Changes for 1.3.9

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@265 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs/FAQ.htm

@@ -1,101 +1,122 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
-
 <head>
-<meta http-equiv="Content-Language" content="en-us">
+     
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta http-equiv="Content-Language" content="en-us">
-<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+     
-<meta name="ProgId" content="FrontPage.Editor.Document">
+  <meta http-equiv="Content-Type"
-<title>Shorewall FAQ</title>
+ content="text/html; charset=windows-1252">
-<meta name="Microsoft Theme" content="none">
+     
+  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+     
+  <meta name="ProgId" content="FrontPage.Editor.Document">
+  <title>Shorewall FAQ</title>
+         
+  <meta name="Microsoft Theme" content="none">
 </head>
+  <body>
     
-<body>
+<table border="0" cellpadding="0" cellspacing="0"
-
+ style="border-collapse: collapse;" width="100%" id="AutoNumber4"
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber4" bgcolor="#400169" height="90">
+ bgcolor="#400169" height="90">
+    <tbody>
      <tr>
       <td width="100%">            
-    <h1 align="center"><font color="#FFFFFF">Shorewall FAQs</font></h1>
+      <h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
       </td>
     </tr>
+     
+  </tbody> 
 </table>
     
-<p align="left"><b>1. </b><a href="#faq1">&nbsp;I want to <b>forward</b> UDP <b>
+<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
-port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've looked 
+ port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've looked 
-everywhere and can't find <b>how to do it</b>.</a></p>
+ everywhere and can't find <b>how to do it</b>.</a></p>
-<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions 
+   
-but it doesn't work.</a></p>
+<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions 
-<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests to www.mydomain.com (IP
+ but it doesn't work.</a></p>
-130.151.100.69) to system 192.168.1.5 in my local network. <b>External clients can browse</b>
+   
-http://www.mydomain.com but <b>internal clients can't</b>.</a></p>
+<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests 
-<p align="left"><b>2a. </b><a href="#faq3">I have a zone &quot;Z&quot; with an RFC1918 
+to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local 
-subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses to hosts in 
+network. <b>External clients can browse</b> http://www.mydomain.com but <b>internal 
-Z. Hosts in Z cannot communicate with each other using their external 
+clients can't</b>.</a></p>
-(non-RFC1918 addresses) so they <b>can't access each other using their DNS 
+   
-names.</b></a></p>
+<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918 
+ subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses to hosts 
+in  Z. Hosts in Z cannot communicate with each other using their external 
+ (non-RFC1918 addresses) so they <b>can't access each other using their DNS 
+ names.</b></a></p>
+    
+<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN 
+Messenger </b>with  Shorewall. What do I do?</a></p>
+   
+<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner 
+to  check my firewall and it shows <b>some ports as 'closed' rather than 'blocked'.</b>
+ Why?</a></p>
    
-<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting </b>with 
-Shorewall. What do I do?</a></p>
-<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner to 
-check my firewall and it shows <b>some ports as 'closed' rather than 'blocked'.</b> 
-Why?</a></p>
 <p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b> 
-of my firewall and it showed 100s of ports as open!!!!</a></p>
+ of my firewall and it showed 100s of ports as open!!!!</a></p>
-<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now I <b>
+   
-can't ping</b> through the firewall</a></p>
+<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now 
+I <b> can't ping</b> through the firewall</a></p>
     
 <p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b> 
-written and&nbsp; how do I <b>change the destination</b>?</a></p>
+ written and  how do I <b>change the destination</b>?</a></p>
     
 <p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b> 
-that work with Shorewall?</a></p>
+ that work with Shorewall?</a></p>
     
 <p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using 
 'shorewall stop', I can't connect to anything</b>. Why doesn't that command 
-work?</a></p>
+ work?</a></p>
     
-<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall on RedHat 7.x</b>, I
+<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall 
-get messages about insmod failing -- what's wrong?</a></p>
+on RedHat 7.x</b>, I get messages about insmod failing -- what's wrong?</a></p>
     
-<p align="left"><b>9. </b><a href="#faq9"><b>Why </b>does Shorewall <b>only accept IP addresses</b> as
+<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect 
-opposed to FQDNs?</a></p>
+my  interfaces </b>properly?</a></p>
            
-<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does it 
+<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does 
-work with?</a></p>
+it  work with?</a></p>
     
 <p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it 
 support?</a></p>
     
 <p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p>
     
-<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>&quot;Shorewall&quot;?</b></a></p>
+<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
-<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem and it has an internel 
-web server that allows me to configure/monitor it but as expected if I enable <b>
-rfc1918 blocking</b> for my eth0 interface, it also blocks the <b>cable modems 
-web server</b></a>.</p>
-<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public IP 
-addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 
-filtering on my external interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
    
-<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see out to 
+<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem 
-the net</b></a></p>
+and it has an internel  web server that allows me to configure/monitor it 
+but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface, 
+it also blocks the <b>cable modems  web server</b></a>.</p>
+   
+<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public 
+IP  addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
+1918  filtering on my external interface, <b>my DHCP client cannot renew its
+lease</b>.</a></p>
+    
+<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see 
+out to  the net</b></a></p>
     
 <p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages 
-all over my console</b> making it unusable!</a></p>
+ all over my console</b> making it unusable!</a></p>
        
-<p align="left"><b>17. </b><a href="#faq17">Why can't Shorewall <b>detect my 
-interfaces </b>properly?</a></p>
-<blockquote>
-<p align="left">&nbsp;</p>
-</blockquote>
 <hr>  
-<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to my my personal PC with IP
+<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to 
-address 192.168.1.5. I've looked everywhere and can't find how to do it.</h4>
+my my personal PC with IP address 192.168.1.5. I've looked everywhere and 
-<p align="left"><b>Answer: </b>The <a href="Documentation.htm#PortForward"> first example</a> in the <a href="Documentation.htm#Rules">rules
+can't find how to do it.</h4>
-file documentation</a> shows how to do port forwarding under Shorewall. Assuming
+   
-that you have a dynamic external IP address, the format of a port-forwarding
+<p align="left"><b>Answer: </b>The <a
-rule to a local system is as follows:</p>
+ href="Documentation.htm#PortForward"> first example</a> in the <a
+ href="Documentation.htm#Rules">rules file documentation</a> shows how to 
+do port forwarding under Shorewall. Assuming that you have a dynamic external 
+IP address, the format of a port-forwarding rule to a local system is as follows:</p>
+   
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber1">
+      <tbody>
        <tr>
         <td><u><b>ACTION</b></u></td>
         <td><u><b>SOURCE</b></u></td>
@@ -111,15 +132,21 @@ rule to a local system is as follows:</p>
         <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
         <td><i>&lt;protocol&gt;</i></td>
         <td><i>&lt;port #&gt;</i></td>
-      <td>&nbsp;</td>
+        <td> </td>
-      <td>&nbsp;</td>
+        <td> </td>
       </tr>
+         
+    </tbody>   
   </table>
-</blockquote>
+  </blockquote>
-<p align="left">So to forward UDP port 7777 to internal system 192.168.1.5, the
+   
-rule is:</p>
+<p align="left">So to forward UDP port 7777 to internal system 192.168.1.5, 
+the rule is:</p>
+   
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber1">
+      <tbody>
        <tr>
         <td><u><b>ACTION</b></u></td>
         <td><u><b>SOURCE</b></u></td>
@@ -135,18 +162,25 @@ rule is:</p>
         <td>loc:192.168.1.5</td>
         <td>udp</td>
         <td>7777</td>
-      <td>&nbsp;</td>
+        <td> </td>
-      <td>&nbsp;</td>
+        <td> </td>
       </tr>
+         
+    </tbody>   
   </table>
-</blockquote>
+  </blockquote>
+   
 <div align="left">  
 <pre align="left"><font face="Courier">     DNAT net loc:192.168.1.5 udp 7777</font></pre>
-</div>
+  </div>
+   
 <p align="left">If you want to forward requests directed to a particular
 address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
+   
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber1">
+      <tbody>
        <tr>
         <td><u><b>ACTION</b></u></td>
         <td><u><b>SOURCE</b></u></td>
@@ -165,46 +199,63 @@ address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</
         <td>-</td>
         <td><i>&lt;external IP&gt;</i></td>
       </tr>
+         
+    </tbody>   
   </table>
-</blockquote>
+  </blockquote>
-<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions but 
+   
-it doesn't work</h4>
+<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions 
+but  it doesn't work</h4>
+   
 <p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
+   
 <ul>
-  <li>You are trying to test from inside your firewall (no, that 
+    <li>You are trying to test from inside your firewall (no, that  won't 
-won't work -- see <a href="#faq2">FAQ #2</a>).</li>
+work -- see <a href="#faq2">FAQ #2</a>).</li>
     <li>You have a more basic problem with your local system such as an 
-incorrect default gateway configured (it should be set to the IP address of your 
+incorrect default gateway configured (it should be set to the IP address
-firewall's internal interface).</li>
+of your  firewall's internal interface).</li>
+   
 </ul>
-<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com (IP
+   
-130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse
+<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com 
-http://www.mydomain.com but internal clients can't.</h4>
+(IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients 
+can browse http://www.mydomain.com but internal clients can't.</h4>
+   
 <p align="left"><b>Answer: </b>I have two objections to this setup.</p>
+   
 <ul>
-  <li>Having an internet-accessible server in your local network
+    <li>Having an internet-accessible server in your local network     is 
-    is like raising foxes in the corner of your hen house. If the server is
+like raising foxes in the corner of your hen house. If the server is     compromised,
-    compromised, there's nothing between that server and your other internal
+there's nothing between that server and your other internal     systems.
-    systems. For the cost of another NIC and a cross-over cable, you can put
+For the cost of another NIC and a cross-over cable, you can put      your
-    your server in a DMZ such that it is isolated from your local systems -
+server in a DMZ such that it is isolated from your local systems -     assuming
-    assuming that the Server can be located near the Firewall, of course :-)</li>
+that the Server can be located near the Firewall, of course :-)</li>
-  <li>The accessibility problem is best solved using 
+    <li>The accessibility problem is best solved using    <a
-  <a href="shorewall_setup_guide.htm#DNS">Bind Version
+ href="shorewall_setup_guide.htm#DNS">Bind Version     9 "views"</a> (or using
-    9 &quot;views&quot;</a> (or using a separate DNS server for local clients) such that www.mydomain.com resolves to 130.141.100.69
+a separate DNS server for local clients) such that www.mydomain.com resolves
-    externally and 192.168.1.5 internally. That's what I do here at
+to 130.141.100.69     externally and 192.168.1.5 internally. That's what
-    shorewall.net for my local systems that use static NAT.</li>
+I do here at     shorewall.net for my local systems that use static NAT.</li>
+   
 </ul>
+   
 <p align="left">If you insist on an IP solution to the accessibility problem 
-rather than a DNS solution, then assuming that your external interface is eth0 
+ rather than a DNS solution, then assuming that your external interface is 
-and your internal interface is eth1 
+eth0  and your internal interface is eth1  and that eth1 has IP address 192.168.1.254 
-and that eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
+with subnet 192.168.1.0/24, do the following:</p>
-<p align="left">a) In /etc/shorewall/interfaces, specify &quot;multi&quot; as an option 
+   
-for eth1.</p>
+<p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option 
+ for eth1.</p>
+   
 <div align="left">  
-<p align="left">b) In /etc/shorewall/rules, add:</div>
+<p align="left">b) In /etc/shorewall/rules, add:</p>
+ </div>
+   
 <div align="left">  
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber1">
+      <tbody>
        <tr>
         <td><u><b>ACTION</b></u></td>
         <td><u><b>SOURCE</b></u></td>
@@ -223,25 +274,35 @@ for eth1.</p>
         <td>-</td>
         <td>130.151.100.69:192.168.1.254</td>
       </tr>
+         
+    </tbody>   
   </table>
-</blockquote>
+  </blockquote>
-</div>
+  </div>
+   
 <div align="left">  
-<pre align="left">     <font face="Courier">DNAT&nbsp;&nbsp;&nbsp; loc:192.168.1.0/24&nbsp;&nbsp;&nbsp; loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; www&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp; 130.151.100.69:192.168.1.254</font></pre>
+<pre align="left">     <font face="Courier">DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254</font></pre>
-</div>
+  </div>
+   
 <div align="left">  
-<p align="left">That rule only works of course if you have a static external IP 
+<p align="left">That rule only works of course if you have a static external 
-address. If you 
+IP  address. If you  have a dynamic IP address and are running Shorewall 1.3.4
-have a dynamic IP address and are running Shorewall 1.3.4 or later then include this in 
+or later then include this in  /etc/shorewall/params:</p>
-/etc/shorewall/params:</div>
+ </div>
+   
 <div align="left">  
 <pre>     ETH0_IP=`find_interface_address eth0`</pre>
-</div>
+  </div>
+   
 <div align="left">  
-<p align="left">and make your DNAT rule:</div>
+<p align="left">and make your DNAT rule:</p>
+ </div>
+   
 <div align="left">  
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber1">
+      <tbody>
        <tr>
         <td><u><b>ACTION</b></u></td>
         <td><u><b>SOURCE</b></u></td>
@@ -260,37 +321,50 @@ have a dynamic IP address and are running Shorewall 1.3.4 or later then include
         <td>-</td>
         <td>$ETH0_IP:192.168.1.254</td>
       </tr>
+         
+    </tbody>   
   </table>
-</blockquote>
+  </blockquote>
-</div>
+  </div>
+   
 <div align="left">  
 <p align="left">Using this technique, you will want to configure your DHCP/PPPoE 
-client to automatically restart Shorewall each time that you get a new IP 
+ client to automatically restart Shorewall each time that you get a new IP 
-address.</div>
+ address.</p>
-<h4 align="left"><a name="faq2a"></a>2a. I have a zone &quot;Z&quot; with an RFC1918 subnet and I
+ </div>
-use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot
+   
-communicate with each other using their external (non-RFC1918 addresses) so they
+<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918 
-can't access each other using their DNS names.</h4>
+subnet and I use static NAT to assign non-RFC1918 addresses to hosts in Z. 
-<p align="left"><b>Answer: </b>This is another problem that is best solved using Bind Version 9
+Hosts in Z cannot communicate with each other using their external (non-RFC1918 
-&quot;views&quot;. It allows both external and internal clients to access a
+addresses) so they can't access each other using their DNS names.</h4>
-NATed host using the host's DNS name.</p>
+   
+<p align="left"><b>Answer: </b>This is another problem that is best solved 
+using Bind Version 9 "views". It allows both external and internal clients 
+to access a NATed host using the host's DNS name.</p>
+   
 <p align="left">Another good way to approach this problem is to switch from
-static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses and
+ static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses 
-can be accessed externally and internally using the same address.&nbsp;</p>
+and can be accessed externally and internally using the same address. </p>
+   
 <p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
 traffic through your firewall then:</p>
-<p align="left">a) Specify &quot;multi&quot; on the entry for Z's interface in
+   
-/etc/shorewall/interfaces.<br>
+<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces.<br>
-b) Set the Z-&gt;Z policy to ACCEPT.<br>
+  b) Set the Z-&gt;Z policy to ACCEPT.<br>
-c) Masquerade Z to itself.<br>
+  c) Masquerade Z to itself.<br>
-<br>
+  <br>
-Example:</p>
+  Example:</p>
+   
 <p align="left">Zone: dmz<br>
-Interface: eth2<br>
+  Interface: eth2<br>
-Subnet: 192.168.2.0/24</p>
+  Subnet: 192.168.2.0/24</p>
+   
 <p align="left">In /etc/shorewall/interfaces:</p>
+   
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber2">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber2">
+      <tbody>
        <tr>
         <td><u><b>ZONE</b></u></td>
         <td><u><b>INTERFACE</b></u></td>
@@ -303,11 +377,17 @@ Subnet: 192.168.2.0/24</p>
         <td>192.168.2.255</td>
         <td>multi</td>
       </tr>
+         
+    </tbody>   
   </table>
-</blockquote>
+  </blockquote>
+   
 <p align="left">In /etc/shorewall/policy:</p>
+   
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber3">
+      <tbody>
        <tr>
         <td><u><b>SOURCE </b></u></td>
         <td><u><b>DESTINATION</b></u></td>
@@ -318,16 +398,23 @@ Subnet: 192.168.2.0/24</p>
         <td>dmz</td>
         <td>dmz</td>
         <td>ACCEPT</td>
-      <td>&nbsp;</td>
+        <td> </td>
       </tr>
+         
+    </tbody>   
   </table>
-</blockquote>
+  </blockquote>
+   
 <div align="left">  
-<pre align="left">     dmz&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; ACCEPT</pre>
+<pre align="left">     dmz    dmz    ACCEPT</pre>
-</div>
+  </div>
+   
 <p align="left">In /etc/shorewall/masq:</p>
+   
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3" width="369">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber3" width="369">
+      <tbody>
        <tr>
         <td width="93"><u><b>INTERFACE </b></u></td>
         <td width="31"><u><b>SUBNET</b></u></td>
@@ -336,154 +423,198 @@ Subnet: 192.168.2.0/24</p>
       <tr>
         <td width="93">eth2</td>
         <td width="31">192.168.2.0/24</td>
-      <td width="120">&nbsp;</td>
+        <td width="120"> </td>
       </tr>
-  </table>
-</blockquote>
-<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting with Shorewall. What do I do?</h4>
-<p align="left"><b>Answer: </b>There is an <a href="http://www.kfki.hu/~kadlec/sw/netfilter/newnat-suite/"> H.323 connection tracking/NAT module</a> that may help.
-Also check the Netfilter mailing list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>. </p>
          
-  <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner to 
+    </tbody>   
-  check my firewall and it shows some ports as 'closed' rather than 'blocked'. 
+  </table>
+  </blockquote>
+   
+<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting/MSN Messenger 
+with Shorewall. What do I do?</h4>
+   
+<p align="left"><b>Answer: </b>There is an <a
+ href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection 
+tracking/NAT module</a> that may help. Also check the Netfilter mailing list 
+archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>. 
+</p>
+      
+<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner 
+to    check my firewall and it shows some ports as 'closed' rather than 'blocked'. 
    Why?</h4>
       
-  <p align="left"><b>Answer: </b>The common.def included with version 1.3.x always 
+<p align="left"><b>Answer: </b>The common.def included with version 1.3.x 
-  rejects connection requests on TCP port 113 rather than dropping them. This is 
+always    rejects connection requests on TCP port 113 rather than dropping 
-  necessary to prevent outgoing connection problems to services that use the 
+them. This is    necessary to prevent outgoing connection problems to services 
-  'Auth' mechanism for identifying requesting users. Shorewall also rejects TCP 
+that use the    'Auth' mechanism for identifying requesting users. Shorewall 
-  ports 135, 137 and 139 as well as UDP ports 137-139. These are ports that are 
+also rejects TCP    ports 135, 137 and 139 as well as UDP ports 137-139. These
-  used by Windows (Windows <u>can</u> be configured to use the DCE cell locator 
+are ports that are    used by Windows (Windows <u>can</u> be configured to
-  on port 135). Rejecting these connection requests rather than dropping them 
+use the DCE cell locator    on port 135). Rejecting these connection requests 
-  cuts down slightly on the amount of Windows chatter on LAN segments connected 
+rather than dropping them    cuts down slightly on the amount of Windows chatter
-  to the Firewall. </p>
+on LAN segments connected    to the Firewall. </p>
       
-  <p align="left">If you are seeing port 80 being 'closed', that's probably your 
+<p align="left">If you are seeing port 80 being 'closed', that's probably 
-  ISP preventing you from running a web server in violation of your Service 
+your    ISP preventing you from running a web server in violation of your 
-  Agreement.</p>
+Service    Agreement.</p>
       
-  <h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my 
+<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my 
    firewall and it showed 100s of ports as open!!!!</h4>
       
-  <p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page section about 
+<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page 
-  UDP scans. If nmap gets <b>nothing</b> back from your firewall then it reports 
+section about    UDP scans. If nmap gets <b>nothing</b> back from your firewall 
-  the port as open. If you want to see which UDP ports are really open, 
+then it reports    the port as open. If you want to see which UDP ports are 
-  temporarily change your net-&gt;all policy to REJECT, restart Shorewall and do 
+really open,    temporarily change your net-&gt;all policy to REJECT, restart 
-  the nmap UDP scan again.</p>
+Shorewall and do    the nmap UDP scan again.</p>
+    
+<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I 
+can't ping through the firewall</h4>
+   
+<p align="left"><b>Answer: </b>If you want your firewall to be totally open 
+for "ping": </p>
+   
+<p align="left">a) Do NOT specify 'noping' on any interface in  /etc/shorewall/interfaces.<br>
+  b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
+  c) Add the following to /etc/shorewall/icmpdef: </p>
    
-<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I can't ping through the
-firewall</h4>
-<p align="left"><b>Answer: </b>If you want your firewall to be totally open for
-&quot;ping&quot;: </p>
-<p align="left">a) Do NOT specify 'noping' on any interface in
-/etc/shorewall/interfaces.<br>
-b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
-c) Add the following to /etc/shorewall/icmpdef: </p>
 <blockquote>    
-<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j
+  <p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request 
-ACCEPT </p>
+-j ACCEPT </p>
-</blockquote>
+  </blockquote>
+   
 <h4 align="left"><a name="faq6"></a>6. Where are the log messages written
-and&nbsp; how do I change the destination?</h4>
+ and  how do I change the destination?</h4>
-<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog (see &quot;man
+   
-syslog&quot;) to log messages. It always uses the LOG_KERN (kern) facility (see
+<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
-&quot;man openlog&quot;) and you get to choose the log level (again, see
+(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
-&quot;man syslog&quot;) in your <a href="Documentation.htm#Policy">policies</a>
+(see "man openlog") and you get to choose the log level (again, see "man
-and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
+syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
-logged by syslog is controlled by /etc/syslog.conf (see &quot;man
+ href="Documentation.htm#Rules">rules</a>. The destination for messaged  logged
-syslog.conf&quot;). When you have changed /etc/syslog.conf, be sure to restart
+by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). When
-syslogd (on a RedHat system, &quot;service syslog restart&quot;). </p>
+you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat
-<p align="left">By default, older versions of Shorewall ratelimited log messages through
+system, "service syslog restart"). </p>
-<a href="Documentation.htm#Conf">settings</a>
+   
-in /etc/shorewall/shorewall.conf -- If you want to log all messages, set: </p>
+<p align="left">By default, older versions of Shorewall ratelimited log messages 
+through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf 
+-- If you want to log all messages, set: </p>
+   
 <div align="left">  
-<pre align="left">     LOGLIMIT=&quot;&quot;
+<pre align="left">     LOGLIMIT=""<br>     LOGBURST=""</pre>
-     LOGBURST=&quot;&quot;</pre>
+  </div>
-</div>
+   
 <h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work
-with Shorewall?</h4>
+ with Shorewall?</h4>
-<p align="left"><b>Answer: </b>Here are several links that may be helpful: </p>
+   
+<p align="left"><b>Answer: </b>Here are several links that may be helpful: 
+</p>
+   
 <blockquote>    
-<p align="left"><a href="http://www.shorewall.net/pub/shorewall/parsefw/">
+  <p align="left"><a
-http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
+ href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
-<a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
+  <a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
-<a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a></p>
+  <a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a></p>
-</blockquote>
+  </blockquote>
+   
 <h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
-stop', I can't connect to anything. Why doesn't that command work?</h4>
+ stop', I can't connect to anything. Why doesn't that command work?</h4>
-<p align="left">The 'stop' command is intended to place your firewall into a
+   
-safe state whereby only those interfaces/hosts having the 'routestopped' option
+<p align="left">The 'stop' command is intended to place your firewall into 
-in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. If you want
+a safe state whereby only those interfaces/hosts having the 'routestopped' 
-to totally open up your firewall, you must use the 'shorewall clear' command. </p>
+option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. 
+If you want to totally open up your firewall, you must use the 'shorewall 
+clear' command. </p>
+   
 <h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat
-7.x, I get messages about insmod failing -- what's wrong?</h4>
+ 7.x, I get messages about insmod failing -- what's wrong?</h4>
-<p align="left"><b>Answer: </b>The output you will see looks something like this:</p>
+   
-<pre>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
+<p align="left"><b>Answer: </b>The output you will see looks something like 
-     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
+this:</p>
-     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
+   
-     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
+<pre>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy<br>     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed<br>     iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)<br>     Perhaps iptables or your kernel needs to be upgraded.</pre>
-     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
+   
-     iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
+<p align="left">This is usually cured by the following sequence of commands: 
-     Perhaps iptables or your kernel needs to be upgraded.</pre>
+</p>
-<p align="left">This is usually cured by the following sequence of commands: </p>
+   
 <div align="left">  
-<pre align="left">     service ipchains stop
+<pre align="left">     service ipchains stop<br>     chkconfig --delete ipchains<br>     rmmod ipchains</pre>
-     chkconfig --delete ipchains
+  </div>
-     rmmod ipchains</pre>
+   
-</div>
 <div align="left">  
-<p align="left">Also, be sure to check the <a href="errata.htm">errata</a> for 
+<p align="left">Also, be sure to check the <a href="errata.htm">errata</a> 
-problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</div>
+for  problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</p>
-<h4 align="left">     <a name="faq9"></a>9. Why does Shorewall only accept IP
+ </div>
-addresses as opposed to FQDNs?</h4><p align="left">     <b>Answer: </b>FQDNs in iptables rules 
+   
-aren't nearly as useful as they first appear. When a DNS name appears in a rule, 
+<h4 align="left">     
-the iptables utility resolves the name to one or more IP addresses and inserts 
+<h4 align="left"><a name="faq9"></a>9. Why can't Shorewall detect my    interfaces
-those addresses into the rule. So change in the DNS-&gt;IP address relationship 
+properly?</h4>
-that occur after the firewall has started have absolutely no effect on the 
+      </h4>
-firewall's ruleset.</p>
+<p align="left">I just installed Shorewall and when I issue the start command, 
-<p align="left">     I'm also trying to protect
+   I see the following:</p>
-people from themselves. If your firewall rules include FQDN's then:</p>
+    
-<ul>
+<div align="left">    
-  <li>If your /etc/resolv.conf is wrong then your firewall won't
+<pre>     Processing /etc/shorewall/shorewall.conf ...<br>     Processing /etc/shorewall/params ...<br>     Starting Shorewall...<br>     Loading Modules...<br>     Initializing...<br>     Determining Zones...<br>     Zones: net loc<br>     Validating interfaces file...<br>     Validating hosts file...<br>     Determining Hosts in Zones...<br><b>     Net Zone: eth0:0.0.0.0/0<br>     Local Zone: eth1:0.0.0.0/0<br></b>     Deleting user chains...<br>     Creating input Chains...<br>     ...</pre>
-    start.</li>
+  </div>
-  <li>If your /etc/nsswitch.conf is wrong then your firewall won't
+   
-    start.</li>
+<div align="left">    
-  <li>If your Name Server(s) is(are) down then your firewall won't
+<p align="left">Why can't Shorewall detect my interfaces properly?</p>
-    start.</li>
+ </div>
-  <li>Factors totally outside your control (your ISP's router is
+   
-    down for example), can prevent your firewall from starting.</li>
+<div align="left">    
-</ul>
+<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
-    <h4 align="left"><a name="faq10"></a>10. What Distributions does it work 
+   zone is defined as all hosts that are connected through eth0 and the local
+   zone is defined as all hosts connected through eth1</p>
+ </div>
+       
+<h4 align="left"><a name="faq10"></a>10. What Distributions does it work 
     with?</h4>
-    <p align="left">Shorewall works with any GNU/Linux distribution that includes 
+       
-    the <a href="shorewall_prerequisites.htm">proper prerequisites</a>.<h4 align="left">11. What Features does it have?</h4>
+<p align="left">Shorewall works with any GNU/Linux distribution that includes 
-    <p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall Feature 
+     the <a href="shorewall_prerequisites.htm">proper prerequisites</a>.</p>
-    List</a>.<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
+ 
-    <p align="left"><b>Answer: </b>Every time I've started to work on one, I find myself doing 
+<h4 align="left">11. What Features does it have?</h4>
-    other things. I guess I just don't care enough if Shorewall has a GUI to 
+       
-    invest the effort to create one myself. There are several Shorewall GUI 
+<p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall 
-    projects underway however and I will publish links to them when the authors 
+Feature      List</a>.</p>
-    feel that they are ready. <h4 align="left">
+ 
-<a name="faq13"></a>13. Why do you call it &quot;Shorewall&quot;?</h4>
+<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
-    <p align="left"><b>Answer: </b>Shorewall is a concatenation of &quot;<u>Shore</u>line&quot; (<a href="http://www.cityofshoreline.com">the 
+       
-    city where I live</a>) and &quot;Fire<u>wall</u>&quot;.<h4 align="left">
+<p align="left"><b>Answer: </b>Every time I've started to work on one, I find
-<a name="faq14"></a>14.&nbsp; I'm connected via a cable modem and it has an 
+myself doing      other things. I guess I just don't care enough if Shorewall
-internal web server that allows me to configure/monitor it but as expected if I 
+has a GUI to      invest the effort to create one myself. There are several
-enable rfc1918 blocking for my eth0 interface (the internet one), it also blocks 
+Shorewall GUI      projects underway however and I will publish links to
-the cable modems web server.</h4>
+them when the authors      feel that they are ready. </p>
-    <p align="left">Is there any way it can add a rule before the 
+ 
-rfc1918 blocking that will let all traffic to and from the 192.168.100.1 address 
+<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
-of the modem in/out but still block all other rfc1918 addresses.</p>
+       
-    <p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier than 
+<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line" 
-    1.3.1, create /etc/shorewall/start and in it, place the following:<div align="left">
+(<a href="http://www.cityofshoreline.com">the      city where I live</a>) 
-  <pre>     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
+and "Fire<u>wall</u>".</p>
-</div>
+ 
+<h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem 
+and it has an  internal web server that allows me to configure/monitor it 
+but as expected if I  enable rfc1918 blocking for my eth0 interface (the internet
+one), it also blocks  the cable modems web server.</h4>
+       
+<p align="left">Is there any way it can add a rule before the  rfc1918 blocking 
+that will let all traffic to and from the 192.168.100.1 address  of the modem 
+in/out but still block all other rfc1918 addresses.</p>
+       
+<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
+than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
+ 
 <div align="left">    
-  <p align="left">If you are running version 1.3.1 or later, simply add the 
+<pre>     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
-  following to<a href="Documentation.htm#rfc1918"> /etc/shorewall/rfc1918</a>:</div>
+  </div>
+   
 <div align="left">    
-  <blockquote>
+<p align="left">If you are running version 1.3.1 or later, simply add the 
-    <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
+   following to<a href="Documentation.htm#rfc1918"> /etc/shorewall/rfc1918</a>:</p>
+ </div>
+   
+<div align="left">    
+<blockquote>        
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber3">
+        <tbody>
        <tr>
           <td><u><b>SUBNET </b></u></td>
           <td><u><b>TARGET</b></u></td>
@@ -492,88 +623,71 @@ of the modem in/out but still block all other rfc1918 addresses.</p>
           <td>192.168.100.1</td>
           <td>RETURN</td>
         </tr>
+           
+    </tbody>   
   </table>
     </blockquote>
-</div>
+  </div>
-  <div align="left">
-  <p align="left">Be sure that you add the entry ABOVE the entry for 
-  192.168.0.0/16.</div>
-  <div align="left">
-  <h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP 
-  addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 
-  filtering on my external interface, my DHCP client cannot renew its lease.</h4>
-</div>
-  <div align="left">
-  <p align="left">The solution is the same as FAQ 14 above. Simply substitute 
-  the IP address of your ISPs DHCP server.</div>
-<h4 align="left"><a name="faq15"></a>15. My local systems can't see out to the 
-net</h4>
      
