2002-08-07 16:28:04 +02:00
|
|
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
|
|
|
<html>
|
|
|
|
|
<head>
|
2003-04-13 17:28:32 +02:00
|
|
|
|
|
2002-09-16 19:02:45 +02:00
|
|
|
|
<meta http-equiv="Content-Type"
|
|
|
|
|
content="text/html; charset=windows-1252">
|
2003-03-18 16:16:33 +01:00
|
|
|
|
<title>Shoreline Firewall (Shorewall) 1.4</title>
|
2003-04-13 17:28:32 +02:00
|
|
|
|
<base target="_self">
|
2002-08-07 16:28:04 +02:00
|
|
|
|
</head>
|
2002-09-16 19:02:45 +02:00
|
|
|
|
<body>
|
2003-04-13 17:28:32 +02:00
|
|
|
|
|
2002-09-16 19:02:45 +02:00
|
|
|
|
<table border="0" cellpadding="0" cellspacing="4"
|
|
|
|
|
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
|
|
|
|
bgcolor="#4b017c">
|
2003-04-13 17:28:32 +02:00
|
|
|
|
<tbody>
|
|
|
|
|
<tr>
|
|
|
|
|
<td
|
|
|
|
|
width="100%" height="90">
|
2002-09-16 19:02:45 +02:00
|
|
|
|
<h1 align="center"> <font size="4"><i> <a
|
2002-09-30 20:11:25 +02:00
|
|
|
|
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
|
|
|
|
|
alt="Shorwall Logo" height="70" width="85" align="left"
|
|
|
|
|
src="images/washington.jpg" border="0">
|
2003-04-13 17:28:32 +02:00
|
|
|
|
</a></i></font><a
|
2003-03-18 16:16:33 +01:00
|
|
|
|
href="http://www.shorewall.net" target="_top"><img border="1"
|
|
|
|
|
src="images/shorewall.jpg" width="119" height="38" hspace="4"
|
|
|
|
|
alt="(Shorewall Logo)" align="right" vspace="4">
|
2003-04-13 17:28:32 +02:00
|
|
|
|
</a></h1>
|
|
|
|
|
<small><small><small><small><a
|
|
|
|
|
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
|
2003-03-23 19:47:54 +01:00
|
|
|
|
|
2003-04-13 17:28:32 +02:00
|
|
|
|
<div align="center">
|
|
|
|
|
<h1><font color="#ffffff"><EFBFBD> <20> <20> <20> <20> <20> <20>Shorewall 1.4</font><i><font
|
|
|
|
|
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
|
|
|
|
|
href="1.3" target="_top"><font color="#ffffff"><br>
|
|
|
|
|
<small><small><small><small>Shorewall 1.3 Site is here</small></small></small></small></font></a><a
|
|
|
|
|
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><br>
|
|
|
|
|
<small><small><small><small>Shorewall 1.2 Site is here</small></small></small></small></font></a><br>
|
|
|
|
|
|
|
|
|
|
</h1>
|
|
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
<p><a href="http://www.shorewall.net" target="_top"> </a> </p>
|
|
|
|
|
</td>
|
|
|
|
|
</tr>
|
|
|
|
|
|
|
|
|
|
</tbody>
|
2002-09-16 19:02:45 +02:00
|
|
|
|
</table>
|
2003-04-13 17:28:32 +02:00
|
|
|
|
|
|
|
|
|
<div align="center">
|
|
|
|
|
<center>
|
2002-09-16 19:02:45 +02:00
|
|
|
|
<table border="0" cellpadding="0" cellspacing="0"
|
|
|
|
|
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
2003-04-13 17:28:32 +02:00
|
|
|
|
<tbody>
|
|
|
|
|
<tr>
|
|
|
|
|
<td
|
|
|
|
|
width="90%">
|
2003-03-18 16:16:33 +01:00
|
|
|
|
<h2 align="left">What is it?</h2>
|
2003-04-13 17:28:32 +02:00
|
|
|
|
|
|
|
|
|
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
|
|
|
|
|
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
|
|
|
|
|
that can be used on a dedicated firewall system, a multi-function
|
|
|
|
|
gateway/router/server or on a standalone GNU/Linux system.</p>
|
|
|
|
|
|
|
|
|
|
<p>This program is free software; you can redistribute it and/or modify
|
|
|
|
|
it under the
|
|
|
|
|
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
|
|
|
|
2 of the GNU General Public License</a> as published by the Free
|
|
|
|
|
Software Foundation.<br>
|
|
|
|
|
<br>
|
|
|
|
|
This program is
|
|
|
|
|
distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the
|
|
|
|
|
implied warranty of MERCHANTABILITY or FITNESS
|
|
|
|
|
FOR A PARTICULAR PURPOSE. See the GNU General
|
|
|
|
|
Public License for more details.<br>
|
|
|
|
|
<br>
|
|
|
|
|
You should have
|
|
|
|
|
received a copy of the GNU General Public
|
|
|
|
|
License along with this program; if
|
|
|
|
|
not, write to the Free Software Foundation,
|
|
|
|
|
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
|
|
|
|
|
2003-03-18 16:16:33 +01:00
|
|
|
|
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
|
2003-04-13 17:28:32 +02:00
|
|
|
|
|
2003-03-18 16:16:33 +01:00
|
|
|
|
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
|
|
|
|
border="0" src="images/leaflogo.gif" width="49" height="36">
|
2003-04-13 17:28:32 +02:00
|
|
|
|
</a>Jacques Nilo
|
|
|
|
|
and Eric Wolzak have a LEAF (router/firewall/gateway
|
|
|
|
|
on a floppy, CD or compact flash) distribution
|
|
|
|
|
called <i>Bering</i> that features
|
|
|
|
|
Shorewall-1.3.14 and Kernel-2.4.20. You can find
|
|
|
|
|
their work at: <a
|
