shorewall_code/Shorewall-Website/shorewall_index.htm

914 lines
40 KiB
HTML
Raw Normal View History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8">
<title>Shoreline Firewall (Shorewall) 2.0</title>
<base target="_self">
<meta name="GENERATOR" content="OpenOffice.org 1.1.1 (Linux)">
<meta name="CREATED" content="20040920;15031500">
<meta name="CHANGED" content="20040920;15183300">
</head>
<body dir="ltr" lang="en-US">
<h1>Shorewall 2.x</h1>
<p><b>Tom Eastep</b><br>
<br>
The information on this site applies only
to 2.x releases of Shorewall. For older versions:</p>
<ul>
<li>
<p style="margin-bottom: 0in;">The 1.4 site is <a
href="http://www.shorewall.net/1.4" target="_top">here.</a></p>
</li>
<li>
<p style="margin-bottom: 0in;">The 1.3 site is <a
href="http://www.shorewall.net/1.3" target="_top">here.</a> </p>
</li>
<li>
<p>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>. </p>
</li>
</ul>
<p>The current 2.2 Stable Release is 2.2.0 -- Here are the <a
href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.0/releasenotes.txt">release
notes</a> and here are the <a
href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.0/known_problems.txt">known
problems</a> and <a
href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.0/errata/">updates</a>.<br>
</p>
<p><a
href="http://lists.shorewall.net/pipermail/shorewall-announce/2004-December/000451.html"><span
style="font-weight: bold;">End of
support life for Shorewall 1.4 -- Upgrading to Shorewall 2.2</span></a><br>
<br>
Copyright © 2001-2005 Thomas M. Eastep</p>
<p>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software
Foundation; with no Invariant Sections, with no Front-Cover, and with
no Back-Cover Texts. A copy of the license is included in the section
entitled “<a href="GnuCopyright.htm" target="_self">GNU
Free Documentation License</a>”.</p>
<p>2005-02-05</p>
<hr>
<h3>Table of Contents</h3>
<p style="margin-left: 0.42in; margin-bottom: 0in;"><a href="#Intro">Introduction
to Shorewall</a></p>
<p style="margin-left: 0.83in; margin-bottom: 0in;"><a href="#Glossary">Glossary</a><br>
<a href="#WhatIs">What
is Shorewall?</a><br>
<a href="#GettingStarted">Getting Started with
Shorewall</a><br>
<a href="#Info">Looking for Information?</a><br>
<a href="#Mandrake">Running
Shorewall on Mandrake® with a two-interface setup?</a><br>
<a href="#License">License</a></p>
<p style="margin-bottom: 0in; margin-left: 40px;"><a href="#2_0_10">News</a></p>
<p style="margin-left: 0.83in; margin-bottom: 0in;"><span
style="text-decoration: underline;"></span><a href="#2_0_16">Shorewall
2.0.16</a><br>
<a href="#2_2_0">Shorewall
2.2.0</a><br>
<br>
</p>
<div style="margin-left: 40px;"><a href="#Leaf">Leaf</a><br>
<br>
<a href="#OpenWRT">OpenWRT</a><br>
</div>
<p style="margin-left: 40px;"><a href="#Donations">Donations</a></p>
<h2><a name="Intro"></a>Introduction to Shorewall</h2>
<h3><a name="Glossary"></a>Glossary</h3>
<ul>
<li>
<p style="margin-bottom: 0in;"><a href="http://www.netfilter.org/"
target="_top">Netfilter</a> - the packet filter facility built into
the 2.4 and later Linux kernels. </p>
</li>
<li>
<p style="margin-bottom: 0in;">ipchains - the packet filter
facility built into the 2.2 Linux kernels. Also the name of the utility
program used to configure and control that facility. Netfilter can be
used in ipchains compatibility mode. </p>
</li>
<li>
<p>iptables - the utility program used to configure and control
Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in ipchains
compatibility mode). </p>
</li>
</ul>
<h3><a name="WhatIs"></a>What is Shorewall?</h3>
<p style="margin-left: 0.42in;">The Shoreline Firewall, more commonly
known as "Shorewall", is a high-level tool for configuring
Netfilter. You describe your firewall/gateway requirements using
entries in a set of configuration files. Shorewall reads those
configuration files and with the help of the iptables utility,
Shorewall configures Netfilter to match your requirements. Shorewall
can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system. Shorewall
does not use Netfilter's ipchains compatibility mode and can thus
take advantage of Netfilter's <a
href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html"
target="_top">connection
state tracking capabilities</a>.<br>
<br>
Shorewall is <u>not</u> a
daemon. Once Shorewall has configured Netfilter, it's job is
complete. After that, there is no Shorewall code running although the
<a href="starting_and_stopping_shorewall.htm">/sbin/shorewall program
can be used at any time to monitor the Netfilter firewall</a>.</p>
<h3><a name="GettingStarted"></a>Getting Started with Shorewall</h3>
<p style="margin-left: 0.42in;">New to Shorewall? Start by selecting
the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
that most closely matches your environment and follow the step by
