holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Massive replacement of 'fw' with '' in the Documentation

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2672 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-09-12 18:43:26 +00:00
parent 72c5855827
commit 23b0f37ec2
21 changed files with 313 additions and 431 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
Shorewall-docs2/Actions.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-08-28</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2005</year>
@ -221,6 +221,12 @@ Reject:REJECT #Common Action for REJECT policy</programlisting>
a log level. This will log to the ULOG target for routing to a
separate log through use of ulogd (<ulink
url="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</ulink>).</para>
<para>You may also use a <ulink url="Macros.html">macro</ulink> in
your action provided that the macro's expansion only results in the
ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
<filename>/usr/share/shorewall/Drop</filename> for an example of an
action that users macros extensively.</para>
</listitem>
<listitem>
@ -369,7 +375,7 @@ Reject:REJECT #Common Action for REJECT policy</programlisting>
might do something like:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc fw tcp 22</programlisting>
LogAndAccept loc $FW tcp 22</programlisting>
</section>
<section>
@ -399,7 +405,7 @@ bar:info</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
foo:debug fw net</programlisting>
foo:debug $FW net</programlisting>
<para>Logging in the invoke 'foo' action will be as if foo had been
defined as:</para>
@ -424,7 +430,7 @@ bar:info</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
foo:debug! fw net</programlisting>
foo:debug! $FW net</programlisting>
<para>Logging in the invoke 'foo' action will be as if foo had been
defined as:</para>
@ -463,7 +469,7 @@ bar:debug</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST
acton:info:test fw net</programlisting>
acton:info:test $FW net</programlisting>
<para>Your /etc/shorewall/acton file will be run with:</para>

22
Shorewall-docs2/Documentation.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-09-08</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2001-2005</year>
@ -1366,7 +1366,7 @@ loc loc REJECT info</programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTION
fw firewall
$FW firewall
sam plain
net plain
loc plain</programlisting>
@ -1434,7 +1434,7 @@ DNAT net loc:192.168.1.5 tcp www
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
...
DNAT sam fw tcp ssh
DNAT sam $FW tcp ssh
DNAT net loc:192.168.1.3 tcp ssh
...</programlisting>
@ -2046,7 +2046,7 @@ DNAT&lt;4/min:8&gt; net loc:192.168.1.3 tcp ssh</programlisting
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
REDIRECT loc 3128 tcp www - !206.124.146.177
ACCEPT fw net tcp www</programlisting>
ACCEPT $FW net tcp www</programlisting>
</example>
<example>
@ -2166,7 +2166,7 @@ DNAT net loc:192.168.1.101-192.168.1.109 tcp 80</programlisting>
NONAT loc:192.168.1.4,192.168.1.199 \
net tcp www
REDIRECT loc 3128 tcp www -
ACCEPT fw net tcp www</programlisting>
ACCEPT $FW net tcp www</programlisting>
<para>The reason that NONAT is used in the above example rather than
ACCEPT+ is that the example is assuming the usual ACCEPT loc-&gt;net
@ -3244,16 +3244,6 @@ eth0 eth1 206.124.146.176</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>FW</term>
<listitem>
<para>This parameter specifies the name of the firewall zone. If not
set or if set to an empty string, the value <quote>fw</quote> is
assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SUBSYSLOCK</term>
@ -4093,4 +4083,4 @@ eth1 -</programlisting>
</revision>
</revhistory></para>
</appendix>
</article>
</article>

17
Shorewall-docs2/IPSEC-2.6.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-09-03</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2004</year>
@ -388,17 +388,6 @@ spdadd 134.28.54.2/32 206.162.148.9/32 any -P in ipsec esp/tunnel/134.28.54.2
<para>The <filename>setkey.conf</filename> file on gateway B would be
similar.</para>
<caution>
<para>If you are running kernel 2.6.10 or later, then you need
ipsec-tools (and racoon) 0.5 or later OR you need to add <emphasis
role="bold">-P fwd</emphasis> rules (duplicate each <emphasis
role="bold">-P in</emphasis> rule and replace the <emphasis
role="bold">in</emphasis> with <emphasis role="bold">fwd</emphasis>) --
as of this writing (2005-02028, the IPSEC HOWTO (<ulink
url="http://www.ipsec-howto.org/x277.html">http://www.ipsec-howto.org/x277.html</ulink>)
is inaccurate on this point.</para>
</caution>
<para>A sample <filename>/etc/racoon/racoon.conf</filename> file using
X.509 certificates might look like:</para>
@ -779,8 +768,8 @@ loc eth0:192.168.20.0/24
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw all ACCEPT
loc fw ACCEPT
$FW all ACCEPT
loc $FW ACCEPT
net loc NONE
loc net NONE
net all DROP info

15
Shorewall-docs2/Introduction.xml
View File

@ -13,7 +13,7 @@
<surname>Eastep</surname>
</author>
<pubdate>2005-08-30</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2003-2005</year>
@ -132,11 +132,10 @@ dmz Demilitarized Zone</programlisting>
class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
file.</para>
<para>Shorewall also recognizes the firewall system as its own zone - by
default, the firewall itself is known as <emphasis
role="bold"><varname>fw</varname></emphasis> but that may be changed by
setting the FW option in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
<para>Note that Shorewall recognizes the firewall system as its own zone.
The name of the zone designating the firewall itself is stored in the
shell variable $<firstterm>FW</firstterm> which may be used throughout the
Shorewall configuration to refer to the firewall zone.</para>
<para>Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones. <itemizedlist spacing="compact">
@ -207,7 +206,7 @@ all all REJECT info</programlisting>In the three-interface
sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT</programlisting> The above policy will:
$FW net ACCEPT</programlisting> The above policy will:
<itemizedlist>
<listitem>
<para>Allow all connection requests from your local network to the
@ -255,7 +254,7 @@ dmz eth2 detect</programlisting>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT net fw tcp 22</programlisting>
ACCEPT net $FW tcp 22</programlisting>
<para>So although you have a policy of ignoring all connection attempts
from the net zone (from the internet), the above exception to that policy