-<p align="left"><b>Answer: </b>Every time I read &quot;systems can't see out to the net&quot;, I wonder 
+<div align="left">    
-where the poster bought computers with eyes and what those computers will &quot;see&quot; 
+<p align="left">Be sure that you add the entry ABOVE the entry for    192.168.0.0/16.</p>
-when things are working properly. That aside, the most common causes of this 
+ </div>
-problem are:</p>
+     
+<div align="left">    
+<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
+   addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
+1918    filtering on my external interface, my DHCP client cannot renew its
+lease.</h4>
+  </div>
+     
+<div align="left">    
+<p align="left">The solution is the same as FAQ 14 above. Simply substitute 
+   the IP address of your ISPs DHCP server.</p>
+ </div>
+   
+<h4 align="left"><a name="faq15"></a>15. My local systems can't see out to 
+the  net</h4>
+    
+<p align="left"><b>Answer: </b>Every time I read "systems can't see out to 
+the net", I wonder  where the poster bought computers with eyes and what those
+computers will "see"  when things are working properly. That aside, the most
+common causes of this  problem are:</p>
     
 <ol>
-  <li><p align="left">The default gateway on each local system isn't set to the 
+    <li>     
-  IP address of the local firewall interface.</p>
+    <p align="left">The default gateway on each local system isn't set to 
-
+the    IP address of the local firewall interface.</p>
      </li>
-  <li><p align="left">The entry for the local network in the /etc/shorewall/masq 
+    <li>     
+    <p align="left">The entry for the local network in the /etc/shorewall/masq 
    file is wrong or missing.</p>
-
      </li>
-  <li><p align="left">The DNS settings on the local systems are wrong or the 
+    <li>     
-  user is running a DNS server on the firewall and hasn't enabled UDP and TCP 
+    <p align="left">The DNS settings on the local systems are wrong or the 
-  port 53 from the firewall to the internet.</p>
+   user is running a DNS server on the firewall and hasn't enabled UDP and 
-
+TCP    port 53 from the firewall to the internet.</p>
      </li>
+   
 </ol>
-<h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages all 
-over my console making it unusable!</h4>
    
-  <p align="left"><b>Answer: </b>&quot;man dmesg&quot; -- add a suitable 'dmesg' command to your startup 
+<h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages 
-  scripts or place it in /etc/shorewall/start. Under RedHat, the max log level 
+all  over my console making it unusable!</h4>
-  that is sent to the console is specified in /etc/sysconfig/init in the 
-  LOGLEVEL variable.</p>
       
-  <h4 align="left"><a name="faq17"></a>17. Why can't Shorewall detect my 
+<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command 
-  interfaces properly?</h4>
+to your startup    scripts or place it in /etc/shorewall/start. Under RedHat, 
-
+the max log level    that is sent to the console is specified in /etc/sysconfig/init 
-  <p align="left">I just installed Shorewall and when I issue the start command, 
+in the    LOGLEVEL variable.</p>
-  I see the following:</p>
       
 <div align="left">
-  <pre>     Processing /etc/shorewall/shorewall.conf ...
+<p align="left"></p>
-     Processing /etc/shorewall/params ...
+ </div>
-     Starting Shorewall...
-     Loading Modules...
-     Initializing...
-     Determining Zones...
-     Zones: net loc
-     Validating interfaces file...
-     Validating hosts file...
-     Determining Hosts in Zones...
-<b>     Net Zone: eth0:0.0.0.0/0
-     Local Zone: eth1:0.0.0.0/0
-</b>     Deleting user chains...
-     Creating input Chains...
-     ...</pre>
-</div>
-<div align="left">
-  <p align="left">Why can't Shorewall detect my interfaces properly?</div>
-<div align="left">
-  <p align="left"><b>Answer: </b>The above output is perfectly normal. The Net 
-  zone is defined as all hosts that are connected through eth0 and the local 
-  zone is defined as all hosts connected through eth1.</div>
     
-<p align="left"><font size="2">Last updated 
+<p align="left"><font size="2">Last updated 9/23/2002 - <a
-8/24/2002 - <a href="support.htm">Tom
+ href="support.htm">Tom Eastep</a></font></p>
-Eastep</a></font></p>
     
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-
+   <br>
+ <br>
 </body>
-
 </html>

Shorewall-docs/Shorewall_index_frame.htm

@@ -1,106 +1,106 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
-
 <head>
-<meta http-equiv="Content-Language" content="en-us">
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
-<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-<meta name="ProgId" content="FrontPage.Editor.Document">
-<title>Shorewall Index</title>
-<base target="main">
-<meta name="Microsoft Theme" content="none">
-</head>
                  
-<body>
+  <meta http-equiv="Content-Language" content="en-us">
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#4B017C" height="90">
+                 
+  <meta http-equiv="Content-Type"
+ content="text/html; charset=windows-1252">
+                 
+  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+                 
+  <meta name="ProgId" content="FrontPage.Editor.Document">
+  <title>Shorewall Index</title>
+                  <base target="main">             
+  <meta name="Microsoft Theme" content="none">
+</head>
+  <body>
+         
+<table border="0" cellpadding="0" cellspacing="0"
+ style="border-collapse: collapse;" width="100%" id="AutoNumber1"
+ bgcolor="#4b017c" height="90">
+       <tbody>
         <tr>
          <td width="100%" height="90">                                 
-    <h3 align="center"><font color="#FFFFFF">Shorewall</font></h3>
+      <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
          </td>
        </tr>
        <tr>
-    <td width="100%" bgcolor="#FFFFFF">
+         <td width="100%" bgcolor="#ffffff">                            
+    
       <ul>
-      <li>
+           <li> <a href="seattlefirewall_index.htm">Home</a></li>
-<a href="seattlefirewall_index.htm">Home</a></li>
+                   <li> <a href="shorewall_features.htm">Features</a></li>
-      <li>
+           <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
-<a target="_top" href="/1.2/index.htm">Shorewall 1.2 Home</a></li>
+           <li> <a href="download.htm">Download</a></li>
-      <li>
+           <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
-<a href="shorewall_features.htm">Features</a></li>
+           <li> <a href="Install.htm">Installation/Upgrade/</a><br>
-      <li>
+     <a href="Install.htm">Configuration</a></li>
-<a href="shorewall_prerequisites.htm">Requirements</a></li>
+           <li> <a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
-      <li>
+           <li> <a href="Documentation.htm">Reference Manual</a></li>
-<a href="download.htm">Download</a></li>
+           <li> <a href="FAQ.htm">FAQs</a></li>
-      <li>
+            <li><a href="useful_links.html">Useful Links</a><br>
-<a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
+            </li>
-      <li>
+           <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
-<a href="Install.htm">Installation/Upgrade/</a><br>
+           <li> <a href="errata.htm">Errata</a></li>
-<a href="Install.htm">Configuration</a></li>
+           <li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
-      <li>
+           <li> <a href="support.htm">Support</a></li>
-<a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
+           <li> <a href="mailing_list.htm">Mailing Lists</a></li>
-      <li>
+           <li> <a href="shorewall_mirrors.htm">Mirrors</a>             
-<a href="Documentation.htm">Reference Manual</a></li>
+                              
-      <li>
+          <ul>
-<a href="FAQ.htm">FAQs</a></li>
+             <li><a target="_top" href="http://slovakia.shorewall.net">Slovak
-      <li>
+  Republic</a></li>
-<a href="troubleshoot.htm">Troubleshooting</a></li>
+             <li><a target="_top" href="http://shorewall.infohiiway.com">Texas,
-      <li>
+  USA</a></li>
-<a href="errata.htm">Errata</a></li>
-      <li>
-<a href="upgrade_issues.htm">Upgrade Issues</a></li>
-      <li>
-<a href="support.htm">Support</a></li>
-      <li>
-<a href="mailing_list.htm">Mailing Lists</a></li>
-      <li>
-<a href="shorewall_mirrors.htm">Mirrors</a><ul>
-        <li><a target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
-        <li><a target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
              <li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
-        <li><a target="_top" href="http://shorewall.correofuego.com.ar">Argentina</a></li>
+             <li><a target="_top"
+ href="http://shorewall.correofuego.com.ar">Argentina</a></li>
              <li><a target="_top" href="http://france.shorewall.net">France</a></li>
+                                                       
           </ul>
            </li>
+                                     
       </ul>
+                                     
       <ul>
-      <li>
+           <li>   <a href="News.htm">News Archive</a></li>
-  <a href="News.htm">News Archive</a></li>
+           <li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
-      <li>
+           <li> <a href="quotes.htm">Quotes from Users</a></li>
-<a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></li>
+           <li> <a href="shoreline.htm">About the Author</a></li>
-      <li>
+           <li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
-<a href="quotes.htm">Quotes from Users</a></li>
+                                     
-      <li>
-<a href="shoreline.htm">About the Author</a></li>
-      <li>
-<a href="seattlefirewall_index.htm#Donations">Donations</a></li>
       </ul>
          </td>
        </tr>
+                 
+  </tbody>    
 </table>
           
-<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch" >
+<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> 
-  <p>
+             
-  <strong>Quick Search</strong><br>
+  <p>   <strong>Quick Search</strong><br>
-  <font face="Arial" size="-1">
+       <font face="Arial" size="-1">     <input type="text" name="words"
-    <input type=text name=words size=15></font><font size="-1"> </font>
+ size="15"></font><font size="-1"> </font>   <font face="Arial"
-  <font face="Arial" size="-1">
+ size="-1">     <input type="hidden" name="format" value="long">     <input
-    <input type=hidden name=format value=long>
+ type="hidden" name="method" value="and">     <input type="hidden"
-    <input type=hidden name=method value=and>
+ name="config" value="htdig">     <input type="submit" value="Search"></font> 
-    <input type=hidden name=config value=htdig>
-    <input type="submit" value="Search"></font>
     </p>
-  <font face="Arial">
+       <font face="Arial">   <input type="hidden" name="exclude"
-  <input type="hidden" name="exclude" value="[http://www.shorewall.net/pipermail/*]">
+ value="[http://www.shorewall.net/pipermail/*]">   </font> </form>
-  </font>
-</form>
                     
-<p><strong><a href="htdig/search.html">Extended Search Forms</a></strong></p>
+<p><b><a href="htdig/search.html">Extended Search</a></b></p>
           
-<p><a href="copyright.htm"><font size="2">Copyright</font> 
+<p><a href="copyright.htm"><font size="2">Copyright</font>  © <font
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
+ size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
-
-<p><a href="http://www.shorewall.net" target="_top">
-<img border="1" src="images/shorewall.jpg" width="119" height="38" hspace="0"></a></p>
           
+<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
+ src="images/shorewall.jpg" width="119" height="38" hspace="0">
+    </a></p>
+      <br>
+    <br>
+   <br>
+  <br>
+ <br>
 </body>
-
 </html>

Shorewall-docs/configuration_file_basics.htm

@@ -1,41 +1,49 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
-
 <head>
-<meta http-equiv="Content-Language" content="en-us">
+     
-<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+  <meta http-equiv="Content-Language" content="en-us">
-<meta name="ProgId" content="FrontPage.Editor.Document">
+     
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-<title>Configuration File Basics</title>
+     
+  <meta name="ProgId" content="FrontPage.Editor.Document">
+     
+  <meta http-equiv="Content-Type"
+ content="text/html; charset=windows-1252">
+  <title>Configuration File Basics</title>
 </head>
+  <body>
     
-<body>
+<table border="0" cellpadding="0" cellspacing="0"
-
+ style="border-collapse: collapse;" bordercolor="#111111" width="100%"
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#400169" height="90">
+    <tbody>
      <tr>
       <td width="100%">            
-    <h1 align="center"><font color="#FFFFFF">Configuration Files</font></h1>
+      <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
       </td>
     </tr>
+     
+  </tbody> 
 </table>
-      <p><b><font color="#FF0000">Warning: </font>If you copy or edit your 
+         
+<p><b><font color="#ff0000">Warning: </font>If you copy or edit your     
   configuration files on a system running Microsoft Windows, you <u>must</u> 
-      run them through <a href="http://www.megaloman.com/~hany/software/hd2u/">
+       run them through <a
-      dos2unix</a> before you use them with Shorewall.</b></p>
+ href="http://www.megaloman.com/%7Ehany/software/hd2u/">       dos2unix</a> 
+before you use them with Shorewall.</b></p>
                             
+<h2>Files</h2>
                             
-      <h2>Files</h2>
+<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
                             
-     
+<ul>
-      <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
-            
-     
-      <ul>
           <li>/etc/shorewall/shorewall.conf - used to set several firewall
          parameters.</li>
-        <li>/etc/shorewall/params - use this file to set shell variables that you will
+          <li>/etc/shorewall/params - use this file to set shell variables 
-    expand in other files.</li>
+that you will     expand in other files.</li>
-        <li>/etc/shorewall/zones - partition the firewall's view of the world
+          <li>/etc/shorewall/zones - partition the firewall's view of the 
-        into <i>zones.</i></li>
+world         into <i>zones.</i></li>
           <li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
           <li>/etc/shorewall/interfaces - describes the interfaces on the
         firewall system.</li>
@@ -44,190 +52,249 @@
           <li>/etc/shorewall/masq - directs the firewall where to use many-to-one 
          (dynamic) Network Address Translation (a.k.a. Masquerading) and Source
          Network Address Translation (SNAT).</li>
-        <li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
+          <li>/etc/shorewall/modules - directs the firewall to load kernel 
-        <li>/etc/shorewall/rules - defines rules that are exceptions to the
+modules.</li>
-        overall policies established in /etc/shorewall/policy.</li>
+          <li>/etc/shorewall/rules - defines rules that are exceptions to 
+the         overall policies established in /etc/shorewall/policy.</li>
           <li>/etc/shorewall/nat - defines static NAT rules.</li>
           <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
-        <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts 
+          <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines 
-  accessible when Shorewall is stopped.</li>
+hosts    accessible when Shorewall is stopped.</li>
-        <li>/etc/shorewall/tcrules - defines marking of packets for later use by
+          <li>/etc/shorewall/tcrules - defines marking of packets for later 
-    traffic control/shaping or policy routing.</li>
+use by     traffic control/shaping or policy routing.</li>
-        <li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
+          <li>/etc/shorewall/tos - defines rules for setting the TOS field 
-        headers.</li>
+in packet         headers.</li>
-        <li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on
+          <li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels 
-        the firewall system.</li>
+with end-points on         the firewall system.</li>
-        <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
+          <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
+addresses.</li>
+   
 </ul>
-      <h2>Comments</h2>
          
+<h2>Comments</h2>
                             
-      <p>You may place comments in configuration files by making the first non-whitespace
+<p>You may place comments in configuration files by making the first non-whitespace
-      character a pound sign (&quot;#&quot;). You may also place comments at the end of any line, again by
+       character a pound sign ("#"). You may also place comments at the end 
-      delimiting the comment from the rest of the line with a pound sign.</p>
+of any line, again by       delimiting the comment from the rest of the line 
+with a pound sign.</p>
                             
+<p>Examples:</p>
                             
-      <p>Examples:</p>
+<pre># This is a comment</pre>
  
+<pre>ACCEPT	net	fw	tcp	www	#This is an end-of-line comment</pre>
    
-      <pre># This is a comment</pre><pre>ACCEPT	net	fw	tcp	www	#This is an end-of-line comment</pre>
 <h2>Line Continuation</h2>
                             
+<p>You may continue lines in the configuration files using the usual backslash 
+("\") followed        immediately by a new line character.</p>
                             
-      <p>You may continue lines in the configuration files using the usual backslash (&quot;\&quot;) followed 
+<p>Example:</p>
-      immediately by a new line character.</p>
                             
+<pre>ACCEPT	net	fw	tcp \<br>smtp,www,pop3,imap  #Services running on the firewall</pre>
    
-      <p>Example:</p>
+<h2><a name="dnsnames"></a>Using DNS Names</h2>
     
+<p align="left">     </p>
  
-      <pre>ACCEPT	net	fw	tcp \
+<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
-smtp,www,pop3,imap  #Services running on the firewall</pre>
+ using DNS names in Shorewall configuration files. If you use DNS names and
-<h2>Complementing an Address or Subnet</h2>
+ you are called out of bed at 2:00AM because Shorewall won't start as a result
+of DNS problems then don't say that you were not forewarned. <br>
+  </b></p>
    
-      <p>Where specifying an IP address, a subnet or an interface, you can 
+<p align="left"><b>    -Tom<br>
-      precede the item with &quot;!&quot; to specify the complement of the item. For 
+  </b></p>
-      example, !192.168.1.4 means &quot;any host but 192.168.1.4&quot;.</p>
    
-      <h2>Comma-separated Lists</h2>
+<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall 
+configuration files may be specified either as IP addresses or as DNS Names.<br>
+  <br>
+ DNS names in iptables rules  aren't nearly as useful as they first appear. 
+When a DNS name appears in a rule,  the iptables utility resolves the name 
+to one or more IP addresses and inserts  those addresses into the rule. So 
+change in the DNS-&gt;IP address relationship  that occur after the firewall 
+has started have absolutely no effect on the  firewall's ruleset.    </p>
  
-      <p>Comma-separated lists are allowed in a number of contexts within the 
+<p align="left">     If your firewall rules include DNS names then:</p>
-      configuration files. A comma separated list:</p>
+      
+<ul>
+   <li>If your /etc/resolv.conf is wrong then your firewall won't     start.</li>
+   <li>If your /etc/nsswitch.conf is wrong then your firewall won't     start.</li>
+   <li>If your Name Server(s) is(are) down then your firewall won't     start.</li>
+   <li>If your startup scripts try to start your firewall before starting 
+your DNS server then your firewall won't start.<br>
+  </li>
+   <li>Factors totally outside your control (your ISP's router is     down
+ for example), can prevent your firewall from starting.</li>
+  <li>You must bring up your network interfaces prior to starting your firewall.<br>
+  </li>
  
-      <ul>
-        <li>Must not have any embedded white space.<br>
-        Valid: routestopped,dhcp,norfc1918<br>
-        Invalid: routestopped,&nbsp;&nbsp;&nbsp;&nbsp; dhcp,&nbsp;&nbsp;&nbsp;&nbsp; 
-        norfc1818</li>
-        <li>If you use line continuation to break a comma-separated list, the 
-        continuation line(s) must begin in column 1 (or there would be embedded 
-        white space)</li>
-        <li>Entries in a comma-separated list may appear in any order.</li>
 </ul>
    
-      <h2>Port Numbers/Service Names</h2>
+<p align="left"> Each DNS name much be fully qualified and include a minumum 
+of two periods (although one may be trailing). This restriction is imposed 
+by Shorewall to insure backward compatibility with existing configuration 
+files.<br>
+  <br>
+  Examples of valid DNS names:<br>
+  </p>
  
-      <p>Unless otherwise specified, when giving a port number you can use 
+<ul>
+   <li>mail.shorewall.net</li>
+   <li>shorewall.net.</li>
+ 
+</ul>
+  Examples of invalid DNS names:<br>
+   
+<ul>
+   <li>mail (not fully qualified)</li>
+   <li>shorewall.net (only one period)</li>
+ 
+</ul>
+  DNS names may not be used as:<br>
+   
+<ul>
+   <li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
+   <li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
+   <li>In the /etc/shorewall/nat file.</li>
+ 
+</ul>
+  These are iptables restrictions and are not simply imposed for your inconvenience 
+by Shorewall. <br>
+  <br>
+ 
+<h2>Complementing an Address or Subnet</h2>
+                 
+<p>Where specifying an IP address, a subnet or an interface, you can     
+  precede the item with "!" to specify the complement of the item. For   
+    example, !192.168.1.4 means "any host but 192.168.1.4".</p>
+                 
+<h2>Comma-separated Lists</h2>
+                 
+<p>Comma-separated lists are allowed in a number of contexts within the 
+      configuration files. A comma separated list:</p>
+                 
+<ul>
+          <li>Must not have any embedded white space.<br>
+          Valid: routestopped,dhcp,norfc1918<br>
+          Invalid: routestopped,     dhcp,              norfc1818</li>
+          <li>If you use line continuation to break a comma-separated list, 
+the          continuation line(s) must begin in column 1 (or there would be
+embedded          white space)</li>
+          <li>Entries in a comma-separated list may appear in any order.</li>
+   
+</ul>
+                 
+<h2>Port Numbers/Service Names</h2>
+                 
+<p>Unless otherwise specified, when giving a port number you can use     
   either an integer or a service name from /etc/services. </p>
                  
-      <h2>Port Ranges</h2>
+<h2>Port Ranges</h2>
                  
-      <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low 
+<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low 
        port number</i>&gt;:&lt;<i>high port number</i>&gt;.</p>
                  
-      <h2>Using Shell Variables</h2>
+<h2>Using Shell Variables</h2>
                  
-      <p>You may use the file /etc/shorewall/params 
+<p>You may use the file /etc/shorewall/params     file to set shell variables 
-   file to set shell variables that you can then use in some of the other 
+that you can then use in some of the other    configuration files.</p>
-  configuration files.</p>
                              
-      <p>It is suggested that variable names begin with an upper case letter<font size="1">
+<p>It is suggested that variable names begin with an upper case letter<font
-     </font>to distinguish them from variables used internally within the 
+ size="1">      </font>to distinguish them from variables used internally 
-Shorewall    programs</p>
+within the  Shorewall    programs</p>
                              
-      <p>Example:</p>
+<p>Example:</p>
                              
-      <blockquote>                       
+<blockquote>                                   
-        <pre>NET_IF=eth0
+  <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
-NET_BCAST=130.252.100.255
-NET_OPTIONS=noping,norfc1918</pre>
        </blockquote>
                                    
-        <p><br>
+<p><br>
        Example (/etc/shorewall/interfaces record):</p>
-                       
+                            <font
-  <font face="Century Gothic, Arial, Helvetica">    
+ face="Century Gothic, Arial, Helvetica">                      
-       
+<blockquote>                                         
-        <blockquote>                           
   <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
        </blockquote>
-                           
                                          </font>                        
                                   
-          <p>The result will be the same as if the record had been written</p>
+<p>The result will be the same as if the record had been written</p>
-                           
+                                <font
-  <font face="Century Gothic, Arial, Helvetica">    
+ face="Century Gothic, Arial, Helvetica">                        
-       
+<blockquote>                                               
-          <blockquote>                               
   <pre>net eth0 130.252.100.255 noping,norfc1918</pre>
        </blockquote>
-                               
                                              </font>                    
                                             
-            <p>Variables may be used anywhere in the 
+<p>Variables may be used anywhere in the              other configuration 
-            other configuration files.</p>
+files.</p>
                                          
-      <h2>Using MAC Addresses</h2>
+<h2>Using MAC Addresses</h2>
                  
-      <p>Media Access Control (MAC) 
+<p>Media Access Control (MAC)        addresses can be used to specify packet 
-      addresses can be used to specify packet source in several of the 
+source in several of the        configuration files. To use this feature, 
-      configuration files. To use this feature, your kernel must have MAC 
+your kernel must have MAC        Address Match support (CONFIG_IP_NF_MATCH_MAC) 
-      Address Match support (CONFIG_IP_NF_MATCH_MAC) included.</p>
+included.</p>
-      <p>MAC addresses are 48 bits wide and each Ethernet Controller has a 
+         
+<p>MAC addresses are 48 bits wide and each Ethernet Controller has a     
   unique MAC address.<br>
         <br>
-      In GNU/Linux, MAC addresses are usually written as a series of 6 hex numbers 
+        In GNU/Linux, MAC addresses are usually written as a series of 6
-      separated by colons. Example:<br>
+hex numbers        separated by colons. Example:<br>
         <br>
-&nbsp;&nbsp;&nbsp;&nbsp; [root@gateway root]# ifconfig eth0<br>
+       [root@gateway root]# ifconfig eth0<br>
-&nbsp;&nbsp;&nbsp;&nbsp; eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
+       eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
-&nbsp;&nbsp;&nbsp;&nbsp; inet addr:206.124.146.176 Bcast:206.124.146.255 
+       inet addr:206.124.146.176 Bcast:206.124.146.255        Mask:255.255.255.0<br>
-      Mask:255.255.255.0<br>
+       UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
-&nbsp;&nbsp;&nbsp;&nbsp; UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
+       RX packets:2398102 errors:0 dropped:0 overruns:0        frame:0<br>
-&nbsp;&nbsp;&nbsp;&nbsp; RX packets:2398102 errors:0 dropped:0 overruns:0 
+       TX packets:3044698 errors:0 dropped:0 overruns:0        carrier:0<br>
-      frame:0<br>
+       collisions:30394 txqueuelen:100<br>
-&nbsp;&nbsp;&nbsp;&nbsp; TX packets:3044698 errors:0 dropped:0 overruns:0 
+       RX bytes:419871805 (400.4 Mb) TX bytes:1659782221        (1582.8 Mb)<br>
-      carrier:0<br>
+       Interrupt:11 Base address:0x1800<br>
-&nbsp;&nbsp;&nbsp;&nbsp; collisions:30394 txqueuelen:100<br>
-&nbsp;&nbsp;&nbsp;&nbsp; RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 
-      (1582.8 Mb)<br>
-&nbsp;&nbsp;&nbsp;&nbsp; Interrupt:11 Base address:0x1800<br>
         <br>
-      Because Shorewall uses colons as a separator for address fields, Shorewall requires 
+        Because Shorewall uses colons as a separator for address fields,
-      MAC addresses to be written in another way. In Shorewall, MAC addresses 
+Shorewall requires        MAC addresses to be written in another way. In
-      begin with a tilde (&quot;~&quot;) and consist of 6 hex numbers separated by 
+Shorewall, MAC addresses        begin with a tilde ("~") and consist of 6
-      hyphens. In Shorewall, the MAC address in the example above would be 
+hex numbers separated by        hyphens. In Shorewall, the MAC address in
-      written &quot;~02-00-08-E3-FA-55&quot;.</p>
+the example above would be        written "~02-00-08-E3-FA-55".</p>
                  
-      <h2>Shorewall Configurations</h2>
+<h2>Shorewall Configurations</h2>
-      <p>
+         
- Shorewall allows you to have configuration 
+<p>  Shorewall allows you to have configuration  directories other than /etc/shorewall. 
-directories other than /etc/shorewall. The <a href="#Starting">shorewall start
+The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
-and restart</a>
     commands allow you to specify an alternate configuration directory and 
-Shorewall will use the files in the alternate directory rather than the corresponding
+ Shorewall will use the files in the alternate directory rather than the corresponding
  files in /etc/shorewall. The alternate directory need not contain a complete
  configuration; those files not in the alternate directory will be read from
  /etc/shorewall.</p>
-      <p>
+         
- This facility permits you to easily create a test or temporary configuration 
+<p>  This facility permits you to easily create a test or temporary configuration 
-by:</p>
+ by:</p>
-      <ol>
+         
-        <li>
+<ol>
- copying the files that need modification from /etc/shorewall to a separate 
+          <li>  copying the files that need modification from /etc/shorewall 
-    directory;</li>
+to a separate      directory;</li>
-        <li>
+          <li>  modify those files in the separate directory; and</li>
- modify those files in the separate directory; and</li>
+          <li>  specifying the separate directory in a shorewall start or 
-        <li>
+shorewall     restart command (e.g., <i><b>shorewall -c /etc/testconfig restart</b></i>
- specifying the separate directory in a shorewall start or shorewall    
+ ).</li>
-restart command (e.g., <i><b>shorewall -c /etc/testconfig restart</b></i>
+         
-).</li>
+</ol>
-      </ol>
                                                                         
                                                                         
                                                                         
-                                                                                  <p><font size="2">
+                                    
-  Updated 8/6/2002 - <a href="support.htm">Tom 
+<p><font size="2">   Updated 9/24/2002 - <a href="support.htm">Tom  Eastep</a>
-Eastep</a>
     </font></p>
                                                                         
                                                                         
                              
-  <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
                                                                         
                                                                         
-                       
+                            <br>
-  </body>
+ <br>
-
+</body>
 </html>

Shorewall-docs/download.htm

@@ -36,21 +36,21 @@
 <ul>
     <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>          
   Linux PPC</b> or     <b> TurboLinux</b> distribution     with a 2.4 kernel, 
-you can use the  RPM version (note: the             RPM should also work
+you can use the  RPM version (note: the             RPM should also work with
-with other distributions that             store init scripts in /etc/init.d
+other distributions that             store init scripts in /etc/init.d and
-and that             include chkconfig or insserv). If you find that it works
+that             include chkconfig or insserv). If you find that it works 
 in other cases, let <a href="mailto:teastep@shorewall.net">     me</a>   
             know so that I can mention them here. See the   <a
  href="Install.htm">Installation Instructions</a> if you have problems   
- installing the RPM.</li>
+installing the RPM.</li>
     <li>If you are running LRP, download the .lrp file (you might also want 
 to     download the .tgz so you will have a copy of the documentation).</li>
-   <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and would 
+    <li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
-    like a .deb package, Shorewall is in both the    <a
+would      like a .deb package, Shorewall is in both the    <a
- href="http://packages.debian.org/testing/net/shorewall.html">Debian    
+ href="http://packages.debian.org/testing/net/shorewall.html">Debian     Testing
-Testing Branch</a> and the    <a
+Branch</a> and the    <a
  href="http://packages.debian.org/unstable/net/shorewall.html">Debian    
- Unstable Branch</a>.</li>
+Unstable Branch</a>.</li>
     <li>Otherwise, download the <i>shorewall</i>             module (.tgz)</li>
    
 </ul>
@@ -59,8 +59,8 @@ Testing Branch</a> and the    <a
 and  there is an documentation .deb that also contains the documentation.</p>
          
 <p>Please verify the version that you have        downloaded -- during the 
-release of a new version of Shorewall, the links        below may  point
+release of a new version of Shorewall, the links        below may  point to
-to a newer or an older version than is shown below.</p>
+a newer or an older version than is shown below.</p>
    