step instructions.</p>
<h3><a name="Info"></a>Looking for Information?</h3>
<p style="margin-left: 0.42in;">The <a href="Documentation_Index.html">Documentation
Index</a> is a good place to start as is the Quick Search in the
frame above. </p>
<h3><a name="Mandrake"></a>Running Shorewall on Mandrake® with a
two-interface setup?</h3>
<p style="margin-left: 0.42in;">If so, the documentation on this site
will not apply directly to your setup. If you want to use the
documentation that you find here, you will want to consider
uninstalling what you have and installing a setup that matches the
documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br>
<br>
<b>Update: </b>I've been
informed by Mandrake Development that this problem has been corrected
in Mandrake 10.0 Final (the problem still exists in the 10.0
Community release).</p>
<h3><a name="License"></a>License</h3>
<p style="margin-left: 0.42in;">This program is free software; you can
redistribute it and/or modify it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.</p>
<p style="margin-left: 0.42in;">This program is distributed in the
hope that it will be useful, but WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more detail.</p>
<p style="margin-left: 0.42in;">You should have received a copy of the
GNU General Public License along with this program; if not, write to
the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA
02139, USA</p>
<p style="margin-left: 0.42in;">Permission is granted to copy,
distribute and/or modify this document under the terms of the GNU
Free Documentation License, Version 1.2 or any later version
published by the Free Software Foundation; with no Invariant
Sections, with no Front-Cover, and with no Back-Cover Texts. A copy
of the license is included in the section entitled "GNU Free
Documentation License". </p>
<hr>
<h2><a name="News"></a>News</h2>
<span style="font-weight: bold;"><a name="2_0_16"></a>02/01/2005
Shorewall 2.0.16<br>
</span><br>
This release back-ports the DROPINVALID shorewall.conf option from
2.2.0.<br>
<ol>
<li>Recent 2.6 kernels include code that evaluates TCP packets based
on TCP Window analysis. This can cause packets that were previously
classified as NEW or ESTABLISHED to be classified as INVALID.<br>
<br>
The new kernel code can be disabled by including this command in your
/etc/shorewall/init file:<br>
<br>
echo 1 &gt; /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal<br>
<br>
Additional kernel logging about INVALID TCP packets may be obtained by
adding this command to /etc/shorewall/init:<br>
<br>
echo 1 &gt; /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid<br>
<br>
Traditionally, Shorewall has dropped INVALID TCP packets early. The new
DROPINVALID option allows INVALID packets to be passed through the
normal rules chains by setting DROPINVALID=No.<br>
<br>
If not specified or if specified as empty (e.g., DROPINVALID="") then
DROPINVALID=Yes is assumed.<br>
</li>
</ol>
<span style="font-weight: bold;"><a name="2_2_0"></a>02/01/2005
Shorewall 2.2.0<br>
<br>
</span>New Features:<br>
<ol>
<li>ICMP packets that are in the INVALID state are now dropped by the
Reject and Drop default actions. They do so using the new 'dropInvalid'
builtin action. An 'allowInvalid' builtin action is also provided which
accepts packets in that state.</li>
<li>The /etc/shorewall/masq file INTERFACE column now allows
additional options.<br>
<br>
Normally MASQUERADE/SNAT rules are evaluated after one-to-one NAT rules
defined in the /etc/shorewall/nat file. If you preceed the interface
name with a plus sign ("+") then the rule will be evaluated before
one-to-one NAT.<br>
<br>
Examples:<br>
<br>
+eth0<br>
+eth1:192.0.2.32/27<br>
<br>
Also, the effect of ADD_SNAT_ALIASES=Yes can be negated for an entry by
following the interface name by ":" but no digit. <br>
<br>
Examples:<br>
<br>
eth0:<br>
eth1::192.0.2.32/27<br>
+eth3:<br>
<br>
</li>
<li>Similar to 2), the /etc/shorewall/nat file INTERFACE column now
allows you to override the setting of ADD_IP_ALIASES=Yes by following
the interface name with ":" but no digit.</li>
<li>All configuration files in the Shorewall distribution with the
exception of shorewall.conf are now empty. In particular, the
/etc/shorewall/zones, /etc/shorewall/policy and /etc/shorewall/tos
files now have no active entries. Hopefully this will stop the
questions on the support and development lists regarding why the
default entries are the way they are.</li>
<li>Previously, including a log level (and optionally a log tag) on a
rule that specified a user-defined (or Shorewall-defined) action would
log all traffic passed to the action. Beginning with this release,
specifying a log level in a rule that specifies a user- or
Shorewall-defined action will cause each rule in the action to be
logged with the specified level (and tag).<br>
