holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

1.3.11 release changes

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@347 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-12-04 00:02:25 +00:00
parent a237911ebc
commit 1ad262c7cb
14 changed files with 3739 additions and 3589 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
STABLE/INSTALL
View File

@ -24,8 +24,12 @@ o Unpack the tarball
o cd to the shorewall-<version> directory
o If you have an earlier version of Shoreline Firewall installed,see the
upgrade instructions below
o Edit the files policy, interfaces, rules, nat, proxyarp and masq to
fit your environment.
o Edit the configuration files to fit your environment.
To do this, I strongly advise you to follow the instructions at:
http://shorewall.sf.net/shorewall_quickstart_guide.htm
o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
Debian, then type "./install.sh".
o For other distributions, determine where your distribution installs

277
STABLE/documentation/FAQ.htm
View File

@ -24,6 +24,7 @@
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
</td>
</tr>
@ -32,8 +33,8 @@
</table>
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've
looked everywhere and can't find <b>how to do it</b>.</a></p>
port</b> 7777 to my my personal PC with IP address 192.168.1.5.
I've looked everywhere and can't find <b>how to do it</b>.</a></p>
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
but it doesn't work.<br>
@ -49,9 +50,9 @@ but <b>internal clients can't</b>.</a></p>
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses
to hosts in Z. Hosts in Z cannot communicate with each other using their
external (non-RFC1918 addresses) so they <b>can't access each other using
their DNS names.</b></a></p>
to hosts in Z. Hosts in Z cannot communicate with each other using
their external (non-RFC1918 addresses) so they <b>can't access each
other using their DNS names.</b></a></p>
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN
Messenger </b>with Shorewall. What do I do?</a></p>
@ -94,13 +95,13 @@ support?</a></p>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows me to configure/monitor
it but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface,
it also blocks the <b>cable modems web server</b></a>.</p>
it but as expected if I enable <b> rfc1918 blocking</b> for my eth0
interface, it also blocks the <b>cable modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
RFC 1918 filtering on my external interface, <b>my DHCP client cannot
renew its lease</b>.</a></p>
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I
enable RFC 1918 filtering on my external interface, <b>my DHCP client
cannot renew its lease</b>.</a></p>
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
out to the net</b></a></p>
@ -111,15 +112,21 @@ support?</a></p>
<b>17</b>. <a href="#faq17">How do I find out <b>why
this is</b> getting <b>logged?</b></a><br>
<br>
<b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different IPs?</a><br>
<b>18.</b> <a href="#faq18">Is there any way to use <b>aliased ip
addresses</b> with Shorewall, and maintain separate rulesets for different
IPs?</a><br>
<br>
<b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b>
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
<br>
<b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a server.
<b>Do I have to change Shorewall to allow access to my server from the internet?</b><br>
</a>
<b>20.<a href="#faq20"> </a></b><a href="#faq20">I have just set up a
server. <b>Do I have to change Shorewall to allow access to my server from
the internet?<br>
</b><br>
</a><a href="#faq21"><b>21. </b>I see these <b>strange log entries </b>occasionally;
what are they?<br>
</a><br>
<hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
my my personal PC with IP address 192.168.1.5. I've looked everywhere
@ -237,11 +244,11 @@ port</i>&gt;]</td>
<p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
<ul>
<li>You are trying to test from inside your firewall (no,
that won't work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You are trying to test from inside your firewall
(no, that won't work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic problem with your local system
such as an incorrect default gateway configured (it should be set to
the IP address of your firewall's internal interface).</li>
such as an incorrect default gateway configured (it should be set
to the IP address of your firewall's internal interface).</li>
</ul>
@ -250,29 +257,29 @@ the IP address of your firewall's internal interface).</li>
<b>Answer: </b>To further diagnose this problem:<br>
<ul>
<li>As root, type "iptables -t nat -Z". This clears the NetFilter counters
in the nat table.</li>
<li>As root, type "iptables -t nat -Z". This clears the NetFilter
counters in the nat table.</li>
<li>Try to connect to the redirected port from an external host.</li>
<li>As root type "shorewall show nat"</li>
<li>Locate the appropriate DNAT rule. It will be in a chain called
<i>zone</i>_dnat where <i>zone</i> is the zone that includes the server
('loc' in the above examples).</li>
<li>Is the packet count in the first column non-zero? If so, the connection
request is reaching the firewall and is being redirected to the server.
In this case, the problem is usually a missing or incorrect default gateway
setting on the server (the server's default gateway should be the IP address
of the firewall's interface to the server).</li>
<i>zone</i>_dnat where <i>zone</i> is the zone that includes the 
('net' in the above examples).</li>
<li>Is the packet count in the first column non-zero? If so, the
connection request is reaching the firewall and is being redirected to
the server. In this case, the problem is usually a missing or incorrect
default gateway setting on the server (the server's default gateway should
be the IP address of the firewall's interface to the server).</li>
<li>If the packet count is zero:</li>
<ul>
<li>the connection request is not reaching your server (possibly
it is being blocked by your ISP); or</li>
<li>you are trying to connect to a secondary IP address on your firewall
and your rule is only redirecting the primary IP address (You need to specify
the secondary IP address in the "ORIG. DEST." column in your DNAT rule);
or</li>
<li>your DNAT rule doesn't match the connection request in some other
way. In that case, you may have to use a packet sniffer such as tcpdump
<li>you are trying to connect to a secondary IP address on your
firewall and your rule is only redirecting the primary IP address (You
need to specify the secondary IP address in the "ORIG. DEST." column in
your DNAT rule); or</li>
<li>your DNAT rule doesn't match the connection request in some
other way. In that case, you may have to use a packet sniffer such as tcpdump
or ethereal to further diagnose the problem.<br>
</li>
@ -287,25 +294,25 @@ or ethereal to further diagnose the problem.<br>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
<ul>
<li>Having an internet-accessible server in your local network
is like raising foxes in the corner of your hen house. If the server
is compromised, there's nothing between that server and your other
internal systems. For the cost of another NIC and a cross-over cable,
you can put your server in a DMZ such that it is isolated from your
local systems - assuming that the Server can be located near the Firewall,
of course :-)</li>
<li>The accessibility problem is best solved using <a
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a> (or using
a separate DNS server for local clients) such that www.mydomain.com resolves
to 130.141.100.69 externally and 192.168.1.5 internally. That's what
I do here at shorewall.net for my local systems that use static NAT.</li>
<li>Having an internet-accessible server in your local
network is like raising foxes in the corner of your hen house.
If the server is compromised, there's nothing between that server
and your other internal systems. For the cost of another NIC and
a cross-over cable, you can put your server in a DMZ such that
it is isolated from your local systems - assuming that the Server
can be located near the Firewall, of course :-)</li>
<li>The accessibility problem is best solved using
<a href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
(or using a separate DNS server for local clients) such that www.mydomain.com
resolves to 130.141.100.69 externally and 192.168.1.5 internally. That's
what I do here at shorewall.net for my local systems that use static NAT.</li>
</ul>
<p align="left">If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your external interface
is eth0 and your internal interface is eth1 and that eth1 has IP address
192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
is eth0 and your internal interface is eth1 and that eth1 has IP
address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
<p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
for eth1 (No longer required as of Shorewall version 1.3.9).</p>
@ -394,24 +401,24 @@ I do here at shorewall.net for my local systems that use static NAT.</li>
<div align="left">
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE
client to automatically restart Shorewall each time that you get a
new IP address.</p>
client to automatically restart Shorewall each time that you get
a new IP address.</p>
</div>
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
subnet and I use static NAT to assign non-RFC1918 addresses to hosts
in Z. Hosts in Z cannot communicate with each other using their external
(non-RFC1918 addresses) so they can't access each other using their DNS
names.</h4>
(non-RFC1918 addresses) so they can't access each other using their
DNS names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both external and internal clients
to access a NATed host using the host's DNS name.</p>
using Bind Version 9 "views". It allows both external and internal
clients to access a NATed host using the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918
addresses and can be accessed externally and internally using the same
address. </p>
addresses and can be accessed externally and internally using the
same address. </p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
traffic through your firewall then:</p>
@ -513,32 +520,32 @@ traffic through your firewall then:</p>
</p>
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
to check my firewall and it shows some ports as 'closed' rather than
'blocked'. Why?</h4>
to check my firewall and it shows some ports as 'closed' rather
than 'blocked'. Why?</h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
always rejects connection requests on TCP port 113 rather than dropping
them. This is necessary to prevent outgoing connection problems to
services that use the 'Auth' mechanism for identifying requesting
users. Shorewall also rejects TCP ports 135, 137 and 139 as well as
UDP ports 137-139. These are ports that are used by Windows (Windows
<u>can</u> be configured to use the DCE cell locator on port 135). Rejecting
these connection requests rather than dropping them cuts down slightly
on the amount of Windows chatter on LAN segments connected to the Firewall.
</p>
always rejects connection requests on TCP port 113 rather than
dropping them. This is necessary to prevent outgoing connection
problems to services that use the 'Auth' mechanism for identifying
requesting users. Shorewall also rejects TCP ports 135, 137 and 139
as well as UDP ports 137-139. These are ports that are used by Windows
(Windows <u>can</u> be configured to use the DCE cell locator on port
135). Rejecting these connection requests rather than dropping them
cuts down slightly on the amount of Windows chatter on LAN segments connected
to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably
your ISP preventing you from running a web server in violation of
your Service Agreement.</p>
your ISP preventing you from running a web server in violation
of your Service Agreement.</p>
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
firewall and it showed 100s of ports as open!!!!</h4>
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
section about UDP scans. If nmap gets <b>nothing</b> back from your
firewall then it reports the port as open. If you want to see which
UDP ports are really open, temporarily change your net-&gt;all policy
to REJECT, restart Shorewall and do the nmap UDP scan again.</p>
section about UDP scans. If nmap gets <b>nothing</b> back from
your firewall then it reports the port as open. If you want to see
which UDP ports are really open, temporarily change your net-&gt;all
policy to REJECT, restart Shorewall and do the nmap UDP scan again.</p>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
can't ping through the firewall</h4>
@ -564,8 +571,8 @@ on the amount of Windows chatter on LAN segments connected to the Firewall.
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure to restart syslogd (on
a RedHat system, "service syslog restart"). </p>
When you have changed /etc/syslog.conf, be sure to restart syslogd
(on a RedHat system, "service syslog restart"). </p>
<p align="left">By default, older versions of Shorewall ratelimited log messages
through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf
@ -585,7 +592,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
<p align="left"><a
href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
<a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
<a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
<a
href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
href="http://www.logwatch.org"><br>
http://www.logwatch.org</a><br>
</p>
@ -617,8 +625,8 @@ logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
<div align="left">
<p align="left">Also, be sure to check the <a href="errata.htm">errata</a>
for problems concerning the version of iptables (v1.2.3) shipped with
RH7.2.</p>
for problems concerning the version of iptables (v1.2.3) shipped
with RH7.2.</p>
</div>
<h4 align="left"> </h4>
@ -714,10 +722,10 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
</p>
<p align="left">Note: If you add a second IP address to your external firewall
interface to correspond to the modem address, you must also make an entry
in /etc/shorewall/rfc1918 for that address. For example, if you configure
the address 192.168.100.2 on your firewall, then you would add two entries
to /etc/shorewall/rfc1918: <br>
interface to correspond to the modem address, you must also make an
entry in /etc/shorewall/rfc1918 for that address. For example, if you
configure the address 192.168.100.2 on your firewall, then you would
add two entries to /etc/shorewall/rfc1918: <br>
</p>
<blockquote>
@ -742,6 +750,7 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
</td>
</tr>
</tbody>
</table>
</blockquote>
@ -781,8 +790,8 @@ aside, the most common causes of this problem are:</p>
<li>
<p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall and hasn't enabled UDP
and TCP port 53 from the firewall to the internet.</p>
user is running a DNS server on the firewall and hasn't enabled
UDP and TCP port 53 from the firewall to the internet.</p>
</li>
</ol>
@ -797,12 +806,12 @@ aside, the most common causes of this problem are:</p>
</p>
<h4><a name="faq17"></a>17. How do I find out why this is getting logged?</h4>
<b>Answer: </b>Logging occurs out of a number of chains (as indicated
in the log message) in Shorewall:<br>
<b>Answer: </b>Logging occurs out of a number of chains (as
indicated in the log message) in Shorewall:<br>
<ol>
<li><b>man1918 - </b>The destination address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a
<li><b>man1918 - </b>The destination address is listed in
/etc/shorewall/rfc1918 with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>rfc1918</b> - The source address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a
@ -818,34 +827,40 @@ aside, the most common causes of this problem are:</p>
<b>&lt;zone2&gt;</b> that specifies a log level and this packet is being
logged under that policy or this packet matches a <a
href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
<li><b>&lt;interface&gt;_mac</b> - The packet is being logged under the
<b>maclist</b> <a href="Documentation.htm#Interfaces">interface option</a>.<br>
<li><b>&lt;interface&gt;_mac</b> - The packet is being logged under
the <b>maclist</b> <a href="Documentation.htm#Interfaces">interface
option</a>.<br>
</li>
<li><b>logpkt</b> - The packet is being logged under the <b>logunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>- The packet is being logged under the <b>dropunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a> as specified
in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b>blacklst</b> - The packet is being logged because the source
IP is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
</a>file.</li>
<li><b>newnotsyn </b>- The packet is being logged because it is
a TCP packet that is not part of any current connection yet it is not
a syn packet. Options affecting the logging of such packets include <b>NEWNOTSYN
</b>and <b>LOGNEWNOTSYN </b>in <a
in the <b>LOGUNCLEAN </b>setting in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b>blacklst</b> - The packet is being logged because the
source IP is blacklisted in the<a
href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist </a>file.</li>
<li><b>newnotsyn </b>- The packet is being logged because
it is a TCP packet that is not part of any current connection yet it
is not a syn packet. Options affecting the logging of such packets include
<b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source IP
address that isn't in any of your defined zones ("shorewall check" and
look at the printed zone definitions) or the chain is FORWARD and the destination
IP isn't in any of your defined zones.</li>
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has a source
IP address that isn't in any of your defined zones ("shorewall check"
and look at the printed zone definitions) or the chain is FORWARD and
the destination IP isn't in any of your defined zones.</li>
<li><b>logflags </b>- The packet is being logged because it failed the
checks implemented by the <b>tcpflags </b><a
href="Documentation.htm#Interfaces">interface option</a>.<br>
</li>
</ol>
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different IPs?</h4>
<b>Answer: </b>Yes. You simply use the IP address in your rules (or
if you use NAT, use the local IP address in your rules). <b>Note:</b> The
":n" notation (e.g., eth0:0) is deprecated and will disappear eventually.
<b>Answer: </b>Yes. You simply use the IP address in your rules
(or if you use NAT, use the local IP address in your rules). <b>Note:</b>
The ":n" notation (e.g., eth0:0) is deprecated and will disappear eventually.
Neither iproute (ip and tc) nor iptables supports that notation so neither
does Shorewall. <br>
<br>
@ -873,24 +888,56 @@ does Shorewall. <br>
but they don't seem to do anything. Why?</h4>
You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
so the contents of the tcrules file are simply being ignored.<br>
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
to change Shorewall to allow access to my server from the internet?</b><br>
</h4>
Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart guide</a>
that you used during your initial setup for information about how to set
up rules for your server.<br>
Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart
guide</a> that you used during your initial setup for information about
how to set up rules for your server.<br>
<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
what are they?<br>
</h4>
<blockquote>
<pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br> SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br> [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
</blockquote>
192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal LAN<br>
<br>
<b>Answer: </b>While most people associate the Internet Control Message
Protocol (ICMP) with 'ping', ICMP is a key piece of  the internet. ICMP is
used to report problems back to the sender of a packet; this is what is happening
here. Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade),
there are a lot of broken implementations. That is what you are seeing with
these messages.<br>
<br>
Here is my interpretation of what is happening -- to confirm this analysis,
one out have to have packet sniffers placed a both ends of the connection.<br>
<br>
Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS query
to 192.0.2.3 and your DNS server tried to send a response (the response information
is in the brackets -- note source port 53 which marks this as a DNS reply).
When the response was returned to to 206.124.146.179, it rewrote the destination
IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer had
a connection on UDP port 2857. This causes a port unreachable (type 3, code
3) to be generated back to 192.0.2.3. As this packet is sent back through
206.124.146.179, that box correctly changes the source address in the packet
to 206.124.146.179 but doesn't reset the DST IP in the original DNS response
similarly. When the ICMP reaches your firewall (192.0.2.3), your firewall
has no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't
appear to be related to anything that was sent. The final result is that the
packet gets logged and dropped in the all2all chain. I have also seen cases
where the source IP in the ICMP itself isn't set back to the external IP
of the remote NAT gateway; that causes your firewall to log and drop the packet
out of the rfc1918 chain because the source IP is reserved by RFC 1918.<br>
<br>
<div align="left"> </div>
<font size="2">Last updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
<font size="2">Last updated 11/25/2002 - <a href="support.htm">Tom
Eastep</a></font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

