holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Docs

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1972 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-03-01 20:20:26 +00:00
parent 365a582729
commit 04a32e93c6
5 changed files with 117 additions and 109 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
Shorewall-docs2/FAQ.xml
View File

@ -17,7 +17,7 @@
</author>
</authorgroup>
<pubdate>2004-12-31</pubdate>
<pubdate>2005-03-01</pubdate>
<copyright>
<year>2001-2004</year>
@ -296,19 +296,10 @@ DNAT net loc:192.168.1.3:22 tcp 1022</programlisting>
<para>If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your external interface
is eth0 and your internal interface is eth1 and that eth1 has IP address
192.168.1.254 with subnet 192.168.1.0/24.</para>
<para>If you are running Shorewall 1.4.0 or earlier see the <ulink
url="1.3/FAQ.htm#faq2">1.3 FAQ</ulink> for instructions suitable for
those releases.</para>
<para>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
upgrade to Shorewall 1.4.2 or later.</para>
<para>Otherwise:<warning>
<para>In this configuration, all loc-&gt;loc traffic will look to
the server as if it came from the firewall rather than from the
original client!</para>
192.168.1.254 with subnet 192.168.1.0/24:<warning>
<para>All traffic redirected through use of this hack will look to
the server as if it came from the firewall (192.168.1.254) rather
than from the original client!</para>
</warning></para>
<itemizedlist>
@ -645,11 +636,6 @@ SPT=33120 DPT=5000 LEN=22</programlisting>
<programlisting># TYPE ZONE GATEWAY GATEWAY
# ZONE
generic:udp:5000 net 69.145.71.133</programlisting>
<caution>
<para>You must be running Shorewall 1.4.6 or later to apply this
solution.</para>
</caution>
</section>
</section>
@ -715,53 +701,6 @@ LOGBURST=""</programlisting>
<programlisting>DROP net fw udp 10619</programlisting>
</section>
<section id="faq6c">
<title>(FAQ 6c) All day long I get a steady flow of these DROP
messages from port 53 to some high numbered port. They get dropped,
but what the heck are they?</title>
<programlisting>Jan 8 15:50:48 norcomix kernel:
Shorewall:net2all:DROP:IN=eth0 OUT=
MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00 SRC=208.138.130.16
DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00 TTL=251 ID=8288 DF
PROTO=UDP SPT=53 DPT=40275 LEN=33</programlisting>
<para><emphasis role="bold">Answer:</emphasis> There are two
possibilities:</para>
<orderedlist>
<listitem>
<para>They are late-arriving replies to DNS queries.</para>
</listitem>
<listitem>
<para>They are corrupted reply packets.</para>
</listitem>
</orderedlist>
<para>You can distinguish the difference by setting the <emphasis
role="bold">logunclean</emphasis> option (<filename><ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink></filename>)
on your external interface (eth0 in the above example). If they get
logged twice, they are corrupted. I solve this problem by using an
/etc/shorewall/common file like this:</para>
<programlisting>#
# Include the standard common.def file
#
<command>. /etc/shorewall/common.def</command>
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
<command>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</command></programlisting>
<para>The above file is also include in all of my sample
configurations available in the <ulink
url="shorewall_quickstart_guide.htm">Quick Start Guides</ulink> and in
the common.def file in Shorewall 1.4.0 and later.</para>
</section>
<section id="faq6d">
<title>(FAQ 6d) Why is the MAC address in Shorewall log messages so
long? I thought MAC addresses were only 6 bytes in length.</title>
@ -1817,6 +1756,49 @@ alias ipt_pkttype off</programlisting>
<para>The solution is the same as <xref linkend="faq14" /> above.
Simply substitute the IP address of your ISPs DHCP server.</para>
</section>
<section>
<title>(FAQ 14b) I connect to the internet with PPPoE. When I try to
access the built-in web server in my DSL Modem, I get connection
Refused.</title>
<para>I see the following in my log:</para>
<programlisting>Mar 1 18:20:07 Mail kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.1 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=26774 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 </programlisting>
<para>Answer: The fact that the message is being logged from the
OUTPUT chain means that the destination IP address is not in any
defined zone (see <link linkend="faq17">FAQ 17</link>). You need
to:</para>
<orderedlist>
<listitem>
<para>Add a zone for the modem in /etc/shorewall/zones:</para>
<programlisting>#ZONE DISPLAY COMMENTS
modem ADSLModem Zone for modem</programlisting>
</listitem>
<listitem>
<para>Define the zone to be associated with <filename
class="devicefile">eth0</filename> (or whatever interface connects
to your modem) in /etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
modem eth0 detect</programlisting>
</listitem>
<listitem>
<para>Allow web traffic to the modem in
/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT fw modem tcp 80
ACCEPT loc modem tcp 80</programlisting>
</listitem>
</orderedlist>
</section>
</section>
</section>
@ -2032,6 +2014,16 @@ Verifying Configuration...
<title>Revision History</title>
<para><revhistory>
<revision>
<revnumber>1.43</revnumber>
<date>2005-03-01</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 14b.</revremark>
</revision>
<revision>
<revnumber>1.42</revnumber>