<br>
The extent to which logging of action rules occurs is goverend by the
following:</li>
<ul>
<li>When you invoke an action and specify a log level, only those
rules in the action that have no log level will be changed to log at
the level specified at the action invocation.<br>
<br>
Example:<br>
<br>
/etc/shorewall/action.foo:<br>
<br>
ACCEPT&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp; 22<br>
bar:info<br>
<br>
/etc/shorewall/rules:<br>
<br>
foo:debug&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; net<br>
<br>
Logging in the invoked 'foo' action will be:<br>
<br>
ACCEPT:debug&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp; 22<br>
bar:info<br>
<br>
</li>
<li>If you follow the log level with "!" then logging will be at
that level for all rules recursively invoked by the action<br>
<br>
Example: /etc/shorewall/action.foo:<br>
<br>
ACCEPT&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp; 22<br>
bar:info<br>
<br>
/etc/shorewall/rules:<br>
<br>
foo:debug!&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; net<br>
<br>
Logging in the invoke 'foo' action will be:<br>
<br>
ACCEPT:debug&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp; 22<br>
bar:debug!<br>
<br>
</li>
</ul>
</ol>
<div style="margin-left: 40px;">This change has an effect on extension
scripts used with user-defined actions. If you define an action 'acton'
and you have an /etc/shorewall/acton script then when that script is
invoked, the following three variables will be set for use by the
script:<br>
<br>
<div style="margin-left: 40px;">$CHAIN = the name of the chain where
your rules are to be placed. When logging is used on an action
invocation, Shorewall creates a chain with a slightly different name
from the action itself.<br>
$LEVEL = Log level. If empty, no logging was specified.<br>
$TAG&nbsp;&nbsp; = Log Tag.<br>
<br>
</div>
Example:<br>
<br>
/etc/shorewall/rules:<br>
&nbsp;&nbsp;&nbsp; <br>
acton:info:test<br>
<br>
Your /etc/shorewall/acton file will be run with:<br>
<br>
<div style="margin-left: 40px;">$CHAIN="%acton1<br>
$LEVEL="info"<br>
$TAG="test"<br>
</div>
</div>
<br>
<ol start="6">
<li>The /etc/shorewall/startup_disabled file is no longer created
when
Shorewall is first installed. Rather, the variable STARTUP_ENABLED is
set to 'No' in /etc/shorewall/shorewall.conf. In order to get Shorewall
to start, that variable's value must be set to 'Yes'. This change
accomplishes two things:</li>
<ul>
<li>It prevents Shorewall from being started prematurely by the
user's initialization scripts.</li>
<li>It causes /etc/shorewall/shorewall.conf to be modified so that
it won't be replaced by upgrades using RPM.<br>
<br>
</li>
</ul>
<li>Support has been added for the 2.6 Kernel IPSEC implementation.
To use this support, you must have installed the IPSEC policy match
patch and the four IPSEC/Netfilter patches from Patch-0-Matic-ng. The
policy match patch affects both your kernel and iptables. There are two
ways to specify that IPSEC is to be used when communicating with a set
of hosts; both methods involve the new /etc/shorewall/ipsec file:</li>
<ol style="list-style-type: lower-alpha;">
<li>If encrypted communication is used with all hosts in a zone,
then you can designate the zone as an "ipsec" zone by placing 'Yes" in
the IPSEC ONLY column in /etc/shorewall/ipsec:<br>
<br>
<span style="font-family: monospace;">#ZONE&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; IPSEC&nbsp;&nbsp;&nbsp; OPTIONS ...</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">#&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp; ONLY</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">vpn&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Yes</span><span
style="font-family: sans-serif;"></span><br>
<br>
The hosts in the zone (if any) must be specified in
/etc/shorewall/hosts but you do not need to specify the 'ipsec' option
on the entries in that file (see below). Dynamic zones involving IPSEC
must use that technique.<br>
<br>
Example:Under 2.4 Kernel FreeS/Wan:<br>
<br>
/etc/shorewall/zones:<br>
<br>
<span style="font-family: monospace;">net&nbsp;&nbsp;&nbsp;
Net&nbsp;&nbsp;&nbsp; The big bad Internet</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">vpn&nbsp;&nbsp;&nbsp;
VPN&nbsp;&nbsp;&nbsp; Remote Network</span><br>
<br>
/etc/shorewall/interfaces:<br>
<br>
<span style="font-family: monospace;">net&nbsp;&nbsp;&nbsp;
eth0&nbsp;&nbsp;&nbsp; ...</span><br style="font-family: monospace;">
<span style="font-family: monospace;">vpn&nbsp;&nbsp;&nbsp;
ipsec0&nbsp;&nbsp;&nbsp; ...</span><br>
<br>
Under 2.6 Kernel with this new support:<br>
<br>
/etc/shorewall/zones:<br>
<br>
<span style="font-family: monospace;">net&nbsp;&nbsp;&nbsp;
Net&nbsp;&nbsp;&nbsp; The big bad Internet</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">vpn&nbsp;&nbsp;&nbsp;