320
Shorewall-docs2/Macros.xml
View File

@ -21,7 +21,7 @@
</author>
</authorgroup>
<pubdate>2005-08-22</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2005</year>
@ -40,6 +40,13 @@
</legalnotice>
</articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<section>
<title>What are Shorewall Macros?</title>
@ -47,8 +54,9 @@
series of one or more iptables rules. The symbolic name may appear in the
ACTION column of an <filename><ulink
url="Documentation.htm#Rules">/etc/shorewall/rules</ulink></filename> file
entry in which case, the traffic matching that rules file entry will be
passed to the series of iptables rules named by the action.</para>
entry and in the TARGET column of an action in which case, the traffic
matching that rules file entry will be passed to the series of iptables
rules named by the macro.</para>
<para>Macros can be thought of as templates. When a macro is invoked in an
<filename>/etc/shorewall/rules</filename> entry, it may be qualified by a
@ -57,30 +65,22 @@
which each packet/rule match within the macro causes a log message to be
generated.</para>
<para>There are three types of Shorewall macros:</para>
<para>There are two types of Shorewall macros:</para>
<orderedlist>
<listitem>
<para>Built-in Macros. These macros are known by the Shorewall code
itself. They are listed in the comments at the top of the file
<filename>/usr/share/shorewall/actions.std</filename>.</para>
</listitem>
<listitem>
<para>Standard Macros. These actions are released as part of
Shorewall. They are listed in the file
<filename>/usr/share/shorewall/actions.std</filename> and are defined
in the corresponding macros.* files in <filename
<para>Standard Macros. These macros are released as part of Shorewall.
They are defined in macros.* files in <filename
class="directory">/usr/share/shorewall</filename>. Each
<filename>macros.*</filename> file has a comment at the beginning of
the file that describes what the action does. As an example, here is
the definition of the <firstterm>AllowSMB</firstterm> standard
the file that describes what the macro does. As an example, here is
the definition of the <firstterm>SMB</firstterm> standard
macro.</para>
<programlisting>#
# Shorewall 2.2 /usr/share/shorewall/macro.AllowSMB
#
# Allow Microsoft SMB traffic. You need to invoke this action in
# Allow Microsoft SMB traffic. You need to invoke this macro in
# both directions.
#
######################################################################################
@ -100,126 +100,97 @@ PARAM - - tcp 135,139,445
<listitem>
<para>User-defined Macros. These macros are created by end-users. They
are listed in the file /etc/shorewall/actions and are defined in
macros.* files in /etc/shorewall/actions or in another directory
listed in your CONFIG_PATH (defined in <ulink
are defined in macros.* files in /etc/shorewall or in another
directory listed in your CONFIG_PATH (defined in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>).</para>
</listitem>
</orderedlist>
</section>
<section>
<title>Common Actions</title>
<para>Shorewall allows the association of a <firstterm>common
action</firstterm> with policies. A separate common action may be
associated with ACCEPT, DROP and REJECT policies. Common actions provide a
way to invoke a set of common rules just before the policy is enforced.
Common actions accomplish two goals:</para>
<orderedlist>
<listitem>
<para>Relieve log congestion. Common actions typically include rules
to silently drop or reject traffic that would otherwise be logged when
the policy is enforced.</para>
</listitem>
<listitem>
<para>Ensure correct operation. Common actions can also avoid common
pitfalls like dropping connection requests on port TCP port 113. If
these connections are dropped (rather than rejected) then you may
encounter problems connecting to internet services that utilize the
AUTH protocol of client authentication<footnote>
<para>AUTH is actually pretty silly on today's internet but it's
amazing how many servers still employ it.</para>
</footnote>.</para>
</listitem>
</orderedlist>
<para>Shorewall provides common actions for the REJECT and DROP policies.
The common action for REJECT is named <firstterm>Reject</firstterm> and
the common action for DROP is named <firstterm>Drop</firstterm>. These
associations are made through two entries in
/usr/share/shorewall/actions.std:</para>
<programlisting>Drop:DROP #Common Action for DROP policy
Reject:REJECT #Common Action for REJECT policy</programlisting>
<para>These may be overridden by entries in your /etc/shorewall/actions
file.</para>
<warning>
<para>Entries in the DROP and REJECT common actions <emphasis
role="bold">ARE NOT THE CAUSE OF CONNECTION PROBLEMS</emphasis>.
Remember — common actions are only invoked immediately before the packet
is going to be dropped or rejected anyway!!!</para>
</warning>
</section>
<section>
<title>Defining your own Macros</title>
<para>To define a new action:</para>
<para>To define a new macro:</para>
<orderedlist>
<listitem>
<para>Add a line to
<filename><filename>/etc/shorewall/actions</filename></filename> that
names your new action. Action names must be valid shell variable names
((must begin with a letter and be composed of letters, digits and
underscore characters) as well as valid Netfilter chain names. If you
intend to log from the action, the name must have a maximum of 11
characters. It is recommended that the name you select for a new
action begins with a capital letter; that way, the name won't conflict
with a Shorewall-defined chain name.</para>
<para>Beginning with Shorewall-2.0.0-Beta1, the name of the action may
be optionally followed by a colon (<quote>:</quote>) and ACCEPT, DROP
or REJECT. When this is done, the named action will become the
<emphasis>common action </emphasis>for policies of type ACCEPT, DROP
or REJECT respectively. The common action is applied immediately
before the policy is enforced (before any logging is done under that
policy) and is used mainly to suppress logging of uninteresting
traffic which would otherwise clog your logs. The same policy name can
appear in multiple actions; the last such action for each policy name
is the one which Shorewall will use.</para>
<para>Shorewall includes pre-defined actions for DROP and REJECT --
see above.</para>
<para>Macro names must be valid shell variable names ((must begin with
a letter and be composed of letters, digits and underscore characters)
as well as valid Netfilter chain names.</para>
</listitem>
<listitem>
<para>Once you have defined your new action name (ActionName), then
copy /usr/share/shorewall/action.template to
<filename>/etc/shorewall/action.ActionName</filename> (for example, if
your new action name is <quote>Foo</quote> then copy
<filename>/usr/share/shorewall/action.template</filename> to
<filename>/etc/shorewall/action.Foo</filename>).</para>
<para>Copy /usr/share/shorewall/macro.template to
<filename>/etc/shorewall/macro.ActionName</filename> (for example, if
your new macro name is <quote>Foo</quote> then copy
<filename>/usr/share/shorewall/macro.template</filename> to
<filename>/etc/shorewall/macro.Foo</filename>).</para>
</listitem>
<listitem>
<para>Now modify the new file to define the new action.</para>
<para>Now modify the new file to define the new macro.</para>
</listitem>
</orderedlist>
<para>Columns in the action.template file are as follows:</para>
<para>Columns in the macro.template file are as follows:</para>
<itemizedlist>
<listitem>
<para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
&lt;<emphasis>action</emphasis>&gt; where
&lt;<emphasis>action</emphasis>&gt; is a previously-defined action
(that is, it must precede the action being defined in this file in
your <filename>/etc/shorewall/actions</filename> file). These actions
have the same meaning as they do in the
<filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
processing of the current action and returns to the point where that
