diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml index ccb8458ed..923a0539d 100644 --- a/docs/CompiledPrograms.xml +++ b/docs/CompiledPrograms.xml @@ -231,10 +231,11 @@ If you want to be able to allow non-root users to manage - remote filewall systems, then the file + remote filewall systems, then the files + /etc/shorewall/params and /etc/shorewall/shorewall.conf must be readable by all users on the administrative system. Not all packages secure - the file that way and you may have to change the file permissions + the files that way and you may have to change the file permissions yourself. /sbin/shorewall uses the SHOREWALL_SHELL setting from /etc/shorewall/shorewall.conf to determine the shell to use when compiling programs and it uses the VERBOSITY @@ -330,7 +331,7 @@ /sbin/shorewall load firewall The load + url="manpages/shorewall.html">load command compiles a firewall script from the configuration files in the current working directory (using shorewall compile -e), copies that file to the remote system via @@ -374,7 +375,7 @@ /sbin/shorewall reload firewall The reload + url="manpages/shorewall.html">reload command compiles a firewall script from the configuration files in the current working directory (using shorewall compile -e), copies that file to the remote system via scp and @@ -771,31 +772,37 @@ clean: file:
- NAT_ENABLED=Yes # NAT -MANGLE_ENABLED=Yes # Packet Mangling -MULTIPORT=Yes # Multi-port Match -XMULTIPORT=Yes # Extended Multi-port Match -CONNTRACK_MATCH=Yes # Connection Tracking Match -USEPKTTYPE= # Packet Type Match -POLICY_MATCH=Yes # Policy Match -PHYSDEV_MATCH=Yes # Physdev Match -LENGTH_MATCH=Yes # Packet Length Match -IPRANGE_MATCH=Yes # IP range Match -RECENT_MATCH=Yes # Recent Match -OWNER_MATCH=Yes # Owner match -IPSET_MATCH= # Ipset Match -CONNMARK=Yes # CONNMARK Target -XCONNMARK=Yes # Extended CONNMARK Target -CONNMARK_MATCH=Yes # Connmark Match -XCONNMARK_MATCH=Yes # Extended Connmark Match -RAW_TABLE=Yes # Raw Table -IPP2P_MATCH= # IPP2P Match -CLASSIFY_TARGET=Yes # CLASSIFY Target -ENHANCED_REJECT=Yes # Extended REJECT -KLUDGEFREE= # iptables accepts multiple "-m iprange" or "-m physdev" in a single command -MARK=Yes # MARK Target Support -XMARK=YES # Extended MARK Target Support -MANGLE_FORWARD # Mangle table has FORWARD chain + # +# Shorewall detected the following iptables/netfilter capabilities - Fri Jul 27 14:22:31 PDT 2007 +# +NAT_ENABLED=Yes +MANGLE_ENABLED=Yes +MULTIPORT=Yes +XMULTIPORT=Yes +CONNTRACK_MATCH=Yes +USEPKTTYPE=Yes +POLICY_MATCH=Yes +PHYSDEV_MATCH=Yes +LENGTH_MATCH=Yes +IPRANGE_MATCH=Yes +RECENT_MATCH=Yes +OWNER_MATCH=Yes +IPSET_MATCH= +CONNMARK=Yes +XCONNMARK=Yes +CONNMARK_MATCH=Yes +XCONNMARK_MATCH=Yes +RAW_TABLE=Yes +IPP2P_MATCH= +CLASSIFY_TARGET=Yes +ENHANCED_REJECT=Yes +KLUDGEFREE=Yes +MARK=Yes +XMARK=Yes +MANGLE_FORWARD=Yes +COMMENTS=Yes +ADDRTYPE=Yes +CAPVERSION=30405
As you can see, the file contains a simple list of shell variable @@ -876,4 +883,4 @@ MANGLE_FORWARD # Mangle table has FORWARD chain - + \ No newline at end of file diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml index fc09f2e71..69e8a0a1c 100644 --- a/docs/Documentation_Index.xml +++ b/docs/Documentation_Index.xml @@ -182,29 +182,26 @@ - ECN Disabling by host or - subnet + DNAT (Port + Forwarding) Operating Shorewall - Troubleshooting - - - - Extension - Scripts (User Exits) - - Packet - Marking - UPnP - Fallback/Uninstall + ECN Disabling by host or + subnet + + Packet + Marking + + + + Extension + Scripts (User Exits) Packet Processing in a Shorewall-based Firewall @@ -214,21 +211,32 @@ - FAQs + Fallback/Uninstall 'Ping' Management VPN + + FAQs + + Port + Forwarding + + White List + Creation + + Features Port Information - White List - Creation + Xen - Shorewall in a Bridged Xen + DomU @@ -238,8 +246,8 @@ Port Knocking and Other Uses of the 'Recent Match' - Xen - Shorewall in a Bridged Xen - DomU + Xen - Shorewall in Routed + Xen Dom0 @@ -247,8 +255,7 @@ PPTP - Xen - Shorewall in Routed - Xen Dom0 + diff --git a/docs/shorewall_logging.xml b/docs/shorewall_logging.xml index 6dae6903c..a3d2d9a0f 100644 --- a/docs/shorewall_logging.xml +++ b/docs/shorewall_logging.xml @@ -18,7 +18,7 @@ - 2001 - 2005 + 2001 - 2007 Thomas M. Eastep @@ -52,9 +52,10 @@ The packet is part of an established connecection. While the packet can be logged using LOG rules in the ESTABLISHED section of - /etc/shorewall/rules, - that is not recommended because of the large amount of information - that may be logged. + /etc/shorewall/rules, that + is not recommended because of the large amount of information that may + be logged. 
@@ -67,8 +68,8 @@ The packet is rejected because of an option in /etc/shorewall/shorewall.conf or - /etc/shorewall/shorewall.conf + or /etc/shorewall/interfaces. These packets can be logged by setting the appropriate logging-related option in The packet doesn't match a rule so it is handled by a policy defined in /etc/shorewall/policy. These - may be logged by specifying a syslog level in the LOG LEVEL column of - the policy's entry (e.g., loc net ACCEPT /etc/shorewall/policy. + These may be logged by specifying a syslog level in the LOG LEVEL + column of the policy's entry (e.g., loc net ACCEPT info). @@ -154,11 +155,11 @@ If you are unsure of the level to choose, 6 (info) is a safe bet. You may specify levels by name or by number.
- Syslogd writes log messages to files (typically in /var/log/*) - based on their facility and level. The mapping of these facility/level - pairs to log files is done in /etc/syslog.conf (5). If you make changes - to this file, you must restart syslogd before the changes can take - effect. + Syslogd writes log messages to files (typically in /var/log/*) based on their facility and + level. The mapping of these facility/level pairs to log files is done in + /etc/syslog.conf (5). If you make changes to this file, you must restart + syslogd before the changes can take effect. Syslog may also write to your system console. See Shorewall FAQ 16 for ways to avoid having @@ -197,9 +198,9 @@ The ULOG logging mechanism is completely separate from syslog. Once you - switch to ULOG, the settings in /etc/syslog.conf have absolutely no - effect on your Shorewall logging (except for Shorewall status messages - which still go to syslog). + switch to ULOG, the settings in /etc/syslog.conf + have absolutely no effect on your Shorewall logging (except for + Shorewall status messages which still go to syslog). You will need to change all instances of log levels (usually @@ -224,11 +225,13 @@ shorewall.conf:TCP_FLAGS_LOG_LEVEL=$LOG shorewall.conf:RFC1918_LOG_LEVEL=$LOG gateway:/etc/shorewall# - Finally edit /etc/shorewall/shorewall.conf and set - LOGFILE=<file that you wish to log to>. This - tells the /sbin/shorewall program where to look for the log when - processing its show log, logwatch and - monitor commands. + Finally edit /etc/shorewall/shorewall.conf + and set LOGFILE=<file that you wish to log + to>. This tells the /sbin/shorewall + program where to look for the log when processing its + show log, + logwatch and + dump commands. 
@@ -237,7 +240,10 @@ gateway:/etc/shorewall# Here - is a post describing configuring syslog-ng to work with Shorewall. + is a post describing configuring syslog-ng to work with Shorewall. Recent + SuSE releases come preconfigured with syslog-ng + with Netfilter messages (including Shorewall's) are written to + /var/log/firewall.
diff --git a/docs/two-interface.xml b/docs/two-interface.xml index 7b6256d08..0d17375c6 100644 --- a/docs/two-interface.xml +++ b/docs/two-interface.xml @@ -559,8 +559,8 @@ root@lists:~# (link). - The remainder of this quide will assume that you have configured - your network as shown here: + The remainder of this quide will assume that you have + configured your network as shown here: @@ -656,8 +656,9 @@ root@lists:~# rather necessary for those clients to address their connection requests to the firewall who rewrites the destination address to the address of your server and forwards the packet to that server. When your server responds, - the firewall automatically performs SNAT to rewrite the - source address in the response. + the firewall automatically performs SNAT to rewrite the source address in the + response. The above process is called Port Forwarding or Destination Network Address Translation 
@@ -672,35 +673,45 @@ root@lists:~# DNAT net loc:<server local ip address>[:<server port>] <protocol> <port> Be sure to add your rules after the line that reads SECTON NEW. + + The server must have a static IP address. If you assign IP + addresses to your local system using DHCP, you need to configure your + DHCP server to always assign the same IP address to systems that are + the target of a DNAT rule. Shorewall has macros for - many popular applications. Look at /usr/share/shorewall/macro.* to see - what is available in your release. Macros simplify creating DNAT rules by - supplying the protocol and port(s) as shown in the following - examples. + many popular applications. Look at the output of shorewall show + macros to see what is available in your release. Macros simplify + creating DNAT rules by supplying the protocol and port(s) as shown in the + following examples. Web Server - You run a Web Server on computer 2 and you want to forward + You run a Web Server on computer 2 in the above diagram and you want to forward incoming TCP port 80 to that system: #ACTION SOURCE DEST PROTO DEST PORT(S) Web/DNAT net loc:10.10.10.2 FTP Server - You run an FTP Server on computer 1 so you - want to forward incoming TCP port 21 to that - system: #ACTION SOURCE DEST PROTO DEST PORT(S) + You run an FTP Server on computer 1 so you want to forward incoming + TCP port 21 to that system: #ACTION SOURCE DEST PROTO DEST PORT(S) FTP/DNAT net loc:10.10.10.1 For FTP, you will also need to have FTP connection tracking and NAT support in your kernel. For vendor-supplied kernels, this means that the ip_conntrack_ftp and - ip_nat_ftp modules must be - loaded. Shorewall will automatically load these modules if they are - available and located in the standard place under ip_nat_ftp modules + (nf_conntrack_ftp and + nf_nat_ftp in later 2.6 kernels) must be loaded. 
+ Shorewall will automatically load these modules if they are available + and located in the standard place under /lib/modules/<kernel - version>/kernel/net/ipv4/netfilter. + version>/kernel/net/ipv4/netfilter. See the Shorewall FTP documentation for more + information. A couple of important points to keep in mind: You must test the above rule from a client outside of your @@ -736,10 +747,16 @@ DNAT net loc:10.10.10.2:80 tcp 5000 For DNAT troubleshooting tips, see FAQs 1a and 1b. + + For information about DNAT when there are multiple external IP + addresses, see the Shorewall Aliased Interface + documentation and the Shorewall Setup Guide.
- Domain Name Server (DNS) + DDomain Name Server (DNS) Normally, when you connect to your ISP, as part of getting an IP address your firewall's Domain Name Service
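Review bot: In the CompiledPrograms.xml hunk at @@ -231, the typo "filewall" in "remote filewall systems" survives in both the removed and the added line; since the line is being rewritten anyway, change it to "remote firewall systems". The same hunk tells administrators to make /etc/shorewall/params and /etc/shorewall/shorewall.conf readable by all users; one added sentence pointing out that anything placed in params then becomes visible to every local account would help readers decide what belongs in that file.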
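Review bot: The replacement capabilities listing in CompiledPrograms.xml (@@ -771) fixes two real defects in the old sample, "MANGLE_FORWARD # Mangle table has FORWARD chain" with no "=" assignment and "XMARK=YES" with the wrong case, but the following hunk shows "\ No newline at end of file" for the new version of the file; add the trailing newline. Because the listing now carries a timestamp and values from one specific host (e.g. "USEPKTTYPE=Yes", "CAPVERSION=30405"), the surrounding prose should say it is example output and that the values differ per system.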
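Review bot: After the Documentation_Index.xml hunks, the index contains both a "DNAT (Port Forwarding)" entry and a "Port Forwarding" entry; confirm these are meant to point at different documents, and if not, keep only one so readers are not sent to two places for the same topic.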
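Review bot: In the shorewall_logging.xml hunk at @@ -52, the context line still reads "part of an established connecection"; the paragraph is being reflowed, so correct it to "connection" in the same change.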
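Review bot: The added sentence in the shorewall_logging.xml hunk at @@ -237 is ungrammatical: "Recent SuSE releases come preconfigured with syslog-ng with Netfilter messages (including Shorewall's) are written to /var/log/firewall." Suggest "Recent SuSE releases come preconfigured with syslog-ng, and Netfilter messages (including Shorewall's) are written to /var/log/firewall." It would also help to say that LOGFILE in shorewall.conf must then point at that file, as the earlier hunk in this same document (@@ -224) describes.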
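Review bot: In the two-interface.xml hunk at @@ -559, the typo "quide" ("The remainder of this quide will assume") is carried from the removed line into the added one; change it to "guide" while the line is being touched.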
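Review bot: In the two-interface.xml hunk at @@ -656, the context line "the firewall who rewrites the destination address" should read "the firewall, which rewrites the destination address"; the sentence is part of the paragraph being reflowed, so it can be fixed here.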
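Review bot: In the two-interface.xml hunk at @@ -672, the context line "Be sure to add your rules after the line that reads SECTON NEW." has "SECTON" for "SECTION", and since the new static-IP paragraph is inserted directly after it, fix the typo in the same hunk. The new paragraph about DHCP reservations for DNAT targets is a useful addition; consider also noting that a DNAT rule whose target address is reassigned to another host silently forwards traffic to that host, which is why the reservation matters.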
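Review bot: The last two-interface.xml hunk (@@ -736) introduces a typo: the heading "Domain Name Server (DNS)" becomes "DDomain Name Server (DNS)"; restore "Domain" before merging.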