holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Remove documentation

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1079 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-01-13 22:23:12 +00:00
parent f22dff0fca
commit 3954d9310f
215 changed files with 0 additions and 34134 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
STABLE/documentation/6to4.htm
View File

@ -1,113 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>6to4 Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<h1 style="text-align: center;">6to4 Tunnels<br>
</h1>
<h3>The 6to4 tunnel documentation is provided by Eric de Thouars.<br>
</h3>
<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of
Shorewall only facilitates IPv6 over IPv4 tunneling. It does not
provide any IPv6
security measures.</h3>
<p>6to4 tunneling with Shorewall can be used to connect your IPv6
network to another IPv6 network over an IPv4 infrastructure</p>
<p>More information on Linux and IPv6 can be found in the <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</a>.
Details on how to setup a 6to4 tunnels are described in the section <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
of 6to4 tunnels</a>.</p>
<h2>Connecting two IPv6 Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center"> <img border="0" src="images/TwoIPv6Nets1.png"
width="745" height="427" alt=""> </p>
<p align="left">We want systems in the 2002:100:333::/64 subnetwork to
be able to communicate with the systems in the 2002:488:999::/64
network. This is accomplished through use of the /etc/shorewall/tunnels
file and the "ip" utility for network interface and routing
configuration.</p>
<p align="left">Unlike GRE and IPIP tunneling, the
/etc/shorewall/policy, /etc/shorewall/interfaces and
/etc/shorewall/zones files are not used. There is no need to declare a
zone to represent the remote IPv6 network. This
remote network is not visible on IPv4 interfaces and to iptables. All
that
is visible on the IPv4 level is an IPv4 stream which contains IPv6
traffic. Separate IPv6 interfaces and ip6tables rules need to be
defined to handle
this traffic. </p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the
following:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>6to4</td>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the
IPv6 encapsulation protocol (41) will be accepted to/from the remote
gateway.</p>
<p>Use the following commands to setup system A:</p>
<blockquote>
<p>&gt;ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2<br>
&gt;ip link set dev tun6to4 up<br>
&gt;ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4<br>
&gt;ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</p>
</blockquote>
<p>Similarly, in /etc/shorewall/tunnels on system B we have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>6to4</td>
<td>net</td>
<td>206.191.148.9</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>And use the following commands to setup system B:</p>
<blockquote>
<p>&gt;ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9<br>
&gt;ip link set dev tun6to4 up<br>
&gt;ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4<br>
&gt;ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</p>
</blockquote>
<p>On both systems, restart Shorewall and issue the configuration
commands as listed above. The systems in both IPv6 subnetworks can now
talk to each other using IPv6.</p>
<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003Thomas M. Eastep and Eric de Thouars.</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>

114
STABLE/documentation/Accounting.html
View File

@ -1,114 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Accounting</title>
<meta name="author" content="Tom Eastep">
</head>
<body>
<h1 style="text-align: center;">Shorewall and Traffic Accounting<br>
</h1>
Shorewall Traffic Accounting support was added in Shorewall release
1.4.7.<br>
<br>
Shorewall accounting rules are described in the file
/etc/shorewall/accounting. By default, the accounting rules are placed
in a chain called "accounting" and can thus be displayed using
"shorewall show accounting". All traffic passing into, out of or
through the firewall traverses the accounting chain including traffic
that will later be rejected by <a href="Documentation.htm#Interfaces">interface
options</a> such as "tcpflags" and "maclist". If your kernel doesn't
support the connection tracking match extension (Kernel 2.4.21) then
some traffic rejected under 'norfc1918' will not traverse the
accounting chain.<br>
<br>
The columns in the accounting file are as follows:<br>
<ul>
<li><span style="font-weight: bold;">ACTION</span> - What to do when
a
match is found. Possible values are:</li>
<ul>
<li>COUNT- Simply count the match and&nbsp; continue trying to
match the
packet with the following accounting rules</li>
<li>DONE- Count the match and don't attempt to match any following
accounting rules.</li>
<li>&lt;<span style="font-style: italic;">chain</span>&gt; - The
name of a chain to jump to. Shorewall will create the chain
automatically. If the name of the chain is followed by ":COUNT" then a
COUNT rule matching this rule will automatically be added to &lt;<span
style="font-style: italic;">chain</span>&gt;. Chain names must start
with a letter, must be composed of letters and digits, and may contain
underscores ("_") and periods ("."). Beginning with Shorewall version
1.4.8, chain names man also contain embedded dashes ("-") and are not
required to start with a letter.<br>
</li>
</ul>
<li><span style="font-weight: bold;">CHAIN </span>- The name of the
chain where the accounting rule is to be added. If empty or "-" then
the
"accounting" chain is assumed.<br>
</li>
<li><span style="font-weight: bold;">SOURCE</span> - Packet Source.
The name of an interface, an address (host or net) or an interface name
followed by ":" and a host or net address.</li>
<li><span style="font-weight: bold;">DESTINATION</span> - Packet
Destination Format the same as the SOURCE column.</li>
<li><span style="font-weight: bold;">PROTOCOL</span> - A protocol
name
(from /etc/protocols) or a protocol number.</li>
<li><span style="font-weight: bold;">DEST PORT</span> - Destination
Port number. Service name from /etc/services or port number. May only
be
specified if the protocol is TCP or UDP (6 or 17).</li>
<li><span style="font-weight: bold;">SOURCE PORT</span>- Source Port
number. Service name from /etc/services or port number. May only be
specified if the protocol is TCP or UDP (6 or 17).<br>
</li>
</ul>
In all columns except ACTION and CHAIN, the values "-","any" and "all"
are treated as wild-cards.<br>
&nbsp;<br>
The accounting rules are evaluated in the Netfilter 'filter' table.
This is the same environment where the 'rules' file rules are evaluated
and in this environment, DNAT has already occurred in inbound packets
and SNAT has not yet occurred on outbound ones.<br>
&nbsp;<br>
Accounting rules are not stateful -- each rule only handles traffic in
one direction. For example, if eth0 is your internet interface and you
have a web server in your DMZ connected to eth1 then to count HTTP
traffic in both directions requires two rules:&nbsp;<br>
<pre> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br> # PORT PORT<br> DONE - eth0 eth1 tcp 80<br> DONE - eth1 eth0 tcp - 80</pre>
Associating a counter with a chain allows for nice reporting. For
example:<br>
<pre> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br> # PORT PORT<br> web:COUNT - eth0 eth1 tcp 80<br> web:COUNT - eth1 eth0 tcp - 80<br> web:COUNT - eth0 eth1 tcp 443<br> web:COUNT - eth1 eth0 tcp - 443<br> DONE web<br></pre>
Now "shorewall show web" will give you a breakdown of your web traffic:<br>
<div style="margin-left: 40px;">
<pre>[root@gateway shorewall]# shorewall show web<br>Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003<br> <br>Counters reset Wed Aug 20 09:48:00 PDT 2003<br> <br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 11 1335 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 18 1962 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br> 0 0 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br> 29 3297 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0<br>[root@gateway shorewall]#</pre>
</div>
Here's a slightly different example:<br>
<pre> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br> # PORT PORT<br> web - eth0 eth1 tcp 80<br> web - eth1 eth0 tcp - 80<br> web - eth0 eth1 tcp 443<br> web - eth1 eth0 tcp - 443<br><br> COUNT web eth0 eth1<br> COUNT web eth1 eth0<br></pre>
Now "shorewall show web" simply gives you a breakdown by input and
output:<br>
<br>
<pre style="margin-left: 40px;">[root@gateway shorewall]# shorewall show accounting web <br>Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003<br> <br>Counters reset Wed Aug 20 10:24:33 PDT 2003<br> <br>Chain accounting (3 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br>11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0<br>11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0<br>[root@gateway shorewall]#<br></pre>
Here's how the same example would be constructed on a server with only
one interface (eth0):<br>
<pre style="margin-left: 40px;">#ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br># PORT PORT<br>web - eth0 - tcp 80<br>web - - eth0 tcp - 80<br>web - eth0 - tcp 443<br>web - - eth0 tcp - 443<br><br>COUNT web eth0 -<br>COUNT web - eth0<br></pre>
Note that with only one interface, only the SOURCE (for input rules) or
the DESTINATION (for output rules) is specified in each rule.<br>
<br>
Here's the output:<br>
<pre style="margin-left: 40px;">[root@mail shorewall]# shorewall show accounting web <br>Shorewall-1.4.7 Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003<br> <br>Counters reset Sat Oct 11 08:12:57 PDT 2003<br> <br>Chain accounting (3 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 0 0 web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br>11506 13M web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br>11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0<br>[root@mail shorewall]#<br></pre>
<p align="left"><font size="2">Last updated 10/30/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

