From 1698bf7e20ea97fb5bac6f1edff49dfccc184982 Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 13 Dec 2003 00:25:04 +0000 Subject: [PATCH] Modify sourceforge_index.htm for HTML 4.01 Transitional Compatibility git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@838 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/sourceforge_index.htm | 745 +++++++++++++++------------ 1 file changed, 420 insertions(+), 325 deletions(-) diff --git a/Shorewall-docs/sourceforge_index.htm b/Shorewall-docs/sourceforge_index.htm index 638222ebc..9af25e3a2 100644 --- a/Shorewall-docs/sourceforge_index.htm +++ b/Shorewall-docs/sourceforge_index.htm @@ -1,425 +1,520 @@ - - Shoreline Firewall (Shorewall) 1.4 - + + +Shoreline Firewall (Shorewall) 1.4 +
- - - -
-

Site Problem

-The server that normally hosts www.shorewall.net and ftp.shorewall.net -is currently down. Until it is back up, a small server with very -limited bandwidth is being used temporarly. You will likely experience -better response time from the Sourceforge site -or from one of the other mirrors. -Sorry for the inconvenience.
-
-

Introduction
-

-
    -
  • Netfilter - the -packet filter facility built into the 2.4 and later Linux kernels.
  • -
  • ipchains - the packet filter facility built into the 2.2 -Linux kernels. Also the name of the utility program used to configure -and control that facility. Netfilter can be used in ipchains + + + + - - +Netfilter rule generated by the entry. It is now applied to all +entries. + + +

    More News

    + + + +

    + + + +

    +"(Leaf Jacques Nilo and Eric Wolzak have a LEAF +(router/firewall/gateway on a floppy, CD or compact flash) +distribution called Bering that features Shorewall-1.4.2 and +Kernel-2.4.20. You can find their work at: http://leaf.sourceforge.net/devel/jnilo

    + +Congratulations to Jacques and Eric on the recent release of +Bering 1.2!!!
    + + +

    +

    + + + +

    + + + +

    This site is hosted by the generous folks at SourceForge.net

    + +
    +
    + + +

    Donations

    + + + +
    +

    Site Problem

    + +The server that normally hosts www.shorewall.net and +ftp.shorewall.net is currently down. Until it is back up, a small +server with very limited bandwidth is being used temporarly. You +will likely experience better response time from the Sourceforge +site or from one of the other mirrors. Sorry for the +inconvenience.
    +
    + + +

    Introduction
    +

    + +
      +
    • Netfilter - the packet +filter facility built into the 2.4 and later Linux kernels.
    • + +
    • ipchains - the packet filter facility built into the 2.2 Linux +kernels. Also the name of the utility program used to configure and +control that facility. Netfilter can be used in ipchains compatibility mode.
      -
    • -
    • iptables - the utility program used to configure and -control Netfilter. The term 'iptables' is often used to refer to the +
    • + +
    • iptables - the utility program used to configure and control +Netfilter. The term 'iptables' is often used to refer to the combination of iptables+Netfilter (with Netfilter not in ipchains compatibility mode).
      -
    • -
    + + + The Shoreline Firewall, more commonly known as "Shorewall", is high-level tool for configuring Netfilter. You describe your -firewall/gateway requirements using entries in a set of configuration -files. Shorewall reads those configuration files and with the help of -the iptables utility, Shorewall configures Netfilter to match your -requirements. Shorewall can be used on a dedicated firewall system, a -multi-function gateway/router/server or on a standalone GNU/Linux -system. Shorewall does not use Netfilter's ipchains compatibility mode -and can thus take advantage of Netfilter's connection state tracking -capabilities. -

    This program is free software; you can redistribute it and/or -modify it under the terms of Version 2 of the GNU -General Public License as published by the Free Software Foundation.
    -
    +firewall/gateway requirements using entries in a set of +configuration files. Shorewall reads those configuration files and +with the help of the iptables utility, Shorewall configures +Netfilter to match your requirements. Shorewall can be used on a +dedicated firewall system, a multi-function gateway/router/server +or on a standalone GNU/Linux system. Shorewall does not use +Netfilter's ipchains compatibility mode and can thus take advantage +of Netfilter's connection state tracking capabilities. + +

    This program is free software; you can redistribute it and/or +modify it under the terms of Version 2 of the GNU General +Public License as published by the Free Software +Foundation.
    +
    This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -General -Public License for more details.
    -
    -You should have received a copy of the GNU General Public License along -with this program; if not, write to the Free Software Foundation, Inc., -675 Mass Ave, Cambridge, MA 02139, USA

    -

    Copyright 2001, 2002, 2003 Thomas M. +General Public License for more details.
    +
    +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

    + +

    Copyright 2001, 2002, 2003 Thomas M. Eastep

    -

    This is the Shorewall 1.4 Web Site

    + +

    This is the Shorewall 1.4 Web Site

    + The information on this site applies only to 1.4.x releases of Shorewall. For older versions:
    -
      -
    • The 1.3 site is here.
    • -
    • The 1.2 site is here.
      -
    • -
    -

    Getting Started with Shorewall

    -New to Shorewall? Start by selecting the QuickStart Guide that most -closely match your environment and follow the step by step instructions.
    -

    Looking for Information?

    -The Documentation -Index is a good place to start as is the Quick Search in the frame -above. -

    Running Shorewall on Mandrake with a two-interface setup?

    -If so, the documentation on this site will not apply directly -to -your setup. If you want to use the documentation that you find here, -you will want to consider uninstalling what you have and installing a -setup that matches the documentation on this site. See the Two-interface QuickStart Guide for -details. -

    -

    News

    -

    12/07/2003 - Shorewall 1.4.9 Beta 1 (New)
    -

    - -

    Problems Corrected since version 1.4.8:
    -

    -
      -
    1. There has been a low continuing level of confusion over the -terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, -all instances of "Static NAT" have been replaced with "One-to-one NAT" -in the documentation and configuration files.
    2. -
    3. The description of NEWNOTSYN in shorewall.conf has been + + +
        +
      • The 1.3 site is here.
      • + +
      • The 1.2 site is here.
        +
      • +
      + +

      Getting Started with Shorewall

      + +New to Shorewall? Start by selecting the QuickStart Guide that most +closely match your environment and follow the step by step +instructions.
      + + +

      Looking for Information?

      + +The Documentation +Index is a good place to start as is the Quick Search in the +frame above. + +

      Running Shorewall on Mandrake with a two-interface setup?

      + +If so, the documentation on this site will not apply +directly to your setup. If you want to use the documentation that +you find here, you will want to consider uninstalling what you have +and installing a setup that matches the documentation on this site. +See the Two-interface QuickStart +Guide for details. + +

      News

      + +

      12/07/2003 - Shorewall 1.4.9 Beta 1 (New)
      +

      + + + +

      Problems Corrected since version 1.4.8:
      +

      + +
        +
      1. There has been a low continuing level of confusion over the +terms "Source NAT" (SNAT) and "Static NAT". To avoid future +confusion, all instances of "Static NAT" have been replaced with +"One-to-one NAT" in the documentation and configuration files.
      2. + +
      3. The description of NEWNOTSYN in shorewall.conf has been reworded for clarity.
      4. -
      5. Wild-card rules (those involving "all" as SOURCE or DEST) -will no longer produce an error if they attempt to add a rule that -would override a NONE policy. The logic for expanding these wild-card + +
      6. Wild-card rules (those involving "all" as SOURCE or DEST) will +no longer produce an error if they attempt to add a rule that would +override a NONE policy. The logic for expanding these wild-card rules now simply skips those (SOURCE,DEST) pairs that have a NONE policy.
        -
      7. -
      -

      Migration Issues:
      -
      +

    4. +
    + +

    Migration Issues:
    +
        None.
    -
    +
    New Features:
    -

    -
      -
    1. To cut down on the number of "Why are these ports closed -rather than stealthed?" questions, the SMB-related rules in -/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
    2. -
    3. For easier identification, packets logged under the -'norfc1918' interface option are now logged out of chains named -'rfc1918'. Previously, such packets were logged under chains named +

      + +
        +
      1. To cut down on the number of "Why are these ports closed rather +than stealthed?" questions, the SMB-related rules in +/etc/shorewall/common.def have been changed from 'reject' to +'DROP'.
      2. + +
      3. For easier identification, packets logged under the 'norfc1918' +interface option are now logged out of chains named 'rfc1918'. +Previously, such packets were logged under chains named 'logdrop'.
      4. -
      5. Distributors and developers seem to be regularly inventing -new naming conventions for kernel modules. To avoid the need to change -Shorewall code for each new convention, the MODULE_SUFFIX option has -been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix -for module names in your particular distribution. If MODULE_SUFFIX is -not set in shorewall.conf, Shorewall will use the list "o gz ko o.gz".
        -
        + +
      6. Distributors and developers seem to be regularly inventing new +naming conventions for kernel modules. To avoid the need to change +Shorewall code for each new convention, the MODULE_SUFFIX option +has been added to shorewall.conf. MODULE_SUFFIX may be set to the +suffix for module names in your particular distribution. If +MODULE_SUFFIX is not set in shorewall.conf, Shorewall will use the +list "o gz ko o.gz".
        +
        To see what suffix is used by your distribution:
        -
        +
        ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
        -
        -All of the files listed should have the same suffix (extension). Set -MODULE_SUFFIX to that suffix.
        -
        +
        +All of the files listed should have the same suffix (extension). +Set MODULE_SUFFIX to that suffix.
        +
        Examples:
        -
        +
             If all files end in ".kzo" then set MODULE_SUFFIX="kzo"
             If all files end in ".kz.o" then set MODULE_SUFFIX="kz.o"
      7. -
      8. Support for user defined rule ACTIONS has been implemented + +
      9. Support for user defined rule ACTIONS has been implemented through two new files:
        -
        +
        /etc/shorewall/actions - used to list the user-defined ACTIONS.
        -/etc/shorewall/action.template - For each user defined <action>, -copy this file to /etc/shorewall/action.<action> and add the -appropriate rules for that <action>. Once an <action> has -been defined, it may be used like any of the builtin ACTIONS (ACCEPT, -DROP, etc.) in /etc/shorewall/rules.
        -
        -Example: You want an action that logs a packet at the 'info' level and -accepts the connection.
        -
        +/etc/shorewall/action.template - For each user defined +<action>, copy this file to +/etc/shorewall/action.<action> and add the appropriate rules +for that <action>. Once an <action> has been defined, +it may be used like any of the builtin ACTIONS (ACCEPT, DROP, etc.) +in /etc/shorewall/rules.
        +
        +Example: You want an action that logs a packet at the 'info' level +and accepts the connection.
        +
        In /etc/shorewall/actions, you would add:
        -
        +
             LogAndAccept
        -
        +
        You would then copy /etc/shorewall/action.template to /etc/shorewall/LogAndAccept and in that file, you would add the two rules:
                LOG:info
                ACCEPT
      10. -
      -

      12/03/2003 - Support Torch Passed (New)

      -Effective today, I am reducing my participation in the -day-to-day support of Shorewall. As part of this shift to -community-based Shorewall support a new Shorewall -Newbies mailing list -has been established to field questions and problems from new users. I -will not monitor that list personally. I will continue my active -development of Shorewall -and will be available via the development list to handle development -issues -- Tom. -

      11/01/2003 - Shorewall 1.4.8 RC2 (New)

      -Given the small number of new features and the relatively few lines of -code that were changed, there will be no Beta for 1.4.8.
      -

      http://shorewall.net/pub/shorewall/Beta
      - ftp://shorewall.net/pub/shorewall/Beta
      -
      -
      Problems Corrected since version 1.4.7:
      -

      -
        -
      1. Tuomo Soini has supplied a correction to a problem that -occurs +
      + +

      12/03/2003 - Support Torch Passed (New)

      + +Effective today, I am reducing my participation in the day-to-day +support of Shorewall. As part of this shift to community-based +Shorewall support a new Shorewall +Newbies mailing list has been established to field questions +and problems from new users. I will not monitor that list +personally. I will continue my active development of Shorewall and +will be available via the development list to handle development +issues -- Tom. + +

      11/01/2003 - Shorewall 1.4.8 RC2 (New)

      + +Given the small number of new features and the relatively few lines +of code that were changed, there will be no Beta for 1.4.8.
      + + +

      http://shorewall.net/pub/shorewall/Beta
      + + ftp://shorewall.net/pub/shorewall/Beta
      +
      +
      Problems Corrected since version 1.4.7:
      +

      + +
        +
      1. Tuomo Soini has supplied a correction to a problem that occurs using some versions of 'ash'. The symptom is that "shorewall start" fails with:
         
           local: --limit: bad variable name
           iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so:
        -   cannot open shared object file: No such file or directory
        +   cannot open shared object file: No such file or +directory
           Try `iptables -h' or 'iptables --help' for more information.
      2. -
      3. Andres Zhoglo has supplied a correction that avoids trying -to use the multiport match iptables facility on ICMP rules.
        + +
      4. Andres Zhoglo has supplied a correction that avoids trying to +use the multiport match iptables facility on ICMP rules.
         
        -   Example of rule that previously caused "shorewall start" -to fail:
        +   Example of rule that previously caused "shorewall +start" to fail:
         
                   ACCEPT      loc  $FW  icmp    0,8,11,12
        -
        -
      5. -
      6. Previously, if the following error message was issued, +
        +
      7. + +
      8. Previously, if the following error message was issued, Shorewall was left in an inconsistent state.
         
        -   Error: Unable to determine the routes through interface xxx
        -
        -
      9. -
      10. Handling of the LOGUNCLEAN option in shorewall.conf has -been corrected.
      11. -
      12. In Shorewall 1.4.2, an optimization was added. This -optimization -involved creating a chain named "<zone>_frwd" for most zones -defined using the /etc/shorewall/hosts file. It has since been -discovered that in many cases these new chains contain redundant rules -and that the "optimization" turns out to be less than optimal. The -implementation has now been corrected.
      13. -
      14. When the MARK value in a tcrules entry is followed by ":F" -or +   Error: Unable to determine the routes through +interface xxx
        +
        +
      15. + +
      16. Handling of the LOGUNCLEAN option in shorewall.conf has been +corrected.
      17. + +
      18. In Shorewall 1.4.2, an optimization was added. This +optimization involved creating a chain named "<zone>_frwd" +for most zones defined using the /etc/shorewall/hosts file. It has +since been discovered that in many cases these new chains contain +redundant rules and that the "optimization" turns out to be less +than optimal. The implementation has now been corrected.
      19. + +
      20. When the MARK value in a tcrules entry is followed by ":F" or ":P", the ":F" or ":P" was previously only applied to the first -Netfilter rule generated by the entry. It is now applied to all entries.
      21. -
      22. An incorrect comment concerning Debian's use of the -SUBSYSLOCK option has been removed from shorewall.conf.
      23. -
      24. Previously, neither the 'routefilter' interface option nor -the -ROUTE_FILTER parameter were working properly. This has been corrected -(thanks to Eric Bowles for his analysis and patch). The definition of -the ROUTE_FILTER option has changed however. Previously, -ROUTE_FILTER=Yes was documented as enabling route filtering on all -interfaces (which didn't work). Beginning with this release, setting -ROUTE_FILTER=Yes will enable route filtering of all interfaces brought -up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can -coexist with the use of the 'routefilter' option in the interfaces file.
      25. -
      26. If MAC verification was enabled on an interface with a /32 -address and -a broadcast address then an error would occur during startup.
      27. -
      +Netfilter rule generated by the entry. It is now applied to all +entries.
    4. + +
    5. An incorrect comment concerning Debian's use of the SUBSYSLOCK +option has been removed from shorewall.conf.
    6. + +
    7. Previously, neither the 'routefilter' interface option nor the +ROUTE_FILTER parameter were working properly. This has been +corrected (thanks to Eric Bowles for his analysis and patch). The +definition of the ROUTE_FILTER option has changed however. +Previously, ROUTE_FILTER=Yes was documented as enabling route +filtering on all interfaces (which didn't work). Beginning with +this release, setting ROUTE_FILTER=Yes will enable route filtering +of all interfaces brought up while Shorewall is started. As a +consequence, ROUTE_FILTER=Yes can coexist with the use of the +'routefilter' option in the interfaces file.
    8. + +
    9. If MAC verification was enabled on an interface with a /32 +address and a broadcast address then an error would occur during +startup.
    10. +
    + Migration Issues:
    -
      -
    1. The definition of the ROUTE_FILTER option in shorewall.conf -has changed as described in item 8) above.
      -
    2. -
    + + +
      +
    1. The definition of the ROUTE_FILTER option in shorewall.conf has +changed as described in item 8) above.
      +
    2. +
    + New Features:
    -
      -
    1. A new QUEUE action has been introduced for rules. QUEUE -allows -you to pass connection requests to a user-space filter such as ftwall -(http://p2pwall.sourceforge.net). The ftwall program -allows for effective filtering of p2p applications such as Kazaa. For + + +
        +
      1. A new QUEUE action has been introduced for rules. QUEUE allows +you to pass connection requests to a user-space filter such as +ftwall (http://p2pwall.sourceforge.net). The ftwall program allows +for effective filtering of p2p applications such as Kazaa. For example, to use ftwall to filter P2P clients in the 'loc' zone, you would add the following rules:
        -
        +
           QUEUE   loc         net    tcp
           QUEUE   loc         net    udp
           QUEUE   loc         fw     udp
        -
        -You would normally want to place those three rules BEFORE any ACCEPT -rules for loc->net udp or tcp.
        -
        +
        +You would normally want to place those three rules BEFORE any +ACCEPT rules for loc->net udp or tcp.
        +
        Note: When the protocol specified is TCP ("tcp", "TCP" or "6"), Shorewall will only pass connection requests (SYN packets) to user space. This is for compatibility with ftwall.
      2. -
      3. A -BLACKLISTNEWNONLY option has been added to shorewall.conf. When this -option is set to "Yes", the blacklists (dynamic and static) are only -consulted for new connection requests. When set to "No" (the default if -the variable is not set), the blacklists are consulted on every packet.
        -
        + +
      4. A BLACKLISTNEWNONLY option has been added to shorewall.conf. +When this option is set to "Yes", the blacklists (dynamic and +static) are only consulted for new connection requests. When set to +"No" (the default if the variable is not set), the blacklists are +consulted on every packet.
        +
        Setting this option to "No" allows blacklisting to stop existing connections from a newly blacklisted host but is more expensive in terms of packet processing time. This is especially true if the blacklists contain a large number of entries.
      5. -
      6. Chain names used in the /etc/shorewall/accounting file may -now begin with a digit ([0-9]) and may contain embedded dashes ("-").
      7. -
      -

      10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper -bag awards Shorewall -1.4.7c released.

      -
        -
      1. The saga with "<zone>_frwd" chains continues. The -1.4.7c script -produces a ruleset that should work for everyone even if it is not -quite optimal. My apologies for this ongoing mess.
      2. -
      -

      10/24/2003 - Shorewall 1.4.7b (New)

      -

      This is a bugfx rollup of the 1.4.7a fixes plus:
      -

      -
        -
      1. The fix for problem 5 in 1.4.7a was wrong with the result -that -"<zone>_frwd" chains might contain too few rules. That wrong code -is corrected in this release.
        -
      2. -
      -

      10/21/2003 - Shorewall 1.4.7a

      -

      This is a bugfix rollup of the following problem corrections:
      -

      -
        -
      1. Tuomo Soini has supplied a correction to a problem that -occurs + +
      2. Chain names used in the /etc/shorewall/accounting file may now +begin with a digit ([0-9]) and may contain embedded dashes +("-").
      3. +
      + +

      10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper bag +awards Shorewall +1.4.7c released.

      + +
        +
      1. The saga with "<zone>_frwd" chains continues. The 1.4.7c +script produces a ruleset that should work for everyone even if it +is not quite optimal. My apologies for this ongoing mess.
      2. +
      + +

      10/24/2003 - Shorewall 1.4.7b (New)

      + +

      This is a bugfx rollup of the 1.4.7a fixes plus:
      +

      + +
        +
      1. The fix for problem 5 in 1.4.7a was wrong with the result that +"<zone>_frwd" chains might contain too few rules. That wrong +code is corrected in this release.
        +
      2. +
      + +

      10/21/2003 - Shorewall 1.4.7a

      + +

      This is a bugfix rollup of the following problem +corrections:
      +

      + +
        +
      1. Tuomo Soini has supplied a correction to a problem that occurs using some versions of 'ash'. The symptom is that "shorewall start" fails with:
         
           local: --limit: bad variable name
           iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so:
        -   cannot open shared object file: No such file or directory
        +   cannot open shared object file: No such file or +directory
           Try `iptables -h' or 'iptables --help' for more information.
        -
        -
      2. -
      3. Andres Zhoglo has supplied a correction that avoids trying -to use the multiport match iptables facility on ICMP rules.
        +
        +
      4. + +
      5. Andres Zhoglo has supplied a correction that avoids trying to +use the multiport match iptables facility on ICMP rules.
         
        -   Example of rule that previously caused "shorewall start" -to fail:
        +   Example of rule that previously caused "shorewall +start" to fail:
         
                   ACCEPT      loc  $FW  icmp    0,8,11,12
        -
        -
      6. -
      7. Previously, if the following error message was issued, +
        +
      8. + +
      9. Previously, if the following error message was issued, Shorewall was left in an inconsistent state.
         
           Error: Unable to determine the routes through interface xxx
        -
        -
      10. -
      11. Handling of the LOGUNCLEAN option in shorewall.conf has -been corrected.
      12. -
      13. In Shorewall 1.4.2, an optimization was added. This -optimization -involved creating a chain named "<zone>_frwd" for most zones -defined using the /etc/shorewall/hosts file. It has since been -discovered that in many cases these new chains contain redundant rules -and that the "optimization" turns out to be less than optimal. The -implementation has now been corrected.
      14. -
      15. When the MARK value in a tcrules entry is followed by ":F" -or +
        +
      16. + +
      17. Handling of the LOGUNCLEAN option in shorewall.conf has been +corrected.
      18. + +
      19. In Shorewall 1.4.2, an optimization was added. This +optimization involved creating a chain named "<zone>_frwd" +for most zones defined using the /etc/shorewall/hosts file. It has +since been discovered that in many cases these new chains contain +redundant rules and that the "optimization" turns out to be less +than optimal. The implementation has now been corrected.
      20. + +
      21. When the MARK value in a tcrules entry is followed by ":F" or ":P", the ":F" or ":P" was previously only applied to the first -Netfilter rule generated by the entry. It is now applied to all entries.
      22. -
      -

      More News

      - -

      - -

      (Leaf Logo) Jacques Nilo and Eric Wolzak have a LEAF -(router/firewall/gateway on a floppy, CD or compact flash) distribution -called Bering that features Shorewall-1.4.2 and Kernel-2.4.20. -You can find their work at: -http://leaf.sourceforge.net/devel/jnilo

      - Congratulations to Jacques and Eric on the recent release of -Bering 1.2!!!
      -

      SourceForge Logo

      - -

      - -

      This site is hosted by the generous folks at SourceForge.net

      -
      -
      -

      Donations

      -
    - - - - + + - - + + +
    -

    -


    - Shorewall is free but if you try it and find it -useful, please consider making a donation to Starlight +

    +

    Starlight Foundation Logo

    + +


    + Shorewall is free but if you try it and find it +useful, please consider making a donation to Starlight Children's Foundation. Thanks!

    -
    -

    Updated 12/07/2003 - Tom Eastep -
    + +

    Updated 12/07/2003 - Tom +Eastep

    +
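Review bot: the re-wrapped (+) side carries forward spelling errors that this pass over the whole file could have fixed in the same change: "temporarly" in the Site Problem paragraph (should be "temporarily"), "bugfx rollup" in the 10/24/2003 1.4.7b entry ("bugfix", as the 10/21/2003 1.4.7a entry already spells it), and "the QuickStart Guide that most closely match your environment" ("matches"). The 1.4.8 RC2 Migration Issues item also still reads "as described in item 8) above", so when the numbered list of corrected problems is re-wrapped and renumbered, that cross-reference should be checked against the ROUTE_FILTER item it points to.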