438
STABLE/documentation/News.htm
View File

@ -28,13 +28,18 @@
</tbody>
</table>
<p><b>12/3/2002 - Shorewall 1.3.11a</b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT with
excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who don't
need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b></p>
<p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been added to entries in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This
option causes Shorewall to make a set of sanity check on TCP packet header
flags.</li>
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This option
causes Shorewall to make a set of sanity check on TCP packet header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or DEST column in a <a
href="Documentation.htm#Rules">rule</a>. When used, 'all' must appear by
itself (in may not be qualified) and it does not enable intra-zone traffic.
@ -43,11 +48,13 @@ For example, the rule <br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible with bash clones
such as ash and dash.</li>
<li>Shorewall's use of the 'echo' command is now compatible with bash
clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules generate
a warning and are ignored</li>
</ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation.
@ -88,9 +95,9 @@ be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> file.</li>
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall. The
script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as for
Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code</li>
to do the real work. This change makes custom distributions such as for Debian
and for Gentoo easier to manage since it is /etc/init.d/shorewall that
tends to have distribution-dependent code</li>
</ul>
@ -108,9 +115,9 @@ of <a href="http://www.gentoo.org">the Gentoo Linux distribution</a>. Thanks
<li>You may now <a href="IPSEC.htm#Dynamic">define the contents of
a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily within
<a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
scripts.</li>
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do<a href="MAC_Validation.html"> MAC verification</a>
on ethernet segments. You can specify the set of allowed MAC addresses
on the segment and you can optionally tie each MAC address to one or more
@ -121,11 +128,11 @@ IP addresses.</li>
<a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall. The
script in /etc/init.d/shorewall is very small and uses /sbin/shorewall to
do the real work. This change makes custom distributions such as for Debian
and for Gentoo easier to manage since it is /etc/init.d/shorewall that
tends to have distribution-dependent code.</li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as for
Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
You may download the Beta from:<br>
@ -166,9 +173,9 @@ tends to have distribution-dependent code.</li>
</p>
<ul>
<li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a>
are now allowed in Shorewall config files (although I recommend against
using them).</li>
<li><a href="configuration_file_basics.htm#dnsnames">DNS
Names</a> are now allowed in Shorewall config files (although I recommend
against using them).</li>
<li>The connection SOURCE may now be qualified by both interface
and IP address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is now disabled after initial installation
@ -176,8 +183,8 @@ tends to have distribution-dependent code.</li>
nasty surprises during reboot for users who install Shorewall but don't
configure it.</li>
<li>The 'functions' and 'version' files and the 'firewall' symbolic
link have been moved from /var/lib/shorewall to /usr/lib/shorewall to
appease the LFS police at Debian.<br>
link have been moved from /var/lib/shorewall to /usr/lib/shorewall
to appease the LFS police at Debian.<br>
</li>
</ul>
@ -185,8 +192,8 @@ tends to have distribution-dependent code.</li>
<p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
Restored</b><br>
</p>
<img src="images/j0233056.gif" alt="Brown Paper Bag"
width="50" height="86" align="left">
<img src="images/j0233056.gif"
alt="Brown Paper Bag" width="50" height="86" align="left">
A couple of recent configuration changes at www.shorewall.net
broke the Search facility:<br>
@ -199,6 +206,7 @@ tends to have distribution-dependent code.</li>
</ol>
</blockquote>
Hopefully these problems are now corrected.
<p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
Restored<br>
</b></p>
@ -225,8 +233,8 @@ tends to have distribution-dependent code.</li>
</p>
<ul>
<li>A <a href="Documentation.htm#Conf">NEWNOTSYN</a> option
has been added to shorewall.conf. This option determines whether
<li>A <a href="Documentation.htm#Conf">NEWNOTSYN</a>
option has been added to shorewall.conf. This option determines whether
Shorewall accepts TCP packets which are not part of an established
connection and that are not 'SYN' packets (SYN flag on and ACK flag
off).</li>
@ -245,8 +253,8 @@ the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:</li>
<ul>
<li>The /etc/shorewall/blacklist file now contains three
columns. In addition to the SUBNET/ADDRESS column, there are optional
PROTOCOL and PORT columns to block only certain applications from the
blacklisted addresses.<br>
PROTOCOL and PORT columns to block only certain applications from
the blacklisted addresses.<br>
</li>
</ul>
@ -287,7 +295,8 @@ the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:</li>
<p><b>8/25/2002 - Shorewall 1.3.7a Debian Packages Available</b></p>
<p>Lorenzo Martignoni reports that the packages for version 1.3.7a are available
at <a href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
-- Shorewall 1.3.7a released<img border="0"
@ -302,19 +311,19 @@ the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:</li>
<p>Features in this release include:</p>
<ul>
<li>The 'icmp.def' file is now empty! The rules in that
file were required in ipchains firewalls but are not required
<li>The 'icmp.def' file is now empty! The rules in
that file were required in ipchains firewalls but are not required
in Shorewall. Users who have ALLOWRELATED=No in <a
href="Documentation.htm#Conf">shorewall.conf</a> should see the <a
href="errata.htm#Upgrade">Upgrade Issues</a>.</li>
<li>A 'FORWARDPING' option has been added to <a
href="Documentation.htm#Conf"> shorewall.conf</a>. The effect of setting
this variable to Yes is the same as the effect of adding an ACCEPT
rule for ICMP echo-request in <a
this variable to Yes is the same as the effect of adding an
ACCEPT rule for ICMP echo-request in <a
href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>. Users
who have such a rule in icmpdef are encouraged to switch to FORWARDPING=Yes.</li>
<li>The loopback CLASS A Network (127.0.0.0/8) has been
added to the rfc1918 file.</li>
<li>The loopback CLASS A Network (127.0.0.0/8) has
been added to the rfc1918 file.</li>
<li>Shorewall now works with iptables 1.2.7</li>
<li>The documentation and web site no longer uses FrontPage
themes.</li>
@ -328,8 +337,8 @@ in Shorewall. Users who have ALLOWRELATED=No in <a
<p><b>8/13/2002 - Documentation in the <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></b></p>
<p>The Shorewall-docs project now contains just the HTML and image files -
the Frontpage files have been removed.</p>
<p>The Shorewall-docs project now contains just the HTML and image files
- the Frontpage files have been removed.</p>
<p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></b></p>
@ -338,8 +347,8 @@ the Frontpage files have been removed.</p>
so you can always update from this branch to get the latest stable
tree.</p>
<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section added
to the <a href="errata.htm">Errata Page</a></b></p>
<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section
added to the <a href="errata.htm">Errata Page</a></b></p>
<p>Now there is one place to go to look for issues involved with upgrading
to recent versions of Shorewall.</p>
@ -355,11 +364,11 @@ the Frontpage files have been removed.</p>
Guide.</a></li>
<li>Shorewall will now DROP TCP packets that are not
part of or related to an existing connection and that are not SYN
packets. These "New not SYN" packets may be optionally logged by
setting the LOGNEWNOTSYN option in <a
packets. These "New not SYN" packets may be optionally logged
by setting the LOGNEWNOTSYN option in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li>The processing of "New not SYN" packets may be extended
by commands in the new <a
<li>The processing of "New not SYN" packets may be
extended by commands in the new <a
href="shorewall_extension_scripts.htm">newnotsyn extension script</a>.</li>
</ul>
@ -406,8 +415,8 @@ guides. Feedback on the new guide is welcome.</p>
<ul>
<li>Empty and invalid source and destination qualifiers
are now detected in the rules file. It is a good idea to use
the 'shorewall check' command before you issue a 'shorewall restart'
are now detected in the rules file. It is a good idea to use the
'shorewall check' command before you issue a 'shorewall restart'
command be be sure that you don't have any configuration problems
that will prevent a successful restart.</li>
<li>Added <b>MERGE_HOSTS</b> variable in <a
@ -438,8 +447,8 @@ capabilities in this release. </li>
<ul>
<li>A new <a href="Documentation.htm#Routestopped">
/etc/shorewall/routestopped</a> file has been added. This file
is intended to eventually replace the <b>routestopped</b> option
/etc/shorewall/routestopped</a> file has been added. This file is
intended to eventually replace the <b>routestopped</b> option
in the /etc/shorewall/interface and /etc/shorewall/hosts files.
This new file makes remote firewall administration easier by allowing
any IP or subnet to be enabled while Shorewall is stopped.</li>