 <ul>
     <li>RPM - "rpm -qip LATEST.rpm"</li>
@@ -78,12 +78,10 @@ that you have       downloaded.</font></p>
    
 <p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY 
 INSTALL THE RPM  AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION 
-IS REQUIRED BEFORE THE  FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
+IS REQUIRED BEFORE THE  FIREWALL WILL START. Once you have completed configuration
-AND THE FIREWALL FAILS TO  START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK
+of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
-TRAFFIC. IF THIS HAPPENS,  ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK
-CONNECTIVITY.</b></font></p>
    
-<p>Download Latest Version (<b>1.3.8</b>): <b>Remember that updates to the
+<p>Download Latest Version (<b>1.3.9</b>): <b>Remember that updates to the 
 mirrors  occur 1-12 hours after an update to the primary site.</b></p>
    
 <blockquote>      
@@ -295,11 +293,12 @@ cvs.shorewall.net</a> contains the latest snapshots of the each  Shorewall
 component. There's no guarantee that what you find there will work at  all.</p>
    </blockquote>
    
-<p align="left"><font size="2">Last Updated 9/2/2002 - <a
+<p align="left"><font size="2">Last Updated 9/26/2002 - <a
  href="support.htm">Tom Eastep</a></font></p>
     
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
  © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
    <br>
+ <br>
 </body>
 </html>

Shorewall-docs/errata.htm

@@ -2,115 +2,120 @@
 <html>
 <head>
                  
-  <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta http-equiv="Content-Type"
+ content="text/html; charset=windows-1252">
   <title>Shorewall 1.3 Errata</title>
                               
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
                  
   <meta name="ProgId" content="FrontPage.Editor.Document">
                          
-       
   <meta name="Microsoft Theme" content="none">
 </head>
   <body>
- <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+      
+<table border="0" cellpadding="0" cellspacing="0"
+ style="border-collapse: collapse;" width="100%" id="AutoNumber1"
+ bgcolor="#400169" height="90">
+      <tbody>
       <tr>
         <td width="100%">                    
-     <h1 align="center"><font color="#FFFFFF">Shorewall Errata/Upgrade Issues</font></h1>
+      <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
         </td>
       </tr>
- </table>
           
- <p align="center">
+  </tbody>  
-      <b><u>IMPORTANT</u></b></p>
+</table>
                    
- <ol>
+<p align="center">       <b><u>IMPORTANT</u></b></p>
+                   
+<ol>
       <li>                         
-            
+    <p align="left">          <b><u>I</u>f you use a Windows system to download
- <p align="left">
+ a corrected     script, be sure to run the script through <u>        <a
-  
+ href="http://www.megaloman.com/%7Ehany/software/hd2u/"
-      <b><u>I</u>f you use a Windows system to download a corrected     script, be sure to
+ style="text-decoration: none;"> dos2unix</a></u>      after you have moved
-run the script through <u> 
+ it to your Linux system.</b></p>
-      <a href="http://www.megaloman.com/%7Ehany/software/hd2u/" style="text-decoration: none">
-dos2unix</a></u>
-     after you have moved it to your Linux system.</b></p>
-            
                    </li>
       <li>                         
-            
+    <p align="left">          <b>If you are installing Shorewall for the
- <p align="left">
+first time and plan to use the        .tgz and install.sh script, you can
-  
+untar the archive, replace the        'firewall' script in the untarred directory
-      <b>If you are installing Shorewall for the first time and plan to use the 
+ with the one you downloaded        below, and then run install.sh.</b></p>
-      .tgz and install.sh script, you can untar the archive, replace the 
-      'firewall' script in the untarred directory with the one you downloaded 
-      below, and then run install.sh.</b></p>
-            
                    </li>
       <li>                         
-            
+    <p align="left">          <b>When the instructions say to install a corrected
- <p align="left">
+ firewall script in        /etc/shorewall/firewall, /usr/lib/shorewall/firewall
-  
+or /var/lib/shorewall/firewall,  use the 'cp' (or 'scp') utility to overwrite
-      <b>When the instructions say to install a corrected firewall script in 
+the        existing file. DO  NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
-      /etc/shorewall/firewall or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the 
-      existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall 
        or /var/lib/shorewall/firewall  before you do that. /etc/shorewall/firewall
        and /var/lib/shorewall/firewall  are symbolic links that point   
     to the 'shorewall' file used by your  system initialization scripts to
        start Shorewall during boot. It is  that file that must be overwritten
        with the corrected script. </b></p>
-            
                    </li>
- </ol>
       
- <ul>
+</ol>
+                   
+<ul>
       <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
-   <li>
+      <li>                            <b><a href="#V1.3">Problems in Version
-                
+ 1.3</a></b></li>
-          <b><a href="#V1.3">Problems in Version 1.3</a></b></li>
+      <li>                            <b><a href="errata_2.htm">Problems
-   <li>
+in  Version 1.2</a></b></li>
-                
+      <li>                            <b><font color="#660066">  <a
-          <b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
+ href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
-   <li>
+      <li>                            <b><font color="#660066"><a
-                
+ href="#iptables">    Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
-          <b><font color="#660066">
+      <li>                            <b><a href="#Debug">Problems with kernels
- <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
+ &gt;= 2.4.18 and            RedHat iptables</a></b></li>
-   <li>
-                
-          <b><font color="#660066"><a href="#iptables">
-   Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
-   <li>
-                
-          <b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and 
-          RedHat iptables</a></b></li>
       <li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
       <li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
      MULTIPORT=Yes</a></b></li>
- </ul>
- <hr>
       
-          <h2 align="Left"><a name="V1.3"></a>Problems in Version 1.3</h2>
+</ul>
       
-                              <h3>Version 1.3.7b</h3>
+<hr>                          
+<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
                                                     
-                              <p>DNAT rules where the source zone is 'fw' ($FW) 
+<h3>Version 1.3.8</h3>
+ 
+<ul>
+   <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of the 
+policy file doesn't work.</li>
+   <li>A DNAT rule with the same original and new IP addresses but with different 
+port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
+   </li>
+ 
+</ul>
+ Installing                               <a
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">   
+                           this corrected firewall script</a> in /var/lib/shorewall/firewall
+                                as described above corrects these problems.
+ 
+<h3>Version 1.3.7b</h3>
+                                    
+<p>DNAT rules where the source zone is 'fw' ($FW)                       
         result in an error message. Installing                          
-                              <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
+    <a
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                            this corrected firewall script</a> in /var/lib/shorewall/firewall
                                 as described above corrects this problem.</p>
                                     
-                              <h3>Version 1.3.7a</h3>
+<h3>Version 1.3.7a</h3>
                                     
-                              <p>&quot;shorewall refresh&quot; is not creating the proper 
+<p>"shorewall refresh" is not creating the proper                       
         rule for FORWARDPING=Yes. Consequently, after                   
-                              &quot;shorewall refresh&quot;, the firewall will not forward 
+            "shorewall refresh", the firewall will not forward          
                      icmp echo-request (ping) packets. Installing       
-                              <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
+                       <a
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                            this corrected firewall script</a> in /var/lib/shorewall/firewall
                                 as described above corrects this problem.</p>
                                     
-                              <h3>Version &lt;= 1.3.7a</h3>
+<h3>Version &lt;= 1.3.7a</h3>
                                     
-                              <p>If &quot;norfc1918&quot; and &quot;dhcp&quot; are both specified as 
+<p>If "norfc1918" and "dhcp" are both specified as                      
          options on a given interface then RFC 1918                     
           checking is occurring before DHCP checking. This              
                  means that if a DHCP client broadcasts using an        
@@ -118,165 +123,174 @@ dos2unix</a></u>
                              reject the broadcast (usually logging it). This
                                 has two problems:</p>
                                     
-                              <ol>
+<ol>
-                                <li>If the firewall is running a DHCP server, 
+                                   <li>If the firewall is running a DHCP
-                                the client won't be able to obtain an IP address 
+server,                                   the client won't be able to obtain
-                                lease from that server.</li>
+an IP  address                                  lease from that server.</li>
-                                <li>With this order of checking, the &quot;dhcp&quot; 
+                                   <li>With this order of checking, the "dhcp"
                                   option cannot be used as a noise-reduction
-                                measure where there are both dynamic and static 
+                                  measure where there are both dynamic and
-                                clients on a LAN segment.</li>
+ static                                  clients on a LAN segment.</li>
- </ol>
       
-                              <p>
+</ol>
-                              <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
+                                                    
+<p>                               <a
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">   
                            This version of the 1.3.7a firewall script </a> 
-                              corrects the problem. It must be installed in /var/lib/shorewall 
+                               corrects the problem. It must be installed
-                              as described above.</p>
+ in /var/lib/shorewall                                as described above.</p>
                                     
-                              <h3>Version 1.3.7</h3>
+<h3>Version 1.3.7</h3>
                                     
-                              <p>Version 1.3.7 dead on arrival -- please use 
+<p>Version 1.3.7 dead on arrival -- please use                          
      version 1.3.7a and check your version against                      
          these md5sums -- if there's a difference, please               
                 download again.</p>
                                     
-                              <pre>	d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz
+<pre>	d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br>	6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br>	3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
-	6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
-	3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
- <p>In other words, type &quot;md5sum &lt;<i>whatever package you downloaded</i>&gt; and 
- compare the result with what you see above.</p>
- <p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the .7 
- version in each sequence from now on.</p>
       
-          <h3 align="Left">Version 1.3.6</h3>
+<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
+ and   compare the result with what you see above.</p>
       
-          <ul>
+<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
+ .7   version in each sequence from now on.</p>
+                                
+<h3 align="left">Version 1.3.6</h3>
+                                
+<ul>
                <li>                                      
-                
+    <p align="left">If ADD_SNAT_ALIASES=Yes is specified in            /etc/shorewall/shorewall.conf,
-          <p align="Left">If ADD_SNAT_ALIASES=Yes is specified in 
+ an error occurs when the firewall            script attempts to add an SNAT
-          /etc/shorewall/shorewall.conf, an error occurs when the firewall 
+ alias.  </p>
-          script attempts to add an SNAT alias.</li>
+    </li>
     <li>                                      
+    <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
+           cause errors during startup when Shorewall is run with iptables
+ 1.2.7. </p>
+    </li>
    
-          <p align="Left">The <b>logunclean </b>and <b>dropunclean</b> options 
-          cause errors during startup when Shorewall is run with iptables 1.2.7.</li>
 </ul>
                                 
-          <p align="Left">These problems are fixed in
+<p align="left">These problems are fixed in           <a
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">   
        this correct firewall script</a> which must be installed in      
      /var/lib/shorewall/ as described above. These problems are also    
        corrected in version 1.3.7.</p>
                                 
-          <h3 align="Left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
+<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
                                 
-          <p align="Left">A line was inadvertently deleted from the &quot;interfaces 
+<p align="left">A line was inadvertently deleted from the "interfaces   
-          file&quot; -- this line should be added back in if the version that you 
+        file" -- this line should be added back in if the version that you
             downloaded is missing it:</p>
                                 
-          <p align="Left">net&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; detect&nbsp;&nbsp;&nbsp; 
+<p align="left">net    eth0    detect               routefilter,dhcp,norfc1918</p>
-          routefilter,dhcp,norfc1918</p>
                                 
-          <p align="Left">If you downloaded two-interfaces-a.tgz then the above 
+<p align="left">If you downloaded two-interfaces-a.tgz then the above   
         line should already be in the file.</p>
                                 
-          <h3 align="Left">Version 1.3.5-1.3.5b</h3>
+<h3 align="left">Version 1.3.5-1.3.5b</h3>
                                 
-          <p align="Left">The new 'proxyarp' interface option doesn't work :-( 
+<p align="left">The new 'proxyarp' interface option doesn't work :-(    
-          This is fixed in
+       This is fixed in           <a
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">   
        this corrected firewall script</a> which must be installed in    
        /var/lib/shorewall/ as described above.</p>
                                 
-          <h3 align="Left">Versions 1.3.4-1.3.5a</h3>
+<h3 align="left">Versions 1.3.4-1.3.5a</h3>
                                 
-          <p align="Left">Prior to version 1.3.4, host file entries such as the 
+<p align="left">Prior to version 1.3.4, host file entries such as the   
         following were allowed:</p>
                                 
-          <div align="left">
+<div align="left">               
-            <pre>	adm	eth0:1.2.4.5,eth0:5.6.7.8</pre>
+<pre>	adm	eth0:1.2.4.5,eth0:5.6.7.8</pre>
     </div>
- <div align="left">
+      
-   <p align="left">That capability was lost in version 1.3.4 so that it is only 
+<div align="left">      
-   possible to&nbsp; include a single host specification on each line. This 
+<p align="left">That capability was lost in version 1.3.4 so that it is only
-   problem is corrected by
+     possible to  include a single host specification on each line. This
-   <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this 
+    problem is corrected by    <a
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
      modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
-   as instructed above.</div>
+     as instructed above.</p>
+  </div>
                        
- <div align="left">
+<div align="left">      
-   <p align="left">This problem is corrected in version 1.3.5b.</div>
+<p align="left">This problem is corrected in version 1.3.5b.</p>
+  </div>
                                 
-          <h3 align="Left">Version 1.3.5</h3>
+<h3 align="left">Version 1.3.5</h3>
                                 
-          <p align="Left">REDIRECT rules are broken in this version. Install
+<p align="left">REDIRECT rules are broken in this version. Install      
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
+    <a
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">   
        this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
             as instructed above. This problem is corrected in version 1.3.5a.</p>
                                 
-          <h3 align="Left">Version 1.3.n, n &lt; 4</h3>
+<h3 align="left">Version 1.3.n, n &lt; 4</h3>
                                 
-          <p align="Left">The &quot;shorewall start&quot; and &quot;shorewall restart&quot; commands 
+<p align="left">The "shorewall start" and "shorewall restart" commands  
-          to not verify that the zones named in the /etc/shorewall/policy file 
+         to not verify that the zones named in the /etc/shorewall/policy
-          have been previously defined in the /etc/shorewall/zones file. The 
+file            have been previously defined in the /etc/shorewall/zones
-          &quot;shorewall check&quot; command does perform this verification so it's a 
+file. The            "shorewall check" command does perform this verification
-          good idea to run that command after you have made configuration 
+so it's a            good idea to run that command after you have made configuration
             changes.</p>
                                 
-          <h3 align="Left">Version 1.3.n, n &lt; 3</h3>
+<h3 align="left">Version 1.3.n, n &lt; 3</h3>
                                 
-          <p align="Left">If you have upgraded from Shorewall 1.2 and after 
+<p align="left">If you have upgraded from Shorewall 1.2 and after       
-          &quot;Activating rules...&quot; you see the message: &quot;iptables: No 
+    "Activating rules..." you see the message: "iptables: No            chains/target/match
-          chains/target/match by that name&quot; then you probably have an entry in 
+ by that name" then you probably have an entry in            /etc/shorewall/hosts
-          /etc/shorewall/hosts that specifies an interface that you didn't 
+ that specifies an interface that you didn't            include in /etc/shorewall/interfaces.
-          include in /etc/shorewall/interfaces. To correct this problem, you 
+ To correct this problem, you            must add an entry to /etc/shorewall/interfaces.
-          must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and 
+ Shorewall 1.3.3 and            later versions produce a clearer error message
-          later versions produce a clearer error message in this case.</p>
+ in this case.</p>
                                 
-          <h3 align="Left">Version 1.3.2</h3>
+<h3 align="left">Version 1.3.2</h3>
                                 
-          <p align="Left">Until approximately 2130 GMT on 17 June 2002, the 
+<p align="left">Until approximately 2130 GMT on 17 June 2002, the       
     download sites contained an incorrect version of the .lrp file. That
-          file can be identified by its size (56284 bytes). The correct version 
+           file can be identified by its size (56284 bytes). The correct
-          has a size of 38126 bytes.</p>
+version            has a size of 38126 bytes.</p>
                                 
-          <ul>
+<ul>
                <li>The code to detect a duplicate interface entry in    
        /etc/shorewall/interfaces contained a typo that prevented it from
            working correctly. </li>
-            <li>&quot;NAT_BEFORE_RULES=No&quot; was broken; it behaved just like &quot;NAT_BEFORE_RULES=Yes&quot;.</li>
+               <li>"NAT_BEFORE_RULES=No" was broken; it behaved just like 
- </ul>
+"NAT_BEFORE_RULES=Yes".</li>
       
-          <p align="Left">Both problems are corrected in
+</ul>
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
-          this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> as described above.</p>
                                 
-          <ul>
+<p align="left">Both problems are corrected in           <a
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">   
+       this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
+ as described above.</p>
+                                
+<ul>
                <li>                                      
-                
+    <p align="left">The IANA have just announced the allocation of subnet
-          <p align="Left">The IANA have just announced the allocation of subnet 
+            221.0.0.0/8. This           <a
-          221.0.0.0/8. This
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">    
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
       updated rfc1918</a> file reflects that allocation.</p>
-                
                                 </li>
- </ul>
       
-          <h3 align="Left">Version 1.3.1</h3>
+</ul>
                                 
-          <ul>
+<h3 align="left">Version 1.3.1</h3>
+                                
+<ul>
                <li>TCP SYN packets may be double counted when           
-          LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each 
+LIMIT:BURST  is included in a CONTINUE or ACCEPT policy (i.e., each     
       packet is sent through the limit chain twice).</li>
                <li>An unnecessary jump to the policy chain is sometimes 
           generated for a CONTINUE policy.</li>
                <li>When an option is given for more than one interface in 
              /etc/shorewall/interfaces then depending on the option, Shorewall
-            may ignore all but the first appearence of the option. For example:<br>
+              may ignore all but the first appearence of the option. For
+example:<br>
                <br>
-            net&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; dhcp<br>
+               net    eth0    dhcp<br>
-            loc&nbsp;&nbsp;&nbsp; eth1&nbsp;&nbsp;&nbsp; dhcp<br>
+               loc    eth1    dhcp<br>
                <br>
                Shorewall will ignore the 'dhcp' on eth1.</li>
                <li>Update 17 June 2002 - The bug described in the prior bullet
@@ -284,146 +298,139 @@ dos2unix</a></u>
               norfc1918, routefilter, multi, filterping and noping. An additional
               bug has been found that affects only the 'routestopped' option.<br>
                <br>
-            Users who downloaded the corrected script prior to 1850 GMT today 
+               Users who downloaded the corrected script prior to 1850 GMT
-            should download and install the corrected script again to ensure 
+ today              should download and install the corrected script again
-            that this second problem is corrected.</li>
+ to ensure              that this second problem is corrected.</li>
- </ul>
       
-          <p align="Left">These problems are corrected in
+</ul>
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
-          this firewall script</a> which should be installed in 
-          /etc/shorewall/firewall as described above.</p>
                                 
-          <h3 align="Left">Version 1.3.0</h3>
+<p align="left">These problems are corrected in           <a
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">   
+       this firewall script</a> which should be installed in            /etc/shorewall/firewall
+ as described above.</p>
                                 
-          <ul>
+<h3 align="left">Version 1.3.0</h3>
-            <li>Folks who downloaded 1.3.0 from the links on the download page 
+                                
-            before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13 rather than 
+<ul>
-            1.3.0. The &quot;shorewall version&quot; command will tell you which version 
+               <li>Folks who downloaded 1.3.0 from the links on the download
-            that you have installed.</li>
+ page              before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13
+ rather than              1.3.0. The "shorewall version" command will tell
+ you which version              that you have installed.</li>
                <li>The documentation NAT.htm file uses non-existent     
-          wallpaper and bullet graphic files. The
+      wallpaper and bullet graphic files. The           <a
-          <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">    
       corrected version is here</a>.</li>
- </ul>
- <hr>
       
-          <h2 align="Left"><a name="Upgrade"></a>Upgrade Issues</h2>
+</ul>
       
-          <p align="Left">The upgrade issues have moved to
+<hr>                          
-          <a href="upgrade_issues.htm">a separate page</a>.</p>
+<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
                                 
- <hr>
+<p align="left">The upgrade issues have moved to           <a
+ href="upgrade_issues.htm">a separate page</a>.</p>
                        
-        <h3 align="Left"><a name="iptables"></a><font color="#660066">
+<hr>                            
- Problem with iptables version 1.2.3</font></h3>
+<h3 align="left"><a name="iptables"></a><font color="#660066">  Problem with
+ iptables version 1.2.3</font></h3>
                    
- <blockquote>
+<blockquote>                            
+  <p align="left">There are a couple of serious bugs in iptables 1.2.3 that 
+         prevent it from working with Shorewall. Regrettably,  RedHat released
+ this buggy iptables in RedHat   7.2. </p>
                               
-        <p align="Left">There are a couple of serious bugs in iptables 1.2.3 that
+  <p align="left"> I have built a <a
-        prevent it from working with Shorewall. Regrettably, 
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> 
-RedHat released this buggy iptables in RedHat   7.2.&nbsp;</p>
+  corrected 1.2.3 rpm which you can download here</a>  and I have also built 
+         an <a
+ href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> 
+iptables-1.2.4   rpm which you can download here</a>. If  you are currently
+ running RedHat 7.1, you can install either of these RPMs            <b><u>before</u>
+   </b>you upgrade to RedHat 7.2.</p>
                         
-        <p align="Left"> I have built a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
+  <p align="left"><font color="#ff6633"><b>Update   11/9/2001: </b></font>RedHat
- corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have also built
+ has   released an iptables-1.2.4 RPM of their own which you can download
-        an <a href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
+from<font color="#ff6633">   <a
- iptables-1.2.4   rpm which you can download here</a>. If 
+ href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. 
-you are currently running RedHat 7.1, you can install either of these RPMs 
+   </font>I have installed this RPM   on my firewall and it works fine.</p>
-          <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
                               
-  <p align="Left"><font color="#FF6633"><b>Update
+  <p align="left">If you         would like to patch iptables 1.2.3 yourself,
-  11/9/2001: </b></font>RedHat has
+ the patches are available         for download. This <a
-  released an iptables-1.2.4 RPM of their own which you can download from<font color="#FF6633">
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> 
-  <a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
+     which corrects a problem with parsing of the --log-level specification
-  </font>I have installed this RPM
+ while         this <a
-  on my firewall and it works fine.</p>
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> 
+         corrects a problem in handling the  TOS target.</p>
                                 
-        <p align="Left">If you
+  <p align="left">To install one of the above patches:</p>
-        would like to patch iptables 1.2.3 yourself, the patches are available
-        for download. This <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
-    which corrects a problem with parsing of the --log-level specification while
-        this <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
-        corrects a problem in handling the&nbsp; TOS target.</p>
                  
-          <p align="Left">To install one of the above patches:</p>
   <ul>
              <li>cd iptables-1.2.3/extensions</li>
              <li>patch -p0 &lt; <i>the-patch-file</i></li>
+                 
   </ul>
-         
               </blockquote>
                                                 
-                            <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 
+<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18              
                and RedHat iptables</h3>
+      
+<blockquote>          
+  <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
+ may     experience the following:</p>
+            
   <blockquote>                
-   <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may 
+    <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
-   experience the following:</p>
-   <blockquote>
-     <pre># shorewall start
-Processing /etc/shorewall/shorewall.conf ...
-Processing /etc/shorewall/params ...
-Starting Shorewall...
-Loading Modules...
-Initializing...
-Determining Zones...
-Zones: net
-Validating interfaces file...
-Validating hosts file...
-Determining Hosts in Zones...
-Net Zone: eth0:0.0.0.0/0
-iptables: libiptc/libip4tc.c:380: do_check: Assertion
-`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
-Aborted (core dumped)
-iptables: libiptc/libip4tc.c:380: do_check: Assertion
-`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
-Aborted (core dumped)
-</pre>
       </blockquote>
+            
   <p>The RedHat iptables RPM is compiled with debugging enabled but the  
-   user-space debugging code was not updated to reflect recent changes in the 
+  user-space debugging code was not updated to reflect recent changes in
-   Netfilter 'mangle' table. You can correct the problem by installing
+ the     Netfilter 'mangle' table. You can correct the problem by installing 
-   <a href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
+    <a
+ href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> 
     this iptables RPM</a>. If you are already running a 1.2.5 version of 
    iptables, you will need to specify the --oldpackage option to rpm (e.g.,
-   &quot;iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm&quot;).</p>
+     "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
     </blockquote>
                                                                       
-                              <h3><a name="SuSE"></a>Problems 
+<h3><a name="SuSE"></a>Problems                                installing/upgrading
-                              installing/upgrading RPM on SuSE</h3>
+ RPM on SuSE</h3>
                                     
-                              <p>If you find that rpm complains about a conflict 
+<p>If you find that rpm complains about a conflict                      
          with kernel &lt;= 2.2 yet you have a 2.4 kernel                
-                              installed, simply use the &quot;--nodeps&quot; option to 
+               installed, simply use the "--nodeps" option to           
                     rpm.</p>
                                     
-                              <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
+<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
                                     
-                              <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
+<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
                                     
-                              <h3><a name="Multiport"></a><b>Problems with 
+<h3><a name="Multiport"></a><b>Problems with                            
    iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
                                     
-                              <p>The iptables 1.2.7 release of iptables has made 
+<p>The iptables 1.2.7 release of iptables has made                      
          an incompatible change to the syntax used to                   
             specify multiport match rules; as a consequence,            
                    if you install iptables 1.2.7 you must be running    
                            Shorewall 1.3.7a or later or:</p>
                                     
-                              <ul>
+<ul>
                                    <li>set MULTIPORT=No in              
                    /etc/shorewall/shorewall.conf; or </li>
-                                <li>if you are running Shorewall 1.3.6 you may 
+                                   <li>if you are running Shorewall 1.3.6 
-                                install
+you may                                  install                         
-                                <a href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
+       <a
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">   
                              this firewall script</a> in /var/lib/shorewall/firewall
                                   as described above.</li>
- </ul>
+      
- <p><font size="2">
+</ul>
- Last updated 9/1/2002 -
+      
+<p><font size="2">  Last updated 9/28/2002 -                            
   <a href="support.htm">Tom Eastep</a></font> </p>
        
- <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-
+    <br>
+  <br>
+ <br>
 </body>
-                        </html>
+</html>

Shorewall-docs/mailing_list.htm

@@ -1,139 +1,183 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
-
 <head>
-<meta http-equiv="Content-Language" content="en-us">
+     
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta http-equiv="Content-Language" content="en-us">
-<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+     
-<meta name="ProgId" content="FrontPage.Editor.Document">
+  <meta http-equiv="Content-Type"
-<title>Shorewall Mailing Lists</title>
+ content="text/html; charset=windows-1252">
-<meta name="Microsoft Theme" content="none">
+     
+  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+     
+  <meta name="ProgId" content="FrontPage.Editor.Document">
+  <title>Shorewall Mailing Lists</title>
+         
+  <meta name="Microsoft Theme" content="none">
 </head>
+  <body>
     
-<body>
+<table border="0" cellpadding="0" cellspacing="0"
-
+ style="border-collapse: collapse;" width="100%" id="AutoNumber1"
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+ bgcolor="#400169" height="90">
+    <tbody>
      <tr>
       <td width="100%">            
-    <h1 align="center"><a href="http://www.gnu.org/software/mailman/mailman.html">
+      <h1 align="center"><a
-<img border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" height="35"></a><a href="http://www.postfix.org/"><img src="images/small-picture.gif" align="right" border="0" width="115" height="45"></a><font color="#FFFFFF">Shorewall Mailing Lists</font></h1>
+ href="http://www.gnu.org/software/mailman/mailman.html">        <img
-    <p align="right"><font color="#FFFFFF"><b>Powered by Postfix&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+ border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
-    </b></font>
+ height="35">
+       </a><a href="http://www.postfix.org/">       <img
+ src="images/small-picture.gif" align="right" border="0" width="115"
+ height="45">
+       </a><font color="#ffffff">Shorewall Mailing Lists</font></h1>
+             
+      <p align="right"><font color="#ffffff"><b>Powered by Postfix       
+  </b></font>     </p>
        </td>
     </tr>
+     
+  </tbody> 
 </table>
     
-<p align="left">
+<p align="left"> <b>Note: </b>The list server limits posts to 120kb.</p>
-<b>Note: </b>The list server limits posts to 120kb.</p>
     
-<h2 align="left">Not getting List Mail? -- <a href="mailing_list_problems.htm">Check
+<h2 align="left">Not getting List Mail? -- <a
-Here</a></h2>
+ href="mailing_list_problems.htm">Check Here</a></h2>
     
 <p align="left">If you experience problems with any of these lists, please
-let <a href="mailto:teastep@shorewall.net">me</a> know</p>
+ let <a href="mailto:teastep@shorewall.net">me</a> know</p>
     
 <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
     
 <p align="left">You can report such problems by sending mail to tom dot eastep 
-at hp dot com.</p>
+ at hp dot com.</p>
           
-      <h2>A Word about SPAM Filters
+<h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0"
-<a href="http://ordb.org">
+ src="images/but3.png" hspace="3" width="88" height="31">
-<img border="0" src="images/but3.png" hspace="3" width="88" height="31"></a><a href="http://osirusoft.com/"><img border="0" src="images/ORE.jpg" width="88" height="37"></a></h2>
+ </a><a href="http://osirusoft.com/"> </a></h2>
                                         
-      <p>Before subscribing please read my <a href="spam_filters.htm">policy
+<p>Before subscribing please read my <a href="spam_filters.htm">policy   
    about list traffic that bounces.</a> Also please note that the mail server 
-      at shorewall.net checks the sender of incoming mail against the open relay 
+       at shorewall.net checks the sender of incoming mail against the open 
-      databases at <a href="http://ordg.org">ordb.org</a> and at
+relay        databases at <a href="http://ordb.org">ordb.org.</a></p>
-      <a href="http://osirusoft.com">osirusoft.com</a>.</p>
                                         
-      <h2>Search the Mailing List Archives</h2>
+<h2></h2>
                                   
-<form method="POST" action="http://www.shorewall.net/cgi-bin/htsearch">
+<h2 align="left">Mailing Lists Archive Search</h2>
-<p>
+   
-<font size="-1">
+<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> 
-Match: <select name="method">
+  <p> <font size="-1"> Match: 
-<option value="and">All
+  <select name="method">
-<option value="or">Any
+  <option value="and">All </option>
-<option value="boolean">Boolean
+  <option value="or">Any </option>
-</select>
+  <option value="boolean">Boolean </option>
-Format: <select name="format">
+  </select>
-<option value="builtin-long">Long
+ Format: 
-<option value="builtin-short">Short
+  <select name="format">
-</select>
+  <option value="builtin-long">Long </option>
-Sort by: <select name="sort">
+  <option value="builtin-short">Short </option>
-<option value="score">Score
+  </select>
-<option value="time">Time
+ Sort by: 
-<option value="title">Title
+  <select name="sort">
-<option value="revscore">Reverse Score
+  <option value="score">Score </option>
-<option value="revtime">Reverse Time
+  <option value="time">Time </option>
-<option value="revtitle">Reverse Title
+  <option value="title">Title </option>
-</select>
+  <option value="revscore">Reverse Score </option>
-</font>
+  <option value="revtime">Reverse Time </option>
-<input type="hidden" name="config" value="htdig">
+  <option value="revtitle">Reverse Title </option>
-<input type="hidden" name="restrict" value="[http://www.shorewall.net/pipermail/.*]">
+  </select>
-<input type="hidden" name="exclude" value="">
+ </font> <input type="hidden" name="config" value="htdig"> <input
-<br>
+ type="hidden" name="restrict"
-Search:
+ value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
-<input type="text" size="30" name="words" value="">
+ name="exclude" value=""> <br>
-<input type="submit" value="Search"> </p>
+ Search: <input type="text" size="30" name="words" value=""> <input
-</form>
+ type="submit" value="Search"> </p>
+ </form>
                                   