2003-03-18 16:16:33 +01:00
|
|
|
|
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
|
2003-04-13 17:28:32 +02:00
|
|
|
|
</a></p>
|
|
|
|
|
|
|
|
|
|
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
|
|
|
|
|
1.1!!! </b><br>
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
|
|
|
|
|
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
|
|
|
|
|
|
2002-11-09 19:10:22 +01:00
|
|
|
|
<h2>News</h2>
|
2003-04-13 17:28:32 +02:00
|
|
|
|
|
|
|
|
|
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
|
2003-02-08 21:48:47 +01:00
|
|
|
|
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
2003-04-13 17:28:32 +02:00
|
|
|
|
</b><br>
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<p><b><EFBFBD><EFBFBD><EFBFBD> Problems Corrected:</b></p>
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
<ol>
|
|
|
|
|
<li>TCP connection requests rejected out of the <b>common</b> chain
|
|
|
|
|
are now properly rejected with TCP RST; previously, some of these requests
|
|
|
|
|
were rejected with an ICMP port-unreachable response.</li>
|
|
|
|
|
<li>'traceroute -I' from behind the firewall previously timed out
|
|
|
|
|
on the first hop (e.g., to the firewall). This has been worked around.</li>
|
|
|
|
|
</ol>
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
|
|
<p><b><EFBFBD><EFBFBD><EFBFBD> New Features:</b></p>
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
<ol>
|
|
|
|
|
<li>Where an entry in the/etc/shorewall/hosts file specifies a
|
|
|
|
|
particular host or network, Shorewall now creates an intermediate chain for
|
|
|
|
|
handling input from the related zone. This can substantially reduce the number
|
|
|
|
|
of rules traversed by connections requests from such zones.<br>
|
|
|
|
|
<br>
|
|
|
|
|
</li>
|
|
|
|
|
<li>Any file may include an INCLUDE directive. An INCLUDE directive
|
|
|
|
|
consists of the word INCLUDE followed by a file name and causes the contents
|
|
|
|
|
of the named file to be logically included into the file containing the INCLUDE.
|
|
|
|
|
File names given in an INCLUDE directive are assumed to reside in /etc/shorewall
|
|
|
|
|
or in an alternate configuration directory if one has been specified for the
|
|
|
|
|
command. <br>
|
|
|
|
|
<20><br>
|
|
|
|
|
<20><> Examples:<br>
|
|
|
|
|
<20><> shorewall/params.mgmt:<br>
|
|
|
|
|
<20><> MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
|
|
|
|
|
<20><> TIME_SERVERS=4.4.4.4<br>
|
|
|
|
|
<20><> BACKUP_SERVERS=5.5.5.5<br>
|
|
|
|
|
<20><> ----- end params.mgmt -----<br>
|
|
|
|
|
<20><br>
|
|
|
|
|
<20><br>
|
|
|
|
|
<20><> shorewall/params:<br>
|
|
|
|
|
<20><> # Shorewall 1.3 /etc/shorewall/params<br>
|
|
|
|
|
<20><> [..]<br>
|
|
|
|
|
<20><> #######################################<br>
|
|
|
|
|
<20><br>
|
|
|
|
|
<20><> INCLUDE params.mgmt<6D><74><EFBFBD> <br>
|
|
|
|
|
<20> <br>
|
|
|
|
|
<20><> # params unique to this host here<br>
|
|
|
|
|
<20><> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
|
|
|
|
|
<20><> ----- end params -----<br>
|
|
|
|
|
<20><br>
|
|
|
|
|
<20><br>
|
|
|
|
|
<20><> shorewall/rules.mgmt:<br>
|
|
|
|
|
<20><> ACCEPT net:$MGMT_SERVERS<52><53><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> $FW<46><57><EFBFBD> tcp<63><70><EFBFBD> 22<br>
|
|
|
|
|
<20><> ACCEPT $FW<46><57><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> net:$TIME_SERVERS<52><53><EFBFBD> udp<64><70><EFBFBD> 123<br>
|
|
|
|
|
<20><> ACCEPT $FW<46><57><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> net:$BACKUP_SERVERS<52> tcp<63><70><EFBFBD> 22<br>
|
|
|
|
|
<20><> ----- end rules.mgmt -----<br>
|
|
|
|
|
<20><br>
|
|
|
|
|
<20><> shorewall/rules:<br>
|
|
|
|
|
<20><> # Shorewall version 1.3 - Rules File<br>
|
|
|
|
|
<20><> [..]<br>
|
|
|
|
|
<20><> #######################################<br>
|
|
|
|
|
<20><br>
|
|
|
|
|
<20><> INCLUDE rules.mgmt<6D><74><EFBFBD><EFBFBD> <br>
|
|
|
|
|
<20> <br>
|
|
|
|
|
<20><> # rules unique to this host here<br>
|
|
|
|
|
<20><> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
|
|
|
|
|
<20><> ----- end rules -----<br>
|
|
|
|
|
<20><br>
|
|
|
|
|
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
|
|
|
|
|
are ignored with a warning message.<br>
|
|
|
|
|
<br>
|
|
|
|
|
</li>
|
|
|
|
|
<li>Routing traffic from an interface back out that interface continues
|
|
|
|
|
to be a problem. While I firmly believe that this should never happen, people
|
|
|
|
|
continue to want to do it. To limit the damage that such nonsense produces,
|
|
|
|
|
I have added a new 'routeback' option in /etc/shorewall/interfaces and /etc/shorewall/hosts.
