forked from extern/shorewall_code
Updates to the XML docs
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1345 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 3fde9a627f
commit 0213183738
@ -15,7 +15,7 @@
</author>
</authorgroup>

<pubdate>2004-03-28</pubdate>
<pubdate>2004-05-15</pubdate>

<copyright>
<year>2001-2004</year>
@ -128,7 +128,6 @@
url="Documentation.htm#Hosts">hosts</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Policy">policy</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Rules">rules</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Common">common</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Masq">masq</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#ProxyArp">proxyarp</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#NAT">nat</ulink></para></listitem><listitem><para><ulink
File diff suppressed because it is too large
@ -15,7 +15,7 @@
</author>
</authorgroup>

<pubdate>2004-04-26</pubdate>
<pubdate>2004-05-19</pubdate>

<copyright>
<year>2003</year>
@ -74,9 +74,9 @@
<programlisting>MODULE_SUFFIX="o gz ko o.gz ko.gz"</programlisting>

<para>The version of <command>insmod</command> shipped with 10.0 also does
not comprehend these module files so you will also need to change
<filename>/usr/share/shorewall/firewall</filename> -- replace the line
that reads:</para>
not comprehend these module files so you will also need Shorewall 2.0.2 or
later OR you need to change <filename>/usr/share/shorewall/firewall</filename>
-- replace the line that reads:</para>

<programlisting> insmod $modulefile $*</programlisting>

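Review bot: the new sentence offers two remedies ("Shorewall 2.0.2 or later OR you need to change /usr/share/shorewall/firewall") without saying that the manual edit is only for releases before 2.0.2, and that it is made to a file the package installs, so it is silently lost at the next upgrade. Suggest making the upgrade the primary advice and presenting the edit of /usr/share/shorewall/firewall as a workaround for older versions that has to be reapplied after upgrading.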
@ -278,22 +278,22 @@ jbd 47860 2 [ext3]
<para>If your FTP helper modules are compressed and have the names
<emphasis>ip_nat_ftp.o.gz and ip_conntrack_ftp.o.gz</emphasis> then you
will need Shorewall 1.4.7 or later if you want Shorewall to load them for
you.</para>
you. If your helper modules have names <emphasis>ip_nat_ftp.ko.gz and
ip_conntrack_ftp.ko.gz</emphasis> then you will need Shorewall 2.0.2 or
later if you want Shorewall to load them for you.</para>
</section>

<para>Server configuration is covered in the <ulink type=""
url="Documentation.htm#Rules">/etc/shorewall/rules documentation</ulink>,</para>

<para>For a client, you must open outbound TCP port 21.</para>
<section>
<title>FTP on Non-standard Ports</title>

<para>The above discussion about commands and responses makes it clear
that the FTP connection-tracking and NAT helpers must scan the traffic on
the control connection looking for PASV and PORT commands as well as PASV
responses. If you run an FTP server on a nonstandard port or you need to
access such a server, you must therefore let the helpers know by
specifying the port in /etc/shorewall/modules entries for the helpers. For
example, if you run an FTP server that listens on port 49 or you need to
access a server on the internet that listens on that port then you would
have:</para>
specifying the port in /etc/shorewall/modules entries for the helpers.
<caution><para>You must have modularized FTP connection tracking support
in order to use FTP on a non-standard port.</para></caution></para>

<example>
<title>if you run an FTP server that listens on port 49 or you need to
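Review bot: the <example> opened at the end of the hunk reuses the old paragraph's sentence fragment as its title ("<title>if you run an FTP server that listens on port 49 or you need to ..."), lowercase and running on past the hunk. Suggest a short noun-phrase title such as "FTP on port 49" and moving the sentence into the example's introductory <para>. While this file is being touched, the context lines also carry an empty attribute (<ulink type="">) and a sentence that ends in a comma ("/etc/shorewall/rules documentation</ulink>,</para>"); both are worth cleaning up in the same commit.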
@ -317,54 +317,52 @@ options ip_nat_ftp ports=21,49</programlisting>
/etc/shorewall/modules and/or /etc/modules.conf, you must either:</para><orderedlist><listitem><para>Unload
the modules and restart shorewall:</para><programlisting><command>rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</command></programlisting></listitem><listitem><para>Reboot</para></listitem></orderedlist></important></para>
</example>
</section>

<para>One problem that I see occasionally involves active mode and the FTP
server in my DMZ. I see the active data connection to <emphasis
role="bold">certain client IP addresses</emphasis> being continuously
rejected by my firewall. It is my conjecture that there is some broken
client out there that is sending a PORT command that is being either
missed or mis-interpreted by the FTP connection tracking helper yet it is
being accepted by my FTP server. My solution is to add the following rule:</para>
<section id="Rules">
<title>Rules</title>

<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<para>If the policy from the source zone to the destination zone is ACCEPT
and you don't need DNAT (see <ulink url="FAQ.htm#faq30">FAQ 30</ulink>)
then <emphasis role="bold">you need no rule</emphasis>.</para>

<entry align="center">SOURCE</entry>
<para>Otherwise, for FTP you need exactly <emphasis role="bold">one</emphasis>
rule:</para>

<entry align="center">DESTINATION</entry>
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
ACCEPT or <<emphasis>source</emphasis>> <<emphasis>destination</emphasis>> tcp 21 <external IP addr> if
DNAT ACTION = DNAT</programlisting>

<entry align="center">PROTOCOL</entry>
<para>You need an entry in the ORIGINAL DESTINATION column only if the
ACTION is DNAT, you have multiple external IP addresses and you want a
specific IP address to be forwarded to your server.</para>

<entry align="center">PORT(S)</entry>
<para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
with 20 (ftp-data) in the PORT(S) column. If you post your rules on the
mailing list and they show 20 in the PORT(S) column, I will know that you
haven't read this article and I will either ignore your post or tell
you to RTFM.<example><title>Server running behind a Masquerading Gateway</title><para>Suppose
that you run an FTP server on 192.168.1.5 in your local zone using the
standard port (21). You need this rule: </para><programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
DNAT net loc:192.168.1.5 tcp 21</programlisting></example><example><title>Allow
your DMZ FTP access to the Internet</title><programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
ACCEPT dmz net tcp 21</programlisting></example></para>

<entry align="center">SOURCE PORT(S)</entry>
<para>Note that the FTP connection tracking in the kernel cannot handle
cases where a PORT command (or PASV reply) is broken across two packets.
When such cases occur, you will see a console message similar to this one:</para>

<entry align="center">ORIGINAL DESTINATION</entry>
</row>
</thead>
<programlisting>Apr 28 23:55:09 gateway kernel: conntrack_ftp: partial PORT 715014972+1</programlisting>

<tbody>
<row>
<entry>ACCEPT:info</entry>
<para> I see this problem occasionally with the FTP server in my DMZ. My
solution is to add the following rule:</para>

<entry>dmz</entry>

<entry>net</entry>

<entry>tcp</entry>

<entry>-</entry>

<entry>20</entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
ACCEPT:info dmz net tcp - 20</programlisting>

<para>The above rule accepts and logs all active mode connections from my
DMZ to the net.</para>
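Review bot: the closing sentence, "The above rule accepts and logs all active mode connections from my DMZ to the net", overstates what the rule "ACCEPT:info dmz net tcp - 20" matches. Its only selector is TCP source port 20 from the dmz zone to net; nothing ties it to an FTP control connection, so any outbound TCP connection from a DMZ host that happens to originate from port 20 is accepted as well, FTP or not. Suggest the text say so plainly, and say that the :info log level is what keeps this broad allowance auditable (the "conntrack_ftp: partial PORT" console message above is the symptom that justifies it, so the two belong together). The hunk also carries the same rule twice, once as the informaltable row (ACCEPT:info / dmz / net / tcp / - / 20) and once as a programlisting; if both survive in the new text, keep one.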
@ -15,7 +15,7 @@
</author>
</authorgroup>

<pubdate>2004-05-09</pubdate>
<pubdate>2004-05-18</pubdate>

<copyright>
<year>2001</year>
@ -39,6 +39,21 @@
</legalnotice>
</articleinfo>

<warning>
<para><emphasis role="bold">Note to Debian Users</emphasis></para>

<para>If you install using the .deb, you will find that your <filename
class="directory">/etc/shorewall</filename> directory is empty. This is
intentional. The released configuration file skeletons may be found on
your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the copies.</para>

<para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
to <filename class="directory">/etc/shorewall</filename> even if you do
not modify it.</para>
</warning>

<section id="Install_RPM">
<title>Install using RPM</title>

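Review bot: the heading of the admonition is faked as a bold paragraph ("<para><emphasis role="bold">Note to Debian Users</emphasis></para>"); DocBook admonitions take a <title>, so "<warning><title>Note to Debian Users</title>" renders as a heading and is what the stylesheets expect. Most of the block is informational (where the skeleton files live), which fits <note> better than <warning>; the one line that merits the warning, that shorewall.conf must be copied even when it is not modified, is buried at the end and should lead.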
@ -13,7 +13,7 @@
</author>
</authorgroup>

<pubdate>2004-05-10</pubdate>
<pubdate>2004-05-17</pubdate>

<copyright>
<year>2001-2004</year>
@ -87,6 +87,42 @@
<section>
<title>Problems in Version 2.0</title>

<section>
<title>Shorewall 2.0.2</title>

<itemizedlist>
<listitem>
<para>Temporary restore files with names of the form
<filename>restore-</filename><emphasis>nnnnn</emphasis> are left in
/var/lib/shorewall.</para>
</listitem>

<listitem>
<para>"shorewall restore" and "shorewall -f start"
do not load kernel modules.</para>
</listitem>

<listitem>
<para>Specifying a null common action in /etc/shorewall/actions
(e.g., :REJECT) results in a startup error.</para>
</listitem>

<listitem>
<para>If <filename>/var/lib/shorewall</filename> does not exist,
<command>shorewall start</command> fails.</para>
</listitem>
</itemizedlist>

<para>These problems are corrected by the <filename>firewall</filename>
and <filename>functions</filename> files in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.2">this directory</ulink>.
Both files must be installed in <filename>/usr/share/shorewall/firewall</filename>
as described above.</para>

<para>The first two problems are also corrected in Shorewall version
2.0.2a while all four problems are corrected in 2.0.2b.</para>
</section>

<section>
<title>Shorewall 2.0.1</title>

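Review bot: "Both files must be installed in <filename>/usr/share/shorewall/firewall</filename>" names a file as the destination for two files; the hunk itself lists them as separate <filename>firewall</filename> and <filename>functions</filename> files, so the target is the directory /usr/share/shorewall/. Suggest a <filename class="directory"> for the directory, and replacing "as described above" with a <link linkend="..."> to the install instructions so the cross-reference survives the sections being reordered. The second item is also worth a word on impact: when "shorewall -f start" restores without loading modules, the FTP helpers the other documents in this commit rely on are absent until the next full start.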
@ -201,7 +237,9 @@
<appendix>
<title>Revision History</title>

<para><revhistory><revision><revnumber>1.14</revnumber><date>2004-05-10</date><authorinitials>TE</authorinitials><revremark>Add
<para><revhistory><revision><revnumber>1.16</revnumber><date>2004-05-17</date><authorinitials>TE</authorinitials><revremark>Added
null common action bug.</revremark></revision><revision><revnumber>1.15</revnumber><date>2004-05-16</date><authorinitials>TE</authorinitials><revremark>Added
2.0.2 bugs</revremark></revision><revision><revnumber>1.14</revnumber><date>2004-05-10</date><authorinitials>TE</authorinitials><revremark>Add
link to Netfilter CVS</revremark></revision><revision><revnumber>1.13</revnumber><date>2004-05-04</date><authorinitials>TE</authorinitials><revremark>Add
Alex Wilms's "install.sh" fix.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-05-03</date><authorinitials>TE</authorinitials><revremark>Add
Stefan Engel's "shorewall delete" fix.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-04-28</date><authorinitials>TE</authorinitials><revremark>Add
@ -15,10 +15,10 @@
</author>
</authorgroup>

<pubdate>2003-07-20</pubdate>
<pubdate>2004-05-19</pubdate>

<copyright>
<year>2001-2003</year>
<year>2001-2004</year>

<holder>Thomas M. Eastep</holder>
</copyright>
@ -89,8 +89,8 @@

<para>Note that I have built everything I need as modules. You can also
build everything into your kernel but if you want to be able to deal with
FTP running on a non-standard port then I recommend that you modularize
FTP Protocol support.</para>
FTP running on a non-standard port then you <emphasis role="bold">must</emphasis>
modularize FTP Protocol support.</para>

<para>Here's the corresponding part of my .config file:</para>

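Review bot: "you <emphasis role="bold">must</emphasis> modularize FTP Protocol support" is asserted without the reason, and the reader building a monolithic kernel has no way to know what is lost. The FTP document in this same commit supplies it: the non-standard port is passed to the helpers through their /etc/shorewall/modules entries (options ip_nat_ftp ports=21,49), which only works for a loadable module. Suggest a short clause to that effect or a <ulink url="FTP.htm"> to that section.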
@ -15,7 +15,7 @@
</author>
</authorgroup>

<pubdate>2004-04-03</pubdate>
<pubdate>2004-05-18</pubdate>

<copyright>
<year>2001-2004</year>
@ -97,7 +97,16 @@
<filename class="directory">/etc/shorewall</filename> -- for most setups,
you will only need to deal with a few of these as described in this guide.
Skeleton files are created during the Shorewall <ulink url="Install.htm">Installation
Process</ulink>.</para>
Process</ulink>.<warning><para><emphasis role="bold">Note to Debian Users</emphasis></para><para>If
you install using the .deb, you will find that your <filename
class="directory">/etc/shorewall</filename> directory is empty. This is
intentional. The released configuration file skeletons may be found on
your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note
that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
to <filename class="directory">/etc/shorewall</filename> even if you do
not modify it.</para></warning></para>

<para>As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration
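Review bot: the <warning> is spliced into the middle of the existing paragraph ("Process</ulink>.<warning> ... </warning></para>"), leaving a block admonition nested inside a <para> whose closing tag trails after it. The Install.xml hunk in this same commit places the identical note between two paragraphs; do the same here. This is also the second verbatim copy of the Debian note in the commit, and a third appears in the other setup guide; an external entity or XInclude would keep the three copies in step, since the path /usr/share/doc/shorewall/default-config and the shorewall.conf caveat are exactly the details that drift when each copy is edited on its own.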
@ -15,7 +15,7 @@
</author>
</authorgroup>

<pubdate>2004-04-22</pubdate>
<pubdate>2004-05-18</pubdate>

<copyright>
<year>2002-2004</year>
@ -133,6 +133,21 @@
files to /etc/shorewall (they will replace files with the same names that
were placed in /etc/shorewall during Shorewall installation)</emphasis>.</para>

<warning>
<para><emphasis role="bold">Note to Debian Users</emphasis></para>

<para>If you install using the .deb, you will find that your <filename
class="directory">/etc/shorewall</filename> directory is empty. This is
intentional. The released configuration file skeletons may be found on
your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the copies.</para>

<para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
to <filename class="directory">/etc/shorewall</filename> even if you do
not modify it.</para>
</warning>

<para>As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration
instructions and default entries.</para>
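Review bot: third verbatim copy of the Debian note in this commit. The structural points raised on the Install.xml hunk apply here as well (a <title> instead of a bold <para>, and <note> rather than <warning> for the informational part); more importantly, three hand-maintained copies of the same text will diverge, so factor it into a shared entity or XInclude. Note also the preceding context sentence tells readers that the guide's sample files "will replace files with the same names that were placed in /etc/shorewall during Shorewall installation", which the new note immediately contradicts for .deb users (that directory starts empty); one sentence reconciling the two would help.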
@ -15,7 +15,7 @@
</author>
</authorgroup>

<pubdate>2004-05-03</pubdate>
<pubdate>2004-05-14</pubdate>

<copyright>
<year>2001-2004</year>
@ -29,8 +29,7 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

@ -42,7 +41,7 @@
url="Install.htm">installation procedure</ulink> attempts to set up the
init scripts to start the firewall in run levels 2-5 and stop it in run
levels 1 and 6. If you want to configure your firewall differently from
this default, you can use your distribution's run-level editor.</para>
this default, you can use your distribution's run-level editor.</para>

<caution>
<itemizedlist>
@ -50,9 +49,8 @@
<para>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by removing the
file <filename>/etc/shorewall/startup_disabled</filename>. Note:
Users of the .deb package must edit
<filename>/etc/default/shorewall</filename> and set
<quote>startup=1</quote>.</para>
Users of the .deb package must edit <filename>/etc/default/shorewall</filename>
and set <quote>startup=1</quote>.</para>
</listitem>

<listitem>
@ -72,15 +70,15 @@
<listitem>
<para><command>shorewall [ -q ] [ -f ] start </command>- starts the
firewall. It important to understand that when the firewall is in the
<emphasis role="bold">Started</emphasis> state there is <emphasis>no
Shorewall Program</emphasis> <emphasis>running</emphasis>. It rather
means that Netfilter has been configured to handle traffic as
described in your Shorewall configuration files. Please refer to the
<link linkend="State">Shorewall State Diagram</link> as shown at the
bottom of this page for more information. The -q option was added in
Shorewall 2.0.2 Beta 1 and reduces the amout of output produced. Also
beginning with Shorewall version 2.0.2 Beta 1, the -f option may be
specified; if this option is given and the file
<emphasis role="bold">Started</emphasis> state there is
<emphasis>no Shorewall Program</emphasis> <emphasis>running</emphasis>.
It rather means that Netfilter has been configured to handle traffic
as described in your Shorewall configuration files. Please refer to
the <link linkend="State">Shorewall State Diagram</link> as shown at
the bottom of this page for more information. The -q option was added
in Shorewall 2.0.2 Beta 1 and reduces the amout of output produced.
Also beginning with Shorewall version 2.0.2 Beta 1, the -f option may
be specified; if this option is given and the file
<filename>/var/lib/shorewall/restore</filename> is present (see
<command>shorewall save</command> below), then that script is run to
restore the state of the firewall to the state when
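Review bot: the reflow carries two existing defects through unchanged: "It important to understand" is missing "is", and "reduces the amout of output" should read "amount". Since the paragraph is being rewritten anyway, fix both here rather than in a later pass. Worth a sentence as well: with -f, the firewall comes up from the saved /var/lib/shorewall/restore script, not from the current configuration files, so edits made after the last "shorewall save" are not applied until a plain start or restart; readers who enable -f in an init script will otherwise be surprised.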
@ -93,10 +91,9 @@
<para><command>shorewall stop</command> - stops the firewall; the only
traffic permitted through the firewall is from systems listed in
<filename>/etc/shorewall/routestopped</filename> (Beginning with
version 1.4.7, if ADMINISABSENTMINDED=Yes in
<filename>/etc/shorewall/shorewall.conf</filename> then in addition,
all existing connections are permitted and any new connections
originating from the firewall itself are allowed).</para>
version 1.4.7, if ADMINISABSENTMINDED=Yes in <filename>/etc/shorewall/shorewall.conf</filename>
then in addition, all existing connections are permitted and any new
connections originating from the firewall itself are allowed).</para>
</listitem>

<listitem>
@ -113,8 +110,7 @@

<listitem>
<para><command>shorewall clear</command> - remove all rules and chains
installed by Shoreline Firewall. The firewall is <quote>wide
open</quote></para>
installed by Shoreline Firewall. The firewall is <quote>wide open</quote></para>
</listitem>

<listitem>
@ -125,9 +121,9 @@

<listitem>
<para><command>shorewall save</command> - Beginning with Shorewall
2.0.2 Beta1, this command creates a script
<filename>/var/lib/shorewall/restore</filename> which when run will
restore the state of the firewall to its current state.</para>
2.0.2 Beta1, this command creates a script <filename>/var/lib/shorewall/restore</filename>
which when run will restore the state of the firewall to its current
state.</para>
</listitem>

<listitem>
@ -146,14 +142,13 @@
<para>If you include the keyword debug as the first argument, then a shell
trace of the command is produced as in:</para>

<para><programlisting> <command>shorewall debug start 2> /tmp/trace</command></programlisting>The
<para><programlisting> <command>shorewall debug start 2> /tmp/trace</command></programlisting>The
above command would trace the <quote>start</quote> command and place the
trace information in the file /tmp/trace</para>

<para>Beginning with version 1.4.7, shorewall can give detailed help about
each of its commands: <programlisting> <command>shorewall help [ command | host | address ]</command></programlisting>The
<quote>shorewall</quote> program may also be used to monitor the
firewall.</para>
<quote>shorewall</quote> program may also be used to monitor the firewall.</para>

<itemizedlist>
<listitem>
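Review bot: the example "shorewall debug start 2> /tmp/trace" sends a shell trace of the start command, which echoes every command the script runs including the generated iptables invocations, to a fixed, predictable file name in a world-writable directory. Suggest the example write under a private directory (for instance a file under /root, or one created with mktemp) and that the text note the trace reveals the full rule set, so it should not be left where other local users can read it, and should be removed once the problem report is filed.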
@ -162,24 +157,21 @@
</listitem>

<listitem>
<para><command>shorewall show <chain1> [ <chain2> ...
]</command> - produce a verbose report about the listed chains
(<command>iptables -L chain -n -v</command>) Note: You may only list
one chain in the show command when running Shorewall version 1.4.6 and
earlier. Version 1.4.7 and later allow you to list multiple chains in
one command.</para>
<para><command>shorewall show <chain1> [ <chain2> ...
]</command> - produce a verbose report about the listed chains (<command>iptables
-L chain -n -v</command>) Note: You may only list one chain in the
show command when running Shorewall version 1.4.6 and earlier. Version
1.4.7 and later allow you to list multiple chains in one command.</para>
</listitem>

<listitem>
<para><command>shorewall show nat</command> - produce a verbose report
about the nat table (<command>iptables -t nat -L -n
-v</command>)</para>
about the nat table (<command>iptables -t nat -L -n -v</command>)</para>
</listitem>

<listitem>
<para><command>shorewall show tos</command> - produce a verbose report
about the mangle table (<command>iptables -t mangle -L -n
-v</command>)</para>
about the mangle table (<command>iptables -t mangle -L -n -v</command>)</para>
</listitem>

<listitem>
@ -198,18 +190,17 @@
</listitem>

<listitem>
<para><command>shorewall monitor [ <delay> ]</command> -
<para><command>shorewall monitor [ <delay> ]</command> -
Continuously display the firewall status, last 20 log entries and nat.
When the log entry display changes, an audible alarm is sounded. The
<emphasis><delay></emphasis> indicates the number of seconds
<emphasis><delay></emphasis> indicates the number of seconds
between updates with the default being 10 seconds.</para>
</listitem>

<listitem>
<para><command>shorewall hits</command> - Produces several reports
about the Shorewall packet log messages in the current log file named
in the LOGFILE variable in
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
in the LOGFILE variable in <filename>/etc/shorewall/shorewall.conf</filename>.</para>
</listitem>

<listitem>
@ -219,27 +210,21 @@

<listitem>
<para><command>shorewall check</command> - Performs a cursory
validation of the zones, interfaces, hosts, rules and policy
files.<caution>
<para>The <quote><command>check</command></quote> command is
totally unsuppored and does not parse and validate the generated
iptables commands. Even though the <quote>check</quote> command
completes successfully, the configuration may fail to start.
Problem reports that complain about errors that the
<quote>check</quote> command does not detect will not be
accepted.</para>

<para>See the recommended way to make configuration changes
described below.</para>
</caution></para>
validation of the zones, interfaces, hosts, rules and policy files.<caution><para>The
<quote><command>check</command></quote> command is totally unsuppored
and does not parse and validate the generated iptables commands. Even
though the <quote>check</quote> command completes successfully, the
configuration may fail to start. Problem reports that complain about
errors that the <quote>check</quote> command does not detect will not
be accepted.</para><para>See the recommended way to make configuration
changes described below.</para></caution></para>
</listitem>

<listitem>
<para><command>shorewall try
<<errortype>configuration-directory</errortype>> [
<timeout> ]</command> - Restart shorewall using the specified
configuration and if an error occurs or if the
<emphasis><timeout></emphasis> option is given and the new
<para><command>shorewall try <<errortype>configuration-directory</errortype>>
[ <timeout> ]</command> - Restart shorewall using the
specified configuration and if an error occurs or if the
<emphasis><timeout></emphasis> option is given and the new
configuration has been up for that many seconds then shorewall is
restarted using the standard configuration.</para>
</listitem>
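Review bot: "totally unsuppored" should be "unsupported", and it survives the reflow in both the old and new lines. In the "shorewall try" synopsis the placeholder markup is inconsistent: the configuration directory is wrapped as <<errortype>configuration-directory</errortype>>, which misuses <errortype> (meant for error-message classification) for a replaceable parameter, while the timeout in the same sentence is marked as <emphasis><timeout></emphasis>. DocBook's <replaceable> is the intended element for both; pick one form and use it for every parameter in the file. "See the recommended way to make configuration changes described below" would also be more robust as a <link linkend="..."> to the Alternate Configurations section than as a positional reference.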
@ -256,17 +241,16 @@

<itemizedlist>
<listitem>
<para><command>shorewall ipcalc [ <address> <mask> |
<address>/<vlsm> ] </command>- displays the network
<para><command>shorewall ipcalc [ <address> <mask> |
<address>/<vlsm> ] </command>- displays the network
address, broadcast address, network in CIDR notation and netmask
corresponding to the input[s].</para>
</listitem>

<listitem>
<para><command>shorewall iprange
<address1>-<address2></command> - Decomposes the specified
range of IP addresses into the equivalent list of network/host
addresses</para>
<para><command>shorewall iprange <address1>-<address2></command>
- Decomposes the specified range of IP addresses into the equivalent
list of network/host addresses</para>
</listitem>
</itemizedlist>

@ -275,19 +259,19 @@

<itemizedlist>
<listitem>
<para><command>shorewall drop <ip address list></command> -
<para><command>shorewall drop <ip address list></command> -
causes packets from the listed IP addresses to be silently dropped by
the firewall.</para>
</listitem>

<listitem>
<para><command>shorewall reject <ip address list></command> -
<para><command>shorewall reject <ip address list></command> -
causes packets from the listed IP addresses to be rejected by the
firewall.</para>
</listitem>

<listitem>
<para><command>shorewall allow <ip address list></command> -
<para><command>shorewall allow <ip address list></command> -
re-enables receipt of packets from hosts previously blacklisted by a
drop or reject command.</para>
</listitem>
@ -296,7 +280,7 @@
<para><command>shorewall save</command> - save the dynamic
blacklisting configuration so that it will be automatically restored
the next time that the firewall is restarted. Beginning with Shorewall
version 2.0.2 Beta1, this command also creats the
version 2.0.2 Beta1, this command also creates the
<filename>/var/lib/shorewall/restore</filename> script as described
above.</para>
</listitem>
@ -312,15 +296,15 @@

<itemizedlist>
<listitem>
<para><command>shorewall add <interface>[:<host>]
<zone></command> - Adds the specified interface (and host if
<para><command>shorewall add <interface>[:<host>]
<zone></command> - Adds the specified interface (and host if
included) to the specified zone.</para>
</listitem>

<listitem>
<para><command>shorewall delete <interface>[:<host>]
<zone></command> - Deletes the specified interface (and host if
included) from the specified zone.</para>
<para><command>shorewall delete <interface>[:<host>]
<zone></command> - Deletes the specified interface (and host
if included) from the specified zone.</para>

<para>Examples:<programlisting> <command>shorewall add ipsec0:192.0.2.24 vpn1</command> -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1
<command>shorewall delete ipsec0:192.0.2.24 vpn1</command> -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1</programlisting></para>
@ -331,11 +315,11 @@
<section>
<title>Error Handling</title>

<para>When <command>shorewall start</command>, <command>shorewall
restart</command> or <command>shorewall refresh</command> encounter an
error, the behavior depends on which version of Shorewall you are running
and whether there is a <filename>/var/lib/shorewall/restore</filename>
script available (see <command>shorewall save</command> above).</para>
<para>When <command>shorewall start</command>, <command>shorewall restart</command>
or <command>shorewall refresh</command> encounter an error, the behavior
depends on which version of Shorewall you are running and whether there is
a <filename>/var/lib/shorewall/restore</filename> script available (see
<command>shorewall save</command> above).</para>

<itemizedlist>
<listitem>
@ -347,8 +331,8 @@
<listitem>
<para>If you have executed a <command>shorewall save</command> command
without a subsequent <command>shorewall forget</command>, then the
firewall is restored to the state when <command>shorewall
save</command> was executed.</para>
firewall is restored to the state when <command>shorewall save</command>
was executed.</para>
</listitem>
</itemizedlist>
</section>
@ -356,23 +340,21 @@
|
||||
<section>
|
||||
<title>Alternate Configurations</title>
|
||||
|
||||
<para>The <command>shorewall start</command>, <command>shorewall
|
||||
restart</command>, <command>shorewall check</command>, and
|
||||
<command>shorewall try </command>commands allow you to specify which
|
||||
Shorewall configuration to use:</para>
|
||||
<para>The <command>shorewall start</command>, <command>shorewall restart</command>,
|
||||
<command>shorewall check</command>, and <command>shorewall try </command>commands
|
||||
allow you to specify which Shorewall configuration to use:</para>
|
||||
|
||||
<programlisting> <command>shorewall [ -c <configuration-directory> ] {start|restart|check}</command>
|
||||
<command>shorewall try <configuration-directory></command></programlisting>
|
||||
<programlisting> <command>shorewall [ -c <configuration-directory> ] {start|restart|check}</command>
|
||||
<command>shorewall try <configuration-directory> [ <timeout> ]</command></programlisting>
|
||||
|
||||
<para>If a <emphasis><configuration-directory</emphasis>> is
|
||||
<para>If a <emphasis><configuration-directory</emphasis>> is
|
||||
specified, each time that Shorewall is going to use a file in <filename
|
||||
class="directory">/etc/shorewall</filename> it will first look in
|
||||
the<emphasis> <configuration-directory></emphasis> . If the file is
|
||||
present in the <emphasis><configuration-directory>,</emphasis> that
|
||||
file will be used; otherwise, the file in <filename
|
||||
class="directory">/etc/shorewall</filename> will be used. When changing
|
||||
the configuration of a production firewall, I recommend the
|
||||
following:</para>
|
||||
class="directory">/etc/shorewall</filename> it will first look in the<emphasis>
|
||||
<configuration-directory></emphasis> . If the file is present in
|
||||
the <emphasis><configuration-directory>,</emphasis> that file will
|
||||
be used; otherwise, the file in <filename class="directory">/etc/shorewall</filename>
|
||||
will be used. When changing the configuration of a production firewall, I
|
||||
recommend the following:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
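Review bot: The synopsis now shows an optional `[ <timeout> ]` on `shorewall try <configuration-directory>`, but nothing nearby explains what the timeout does or what unit it is given in; the paragraph that follows ("If a <configuration-directory> is specified, ...") and the bullet list only describe the configuration directory. The only description of the behaviour is the table entry further down ("If timeout then firewall restart (standard configuration)"). Add a sentence after the synopsis that states the unit of `<timeout>` and that, when it expires, the standard configuration is restarted, matching that table entry.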
|
||||
@ -384,8 +366,8 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><copy any files that you need to change from /etc/shorewall
|
||||
to . and change them here></para>
|
||||
<para><copy any files that you need to change from /etc/shorewall
|
||||
to . and change them here></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
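Review bot: The removed and added lines of "<copy any files that you need to change from /etc/shorewall to . and change them here>" read identically in the rendered diff, so this hunk changes only indentation or trailing whitespace. If the angle brackets here are literal `<` and `>` in the DocBook source rather than `&lt;`/`&gt;` entities, the file will not parse; worth confirming in the raw XML while this paragraph is being touched.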
|
||||
@ -393,7 +375,7 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><correct any errors found by check and check again></para>
|
||||
<para><correct any errors found by check and check again></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -401,10 +383,10 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>If the configuration starts but doesn't work, just <quote>shorewall
|
||||
restart</quote> to restore the old configuration. If the new configuration
|
||||
fails to start, the <quote>try</quote> command will automatically start
|
||||
the old one for you.</para>
|
||||
<para>If the configuration starts but doesn't work, just
|
||||
<quote>shorewall restart</quote> to restore the old configuration. If the
|
||||
new configuration fails to start, the <quote>try</quote> command will
|
||||
automatically start the old one for you.</para>
|
||||
|
||||
<para>When the new configuration works then just:</para>
|
||||
|
||||
@ -432,8 +414,7 @@
|
||||
|
||||
<para>You will note that the commands that result in state transitions use
|
||||
the word <quote>firewall</quote> rather than <quote>shorewall</quote>.
|
||||
That is because the actual transitions are done by
|
||||
<command>/usr/share/shorewall/firewall</command>;
|
||||
That is because the actual transitions are done by <command>/usr/share/shorewall/firewall</command>;
|
||||
<command>/sbin/shorewall</command> runs <quote>firewall</quote> according
|
||||
to the following table:</para>
|
||||
|
||||
@ -478,8 +459,7 @@
|
||||
|
||||
<entry>firewall restart</entry>
|
||||
|
||||
<entry>Logically equivalent to <quote>firewall stop;firewall
|
||||
start</quote></entry>
|
||||
<entry>Logically equivalent to <quote>firewall stop;firewall start</quote></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -527,7 +507,7 @@
|
||||
<row>
|
||||
<entry>shorewall try</entry>
|
||||
|
||||
<entry>firewall -c <new configuration> restart If
|
||||
<entry>firewall -c <new configuration> restart If
|
||||
unsuccessful then firewall start (standard configuration) If
|
||||
timeout then firewall restart (standard configuration)</entry>
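Review bot: The `shorewall try` table entry runs three clauses together without punctuation ("restart If unsuccessful then firewall start (standard configuration) If timeout then firewall restart (standard configuration)"), which is hard to read as a description of the command's states. Since this hunk already touches the entry, split it, e.g. `firewall -c <new configuration> restart. If unsuccessful, then firewall start (standard configuration). If timeout, then firewall restart (standard configuration).` This is also the only place the `<timeout>` argument's behaviour is described, so the wording matters.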
|
||||
|
||||
@ -541,36 +521,12 @@
|
||||
<appendix>
|
||||
<title>Revision History</title>
|
||||
|
||||
<para><revhistory>
|
||||
<revision>
|
||||
<revnumber>1.3-1.8</revnumber>
|
||||
|
||||
<date>2004-01-04</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Docbook standards</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.2</revnumber>
|
||||
|
||||
<date>2003-12-31</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added clarification about "Started State"</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.1</revnumber>
|
||||
|
||||
<date>2003-12-29</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Initial Docbook conversion</revremark>
|
||||
</revision>
|
||||
</revhistory></para>
|
||||
<para><revhistory><revision><revnumber>1.10</revnumber><date>2004-05-14</date><authorinitials>TE</authorinitials><revremark>Update
|
||||
"try" syntax in the alternate configuration section to include [
|
||||
<timeout> ]</revremark></revision><revision><revnumber>1.9</revnumber><date>2004-05-03</date><authorinitials>TE</authorinitials><revremark>Shorewall
|
||||
2.0.2</revremark></revision><revision><revnumber>1.3-1.8</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Docbook
|
||||
standards</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-31</date><authorinitials>TE</authorinitials><revremark>Added
|
||||
clarification about "Started State"</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Initial
|
||||
Docbook conversion</revremark></revision></revhistory></para>
|
||||
</appendix>
|
||||
</article>
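Review bot: The new revision history collapses the whole `<revhistory>` onto a few very long lines, whereas the block it replaces kept one element per line (`<revision>`, `<revnumber>`, `<date>`, `<authorinitials>`, `<revremark>` each on its own line). The one-element-per-line layout is what makes future revision entries show up as small, readable diffs; the collapsed form will rewrap every time an entry is added. Suggest restoring the original layout for the 1.10 and 1.9 entries rather than reflowing the existing ones.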
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-03-15</pubdate>
|
||||
<pubdate>2004-05-16</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -214,8 +214,9 @@
|
||||
|
||||
<listitem>
|
||||
<para>If an error occurs when you try to <quote><command>shorewall
|
||||
start</command></quote>, include a trace (See the Troubleshooting
|
||||
section for instructions).</para>
|
||||
start</command></quote>, include a trace (See the <ulink
|
||||
url="troubleshoot.htm">Troubleshooting section</ulink> for
|
||||
instructions).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
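Review bot: The new `<ulink url="troubleshoot.htm">` uses a lower-case file name, while the other cross-document links in this commit use capitalised names (for example `Install.htm` in the two-interface guide). On a case-sensitive web server the link only works if it matches the actual file name exactly, so confirm the troubleshooting page is really published as `troubleshoot.htm`. Minor: "(See the ... for instructions)" is a parenthetical inside a sentence, so "see" should be lower case.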
|
||||
@ -290,7 +291,8 @@
|
||||
<appendix>
|
||||
<title>Revision History</title>
|
||||
|
||||
<para><revhistory><revision><revnumber>1.4</revnumber><date>2003-03-15</date><authorinitials>TE</authorinitials><revremark>Remove
|
||||
<para><revhistory><revision><revnumber>1.5</revnumber><date>2003-05-16</date><authorinitials>TE</authorinitials><revremark>Add
|
||||
link to the troubleshooting section</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-03-15</date><authorinitials>TE</authorinitials><revremark>Remove
|
||||
Newbies Mailing List.</revremark></revision><revision><revnumber>1.3</revnumber><date>2003-02-19</date><authorinitials>TE</authorinitials><revremark>Admonish
|
||||
against including "iptables -L" output.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-01-01</date><authorinitials>TE</authorinitials><revremark>Removed
|
||||
.GIF and moved note about unsupported releases. Move Revision History to
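Review bot: The new revision 1.5 is dated `2003-05-16`, but the `<pubdate>` set in this same commit for this file is `2004-05-16`; the year in the revision entry looks wrong. The same mismatch already exists for revision 1.4 (`2003-03-15`) against the previous pubdate `2004-03-15`, so both dates should probably read 2004.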
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-04-22</pubdate>
|
||||
<pubdate>2004-05-18</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002-2004</year>
|
||||
@ -157,12 +157,23 @@
|
||||
|
||||
<para>The configuration files for Shorewall are contained in the directory
|
||||
<filename>/etc/shorewall</filename> -- for simple setups, you will only
|
||||
need to deal with a few of these as described in this guide. After you
|
||||
have installed Shorewall, download the three-interface sample, un-tar it (<command>tar
|
||||
<option>-zxvf</option> <filename>three-interfaces.tgz</filename></command>)
|
||||
and and copy the files to <filename>/etc/shorewall</filename> (the files
|
||||
will replace files with the same names that were placed in
|
||||
<filename>/etc/shorewall</filename> when Shorewall was installed).</para>
|
||||
need to deal with a few of these as described in this guide.<warning><para><emphasis
|
||||
role="bold">Note to Debian Users</emphasis></para><para>If you install
|
||||
using the .deb, you will find that your <filename class="directory">/etc/shorewall</filename>
|
||||
directory is empty. This is intentional. The released configuration file
|
||||
skeletons may be found on your system in the directory <filename
|
||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
||||
Simply copy the files you need from that directory to <filename
|
||||
class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note
|
||||
that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
||||
to /etc/shorewall even if you do not modify it.</para></warning></para>
|
||||
|
||||
<para>After you have installed Shorewall, download the three-interface
|
||||
sample, un-tar it (<command>tar <option>-zxvf</option>
|
||||
<filename>three-interfaces.tgz</filename></command>) and and copy the
|
||||
files to <filename>/etc/shorewall</filename> (the files will replace files
|
||||
with the same names that were placed in <filename>/etc/shorewall</filename>
|
||||
when Shorewall was installed).</para>
|
||||
|
||||
<para>As each file is introduced, I suggest that you look through the
|
||||
actual file on your system -- each file contains detailed configuration
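Review bot: The duplicated word in "un-tar it (...) and and copy the files" is carried over unchanged into the new paragraph; since the sentence is being moved anyway, fix it to "and copy the files". Also, in the new warning the last sentence says "to /etc/shorewall even if you do not modify it" with `/etc/shorewall` as bare text, while the otherwise identical sentence in the two-interface guide later in this commit wraps it in `<filename class="directory">`; use the markup here as well so the two guides render the same.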
|
||||
|
@ -12,7 +12,7 @@
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
|
||||
<pubdate>2003-04-22</pubdate>
|
||||
<pubdate>2003-05-18</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002</year>
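Review bot: The new `<pubdate>` is `2003-05-18`, but the parallel change to the three-interface guide in this same commit sets `2004-05-18`, and the other files touched here are dated 2004-05-16 and 2004-05-19. The year 2003 appears to be a typo that was already present in the old value (`2003-04-22`); suggest `2004-05-18`. The `<copyright><year>` below still stops at 2002 and could be updated at the same time.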
|
||||
@ -146,7 +146,18 @@
|
||||
<para>The configuration files for Shorewall are contained in the directory
|
||||
<filename class="directory">/etc/shorewall</filename> -- for simple
|
||||
setups, you will only need to deal with a few of these as described in
|
||||
this guide. <tip><para>After you have <ulink url="Install.htm">installed
|
||||
this guide.<warning><para><emphasis role="bold">Note to Debian Users</emphasis></para><para>If
|
||||
you install using the .deb, you will find that your <filename
|
||||
class="directory">/etc/shorewall</filename> directory is empty. This is
|
||||
intentional. The released configuration file skeletons may be found on
|
||||
your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
||||
Simply copy the files you need from that directory to <filename
|
||||
class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note
|
||||
that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
||||
to <filename class="directory">/etc/shorewall</filename> even if you do
|
||||
not modify it.</para></warning></para>
|
||||
|
||||
<para><tip><para>After you have <ulink url="Install.htm">installed
|
||||
Shorewall</ulink>, download the <ulink
|
||||
url="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface
|
||||
sample</ulink>, un-tar it (<command>tar <option>-zxvf</option>
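Review bot: This "Note to Debian Users" warning is a verbatim copy of the one added to the three-interface guide in this commit, and the two copies already diverge (this one marks up `/etc/shorewall` with `<filename class="directory">` in the final sentence, the other does not). Either keep the wording and markup identical in both guides, or factor the admonition into a shared entity or included fragment so future edits to the Debian packaging note do not have to be made twice.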