diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml
index 4b6a2229a..8fc36687b 100644
--- a/Shorewall-docs2/Documentation_Index.xml
+++ b/Shorewall-docs2/Documentation_Index.xml
@@ -15,7 +15,7 @@
- 2004-03-28
+ 2004-05-152001-2004
@@ -128,7 +128,6 @@
url="Documentation.htm#Hosts">hostspolicyrulescommonmasqproxyarpnat
- 2004-05-04
+ 2004-05-182001-2004
@@ -31,8 +31,7 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
- GNU Free Documentation
- License.
+ GNU Free Documentation License.
@@ -46,6 +45,22 @@
Answer: Check out the QuickStart Guides.
+
+
+ (FAQ 37) I just installed Shorewall on Debian and the
+ /etc/shorewall directory is empty!!!
+
+ If you install using the .deb, you will find that your /etc/shorewall directory is empty. This is
+ intentional. The released configuration file skeletons may be found on
+ your system in the directory /usr/share/doc/shorewall/default-config.
+ Simply copy the files you need from that directory to /etc/shorewall and modify the copies.
+
+ Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf
+ to /etc/shorewall even if you do
+ not modify it.
+
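Review bot: The heading on the first added lines ends in "empty!!!"; one exclamation mark is enough for a FAQ title, and the other FAQ headings in this file use none. The closing paragraph states that /usr/share/doc/shorewall/default-config/shorewall.conf must be copied to /etc/shorewall even when it is not modified but does not say what happens when it is missing; one clause naming the failure a reader would otherwise see when starting Shorewall would make the requirement self-explanatory rather than something to take on faith.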
@@ -53,8 +68,8 @@
(FAQ 1) I want to forward UDP port 7777 to my my personal PC with
- IP address 192.168.1.5. I've looked everywhere and can't find how to do
- it.
+ IP address 192.168.1.5. I've looked everywhere and can't find
+ how to do it.
Answer: The first example in the
rules file documentation
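Review bot: The reflowed FAQ 1 heading still carries the doubled word "my my personal PC" on the unchanged first line of the hunk; since the hunk is already rewrapping this title, drop the duplicate while here.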
@@ -62,7 +77,7 @@
port-forwarding rule to a local system is as follows:#ACTION SOURCE DEST PROTO DEST PORT
-DNAT net loc:<local IP address>[:<local port>] <protocol> <port #>
+DNAT net loc:<local IP address>[:<local port>] <protocol> <port #>
So to forward UDP port 7777 to internal system 192.168.1.5, the
rule is:
@@ -71,19 +86,18 @@ DNAT net loc:<local IP address>[:<If you want to forward requests directed to a particular address (
- <external IP> ) on your firewall to an
+ <external IP> ) on your firewall to an
internal system:#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
-DNAT net loc:<local IP address>[:<local port>] <protocol> <port #> - <external IP>
+DNAT net loc:<local IP address>[:<local port>] <protocol> <port #> - <external IP>
Finally, if you need to forward a range of ports, in the PORT
- column specify the range as
- <low-port>:<high-port>.
+ column specify the range as <low-port>:<high-port>.
- (FAQ 1a) Ok -- I followed those instructions but it doesn't
+ (FAQ 1a) Ok -- I followed those instructions but it doesn't
workAnswer: That is usually the
@@ -92,14 +106,14 @@ DNAT net loc:<local IP address>[:<You are trying to test from inside your firewall (no, that
- won't work -- see ).
+ won't work -- see ).You have a more basic problem with your local system (the
one that you are trying to forward to) such as an incorrect
default gateway (it should be set to the IP address of your
- firewall's internal interface).
+ firewall's internal interface).
@@ -109,42 +123,40 @@ DNAT net loc:<local IP address>[:<You are running Mandrake Linux and have configured Internet
Connection Sharing. In that case, the name of your local zone is
- 'masq' rather than 'loc' (change all instances of 'loc' to 'masq'
- in your rules). You may want to consider re-installing Shorewall
- in a configuration which matches the Shorewall documentation. See
- the two-interface QuickStart
- Guide for details.
+ 'masq' rather than 'loc' (change all instances of
+ 'loc' to 'masq' in your rules). You may want to
+ consider re-installing Shorewall in a configuration which matches
+ the Shorewall documentation. See the two-interface QuickStart Guide for
+ details.
- (FAQ 1b) I'm still having problems with port forwarding
+ (FAQ 1b) I'm still having problems with port forwardingAnswer: To further diagnose
this problem:
- As root, type iptables -t nat
- -Z. This clears the NetFilter counters in the
- nat table.
+ As root, type iptables -t nat -Z.
+ This clears the NetFilter counters in the nat table.
- Try to connect to the redirected port from an external
- host.
+ Try to connect to the redirected port from an external host.
- As root type shorewall show
- nat
+ As root type shorewall show natLocate the appropriate DNAT rule. It will be in a chain
- called <source zone>_dnat
- (net_dnat in the above examples).
+ called <source zone>_dnat (net_dnat
+ in the above examples).
@@ -153,7 +165,7 @@ DNAT net loc:<local IP address>[:<
redirected to the server. In this case, the problem is usually a
missing or incorrect default gateway setting on the local system
(the system you are trying to forward to -- its default gateway
- should be the IP address of the firewall's interface to that
+ should be the IP address of the firewall's interface to that
system).
@@ -170,13 +182,12 @@ DNAT net loc:<local IP address>[:<you are trying to connect to a secondary IP address on
your firewall and your rule is only redirecting the primary IP
address (You need to specify the secondary IP address in the
- ORIG. DEST. column in your DNAT rule);
- or
+ ORIG. DEST. column in your DNAT rule); or
- your DNAT rule doesn't match the connection request in
- some other way. In that case, you may have to use a packet
+ your DNAT rule doesn't match the connection request
+ in some other way. In that case, you may have to use a packet
sniffer such as tcpdump or ethereal to further diagnose the
problem.
@@ -198,8 +209,8 @@ DNAT net loc:192.168.3:22 tcp 1022
- (FAQ 30) I'm confused about when to use DNAT rules and when to
- use ACCEPT rules.
+ (FAQ 30) I'm confused about when to use DNAT rules and when
+ to use ACCEPT rules.It would be a good idea to review the QuickStart Guide
@@ -221,7 +232,7 @@ DNAT net loc:192.168.3:22 tcp 1022
(FAQ 2) I port forward www requests to www.mydomain.com (IP
130.151.100.69) to system 192.168.1.5 in my local network. External
clients can browse http://www.mydomain.com but internal clients
- can't.
+ can't.
Answer: I have two objections to
this setup.
@@ -230,7 +241,7 @@ DNAT net loc:192.168.3:22 tcp 1022
Having an internet-accessible server in your local network is
like raising foxes in the corner of your hen house. If the server is
- compromised, there's nothing between that server and your other
+ compromised, there's nothing between that server and your other
internal systems. For the cost of another NIC and a cross-over
cable, you can put your server in a DMZ such that it is isolated
from your local systems - assuming that the Server can be located
@@ -239,11 +250,11 @@ DNAT net loc:192.168.3:22 tcp 1022
The accessibility problem is best solved using Bind Version 9
- views (or using a separate DNS server for
- local clients) such that www.mydomain.com resolves to 130.141.100.69
- externally and 192.168.1.5 internally. That's what I do here at
- shorewall.net for my local systems that use one-to-one NAT.
+ url="shorewall_setup_guide.htm#DNS">Bind Version 9 views
+ (or using a separate DNS server for local clients) such that
+ www.mydomain.com resolves to 130.141.100.69 externally and
+ 192.168.1.5 internally. That's what I do here at shorewall.net
+ for my local systems that use one-to-one NAT.
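Review bot: The external address in the rewrapped DNS paragraph ("resolves to 130.141.100.69 externally") does not match the address given in the FAQ 2 question earlier in this section (130.151.100.69); one of the two is a typo and they should agree, otherwise a reader copying the example will point the external view at the wrong host.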
@@ -259,11 +270,9 @@ DNAT net loc:192.168.3:22 tcp 1022
If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
upgrade to Shorewall 1.4.2 or later.
- Otherwise:
- In this configuration, all loc->loc traffic will look to
- the server as if it came from the firewall rather than from the
- original client!
-
+ Otherwise:In this configuration, all loc->loc
+ traffic will look to the server as if it came from the firewall rather
+ than from the original client!
@@ -283,8 +292,7 @@ DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www -
That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and are running
- Shorewall 1.3.4 or later then include this in
- /etc/shorewall/init:
+ Shorewall 1.3.4 or later then include this in /etc/shorewall/init:ETH0_IP=`find_interface_address eth0`
@@ -304,14 +312,14 @@ DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www -
(FAQ 2a) I have a zone Z with an RFC1918 subnet
and I use one-to-one NAT to assign non-RFC1918 addresses to hosts in
Z. Hosts in Z cannot communicate with each other using their external
- (non-RFC1918 addresses) so they can't access each other using their
- DNS names.
+ (non-RFC1918 addresses) so they can't access each other using
+ their DNS names.
If the ALL INTERFACES column in /etc/shorewall/nat is empty or
contains Yes, you will also see log messages like the
following when trying to access a host in Z from another host in Z
- using the destination hosts's public address:
+ using the destination hosts's public address:
Oct 4 10:26:40 netgw kernel:
Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.118.200
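Review bot: The rewrapped line still reads "the destination hosts's public address"; the possessive should be "host's". Separately, the sample log line in the trailing context shows IN=eth1 OUT=eth1, which is exactly the hairpin case this FAQ describes; it would help readers to say in the text that identical IN and OUT interfaces in the Shorewall:FORWARD:REJECT message are the tell-tale sign of this problem.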
@@ -322,19 +330,19 @@ DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www -
Answer: This is another problem
that is best solved using Bind Version 9 views. It
allows both external and internal clients to access a NATed host using
- the host's DNS name.
+ the host's DNS name.
Another good way to approach this problem is to switch from
one-to-one NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918
addresses and can be accessed externally and internally using the same
address.
- If you don't like those solutions and prefer routing all Z->Z
- traffic through your firewall then:
+ If you don't like those solutions and prefer routing all
+ Z->Z traffic through your firewall then:
- Set the Z->Z policy to ACCEPT.
+ Set the Z->Z policy to ACCEPT.
@@ -350,7 +358,7 @@ DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www -
Yes.
- In this configuration, all Z->Z traffic will look to
+ In this configuration, all Z->Z traffic will look to
the server as if it came from the firewall rather than from the
original client! I DO NOT RECOMMEND THIS SETUP.
@@ -398,13 +406,13 @@ eth2 192.168.2.0/24
following:
- > I know PoM -ng is going to address this issue, but till it
- is ready, and > all the extras are ported to it, is there any way
- to use the h.323 > contrack module kernel patch with a 2.6 kernel?
- > Running 2.6.1 - no 2.4 kernel stuff on the system, so downgrade
- is not > an option... The module is not ported yet to 2.6, sorry.
- > Do I have any options besides a gatekeeper app (does not work in
- my > network) or a proxy (would prefer to avoid them)? I suggest
+ > I know PoM -ng is going to address this issue, but till it
+ is ready, and > all the extras are ported to it, is there any way
+ to use the h.323 > contrack module kernel patch with a 2.6 kernel?
+ > Running 2.6.1 - no 2.4 kernel stuff on the system, so downgrade
+ is not > an option... The module is not ported yet to 2.6, sorry.
+ > Do I have any options besides a gatekeeper app (does not work in
+ my > network) or a proxy (would prefer to avoid them)? I suggest
everyone to setup a proxy (gatekeeper) instead: the module is really
dumb and does not deserve to exist at all. It was an excellent tool to
debug/develop the newnat interface.
@@ -413,8 +421,7 @@ eth2 192.168.2.0/24
Look here
for a solution for MSN IM but be aware that there are significant
security risks involved with this solution. Also check the Netfilter
- mailing list archives at http://www.netfilter.org.
+ mailing list archives at http://www.netfilter.org.
@@ -438,15 +445,14 @@ eth2 192.168.2.0/24
cuts down slightly on the amount of Windows chatter on LAN segments
connected to the Firewall.
- If you are seeing port 80 being closed, that's
+ If you are seeing port 80 being closed, that's
probably your ISP preventing you from running a web server in violation
of your Service Agreement.You can change the default behavior of Shorewall through use of
an /etc/shorewall/common file. See the Extension Script
- Section.
+ url="shorewall_extension_scripts.htm">Extension Script Section.
@@ -461,16 +467,14 @@ eth2 192.168.2.0/24
the default policy to all zone from the internet is DROP. The Drop
action is defined in /etc/shorewall/action.Drop
which in turn invokes the RejectAuth
- action (defined in
- /etc/shorewall/action.RejectAuth). This is
- necessary to prevent outgoing connection problems to services that use
- the Auth mechanism for identifying requesting users. That
- is the only service which the default setup rejects.
+ action (defined in /etc/shorewall/action.RejectAuth).
+ This is necessary to prevent outgoing connection problems to services
+ that use the Auth mechanism for identifying requesting
+ users. That is the only service which the default setup rejects.
If you are seeing closed TCP ports other than 113 (auth) then
either you have added rules to REJECT those ports or a router outside of
- your firewall is responding to connection requests on those
- ports.
+ your firewall is responding to connection requests on those ports.
(FAQ 4a) I just ran an nmap UDP scan of my firewall and it
@@ -480,12 +484,12 @@ eth2 192.168.2.0/24
read the nmap man page section about UDP scans. If nmap gets nothing back from your firewall then it reports
the port as open. If you want to see which UDP ports are really open,
- temporarily change your net->all policy to REJECT, restart
+ temporarily change your net->all policy to REJECT, restart
Shorewall and do the nmap UDP scan again.
- (FAQ 4b) I have a port that I can't close no matter how I
+ (FAQ 4b) I have a port that I can't close no matter how I
change my rules.I had a rule that allowed telnet from my local network to my
@@ -503,9 +507,8 @@ eth2 192.168.2.0/24
(FAQ 4c) How to I use Shorewall with PortSentry?Here's
- a writeup on a nice integration of Shorewall and
- PortSentry.
+ url="http://www.shorewall.net/pub/shorewall/contrib/PortsentryHOWTO.txt">Here's
+ a writeup on a nice integration of Shorewall and PortSentry.
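Review bot: The unchanged heading line at the top of this hunk reads "How to I use Shorewall with PortSentry?"; it should be "How do I use". The hunk already touches the answer, so fix the question while here.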
@@ -514,8 +517,8 @@ eth2 192.168.2.0/24
Connection Problems
- (FAQ 5) I've installed Shorewall and now I can't ping through the
- firewall
+ (FAQ 5) I've installed Shorewall and now I can't ping
+ through the firewallAnswer: If you want your firewall
to be totally open for ping,
@@ -523,7 +526,7 @@ eth2 192.168.2.0/24
Create /etc/shorewall/common if it
- doesn't already exist.
+ doesn't already exist.
@@ -532,8 +535,7 @@ eth2 192.168.2.0/24
- Add the following to
- /etc/shorewall/common
+ Add the following to /etc/shorewall/commonrun_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT
@@ -544,18 +546,18 @@ eth2 192.168.2.0/24
- (FAQ 15) My local systems can't see out to the net
+ (FAQ 15) My local systems can't see out to the netAnswer: Every time I read
- systems can't see out to the net, I wonder where the
+ systems can't see out to the net, I wonder where the
poster bought computers with eyes and what those computers will
see when things are working properly. That aside, the
most common causes of this problem are:
- The default gateway on each local system isn't set to the IP
- address of the local firewall interface.
+ The default gateway on each local system isn't set to the
+ IP address of the local firewall interface.
@@ -565,34 +567,32 @@ eth2 192.168.2.0/24
The DNS settings on the local systems are wrong or the user is
- running a DNS server on the firewall and hasn't enabled UDP and TCP
- port 53 from the firewall to the internet.
+ running a DNS server on the firewall and hasn't enabled UDP and
+ TCP port 53 from the firewall to the internet.
- (FAQ 29) FTP Doesn't Work
+ (FAQ 29) FTP Doesn't Work
- See the Shorewall and FTP
- page.
+ See the Shorewall and FTP page.(FAQ 33) From clients behind the firewall, connections to some
sites fail. Connections to the same sites from the firewall itself work
- fine. What's wrong.
+ fine. What's wrong.
Answer: Most likely, you need to
- set CLAMPMSS=Yes in /etc/shorewall/shorewall.conf.
+ set CLAMPMSS=Yes in /etc/shorewall/shorewall.conf.
(FAQ 35) I have two Ethernet interfaces to my local network which
- I have bridged. When Shorewall is started, I'm unable to pass traffic
- through the bridge. I have defined the bridge interface (br0) as the
- local interface in /etc/shorewall/interfaces; the bridged Ethernet
+ I have bridged. When Shorewall is started, I'm unable to pass
+ traffic through the bridge. I have defined the bridge interface (br0) as
+ the local interface in /etc/shorewall/interfaces; the bridged Ethernet
interfaces are not defined to Shorewall. How do I tell Shorewall to
allow traffic through the bridge?
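Review bot: The FAQ 33 title rewrapped in the middle of this hunk ends "What's wrong." with a full stop; it is a question and should end with a question mark, as the FAQ 35 title that follows it does.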
@@ -610,39 +610,37 @@ eth2 192.168.2.0/24
the destination?
Answer: NetFilter uses the
- kernel's equivalent of syslog (see man syslog) to log
- messages. It always uses the LOG_KERN (kern) facility (see man
- openlog) and you get to choose the log level (again, see
- man syslog) in your man syslog) to log
+ messages. It always uses the LOG_KERN (kern) facility (see
+ man openlog) and you get to choose the log level (again,
+ see man syslog) in your policies and rules. The destination for
- messaged logged by syslog is controlled by
- /etc/syslog.conf (see man
- syslog.conf). When you have changed /etc/syslog.conf, be sure to
- restart syslogd (on a RedHat system, service syslog
- restart).
+ messaged logged by syslog is controlled by /etc/syslog.conf
+ (see man syslog.conf). When you have changed
+ /etc/syslog.conf, be sure to restart syslogd (on a RedHat system,
+ service syslog restart).
By default, older versions of Shorewall ratelimited log messages
through settings in
/etc/shorewall/shorewall.conf -- If you want to log
all messages, set:
- LOGLIMIT=""
-LOGBURST=""
+ LOGLIMIT=""
+LOGBURST=""Beginning with Shorewall version 1.3.12, you can set up Shorewall to log all of its messages
to a separate file.
- (FAQ 6a) Are there any log parsers that work with
- Shorewall?
+ (FAQ 6a) Are there any log parsers that work with Shorewall?Answer: Here are several links
that may be helpful:http://www.shorewall.net/pub/shorewall/parsefw/
+url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/pub/shorewall/parsefw/
http://www.fireparse.comhttp://cert.uni-stuttgart.de/projects/fwlogwatchhttp://www.logwatch.org
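Review bot: The added line beginning "messaged logged by syslog" carries a typo; it should read "messages logged by syslog". In the same paragraph, the sentence saying you "choose the log level ... in your policies and rules" would be more useful if it pointed at the specific column of the policy and rules files where the level is written, since that is what a reader chasing missing log messages needs to check.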
@@ -732,23 +730,10 @@ LOGBURST=""
-
- Example
-
- MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00
-
- Destination MAC address = 00:04:4c:dc:e2:28
-
-
-
- Source MAC address = 00:b0:8e:cf:3c:4c
-
-
-
- Ethernet Frame Type = 08:00 (IP Version 4)
-
-
-
+ ExampleMAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00Destination
+ MAC address = 00:04:4c:dc:e2:28Source
+ MAC address = 00:b0:8e:cf:3c:4cEthernet
+ Frame Type = 08:00 (IP Version 4)
@@ -757,23 +742,22 @@ LOGBURST=""
making it unusable!
Answer: If you are running
- Shorewall version 1.4.4 or 1.4.4a then check the errata. Otherwise:
+ Shorewall version 1.4.4 or 1.4.4a then check the errata.
+ Otherwise:
Find where klogd is being started (it will be from one of the
files in /etc/init.d -- sysklogd, klogd, ...). Modify that file or
the appropriate configuration file so that klogd is started with
- -c <n> where
- <n> is a log level of 5 or less;
- or
+ -c <n> where
+ <n> is a log level of 5 or less; or
- See the dmesg man page (man
- dmesg). You must add a suitable dmesg command
- to your startup scripts or place it in /etc/shorewall/start.
+ See the dmesg man page (man dmesg).
+ You must add a suitable dmesg command to your startup
+ scripts or place it in /etc/shorewall/start.
@@ -809,10 +793,9 @@ LOGBURST=""
man1918 or logdrop
- The destination address is listed in
- /usr/share/shorewall/rfc1918 with a logdrop target -- see /usr/share/shorewall/rfc1918.
+ The destination address is listed in /usr/share/shorewall/rfc1918
+ with a logdrop target -- see
+ /usr/share/shorewall/rfc1918.
@@ -828,25 +811,23 @@ LOGBURST=""
- all2<zone>, <zone>2all or all2all
+ all2<zone>, <zone>2all or all2all
- You have a policy that specifies a log
- level and this packet is being logged under that policy. If you
- intend to ACCEPT this traffic then you need a rule to that effect.
+ You have a policy
+ that specifies a log level and this packet is being logged under
+ that policy. If you intend to ACCEPT this traffic then you need a
+ rule to that effect.
- <zone1>2<zone2>
+ <zone1>2<zone2>
- Either you have a policy for <zone1> to <zone2> that specifies a log level
+ Either you have a policy
+ for <zone1> to <zone2> that specifies a log level
and this packet is being logged under that policy or this packet
matches a rule that
includes a log level.
@@ -854,13 +835,11 @@ LOGBURST=""
- <interface>_mac
+ <interface>_mac
- The packet is being logged under the maclistinterface
- option.
+ The packet is being logged under the maclist
+ interface option.
@@ -868,10 +847,8 @@ LOGBURST=""
logpkt
- The packet is being logged under the loguncleaninterface
- option.
+ The packet is being logged under the logunclean
+ interface option.
@@ -879,12 +856,10 @@ LOGBURST=""
badpkt
- The packet is being logged under the dropuncleaninterface option as
- specified in the LOGUNCLEAN
- setting in /etc/shorewall/shorewall.conf.
+ The packet is being logged under the dropunclean
+ interface option
+ as specified in the LOGUNCLEAN
+ setting in /etc/shorewall/shorewall.conf.
@@ -906,9 +881,8 @@ LOGBURST=""
The packet is being logged because it is a TCP packet that
is not part of any current connection yet it is not a syn packet.
Options affecting the logging of such packets include NEWNOTSYN and LOGNEWNOTSYN in /etc/shorewall/shorewall.conf.
+ role="bold">NEWNOTSYN and LOGNEWNOTSYN
+ in /etc/shorewall/shorewall.conf.
@@ -916,12 +890,12 @@ LOGBURST=""
INPUT or FORWARD
- The packet has a source IP address that isn't in any of your
- defined zones (shorewall check and look at the
+ The packet has a source IP address that isn't in any of
+ your defined zones (shorewall check and look at the
printed zone definitions) or the chain is FORWARD and the
- destination IP isn't in any of your defined zones. Also see for another cause of packets being logged in
- the FORWARD chain.
+ destination IP isn't in any of your defined zones. Also see
+ for another cause of packets being logged
+ in the FORWARD chain.
@@ -931,8 +905,7 @@ LOGBURST=""
The packet is being logged because it failed the checks
implemented by the tcpflags
- interface
- option.
+ interface option.
@@ -942,23 +915,22 @@ LOGBURST=""
Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2OUT=eth1SRC=192.168.2.2
+role="bold">IN=eth2 OUT=eth1SRC=192.168.2.2DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP
+role="bold">PROTO=UDP
SPT=1803 DPT=53 LEN=47
- Let's look at the important parts of this message:
+ Let's look at the important parts of this message:all2all:REJECT
- This packet was REJECTed out of the all2all chain -- the packet was rejected
- under the all->all REJECT
- policy ( above).
+ This packet was REJECTed out of the all2all
+ chain -- the packet was rejected under the all->all
+ REJECT policy ( above).
@@ -1019,8 +991,7 @@ LOGBURST=""
url="http://logi.cc/linux/netfilter-log-format.php3">http://logi.cc/linux/netfilter-log-format.php3.
In this case, 192.168.2.2 was in the dmz zone and
- 192.168.1.3 is in the loc zone. I was missing the
- rule:
+ 192.168.1.3 is in the loc zone. I was missing the rule:
ACCEPT dmz loc udp 53
@@ -1061,15 +1032,15 @@ LOGBURST=""
UDP port 2857. This causes a port unreachable (type 3, code 3) to be
generated back to 192.0.2.3. As this packet is sent back through
206.124.146.179, that box correctly changes the source address in the
- packet to 206.124.146.179 but doesn't reset the DST IP in the original
- DNS response similarly. When the ICMP reaches your firewall (192.0.2.3),
- your firewall has no record of having sent a DNS reply to 172.16.1.10 so
- this ICMP doesn't appear to be related to anything that was sent. The
- final result is that the packet gets logged and dropped in the all2all
- chain. I have also seen cases where the source IP in the ICMP itself
- isn't set back to the external IP of the remote NAT gateway; that causes
- your firewall to log and drop the packet out of the rfc1918 chain
- because the source IP is reserved by RFC 1918.
+ packet to 206.124.146.179 but doesn't reset the DST IP in the
+ original DNS response similarly. When the ICMP reaches your firewall
+ (192.0.2.3), your firewall has no record of having sent a DNS reply to
+ 172.16.1.10 so this ICMP doesn't appear to be related to anything
+ that was sent. The final result is that the packet gets logged and
+ dropped in the all2all chain. I have also seen cases where the source IP
+ in the ICMP itself isn't set back to the external IP of the remote
+ NAT gateway; that causes your firewall to log and drop the packet out of
+ the rfc1918 chain because the source IP is reserved by RFC 1918.
@@ -1116,8 +1087,7 @@ eth1 eth2
url="http://www.lartc.org">LARTC HOWTO and has not been verified
by the author. If you have questions or problems with the instructions
given below, please post to the LARTC mailing
- list.
+ url="http://www.lartc.org/#mailinglist">LARTC mailing list.
A common configuration is the following, in which there are two
@@ -1153,17 +1123,15 @@ eth1 eth2
Let us first set some symbolical names. Let $IF1 be the name of the first interface (if1 in
the picture above) and $IF2 the name
- of the second interface. Then let $IP1 be the IP address associated with
- $IF1 and $IP2 the IP address associated with $IF2. Next, let $IP1
+ be the IP address associated with $IF1
+ and $IP2 the IP address associated
+ with $IF2. Next, let $P1 be the IP address of the gateway at
Provider 1, and $P2 the IP address of
- the gateway at provider 2. Finally, let $P1_NET be the IP network $P1 is in, and $P2_NET the IP network $P1_NET
+ be the IP network $P1 is in, and
+ $P2_NET the IP network $P2 is in.One creates two additional routing tables, say Next you set up the main routing table. It is a good idea to
route things to the direct neighbour through the interface connected
- to that neighbour. Note the `src' arguments, they make sure the right
- outgoing IP address is chosen.
+ to that neighbour. Note the `src' arguments, they make sure the
+ right outgoing IP address is chosen.ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2
@@ -1207,8 +1175,8 @@ ip rule add from $IP2 table T2
on a particular interface get answered from that interface.
- 'If $P0_NET is the local network and $IF0 is its interface,
- the following additional entries are desirable:
+ 'If $P0_NET is the local network and $IF0 is its
+ interface, the following additional entries are desirable:ip route add $P0_NET dev $IF0 table T1
ip route add $P2_NET dev $IF2 table T1
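Review bot: Both the removed and the added version of "'If $P0_NET is the local network" begin with a stray single quote before "If"; since the hunk rewraps this sentence anyway, drop the apostrophe.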
@@ -1252,9 +1220,9 @@ ip route add 127.0.0.0/8 dev lo table T2Furthermore, if you really want to do this, you probably also
- want to look at Julian Anastasov's patches at http://www.ssi.bg/~ja/#routes
- , Julian's route patch page. They will make things nicer to work
+ , Julian's route patch page. They will make things nicer to work
with.
@@ -1279,8 +1247,7 @@ ip route add 127.0.0.0/8 dev lo table T2
url="http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-inbound">http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-inboundFor the use of multiple outbound links to the Internet, there
- are a number of different techniques. The simplest is identified
- here:
+ are a number of different techniques. The simplest is identified here:
http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-outbound
@@ -1288,8 +1255,7 @@ ip route add 127.0.0.0/8 dev lo table T2
Better (and more robust) techniques are available after a kernel
routing patch by Julian Anastasov. See the famous nano-howto.
- http://www.ssi.bg/~ja/
+ http://www.ssi.bg/~ja/
@@ -1298,20 +1264,19 @@ ip route add 127.0.0.0/8 dev lo table T2
Starting and Stopping
- (FAQ 7) When I stop Shorewall using shorewall
- stop, I can't connect to anything. Why doesn't that command
- work?
+ (FAQ 7) When I stop Shorewall using shorewall stop,
+ I can't connect to anything. Why doesn't that command work?The stop command is intended to
place your firewall into a safe state whereby only those hosts listed in
- /etc/shorewall/routestopped' are activated. If you
- want to totally open up your firewall, you must use the
+ /etc/shorewall/routestopped' are activated. If
+ you want to totally open up your firewall, you must use the
shorewall clear command.(FAQ 8) When I try to start Shorewall on RedHat, I get messages
- about insmod failing -- what's wrong?
+ about insmod failing -- what's wrong?
Answer: The output you will see
looks something like this:
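Review bot: The rewrapped text still has a stray trailing apostrophe in "/etc/shorewall/routestopped'"; the path should appear without it. While this FAQ is being reworded, it would also help to say plainly that "totally open up your firewall" with shorewall clear means the host is left with no packet filtering at all, so a reader does not reach for clear on an Internet-facing box when stop is what they wanted.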
@@ -1321,7 +1286,7 @@ Hint: insmod errors can be caused by incorrect module parameters, including inva
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
-iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
+iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
This problem is usually corrected through the following sequence
@@ -1340,13 +1305,12 @@ rmmod ipchains
message referring me to FAQ #8
Answer: This is usually cured
- by the sequence of commands shown above in .
+ by the sequence of commands shown above in .
- (FAQ 9) Why can't Shorewall detect my interfaces properly at
+ (FAQ 9) Why can't Shorewall detect my interfaces properly at
startup?I just installed Shorewall and when I issue the start command, I
@@ -1368,18 +1332,18 @@ Deleting user chains...
Creating input Chains...
...
- Why can't Shorewall detect my interfaces properly?
+ Why can't Shorewall detect my interfaces properly?Answer: The above output is
perfectly normal. The Net zone is defined as all hosts that are
connected through eth0 and the local zone is defined as all hosts
connected through eth1. If you
are running Shorewall 1.4.10 or later, you can consider setting the
- detectnets interface option on your local
- interface (eth1 in the above
- example). That will cause Shorewall to restrict the local zone to only
- those networks routed through that interface.
+ detectnets
+ interface option on your local interface (eth1 in the above example). That will
+ cause Shorewall to restrict the local zone to only those networks routed
+ through that interface.
@@ -1387,24 +1351,24 @@ Creating input Chains...
Shorewall starts. Which file do I put them in?
You can place these commands in one of the Shorewall Extension
- Scripts. Be sure that you look at the contents of the chain(s)
- that you will be modifying with your commands to be sure that the
- commands will do what they are intended. Many iptables commands
- published in HOWTOs and other instructional material use the -A command
- which adds the rules to the end of the chain. Most chains that Shorewall
- constructs end with an unconditional DROP, ACCEPT or REJECT rule and any
- rules that you add after that will be ignored. Check man
- iptables and look at the -I (--insert) command.
+ url="shorewall_extension_scripts.htm">Shorewall Extension Scripts.
+ Be sure that you look at the contents of the chain(s) that you will be
+ modifying with your commands to be sure that the commands will do what
+ they are intended. Many iptables commands published in HOWTOs and other
+ instructional material use the -A command which adds the rules to the
+ end of the chain. Most chains that Shorewall constructs end with an
+ unconditional DROP, ACCEPT or REJECT rule and any rules that you add
+ after that will be ignored. Check man iptables and look
+ at the -I (--insert) command.
(FAQ 34) How can I speed up start (restart)?Using a light-weight shell such as ash can
- dramatically decrease the time required to start or restart
- Shorewall. See the SHOREWALL_SHELL variable in start
+ or restart Shorewall. See the
+ SHOREWALL_SHELL variable in shorewall.conf.Beginning with Shorewall version 2.0.2 Beta 1, Shorewall supports
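Review bot: The rewrapped Extension Scripts paragraph tells the reader to "look at the contents of the chain(s)" before inserting rules but never says how; since this same change set documents "shorewall show <chain1> [ <chain2> ... ]" in starting_and_stopping_shorewall.xml, a cross-reference to that command here would let readers confirm where an -I rule landed relative to the chain's final unconditional DROP, ACCEPT or REJECT before they rely on it. Unrelated nit in the same hunk: the FAQ 34 answer now runs straight into "Beginning with Shorewall version 2.0.2 Beta 1" on the same line, which suggests a paragraph boundary was lost in the reflow.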
@@ -1421,9 +1385,8 @@ Creating input Chains...
Use the -f option to the
start command (e.g., shorewall -f start). This
- causes Shorewall to look for the
- /var/lib/shorewall/restore script and if that
- script exists, it is run. Running
+ causes Shorewall to look for the /var/lib/shorewall/restore
+ script and if that script exists, it is run. Running
/var/lib/shorewall/restore takes much less time
than a full shorewall start.
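Review bot: The -f start description says the restore script "is run" when present but gives no caveat, while the errata.xml hunk in this same change records that in 2.0.2 "shorewall restore" and "shorewall -f start" do not load kernel modules (fixed in 2.0.2a). A one-line pointer from this FAQ to that erratum would spare users who depend on helper modules from a difference in behaviour between "shorewall start" and "shorewall -f start" that the text otherwise does not hint at.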
@@ -1453,19 +1416,18 @@ Creating input Chains...
Likewise, if you change your Shorewall configuration then once you
are satisfied that it is working properly, you must do another
shorewall save. Otherwise at the next reboot, you
- will revert to the old configuration stored in
- /var/lib/shorewall/restore.
+ will revert to the old configuration stored in /var/lib/shorewall/restore.(FAQ 34a) I get errors about a host or network not found when I
run/var/lib/shorewall/restore. The
- shorewall restore and shorewall -f
- start commands gives the same result.
+ shorewall restore and shorewall -f start
+ commands gives the same result.
Answer: iptables 1.2.9 is broken with respect to iptables-save
and the connection tracking match extension. You must patch your
- iptables using the patch available from the Shorewall errata page.
+ iptables using the patch available from the Shorewall
+ errata page.
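Review bot: Subject/verb disagreement survives the rewrap in the FAQ 34a title: "commands gives the same result" should be "commands give the same result". In the same hunk, the sentence about having to repeat "shorewall save" after every configuration change (otherwise the next reboot silently reverts to the old rules in /var/lib/shorewall/restore) is the one operational caveat readers are most likely to miss; it deserves the same Note treatment this documentation already uses elsewhere rather than sitting in passing at the end of a paragraph.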
@@ -1477,8 +1439,7 @@ Creating input Chains...
(FAQ 10) What Distributions does it work with?Shorewall works with any GNU/Linux distribution that includes the
- proper
- prerequisites.
+ proper prerequisites.
@@ -1510,15 +1471,14 @@ Creating input Chains...
(FAQ 23) Why do you use such ugly fonts on your web site?
- The Shorewall web site is almost font neutral (it doesn't
+ The Shorewall web site is almost font neutral (it doesn't
explicitly specify fonts except on a few pages) so the fonts you see are
- largely the default fonts configured in your browser. If you don't like
- them then reconfigure your browser.
+ largely the default fonts configured in your browser. If you don't
+ like them then reconfigure your browser.
- (FAQ 25) How to I tell which version of Shorewall I am
- running?
+ (FAQ 25) How to I tell which version of Shorewall I am running?At the shell prompt, type:
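Review bot: Typo carried over in the rewrapped FAQ 25 title: "How to I tell which version" should read "How do I tell which version".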
@@ -1539,8 +1499,7 @@ Creating input Chains...
- Tear Drop: Sending packets that contain overlapping
- fragments?
+ Tear Drop: Sending packets that contain overlapping fragments?Answer: This is the responsibility of the IP stack, not the
@@ -1558,8 +1517,7 @@ Creating input Chains...
blacklisting
facility. Shorewall versions 2.0.0 and later filter these packets
under the nosmurfs interface option in
- /etc/shorewall/interfaces.
+ /etc/shorewall/interfaces.
@@ -1569,8 +1527,8 @@ Creating input Chains...
Answer: Yes, if the routefilter interface
- option is selected.
+ url="Documentation.htm#Interfaces">routefilter interface option
+ is selected.
@@ -1579,10 +1537,10 @@ Creating input Chains...
Answer: Shorewall has facilities for limiting SYN and ICMP
- packets. Netfilter as included in standard Linux kernels doesn't
- support per-remote-host limiting except by explicit rule that
- specifies the host IP address; that form of limiting is supported
- by Shorewall.
+ packets. Netfilter as included in standard Linux kernels
+ doesn't support per-remote-host limiting except by explicit
+ rule that specifies the host IP address; that form of limiting is
+ supported by Shorewall.
@@ -1603,22 +1561,20 @@ Creating input Chains...
(FAQ 36) Does Shorewall Work with the 2.6 Linux Kernel?
- Shorewall works with the 2.6 Kernels with a couple of
- caveats:
+ Shorewall works with the 2.6 Kernels with a couple of caveats:
- Netfilter/iptables doesn't fully support IPSEC in the 2.6
+ Netfilter/iptables doesn't fully support IPSEC in the 2.6
Kernels -- there are interim instructions linked from the Shorewall IPSEC page.The 2.6 Kernels do not provide support for the logunclean and
- dropunclean options in
- /etc/shorewall/interfaces. Note that support
- for those options was also removed from Shorewall in version
- 2.0.0.
+ dropunclean options in /etc/shorewall/interfaces.
+ Note that support for those options was also removed from Shorewall
+ in version 2.0.0.
@@ -1628,10 +1584,10 @@ Creating input Chains...
RFC 1918
- (FAQ 14) I'm connected via a cable modem and it has an internal
- web server that allows me to configure/monitor it but as expected if I
- enable rfc1918 blocking for my eth0 interface (the internet one), it
- also blocks the cable modems web server.
+ (FAQ 14) I'm connected via a cable modem and it has an
+ internal web server that allows me to configure/monitor it but as
+ expected if I enable rfc1918 blocking for my eth0 interface (the
+ internet one), it also blocks the cable modems web server.Is there any way it can add a rule before the rfc1918 blocking
that will let all traffic to and from the 192.168.100.1 address of the
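Review bot: Missing apostrophe carried into the rewrapped FAQ 14 title: "the cable modems web server" should be "the cable modem's web server".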
@@ -1649,8 +1605,7 @@ Creating input Chains...
first copy /usr/share/shorewall/rfc1918 to
/etc/shorewall/rfc1918):
- Be sure that you add the entry ABOVE the entry for
- 192.168.0.0/16.
+ Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.#SUBNET TARGET
192.168.100.1 RETURN
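Review bot: "Be sure that you add the entry ABOVE the entry for 192.168.0.0/16" states the ordering requirement but not why it matters; one sentence saying that entries are matched in file order (which is what the requirement implies) would make the instruction self-explanatory. It is also worth saying explicitly that the example exempts a single host (192.168.100.1 RETURN), not the modem's whole 192.168.100.0/24, which keeps the hole in rfc1918 filtering on the external interface as small as possible; FAQ 14a tells readers to "simply substitute the IP address of your ISPs DHCP server", so a reminder that a host address and not a network is what to substitute belongs here.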
@@ -1668,9 +1623,10 @@ Creating input Chains...
- (FAQ 14a) Even though it assigns public IP addresses, my ISP's
- DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on
- my external interface, my DHCP client cannot renew its lease.
+ (FAQ 14a) Even though it assigns public IP addresses, my
+ ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918
+ filtering on my external interface, my DHCP client cannot renew its
+ lease.The solution is the same as above.
Simply substitute the IP address of your ISPs DHCP server.
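Review bot: "your ISPs DHCP server" needs an apostrophe ("ISP's"), matching the rewrapped title two lines above which already has it.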
@@ -1696,9 +1652,9 @@ Creating input Chains...
(FAQ 19) I have added entries to /etc/shorewall/tcrules but they
- don't seem to do anything. Why?
+ don't seem to do anything. Why?
- You probably haven't set TC_ENABLED=Yes in
+ You probably haven't set TC_ENABLED=Yes in
/etc/shorewall/shorewall.conf so the contents of the tcrules file are
simply being ignored.
@@ -1707,21 +1663,19 @@ Creating input Chains...
(FAQ 20) I have just set up a server. Do I have to change
Shorewall to allow access to my server from the internet?
- Yes. Consult the QuickStart guide that you
- used during your initial setup for information about how to set up rules
- for your server.
+ Yes. Consult the QuickStart
+ guide that you used during your initial setup for information
+ about how to set up rules for your server.
- (FAQ 24) How can I allow conections to let's say the ssh port
+ (FAQ 24) How can I allow conections to let's say the ssh port
only from specific IP Addresses on the internet?In the SOURCE column of the rule, follow net by a
- colon and a list of the host/subnet addresses as a comma-separated
- list.
+ colon and a list of the host/subnet addresses as a comma-separated list.
- net:<ip1>,<ip2>,...
+ net:<ip1>,<ip2>,...Example:
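Review bot: Spelling error carried over in the rewrapped FAQ 24 title: "conections" should be "connections". The answer itself (net:<ip1>,<ip2>,... in the SOURCE column) is the right least-exposure pattern for a service such as ssh, so this FAQ is worth keeping prominent.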
@@ -1733,16 +1687,15 @@ Creating input Chains...
(FAQ 26) When I try to use any of the SYN options in nmap on or
behind the firewall, I get operation not permitted. How
- can I use nmap with Shorewall?"
+ can I use nmap with Shorewall?"
- Edit /etc/shorewall/shorewall.conf and change
- NEWNOTSYN=No to NEWNOTSYN=Yes then restart
- Shorewall.
+ Edit /etc/shorewall/shorewall.conf and change NEWNOTSYN=No
+ to NEWNOTSYN=Yes then restart Shorewall.(FAQ 26a) When I try to use the -O option of
- nmap from the firewall system, I get operation not
- permitted. How do I allow this option?
+ nmap from the firewall system, I get operation not permitted.
+ How do I allow this option?
Add this command to your /etc/shorewall/start file:
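Review bot: The FAQ 26 answer tells the reader to change NEWNOTSYN=No to NEWNOTSYN=Yes for the whole firewall without saying what that setting relaxes or that it is a global change made to satisfy a scanning tool; it should at least point the reader at the comments on NEWNOTSYN in /etc/shorewall/shorewall.conf (the files are described elsewhere in this documentation as containing detailed configuration instructions) so the trade-off can be judged before a production configuration is changed. A stray closing quotation mark also survives at the end of the FAQ 26 title: with Shorewall?" should be with Shorewall?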
@@ -1751,35 +1704,34 @@ Creating input Chains...
- (FAQ 27) I'm compiling a new kernel for my firewall. What should
- I look out for?
+ (FAQ 27) I'm compiling a new kernel for my firewall. What
+ should I look out for?First take a look at the Shorewall kernel
configuration page. You probably also want to be sure that you
have selected the NAT of local connections
(READ HELP) on the Netfilter Configuration menu.
- Otherwise, DNAT rules with your firewall as the source zone won't work
- with your new kernel.
+ Otherwise, DNAT rules with your firewall as the source zone won't
+ work with your new kernel.
(FAQ 27a) I just built and installed a new kernel and now
- Shorewall won't start. I know that my kernel options are
- correct.
+ Shorewall won't start. I know that my kernel options are correct.
The last few lines of a startup
trace are these:+ run_iptables2 -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j
MASQUERADE
-+ '[' 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j
-MASQUERADE' = 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.
-0/0 -j MASQUERADE' ']'
++ '[' 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j
+MASQUERADE' = 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.
+0/0 -j MASQUERADE' ']'
+ run_iptables -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j
MASQUERADE
+ iptables -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j
MASQUERADE
iptables: Invalid argument
-+ '[' -z '' ']'
++ '[' -z '' ']'
+ stop_firewall
+ set +x
@@ -1801,275 +1753,37 @@ iptables: Invalid argument
Revision History
-
-
- 1.25
-
- 2004-04-25
-
- TE
-
- Update for Shorewall 2.0.2
-
-
-
- 1.24
-
- 2004-04-25
-
- TE
-
- Add MA Brown's notes on multi-ISP routing.
-
-
-
- 1.23
-
- 2004-04-22
-
- TE
-
- Refined SNAT rule in FAQ #2.
-
-
-
- 1.22
-
- 2004-04-06
-
- TE
-
- Added FAQ 36.
-
-
-
- 1.21
-
- 2004-03-05
-
- TE
-
- Added Bridging link.
-
-
-
- 1.20
-
- 2004-02-27
-
- TE
-
- Added FAQ 35.
-
-
-
- 1.19
-
- 2004-02-22
-
- TE
-
- Added mention of nosmurfs option under FAQ
- 31.
-
-
-
- 1.18
-
- 2004-02-15
-
- TE
-
- Added FAQ 34.
-
-
-
- 1.17
-
- 2004-02-11
-
- TE
-
- Added FAQ 33.
-
-
-
- 1.16
-
- 2004-02-03
-
- TE
-
- Updated for Shorewall 2.0.
-
-
-
- 1.15
-
- 2004-01-25
-
- TE
-
- Updated FAQ 32 to mention masquerading. Remove
- tables.
-
-
-
- 1.14
-
- 2004-01-24
-
- TE
-
- Added FAQ 27a regarding kernel/iptables
- incompatibility.
-
-
-
- 1.13
-
- 2004-01-24
-
- TE
-
- Add a note about the detectnets interface option in FAQ
- 9.
-
-
-
- 1.12
-
- 2004-01-20
-
- TE
-
- Improve FAQ 16 answer.
-
-
-
- 1.11
-
- 2004-01-14
-
- TE
-
- Corrected broken link
-
-
-
- 1.10
-
- 2004-01-09
-
- TE
-
- Added a couple of more legacy FAQ numbers.
-
-
-
- 1.9
-
- 2004-01-08
-
- TE
-
- Corrected typo in FAQ 26a. Added warning to FAQ 2
- regarding source address of redirected requests.
-
-
-
- 1.8
-
- 2003-12-31
-
- TE
-
- Additions to FAQ 4.
-
-
-
- 1.7
-
- 2003-12-30
-
- TE
-
- Remove dead link from FAQ 1.
-
-
-
- 1.6
-
- 2003.12-18
-
- TE
-
- Add external link reference to FAQ 17.
-
-
-
- 1.5
-
- 2003-12-16
-
- TE
-
- Added a link to a Sys Admin article about multiple
- internet interfaces. Added Legal Notice. Moved "abstract" to the
- body of the document. Moved Revision History to this
- Appendix.
-
-
-
- 1.4
-
- 2003-12-13
-
- TE
-
- Corrected formatting problems
-
-
-
- 1.3
-
- 2003-12-10
-
- TE
-
- Changed the title of FAQ 17
-
-
-
- 1.2
-
- 2003-12-09
-
- TE
-
- Added Copyright and legacy FAQ numbers
-
-
-
- 1.1
-
- 2003-12-04
-
- MN
-
- Converted to Simplified DocBook XML
-
-
-
- 1.0
-
- 2002-08-13
-
- TE
-
- Initial revision
-
-
+ 1.252004-05-18TEEmpty
+ /etc/shorewall on Debian.1.252004-05-08TEUpdate
+ for Shorewall 2.0.21.242004-04-25TEAdd
+ MA Brown's notes on multi-ISP routing.1.232004-04-22TERefined
+ SNAT rule in FAQ #2.1.222004-04-06TEAdded
+ FAQ 36.1.212004-03-05TEAdded
+ Bridging link.1.202004-02-27TEAdded
+ FAQ 35.1.192004-02-22TEAdded
+ mention of nosmurfs option under FAQ 31.1.182004-02-15TEAdded
+ FAQ 34.1.172004-02-11TEAdded
+ FAQ 33.1.162004-02-03TEUpdated
+ for Shorewall 2.0.1.152004-01-25TEUpdated
+ FAQ 32 to mention masquerading. Remove tables.1.142004-01-24TEAdded
+ FAQ 27a regarding kernel/iptables incompatibility.1.132004-01-24TEAdd
+ a note about the detectnets interface
+ option in FAQ 9.1.122004-01-20TEImprove
+ FAQ 16 answer.1.112004-01-14TECorrected
+ broken link1.102004-01-09TEAdded
+ a couple of more legacy FAQ numbers.1.92004-01-08TECorrected
+ typo in FAQ 26a. Added warning to FAQ 2 regarding source address of
+ redirected requests.1.82003-12-31TEAdditions
+ to FAQ 4.1.72003-12-30TERemove
+ dead link from FAQ 1.1.62003.12-18TEAdd
+ external link reference to FAQ 17.1.52003-12-16TEAdded
+ a link to a Sys Admin article about multiple internet interfaces. Added
+ Legal Notice. Moved "abstract" to the body of the document. Moved
+ Revision History to this Appendix.1.42003-12-13TECorrected
+ formatting problems1.32003-12-10TEChanged
+ the title of FAQ 171.22003-12-09TEAdded
+ Copyright and legacy FAQ numbers1.12003-12-04MNConverted
+ to Simplified DocBook XML1.02002-08-13TEInitial
+ revision
\ No newline at end of file
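Review bot: Two entries in the rewritten Revision History now carry revision number 1.25 (2004-05-18 "Empty /etc/shorewall on Debian" and 2004-05-08 "Update for Shorewall 2.0.2"); the new entry should be 1.26. The existing 1.25 entry's date also changed from 2004-04-25 to 2004-05-08 in this hunk, which looks unintended. The date typo "2003.12-18" in entry 1.6 survives the reformat and could be corrected to 2003-12-18 while the list is being rewritten, and the file now ends without a trailing newline.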
diff --git a/Shorewall-docs2/FTP.xml b/Shorewall-docs2/FTP.xml
index 6b3c96afe..0d11ccf5c 100644
--- a/Shorewall-docs2/FTP.xml
+++ b/Shorewall-docs2/FTP.xml
@@ -15,7 +15,7 @@
- 2004-04-26
+ 2004-05-192003
@@ -74,9 +74,9 @@
MODULE_SUFFIX="o gz ko o.gz ko.gz"The version of insmod shipped with 10.0 also does
- not comprehend these module files so you will also need to change
- /usr/share/shorewall/firewall -- replace the line
- that reads:
+ not comprehend these module files so you will also need Shorewall 2.0.2 or
+ later OR you need to change /usr/share/shorewall/firewall
+ -- replace the line that reads:
insmod $modulefile $*
@@ -278,22 +278,22 @@ jbd 47860 2 [ext3]
If your FTP helper modules are compressed and have the names
ip_nat_ftp.o.gz and ip_conntrack_ftp.o.gz then you
will need Shorewall 1.4.7 or later if you want Shorewall to load them for
- you.
+ you. If your helper modules have names ip_nat_ftp.ko.gz and
+ ip_conntrack_ftp.ko.gz then you will need Shorewall 2.0.2 or
+ later if you want Shorewall to load them for you.
+
- Server configuration is covered in the /etc/shorewall/rules documentation,
-
- For a client, you must open outbound TCP port 21.
+
+ FTP on Non-standard PortsThe above discussion about commands and responses makes it clear
that the FTP connection-tracking and NAT helpers must scan the traffic on
the control connection looking for PASV and PORT commands as well as PASV
responses. If you run an FTP server on a nonstandard port or you need to
access such a server, you must therefore let the helpers know by
- specifying the port in /etc/shorewall/modules entries for the helpers. For
- example, if you run an FTP server that listens on port 49 or you need to
- access a server on the internet that listens on that port then you would
- have:
+ specifying the port in /etc/shorewall/modules entries for the helpers.
+ You must have modularized FTP connection tracking support
+ in order to use FTP on a non-standard port.if you run an FTP server that listens on port 49 or you need to
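Review bot: The new paragraph runs straight from the "You must have modularized FTP connection tracking support" note into a lower-case fragment, "if you run an FTP server that listens on port 49 or you need to"; that fragment should open a new sentence ("For example, if you run..."), which is how the deleted text read. The removed lines "Server configuration is covered in the /etc/shorewall/rules documentation" and "For a client, you must open outbound TCP port 21" are superseded by the new Rules section later in this file, so the deletion is fine provided this section links to that one.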
@@ -317,54 +317,52 @@ options ip_nat_ftp ports=21,49
/etc/shorewall/modules and/or /etc/modules.conf, you must either:Unload
the modules and restart shorewall:rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restartReboot
+
- One problem that I see occasionally involves active mode and the FTP
- server in my DMZ. I see the active data connection to certain client IP addresses being continuously
- rejected by my firewall. It is my conjecture that there is some broken
- client out there that is sending a PORT command that is being either
- missed or mis-interpreted by the FTP connection tracking helper yet it is
- being accepted by my FTP server. My solution is to add the following rule:
+
+ Rules
-
-
-
-
- ACTION
+ If the policy from the source zone to the destination zone is ACCEPT
+ and you don't need DNAT (see FAQ 30)
+ then you need no rule.
- SOURCE
+ Otherwise, for FTP you need exactly one
+ rule:
- DESTINATION
+ #ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
+# PORT(S) DESTINATION
+ACCEPT or <source> <destination> tcp 21 <external IP addr> if
+DNAT ACTION = DNAT
- PROTOCOL
+ You need an entry in the ORIGINAL DESTINATION column only if the
+ ACTION is DNAT, you have multiple external IP addresses and you want a
+ specific IP address to be forwarded to your server.
- PORT(S)
+ Note that you do NOT need a rule
+ with 20 (ftp-data) in the PORT(S) column. If you post your rules on the
+ mailing list and they show 20 in the PORT(S) column, I will know that you
+ haven't read this article and I will either ignore your post or tell
+ you to RTFM.Server running behind a Masquerading GatewaySuppose
+ that you run an FTP server on 192.168.1.5 in your local zone using the
+ standard port (21). You need this rule: #ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
+# PORT(S) DESTINATION
+DNAT net loc:192.168.1.5 tcp 21Allow
+ your DMZ FTP access to the Internet#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
+# PORT(S) DESTINATION
+ACCEPT dmz net tcp 21
- SOURCE PORT(S)
+ Note that the FTP connection tracking in the kernel cannot handle
+ cases where a PORT command (or PASV reply) is broken across two packets.
+ When such cases occur, you will see a console message similar to this one:
- ORIGINAL DESTINATION
-
-
+ Apr 28 23:55:09 gateway kernel: conntrack_ftp: partial PORT 715014972+1
-
-
- ACCEPT:info
+ I see this problem occasionally with the FTP server in my DMZ. My
+ solution is to add the following rule:
- dmz
-
- net
-
- tcp
-
- -
-
- 20
-
-
-
-
-
-
+ #ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
+# PORT(S) DESTINATION
+ACCEPT:info dmz net tcp - 20The above rule accepts and logs all active mode connections from my
DMZ to the net.
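Review bot: The ACCEPT:info dmz net tcp - 20 workaround at the end of this hunk accepts any TCP connection from the DMZ to the net whose SOURCE PORT(S) value is 20, whether or not it belongs to an FTP session the helper is tracking; the closing sentence ("accepts and logs all active mode connections") understates that, and a reader copying the rule should be told it is a deliberate widening of dmz to net for a broken-client case, with the :info logging kept so that every connection accepted through it stays visible in the log. In the generic template earlier in the hunk, "ACCEPT or" / "DNAT" split across two lines with "if ACTION = DNAT" sitting in the ORIGINAL DESTINATION column reads like literal rules-file content; stating the alternatives in prose above a single example line would avoid a copy-and-paste mistake. The "conntrack_ftp: partial PORT" console message is a useful diagnostic to have documented.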
diff --git a/Shorewall-docs2/Install.xml b/Shorewall-docs2/Install.xml
index eba86f739..eb22fc6c0 100644
--- a/Shorewall-docs2/Install.xml
+++ b/Shorewall-docs2/Install.xml
@@ -15,7 +15,7 @@
- 2004-05-09
+ 2004-05-182001
@@ -39,6 +39,21 @@
+
+ Note to Debian Users
+
+ If you install using the .deb, you will find that your /etc/shorewall directory is empty. This is
+ intentional. The released configuration file skeletons may be found on
+ your system in the directory /usr/share/doc/shorewall/default-config.
+ Simply copy the files you need from that directory to /etc/shorewall and modify the copies.
+
+ Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf
+ to /etc/shorewall even if you do
+ not modify it.
+
+
Install using RPM
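Review bot: The "Note to Debian Users" text is pasted verbatim into three files in this change (Install.xml, shorewall_setup_guide.xml and standalone.xml); keep one canonical copy and link to it from the others, otherwise a future change to the default-config path has to be made in three places. The second paragraph (shorewall.conf must be copied even if it is not modified) is the part most likely to catch people out and is better as a DocBook note than as running text, and the note should also mention the Debian-specific startup step documented in starting_and_stopping_shorewall.xml in this same change (edit /etc/default/shorewall and set startup=1), since a Debian user reading only the install instructions will otherwise have a populated /etc/shorewall and a firewall that still does not start at boot.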
diff --git a/Shorewall-docs2/errata.xml b/Shorewall-docs2/errata.xml
index 3c525d0ff..3c899de0b 100644
--- a/Shorewall-docs2/errata.xml
+++ b/Shorewall-docs2/errata.xml
@@ -13,7 +13,7 @@
- 2004-05-10
+ 2004-05-172001-2004
@@ -87,6 +87,42 @@
Problems in Version 2.0
+
+ Shorewall 2.0.2
+
+
+
+ Temporary restore files with names of the form
+ restore-nnnnn are left in
+ /var/lib/shorewall.
+
+
+
+ "shorewall restore" and "shorewall -f start"
+ do not load kernel modules.
+
+
+
+ Specifying a null common action in /etc/shorewall/actions
+ (e.g., :REJECT) results in a startup error.
+
+
+
+ If /var/lib/shorewall does not exist,
+ shorewall start fails.
+
+
+
+ These problems are corrected by the firewall
+ and functions files in this directory.
+ Both files must be installed in /usr/share/shorewall/firewall
+ as described above.
+
+ The first two problems are also corrected in Shorewall version
+ 2.0.2a while all four problems are corrected in 2.0.2b.
+
+
Shorewall 2.0.1
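Review bot: "Both files must be installed in /usr/share/shorewall/firewall as described above" cannot be right for two files: the firewall file goes to /usr/share/shorewall/firewall, but the hunk never says where the functions file goes (presumably alongside it under /usr/share/shorewall, though that is an assumption the text should confirm). The version statement could also be one sentence clearer: since the first two problems are fixed in 2.0.2a and all four only in 2.0.2b, a 2.0.2a user still needs the updated files for the null common action and missing /var/lib/shorewall problems, which is worth spelling out to avoid support questions.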
@@ -201,7 +237,9 @@
Revision History
- 1.142004-05-10TEAdd
+ 1.162004-05-17TEAdded
+ null common action bug.1.152004-05-16TEAdded
+ 2.0.2 bugs1.142004-05-10TEAdd
link to Netfilter CVS1.132004-05-04TEAdd
Alex Wilms's "install.sh" fix.1.122004-05-03TEAdd
Stefan Engel's "shorewall delete" fix.1.112004-04-28TEAdd
diff --git a/Shorewall-docs2/kernel.xml b/Shorewall-docs2/kernel.xml
index 9d102e3cf..5afb99701 100644
--- a/Shorewall-docs2/kernel.xml
+++ b/Shorewall-docs2/kernel.xml
@@ -15,10 +15,10 @@
- 2003-07-20
+ 2004-05-19
- 2001-2003
+ 2001-2004Thomas M. Eastep
@@ -89,8 +89,8 @@
Note that I have built everything I need as modules. You can also
build everything into your kernel but if you want to be able to deal with
- FTP running on a non-standard port then I recommend that you modularize
- FTP Protocol support.
+ FTP running on a non-standard port then you must
+ modularize FTP Protocol support.Here's the corresponding part of my .config file:
diff --git a/Shorewall-docs2/shorewall_setup_guide.xml b/Shorewall-docs2/shorewall_setup_guide.xml
index 88da3221c..f9fe77b3c 100644
--- a/Shorewall-docs2/shorewall_setup_guide.xml
+++ b/Shorewall-docs2/shorewall_setup_guide.xml
@@ -15,7 +15,7 @@
- 2004-04-03
+ 2004-05-182001-2004
@@ -97,7 +97,16 @@
/etc/shorewall -- for most setups,
you will only need to deal with a few of these as described in this guide.
Skeleton files are created during the Shorewall Installation
- Process.
+ Process.Note to Debian UsersIf
+ you install using the .deb, you will find that your /etc/shorewall directory is empty. This is
+ intentional. The released configuration file skeletons may be found on
+ your system in the directory /usr/share/doc/shorewall/default-config.
+ Simply copy the files you need from that directory to /etc/shorewall and modify the copies.Note
+ that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf
+ to /etc/shorewall even if you do
+ not modify it.As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration
diff --git a/Shorewall-docs2/standalone.xml b/Shorewall-docs2/standalone.xml
index 93f7968c0..acf6281db 100644
--- a/Shorewall-docs2/standalone.xml
+++ b/Shorewall-docs2/standalone.xml
@@ -15,7 +15,7 @@
- 2004-04-22
+ 2004-05-182002-2004
@@ -133,6 +133,21 @@
files to /etc/shorewall (they will replace files with the same names that
were placed in /etc/shorewall during Shorewall installation).
+
+ Note to Debian Users
+
+ If you install using the .deb, you will find that your /etc/shorewall directory is empty. This is
+ intentional. The released configuration file skeletons may be found on
+ your system in the directory /usr/share/doc/shorewall/default-config.
+ Simply copy the files you need from that directory to /etc/shorewall and modify the copies.
+
+ Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf
+ to /etc/shorewall even if you do
+ not modify it.
+
+
As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration
instructions and default entries.
diff --git a/Shorewall-docs2/starting_and_stopping_shorewall.xml b/Shorewall-docs2/starting_and_stopping_shorewall.xml
index 6ee0a628a..07f6d7a78 100644
--- a/Shorewall-docs2/starting_and_stopping_shorewall.xml
+++ b/Shorewall-docs2/starting_and_stopping_shorewall.xml
@@ -15,7 +15,7 @@
- 2004-05-03
+ 2004-05-142001-2004
@@ -29,8 +29,7 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
- GNU Free Documentation
- License.
+ GNU Free Documentation License.
@@ -42,7 +41,7 @@
url="Install.htm">installation procedure attempts to set up the
init scripts to start the firewall in run levels 2-5 and stop it in run
levels 1 and 6. If you want to configure your firewall differently from
- this default, you can use your distribution's run-level editor.
+ this default, you can use your distribution's run-level editor.
@@ -50,9 +49,8 @@
Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled. Note:
- Users of the .deb package must edit
- /etc/default/shorewall and set
- startup=1.
+ Users of the .deb package must edit /etc/default/shorewall
+ and set startup=1.
@@ -72,15 +70,15 @@
shorewall [ -q ] [ -f ] start - starts the
firewall. It important to understand that when the firewall is in the
- Started state there is no
- Shorewall Programrunning. It rather
- means that Netfilter has been configured to handle traffic as
- described in your Shorewall configuration files. Please refer to the
- Shorewall State Diagram as shown at the
- bottom of this page for more information. The -q option was added in
- Shorewall 2.0.2 Beta 1 and reduces the amout of output produced. Also
- beginning with Shorewall version 2.0.2 Beta 1, the -f option may be
- specified; if this option is given and the file
+ Started state there is
+ no Shorewall Programrunning.
+ It rather means that Netfilter has been configured to handle traffic
+ as described in your Shorewall configuration files. Please refer to
+ the Shorewall State Diagram as shown at
+ the bottom of this page for more information. The -q option was added
+ in Shorewall 2.0.2 Beta 1 and reduces the amout of output produced.
+ Also beginning with Shorewall version 2.0.2 Beta 1, the -f option may
+ be specified; if this option is given and the file
/var/lib/shorewall/restore is present (see
shorewall save below), then that script is run to
restore the state of the firewall to the state when
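Review bot: Typo carried over in the rewrapped text: "amout of output" should be "amount of output". While here, the unchanged context line "It important to understand" is missing "is", and "Shorewall Programrunning" looks like a lost space after the emphasised phrase.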
@@ -93,10 +91,9 @@
shorewall stop - stops the firewall; the only
traffic permitted through the firewall is from systems listed in
/etc/shorewall/routestopped (Beginning with
- version 1.4.7, if ADMINISABSENTMINDED=Yes in
- /etc/shorewall/shorewall.conf then in addition,
- all existing connections are permitted and any new connections
- originating from the firewall itself are allowed).
+ version 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf
+ then in addition, all existing connections are permitted and any new
+ connections originating from the firewall itself are allowed).
@@ -113,8 +110,7 @@
shorewall clear - remove all rules and chains
- installed by Shoreline Firewall. The firewall is wide
- open
+ installed by Shoreline Firewall. The firewall is wide open
@@ -125,9 +121,9 @@
shorewall save - Beginning with Shorewall
- 2.0.2 Beta1, this command creates a script
- /var/lib/shorewall/restore which when run will
- restore the state of the firewall to its current state.
+ 2.0.2 Beta1, this command creates a script /var/lib/shorewall/restore
+ which when run will restore the state of the firewall to its current
+ state.
@@ -146,14 +142,13 @@
If you include the keyword debug as the first argument, then a shell
trace of the command is produced as in:
- shorewall debug start 2> /tmp/traceThe
+ shorewall debug start 2> /tmp/traceThe
above command would trace the start command and place the
trace information in the file /tmp/traceBeginning with version 1.4.7, shorewall can give detailed help about
each of its commands: shorewall help [ command | host | address ]The
- shorewall program may also be used to monitor the
- firewall.
+ shorewall program may also be used to monitor the firewall.
@@ -162,24 +157,21 @@
- shorewall show <chain1> [ <chain2> ...
- ] - produce a verbose report about the listed chains
- (iptables -L chain -n -v) Note: You may only list
- one chain in the show command when running Shorewall version 1.4.6 and
- earlier. Version 1.4.7 and later allow you to list multiple chains in
- one command.
+ shorewall show <chain1> [ <chain2> ...
+ ] - produce a verbose report about the listed chains (iptables
+ -L chain -n -v) Note: You may only list one chain in the
+ show command when running Shorewall version 1.4.6 and earlier. Version
+ 1.4.7 and later allow you to list multiple chains in one command.shorewall show nat - produce a verbose report
- about the nat table (iptables -t nat -L -n
- -v)
+ about the nat table (iptables -t nat -L -n -v)
shorewall show tos - produce a verbose report
- about the mangle table (iptables -t mangle -L -n
- -v)
+ about the mangle table (iptables -t mangle -L -n -v)
@@ -198,18 +190,17 @@
- shorewall monitor [ <delay> ] -
+ shorewall monitor [ <delay> ] -
Continuously display the firewall status, last 20 log entries and nat.
When the log entry display changes, an audible alarm is sounded. The
- <delay> indicates the number of seconds
+ <delay> indicates the number of seconds
between updates with the default being 10 seconds.shorewall hits - Produces several reports
about the Shorewall packet log messages in the current log file named
- in the LOGFILE variable in
- /etc/shorewall/shorewall.conf.
+ in the LOGFILE variable in /etc/shorewall/shorewall.conf.
@@ -219,27 +210,21 @@
shorewall check - Performs a cursory
- validation of the zones, interfaces, hosts, rules and policy
- files.
- The check command is
- totally unsuppored and does not parse and validate the generated
- iptables commands. Even though the check command
- completes successfully, the configuration may fail to start.
- Problem reports that complain about errors that the
- check command does not detect will not be
- accepted.
-
- See the recommended way to make configuration changes
- described below.
-
+ validation of the zones, interfaces, hosts, rules and policy files.The
+ check command is totally unsuppored
+ and does not parse and validate the generated iptables commands. Even
+ though the check command completes successfully, the
+ configuration may fail to start. Problem reports that complain about
+ errors that the check command does not detect will not
+ be accepted.See the recommended way to make configuration
+ changes described below.
- shorewall try
- <configuration-directory> [
- <timeout> ] - Restart shorewall using the specified
- configuration and if an error occurs or if the
- <timeout> option is given and the new
+ shorewall try <configuration-directory>
+ [ <timeout> ] - Restart shorewall using the
+ specified configuration and if an error occurs or if the
+ <timeout> option is given and the new
configuration has been up for that many seconds then shorewall is
restarted using the standard configuration.
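Review bot: "totally unsuppored" should be "totally unsupported". Merging the warning about the check command not parsing the generated iptables commands into one long paragraph also buries the "See the recommended way to make configuration changes described below" pointer; keeping that sentence as its own paragraph preserves the emphasis the previous version gave it and keeps the reader's eye on the try command as the safe way to validate a change.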
@@ -256,17 +241,16 @@
- shorewall ipcalc [ <address> <mask> |
- <address>/<vlsm> ] - displays the network
+ shorewall ipcalc [ <address> <mask> |
+ <address>/<vlsm> ] - displays the network
address, broadcast address, network in CIDR notation and netmask
corresponding to the input[s].
- shorewall iprange
- <address1>-<address2> - Decomposes the specified
- range of IP addresses into the equivalent list of network/host
- addresses
+ shorewall iprange <address1>-<address2>
+ - Decomposes the specified range of IP addresses into the equivalent
+ list of network/host addresses
@@ -275,19 +259,19 @@
- shorewall drop <ip address list> -
+ shorewall drop <ip address list> -
causes packets from the listed IP addresses to be silently dropped by
the firewall.
- shorewall reject <ip address list> -
+ shorewall reject <ip address list> -
causes packets from the listed IP addresses to be rejected by the
firewall.
- shorewall allow <ip address list> -
+ shorewall allow <ip address list> -
re-enables receipt of packets from hosts previously blacklisted by a
drop or reject command.
@@ -296,7 +280,7 @@
shorewall save - save the dynamic
blacklisting configuration so that it will be automatically restored
the next time that the firewall is restarted. Beginning with Shorewall
- version 2.0.2 Beta1, this command also creats the
+ version 2.0.2 Beta1, this command also creates the
/var/lib/shorewall/restore script as described
above.
@@ -312,15 +296,15 @@
- shorewall add <interface>[:<host>]
- <zone> - Adds the specified interface (and host if
+ shorewall add <interface>[:<host>]
+ <zone> - Adds the specified interface (and host if
included) to the specified zone.
- shorewall delete <interface>[:<host>]
- <zone> - Deletes the specified interface (and host if
- included) from the specified zone.
+ shorewall delete <interface>[:<host>]
+ <zone> - Deletes the specified interface (and host
+ if included) from the specified zone.Examples:shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1
@@ -331,11 +315,11 @@
Error Handling
- When shorewall start, shorewall
- restart or shorewall refresh encounter an
- error, the behavior depends on which version of Shorewall you are running
- and whether there is a /var/lib/shorewall/restore
- script available (see shorewall save above).
+ When shorewall start, shorewall restart
+ or shorewall refresh encounter an error, the behavior
+ depends on which version of Shorewall you are running and whether there is
+ a /var/lib/shorewall/restore script available (see
+ shorewall save above).
@@ -347,8 +331,8 @@
If you have executed a shorewall save command
without a subsequent shorewall forget, then the
- firewall is restored to the state when shorewall
- save was executed.
+ firewall is restored to the state when shorewall save
+ was executed.
@@ -356,23 +340,21 @@
Alternate Configurations
- The shorewall start, shorewall
- restart, shorewall check, and
- shorewall try commands allow you to specify which
- Shorewall configuration to use:
+ The shorewall start, shorewall restart,
+ shorewall check, and shorewall try commands
+ allow you to specify which Shorewall configuration to use:
- shorewall [ -c <configuration-directory> ] {start|restart|check}
- shorewall try <configuration-directory>
+ shorewall [ -c <configuration-directory> ] {start|restart|check}
+ shorewall try <configuration-directory> [ <timeout> ]
- If a <configuration-directory> is
+ If a <configuration-directory> is
specified, each time that Shorewall is going to use a file in /etc/shorewall it will first look in
- the <configuration-directory> . If the file is
- present in the <configuration-directory>, that
- file will be used; otherwise, the file in /etc/shorewall will be used. When changing
- the configuration of a production firewall, I recommend the
- following:
+ class="directory">/etc/shorewall it will first look in the
+ <configuration-directory> . If the file is present in
+ the <configuration-directory>, that file will
+ be used; otherwise, the file in /etc/shorewall
+ will be used. When changing the configuration of a production firewall, I
+ recommend the following:
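Review bot: the rewritten synopsis adds an optional [ <timeout> ] to shorewall try, but the prose that follows never explains it: no unit, no default, no statement of what happens when it expires. The only hint is the table at the end of the file ("If timeout then firewall restart (standard configuration)"). Add a sentence right after the synopsis along the lines of "If a <timeout> is given and the new configuration has been running for that long, the standard configuration is restarted." Minor: the reflowed line "the <configuration-directory> ." keeps the stray space before the period from the old text.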
@@ -384,8 +366,8 @@
- <copy any files that you need to change from /etc/shorewall
- to . and change them here>
+ <copy any files that you need to change from /etc/shorewall
+ to . and change them here>
@@ -393,7 +375,7 @@
- <correct any errors found by check and check again>
+ <correct any errors found by check and check again>
@@ -401,10 +383,10 @@
- If the configuration starts but doesn't work, just shorewall
- restart to restore the old configuration. If the new configuration
- fails to start, the try command will automatically start
- the old one for you.
+ If the configuration starts but doesn't work, just
+ shorewall restart to restore the old configuration. If the
+ new configuration fails to start, the try command will
+ automatically start the old one for you.When the new configuration works then just:
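Review bot: this paragraph still covers only the case where the new configuration fails to start; with the timeout now in the synopsis it should also cover the case where the new configuration starts but locks you out, since that is exactly the situation the timeout exists for. Per the table below, when the timeout elapses the standard configuration is restarted, so a remote administrator gets the box back without console access. One sentence here, e.g. "If you gave a <timeout> and do not restart within it, the old configuration is restarted automatically", and the recommended procedure is complete.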
@@ -432,8 +414,7 @@
You will note that the commands that result in state transitions use
the word firewall rather than shorewall.
- That is because the actual transitions are done by
- /usr/share/shorewall/firewall;
+ That is because the actual transitions are done by /usr/share/shorewall/firewall;
/sbin/shorewall runs firewall according
to the following table:
@@ -478,8 +459,7 @@
firewall restart
- Logically equivalent to firewall stop;firewall
- start
+ Logically equivalent to firewall stop;firewall start
@@ -527,7 +507,7 @@
shorewall try
- firewall -c <new configuration> restart If
+ firewall -c <new configuration> restart If
unsuccessful then firewall start (standard configuration) If
timeout then firewall restart (standard configuration)
@@ -541,36 +521,12 @@
Revision History
-
-
- 1.3-1.8
-
- 2004-01-04
-
- TE
-
- Docbook standards
-
-
-
- 1.2
-
- 2003-12-31
-
- TE
-
- Added clarification about "Started State"
-
-
-
- 1.1
-
- 2003-12-29
-
- TE
-
- Initial Docbook conversion
-
-
+ 1.102004-05-14TEUpdate
+ "try" syntax in the alternate configuration section to include [
+ <timeout> ]1.92004-05-03TEShorewall
+ 2.0.21.3-1.82004-01-04TEDocbook
+ standards1.22003-12-31TEAdded
+ clarification about "Started State"1.12003-12-29TEInitial
+ Docbook conversion
\ No newline at end of file
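Review bot: the new 1.9 entry reads just "Shorewall 2.0.2", which says nothing about what changed in the document; the only 2.0.2-specific change visible in this patch is the note that shorewall save now also creates /var/lib/shorewall/restore, so the entry should state that. Also, the rewritten block drops the file's trailing newline ("\ No newline at end of file" now appears after the + lines but not the - lines); restore it so the next diff of this file stays clean.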
diff --git a/Shorewall-docs2/support.xml b/Shorewall-docs2/support.xml
index 8a922eb04..1452c3f55 100644
--- a/Shorewall-docs2/support.xml
+++ b/Shorewall-docs2/support.xml
@@ -15,7 +15,7 @@
- 2004-03-15
+ 2004-05-162001-2004
@@ -214,8 +214,9 @@
If an error occurs when you try to shorewall
- start, include a trace (See the Troubleshooting
- section for instructions).
+ start, include a trace (See the Troubleshooting section for
+ instructions).
@@ -290,7 +291,8 @@
Revision History
- 1.42003-03-15TERemove
+ 1.52003-05-16TEAdd
+ link to the troubleshooting section1.42003-03-15TERemove
Newbies Mailing List.1.32003-02-19TEAdmonish
against including "iptables -L" output.1.22003-01-01TERemoved
.GIF and moved note about unsupported releases. Move Revision History to
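Review bot: the new 1.5 revision entry is dated 2003-05-16, but the pubdate in this same patch is bumped to 2004-05-16; the year is off by one. The 1.4 entry shows the same 2003/2004 mismatch against the old 2004-03-15 pubdate, so it looks like a pattern of copying the month and day without the year. Make the 1.5 entry 2004-05-16 and fix 1.4 while here.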
diff --git a/Shorewall-docs2/three-interface.xml b/Shorewall-docs2/three-interface.xml
index 9ca6c7ac7..fa157dd2c 100755
--- a/Shorewall-docs2/three-interface.xml
+++ b/Shorewall-docs2/three-interface.xml
@@ -15,7 +15,7 @@
- 2004-04-22
+ 2004-05-182002-2004
@@ -157,12 +157,23 @@
The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only
- need to deal with a few of these as described in this guide. After you
- have installed Shorewall, download the three-interface sample, un-tar it (tar
- three-interfaces.tgz)
- and and copy the files to /etc/shorewall (the files
- will replace files with the same names that were placed in
- /etc/shorewall when Shorewall was installed).
+ need to deal with a few of these as described in this guide.Note to Debian UsersIf you install
+ using the .deb, you will find that your /etc/shorewall
+ directory is empty. This is intentional. The released configuration file
+ skeletons may be found on your system in the directory /usr/share/doc/shorewall/default-config.
+ Simply copy the files you need from that directory to /etc/shorewall and modify the copies.Note
+ that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf
+ to /etc/shorewall even if you do not modify it.
+
+ After you have installed Shorewall, download the three-interface
+ sample, un-tar it (tar
+ three-interfaces.tgz) and and copy the
+ files to /etc/shorewall (the files will replace files
+ with the same names that were placed in /etc/shorewall
+ when Shorewall was installed).As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration
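Review bot: the paragraph reflowed after the new Debian note now contradicts it for the readers it was written for: the Debian note says /etc/shorewall is empty after a .deb install, while the next sentence says the sample files "will replace files with the same names that were placed in /etc/shorewall when Shorewall was installed". Qualify that parenthetical (e.g. "on non-Debian installs") or drop it. The reflow also carries the duplicated "and and copy the files" through unchanged; fix it while touching the line.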
diff --git a/Shorewall-docs2/two-interface.xml b/Shorewall-docs2/two-interface.xml
index d82768793..d38c3d5c3 100644
--- a/Shorewall-docs2/two-interface.xml
+++ b/Shorewall-docs2/two-interface.xml
@@ -12,7 +12,7 @@
Eastep
- 2003-04-22
+ 2003-05-182002
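Review bot: the pubdate here becomes 2003-05-18 while three-interface.xml, support.xml and Documentation_Index.xml in this same patch are bumped to 2004-05-18 and 2004-05-16; the old value 2003-04-22 and the copyright that stops at 2002 suggest this file's dates have been stale for a while. Use 2004-05-18 and extend the copyright to 2002-2004 to match three-interface.xml.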
@@ -146,7 +146,18 @@
The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple
setups, you will only need to deal with a few of these as described in
- this guide. After you have installed
+ this guide.Note to Debian UsersIf
+ you install using the .deb, you will find that your /etc/shorewall directory is empty. This is
+ intentional. The released configuration file skeletons may be found on
+ your system in the directory /usr/share/doc/shorewall/default-config.
+ Simply copy the files you need from that directory to /etc/shorewall and modify the copies.Note
+ that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf
+ to /etc/shorewall even if you do
+ not modify it.
+
+ After you have installed
Shorewall, download the two-interface
sample, un-tar it (tar
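Review bot: this is the third verbatim copy of the "Note to Debian Users" text in the patch (the FAQ and three-interface.xml carry the same wording, down to the reminder that shorewall.conf must be copied even when unmodified). Three hand-maintained copies will drift the next time the default-config path or the advice changes; consider keeping the admonition once and pulling it into each file with a DocBook entity or include, and have the FAQ entry be the canonical text. The same "nothing was placed in /etc/shorewall" contradiction noted for three-interface.xml applies to the paragraph that follows this note here.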