git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1972 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-03-01 20:20:26 +00:00
parent 365a582729
commit 04a32e93c6
5 changed files with 117 additions and 109 deletions

View File

@ -17,7 +17,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-12-31</pubdate> <pubdate>2005-03-01</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -296,19 +296,10 @@ DNAT net loc:192.168.1.3:22 tcp 1022</programlisting>
<para>If you insist on an IP solution to the accessibility problem <para>If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your external interface rather than a DNS solution, then assuming that your external interface
is eth0 and your internal interface is eth1 and that eth1 has IP address is eth0 and your internal interface is eth1 and that eth1 has IP address
192.168.1.254 with subnet 192.168.1.0/24.</para> 192.168.1.254 with subnet 192.168.1.0/24:<warning>
<para>All traffic redirected through use of this hack will look to
<para>If you are running Shorewall 1.4.0 or earlier see the <ulink the server as if it came from the firewall (192.168.1.254) rather
url="1.3/FAQ.htm#faq2">1.3 FAQ</ulink> for instructions suitable for than from the original client!</para>
those releases.</para>
<para>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
upgrade to Shorewall 1.4.2 or later.</para>
<para>Otherwise:<warning>
<para>In this configuration, all loc-&gt;loc traffic will look to
the server as if it came from the firewall rather than from the
original client!</para>
</warning></para> </warning></para>
<itemizedlist> <itemizedlist>
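Review bot: the rewritten warning in this hunk is better for naming 192.168.1.254 explicitly, but it should also state the consequence that matters to whoever runs the server: because every connection through this hack arrives from 192.168.1.254, the server's access logs and any host-based allow/deny lists on it can no longer distinguish one internal client from another. A smaller point: the paragraph now ends with a colon immediately followed by <warning>, so the itemizedlist that follows is introduced by the warning rather than by the sentence; keep a short "Otherwise:" style lead after the warning, as the removed text had, so the list reads as a continuation of the instructions.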
@ -645,11 +636,6 @@ SPT=33120 DPT=5000 LEN=22</programlisting>
<programlisting># TYPE ZONE GATEWAY GATEWAY <programlisting># TYPE ZONE GATEWAY GATEWAY
# ZONE # ZONE
generic:udp:5000 net 69.145.71.133</programlisting> generic:udp:5000 net 69.145.71.133</programlisting>
<caution>
<para>You must be running Shorewall 1.4.6 or later to apply this
solution.</para>
</caution>
</section> </section>
</section> </section>
@ -715,53 +701,6 @@ LOGBURST=""</programlisting>
<programlisting>DROP net fw udp 10619</programlisting> <programlisting>DROP net fw udp 10619</programlisting>
</section> </section>
<section id="faq6c">
<title>(FAQ 6c) All day long I get a steady flow of these DROP
messages from port 53 to some high numbered port. They get dropped,
but what the heck are they?</title>
<programlisting>Jan 8 15:50:48 norcomix kernel:
Shorewall:net2all:DROP:IN=eth0 OUT=
MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00 SRC=208.138.130.16
DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00 TTL=251 ID=8288 DF
PROTO=UDP SPT=53 DPT=40275 LEN=33</programlisting>
<para><emphasis role="bold">Answer:</emphasis> There are two
possibilities:</para>
<orderedlist>
<listitem>
<para>They are late-arriving replies to DNS queries.</para>
</listitem>
<listitem>
<para>They are corrupted reply packets.</para>
</listitem>
</orderedlist>
<para>You can distinguish the difference by setting the <emphasis
role="bold">logunclean</emphasis> option (<filename><ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink></filename>)
on your external interface (eth0 in the above example). If they get
logged twice, they are corrupted. I solve this problem by using an
/etc/shorewall/common file like this:</para>
<programlisting>#
# Include the standard common.def file
#
<command>. /etc/shorewall/common.def</command>
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
<command>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</command></programlisting>
<para>The above file is also include in all of my sample
configurations available in the <ulink
url="shorewall_quickstart_guide.htm">Quick Start Guides</ulink> and in
the common.def file in Shorewall 1.4.0 and later.</para>
</section>
<section id="faq6d"> <section id="faq6d">
<title>(FAQ 6d) Why is the MAC address in Shorewall log messages so <title>(FAQ 6d) Why is the MAC address in Shorewall log messages so
long? I thought MAC addresses were only 6 bytes in length.</title> long? I thought MAC addresses were only 6 bytes in length.</title>
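Review bot: deleting the whole faq6c section drops the id="faq6c" anchor, so any <xref> or <link> in this document with linkend="faq6c", and any external link to FAQ.htm#faq6c, will break; grep the docs for faq6c before removing the id, or keep a one-paragraph stub under that id saying the tardy-DNS-reply rule is now part of common.def (which the removed text itself states for 1.4.0 and later).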
@ -1817,6 +1756,49 @@ alias ipt_pkttype off</programlisting>
<para>The solution is the same as <xref linkend="faq14" /> above. <para>The solution is the same as <xref linkend="faq14" /> above.
Simply substitute the IP address of your ISPs DHCP server.</para> Simply substitute the IP address of your ISPs DHCP server.</para>
</section> </section>
<section>
<title>(FAQ 14b) I connect to the internet with PPPoE. When I try to
access the built-in web server in my DSL Modem, I get connection
Refused.</title>
<para>I see the following in my log:</para>
<programlisting>Mar 1 18:20:07 Mail kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.1 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=26774 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 </programlisting>
<para>Answer: The fact that the message is being logged from the
OUTPUT chain means that the destination IP address is not in any
defined zone (see <link linkend="faq17">FAQ 17</link>). You need
to:</para>
<orderedlist>
<listitem>
<para>Add a zone for the modem in /etc/shorewall/zones:</para>
<programlisting>#ZONE DISPLAY COMMENTS
modem ADSLModem Zone for modem</programlisting>
</listitem>
<listitem>
<para>Define the zone to be associated with <filename
class="devicefile">eth0</filename> (or whatever interface connects
to your modem) in /etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
modem eth0 detect</programlisting>
</listitem>
<listitem>
<para>Allow web traffic to the modem in
/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT fw modem tcp 80
ACCEPT loc modem tcp 80</programlisting>
</listitem>
</orderedlist>
</section>
</section> </section>
</section> </section>
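Review bot: the new FAQ 14b section has no id attribute, unlike its siblings (faq6d, faq14), so it cannot be cross-referenced or deep-linked; make it <section id="faq14b">. Two points on the listings in the same hunk: the interfaces entry "modem eth0 detect" relies on eth0 being up when Shorewall starts so the broadcast address can be detected (the log line's SRC=192.168.1.2 shows it is addressed here, but say so, since many PPPoE setups leave the Ethernet interface unnumbered), and "ACCEPT loc modem tcp 80" opens the modem's administrative web interface to every host in loc, so if only one workstation needs it, narrow the SOURCE column to that host (loc:<address>) rather than the whole zone.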
@ -2032,6 +2014,16 @@ Verifying Configuration...
<title>Revision History</title> <title>Revision History</title>
<para><revhistory> <para><revhistory>
<revision>
<revnumber>1.43</revnumber>
<date>2005-03-01</date>
<authorinitials>TE</authorinitials>
<revremark>Added FAQ 14b.</revremark>
</revision>
<revision> <revision>
<revnumber>1.42</revnumber> <revnumber>1.42</revnumber>
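Review bot: the revremark "Added FAQ 14b." understates the change; this same commit also removes FAQ 6c and the Shorewall 1.4.x-specific paragraphs from FAQ 2, and readers comparing revisions look here first. Suggest "Added FAQ 14b; removed FAQ 6c and 1.4-specific text from FAQ 2."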

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-02-05</pubdate> <pubdate>2005-02-26</pubdate>
<copyright> <copyright>
<year>2001</year> <year>2001</year>
@ -60,6 +60,28 @@
<para>To install Shorewall using the RPM:</para> <para>To install Shorewall using the RPM:</para>
<orderedlist> <orderedlist>
<listitem>
<para><emphasis role="bold">Be sure that you have the correct RPM
package!</emphasis></para>
<para>The standard RPM package from shorewall.net and the mirrors is
known to work with <emphasis
role="bold"><trademark>Suse</trademark></emphasis>, <emphasis
role="bold"><trademark>Power PPC</trademark></emphasis>, <emphasis
role="bold"><trademark>Trustix</trademark></emphasis> and <emphasis
role="bold"><trademark>TurboLinux</trademark></emphasis>. There is
also an RPM package provided by Simon Matter that is taylored for
<trademark><emphasis role="bold">RedHat/Fedora</emphasis></trademark>
and another package from Jack Coates that is customized for <emphasis
role="bold"><trademark>Mandrake</trademark></emphasis>. All of these
are available from the <ulink
url="http://www.shorewall.net/download.htm">download
page</ulink>.</para>
<para>If you try to install the wrong package, it probably won't
work.</para>
</listitem>
<listitem> <listitem>
<para>Install the RPM</para> <para>Install the RPM</para>
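Review bot: "taylored" should be "tailored", and the trademark markup is nested inconsistently: Suse, Power PPC, Trustix, TurboLinux and Mandrake are written <emphasis role="bold"><trademark>...</trademark></emphasis> while RedHat/Fedora is <trademark><emphasis role="bold">...</emphasis></trademark>; pick one order. "Power PPC" also reads oddly (PPC already stands for PowerPC) and, unlike the other entries, names an architecture rather than a distribution, so the list should say which distribution on that architecture the package is known to work with, if that is known.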
@ -85,15 +107,15 @@
</note> </note>
<note> <note>
<para>Beginning with Shorewall 1.4.0, Shorewall is dependent on the <para>Shorewall is dependent on the iproute package. Unfortunately,
iproute package. Unfortunately, some distributions call this package some distributions call this package iproute2 which will cause the
iproute2 which will cause the installation of Shorewall to fail with installation of Shorewall to fail with the diagnostic:</para>
the diagnostic:</para>
<programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.x-1</programlisting> <programlisting>error: failed dependencies:iproute is needed by shorewall-2.2.x-1</programlisting>
<para>This may be worked around by using the --nodeps option of <para>This problem should not occur if you are using the correct RPM
rpm.</para> package (see 1., above) but may be worked around by using the
--nodeps option of rpm.</para>
<programlisting><command>rpm -ivh --nodeps &lt;shorewall rpm&gt;</command></programlisting> <programlisting><command>rpm -ivh --nodeps &lt;shorewall rpm&gt;</command></programlisting>
</note> </note>
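Review bot: "see 1., above" is a fragile reference to a list position; give the new first list item an id and use <xref linkend="..."/> so renumbering the list cannot orphan it. On the workaround itself, --nodeps silences the dependency check entirely, so the note should tell the reader to confirm the ip utility is really present (rpm -q iproute2, or which ip) before installing that way, because the dependency exists for a reason and only the package name differs on those distributions.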
@ -261,17 +283,19 @@ INIT="rc.firewall"</programlisting>
<para>If you already have the Shorewall RPM installed and are upgrading to <para>If you already have the Shorewall RPM installed and are upgrading to
a new version:</para> a new version:</para>
<important>
<para>If you are upgrading from a 1.2 version of Shorewall to a 1.4
version or and you have entries in the /etc/shorewall/hosts file then
please check your /etc/shorewall/interfaces file to be sure that it
contains an entry for each interface mentioned in the hosts file. Also,
there are certain 1.2 rule forms that are no longer supported under 1.4
(you must use the new 1.4 syntax). See <ulink
url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para>
</important>
<orderedlist> <orderedlist>
<listitem>
<para><emphasis role="bold">Be sure that you have the correct RPM
package!</emphasis></para>
<para>The standard RPM package from shorewall.net and the mirrors is
known to work with Suse, Power PPC, Trustix and TurboLinux. There is
also an RPM package provided by Simon Matter that is taylored for
RedHat/Fedora and another package from Jack Coates that is customized
for Mandrake. If you try to upgrade using the wrong package, it
probably won't work.</para>
</listitem>
<listitem> <listitem>
<para>Upgrade the RPM</para> <para>Upgrade the RPM</para>
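Review bot: this list item duplicates the "correct RPM package" paragraph added to the install section in the same commit (minus the trademark markup) and repeats the "taylored" typo; keep the text in one place (an entity, or one section with an xref from the other) so the two copies cannot drift apart. Separately, the removed <important> block was 1.2-to-1.4 specific and can go in a 2.x document, but its link to errata.htm#Upgrade was a version-neutral pointer that readers upgrading between 2.x releases still need; consider keeping a one-line pointer to that page.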
@ -323,16 +347,6 @@ INIT="rc.firewall"</programlisting>
<para>If you already have Shorewall installed and are upgrading to a new <para>If you already have Shorewall installed and are upgrading to a new
version using the tarball:</para> version using the tarball:</para>
<important>
<para>If you are upgrading from a 1.2 version of Shorewall to a 1.4
version and you have entries in the /etc/shorewall/hosts file then
please check your /etc/shorewall/interfaces file to be sure that it
contains an entry for each interface mentioned in the hosts file. Also,
there are certain 1.2 rule forms that are no longer supported under 1.4
(you must use the new 1.4 syntax). See <ulink
url="errata.htm#Upgrade">the upgrade issues</ulink> for details.</para>
</important>
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>unpack the tarball.</para> <para>unpack the tarball.</para>
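Review bot: same comment as for the RPM upgrade section above: dropping the 1.2-to-1.4 <important> block is fine, but keep a version-neutral pointer to errata.htm#Upgrade in the tarball upgrade steps as well.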

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-02-28</pubdate> <pubdate>2005-03-01</pubdate>
<copyright> <copyright>
<year>2003-2005</year> <year>2003-2005</year>
@ -175,7 +175,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>* On your firewall system, issue the following command</para> <para>On your firewall system, issue the following command</para>
<programlisting><command>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</command></programlisting> <programlisting><command>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</command></programlisting>
</listitem> </listitem>
@ -184,7 +184,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
<para>In /etc/shorewall/init, put:</para> <para>In /etc/shorewall/init, put:</para>
<programlisting><command>if [ -z "`ip rule list | grep www.out`" ] ; then <programlisting><command>if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark CA table www.out # Note 0xCA = 202 ip rule add fwmark 0xCA table www.out # Note 0xCA = 202
ip route add default via 192.168.1.3 dev eth1 table www.out ip route add default via 192.168.1.3 dev eth1 table www.out
ip route flush cache ip route flush cache
echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects
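Review bot: correct fix; iproute2 rejects "CA" as an fwmark value (it must be decimal or 0x-prefixed hex), so the original "ip rule add" failed and table www.out was never consulted, which means the 0xCA form is the first version of this snippet that actually routes the marked traffic. One further point on the guard: "grep www.out" is unanchored and treats "." as a regex wildcard; grep -F 'www.out' (or matching the full "lookup www.out" text) avoids a false hit from an unrelated rule.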
@ -257,7 +257,7 @@ chkconfig --level 35 iptables on</command></programlisting>
<para>In /etc/shorewall/init, put:</para> <para>In /etc/shorewall/init, put:</para>
<programlisting><command>if [ -z "`ip rule list | grep www.out`" ] ; then <programlisting><command>if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark CA table www.out # Note 0xCA = 202 ip rule add fwmark 0xCA table www.out # Note 0xCA = 202
ip route add default via 192.0.2.177 dev eth1 table www.out ip route add default via 192.0.2.177 dev eth1 table www.out
ip route flush cache ip route flush cache
fi</command></programlisting> fi</command></programlisting>
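Review bot: same fwmark fix and same grep -F suggestion as in the previous hunk; since the two init snippets now differ only in the gateway address (192.168.1.3 versus 192.0.2.177) and in the presence of the send_redirects line, the surrounding text should say why send_redirects is needed in one variant and not the other, or the two listings will look like an accidental inconsistency.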

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-01-14</pubdate> <pubdate>2005-02-22</pubdate>
<copyright> <copyright>
<year>2004</year> <year>2004</year>
@ -445,7 +445,7 @@ ln -s net.eth0 net.br0
# Remove net.eth*, add net.br0 and bridge. # Remove net.eth*, add net.br0 and bridge.
rc-update del net.eth0 rc-update del net.eth0
rc-update del net.eth1 rc-update del net.eth1
rc-update add net,br0 default rc-update add net.br0 default
rc-update add bridge boot rc-update add bridge boot
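Review bot: good catch; "net,br0" is not an init script name, so rc-update would have failed on that line, and the corrected "net.br0" now matches the "ln -s net.eth0 net.br0" command shown in the hunk header.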

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-02-17</pubdate> <pubdate>2005-02-25</pubdate>
<copyright> <copyright>
<year>2001-2005</year> <year>2001-2005</year>
@ -53,10 +53,10 @@
</caution> </caution>
<para>I have DSL service and have 5 static IP addresses <para>I have DSL service and have 5 static IP addresses
(206.124.146.176-180). My DSL <quote>modem</quote> (Westell 2200 running (206.124.146.176-180). My DSL <quote>modem</quote> (Westell 2200) is
in Bridge mode) is connected to eth2 and has IP address 192.168.1.1 connected to eth2 and has IP address 192.168.1.1 (factory default). The
(factory default). The modem is configured in <quote>bridge</quote> mode modem is configured in <quote>bridge</quote> mode so PPPoE is not
so PPPoE is not involved. I have a local network connected to eth3 (subnet involved. I have a local network connected to eth3 (subnet
192.168.1.0/24), a wireless network (192.168.3.0/24) connected to eth0, 192.168.1.0/24), a wireless network (192.168.3.0/24) connected to eth0,
and a DMZ connected to eth1 (206.124.146.176/32). Note that I configure and a DMZ connected to eth1 (206.124.146.176/32). Note that I configure
the same IP address on both <filename class="devicefile">eth1</filename> the same IP address on both <filename class="devicefile">eth1</filename>
@ -73,7 +73,7 @@
<listitem> <listitem>
<para>I use one-to-one NAT for Eastepnc6000 (My work system -- Windows <para>I use one-to-one NAT for Eastepnc6000 (My work system -- Windows
XP SP1). Internal address 192.168.1.7 and external address XP SP1). Internal address 192.168.1.6 and external address
206.124.146.180.</para> 206.124.146.180.</para>
</listitem> </listitem>
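Review bot: changing Eastepnc6000's internal address from 192.168.1.7 to 192.168.1.6 in the prose needs a matching change wherever that host appears in the configuration listings later in the file (the one-to-one NAT entry for 206.124.146.180 and any rules or hosts entries naming it); this hunk changes only the description, so please confirm the listings agree.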
@ -214,6 +214,7 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
<blockquote> <blockquote>
<para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt; <para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt;
NTPSERVERS=&lt;list of the NTP servers I sync with&gt; NTPSERVERS=&lt;list of the NTP servers I sync with&gt;
POPSERVERS=&lt;list of POP3 servers that I get mail from using 'fetchmail' on the DMZ server&gt;
LOG=ULOG LOG=ULOG
WIFI_IF=eth0 WIFI_IF=eth0
EXT_IF=eth2 EXT_IF=eth2
@ -613,9 +614,10 @@ ACCEPT dmz net udp
REJECT:$LOG dmz net udp 1025:1031 REJECT:$LOG dmz net udp 1025:1031
ACCEPT dmz net:$POPSERVERS tcp pop3 ACCEPT dmz net:$POPSERVERS tcp pop3
# #
# Something is wrong with the FTP connection tracking code or there is some client out there # Some FTP clients insist on sending the PORT command in two separate packets. The FTP
# that is sending a PORT command which that code doesn't understand. Either way, # connection tracker in the kernel cannot parse the command and therefore cannot set
# the following works around the problem. # up the proper expectations. We thus allow all outbound tcp traffic from local port 20
# but log it so we can keep an eye on it.
# #
ACCEPT:$LOG dmz net tcp 1024: 20 ACCEPT:$LOG dmz net tcp 1024: 20
########################################################################################################################################################################## ##########################################################################################################################################################################
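Review bot: the new comment explains the rule better, but "ACCEPT:$LOG dmz net tcp 1024: 20" matches on source port alone, so any process in the DMZ that binds local port 20 can open outbound TCP to any high port on any Internet host, FTP or not; the $LOG modifier makes that visible but does not limit it. If the FTP server is a single DMZ host, narrow the SOURCE column to that host (dmz:<address>) so the workaround covers only the data channel it is meant for.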