action was invoked). The TARGET may optionally be followed by a colon
(<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
ACCEPT:debugging). This causes the packet to be logged at the
specified level. You may also specify ULOG (must be in upper case) as
a log level. This will log to the ULOG target for routing to a
separate log through use of ulogd (<ulink
<para>ACTION - ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
LOG, QUEUE, PARAM or an action name.</para>
<simplelist>
<member>ACCEPT - allow the connection request</member>
<member>ACCEPT+ - like ACCEPT but also excludes the connection from
any subsequent DNAT[-] or REDIRECT[-] rules.</member>
<member>NONAT - Excludes the connection from any subsequent DNAT[-]
or REDIRECT[-] rules but doesn't generate a rule to accept the
traffic.</member>
<member>DROP - ignore the request</member>
<member>REJECT - disallow the request and return an icmp unreachable
or an RST packet.</member>
<member>DNAT - Forward the request to another address (and
optionally another port).</member>
<member>DNAT- - Advanced users only. Like DNAT but only generates
the DNAT iptables rule and not the companion ACCEPT rule.</member>
<member>SAME - Similar to DNAT except that the port may not be
remapped and when multiple server addresses are listed, all requests
from a given remote system go to the same server.</member>
<member>SAME- - Advanced users only. Like SAME but only generates
the SAME iptables rule and not the companion ACCEPT rule.</member>
<member>REDIRECT - Redirect the request to a local port on the
firewall.</member>
<member>REDIRECT- - Advanced users only. Like REDIRET but only
generates the REDIRECT iptables rule and not the companion ACCEPT
rule.</member>
<member>CONTINUE - (For experts only). Do not process any of the
following rules for this (source zone,destination zone). If The
source and/or destination If the address falls into a zone defined
later in /etc/shorewall/zones, this connection request will be
passed to the rules defined for that (those) zone(s).</member>
<member>LOG - Simply log the packet and continue.</member>
<member>QUEUE - Queue the packet to a user-space application such as
ftwall (http://p2pwall.sf.net).</member>
</simplelist>
<para>The ACTION may optionally be followed by ":" and a syslog log
level (e.g, REJECT:info or DNAT:debug). This causes the packet to be
logged at the specified level.</para>
<para>(<ulink
url="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</ulink>).</para>
</listitem>
@ -360,156 +331,77 @@ Reject:REJECT #Common Action for REJECT policy</programlisting>
<para>Example:</para>
<para><filename>/etc/shorewall/actions</filename>:</para>
<para><programlisting> LogAndAccept</programlisting><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
<para><phrase><filename>/etc/shorewall/macro.LogAndAccept</filename></phrase><programlisting> LOG:info
ACCEPT</programlisting></para>
<para>To use your action, in <filename>/etc/shorewall/rules</filename> you
<para>To use your macro, in <filename>/etc/shorewall/rules</filename> you
might do something like:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc fw tcp 22</programlisting>
LogAndAccept loc $FW tcp 22</programlisting>
</section>
<section>
<title>Actions and Logging</title>
<title>Macros and Logging</title>
<para>Prior to Shorewall 2.1.2, specifying a log level (and optionally a
log tag) on a rule that specified a user-defined (or Shorewall-defined)
action would log all traffic passed to the action. Beginning with
Shorewall 2.1.2, specifying a log level in a rule that specifies a user-
or Shorewall-defined action will cause each rule in the action to be
logged with the specified level (and tag).</para>
<para>Specifying a log level in a rule that invokes a user- or
Shorewall-defined action will cause each rule in the macro to be logged
with the specified level (and tag).</para>
<para>The extent to which logging of action rules occur is governed by the
<para>The extent to which logging of macro rules occur is governed by the
following:</para>
<orderedlist>
<listitem>
<para>When you invoke an action and specify a log level, only those
rules in the action that have no log level will be changed to log at
<para>When you invoke a macro and specify a log level, only those
rules in the macro that have no log level will be changed to log at
the level specified at the action invocation.</para>
<para>Example:</para>
<para>/etc/shorewall/action.foo</para>
<para>/etc/shorewall/macro.foo</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT - - tcp 22
bar:info</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
foo:debug fw net</programlisting>
foo:debug $FW net</programlisting>
<para>Logging in the invoke 'foo' action will be as if foo had been
<para>Logging in the invokeD 'foo' macro will be as if foo had been
defined as:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT:debug - - tcp 22
bar:info</programlisting>
</listitem>
<listitem>
<para>If you follow the log level with "!" then logging will be at
that level for all rules recursively invoked by the action.</para>
that level for all rules recursively invoked by the macro.</para>
<para>Example:</para>
<para>/etc/shorewall/action.foo</para>
<para>/etc/shorewall/macro.foo</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT - - tcp 22
bar:info</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
foo:debug! fw net</programlisting>
foo:debug! $FW net</programlisting>
<para>Logging in the invoke 'foo' action will be as if foo had been
<para>Logging in the invoked 'foo' macro will be as if foo had been
defined as:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT:debug - - tcp 22
bar:debug</programlisting>
</listitem>
</orderedlist>
<para>The change in Shorewall 2.1.2 has an effect on extension scripts
used with user-defined actions. If you define an action 'acton' and you
have an <filename>/etc/shorewall/acton</filename> script then when that
script is invoked, the following three variables will be set for use by
the script:</para>
<itemizedlist>
<listitem>
<para>$CHAIN = the name of the chain where your rules are to be
placed. When logging is used on an action invocation, Shorewall
creates a chain with a slightly different name from the action
itself.</para>
</listitem>
<listitem>
<para>$LEVEL = Log level. If empty, no logging was specified.</para>
</listitem>
<listitem>
<para>$TAG = Log Tag.</para>
</listitem>
</itemizedlist>
<para>Example:</para>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST
acton:info:test fw net</programlisting>
<para>Your /etc/shorewall/acton file will be run with:</para>
<itemizedlist>
<listitem>
<para>$CHAIN="%acton1"</para>
</listitem>
<listitem>
<para>$LEVEL="info"</para>
</listitem>
<listitem>
<para>$TAG="test"</para>
</listitem>
</itemizedlist>
<para>For an example of how to use these variables, see <ulink
url="PortKnocking.html">this article</ulink>.</para>
</section>
<section id="Extension">
<title>Creating an Action using an Extension Script</title>
<para>There may be cases where you wish to create a chain with rules that
can't be constructed using the tools defined in the action.template. In
that case, you can use an extension script.<note>
<para>If you actually need an action to drop broadcast packets, use
the <command>dropBcast</command> standard action rather than create
one like this.</para>
</note></para>
<example>
<title>An action to drop all broadcast packets</title>
<para>/etc/shorewall/actions<programlisting>DropBcasts</programlisting></para>
<para>/etc/shorewall/action.DropBcasts<programlisting># This file is empty</programlisting></para>
<para>/etc/shorewall/DropBcasts<programlisting>run_iptables -A DropBcasts -m pkttype --pkttype broadcast -j DROP</programlisting></para>
</example>
<para>For a richer example, see <ulink url="PortKnocking.html">this
article</ulink>.</para>
</section>
</article>