VPN&nbsp;&nbsp;&nbsp; Remote Network</span><br>
<br>
/etc/shorewall/interfaces:<br>
<br>
<span style="font-family: monospace;">net&nbsp;&nbsp;&nbsp;
eth0&nbsp;&nbsp;&nbsp; ...</span><br>
<br>
/etc/shorewall/hosts:<br>
<br>
<span style="font-family: monospace;">vpn&nbsp;&nbsp;&nbsp;
eth0:0.0.0.0/0</span><br>
<br>
/etc/shorewall/ipsec<br>
<br>
<span style="font-family: monospace;">vpn&nbsp;&nbsp;&nbsp; Yes<br>
<br>
</span> </li>
<li>If only part of the hosts in a zone require encrypted
communication, you may use of the new 'ipsec' option in
/etc/shorewall/hosts to designate those hosts.<br>
<br>
Example:<br>
<br>
Under 2.4 Kernel FreeS/Wan:<br>
<br>
/etc/shorewall/zones:<br>
<pre>net&nbsp;&nbsp;&nbsp; Net&nbsp;&nbsp;&nbsp; The big bad Internet<br>loc&nbsp;&nbsp;&nbsp; Local&nbsp; Extended local zone</pre>
/etc/shorewall/interfaces:<br>
<br>
<span style="font-family: monospace;">net&nbsp;&nbsp;&nbsp;
eth0&nbsp;&nbsp;&nbsp; ...</span><br style="font-family: monospace;">
<span style="font-family: monospace;">loc&nbsp;&nbsp;&nbsp;
eth1&nbsp;&nbsp;&nbsp; ...</span><br style="font-family: monospace;">
<span style="font-family: monospace;">loc&nbsp;&nbsp;&nbsp;
ipsec0&nbsp;&nbsp;&nbsp; ...</span><br>
<br>
Under 2.6 Kernel with this new support:<br>
<br>
/etc/shorewall/zones:<br>
<br>
<span style="font-family: monospace;">net&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; Net&nbsp;&nbsp;&nbsp; The big bad Internet</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">vpn&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp; VPN&nbsp;&nbsp;&nbsp; Remote Network</span><br>
<br>
/etc/shorewall/interfaces:<br>
<br>
<span style="font-family: monospace;">net&nbsp;&nbsp;&nbsp;
eth0&nbsp;&nbsp;&nbsp; ...</span><br style="font-family: monospace;">
<span style="font-family: monospace;">loc&nbsp;&nbsp;&nbsp;
eth1&nbsp;&nbsp;&nbsp; ...</span><br>
<br>
/etc/shorewall/hosts:<br>
<br>
<span style="font-family: monospace;">vpn&nbsp;&nbsp;&nbsp;
eth0:0.0.0.0/0&nbsp;&nbsp;&nbsp; ipsec,...</span></li>
</ol>
</ol>
<div style="margin-left: 40px;">Regardless of which technique you
choose, you can specify additional SA options for the zone in the
/etc/shorewall/ipsec entry.<br>
<br>
The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the
input-output, input and output characteristics of the security
associations to be used to decrypt (input) or encrypt (output) traffic
to/from the zone.<br>
<br>
The available options are:<br>
</div>
<ul>
<ul>
<li>reqid[!]=&lt;number&gt; where &lt;number&gt; is specified using
setkey(8) using the 'unique:&lt;number&gt;' option for the SPD level.</li>
<li>spi[!]=&lt;number&gt; where &lt;number&gt; is the SPI of the
SA. Since different SAs are used to encrypt and decrypt traffic, this
option should only be listed in the IN OPTIONS and OUT OPTIONS columns.</li>
<li>proto[!]=ah|esp|ipcomp</li>
<li>mss=&lt;number&gt; (sets the MSS value in TCP SYN packets and
is not related to policy matching)</li>
<li>mode[!]=transport|tunnel</li>
<li>tunnel-src[!]=&lt;address&gt;[/&lt;mask&gt;] (only available
with mode=tunnel)</li>
<li>tunnel-dst[!]=&lt;address&gt;[/&lt;mask&gt;] (only available
with mode=tunnel). Because tunnel source and destination are dependent
on the direction of the traffic, these options should only appear in
the IN OPTIONS and OUT OPTIONS columns.</li>
<li>strict&nbsp; (if specified, packets must match all policies;
policies are delimited by 'next').</li>
<li>next&nbsp;&nbsp;&nbsp; (only available with strict)</li>
</ul>
</ul>
<div style="margin-left: 40px;">Examples:<br>
<br>
<span style="font-family: monospace;">#ZONE&nbsp;&nbsp;&nbsp;
IPSEC&nbsp; OPTIONS&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
IN&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; OUT</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ONLY&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;&nbsp;&nbsp;
OPTIONS&nbsp;&nbsp;&nbsp;&nbsp; OPTIONS</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">vpn&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Yes&nbsp;&nbsp;&nbsp; mode=tunnel,proto=esp&nbsp;&nbsp;&nbsp;
spi=1000&nbsp;&nbsp;&nbsp; spi=1001</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">loc&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
No&nbsp;&nbsp;&nbsp;&nbsp; reqid=44,mode=transport</span><br>
<br>
The /etc/shorewall/masq file has a new IPSEC column added. If you
specify Yes or yes in that column then the unencrypted packets will
have their source address changed. Otherwise, the unencrypted packets
will not have their source addresses changed. This column may also
contain a comma-separated list of the options specified above in which
case only those packets that will be encrypted by an SA matching the
given options will have their source address changed.<br>
</div>
<ol start="8">