226
STABLE/documentation/CorpNetwork.htm
View File

@ -1,226 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
<title>Corporate Shorewall Configuration</title>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta content="Microsoft FrontPage 5.0" name="GENERATOR">
<meta content="FrontPage.Editor.Document" name="ProgId">
<meta content="none" name="Microsoft Theme">
<meta content="Graeme Boyle" name="author">
</head>
<body>
<script><!--
function PrivoxyWindowOpen(){return(null);}
//--></script>
<blockquote></blockquote>
<h1 style="text-align: center;">Corporate Network</h1>
<p><font color="#ff0000" size="4"><b>Notes</b></font><big><font
color="#ff0000"><b>:</b></font></big></p>
<blockquote>
<ul>
<li><b>This configuration is used on a corporate network that has a
Linux (RedHat 8.0) server with three interfaces, running Shorewall
1.4.5 release,</b> </li>
<li><b>Make sure you know what public IP addresses are currently
being used and verify these </b><i>before</i><b> starting.</b> </li>
<li><b>Verify your DNS settings </b><i>before</i><b> starting any
Shorewall configuration especially if you have split DNS.</b> </li>
<li><b>System names and Internet IP addresses have been changed to
protect the innocent.</b> </li>
</ul>
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This
configuration
uses a combination of Static NAT and Proxy ARP. This is generally not
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
If you have just a single public IP address, most of what you see here
won't apply to your setup so beware of copying parts of this
configuration
and expecting them to work for you. What you copy may or may not work
in your configuration.<br>
</small></b></big><br>
</p>
<p>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
internet is connected to eth0. The local network is connected via eth1
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I
have an IPSec tunnel connecting our offices in Germany to our offices
in the US. I host two Microsoft Exchange servers for two different
companies behind
the firewall hence, the two Exchange servers in the diagram below.</p>
<p>Summary:<br>
</p>
<ul>
<li>SNAT for all systems connected to the LAN - Internal addresses
10.10.x.x to external address 192.0.18.127. </li>
<li>Static NAT for <i>Polaris</i> (Exchange Server #2). Internal
address 10.10.1.8 and external address 192.0.18.70. </li>
<li>Static NAT for <i>Sims</i> (Inventory Management server).
Internal address 10.10.1.56 and external address 192.0.18.75.<br>
</li>
<li>Static NAT for <i>Project</i> (Project Web Server). Internal
address 10.10.1.55 and external address 192.0.18.84. </li>
<li>Static NAT for <i>Fortress</i> (Exchange Server). Internal
address 10.10.1.252 and external address 192.0.18.93. </li>
<li>Static NAT for <i>BBSRV</i> (Blackberry Server). Internal
address 10.10.1.230 and external address 192.0.18.97. </li>
<li>Static NAT for <i>Intweb</i> (Intranet Web Server). Internal
address 10.10.1.60 and external address 192.0.18.115. </li>
</ul>
<p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard
with RH8.0.</p>
<p>The Firewall is also a proxy server running Privoxy 3.0.</p>
<p>The single system in the DMZ (address 192.0.18.80) runs sendmail,
imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd
1.1.0). That server is managed through Proxy ARP.</p>
<p>All administration and publishing is done using ssh/scp. I have X
installed on the firewall and the system in the DMZ. X applications
tunnel through SSH to Hummingbird Exceed running on a PC located in the
LAN. Access to the firewall using SSH is restricted to systems in the
LAN, DMZ or the system Kaos which is on the Internet and managed by me.</p>
<p align="center"><img height="1000" alt="(Corporate Network Diagram)"
src="images/CorpNetwork.gif" width="770" border="0"> </p>
<p></p>
<p>The Ethernet 0 interface in the Server is configured with IP
address 192.0.18.68, netmask 255.255.255.192. The server's default
gateway is 192.0.18.65, the Router connected to my network and the ISP.
This is the same default gateway used by the firewall itself. On the
firewall, Shorewall automatically adds a host route to 192.0.18.80
through Ethernet 2 (192.168.21.1) because of the entry in
/etc/shorewall/proxyarp (see below). I modified the start, stop and
init scripts to include the fixes suggested when having an IPSec tunnel.</p>
<p><b>Some Mistakes I Made:</b></p>
<p>Yes, believe it or not, I made some really basic mistakes when
building this firewall. Firstly, I had the new firewall setup in
parallel with the
old firewall so that there was no interruption of service to my users.
During my out-bound testing, I set up systems on the LAN to utilize the
firewall which worked fine. When testing my NAT connections, from the
outside,
these would fail and I could not understand why. Eventually, I changed
the default route on the internal system I was trying to access, to
point
to the new firewall and "bingo", everything worked as expected. This
oversight
delayed my deployment by a couple of days not to mention level of
frustration
it produced. </p>
<p>Another problem that I encountered was in setting up the Proxyarp
system in the DMZ. Initially I forgot to remove the entry for the eth2
from the /etc/shorewall/masq file. Once my file settings were correct,
I started verifying that the ARP caches on the firewall, as well as the
outside system "kaos", were showing the correct Ethernet MAC address.
However, in testing remote access, I could access the system in the DMZ
only from the firewall
and LAN but not from the Internet. The message I received was
"connection
denied" on all protocols. What I did not realize was that a "helpful"
administrator that had turned on an old system and assigned the same
address
as the one I was using for Proxyarp without notifying me. How did I
work
this out. I shutdown the system in the DMZ, rebooted the router and
flushed
the ARP cache on the firewall and kaos. Then, from kaos, I started
pinging
that IP address and checked the updated ARP cache and lo-and-behold a
different MAC address showed up. High levels of frustration etc., etc.
The administrator will <i>not</i> be doing that again! :-)</p>
<p><b>Lessons Learned:</b></p>
<ul>
<li>Read the documentation. </li>
<li>Draw your network topology before starting. </li>
<li>Understand what services you are going to allow in and out of
the firewall, whether they are TCP or UDP packets and make a note of
these port numbers. </li>
<li>Try to get quiet time to build the firewall - you need to focus
on the job at hand. </li>
<li>When asking for assistance, be honest and include as much
detail as requested. Don't try and hide IP addresses etc., you will
probably screw up the logs and make receiving assistance harder. </li>
<li>Read the documentation. </li>
</ul>
<p><b>Futures:</b></p>
<p>This is by no means the final configuration. In the near future, I
will be moving more systems from the LAN to the DMZ. I will also be
watching the logs for port scan programs etc. but, this should be
standard security maintenance.</p>
<p>Here are copies of my files. I have removed most of the internal
documentation
for the purpose of this space however, my system still has the original
files with all the comments and I highly recommend you do the same.</p>
</blockquote>
<h3>Shorewall.conf</h3>
<blockquote>
<pre>##############################################################################<br># /etc/shorewall/shorewall.conf V1.4 - Change the following variables to<br># match your setup<br>#<br># This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]<br>#<br># This file should be placed in /etc/shorewall<br>#<br># (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)<br>##############################################################################<br># L O G G I N G<br>##############################################################################<br>LOGFILE=/var/log/messages<br>LOGFORMAT="Shorewall:%s:%s:"<br>LOGRATE=<br>LOGBURST=<br>LOGUNCLEAN=info<br>BLACKLIST_LOGLEVEL=<br>LOGNEWNOTSYN=<br>MACLIST_LOG_LEVEL=info<br>TCP_FLAGS_LOG_LEVEL=debug<br>RFC1918_LOG_LEVEL=debug<br>PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br>SUBSYSLOCK=/var/lock/subsys/shorewall<br>STATEDIR=/var/lib/shorewall<br>MODULESDIR=<br>FW=fw<br>NAT_ENABLED=Yes<br>MANGLE_ENABLED=Yes<br>IP_FORWARDING=On<br>ADD_IP_ALIASES=Yes<br>ADD_SNAT_ALIASES=Yes<br>TC_ENABLED=Yes<br>CLEAR_TC=No<br>MARK_IN_FORWARD_CHAIN=No<br>CLAMPMSS=No<br>ROUTE_FILTER=Yes<br>NAT_BEFORE_RULES=No<br>MULTIPORT=Yes<br>DETECT_DNAT_IPADDRS=Yes<br>MUTEX_TIMEOUT=60<br>NEWNOTSYN=Yes<br>BLACKLIST_DISPOSITION=DROP<br>MACLIST_DISPOSITION=REJECT<br>TCP_FLAGS_DISPOSITION=DROP<br>#LAST LINE -- DO NOT REMOVE<br><br></pre>
</blockquote>
<h3>Zones File</h3>
<blockquote>
<pre><font face="Courier">#<br># Shorewall 1.4 -- Sample Zone File For Two Interfaces<br># /etc/shorewall/zones<br>#<br># This file determines your network zones. Columns are:<br>#<br># ZONE Short name of the zone<br># DISPLAY Display name of the zone<br># COMMENTS Comments about the zone<br>#<br>#ZONE DISPLAY COMMENTS<br>net Net Internet<br>loc Local Local Networks<br>dmz DMZ Demilitarized Zone<br>vpn1 VPN1 VPN to Germany<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font><font
face="Courier" size="2"><br></font></pre>
</blockquote>
<h3>Interfaces File: </h3>
<blockquote>
<p>##############################################################################<br>
#ZONE INTERFACE BROADCAST OPTIONS<br>
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
loc eth1 detect dhcp,routefilter<br>
dmz eth2 detect<br>
vpn1 ipsec0<br>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
</blockquote>
<h3>Routestopped File:</h3>
<blockquote>
<pre><font face="Courier">#INTERFACE HOST(S)<br>eth1 -<br>eth2 -<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font><font
face="Courier" size="2"> </font></pre>
</blockquote>
<h3>Policy File:</h3>
<blockquote>
<pre>###############################################################################<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>loc fw ACCEPT<br>loc dmz ACCEPT<br># If you want open access to the Internet from your Firewall <br># remove the comment from the following line.<br>fw net ACCEPT<br>fw loc ACCEPT<br>fw dmz ACCEPT<br>dmz fw ACCEPT<br>dmz loc ACCEPT<br>dmz net ACCEPT<br># <br># Adding VPN Access<br>loc vpn1 ACCEPT<br>dmz vpn1 ACCEPT<br>fw vpn1 ACCEPT<br>vpn1 loc ACCEPT<br>vpn1 dmz ACCEPT<br>vpn1 fw ACCEPT<br>#<br>net all DROP info<br>all all REJECT info<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<h3>Masq File: </h3>
<blockquote>
<pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 1192.0.18.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<h3>NAT File: </h3>
<blockquote>
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>192.0.18.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>192.0.18.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>192.0.18.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>192.0.18.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>192.0.18.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>192.0.18.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<h3>Proxy ARP File:</h3>
<blockquote>
<pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>192.0.18.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </font></pre>
</blockquote>
<h3>Tunnels File:</h3>
<blockquote>
<pre># TYPE ZONE GATEWAY GATEWAY ZONE PORT<br>ipsec net 134.147.129.82<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
<h3>Rules File (The shell variables are set in /etc/shorewall/params):</h3>
<blockquote>
<pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:192.0.18.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
<h3>Start File:</h3>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/start<br>#<br># Add commands below that you want to be executed after shorewall has<br># been started or restarted.<br>#<br>qt service ipsec start<br></pre>
</blockquote>
<h3>Stop File:</h3>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/stop<br>#<br># Add commands below that you want to be executed at the beginning of a<br># "shorewall stop" command.<br>#<br>qt service ipsec stop</pre>
</blockquote>
<h3>Init File:</h3>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/init<br>#<br># Add commands below that you want to be executed at the beginning of<br># a "shorewall start" or "shorewall restart" command.<br>#<br>qt service ipsec stop<br></pre>
</blockquote>
<p><font size="2">Last updated 7/16/2003</font>
<script><!--
function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));}
//</script>
<br>
</p>
<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep
and
Graeme Boyle</a></small><br>
</p>
<br>
<br>
</body>
</html>

2850
STABLE/documentation/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

31
STABLE/documentation/Documentation_Index.htm
View File

@ -1,31 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>The Documentation Index</title>
</head>
<body>
<h1 align="center">The Shorewall Documentation Index</h1>
<h1 align="center">has Moved <a
href="shorewall_quickstart_guide.htm#Documentation">Here</a></h1>
<p><font size="2"> Last updated 8/9/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p> <a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>
</body>
</html>

76
STABLE/documentation/ECN.html
View File

@ -1,76 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall and ECN</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<br>
<h1 style="text-align: center;">ECN<br>
</h1>
Explicit Congestion Notification (ECN) is described in RFC 3168 and is
a proposed internet standard. Unfortunately, not all sites support ECN
and when
a TCP connection offering ECN is sent to sites that don't support it,
the
result is often that the connection request is ignored.<br>
<br>
To allow ECN to be used, Shorewall allows you to enable ECN on your
Linux systems then disable it in your firewall when the destination
matches a list that you create (the /etc/shorewall/ecn file).<br>
<br>
You enable ECN by<br>
<br>
<blockquote>
<pre><b><font color="#009900">echo 1 &gt; /proc/sys/net/ipv4/tcp_ecn</font></b></pre>
</blockquote>
You must arrange for that command to be executed at system boot. Most
distributions have a method for doing that -- on RedHat, you make an
entry in /etc/sysctl.conf.<br>
<br>
<blockquote>
<pre><b><font color="#009900">net.ipv4.tcp_ecn = 1<br><br></font></b></pre>
</blockquote>
Entries in /etc/shorewall/ecn have two columns as follows:<br>
<br>
INTERFACE&nbsp;&nbsp;&nbsp; - The name of an interface on your system<br>
<br>
HOST(S)&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; - An address (host or
subnet) of a system or group of systems accessed through the
&nbsp;interface in the first column. You may include a comma-separated
list of such addresses in this column. <br>
<br>
Example: Your external interface is eth0 and you want to disable ECN
for tcp connections to 192.0.2.0/24:<br>
<br>
In /etc/shorewall/ecn:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>HOST(S)<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0<br>
</td>
<td valign="top">192.0.2.0/24<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<font size="2">Last updated 3/28/2003 - <a href="support.htm">Tom
Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</body>
</html>