 <h2 align="left">Shorewall Users Mailing List</h2>
-<p align="left">The Shorewall Users Mailing list provides a way for users to get
+   
-answers to questions and to report problems.
+<p align="left">The Shorewall Users Mailing list provides a way for users 
-Information of general interest to the Shorewall user community is also posted
+to get answers to questions and to report problems. Information of general 
-to this list.</p>
+interest to the Shorewall user community is also posted to this list.</p>
-<p align="left"><b>Before posting a problem report to this list, please see the
+   
-<a href="support.htm">problem reporting guidelines</a>.</b></p>
+<p align="left"><b>Before posting a problem report to this list, please see 
-<p align="left">To subscribe to the mailing list, go to
+the <a href="support.htm">problem reporting guidelines</a>.</b></p>
-<a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
+   
-<p align="left">To post to the list, post to <a href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
+<p align="left">To subscribe to the mailing list, go to <a
-<p align="left">The list archives are at <a href="http://www.shorewall.net/pipermail/shorewall-users">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
+ href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
-<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at <a href="http://sourceforge.net">Sourceforge</a>.
+   
-The archives from that list may be found at <a href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
+<p align="left">To post to the list, post to <a
+ href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
+   
+<p align="left">The list archives are at <a
+ href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
+   
+<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
+<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
+may be found at <a
+ href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
+   
 <h2 align="left">Shorewall Announce Mailing List</h2>
+   
 <p align="left">This list is for announcements of general interest to the
-Shorewall community. To subscribe, go to
+ Shorewall community. To subscribe, go to <a
-<a href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>.</p>
+ href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>.</p>
-<p align="left">The list archives are at <a href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
+   
+<p align="left">The list archives are at <a
+ href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
+   
 <h2 align="left">Shorewall Development Mailing List</h2>
-<p align="left">The Shorewall Development Mailing list provides a forum for the
+   
-exchange of ideas about the future of Shorewall and for coordinating ongoing
+<p align="left">The Shorewall Development Mailing list provides a forum for 
+the exchange of ideas about the future of Shorewall and for coordinating ongoing
 Shorewall Development.</p>
-<p align="left">To subscribe to the mailing list, go to
+   
-<a href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>.</p>
+<p align="left">To subscribe to the mailing list, go to <a
-<p align="left">To post to the list, post to <a href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>.&nbsp;</p>
+ href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>.</p>
-<p align="left">The list archives are at <a href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
+   
-<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of the 
+<p align="left">To post to the list, post to <a
-Mailing Lists</h2>
+ href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
+   
+<p align="left">The list archives are at <a
+ href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
+   
+<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of 
+the  Mailing Lists</h2>
+   
 <p align="left">There seems to be near-universal confusion about unsubscribing 
-from Mailman-managed lists. To unsubscribe:</p>
+ from Mailman-managed lists. To unsubscribe:</p>
+   
 <ul>
     <li>      
-<p align="left">Follow the same link above that you used to subscribe to the 
+    <p align="left">Follow the same link above that you used to subscribe 
-list.</p>
+to the  list.</p>
     </li>
     <li>      
-<p align="left">Down at the bottom of that page is the following text: &quot;To 
+    <p align="left">Down at the bottom of that page is the following text: 
-change your subscription (set options like digest and delivery modes, get a 
+"To  change your subscription (set options like digest and delivery modes, 
-reminder of your password, <b>or unsubscribe</b> from &lt;name of list&gt;), enter 
+get a  reminder of your password, <b>or unsubscribe</b> from &lt;name of list&gt;),
-your subscription email address:&quot;. Enter your email address in the box and click 
+enter  your subscription email address:". Enter your email address in the
-on the &quot;Edit Options&quot; button.</p>
+box and click  on the "Edit Options" button.</p>
     </li>
     <li>      
-<p align="left">There will now be a box where you can enter your password and 
+    <p align="left">There will now be a box where you can enter your password 
-click on &quot;Unsubscribe&quot;; if you have forgotten your password, there is another 
+and  click on "Unsubscribe"; if you have forgotten your password, there is 
-button that will cause your password to be emailed to you.</p>
+another  button that will cause your password to be emailed to you.</p>
     </li>
+   
 </ul>
+   
 <hr>  
 <h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2>
+   
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
-<p align="left"><font size="2">Last updated 7/26/2002 - <a href="support.htm">Tom
-Eastep</a></font></p>
-<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
-<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
    
+<p align="left"><font size="2">Last updated 9/27/2002 - <a
+ href="support.htm">Tom Eastep</a></font></p>
+   
+<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
+ size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+   <br>
+ <br>
 </body>
-
 </html>

Shorewall-docs/myfiles.htm

@@ -33,22 +33,24 @@
                              
 <blockquote>                               
   <p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
-My DSL   "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
+ My DSL   "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport) 
 is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24) 
   and a DMZ connected to eth1 (192.168.2.0/24). </p>
                                
   <p> I use:<br>
    </p>
+   
   <ul>
      <li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5 
 and external address 206.124.146.178.</li>
      <li>Proxy ARP for wookie (my Linux System). This system has two IP addresses: 
 192.168.1.3/24 and 206.124.146.179/24.</li>
-    <li>SNAT through the primary gateway address (206.124.146.176) for  my
+     <li>SNAT through the primary gateway address (206.124.146.176) for 
-Wife's system (tarry)  and the Wireless Access Point (wap)</li>
+my Wife's system (tarry)  and the Wireless Access Point (wap)</li>
+   
   </ul>
                                
-  <p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.19.</p>
+  <p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p>
                                
   <p> Wookie  runs Samba and acts as the a WINS server.  Wookie is in its 
 own 'whitelist' zone  called 'me'.</p>
@@ -60,8 +62,8 @@ PopTop server running on my firewall. </p>
                                
   <p> The single system in the DMZ (address 206.124.146.177) runs postfix, 
 Courier  IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
-(Pure-ftpd). The system   also runs fetchmail to fetch our email from our 
+ (Pure-ftpd). The system   also runs fetchmail to fetch our email from our
-old and current ISPs. That server is managed through Proxy ARP.</p>
+ old and current ISPs. That server is managed through Proxy ARP.</p>
                                
   <p> The firewall system itself runs a DHCP server that serves the local 
   network.</p>
@@ -106,8 +108,8 @@ of                           the entry in /etc/shorewall/proxyarp (see below).</
 <h3>Interfaces File: </h3>
                                  
 <blockquote>                                   
-  <p> This is set up so that I can start the firewall before bringing up
+  <p> This is set up so that I can start the firewall before bringing up my
-my Ethernet  interfaces. </p>
+Ethernet  interfaces. </p>
       </blockquote>
        
 <pre><font face="Courier" size="2">	#ZONE    INTERFACE	BROADCAST 	OPTIONS<br>	net	eth0 		206.124.146.255	routefilter,norfc1918,blacklist,filterping<br>	loc	eth2 		192.168.1.255	dhcp<br>	dmz	eth1 		206.124.146.255	-<br>	net	eth3		206.124.146.255 norfc1918<br>	-	texas 		-<br>	loc	ppp+<br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
@@ -156,10 +158,11 @@ my Ethernet  interfaces. </p>
        
 <pre><font face="Courier" size="2">     	#ACTION		SOURCE 		DEST 			PROTO	DEST 	SOURCE  ORIGINAL<br>	#                       				PORT(S) PORT(S)	PORT(S)	DEST<br>	#<br>	# Local Network to Internet - Reject attempts by Trojans to call home<br>	#<br>	REJECT:info 	loc 		net 			tcp	6667<br>	#<br>	# Local Network to Firewall <br>	#<br>	ACCEPT		loc		fw 			tcp 	ssh<br>	ACCEPT		loc		fw			tcp	time<br>	#<br>	# Local Network to DMZ <br>	#<br>	ACCEPT 		loc 		dmz 			udp	domain<br>	ACCEPT		loc		dmz			tcp	smtp<br>	ACCEPT		loc		dmz			tcp	domain<br>	ACCEPT		loc		dmz			tcp	ssh<br>	ACCEPT		loc		dmz			tcp	auth<br>	ACCEPT		loc		dmz			tcp	imap<br>	ACCEPT		loc		dmz			tcp	https<br>	ACCEPT		loc		dmz			tcp	imaps<br>	ACCEPT		loc		dmz			tcp	cvspserver<br>	ACCEPT 		loc 		dmz 			tcp 	www<br>	ACCEPT		loc		dmz			tcp	ftp<br>	ACCEPT		loc		dmz			tcp	pop3<br>	ACCEPT		loc		dmz			icmp	echo-request<br>	#<br>	# Internet to DMZ <br>	#<br>	ACCEPT		net		dmz 			tcp	www<br>	ACCEPT		net		dmz			tcp	smtp<br>	ACCEPT		net		dmz			tcp	ftp<br>	ACCEPT		net		dmz			tcp	auth<br>	ACCEPT		net		dmz			tcp	https<br>	ACCEPT		net		dmz			tcp	imaps<br>	ACCEPT		net		dmz			tcp	domain<br>	ACCEPT		net		dmz			tcp	cvspserver<br>	ACCEPT		net		dmz			udp	domain<br>	ACCEPT		net		dmz			icmp	echo-request<br>	ACCEPT 		net:$MIRRORS	dmz			tcp	rsync<br>	#<br>	# Net to Me (ICQ chat and file transfers) <br>	#<br>	ACCEPT		net		me			tcp	4000:4100<br>	#<br>	# Net to Local <br>	#<br>	ACCEPT		net		loc			tcp	auth<br>	REJECT		net		loc			tcp	www<br>	#<br>	# DMZ to Internet<br>	#<br>	ACCEPT		dmz		net			icmp	echo-request<br>	ACCEPT		dmz		net			tcp	smtp<br>	ACCEPT		dmz		net			tcp	auth<br>	ACCEPT		dmz		net			tcp	domain<br>	ACCEPT		dmz		net			tcp	www<br>	ACCEPT		dmz		net			tcp	https<br>	ACCEPT		dmz		net			tcp	whois<br>	ACCEPT		dmz		net			tcp	echo<br>	ACCEPT		dmz		net			udp	domain<br>	ACCEPT		dmz 		net:$NTPSERVERS		udp	ntp<br>	ACCEPT 		dmz 		net:$POPSERVERS		tcp	pop3<br>	#<br>	# The following compensates for a bug, either in some FTP clients or in the<br>	# Netfilter connection tracking code that occasionally denies active mode<br>	# FTP clients<br>	#<br>	ACCEPT:info 	dmz 		net			tcp	1024:	20<br>	#<br>	# DMZ to Firewall -- snmp<br>	#<br>	ACCEPT 		dmz 		fw 			tcp	snmp<br>	ACCEPT		dmz		fw			udp	snmp<br>	#<br>	# DMZ to Local Network <br>	#<br>	ACCEPT 		dmz 		loc			tcp	smtp<br>	ACCEPT		dmz		loc			tcp	auth<br>	ACCEPT		dmz		loc			icmp	echo-request<br>	# Internet to Firewall<br>	#<br>	ACCEPT		net		fw			tcp	1723<br>	ACCEPT		net		fw			gre<br>	REJECT 		net		fw			tcp	www<br>	#<br>	# Firewall to Internet<br>	#<br>	ACCEPT 		fw 		net:$NTPSERVERS		udp	ntp<br>	ACCEPT		fw		net			udp	domain<br>	ACCEPT		fw		net			tcp	domain<br>	ACCEPT		fw		net			tcp	www<br>	ACCEPT		fw		net			tcp	https<br>	ACCEPT		fw		net			tcp	ssh<br>	ACCEPT		fw		net			tcp	whois<br>	ACCEPT		fw		net 			icmp	echo-request<br>	#<br>	# Firewall to DMZ<br>	#<br>	ACCEPT 		fw 		dmz 			tcp 	www<br>	ACCEPT 		fw 		dmz 			tcp 	ftp<br>	ACCEPT 		fw 		dmz 			tcp 	ssh<br>	ACCEPT 		fw 		dmz 			tcp 	smtp<br>	ACCEPT 		fw 		dmz 			udp 	domain<br>	#<br>	# Let Texas Ping<br>	#<br>	ACCEPT 		tx 		fw 			icmp 	echo-request<br>	ACCEPT		tx 		loc 			icmp 	echo-request<br><br>	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
                                                   
-<p><font size="2"> Last updated 9/14/2002  - </font><font size="2">     
+<p><font size="2"> Last updated 9/19/2002  - </font><font size="2">      
                                       <a href="support.htm">Tom Eastep</a></font>
    </p>
     <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+ <br>
 </body>
 </html>

Shorewall-docs/quotes.htm

@@ -1,96 +1,101 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
-
 <head>
-<meta http-equiv="Content-Language" content="en-us">
+ 
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta http-equiv="Content-Language" content="en-us">
-<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+ 
-<meta name="ProgId" content="FrontPage.Editor.Document">
+  <meta http-equiv="Content-Type"
-<title>Quotes from Shorewall Users</title>
+ content="text/html; charset=windows-1252">
+ 
+  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+ 
+  <meta name="ProgId" content="FrontPage.Editor.Document">
+  <title>Quotes from Shorewall Users</title>
 </head>
+  <body>
   
-<body>
+<table border="0" cellpadding="0" cellspacing="0"
-
+ style="border-collapse: collapse;" bordercolor="#111111" width="100%"
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#400169" height="90">
+   <tbody>
     <tr>
      <td width="100%">     
-    <h1 align="center"><font color="#FFFFFF">Quotes from Shorewall Users</font></h1>
+      <h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1>
      </td>
    </tr>
+ 
+  </tbody>
 </table>
                                                         
+<p>"I just installed Shorewall after weeks of messing with       ipchains/iptables
+and I had it up and running in under 20 minutes!"       -- JL, Ohio<br>
+</p>
+"My case was almost like [the one above]. Well. instead of 'weeks' it was
+'months' for me, and I think I needed two minutes more:<br>
+<ul>
+  <li>One to see that I had no Internet access from the firewall itself.</li>
+  <li>Other to see that this was the default configuration, and it was enough
+to uncomment a line in /etc/shorewall/policy.<br>
+  </li>
+</ul>
+Minutes instead of months! Congratulations and thanks for such a simple and
+well documented thing for something as huge as iptables." -- JV, Spain. 
                                                                
-      <p>&quot;I just installed Shorewall after weeks of messing with
+<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1       without
-      ipchains/iptables and I had it up and running in under 20 minutes!&quot;
+any problems. Your documentation is great and I really appreciate       your
-      -- JL, Ohio
+network configuration info. That really helped me out alot.       THANKS!!!"
+-- MM.           </p>
+                                                                 
+<p>"[Shorewall is a] great, great project. I've used/tested may       firewall
+scripts but this one is till now the best." -- B.R,       Netherlands   
        </p>
                                                                  
+<p>"Never in my +12 year career as a sys admin have I witnessed       someone
+so relentless in developing a secure, state of the art, save and       useful
+product as the Shorewall firewall package for no cost or obligation     
+ involved." -- Mario Kericki, Toronto           </p>
                                                                  
-      <p>&quot;I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1
+<p>"one time more to report, that your great shorewall in the latest    
-      without any problems. Your documentation is great and I really appreciate
+   release       1.2.9 is working fine for me with SuSE Linux 7.3! I now
-      your network configuration info. That really helped me out alot.
+have 7 machines up       and running with shorewall on several versions -
-      THANKS!!!&quot; -- MM.
+starting with 1.2.2 up to       the new 1.2.9 and I never have encountered
-          </p>
+any problems!" -- SM, Germany</p>
                                                                  
+<p>"You have the best support of any other package I've ever       used."
+-- SE, US           </p>
                                     
-      <p>&quot;[Shorewall is a] great, great project. I've used/tested may
+<p>"Because our company has information which has been classified by the
-      firewall scripts but this one is till now the best.&quot; -- B.R,
+ national government as secret, our security doesn't stop by putting a fence
-      Netherlands
+ around our company. Information security is a hot issue. We also make use
-          </p>
+of  checkpoint firewalls, but not all of the internet servers are guarded
+by  checkpoint, some of them are running....Shorewall." -- Name withheld
+by request,  Europe</p>
   
+<p>"thanx for all your efforts you put into shorewall - this product stands
+out  against a lot of commercial stuff i´ve been working with in terms of
+ flexibillity, quality &amp; support" -- RM, Austria</p>
   
-      <p>&quot;Never in my +12 year career as a sys admin have I witnessed
+<p>"I have never seen such a complete firewall package that is so easy to
-      someone so relentless in developing a secure, state of the art, save and
+ configure. I searched the Debian package system for firewall scripts and
-      useful product as the Shorewall firewall package for no cost or obligation
+ Shorewall won hands down." -- RG, Toronto</p>
-      involved.&quot; -- Mario Kericki, Toronto
-          </p>
   
+<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
+is a  wonderful piece of software. I've just sent out an email to about 30
+people  recommending it. :-)<br>
+ While I had previously taken the time (maybe 40 hours) to really understand
+ ipchains, then spent at least an hour per server customizing and carefully
+ scrutinizing firewall rules, I've got shorewall running on my home firewall,
+ with rulesets and policies that I know make sense, in under 20 minutes."
+-- RP,  Guatamala<br>
+ <br>
+  </p>
   
-      <p>&quot;one time more to report, that your great shorewall in the latest 
+<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/24/2002
-      release
+- <a href="support.htm">Tom Eastep</a>      </font>                     
-      1.2.9 is working fine for me with SuSE Linux 7.3! I now have 7 machines up
-      and running with shorewall on several versions - starting with 1.2.2 up to
-      the new 1.2.9 and I never have encountered any problems!&quot; -- SM, Germany</p>
-                                  
-                      
-      <p>&quot;You have the best support of any other package I've ever
-      used.&quot; -- SE, US
-          </p>
-                                  
-<p>&quot;Because our company has information which has been classified by the 
-national government as secret, our security doesn't stop by putting a fence 
-around our company. Information security is a hot issue. We also make use of 
-checkpoint firewalls, but not all of the internet servers are guarded by 
-checkpoint, some of them are running....Shorewall.&quot; -- Name withheld by request, 
-Europe</p>
-
-<p>&quot;thanx for all your efforts you put into shorewall - this product stands out 
-against a lot of commercial stuff i´ve been working with in terms of 
-flexibillity, quality &amp; support&quot; -- RM, Austria</p>
-
-<p>&quot;I have never seen such a complete firewall package that is so easy to 
-configure. I searched the Debian package system for firewall scripts and 
-Shorewall won hands down.&quot; -- RG, Toronto</p>
-
-<p>&quot;My respects... I've just found and installed Shorewall 1.3.3-1 and it is a 
-wonderful piece of software. I've just sent out an email to about 30 people 
-recommending it. :-)<br>
-While I had previously taken the time (maybe 40 hours) to really understand 
-ipchains, then spent at least an hour per server customizing and carefully 
-scrutinizing firewall rules, I've got shorewall running on my home firewall, 
-with rulesets and policies that I know make sense, in under 20 minutes.&quot; -- RP, 
-Guatamala<br>
-<br>
-&nbsp;</p>
-
-<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated
-7/9/2002 - <a href="support.htm">Tom Eastep</a>
-     </font>
-                                          
                        </p>
   
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-
+  <br>
 </body>
-
 </html>

Shorewall-docs/seattlefirewall_index.htm

@@ -2,37 +2,44 @@
 <html>
 <head>
                                                                         
+               
   <meta http-equiv="Content-Type"
  content="text/html; charset=windows-1252">
   <title>Shoreline Firewall (Shorewall) 1.3</title>
                                                                         
-  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-                     
-  <meta name="ProgId" content="FrontPage.Editor.Document">
                <base target="_self">
-  <meta name="Microsoft Theme" content="none">
 </head>
   <body>
                                                                         
+      
 <table border="0" cellpadding="0" cellspacing="4"
  style="border-collapse: collapse;" width="100%" id="AutoNumber3"
  bgcolor="#4b017c">
                           <tbody>
                      <tr>
-           <td width="100%">           
+                            <td width="100%" height="90">               
+                                                                        
+                                         
       <h1 align="center"> <font size="4"><i>           <a
- href="http://www.cityofshoreline.com">       <img border="0"
+ href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
- src="images/washington.jpg" align="right" width="100" height="82">
+ alt="Shorwall Logo" height="70" width="85" align="left"
-      <img border="0" src="images/washington.jpg" align="left"
+ src="images/washington.jpg" border="0">
- width="100" height="82">
+                       </a></i></font><font color="#ffffff">Shorewall 1.3 
-      </a></i></font><font color="#ffffff">Shorewall 1.3 - <font
+-        <font size="4">"<i>iptables made easy"</i></font></font></h1>
- size="4">"<i>iptables made easy"</i></font></font></h1>
+                                                                         
+     
+      <div align="center"><a href="1.2" target="_top"><font
+ color="#ffffff">Shorewall 1.2 Site here</font></a><br>
+                </div>
+                <br>
                             </td>
                           </tr>
                                                                          
+ 
   </tbody>                 
 </table>
                                                                         
+       
 <div align="center">                          
 <center>                          
 <table border="0" cellpadding="0" cellspacing="0"
@@ -41,185 +48,208 @@
                      <tr>
                               <td width="90%">                          
                                                                         
+                                                                 
       <h2 align="left">What is it?</h2>
                                                                         
-      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
+                                                                        
-a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
+                                    
-firewall        that can be used on a dedicated firewall system, a multi-function
+      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is a
+      <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
+       that can be used on a dedicated firewall system, a multi-function 
       gateway/router/server or on a standalone GNU/Linux system.</p>
                                                                         
+                                                                        
+                                   
       <p>This program is free software; you can redistribute it and/or modify 
-it        under the terms of <a
+        it        under the terms of <a
- href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU
+ href="http://www.gnu.org/licenses/gpl.html">Version        2 of the GNU General
-General Public License</a> as published by the Free Software        Foundation.<br>
+Public License</a> as published by the Free Software        Foundation.<br>
                            <br>
-           This program is distributed in the hope that it will be useful,
+                            This program is distributed in the hope that
-but        WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+it  will   be  useful,    but        WITHOUT ANY WARRANTY; without even the 
-       or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+implied   warranty  of MERCHANTABILITY           or FITNESS FOR A PARTICULAR 
-       for more details.<br>
+PURPOSE.   See the  GNU General Public License          for more details.<br>
                            <br>
-           You should have received a copy of the GNU General Public License
+                            You should have received a copy of the GNU General
-       along with this program; if not, write to the Free Software Foundation,
+   Public    License          along with this program; if not, write to the
-       Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
+  Free Software    Foundation,          Inc., 675 Mass Ave, Cambridge, MA
+02139,   USA</p>
+                                                                        
+                                                                        
                                    
       <p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
                                                                         
-      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
+                                                                        
+                                                      
+      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
  border="0" src="images/leaflogo.gif" width="49" height="36">
-      </a>Jacques        Nilo and Eric Wolzak have a LEAF distribution called
+                       </a>Jacques        Nilo and Eric Wolzak have a LEAF
-      <i>Bering</i> that        features Shorewall-1.3.3 and Kernel-2.4.18.
+ distribution       called        <i>Bering</i> that        features Shorewall-1.3.3
-You can find their work at:   <a
+ and  Kernel-2.4.18.      You can find their work at:   <a
  href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></p>
                                                                         
+                                                                        
+                                                      
       <h2>News</h2>
                                                                         
-      <p><b>9/16/2002 - Shorewall 1.3.8 </b><b><img border="0"
+                                                                        
- src="file:///vfat/Shorewall/Shorewall-docs/images/new10.gif" width="28"
+                      
- height="12">
+      <p><b>9/28/2002 - Shorewall 1.3.9</b></p>
- </b></p>
                                  
       <p>In this version:<br>
      </p>
                                  
       <ul>
-        <li>A NEWNOTSYN option has been added to shorewall.conf. This option
+            <li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a>
-determines whether Shorewall accepts TCP packets which are not part of an
+  are now allowed in Shorewall config files (although I recommend against
-established connection and that are not 'SYN' packets (SYN flag on and ACK
+using  them).</li>
-flag off).</li>
+            <li>The connection SOURCE may now be qualified by both interface
-        <li>The need for the 'multi' option to communicate between zones
+  and IP address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
-za and zb on the same interface is removed in the case where the chain 'za2zb'
+            <li>Shorewall startup is now disabled after initial installation
-and/or 'zb2za' exists. 'za2zb' will exist if:</li>
+  until the file /etc/shorewall/startup_disabled is removed. This avoids
-        <ul>
+nasty   surprises at reboot for users who install Shorewall but don't configure
-          <li>       
+it.</li>
-            <blockquote>There is a policy for za to zb; or</blockquote>
+           <li>The 'functions' and 'version' files and the 'firewall' symbolic 
+link have been  moved from /var/lib/shorewall to /usr/lib/shorewall to appease 
+the LFS police at Debian.<br>
            </li>
-          <li>       
+                               
-            <blockquote>There is at least one rule for za to zb.</blockquote>
-     </li>
-        </ul>
       </ul>
                                  
+      <p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability 
+   Restored</b><b> </b><b><img border="0" src="images/new10.gif"
+ width="28" height="12" alt="(New)">
+                  </b><br>
+             </p>
+           <img src="images/j0233056.gif" alt="Brown Paper Bag"
+ width="50" height="86" align="left">
+       A couple of recent configuration changes at www.shorewall.net broke
+ the  Search facility:<br>
+                                                         
+      <blockquote>                                             
+        <ol>
+               <li>Mailing List Archive Search was not available.</li>
+               <li>The Site Search index was incomplete</li>
+               <li>Only one page of matches was presented.</li>
+                                                                 
+        </ol>
+           </blockquote>
+        Hopefully these problems are now corrected.                     
+                           
+      <p><b>9/18/2002 -  Debian 1.3.8 Packages Available </b><b><img
+ border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
+                  </b><br>
+                  </p>
+                                                                        
+                               
+      <p>Apt-get sources listed at <a
+ href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
+              <b> </b>                                                  
+                                       
+      <p><b>9/16/2002 - Shorewall 1.3.8 </b><b><img border="0"
+ src="images/new10.gif" width="28" height="12" alt="(New)">
+                  </b></p>
+                                                                        
+                                                               
+      <p>In this version:<br>
+                  </p>
+                                                                        
+                                                               
       <ul>
-        <li>The /etc/shorewall/blacklist file now contains three columns.
+                         <li>A NEWNOTSYN option has been added to shorewall.conf. 
-In addition to the SUBNET/ADDRESS column, there are optional PROTOCOL and
+    This   option  determines whether Shorewall accepts TCP packets which 
-PORT columns to block only certain applications from the blacklisted addresses.<br>
+are    not part   of an  established connection and that are not 'SYN' packets 
+  (SYN  flag on   and ACK  flag off).</li>
+                         <li>The need for the 'multi' option to communicate 
+ between     zones    za and zb on the same interface is removed in the case 
+ where the    chain 'za2zb'   and/or 'zb2za' exists. 'za2zb' will exist if: 
+                                                                         
+                                                                        
+                                                            
+          <ul>
+                            <li>There is a policy for za to zb; or</li>
+                            <li>There is at least one rule for za to zb.
                                     </li>
+                                                                        
+                                                                        
+                                             
           </ul>
+                        </li>
+                                                                        
+                                                      
+      </ul>
+                                                                        
+                                                               
+      <ul>
+                         <li>The /etc/shorewall/blacklist file now contains 
+ three    columns.     In addition to the SUBNET/ADDRESS column, there are 
+ optional    PROTOCOL and    PORT columns to block only certain applications 
+ from the   blacklisted addresses.<br>
+                    </li>
+                                                                        
+                                                              
+      </ul>
+                                                                        
                                                                
       <p><b>9/11/2002 - Debian 1.3.7c Packages Available </b></p>
                                                                         
+                                                                        
+                      
       <p>Apt-get sources listed at <a
  href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
                                                                         
+                                                                        
+                      
       <p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
                                                                         
+                                                                        
+                      
       <p>This is a role up of a fix for "DNAT" rules where the source zone 
-is $FW   (fw).</p>
+        is $FW   (fw).</p>
+                                                                        
+                                                                        
                       
       <p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
                                                                         
+                                                                        
+                      
       <p>This is a role up of the "shorewall refresh" bug fix and the change 
-which   reverses the order of "dhcp" and "norfc1918" checking.</p>
+        which   reverses the order of "dhcp" and "norfc1918" checking.</p>
+                                                                        
+                                                                        
                       
       <p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
                                                                         
+                                                                        
+                      
       <p><a target="_blank"
  href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> 
-is now available.</p>
+        is now available.</p>
+                                                                        
+                                                                        
                       
       <p><b>8/25/2002 - Shorewall Mirror in France </b></p>
                                                                         
+                                                                        
+                      
       <p>Thanks to a Shorewall user in Paris, the Shorewall web site is now 
-mirrored   at <a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
+        mirrored   at <a target="_top"
+ href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
                                                                         