<li>To improve interoperability, tunnels of type 'ipsec' no longer
enforce the use of source port 500 for ISAKMP and OpenVPN tunnels no
longer enforce use of the specified port as both the source and
destination ports.</li>
<li>A new 'allowBcast' builtin action has been added -- it silently
allows broadcasts and multicasts.</li>
<li>The -c option in /sbin/shorewall commands is now deprecated. The
commands where -c was previously allowed now permit you to specify a
configuration directory after the command:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; shorewall check&nbsp;&nbsp; [
&lt;configuration-directory&gt; ]<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; shorewall restart [
&lt;configuration-directory&gt; ]<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; shorewall start&nbsp;&nbsp; [
&lt;configuration-directory&gt; ]<br>
<br>
</li>
<li>Normally, when SNAT or MASQUERADE is applied to a tcp or udp
connection, Netfilter attempts to retain the source port number. If it
has to change to port number to avoid&nbsp; &lt;source
address&gt;,&lt;source port&gt; conflicts, it tries to do so within
port ranges ( &lt; 512, 512-1023, and &gt; 1023). You may now specify
an explicit range of source ports to be used by following the address
or address range (if any) in the ADDRESS column with ":" and a port
range in the format &lt;low-port&gt;-&lt;high-port&gt;. You must
specify either "tcp" or "udp" in the PROTO column.<br>
<br>
Examples 1 -- MASQUERADE with tcp source ports 4000-5000:<br>
<br>
<span style="font-family: monospace;">&nbsp;&nbsp;&nbsp; #INTERFACE
SUBNET&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;
ADDRESS&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; PROTO</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp;&nbsp;
eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.0/24&nbsp;
:4000-5000&nbsp;&nbsp;&nbsp;&nbsp; tcp</span><br
style="font-family: monospace;">
<br>
Example 2 -- SNAT with udp source ports 7000-8000:<br>
<br>
&nbsp;&nbsp;&nbsp; <span style="font-family: monospace;">#INTERFACE
SUBNET&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;
ADDRESS&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
PROTO</span><br style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp;
eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
10.0.0.0/8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
192.0.2.44:7000-8000&nbsp;&nbsp;&nbsp; udp<br>
<br>
</span></li>
<li>You may now account by user/group ID for outbound traffic from
the firewall itself with entries in /etc/shorewall/accounting. Such
accounting rules must be placed in the OUTPUT chain. See the comments
at the top of /etc/shorewall/accounting for details.</li>
<li>Shorewall now verifies that your kernel and iptables have physdev
match support if BRIDGING=Yes in shorewall.conf.</li>
<li>Beginning with this release, if your kernel and iptables have
iprange match support (see the output from "shorewall check"), then
with the exception of the /etc/shorewall/netmap file, anywhere that a
network address may appear an IP address range of the form &lt;low
address&gt;-&lt;high address&gt; may also appear.</li>
<li>Support has been added for the iptables CLASSIFY target. That
target allows you to classify packets for traffic shaping directly
rather than indirectly through fwmark. Simply enter the
&lt;major&gt;:&lt;minor&gt; classification in the first column of
/etc/shorewall/tcrules:<br>
<br>
Example:<br>
<br>
<span style="font-family: monospace;">#MARK/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
SOURCE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
DEST&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PROTO&nbsp;&nbsp;&nbsp;&nbsp; PORT(S)</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">#CLASSIFY</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">1:30&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; &nbsp; tcp&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp; 25</span><br>
<br>
Note that when using this form of rule, it is acceptable to include the
name of an interface in the DEST column.<br>
<br>
Marking using the CLASSIFY target always occurs in the POSTROUTING
chain of the mangle table and is not affected by the setting of
MARK_IN_FORWARD_CHAIN in shorewall.conf.</li>
<li>During "shorewall start", IP addresses to be added as a
consequence of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly
deleted when /etc/shorewall/nat and /etc/shorewall/masq are processed
then they are re-added later. This is done to help ensure that the
addresses can be added with the specified labels but can have the
undesirable side effect of causing routes to be quietly deleted. A new
RETAIN_ALIASES option has been added to shorewall.conf; when this
option is set to Yes, existing addresses will not be deleted.