70
Shorewall-docs2/Install.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-02-05</pubdate>
<pubdate>2005-02-26</pubdate>
<copyright>
<year>2001</year>
@ -60,6 +60,28 @@
<para>To install Shorewall using the RPM:</para>
<orderedlist>
<listitem>
<para><emphasis role="bold">Be sure that you have the correct RPM
package!</emphasis></para>
<para>The standard RPM package from shorewall.net and the mirrors is
known to work with <emphasis
role="bold"><trademark>Suse</trademark></emphasis>, <emphasis
role="bold"><trademark>Power PPC</trademark></emphasis>, <emphasis
role="bold"><trademark>Trustix</trademark></emphasis> and <emphasis
role="bold"><trademark>TurboLinux</trademark></emphasis>. There is
also an RPM package provided by Simon Matter that is taylored for
<trademark><emphasis role="bold">RedHat/Fedora</emphasis></trademark>
and another package from Jack Coates that is customized for <emphasis
role="bold"><trademark>Mandrake</trademark></emphasis>. All of these
are available from the <ulink
url="http://www.shorewall.net/download.htm">download
page</ulink>.</para>
<para>If you try to install the wrong package, it probably won't
work.</para>
</listitem>
<listitem>
<para>Install the RPM</para>
@ -85,15 +107,15 @@
</note>
<note>
<para>Beginning with Shorewall 1.4.0, Shorewall is dependent on the
iproute package. Unfortunately, some distributions call this package
iproute2 which will cause the installation of Shorewall to fail with
the diagnostic:</para>
<para>Shorewall is dependent on the iproute package. Unfortunately,
some distributions call this package iproute2 which will cause the
installation of Shorewall to fail with the diagnostic:</para>
<programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.x-1</programlisting>
<programlisting>error: failed dependencies:iproute is needed by shorewall-2.2.x-1</programlisting>
<para>This may be worked around by using the --nodeps option of
rpm.</para>
<para>This problem should not occur if you are using the correct RPM
package (see 1., above) but may be worked around by using the
--nodeps option of rpm.</para>
<programlisting><command>rpm -ivh --nodeps &lt;shorewall rpm&gt;</command></programlisting>
</note>
@ -261,17 +283,19 @@ INIT="rc.firewall"</programlisting>
<para>If you already have the Shorewall RPM installed and are upgrading to
a new version:</para>
<important>
<para>If you are upgrading from a 1.2 version of Shorewall to a 1.4
version or and you have entries in the /etc/shorewall/hosts file then
please check your /etc/shorewall/interfaces file to be sure that it
contains an entry for each interface mentioned in the hosts file. Also,
there are certain 1.2 rule forms that are no longer supported under 1.4
(you must use the new 1.4 syntax). See <ulink
url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para>
</important>
<orderedlist>
<listitem>
<para><emphasis role="bold">Be sure that you have the correct RPM
package!</emphasis></para>
<para>The standard RPM package from shorewall.net and the mirrors is
known to work with Suse, Power PPC, Trustix and TurboLinux. There is
also an RPM package provided by Simon Matter that is taylored for
RedHat/Fedora and another package from Jack Coates that is customized
for Mandrake. If you try to upgrade using the wrong package, it
probably won't work.</para>
</listitem>
<listitem>
<para>Upgrade the RPM</para>
@ -323,16 +347,6 @@ INIT="rc.firewall"</programlisting>
<para>If you already have Shorewall installed and are upgrading to a new
version using the tarball:</para>
<important>
<para>If you are upgrading from a 1.2 version of Shorewall to a 1.4
version and you have entries in the /etc/shorewall/hosts file then
please check your /etc/shorewall/interfaces file to be sure that it
contains an entry for each interface mentioned in the hosts file. Also,
there are certain 1.2 rule forms that are no longer supported under 1.4
(you must use the new 1.4 syntax). See <ulink
url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para>
</important>
<orderedlist>
<listitem>
<para>unpack the tarball.</para>