-      <p><b>8/25/2002 - Shorewall 1.3.7a Debian Packages Available</b></p>
                                                                         
-      <p>Lorenzo Martignoni reports that the packages for version 1.3.7a
- are available at <a
- href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
-                                 
-      <p><b>8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for
-its Author   -- Shorewall 1.3.7a released  <img border="0"
- src="images/j0233056.gif" width="50" height="80" align="middle">
-      </b></p>
-                                 
-      <p>1.3.7a corrects problems occurring in  rules file processing when
-starting Shorewall   1.3.7.</p>
-                                 
-      <p><b>8/22/2002 - Shorewall 1.3.7 Released</b></p>
-                                 
-      <p>Features in this release include:</p>
-                                      
-      <ul>
-         <li>The 'icmp.def' file is now empty! The rules in that file were
-         required in ipchains firewalls but are not required in Shorewall.
-Users          who have ALLOWRELATED=No in <a
- href="Documentation.htm#Conf">         shorewall.conf</a> should see the
-          <a href="errata.htm#Upgrade">Upgrade          Issues</a>.</li>
-         <li>A 'FORWARDPING' option has been added to         <a
- href="Documentation.htm#Conf">shorewall.conf</a>. The effect of        
- setting this variable to Yes is the same as the effect of adding an    
-     ACCEPT rule for ICMP echo-request in         <a
- href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>.     
-    Users who have such a rule in icmpdef are encouraged to switch to   
-      FORWARDPING=Yes.</li>
-         <li>The loopback CLASS A Network (127.0.0.0/8) has been added to
-the          rfc1918 file.</li>
-         <li>Shorewall now works with iptables 1.2.7.</li>
-         <li>The documentation and Web site no longer use FrontPage themes.</li>
-       
-      </ul>
-                                 
-      <p>I would like to thank John Distler for his valuable input regarding
-TCP SYN   and ICMP treatment in Shorewall. That input has led to marked improvement
-in   Shorewall in the last two releases.</p>
-                                 
-      <p><b>8/13/2002 - Documentation in the <a target="_top"
- href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">  CVS Repository</a></b></p>
-                                 
-      <p>The Shorewall-docs project now contains just the HTML and image
-files - the   Frontpage files have been removed.</p>
-                                 
-      <p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a
- target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">  CVS
-Repository</a></b></p>
-                                 
-      <p>This branch will only be updated after I release a new version of
-Shorewall   so you can always update from this branch to get the latest stable
-tree.</p>
-                                 
-      <p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section
-added   to the <a href="errata.htm">Errata Page</a></b></p>
-                                 
-      <p>Now there is one place to go to look for issues involved with upgrading
-to   recent versions of Shorewall.</p>
-                                 
-      <p><b>8/7/2002 - Shorewall 1.3.6</b></p>
-                                 
-      <p>This is primarily a bug-fix rollup with a couple of new features:</p>
-                                 
-      <ul>
-    <li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart Guides
-          </a>    including the <a href="shorewall_setup_guide.htm">Shorewall
-Setup Guide.</a></li>
-    <li>Shorewall will now DROP TCP packets that are not part of or related
-to an     existing connection and that are not SYN packets. These "New not
-SYN" packets     may be optionally logged by setting the LOGNEWNOTSYN option
-in <a href="Documentation.htm#Conf">    /etc/shorewall/shorewall.conf</a>.</li>
-    <li>The processing of "New not SYN" packets may be extended by commands
-in     the new <a href="shorewall_extension_scripts.htm">newnotsyn extension
-script</a>.</li>
-  
-      </ul>
                       
       <p><a href="News.htm">More News</a></p>
                                                                         
+                                                                        
+                                                      
       <h2><a name="Donations"></a>Donations</h2>
                                                                  </td>
-             <td width="88" bgcolor="#4b017c" valign="top"
+                              <td width="88" bgcolor="#4b017c"
- align="center">             <a href="http://sourceforge.net">M</a></td>
+ valign="top" align="center">             <a
+ href="http://sourceforge.net">M</a></td>
                             </tr>
                                                                         
+   
   </tbody>                 
 </table>
                           </center>
@@ -231,26 +261,35 @@ script</a>.</li>
                      <tbody>
                      <tr>
                        <td width="100%" style="margin-top: 1px;">       
+                                                                        
+                                            
       <p align="center"><a href="http://www.starlight.org">        <img
  border="4" src="images/newlog.gif" width="57" height="100" align="left"
  hspace="10">
-      <img border="4" src="images/newlog.gif" width="57" height="100"
+                        </a></p>
- align="right" hspace="10">
-      </a></p>
                                                                         
-      <p align="center"><font size="4" color="#ffffff">Shorewall is free
+                                                                     
-but if       you try it and find it useful, please consider making a donation
+      <p align="center"><font size="4" color="#ffffff">Shorewall is free but
-to       <a href="http://www.starlight.org"><font color="#ffffff">Starlight
+if       you try it and find it useful, please consider making a donation 
-Children's Foundation.</font></a> Thanks!</font></p>
+        to       <a href="http://www.starlight.org"><font
+ color="#ffffff">Starlight         Children's Foundation.</font></a> Thanks!</font></p>
                        </td>
                      </tr>
                                                                       
   </tbody>                 
 </table>
                                                                 
-<p><font size="2">Updated       9/16/2002 - <a href="support.htm">Tom Eastep</a> 
+<p><font size="2">Updated       9/27/2002 - <a href="support.htm">Tom Eastep</a></font>
-     </font>                                                            
+                                                                        
+  <br>
          </p>
           <br>
+       <br>
+      <br>
+     <br>
+    <br>
+   <br>
+  <br>
+ <br>
 </body>
 </html>

Shorewall-docs/shoreline.htm

@@ -2,49 +2,44 @@
 <html>
 <head>
      
-  <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta http-equiv="Content-Type"
+ content="text/html; charset=windows-1252">
   <title>About the Shorewall Author</title>
          
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
      
   <meta name="ProgId" content="FrontPage.Editor.Document">
          
-   
   <meta name="Microsoft Theme" content="none">
 </head>
   <body>
             
-
+<table border="0" cellpadding="0" cellspacing="0"
-  
+ style="border-collapse: collapse;" width="100%" id="AutoNumber1"
-      <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+ bgcolor="#400169" height="90">
+         <tbody>
     <tr>
            <td width="100%">           
-          <h1 align="center"><font color="#FFFFFF">Tom Eastep</font></h1>
+      <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
            </td>
          </tr>
-      </table>
        
+  </tbody>
+</table>
                     
+<p align="center">       <img border="3" src="images/Hiking1.jpg"
+ alt="Tom on the PCT - 1991" width="374" height="365">
+</p>
                     
-      <p align="Center">
+<p align="center">Tom on the Pacific Crest Trail north of Stevens Pass, 
-      <img border="3" src="images/Hiking1.jpg" alt="Tom on the PCT - 1991" width="374" height="365"></p>
+     Washington  -- Sept       1991.<br>
+       <font size="2">Photo       by Ken Mazawa</font></p>
              
-      
+<ul>
-  
-      <p align="Center">Tom on the Pacific Crest Trail north of Stevens Pass,
-      Washington&nbsp; -- Sept
-      1991.<br>
-      <font size="2">Photo
-      by Ken Mazawa</font></p>
-  
-      
-  <ul>
      <li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
-State</a>
+ State</a> .</li>
-.</li>
      <li>BA Mathematics from <a href="http://www.wsu.edu">Washington State
-University</a>
+ University</a>  1967</li>
- 1967</li>
      <li>MA Mathematics from <a href="http://www.washington.edu">University 
 of Washington</a> 1969</li>
      <li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a> 
@@ -52,57 +47,65 @@ of Washington</a> 1969</li>
      <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> 
  (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
      <li>Married 1969 - no children.</li>
-  </ul>
    
-      <p>I am currently a member of the design team for the next-generation
+</ul>
+         
+<p>I am currently a member of the design team for the next-generation   
    operating system from the NonStop Enterprise Division of HP. </p>
          
-      <p>I became interested in Internet Security
+<p>I became interested in Internet Security when I established a home office
-when I established a home office in 1999 and had DSL service installed in our
+in 1999 and had DSL service installed in our       home. I investigated ipchains
-      home. I investigated
+and developed the scripts which are now collectively known as <a
-ipchains and developed the scripts which are now collectively known as <a href="http://seawall.sourceforge.net"> Seattle
+ href="http://seawall.sourceforge.net"> Seattle       Firewall</a>. Expanding
-      Firewall</a>. Expanding on what I learned from Seattle Firewall, I then
+on what I learned from Seattle Firewall, I then       designed and wrote
-      designed and wrote Shorewall. </p>
+Shorewall. </p>
          
-      <p>I telework from our home in&nbsp;<a href="http://www.cityofshoreline.com">Shoreline, 
+<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
-Washington</a>
+ Washington</a>  where I live with my wife Tarry. </p>
- where I live with my wife Tarry. </p>
          
-      <p>Our current home network consists of: </p>
+<p>Our current home network consists of: </p>
      
-  <ul>
+<ul>
-    <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs and LNE100TX 
+     <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs
-    (Tulip) NIC - My personal Windows system.</li>
+and LNE100TX      (Tulip) NIC - My personal Windows system.</li>
-    <li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My 
+     <li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC -
-    personal Linux System which runs Samba configured as a WINS server. This 
+My      personal Linux System which runs Samba configured as a WINS server.
-    system also has <a href="http://www.vmware.com/">VMware</a> installed and 
+This      system also has <a href="http://www.vmware.com/">VMware</a> installed
-    can run both <a href="http://www.debian.org">Debian</a> and
+and      can run both <a href="http://www.debian.org">Debian</a> and    
     <a href="http://www.suse.com">SuSE</a> in virtual machines.</li>
-    <li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
+     <li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail (Postfix
-- Mail (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server 
+&amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server      (Bind).</li>
-    (Bind).</li>
+     <li>PII/233, RH7.3 with 2.4.20-pre6 kernel, 256MB MB RAM, 2GB SCSI HD
-    <li>PII/233, RH7.3 with 2.4.20-pre2 kernel, 256MB MB RAM, 2GB SCSI HD - 3 
+- 3      LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
-    LNE100TX&nbsp; (Tulip) and 1 TLAN NICs&nbsp; - Firewall running Shorewall 1.3.6 and a DHCP  
+1.3.9 (Yep -- I run them before I release them) and a DHCP     server.  Also
-  server.  Also  runs PoPToP for     road warrior access.</li>
+ runs PoPToP for     road warrior access.</li>
-    <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's     personal system.</li>
+     <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's 
-    <li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 and     EEPRO100
+   personal system.</li>
-in expansion base and LinkSys WAC11 - My main work system.</li>
+     <li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100
-  </ul>
+and     EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
-  <p>For more about our network see <a href="myfiles.htm">my Shorewall
-  Configuration</a>.</p>
    
-      <p>All of our 
+</ul>
-      other systems are made by <a href="http://www.compaq.com">Compaq</a> (part 
-      of the new <a href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a href="http://www.netgear.com">Netgear</a>
-      FA310TXs.</p>
    
+<p>For more about our network see <a href="myfiles.htm">my Shorewall   Configuration</a>.</p>
          
- <p><a href="http://www.redhat.com"><img border="0" src="images/poweredby.png" width="88" height="31"></a><a href="http://www.compaq.com"><img border="0" src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25"></a><a href="http://www.pureftpd.org"><img border="0" src="images/pure.jpg" width="88" height="31"></a><font size="4"><a href="http://www.apache.org"><img border="0" src="images/apache_pb1.gif" hspace="2" width="170" height="20"></a>
+<p>All of our        other systems are made by <a
- </font></p>
+ href="http://www.compaq.com">Compaq</a> (part        of the new <a
+ href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a
+ href="http://www.netgear.com">Netgear</a>       FA310TXs.</p>
            
+<p><a href="http://www.redhat.com"><img border="0"
+ src="images/poweredby.png" width="88" height="31">
+</a><a href="http://www.compaq.com"><img border="0"
+ src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
+</a><a href="http://www.pureftpd.org"><img border="0"
+ src="images/pure.jpg" width="88" height="31">
+</a><font size="4"><a href="http://www.apache.org"><img border="0"
+ src="images/apache_pb1.gif" hspace="2" width="170" height="20">
+</a>  </font></p>
                
-      <p><font size="2">Last updated 8/16/2002 - </font><font size="2">
+<p><font size="2">Last updated 9/19/2002 - </font><font size="2">       <a
-      <a href="support.htm">Tom Eastep</a></font>
+ href="support.htm">Tom Eastep</a></font>  </p>
- </p>
    <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-  © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
+   © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
+</body>
+</html>

Shorewall-docs/shorewall_prerequisites.htm

@@ -1,40 +1,53 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
-
 <head>
-<meta http-equiv="Content-Language" content="en-us">
+ 
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta http-equiv="Content-Language" content="en-us">
-<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+ 
-<meta name="ProgId" content="FrontPage.Editor.Document">
+  <meta http-equiv="Content-Type"
-<title>Shorewall Prerequisites</title>
+ content="text/html; charset=windows-1252">
+ 
+  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+ 
+  <meta name="ProgId" content="FrontPage.Editor.Document">
+  <title>Shorewall Prerequisites</title>
 </head>
+  <body>
   
-<body>
+<table border="0" cellpadding="0" cellspacing="0"
-
+ style="border-collapse: collapse;" bordercolor="#111111" width="100%"
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+ id="AutoNumber1" bgcolor="#400169" height="90">
+   <tbody>
     <tr>
      <td width="100%">     
-    <h1 align="center"><font color="#FFFFFF">Shorewall Requirements</font></h1>
+      <h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
      </td>
    </tr>
+ 
+  </tbody>
 </table>
+ 
 <ul>
-  <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre2. <a href="kernel.htm">
+   <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6.
-    Check here for kernel configuration       information.</a>
+    <a href="kernel.htm">     Check here for kernel configuration       information.</a> 
-     If you are looking for a firewall for use with 2.2 kernels, <a href="http://www.shorewall.net/seawall">
+     If you are looking for a firewall for use with 2.2 kernels, <a
-    see       the Seattle Firewall site</a>
+ href="http://www.shorewall.net/seawall">     see       the Seattle Firewall
-    .</li>
+site</a>     .</li>
-  <li>iptables 1.2 or later  but beware version 1.2.3 -- see the <a href="errata.htm">Errata</a>.
+   <li>iptables 1.2 or later  but beware version 1.2.3 -- see the <a
-  <font color="#FF0000"><b>WARNING: </b></font>The buggy iptables version 1.2.3 
+ href="errata.htm">Errata</a>.   <font color="#ff0000"><b>WARNING: </b></font>The
-  is included in RedHat 7.2 and you should upgrade to iptables 1.2.4 prior to 
+buggy iptables version 1.2.3    is included in RedHat 7.2 and you should
-  installing Shorewall. Version 1.2.4 is available
+upgrade to iptables 1.2.4 prior to    installing Shorewall. Version 1.2.4
-  <a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a> 
+is available   <a
-  and in the <a href="errata.htm">Shorewall Errata</a>. If you are going to be 
+ href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
-  running kernel 2.4.18 or later, NO currently-available RedHat iptables RPM 
+   and in the <a href="errata.htm">Shorewall Errata</a>. If you are going
-  will work -- again, see the <a href="errata.htm">Shorewall Errata</a>. </li>
+to be    running kernel 2.4.18 or later, NO currently-available RedHat iptables
-  <li>Some features require iproute ("ip" utility). The iproute package is
+RPM    will work -- again, see the <a href="errata.htm">Shorewall Errata</a>.
-    included with most distributions but may not be installed by default. The
+  </li>
-    official download site is <a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">
+   <li>Some features require iproute ("ip" utility). The iproute package
-  <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
+is     included with most distributions but may not be installed by default.
+The     official download site is <a
+ href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">   <font
+ face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>. 
   </li>
    <li>A Bourne shell or derivative such as bash or ash. Must have correct
       support for variable expansion formats ${<i>variable</i>%<i>pattern</i> 
@@ -42,13 +55,14 @@
     } and       ${<i>variable</i>##<i>pattern</i>}.</li>
    <li>The firewall monitoring display is greatly improved if you have awk
       (gawk) installed.</li>
+ 
 </ul>
-<p align="left"><font size="2">Last updated 8/24/2002 - <a href="support.htm">Tom
-Eastep</a></font></p>
  
-<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
+<p align="left"><font size="2">Last updated 9/19/2002 - <a
-<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ href="support.htm">Tom Eastep</a></font></p>
   
+<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
+ size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+  <br>
 </body>
-
 </html>

Shorewall-docs/shorewall_quickstart_guide.htm

@@ -30,8 +30,8 @@
   </tbody> 
 </table>
     
-<p align="center">With thanks to Richard who reminded me once again that
+<p align="center">With thanks to Richard who reminded me once again that we
-we must  all first walk before we can run.</p>
+must  all first walk before we can run.</p>
     
 <h2>The Guides</h2>
    
@@ -54,8 +54,8 @@ as a    firewall/router for a small local network and a DMZ.</li>
    
 <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines 
  the steps necessary to set up a firewall where there are multiple public 
-IP  addresses involved or if you want to learn more about Shorewall than
+IP  addresses involved or if you want to learn more about Shorewall than is
-is  explained in the single-address guides above.</p>
+ explained in the single-address guides above.</p>
    
 <ul>
     <li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
@@ -67,7 +67,8 @@ and Routing</a>
       <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
       <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
       <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
-     <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution Protocol</a></li>
+      <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
+Protocol</a></li>
          
     </ul>
          
@@ -77,6 +78,7 @@ and Routing</a>
     </ul>
     </li>
     <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a> 
+    
     <ul>
       <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
          
@@ -84,6 +86,7 @@ and Routing</a>
          
     <ul>
       <li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a> 
+        
         <ul>
         <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
         <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
@@ -125,6 +128,8 @@ features</a>
       <li>Port Numbers/Service Names</li>
       <li>Port Ranges</li>
       <li>Using Shell Variables</li>
+      <li>Using DNS Names<br>
+ </li>
       <li>Complementing an IP address or Subnet</li>
       <li>Shorewall Configurations (making a test configuration)</li>
       <li>Using MAC Addresses in Shorewall</li>
@@ -132,6 +137,7 @@ features</a>
     </ul>
     </li>
     <li><a href="Documentation.htm">Configuration File Reference Manual</a> 
+    
     <ul>
       <li>   <a href="Documentation.htm#Variables">params</a></li>
       <li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
@@ -198,5 +204,6 @@ to a      remote network.</li>
     
 <p><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a></p>
    <br>
+ <br>
 </body>
 </html>

Shorewall-docs/standalone.htm

@@ -1,74 +1,99 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
-
 <head>
-<meta http-equiv="Content-Language" content="en-us">
+     
-<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+  <meta http-equiv="Content-Language" content="en-us">
-<meta name="ProgId" content="FrontPage.Editor.Document">
+     
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-<title>Standalone Firewall</title>
+     
+  <meta name="ProgId" content="FrontPage.Editor.Document">
+     
+  <meta http-equiv="Content-Type"
+ content="text/html; charset=windows-1252">
+  <title>Standalone Firewall</title>
 </head>
+  <body>
     
-<body>
+<table border="0" cellpadding="0" cellspacing="0"
-
+ style="border-collapse: collapse;" bordercolor="#111111" width="100%"
-<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber6" bgcolor="#400169" height="90">
+ id="AutoNumber6" bgcolor="#400169" height="90">
+    <tbody>
      <tr>
       <td width="100%">         
-
+      <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
-<h1 align="center"><font color="#FFFFFF">Standalone Firewall</font></h1>
-
        </td>
     </tr>
+     
+  </tbody> 
 </table>
     
 <h2 align="center">Version 2.0.1</h2>
-<p align="left">Setting up Shorewall on a standalone Linux system is very easy if you understand the basics and follow the 
+   
-documentation.</p>
+<p align="left">Setting up Shorewall on a standalone Linux system is very 
+easy if you understand the basics and follow the  documentation.</p>
+   
 <p>This guide doesn't attempt to acquaint you with all of the features of 
-Shorewall. It rather focuses on what is required to configure Shorewall in one 
+ Shorewall. It rather focuses on what is required to configure Shorewall in
-of its 
+one  of its  most common configurations:</p>
-most common configurations:</p>
+   
 <ul>
     <li>Linux system</li>
     <li>Single external IP address</li>
     <li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
+   
 </ul>
-<p>This guide assumes that you have the iproute/iproute2 package installed (on 
+   
-RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if this 
+<p>This guide assumes that you have the iproute/iproute2 package installed 
-package is installed by the presence of an <b>ip</b> program on your firewall 
+(on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if 
-system. As root, you can use the 'which' command to check for this program:</p>
+this  package is installed by the presence of an <b>ip</b> program on your 
-<pre>     [root@gateway root]# which ip
+firewall  system. As root, you can use the 'which' command to check for this 
-     /sbin/ip
+program:</p>
-     [root@gateway root]#</pre><p>I recommend that you read through the guide 
+   
-first to familiarize yourself with what's involved then go back through it again 
+<pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
-making your configuration changes.&nbsp; Points at which configuration changes 
+ 
-are recommended are flagged with <img border="0" src="images/BD21298_.gif" width="13" height="13">.</p>
+<p>I recommend that you read through the guide  first to familiarize yourself 
-<p><img border="0" src="images/j0213519.gif" width="60" height="60">&nbsp;&nbsp;&nbsp; 
+with what's involved then go back through it again  making your configuration 
-If you edit your configuration files on a Windows system, you must save them as 
+changes.  Points at which configuration changes  are recommended are flagged 
-Unix files if your editor supports that option or you must run them through 
+with <img border="0" src="images/BD21298_.gif" width="13" height="13">
-dos2unix before trying to use them. Similarly, if you copy a configuration file 
+ .</p>
-from your Windows hard drive to a floppy disk, you must run dos2unix against the 
+   
-copy before using it with Shorewall.</p>
+<p><img border="0" src="images/j0213519.gif" width="60" height="60">
+      If you edit your configuration files on a Windows system, you must
+save them as  Unix files if your editor supports that option or you must
+run them through  dos2unix before trying to use them. Similarly, if you copy
+a configuration file  from your Windows hard drive to a floppy disk, you
+must run dos2unix against the  copy before using it with Shorewall.</p>
+   
 <ul>
-  <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version of 
+    <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
-  dos2unix</a></li>
+of    dos2unix</a></li>
-  <li><a href="http://www.megaloman.com/~hany/software/hd2u/">Linux Version of 
+    <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version 
-  dos2unix</a></li>
+of    dos2unix</a></li>
+   
 </ul>
+   
 <h2 align="left">Shorewall Concepts</h2>
+   
 <p>The configuration files for Shorewall are contained in the directory 
 /etc/shorewall -- for simple setups, you  only need to deal with a few of
-these as described in this guide.  After you have <a href="Install.htm">installed Shorewall</a>, 
+ these as described in this guide.  After you have <a href="Install.htm">installed
-download the <a href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>, un-tar it 
+Shorewall</a>,  download the <a
-(tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall 
+ href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
-(they will replace files with the same names that were placed in /etc/shorewall 
+un-tar it  (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
-during Shorewall installation).</p>
+ (they will replace files with the same names that were placed in /etc/shorewall
-<p>As each file is introduced, I suggest that you 
+ during Shorewall installation).</p>
-look through the actual file on your system -- each file contains detailed 
+   
-configuration instructions and default entries.</p>
+<p>As each file is introduced, I suggest that you  look through the actual 
-<p>Shorewall views the network where it is running as being composed of a set of 
+file on your system -- each file contains detailed  configuration instructions 
-<i>zones.</i> In the one-interface sample configuration, only one zone is 
+and default entries.</p>
-defined:</p>
+   
-<table border="0" style="border-collapse: collapse" cellpadding="3" cellspacing="0" id="AutoNumber2">
+<p>Shorewall views the network where it is running as being composed of a 
+set of  <i>zones.</i> In the one-interface sample configuration, only one 
+zone is  defined:</p>
+   
+<table border="0" style="border-collapse: collapse;" cellpadding="3"
+ cellspacing="0" id="AutoNumber2">
+    <tbody>
      <tr>
       <td><u><b>Name</b></u></td>
       <td><u><b>Description</b></u></td>
@@ -77,30 +102,41 @@ defined:</p>
       <td><b>net</b></td>
       <td><b>The Internet</b></td>
     </tr>
-  </table>
-<p>Shorewall zones are defined in <a href="Documentation.htm#Zones">
-/etc/shorewall/zones</a>.</p>
-<p>Shorewall also recognizes the firewall system as its own zone - by default, 
-the firewall itself is known as <b>fw</b>.</p>
-<p>Rules about what traffic to allow and what traffic to deny are expressed in 
-terms of zones.</p>
-<ul>
-  <li>You express your default policy for connections from one zone to another 
-  zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
-  <li>You define exceptions to those default policies in the
-  <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
-</ul>
-<p>For each connection request entering the firewall, the request is first checked against the 
-/etc/shorewall/rules file. If no rule in that file matches the connection 
-request then the first policy in /etc/shorewall/policy that matches the 
        
-request is applied. If that policy is REJECT or DROP&nbsp; the request is first 
+  </tbody> 
-checked against the rules in /etc/shorewall/common (the samples provide that 
+</table>
-file for you).</p>
+   
-<p>The /etc/shorewall/policy file included with the one-interface sample has the 
+<p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
-following policies:</p>
+   
+<p>Shorewall also recognizes the firewall system as its own zone - by default, 
+ the firewall itself is known as <b>fw</b>.</p>
+   
+<p>Rules about what traffic to allow and what traffic to deny are expressed 
+in  terms of zones.</p>
+   
+<ul>
+    <li>You express your default policy for connections from one zone to
+another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+    </a>file.</li>
+    <li>You define exceptions to those default policies in the   <a
+ href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
+   
+</ul>
+   
+<p>For each connection request entering the firewall, the request is first 
+checked against the  /etc/shorewall/rules file. If no rule in that file matches 
+the connection  request then the first policy in /etc/shorewall/policy that 
+matches the    request is applied. If that policy is REJECT or DROP  the request
+is first  checked against the rules in /etc/shorewall/common (the samples
+provide that  file for you).</p>
+   
+<p>The /etc/shorewall/policy file included with the one-interface sample has
+the  following policies:</p>
+   
 <blockquote>      
-  <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber3">
+      <tbody>
        <tr>
         <td><u><b>SOURCE ZONE</b></u></td>
         <td><u><b>DESTINATION ZONE</b></u></td>
@@ -112,87 +148,115 @@ following policies:</p>
         <td>fw</td>
         <td>net</td>
         <td>ACCEPT</td>
-      <td>&nbsp;</td>
+        <td> </td>
-      <td>&nbsp;</td>
+        <td> </td>
       </tr>
       <tr>
         <td>net</td>
         <td>net</td>
         <td>DROP</td>
         <td>info</td>
-      <td>&nbsp;</td>
+        <td> </td>
       </tr>
       <tr>
         <td>all</td>
         <td>all</td>
         <td>REJECT</td>
         <td>info</td>
-      <td>&nbsp;</td>
+        <td> </td>
       </tr>
+         
+    </tbody>   
   </table>
-</blockquote>
+  </blockquote>
-<pre>     fw		net	ACCEPT
+   
-     net	all	DROP	info
+<pre>     fw		net	ACCEPT<br>     net	all	DROP	info<br>     all	all	REJECT	info</pre>
-     all	all	REJECT	info</pre>
+   
 <p>The above policy will:</p>
+   
 <ol>
     <li>allow all connection requests from the firewall to the internet</li>
     <li>drop (ignore) all connection requests from the internet to your firewall</li>
     <li>reject all other connection requests (Shorewall requires this catchall 
    policy).</li>
+   
 </ol>
-<p>At this point, edit your /etc/shorewall/policy and make any changes that you 
+   
-wish.</p>
+<p>At this point, edit your /etc/shorewall/policy and make any changes that 
+you  wish.</p>
+   
 <h2 align="left">External Interface</h2>
+   
 <p align="left">The firewall has a single network interface. Where Internet 
-connectivity is through a cable or DSL &quot;Modem&quot;, the <i>External Interface</i> 
+ connectivity is through a cable or DSL "Modem", the <i>External Interface</i> 
-will be the ethernet adapter (<b>eth0</b>) that is connected to that &quot;Modem&quot;&nbsp;
+ will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
-<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
+ <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
-over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
+ over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
-<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be a <b>ppp0</b>. If you connect via a regular modem, your External 
+ <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
-Interface will also be <b>ppp0</b>. If you connect using ISDN, your external 
+a <b>ppp0</b>. If you connect via a regular modem, your External  Interface 
-interface will be<b> ippp0.</b></p>
+will also be <b>ppp0</b>. If you connect using ISDN, your external  interface 
-<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" height="13">&nbsp;&nbsp;&nbsp; The Shorewall one-interface sample configuration assumes that 
+will be<b> ippp0.</b></p>
-the external interface is <b>eth0</b>. 
+   
-If your configuration is different, you will have to modify the sample 
+<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
-/etc/shorewall/interfaces file accordingly. While you are there, you may wish to 
+ height="13">
-review the list of options that are specified for the interface. Some hints:</p>
+     The Shorewall one-interface sample configuration assumes that  the external 
+interface is <b>eth0</b>.  If your configuration is different, you will have 
+to modify the sample  /etc/shorewall/interfaces file accordingly. While you 
+are there, you may wish to  review the list of options that are specified 
+for the interface. Some hints:</p>
+   
 <ul>
     <li>        
-  <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, you can replace the 
+    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, 
-  &quot;detect&quot; in the second column with &quot;-&quot;.</li>
+you can replace the    "detect" in the second column with "-".   </p>
+   </li>
    <li>        
-  <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> or if you have a static IP 
+    <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> 
-  address, you can remove &quot;dhcp&quot; from the option list.</li>
+or if you have a static IP    address, you can remove "dhcp" from the option 
+list. </p>
+   </li>
+ 
 </ul>
+   
 <div align="left">    
-  <h2 align="left">IP Addresses</h2>
+<h2 align="left">IP Addresses</h2>
-</div>
+  </div>
+   
 <div align="left">  
-<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges for 
+<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges 
-use in private networks:</p>
+for  use in private networks:</p>
+   
 <div align="left">    
-  <pre>     10.0.0.0    - 10.255.255.255
+<pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
-     172.16.0.0  - 172.31.255.255
+  </div>
-     192.168.0.0 - 192.168.255.255</pre>
+     
-</div>
+<p align="left">These addresses are sometimes referred to as <i>non-routable</i> 
-  <p align="left">These addresses are sometimes referred to as <i>non-routable</i> 
    because the Internet backbone routers will not forward a packet whose 
-  destination address is reserved by RFC 1918. In some cases though, ISPs are 
+  destination address is reserved by RFC 1918. In some cases though, ISPs 
-  assigning these addresses then using <i>Network Address Translation </i>to 
+are    assigning these addresses then using <i>Network Address Translation 
-  rewrite packet headers when forwarding to/from the internet.</p>
+</i>to    rewrite packet headers when forwarding to/from the internet.</p>
-  <p align="left"><img border="0" src="images/BD21298_.gif" align="left" width="13" height="13">&nbsp;&nbsp;&nbsp;&nbsp; 
+     
-  Before starting Shorewall, you should look at the IP address of your external 
+<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
-  interface and if it is one of the above ranges, you should remove the 
+ width="13" height="13">
-  'norfc1918' option from the entry in /etc/shorewall/interfaces.</div>
+         Before starting Shorewall, you should look at the IP address of
+your external    interface and if it is one of the above ranges, you should
+remove the    'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
+ </div>
+   
 <div align="left">    
-  <h2 align="left">Enabling other Connections</h2>
+<h2 align="left">Enabling other Connections</h2>
-</div>
+  </div>
+   
 <div align="left">    
-  <p align="left">If you wish to enable connections from the internet to your firewall, the general format is:</div>
+<p align="left">If you wish to enable connections from the internet to your 
+firewall, the general format is:</p>
+ </div>
+   
 <div align="left">    
-  <blockquote>
+<blockquote>        
-    <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber4">
+        <tbody>
        <tr>
           <td><u><b>ACTION</b></u></td>
           <td><u><b>SOURCE</b></u></td>
@@ -208,18 +272,25 @@ use in private networks:</p>
           <td>fw</td>
           <td><i>&lt;protocol&gt;</i></td>
           <td><i>&lt;port&gt;</i></td>
-        <td>&nbsp;</td>
+          <td> </td>
-        <td>&nbsp;</td>
+          <td> </td>
         </tr>
+           
+    </tbody>   
   </table>
     </blockquote>
-</div>
+  </div>
+   
 <div align="left">    
-  <p align="left">Example - You want to run a Web Server and a POP3 Server on your firewall 
+<p align="left">Example - You want to run a Web Server and a POP3 Server on
-  system:</div>
+your firewall    system:</p>
+ </div>
+   
 <div align="left">    
-  <blockquote>
+<blockquote>        
-    <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber5">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber5">
+        <tbody>
        <tr>
           <td><u><b>ACTION</b></u></td>
           <td><u><b>SOURCE</b></u></td>
@@ -235,8 +306,8 @@ use in private networks:</p>
           <td>fw</td>
           <td>tcp</td>
           <td>80</td>
-        <td>&nbsp;</td>
+          <td> </td>
-        <td>&nbsp;</td>
+          <td> </td>
         </tr>
         <tr>
           <td>ACCEPT</td>
@@ -244,22 +315,31 @@ use in private networks:</p>
           <td>fw</td>
           <td>tcp</td>
           <td>110</td>
-        <td>&nbsp;</td>
+          <td> </td>
-        <td>&nbsp;</td>
+          <td> </td>
         </tr>
+           
+    </tbody>   
   </table>
     </blockquote>
-</div>
+  </div>
+   
 <div align="left">    
-  <p align="left">If you don't know what port and protocol a particular 
+<p align="left">If you don't know what port and protocol a particular    application
-  application uses, see <a href="ports.htm">here</a>.</div>
+uses, see <a href="ports.htm">here</a>.</p>
+ </div>
+   
 <div align="left">    
-  <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from 
+<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from 
-  the internet because it uses clear text (even for login!). If you want shell 
+   the internet because it uses clear text (even for login!). If you want 
-  access to your firewall from the internet, use SSH:</div>
+shell    access to your firewall from the internet, use SSH:</p>
+ </div>
+   
 <div align="left">    
-  <blockquote>
+<blockquote>        
-    <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
+  <table border="1" cellpadding="2" style="border-collapse: collapse;"
+ id="AutoNumber4">
+        <tbody>
        <tr>
           <td><u><b>ACTION</b></u></td>
           <td><u><b>SOURCE</b></u></td>
@@ -275,46 +355,72 @@ use in private networks:</p>
           <td>fw</td>
           <td>tcp</td>
           <td>22</td>
-        <td>&nbsp;</td>
+          <td> </td>
-        <td>&nbsp;</td>
+          <td> </td>
         </tr>
+           
+    </tbody>   
   </table>
     </blockquote>
-</div>
+  </div>
-<div align="left">
-  <pre>     ACCEPT	net	fw	tcp	22</pre>
-</div>
-<div align="left">
-  <p align="left"><img border="0" src="images/BD21298_3.gif" width="13" height="13">&nbsp;&nbsp;&nbsp; At this point, edit 
-  /etc/shorewall/rules to add other connections as desired.</div>
-<div align="left">
-  <h2 align="left">Starting and Stopping Your Firewall</h2>
-</div>
-<div align="left">
-  <p align="left">The <a href="Install.htm">installation procedure </a>
-  configures your system to start Shorewall at system boot.</div>
-<div align="left">
-  <p align="left">The firewall is started using the &quot;shorewall start&quot; command 
-  and stopped using &quot;shorewall stop&quot;. When the firewall is stopped, routing is 
-  enabled on those hosts that have an entry in
-  <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A 
-  running firewall may be restarted using the &quot;shorewall restart&quot; command. If 
-  you want to totally remove any trace of Shorewall from your Netfilter 
-  configuration, use &quot;shorewall clear&quot;.</div>
-<div align="left">
-  <p align="left"><b>WARNING: </b>If you are connected to your firewall from the 
-  internet, do not issue a &quot;shorewall stop&quot; command unless you have added an 
-  entry for the IP address that you are connected from to
-  <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
-  Also, I don't recommend using &quot;shorewall restart&quot;; it is better to create an
-  <i><a href="Documentation.htm#Configs">alternate configuration</a></i> and 
-  test it using the <a href="Documentation.htm#Starting">&quot;shorewall try&quot; command</a>.</div>
-<p align="left"><font size="2">Last updated 
-7/23/2002 - <a href="support.htm">Tom
-Eastep</a></font></p>
    