@ -448,8 +457,8 @@ This new file makes remote firewall administration easier by allowing
This script is invoked after Shorewall has stopped.</li>
<li>A <b>DETECT_DNAT_ADDRS </b>option has been added
to <a href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf</a>.
When this option is selected, DNAT rules only apply when the destination
address is the external interface's primary IP address.</li>
When this option is selected, DNAT rules only apply when the
destination address is the external interface's primary IP address.</li>
<li>The <a href="shorewall_quickstart_guide.htm">QuickStart
Guide</a> has been broken into three guides and has been almost
entirely rewritten.</li>
@ -479,8 +488,8 @@ now validated against the interfaces file.</li>
<li>The TARGET column in the rfc1918 file is now checked
for correctness.</li>
<li>The chain structure in the nat table has been changed
to reduce the number of rules that a packet must traverse and
to correct problems with NAT_BEFORE_RULES=No</li>
to reduce the number of rules that a packet must traverse and to
correct problems with NAT_BEFORE_RULES=No</li>
<li>The "hits" command has been enhanced.</li>
</ul>
@ -497,9 +506,9 @@ to correct problems with NAT_BEFORE_RULES=No</li>
<p><b>6/19/2002 - Documentation Available in PDF Format</b></p>
<p>Thanks to Mike Martinez, the Shorewall Documentation is now available for
<a href="download.htm">download</a> in <a href="http://www.adobe.com">Adobe</a>
PDF format.</p>
<p>Thanks to Mike Martinez, the Shorewall Documentation is now available
for <a href="download.htm">download</a> in <a
href="http://www.adobe.com">Adobe</a> PDF format.</p>
<p><b>6/16/2002 - Shorewall 1.3.2 Released</b></p>
@ -520,10 +529,10 @@ has been added.</li>
<p><b>6/6/2002 - Why CVS Web access is Password Protected</b></p>
<p>Last weekend, I installed the CVS Web package to provide brower-based access
to the Shorewall CVS repository. Since then, I have had several instances
where my server was almost unusable due to the high load generated by website
copying tools like HTTrack and WebStripper. These mindless tools:</p>
<p>Last weekend, I installed the CVS Web package to provide brower-based
access to the Shorewall CVS repository. Since then, I have had several
instances where my server was almost unusable due to the high load generated
by website copying tools like HTTrack and WebStripper. These mindless tools:</p>
<ul>
<li>Ignore robot.txt files.</li>
@ -535,8 +544,8 @@ copying tools like HTTrack and WebStripper. These mindless tools:</p>
<p>These tools/weapons are particularly damaging when combined with CVS Web
because they doggedly follow every link in the cgi-generated HTML
resulting in 1000s of executions of the cvsweb.cgi script. Yesterday,
I spend several hours implementing measures to block these tools but
unfortunately, these measures resulted in my server OOM-ing under
I spend several hours implementing measures to block these tools
but unfortunately, these measures resulted in my server OOM-ing under
even moderate load.</p>
<p>Until I have the time to understand the cause of the OOM (or until I buy
@ -560,11 +569,11 @@ even moderate load.</p>
<ul>
<li>Corrects a serious problem with "all <i>&lt;zone&gt;</i>
CONTINUE" policies. This problem is present in all versions of
Shorewall that support the CONTINUE policy. These previous versions
optimized away the "all2<i>&lt;zone&gt;</i>" chain and replaced it
with the "all2all" chain with the usual result that a policy of REJECT
was enforced rather than the intended CONTINUE policy.</li>
CONTINUE" policies. This problem is present in all versions
of Shorewall that support the CONTINUE policy. These previous
versions optimized away the "all2<i>&lt;zone&gt;</i>" chain and
replaced it with the "all2all" chain with the usual result that a
policy of REJECT was enforced rather than the intended CONTINUE policy.</li>
<li>Adds an <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</a>
file for defining the exact behavior of the<a
href="Documentation.htm#Interfaces"> 'norfc1918' interface option</a>.</li>
@ -578,8 +587,8 @@ even moderate load.</p>
<ul>
<li>A 'filterping' interface option that allows ICMP
echo-request (ping) requests addressed to the firewall to be handled
by entries in /etc/shorewall/rules and /etc/shorewall/policy.</li>
echo-request (ping) requests addressed to the firewall to be
handled by entries in /etc/shorewall/rules and /etc/shorewall/policy.</li>
</ul>
@ -602,9 +611,9 @@ by entries in /etc/shorewall/rules and /etc/shorewall/policy.</li>
<ul>
<li>The structure of the firewall is changed markedly.
There is now an INPUT and a FORWARD chain for each interface; this
reduces the number of rules that a packet must traverse, especially
in complicated setups.</li>
There is now an INPUT and a FORWARD chain for each interface;
this reduces the number of rules that a packet must traverse,
especially in complicated setups.</li>
<li><a href="Documentation.htm#Exclude">Sub-zones may
now be excluded from DNAT and REDIRECT rules.</a></li>
<li>The names of the columns in a number of the configuration
@ -624,12 +633,13 @@ by entries in /etc/shorewall/rules and /etc/shorewall/policy.</li>
<li>Simplified rule syntax which makes the intent of
each rule clearer and hopefully makes Shorewall easier to learn.</li>
<li>Upward compatibility with 1.2 configuration files
has been maintained so that current users can migrate to the
new syntax at their convenience.</li>
has been maintained so that current users can migrate to the new
syntax at their convenience.</li>
<li><b><font color="#cc6666">WARNING:  Compatibility
with the old parameterized sample configurations has NOT been maintained.
Users still running those configurations should migrate to the
new sample configurations before upgrading to 1.3 Beta 1.</font></b></li>
with the old parameterized sample configurations has NOT been
maintained. Users still running those configurations should migrate
to the new sample configurations before upgrading to 1.3 Beta
1.</font></b></li>
</ul>
@ -644,19 +654,19 @@ with the old parameterized sample configurations has NOT been maintain
</a>is added.</li>
<li>IP addresses added under <a
href="Documentation.htm#Conf">ADD_IP_ALIASES and ADD_SNAT_ALIASES</a>
now inherit the VLSM and Broadcast Address of the interface's primary
IP address.</li>
now inherit the VLSM and Broadcast Address of the interface's
primary IP address.</li>
<li>The order in which port forwarding DNAT and Static
DNAT <a href="Documentation.htm#Conf">can now be reversed</a> so
that port forwarding rules can override the contents of <a
DNAT <a href="Documentation.htm#Conf">can now be reversed</a>
so that port forwarding rules can override the contents of <a
href="Documentation.htm#NAT"> /etc/shorewall/nat</a>. </li>
</ul>
<p><b>4/30/2002 - Shorewall Debian News</b></p>
<p>Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
<p>Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</p>
@ -665,7 +675,8 @@ Unstable Branch</a>.</p>
<ul>
<li>The 'try' command works again</li>
<li>There is now a single RPM that also works with SuSE.</li>
<li>There is now a single RPM that also works with
SuSE.</li>
</ul>
@ -675,8 +686,8 @@ Unstable Branch</a>.</p>
<ul>
<li>Shorewall 1.2.10 is in the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian Testing
Branch</a></li>
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a></li>
<li>Shorewall 1.2.11 is in the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a></li>
@ -723,7 +734,8 @@ from being locked out of the firewall in the case where the new configura
<p>Thanks to <a href="mailto:s.mohr@familie-mohr.com">Stefan Mohr</a>, there
is now a mirror of the Shorewall website at <a target="_top"
href="http://germany.shorewall.net"> http://germany.shorewall.net</a>. </p>
href="http://germany.shorewall.net"> http://germany.shorewall.net</a>.
</p>
<p><b>4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available</b></p>
@ -752,16 +764,16 @@ Shorewall installations.</p>
<p><b>4/2/2002 - Updated Log Parser</b></p>
<p><a href="mailto:JML@redwoodtech.com">John Lodge</a> has provided an updated
version of his <a href="pub/shorewall/parsefw/">CGI-based log parser</a>
with corrected date handling. </p>
version of his <a href="pub/shorewall/parsefw/">CGI-based log
parser</a> with corrected date handling. </p>
<p><b>3/30/2002 - Shorewall Website Search Improvements</b></p>
<p>The quick search on the home page now excludes the mailing list archives.
The <a href="htdig/search.html">Extended Search</a> allows excluding
the archives or restricting the search to just the archives. An archive
search form is also available on the <a href="mailing_list.htm">mailing
list information page</a>.</p>
the archives or restricting the search to just the archives. An
archive search form is also available on the <a
href="mailing_list.htm">mailing list information page</a>.</p>
<p><b>3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)</b></p>
@ -791,11 +803,11 @@ Unstable Distribution</a>.</li>
start" and if that results in the firewall being stopped due to an
error, a "shorewall start" command is executed. The 'try' command
allows you to create a new <a href="Documentation.htm#Configs"> configuration</a>
and attempt to start it; if there is an error that leaves your
firewall in the stopped state, it will automatically be restarted using
and attempt to start it; if there is an error that leaves your firewall
in the stopped state, it will automatically be restarted using
the default configuration (in /etc/shorewall).</li>
<li>A new variable ADD_SNAT_ALIASES has been added to
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.
<li>A new variable ADD_SNAT_ALIASES has been added
to <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.
If this variable is set to "Yes", Shorewall will automatically