1206
STABLE/documentation/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

205
STABLE/documentation/FTP.html
View File

@ -1,205 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall and FTP</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<h2></h2>
<blockquote> </blockquote>
<h1 style="text-align: center;">Shorewall and FTP<br>
</h1>
<p>FTP transfers involve two TCP connections. The first <u>control</u>
connection goes from the FTP client to port 21 on the FTP server. This
connection is used for logon and to send commands and responses between
the endpoints. Data transfers (including the output of "ls" and "dir"
commands) requires a second <u>data</u> connection. The data
connection is dependent on the <u>mode</u>
that the client is operating in:<br>
</p>
<ul>
<li>Passive Mode (default for web browsers) -- The client issues a
PASV command. Upon receipt of this command, the server listens on a
dynamically-allocated port then sends a PASV reply to the client. The
PASV reply gives the IP address
and port number that the server is listening on. The client then opens
a
second connection to that IP address and port number.</li>
<li>Active Mode (often the default for line-mode clients) -- The
client listens on a dynamically-allocated port then sends a PORT
command to the server. The PORT command gives the IP address and port
number that the client is listening on. The server then opens a
connection to that IP address and port number; the <u>source port</u>
for this connection is 20 (ftp-data in /etc/services).</li>
</ul>
You can see these commands in action using your linux ftp command-line
client in debugging mode. Note that my ftp client defaults to passive
mode and that I can toggle between passive and active mode by issuing a
"passive" command:<br>
<blockquote>
<pre>[teastep@wookie Shorewall]$ <font color="#009900"><b>ftp ftp1.shorewall.net<br></b></font>Connected to lists.shorewall.net.<br>220-=(&lt;*&gt;)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(&lt;*&gt;)=-<br>220-You are user number 1 of 50 allowed.<br>220-Local time is now 10:21 and the load is 0.14. Server port: 21.<br>220 You will be disconnected after 15 minutes of inactivity.<br>500 Security extensions not implemented<br>500 Security extensions not implemented<br>KERBEROS_V4 rejected as an authentication type<br>Name (ftp1.shorewall.net:teastep): ftp<br>331-Welcome to ftp.shorewall.net<br>331-<br>331 Any password will work<br>Password:<br>230 Any password will work<br>Remote system type is UNIX.<br>Using binary mode to transfer files.<br>ftp&gt; <font
color="#009900"><b>debug<br></b></font>Debugging on (debug=1).<br>ftp&gt; <font
color="#009900"><b>ls<br></b></font><b>---&gt; PASV</b><br><b>227 Entering Passive Mode (192,168,1,193,195,210)</b><br>---&gt; LIST<br>150 Accepted data connection<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt; <font
color="#009900"><b>passive<br></b></font>Passive mode off.<br>ftp&gt; <font
color="#009900"><b>ls<br></b></font><b>---&gt; PORT 192,168,1,3,142,58</b><br>200 PORT command successful<br>---&gt; LIST<br>150 Connecting to port 36410<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp&gt;<br></pre>
</blockquote>
Things to notice:<br>
<ol>
<li>The commands that I issued are in <b><font color="#009900">green.</font></b><br>
</li>
<li>Commands sent by the client to the server are preceded by <b>---&gt;</b></li>
<li>Command responses from the server over the control connection are
numbered.<br>
</li>
<li>FTP uses a comma as a separator between the bytes of the IP
address; and</li>
<li>When sending a port number, FTP sends the MSB then the LSB and
separates the two bytes by a comma. As shown in the PORT command, port
142,58 translates
to 142*256+58 = 36410.<br>
</li>
</ol>
Given the normal loc-&gt;net policy of ACCEPT, passive mode access from
local clients to remote servers will always work but active mode
requires the firewall to dynamically open a "hole" for the server's
connection back to the client. Similarly, if you are running an FTP
server in your local
zone then active mode should always work but passive mode requires the
firewall to dynamically open a "hole" for the client's second
connection to the server. This is the role of FTP connection-tracking
support in the Linux kernel.
<div align="left"><br>
Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is
involved, the PORT commands and PASV responses may also need to be
modified by the firewall. This is the job of the FTP nat support kernel
function.<br>
</div>
<p>Including FTP connection-tracking and NAT support normally means
that the
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded.
Shorewall automatically
loads these "helper" modules from /lib/modules/&lt;<i>kernel-version&gt;</i>/kernel/net/ipv4/netfilter/
and you can determine if they are loaded using the 'lsmod' command:<br>
</p>
<blockquote>
<p>Example:<br>
</p>
<blockquote>
<pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre>
</blockquote>
</blockquote>
<blockquote> </blockquote>
<p>If you want Shorewall to load these modules from an alternate
directory, you need to set the MODULESDIR variable in
/etc/shorewall/shorewall.conf to point to that directory.<br>
</p>
<p>Server configuration is covered in <a href="Documentation.htm#Rules">the
/etc/shorewall/rules documentation</a>,<br>
</p>
<p>For a client, you must open outbound TCP port 21.&nbsp;<br>
</p>
<p>The above discussion about commands and responses makes it clear
that the
FTP connection-tracking and NAT helpers must scan the traffic on the
control
connection looking for PASV and PORT commands as well as PASV
responses. If
you run an FTP server on a nonstandard port or you need to access such
a server,&nbsp; you must therefore let the helpers know by specifying
the port
in /etc/shorewall/modules entries for the helpers. <span
style="font-weight: bold;">For example, if you
run an FTP server that listens on port 49 or you need to access a
server on the internet that listens on that port then you would have:</span><br>
</p>
<blockquote>
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
loadmodule ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you
may have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before
Shorewall starts, then you should include the port list in
/etc/modules.conf:<br>
</p>
<blockquote>
<p>options ip_conntrack_ftp ports=21,49<br>
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p><b>IMPORTANT: </b>Once you have made these changes to
/etc/shorewall/modules and/or /etc/modules.conf, you must either:<br>
</p>
<ol>
<li>Unload the modules and restart shorewall: (<b><font
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall
restart</font></b>); or</li>
<li>Reboot</li>
</ol>
One problem that I see occasionally involves active mode and the FTP
server in my DMZ. I see the active data connection <u>to certain
client IP addresses</u> being continuously rejected by my firewall. It
is my conjecture that there is some broken client out there that is
sending a PORT command that is being either missed or mis-interpreted
by the FTP connection tracking helper yet it is being accepted by my
FTP server. My solution is to add the following rule:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE<br>
PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL<br>
DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT:info<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">-<br>
</td>
<td valign="top">20<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
The above rule accepts and logs all active mode connections from my DMZ
to the net.<br>
<blockquote>
<p> </p>
</blockquote>
<blockquote> </blockquote>
<p><font size="2">Last updated 9/17/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
</body>
</html>

45
STABLE/documentation/Forum.html
View File

@ -1,45 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Support Forum</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Support Forum</font></h1>
</td>
</tr>
</tbody>
</table>
<h3><font color="#ff6633"></font></h3>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="support.htm">Shorewall Support Guide</a>.</h1>
<p><a href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a><br>
</p>
<p><font size="2">Updated 3/6/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2003 Thomas M. Eastep.</font></a></p>
<br>
<br>
</body>
</html>

194
STABLE/documentation/GenericTunnels.html
View File

@ -1,194 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Generic Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<h1 style="text-align: center;">Generic Tunnels<br>
</h1>
Shorewall includes built-in support for a wide range of VPN solutions.
If you have need for a tunnel type that does not have explicit support,
you can generally describe the tunneling software using "generic
tunnels"<br>
<h2>Bridging two Masqueraded Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center"> <img border="0" src="images/TwoNets1.png"
width="745" height="427"> </p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
able to communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file, the
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
included with Shorewall.<br>
</p>
<p align="left">Suppose that you have tunneling software that uses two
different protocols:<br>
</p>
<p align="left">a) TCP port 1071<br>
b) GRE (Protocol 47)<br>
c) The tunnel interface on system A is "tun0" and the tunnel interface
on system B is also "tun0".<br>
</p>
<p align="left">On each firewall, you will need to declare a zone to
represent the remote subnet. We'll assume that this zone is called
'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
zone.
In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>vpn</td>
<td>tun0</td>
<td>10.255.255.255</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the
following:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>generic:tcp:1071<br>
</td>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
</tr>
<tr>
<td style="vertical-align: top;">generic:47<br>
</td>
<td style="vertical-align: top;">net<br>
</td>
<td style="vertical-align: top;">134.28.54.2<br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p>These entries in /etc/shorewall/tunnels, opens the firewall so that
TCP port 1071 and the Generalized Routing Encapsulation Protocol (47)
will be accepted to/from the remote gateway.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>vpn</td>
<td>tun0</td>
<td>192.168.1.255</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>In /etc/shorewall/tunnels on system B, we have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>generic:tcp:1071<br>
</td>
<td>net</td>
<td>206.191.148.9</td>
<td>&nbsp;</td>
</tr>
<tr>
<td style="vertical-align: top;">generic:47<br>
</td>
<td style="vertical-align: top;">net<br>
</td>
<td style="vertical-align: top;">134.28.54.2<br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"> You will need to allow traffic between the "vpn" zone
and the "loc" zone on both systems -- if you simply want to admit all
traffic in both directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>On both systems, restart Shorewall and start your VPN software on
each system. The systems in the two masqueraded subnetworks
can now talk to each other</p>
<p><font size="2">Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
<br>
<br>
</body>
</html>