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas M. Eastep</font></a></p>
+<div align="left">    
+<pre>     ACCEPT	net	fw	tcp	22</pre>
+  </div>
    
+<div align="left">    
+<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
+ height="13">
+     At this point, edit    /etc/shorewall/rules to add other connections 
+as desired.</p>
+ </div>
+   
+<div align="left">    
+<h2 align="left">Starting and Stopping Your Firewall</h2>
+  </div>
+   
+<div align="left">    
+<p align="left">          <img border="0" src="images/BD21298_2.gif"
+ width="13" height="13" alt="Arrow">
+      The <a href="Install.htm">installation procedure </a>   configures
+your system to start Shorewall at system boot but beginning with Shorewall
+version 1.3.9 startup is disabled so that your system won't try to start
+Shorewall before configuration is complete. Once you have completed configuration
+of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
+ </p>
+ 
+<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb 
+package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
+ </p>
+ </div>
+   
+<div align="left">    
+<p align="left">The firewall is started using the "shorewall start" command 
+   and stopped using "shorewall stop". When the firewall is stopped, routing 
+is    enabled on those hosts that have an entry in   <a
+ href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A 
+   running firewall may be restarted using the "shorewall restart" command. 
+If    you want to totally remove any trace of Shorewall from your Netfilter 
+   configuration, use "shorewall clear".</p>
+ </div>
+   
+<div align="left">    
+<p align="left"><b>WARNING: </b>If you are connected to your firewall from 
+the    internet, do not issue a "shorewall stop" command unless you have added
+an    entry for the IP address that you are connected from to   <a
+ href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
+  Also, I don't recommend using "shorewall restart"; it is better to create 
+an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i> 
+and    test it using the <a href="Documentation.htm#Starting">"shorewall try"
+command</a>.</p>
+ </div>
+   
+<p align="left"><font size="2">Last updated 9/26/2002 - <a
+ href="support.htm">Tom Eastep</a></font></p>
+    
+<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas 
+M. Eastep</font></a></p>
+   <br>
+ <br>
 </body>
-
 </html>

Shorewall-docs/starting_and_stopping_shorewall.htm

@@ -1,75 +1,105 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
-
 <head>
-<meta http-equiv="Content-Language" content="en-us">
+     
-<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+  <meta http-equiv="Content-Language" content="en-us">
-<meta name="ProgId" content="FrontPage.Editor.Document">
+     
-<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
-<title>Starting and Stopping Shorewall</title>
+     
+  <meta name="ProgId" content="FrontPage.Editor.Document">
+     
+  <meta http-equiv="Content-Type"
+ content="text/html; charset=windows-1252">
+  <title>Starting and Stopping Shorewall</title>
 </head>
-
+  <body>
-<body>
                                                                         
                                                                         
                                  
-                                                                                <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+<table border="0" cellpadding="0" cellspacing="0"
+ style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+ id="AutoNumber1" bgcolor="#400169" height="90">
+                                                                        
+           <tbody>
      <tr>
+                                                                        
              <td width="100%">                                          
-                                                                                    <h1 align="center"><font color="#FFFFFF">Starting/Stopping and Monitoring the Firewall</font></h1>
+                                                 
+      <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring 
+the Firewall</font></h1>
+                                                                        
              </td>
+                                                                        
            </tr>
-                                                                                </table>
+                                                                        
+            
+  </tbody> 
+</table>
                                                                         
                                                                         
                                                                         
-                                                                                <p>
+                                
-  If you have a permanent internet connection such as DSL     or Cable, I 
+<p>   If you have a permanent internet connection such as DSL     or Cable, 
-recommend that you start the firewall     automatically at boot. Once you 
+I  recommend that you start the firewall     automatically at boot. Once you
-have installed      "firewall" in your init.d directory, simply type     "chkconfig
+ have installed      "firewall" in your init.d directory, simply type   
---add firewall". This will start the     firewall in run levels 2-5 and stop
+ "chkconfig --add firewall". This will start the     firewall in run levels 
-it in run levels 1 and 6.     If you want to configure your firewall differently
+2-5 and stop it in run levels 1 and 6.     If you want to configure your firewall
-from this     default, you can use the "--level" option in     chkconfig
+differently from this     default, you can use the "--level" option in  
-(see "man chkconfig") or using your     favorite graphical run-level editor.</p>
+  chkconfig (see "man chkconfig") or using your     favorite graphical run-level
+editor.</p>
                                                                         
                                                                         
                                                                         
-                                                                                <p><strong><u>
-  <font color="#000099">
-  Important Note:</font></u> </strong></p>
                                                                         
                                                                         
                                                                         
-                                                                                <p>
-  If you use dialup, you may want to start the firewall     in your /etc/ppp/ip-up.local
- script. I recommend just placing     "shorewall restart" in that script.
                                                                   
+<p><strong><u>   <font color="#000099">   Important Notes:</font></u></strong><br>
+ </p>
+ 
+<ol>
+   <li>Shorewall startup is disabled by default. Once you have configured 
+your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled. 
+Note: Users of the .deb package must edit /etc/default/shorewall and set
+'startup=1'.<br>
+   </li>
+   <li>If you use dialup, you may want to start the firewall     in your
+/etc/ppp/ip-up.local   script. I recommend just placing     "shorewall restart"
+in that script.</li>
+ 
+</ol>
+ 
+<p>                                                                      
           </p>
                                                                         
                                                                         
                                                                         
-                                                                                <p>
+                                  
-  You can manually start and stop Shoreline Firewall using     the "shorewall"
+<p>   You can manually start and stop Shoreline Firewall using     the "shorewall"
   shell program: </p>
                                                                         
- <ul>
+    
+<ul>
      <li>shorewall start - starts the firewall</li>
      <li>shorewall stop - stops the firewall</li>
-   <li>shorewall restart - stops the firewall (if it's             running) and
+     <li>shorewall restart - stops the firewall (if it's             running) 
- then starts it again</li>
+and  then starts it again</li>
-   <li>shorewall reset - reset the packet and byte counters             in the 
+     <li>shorewall reset - reset the packet and byte counters           
-firewall</li>
+ in the  firewall</li>
-   <li>shorewall clear - remove all rules and chains             installed by
+     <li>shorewall clear - remove all rules and chains             installed 
-Shoreline  Firewall</li>
+by Shoreline  Firewall</li>
-   <li>shorewall refresh - refresh the rules involving the broadcast         addresses
+     <li>shorewall refresh - refresh the rules involving the broadcast  
- of firewall interfaces and the black and white lists.</li>
+      addresses  of firewall interfaces and the black and white lists.</li>
+   
 </ul>
                                                                         
                                                                         
                                                                         
-                                                                                <p>
-  The "shorewall" program may also be used to monitor the     firewall.</p>
                                   
- <ul>
+<p>   The "shorewall" program may also be used to monitor the     firewall.</p>
+                                                                        
+    
+<ul>
      <li>shorewall status - produce a verbose report about the firewall 
          (iptables -L -n -v)</li>
      <li>shorewall show <i>chain</i> - produce a verbose report about <i>chain 
@@ -79,105 +109,117 @@ Shoreline  Firewall</li>
      <li>shorewall show tos - produce a verbose report about the mangle table 
         (iptables -t mangle -L -n -v)</li>
      <li>shorewall show log - display the last 20 packet log entries.</li>
-   <li>shorewall show connections - displays the IP connections currently being 
+     <li>shorewall show connections - displays the IP connections currently 
-   tracked by the firewall.</li>
+being     tracked by the firewall.</li>
      <li>shorewall                                                      
                               show                                      
-                                                                                    tc 
+                                              tc     - displays information 
-   - displays information about the traffic control/shaping configuration.</li>
+about the traffic control/shaping configuration.</li>
      <li>shorewall monitor [ delay ] - Continuously display the firewall
           status, last 20 log entries and nat. When the log entry display 
           changes, an audible alarm is sounded.</li>
-   <li>shorewall hits - Produces several reports about the Shorewall packet log 
+     <li>shorewall hits - Produces several reports about the Shorewall packet 
-        messages in the current /var/log/messages file.</li>
+log          messages in the current /var/log/messages file.</li>
-   <li>shorewall version -  Displays the installed
+     <li>shorewall version -  Displays the installed     version number.</li>
-    version number.</li>
+     <li>shorewall check -  Performs a <u>cursory</u> validation     of the 
-   <li>shorewall check -  Performs a <u>cursory</u> validation 
+zones, interfaces, hosts, rules and policy files.    <font size="4"
-   of the zones, interfaces, hosts, rules and policy files.
+ color="#ff6666"><b>The "check" command does not parse and     validate the 
-   <font size="4" color="#FF6666"><b>The &quot;check&quot; command does not parse and 
+generated iptables commands so even though the "check" command     completes 
-   validate the generated iptables commands so even though the &quot;check&quot; command 
+successfully, the configuration may fail to start. See the     recommended 
-   completes successfully, the configuration may fail to start. See the 
+way to make configuration changes described below. </b></font>    </li>
-   recommended way to make configuration changes described below. </b></font>
+     <li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ]
-   </li>
+-  Restart shorewall using the     specified configuration and if an error 
-   <li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ] -  Restart shorewall using the 
+occurs or if the<i> timeout </i>    option is given and the new configuration 
-   specified configuration and if an error occurs or if the<i> timeout </i>
+has been up for that many seconds     then shorewall is restarted using the 
-   option is given and the new configuration has been up for that many seconds 
+standard configuration.</li>
-   then shorewall is restarted using the standard configuration.</li>
+     <li>shorewall deny, shorewall reject, shorewall accept and shorewall 
-   <li>shorewall deny, shorewall reject, shorewall accept and shorewall save 
+save     implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
-   implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
+     <li>shorewall logwatch (added in version 1.3.2) - Monitors the    <a
-   <li>shorewall logwatch (added in version 1.3.2) - Monitors the
+ href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall 
-   <a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall 
     messages are logged.</li>
+   
 </ul>
                                                                         
-                                                                                <p>
- The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b>&nbsp;and
- <b>shorewall try </b>commands allow you to specify which <a href="#Configs">
-  Shorewall configuration</a>
-   to use:</p>
                                             
-                                                                                <blockquote>
+<p>  The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
+  <b>shorewall try </b>commands allow you to specify which <a
+ href="#Configs">   Shorewall configuration</a>    to use:</p>
                                                                         
-                                                                                  <p>
+                                           
- shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
+<blockquote>                                                             
+                                                               
+  <p>  shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
    shorewall try <i>configuration-directory</i></p>
    </blockquote>
                                                                         
-                                                                                  <p>
+                                                 
- If a <i>configuration-directory</i> is specified, each time that Shorewall
+<p>  If a <i>configuration-directory</i> is specified, each time that Shorewall
   is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
    . If the file is present in the <i>configuration-directory</i>, that file
   will be used; otherwise, the file in /etc/shorewall will be used.</p>
                                                                         
                                                                         
                                                                         
-                                                                                  <p>
+ 
- When changing the configuration of a production firewall, I recommend the 
+<p>  When changing the configuration of a production firewall, I recommend 
- following:</p>
+the   following:</p>
                                                                         
                                                                         
                                                                         
-                                                                                  <ul>
+ 
+<ul>
+                                                                        
              <li>mkdir /etc/test</li>
+                                                                        
              <li>cd /etc/test</li>
-                                                                                    <li>&lt;copy any files that you need to change from /etc/shorewall to . and change them here&gt;</li>
+                                                                        
+             <li>&lt;copy any files that you need to change from /etc/shorewall 
+to . and change them here&gt;</li>
+                                                                        
              <li>shorewall -c . check</li>
+                                                                        
              <li>&lt;correct any errors found by check and check again&gt;</li>
+                                                                        
              <li>/sbin/shorewall try .</li>
+   
 </ul>
                                                                         
-                                                                                  <p>
+                                                 
- If the configuration starts but doesn't work, just &quot;shorewall restart&quot; to 
+<p>  If the configuration starts but doesn't work, just "shorewall restart" 
- restore the old configuration. If the new configuration fails to start, the 
+to   restore the old configuration. If the new configuration fails to start, 
- &quot;try&quot; command will automatically start the old one for you.</p>
+the   "try" command will automatically start the old one for you.</p>
                                                                         
                                                                         
                                                                         
-                                                                                  <p>
+ 
- When the new configuration works then just </p>
+<p>  When the new configuration works then just </p>
                                                                         
                                                                         
                                                                         
-                                                                                  <ul>
+ 
+<ul>
+                                                                        
              <li>cp * /etc/shorewall</li>
+                                                                        
              <li>cd</li>
+                                                                        
              <li>rm -rf /etc/test</li>
+   
 </ul>
                                                                         
                                                                         
                                                                         
-                                                                                  <p><font size="2">
+ 
-  Updated 8/8/2002 - <a href="support.htm">Tom 
+<p><font size="2">   Updated 9/26/2002 - <a href="support.htm">Tom  Eastep</a>
-Eastep</a>
     </font></p>
                                                                         
                                                                         
                              
-  <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
    © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
                                                                         
                                                                         
-                       
+                            <br>
-  </body>
+ <br>
-
+</body>
 </html>

Shorewall-docs/support.htm

@@ -29,17 +29,18 @@
   </tbody>   
 </table>
         
-<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
+<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
-is easier to post a problem than to use your own brain" </font>-- </i> <font
+easier to post a problem than to use your own brain" </font>-- </i> <font
- size="2">Weitse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
+ size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
         
-<p align="left"> <i>"Any sane computer with tell you how it works -- you
+<p align="left"> <i>"Any sane computer will tell you how it works -- you just
-just  have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
+ have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
         
 <blockquote> </blockquote>
+     
 <p><span style="font-weight: 400;"><i>"It irks me when people believe that 
-free software        comes at no cost. The cost is incredibly high."</i>
+ free software        comes at no cost. The cost is incredibly high."</i> 
-- <font size="2">       Weitse Venema</font></span></p>
+- <font size="2">       Wietse Venema</font></span></p>
        
 <h3 align="left">Before Reporting a Problem</h3>
        
@@ -47,22 +48,18 @@ free software        comes at no cost. The cost is incredibly high."</i>
        
 <ul>
       <li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
-   <li>The <a href="troubleshoot.htm">Troubleshooting</a> Information contains
+      <li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
-a    number of tips to help you solve common problems.</li>
+contains  a    number of tips to help you solve common problems.</li>
       <li>The <a href="errata.htm">   Errata</a> has links to download updated 
     components.</li>
-   <li>The Mailing List Archives are a useful source of problem solving  
+      <li>The Mailing List Archives search facility can locate posts about
- information.</li>
+      similar problems:</li>
        
 </ul>
  
-<blockquote> 
+<h4>Mailing List Archive Search</h4>
-  <p>The archives from the  mailing List are at <a
- href="http://www.shorewall.net/pipermail/shorewall-users">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
  
-  <h3>Search the  Mailing List Archives at Shorewall.net</h3>
+<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> 
-                                
-  <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> 
   <p> <font size="-1"> Match: 
   <select name="method">
   <option value="and">All </option>
@@ -90,28 +87,27 @@ a    number of tips to help you solve common problems.</li>
  Search: <input type="text" size="30" name="words" value=""> <input
  type="submit" value="Search"> </p>
  </form>
-                                </blockquote>
  
 <h3 align="left">Problem Reporting Guidelines</h3>
           
 <ul>
-   <li>When reporting a problem, give as much information as you can. Reports 
+      <li>When reporting a problem, give as much information as you can.
-that say "I tried XYZ and it didn't work" are not at all helpful.</li>
+Reports   that say "I tried XYZ and it didn't work" are not at all helpful.</li>
-   <li>Please don't describe your environment and then ask us to send you 
+      <li>Please don't describe your environment and then ask us to send
-          custom configuration files. We're here to answer your questions
+you             custom configuration files. We're here to answer your questions 
-but we           can't do your job for you.</li>
+ but we           can't do your job for you.</li>
       <li>Do you see any "Shorewall" messages in     /var/log/messages when 
-you exercise the function that is giving you problems?</li>
+ you exercise the function that is giving you problems?</li>
-   <li>Have you looked at the packet flow with a tool like tcpdump     to
+      <li>Have you looked at the packet flow with a tool like tcpdump   
-try to understand what is going on?</li>
+ to  try to understand what is going on?</li>
       <li>Have you tried using the diagnostic capabilities of the     application 
-that isn't working? For example, if "ssh" isn't able     to connect, using
+ that isn't working? For example, if "ssh" isn't able     to connect, using 
-the "-v" option gives you a lot of valuable     diagnostic information.</li>
+ the "-v" option gives you a lot of valuable     diagnostic information.</li>
       <li>Please include any of the Shorewall configuration files (especially 
-the    /etc/shorewall/hosts file if you have modified that file) that you
+ the    /etc/shorewall/hosts file if you have modified that file) that you 
-think are    relevant. If an error occurs when you try to "shorewall start",
+ think are    relevant. If an error occurs when you try to "shorewall start", 
-include a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
+ include a    trace (See the <a href="troubleshoot.htm">Troubleshooting</a> 
-section for    instructions).</li>
+ section for    instructions).</li>
       <li>The list server limits posts to 120kb so don't post GIFs of your
            network layout, etc to the Mailing List -- your post will be rejected.</li>
        
@@ -127,7 +123,7 @@ section for    instructions).</li>
  href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>; 
   there are lots of folks there who are willing to help you. Your question/problem 
   description and their responses will be placed in the mailing list archives 
-to  help people who have a similar question or problem in the future.</p>
+ to  help people who have a similar question or problem in the future.</p>
                                        
 <p>I don't look at problems sent to me directly but I try to spend some amount 
   of time each day responding to problems posted on the mailing list.</p>
@@ -138,10 +134,13 @@ to  help people who have a similar question or problem in the future.</p>
  href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
       .</p>
                                       
-<p align="left"><font size="2">Last Updated 9/14/2002 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 9/27/2002 - Tom Eastep</font></p>
         
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
  size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
      <br>
+   <br>
+  <br>
+ <br>
 </body>
 </html>

Shorewall-docs/three-interface.htm

@@ -30,8 +30,8 @@
 <h2 align="center">Version 2.0.1</h2>
        
 <p align="left">Setting up a Linux system as a firewall for a small network 
-with  DMZ is a  fairly straight-forward task if you understand the basics
+ with  DMZ is a  fairly straight-forward task if you understand the basics 
-and follow the  documentation.</p>
+ and follow the  documentation.</p>
        
 <p>This guide doesn't attempt to acquaint you with all of the features of 
   Shorewall. It rather focuses on what is required to configure Shorewall 
@@ -41,7 +41,8 @@ in one  of its more popular configurations:</p>
       <li>Linux system used as a firewall/router for a small local network.</li>
       <li>Single public IP address.</li>
       <li>DMZ connected to a separate ethernet interface.</li>
-   <li>Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up, ...</li>
+      <li>Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up,
+ ...</li>
        
 </ul>
        
@@ -49,54 +50,55 @@ in one  of its more popular configurations:</p>
        
 <p align="center"> <img border="0" src="images/dmz1.png" width="692"
  height="635">
-</p>
+   </p>
        
 <p>This guide assumes that you have the iproute/iproute2 package installed 
-(on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
+ (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
-this  package is installed by the presence of an <b>ip</b> program on your
+ this  package is installed by the presence of an <b>ip</b> program on your
-firewall  system. As root, you can use the 'which' command to check for this
+ firewall  system. As root, you can use the 'which' command to check for
-program:</p>
+this  program:</p>
        
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
+     
 <p>I recommend that you first read through the guide    to familiarize yourself 
-with what's involved then go back through it again  making your configuration
+ with what's involved then go back through it again  making your configuration 
-changes. Points at which configuration changes are  recommended are flagged
+ changes. Points at which configuration changes are  recommended are flagged 
-with <img border="0" src="images/BD21298_.gif" width="13" height="13">
+ with <img border="0" src="images/BD21298_.gif" width="13" height="13">
-</p>
+   </p>
        
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-     If you edit your configuration files on a Windows system, you must save
+        If you edit your configuration files on a Windows system, you must
-them as  Unix files if your editor supports that option or you must run them
+ save them as  Unix files if your editor supports that option or you must
-through  dos2unix before trying to use them. Similarly, if you copy a configuration
+run them through  dos2unix before trying to use them. Similarly, if you copy
-file  from your Windows hard drive to a floppy disk, you must run dos2unix
+a configuration file  from your Windows hard drive to a floppy disk, you
-against the  copy before using it with Shorewall.</p>
+must run dos2unix against the  copy before using it with Shorewall.</p>
        
 <ul>
       <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
-of    dos2unix</a></li>
+ of    dos2unix</a></li>
-   <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
+      <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux 
-of    dos2unix</a></li>
+Version  of    dos2unix</a></li>
        
 </ul>
        
 <h2 align="left">Shorewall Concepts</h2>
        
-<p>The configuration files for Shorewall are contained in the directory  /etc/shorewall
+<p>The configuration files for Shorewall are contained in the directory 
--- for simple setups, you will only need to deal with a few of  these as
+/etc/shorewall -- for simple setups, you will only need to deal with a few
-described in this guide.  After you have <a href="Install.htm">installed
+of  these as described in this guide.  After you have <a
-Shorewall</a>,  download the <a
+ href="Install.htm">installed Shorewall</a>,  download the <a
  href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface 
-sample</a>, un-tar it  (tar -zxvf three-interfaces.tgz) and and copy the
+ sample</a>, un-tar it  (tar -zxvf three-interfaces.tgz) and and copy the 
 files to /etc/shorewall  (the files will replace files with the same names 
 that were placed in  /etc/shorewall when Shorewall was installed).</p>
        
 <p>As each file is introduced, I suggest that you  look through the actual 
-file on your system -- each file contains detailed  configuration instructions
+ file on your system -- each file contains detailed  configuration instructions 
-and default entries.</p>
+ and default entries.</p>
        
 <p>Shorewall views the network where it is running as being composed of a 
-set of  <i>zones.</i> In the three-interface sample configuration, the following
+ set of  <i>zones.</i> In the three-interface sample configuration, the following 
-zone names are used:</p>
+ zone names are used:</p>
        
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
  cellspacing="0" id="AutoNumber2">
@@ -127,25 +129,26 @@ zone names are used:</p>
   the firewall itself is known as <b>fw</b>.</p>
        
 <p>Rules about what traffic to allow and what traffic to deny are expressed 
-in  terms of zones.</p>
+ in  terms of zones.</p>
        
 <ul>
-   <li>You express your default policy for connections from one zone to another
+      <li>You express your default policy for connections from one zone to
-   zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
+ another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+     </a>file.</li>
       <li>You define exceptions to those default policies in the   <a
  href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
        
 </ul>
        
 <p>For each connection request entering the firewall, the request is first 
-checked against the  /etc/shorewall/rules file. If no rule in that file matches
+ checked against the  /etc/shorewall/rules file. If no rule in that file matches
-the connection  request then the first policy in /etc/shorewall/policy that
+ the connection  request then the first policy in /etc/shorewall/policy that
-matches the    request is applied. If that policy is REJECT or DROP  the
+ matches the    request is applied. If that policy is REJECT or DROP  the
 request is first  checked against the rules in /etc/shorewall/common (the
 samples provide that  file for you).</p>
        
 <p>The /etc/shorewall/policy file included with the three-interface sample 
-has the  following policies:</p>
+ has the  following policies:</p>
        
 <blockquote>            
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
@@ -186,7 +189,7 @@ has the  following policies:</p>
        
 <blockquote>          
   <p>In the three-interface sample, the line below is included but commented 
-out. If  you want your firewall system to have full access to servers on
+ out. If  you want your firewall system to have full access to servers on 
 the internet,  uncomment that line.</p>
              
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
@@ -215,92 +218,93 @@ the internet,  uncomment that line.</p>
        
 <ol>
       <li>allow all connection requests from your local network to the internet</li>
-   <li>drop (ignore) all connection requests from the internet to your firewall
+      <li>drop (ignore) all connection requests from the internet to your 
-   or local network</li>
+firewall     or local network</li>
-   <li>optionally accept all connection requests from the firewall to the
+      <li>optionally accept all connection requests from the firewall to
-   internet (if you uncomment the additional policy)</li>
+the     internet (if you uncomment the additional policy)</li>
       <li>reject all other connection requests.</li>
        
 </ol>
        
 <p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
-    At this point, edit your /etc/shorewall/policy  file and make any changes
+       At this point, edit your /etc/shorewall/policy  file and make any
-that you  wish.</p>
+changes  that you  wish.</p>
        
 <h2 align="left">Network Interfaces</h2>
        
 <p align="center"> <img border="0" src="images/dmz1.png" width="692"
  height="635">
-</p>
+   </p>
        
 <p align="left">The firewall has three network interfaces. Where Internet 
   connectivity is through a cable or DSL "Modem", the <i>External Interface</i> 
   will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
-<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
+  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
   over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
-<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be a
+  <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
-ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem, your
+a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
-External  Interface will also be <b>ppp0</b>. If you connect using ISDN,
+your External  Interface will also be <b>ppp0</b>. If you connect using ISDN, 
-you external  interface will be <b>ippp0.</b></p>
+ you external  interface will be <b>ippp0.</b></p>
        
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
  height="13">
-    If your external interface is <b>ppp0</b>  or <b>ippp0 </b>then you will
+       If your external interface is <b>ppp0</b>  or <b>ippp0 </b>then you
-want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
+ will want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
        
 <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0, 
   eth1 or eth2) and will be connected to a hub or switch. Your local computers 
   will be connected to the same switch (note: If you have only a single local 
-system,  you can connect the firewall directly to the computer using a <i>cross-over
+ system,  you can connect the firewall directly to the computer using a <i>cross-over 
-</i> cable).</p>
+ </i> cable).</p>
        
 <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter 
-(eth0,  eth1 or eth2) and will be connected to a hub or switch. Your DMZ
+ (eth0,  eth1 or eth2) and will be connected to a hub or switch. Your DMZ 
 computers will  be connected to the same switch (note: If you have only a 
 single DMZ system,  you can connect the firewall directly to the computer 
 using a <i>cross-over </i> cable).</p>
        