|
|
|
|
|
When used in /etc/shorewall/interfaces, the 'ZONE' column may not contain
|
|
|
|
|
'-'; in other words, 'routeback' can't be used as an option for a multi-zone
|
|
|
|
|
interface. The 'routeback' option CAN be specified however on individual group
|
|
|
|
|
entries in /etc/shorewall/hosts.<br>
|
|
|
|
|
<20><br>
|
|
|
|
|
The 'routeback' option is similar to the old 'multi' option with two exceptions:<br>
|
|
|
|
|
<20><br>
|
|
|
|
|
<20><> a) The option pertains to a particular zone,interface,address tuple.<br>
|
|
|
|
|
<20><br>
|
|
|
|
|
<20><> b) The option only created infrastructure to pass traffic from (zone,interface,address)
|
|
|
|
|
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
|
|
|
|
|
tuples associated with the given 'interface').<br>
|
|
|
|
|
<20><br>
|
|
|
|
|
See the '<a href="file:///Z:/Shorewall-docs/upgrade_issues.htm">Upgrade
|
|
|
|
|
Issues</a>' for information about how this new option may affect your configuration.<br>
|
|
|
|
|
</li>
|
|
|
|
|
</ol>
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
|
|
<p><b></b></p>
|
|
|
|
|
|
2003-03-18 16:16:33 +01:00
|
|
|
|
<p><a href="News.htm">More News</a></p>
|
2003-04-13 17:28:32 +02:00
|
|
|
|
|
2002-12-28 16:38:03 +01:00
|
|
|
|
<h2><a name="Donations"></a>Donations</h2>
|
2003-04-13 17:28:32 +02:00
|
|
|
|
</td>
|
|
|
|
|
<td
|
|
|
|
|
width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
|
|
|
|
|
</td>
|
|
|
|
|
</tr>
|
|
|
|
|
|
|
|
|
|
</tbody>
|
2002-12-28 16:38:03 +01:00
|
|
|
|
</table>
|
2003-04-13 17:28:32 +02:00
|
|
|
|
</center>
|
|
|
|
|
</div>
|
|
|
|
|
|
2002-09-16 19:02:45 +02:00
|
|
|
|
<table border="0" cellpadding="5" cellspacing="0"
|
|
|
|
|
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
|
|
|
|
bgcolor="#4b017c">
|
2003-04-13 17:28:32 +02:00
|
|
|
|
<tbody>
|
|
|
|
|
<tr>
|
|
|
|
|
<td width="100%"
|
|
|
|
|
style="margin-top: 1px;">
|
2002-09-16 19:02:45 +02:00
|
|
|
|
<p align="center"><a href="http://www.starlight.org"> <img
|
|
|
|
|
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
|
|
|
|
hspace="10">
|
2003-04-13 17:28:32 +02:00
|
|
|
|
</a></p>
|
|
|
|
|
|
|
|
|
|
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
|
|
|
|
|
if you try it and find it useful, please consider making a donation
|
|
|
|
|
to <a
|
|
|
|
|
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
|
|
|
|
|
Foundation.</font></a> Thanks!</font></p>
|
|
|
|
|
</td>
|
|
|
|
|
</tr>
|
|
|
|
|
|
|
|
|
|
</tbody>
|
2003-03-18 16:16:33 +01:00
|
|
|
|
</table>
|
2003-04-13 17:28:32 +02:00
|
|
|
|
|
|
|
|
|
<p><font size="2">Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
|
|
|
|
|
<br>
|
|
|
|
|
</p>
|
2003-03-23 19:47:54 +01:00
|
|
|
|
<br>
|
2002-09-16 19:02:45 +02:00
|
|
|
|
</body>
|
|
|
|
|
</html>
|