420
STABLE/documentation/GnuCopyright.htm
View File

@ -1,420 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Copyright</title>
</head>
<body>
<h1 style="text-align: center;">GNU Free Documentation License<br>
</h1>
<p>Version 1.1, March 2000 </p>
<pre>Copyright (C) 2000 Free Software Foundation, Inc.<br>59 Temple Place, Suite 330, Boston, MA 02111-1307 USA<br>Everyone is permitted to copy and distribute verbatim copies<br>of this license document, but changing it is not allowed.<br></pre>
<p><strong>0. PREAMBLE</strong> </p>
<p>The purpose of this License is to make a manual, textbook, or other
written document "free" in the sense of freedom: to assure everyone the
effective freedom to copy and redistribute it, with or without
modifying it, either commercially or noncommercially. Secondarily, this
License preserves for
the author and publisher a way to get credit for their work, while not
being considered responsible for modifications made by others. </p>
<p>This License is a kind of "copyleft", which means that derivative
works
of the document must themselves be free in the same sense. It
complements
the GNU General Public License, which is a copyleft license designed
for
free software. </p>
<p>We have designed this License in order to use it for manuals for
free software,
because free software needs free documentation: a free program should
come
with manuals providing the same freedoms that the software does. But
this License is not limited to software manuals; it can be used for any
textual
work, regardless of subject matter or whether it is published as a
printed
book. We recommend this License principally for works whose purpose is
instruction
or reference. </p>
<p><strong>1. APPLICABILITY AND DEFINITIONS</strong> </p>
<p>This License applies to any manual or other work that contains a
notice placed by the copyright holder saying it can be distributed
under the terms
of this License. The "Document", below, refers to any such manual or
work.
Any member of the public is a licensee, and is addressed as "you". </p>
<p>A "Modified Version" of the Document means any work containing the
Document or a portion of it, either copied verbatim, or with
modifications and/or translated
into another language. </p>
<p>A "Secondary Section" is a named appendix or a front-matter section
of
the Document that deals exclusively with the relationship of the
publishers
or authors of the Document to the Document's overall subject (or to
related matters) and contains nothing that could fall directly within
that overall subject. (For example, if the Document is in part a
textbook of mathematics,
a Secondary Section may not explain any mathematics.) The relationship
could
be a matter of historical connection with the subject or with related
matters,
or of legal, commercial, philosophical, ethical or political position
regarding
them. </p>
<p>The "Invariant Sections" are certain Secondary Sections whose titles
are designated, as being those of Invariant Sections, in the notice
that says
that the Document is released under this License. </p>
<p>The "Cover Texts" are certain short passages of text that are
listed,
as Front-Cover Texts or Back-Cover Texts, in the notice that says that
the
Document is released under this License. </p>
<p>A "Transparent" copy of the Document means a machine-readable copy,
represented
in a format whose specification is available to the general public,
whose
contents can be viewed and edited directly and straightforwardly with
generic
text editors or (for images composed of pixels) generic paint programs
or
(for drawings) some widely available drawing editor, and that is
suitable
for input to text formatters or for automatic translation to a variety
of
formats suitable for input to text formatters. A copy made in an
otherwise
Transparent file format whose markup has been designed to thwart or
discourage
subsequent modification by readers is not Transparent. A copy that is
not
"Transparent" is called "Opaque". </p>
<p>Examples of suitable formats for Transparent copies include plain
ASCII without markup, Texinfo input format, LaTeX input format, SGML or
XML using
a publicly available DTD, and standard-conforming simple HTML designed
for
human modification. Opaque formats include PostScript, PDF, proprietary
formats
that can be read and edited only by proprietary word processors, SGML
or
XML for which the DTD and/or processing tools are not generally
available,
and the machine-generated HTML produced by some word processors for
output
purposes only. </p>
<p>The "Title Page" means, for a printed book, the title page itself,
plus
such following pages as are needed to hold, legibly, the material this
License requires to appear in the title page. For works in formats
which do not have
any title page as such, "Title Page" means the text near the most
prominent appearance of the work's title, preceding the beginning of
the body of the
text. </p>
<p><strong>2. VERBATIM COPYING</strong> </p>
<p>You may copy and distribute the Document in any medium, either
commercially or noncommercially, provided that this License, the
copyright notices, and
the license notice saying this License applies to the Document are
reproduced
in all copies, and that you add no other conditions whatsoever to those
of
this License. You may not use technical measures to obstruct or control
the
reading or further copying of the copies you make or distribute.
However,
you may accept compensation in exchange for copies. If you distribute a
large
enough number of copies you must also follow the conditions in section
3.
</p>
<p>You may also lend copies, under the same conditions stated above,
and
you may publicly display copies. </p>
<p><strong>3. COPYING IN QUANTITY</strong> </p>
<p>If you publish printed copies of the Document numbering more than
100,
and the Document's license notice requires Cover Texts, you must
enclose
the copies in covers that carry, clearly and legibly, all these Cover
Texts:
Front-Cover Texts on the front cover, and Back-Cover Texts on the back
cover.
Both covers must also clearly and legibly identify you as the publisher
of
these copies. The front cover must present the full title with all
words
of the title equally prominent and visible. You may add other material
on
the covers in addition. Copying with changes limited to the covers, as
long
as they preserve the title of the Document and satisfy these
conditions,
can be treated as verbatim copying in other respects. </p>
<p>If the required texts for either cover are too voluminous to fit
legibly,
you should put the first ones listed (as many as fit reasonably) on the
actual cover, and continue the rest onto adjacent pages. </p>
<p>If you publish or distribute Opaque copies of the Document numbering
more than 100, you must either include a machine-readable Transparent
copy along
with each Opaque copy, or state in or with each Opaque copy a
publicly-accessible computer-network location containing a complete
Transparent copy of the Document,
free of added material, which the general network-using public has
access
to download anonymously at no charge using public-standard network
protocols.
If you use the latter option, you must take reasonably prudent steps,
when
you begin distribution of Opaque copies in quantity, to ensure that
this Transparent
copy will remain thus accessible at the stated location until at least
one
year after the last time you distribute an Opaque copy (directly or
through
your agents or retailers) of that edition to the public. </p>
<p>It is requested, but not required, that you contact the authors of
the Document well before redistributing any large number of copies, to
give them
a chance to provide you with an updated version of the Document. </p>
<p><strong>4. MODIFICATIONS</strong> </p>
<p>You may copy and distribute a Modified Version of the Document under
the conditions of sections 2 and 3 above, provided that you release the
Modified Version under precisely this License, with the Modified
Version filling the
role of the Document, thus licensing distribution and modification of
the
Modified Version to whoever possesses a copy of it. In addition, you
must
do these things in the Modified Version: </p>
<p>&nbsp;</p>
<ul>
<li><strong>A.</strong> Use in the Title Page (and on the covers, if
any)
a title distinct from that of the Document, and from those of previous
versions (which should, if there were any, be listed in the History
section
of the Document). You may use the same title as a previous version if
the
original publisher of that version gives permission. </li>
<li><strong>B.</strong> List on the Title Page, as authors, one or
more persons or entities responsible for authorship of the
modifications in
the Modified Version, together with at least five of the principal
authors
of the Document (all of its principal authors, if it has less than
five). </li>
<li><strong>C.</strong> State on the Title page the name of the
publisher
of the Modified Version, as the publisher. </li>
<li><strong>D.</strong> Preserve all the copyright notices of the
Document. </li>
<li><strong>E.</strong> Add an appropriate copyright notice for your
modifications adjacent to the other copyright notices. </li>
<li><strong>F.</strong> Include, immediately after the copyright
notices,
a license notice giving the public permission to use the Modified
Version
under the terms of this License, in the form shown in the Addendum
below. </li>
<li><strong>G.</strong> Preserve in that license notice the full
lists
of Invariant Sections and required Cover Texts given in the Document's
license notice. </li>
<li><strong>H.</strong> Include an unaltered copy of this License. </li>
<li><strong>I.</strong> Preserve the section entitled "History", and
its title, and add to it an item stating at least the title, year, new
authors, and publisher of the Modified Version as given on the Title
Page. If there
is no section entitled "History" in the Document, create one stating
the
title, year, authors, and publisher of the Document as given on its
Title
Page, then add an item describing the Modified Version as stated in the
previous sentence. </li>
<li><strong>J.</strong> Preserve the network location, if any, given
in
the Document for public access to a Transparent copy of the Document,
and
likewise the network locations given in the Document for previous
versions
it was based on. These may be placed in the "History" section. You may
omit a network location for a work that was published at least four
years
before the Document itself, or if the original publisher of the version
it refers to gives permission. </li>
<li><strong>K.</strong> In any section entitled "Acknowledgements" or
"Dedications", preserve the section's title, and preserve in the
section
all the substance and tone of each of the contributor acknowledgements
and/or dedications given therein. </li>
<li><strong>L.</strong> Preserve all the Invariant Sections of the
Document, unaltered in their text and in their titles. Section numbers
or the equivalent are not considered part of the section titles. </li>
<li><strong>M.</strong> Delete any section entitled "Endorsements".
Such
a section may not be included in the Modified Version. </li>
<li><strong>N.</strong> Do not retitle any existing section as
"Endorsements" or to conflict in title with any Invariant Section. </li>
</ul>
<p>If the Modified Version includes new front-matter sections or
appendices
that qualify as Secondary Sections and contain no material copied from
the
Document, you may at your option designate some or all of these
sections
as invariant. To do this, add their titles to the list of Invariant
Sections
in the Modified Version's license notice. These titles must be distinct
from
any other section titles. </p>
<p>You may add a section entitled "Endorsements", provided it contains
nothing but endorsements of your Modified Version by various
parties--for example, statements of peer review or that the text has
been approved by an organization as the authoritative definition of a
standard. </p>
<p>You may add a passage of up to five words as a Front-Cover Text, and
a passage of up to 25 words as a Back-Cover Text, to the end of the
list of
Cover Texts in the Modified Version. Only one passage of Front-Cover
Text
and one of Back-Cover Text may be added by (or through arrangements
made
by) any one entity. If the Document already includes a cover text for
the
same cover, previously added by you or by arrangement made by the same
entity
you are acting on behalf of, you may not add another; but you may
replace
the old one, on explicit permission from the previous publisher that
added
the old one. </p>
<p>The author(s) and publisher(s) of the Document do not by this
License
give permission to use their names for publicity for or to assert or
imply endorsement of any Modified Version. </p>
<p><strong>5. COMBINING DOCUMENTS</strong> </p>
<p>You may combine the Document with other documents released under
this License,
under the terms defined in section 4 above for modified versions,
provided
that you include in the combination all of the Invariant Sections of
all
of the original documents, unmodified, and list them all as Invariant
Sections
of your combined work in its license notice. </p>
<p>The combined work need only contain one copy of this License, and
multiple identical Invariant Sections may be replaced with a single
copy. If there
are multiple Invariant Sections with the same name but different
contents,
make the title of each such section unique by adding at the end of it,
in
parentheses, the name of the original author or publisher of that
section
if known, or else a unique number. Make the same adjustment to the
section
titles in the list of Invariant Sections in the license notice of the
combined
work. </p>
<p>In the combination, you must combine any sections entitled "History"
in
the various original documents, forming one section entitled "History";
likewise combine any sections entitled "Acknowledgements", and any
sections entitled "Dedications". You must delete all sections entitled
"Endorsements." </p>
<p><strong>6. COLLECTIONS OF DOCUMENTS</strong> </p>
<p>You may make a collection consisting of the Document and other
documents released under this License, and replace the individual
copies of this License in the various documents with a single copy that
is included in the collection, provided that you follow the rules of
this License for verbatim copying of
each of the documents in all other respects. </p>
<p>You may extract a single document from such a collection, and
distribute
it individually under this License, provided you insert a copy of this
License
into the extracted document, and follow this License in all other
respects
regarding verbatim copying of that document. </p>
<p><strong>7. AGGREGATION WITH INDEPENDENT WORKS</strong> </p>
<p>A compilation of the Document or its derivatives with other separate
and independent documents or works, in or on a volume of a storage or
distribution medium, does not as a whole count as a Modified Version of
the Document, provided
no compilation copyright is claimed for the compilation. Such a
compilation
is called an "aggregate", and this License does not apply to the other
self-contained
works thus compiled with the Document, on account of their being thus
compiled,
if they are not themselves derivative works of the Document. </p>
<p>If the Cover Text requirement of section 3 is applicable to these
copies
of the Document, then if the Document is less than one quarter of the
entire aggregate, the Document's Cover Texts may be placed on covers
that surround
only the Document within the aggregate. Otherwise they must appear on
covers
around the whole aggregate. </p>
<p><strong>8. TRANSLATION</strong> </p>
<p>Translation is considered a kind of modification, so you may
distribute translations of the Document under the terms of section 4.
Replacing Invariant Sections with translations requires special
permission from their copyright holders, but you may include
translations of some or all Invariant Sections
in addition to the original versions of these Invariant Sections. You
may
include a translation of this License provided that you also include
the
original English version of this License. In case of a disagreement
between
the translation and the original English version of this License, the
original
English version will prevail. </p>
<p><strong>9. TERMINATION</strong> </p>
<p>You may not copy, modify, sublicense, or distribute the Document
except
as expressly provided for under this License. Any other attempt to
copy,
modify, sublicense or distribute the Document is void, and will
automatically
terminate your rights under this License. However, parties who have
received
copies, or rights, from you under this License will not have their
licenses
terminated so long as such parties remain in full compliance. </p>
<p><strong>10. FUTURE REVISIONS OF THIS LICENSE</strong> </p>
<p>The Free Software Foundation may publish new, revised versions of
the
GNU Free Documentation License from time to time. Such new versions
will
be similar in spirit to the present version, but may differ in detail
to
address new problems or concerns. See http://www.gnu.org/copyleft/. </p>
<p>Each version of the License is given a distinguishing version
number.
If the Document specifies that a particular numbered version of this
License
"or any later version" applies to it, you have the option of following
the
terms and conditions either of that specified version or of any later
version
that has been published (not as a draft) by the Free Software
Foundation.
If the Document does not specify a version number of this License, you
may
choose any version ever published (not as a draft) by the Free Software
Foundation.
</p>
<p align="left">&nbsp;</p>
<br>
</body>
</html>

204
STABLE/documentation/IPIP.htm
View File

@ -1,204 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>GRE/IPIP Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<h1 style="text-align: center;">GRE and IPIP Tunnels<br>
</h1>
<h3><font color="#ff6633">Warning: </font>GRE and IPIP Tunnels are
insecure when used over the internet; use them at your own risk</h3>
<p>GRE and IPIP tunneling with Shorewall can be used to bridge two
masqueraded networks.</p>
<p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux
Advanced Routing and Shaping HOWTO</a> work fine with Shorewall.
Shorewall also includes a tunnel script for automating tunnel
configuration. If you have installed the RPM, the tunnel script may be
found in the Shorewall documentation directory (usually
/usr/share/doc/shorewall-&lt;version&gt;/).</p>
<h2>Bridging two Masqueraded Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center"> <img border="0" src="images/TwoNets1.png"
width="745" height="427"> </p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
able to communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file, the
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
included with Shorewall.</p>
<p align="left">The 'tunnel' script is not installed in /etc/shorewall
by default -- If you install using the tarball, the script is included
in the tarball; if you install using the RPM, the file is in your
Shorewall documentation directory (normally
/usr/share/doc/shorewall-&lt;version&gt;).</p>
<p align="left">In the /etc/shorewall/tunnel script, set the
'tunnel_type' parameter to the type of tunnel that you want to create.</p>
<p align="left">Example:</p>
<blockquote>
<p align="left">tunnel_type=gre</p>
</blockquote>
<p align="left">On each firewall, you will need to declare a zone to
represent the remote subnet. We'll assume that this zone is called
'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
zone.
In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>vpn</td>
<td>tosysb</td>
<td>10.255.255.255</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the
following:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>ipip</td>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the
IP encapsulation protocol (4) will be accepted to/from the remote
gateway.</p>
<p>In the tunnel script on system A:</p>
<blockquote>
<p>tunnel=tosysb<br>
myrealip=206.161.148.9 (for GRE tunnel only)<br>
myip=192.168.1.1<br>
hisip=10.0.0.1<br>
gateway=134.28.54.2<br>
subnet=10.0.0.0/8</p>
</blockquote>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>vpn</td>
<td>tosysa</td>
<td>192.168.1.255</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>In /etc/shorewall/tunnels on system B, we have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>ipip</td>
<td>net</td>
<td>206.191.148.9</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>And in the tunnel script on system B:</p>
<blockquote>
<p>tunnel=tosysa<br>
myrealip=134.28.54.2 (for GRE tunnel only)<br>
myip=10.0.0.1<br>
hisip=192.168.1.1<br>
gateway=206.191.148.9<br>
subnet=192.168.1.0/24</p>
</blockquote>
<p>You can rename the modified tunnel scripts if you like; be sure that
they are secured so that root can execute them. </p>
<p align="left"> You will need to allow traffic between the "vpn" zone
and the "loc" zone on both systems -- if you simply want to admit all
traffic in both directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>On both systems, restart Shorewall and run the modified tunnel
script with
the "start" argument on each system. The systems in the two masqueraded
subnetworks
can now talk to each other</p>
<p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
<br>
<br>
</body>
</html>

