shorewall_code/STABLE/documentation/sourceforge_index.htm

490 lines
27 KiB
HTML
Raw Normal View History

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="33%" height="90" valign="middle"
align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0">
</a></td>
<td valign="middle" width="34%" align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
</td>
<td valign="middle">
<h1 align="center"><a href="http://www.shorewall.net"
target="_top"><br>
</a></h1>
<br>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a>
(iptables) based firewall that can be used
on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it
under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program is distributed in the
hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.<br>
<br>
You should have received a copy of
the GNU General Public License
along with this program; if not, write to
the Free Software Foundation, Inc.,
675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly
to your setup. If you want to use the documentation that you find here,
it is best if you uninstall what you have and install a setup that matches
the documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br>
<h2><b>News</b></h2>
<b> </b>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;" now correctly
traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones file; previously,
INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second column
are no longer ignored.<br>
</li>
</ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may
now contain a list of addresses. If the list begins with "!' then the rule
will take effect only if the original destination address in the connection
request does not match any of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
The firewall at shorewall.net has been upgraded to the 2.4.21 kernel and
iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
have been encountered with this set of software. The Shorewall version is
1.4.4b plus the accumulated changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p>
<p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b></p>
<p>Groan -- This version corrects a problem whereby the --log-level
was not being set when logging via syslog. The most commonly reported symptom
was that Shorewall messages were being written to the console even though
console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
16</a>.<br>
</p>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
out that the code in 1.4.4 restricts the length of short zone names to
4 characters. I've produced version 1.4.4a that restores the previous 5-character
limit by conditionally omitting the log rule number when the LOGFORMAT
doesn't contain '%d'.
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b>
</b></p>
I apologize for the rapid-fire releases but since there is a potential
configuration change required to go from 1.4.3a to 1.4.4, I decided to
make it a full release rather than just a bug-fix release. <br>
<br>
<b><EFBFBD><EFBFBD><EFBFBD> Problems corrected:</b><br>
<blockquote>None.<br>
</blockquote>
<b><EFBFBD><EFBFBD><EFBFBD> New Features:<br>
</b>
<ol>
<li>A REDIRECT- rule target has been added. This target behaves
for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter
nat table REDIRECT rule is added but not the companion filter table ACCEPT
rule.<br>
<br>
</li>
<li>The LOGMARKER variable has been renamed LOGFORMAT and
has been changed to a 'printf' formatting template which accepts three
arguments (the chain name, logging rule number and the disposition). To
use LOGFORMAT with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>),
set it as:<br>
<20><br>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> LOGFORMAT="fp=%s:%d a=%s "<br>
<20><br>
<b>CAUTION: </b>/sbin/shorewall uses the leading part of the
LOGFORMAT string (up to but not including the first '%') to find log messages
in the 'show log', 'status' and 'hits' commands. This part should not
be omitted (the LOGFORMAT should not begin with "%") and the leading part
should be sufficiently unique for /sbin/shorewall to identify Shorewall
messages.<br>
<br>
</li>
<li>When logging is specified on a DNAT[-] or REDIRECT[-]
rule, the logging now takes place in the nat table rather than in the filter
table. This way, only those connections that actually undergo DNAT or redirection
will be logged.</li>
</ol>
<p><b>5/20/2003 - Shorewall-1.4.3a</b><b> </b><b>
</b><br>
</p>
This version primarily corrects the documentation included in the
.tgz and in the .rpm. In addition: <br>
<ol>
<li>(This change is in 1.4.3 but is not documented) If
you are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will
return reject replies as follows:<br>
<20><> a) tcp - RST<br>
<20><> b) udp - ICMP port unreachable<br>
<20><> c) icmp - ICMP host unreachable<br>
<20><> d) Otherwise - ICMP host prohibited<br>
If you are running earlier software, Shorewall will follow it's
traditional convention:<br>
<20><> a) tcp - RST<br>
<20><> b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def
chain. Remember that this chain is traversed just before a DROP or REJECT
policy is enforced.<br>
</li>
</ol>
<p><b>5/18/2003 - Shorewall 1.4.3</b><br>
</p>
<20><><EFBFBD> <b>Problems Corrected:<br>
</b>
<ol>
<li>There were several cases where Shorewall would fail
to remove a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback
interface have been moved to before the rule that drops status=INVALID
packets. This insures that all loopback traffic is allowed even if Netfilter
connection tracking is confused.</li>
</ol>
<20><><EFBFBD> <b>New Features:<br>
</b>
<ol>
<li><a href="6to4.htm"><EFBFBD></a><a href="6to4.htm">IPV6-IPV4
(6to4) tunnels </a>are now supported in the /etc/shorewall/tunnels
file.</li>
<li value="2">You may now change the leading portion
of the --log-prefix used by Shorewall using the LOGMARKER variable in
shorewall.conf. By default, "Shorewall:" is used.<br>
</li>
</ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks
Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b> <20></b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b> <20></b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br>
</p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
</b></p>
<blockquote> This morning, I gave <a href="GSLUG.htm"
target="_top">a Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint
and is best viewed using Internet Explorer (although Konqueror also
seems to work reasonably well as does Opera 7.1.0). Neither Opera
6 nor Netscape work well to view the presentation.</blockquote>
<p><b></b></p>
<blockquote>
<ol>
</ol>
</blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b>
<p><b><a href="News.htm">More News</a></b></p>
<b> </b>
<h2><b> </b></h2>
<b> </b>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You
can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and
Eric on the recent release of Bering 1.2!!!
</b><br>
<h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></b></h1>
<b> </b>
<h4><b> </b></h4>
<b> </b>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td>
<td width="88" bgcolor="#4b017c" valign="top"
align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily 0200-0330
GMT.</font><br>
<20></p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font><font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and">
<input type="hidden" name="config" value="htdig"> <input
type="submit" value="Search"></font> </p>
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font>
</form>
<p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p>
<a target="_top"
href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff">
</font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2">Shorewall is free but if you try it and find
it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 6/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</body>
</html>