Regardless of the setting of RETAIN_ALIASES, addresses added during
"shorewall start" are still deleted at a subsequent "shorewall stop" or
"shorewall restart".</li>
<li>Users with a large black list (from /etc/shorewall/blacklist) may
want to set the new DELAYBLACKLISTLOAD option in shorewall.conf. When
DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections before
loading the blacklist rules. While this may allow connections from
blacklisted hosts to slip by during construction of the blacklist, it
can substantially reduce the time that all new connections are disabled
during "shorewall [re]start".</li>
<li>Using the default LOGFORMAT, chain names longer than 11
characters (such as in user-defined actions) may result in log prefix
truncation. A new shorewall.conf action&nbsp; LOGTAGONLY has been added
to deal with this problem. When LOGTAGONLY=Yes, logging rules that
specify a log tag will substitute the tag for the chain name in the log
prefix.<br>
<br>
Example -- file /etc/shorewall/action.thisisaverylogactionname:<br>
<br>
&nbsp;&nbsp;&nbsp; Rule:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span
style="font-family: monospace;">DROP:info:ftp&nbsp;&nbsp;&nbsp;
0.0.0.0/0&nbsp;&nbsp;&nbsp; 0.0.0.0/0&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; 21</span><br>
&nbsp;&nbsp;&nbsp; <br>
&nbsp;&nbsp;&nbsp; Log prefix with LOGTAGONLY=No:<br>
<br>
&nbsp;&nbsp; &nbsp; &nbsp; &nbsp; <span style="font-family: monospace;">Shorewall:thisisaverylongacti</span><br>
<br>
&nbsp;&nbsp;&nbsp; Log prefix with LOGTAGONLY=Yes:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span
style="font-family: monospace;">Shorewall:ftp:DROP</span><br>
<br>
</li>
<li>Shorewall now resets the 'accept_source_route' flag for all
interfaces. If you wish to accept source routing on an interface, you
must specify the new 'sourceroute' interface option in
/etc/shorewall/interfaces.</li>
<li>The default Drop and Reject actions now invoke the new standard
action 'AllowICMPs'. This new action accepts critical ICMP types:<br>
&nbsp;&nbsp;&nbsp; <br>
&nbsp;&nbsp;&nbsp; Type 3 code 4 (fragmentation needed)<br>
&nbsp;&nbsp;&nbsp; Type 11&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (TTL
exceeded)<br>
<br>
</li>
<li>Explicit control over the kernel's Martian logging is now
provided using the new 'logmartians' interface option. If you include
'logmartians' in the interface option list then logging of Martian
packets on will be enabled on the specified interface. If you wish to
globally enable martian logging, you can set LOG_MARTIANS=Yes in
shorewall.conf.</li>
<li>You may now cause Shorewall to use the '--set-mss' option of the
TCPMSS target. In other words, you can cause Shorewall to set the MSS
field of SYN packets passing through the firewall to the value you
specify. This feature extends the existing CLAMPMSS option in
/etc/shorewall/shorewall.conf by allowing that option to have a numeric
value as well as the values "Yes" and "No".<br>
<br>
Example:<br>
<br>
&nbsp;&nbsp;&nbsp; CLAMPMSS=1400<br>
<br>
</li>
<li>Shorewall now includes support for the ipp2p match facility. This
is a departure from my usual policy in that the ipp2p match facility is
included in Patch-O-Matic-NG and is unlikely to ever be included in the
kernel.org source tree. Questions about how to install the patch or how
to build your kernel and/or iptables should not be posted on the
Shorewall mailing lists.<br>
<br>
In the following files, the "PROTO" or "PROTOCOL" column may contain
"ipp2p":<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /etc/shorewall/rules<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /etc/shorewall/tcrules<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /etc/shorewall/accounting<br>
<br>
When the PROTO or PROTOCOL column contains "ipp2p" then the DEST
PORT(S) or PORT(S) column may contain a recognized ipp2p option; for a
list of the options and their meaning, at a root prompt:<br>
<br>
&nbsp;&nbsp;&nbsp; iptables -m ipp2p --help<br>
<br>
You must not include the leading "--" on the option; Shorewall will
supply those characters for you. If you do not include an option then
"ipp2p" is assumed (Shorewall will generate "-m ipp2p --ipp2p").</li>
<li>Shorewall now has support for the CONNMARK target from iptables.