8
Shorewall-docs2/PortKnocking.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-06-26</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2005</year>
@ -97,13 +97,13 @@ run_iptables -A $CHAIN -p tcp --dport 1601 -m recent --nam
<filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSHKnock net fw tcp 22,1599,1600,1601</programlisting>
SSHKnock net $FW tcp 22,1599,1600,1601</programlisting>
<para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you
can just add a log level as in:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSHKnock:info net fw tcp 22,1599,1600,1601</programlisting>
SSHKnock:info net $FW tcp 22,1599,1600,1601</programlisting>
</listitem>
<listitem>
@ -115,7 +115,7 @@ SSHKnock:info net fw tcp 22,1599,1600,1601<
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
DNAT- net loc:192.168.1.5 tcp 22 - 206.124.146.178
SSHKnock net fw tcp 1599,1600,1601
SSHKnock net $FW tcp 1599,1600,1601
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>
<note>

12
Shorewall-docs2/Shorewall_Squid_Usage.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-06-01</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2003-2005</year>
@ -150,7 +150,7 @@
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
REDIRECT loc 3128 tcp www - !206.124.146.177
ACCEPT fw net tcp www</programlisting>
ACCEPT $FW net tcp www</programlisting>
<para>There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want
@ -218,7 +218,7 @@ fi</command> </programlisting>
<para>Add this entry to your /etc/shorewall/providers file.</para>
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
Squid 1 202 - eth1 192.168.1.3 -</programlisting>
Squid 1 202 - eth1 192.168.1.3 loose</programlisting>
</listitem>
</orderedlist>
@ -308,8 +308,8 @@ ACCEPT SZ net tcp 80,443</programlisting>
<quote>loc</quote> zone:</title>
<para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc fw tcp 8080
ACCEPT fw net tcp 80,443</programlisting></para>
ACCEPT loc $FW tcp 8080
ACCEPT $FW net tcp 80,443</programlisting></para>
</example>
</section>
</article>
</article>

4
Shorewall-docs2/Shorewall_and_Kazaa.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-09-03</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2003-2005</year>
@ -56,7 +56,7 @@
<programlisting> #ACTION SOURCE DEST PROTO
QUEUE loc net tcp
QUEUE loc net udp
QUEUE loc fw udp</programlisting>
QUEUE loc $FW udp</programlisting>
<para>Now simply configure ftwall as described in the ftwall documentation
and restart Shorewall.</para>

6
Shorewall-docs2/UPnP.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-05-16</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2005</year>
@ -109,7 +109,7 @@ net eth1 detect dhcp,routefilter,norfc1918,tcpflags,<emp
rule:</para>
<programlisting>#ACTION SOURCE DEST
allowoutUPnP fw loc</programlisting>
allowoutUPnP $FW loc</programlisting>
<note>
<para>To use 'allowoutUPnP', your iptables and kernel must support the
@ -121,7 +121,7 @@ allowoutUPnP fw loc</programlisting>
rule:</para>
<programlisting>#ACTION SOURCE DEST
allowinUPnP loc fw</programlisting>
allowinUPnP loc $FW</programlisting>
<para>You MUST have this rule:</para>

12
Shorewall-docs2/User_defined_Actions.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-01-14</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2003</year>
@ -257,7 +257,7 @@
might do something like:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc fw tcp 22</programlisting>
LogAndAccept loc $FW tcp 22</programlisting>
<para>Prior to Shorewall 2.1.2, specifying a log level (and optionally a
log tag) on a rule that specified a user-defined (or Shorewall-defined)
@ -286,7 +286,7 @@ bar:info</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
foo:debug fw net</programlisting>
foo:debug $FW net</programlisting>
<para>Logging in the invoke 'foo' action will be as if foo had been
defined as:</para>
@ -311,7 +311,7 @@ bar:info</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
foo:debug! fw net</programlisting>
foo:debug! $FW net</programlisting>
<para>Logging in the invoke 'foo' action will be as if foo had been
defined as:</para>
@ -350,7 +350,7 @@ bar:debug</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST
acton:info:test fw net</programlisting>
acton:info:test $FW net</programlisting>
<para>Your /etc/shorewall/acton file will be run with:</para>
@ -383,7 +383,7 @@ acton:info:test fw net</programlisting>
your firewall. In <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO ...
AllowFTP loc fw</programlisting>
AllowFTP loc $FW</programlisting>
</example>
<para><filename>/usr/share/shorewall/actions.std</filename> is processed

6
Shorewall-docs2/configuration_file_basics.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-08-28</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2001-2005</year>
@ -230,7 +230,7 @@
<title>Comments in a Configuration File</title>
<programlisting># This is a comment
ACCEPT net fw tcp www #This is an end-of-line comment</programlisting>
ACCEPT net $FW tcp www #This is an end-of-line comment</programlisting>
</example>
</section>
@ -244,7 +244,7 @@ ACCEPT net fw tcp www #This is an end-of-line comment</program
<example>
<title>Line Continuation</title>
<programlisting>ACCEPT net fw tcp \
<programlisting>ACCEPT net $FW tcp \
smtp,www,pop3,imap #Services running on the firewall</programlisting>
</example>
</section>

4
Shorewall-docs2/ipsets.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-07-27</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2005</year>
@ -112,7 +112,7 @@
<para>Example 2: Allow SSH from all hosts in an ipset named "sshok:</para>
<para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT +sshok fw tcp 22</programlisting></para>
ACCEPT +sshok $FW tcp 22</programlisting></para>
<para>Shorewall can automatically manage the contents of your ipsets for
you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf then