714
STABLE/documentation/IPSEC.htm
View File

@ -1,714 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall IPSec Tunneling</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<h1 style="text-align: center;">IPSEC Tunnels<br>
</h1>
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a
href="http://www.geocities.com/jixen66/">
http://www.geocities.com/jixen66/</a> . I highly recommend that you
consult that site for information about configuring FreeS/Wan.&nbsp;
<p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP
and FreeS/Wan on the same system unless you are prepared to suffer the
consequences. If you start or restart Shorewall with an IPSEC tunnel
active, the proxied IP addresses are mistakenly assigned to the IPSEC
tunnel device (ipsecX) rather than to the interface that you specify in
the INTERFACE column of /etc/shorewall/proxyarp. I haven't had the time
to debug this problem so I can't say if it is a bug in the Kernel or in
FreeS/Wan.&nbsp;</p>
<p>You <b>might</b> be able to work around this problem using the
following (I haven't tried it):</p>
<p style="margin-left: 40px;">In /etc/shorewall/init, include:</p>
<div style="margin-left: 40px;"></div>
<p style="margin-left: 40px;">&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec
stop</p>
<div style="margin-left: 40px;"></div>
<p style="margin-left: 40px;">In /etc/shorewall/start, include:</p>
<div style="margin-left: 40px;"></div>
<p style="margin-left: 40px;">&nbsp;&nbsp;&nbsp; qt service ipsec start<br>
</p>
<p>Also, the documentation below assumes that you have disabled
opportunistic encryption feature in FreeS/Wan 2.0 using the following
additional entries in ipsec.conf:<br>
</p>
<p style="margin-left: 40px;"><tt>conn block<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
<br>
conn private<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
<br>
conn private-or-clear<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
<br>
conn clear-or-private<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
<br>
conn clear<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
<br>
conn packetdefault<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
</tt></p>
For further information see <a
href="http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html">http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html</a>.<tt><br>
</tt>
<h2> <font color="#660066">IPSec Gateway on the Firewall System </font></h2>
<p>Suppose that we have the following sutuation:</p>
<font color="#660066">
<p align="center"><font face="Century Gothic, Arial, Helvetica"> <img
src="images/TwoNets1.png" width="745" height="427"> </font></p>
</font>
<p align="left">We want systems in the 192.168.1.0/24 sub-network to be
able to communicate with systems in the 10.0.0.0/8 network.</p>
<p align="left">To make this work, we need to do two things:</p>
<p align="left">a) Open the firewall so that the IPSEC tunnel can be
established (allow the ESP and AH protocols and UDP Port 500). </p>
<p align="left">b) Allow traffic through the tunnel.</p>
<p align="left">Opening the firewall for the IPSEC tunnel is
accomplished by adding an entry to the /etc/shorewall/tunnels file.</p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the
following&nbsp;</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system B, we would have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>206.161.148.9</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"><b>Note: </b>If either of the endpoints is behind a
NAT gateway then the tunnels file entry on the <u><b>other</b></u>
endpoint should specify a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i>
and the GATEWAY address should specify the external address of the NAT
gateway.<br>
</p>
<p align="left">You need to define a zone for the remote subnet or
include it in your local zone. In this example, we'll assume that you
have created a zone called "vpn" to represent the remote subnet.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">At both systems, ipsec0 would be included in
/etc/shorewall/interfaces as a "vpn" interface:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> ZONE</strong></td>
<td><strong> INTERFACE</strong></td>
<td><strong> BROADCAST</strong></td>
<td><strong> OPTIONS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>ipsec0</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"> You will need to allow traffic between the "vpn" zone
and the "loc" zone -- if you simply want to admit all traffic in both
directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"> Once you have these entries in place, restart
Shorewall
(type shorewall restart); you are now ready to configure the tunnel in <a
href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a> .<br>
</p>
<h2><a name="VPNHub"></a>VPN Hub</h2>
Shorewall can be used in a VPN Hub environment where multiple remote
networks are connected to a gateway running Shorewall. This environment
is shown
in this diatram.<br>
<div align="center"><img src="images/ThreeNets.png"
alt="(Three networks linked with IPSEC)" width="750" height="781"> <br>
</div>
<p align="left">We want systems in the 192.168.1.0/24 sub-network to be
able to communicate with systems in the 10.0.0.0/16 and 10.1.0.0/16
networks and we want the 10.0.0.0/16 and 10.1.0.0/16 networks to be
able to communicate.</p>
<p align="left">To make this work, we need to do several things:</p>
<p align="left">a) Open the firewall so that two IPSEC tunnels can be
established (allow the ESP and AH protocols and UDP Port 500). </p>
<p align="left">b) Allow traffic through the tunnels two/from the local
zone (192.168.1.0/24).<br>
</p>
<p align="left">c) Deny traffic through the tunnels between the two
remote networks.<br>
</p>
<p align="left">Opening the firewall for the IPSEC tunnels is
accomplished by adding two entries to the /etc/shorewall/tunnels file.</p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the
following&nbsp;</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec<br>
</td>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
</tr>
<tr>
<td valign="top">ipsec<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">130.152.100.14<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on systems B and C, we would
have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>206.161.148.9</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"></p>
<p align="left"><b>Note: </b>If either of the endpoints is behind a
NAT gateway then the tunnels file entry on the <u><b>other</b></u>
endpoint should specify a tunnel type of <i>ipsecnat</i> rather than <i>ipsec<br>
</i> and the GATEWAY address should specify the external address of the
NAT gateway.<br>
</p>
<p align="left">On each system, we will create a zone to represent the
remote networks. On System A:<br>
</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn1</td>
<td>VPN1</td>
<td>Remote Subnet on system B</td>
</tr>
<tr>
<td valign="top">vpn2<br>
</td>
<td valign="top">VPN2<br>
</td>
<td valign="top">Remote Subnet on system C<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">On systems B and C:<br>
</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet on system A</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">At system A, ipsec0 represents two zones so we have the
following in /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> ZONE</strong></td>
<td><strong> INTERFACE</strong></td>
<td><strong> BROADCAST</strong></td>
<td><strong> OPTIONS</strong></td>
</tr>
<tr>
<td>-<br>
</td>
<td>ipsec0</td>
<td>&nbsp;</td>
<td><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">The /etc/shorewall/hosts file on system A defines the
two VPN zones:<br>
</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> ZONE</strong></td>
<td><strong> HOSTS</strong><br>
</td>
<td><strong> OPTIONS</strong></td>
</tr>
<tr>
<td>vpn1<br>
</td>
<td>ipsec0:10.0.0.0/16</td>
<td><br>
</td>
</tr>
<tr>
<td valign="top">vpn2<br>
</td>
<td valign="top">ipsec0:10.1.0.0/16<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">At systems B and C, ipsec0 represents a single zone so
we have the following in /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> ZONE</strong></td>
<td><strong> INTERFACE</strong></td>
<td><strong> BROADCAST</strong></td>
<td><strong> OPTIONS</strong></td>
</tr>
<tr>
<td>vpn<br>
</td>
<td>ipsec0</td>
<td>&nbsp;</td>
<td><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<p align="left">On systems A, you will need to allow traffic between
the
"vpn1" zone and the "loc" zone as well as between "vpn2" and the
"loc" zone -- if you simply want to admit all traffic in both
directions,
you can use the following policy file entries on all three gateways:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn1</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>vpn1</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">vpn2<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">vpn2<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">On systems B and C, you will need to allow traffic
between the "vpn" zone and the "loc" zone -- if you simply want to
admit
all traffic in both directions, you can use the following policy file
entries on all three gateways:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">Once you have the Shorewall entries added, restart
Shorewall on each gateway (type shorewall restart); you are now ready
to configure the tunnels in <a href="http://www.xs4all.nl/%7Efreeswan/">
FreeS/WAN</a> .</p>
Note that to allow traffic between the networks attached to systems B
and C, it is necessary to simply add two additional entries to the
/etc/shorewall/policy file on system A.<br>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>vpn1<br>
</td>
<td>vpn2</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>vpn2</td>
<td>vpn1<br>
</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<span style="font-weight: bold;">NOTE: If you find traffic being
rejected/dropped in the OUTPUT chain, place the names of the remote VPN
zones as a comma-separated list in the GATEWAY ZONE column of the
/etc/shorewall/tunnels file
entry.</span>
<blockquote> </blockquote>
<h2><font color="#660066"><a name="RoadWarrior"></a> </font>Mobile
System (Road Warrior)</h2>
<p>Suppose that you have a laptop system (B) that you take with you
when
you travel and you want to be able to establish a secure connection
back
to your local network.</p>
<p align="center"><strong><font face="Century Gothic, Arial, Helvetica">
<img src="images/Mobile.png" width="677" height="426"> </font></strong></p>
<p align="left">You need to define a zone for the laptop or include it
in your local zone. In this example, we'll assume that you have created
a zone called "vpn" to represent the remote host.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"> In this instance, the mobile system (B) has IP address
134.28.54.2 but that cannot be determined in advance. In the
/etc/shorewall/tunnels file on system A, the following entry should be
made:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>0.0.0.0/0</td>
<td>vpn</td>
</tr>
</tbody>
</table>
</blockquote>
<p>Note that the GATEWAY ZONE column contains the name of the zone
corresponding to peer subnetworks. This indicates that the gateway
system itself comprises the peer subnetwork; in other words, the remote
gateway is a standalone system.</p>
<p>You will need to configure /etc/shorewall/interfaces and establish
your "through the tunnel" policy as shown under the first example above.<br>
</p>
<h2><a name="Dynamic"></a>Dynamic RoadWarrior Zones</h2>
Beginning with Shorewall release 1.3.10, you can define multiple VPN
zones and add and delete remote endpoints dynamically using
/sbin/shorewall. In /etc/shorewall/zones:<br>
<br>
<blockquote>
<table cellpadding="2" border="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>COMMENTS<br>
</b></td>
</tr>
<tr>
<td valign="top">vpn1<br>
</td>
<td valign="top">VPN-1<br>
</td>
<td valign="top">First VPN Zone<br>
</td>
</tr>
<tr>
<td valign="top">vpn2<br>
</td>
<td valign="top">VPN-2<br>
</td>
<td valign="top">Second VPN Zone<br>
</td>
</tr>
<tr>
<td valign="top">vpn3<br>
</td>
<td valign="top">VPN-3<br>
</td>
<td valign="top">Third VPN Zone<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/tunnels:<br>
<blockquote>
<table cellpadding="2" border="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td valign="top"><b>TYPE<br>
</b></td>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>GATEWAY<br>
</b></td>
<td valign="top"><b>GATEWAY ZONE<br>
</b></td>
</tr>
<tr>
<td valign="top">ipsec<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">vpn1,vpn2,vpn3<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
When Shorewall is started, the zones vpn[1-3] will all be empty and
Shorewall will issue warnings to that effect. These warnings may be
safely ignored. FreeS/Wan may now be configured to have three different
Road Warrior connections with the choice of connection being based on
X-509 certificates or some other means. Each of these connectioins will
utilize a different updown script that adds the remote station to the
appropriate zone when the connection comes up and that deletes the
remote station when the connection comes down. For example, when
134.28.54.2 connects for the vpn2 zone the 'up' part of the script will
issue the command":<br>
<br>
<blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
</blockquote>
and the 'down' part will:<br>
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn2<br>
<br>
</blockquote>
<h3>Limitations of Dynamic Zones</h3>
If you include a dynamic zone in the exclude list of a DNAT rule, the
dynamically-added hosts are not excluded from the rule.<br>
<br>
Example with dyn=dynamic zone:<br>
<br>
<blockquote>
<table cellpadding="2" border="2">
<tbody>
<tr>
<td valign="top"><u><b>ACTION<br>
</b></u></td>
<td valign="top"><u><b>SOURCE<br>
</b></u></td>
<td valign="top"><u><b>DESTINATION<br>
</b></u></td>
<td valign="top"><u><b>PROTOCOL<br>
</b></u></td>
<td valign="top"><u><b>PORT(S)<br>
</b></u></td>
<td valign="top"><u><b>CLIENT<br>
PORT(S)<br>
</b></u></td>
<td valign="top"><u><b>ORIGINAL<br>
DESTINATION<br>
</b></u></td>
</tr>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">z!dyn<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
Dynamic changes to the zone <b>dyn</b> will have no effect on the
above rule.
<p><font size="2">Last updated 10/292003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</body>
</html>

