||
</li>
|
||
<li>802.11b devices with names of the form wlan<i><n></i>
|
||
now support the 'maclist' option.<br>
|
||
<br>
|
||
</li>
|
||
<li value="8">Explicit Congestion Notification (ECN - RFC 3168)
|
||
may now be turned off on a host or network basis using the new /etc/shorewall/ecn
|
||
file. To use this facility:<br>
|
||
<br>
|
||
a) You must be running kernel 2.4.20<br>
|
||
b) You must have applied the patch in<br>
|
||
http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
|
||
c) You must have iptables 1.2.7a installed.<br>
|
||
<br>
|
||
</li>
|
||
<li>The /etc/shorewall/params file is now processed first so that
|
||
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
|
||
<br>
|
||
</li>
|
||
<li value="10">Shorewall now gives a more helpful diagnostic when
|
||
the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
|
||
command is issued.<br>
|
||
<br>
|
||
</li>
|
||
<li>The SHARED_DIR variable has been removed from shorewall.conf.
|
||
This variable was for use by package maintainers and was not documented
|
||
for general use.<br>
|
||
<br>
|
||
</li>
|
||
<li>Shorewall now ignores 'default' routes when detecting masq'd
|
||
networks.<br>
|
||
</li>
|
||
|
||
</ol>
|
||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||
target="_top"></a>
|
||
<p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b> </b><b><img
|
||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||
</b></p>
|
||
|
||
<p>A roleup of the following bug fixes and other updates:</p>
|
||
|
||
<ul>
|
||
<li>There is an updated rfc1918 file that reflects the resent
|
||
allocation of 222.0.0.0/8 and 223.0.0.0/8.</li>
|
||
<li>The documentation for the routestopped file claimed that a
|
||
comma-separated list could appear in the second column while the code
|
||
only supported a single host or network address.</li>
|
||
<li>Log messages produced by 'logunclean' and 'dropunclean' were
|
||
not rate-limited. 802.11b devices with names of the form <i>wlan</i><n>
|
||
don't support the 'maclist' interface option.</li>
|
||
<li>Log messages generated by RFC 1918 filtering are not rate
|
||
limited.</li>
|
||
<li>The firewall fails to start in the case
|
||
where you have "eth0 eth1" in /etc/shorewall/masq and the default route
|
||
is through eth1.</li>
|
||
|
||
</ul>
|
||
|
||
|
||
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
|
||
|
||
|
||
<p>New features include</p>
|
||
|
||
|
||
<ol>
|
||
<li>An OLD_PING_HANDLING option has been added
|
||
to shorewall.conf. When set to Yes, Shorewall ping handling is
|
||
as it has always been (see http://www.shorewall.net/ping.html).<br>
|
||
<br>
|
||
When OLD_PING_HANDLING=No, icmp echo (ping) is handled
|
||
via rules and policies just like any other connection request.
|
||
The FORWARDPING=Yes option in shorewall.conf and the 'noping' and
|
||
'filterping' options in /etc/shorewall/interfaces will all generate
|
||
an error.<br>
|
||
<br>
|
||
</li>
|
||
<li>It is now possible to direct Shorewall to create
|
||
a "label" such as "eth0:0" for IP addresses that it creates under
|
||
ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
|
||
the label instead of just the interface name:<br>
|
||
<br>
|
||
a) In the INTERFACE column of /etc/shorewall/masq<br>
|
||
b) In the INTERFACE column of /etc/shorewall/nat<br>
|
||
</li>
|
||
<li>Support for OpenVPN Tunnels.<br>
|
||
<br>
|
||
</li>
|
||
<li>Support for VLAN devices with names of the
|
||
form $DEV.$VID (e.g., eth0.0)<br>
|
||
<br>
|
||
</li>
|
||
<li>In /etc/shorewall/tcrules, the MARK value may
|
||
be optionally followed by ":" and either 'F' or 'P' to designate that
|
||
the marking will occur in the FORWARD or PREROUTING chains respectively.
