shorewall_code/Shorewall-docs/sourceforge_index.htm

378 lines
20 KiB
HTML
Raw Normal View History

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.4 - <font
size="4">"<i>iptables made easy"</i></font></font><br>
<a target="_top" href="1.3/index.html"><font
color="#ffffff"> </font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small><br>
</small></small></small></font></a>
</h1>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a>
(iptables) based firewall that can be used on
a dedicated firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it
under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This
program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.<br>
<br>
You
should have received a copy of the GNU
General Public License along with
this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge,
MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br>
<h2><b>News</b></h2>
<b> </b>
<p><b>5/10/2003 - Shorewall Mirror in Asia </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<20></b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p>
<p><b>4/26/2003 - lists.shorewall.net Downtime </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
<20></b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br>
</p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b><EFBFBD></b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation<6F></b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<blockquote> This morning, I gave <a href="GSLUG.htm"
target="_top">a Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint and is
best viewed using Internet Explorer (although Konqueror also seems to
work reasonably well as does Opera 7.1.0). Neither Opera 6 nor Netscape
work well to view the presentation.</blockquote>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p><b><EFBFBD><EFBFBD><EFBFBD> Problems Corrected:</b></p>
<blockquote>
<ol>
<li>TCP connection requests rejected out of the <b>common</b>
chain are now properly rejected with TCP RST; previously, some of these
requests were rejected with an ICMP port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously
timed out on the first hop (e.g., to the firewall). This has been worked
around.</li>
</ol>
</blockquote>
<p><b><EFBFBD><EFBFBD><EFBFBD> New Features:</b></p>
<blockquote>
<ol>
<li>Where an entry in the/etc/shorewall/hosts file
specifies a particular host or network, Shorewall now creates an intermediate
chain for handling input from the related zone. This can substantially
reduce the number of rules traversed by connections requests from such
zones.<br>
<br>
</li>
<li>Any file may include an INCLUDE directive. An
INCLUDE directive consists of the word INCLUDE followed by a file name
and causes the contents of the named file to be logically included into
the file containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate configuration
directory if one has been specified for the command. <br>
<20><br>
<20><> Examples:<br>
<20><> shorewall/params.mgmt:<br>
<20><> MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
<20><> TIME_SERVERS=4.4.4.4<br>
<20><> BACKUP_SERVERS=5.5.5.5<br>
<20><> ----- end params.mgmt -----<br>
<20><br>
<20><br>
<20><> shorewall/params:<br>
<20><> # Shorewall 1.3 /etc/shorewall/params<br>
<20><> [..]<br>
<20><> #######################################<br>
<20><br>
<20><> INCLUDE params.mgmt<6D><74><EFBFBD> <br>
<20> <br>
<20><> # params unique to this host here<br>
<20><> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
<20><> ----- end params -----<br>
<20><br>
<20><br>
<20><> shorewall/rules.mgmt:<br>
<20><> ACCEPT net:$MGMT_SERVERS<52><53><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> $FW<46><57><EFBFBD> tcp<63><70><EFBFBD> 22<br>
<20><> ACCEPT $FW<46><57><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> net:$TIME_SERVERS<52><53><EFBFBD> udp<64><70><EFBFBD> 123<br>
<20><> ACCEPT $FW<46><57><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> net:$BACKUP_SERVERS<52> tcp<63><70><EFBFBD> 22<br>
<20><> ----- end rules.mgmt -----<br>
<20><br>
<20><> shorewall/rules:<br>
<20><> # Shorewall version 1.3 - Rules File<br>
<20><> [..]<br>
<20><> #######################################<br>
<20><br>
<20><> INCLUDE rules.mgmt<6D><74><EFBFBD><EFBFBD> <br>
<20> <br>
<20><> # rules unique to this host here<br>
<20><> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
REMOVE<br>
<20><> ----- end rules -----<br>
<20><br>
INCLUDE's may be nested to a level of 3 -- further nested
INCLUDE directives are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that
interface continues to be a problem. While I firmly believe that this
should never happen, people continue to want to do it. To limit the
damage that such nonsense produces, I have added a new 'routeback' option
in /etc/shorewall/interfaces and /etc/shorewall/hosts. When used in
/etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in
other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on individual
group entries in /etc/shorewall/hosts.<br>
<20><br>
The 'routeback' option is similar to the old 'multi' option
with two exceptions:<br>
<20><br>
<20><> a) The option pertains to a particular zone,interface,address
tuple.<br>
<20><br>
<20><> b) The option only created infrastructure to pass traffic
from (zone,interface,address) tuples back to themselves (the 'multi'
option affected all (zone,interface,address) tuples associated with
the given 'interface').<br>
<20><br>
See the '<a href="upgrade_issues.htm">Upgrade Issues</a>'
for information about how this new option may affect your configuration.<br>
</li>
</ol>
</blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b>
<p><b><a href="News.htm">More News</a></b></p>
<b> </b>
<h2><b> </b></h2>
<b> </b>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that
features Shorewall-1.3.14 and Kernel-2.4.20.
You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on the
recent release of Bering 1.2!!! </b><br>
<h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></b></h1>
<b> </b>
<h4><b> </b></h4>
<b> </b>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td>
<td width="88" bgcolor="#4b017c" valign="top" align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
<20></p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input type="text"
name="words" size="15"></font><font size="-1"> </font><font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and">
<input type="hidden" name="config" value="htdig"> <input
type="submit" value="Search"></font> </p>
<font face="Arial"> <input type="hidden"
name="exclude" value="[http://lists.shorewall.net/pipermail/*]">
</font> </form>
<p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p>
<a target="_top"
href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff">
</font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td
width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 5/10/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
</body>
</html>