add IP addresses listed in the third column of the <a
href="Documentation.htm#Masq"> /etc/shorewall/masq</a> file.</li>
@ -809,8 +821,8 @@ firewall in the stopped state, it will automatically be restarted using
<ul>
<li>Filtering by <a href="Documentation.htm#MAC">MAC
address</a> has been added. MAC addresses may be used as the source
address in:
address</a> has been added. MAC addresses may be used as the
source address in:
<ul>
<li>Filtering rules (<a
@ -845,8 +857,8 @@ address in:
<p>Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
problems associated with the lock file used to prevent multiple state-changing
operations from occuring simultaneously. My apologies for any inconvenience
my carelessness may have caused.</p>
operations from occuring simultaneously. My apologies for any
inconvenience my carelessness may have caused.</p>
<p><b>2/22/2002 - Shorewall 1.2.7 Released</b></p>
@ -855,9 +867,10 @@ address in:
<ul>
<li>UPnP probes (UDP destination port 1900) are now
silently dropped in the <i>common</i> chain</li>
<li>RFC 1918 checking in the mangle table has been streamlined
to no longer require packet marking. RFC 1918 checking in the filter
table has been changed to require half as many rules as previously.</li>
<li>RFC 1918 checking in the mangle table has been
streamlined to no longer require packet marking. RFC 1918 checking
in the filter table has been changed to require half as many rules
as previously.</li>
<li>A 'shorewall check' command has been added that
does a cursory validation of the zones, interfaces, hosts, rules
and policy files.</li>
@ -878,9 +891,9 @@ and policy files.</li>
<li>The interfaces and hosts files now have their contents
validated before any changes are made to the existing Netfilter
configuration. The appearance of a zone name that isn't defined
in /etc/shorewall/zones causes "shorewall start" and "shorewall restart"
to abort without changing the Shorewall state. Unknown options in
either file cause a warning to be issued.</li>
in /etc/shorewall/zones causes "shorewall start" and "shorewall
restart" to abort without changing the Shorewall state. Unknown options
in either file cause a warning to be issued.</li>
<li>A problem occurring when BLACKLIST_LOGLEVEL was
not set has been corrected.</li>
@ -904,8 +917,8 @@ supported.</li>
<li>A "shorewall version" command has been added</li>
<li>The default value of the STATEDIR variable in
/etc/shorewall/shorewall.conf has been changed to /var/lib/shorewall
in order to conform to the GNU/Linux File Hierarchy Standard, Version
2.2.</li>
in order to conform to the GNU/Linux File Hierarchy Standard,
Version 2.2.</li>
</ul>
@ -942,8 +955,8 @@ and has the name "lock".</li>
<ul>
<li>Support for TCP MSS Clamp to PMTU -- This support
is usually required when the internet connection is via PPPoE or
PPTP and may be enabled using the <a
is usually required when the internet connection is via PPPoE
or PPTP and may be enabled using the <a
href="Documentation.htm#ClampMSS">CLAMPMSS</a> option in /etc/shorewall/shorewall.conf.</li>
</ul>
@ -1009,11 +1022,11 @@ to blacklist in <a href="Documentation.htm#Blacklist">/etc/shorew
<ul>
<li>TCP connection requests rejected because of a REJECT
policy are now replied with a TCP RST packet.</li>
<li>TCP connection requests rejected because of a protocol=all
rule in /etc/shorewall/rules are now replied with a TCP RST
packet.</li>
<li>TCP connection requests rejected because of a
REJECT policy are now replied with a TCP RST packet.</li>
<li>TCP connection requests rejected because of a
protocol=all rule in /etc/shorewall/rules are now replied
with a TCP RST packet.</li>
</ul>
@ -1033,8 +1046,8 @@ for Shorewall messages.</li>
<ul>
<li>Unless you have explicitly enabled Auth connections
(tcp port 113) to your firewall, these connections will be REJECTED
rather than DROPPED. This speeds up connection establishment
to some servers.</li>
rather than DROPPED. This speeds up connection establishment to
some servers.</li>
<li>Orphan DNS replies are now silently dropped.</li>
</ul>
@ -1063,8 +1076,8 @@ corrected.</li>
</ul>
<p><b>12/21/2001 - Shorewall 1.2.0 Released!</b> - <b>I couldn't resist releasing
1.2 on 12/21/2001</b></p>
<p><b>12/21/2001 - Shorewall 1.2.0 Released!</b> - <b>I couldn't resist
releasing 1.2 on 12/21/2001</b></p>
<p>Version 1.2 contains the following new features:</p>
@ -1092,8 +1105,9 @@ fixes.</p>
<p><b>12/19/2001 - Thanks to <a href="mailto:scowles@infohiiway.com">Steve
Cowles</a>, there is now a Shorewall mirror in Texas. </b>This web
site is mirrored at <a href="http://www.infohiiway.com/shorewall"
target="_top">http://www.infohiiway.com/shorewall</a> and the ftp site
is at <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall">ftp://ftp.infohiiway.com/pub/mirrors/shorewall</a>.<b> </b></p>
target="_top">http://www.infohiiway.com/shorewall</a> and the ftp site is
at <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall">ftp://ftp.infohiiway.com/pub/mirrors/shorewall</a>.<b> </b></p>
<p><b>11/30/2001 - A new set of the parameterized <a
href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.18">Sample
@ -1101,9 +1115,9 @@ Configurations</a> has been released</b>. In this version:</p>
<ul>
<li>Ping is now allowed between the zones.</li>
<li>In the three-interface configuration, it is now possible
to configure the internet services that are to be available to
servers in the DMZ. </li>
<li>In the three-interface configuration, it is now
possible to configure the internet services that are to be available
to servers in the DMZ. </li>
</ul>
@ -1115,13 +1129,14 @@ Configurations</a> has been released</b>. In this version:</p>
<li>The spelling of ADD_IP_ALIASES has been corrected
in the shorewall.conf file</li>
<li>The logic for deleting user-defined chains has been
simplified so that it avoids a bug in the LRP version of the 'cut'
utility.</li>
simplified so that it avoids a bug in the LRP version of the
'cut' utility.</li>
<li>The /var/lib/lrpkg/shorwall.conf file has been corrected
to properly display the NAT entry in that file.</li>
</ul>
<p><b>11/19/2001 - Thanks to <a href="mailto:shorewall@timelord.sk">Juraj
Ontkanin</a>, there is now a Shorewall mirror in the Slovak
Republic</b>. The website is now mirrored at <a
@ -1180,8 +1195,8 @@ Beginning with version 1.1.16, a new parameter (<a
version:</p>
<ul>
<li>Support for nested zones has been improved. See <a
href="Documentation.htm#Nested"> the documentation</a> for details</li>
<li>Support for nested zones has been improved. See
<a href="Documentation.htm#Nested"> the documentation</a> for details</li>
<li>Shorewall now correctly checks the alternate configuration
directory for the 'zones' file.</li>
@ -1205,10 +1220,10 @@ files that you want to change.<br>
(pings) are now moved after rules created when processing the
rules file. This allows you to add rules that selectively allow/deny
ping based on source or destination address.</li>
<li>Rules that specify multiple client ip addresses or
subnets no longer cause startup failures.</li>
<li>Zone names in the policy file are now validated against
the zones file.</li>
<li>Rules that specify multiple client ip addresses
or subnets no longer cause startup failures.</li>
<li>Zone names in the policy file are now validated
against the zones file.</li>
<li>If you have <a
href="Documentation.htm#MangleEnabled">packet mangling</a> support
enabled, the "<a href="Documentation.htm#Interfaces">norfc1918</a>"
@ -1221,8 +1236,8 @@ ping based on source or destination address.</li>
version</p>
<ul>
<li>Shell variables can now be used to parameterize Shorewall
rules.</li>
<li>Shell variables can now be used to parameterize
Shorewall rules.</li>
<li>The second column in the hosts file may now contain
a comma-separated list.<br>
<br>
@ -1250,14 +1265,14 @@ comma-separated lists.</li>
version</p>
<ul>
<li>A "shorewall refresh" command has been added to allow
for refreshing the rules associated with the broadcast address on
a dynamic interface. This command should be used in place of
"shorewall restart" when the internet interface's IP address changes.</li>
<li>A "shorewall refresh" command has been added to
allow for refreshing the rules associated with the broadcast address
on a dynamic interface. This command should be used in place
of "shorewall restart" when the internet interface's IP address changes.</li>
<li>The /etc/shorewall/start file (if any) is now processed
after all temporary rules have been deleted. This change prevents
the accidental removal of rules added during the processing of
that file.</li>
the accidental removal of rules added during the processing
of that file.</li>
<li>The "dhcp" interface option is now applicable to
firewall interfaces used by a DHCP server running on the firewall.</li>
<li>The RPM can now be built from the .tgz file using
@ -1265,14 +1280,15 @@ firewall interfaces used by a DHCP server running on the firewall.</li
</ul>
<p><b>7/6/2001 - The current version of Shorewall is 1.1.10.</b> In this version</p>
<p><b>7/6/2001 - The current version of Shorewall is 1.1.10.</b> In this
version</p>
<ul>
<li>Shorewall now enables Ipv4 Packet Forwarding by default.
Packet forwarding may be disabled by specifying IP_FORWARD=Off
in /etc/shorewall/shorewall.conf. If you don't want Shorewall
to enable or disable packet forwarding, add IP_FORWARDING=Keep
to your /etc/shorewall/shorewall.conf file.</li>
<li>Shorewall now enables Ipv4 Packet Forwarding by
default. Packet forwarding may be disabled by specifying IP_FORWARD=Off
in /etc/shorewall/shorewall.conf. If you don't want Shorewall to
enable or disable packet forwarding, add IP_FORWARDING=Keep to
your /etc/shorewall/shorewall.conf file.</li>
<li>The "shorewall hits" command no longer lists extraneous