See the /etc/shorewall/tcrules file for details.</li>
<li>A new debugging option LOGALLNEW has been added to
shorewall.conf. When set to a log level, this option causes Shorewall
to generaate a logging rule as the first rule in each builtin chain.<br>
<br>
&nbsp;&nbsp;&nbsp; - The table name is used as the chain name in the
log prefix.<br>
&nbsp;&nbsp;&nbsp; - The chain name is used as the target in the log
prefix.<br>
<br>
Example: Using the default LOGFORMAT, the log prefix for logging from
the nat table's PREROUTING chain is:<br>
<br>
&nbsp;&nbsp;&nbsp; &nbsp;<span style="font-family: monospace;">Shorewall:nat:PREROUTING</span><br>
<br>
IMPORTANT: There is no rate limiting on these logging rules so use
LOGALLNEW at your own risk; it may cause high CPU and disk utilization
and you may not be able to control your firewall after you enable this
option.<br>
<br>
DANGER: DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL BE
SENT TO ANOTHER SYSTEM.<br>
<br>
</li>
<li>The SUBNET column in /etc/shorewall/rfc1918 has been renamed
SUBNETS and it is now possible to specify a list of addresses in that
column.</li>
<li>The AllowNNTP action now also allows NNTP over SSL/TLS (NNTPS).</li>
<li>For consistency, the CLIENT PORT(S) column in the tcrules file
has been renamed SOURCE PORT(S).</li>
<li>The contents of /proc/sys/net/ip4/icmp_echo_ignore_all is now
shown in the output of "shorewall status".</li>
<li>A new IPTABLES option has been added to shorewall.conf. IPTABLES
can be used to designate the iptables executable to be used by
Shorewall. If not specified, the iptables executable determined by the
PATH setting is used.</li>
<li>You can now use the "shorewall show zones" command to display the
current contents of the zones. This is particularly useful if you use
dynamic zones (DYNAMIC_ZONES=Yes in shorewall.conf).<br>
<br>
&nbsp;&nbsp;&nbsp; Example:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-family: monospace;">ursa:/etc/shorewall
# shorewall show zones</span><br style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp;&nbsp;
Shorewall-2.2.0-Beta7 Zones at ursa - Sat Nov 27 11:18:25 PST 2004</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp;&nbsp; loc</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp; eth0:192.168.1.0/24</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp; eth1:1.2.3.4</span><br style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp; &nbsp;&nbsp; </span><br
style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp; eth0:0.0.0.0/0</span><br style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp;&nbsp; WiFi</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp; eth1:0.0.0.0/0</span><br style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp;&nbsp; sec</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp; eth1:0.0.0.0/0</span><br style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp;&nbsp;
ursa:/etc/shorewall #</span><br>
<br>
</li>
<li>Variable expansion may now be used with the INCLUDE directive.<br>
<br>
&nbsp;&nbsp;&nbsp; Example:<br>
<br>
&nbsp;&nbsp;&nbsp; /etc/shorewall/params<br>
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <span
style="font-family: monospace;">FILE=/etc/foo/bar</span><br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Any other config file:<br>
<br>
&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <span
style="font-family: monospace;">INCLUDE $FILE</span><br>
<br>
</li>
<li>The output of "shorewall status" now includes the results of "ip
-stat link ls". This helps diagnose performance problems caused by link
errors.</li>
<li>Previously, when rate-limiting was specified in
/etc/shorewall/policy (LIMIT:BURST column), any traffic which exceeded
the specified rate was silently dropped. Now, if a log level is given
in the entry (LEVEL column) then drops are logged at that level at a
rate of 5/min with a burst of 5.</li>
<li>Recent 2.6 kernels include code that evaluates TCP packets based
on TCP Window analysis. This can cause packets that were previously
classified as NEW or ESTABLISHED to be classified as INVALID.<br>
<br>
The new kernel code can be disabled by including this command in your
/etc/shorewall/init file:<br>
<br>
&nbsp;&nbsp;&nbsp; <span style="font-family: monospace;">echo 1 &gt;
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal</span><br>
<br>
Additional kernel logging about INVALID TCP packets may be obtained by
adding this command to /etc/shorewall/init:<br>
<br>
&nbsp;&nbsp;&nbsp; <span style="font-family: monospace;">echo 1 &gt;
/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid</span><br>
<br>
Traditionally, Shorewall has dropped INVALID TCP packets early. The new
