Update the two-interface guide for 5.0

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-02-19 10:17:20 -08:00
parent b73fb58745
commit 3562a5b1bd


@ -121,8 +121,7 @@
<title>Conventions</title> <title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged <para>Points at which configuration changes are recommended are flagged
with <inlinegraphic fileref="images/BD21298_.gif" with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
format="GIF" />.</para>
<para>Configuration notes that are unique to Debian and it's derivatives <para>Configuration notes that are unique to Debian and it's derivatives
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png" are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
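Review bot: the context line "Configuration notes that are unique to Debian and it's derivatives" carries a typo on both sides of the diff; since this hunk already edits the neighbouring <para>, change it to "its derivatives" here rather than leaving it for a later commit.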
@ -146,7 +145,7 @@
<section id="Concepts"> <section id="Concepts">
<title>Shorewall Concepts</title> <title>Shorewall Concepts</title>
<para></para> <para/>
<para>The configuration files for Shorewall are contained in the directory <para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for simple <filename class="directory">/etc/shorewall</filename> -- for simple
@ -192,7 +191,7 @@
fileref="images/openlogo-nd-25.png"/>If you installed using a fileref="images/openlogo-nd-25.png"/>If you installed using a
Shorewall 4.x .deb, the samples are in <emphasis Shorewall 4.x .deb, the samples are in <emphasis
role="bold"><filename role="bold"><filename
class="directory">/usr/share/doc/shorewall-common/examples/two-interfaces</filename>.</emphasis> class="directory">/usr/share/doc/shorewall/examples/two-interfaces</filename>.</emphasis>
You do not need the shorewall-doc package to have access to the You do not need the shorewall-doc package to have access to the
samples.</para> samples.</para>
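Review bot: the sample path is updated to /usr/share/doc/shorewall/examples/two-interfaces, but the sentence it sits in still opens with "If you installed using a Shorewall 4.x .deb". For a guide being updated for 5.0 the version in that sentence should change with the path (e.g. "a Shorewall 5.x .deb"), or the sentence should be reworded so it no longer ties the new path to a 4.x package.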
@ -230,8 +229,7 @@
a set of zones. In the two-interface sample configuration, the following a set of zones. In the two-interface sample configuration, the following
zone names are used:</para> zone names are used:</para>
<para><programlisting>#ZONE TYPE OPTIONS IN OUT <para><programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4 net ipv4
loc ipv4</programlisting>Zones are defined in the <ulink loc ipv4</programlisting>Zones are defined in the <ulink
@ -289,13 +287,13 @@ loc ipv4</programlisting>Zones are defined in the <ulink
<para>The <filename <para>The <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename> class="directory">/etc/shorewall/</filename><filename>policy</filename>
file included with the two-interface sample has the following policies: file included with the two-interface sample has the following policies:
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT loc net ACCEPT
net all DROP info net all DROP info
all all REJECT info</programlisting>In the two-interface all all REJECT info</programlisting>In the two-interface
sample, the line below is included but commented out. If you want your sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the Internet, uncomment firewall system to have full access to servers on the Internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST that line. <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW net ACCEPT</programlisting> The above policy will: $FW net ACCEPT</programlisting> The above policy will:
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -333,7 +331,7 @@ $FW net ACCEPT</programlisting> The above policy will:
local network from a security perspective. If you want to do this, add local network from a security perspective. If you want to do this, add
these two policies:</para> these two policies:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc $FW ACCEPT loc $FW ACCEPT
$FW loc ACCEPT</programlisting> $FW loc ACCEPT</programlisting>
@ -758,7 +756,7 @@ root@lists:~# </programlisting>
a server in the <emphasis>loc</emphasis> zone, the general form of a a server in the <emphasis>loc</emphasis> zone, the general form of a
simple port forwarding rule in <filename simple port forwarding rule in <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename> is: class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting><important> DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting><important>
<para><emphasis role="bold">If you want to forward traffic from the <para><emphasis role="bold">If you want to forward traffic from the
<emphasis>loc</emphasis> zone to a server in the <emphasis>loc</emphasis> zone to a server in the
@ -784,14 +782,14 @@ DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<e
<para>You run a Web Server on computer 2 in <link <para>You run a Web Server on computer 2 in <link
linkend="Diagram">the above diagram</link> and you want to forward linkend="Diagram">the above diagram</link> and you want to forward
incoming <acronym>TCP</acronym> port 80 to that system: incoming <acronym>TCP</acronym> port 80 to that system:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Web(DNAT) net loc:10.10.10.2</programlisting></para> Web(DNAT) net loc:10.10.10.2</programlisting></para>
</example> <example id="Example2" label="2"> </example> <example id="Example2" label="2">
<title>FTP Server</title> <title>FTP Server</title>
<para>You run an <acronym>FTP</acronym> Server on <link <para>You run an <acronym>FTP</acronym> Server on <link
linkend="Diagram">computer 1</link> so you want to forward incoming linkend="Diagram">computer 1</link> so you want to forward incoming
<acronym>TCP</acronym> port 21 to that system: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <acronym>TCP</acronym> port 21 to that system: <programlisting>#ACTION SOURCE DEST PROTO DPORT
FTP(DNAT) net loc:10.10.10.1</programlisting> For FTP(DNAT) net loc:10.10.10.1</programlisting> For
<acronym>FTP</acronym>, you will also need to have <acronym>FTP</acronym>, you will also need to have
<acronym>FTP</acronym> connection tracking and <acronym>NAT</acronym> <acronym>FTP</acronym> connection tracking and <acronym>NAT</acronym>
@ -829,7 +827,7 @@ FTP(DNAT) net loc:10.10.10.1</programlisting> For
server, try the following rule and try connecting to port server, try the following rule and try connecting to port
5000.</para> 5000.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:10.10.10.2:80 tcp 5000</programlisting> DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
</listitem> </listitem>
</itemizedlist> <inlinegraphic fileref="images/BD21298_.gif" </itemizedlist> <inlinegraphic fileref="images/BD21298_.gif"
@ -897,7 +895,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
network to the firewall; you do that by adding the following rules network to the firewall; you do that by adding the following rules
in <filename in <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>. class="directory">/etc/shorewall/</filename><filename>rules</filename>.
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNS(ACCEPT)loc $FW</programlisting></para> DNS(ACCEPT)loc $FW</programlisting></para>
</listitem> </listitem>
</itemizedlist></para> </itemizedlist></para>
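Review bot: the rule line "DNS(ACCEPT)loc $FW" has no whitespace between the ACTION and SOURCE columns on either side of the diff, so it does not line up with the header and would not parse as a whitespace-separated rule; since the header row of this listing is being changed anyway, fix the rule to "DNS(ACCEPT) loc $FW" in the same hunk.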
@ -907,7 +905,7 @@ DNS(ACCEPT)loc $FW</programlisting></para>
<title>Other Connections</title> <title>Other Connections</title>
<para>The two-interface sample includes the following rules: <para>The two-interface sample includes the following rules:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNS(ACCEPT) $FW net</programlisting>This rule allows DNS(ACCEPT) $FW net</programlisting>This rule allows
<acronym>DNS</acronym> access from your firewall and may be removed if you <acronym>DNS</acronym> access from your firewall and may be removed if you
uncommented the line in <filename uncommented the line in <filename
@ -922,7 +920,7 @@ DNS(ACCEPT) $FW net</programlisting>This rule allows
<para>You don't have to use defined macros when coding a rule in <para>You don't have to use defined macros when coding a rule in
<filename>/etc/shorewall/rules</filename>; Shorewall will start slightly <filename>/etc/shorewall/rules</filename>; Shorewall will start slightly
faster if you code your rules directly rather than using macros. The the faster if you code your rules directly rather than using macros. The the
rule shown above could also have been coded as follows:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) rule shown above could also have been coded as follows:<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT $FW net udp 53 ACCEPT $FW net udp 53
ACCEPT $FW net tcp 53</programlisting></para> ACCEPT $FW net tcp 53</programlisting></para>
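Review bot: the context line "The the rule shown above could also have been coded as follows" has a duplicated "The the" that survives the change; drop the extra word while this paragraph's <programlisting> header is being edited.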
@ -930,21 +928,21 @@ ACCEPT $FW net tcp 53</programlisting></para>
your needs, you can either define the macro yourself or you can simply your needs, you can either define the macro yourself or you can simply
code the appropriate rules directly.</para> code the appropriate rules directly.</para>
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DPORT
SSH(ACCEPT) loc $FW </programlisting>That rule allows you to run an SSH(ACCEPT) loc $FW </programlisting>That rule allows you to run an
<acronym>SSH</acronym> server on your firewall and connect to that server <acronym>SSH</acronym> server on your firewall and connect to that server
from your local systems.</para> from your local systems.</para>
<para>If you wish to enable other connections from your firewall to other <para>If you wish to enable other connections from your firewall to other
systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DPORT
&lt;macro&gt;(ACCEPT) $FW <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The &lt;macro&gt;(ACCEPT) $FW <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The
general format when not using defined macros is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) general format when not using defined macros is:<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT $FW <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example ACCEPT $FW <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example
id="Example3"> id="Example3">
<title>Web Server on Firewall</title> <title>Web Server on Firewall</title>
<para>You want to run a Web Server on your firewall system: <para>You want to run a Web Server on your firewall system:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Web(ACCEPT) net $FW Web(ACCEPT) net $FW
Web(ACCEPT) loc $FW </programlisting>Those two rules would of Web(ACCEPT) loc $FW </programlisting>Those two rules would of
course be in addition to the rules listed above under <quote><link course be in addition to the rules listed above under <quote><link
@ -957,11 +955,11 @@ Web(ACCEPT) loc $FW </programlisting>Those two rules would of
shell access to your firewall from the Internet, use shell access to your firewall from the Internet, use
<acronym>SSH</acronym>:</para> <acronym>SSH</acronym>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
SSH(ACCEPT) net $FW</programlisting> SSH(ACCEPT) net $FW</programlisting>
</important> <inlinegraphic fileref="images/leaflogo.gif" </important> <inlinegraphic fileref="images/leaflogo.gif"
format="GIF"/>Bering users will want to add the following two rules to be format="GIF"/>Bering users will want to add the following two rules to be
compatible with Jacques's Shorewall configuration.<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) compatible with Jacques's Shorewall configuration.<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT loc $FW udp 53 #Allow DNS Cache to work ACCEPT loc $FW udp 53 #Allow DNS Cache to work
ACCEPT loc $FW tcp 80 #Allow Weblet to work</programlisting> ACCEPT loc $FW tcp 80 #Allow Weblet to work</programlisting>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para> <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
@ -1056,7 +1054,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
(Shorewall 4.5.7 and earlier) or in<filename> <ulink (Shorewall 4.5.7 and earlier) or in<filename> <ulink
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>. url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>.
A running firewall may be restarted using the <quote><command>shorewall A running firewall may be restarted using the <quote><command>shorewall
restart</command></quote> command. If you want to totally remove any trace reload</command></quote> command. If you want to totally remove any trace
of Shorewall from your Netfilter configuration, use of Shorewall from your Netfilter configuration, use
<quote><command>shorewall clear</command></quote>.</para> <quote><command>shorewall clear</command></quote>.</para>
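Review bot: the command is changed to "shorewall reload", but the sentence still reads "A running firewall may be restarted using ...", so the verb now describes one command and the <command> element names the other; reword to "may be reloaded using" (or add a clause stating what reload does in 5.0 compared with restart) so the reader is not left guessing which command to run. The same context line also has "or in<filename> <ulink" with the space on the wrong side of the <filename> tag; move it outside so the rendered text reads "or in /etc/shorewall/stoppedrules".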
@ -1087,7 +1085,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
</orderedlist> </orderedlist>
<para>Also, I don't recommend using <quote><command>shorewall <para>Also, I don't recommend using <quote><command>shorewall
restart</command></quote>; it is better to create an alternate reload</command></quote>; it is better to create an alternate
configuration and test it using the <quote><command>shorewall configuration and test it using the <quote><command>shorewall
try</command></quote> command.</para> try</command></quote> command.</para>
</warning></para> </warning></para>
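Review bot: replacing restart with reload in "I don't recommend using shorewall reload" changes which command the warning advises against; this matches the previous hunk, where the documented command was also changed from restart to reload, but the warning no longer says why reload is discouraged in favour of "shorewall try". A short clause noting that try lets you test an alternate configuration and fall back automatically (as the surrounding text already implies) would make the recommendation self-explanatory.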
@ -1229,8 +1227,8 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
network interface. If the wireless interface is <filename network interface. If the wireless interface is <filename
class="devicefile">wlan0</filename>, the entry might look like:</para> class="devicefile">wlan0</filename>, the entry might look like:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
loc wlan0 detect maclist</programlisting> loc wlan0 maclist</programlisting>
<para>As shown in the above entry, I recommend using the <ulink <para>As shown in the above entry, I recommend using the <ulink
url="MAC_Validation.html">maclist option</ulink> for the wireless url="MAC_Validation.html">maclist option</ulink> for the wireless
@ -1248,7 +1246,7 @@ loc wlan0 detect maclist</programlisting>
from the wireless network to the Internet. If you file looks like from the wireless network to the Internet. If you file looks like
this:</para> this:</para>
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK <programlisting>#INTERFACE SOURCE ADDRESS PROTO DPORT IPSEC MARK
eth0 10.0.0.0/8,\ eth0 10.0.0.0/8,\
169.254.0.0/16,\ 169.254.0.0/16,\
172.16.0.0/12,\ 172.16.0.0/12,\
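Review bot: the context line "If you file looks like this:" has "you" where "your" is meant, on both sides of the diff; fix it in this hunk since the masq header directly below it is already being changed to the DPORT column name.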