90
Shorewall-docs2/myfiles.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-04-15</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2001-2005</year>
@ -333,7 +333,7 @@ $WIFI_IF 192.168.3.0/24
<blockquote>
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
fw fw ACCEPT
$FW $FW ACCEPT
loc net ACCEPT
$FW vpn ACCEPT
vpn net ACCEPT
@ -342,14 +342,14 @@ sec vpn ACCEPT
vpn sec ACCEPT
sec loc ACCEPT
loc sec ACCEPT
fw sec ACCEPT
$FW sec ACCEPT
sec net ACCEPT
Wifi sec NONE
sec Wifi NONE
fw Wifi ACCEPT
$FW Wifi ACCEPT
loc vpn ACCEPT
$FW loc ACCEPT
loc fw REJECT $LOG
loc $FW REJECT $LOG
net all DROP $LOG 10/sec:40
all all REJECT $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
@ -514,23 +514,23 @@ REDIRECT sec 3128 tcp
#####
# Local Network to Firewall
#
DROP loc:!192.168.0.0/22 fw # Silently drop traffic with an HP source IP from my XP box
ACCEPT loc fw tcp ssh,time,631,8080
ACCEPT loc fw udp 161,ntp,631
DROP loc fw tcp 3185 #SuSE Meta pppd
DROP loc:!192.168.0.0/22 $FW # Silently drop traffic with an HP source IP from my XP box
ACCEPT loc $FW tcp ssh,time,631,8080
ACCEPT loc $FW udp 161,ntp,631
DROP loc $FW tcp 3185 #SuSE Meta pppd
##########################################################################################################################################################################
#####
# Secure wireless to Firewall
#
ACCEPT sec fw tcp ssh,time,631,8080
ACCEPT sec fw udp 161,ntp,631
DROP sec fw tcp 3185 #SuSE Meta pppd
ACCEPT sec $FW tcp ssh,time,631,8080
ACCEPT sec $FW udp 161,ntp,631
DROP sec $FW tcp 3185 #SuSE Meta pppd
##########################################################################################################################################################################
#####
# Roadwarriors to Firewall
#
ACCEPT vpn fw tcp ssh,time,631,8080
ACCEPT vpn fw udp 161,ntp,631
ACCEPT vpn $FW tcp ssh,time,631,8080
ACCEPT vpn $FW udp 161,ntp,631
##########################################################################################################################################################################
#####
# Local Network to DMZ
@ -561,7 +561,7 @@ ACCEPT vpn dmz tcp
#####
# Internet to ALL -- drop NewNotSyn packets
#
dropNotSyn net fw tcp
dropNotSyn net $FW tcp
dropNotSyn net loc tcp
dropNotSyn net dmz tcp
@ -632,10 +632,10 @@ ACCEPT:$LOG dmz net tcp
#####
# DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp 161,ssh
ACCEPT dmz fw udp 161
REJECT dmz fw tcp auth
ACCEPT dmz $FW udp ntp ntp
ACCEPT dmz $FW tcp 161,ssh
ACCEPT dmz $FW udp 161
REJECT dmz $FW tcp auth
##########################################################################################################################################################################
#####
# DMZ to Local Network
@ -647,29 +647,29 @@ ACCEPT dmz:206.124.146.177 loc:192.168.1.5 udp
#####
# Internet to Firewall
#
REJECT net fw tcp www,ftp,https
REJECT net $FW tcp www,ftp,https
ACCEPT net dmz udp 33434:33454
ACCEPT net:$OMAK fw udp ntp
ACCEPT net:$OMAK fw tcp 22 #SSH from Omak
ACCEPT net:$OMAK $FW udp ntp
ACCEPT net:$OMAK $FW tcp 22 #SSH from Omak
##########################################################################################################################################################################
#####
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp ntp
#ACCEPT fw net:$POPSERVERS tcp pop3
ACCEPT fw net udp domain
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT fw net udp 33435:33535
ACCEPT fw net icmp
REJECT:$LOG fw net udp 1025:1031
DROP fw net udp ntp
ACCEPT $FW net:$NTPSERVERS udp ntp ntp
#ACCEPT $FW net:$POPSERVERS tcp pop3
ACCEPT $FW net udp domain
ACCEPT $FW net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT $FW net udp 33435:33535
ACCEPT $FW net icmp
REJECT:$LOG $FW net udp 1025:1031
DROP $FW net udp ntp
##########################################################################################################################################################################
#####
# Firewall to DMZ
#
ACCEPT fw dmz tcp www,ftp,ssh,smtp,993,465
ACCEPT fw dmz udp domain
REJECT fw dmz udp 137:139
ACCEPT $FW dmz tcp www,ftp,ssh,smtp,993,465
ACCEPT $FW dmz udp domain
REJECT $FW dmz udp 137:139
##########################################################################################################################################################################
#####
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
@ -883,9 +883,9 @@ net Net Internet
<blockquote>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT
fw home ACCEPT
home fw ACCEPT
$FW net ACCEPT
$FW home ACCEPT
home $FW ACCEPT
net home NONE
home net NONE
net all DROP info
@ -932,9 +932,9 @@ home eth0:0.0.0.0/0
<blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT net fw icmp 8
ACCEPT net fw tcp 22
ACCEPT net fw tcp 4000:4100
ACCEPT net $FW icmp 8
ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 4000:4100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -1021,9 +1021,9 @@ net Net Internet
<blockquote>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT
fw home ACCEPT
home fw ACCEPT
$FW net ACCEPT
$FW home ACCEPT
home $FW ACCEPT
net home NONE
home net NONE
net all DROP info
@ -1050,9 +1050,9 @@ home tun0 -
<blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT net fw icmp 8
ACCEPT net fw tcp 22
ACCEPT net fw tcp 4000:4100
ACCEPT net $FW icmp 8
ACCEPT net $FW tcp 22
ACCEPT net $FW tcp 4000:4100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>

6
Shorewall-docs2/ping.xml
View File

@ -13,7 +13,7 @@
</author>
</authorgroup>
<pubdate>2005-08-31</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2001-2005</year>
@ -64,7 +64,7 @@ Ping/ACCEPT z1 z2</programlisting>
<para>To permit ping from the local zone to the firewall:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/ACCEPT loc fw</programlisting>
Ping/ACCEPT loc $FW</programlisting>
</example>
<para>If you would like to accept <quote>ping</quote> by default even when
@ -89,7 +89,7 @@ Ping/DROP z1 z2</programlisting>
<filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/DROP net fw</programlisting>
Ping/DROP net $FW</programlisting>
</example>
<para>Note that the above rule may be used without changing the action