|
||
If this additional specification is omitted, the chain used to mark packets
|
||
will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
|
||
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||
<br>
|
||
</li>
|
||
<li>When an interface name is entered in the SUBNET
|
||
column of the /etc/shorewall/masq file, Shorewall previously masqueraded
|
||
traffic from only the first subnet defined on that interface. It
|
||
did not masquerade traffic from:<br>
|
||
<br>
|
||
a) The subnets associated with other addresses
|
||
on the interface.<br>
|
||
b) Subnets accessed through local routers.<br>
|
||
<br>
|
||
Beginning with Shorewall 1.3.14, if you enter an interface
|
||
name in the SUBNET column, shorewall will use the firewall's routing
|
||
table to construct the masquerading/SNAT rules.<br>
|
||
<br>
|
||
Example 1 -- This is how it works in 1.3.14.<br>
|
||
<br>
|
||
|
||
|
||
|
||
|
||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||
|
||
|
||
|
||
|
||
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br></pre>
|
||
|
||
|
||
|
||
|
||
<pre> [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
|
||
<br>
|
||
When upgrading to Shorewall 1.3.14, if you have multiple
|
||
local subnets connected to an interface that is specified in the
|
||
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
|
||
file will need changing. In most cases, you will simply be able to remove
|
||
redundant entries. In some cases though, you might want to change from
|
||
using the interface name to listing specific subnetworks if the change
|
||
described above will cause masquerading to occur on subnetworks that you
|
||
don't wish to masquerade.<br>
|
||
<br>
|
||
Example 2 -- Suppose that your current config is as
|
||
follows:<br>
|
||
<br>
|
||
|
||
|
||
|
||
|
||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||
|
||
|
||
|
||
|
||
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||
<br>
|
||
In this case, the second entry in /etc/shorewall/masq
|
||
is no longer required.<br>
|
||
<br>
|
||
Example 3 -- What if your current configuration is
|
||
like this?<br>
|
||
<br>
|
||
|
||
|
||
|
||
|
||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||
|
||
|
||
|
||
|
||
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||
<br>
|
||
In this case, you would want to change the entry
|
||
in /etc/shorewall/masq to:<br>
|
||
|
||
|
||
|
||
|
||
<pre> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||
</li>
|
||
|
||
|
||
</ol>
|
||
<br>
|
||
|
||
|
||
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
|
||
</b></p>
|
||
Webmin version 1.060 now has Shorewall support included
|
||
as standard. See <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>
|
||
</b>
|
||
|
||
<p><a href="News.htm">More News</a></p>
|
||
|
||
<h2><a name="Donations"></a>Donations</h2>
|
||
|
||
|
||
</td>
|
||
|
||
<td width="88"
|
||
bgcolor="#4b017c" valign="top" align="center"> <a
|
||
href="http://sourceforge.net">M</a></td>
|
||
|
||
</tr>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
</tbody>
|
||
|
||
</table>
|
||
|
||
</center>
|
||
|
||
</div>
|
||
|
||
|
||
|
||
|
||
<table border="0" cellpadding="5" cellspacing="0"
|
||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||
bgcolor="#4b017c">
|
||
|
||
<tbody>
|
||
|
||
<tr>
|
||
|
||
<td width="100%"
|
||
style="margin-top: 1px;">
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<p align="center"><a href="http://www.starlight.org"> <img
|
||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||
hspace="10">
|
||
|
||
</a></p>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
<p align="center"><font size="4" color="#ffffff">Shorewall is free
|
||
but if you try it and find it useful, please consider making a donation
|
||
to <a
|
||
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||
Children's Foundation.</font></a> Thanks!</font></p>
|
||
|
||
</td>
|
||
|
||
</tr>
|
||
|
||
|
||
|
||
|
||
|
||
|
||
</tbody>
|
||
|
||
</table>
|
||
|
||
|
||
|
||
|
||
<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||
|
||
<br>
|
||
</p>
|
||
</body>
|
||
</html>
|