189
STABLE/documentation/Install.htm
View File

@ -1,189 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<h1 style="text-align: center;">Shorewall Installation and Upgrade<br>
</h1>
<p align="center"><b>Before upgrading, be sure to review the <a
href="upgrade_issues.htm">Upgrade Issues<br>
</a></b></p>
<div align="left"><b>Before attempting installation, I strongly urge
you
to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b><br>
</div>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install using tarball<br>
</a><a href="#LRP">Install the .lrp</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball<br>
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at
a shell prompt, type "/sbin/iptables --version"), you must upgrade to
version 1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat
update site</a> or from the <a href="errata.htm">Shorewall Errata page</a>
before attempting to start Shorewall.</b></p>
<ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
<b>Note1: </b>Some SuSE&nbsp; users have encountered a problem
whereby rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4
kernel is installed. If this happens, simply use the --nodeps option to
rpm (rpm -ivh --nodeps &lt;shorewall rpm&gt;.<br>
<br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is
dependent on the iproute package. Unfortunately, some distributions
call this package iproute2 which will cause the installation of
Shorewall to fail with the diagnostic:<br>
<br>
&nbsp; &nbsp; &nbsp;error: failed dependencies:iproute is needed by
shorewall-1.4.x-1 <br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh
--nodeps &lt;shorewall rpm&gt;).<br>
<br>
</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start"
COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START.
IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR
SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
ISSUE
A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
</ul>
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
and install script: </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a>
then type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d or
/etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall
to be started automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh
Bering disk, simply replace the "shorwall.lrp" file on the image with
the file that you downloaded. See the <a href="two-interface.htm">two-interface
QuickStart Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM
installed and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4
version or
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an
entry for each interface mentioned in the hosts file. Also, there are
certain 1.2 rule forms that are no longer supported under 1.4 (you must
use the new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade
issues </a>for details.</p>
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
installed, you must use the "--oldpackage" option to rpm (e.g., "rpm
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem
whereby rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4
kernel is installed. If this happens, simply use the --nodeps option to
rpm (rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
<b>Note3: </b>Beginning with Shorewall 1.4.0, Shorewall is
dependent on the iproute package. Unfortunately, some distributions
call this package iproute2 which will cause the upgrade of Shorewall to
fail with the diagnostic:<br>
<br>
&nbsp; &nbsp; &nbsp;error: failed dependencies:iproute is needed by
shorewall-1.4.0-1 <br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).&nbsp;</p>
</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall
installed
and are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4
version
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an
entry
for each interface mentioned in the hosts file.&nbsp; Also, there are
certain
1.2 rule forms that are no longer supported under 1.4 (you must use the
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
for details. </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a>
then type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d or
/etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
directory&gt;</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li>
</ul>
<a name="LRP_Upgrade"></a>If you already have a running
Bering installation and wish to upgrade to a later version of Shorewall:<br>
<br>
&nbsp;&nbsp;&nbsp; <b>UNDER CONSTRUCTION...</b><br>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of the configuration files to
match your setup. In most cases, the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</a>
contain all of the information you need.</p>
<ul>
</ul>
<p><font size="2">Updated 4/8/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</body>
</html>

104
STABLE/documentation/MAC_Validation.html
View File

@ -1,104 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>MAC Verification</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<br>
<h1 style="text-align: center;">MAC Verification<br>
</h1>
All traffic from an interface or from a subnet on an interface can be
verified to originate from a defined set of MAC addresses. Furthermore,
each MAC address may be optionally associated with one or more IP
addresses. <br>
<br>
<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC -
module name ipt_mac.o).</b><br>
<br>
There are four components to this facility.<br>
<ol>
<li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
When
this option is specified, all traffic arriving on the interface is
subjet
to MAC verification.</li>
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
When this option is specified for a subnet, all traffic from that
subnet is subject to
MAC verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC
verification. The MACLIST_LOG_LEVEL variable gives the syslogd level at
which connection requests that fail verification are to be logged. If
set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing
connection requests are not logged.<br>
</li>
</ol>
The columns in /etc/shorewall/maclist are:<br>
<ul>
<li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li>
<li>MAC - The MAC address of a device on the ethernet segment
connected by INTERFACE. It is not necessary to use the Shorewall MAC
format in this column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses for
the device whose MAC is listed in the MAC column.</li>
</ul>
<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a>
for details about my setup):</h3>
<b>/etc/shorewall/shorewall.conf:<br>
</b>
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
<b>/etc/shorewall/interfaces:</b><br>
<blockquote>
<pre>#ZONE INTERFACE BROADCAST OPTIONS<br>net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc eth2 192.168.1.255 dhcp<br>dmz eth1 192.168.2.255<br>WiFi eth3 192.168.3.255 dhcp,maclist<br>- texas 192.168.9.255</pre>
</blockquote>
<b>/etc/shorewall/maclist:</b><br>
<blockquote>
<pre>#INTERFACE MAC IP ADDRESSES (Optional)<br>eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop<br>eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11<br>eth3 00:06:25:56:33:3c 192.168.3.225,192.168.3.8 #WET11<br>eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER</pre>
</blockquote>
As shown above, I use MAC Verification on my wireless zone.<br>
<br>
<b>Note: </b>While marketed as a wireless bridge, the WET11 behaves
like a wireless router with DHCP relay. When forwarding DHCP traffic,
it uses the
MAC address of the host (TIPPER) but for other forwarded traffic it
uses it's
own MAC address. Consequently, I list the IP addresses of both devices
in
/etc/shorewall/maclist.<br>
<h3>Example 2: Router in Wireless Zone</h3>
Suppose now that I add a second wireless segment to my wireless zone
and gateway that segment via a router with MAC address
00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
segment have IP addresses in the subnet 192.168.4.0/24. I would add the
following entry to my /etc/shorewall/maclist file:<br>
<pre> eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.3.253)
and from the second wireless segment (192.168.4.0/24). Remember that
all traffic being sent to my firewall from the 192.168.4.0/24 segment
will be forwarded by the router so that traffic's MAC address will be
that of the router (00:06:43:45:C6:15) and not that of the host sending
the traffic.
<p><font size="2"> Updated 6/30/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

98
STABLE/documentation/NAT.htm
View File

@ -1,98 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall NAT</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<br>
<h1 style="text-align: center;">Static NAT<br>
</h1>
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use static
NAT. Port forwarding can be accomplished with simple entries in the <a
href="Documentation.htm#Rules">rules file</a>.</b></font></p>
<blockquote> </blockquote>
<p>Static NAT is a way to make systems behind a firewall and configured
with private IP addresses (those reserved for private use in RFC1918)
appear to have public IP addresses. Before you try to use this
technique, I strongly recommend that you read the <a
href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<blockquote> </blockquote>
<p>The following figure represents a static NAT environment.</p>
<blockquote>
<p align="center"><strong> <img src="images/staticnat.png"
width="435" height="397"> </strong></p>
<blockquote> </blockquote>
</blockquote>
<p align="left">Static NAT can be used to make the systems with the
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If
we assume that the interface to the upper subnet is eth0, then the
following /etc/shorewall/NAT file would make the lower left-hand system
appear to have IP address 130.252.100.18 and the right-hand one to have
IP address 130.252.100.19.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>EXTERNAL</b></td>
<td><b>INTERFACE</b></td>
<td><b>INTERNAL</b></td>
<td><b>ALL INTERFACES</b></td>
<td><b>LOCAL</b></td>
</tr>
<tr>
<td>130.252.100.18</td>
<td>eth0</td>
<td>10.1.1.2</td>
<td>yes</td>
<td>yes</td>
</tr>
<tr>
<td>130.252.100.19</td>
<td>eth0</td>
<td>10.1.1.3</td>
<td>yes</td>
<td>yes</td>
</tr>
</tbody>
</table>
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
above example) is (are) not included in any specification in
/etc/shorewall/masq or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is
used to specify whether access to the external IP from all firewall
interfaces should undergo NAT (Yes or yes) or if only access from the
interface in the INTERFACE column should undergo NAT. If you leave this
column empty, "Yes" is assumed.&nbsp;The ALL INTERFACES column was
added in version 1.1.6.</p>
<p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or
if you set it to "Yes" or "yes" then you must NOT configure your own
alias(es). <b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6
can only add external addresses to an interface that is configured with
a single subnetwork -- if your external interface has addresses in more
than one subnetwork,
Shorewall 1.4.5 and earlier can only add addresses to the first one.</p>
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL"
column determine whether packets originating on the firewall itself and
destined for the EXTERNAL address are redirected to the internal
ADDRESS. If this column contains "yes" or "Yes" (and the ALL INTERFACES
COLUMN
also contains "Yes" or "yes") then such packets are redirected;
otherwise,
such packets are not redirected. The LOCAL column was added in version
1.1.8.</p>
<blockquote> </blockquote>
<p><font size="2">Last updated 7/6/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
</body>
</html>

4830
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

232
STABLE/documentation/OPENVPN.html
View File

@ -1,232 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>OpenVPN Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<h1 style="text-align: center;">OpenVPN Tunnels<br>
</h1>
<p>OpenVPN is a robust and highly configurable VPN (Virtual Private
Network) daemon which can be used to securely link two or more private
networks using an encrypted tunnel over the internet. OpenVPN is an
Open Source project and is <a
href="http://openvpn.sourceforge.net/license.html">licensed under the
GPL</a>. OpenVPN can be downloaded from <a
href="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</a>.<br>
</p>
<p>OpenVPN support was added to Shorewall in version 1.3.14.<br>
</p>
<h2>Bridging two Masqueraded Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center"><img border="0" src="images/TwoNets1.png" width="745"
height="427"> </p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
able to communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file and the
/etc/shorewall/policy file and OpenVPN.</p>
<p align="left">While it was possible to use the Shorewall start and
stop script to start and stop OpenVPN, I decided to use the init script
of OpenVPN to start and stop it.</p>
<p align="left">On each firewall, you will need to declare a zone to
represent the remote subnet. We'll assume that this zone is called
'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
zone.
In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>vpn</td>
<td>tun0</td>
<td><br>
</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the
following:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>openvpn</td>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels opens the firewall so that
OpenVPN traffic on the default port 5000/udp will be accepted to/from
the remote gateway. If you change the port used by OpenVPN to 7777, you
can define&nbsp;/etc/shorewall/tunnels like this:<br>
</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>openvpn:7777</td>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>This is the OpenVPN config on system A:</p>
<blockquote>
<p></p>
</blockquote>
<blockquote>
<p>dev tun<br>
local 206.162.148.9<br>
remote 134.28.54.2<br>
ifconfig 192.168.99.1 192.168.99.2<br>
up ./route-a.up<br>
tls-server<br>
dh dh1024.pem<br>
ca ca.crt<br>
cert my-a.crt<br>
key my-a.key<br>
comp-lzo<br>
verb 5<br>
</p>
</blockquote>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>vpn</td>
<td>tun0</td>
<td>192.168.1.255</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>In /etc/shorewall/tunnels on system B, we have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>openvpn</td>
<td>net</td>
<td>206.191.148.9</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>And in the&nbsp;OpenVPN config on system B:</p>
<blockquote>
<p>dev tun<br>
local 134.28.54.2<br>
remote 206.162.148.9<br>
ifconfig 192.168.99.2 192.168.99.1<br>
up ./route-b.up<br>
tls-client<br>
ca ca.crt<br>
cert my-b.crt<br>
key my-b.key<br>
comp-lzo<br>
verb 5<br>
</p>
</blockquote>
<p align="left">You will need to allow traffic between the "vpn" zone
and the "loc" zone on both systems -- if you simply want to admit all
traffic in both directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>On both systems, restart Shorewall and start OpenVPN. The systems in
the two masqueraded subnetworks can now talk to each other.</p>
<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font>
<small>and Simon Mater</small><br>
</p>
<p><font size="2"> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep. and Simon Mater<br>
</font></a></font></p>
<br>
<br>
<br>
<br>
</body>
</html>