6
Shorewall-docs2/samba.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-08-31</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2002</year>
@ -43,8 +43,8 @@
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
# PORT(S)
SMB/ACCEPT fw loc
SMB/ACCEPT loc fw</programlisting>
SMB/ACCEPT $FW loc
SMB/ACCEPT loc $FW</programlisting>
<para>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</para>

6
Shorewall-docs2/shorewall_logging.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-03-04</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2001 - 2005</year>
@ -68,7 +68,7 @@
<para>The packet matches a rule in <ulink
url="Documentation.htm#Rules">/etc/shorewall/rules</ulink>. By
including a syslog level (see below) in the ACTION column of a rule
(e.g., <quote>ACCEPT<emphasis role="bold">:info</emphasis> net fw tcp
(e.g., <quote>ACCEPT<emphasis role="bold">:info</emphasis> net $FW tcp
22</quote>), the connection attempt will be logged at that
level.</para>
</listitem>
@ -231,7 +231,7 @@ rules:REJECT:$LOG loc net
rules:REJECT:$LOG loc net udp 1025:1031
rules:REJECT:$LOG dmz net udp 1025:1031
rules:ACCEPT:$LOG dmz net tcp 1024: 20
rules:REJECT:$LOG fw net udp 1025:1031
rules:REJECT:$LOG $FW net udp 1025:1031
shorewall.conf:LOGFILE=/var/log/shorewall
shorewall.conf:LOGUNCLEAN=$LOG
shorewall.conf:LOGNEWNOTSYN=$LOG

32
Shorewall-docs2/shorewall_setup_guide.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-09-04</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2001-2005</year>
@ -145,7 +145,7 @@
<term>net</term>
<listitem>
<para>The public Internet. </para>
<para>The public Internet.</para>
</listitem>
</varlistentry>
@ -184,8 +184,10 @@ dmz plain</programlisting>
<para>Note that Shorewall recognizes the firewall system as its own zone -
The above example follows the usual convention of naming the Firewall zone
<emphasis role="bold">fw</emphasis>. In this guide, the name <emphasis
role="bold">fw</emphasis> will be used. With the exception of the name
<emphasis role="bold">fw</emphasis>. The name specified for the firewall
zone (<emphasis role="bold">fw</emphasis> in the above example) is stored
in the shell variable <firstterm>$FW</firstterm> when the
/etc/shorewall/zones file is processed. With the exception of the name
assigned to the firewall zone, Shorewall attaches absolutely no meaning to
zone names. Zones are entirely what YOU make of them. That means that you
should not expect Shorewall to do something special <quote>because this is
@ -418,7 +420,7 @@ net eth0 detect rfc1918
loc eth1 detect
dmz eth2 detect</programlisting>
<para>Note that the <emphasis role="bold">fw</emphasis> zone has no entry
<para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry
in the /etc/shorewall/interfaces file.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
@ -1698,7 +1700,7 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
<note>
<para>Shorewall has a <ulink url="Macros.html">macro facility</ulink>
that includes macros for many standard applications. This section does
not use those macros but rather defines the rules directly. </para>
not use those macros but rather defines the rules directly.</para>
</note>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
@ -1738,7 +1740,7 @@ ACCEPT loc dmz:192.0.2.178 tcp smtp #Mail from local
#Network
ACCEPT loc dmz:192.0.2.178 tcp pop3 #Pop3 from local
#Network
ACCEPT fw dmz:192.0.2.178 tcp smtp #Mail from the
ACCEPT $FW dmz:192.0.2.178 tcp smtp #Mail from the
#Firewall
ACCEPT dmz:192.0.2.178 net tcp smtp #Mail to the
#Internet
@ -1763,9 +1765,9 @@ ACCEPT loc dmz:192.0.2.177 udp domain #UDP DNS from
#Local Network
ACCEPT loc dmz:192.0.2.177 tcp domain #TCP DNS from
#Local Network
ACCEPT fw dmz:192.0.2.177 udp domain #UDP DNS from
ACCEPT $FW dmz:192.0.2.177 udp domain #UDP DNS from
#the Firewall
ACCEPT fw dmz:192.0.2.177 tcp domain #TCP DNS from
ACCEPT $FW dmz:192.0.2.177 tcp domain #TCP DNS from
#the Firewall
ACCEPT dmz:192.0.2.177 net udp domain #UDP DNS to
#the Internet
@ -1780,7 +1782,7 @@ ACCEPT dmz:192.0.2.177 net tcp domain #TCPP DNS to
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
# PORT(S)
ACCEPT loc dmz tcp ssh #SSH to the DMZ
ACCEPT net fw tcp ssh #SSH to the
ACCEPT net $FW tcp ssh #SSH to the
#Firewall</programlisting>
</section>
@ -1860,7 +1862,7 @@ ACCEPT loc dmz:192.0.2.178 tcp smtp #Mail from local
#Network
ACCEPT loc dmz:192.0.2.178 tcp pop3 #Pop3 from local
#Network
ACCEPT fw dmz:192.0.2.178 tcp smtp #Mail from the
ACCEPT $FW dmz:192.0.2.178 tcp smtp #Mail from the
#Firewall
ACCEPT dmz:192.0.2.178 net tcp smtp #Mail to the
#Internet
@ -1879,16 +1881,16 @@ ACCEPT loc dmz:192.0.2.177 udp domain #UDP DNS from
#Local Network
ACCEPT loc dmz:192.0.2.177 tcp domain #TCP DNS from
#Local Network
ACCEPT fw dmz:192.0.2.177 udp domain #UDP DNS from
ACCEPT $FW dmz:192.0.2.177 udp domain #UDP DNS from
#the Firewall
ACCEPT fw dmz:192.0.2.177 tcp domain #TCP DNS from
ACCEPT $FW dmz:192.0.2.177 tcp domain #TCP DNS from
#the Firewall
ACCEPT dmz:192.0.2.177 net udp domain #UDP DNS to
#the Internet
ACCEPT dmz:192.0.2.177 net tcp domain #TCPP DNS to
#the Internet
ACCEPT loc dmz tcp ssh #SSH to the DMZ
ACCEPT net fw tcp ssh #SSH to the
ACCEPT net $FW tcp ssh #SSH to the
#Firewall</programlisting>
</section>
</section>
@ -2339,7 +2341,7 @@ foobar.net. 86400 IN A 192.0.2.177
external IP address does not mean that the request will be associated
with the external interface or the <quote>net</quote> zone. Any
traffic that you generate from the local network will be associated
with your local interface and will be treated as loc-&gt;fw
with your local interface and will be treated as loc-&gt;$FW
traffic.</para>
</listitem>

