diff --git a/Shorewall-docs/errata.xml b/Shorewall-docs/errata.xml index 7f22bb3d0..fea471724 100644 --- a/Shorewall-docs/errata.xml +++ b/Shorewall-docs/errata.xml @@ -15,7 +15,7 @@ - 2003-12-17 + 2003-12-28 2001-2003 @@ -67,6 +67,15 @@
Problems in Version 1.4 +
+ All Versions + + Here + is the most up to date version of the rfc1918 file. +
+
Shorewall 1.4.8 @@ -424,4 +433,12 @@ Aborted (core dumped) kernel patch and precompiled modules to fix this problem are available at ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel.
+ + + Revision History + + 1.22003-12-29TEUpdated + RFC1918 file1.12003-12-17TEInitial + Conversion to Docbook XML + \ No newline at end of file diff --git a/Shorewall-docs/myfiles.xml b/Shorewall-docs/myfiles.xml index 707623d74..17a12be18 100644 --- a/Shorewall-docs/myfiles.xml +++ b/Shorewall-docs/myfiles.xml @@ -60,9 +60,9 @@ - One-to-one NAT for Ursa (my XP System that dual-boots Mandrake - 9.2) - Internal address 192.168.1.5 and external address - 206.124.146.178. + One-to-one NAT for Ursa (my personal system that dual-boots + Mandrake 9.2 and Windows XP) - Internal address 192.168.1.5 and + external address 206.124.146.178. 
@@ -71,18 +71,18 @@ - SNAT through 206.124.146.179 for  my Linux system - (Wookie), my Wife's system (Tarry), and our  laptop - (Tipper) which connects through the Wireless Access Point (wap) via a - Wireless Bridge (bridge).While the distance between the - WAP and where I usually use the laptop isn't very far (25 feet or - so), using a WAC11 (CardBus wireless card) has proved very - unsatisfactory (lots of lost connections). By replacing the WAC11 with - the WET11 wireless bridge, I have virtually eliminated these problems - (Being an old radio tinkerer (K7JPV), I was also able to eliminate the - disconnects by hanging a piece of aluminum foil on the family room - wall. Needless to say, my wife Tarry rejected that as a permanent - solution :-). + SNAT through 206.124.146.179 for  my SuSE 8.1 Linux + system (Wookie), my Wife's Windows XP system (Tarry), and + our  Windows XP laptop (Tipper) which connects through the + Wireless Access Point (wap) via a Wireless Bridge (bridge).While + the distance between the WAP and where I usually use the laptop + isn't very far (25 feet or so), using a WAC11 (CardBus wireless + card) has proved very unsatisfactory (lots of lost connections). By + replacing the WAC11 with the WET11 wireless bridge, I have virtually + eliminated these problems (Being an old radio tinkerer (K7JPV), I was + also able to eliminate the disconnects by hanging a piece of aluminum + foil on the family room wall. Needless to say, my wife Tarry rejected + that as a permanent solution :-). diff --git a/Shorewall-docs/seattlefirewall_index.htm b/Shorewall-docs/seattlefirewall_index.htm index 52bc16e76..35285d9d8 100644 --- a/Shorewall-docs/seattlefirewall_index.htm +++ b/Shorewall-docs/seattlefirewall_index.htm @@ -1,276 +1,397 @@ - - + - - - - - - Shoreline Firewall (Shorewall) 1.4 - - - - -

Site Problem

The server that normally hosts - www.shorewall.net and ftp.shorewall.net is currently down. Until it is back - up, a small server with very limited bandwidth is being used temporarly. You - will likely experience better response time from the Sourceforge site - or from one of the other mirrors. Sorry - for the inconvenience.

Introduction to Shorewall

-

This is the Shorewall 1.4 Web Site

The information on this site - applies only to 1.4.x releases of Shorewall. For older versions:
- -

Glossary

  • Netfilter - - the packet filter facility built into the 2.4 and later Linux kernels.
  • ipchains - - the packet filter facility built into the 2.2 Linux kernels. Also the name - of the utility program used to configure and control that facility. - Netfilter can be used in ipchains compatibility mode.
  • iptables - the - utility program used to configure and control Netfilter. The term - 'iptables' is often used to refer to the combination of - iptables+Netfilter (with Netfilter not in ipchains compatibility mode).
-

What is Shorewall?

The Shoreline Firewall, more commonly known as - "Shorewall", is high-level tool for configuring Netfilter. You - describe your firewall/gateway requirements using entries in a set of - configuration files. Shorewall reads those configuration files and with the - help of the iptables utility, Shorewall configures Netfilter to match your - requirements. Shorewall can be used on a dedicated firewall system, a - multi-function gateway/router/server or on a standalone GNU/Linux system. - Shorewall does not use Netfilter's ipchains compatibility mode and can - thus take advantage of Netfilter's connection state tracking - capabilities.

Shorewall is not a daemon. Once Shorewall has - configured Netfilter, it's job is complete although the /sbin/shorewall program can be - used at any time to monitor the Netfilter firewall.

Getting - Started with Shorewall

New to Shorewall? Start by selecting the QuickStart Guide that most closely - match your environment and follow the step by step instructions.
-

Looking for Information?

The Documentation Index - is a good place to start as is the Quick Search in the frame above. -

License

This program is free software; you can redistribute it - and/or modify it under the terms of Version 2 of the GNU General - Public License as published by the Free Software Foundation.
-

This program is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - more detail.

You should have received a copy of the GNU General - Public License along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

Permission is - granted to copy, distribute and/or modify this document under the terms of - the GNU Free Documentation License, Version 1.2 or any later version - published by the Free Software Foundation; with no Invariant Sections, with - no Front-Cover, and with no Back-Cover Texts. A copy of the license is - included in the section entitled "GNU Free Documentation License".

Copyright - © 2001-2003 Thomas M. Eastep

Running Shorewall on Mandrake with a - two-interface setup?

If so, the documentation on this site will - not apply directly to your setup. If you want to use the documentation that - you find here, you will want to consider uninstalling what you have and - installing a setup that matches the documentation on this site. See the Two-interface QuickStart Guide for details.
-

News

12/07/2003 - Shorewall 1.4.9 Beta 1 (New)

-

Problems Corrected since version 1.4.8:

  1. There has been - a low continuing level of confusion over the terms "Source NAT" - (SNAT) and "Static NAT". To avoid future confusion, all instances of - "Static NAT" have been replaced with "One-to-one NAT" in the - documentation and configuration files.
  2. The description of NEWNOTSYN - in shorewall.conf has been reworded for clarity.
  3. Wild-card rules - (those involving "all" as SOURCE or DEST) will no longer produce an - error if they attempt to add a rule that would override a NONE policy. The - logic for expanding these wild-card rules now simply skips those - (SOURCE,DEST) pairs that have a NONE policy.

Migration Issues:
-     None.

New Features:

  1. To - cut down on the number of "Why are these ports closed rather than - stealthed?" questions, the SMB-related rules in - /etc/shorewall/common.def have been changed from 'reject' to - 'DROP'.
  2. For easier identification, packets logged under the - 'norfc1918' interface option are now logged out of chains named - 'rfc1918'. Previously, such packets were logged under chains named - 'logdrop'.
  3. Distributors and developers seem to be regularly - inventing new naming conventions for kernel modules. To avoid the need to - change Shorewall code for each new convention, the MODULE_SUFFIX option has - been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix for - module names in your particular distribution. If MODULE_SUFFIX is not set in - shorewall.conf, Shorewall will use the list "o gz ko o.gz".
    -
    To see what suffix is used by your distribution:

    ls - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter

    All of the - files listed should have the same suffix (extension). Set MODULE_SUFFIX to - that suffix.

    Examples:

    -      If all files end in ".kzo" then set - MODULE_SUFFIX="kzo"
         If all - files end in ".kz.o" then set MODULE_SUFFIX="kz.o"
  4. Support - for user defined rule ACTIONS has been implemented through two new files:
    -
    /etc/shorewall/actions - used to list the user-defined ACTIONS.
    - /etc/shorewall/action.template - For each user defined <action>, - copy this file to /etc/shorewall/action.<action> and add the - appropriate rules for that <action>. Once an <action> has - been defined, it may be used like any of the builtin ACTIONS (ACCEPT, DROP, - etc.) in /etc/shorewall/rules.

    Example: You want an action that - logs a packet at the 'info' level and accepts the connection.
    -
    In /etc/shorewall/actions, you would add:

    -      LogAndAccept

    You would then - copy /etc/shorewall/action.template to /etc/shorewall/LogAndAccept and in - that file, you would add the two rules:
    -         LOG:info
    -         ACCEPT
    -

12/03/2003 - Support Torch Passed (New)

- Effective today, I am reducing my participation in the day-to-day support of - Shorewall. As part of this shift to community-based Shorewall support a new - Shorewall - Newbies mailing list has been established to field questions and - problems from new users. I will not monitor that list personally. I will - continue my active development of Shorewall and will be available via the - development list to handle development issues -- Tom.

11/07/2003 - - Shorewall 1.4.8

Problems Corrected since version - 1.4.7:

  1. Tuomo Soini has supplied a correction to a problem - that occurs using some versions of 'ash'. The symptom is that - "shorewall start" fails with:
     
       - local: --limit: bad variable name
       iptables v1.2.8: - Couldn't load match `-j':/lib/iptables/libipt_-j.so:
    -    cannot open shared object file: No such file or directory
    -    Try `iptables -h' or 'iptables --help' for more - information.
  2. Andres Zhoglo has supplied a correction that avoids - trying to use the multiport match iptables facility on ICMP rules.
    -  
       Example of rule that previously caused - "shorewall start" to fail:
     
    -            - ACCEPT      loc  $FW  - icmp    0,8,11,12

  3. Previously, if - the following error message was issued, Shorewall was left in an - inconsistent state.
     
       Error: Unable to - determine the routes through interface xxx

  4. Handling of - the LOGUNCLEAN option in shorewall.conf has been corrected.
  5. In - Shorewall 1.4.2, an optimization was added. This optimization involved - creating a chain named "<zone>_frwd" for most zones defined - using the /etc/shorewall/hosts file. It has since been discovered that in - many cases these new chains contain redundant rules and that the - "optimization" turns out to be less than optimal. The implementation - has now been corrected.
  6. When the MARK value in a tcrules entry is - followed by ":F" or ":P", the ":F" or ":P" - was previously only applied to the first Netfilter rule generated by the - entry. It is now applied to all entries.
  7. An incorrect comment - concerning Debian's use of the SUBSYSLOCK option has been removed from - shorewall.conf.
  8. Previously, neither the 'routefilter' - interface option nor the ROUTE_FILTER parameter were working properly. This - has been corrected (thanks to Eric Bowles for his analysis and patch). The - definition of the ROUTE_FILTER option has changed however. Previously, - ROUTE_FILTER=Yes was documented as enabling route filtering on all - interfaces (which didn't work). Beginning with this release, setting - ROUTE_FILTER=Yes will enable route filtering of all interfaces brought up - while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can coexist - with the use of the 'routefilter' option in the interfaces file.
  9. If - MAC verification was enabled on an interface with a /32 address and a - broadcast address then an error would occur during startup.
  10. he NONE - policy's intended use is to suppress the generating of rules that - can't possibly be traversed. This means that a policy of NONE is - inappropriate where the source or destination zone is $FW or "all". - Shorewall now generates an error message if such a policy is given in - /etc/shorewall/policy. Previously such a policy caused "shorewall - start" to fail.
  11. The 'routeback' option was broken for - wildcard interfaces (e.g., "tun+"). This has been corrected so that - 'routeback' now works as expected in this case.
- Migration Issues:
  1. The definition of the ROUTE_FILTER option in - shorewall.conf has changed as described in item 8) above.
- New Features:
  1. A new QUEUE action has been introduced for - rules. QUEUE allows you to pass connection requests to a user-space filter - such as ftwall (http://p2pwall.sourceforge.net). The ftwall program allows - for effective filtering of p2p applications such as Kazaa. For example, to - use ftwall to filter P2P clients in the 'loc' zone, you would add - the following rules:

       QUEUE   - loc         - net    tcp
       QUEUE   - loc         - net    udp
       QUEUE   - loc         - fw     udp

    You would normally want - to place those three rules BEFORE any ACCEPT rules for loc->net udp or - tcp.

    Note: When the protocol specified is TCP ("tcp", - "TCP" or "6"), Shorewall will only pass connection requests - (SYN packets) to user space. This is for compatibility with ftwall.
  2. A - BLACKLISTNEWNONLY option has been added to shorewall.conf. When this option - is set to "Yes", the blacklists (dynamic and static) are only - consulted for new connection requests. When set to "No" (the default - if the variable is not set), the blacklists are consulted on every packet.
    -
    Setting this option to "No" allows blacklisting to stop - existing connections from a newly blacklisted host but is more expensive in - terms of packet processing time. This is especially true if the blacklists - contain a large number of entries.
  3. Chain names used in the - /etc/shorewall/accounting file may now begin with a digit ([0-9]) and may - contain embedded dashes ("-").

10/26/2003 - - Shorewall 1.4.7a and 1.4.7b win brown paper bag awards Shorewall - 1.4.7c released.

  1. The saga with "<zone>_frwd" - chains continues. The 1.4.7c script produces a ruleset that should work for - everyone even if it is not quite optimal. My apologies for this ongoing - mess.

10/24/2003 - Shorewall 1.4.7b

This is - a bugfx rollup of the 1.4.7a fixes plus:

  1. The fix for - problem 5 in 1.4.7a was wrong with the result that - "<zone>_frwd" chains might contain too few rules. That wrong - code is corrected in this release.

10/21/2003 - - Shorewall 1.4.7a

This is a bugfix rollup of the following problem - corrections:

  1. Tuomo Soini has supplied a correction to a - problem that occurs using some versions of 'ash'. The symptom is - that "shorewall start" fails with:
     
    -    local: --limit: bad variable name
       - iptables v1.2.8: Couldn't load match - `-j':/lib/iptables/libipt_-j.so:
       cannot open - shared object file: No such file or directory
       Try - `iptables -h' or 'iptables --help' for more information.
    -
  2. Andres Zhoglo has supplied a correction that avoids trying to - use the multiport match iptables facility on ICMP rules.
     
    -    Example of rule that previously caused "shorewall - start" to fail:
     
    -            - ACCEPT      loc  $FW  - icmp    0,8,11,12

  3. Previously, if - the following error message was issued, Shorewall was left in an - inconsistent state.
     
       Error: Unable to - determine the routes through interface xxx

  4. Handling of - the LOGUNCLEAN option in shorewall.conf has been corrected.
  5. In - Shorewall 1.4.2, an optimization was added. This optimization involved - creating a chain named "<zone>_frwd" for most zones defined - using the /etc/shorewall/hosts file. It has since been discovered that in - many cases these new chains contain redundant rules and that the - "optimization" turns out to be less than optimal. The implementation - has now been corrected.
  6. When the MARK value in a tcrules entry is - followed by ":F" or ":P", the ":F" or ":P" - was previously only applied to the first Netfilter rule generated by the - entry. It is now applied to all entries.

More News

(Leaf Logo) Jacques Nilo and Eric Wolzak - have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) - distribution called Bering that features Shorewall-1.4.2 and - Kernel-2.4.20. You can find their work at: http://leaf.sourceforge.net/devel/jnilo
-

Congratulations to Jacques and Eric on the recent release of - Bering 1.2!!!

(Protected by Shorewall)
-

Donations

(Starlight Logo)
- Shorewall is free but if you try it and find it useful, please consider - making a donation to Starlight - Children's Foundation. Thanks!

-

Updated 12/21/2003 - Tom - Eastep

- \ No newline at end of file + + + + Shoreline Firewall (Shorewall) 1.4 + + + +
+ + + + + + +
+

Introduction to Shorewall

+

This is the Shorewall 1.4 Web Site

+The information on this site applies only to 1.4.x releases of +Shorewall. For older versions:
+
    +
  • The 1.3 site is here.
  • +
  • The 1.2 site is here.
  • +
+

Glossary

+
    +
  • Netfilter - the +packet filter facility built into the 2.4 and later Linux kernels.
  • +
  • ipchains - the packet filter facility built into the 2.2 +Linux kernels. Also the name of the utility program used to configure +and control that facility. Netfilter can be used in ipchains +compatibility mode.
  • +
  • iptables - the utility program used to configure and +control Netfilter. The term 'iptables' is often used to refer to the +combination of iptables+Netfilter (with Netfilter not in ipchains +compatibility mode).
  • +
+

What is Shorewall?

+The Shoreline Firewall, more commonly known as "Shorewall", is +high-level tool for configuring Netfilter. You describe your +firewall/gateway requirements using entries in a set of configuration +files. Shorewall reads those configuration files and with the help of +the iptables utility, Shorewall configures Netfilter to match your +requirements. Shorewall can be used on a dedicated firewall system, a +multi-function gateway/router/server or on a standalone GNU/Linux +system. Shorewall does not use Netfilter's ipchains compatibility mode +and can thus take advantage of Netfilter's connection state tracking +capabilities.
+
+Shorewall is not a +daemon. Once Shorewall has configured Netfilter, it's job is complete +although the /sbin/shorewall +program can be used at any time to monitor the Netfilter firewall.
+

Getting Started with Shorewall

+New to Shorewall? Start by selecting the QuickStart Guide that most +closely match your environment and follow the step by step instructions.
+

Looking for Information?

+The Documentation +Index is a good place to start as is the Quick Search in the frame +above. +

License

+This program is free software; you can redistribute it and/or modify it +under the terms of Version +2 of the GNU General Public License as published by the Free +Software Foundation.
+

This program is distributed in the hope that it will be +useful, but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more detail.

+

You should have received a copy of the GNU General Public +License along with this program; if not, write to the Free Software +Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

+Permission is granted to copy, distribute and/or modify this document +under the terms of the GNU Free Documentation License, Version 1.2 or +any later version published by the Free Software Foundation; with no +Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. +A copy of the license is included in the section entitled "GNU Free +Documentation License". +

Copyright © 2001-2003 Thomas M. Eastep

+

Running Shorewall on Mandrake with a two-interface setup?

+If so, the documentation on this site will not apply directly +to your setup. If you want to use the documentation that you find here, +you will want to consider uninstalling what you have and installing a +setup that matches the documentation on this site. See the Two-interface QuickStart Guide for +details.
+

News

+

12/28/2003 - www.shorewall.net/ftp.shorewall.net Back +On-line (New)
+

+

Our high-capacity server has been restored to service -- +please let us know if you +find any problems.
+

+

12/07/2003 - Shorewall 1.4.9 Beta 1

+ +

Problems Corrected since version 1.4.8:

+
    +
  1. There has been a low continuing level of confusion over the +terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, +all instances of "Static NAT" have been replaced with "One-to-one NAT" +in the documentation and configuration files.
  2. +
  3. The description of NEWNOTSYN in shorewall.conf has been +reworded for clarity.
  4. +
  5. Wild-card rules (those involving "all" as SOURCE or DEST) +will no longer produce an error if they attempt to add a rule that +would override a NONE policy. The logic for expanding these wild-card +rules now simply skips those (SOURCE,DEST) pairs that have a NONE +policy.
  6. +
+

Migration Issues:
+    None.
+
+New Features:

+
    +
  1. To cut down on the number of "Why are these ports closed +rather than stealthed?" questions, the SMB-related rules in +/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
  2. +
  3. For easier identification, packets logged under the +'norfc1918' interface option are now logged out of chains named +'rfc1918'. Previously, such packets were logged under chains named +'logdrop'.
  4. +
  5. Distributors and developers seem to be regularly inventing +new naming conventions for kernel modules. To avoid the need to change +Shorewall code for each new convention, the MODULE_SUFFIX option has +been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix +for module names in your particular distribution. If MODULE_SUFFIX is +not set in shorewall.conf, Shorewall will use the list "o gz ko o.gz".
    +
    +To see what suffix is used by your distribution:
    +
    +ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
    +
    +All of the files listed should have the same suffix (extension). Set +MODULE_SUFFIX to that suffix.
    +
    +Examples:
    +
    +     If all files end in ".kzo" then set +MODULE_SUFFIX="kzo"
    +     If all files end in ".kz.o" then set +MODULE_SUFFIX="kz.o"
  6. +
  7. Support for user defined rule ACTIONS has been implemented +through two new files:
    +
    +/etc/shorewall/actions - used to list the user-defined ACTIONS.
    +/etc/shorewall/action.template - For each user defined <action>, +copy this file to /etc/shorewall/action.<action> and add the +appropriate rules for that <action>. Once an <action> has +been defined, it may be used like any of the builtin ACTIONS (ACCEPT, +DROP, etc.) in /etc/shorewall/rules.
    +
    +Example: You want an action that logs a packet at the 'info' level and +accepts the connection.
    +
    +In /etc/shorewall/actions, you would add:
    +
    +     LogAndAccept
    +
    +You would then copy /etc/shorewall/action.template to +/etc/shorewall/LogAndAccept and in that file, you would add the two +rules:
    +        LOG:info
    +        ACCEPT
    +
    +
  8. +
+

12/03/2003 - Support Torch Passed (New)

+Effective today, I am reducing my participation in the day-to-day +support of Shorewall. As part of this shift to community-based +Shorewall support a new Shorewall +Newbies mailing list has been established to field questions and +problems from new users. I will not monitor that list personally. I +will continue my active development of Shorewall and will be available +via the development list to handle development issues -- Tom. +

11/07/2003 - Shorewall 1.4.8
+
+
Problems Corrected since version 1.4.7:
+

+
    +
  1. Tuomo Soini has supplied a correction to a problem that +occurs using some versions of 'ash'. The symptom is that "shorewall +start" fails with:

    +   local: --limit: bad variable name
    +   iptables v1.2.8: Couldn't load match +`-j':/lib/iptables/libipt_-j.so:
    +   cannot open shared object file: No such file or directory
    +   Try `iptables -h' or 'iptables --help' for more +information.
  2. +
  3. Andres Zhoglo has supplied a correction that avoids trying +to use the multiport match iptables facility on ICMP rules.

    +   Example of rule that previously caused "shorewall start" +to fail:

    +           +ACCEPT      loc  $FW  +icmp    0,8,11,12
    +
    +
  4. +
  5. Previously, if the following error message was issued, +Shorewall was left in an inconsistent state.

    +   Error: Unable to determine the routes through interface xxx
    +
    +
  6. +
  7. Handling of the LOGUNCLEAN option in shorewall.conf has +been corrected.
  8. +
  9. In Shorewall 1.4.2, an optimization was added. This +optimization involved creating a chain named "<zone>_frwd" for +most zones defined using the /etc/shorewall/hosts file. It has since +been discovered that in many cases these new chains contain redundant +rules and that the "optimization" turns out to be less than optimal. +The implementation has now been corrected.
  10. +
  11. When the MARK value in a tcrules entry is followed by ":F" +or ":P", the ":F" or ":P" was previously only applied to the first +Netfilter rule generated by the entry. It is now applied to all entries.
  12. +
  13. An incorrect comment concerning Debian's use of the +SUBSYSLOCK option has been removed from shorewall.conf.
  14. +
  15. Previously, neither the 'routefilter' interface option nor +the ROUTE_FILTER parameter were working properly. This has been +corrected (thanks to Eric Bowles for his analysis and patch). The +definition of the ROUTE_FILTER option has changed however. Previously, +ROUTE_FILTER=Yes was documented as enabling route filtering on all +interfaces (which didn't work). Beginning with this release, setting +ROUTE_FILTER=Yes will enable route filtering of all interfaces brought +up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can +coexist with the use of the 'routefilter' option in the interfaces file.
  16. +
  17. If MAC verification was enabled on an interface with a /32 +address and a broadcast address then an error would occur during +startup.
  18. +
  19. he NONE policy's intended use is to suppress the generating +of rules that can't possibly be traversed. This means that a policy of +NONE is inappropriate where the source or destination zone is $FW or +"all". Shorewall now generates an error message if such a policy is +given in /etc/shorewall/policy. Previously such a policy caused +"shorewall start" to fail.
  20. +
  21. The 'routeback' option was broken for wildcard interfaces +(e.g., "tun+"). This has been corrected so that 'routeback' now works +as expected in this case.
    +
  22. +
+Migration Issues:
+
    +
  1. The definition of the ROUTE_FILTER option in shorewall.conf +has changed as described in item 8) above.
    +
  2. +
+New Features:
+
    +
  1. A new QUEUE action has been introduced for rules. QUEUE +allows you to pass connection requests to a user-space filter such as +ftwall (http://p2pwall.sourceforge.net). The ftwall program allows for +effective filtering of p2p applications such as Kazaa. For example, to +use ftwall to filter P2P clients in the 'loc' zone, you would add the +following rules:
    +
    +   QUEUE   loc    +     net    tcp
    +   QUEUE   loc    +     net    udp
    +   QUEUE   loc    +     fw     udp
    +
    +You would normally want to place those three rules BEFORE any ACCEPT +rules for loc->net udp or tcp.
    +
    +Note: When the protocol specified is TCP ("tcp", "TCP" or "6"), +Shorewall will only pass connection requests (SYN packets) to user +space. This is for compatibility with ftwall.
  2. +
  3. A BLACKLISTNEWNONLY option has been added to +shorewall.conf. When this option is set to "Yes", the blacklists +(dynamic and static) are only consulted for new connection requests. +When set to "No" (the default if the variable is not set), the +blacklists are consulted on every packet.
    +
    +Setting this option to "No" allows blacklisting to stop existing +connections from a newly blacklisted host but is more expensive in +terms of packet processing time. This is especially true if the +blacklists contain a large number of entries.
  4. +
  5. Chain names used in the /etc/shorewall/accounting file may +now begin with a digit ([0-9]) and may contain embedded dashes ("-").
  6. +
+

10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper +bag awards Shorewall +1.4.7c released.

+
    +
  1. The saga with "<zone>_frwd" chains continues. The +1.4.7c script produces a ruleset that should work for everyone even if +it is not quite optimal. My apologies for this ongoing mess.
    +
  2. +
+

10/24/2003 - Shorewall 1.4.7b

+

This is a bugfx rollup of the 1.4.7a fixes plus:
+

+
    +
  1. The fix for problem 5 in 1.4.7a was wrong with the result +that "<zone>_frwd" chains might contain too few rules. That wrong +code is corrected in this release.
    +
  2. +
+

10/21/2003 - Shorewall 1.4.7a

+

This is a bugfix rollup of the following problem corrections:
+

+
    +
  1. Tuomo Soini has supplied a correction to a problem that +occurs using some versions of 'ash'. The symptom is that "shorewall +start" fails with:

    +   local: --limit: bad variable name
    +   iptables v1.2.8: Couldn't load match +`-j':/lib/iptables/libipt_-j.so:
    +   cannot open shared object file: No such file or directory
    +   Try `iptables -h' or 'iptables --help' for more +information.
    +
    +
  2. +
  3. Andres Zhoglo has supplied a correction that avoids trying +to use the multiport match iptables facility on ICMP rules.

    +   Example of rule that previously caused "shorewall start" +to fail:

    +           +ACCEPT      loc  $FW  +icmp    0,8,11,12
    +
    +
  4. +
  5. Previously, if the following error message was issued, +Shorewall was left in an inconsistent state.

    +   Error: Unable to determine the routes through interface xxx
    +
    +
  6. +
  7. Handling of the LOGUNCLEAN option in shorewall.conf has +been corrected.
  8. +
  9. In Shorewall 1.4.2, an optimization was added. This +optimization involved creating a chain named "<zone>_frwd" for +most zones defined using the /etc/shorewall/hosts file. It has since +been discovered that in many cases these new chains contain redundant +rules and that the "optimization" turns out to be less than optimal. +The implementation has now been corrected.
  10. +
  11. When the MARK value in a tcrules entry is followed by ":F" +or ":P", the ":F" or ":P" was previously only applied to the first +Netfilter rule generated by the entry. It is now applied to all entries.
    +
  12. +
+

More News

+

(Leaf Logo) Jacques Nilo and Eric Wolzak have a LEAF +(router/firewall/gateway on a floppy, CD or compact flash) distribution +called Bering that features Shorewall-1.4.2 and Kernel-2.4.20. +You can find their work at: http://leaf.sourceforge.net/devel/jnilo
+

+ Congratulations to Jacques and Eric on the recent release of +Bering 1.2!!!
+
+
+
(Protected by Shorewall)
+ +
+
+
+

Donations

+

(Starlight Logo)
+ Shorewall is free but if you try it and find it useful, +please consider making a donation to Starlight +Children's Foundation. Thanks!
+

+
+
+

Updated 12/28/2003 - Tom Eastep
+

+ + diff --git a/Shorewall-docs/sourceforge_index.htm b/Shorewall-docs/sourceforge_index.htm index 9af25e3a2..2d35b928f 100644 --- a/Shorewall-docs/sourceforge_index.htm +++ b/Shorewall-docs/sourceforge_index.htm @@ -1,52 +1,38 @@ - - -Shoreline Firewall (Shorewall) 1.4 - + + + Shoreline Firewall (Shorewall) 1.4 +
- - - -
-

Site Problem

- -The server that normally hosts www.shorewall.net and -ftp.shorewall.net is currently down. Until it is back up, a small -server with very limited bandwidth is being used temporarly. You -will likely experience better response time from the Sourceforge -site or from one of the other mirrors. Sorry for the -inconvenience.
-
- - -

Introduction
-

- -
    -
  • Netfilter - the packet + + + + - - +

    SourceForge Logo

    + +

    + +

    This site is hosted by the generous folks at SourceForge.net

    +
    +
    +

    Donations

    + + +
    +

    Introduction
    +

    +
      +
    • Netfilter - the +packet filter facility built into the 2.4 and later Linux kernels.
    • - -
    • ipchains - the packet filter facility built into the 2.2 Linux +
    • ipchains - the packet filter facility built into the 2.2 +Linux kernels. Also the name of the utility program used to configure and control that facility. Netfilter can be used in ipchains compatibility mode.
      -
    • - -
    • iptables - the utility program used to configure and control +
    • +
    • iptables - the utility program used to configure and +control Netfilter. The term 'iptables' is often used to refer to the combination of iptables+Netfilter (with Netfilter not in ipchains compatibility mode).
      -
    • -
    - + + The Shoreline Firewall, more commonly known as "Shorewall", is high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of @@ -56,142 +42,131 @@ Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage -of Netfilter's connection state tracking capabilities. - -

    This program is free software; you can redistribute it and/or -modify it under the terms of Version 2 of the GNU General +of Netfilter's connection state tracking capabilities. +

    This program is free software; you can redistribute it and/or +modify it under the terms of Version 2 of the GNU +General Public License as published by the Free Software Foundation.
    -
    +
    This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
    -
    +
    You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

    - -

    Copyright 2001, 2002, 2003 Thomas M. -Eastep

    - -

    This is the Shorewall 1.4 Web Site

    - +

    Permission is granted to copy, distribute and/or modify this +document under the terms of the GNU Free Documentation License, Version +1.2 or any later version published by the Free Software Foundation; +with no Invariant Sections, with no Front-Cover, and with no Back-Cover +Texts. A copy of the license is included in the section entitled "GNU +Free Documentation License".

    +

    Copyright © 2001-2003 Thomas M. Eastep

    +

    This is the Shorewall 1.4 Web Site

    The information on this site applies only to 1.4.x releases of Shorewall. For older versions:
    - - -
      -
    • The 1.3 site is here.
    • - -
    • The 1.2 site is here.
      -
    • -
    - -

    Getting Started with Shorewall

    - -New to Shorewall? Start by selecting the QuickStart Guide that most +
      +
    • The 1.3 site is here.
    • +
    • The 1.2 site is here.
      +
    • +
    +

    Getting Started with Shorewall

    +New to Shorewall? Start by selecting the QuickStart Guide that most closely match your environment and follow the step by step instructions.
    - - -

    Looking for Information?

    - -The Documentation +

    Looking for Information?

    +The
    Documentation Index is a good place to start as is the Quick Search in the -frame above. - -

    Running Shorewall on Mandrake with a two-interface setup?

    - +frame above. +

    Running Shorewall on Mandrake with a two-interface setup?

    If so, the documentation on this site will not apply directly to your setup. If you want to use the documentation that you find here, you will want to consider uninstalling what you have and installing a setup that matches the documentation on this site. See the Two-interface QuickStart -Guide for details. - -

    News

    - -

    12/07/2003 - Shorewall 1.4.9 Beta 1 (New)
    -

    - - - -

    Problems Corrected since version 1.4.8:
    -

    - -
      -
    1. There has been a low continuing level of confusion over the +Guide for details. +

      News

      +

      12/28/2003 - www.shorewall.net/ftp.shorewall.net Back +On-line (New)
      +

      +

      Our high-capacity server has been restored to service -- +please let us know if you +find any problems.
      +

      +

      12/07/2003 - Shorewall 1.4.9 Beta 1 (New)
      +

      + +

      Problems Corrected since version 1.4.8:
      +

      +
        +
      1. There has been a low continuing level of confusion over the terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, all instances of "Static NAT" have been replaced with "One-to-one NAT" in the documentation and configuration files.
      2. - -
      3. The description of NEWNOTSYN in shorewall.conf has been +
      4. The description of NEWNOTSYN in shorewall.conf has been reworded for clarity.
      5. - -
      6. Wild-card rules (those involving "all" as SOURCE or DEST) will +
      7. Wild-card rules (those involving "all" as SOURCE or DEST) +will no longer produce an error if they attempt to add a rule that would override a NONE policy. The logic for expanding these wild-card rules now simply skips those (SOURCE,DEST) pairs that have a NONE policy.
        -
      8. -
      - -

      Migration Issues:
      -
      +

    2. +
    +

    Migration Issues:
    +
        None.
    -
    +
    New Features:
    -

    - -
      -
    1. To cut down on the number of "Why are these ports closed rather +

      +
        +
      1. To cut down on the number of "Why are these ports closed +rather than stealthed?" questions, the SMB-related rules in /etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
      2. - -
      3. For easier identification, packets logged under the 'norfc1918' +
      4. For easier identification, packets logged under the +'norfc1918' interface option are now logged out of chains named 'rfc1918'. Previously, such packets were logged under chains named 'logdrop'.
      5. - -
      6. Distributors and developers seem to be regularly inventing new +
      7. Distributors and developers seem to be regularly inventing +new naming conventions for kernel modules. To avoid the need to change Shorewall code for each new convention, the MODULE_SUFFIX option has been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix for module names in your particular distribution. If MODULE_SUFFIX is not set in shorewall.conf, Shorewall will use the list "o gz ko o.gz".
        -
        +
        To see what suffix is used by your distribution:
        -
        +
        ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
        -
        +
        All of the files listed should have the same suffix (extension). Set MODULE_SUFFIX to that suffix.
        -
        +
        Examples:
        -
        +
             If all files end in ".kzo" then set MODULE_SUFFIX="kzo"
             If all files end in ".kz.o" then set MODULE_SUFFIX="kz.o"
      8. - -
      9. Support for user defined rule ACTIONS has been implemented +
      10. Support for user defined rule ACTIONS has been implemented through two new files:
        -
        +
        /etc/shorewall/actions - used to list the user-defined ACTIONS.
        /etc/shorewall/action.template - For each user defined <action>, copy this file to @@ -199,54 +174,45 @@ through two new files:
        for that <action>. Once an <action> has been defined, it may be used like any of the builtin ACTIONS (ACCEPT, DROP, etc.) in /etc/shorewall/rules.
        -
        +
        Example: You want an action that logs a packet at the 'info' level and accepts the connection.
        -
        +
        In /etc/shorewall/actions, you would add:
        -
        +
             LogAndAccept
        -
        +
        You would then copy /etc/shorewall/action.template to /etc/shorewall/LogAndAccept and in that file, you would add the two rules:
                LOG:info
                ACCEPT
      11. -
      - -

      12/03/2003 - Support Torch Passed (New)

      - +
    +

    12/03/2003 - Support Torch Passed (New)

    Effective today, I am reducing my participation in the day-to-day support of Shorewall. As part of this shift to community-based -Shorewall support a new Shorewall +Shorewall support a new Shorewall Newbies mailing list has been established to field questions and problems from new users. I will not monitor that list personally. I will continue my active development of Shorewall and will be available via the development list to handle development -issues -- Tom. - -

    11/01/2003 - Shorewall 1.4.8 RC2 (New)

    - +issues -- Tom. +

    11/01/2003 - Shorewall 1.4.8 RC2 (New)

    Given the small number of new features and the relatively few lines of code that were changed, there will be no Beta for 1.4.8.
    - - -

    http://shorewall.net/pub/shorewall/Beta
    - - ftp://shorewall.net/pub/shorewall/Beta
    -
    -
    Problems Corrected since version 1.4.7:
    -

    - -
      -
    1. Tuomo Soini has supplied a correction to a problem that occurs +

      http://shorewall.net/pub/shorewall/Beta
      + ftp://shorewall.net/pub/shorewall/Beta
      +
      +
      Problems Corrected since version 1.4.7:
      +

      +
        +
      1. Tuomo Soini has supplied a correction to a problem that +occurs using some versions of 'ash'. The symptom is that "shorewall start" fails with:
         
        @@ -257,8 +223,8 @@ fails with:
        directory
           Try `iptables -h' or 'iptables --help' for more information.
      2. - -
      3. Andres Zhoglo has supplied a correction that avoids trying to +
      4. Andres Zhoglo has supplied a correction that avoids trying +to use the multiport match iptables facility on ICMP rules.
         
           Example of rule that previously caused "shorewall @@ -267,36 +233,34 @@ start" to fail:
                   ACCEPT      loc  $FW  icmp    0,8,11,12
        -
        -
      5. - -
      6. Previously, if the following error message was issued, +
        +
      7. +
      8. Previously, if the following error message was issued, Shorewall was left in an inconsistent state.
         
           Error: Unable to determine the routes through interface xxx
        -
        -
      9. - -
      10. Handling of the LOGUNCLEAN option in shorewall.conf has been +
        +
      11. +
      12. Handling of the LOGUNCLEAN option in shorewall.conf has +been corrected.
      13. - -
      14. In Shorewall 1.4.2, an optimization was added. This +
      15. In Shorewall 1.4.2, an optimization was added. This optimization involved creating a chain named "<zone>_frwd" for most zones defined using the /etc/shorewall/hosts file. It has since been discovered that in many cases these new chains contain redundant rules and that the "optimization" turns out to be less than optimal. The implementation has now been corrected.
      16. - -
      17. When the MARK value in a tcrules entry is followed by ":F" or +
      18. When the MARK value in a tcrules entry is followed by ":F" +or ":P", the ":F" or ":P" was previously only applied to the first Netfilter rule generated by the entry. It is now applied to all entries.
      19. - -
      20. An incorrect comment concerning Debian's use of the SUBSYSLOCK +
      21. An incorrect comment concerning Debian's use of the +SUBSYSLOCK option has been removed from shorewall.conf.
      22. - -
      23. Previously, neither the 'routefilter' interface option nor the +
      24. Previously, neither the 'routefilter' interface option nor +the ROUTE_FILTER parameter were working properly. This has been corrected (thanks to Eric Bowles for his analysis and patch). The definition of the ROUTE_FILTER option has changed however. @@ -306,96 +270,87 @@ this release, setting ROUTE_FILTER=Yes will enable route filtering of all interfaces brought up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can coexist with the use of the 'routefilter' option in the interfaces file.
      25. - -
      26. If MAC verification was enabled on an interface with a /32 +
      27. If MAC verification was enabled on an interface with a /32 address and a broadcast address then an error would occur during startup.
      28. -
      - +
    Migration Issues:
    - - -
      -
    1. The definition of the ROUTE_FILTER option in shorewall.conf has +
        +
      1. The definition of the ROUTE_FILTER option in shorewall.conf +has changed as described in item 8) above.
        -
      2. -
      - +
    2. +
    New Features:
    - - -
      -
    1. A new QUEUE action has been introduced for rules. QUEUE allows +
        +
      1. A new QUEUE action has been introduced for rules. QUEUE +allows you to pass connection requests to a user-space filter such as ftwall (http://p2pwall.sourceforge.net). The ftwall program allows for effective filtering of p2p applications such as Kazaa. For example, to use ftwall to filter P2P clients in the 'loc' zone, you would add the following rules:
        -
        +
           QUEUE   loc         net    tcp
           QUEUE   loc         net    udp
           QUEUE   loc         fw     udp
        -
        +
        You would normally want to place those three rules BEFORE any ACCEPT rules for loc->net udp or tcp.
        -
        +
        Note: When the protocol specified is TCP ("tcp", "TCP" or "6"), Shorewall will only pass connection requests (SYN packets) to user space. This is for compatibility with ftwall.
      2. - -
      3. A BLACKLISTNEWNONLY option has been added to shorewall.conf. +
      4. A BLACKLISTNEWNONLY option has been added to +shorewall.conf. When this option is set to "Yes", the blacklists (dynamic and static) are only consulted for new connection requests. When set to "No" (the default if the variable is not set), the blacklists are consulted on every packet.
        -
        +
        Setting this option to "No" allows blacklisting to stop existing connections from a newly blacklisted host but is more expensive in terms of packet processing time. This is especially true if the blacklists contain a large number of entries.
      5. - -
      6. Chain names used in the /etc/shorewall/accounting file may now +
      7. Chain names used in the /etc/shorewall/accounting file may +now begin with a digit ([0-9]) and may contain embedded dashes ("-").
      8. -
      - -

      10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper bag -awards Shorewall +

    +

    10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper +bag +awards Shorewall 1.4.7c released.

    - -
      -
    1. The saga with "<zone>_frwd" chains continues. The 1.4.7c +
        +
      1. The saga with "<zone>_frwd" chains continues. The +1.4.7c script produces a ruleset that should work for everyone even if it is not quite optimal. My apologies for this ongoing mess.
      2. -
      - -

      10/24/2003 - Shorewall 1.4.7b (New)

      - -

      This is a bugfx rollup of the 1.4.7a fixes plus:
      -

      - -
        -
      1. The fix for problem 5 in 1.4.7a was wrong with the result that +
      +

      10/24/2003 - Shorewall 1.4.7b (New)

      +

      This is a bugfx rollup of the 1.4.7a fixes plus:
      +

      +
        +
      1. The fix for problem 5 in 1.4.7a was wrong with the result +that "<zone>_frwd" chains might contain too few rules. That wrong code is corrected in this release.
        -
      2. -
      - -

      10/21/2003 - Shorewall 1.4.7a

      - -

      This is a bugfix rollup of the following problem +

    2. +
    +

    10/21/2003 - Shorewall 1.4.7a

    +

    This is a bugfix rollup of the following problem corrections:
    -

    - -
      -
    1. Tuomo Soini has supplied a correction to a problem that occurs +

      +
        +
      1. Tuomo Soini has supplied a correction to a problem that +occurs using some versions of 'ash'. The symptom is that "shorewall start" fails with:
         
        @@ -406,10 +361,10 @@ fails with:
        directory
           Try `iptables -h' or 'iptables --help' for more information.
        -
        -
      2. - -
      3. Andres Zhoglo has supplied a correction that avoids trying to +
        +
      4. +
      5. Andres Zhoglo has supplied a correction that avoids trying +to use the multiport match iptables facility on ICMP rules.
         
           Example of rule that previously caused "shorewall @@ -418,103 +373,80 @@ start" to fail:
                   ACCEPT      loc  $FW  icmp    0,8,11,12
        -
        -
      6. - -
      7. Previously, if the following error message was issued, +
        +
      8. +
      9. Previously, if the following error message was issued, Shorewall was left in an inconsistent state.
         
           Error: Unable to determine the routes through interface xxx
        -
        -
      10. - -
      11. Handling of the LOGUNCLEAN option in shorewall.conf has been +
        +
      12. +
      13. Handling of the LOGUNCLEAN option in shorewall.conf has +been corrected.
      14. - -
      15. In Shorewall 1.4.2, an optimization was added. This +
      16. In Shorewall 1.4.2, an optimization was added. This optimization involved creating a chain named "<zone>_frwd" for most zones defined using the /etc/shorewall/hosts file. It has since been discovered that in many cases these new chains contain redundant rules and that the "optimization" turns out to be less than optimal. The implementation has now been corrected.
      17. - -
      18. When the MARK value in a tcrules entry is followed by ":F" or +
      19. When the MARK value in a tcrules entry is followed by ":F" +or ":P", the ":F" or ":P" was previously only applied to the first Netfilter rule generated by the entry. It is now applied to all entries.
      20. -
      - -

      More News

      - - - -

      - - - -

      -"(Leaf Jacques Nilo and Eric Wolzak have a LEAF +

    +

    More News

    + +

    + +

    (Leaf Logo) Jacques Nilo and Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD or compact flash) distribution called Bering that features Shorewall-1.4.2 and -Kernel-2.4.20. You can find their work at: http://leaf.sourceforge.net/devel/jnilo

    - -Congratulations to Jacques and Eric on the recent release of +Kernel-2.4.20. You can find their work at: http://leaf.sourceforge.net/devel/jnilo

    + Congratulations to Jacques and Eric on the recent release of Bering 1.2!!!
    - - -

    -

    - - - -

    - - - -

    This site is hosted by the generous folks at SourceForge.net

    - -
    -
    - - -

    Donations

    - -
    - - - - - + + - - + + +
    -

    Starlight Foundation Logo

    - -


    - Shorewall is free but if you try it and find it -useful, please consider making a donation to Starlight +

    +

    Starlight Foundation Logo

    +


    + Shorewall is free but if you try it and find it +useful, please consider making a donation to Starlight Children's Foundation. Thanks!

    -
    - -

    Updated 12/07/2003 - Tom +

    Updated 12/28/2003 - Tom Eastep

    -
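Review bot: in the `@@ -56,142 +42,131 @@` hunk of sourceforge_index.htm, the rewrapped "Getting Started" line still carries a subject-verb disagreement: "selecting the QuickStart Guide that most closely match your environment" should read "that most closely matches your environment". Since the line is already being rewritten here, fix the wording in the same change rather than leaving it for a follow-up.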
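Review bot: in the `@@ -306,96 +270,87 @@` hunk of sourceforge_index.htm, the rewrapped 10/24/2003 entry still reads "This is a bugfx rollup of the 1.4.7a fixes plus:"; the line is touched by this change, so correct "bugfx" to "bugfix" while it is being rewritten (the 10/21/2003 entry a few lines later already spells it "bugfix rollup").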
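Review bot: in the `@@ -199,54 +174,45 @@` hunk of sourceforge_index.htm, the "Problems Corrected since version 1.4.7" list under the 1.4.8 RC2 entry (starting "Tuomo Soini has supplied a correction to a problem that occurs using some versions of 'ash'") is rewrapped here, and an identical copy of the same items is rewrapped again under the 10/21/2003 1.4.7a entry in a later hunk. Maintaining two verbatim copies invites the two to drift the next time one is edited; consider keeping the list once and having the other entry refer to it.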