885
STABLE/documentation/PPTP.htm
View File

@ -1,885 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall PPTP</title>
</head>
<body>
<h1 style="text-align: center;">PPTP<br>
</h1>
<h4>NOTE: I am no longer attempting to maintain MPPE patches for
current
Linux kernel's and pppd. I recommend that you refer to the following
URLs
for information about installing MPPE into your kernel and pppd.</h4>
<h4>The <a href="http://pptpclient.sourceforge.net">Linux PPTP client
project
</a>has a nice GUI for configuring and managing VPN connections where
your
Linux system is the PPTP client. This is what I currently use. I am no
longer
running PoPToP but rather I use the PPTP Server included with XP
Professional
(see <a href="#ServerBehind">PPTP Server running behind your Firewall</a>
below).</h4>
&nbsp;&nbsp;&nbsp; <a href="http://pptpclient.sourceforge.net">http://pptpclient.sourceforge.net</a>
(Everything you need to run a PPTP client).<br>
&nbsp;&nbsp;&nbsp; <a href="http://www.poptop.org">http://www.poptop.org</a>
(The 'kernelmod'
package can be used to quickly install MPPE into your kernel without
rebooting).<br>
<h4>I am leaving the instructions for building MPPE-enabled kernels and
pppd
in the text below for those who may wish to obtain the relevant current
patches
and "roll their own".<br>
</h4>
<hr width="100%" size="2">
<p align="left">Shorewall easily supports PPTP in a number of
configurations:</p>
<ul>
<li> <a href="#ServerFW">PPTP Server running on your Firewall</a></li>
<li> <a href="#ServerBehind">PPTP Server running behind your
Firewall.</a></li>
<li> <a href="#ClientsBehind">PPTP Clients running behind your
Firewall.</a></li>
<li> <a href="#ClientFW">PPTP Client running on your Firewall.</a></li>
<li><a href="#PPTP_ADSL">PPTP Client running on your Firewall with
PPTP
Server in an ADSL Modem</a></li>
</ul>
<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on
your
Firewall</h2>
<p>I will try to give you an idea of how to set up a PPTP server on
your
firewall system. This isn't a detailed HOWTO but rather an example of
how
I have set up a working PPTP server on my own firewall.</p>
<p>The steps involved are:</p>
<ol>
<li><a href="#PatchPppd">Patching and building pppd</a></li>
<li><a href="#PatchKernel">Patching and building your Kernel</a></li>
<li><a href="#Samba">Configuring Samba</a></li>
<li><a href="#ConfigPppd">Configuring pppd</a></li>
<li><a href="#ConfigPptpd">Configuring pptpd</a></li>
<li><a href="#ConfigFw">Configuring Shorewall</a></li>
</ol>
<h3><a name="PatchPppd"></a>Patching and Building pppd</h3>
<p>To run pppd on a 2.4 kernel, you need the pppd 2.4.1 or later. The
primary
site for releases of pppd is <a href="ftp://ftp.samba.org/pub/ppp">ftp://ftp.samba.org/pub/ppp</a>.</p>
<p>You will need the following patches:</p>
<ul>
<li> <a
href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz</a></li>
<li><a
href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz</a></li>
</ul>
<p>You may also want the following patch if you want to require remote
hosts
to use encryption:</p>
<ul>
<li><a
href="ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff">ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff</a></li>
</ul>
<p>Un-tar the pppd source and uncompress the patches into one directory
(the
patches and the ppp-2.4.1 directory are all in a single parent
directory):</p>
<ul>
<li>cd ppp-2.4.1</li>
<li>patch -p1 &lt; ../ppp-2.4.0-openssl-0.9.6-mppe.patch</li>
<li>patch -p1 &lt; ../ppp-2.4.1-MSCHAPv2-fix.patch</li>
<li>(Optional) patch -p1 &lt; ../require-mppe.diff</li>
<li>./configure</li>
<li>make</li>
</ul>
<p>You will need to install the resulting binary on your firewall
system.
To do that, I NFS mount my source filesystem and use "make install"
from
the ppp-2.4.1 directory.</p>
<h3><a name="PatchKernel"></a>Patching and Building your Kernel</h3>
<p>You will need one of the following patches depending on your kernel
version:</p>
<ul>
<li> <a
href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz</a></li>
<li> <a
href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz">http://www.shorewall/net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz</a></li>
</ul>
<p>Uncompress the patch into the same directory where your top-level
kernel
source is located and:</p>
<ul>
<li>cd &lt;your GNU/Linux source top-level directory&gt;</li>
<li>patch -p1 &lt; ../linux-2.4.16-openssl-0.9.6b-mppe.patch</li>
</ul>
<p>Now configure your kernel. Here is my ppp configuration:</p>
<blockquote>
<p><img border="0" src="images/ppp.jpg" width="592" height="734"> </p>
</blockquote>
<h3><a name="Samba"></a>Configuring Samba</h3>
<p>You will need a WINS server (Samba configured to run as a WINS
server
is fine). Global section from /etc/samba/smb.conf on my WINS server
(192.168.1.3)
is:</p>
<blockquote>
<pre>[global]<br> workgroup = TDM-NSTOP<br> netbios name = WOOKIE<br> server string = GNU/Linux Box<br> encrypt passwords = Yes<br> log file = /var/log/samba/%m.log<br> max log size = 0<br> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192<br> os level = 65<br> domain master = True<br> preferred master = True<br> dns proxy = No<br> wins support = Yes<br> printing = lprng<br><br>[homes]<br> comment = Home Directories<br> valid users = %S<br> read only = No<br> create mask = 0664<br> directory mask = 0775<br><br>[printers]<br> comment = All Printers<br> path = /var/spool/samba<br> printable = Yes</pre>
</blockquote>
<h3><a name="ConfigPppd"></a>Configuring pppd</h3>
<p>Here is a copy of my /etc/ppp/options.poptop file:</p>
<blockquote>
<p><font face="Courier" size="2">ipparam PoPToP<br>
lock<br>
mtu 1490<br>
mru 1490<br>
ms-wins 192.168.1.3<br>
ms-dns 206.124.146.177<br>
multilink<br>
proxyarp<br>
auth<br>
+chap<br>
+chapms<br>
+chapms-v2<br>
ipcp-accept-local<br>
ipcp-accept-remote<br>
lcp-echo-failure 30<br>
lcp-echo-interval 5<br>
deflate 0<br>
mppe-128<br>
mppe-stateless<br>
require-mppe<br>
require-mppe-stateless</font></p>
</blockquote>
<p>Notes:</p>
<ul>
<li>System 192.168.1.3 acts as a WINS server so I have included that
IP
as the 'ms-wins' value.</li>
<li>I have pointed the remote clients at my DNS server -- it has
external
address 206.124.146.177.</li>
<li>I am requiring 128-bit stateless compression (my kernel is built
with
the 'require-mppe.diff' patch mentioned above.</li>
</ul>
<p>Here's my /etc/ppp/chap-secrets:</p>
<blockquote>
<p><font face="Courier" size="2"> Secrets for authentication using
CHAP<br>
# client&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
server&nbsp;&nbsp;&nbsp; secret&nbsp;&nbsp;&nbsp; IP addresses<br>
CPQTDM\\TEastep *&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;shhhhhh&gt; 192.168.1.7<br>
TEastep&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;shhhhhh&gt;
192.168.1.7</font></p>
</blockquote>
<p>I am the only user who connects to the server but I may connect
either
with or without a domain being specified. The system I connect from is
my
laptop so I give it the same IP address when tunneled in at it has when
I
use its wireless LAN card around the house.</p>
<p>You will also want the following in /etc/modules.conf:</p>
<pre> alias ppp-compress-18 ppp_mppe<br> alias ppp-compress-21 bsd_comp<br> alias ppp-compress-24 ppp_deflate<br> alias ppp-compress-26 ppp_deflate</pre>
<h3><a name="ConfigPptpd"></a>Configuring pptpd</h3>
<p>PoPTop (pptpd) is available from <a href="http://poptop.lineo.com/">http://poptop.lineo.com/</a>.</p>
<p>Here is a copy of my /etc/pptpd.conf file:</p>
<blockquote>
<p><font face="Courier" size="2">option /etc/ppp/options.poptop<br>
speed 115200<br>
localip 192.168.1.254<br>
remoteip 192.168.1.33-38</font></p>
</blockquote>
<p>Notes:</p>
<ul>
<li>I specify the /etc/ppp/options.poptop file as my ppp options file
(I
have several).</li>
<li>The local IP is the same as my internal interface's
(192.168.1.254).</li>
<li>I have assigned a remote IP range that overlaps my local network.
This,
together with 'proxyarp' in my /etc/ppp/options.poptop file make the
remote
hosts look like they are part of the local subnetwork.</li>
</ul>
<p>I use this file to start/stop pptpd -- I have this in
/etc/init.d/pptpd:</p>
<blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br>
#<br>
# /etc/rc.d/init.d/pptpd<br>
#<br>
# chkconfig: 5 12 85<br>
# description: control pptp server<br>
#<br>
<br>
case "$1" in<br>
start)<br>
&nbsp;&nbsp;&nbsp; echo 1 &gt; /proc/sys/net/ipv4/ip_forward<br>
&nbsp;&nbsp;&nbsp; modprobe ppp_async<br>
&nbsp;&nbsp;&nbsp; modprobe ppp_generic<br>
&nbsp;&nbsp;&nbsp; modprobe ppp_mppe<br>
&nbsp;&nbsp;&nbsp; modprobe slhc<br>
&nbsp;&nbsp;&nbsp; if /usr/local/sbin/pptpd; then<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; touch /var/lock/subsys/pptpd<br>
&nbsp;&nbsp;&nbsp; fi<br>
&nbsp;&nbsp;&nbsp; ;;<br>
stop)<br>
&nbsp;&nbsp;&nbsp; killall pptpd<br>
&nbsp;&nbsp;&nbsp; rm -f /var/lock/subsys/pptpd<br>
&nbsp;&nbsp;&nbsp; ;;<br>
restart)<br>
&nbsp;&nbsp;&nbsp; killall pptpd<br>
&nbsp;&nbsp;&nbsp; if /usr/local/sbin/pptpd; then<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; touch /var/lock/subsys/pptpd<br>
&nbsp;&nbsp;&nbsp; fi<br>
&nbsp;&nbsp;&nbsp; ;;<br>
status)<br>
&nbsp;&nbsp;&nbsp; ifconfig<br>
&nbsp;&nbsp;&nbsp; ;;<br>
*)<br>
&nbsp;&nbsp;&nbsp; echo "Usage: $0 {start|stop|restart|status}"<br>
&nbsp;&nbsp;&nbsp; ;;<br>
esac</font></p>
</blockquote>
<h3><a name="ConfigFw"></a>Configuring Shorewall</h3>
<p>Often there will be situations where you want multiple connections
from remote networks with these networks having different firewalling
requirements.<br>
</p>
<div style="text-align: center;"><img src="images/MultiPPTP.png"
title="" alt="" style="width: 846px; height: 544px;"><br>
</div>
<p>Here's how you configure this in Shorewall:<br>
</p>
<h4>/etc/shorewall/zones:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>DISPLAY</b></td>
<td><b>COMMENTS</b></td>
</tr>
<tr>
<td>net</td>
<td>Internet</td>
<td>The Internet</td>
</tr>
<tr>
<td>loc</td>
<td>Local</td>
<td>Local Network <br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">vpn1</td>
<td style="vertical-align: top;">Remote1<br>
</td>
<td style="vertical-align: top;">Remote Network 1<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">vpn2<br>
</td>
<td style="vertical-align: top;">Remote2<br>
</td>
<td style="vertical-align: top;">Remote Network 2<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">vpn3<br>
</td>
<td style="vertical-align: top;">Remote3<br>
</td>
<td style="vertical-align: top;">Remote Network 3<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/interfaces:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>net</td>
<td>eth0</td>
<td>206.124.146.255</td>
<td>norfc1918</td>
</tr>
<tr>
<td>loc</td>
<td>eth2</td>
<td>192.168.10.255</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>-</td>
<td>ppp+</td>
<td>&nbsp;-</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/hosts:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>HOST(S)</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>loc</td>
<td>eth2:192.168.1.0/24</td>
<td><br>
</td>
</tr>
<tr>
<td>vpn1<br>
</td>
<td>ppp+:192.168.1.0/24</td>
<td>&nbsp;</td>
</tr>
<tr>
<td style="vertical-align: top;">vpn2<br>
</td>
<td style="vertical-align: top;">ppp+:192.168.2.0/24<br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">vpn3<br>
</td>
<td style="vertical-align: top;">ppp+:192.168.3.0/24<br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
Your policies and rules can now be configured using separate zones
(vpn1, vpn2, and vpn3) for the three remote network.<br>
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running
Behind
your Firewall</h2>
<p>If you have a single external IP address, add the following to your
/etc/shorewall/rules file:</p>
<font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;server address&gt;</i></td>
<td>tcp</td>
<td>1723</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;server address&gt;</i></td>
<td>47</td>
<td>-</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
<p>If you have multiple external IP address and you want to forward a
single
<i>&lt;external address&gt;, </i>add the following to your
/etc/shorewall/rules
file:</p>
<p>&nbsp;<font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;server address&gt;</i></td>
<td>tcp</td>
<td>1723</td>
<td>-</td>
<td><i>&lt;external address&gt;</i></td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;server address&gt;</i></td>
<td>47</td>
<td>-</td>
<td>-</td>
<td><i>&lt;external address&gt;</i></td>
</tr>
</tbody>
</table>
</p>
<h2 align="center"><a name="ClientsBehind"></a>3. PPTP Clients Running
Behind
your Firewall</h2>
<p>You shouldn't have to take any special action for this case unless
you
wish to connect multiple clients to the same external server. In that
case,
you will need to follow the instructions at <a
href="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</a>.
I recommend that you also add these two lines to your
/etc/shorewall/modules
file: </p>
<blockquote>
<p>loadmodule ip_conntrack_pptp<br>
loadmodule ip_nat_pptp </p>
</blockquote>
<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on
your
Firewall.</h2>
<p align="left">The PPTP GNU/Linux client is available at <a
href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.&nbsp;&nbsp;&nbsp;
Rather than use the configuration script that comes with the client, I
built
my own. I also build my own kernel <a href="#PatchKernel">as described
above</a>
rather than using the mppe package that is available with the client.
My
/etc/ppp/options file is mostly unchanged from what came with the
client
(see below).</p>
<p>The key elements of this setup are as follows: </p>
<ol>
<li>Define a zone for the remote network accessed via PPTP.</li>
<li>Associate that zone with a ppp interface.</li>
<li>Define rules for PPTP traffic to/from the firewall.</li>
<li>Define rules for traffic two and from the remote zone.</li>
</ol>
<p>Here are examples from my setup:</p>
<h4>/etc/shorewall/zones</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>DISPLAY</b></td>
<td><b>COMMENTS</b></td>
</tr>
<tr>
<td>cpq</td>
<td>Compaq</td>
<td>Compaq Intranet</td>
</tr>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/interfaces</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>-</td>
<td>ppp+</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/hosts</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>HOST(S)</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>-</td>
<td>ppp+:!192.168.1.0/24</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/rules (For Shorewall versions up to and including
1.3.9b)</h4>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>1723</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>47</td>
<td>-</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p><b>/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later)<br>
</b></p>
<blockquote>
<table cellpadding="2" cellspacing="2" border="1"
style="border-collapse: collapse;">
<tbody>
<tr>
<td valign="top"><b>TYPE<br>
</b></td>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>GATEWAY<br>
</b></td>
<td valign="top"><b>GATEWAY ZONE<br>
</b></td>
</tr>
<tr>
<td valign="top">pptpclient<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<p>I use the combination of interface and hosts file to define the
'cpq'
zone because I also run a PPTP server on my firewall (see above). Using
this technique allows me to distinguish clients of my own PPTP server
from arbitrary
hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP
clients
and Compaq doesn't use that RFC1918 Class C subnet. </p>
<p>I use this script in /etc/init.d to control the client. The reason
that
I disable ECN when connecting is that the Compaq tunnel servers don't
do
ECN yet and reject the initial TCP connection request if I enable ECN
:-(
</p>
<blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br>
#<br>
# /etc/rc.d/init.d/pptp<br>
#<br>
# chkconfig: 5 60 85<br>
# description: PPTP Link Control<br>
#<br>
NAME="Tandem"<br>
ADDRESS=tunnel-tandem.compaq.com<br>
USER='Tandem\tommy'<br>
ECN=0<br>
DEBUG=<br>
<br>
start_pptp() {<br>
&nbsp;&nbsp;&nbsp; echo $ECN &gt; /proc/sys/net/ipv4/tcp_ecn<br>
&nbsp;&nbsp;&nbsp; if /usr/sbin/pptp $ADDRESS user $USER noauth $DEBUG;
then<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; touch /var/lock/subsys/pptp<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; echo "PPTP Connection to
$NAME Started"<br>
&nbsp;&nbsp;&nbsp; fi<br>
}<br>
<br>
stop_pptp() {<br>
&nbsp;&nbsp;&nbsp; if killall /usr/sbin/pptp 2&gt; /dev/null; then<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; echo "Stopped pptp"<br>
&nbsp;&nbsp;&nbsp; else<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; rm -f /var/run/pptp/*<br>
&nbsp;&nbsp;&nbsp; fi<br>
<br>
&nbsp;&nbsp;&nbsp; # if killall pppd; then<br>
&nbsp;&nbsp;&nbsp; # echo "Stopped pppd"<br>
&nbsp;&nbsp;&nbsp; # fi<br>
<br>
&nbsp;&nbsp;&nbsp; rm -f /var/lock/subsys/pptp<br>
<br>
&nbsp;&nbsp;&nbsp; echo 1 &gt; /proc/sys/net/ipv4/tcp_ecn<br>
}<br>
<br>
<br>
case "$1" in<br>
start)<br>
&nbsp;&nbsp;&nbsp; echo "Starting PPTP Connection to ${NAME}..."<br>
&nbsp;&nbsp;&nbsp; start_pptp<br>
&nbsp;&nbsp;&nbsp; ;;<br>
stop)<br>
&nbsp;&nbsp;&nbsp; echo "Stopping $NAME PPTP Connection..."<br>
&nbsp;&nbsp;&nbsp; stop_pptp<br>
&nbsp;&nbsp;&nbsp; ;;<br>
restart)<br>
&nbsp;&nbsp;&nbsp; echo "Restarting $NAME PPTP Connection..."<br>
&nbsp;&nbsp;&nbsp; stop_pptp<br>
&nbsp;&nbsp;&nbsp; start_pptp<br>
&nbsp;&nbsp;&nbsp; ;;<br>
status)<br>
&nbsp;&nbsp;&nbsp; ifconfig<br>
&nbsp;&nbsp;&nbsp; ;;<br>
*)<br>
&nbsp;&nbsp;&nbsp; echo "Usage: $0 {start|stop|restart|status}"<br>
&nbsp;&nbsp;&nbsp; ;;<br>
esac<br>
</font> </p>
</blockquote>
<p>Here's my /etc/ppp/options file: </p>
<blockquote>
<p><font face="Courier" size="2">#<br>
# Identify this connection<br>
#<br>
ipparam Compaq<br>
#<br>
# Lock the port<br>
#<br>
lock<br>
#<br>
# We don't need the tunnel server to authenticate itself<br>
#<br>
noauth<br>
<br>
+chap<br>
+chapms<br>
+chapms-v2<br>
<br>
multilink<br>
mrru 1614<br>
#<br>
# Turn off transmission protocols we know won't be used<br>
#<br>
nobsdcomp<br>
nodeflate<br>
<br>
#<br>
# We want MPPE<br>
#<br>
mppe-128<br>
mppe-stateless<br>
<br>
#<br>
# We want a sane mtu/mru<br>
#<br>
mtu 1000<br>
mru 1000<br>
<br>
#<br>
# Time this thing out of it goes poof<br>
#<br>
lcp-echo-failure 10<br>
lcp-echo-interval 10</font> </p>
</blockquote>
<p>My /etc/ppp/ip-up.local file sets up the routes that I need to route
Compaq
traffic through the PPTP tunnel: </p>
<blockquote>
<p><font face="Courier" size="2">#/bin/sh<br>
<br>
case $6 in<br>
Compaq)<br>
&nbsp;&nbsp;&nbsp; route add -net 16.0.0.0 netmask 255.0.0.0 gw $5 $1<br>
&nbsp;&nbsp;&nbsp; route add -net 130.252.0.0 netmask 255.255.0.0 gw $5
$1<br>
&nbsp;&nbsp;&nbsp; route add -net 131.124.0.0 netmask 255.255.0.0 gw $5
$1<br>
&nbsp;&nbsp;&nbsp; ...<br>
&nbsp;&nbsp;&nbsp; ;;<br>
esac</font></p>
</blockquote>
<p>Finally, I run the following script every five minutes under crond
to
restart the tunnel if it fails:</p>
<pre> #!/bin/sh<br> restart_pptp() {<br> /sbin/service pptp stop<br> sleep 10<br> if /sbin/service pptp start; then<br> /usr/bin/logger "PPTP Restarted"<br> fi<br> }<br><br> if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then<br> exit 0<br> fi<br><br> echo "Attempting to restart PPTP"<br><br> restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;<br><br><a
href="ftp://ftp.shorewall.net/pub/shorewall/misc/Vonau">Here's a scriptand corresponding ip-up.local </a>from <a
href="mailto:jvonau@home.com">Jerry Vonau </a>that controls two PPTP connections.<br></pre>
<h2 style="text-align: center;"><a name="PPTP_ADSL"></a>5. PPTP Client
running
on your Firewall with PPTP Server in an ADSL Modem</h2>
Some ADSL systems in Europe (most notably in Austria) feature a PPTP
server built into an ADSL "Modem".
In this setup, an ethernet interface is dedicated to supporting the
PPTP tunnel between the firewall and the "Modem" while the actual
internet access is through PPTP (interface ppp0). If you have this type
of setup, you need to modify the sample configuration
that you downloaded as described in this section. <span
style="font-weight: bold;">These changes are <span
style="text-decoration: underline;">in addition</span> to those
described in the <a href="shorewall_quickstart_guide.htm">QuickStart
Guides</a>.</span><br>
<br>
Lets assume the following:<br>
<ul>
<li>ADSL Modem connected through eth0</li>
<li>Modem IP address = 192.168.1.1</li>
<li>eth0 IP address = 192.168.1.2</li>
</ul>
The changes you need to make are as follows:<br>
<br>
1. Add this entry to /etc/shorewall/zones:<br>
<br>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>DISPLAY</b></td>
<td><b>COMMENTS</b></td>
</tr>
<tr>
<td>modem<br>
</td>
<td>Modem</td>
<td>ADSL Modem<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<div style="margin-left: 40px;">That entry defines a new zone called '<span
style="font-style: italic;">modem</span>' which will contain only your
ADSL modem.<br>
<br>
</div>
2. Add the following entry to /etc/shorewall/interfaces:<br>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>modem<br>
</td>
<td>eth0<br>
</td>
<td>192.168.1.255 <br>
</td>
<td>&nbsp;dhcp</td>
</tr>
</tbody>
</table>
</blockquote>
<div style="margin-left: 40px;">You will of course modify the 'net'
entry in /etc/shorewall/interfaces to specify 'ppp0' as the interface
as described in the QuickStart Guide corresponding to your setup.<br>
</div>
<br>
3. Add the following to /etc/shorewall/tunnels:<br>
<br>
<div style="margin-left: 40px;">
<table cellpadding="2" cellspacing="2" border="1"
style="border-collapse: collapse;">
<tbody>
<tr>
<td valign="top"><b>TYPE<br>
</b></td>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>GATEWAY<br>
</b></td>
<td valign="top"><b>GATEWAY ZONE<br>
</b></td>
</tr>
<tr>
<td valign="top">pptpclient </td>
<td valign="top">modem<br>
</td>
<td valign="top">192.168.1.1<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</div>
<div style="margin-left: 40px;"><br>
That entry allows a PPTP tunnel to be established between your
Shorewall system and the PPTP server in the modem.<br>
</div>
<p><font size="2">Last modified 10/11/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><a href="copyright.htm"> <font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
</body>
</html>