DROPINVALID option allows INVALID packets to be passed through the
normal rules chains by setting DROPINVALID=No.<br>
<br>
If not specified or if specified as empty (e.g., DROPINVALID="") then
DROPINVALID=Yes is assumed.<br>
<br>
</li>
<li>The "shorewall add" and "shorewall delete" commands now accept a
list of hosts to add or delete.<br>
<br>
Examples:<br>
<br>
&nbsp;&nbsp;&nbsp;<span style="font-family: monospace;"> shorewall add
eth1:1.2.3.4 eth1:2.3.4.5 z12</span><br style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp; shorewall delete
eth1:1.2.3.4 eth1:2.3.4.5 z12</span><br>
<br>
&nbsp;&nbsp;&nbsp; The above commands may also be written:<br>
<br>
&nbsp;&nbsp;&nbsp; <span style="font-family: monospace;">shorewall add
eth1:1.2.3.4,2.3.4.5 z12</span><br style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp; shorewall delete
eth1:1.2.3.4,2.3.4.5 z12</span><br>
&nbsp;&nbsp; <br>
</li>
<li>TCP OpenVPN tunnels are now supported using the 'openvpn' tunnel
type. OpenVPN entries in /etc/shorewall/tunnels have this format:<br>
<br>
&nbsp;&nbsp;&nbsp; <span style="font-family: monospace;">openvpn[:{tcp|udp}][:&lt;port&gt;]&nbsp;&nbsp;&nbsp;
&lt;zone&gt;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &lt;gateway&gt;</span><br>
<br>
Examples:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-family: monospace;">openvpn:tcp&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
1.2.3.4&nbsp;&nbsp;&nbsp; # TCP tunnel on port 1194</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp;&nbsp;
openvpn:3344&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
1.2.3.4&nbsp;&nbsp;&nbsp; # UDP on port 3344</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">&nbsp;&nbsp;&nbsp;
openvpn:tcp:4455&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
1.2.3.4&nbsp;&nbsp;&nbsp; # TCP on port 4455</span><br>
<br>
</li>
<li>A new 'ipsecvpn' script is included in the tarball and in the
RPM. The RPM installs the file in the Documentation directory
(/usr/share/doc/packages/shorewall-2.2.0-0RC1).<br>
<br>
This script is intended for use on Roadwarrior laptops for establishing
an IPSEC SA to/from remote networks. The script has some limitations:</li>
</ol>
<ul>
<ul>
<li>Only one instance of the script may be used at a time.</li>
<li>Only the first SPD accessed will be instantiated at the remote
gateway. So while the script creates SPDs to/from the remote gateway
and each network listed in the NETWORKS setting at the front of the
script, only one of these may be used at a time.</li>
</ul>
</ul>
<ol start="39">
<li>The output of "shorewall status" now lists the loaded netfilter
kernel modules.</li>
<li>The range of UDP ports opened by the AllowTrcrt action has been
increased to 33434:33524.</li>
<li>The IANA has recently registered port 1194 for use by OpenVPN. In
previous versions of Shorewall (and OpenVPN), the default port was 5000
but has been changed to 1194 to conform to the new OpenVPN default.<br>
</li>
</ol>
<p><a href="News.htm">More News</a></p>
<hr>
<h2><a name="Leaf"></a>Leaf</h2>
<p><a href="http://leaf.sourceforge.net/" target="_top"><font
color="#000000"><img src="images/leaflogo.gif" name="Graphic1"
alt="(Leaf Logo)" align="bottom" border="1" height="39" width="52"></font></a>
LEAF is an open source project which provides a Firewall/router on a
floppy, CD or CF. Several LEAF distributions including Bering and
Bering-uClibc use Shorewall as their Netfilter configuration tool.</p>
<hr style="width: 100%; height: 2px;">
<h2><a name="OpenWRT"></a>OpenWRT</h2>
<a href="http://openwrt.org"><img alt="(OpenWRT Logo)"
src="images/openwrt.png"
style="border: 0px solid ; width: 88px; height: 31px;" hspace="4"></a>OpenWRT
is a project which provides open source firmware for Linksys WRT54G
wireless routers. Two different Shorewall packages are available for
OpenWRT.<br>
<hr>
<h2><a name="Donations"></a>Donations</h2>
<p align="left"><a href="http://www.alz.org/" target="_top"><font
color="#000000"><img src="images/alz_logo2.gif" name="Graphic2"
alt="(Alzheimer's Association Logo)" align="right" border="1"
height="63" width="303"></font></a><a href="http://www.starlight.org/"
target="_top"><font color="#000000"><img src="images/newlog.gif"
name="Graphic3" alt="(Starlight Foundation Logo)" align="right"
border="1" height="105" width="62"></font></a><font size="4">Shorewall
is free but if you try it and find it useful, please consider making
a donation to the <a href="http://www.alz.org/" target="_top">Alzheimer's
Association</a> or to the <a href="http://www.starlight.org/"
target="_top">Starlight
Children's Foundation</a>.</font></p>
<p align="left"><font size="4">Thank You<br>
</font></p>
<p align="left"><br>
<br>
</p>
</body>
</html>