service names in its last report.</li>
<li>Erroneous instructions in the comments at the head
@ -1280,27 +1296,29 @@ to your /etc/shorewall/shorewall.conf file.</li>
</ul>
<p><b>6/23/2001 - The current version of Shorewall is 1.1.9.</b> In this version</p>
<p><b>6/23/2001 - The current version of Shorewall is 1.1.9.</b> In this
version</p>
<ul>
<li>The "tunnels" file <u>really</u> is in the RPM now.</li>
<li>SNAT can now be applied to port-forwarded connections.</li>
<li>A bug which would cause firewall start failures in
some dhcp configurations has been fixed.</li>
<li>The firewall script now issues a message if you have
the name of an interface in the second column in an entry in
/etc/shorewall/masq and that interface is not up.</li>
<li>A bug which would cause firewall start failures
in some dhcp configurations has been fixed.</li>
<li>The firewall script now issues a message if you
have the name of an interface in the second column in an entry
in /etc/shorewall/masq and that interface is not up.</li>
<li>You can now configure Shorewall so that it<a
href="Documentation.htm#NatEnabled"> doesn't require the NAT and/or mangle
netfilter modules</a>.</li>
href="Documentation.htm#NatEnabled"> doesn't require the NAT and/or
mangle netfilter modules</a>.</li>
<li>Thanks to Alex  Polishchuk, the "hits" command
from seawall is now in shorewall.</li>
<li>Support for <a href="IPIP.htm">IPIP tunnels</a> has
been added.</li>
<li>Support for <a href="IPIP.htm">IPIP tunnels</a>
has been added.</li>
</ul>
<p><b>6/18/2001 - The current version of Shorewall is 1.1.8</b>. In this version</p>
<p><b>6/18/2001 - The current version of Shorewall is 1.1.8</b>. In this
version</p>
<ul>
<li>A typo in the sample rules file has been corrected.</li>
@ -1315,59 +1333,62 @@ netfilter modules</a>.</li>
<p><b>6/2/2001 - The current version of Shorewall is 1.1.7.</b> In this version</p>
<ul>
<li>The TOS rules are now deleted when the firewall is
stopped.</li>
<li>The TOS rules are now deleted when the firewall
is stopped.</li>
<li>The .rpm will now install regardless of which version
of iptables is installed.</li>
<li>The .rpm will now install without iproute2 being
installed.</li>
<li>The documentation has been cleaned up.</li>
<li>The sample configuration files included in Shorewall
have been formatted to 80 columns for ease of editing on a
VGA console.</li>
have been formatted to 80 columns for ease of editing on a VGA
console.</li>
</ul>
<p><b>5/25/2001 - The current version of Shorewall is 1.1.6</b>. In this version</p>
<p><b>5/25/2001 - The current version of Shorewall is 1.1.6</b>. In this
version</p>
<ul>
<li><a href="Documentation.htm#lograte">You may now rate-limit
the packet log.</a></li>
<li><a href="Documentation.htm#lograte">You may now
rate-limit the packet log.</a></li>
<li><font face="Century Gothic, Arial, Helvetica"> Previous
versions of Shorewall have an implementation of Static NAT which
violates the principle of least surprise.  NAT only occurs for
packets arriving at (DNAT) or send from (SNAT) the interface named
in the INTERFACE column of /etc/shorewall/nat. Beginning with version
1.1.6, NAT effective regardless of which interface packets come from
or are destined to. To get compatibility with prior versions, I have
added a new "ALL <a href="NAT.htm#AllInterFaces">"ALL INTERFACES"  column
to /etc/shorewall/nat</a>. By placing "no" or "No" in the new column,
the NAT behavior of prior versions may be retained. </font></li>
<li>The treatment of <a href="IPSEC.htm#RoadWarrior">IPSEC
Tunnels where the remote gateway is a standalone system has been
improved</a>. Previously, it was necessary to include an additional
rule allowing UDP port 500 traffic to pass through the tunnel.
Shorewall will now create this rule automatically when you place
the name of the remote peer's zone in a new GATEWAY ZONE column in
/etc/shorewall/tunnels. </li>
1.1.6, NAT effective regardless of which interface packets come
from or are destined to. To get compatibility with prior versions,
I have added a new "ALL <a href="NAT.htm#AllInterFaces">"ALL INTERFACES" 
column to /etc/shorewall/nat</a>. By placing "no" or "No" in the
new column, the NAT behavior of prior versions may be retained. </font></li>
<li>The treatment of <a
href="IPSEC.htm#RoadWarrior">IPSEC Tunnels where the remote
gateway is a standalone system has been improved</a>. Previously,
it was necessary to include an additional rule allowing UDP port
500 traffic to pass through the tunnel. Shorewall will now create
this rule automatically when you place the name of the remote peer's
zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels. </li>
</ul>
<p><b>5/20/2001 - The current version of Shorewall is 1.1.5.</b> In this version</p>
<p><b>5/20/2001 - The current version of Shorewall is 1.1.5.</b> In this
version</p>
<ul>
<li><a href="Documentation.htm#modules">You may now pass
parameters when loading netfilter modules and you can specify
<li><a href="Documentation.htm#modules">You may now
pass parameters when loading netfilter modules and you can specify
the modules to load.</a></li>
<li>Compressed modules are now loaded. This requires
that you modutils support loading compressed modules.</li>
<li><a href="Documentation.htm#TOS">You may now set the
Type of Service (TOS) field in packets.</a></li>
<li><a href="Documentation.htm#TOS">You may now set
the Type of Service (TOS) field in packets.</a></li>
<li>Corrected rules generated for port redirection (again).</li>
</ul>
<p><b>5/10/2001 - The current version of Shorewall is 1.1.4.</b> In this version</p>
<p><b>5/10/2001 - The current version of Shorewall is 1.1.4.</b> In this
version</p>
<ul>
<li> <a href="Documentation.htm#Conf">Accepting RELATED
@ -1381,19 +1402,20 @@ that you modutils support loading compressed modules.</li>
</ul>
<p><b>4/28/2001 - The current version of Shorewall is 1.1.3.</b> In this version</p>
<p><b>4/28/2001 - The current version of Shorewall is 1.1.3.</b> In this
version</p>
<ul>
<li>Correct message issued when Proxy ARP address added
(Thanks to Jason Kirtland).</li>
<li>/tmp/shorewallpolicy-$$ is now removed if there is
an error while starting the firewall.</li>
<li>/tmp/shorewallpolicy-$$ is now removed if there
is an error while starting the firewall.</li>
<li>/etc/shorewall/icmp.def and /etc/shorewall/common.def
are now used to define the icmpdef and common chains unless overridden
by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.</li>
<li>In the .lrp, the file /var/lib/lrpkg/shorwall.conf
has been corrected. An extra space after "/etc/shorwall/policy"
has been removed and "/etc/shorwall/rules" has been added.</li>
has been corrected. An extra space after "/etc/shorwall/policy" has
been removed and "/etc/shorwall/rules" has been added.</li>
<li>When a sub-shell encounters a fatal error and has
stopped the firewall, it now kills the main shell so that the main
shell will not continue.</li>
@ -1401,14 +1423,15 @@ shell will not continue.</li>
the firewall and main shell continued resulting in a perplexing
error message referring to "common.so" resulted.</li>
<li>Previously, placing "-" in the PORT(S) column in
/etc/shorewall/rules resulted in an error message during start.
This has been corrected.</li>
/etc/shorewall/rules resulted in an error message during start. This
has been corrected.</li>
<li>The first line of "install.sh" has been corrected
-- I had inadvertently deleted the initial "#".</li>
</ul>
<p><b>4/12/2001 - The current version of Shorewall is 1.1.2.</b> In this version</p>
<p><b>4/12/2001 - The current version of Shorewall is 1.1.2.</b> In this
version</p>
<ul>
<li>Port redirection now works again.</li>
@ -1436,8 +1459,8 @@ This has been corrected.</li>
and FORWARD before logging occurs</li>
<li>The source has been cleaned up dramatically</li>
<li>DHCP DISCOVER packets with RFC1918 source addresses
no longer generate log messages. Linux DHCP clients generate such
packets and it's annoying to see them logged. </li>
no longer generate log messages. Linux DHCP clients generate
such packets and it's annoying to see them logged. </li>
</ul>
@ -1457,8 +1480,8 @@ the source subnetworks whose packets are dropped under the <i>norfc19
script when a chain is defined, when the firewall is initialized,
when the firewall is started, when the firewall is stopped and
when the firewall is cleared.</li>
<li>The Linux kernel's route filtering facility can now
be specified selectively on network interfaces.</li>
<li>The Linux kernel's route filtering facility can
now be specified selectively on network interfaces.</li>
</ul>
@ -1474,8 +1497,8 @@ in the new configuration file /etc/shorewall/zones. The /etc/shorew
the /etc/shorewall/rules file.</li>
<li>Correct handling of the icmp-def chain so that only
ICMP packets are sent through the chain.</li>
<li>Compresses the output of "shorewall monitor" if awk
is installed. Allows the command to work if awk isn't installed
<li>Compresses the output of "shorewall monitor" if
awk is installed. Allows the command to work if awk isn't installed
(although it's not pretty).</li>
</ul>
@ -1486,8 +1509,8 @@ the /etc/shorewall/rules file.</li>
<ul>
<li>The PATH variable in the firewall script now includes
/usr/local/bin and /usr/local/sbin.</li>
<li>DMZ-related chains are now correctly deleted if the
DMZ is deleted.</li>
<li>DMZ-related chains are now correctly deleted if
the DMZ is deleted.</li>
<li>The interface OPTIONS for "gw" interfaces are no
longer ignored.</li>
@ -1498,28 +1521,11 @@ longer ignored.</li>
tunnels with end-points on the firewall. There is also a .lrp available
now.</b></p>
<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated 12/3/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2"> Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
</body>
</html>