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
  width="60" height="60">
-</b></u>Do not connect more than one interface  to the same hub or switch
+   </b></u>Do not connect more than one interface  to the same hub or switch 
-(even for testing). It won't work the way that you  expect it to and you
+ (even for testing). It won't work the way that you  expect it to and you 
 will end up confused and  believing that Shorewall doesn't work at all.</p>
        
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
  height="13">
-    The Shorewall three-interface sample configuration assumes that  the
+       The Shorewall three-interface sample configuration assumes that  the 
-external interface is <b>eth0, </b>the local interface is <b>eth1 </b>and
+ external interface is <b>eth0, </b>the local interface is <b>eth1 </b>and 
   the DMZ interface is <b> eth2</b>.  If your configuration is different, 
 you will have to modify the sample  /etc/shorewall/interfaces file accordingly. 
-While you are there, you may wish to  review the list of options that are
+ While you are there, you may wish to  review the list of options that are 
-specified for the interfaces. Some hints:</p>
+ specified for the interfaces. Some hints:</p>
        
 <ul>
       <li>                  
     <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, 
-you can replace the    "detect" in the second column with "-".   </p>
+ you can replace the    "detect" in the second column with "-".   </p>
      </li>
      <li>                  
     <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> 
-or if you have a static IP    address, you can remove "dhcp" from the option
+ or if you have a static IP    address, you can remove "dhcp" from the option 
-list. </p>
+ list. </p>
      </li>
+     
 </ul>
        
 <h2 align="left">IP Addresses</h2>
        
 <p align="left">Before going further, we should say a few words about Internet 
   Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single 
-<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
+ <i> Public</i> IP address. This address may be assigned via the<i> Dynamic 
-Host  Configuration Protocol</i> (DHCP) or as part of establishing your connection
+ Host  Configuration Protocol</i> (DHCP) or as part of establishing your connection
- when you dial in (standard modem) or establish your PPP connection. In rare
+  when you dial in (standard modem) or establish your PPP connection. In
- cases, your ISP may assign you a<i> static</i> IP address; that means that
+rare   cases, your ISP may assign you a<i> static</i> IP address; that means
-you  configure your firewall's external interface to use that address permanently.<i> 
+that  you  configure your firewall's external interface to use that address
-</i>Regardless of how the address is assigned, it will be shared by all of
+permanently.<i>  </i>Regardless of how the address is assigned, it will be
-your  systems when you access the Internet. You will have to assign your
+shared by all of your  systems when you access the Internet. You will have
-own addresses  for your internal network (the local and DMZ Interfaces on
+to assign your  own addresses  for your internal network (the local and DMZ
-your firewall plus your other  computers). RFC 1918 reserves several <i>Private
+Interfaces on  your firewall plus your other  computers). RFC 1918 reserves
-</i>IP address ranges for this  purpose:</p>
+several <i>Private  </i>IP address ranges for this  purpose:</p>
        
 <div align="left">      
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@@ -309,27 +313,28 @@ your firewall plus your other  computers). RFC 1918 reserves several <i>Private
 <div align="left">      
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
  height="13">
-       Before starting Shorewall, you should look at the IP address of your
+          Before starting Shorewall, you should look at the IP address of 
-external    interface and if it is one of the above ranges, you should remove
+your  external    interface and if it is one of the above ranges, you should 
-the    'norfc1918' option from the external interface's entry in    /etc/shorewall/interfaces.</p>
+remove  the    'norfc1918' option from the external interface's entry in 
-</div>
+  /etc/shorewall/interfaces.</p>
+   </div>
        
 <div align="left">      
 <p align="left">You will want to assign your local addresses from one <i>
-  sub-network </i>or <i>subnet</i> and your DMZ addresses from another subnet.
+    sub-network </i>or <i>subnet</i> and your DMZ addresses from another
-For our purposes, we can consider a subnet    to consists of a range of addresses
+subnet.  For our purposes, we can consider a subnet    to consists of a range
-x.y.z.0 - x.y.z.255. Such a subnet will    have a <i>Subnet Mask </i>of 255.255.255.0.
+of addresses  x.y.z.0 - x.y.z.255. Such a subnet will    have a <i>Subnet
-The address x.y.z.0 is reserved as    the <i>Subnet Address</i> and x.y.z.255
+Mask </i>of 255.255.255.0.  The address x.y.z.0 is reserved as    the <i>Subnet 
-is reserved as the <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall,
+Address</i> and x.y.z.255  is reserved as the <i>Subnet Broadcast</i>   <i>Address</i>. 
-a subnet is described using   <a href="subnet_masks.htm"> <i>Variable-Length
+In Shorewall,  a subnet is described using <a href="subnet_masks.htm"><i>Classless 
-   Subnet Mask </i>(VLSM)</a> notation with consists of the subnet address
+InterDomain Routing </i>(CIDR)</a> notation with consists of the subnet address 
 followed    by "/24". The "24" refers to the number of    consecutive "1" 
 bits from the left of the subnet mask. </p>
-</div>
+   </div>
        
 <div align="left">      
 <p align="left">Example sub-network:</p>
-</div>
+   </div>
        
 <div align="left">      
 <blockquote>              
@@ -349,7 +354,7 @@ bits from the left of the subnet mask. </p>
             <td>10.10.10.255</td>
           </tr>
           <tr>
-         <td><b>VLSM Notation:</b></td>
+            <td><b>CIDR Notation:</b></td>
             <td>10.10.10.0/24</td>
           </tr>
                        
@@ -360,31 +365,31 @@ bits from the left of the subnet mask. </p>
        
 <div align="left">      
 <p align="left">It is conventional to assign the internal interface either 
-the    first usable address in the subnet (10.10.10.1 in the above example)
+ the    first usable address in the subnet (10.10.10.1 in the above example) 
-or the    last usable address (10.10.10.254).</p>
+ or the    last usable address (10.10.10.254).</p>
-</div>
+   </div>
        
 <div align="left">      
 <p align="left">One of the purposes of subnetting is to allow all computers 
-in the    subnet to understand which other computers can be communicated
+ in the    subnet to understand which other computers can be communicated 
-with directly.    To communicate with systems outside of the subnetwork,
+with directly.    To communicate with systems outside of the subnetwork, systems
-systems send packets    through a<i>  gateway</i>  (router).</p>
+send packets    through a<i>  gateway</i>  (router).</p>
-</div>
+   </div>
        
 <div align="left">      
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
  height="13">
-    Your local  computers    (Local Computers 1 &amp; 2) should be configured
+       Your local  computers    (Local Computers 1 &amp; 2) should be configured 
-with their<i>    default gateway</i> set to the IP address of the firewall's
+ with their<i>    default gateway</i> set to the IP address of the firewall's 
-internal interface    and your DMZ computers ( DMZ Computers 1 &amp; 2) should
+ internal interface    and your DMZ computers ( DMZ Computers 1 &amp; 2) should
-be configured with their    default gateway set to the IP address of the
+ be configured with their    default gateway set to the IP address of the
 firewall's DMZ interface.   </p>
-</div>
+   </div>
        
 <p align="left">The foregoing short discussion barely scratches the surface 
   regarding subnetting and routing. If you are interested in learning more 
-about  IP addressing and routing, I highly recommend <i>"IP Fundamentals:
+ about  IP addressing and routing, I highly recommend <i>"IP Fundamentals: 
-What Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas
+ What Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas 
 A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
        
 <p align="left">The remainder of this quide will assume that you have configured 
@@ -392,7 +397,7 @@ A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
        
 <p align="center"> <img border="0" src="images/dmz2.png" width="721"
  height="635">
-</p>
+   </p>
        
 <p align="left">The default gateway for the DMZ computers would be 10.10.10.254 
   and the default gateway for the Local computers would be 10.10.10.254.</p>
@@ -400,23 +405,23 @@ A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
 <h2 align="left">IP Masquerading (SNAT)</h2>
        
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred 
-to as <i>non-routable</i> because the Internet backbone routers don't forward
+ to as <i>non-routable</i> because the Internet backbone routers don't forward 
-packets  which have an RFC-1918 destination address. When one of your local
+ packets  which have an RFC-1918 destination address. When one of your local 
-systems  (let's assume local computer 1) sends a connection request to an
+ systems  (let's assume local computer 1) sends a connection request to an 
-internet host, the  firewall must perform <i>Network Address Translation
+ internet host, the  firewall must perform <i>Network Address Translation 
-</i>(NAT). The firewall  rewrites the source address in the packet to be
+</i>(NAT). The firewall  rewrites the source address in the packet to be the
-the address of the firewall's  external interface; in other words, the firewall
+address of the firewall's  external interface; in other words, the firewall 
 makes it look as if the firewall  itself is initiating the connection.  This 
 is necessary so that the  destination host will be able to route return packets 
-back to the firewall  (remember that packets whose destination address is
+ back to the firewall  (remember that packets whose destination address is 
-reserved by RFC 1918 can't  be routed accross the internet). When the firewall
+ reserved by RFC 1918 can't  be routed accross the internet). When the firewall 
-receives a return packet, it  rewrites the destination address back to 10.10.10.1
+ receives a return packet, it  rewrites the destination address back to 10.10.10.1 
-and  forwards the packet on to local computer 1. </p>
+ and  forwards the packet on to local computer 1. </p>
        
-<p align="left">On Linux systems, the above process is often referred to
+<p align="left">On Linux systems, the above process is often referred to as<i>
-as<i>  IP Masquerading</i> and you will also see the term <i>Source Network
+ IP Masquerading</i> and you will also see the term <i>Source Network Address
-Address  Translation </i>(SNAT) used. Shorewall follows the convention used
+ Translation </i>(SNAT) used. Shorewall follows the convention used with
-with  Netfilter:</p>
+ Netfilter:</p>
        
 <ul>
       <li>                  
@@ -426,9 +431,10 @@ with  Netfilter:</p>
      </li>
      <li>                  
     <p align="left"><i>SNAT</i> refers to the case when you explicitly specify 
-the    source address that you want outbound packets from your local network
+ the    source address that you want outbound packets from your local network 
-to use.    </p>
+ to use.    </p>
      </li>
+     
 </ul>
        
 <p align="left">In Shorewall, both Masquerading and SNAT are configured with 
@@ -436,35 +442,35 @@ to use.    </p>
        
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
  height="13">
-    If your external firewall interface is <b>eth0</b>, your local  interface
+       If your external firewall interface is <b>eth0</b>, your local  interface 
-<b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do not  need to
+ <b>eth1 </b>and your DMZ interface is <b>eth2</b> then you do not  need to
-modify the file provided with the sample. Otherwise, edit  /etc/shorewall/masq
+ modify the file provided with the sample. Otherwise, edit  /etc/shorewall/masq 
-and change it to match your configuration.</p>
+ and change it to match your configuration.</p>
        
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
  height="13">
-    If your external IP  is static, you can enter it in the third column
+       If your external IP  is static, you can enter it in the third column 
-in the /etc/shorewall/masq entry  if you like although your firewall will
+ in the /etc/shorewall/masq entry  if you like although your firewall will 
-work fine if you leave that column  empty. Entering your static IP in column
+ work fine if you leave that column  empty. Entering your static IP in column 
-3 makes processing outgoing packets a  little more efficient. </p>
+ 3 makes processing outgoing packets a  little more efficient. </p>
        
 <h2 align="left">Port Forwarding (DNAT)</h2>
        
 <p align="left">One of your goals will be to run one or more servers on your 
-DMZ computers. Because these computers have RFC-1918 addresses, it is not
+ DMZ computers. Because these computers have RFC-1918 addresses, it is not 
   possible for clients on the internet to connect directly to them. It is 
-rather  necessary for those clients to address their connection requests
+rather  necessary for those clients to address their connection requests to
-to your firewall  who rewrites the destination address to the address of
+your firewall  who rewrites the destination address to the address of your
-your server and forwards  the packet to that server. When your server responds,
+server and forwards  the packet to that server. When your server responds, 
 the firewall automatically  performs SNAT to rewrite the source address in 
 the response.</p>
        
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
-Destination Network Address Translation</i> (DNAT). You configure port  forwarding
+  Destination Network Address Translation</i> (DNAT). You configure port
-using DNAT rules in the /etc/shorewall/rules file.</p>
+ forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
        
 <p>The general  form of a simple port forwarding rule in  /etc/shorewall/rules 
-is:</p>
+ is:</p>
        
 <blockquote>            
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
@@ -482,7 +488,8 @@ is:</p>
         <tr>
           <td>DNAT</td>
           <td>net</td>
-       <td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server port&gt;</i>]</td>
+          <td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
+port&gt;</i>]</td>
           <td><i>&lt;protocol&gt;</i></td>
           <td><i>&lt;port&gt;</i></td>
           <td> </td>
@@ -493,8 +500,8 @@ is:</p>
   </table>
     </blockquote>
        
-<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
+<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
-be the same  as <i>&lt;port&gt;</i>.</p>
+the same  as <i>&lt;port&gt;</i>.</p>
        
 <p>Example - you run a Web Server on DMZ 2 and you want to forward incoming 
   TCP port 80 to that system:</p>
@@ -538,13 +545,13 @@ be the same  as <i>&lt;port&gt;</i>.</p>
 <p>A  couple of important points  to keep in mind:</p>
        
 <ul>
-   <li>When you are connecting to your server from your local systems, you
+      <li>When you are connecting to your server from your local systems, 
-must    use the server's internal IP address (10.10.11.2).</li>
+you  must    use the server's internal IP address (10.10.11.2).</li>
-   <li>Many ISPs block incoming connection requests to port 80. If you have
+      <li>Many ISPs block incoming connection requests to port 80. If you 
-   problems connecting to your web server, try the following rule and try
+have     problems connecting to your web server, try the following rule and 
-   connecting to port 5000 (e.g., connect to <a
+try     connecting to port 5000 (e.g., connect to <a
  href="http://w.x.y.z:5000">   http://w.x.y.z:5000</a> where w.x.y.z is your 
-external IP).</li>
+ external IP).</li>
        
 </ul>
        
@@ -576,8 +583,8 @@ external IP).</li>
     </blockquote>
        
 <p>If you want to be able  to access your server from the local network using 
-your external address, then  if you have a static external IP you can replace
+ your external address, then  if you have a static external IP you can replace 
-the loc-&gt;dmz rule above with:</p>
+ the loc-&gt;dmz rule above with:</p>
        
 <blockquote>            
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
@@ -607,8 +614,8 @@ the loc-&gt;dmz rule above with:</p>
     </blockquote>
        
 <p>If you have a dynamic ip then you must ensure that your external interface 
-is  up before starting Shorewall and you must take steps as follows (assume
+ is  up before starting Shorewall and you must take steps as follows (assume 
-that  your external interface is <b>eth0</b>):</p>
+ that  your external interface is <b>eth0</b>):</p>
        
 <ol>
       <li>Include the following in /etc/shorewall/params:<br>
@@ -647,15 +654,15 @@ that  your external interface is <b>eth0</b>):</p>
     </blockquote>
        
 <p>If you want to access your server from the DMZ using your external IP 
- address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
+address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
        
 <p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
-    At this point, add the DNAT and  ACCEPT rules for your servers. </p>
+       At this point, add the DNAT and  ACCEPT rules for your servers. </p>
        
 <h2 align="left">Domain Name Server (DNS)</h2>
        
 <p align="left">Normally, when you connect to your ISP, as part of getting 
-an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver
+ an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver 
 will be  automatically configured (e.g., the /etc/resolv.conf file will be 
 written).  Alternatively, your ISP may have given you the IP address of a 
 pair of DNS <i> name servers</i> for you to manually configure as your primary 
@@ -665,26 +672,27 @@ the resolver in your  internal systems. You can take one of two approaches:</p>
 <ul>
       <li>                  
     <p align="left">You can configure your internal systems to use your ISP's 
-name    servers. If you ISP gave you the addresses of their servers or if
+ name    servers. If you ISP gave you the addresses of their servers or if 
-those    addresses are available on their web site, you can configure your
+ those    addresses are available on their web site, you can configure your 
-internal    systems to use those addresses. If that information isn't available,
+ internal    systems to use those addresses. If that information isn't available, 
-look in    /etc/resolv.conf on your firewall system -- the name servers are
+ look in    /etc/resolv.conf on your firewall system -- the name servers are
-given in    "nameserver" records in that file.   </p>
+ given in    "nameserver" records in that file.   </p>
      </li>
      <li>                  
     <p align="left"><img border="0" src="images/BD21298_2.gif"
  width="13" height="13">
-    You can configure a<i> Caching Name Server </i>on your    firewall or
+       You can configure a<i> Caching Name Server </i>on your    firewall 
-in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which also
+or  in your DMZ.<i> </i>Red Hat has an RPM for a caching name server (which 
-   requires the 'bind' RPM) and for Bering users, there is dnscache.lrp.
+also     requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. 
-If you    take this approach, you configure your internal systems to use
+If you    take this approach, you configure your internal systems to use the
-the caching    name server as their primary (and only) name server. You use
+caching    name server as their primary (and only) name server. You use the
-the internal IP    address of the firewall (10.10.10.254 in the example above)
+internal IP    address of the firewall (10.10.10.254 in the example above) 
-for the name    server address if you choose to run the name server on your
+ for the name    server address if you choose to run the name server on your 
-firewall. To allow your local systems to talk to your caching name    server,
+ firewall. To allow your local systems to talk to your caching name    server, 
-you must open port 53 (both UDP and TCP) from the local network to the  
+ you must open port 53 (both UDP and TCP) from the local network to the  
  server; you do that by adding the rules in /etc/shorewall/rules. </p>
      </li>
+     
 </ul>
        
 <blockquote>            
@@ -741,7 +749,7 @@ you must open port 53 (both UDP and TCP) from the local network to the
     </tbody>         
   </table>
     </p>
-</blockquote>
+   </blockquote>
        
 <div align="left">      
 <blockquote>              
@@ -807,7 +815,7 @@ you must open port 53 (both UDP and TCP) from the local network to the
        
 <div align="left">      
 <p align="left">The three-interface sample includes the following rules:</p>
-</div>
+   </div>
        
 <div align="left">      
 <blockquote>              
@@ -850,12 +858,12 @@ you must open port 53 (both UDP and TCP) from the local network to the
 <div align="left">      
 <p align="left">Those rules allow DNS access from your firewall and may be 
     removed if you commented out the line in /etc/shorewall/policy allowing 
-all    connections from the firewall to the internet.</p>
+ all    connections from the firewall to the internet.</p>
-</div>
+   </div>
        
 <div align="left">      
 <p align="left">The sample also includes:</p>
-</div>
+   </div>
        
 <div align="left">      
 <blockquote>              
@@ -897,14 +905,14 @@ all    connections from the firewall to the internet.</p>
        
 <div align="left">      
 <p align="left">That rule allows you to run an SSH server on your firewall 
-and    in each of your DMZ systems and    to connect to those servers from
+ and    in each of your DMZ systems and    to connect to those servers from 
-your local systems.</p>
+ your local systems.</p>
-</div>
+   </div>
        
 <div align="left">      
 <p align="left">If you wish to enable other connections between your systems, 
-the general format is:</p>
+ the general format is:</p>
-</div>
+   </div>
        
 <div align="left">      
 <blockquote>              
@@ -937,8 +945,8 @@ the general format is:</p>
        
 <div align="left">      
 <p align="left">Example - You want to run a publicly-available DNS server 
-on your firewall    system:</p>
+ on your firewall    system:</p>
-</div>
+   </div>
        
 <div align="left">      
 <blockquote>              
@@ -981,18 +989,18 @@ on your firewall    system:</p>
 <div align="left">      
 <p align="left">Those two rules would of course be in addition to the rules 
     listed above under "If you run the name server on your firewall".</p>
-</div>
+   </div>
        
 <div align="left">      
-<p align="left">If you don't know what port and protocol a particular   
+<p align="left">If you don't know what port and protocol a particular    application
-application uses, look <a href="ports.htm">here</a>.</p>
+uses, look <a href="ports.htm">here</a>.</p>
-</div>
+   </div>
        
 <div align="left">      
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from 
     the internet because it uses clear text (even for login!). If you want 
-shell    access to your firewall from the internet, use SSH:</p>
+ shell    access to your firewall from the internet, use SSH:</p>
-</div>
+   </div>
        
 <div align="left">      
 <blockquote>              
@@ -1026,55 +1034,69 @@ shell    access to your firewall from the internet, use SSH:</p>
 <div align="left">      
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
  height="13">
-    Now modify    /etc/shorewall/rules to add or remove other connections
+       Now modify    /etc/shorewall/rules to add or remove other connections 
-as required.</p>
+ as required.</p>
-</div>
+   </div>
        
 <div align="left">      
 <h2 align="left">Starting and Stopping Your Firewall</h2>
     </div>
        
 <div align="left">      
-<p align="left">The <a href="Install.htm">installation procedure </a>   configures
+<p align="left">     <img border="0" src="images/BD21298_2.gif"
-your system to start Shorewall at system boot.</p>
+ width="13" height="13" alt="Arrow">
-</div>
+     The <a href="Install.htm">installation procedure </a>   configures 
+your system to start Shorewall at system boot  but beginning with Shorewall
+version 1.3.9 startup is disabled so that your system won't try to start
+Shorewall before configuration is complete. Once you have completed configuration
+of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
+   </p>
+ 
+<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
+ color="#ff0000">Users of the .deb package must edit /etc/default/shorewall
+and set 'startup=1'.</font><br>
+  </p>
+    </div>
        
 <div align="left">      
 <p align="left">The firewall is started using the "shorewall start" command 
     and stopped using "shorewall stop". When the firewall is stopped, routing 
-is    enabled on those hosts that have an entry in   <a
+ is    enabled on those hosts that have an entry in   <a
  href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A 
     running firewall may be restarted using the "shorewall restart" command. 
-If    you want to totally remove any trace of Shorewall from your Netfilter
+ If    you want to totally remove any trace of Shorewall from your Netfilter 
     configuration, use "shorewall clear".</p>
-</div>
+   </div>
        
 <div align="left">      
 <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
  height="13">
-    The three-interface sample assumes that you want to enable    routing
+       The three-interface sample assumes that you want to enable    routing 
-to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ) when Shorewall
+ to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ) when Shorewall 
-is stopped.    If these two interfaces don't connect to your local network
+ is stopped.    If these two interfaces don't connect to your local network 
-and DMZ or if you    want to enable a different set of hosts, modify /etc/shorewall/routestopped
+ and DMZ or if you    want to enable a different set of hosts, modify /etc/shorewall/routestopped 
     accordingly.</p>
-</div>
+   </div>
        
 <div align="left">      
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from 
-the    internet, do not issue a "shorewall stop" command unless you have
+ the    internet, do not issue a "shorewall stop" command unless you have 
 added an    entry for the IP address that you are connected from to   <a
  href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
   Also, I don't recommend using "shorewall restart"; it is better to create 
-an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
+ an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i> 
-and    test it using the <a href="Documentation.htm#Starting">"shorewall
+ and    test it using the <a href="Documentation.htm#Starting">"shorewall 
 try" command</a>.</p>
-</div>
+   </div>
        
-<p align="left"><font size="2">Last updated 9/16/2002 - <a
+<p align="left"><font size="2">Last updated 9/26/2002 - <a
  href="support.htm">Tom Eastep</a></font></p>
         
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas 
-M. Eastep</font></a></p>
+ M. Eastep</font></a></p>
+     <br>
+   <br>
+  <br>
  <br>
 </body>
 </html>

Shorewall-docs/two-interface.htm

@@ -30,8 +30,8 @@
 </table>
        
 <p align="left">Setting up a Linux system as a firewall for a small network 
-is a  fairly straight-forward task if you understand the basics and follow
+ is a  fairly straight-forward task if you understand the basics and follow 
-the  documentation.</p>
+ the  documentation.</p>
        
 <p>This guide doesn't attempt to acquaint you with all of the features of 
   Shorewall. It rather focuses on what is required to configure Shorewall 
@@ -40,8 +40,8 @@ in its  most common configuration:</p>
 <ul>
       <li>Linux system used as a firewall/router for a small local network.</li>
       <li>Single public IP address.</li>
-   <li>Internet connection through cable modem, DSL, ISDN, Frame Relay, dial-up
+      <li>Internet connection through cable modem, DSL, ISDN, Frame Relay,
-   ...</li>
+ dial-up    ...</li>
        
 </ul>
        
@@ -49,53 +49,54 @@ in its  most common configuration:</p>
        
 <p align="center"> <img border="0" src="images/basics.png" width="444"
  height="635">
-</p>
+   </p>
        
 <p>This guide assumes that you have the iproute/iproute2 package installed 
-(on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
+ (on  RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
-this  package is installed by the presence of an <b>ip</b> program on your
+ this  package is installed by the presence of an <b>ip</b> program on your
-firewall  system. As root, you can use the 'which' command to check for this
+ firewall  system. As root, you can use the 'which' command to check for
-program:</p>
+this  program:</p>
        
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
+     
 <p>I recommend that you first read through the  guide to familiarize yourself 
-with what's involved then go back through it again  making your configuration
+ with what's involved then go back through it again  making your configuration 
-changes. Points at which configuration changes are  recommended are flagged
+ changes. Points at which configuration changes are  recommended are flagged 
-with <img border="0" src="images/BD21298_.gif" width="13" height="13">
+ with <img border="0" src="images/BD21298_.gif" width="13" height="13">
-.</p>
+   .</p>
        
 <p><img border="0" src="images/j0213519.gif" width="60" height="60">
-     If you edit your configuration files on a Windows system, you must save
+        If you edit your configuration files on a Windows system, you must
-them as  Unix files if your editor supports that option or you must run them
+ save them as  Unix files if your editor supports that option or you must
-through  dos2unix before trying to use them. Similarly, if you copy a configuration
+run them through  dos2unix before trying to use them. Similarly, if you copy
-file  from your Windows hard drive to a floppy disk, you must run dos2unix
+a configuration file  from your Windows hard drive to a floppy disk, you
-against the  copy before using it with Shorewall.</p>
+must run dos2unix against the  copy before using it with Shorewall.</p>
        
 <ul>
       <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version 
-of    dos2unix</a></li>
+ of    dos2unix</a></li>
-   <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
+      <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux 
-of    dos2unix</a></li>
+Version  of    dos2unix</a></li>
        
 </ul>
        
 <h2 align="left">Shorewall Concepts</h2>
        
-<p>The configuration files for Shorewall are contained in the directory  /etc/shorewall
+<p>The configuration files for Shorewall are contained in the directory 
--- for simple setups, you will only need to deal with a few of  these as
+/etc/shorewall -- for simple setups, you will only need to deal with a few
-described in this guide.  After you have <a href="Install.htm">installed
+of  these as described in this guide.  After you have <a
-Shorewall</a>,  download the <a
+ href="Install.htm">installed Shorewall</a>,  download the <a
  href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>, 
-un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
+ un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall 
   (these files will replace files with the same name).</p>
        
 <p>As each file is introduced, I suggest that you  look through the actual 
-file on your system -- each file contains detailed  configuration instructions
+ file on your system -- each file contains detailed  configuration instructions 
-and default entries.</p>
+ and default entries.</p>
        
 <p>Shorewall views the network where it is running as being composed of a 
-set of  <i>zones.</i> In the two-interface sample configuration, the following
+ set of  <i>zones.</i> In the two-interface sample configuration, the following 
-zone names are used:</p>
+ zone names are used:</p>
        
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
  cellspacing="0" id="AutoNumber2">
@@ -117,31 +118,32 @@ zone names are used:</p>
 </table>
        
 <p>Zones are defined in the <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a> 
-file.</p>
+ file.</p>
        
 <p>Shorewall also recognizes the firewall system as its own zone - by default, 
   the firewall itself is known as <b>fw.</b></p>
        
 <p>Rules about what traffic to allow and what traffic to deny are expressed 
-in  terms of zones.</p>
+ in  terms of zones.</p>
        
 <ul>
-   <li>You express your default policy for connections from one zone to another
+      <li>You express your default policy for connections from one zone to
-   zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
+ another    zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+     </a>file.</li>
       <li>You define exceptions to those default policies in the   <a
  href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
        
 </ul>
        
 <p>For each connection request entering the firewall, the request is first 
-checked against the  /etc/shorewall/rules file. If no rule in that file matches
+ checked against the  /etc/shorewall/rules file. If no rule in that file matches
-the connection  request then the first policy in /etc/shorewall/policy that
+ the connection  request then the first policy in /etc/shorewall/policy that
-matches the    request is applied. If that policy is REJECT or DROP  the
+ matches the    request is applied. If that policy is REJECT or DROP  the
 request is first  checked against the rules in /etc/shorewall/common (the
 samples provide that  file for you).</p>
        
-<p>The /etc/shorewall/policy file included with the two-interface sample
+<p>The /etc/shorewall/policy file included with the two-interface sample has
-has the  following policies:</p>
+the  following policies:</p>
        
 <blockquote>            
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
@@ -182,7 +184,7 @@ has the  following policies:</p>
        
 <blockquote>          
   <p>In the two-interface sample, the line below is included but commented 
-out. If  you want your firewall system to have full access to servers on
+ out. If  you want your firewall system to have full access to servers on 
 the internet,  uncomment that line.</p>
              
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
@@ -211,87 +213,88 @@ the internet,  uncomment that line.</p>
        
 <ol>
       <li>allow all connection requests from your local network to the internet</li>
-   <li>drop (ignore) all connection requests from the internet to your firewall
+      <li>drop (ignore) all connection requests from the internet to your 
-   or local network</li>
+firewall     or local network</li>
-   <li>optionally accept all connection requests from the firewall to the
+      <li>optionally accept all connection requests from the firewall to
-   internet (if you uncomment the additional policy)</li>
+the     internet (if you uncomment the additional policy)</li>
       <li>reject all other connection requests.</li>
        
 </ol>
        
 <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
-    At this point, edit your /etc/shorewall/policy and make any changes that
+       At this point, edit your /etc/shorewall/policy and make any changes
-you  wish.</p>
+ that you  wish.</p>
        
 <h2 align="left">Network Interfaces</h2>
        
 <p align="center"> <img border="0" src="images/basics.png" width="444"
  height="635">
-</p>
+   </p>
        
-<p align="left">The firewall has two network interfaces. Where Internet  connectivity
+<p align="left">The firewall has two network interfaces. Where Internet 
-is through a cable or DSL "Modem", the <i>External Interface</i>  will be
+connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
-the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  
+ will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
-<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
+  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol 
   over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
-<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be a
+  <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
-ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem, your
+a ppp  interface (e.g., <b>ppp0</b>). If you connect via a regular modem,
-External  Interface will also be <b>ppp0</b>. If you connect via ISDN, your
+your External  Interface will also be <b>ppp0</b>. If you connect via ISDN,
-external  interface will be <b>ippp0.</b></p>
+your external  interface will be <b>ippp0.</b></p>
        