39
Shorewall-docs2/standalone.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-07-12</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2002-2005</year>
@ -164,18 +164,21 @@
<para>Shorewall views the network where it is running as being composed of
a set of <emphasis>zones</emphasis>. In the one-interface sample
configuration, only one zone is defined:</para>
configuration, only two zones are defined:</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
net</programlisting>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net plain</programlisting>
<para>Shorewall zones are defined in <ulink
url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink>.</para>
<para>Shorewall also recognizes the firewall system as its own zone - by
default, the firewall itself is known as <emphasis
role="bold">fw</emphasis>.</para>
<para>Note that Shorewall recognizes the firewall system as its own zone.
The name of the firewall zone (<emphasis role="bold">fw</emphasis> in the
above example) is stored in the shell variable <firstterm>$FW</firstterm>
which may be used throughout the rest of the Shorewall configuration to
refer to the firewall itself.</para>
<para>Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones.</para>
@ -210,7 +213,7 @@ net</programlisting>
the one-interface sample has the following policies:</para>
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT
$FW net ACCEPT
net all DROP info
all all REJECT info</programlisting>
@ -319,15 +322,15 @@ all all REJECT info</programlisting>
rule in <filename>/etc/shorewall/rules</filename> is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
&lt;<emphasis>action</emphasis>&gt; net fw</programlisting>
&lt;<emphasis>action</emphasis>&gt; net $FW</programlisting>
<example>
<title>You want to run a Web Server and a IMAP Server on your firewall
system:</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Web/ACCEPT net fw
IMAP/ACCEPT net fw</programlisting>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Web/ACCEPT net $FW
IMAP/ACCEPT net $FW</programlisting>
</example>
<para>You may also choose to code your rules directly without using the
@ -337,15 +340,15 @@ IMAP/ACCEPT net fw</programlisting>
is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net fw <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>
ACCEPT net $FW <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>
<example>
<title>You want to run a Web Server and a IMAP Server on your firewall
system:</title>
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net fw tcp 80
ACCEPT net fw tcp 143</programlisting></para>
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 143</programlisting></para>
</example>
<para>If you don't know what port and protocol a particular application
@ -356,8 +359,8 @@ ACCEPT net fw tcp 143</programlisting></para>
uses clear text (even for login!). If you want shell access to your
firewall from the internet, use SSH:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SSH/ACCEPT net fw </programlisting>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SSH/ACCEPT net $FW </programlisting>
</important>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

64
Shorewall-docs2/three-interface.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-09-07</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2002-2005</year>
@ -202,15 +202,19 @@
a set of zones. In the three-interface sample configuration, the following
zone names are used:</para>
<para><programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
net
loc
dmz</programlisting>Zone names are defined in
<para><programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net plain
loc plain
dmz plain</programlisting>Zone names are defined in
<filename>/etc/shorewall/zones</filename>.</para>
<para>Shorewall also recognizes the firewall system as its own zone - by
default, the firewall itself is known as <varname>fw</varname>.</para>
<para>Note that Shorewall recognizes the firewall system as its own zone.
When the /etc/shorewall/zones file is processed, he name of the firewall
zone is stored in the shell variable <firstterm>$FW</firstterm> which may
be used throughout the Shorewall configuration to refer to the firewall
zone.</para>
<para>Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones.</para>
@ -252,7 +256,7 @@ all all REJECT info</programlisting>
servers on the internet, uncomment that line.</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT</programlisting>
$FW net ACCEPT</programlisting>
</important>
<para>The above policy will:</para>
@ -721,12 +725,12 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
<filename>/etc/shorewall/rules</filename>.</para>
</listitem>
</itemizedlist> If you run the name server on the firewall:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT loc fw
DNS/ACCEPT dmz fw </programlisting> Run name server on DMZ
computer 1: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT loc $FW
DNS/ACCEPT dmz $FW </programlisting> Run name server on DMZ
computer 1: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT loc dmz:10.10.11.1
DNS/ACCEPT fw dmz:10.10.11.1 </programlisting></para>
DNS/ACCEPT $FW dmz:10.10.11.1 </programlisting></para>
<para>In the rules shown above, <quote>AllowDNS</quote> is an example of a
<emphasis>defined action</emphasis>. Shorewall includes a number of
@ -744,10 +748,10 @@ DNS/ACCEPT fw dmz:10.10.11.1 </programlisting></para>
firewall) could also have been coded as follows:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
ACCEPT dmz fw tcp 53
ACCEPT dmz fw udp 53 </programlisting>
ACCEPT loc $FW tcp 53
ACCEPT loc $FW udp 53
ACCEPT dmz $FW tcp 53
ACCEPT dmz $FW udp 53 </programlisting>
<para>In cases where Shorewall doesn't include a defined action to meet
your needs, you can either define the action yourself or you can simply
@ -758,14 +762,14 @@ ACCEPT dmz fw udp 53 </programlist
<title>Other Connections</title>
<para>The three-interface sample includes the following rule:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT fw net </programlisting>That rule allow DNS access
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT $FW net </programlisting>That rule allow DNS access
from your firewall and may be removed if you commented out the line in
<filename>/etc/shorewall/policy</filename> allowing all connections from
the firewall to the Internet.</para>
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT loc fw
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT loc $FW
SSH/ACCEPT loc dmz </programlisting>Those rules allow you to run
an SSH server on your firewall and in each of your DMZ systems and to
connect to those servers from your local systems.</para>
@ -784,14 +788,14 @@ ACCEPT <emphasis>&lt;source zone&gt; &lt;destination zone&gt; &lt;protocol&g
<para>Using defined macros:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT net fw</programlisting>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT net $FW</programlisting>
<para>Not using defined actions:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net fw tcp 53
ACCEPT net fw udp 53 </programlisting>
ACCEPT net $FW tcp 53
ACCEPT net $FW udp 53 </programlisting>
<para>Those rules would of course be in addition to the rules listed
above under "If you run the name server on your firewall".</para>
@ -803,15 +807,15 @@ ACCEPT net fw udp 53 </programlisting>
<important>
<para>I don't recommend enabling telnet to/from the Internet because it
uses clear text (even for login!). If you want shell access to your
firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT net fw</programlisting></para>
firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT net $FW</programlisting></para>
</important>
<para><inlinegraphic fileref="images/leaflogo.gif" format="GIF" /> Bering
users will want to add the following two rules to be compatible with
Jacques's Shorewall configuration: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc fw udp 53
ACCEPT net fw tcp 80 </programlisting><itemizedlist>
ACCEPT loc $FW udp 53
ACCEPT net $FW tcp 80 </programlisting><itemizedlist>
<listitem>
<para>Entry 1 allows the DNS Cache to be used.</para>
</listitem>