43
STABLE/documentation/download.htm
View File

@ -30,15 +30,23 @@
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b></p>
for the configuration that most closely matches your own.<br>
</b></p>
<p>Once you've done that, download <u> one</u> of the modules:</p>
<p>The entire set of Shorewall documentation is also available in PDF format
at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a><br>
<br>
Once you've done that, download <u> one</u> of the modules:</p>
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with a
2.4 kernel, you can use the RPM version (note: the RPM should
also work with other distributions that store init scripts
Linux PPC</b> or <b> TurboLinux</b> distribution with
a 2.4 kernel, you can use the RPM version (note: the RPM
should also work with other distributions that store init scripts
in /etc/init.d and that include chkconfig or insserv). If you
find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
@ -48,8 +56,8 @@ find that it works in other cases, let <a
also want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian Testing
Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module
@ -66,8 +74,8 @@ Testing Branch</a> and the <a
<ul>
<li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will
contain the version)</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf
&lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
@ -84,7 +92,7 @@ Testing Branch</a> and the <a
configuration of your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.3.10</b>): <b>Remember that updates
<p><b>Download Latest Version</b> (<b>1.3.11a</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
<blockquote>
@ -221,13 +229,14 @@ to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
.rpm</a><br>
<td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a href="http://france.shorewall.net/pub/LATEST.md5sums">Download
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
@ -334,7 +343,8 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
@ -377,7 +387,7 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
</p>
</blockquote>
<p align="left"><b></b><font size="2">Last Updated 11/11/2002 - <a
<p align="left"><font size="2">Last Updated 12/3/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
@ -391,5 +401,8 @@ in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