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
  height="13">
-    If your external interface is <b>ppp0</b>  or<b> ippp0</b>  then you
+       If your external interface is <b>ppp0</b>  or<b> ippp0</b>  then you 
-will want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
+ will want to  set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
        
 <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter 
-(eth1  or eth0) and will be connected to a hub or switch. Your other computers
+ (eth1  or eth0) and will be connected to a hub or switch. Your other computers 
-will be  connected to the same hub/switch (note: If you have only a single
+ will be  connected to the same hub/switch (note: If you have only a single 
-internal system,  you can connect the firewall directly to the computer using
+ internal system,  you can connect the firewall directly to the computer using
-a <i>cross-over </i> cable).</p>
+ a <i>cross-over </i> cable).</p>
        
 <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
  width="60" height="60">
-</b></u>Do not connect the internal and external interface  to the same hub
+   </b></u>Do not connect the internal and external interface  to the same
-or switch (even for testing). It won't work the way that you think that it
+ hub or switch (even for testing). It won't work the way that you think that
-will and you will end up confused and  believing that Shorewall doesn't work
+ it will and you will end up confused and  believing that Shorewall doesn't
-at all.</p>
+ work at all.</p>
        
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
  width="13" height="13">
-    The Shorewall two-interface sample configuration assumes that  the external
+       The Shorewall two-interface sample configuration assumes that  the 
-interface is <b>eth0</b> and the internal interface is <b>eth1</b>.  If your
+external  interface is <b>eth0</b> and the internal interface is <b>eth1</b>. 
-configuration is different, you will have to modify the sample  <a
+ If your  configuration is different, you will have to modify the sample 
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file accordingly.
+<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file 
-While you are there, you may wish to  review the list of options that are
+accordingly.  While you are there, you may wish to  review the list of options 
-specified for the interfaces. Some hints:</p>
+that are  specified for the interfaces. Some hints:</p>
        
 <ul>
       <li>                  
     <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, 
-you can replace the    "detect" in the second column with "-".   </p>
+ you can replace the    "detect" in the second column with "-".   </p>
      </li>
      <li>                  
     <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> 
-or if you have a static IP    address, you can remove "dhcp" from the option
+ or if you have a static IP    address, you can remove "dhcp" from the option 
-list. </p>
+ list. </p>
      </li>
+     
 </ul>
        
 <h2 align="left">IP Addresses</h2>
        
 <p align="left">Before going further, we should say a few words about Internet 
   Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single 
-<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
+ <i> Public</i> IP address. This address may be assigned via the<i> Dynamic 
-Host  Configuration Protocol</i> (DHCP) or as part of establishing your connection
+ Host  Configuration Protocol</i> (DHCP) or as part of establishing your connection
- when you dial in (standard modem) or establish your PPP connection. In rare
+  when you dial in (standard modem) or establish your PPP connection. In
- cases, your ISP may assign you a<i> static</i> IP address; that means that
+rare   cases, your ISP may assign you a<i> static</i> IP address; that means
-you  configure your firewall's external interface to use that address permanently.<i> 
+that  you  configure your firewall's external interface to use that address
-</i>However your external address is assigned, it will be shared by all of
+permanently.<i>  </i>However your external address is assigned, it will be
-your systems when you access the  Internet. You will have to assign your
+shared by all of your systems when you access the  Internet. You will have
-own addresses in your  internal network (the Internal Interface on your firewall
+to assign your  own addresses in your  internal network (the Internal Interface
-plus your other  computers). RFC 1918 reserves several <i>Private </i>IP
+on your firewall  plus your other  computers). RFC 1918 reserves several
-address ranges for this  purpose:</p>
+<i>Private </i>IP address ranges for this  purpose:</p>
        
 <div align="left">      
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
@@ -300,27 +303,28 @@ address ranges for this  purpose:</p>
 <div align="left">      
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
  height="13">
-       Before starting Shorewall, you should look at the IP address of your
+          Before starting Shorewall, you should look at the IP address of 
-external    interface and if it is one of the above ranges, you should remove
+your  external    interface and if it is one of the above ranges, you should 
-the    'norfc1918' option from the external interface's entry in    /etc/shorewall/interfaces.</p>
+remove  the    'norfc1918' option from the external interface's entry in 
-</div>
+  /etc/shorewall/interfaces.</p>
+   </div>
        
 <div align="left">      
 <p align="left">You will want to assign your addresses from the same <i>
   sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet 
     to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet 
-will    have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is
+ will    have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is
-reserved as    the <i>Subnet Address</i> and x.y.z.255 is reserved as the
+ reserved as    the <i>Subnet Address</i> and x.y.z.255 is reserved as the
-<i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet is described
+ <i>Subnet Broadcast</i>   <i>Address</i>. In Shorewall, a subnet is described
-using   <a href="subnet_masks.htm"> <i>Variable-Length    Subnet Mask </i>(VLSM)
+ using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
-notation</a> with consists of the subnet address followed    by "/24". The
+ notation</a> with consists of the subnet address followed    by "/24". The
-"24" refers to the number of    consecutive leading "1" bits from the left
+ "24" refers to the number of    consecutive leading "1" bits from the left
-of the subnet mask. </p>
+ of the subnet mask. </p>
-</div>
+   </div>
        
 <div align="left">      
 <p align="left">Example sub-network:</p>
-</div>
+   </div>
        
 <div align="left">      
 <blockquote>              
@@ -340,7 +344,7 @@ of the subnet mask. </p>
             <td>10.10.10.255</td>
           </tr>
           <tr>
-         <td><b>VLSM Notation:</b></td>
+            <td><b>CIDR Notation:</b></td>
             <td>10.10.10.0/24</td>
           </tr>
                        
@@ -351,29 +355,29 @@ of the subnet mask. </p>
        
 <div align="left">      
 <p align="left">It is conventional to assign the internal interface either 
-the    first usable address in the subnet (10.10.10.1 in the above example)
+ the    first usable address in the subnet (10.10.10.1 in the above example) 
-or the    last usable address (10.10.10.254).</p>
+ or the    last usable address (10.10.10.254).</p>
-</div>
+   </div>
        
 <div align="left">      
 <p align="left">One of the purposes of subnetting is to allow all computers 
-in the    subnet to understand which other computers can be communicated
+ in the    subnet to understand which other computers can be communicated 
-with directly.    To communicate with systems outside of the subnetwork,
+with directly.    To communicate with systems outside of the subnetwork, systems
-systems send packets    through a<i>  gateway</i>  (router).</p>
+send packets    through a<i>  gateway</i>  (router).</p>
-</div>
+   </div>
        
 <div align="left">      
 <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
  height="13">
-    Your local computers (computer    1 and computer 2 in the above diagram)
+       Your local computers (computer    1 and computer 2 in the above diagram) 
-should be configured with their<i>    default gateway</i> to be the IP address
+ should be configured with their<i>    default gateway</i> to be the IP address 
-of the firewall's internal    interface.<i>      </i> </p>
+ of the firewall's internal    interface.<i>      </i> </p>
-</div>
+   </div>
        
 <p align="left">The foregoing short discussion barely scratches the surface 
   regarding subnetting and routing. If you are interested in learning more 
-about  IP addressing and routing, I highly recommend <i>"IP Fundamentals:
+ about  IP addressing and routing, I highly recommend <i>"IP Fundamentals: 
-What Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas
+ What Everyone  Needs to Know about Addressing &amp; Routing",</i> Thomas 
 A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
        
 <p align="left">The remainder of this quide will assume that you have configured 
@@ -381,31 +385,31 @@ A. Maufer, Prentice-Hall,  1999, ISBN 0-13-975483-0.</p>
        
 <p align="center"> <img border="0" src="images/basics1.png" width="444"
  height="635">
-</p>
+   </p>
        
 <p align="left">The default gateway for computer's 1 &amp; 2 would be 10.10.10.254.</p>
        
 <h2 align="left">IP Masquerading (SNAT)</h2>
        
 <p align="left">The addresses reserved by RFC 1918 are sometimes referred 
-to as <i>non-routable</i> because the Internet backbone routers don't forward
+ to as <i>non-routable</i> because the Internet backbone routers don't forward 
-packets  which have an RFC-1918 destination address. When one of your local
+ packets  which have an RFC-1918 destination address. When one of your local 
-systems  (let's assume computer 1) sends a connection request to an internet
+ systems  (let's assume computer 1) sends a connection request to an internet 
-host, the  firewall must perform <i>Network Address Translation </i>(NAT).
+ host, the  firewall must perform <i>Network Address Translation </i>(NAT). 
-The firewall  rewrites the source address in the packet to be the address
+ The firewall  rewrites the source address in the packet to be the address 
-of the firewall's  external interface; in other words, the firewall makes
+ of the firewall's  external interface; in other words, the firewall makes 
-it look as if the firewall  itself is initiating the connection.  This is
+ it look as if the firewall  itself is initiating the connection.  This is 
-necessary so that the  destination host will be able to route return packets
+ necessary so that the  destination host will be able to route return packets 
-back to the firewall  (remember that packets whose destination address is
+ back to the firewall  (remember that packets whose destination address is 
-reserved by RFC 1918 can't  be routed across the internet so the remote host
+ reserved by RFC 1918 can't  be routed across the internet so the remote host
-can't address its response to  computer 1). When the firewall receives a
+ can't address its response to  computer 1). When the firewall receives a
 return packet, it  rewrites the destination address  back to 10.10.10.1 and
  forwards the packet on to computer 1. </p>
        
-<p align="left">On Linux systems, the above process is often referred to
+<p align="left">On Linux systems, the above process is often referred to as<i>
-as<i>  IP Masquerading</i> but you will also see the term <i>Source Network
+ IP Masquerading</i> but you will also see the term <i>Source Network Address
-Address  Translation </i>(SNAT) used. Shorewall follows the convention used
+ Translation </i>(SNAT) used. Shorewall follows the convention used with
-with  Netfilter:</p>
+ Netfilter:</p>
        
 <ul>
       <li>                  
@@ -415,28 +419,29 @@ with  Netfilter:</p>
      </li>
      <li>                  
     <p align="left"><i>SNAT</i> refers to the case when you explicitly specify 
-the    source address that you want outbound packets from your local network
+ the    source address that you want outbound packets from your local network 
-to use.    </p>
+ to use.    </p>
      </li>
+     
 </ul>
        
 <p align="left">In Shorewall, both Masquerading and SNAT are configured with 
   entries in the /etc/shorewall/masq file. You will normally use Masquerading 
-if  your external IP is dynamic and SNAT if the IP is static.</p>
+ if  your external IP is dynamic and SNAT if the IP is static.</p>
        
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
  height="13">
-    If your external firewall interface is <b>eth0</b>, you do not  need
+       If your external firewall interface is <b>eth0</b>, you do not  need 
-to modify the file provided with the sample. Otherwise, edit  /etc/shorewall/masq
+ to modify the file provided with the sample. Otherwise, edit  /etc/shorewall/masq 
-and change the first column to the name of your external  interface and the
+ and change the first column to the name of your external  interface and the
-second column to the name of your internal interface.</p>
+ second column to the name of your internal interface.</p>
        
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
  height="13">
-    If your external IP is  static, you can enter it in the third column
+       If your external IP is  static, you can enter it in the third column 
-in the /etc/shorewall/masq entry if  you like although your firewall will
+ in the /etc/shorewall/masq entry if  you like although your firewall will 
-work fine if you leave that column empty.  Entering your static IP in column
+ work fine if you leave that column empty.  Entering your static IP in column 
-3 makes processing outgoing packets a little  more efficient. </p>
+ 3 makes processing outgoing packets a little  more efficient. </p>
        
 <h2 align="left">Port Forwarding (DNAT)</h2>
        
@@ -445,16 +450,16 @@ work fine if you leave that column empty.  Entering your static IP in column
 not  possible for clients on the internet to connect directly to them. It 
 is rather  necessary for those clients to address their connection requests 
 to the firewall  who rewrites the destination address to the address of your 
-server and forwards  the packet to that server. When your server responds,
+ server and forwards  the packet to that server. When your server responds, 
-the firewall automatically  performs SNAT to rewrite the source address in
+ the firewall automatically  performs SNAT to rewrite the source address in
-the response.</p>
+ the response.</p>
        
 <p align="left">The above process is called<i> Port Forwarding</i> or <i>
-Destination Network Address Translation</i> (DNAT). You configure port  forwarding
+  Destination Network Address Translation</i> (DNAT). You configure port
-using DNAT rules in the /etc/shorewall/rules file.</p>
+ forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
        
 <p>The general  form of a simple port forwarding rule in  /etc/shorewall/rules 
-is:</p>
+ is:</p>
        
 <blockquote>            
   <table border="1" cellpadding="2" style="border-collapse: collapse;"
@@ -472,7 +477,8 @@ is:</p>
         <tr>
           <td>DNAT</td>
           <td>net</td>
-       <td>loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server port&gt;</i>]</td>
+          <td>loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
+port&gt;</i>]</td>
           <td><i>&lt;protocol&gt;</i></td>
           <td><i>&lt;port&gt;</i></td>
           <td> </td>
@@ -516,14 +522,14 @@ is:</p>
 <p>A couple of important points  to keep in mind:</p>
        
 <ul>
-   <li>You must test the above rule from a client outside of your local network
+      <li>You must test the above rule from a client outside of your local
-   (i.e., don't test from a browser running on computers 1 or 2 or on the
+ network    (i.e., don't test from a browser running on computers 1 or 2
-   firewall). If you want to be able to access your web server using the
+or  on the    firewall). If you want to be able to access your web server
-IP    address of your external interface, see <a href="FAQ.htm#faq2">Shorewall
+using  the IP    address of your external interface, see <a
-FAQ    #2</a>.</li>
+ href="FAQ.htm#faq2">Shorewall  FAQ    #2</a>.</li>
-   <li>Many ISPs block incoming connection requests to port 80. If you have
+      <li>Many ISPs block incoming connection requests to port 80. If you 
-   problems connecting to your web server, try the following rule and try
+have     problems connecting to your web server, try the following rule and 
-   connecting to port 5000.</li>
+try     connecting to port 5000.</li>
        
 </ul>
        
@@ -555,13 +561,13 @@ FAQ    #2</a>.</li>
     </blockquote>
        
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
-    At this point, modify  /etc/shorewall/rules to add any DNAT rules that
+       At this point, modify  /etc/shorewall/rules to add any DNAT rules
-you require.</p>
+that  you require.</p>
        
 <h2 align="left">Domain Name Server (DNS)</h2>
        
 <p align="left">Normally, when you connect to your ISP, as part of getting 
-an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver
+ an IP  address your firewall's <i>Domain Name Service </i>(DNS) resolver 
 will be  automatically configured (e.g., the /etc/resolv.conf file will be 
 written).  Alternatively, your ISP may have given you the IP address of a 
 pair of DNS <i> name servers</i> for you to manually configure as your primary 
@@ -572,26 +578,27 @@ firewall, it is <u>your</u> responsibility to configure the resolver in your
 <ul>
       <li>                  
     <p align="left">You can configure your internal systems to use your ISP's 
-name    servers. If you ISP gave you the addresses of their servers or if
+ name    servers. If you ISP gave you the addresses of their servers or if 
-those    addresses are available on their web site, you can configure your
+ those    addresses are available on their web site, you can configure your 
-internal    systems to use those addresses. If that information isn't available,
+ internal    systems to use those addresses. If that information isn't available, 
-look in    /etc/resolv.conf on your firewall system -- the name servers are
+ look in    /etc/resolv.conf on your firewall system -- the name servers are
-given in    "nameserver" records in that file.   </p>
+ given in    "nameserver" records in that file.   </p>
      </li>
      <li>                  
     <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
  height="13">
-    You can configure a<i> Caching Name Server </i>on your    firewall.<i>
+       You can configure a<i> Caching Name Server </i>on your    firewall.<i> 
      </i>Red Hat has an RPM for a caching name server (the RPM also    requires 
-the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you    take
+ the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you    take 
-this approach, you configure your internal systems to use the firewall  
+ this approach, you configure your internal systems to use the firewall  
  itself as their primary (and only) name server. You use the internal IP 
   address of the firewall (10.10.10.254 in the example above) for the name 
     server address. To allow your local systems to talk to your caching name 
     server, you must open port 53 (both UDP and TCP) from the local network 
-to the    firewall; you do that by adding the following rules in /etc/shorewall/rules. 
+ to the    firewall; you do that by adding the following rules in /etc/shorewall/rules.
       </p>
      </li>
+     
 </ul>
        
 <blockquote>            
@@ -636,7 +643,7 @@ to the    firewall; you do that by adding the following rules in /etc/shorewall/
        
 <div align="left">      
 <p align="left">The two-interface sample includes the following rules:</p>
-</div>
+   </div>
        
 <div align="left">      
 <blockquote>              
@@ -679,12 +686,12 @@ to the    firewall; you do that by adding the following rules in /etc/shorewall/
 <div align="left">      
 <p align="left">Those rules allow DNS access from your firewall and may be 
     removed if you commented out the line in /etc/shorewall/policy allowing 
-all    connections from the firewall to the internet.</p>
+ all    connections from the firewall to the internet.</p>
-</div>
+   </div>
        
 <div align="left">      
 <p align="left">The sample also includes:</p>
-</div>
+   </div>
        
 <div align="left">      
 <blockquote>              
@@ -717,13 +724,13 @@ all    connections from the firewall to the internet.</p>
        
 <div align="left">      
 <p align="left">That rule allows you to run an SSH server on your firewall 
-and    connect to that server from your local systems.</p>
+ and    connect to that server from your local systems.</p>
-</div>
+   </div>
        
 <div align="left">      
 <p align="left">If you wish to enable other connections between your firewall 
     and other systems, the general format is:</p>
-</div>
+   </div>
        
 <div align="left">      
 <blockquote>              
@@ -757,7 +764,7 @@ and    connect to that server from your local systems.</p>
 <div align="left">      
 <p align="left">Example - You want to run a Web Server on your firewall 
   system:</p>
-</div>
+   </div>
        
 <div align="left">      
 <blockquote>              
@@ -800,18 +807,18 @@ and    connect to that server from your local systems.</p>
 <div align="left">      
 <p align="left">Those two rules would of course be in addition to the rules 
     listed above under "You can configure a Caching Name Server on your firewall"</p>
-</div>
+   </div>
        
 <div align="left">      
-<p align="left">If you don't know what port and protocol a particular   
+<p align="left">If you don't know what port and protocol a particular    application
-application uses, look <a href="ports.htm">here</a>.</p>
+uses, look <a href="ports.htm">here</a>.</p>
-</div>
+   </div>
        
 <div align="left">      
 <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from 
     the internet because it uses clear text (even for login!). If you want 
-shell    access to your firewall from the internet, use SSH:</p>
+ shell    access to your firewall from the internet, use SSH:</p>
-</div>
+   </div>
        
 <div align="left">      
 <blockquote>              
@@ -845,54 +852,68 @@ shell    access to your firewall from the internet, use SSH:</p>
 <div align="left">      
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
  height="13">
-    Now edit your    /etc/shorewall/rules file to add or delete other connections
+       Now edit your    /etc/shorewall/rules file to add or delete other
-as required.</p>
+connections  as required.</p>
-</div>
+   </div>
        
 <div align="left">      
 <h2 align="left">Starting and Stopping Your Firewall</h2>
     </div>
        
 <div align="left">      
-<p align="left">The <a href="Install.htm">installation procedure </a>   configures
+<p align="left">          <img border="0" src="images/BD21298_2.gif"
-your system to start Shorewall at system boot.</p>
+ width="13" height="13" alt="Arrow">
-</div>
+      The <a href="Install.htm">installation procedure </a>   configures
+ your system to start Shorewall at system boot  but beginning with Shorewall
+version 1.3.9 startup is disabled so that your system won't try to start
+Shorewall before configuration is complete. Once you have completed configuration
+of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
+   </p>
+ 
+<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
+ color="#ff0000">Users of the .deb package must edit /etc/default/shorewall
+and set 'startup=1'.</font><br>
+  </p>
+    </div>
        
 <div align="left">      
 <p align="left">The firewall is started using the "shorewall start" command 
     and stopped using "shorewall stop". When the firewall is stopped, routing 
-is    enabled on those hosts that have an entry in   <a
+ is    enabled on those hosts that have an entry in   <a
  href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A 
     running firewall may be restarted using the "shorewall restart" command. 
-If    you want to totally remove any trace of Shorewall from your Netfilter
+ If    you want to totally remove any trace of Shorewall from your Netfilter 
     configuration, use "shorewall clear".</p>
-</div>
+   </div>
        
 <div align="left">      
 <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
  height="13">
-    The two-interface sample assumes that you want to enable    routing to/from
+       The two-interface sample assumes that you want to enable    routing
-<b>eth1 </b>(the local network) when Shorewall is stopped. If    your local
+ to/from <b>eth1 </b>(the local network) when Shorewall is stopped. If  
-network isn't connected to <b>eth1</b> or if you wish to enable    access
+ your local network isn't connected to <b>eth1</b> or if you wish to enable
-to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
+   access to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
-</div>
+   </div>
        
 <div align="left">      
 <p align="left"><b>WARNING: </b>If you are connected to your firewall from 
-the    internet, do not issue a "shorewall stop" command unless you have
+ the    internet, do not issue a "shorewall stop" command unless you have 
 added an    entry for the IP address that you are connected from to   <a
  href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. 
   Also, I don't recommend using "shorewall restart"; it is better to create 
-an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
+ an   <i><a href="Documentation.htm#Configs">alternate configuration</a></i> 
-and    test it using the <a href="Documentation.htm#Starting">"shorewall
+ and    test it using the <a href="Documentation.htm#Starting">"shorewall 
 try" command</a>.</p>
-</div>
+   </div>
        
-<p align="left"><font size="2">Last updated 9/16/2002 - <a
+<p align="left"><font size="2">Last updated 9/26/2002 - <a
  href="support.htm">Tom Eastep</a></font></p>
         
 <p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas 
-M. Eastep</font></a></p>
+ M. Eastep</font></a></p>
+     <br>
+   <br>
+  <br>
  <br>
 </body>
 </html>

Shorewall-docs/upgrade_issues.htm

@@ -2,144 +2,164 @@
 <html>
 <head>
              
-  <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+  <meta http-equiv="Content-Type"
+ content="text/html; charset=windows-1252">
   <title>Upgrade Issues</title>
                        
   <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
              
   <meta name="ProgId" content="FrontPage.Editor.Document">
                      
-       
   <meta name="Microsoft Theme" content="none">
 </head>
   <body>
- <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
+    
+<table border="0" cellpadding="0" cellspacing="0"
+ style="border-collapse: collapse;" width="100%" id="AutoNumber1"
+ bgcolor="#400169" height="90">
+     <tbody>
      <tr>
        <td width="100%">             
-     <h1 align="center"><font color="#FFFFFF">Upgrade Issues</font></h1>
+      <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
        </td>
      </tr>
- </table>
       
-                              <p>For upgrade instructions see the
+  </tbody> 
-                              <a href="Install.htm">Install/Upgrade page</a>.</p>
+</table>
                                               
-                              <h3>Version &gt;= 1.3.7</h3>
+<p>For upgrade instructions see the                               <a
+ href="Install.htm">Install/Upgrade page</a>.</p>
                                   
-                              <p>Users specifying ALLOWRELATED=No in 
+<h3>Version &gt;= 1.3.8</h3>
-                              /etc/shorewall.conf will need to include the 
-                              following rules in their /etc/shorewall/icmpdef 
-                              file (creating this file if necessary):</p>
                                   
-                              <pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
+<p>If you have a pair of firewall systems configured for            failover 
-	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
+or if you have asymmetric routing, you will need to modify               
-	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
+                your firewall setup slightly under Shorewall            
-	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
+                   versions &gt;= 1.3.8. Beginning with version 1.3.7,   
-	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
+                            you must set NEWNOTSYN=Yes in your          
- <p>Users having an /etc/shorewall/icmpdef file may remove the &quot;. 
+                     /etc/shorewall/shorewall.conf file.</p>
- /etc/shorewall/icmp.def&quot; command from that file since the icmp.def file is now 
+                                  
- empty.</p>
+<h3>Version &gt;= 1.3.7</h3>
- <h3><b><a name="Bering">Upgrading </a>Bering to 
+                                  
+<p>Users specifying ALLOWRELATED=No in                                /etc/shorewall.conf 
+will need to include the                                following rules in 
+their /etc/shorewall/icmpdef                                file (creating 
+this file if necessary):</p>
+                                  
+<pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
+    
+<p>Users having an /etc/shorewall/icmpdef file may remove the ".   /etc/shorewall/icmp.def" 
+command from that file since the icmp.def file is now   empty.</p>
+    
+<h3><b><a name="Bering">Upgrading </a>Bering to                          
      Shorewall &gt;= 1.3.3</b></h3>
                                   
-                              <p>To properly upgrade with Shorewall version 
+<p>To properly upgrade with Shorewall version                            
    1.3.3 and later:</p>
                                   
-                              <ol>
+<ol>
-                                <li>Be sure you have a backup -- you will need 
+                                  <li>Be sure you have a backup -- you will 
-                                to transcribe any Shorewall configuration 
+need                                  to transcribe any Shorewall configuration 
                                  changes that you have made to the new   
                               configuration.</li>
-                                <li>Replace the shorwall.lrp package provided on 
+                                  <li>Replace the shorwall.lrp package provided 
-                                the Bering floppy with the later one. If you did 
+on                                  the Bering floppy with the later one. 
-                                not obtain the later version from Jacques's 
+If you did                                  not obtain the later version from
-                                site, see additional instructions below.</li>
+Jacques's                                  site, see additional instructions 
+below.</li>
                                   <li>Edit the /var/lib/lrpkg/root.exclude.list 
-                                file and remove the /var/lib/shorewall entry if 
+                                 file and remove the /var/lib/shorewall entry 
-                                present. Then do not forget to backup root.lrp !</li>
+if                                  present. Then do not forget to backup 
- </ol>
+root.lrp !</li>
- <p>The .lrp that I release isn't set up for a two-interface firewall like 
+       
- Jacques's. You need to follow the <a href="two-interface.htm">instructions for 
+</ol>
- setting up a two-interface firewall</a> plus you also need to add the following 
+    
- two Bering-specific rules to /etc/shorewall/rules:</p>
+<p>The .lrp that I release isn't set up for a two-interface firewall like 
- <blockquote>
+  Jacques's. You need to follow the <a href="two-interface.htm">instructions 
-   <pre># Bering specific rules:
+for   setting up a two-interface firewall</a> plus you also need to add the 
-# allow loc to fw udp/53 for dnscache to work
+following   two Bering-specific rules to /etc/shorewall/rules:</p>
-# allow loc to fw tcp/80 for weblet to work
+    
-#
+<blockquote>       
-ACCEPT loc fw udp 53
+  <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
-ACCEPT loc fw tcp 80</pre>
    </blockquote>
                               
-          <h3 align="Left">Version &gt;= 1.3.6</h3>
+<h3 align="left">Version  1.3.6 and 1.3.7</h3>
                               
-          <p align="Left">If you have a pair of firewall systems configured for 
+<p align="left">If you have a pair of firewall systems configured for    
-          failover, you will need to modify your firewall setup slightly under 
+       failover or if you have asymmetric routing, you will need to modify 
-          Shorewall versions &gt;= 1.3.6. </p>
+           your firewall setup slightly under Shorewall versions 1.3.6 and 
+1.3.7</p>
                               
-          <ol>
+<ol>
               <li>                                 
-                
+    <p align="left">Create the file /etc/shorewall/newnotsyn and in it add 
-          <p align="Left">Create the file /etc/shorewall/newnotsyn and in it add 
            the following rule<br>
             <br>
-          <font face="Courier">run_iptables -A newnotsyn -j RETURN # So that the 
+            <font face="Courier">run_iptables -A newnotsyn -j RETURN # So 
-          connection tracking table can be rebuilt<br>
+that the            connection tracking table can be rebuilt<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
+                                                 # from non-SYN packets after 
-          # from non-SYN packets after takeover.<br>
+takeover.<br>
-&nbsp;</font></li>
+   </font>  </p>
+   </li>
    <li>                                 
-                
+    <p align="left">Create /etc/shorewall/common (if you don't already   
-          <p align="Left">Create /etc/shorewall/common (if you don't already 
         have that file) and include the following:<br>
             <br>
             <font face="Courier">run_iptables -A common -p tcp --tcp-flags 
            ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
+                                                                        
         #tracking table. <br>
-          . /etc/shorewall/common.def</font></li>
+            . /etc/shorewall/common.def</font> </p>
+   </li>
+ 
 </ol>
                               
-          <h3 align="Left">Versions &gt;= 1.3.5</h3>
+<h3 align="left">Versions &gt;= 1.3.5</h3>
                               
-          <p align="Left">Some forms of pre-1.3.0 rules file syntax are no 
+<p align="left">Some forms of pre-1.3.0 rules file syntax are no         
   longer supported. </p>
                               
-          <p align="Left">Example 1:</p>
+<p align="left">Example 1:</p>
                               
-          <div align="left">
+<div align="left">              
-            <pre>	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all</pre>
+<pre>	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all</pre>
    </div>
                               
-          <p align="Left">Must be replaced with:</p>
+<p align="left">Must be replaced with:</p>
                               
-          <div align="left">
+<div align="left">              
-            <pre>	DNAT	net	loc:192.168.1.12:22	tcp	11111</pre>
+<pre>	DNAT	net	loc:192.168.1.12:22	tcp	11111</pre>
- </div>
- <div align="left">
-   <p align="left">Example 2:</div>
- <div align="left">
-   <pre>	ACCEPT	loc	fw::3128	tcp	80	-	all</pre>
- </div>
- <div align="left">
-   <p align="left">Must be replaced with:</div>
- <div align="left">
-   <pre>	REDIRECT	loc	3128	tcp	80</pre>
    </div>
     
-          <h3 align="Left">Version &gt;= 1.3.2</h3>
+<div align="left">     
+<p align="left">Example 2:</p>
+ </div>
     
-          <p align="Left">The functions and versions files together with the 
+<div align="left">     
+<pre>	ACCEPT	loc	fw::3128	tcp	80	-	all</pre>
+   </div>
+    
+<div align="left">     
+<p align="left">Must be replaced with:</p>
+ </div>
+    
+<div align="left">     
+<pre>	REDIRECT	loc	3128	tcp	80</pre>
+   </div>
+                              
+<h3 align="left">Version &gt;= 1.3.2</h3>
+                              
+<p align="left">The functions and versions files together with the       
     'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. 
            If you have applications that access these files, those applications 
            should be modified accordingly.</p>
                      
- <p><font size="2">
+<p><font size="2">  Last updated 9/28/2002 -                             
- Last updated 9/13/2002 -
  <a href="support.htm">Tom Eastep</a></font> </p>
      
- <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
+<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
   © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-
+   <br>
+ <br>
 </body>
-                        </html>
+</html>