diff --git a/docs/two-interface.xml b/docs/two-interface.xml index 23e46da41..1f40b8a44 100644 --- a/docs/two-interface.xml +++ b/docs/two-interface.xml @@ -74,7 +74,7 @@ - + @@ -121,19 +121,18 @@ Conventions Points at which configuration changes are recommended are flagged - with . + with . Configuration notes that are unique to Debian and it's derivatives are marked with . + format="GIF"/>.
PPTP/ADSL - + If you have an ADSL Modem and you use PPTP to communicate with a server in that modem, you @@ -146,7 +145,7 @@
Shorewall Concepts - + The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple @@ -154,7 +153,7 @@ this guide. + format="GIF"/> After you have installed Shorewall, locate the two-interfaces samples: @@ -189,10 +188,10 @@ If you installed using a + fileref="images/openlogo-nd-25.png"/>If you installed using a Shorewall 4.x .deb, the samples are in /usr/share/doc/shorewall-common/examples/two-interfaces. + class="directory">/usr/share/doc/shorewall/examples/two-interfaces. You do not need the shorewall-doc package to have access to the samples. @@ -230,8 +229,7 @@ a set of zones. In the two-interface sample configuration, the following zone names are used: - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall net ipv4 loc ipv4Zones are defined in the Zones are defined in the The /etc/shorewall/policy file included with the two-interface sample has the following policies: - #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST + #SOURCE DEST POLICY LOGLEVEL LIMIT loc net ACCEPT net all DROP info all all REJECT infoIn the two-interface sample, the line below is included but commented out. If you want your firewall system to have full access to servers on the Internet, uncomment - that line. #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST + that line. #SOURCE DEST POLICY LOGLEVEL LIMIT $FW net ACCEPT The above policy will: @@ -333,11 +331,11 @@ $FW net ACCEPT The above policy will: local network from a security perspective. If you want to do this, add these two policies: - #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST + #SOURCE DEST POLICY LOGLEVEL LIMIT loc $FW ACCEPT $FW loc ACCEPT - + At this point, edit your /etc/shorewall/policy @@ -349,7 +347,7 @@ $FW loc ACCEPT - + 
@@ -393,7 +391,7 @@ root@lists:~# the external interface. - + If your external interface is ppp0 or internal interface. Your firewall should have exactly one default route via your ISP's Router. + format="GIF"/> The Shorewall two-interface sample configuration assumes that the external interface is eth0 and the @@ -533,7 +531,7 @@ root@lists:~# directly. To communicate with systems outside of the subnetwork, systems send packets through a gateway (router). - + Your local computers (computer 1 and computer 2 in the above diagram) should be configured with their default gateway to be the @@ -550,7 +548,7 @@ root@lists:~# The remainder of this guide will assume that you have configured your network as shown here: - + The default gateway for computer's 1 & 2 would be 10.10.10.254. @@ -607,7 +605,7 @@ root@lists:~# IP is dynamic and SNAT if the IP is static. - + If your external firewall interface is eth0, you do not need to modify the file @@ -616,7 +614,7 @@ root@lists:~# class="directory">/etc/shorewall/masq and change the first column to the name of your external interface. - + If your external IP is static, you can enter it in the third column in the column 3 (SNAT) makes the processing of outgoing packets a little more efficient. - + If you are using the Debian package, please check your shorewall.conf file to ensure that the @@ -689,7 +687,7 @@ root@lists:~# - + If you are running a distribution that logs netfilter messages to a log other than /var/log/messages, then modify the @@ -729,7 +727,7 @@ root@lists:~# /usr/share/shorewall/modules then copy the file to /etc/shorewall and modify the copy. - + Modify the setting of LOAD_HELPER_ONLY as necessary.
@@ -758,7 +756,7 @@ root@lists:~# a server in the loc zone, the general form of a simple port forwarding rule in /etc/shorewall/rules is: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT DNAT net loc:<server local ip address>[:<server port>] <protocol> <port> If you want to forward traffic from the loc zone to a server in the @@ -784,14 +782,14 @@ DNAT net loc:<server local ip address>[:You run a Web Server on computer 2 in the above diagram and you want to forward incoming TCP port 80 to that system: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT Web(DNAT) net loc:10.10.10.2 FTP Server You run an FTP Server on computer 1 so you want to forward incoming - TCP port 21 to that system: #ACTION SOURCE DEST PROTO DEST PORT(S) + TCP port 21 to that system: #ACTION SOURCE DEST PROTO DPORT FTP(DNAT) net loc:10.10.10.1 For FTP, you will also need to have FTP connection tracking and NAT @@ -829,11 +827,11 @@ FTP(DNAT) net loc:10.10.10.1 For server, try the following rule and try connecting to port 5000. - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT DNAT net loc:10.10.10.2:80 tcp 5000
+ format="GIF"/> At this point, modify /etc/shorewall/rules to @@ -881,7 +879,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000 - You can configure a + You can configure a Caching Name Server on your firewall. Red Hat has an RPM for a caching name server (the RPM also requires the @@ -897,7 +895,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000 network to the firewall; you do that by adding the following rules in /etc/shorewall/rules. - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT DNS(ACCEPT)loc $FW @@ -907,7 +905,7 @@ DNS(ACCEPT)loc $FW Other Connections The two-interface sample includes the following rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT DNS(ACCEPT) $FW netThis rule allows DNS access from your firewall and may be removed if you uncommented the line in This rule allows You don't have to use defined macros when coding a rule in /etc/shorewall/rules; Shorewall will start slightly faster if you code your rules directly rather than using macros. The the - rule shown above could also have been coded as follows:#ACTION SOURCE DEST PROTO DEST PORT(S) + rule shown above could also have been coded as follows:#ACTION SOURCE DEST PROTO DPORT ACCEPT $FW net udp 53 ACCEPT $FW net tcp 53 
@@ -930,21 +928,21 @@ ACCEPT $FW net tcp 53 your needs, you can either define the macro yourself or you can simply code the appropriate rules directly. - The sample also includes: #ACTION SOURCE DEST PROTO DEST PORT(S) + The sample also includes: #ACTION SOURCE DEST PROTO DPORT SSH(ACCEPT) loc $FW That rule allows you to run an SSH server on your firewall and connect to that server from your local systems. If you wish to enable other connections from your firewall to other - systems, the general format using a macro is: #ACTION SOURCE DEST PROTO DEST PORT(S) + systems, the general format using a macro is: #ACTION SOURCE DEST PROTO DPORT <macro>(ACCEPT) $FW <destination zone>The - general format when not using defined macros is:#ACTION SOURCE DEST PROTO DEST PORT(S) + general format when not using defined macros is:#ACTION SOURCE DEST PROTO DPORT ACCEPT $FW <destination zone> <protocol> <port> Web Server on Firewall You want to run a Web Server on your firewall system: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT Web(ACCEPT) net $FW Web(ACCEPT) loc $FW Those two rules would of course be in addition to the rules listed above under Those two rules would of shell access to your firewall from the Internet, use SSH: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT SSH(ACCEPT) net $FW Bering users will want to add the following two rules to be - compatible with Jacques's Shorewall configuration.#ACTION SOURCE DEST PROTO DEST PORT(S) + format="GIF"/>Bering users will want to add the following two rules to be + compatible with Jacques's Shorewall configuration.#ACTION SOURCE DEST PROTO DPORT ACCEPT loc $FW udp 53 #Allow DNS Cache to work ACCEPT loc $FW tcp 80 #Allow Weblet to work - + Now edit your /etc/shorewall/rules 
@@ -1030,7 +1028,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work Starting and Stopping Your Firewall - + The installation procedure configures your system to start Shorewall at system boot but startup is @@ -1038,7 +1036,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work + fileref="images/openlogo-nd-25.png"/> Users of the .deb package must edit /etc/default/shorewall and set startup=1. @@ -1056,11 +1054,11 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work /etc/shorewall/stoppedrules. A running firewall may be restarted using the shorewall - restart command. If you want to totally remove any trace + reload command. If you want to totally remove any trace of Shorewall from your Netfilter configuration, use shorewall clear. - + The two-interface sample assumes that you want to enable routing to/from eth1 (the local network) @@ -1087,7 +1085,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work Also, I don't recommend using shorewall - restart; it is better to create an alternate + reload; it is better to create an alternate configuration and test it using the shorewall try command. @@ -1158,7 +1156,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to worksystemctl disable iptables.service - + At this point, disable your existing firewall service.
@@ -1202,9 +1200,9 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work Your new network will look similar to what is shown in the following - figure. + figure. - + The first thing to note is that the computers in your wireless network will be in a different subnet from those on your wired local LAN. @@ -1217,7 +1215,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work - + There are only two changes that need to be made to the Shorewall configuration: @@ -1229,8 +1227,8 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to workwlan0, the entry might look like: - #ZONE INTERFACE BROADCAST OPTIONS -loc wlan0 detect maclist + #ZONE INTERFACE OPTIONS +loc wlan0 maclist As shown in the above entry, I recommend using the maclist option for the wireless @@ -1248,7 +1246,7 @@ loc wlan0 detect maclist from the wireless network to the Internet. If you file looks like this: - #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK + #INTERFACE SOURCE ADDRESS PROTO DPORT IPSEC MARK eth0 10.0.0.0/8,\ 169.254.0.0/16,\ 172.16.0.0/12,\
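Review bot: the context line right after the replaced image markup in the @@ -121,19 +121,18 @@ hunk still reads "Configuration notes that are unique to Debian and it's derivatives"; since that paragraph is being edited anyway, change "it's" to "its" in the same commit rather than leaving the typo beside freshly touched markup.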
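Review bot: the @@ -189,10 +188,10 @@ hunk changes the sample path from /usr/share/doc/shorewall-common/examples/two-interfaces to /usr/share/doc/shorewall/examples/two-interfaces while the sentence still opens with "If you installed using a Shorewall 4.x .deb". State which package version the new path applies to; a reader of a 4.x .deb that still ships the shorewall-common split will otherwise be sent to a directory that does not exist on their system.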
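Review bot: the unchanged context in the @@ -550,7 +548,7 @@ hunk reads "The default gateway for computer's 1 & 2 would be 10.10.10.254."; the possessive is wrong and should be "computers 1 and 2", which is worth fixing while the adjacent image markup is being replaced.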
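Review bot: the context line in the @@ -616,7 +614,7 @@ hunk marks /etc/shorewall/masq with class="directory", but the same sentence tells the reader to "change the first column" in it, so it is a configuration file, not a directory; use the plain filename markup as the other /etc/shorewall/* files in this document do.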
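Review bot: in the @@ -1056,11 +1054,11 @@ hunk the command is swapped from shorewall restart to shorewall reload, but the sentence still says "A running firewall may be restarted using the shorewall reload command"; either change "restarted" to "reloaded" or add a clause saying what reload does that restart did, so readers who know the old command understand why it was replaced. The matching swap in the @@ -1087,7 +1085,7 @@ hunk ("I don't recommend using shorewall reload; it is better to create an alternate configuration and test it using the shorewall try command") keeps the two passages consistent, which is good.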
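Review bot: the @@ -1229,8 +1227,8 @@ hunk reduces the wlan0 entry to "loc wlan0 maclist" by dropping the BROADCAST column, which matches the new three-column header, but the text that follows ("I recommend using the maclist option for the wireless") still never says what maclist enforces or where the permitted addresses are listed; since the entry is now the only thing the reader sees, add a sentence or a link to the maclist documentation so the recommendation is actionable.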