forked from extern/shorewall_code
More doc updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1978 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
e5f040d070
commit
1984e51b64
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2005-01-03</pubdate>
|
<pubdate>2005-03-03</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2003</year>
|
<year>2003</year>
|
||||||
@ -257,7 +257,7 @@ jbd 47860 2 [ext3]
|
|||||||
have:</title>
|
have:</title>
|
||||||
|
|
||||||
<programlisting>loadmodule ip_conntrack_ftp ports=21,49
|
<programlisting>loadmodule ip_conntrack_ftp ports=21,49
|
||||||
loadmodule ip_nat_ftp ports=21,49</programlisting>
|
loadmodule ip_nat_ftp ports=21,49 # NOTE: This is not necessary with kernel 2.6.11 and later!</programlisting>
|
||||||
|
|
||||||
<para><note>
|
<para><note>
|
||||||
<para>you MUST include port 21 in the ports list or you may have
|
<para>you MUST include port 21 in the ports list or you may have
|
||||||
@ -269,7 +269,7 @@ loadmodule ip_nat_ftp ports=21,49</programlisting>
|
|||||||
/etc/modules.conf:</para>
|
/etc/modules.conf:</para>
|
||||||
|
|
||||||
<programlisting>options ip_conntrack_ftp ports=21,49
|
<programlisting>options ip_conntrack_ftp ports=21,49
|
||||||
options ip_nat_ftp ports=21,49</programlisting>
|
options ip_nat_ftp ports=21,49 # NOTE: This is not necessary with kernel 2.6.11 and later!</programlisting>
|
||||||
|
|
||||||
<para><important>
|
<para><important>
|
||||||
<para>Once you have made these changes to /etc/shorewall/modules
|
<para>Once you have made these changes to /etc/shorewall/modules
|
||||||
|
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2005-02-19</pubdate>
|
<pubdate>2005-03-03</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2005</year>
|
<year>2005</year>
|
||||||
@ -66,11 +66,15 @@
|
|||||||
|
|
||||||
<graphic fileref="images/Netfilter.png" />
|
<graphic fileref="images/Netfilter.png" />
|
||||||
|
|
||||||
<para>The light blue boxes indicate where routing decisions are made. The
|
<para>The light blue boxes indicate where routing decisions are made. Upon
|
||||||
green boxes show where Netfilter processing takes place (as directed by
|
exit from one of these boxes, if the packet is being sent to another
|
||||||
Shorewall). You will notice that there are two different paths through
|
system then the interface and the next hop have been uniquely
|
||||||
this maze, depending on where the packet originates. We will look at each
|
determined.</para>
|
||||||
of these separately.</para>
|
|
||||||
|
<para>The green boxes show where Netfilter processing takes place (as
|
||||||
|
directed by Shorewall). You will notice that there are two different paths
|
||||||
|
through this maze, depending on where the packet originates. We will look
|
||||||
|
at each of these separately.</para>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Packets Entering the Firewall from Outside</title>
|
<title>Packets Entering the Firewall from Outside</title>
|
||||||
@ -89,6 +93,14 @@
|
|||||||
<firstterm>alternate routing table</firstterm>; see the <ulink
|
<firstterm>alternate routing table</firstterm>; see the <ulink
|
||||||
url="Shorewall_Squid_Usage.html">Shorewall Squid
|
url="Shorewall_Squid_Usage.html">Shorewall Squid
|
||||||
documentation</ulink> for examples.</para>
|
documentation</ulink> for examples.</para>
|
||||||
|
|
||||||
|
<caution>
|
||||||
|
<para>Marking packets then using the <emphasis>fwmark</emphasis>
|
||||||
|
selector in your "<emphasis role="bold">ip rule add</emphasis>"
|
||||||
|
commands should NOT be your first choice. In most cases, you can
|
||||||
|
use the <emphasis>from</emphasis> or <emphasis>dev</emphasis>
|
||||||
|
selector instead.</para>
|
||||||
|
</caution>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -165,6 +177,6 @@
|
|||||||
the Shorewall init script (<filename>/etc/init.d/shorewall</filename>) to
|
the Shorewall init script (<filename>/etc/init.d/shorewall</filename>) to
|
||||||
configure your alternate routing table at boot time and that <emphasis
|
configure your alternate routing table at boot time and that <emphasis
|
||||||
role="bold">other than as described in the previous section, there is no
|
role="bold">other than as described in the previous section, there is no
|
||||||
connection between Shorewall and routing</emphasis>. </para>
|
connection between Shorewall and routing</emphasis>.</para>
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|
@ -13,10 +13,10 @@
|
|||||||
<surname>Eastep</surname>
|
<surname>Eastep</surname>
|
||||||
</author>
|
</author>
|
||||||
|
|
||||||
<pubdate>2004-08-25</pubdate>
|
<pubdate>20045-03-03</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2005</year>
|
||||||
|
|
||||||
<holder>Thomas M. Eastep</holder>
|
<holder>Thomas M. Eastep</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
@ -326,7 +326,7 @@ ACCEPT dmz loc udp 53</programlisting>
|
|||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||||
# PORT(S)
|
# PORT(S)
|
||||||
ACCEPT <emphasis><source zone></emphasis> <emphasis><destination zone></emphasis> icmp echo-request</programlisting>
|
AllowPing <emphasis><source zone></emphasis> <emphasis><destination zone></emphasis></programlisting>
|
||||||
|
|
||||||
<para>The ramifications of this can be subtle. For example, if you
|
<para>The ramifications of this can be subtle. For example, if you
|
||||||
have the following in <filename><ulink
|
have the following in <filename><ulink
|
||||||
@ -339,16 +339,6 @@ ACCEPT <emphasis><source zone></emphasis> <emphasi
|
|||||||
between the zone containing the system you are pinging from and the
|
between the zone containing the system you are pinging from and the
|
||||||
zone containing 10.1.1.2, the ping requests will be dropped.</para>
|
zone containing 10.1.1.2, the ping requests will be dropped.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Similarly, since Shorewall gives no special treatment to
|
|
||||||
<quote>ping</quote>packets, these packets are subject to logging
|
|
||||||
specifications in policies. This allows people pinging your firewall
|
|
||||||
to create large number of messages in your log. These messages can be
|
|
||||||
eliminated by the following rule:<programlisting>#ACTION SOURCE DEST PROTO DEST
|
|
||||||
# PORT(S)
|
|
||||||
DROP net fw icmp echo-request</programlisting></para>
|
|
||||||
</listitem>
|
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user