Documentation improvements

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7031 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-08-02 22:09:56 +00:00
parent 981e337c41
commit 2aee7f135a
4 changed files with 129 additions and 92 deletions

View File

@ -231,10 +231,11 @@
<caution>
<para>If you want to be able to allow non-root users to manage
remote filewall systems, then the file
remote filewall systems, then the files
<filename>/etc/shorewall/params</filename> and
<filename>/etc/shorewall/shorewall.conf</filename> must be readable
by all users on the administrative system. Not all packages secure
the file that way and you may have to change the file permissions
the files that way and you may have to change the file permissions
yourself. /sbin/shorewall uses the SHOREWALL_SHELL setting from
<filename>/etc/shorewall/shorewall.conf</filename> to determine the
shell to use when compiling programs and it uses the VERBOSITY
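Review bot: the replacement line still reads "remote filewall systems"; since this line is being rewritten anyway, fix the typo to "firewall". Separately, the caution asks for /etc/shorewall/params and /etc/shorewall/shorewall.conf to be readable by all users on the administrative system, which loosens permissions; the caution could add that those files should then contain nothing secret, or suggest making them readable only by an administrators group rather than by every user.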
@ -330,7 +331,7 @@
<command>/sbin/shorewall load firewall</command></programlisting>
<para>The <ulink
url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
url="manpages/shorewall.html"><command>load</command></ulink>
command compiles a firewall script from the configuration files
in the current working directory (using <command>shorewall
compile -e</command>), copies that file to the remote system via
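Review bot: the new ulink target manpages/shorewall.html drops the #Load fragment, so readers land at the top of the manpage instead of at the load command; if the manpage defines an anchor for load, link to it, otherwise keep the section-specific link.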
@ -374,7 +375,7 @@
<command>/sbin/shorewall reload firewall</command></programlisting>
<para>The <ulink
url="starting_and_stopping_shorewall.htm#Reload"><command>reload</command></ulink>
url="manpages/shorewall.html"><command>reload</command></ulink>
command compiles a firewall script from the configuration files in the
current working directory (using <command>shorewall compile
-e</command>), copies that file to the remote system via scp and
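Review bot: as with the load link above, manpages/shorewall.html without a fragment loses the direct jump to the reload command that #Reload provided; add the manpage anchor for reload if one exists.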
@ -771,31 +772,37 @@ clean:
file:</para>
<blockquote>
<programlisting>NAT_ENABLED=Yes # NAT
MANGLE_ENABLED=Yes # Packet Mangling
MULTIPORT=Yes # Multi-port Match
XMULTIPORT=Yes # Extended Multi-port Match
CONNTRACK_MATCH=Yes # Connection Tracking Match
USEPKTTYPE= # Packet Type Match
POLICY_MATCH=Yes # Policy Match
PHYSDEV_MATCH=Yes # Physdev Match
LENGTH_MATCH=Yes # Packet Length Match
IPRANGE_MATCH=Yes # IP range Match
RECENT_MATCH=Yes # Recent Match
OWNER_MATCH=Yes # Owner match
IPSET_MATCH= # Ipset Match
CONNMARK=Yes # CONNMARK Target
XCONNMARK=Yes # Extended CONNMARK Target
CONNMARK_MATCH=Yes # Connmark Match
XCONNMARK_MATCH=Yes # Extended Connmark Match
RAW_TABLE=Yes # Raw Table
IPP2P_MATCH= # IPP2P Match
CLASSIFY_TARGET=Yes # CLASSIFY Target
ENHANCED_REJECT=Yes # Extended REJECT
KLUDGEFREE= # iptables accepts multiple "-m iprange" or "-m physdev" in a single command
MARK=Yes # MARK Target Support
XMARK=YES # Extended MARK Target Support
MANGLE_FORWARD # Mangle table has FORWARD chain</programlisting>
<programlisting>#
# Shorewall detected the following iptables/netfilter capabilities - Fri Jul 27 14:22:31 PDT 2007
#
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
MULTIPORT=Yes
XMULTIPORT=Yes
CONNTRACK_MATCH=Yes
USEPKTTYPE=Yes
POLICY_MATCH=Yes
PHYSDEV_MATCH=Yes
LENGTH_MATCH=Yes
IPRANGE_MATCH=Yes
RECENT_MATCH=Yes
OWNER_MATCH=Yes
IPSET_MATCH=
CONNMARK=Yes
XCONNMARK=Yes
CONNMARK_MATCH=Yes
XCONNMARK_MATCH=Yes
RAW_TABLE=Yes
IPP2P_MATCH=
CLASSIFY_TARGET=Yes
ENHANCED_REJECT=Yes
KLUDGEFREE=Yes
MARK=Yes
XMARK=Yes
MANGLE_FORWARD=Yes
COMMENTS=Yes
ADDRTYPE=Yes
CAPVERSION=30405</programlisting>
</blockquote>
<para>As you can see, the file contains a simple list of shell variable
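Review bot: the new capabilities listing drops the per-variable comments the old listing carried (e.g. "# Packet Mangling", "# Owner match") and adds COMMENTS, ADDRTYPE and CAPVERSION with no description, while the following paragraph only says the file is a simple list of shell variable assignments; either keep the comments or add a sentence on what CAPVERSION means. The old listing's "XMARK=YES" and the "MANGLE_FORWARD" line missing its "=" are corrected here, which is good, since the old sample would not have been a valid assignment when sourced.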
@ -876,4 +883,4 @@ MANGLE_FORWARD # Mangle table has FORWARD chain</programlisting
is the level specified in the shorewall.conf file used when then program
was compiled.</para>
</section>
</article>
</article>
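Review bot: this hunk changes only the closing </article> line with no visible textual difference, presumably trailing whitespace or a missing end-of-file newline; fine, but the unchanged context line "used when then program was compiled" has a typo ("the program") worth fixing in the same commit.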

View File

@ -182,29 +182,26 @@
</row>
<row>
<entry><ulink url="ECN.html">ECN Disabling by host or
subnet</ulink></entry>
<entry><ulink url="two-interface.htm#DNAT">DNAT</ulink> (Port
Forwarding)</entry>
<entry><ulink url="starting_and_stopping_shorewall.htm">Operating
Shorewall</ulink></entry>
<entry><ulink
url="troubleshoot.htm">Troubleshooting</ulink></entry>
</row>
<row>
<entry><ulink url="shorewall_extension_scripts.htm">Extension
Scripts</ulink> (User Exits)</entry>
<entry><ulink url="PacketMarking.html">Packet
Marking</ulink></entry>
<entry><ulink url="UPnP.html">UPnP</ulink></entry>
</row>
<row>
<entry><ulink
url="fallback.htm">Fallback/Uninstall</ulink></entry>
<entry><ulink url="ECN.html">ECN Disabling by host or
subnet</ulink></entry>
<entry><ulink url="PacketMarking.html">Packet
Marking</ulink></entry>
</row>
<row>
<entry><ulink url="shorewall_extension_scripts.htm">Extension
Scripts</ulink> (User Exits)</entry>
<entry><ulink url="PacketHandling.html">Packet Processing in a
Shorewall-based Firewall</ulink></entry>
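Review bot: the reshuffled rows relabel the two-interface.htm#DNAT entry from "DNAT (Port Forwarding)" to "Port Forwarding" and move it, which helps alphabetical lookup, but "Operating Shorewall" and "Troubleshooting" appear in this hunk and nowhere else in the diff; confirm both are still linked from the index after the change, and that every <row> keeps the same number of <entry> elements as its neighbours so the table does not render with ragged rows.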
@ -214,21 +211,32 @@
</row>
<row>
<entry><ulink url="FAQ.htm">FAQs</ulink></entry>
<entry><ulink
url="fallback.htm">Fallback/Uninstall</ulink></entry>
<entry><ulink url="ping.html">'Ping' Management</ulink></entry>
<entry><ulink url="VPNBasics.html">VPN</ulink></entry>
</row>
<row>
<entry><ulink url="FAQ.htm">FAQs</ulink></entry>
<entry><ulink url="two-interface.htm#DNAT">Port
Forwarding</ulink></entry>
<entry><ulink url="whitelisting_under_shorewall.htm">White List
Creation</ulink></entry>
</row>
<row>
<entry><ulink
url="shorewall_features.htm">Features</ulink></entry>
<entry><ulink url="ports.htm">Port Information</ulink></entry>
<entry><ulink url="whitelisting_under_shorewall.htm">White List
Creation</ulink></entry>
<entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
DomU</ulink></entry>
</row>
<row>
@ -238,8 +246,8 @@
<entry><ulink url="PortKnocking.html">Port Knocking and Other Uses
of the 'Recent Match'</ulink></entry>
<entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
DomU</ulink></entry>
<entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
Xen Dom0</ulink></entry>
</row>
<row>
@ -247,8 +255,7 @@
<entry><ulink url="PPTP.htm">PPTP</ulink></entry>
<entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
Xen Dom0</ulink></entry>
<entry></entry>
</row>
<row>

View File

@ -18,7 +18,7 @@
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2001 - 2005</year>
<year>2001 - 2007</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -52,9 +52,10 @@
<listitem>
<para>The packet is part of an established connecection. While the
packet can be logged using LOG rules in the ESTABLISHED section of
<ulink url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink>,
that is not recommended because of the large amount of information
that may be logged.</para>
<ulink
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink>, that
is not recommended because of the large amount of information that may
be logged.</para>
</listitem>
<listitem>
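Review bot: the context line "part of an established connecection" carries a typo ("connection"); since this paragraph is being reflowed anyway, fix it in the same hunk.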
@ -67,8 +68,8 @@
<listitem>
<para>The packet is rejected because of an option in <ulink
url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink> or
<ulink
url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>
or <ulink
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink>.
These packets can be logged by setting the appropriate logging-related
option in <ulink
@ -87,9 +88,9 @@
<listitem>
<para>The packet doesn't match a rule so it is handled by a policy
defined in <ulink
url="manpages/shorewall-policy.html">/etc/shorewall/policy</ulink>. These
may be logged by specifying a syslog level in the LOG LEVEL column of
the policy's entry (e.g., <quote>loc net ACCEPT <emphasis
url="manpages/shorewall-policy.html">/etc/shorewall/policy</ulink>.
These may be logged by specifying a syslog level in the LOG LEVEL
column of the policy's entry (e.g., <quote>loc net ACCEPT <emphasis
role="bold">info</emphasis></quote>).</para>
</listitem>
</orderedlist>
@ -154,11 +155,11 @@
If you are unsure of the level to choose, 6 (info) is a safe bet. You
may specify levels by name or by number.</para>
<para>Syslogd writes log messages to files (typically in /var/log/*)
based on their facility and level. The mapping of these facility/level
pairs to log files is done in /etc/syslog.conf (5). If you make changes
to this file, you must restart syslogd before the changes can take
effect.</para>
<para>Syslogd writes log messages to files (typically in <filename
class="directory">/var/log/</filename>*) based on their facility and
level. The mapping of these facility/level pairs to log files is done in
/etc/syslog.conf (5). If you make changes to this file, you must restart
syslogd before the changes can take effect.</para>
<para>Syslog may also write to your system console. See <ulink
url="FAQ.htm#faq16">Shorewall FAQ 16</ulink> for ways to avoid having
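Review bot: the glob "*" is left outside the new <filename class="directory">/var/log/</filename> element, and /etc/syslog.conf (5) on the next line is not wrapped in <filename>, while the later hunk in this file does wrap /etc/syslog.conf; make the markup consistent, e.g. <filename>/var/log/*</filename> and <filename>/etc/syslog.conf</filename>.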
@ -197,9 +198,9 @@
<note>
<para>The ULOG logging mechanism is <emphasis
role="underline">completely separate</emphasis> from syslog. Once you
switch to ULOG, the settings in /etc/syslog.conf have absolutely no
effect on your Shorewall logging (except for Shorewall status messages
which still go to syslog).</para>
switch to ULOG, the settings in <filename>/etc/syslog.conf</filename>
have absolutely no effect on your Shorewall logging (except for
Shorewall status messages which still go to syslog).</para>
</note>
<para>You will need to change all instances of log levels (usually
@ -224,11 +225,13 @@ shorewall.conf:TCP_FLAGS_LOG_LEVEL=$LOG
shorewall.conf:RFC1918_LOG_LEVEL=$LOG
gateway:/etc/shorewall# </programlisting>
<para>Finally edit /etc/shorewall/shorewall.conf and set
LOGFILE=&lt;<emphasis>file that you wish to log to</emphasis>&gt;. This
tells the /sbin/shorewall program where to look for the log when
processing its <quote>show log</quote>, <quote>logwatch</quote> and
<quote>monitor</quote> commands.</para>
<para>Finally edit <filename>/etc/shorewall/shorewall.conf</filename>
and set LOGFILE=&lt;<emphasis>file that you wish to log
to</emphasis>&gt;. This tells the <filename>/sbin/shorewall</filename>
program where to look for the log when processing its
<quote><command>show log</command></quote>,
<quote><command>logwatch</command></quote> and
<quote><command>dump</command></quote> commands.</para>
</section>
</section>
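Review bot: replacing <quote>monitor</quote> with <quote><command>dump</command></quote> changes which commands the text says read LOGFILE; confirm that dump actually consults LOGFILE and that monitor no longer exists (or no longer reads it) in this release, otherwise the sentence becomes inaccurate. The added <command> markup around the command names and the <filename> markup around the paths are good changes.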
@ -237,7 +240,10 @@ gateway:/etc/shorewall# </programl
<para><ulink
url="http://marc.theaimsgroup.com/?l=gentoo-security&amp;amp;m=106040714910563&amp;amp;w=2">Here</ulink>
is a post describing configuring syslog-ng to work with Shorewall.</para>
is a post describing configuring syslog-ng to work with Shorewall. Recent
<trademark>SuSE</trademark> releases come preconfigured with syslog-ng
with Netfilter messages (including Shorewall's) are written to
<filename>/var/log/firewall</filename>.</para>
</section>
<section id="Contents">
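Review bot: the added sentence is ungrammatical: "come preconfigured with syslog-ng with Netfilter messages (including Shorewall's) are written to" should read along the lines of "come preconfigured with syslog-ng so that Netfilter messages (including Shorewall's) are written to /var/log/firewall". Also, the unchanged context URL contains "&amp;amp;" twice, which renders as a literal "&amp;" in the href and breaks the link; each ampersand should be a single "&amp;".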

View File

@ -559,8 +559,8 @@ root@lists:~# </programlisting>
(<ulink
url="http://www.phptr.com/browse/product.asp?product_id={58D4F6D4-54C5-48BA-8EDD-86EBD7A42AF6}">link</ulink>).</para>
<para>The remainder of this quide will assume that you have configured
your network as shown here: <mediaobject>
<para id="Diagram">The remainder of this quide will assume that you have
configured your network as shown here: <mediaobject>
<imageobject>
<imagedata fileref="images/basics1.png" format="PNG" />
</imageobject>
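Review bot: the rewritten paragraph keeps the typo "quide" from the old line; change it to "guide" while adding the id="Diagram" attribute.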
@ -656,8 +656,9 @@ root@lists:~# </programlisting>
rather necessary for those clients to address their connection requests to
the firewall who rewrites the destination address to the address of your
server and forwards the packet to that server. When your server responds,
the firewall automatically performs <acronym>SNAT</acronym> to rewrite the
source address in the response.</para>
the firewall automatically performs <acronym><link
linkend="SNAT">SNAT</link></acronym> to rewrite the source address in the
response.</para>
<para>The above process is called <emphasis>Port Forwarding</emphasis> or
<emphasis>Destination Network Address Translation</emphasis>
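Review bot: <link linkend="SNAT"> requires an element with id="SNAT" somewhere in the document, and nothing in this diff adds one; confirm it already exists or the DocBook build will fail on the unresolved linkend. The context "the firewall who rewrites" would also read better as "which rewrites".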
@ -672,35 +673,45 @@ root@lists:~# </programlisting>
DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting><important>
<para>Be sure to add your rules after the line that reads <emphasis
role="bold">SECTON NEW.</emphasis></para>
</important><important>
<para>The server must have a static IP address. If you assign IP
addresses to your local system using DHCP, you need to configure your
DHCP server to always assign the same IP address to systems that are
the target of a DNAT rule.</para>
</important>Shorewall has <ulink url="Macros.html">macros</ulink> for
many popular applications. Look at /usr/share/shorewall/macro.* to see
what is available in your release. Macros simplify creating DNAT rules by
supplying the protocol and port(s) as shown in the following
examples.</para>
many popular applications. Look at the output of <command>shorewall show
macros</command> to see what is available in your release. Macros simplify
creating DNAT rules by supplying the protocol and port(s) as shown in the
following examples.</para>
<para><example id="Example1" label="1">
<title>Web Server</title>
<para>You run a Web Server on computer 2 and you want to forward
<para>You run a Web Server on computer 2 in <link
linkend="Diagram">the above diagram</link> and you want to forward
incoming <acronym>TCP</acronym> port 80 to that system:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Web/DNAT net loc:10.10.10.2</programlisting></para>
</example> <example id="Example2" label="2">
<title>FTP Server</title>
<para>You run an <acronym>FTP</acronym> Server on computer 1 so you
want to forward incoming <acronym>TCP</acronym> port 21 to that
system: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<para>You run an <acronym>FTP</acronym> Server on <link
linkend="Diagram">computer 1</link> so you want to forward incoming
<acronym>TCP</acronym> port 21 to that system: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
FTP/DNAT net loc:10.10.10.1</programlisting> For
<acronym>FTP</acronym>, you will also need to have
<acronym>FTP</acronym> connection tracking and <acronym>NAT</acronym>
support in your kernel. For vendor-supplied kernels, this means that
the <filename class="libraryfile">ip_conntrack_ftp</filename> and
<filename class="libraryfile">ip_nat_ftp</filename> modules must be
loaded. Shorewall will automatically load these modules if they are
available and located in the standard place under <filename
<filename class="libraryfile">ip_nat_ftp</filename> modules
(<filename>nf_conntrack_ftp</filename> and
<filename>nf_nat_ftp</filename> in later 2.6 kernels) must be loaded.
Shorewall will automatically load these modules if they are available
and located in the standard place under <filename
class="directory">/lib/modules/&lt;kernel
version&gt;/kernel/net/ipv4/netfilter</filename>.</para>
version&gt;/kernel/net/ipv4/netfilter</filename>. See the <ulink
url="FTP.html">Shorewall FTP documentation</ulink> for more
information.</para>
</example> A couple of important points to keep in mind: <itemizedlist>
<listitem>
<para>You must test the above rule from a client outside of your
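Review bot: the <important> block on the context lines still reads "SECTON NEW." (should be "SECTION NEW"); fix it in this hunk. In the FTP example, the text now names nf_conntrack_ftp and nf_nat_ftp for later 2.6 kernels but keeps the single module path /lib/modules/&lt;kernel version&gt;/kernel/net/ipv4/netfilter; check that the nf_* modules are actually found there on such kernels (nf_conntrack_ftp is not IPv4-specific and may live under net/netfilter instead) and adjust either the sentence or the path. Replacing the /usr/share/shorewall/macro.* pointer with "shorewall show macros" is a good change since it works regardless of where the package installs the macro files.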
@ -736,10 +747,16 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
<para>For DNAT troubleshooting tips, <ulink url="FAQ.htm#faq1a">see FAQs
1a and 1b</ulink>.</para>
</important>
<para>For information about DNAT when there are multiple external IP
addresses, see the <ulink
url="Shorewall_and_Aliased_Interfaces.html">Shorewall Aliased Interface
documentation</ulink> and the <ulink
url="shorewall_setup_guide.htm#dnat">Shorewall Setup Guide</ulink>.</para>
</section>
<section id="DNS">
<title>Domain Name Server (DNS)</title>
<title>DDomain Name Server (DNS)</title>
<para>Normally, when you connect to your ISP, as part of getting an IP
address your firewall's <emphasis>Domain Name Service</emphasis>
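Review bot: the retitled heading "DDomain Name Server (DNS)" introduces a doubled D; the title should remain "Domain Name Server (DNS)". The new paragraph pointing to the Aliased Interfaces documentation and the Setup Guide for DNAT with multiple external addresses is a useful addition.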