166
STABLE/documentation/errata.htm
View File

@ -6,6 +6,7 @@
content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
@ -32,6 +33,7 @@
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -39,12 +41,14 @@
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
@ -66,19 +70,20 @@ example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems in
Version 1.3</a></b></li>
<li> <b><a href="#V1.3">Problems
in Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems
in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a
href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066">
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems
with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7
and MULTIPORT=Yes</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on
SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version
1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
</li>
@ -87,11 +92,37 @@ with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.11</h3>
<ul>
<li>When installing/upgrading using the .rpm, you may receive the following
warnings:<br>
<br>
     user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>
<br>
These warnings are harmless and may be ignored. Users downloading the .rpm
from shorewall.net or mirrors should no longer see these warnings as the
.rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column contains !
followed by a sub-zone list) result in an error message and Shorewall fails
to start.<br>
<br>
Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
<br>
This problem is corrected in version 1.3.11a.<br>
</li>
</ul>
<h3>Version 1.3.10</h3>
<ul>
<li>If you experience problems connecting to a PPTP server running on
your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<li>If you experience problems connecting to a PPTP server running
on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases where
@ -106,8 +137,8 @@ is the real script now and not just a symbolic link to the real script.<br>
<h3>Version 1.3.9a</h3>
<ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
the following message appears during "shorewall [re]start":</li>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
then the following message appears during "shorewall [re]start":</li>
</ul>
@ -116,8 +147,8 @@ is the real script now and not just a symbolic link to the real script.<br>
<blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
above.<br>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as
described above.<br>
</blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
@ -126,9 +157,9 @@ is the real script now and not just a symbolic link to the real script.<br>
</blockquote>
<ul>
<li>The installer (install.sh) issues a misleading message "Common functions
installed in /var/lib/shorewall/functions" whereas the file is installed
in /usr/lib/shorewall/functions. The installer also performs incorrectly
<li>The installer (install.sh) issues a misleading message "Common
functions installed in /var/lib/shorewall/functions" whereas the file is
installed in /usr/lib/shorewall/functions. The installer also performs incorrectly
when updating old configurations that had the file /etc/shorewall/functions.
<a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
@ -190,15 +221,15 @@ tcp 25 - 10.1.1.1")<br>
has two problems:</p>
<ol>
<li>If the firewall is running a
DHCP server, the client won't be able
to obtain an IP address lease from that
server.</li>
<li>If the firewall is running
a DHCP server, the client won't be
able to obtain an IP address lease
from that server.</li>
<li>With this order of checking,
the "dhcp" option cannot be used as a
noise-reduction measure where there are
both dynamic and static clients on a LAN
segment.</li>
the "dhcp" option cannot be used as
a noise-reduction measure where there
are both dynamic and static clients
on a LAN segment.</li>
</ol>
@ -300,10 +331,10 @@ segment.</li>
<h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy
file have been previously defined in the /etc/shorewall/zones
file. The "shorewall check" command does perform this verification
so it's a good idea to run that command after you have made configuration
to not verify that the zones named in the /etc/shorewall/policy file
have been previously defined in the /etc/shorewall/zones file.
The "shorewall check" command does perform this verification so
it's a good idea to run that command after you have made configuration
changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3>
@ -320,15 +351,15 @@ message in this case.</p>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct
version has a size of 38126 bytes.</p>
file can be identified by its size (56284 bytes). The correct version
has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it
from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just
like "NAT_BEFORE_RULES=Yes".</li>
<li>The code to detect a duplicate interface entry
in /etc/shorewall/interfaces contained a typo that prevented
it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved
just like "NAT_BEFORE_RULES=Yes".</li>
</ul>
@ -365,15 +396,15 @@ option. For example:<br>
loc    eth1    dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior
bullet affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An
additional bug has been found that affects only the 'routestopped'
option.<br>
<li>Update 17 June 2002 - The bug described in the
prior bullet affects the following options: dhcp, dropunclean,
logunclean, norfc1918, routefilter, multi, filterping and
noping. An additional bug has been found that affects only
the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script prior to 1850
GMT today should download and install the corrected script
again to ensure that this second problem is corrected.</li>
Users who downloaded the corrected script prior to
1850 GMT today should download and install the corrected
script again to ensure that this second problem is corrected.</li>
</ul>
@ -385,10 +416,10 @@ option.<br>
<h3 align="left">Version 1.3.0</h3>
<ul>
<li>Folks who downloaded 1.3.0 from the links on the
download page before 23:40 GMT, 29 May 2002 may have downloaded
1.2.13 rather than 1.3.0. The "shorewall version" command
will tell you which version that you have installed.</li>
<li>Folks who downloaded 1.3.0 from the links on
the download page before 23:40 GMT, 29 May 2002 may have
downloaded 1.2.13 rather than 1.3.0. The "shorewall version"
command will tell you which version that you have installed.</li>
<li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
@ -408,8 +439,8 @@ will tell you which version that you have installed.</li>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat released
this buggy iptables in RedHat 7.2. </p>
prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
@ -417,8 +448,8 @@ will tell you which version that you have installed.</li>
built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download
@ -451,6 +482,7 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
@ -459,9 +491,9 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
the Netfilter 'mangle' table. You can correct the problem by installing
<a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option to rpm
(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
@ -508,23 +540,17 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes
has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel
contains corrected support under a new kernel configuraiton option; see
<a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
The solution is to put "no" in the LOCAL column. Kernel support for
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
2.4.19 kernel contains corrected support under a new kernel configuraiton
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 11/24/2002 -
<p><font size="2"> Last updated 12/3/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
</body>

149
STABLE/documentation/seattlefirewall_index.htm
View File

@ -52,6 +52,7 @@
</tbody>
</table>
@ -71,6 +72,7 @@
<h2 align="left">What is it?</h2>
@ -79,9 +81,9 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
@ -92,8 +94,8 @@
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software Foundation.<br>
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
<br>
This program
is distributed in the hope that it will be useful,
@ -121,6 +123,7 @@ Public License</a> as published by the Free Software Foundation.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques
@ -131,12 +134,13 @@ Public License</a> as published by the Free Software Foundation.<br>
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.0 Final!!! </b><br>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.0 Final!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -159,29 +163,48 @@ Public License</a> as published by the Free Software Foundation.<br>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
<p><b>12/3/2002 - Shorewall 1.3.11a </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who
don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
</b></p>
<p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been added to entries in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or DEST column in
a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>.
When used, 'all' must appear by itself (in may not be qualified) and it does
not enable intra-zone traffic. For example, the rule <br>
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This
option causes Shorewall to make a set of sanity check on TCP packet header
flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or DEST column
in a <a href="Documentation.htm#Rules">rule</a>. When used, 'all' must
appear by itself (in may not be qualified) and it does not enable intra-zone
traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible with
bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules
generate a warning and are ignored</li>
<li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw
rules generate a warning and are ignored</li>
</ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
@ -212,8 +235,8 @@ generate a warning and are ignored</li>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define the
contents of a zone dynamically</a> with the <a
<li>You may now <a href="IPSEC.htm#Dynamic">define
the contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
@ -225,11 +248,11 @@ you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall
system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported for use
when the <a href="IPSEC.htm">remote IPSEC endpoint is behind
a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>A new 'ipsecnat' tunnel type is supported for
use when the <a href="IPSEC.htm">remote IPSEC endpoint is
behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as
@ -244,6 +267,7 @@ a NAT gateway</a>.</li>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
</blockquote>
@ -263,24 +287,25 @@ Linux distribution</a>. Thanks Alex!<br>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define
the contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>You may now <a
href="IPSEC.htm#Dynamic">define the contents of a zone dynamically</a>
with the <a href="starting_and_stopping_shorewall.htm">"shorewall add" and
"shorewall delete" commands</a>. These commands are expected
to be used primarily within <a
href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment and
you can optionally tie each MAC address to one or more IP addresses.</li>
You can specify the set of allowed MAC addresses on the segment
and you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the
firewall system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported
for use when the <a href="IPSEC.htm">remote IPSEC endpoint
is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The PATH used by Shorewall may now be
specified in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such
@ -319,6 +344,7 @@ firewall system may now be defined in the<a href="PPTP.htm"> /etc/shore
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
@ -343,12 +369,14 @@ and to the firewall script.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
</b></p>
<img src="images/j0233056.gif"
alt="Brown Paper Bag" width="50" height="86" align="left">
There is an updated firewall script at
<a
<img
src="images/j0233056.gif" alt="Brown Paper Bag" width="50" height="86"
align="left">
There is an updated firewall script
at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
@ -356,18 +384,21 @@ and to the firewall script.<br>
<p><b><br>
</b></p>
<p><b><br>
</b></p>
<p><b><br>
9/28/2002 - Shorewall 1.3.9 </b><b>
</b></p>
@ -386,19 +417,19 @@ and to the firewall script.<br>
<ul>
<li><a
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
allowed in Shorewall config files (although I recommend against
using them).</li>
allowed in Shorewall config files (although I recommend
against using them).</li>
<li>The connection SOURCE
may now be qualified by both interface and IP address in
a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is
now disabled after initial installation until the file
/etc/shorewall/startup_disabled is removed. This avoids nasty
surprises at reboot for users who install Shorewall but don't
configure it.</li>
<li>The 'functions' and 'version'
files and the 'firewall' symbolic link have been moved
from /var/lib/shorewall to /usr/lib/shorewall to appease
may now be qualified by both interface and IP address
in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup
is now disabled after initial installation until the
file /etc/shorewall/startup_disabled is removed. This avoids
nasty surprises at reboot for users who install Shorewall
but don't configure it.</li>
<li>The 'functions' and
'version' files and the 'firewall' symbolic link have been
moved from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br>
</li>
@ -415,6 +446,7 @@ the LFS police at Debian.<br>
<p><a href="News.htm">More News</a></p>
@ -423,6 +455,7 @@ the LFS police at Debian.<br>
<h2><a name="Donations"></a>Donations</h2>
</td>
@ -440,6 +473,7 @@ the LFS police at Debian.<br>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
@ -462,8 +496,9 @@ the LFS police at Debian.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
</td>
@ -471,16 +506,14 @@ if you try it and find it useful, please consider making a donation
</tbody>
</table>
<p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 12/3/2002 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
</body>
</html>

36
STABLE/documentation/shoreline.htm
View File

@ -37,14 +37,14 @@
</p>
<ul>
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
State</a> .</li>
<li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
) 1969 - 1980</li>
<li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li>
@ -56,8 +56,8 @@ State University</a> 1967</li>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as <a
href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
ipchains and developed the scripts which are now collectively known as
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p>
@ -70,20 +70,21 @@ ipchains and developed the scripts which are now collectively known as <a
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE
HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also has
RedHat 8.0 installed.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC
- My personal Linux System which runs Samba configured as a WINS server.
This system also has <a href="http://www.vmware.com/">VMware</a> installed
and can run both <a href="http://www.debian.org">Debian Woody</a>
and <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as a WINS
server. This system also has <a href="http://www.vmware.com/">VMware</a>
installed and can run both <a href="http://www.debian.org">Debian
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail
(Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
(Bind).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX 
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.9a  and a DHCP
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.11  and a DHCP
server.  Also runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
personal system.</li>
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard EEPRO100
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
</ul>
@ -105,10 +106,11 @@ and <a href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a> </font></p>
<p><font size="2">Last updated 10/28/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<p><font size="2">Last updated 11/24/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<br>