6
Shorewall-docs2/traffic_shaping.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-05-20</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2001-2005</year>
@ -294,7 +294,7 @@
<para>Examples <programlisting> eth0
192.168.2.4,192.168.1.0/24</programlisting></para>
<para>Beginning with Shorewall version 2.2.2, "$fw" may be optionally
<para>Beginning with Shorewall version 2.2.2, "$FW" may be optionally
followed by a colon (":") and a host/net address or an address
range.</para>
</listitem>
@ -379,7 +379,7 @@
1 eth1 0.0.0.0/0 all
2 eth2 0.0.0.0/0 all
2 eth3 0.0.0.0/0 all
3 fw 0.0.0.0/0 all</programlisting>
3 $FW 0.0.0.0/0 all</programlisting>
</example>
<example>

53
Shorewall-docs2/two-interface.xml
View File

@ -12,7 +12,7 @@
<surname>Eastep</surname>
</author>
<pubdate>2005-08-31</pubdate>
<pubdate>2005-09-12</pubdate>
<copyright>
<year>2002-</year>
@ -223,9 +223,10 @@ loc</programlisting> Zones are defined in the <ulink
class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
file.</para>
<para>Shorewall also recognizes the firewall system as its own zone - by
default, the firewall itself is known as <emphasis
role="bold"><varname>fw</varname></emphasis>.</para>
<para>Note that Shorewall recognizes the firewall system as its own zone -
when the /etc/shorewall/zones file is processed, the name of the firewall
zone is stored in the shell variable $FW which may be used to refer to the
firewall zone throughout the Shorewall configuration.</para>
<para>Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones. <itemizedlist spacing="compact">
@ -265,7 +266,7 @@ all all REJECT info</programlisting> In the two-interface
sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT</programlisting> The above policy will:
$FW net ACCEPT</programlisting> The above policy will:
<itemizedlist>
<listitem>
<para>Allow all connection requests from your local network to the
@ -586,10 +587,10 @@ fw net ACCEPT</programlisting> The above policy will:
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>Shorewall
has macros for many popular applications. Look at
/usr/share/shorewall/macro.* to see what is available in your release.
Macros simplify creating DNAT rules by supplying the protocol and port(s)
as shown in the following examples.</para>
has <ulink url="Macros.html">macros</ulink> for many popular applications.
Look at /usr/share/shorewall/macro.* to see what is available in your
release. Macros simplify creating DNAT rules by supplying the protocol and
port(s) as shown in the following examples.</para>
<para><example label="1">
<title>Web Server</title>
@ -685,7 +686,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
in <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>.
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT loc fw</programlisting></para>
DNS/ACCEPT loc $FW</programlisting></para>
</listitem>
</itemizedlist></para>
</section>
@ -695,48 +696,44 @@ DNS/ACCEPT loc fw</programlisting></para>
<para>The two-interface sample includes the following rules:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT fw net</programlisting>This rule allows
DNS/ACCEPT $FW net</programlisting>This rule allows
<acronym>DNS</acronym> access from your firewall and may be removed if you
uncommented the line in <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename>
allowing all connections from the firewall to the internet.</para>
<para>In the rule shown above, <quote>DNS/ACCEPT</quote> is an example of
a <emphasis>defined action</emphasis>. Shorewall includes a number of
defined actions and <ulink url="Actions.html">you can add your
own</ulink>. To see the list of actions included with your version of
Shorewall, look in the file
<filename>/usr/share/shorewall/actions.std</filename>. Those actions that
accept connection requests have names that begin with
<quote>Allow</quote>.</para>
a <emphasis>macro invocation</emphasis>. Shorewall includes a number of
macros (see <filename>/usr/share/shorewall/macro.*</filename>) and <ulink
url="Macros.html">you can add your own</ulink>.</para>
<para>You don't have to use defined macros when coding a rule in
<filename>/etc/shorewall/rules</filename>; Shorewall will start slightly
faster if you code your rules directly rather than using macros. The the
rule shown above could also have been coded as follows:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT fw net udp 53
ACCEPT fw net tcp 53</programlisting></para>
ACCEPT $FW net udp 53
ACCEPT $FW net tcp 53</programlisting></para>
<para>In cases where Shorewall doesn't include a defined action to meet
your needs, you can either define the action yourself or you can simply
code the appropriate rules directly.</para>
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT loc fw</programlisting> That rule allows you to run an
SSH/ACCEPT loc </programlisting>$FWThat rule allows you to run an
<acronym>SSH</acronym> server on your firewall and connect to that server
from your local systems.</para>
<para>If you wish to enable other connections from your firewall to other
systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
&lt;macro&gt;/ACCEPT fw <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The
&lt;macro&gt;/ACCEPT $FW <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The
general format when not using defined actions is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT fw <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example>
ACCEPT $FW <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example>
<title>Web Server on Firewall</title>
<para>You want to run a Web Server on your firewall system:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Web/ACCEPT net fw
Web/ACCEPT loc fw</programlisting> Those two rules would of course be
Web/ACCEPT net $FW
Web/ACCEPT loc </programlisting>$FWThose two rules would of course be
in addition to the rules listed above under <quote><link
linkend="cachingdns">You can configure a Caching Name Server on your
firewall</link></quote>.</para>
@ -748,12 +745,12 @@ Web/ACCEPT loc fw</programlisting> Those two rules would of course be
<acronym>SSH</acronym>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT net fw</programlisting>
SSH/ACCEPT net $FW</programlisting>
</important> <inlinegraphic fileref="images/leaflogo.gif"
format="GIF" />Bering users will want to add the following two rules to be
compatible with Jacques's Shorewall configuration.<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc fw udp 53 #Allow DNS Cache to work
ACCEPT loc fw tcp 80 #Allow Weblet to work</programlisting>
ACCEPT loc $FW udp 53 #Allow DNS Cache to work
ACCEPT loc $FW tcp 80 #Allow Weblet to work</programlisting>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>Now edit your <filename