8
Shorewall-docs2/Shorewall_Squid_Usage.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-02-28</pubdate>
<pubdate>2005-03-01</pubdate>
<copyright>
<year>2003-2005</year>
@ -175,7 +175,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
<orderedlist>
<listitem>
<para>* On your firewall system, issue the following command</para>
<para>On your firewall system, issue the following command</para>
<programlisting><command>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</command></programlisting>
</listitem>
@ -184,7 +184,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
<para>In /etc/shorewall/init, put:</para>
<programlisting><command>if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark CA table www.out # Note 0xCA = 202
ip rule add fwmark 0xCA table www.out # Note 0xCA = 202
ip route add default via 192.168.1.3 dev eth1 table www.out
ip route flush cache
echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects
@ -257,7 +257,7 @@ chkconfig --level 35 iptables on</command></programlisting>
<para>In /etc/shorewall/init, put:</para>
<programlisting><command>if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark CA table www.out # Note 0xCA = 202
ip rule add fwmark 0xCA table www.out # Note 0xCA = 202
ip route add default via 192.0.2.177 dev eth1 table www.out
ip route flush cache
fi</command></programlisting>

4
Shorewall-docs2/bridge.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-01-14</pubdate>
<pubdate>2005-02-22</pubdate>
<copyright>
<year>2004</year>
@ -445,7 +445,7 @@ ln -s net.eth0 net.br0
# Remove net.eth*, add net.br0 and bridge.
rc-update del net.eth0
rc-update del net.eth1
rc-update add net,br0 default
rc-update add net.br0 default
rc-update add bridge boot

20
Shorewall-docs2/myfiles.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-02-17</pubdate>
<pubdate>2005-02-25</pubdate>
<copyright>
<year>2001-2005</year>
@ -53,10 +53,10 @@
</caution>
<para>I have DSL service and have 5 static IP addresses
(206.124.146.176-180). My DSL <quote>modem</quote> (Westell 2200 running
in Bridge mode) is connected to eth2 and has IP address 192.168.1.1
(factory default). The modem is configured in <quote>bridge</quote> mode
so PPPoE is not involved. I have a local network connected to eth3 (subnet
(206.124.146.176-180). My DSL <quote>modem</quote> (Westell 2200) is
connected to eth2 and has IP address 192.168.1.1 (factory default). The
modem is configured in <quote>bridge</quote> mode so PPPoE is not
involved. I have a local network connected to eth3 (subnet
192.168.1.0/24), a wireless network (192.168.3.0/24) connected to eth0,
and a DMZ connected to eth1 (206.124.146.176/32). Note that I configure
the same IP address on both <filename class="devicefile">eth1</filename>
@ -73,7 +73,7 @@
<listitem>
<para>I use one-to-one NAT for Eastepnc6000 (My work system -- Windows
XP SP1). Internal address 192.168.1.7 and external address
XP SP1). Internal address 192.168.1.6 and external address
206.124.146.180.</para>
</listitem>
@ -214,6 +214,7 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
<blockquote>
<para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt;
NTPSERVERS=&lt;list of the NTP servers I sync with&gt;
POPSERVERS=&lt;list of POP3 servers that I get mail from using 'fetchmail' on the DMZ server&gt;
LOG=ULOG
WIFI_IF=eth0
EXT_IF=eth2
@ -613,9 +614,10 @@ ACCEPT dmz net udp
REJECT:$LOG dmz net udp 1025:1031
ACCEPT dmz net:$POPSERVERS tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem.
# Some FTP clients insist on sending the PORT command in two separate packets. The FTP
# connection tracker in the kernel cannot parse the command and therefore cannot set
# up the proper expectations. We thus allow all outbound tcp traffic from local port 20
# but log it so we can keep an eye on it.
#
ACCEPT:$LOG dmz net tcp 1024: 20
##########################################################################################################################################################################