24
STABLE/documentation/shorewall_quickstart_guide.htm
View File

@ -31,8 +31,8 @@
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.</p>
<p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.</p>
<h2>The Guides</h2>
@ -54,9 +54,9 @@ acting as a firewall/router for a small local network</li>
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple public
IP addresses involved or if you want to learn more about Shorewall than
is explained in the single-address guides above.</b></p>
the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about Shorewall
than is explained in the single-address guides above.</b></p>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
@ -92,6 +92,7 @@ your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
@ -154,7 +155,8 @@ Starting and Stopping the Firewall</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
@ -175,8 +177,8 @@ Starting and Stopping the Firewall</a></li>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code)</li>
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How
to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
@ -194,10 +196,12 @@ Starting and Stopping the Firewall</a></li>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br>
</li>
</ul>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
@ -218,10 +222,10 @@ Starting and Stopping the Firewall</a></li>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 11/19/2002 - <a
href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 11/19/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br>
</p>
<br>
</body>
</html>

52
STABLE/documentation/support.htm
View File

@ -30,12 +30,12 @@
</tbody>
</table>
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
easier to post a problem than to use your own brain" </font>-- </i> <font
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It
is easier to post a problem than to use your own brain" </font>-- </i> <font
size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
<p align="left"> <i>"Any sane computer will tell you how it works -- you just
have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<p align="left"> <i>"Any sane computer will tell you how it works -- you
just have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<blockquote> </blockquote>
@ -48,8 +48,8 @@ easier to post a problem than to use your own brain" </font>-- </i> <font
<b><i>"Reading the documentation fully is a prerequisite to getting help
for your particular situation. I know it's harsh but you will have to get
so far on your own before you can get reasonable help from a list full of
busy people. A mailing list is not a tool to speed up your day by being spoon
fed</i></b><i><b>".</b> </i>-- Simon White<br>
busy people. A mailing list is not a tool to speed up your day by being
spoon fed</i></b><i><b>".</b> </i>-- Simon White<br>
<p>There are also a number of sources for problem solution information.</p>
@ -99,11 +99,12 @@ about similar problems:</li>
<h3 align="left">Problem Reporting Guideline</h3>
<ul>
<li>When reporting a problem, give as much information as you can.
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</li>
<li>Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your questions
but we can't do your job for you.</li>
<li>When reporting a problem, give as much information as you
can. Reports that say "I tried XYZ and it didn't work" are not at all
helpful.</li>
<li>Please don't describe your environment and then ask us to
send you custom configuration files. We're here to answer your
questions but we can't do your job for you.</li>
<li>Do you see any "Shorewall" messages in /var/log/messages
when you exercise the function that is giving you problems?</li>
<li>Have you looked at the packet flow with a tool like tcpdump
@ -113,9 +114,9 @@ about similar problems:</li>
to connect, using the "-v" option gives you a lot of valuable diagnostic
information.</li>
<li>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file) that you
think are relevant. If an error occurs when you try to "shorewall start",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
the /etc/shorewall/hosts file if you have modified that file) that
you think are relevant. If an error occurs when you try to "shorewall
start", include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).</li>
<li>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc to the Mailing List -- your post will
@ -126,13 +127,18 @@ be rejected.</li>
<h3>Where to Send your Problem Report or to Ask for Help</h3>
<b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem
reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set
on October 3, 2002; MandrakeSoft issued a charge against my credit card
on October 4, 2002 (they are really effecient at that part of the order
process) and I haven't heard a word from them since (although their news
letters boast that 9.0 boxed sets have been shipping for the last two weeks).
If they can't fill my 9.0 order within <u>6 weeks after they have billed
my credit card</u> then I refuse to spend my free time supporting of their
product for them.<br>
on October 3, 2002; MandrakeSoft issued a charge against my credit card on
October 4, 2002 (they are very effecient at that part of the order process)
and I haven't heard a word from them since (although their news letters
boast that 9.0 boxed sets have been shipping for the last two weeks). If
they can't fill my 9.0 order within <u>6 weeks after they have billed my
credit card</u> then I refuse to spend my free time supporting their product
for them.<br>
<br>
<b>Mandrake Update - 11/26/2002 - </b>Mandrake have informed me that "Your
order is part of a batch of which was not correctly sent to our shipping
handler, and so unfortunately was not processed". They further assure me
that these mishandled orders will begin shipping on 12/2/2002.<br>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
post your question or problem to the <a
@ -153,11 +159,11 @@ product for them.<br>
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p>
<p align="left"><font size="2">Last Updated 11/19//2002 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 12/2/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</body>
</html>

73
STABLE/documentation/troubleshoot.htm
View File

@ -18,7 +18,10 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle">
</font></h1>
</td>
</tr>
@ -37,8 +40,9 @@ of the firewall.</p>
problems.</p>
<h3 align="left">If the firewall fails to start</h3>
If you receive an error message when starting or restarting the firewall
and you can't determine the cause, then do the following:
If you receive an error message when starting or restarting the
firewall and you can't determine the cause, then do the following:
<ul>
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you determine
@ -55,8 +59,8 @@ of the firewall.</p>
</p>
<ul>
<li>Port Forwarding where client and server are in the same
subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Port Forwarding where client and server are in the
same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the external
subnet, thinking that Shorewall will suddenly believe that the system
is in the 'net' zone.</li>
@ -80,10 +84,10 @@ that you forget to remove them later.</p>
will generate when you try to connect in a way that isn't permitted
by your rule set.</p>
<p align="left">Check your log. If you don't see Shorewall messages, then
your problem is probably NOT a Shorewall problem. If you DO see packet messages,
it may be an indication that you are missing one or more rules -- see <a
href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't
see Shorewall messages, then your problem is probably NOT a Shorewall problem.
If you DO see packet messages, it may be an indication that you are missing
one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p>
@ -98,14 +102,15 @@ that you forget to remove them later.</p>
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p>
<ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all chain
-- the packet was rejected under the "all"-&gt;"all" REJECT policy (see
<a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>all2all:REJECT - This packet was REJECTed out of the all2all
chain -- the packet was rejected under the "all"-&gt;"all" REJECT policy
(see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
@ -131,19 +136,19 @@ about how to interpret the chain name appearing in a Shorewall log message.<br>
<li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
chains? This means that:
<ol>
<li>your zone definitions are screwed up and the host that is sending
the packets or the destination host isn't in any zone (using an
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are
you?); or</li>
<li>the source and destination hosts are both connected to the same
interface and that interface doesn't have the 'multi' option specified
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>your zone definitions are screwed up and the host that is
sending the packets or the destination host isn't in any zone (using
an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
are you?); or</li>
<li>the source and destination hosts are both connected to the
same interface and that interface doesn't have the 'multi' option
specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
</ol>
</li>
<li>Remember that Shorewall doesn't automatically allow ICMP type
8 ("ping") requests to be sent between zones. If you want pings to be
allowed between zones, you need a rule of the form:<br>
<li>Remember that Shorewall doesn't automatically allow ICMP
type 8 ("ping") requests to be sent between zones. If you want pings
to be allowed between zones, you need a rule of the form:<br>
<br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br>
@ -153,17 +158,17 @@ the following in /etc/shorewall/nat:<br>
<br>
    10.1.1.2    eth0    130.252.100.18<br>
<br>
and you ping 130.252.100.18, unless you have allowed icmp type 8
between the zone containing the system you are pinging from and the
and you ping 130.252.100.18, unless you have allowed icmp type
8 between the zone containing the system you are pinging from and the
zone containing 10.1.1.2, the ping requests will be dropped. This is
true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
<li>If you specify "routefilter" for an interface, that interface
must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually
need to be configured with their default gateway set to the IP address
of their nearest firewall interface. One often overlooked aspect of routing
is that in order for two hosts to communicate, the routing between them
must be set up <u>in both directions.</u> So when setting up routing
of their nearest firewall interface. One often overlooked aspect of
routing is that in order for two hosts to communicate, the routing between
them must be set up <u>in both directions.</u> So when setting up routing
between <b>A</b> and<b> B</b>, be sure to verify that the route from
<b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a
@ -172,10 +177,10 @@ shell with broken variable expansion. <a
shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program is generally
included in the "iproute" package which should be included with your
distribution (though many distributions don't install iproute by
default). You may also download the latest source tarball from <a
<li>Some features require the "ip" program. That program is
generally included in the "iproute" package which should be included
with your distribution (though many distributions don't install iproute
by default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li>
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
@ -196,10 +201,12 @@ external addresses to be use with NAT unless you have set <a
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote>
</font>
<p><font size="2">Last updated 11/21/2002 - Tom Eastep</font> </p>
<p><font size="2">Last updated 11/24/2002 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
</body>
</html>

2
STABLE/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.3.11
VERSION=1.3.11a
usage() # $1 = exit status
{

2
STABLE/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.3.11
VERSION=1.3.11a
usage() # $1 = exit status
{

4
STABLE/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 1.3.11
%define version 1.3.11a
%define release 1
%define prefix /usr
@ -101,6 +101,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Tue Dec 03 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.11a
* Sun Nov 24 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.11
* Sat Nov 09 2002 Tom Eastep <tom@shorewall.net>

2
STABLE/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.11
VERSION=1.3.11a
usage() # $1 = exit status
{