165
STABLE/documentation/ProxyARP.htm
View File

@ -1,165 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Proxy ARP</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<h1 style="text-align: center;">Proxy ARP<br>
</h1>
<p>Proxy ARP allows you to insert a firewall in front of a set of
servers without changing their IP addresses and without having to
re-subnet. Before you try to use this technique, I strongly recommend
that you read the <a href="shorewall_setup_guide.htm">Shorewall Setup
Guide.</a></p>
<p>The following figure represents a Proxy ARP environment.</p>
<blockquote>
<p align="center"><strong> <img src="images/proxyarp.png" width="519"
height="397"> </strong></p>
<blockquote> </blockquote>
</blockquote>
<p align="left">Proxy ARP can be used to make the systems with
addresses 130.252.100.18 and 130.252.100.19 appear to be on the upper
(130.252.100.*) subnet.&nbsp; Assuming that the upper firewall
interface is eth0 and the lower interface is eth1, this is accomplished
using the following entries in /etc/shorewall/proxyarp:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ADDRESS</b></td>
<td><b>INTERFACE</b></td>
<td><b>EXTERNAL</b></td>
<td><b>HAVEROUTE</b></td>
</tr>
<tr>
<td>130.252.100.18</td>
<td>eth1</td>
<td>eth0</td>
<td>no</td>
</tr>
<tr>
<td>130.252.100.19</td>
<td>eth1</td>
<td>eth0</td>
<td>no</td>
</tr>
</tbody>
</table>
</blockquote>
<p>Be sure that the internal systems (130.242.100.18 and
130.252.100.19&nbsp; in the above example) are not included in any
specification in /etc/shorewall/masq or /etc/shorewall/nat.</p>
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address
is irrelevant. </p>
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have
their subnet mask and default gateway configured exactly the same way
that the Firewall system's eth0 is configured. In other words, they
should be configured just like they would be if they were parallel to
the firewall rather than behind it.<br>
</p>
<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed
address(es) (130.252.100.18 and 130.252.100.19 in the above
example)&nbsp; to the external interface (eth0 in this example) of the
firewall.</b></font><br>
</p>
<div align="left"> </div>
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically
configure their routers with a long ARP cache timeout. If you move a
system from parallel to your firewall to behind your firewall with
Proxy ARP, it
will probably be HOURS before that system can communicate with the
internet. There are a couple of things that you can try:<br>
</p>
<ol>
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP
Illustrated, Vol 1</i> reveals that a <br>
<br>
"gratuitous" ARP packet should cause the ISP's router to refresh their
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting
the MAC address for its own IP; in addition to ensuring that the IP
address
isn't a duplicate...<br>
<br>
"if the host sending the gratuitous ARP has just changed its hardware
address..., this packet causes any other host...that has an entry in
its cache for the old hardware address to update its ARP cache entry
accordingly."<br>
<br>
Which is, of course, exactly what you want to do when you switch a host
from being exposed to the Internet to behind Shorewall using proxy ARP
(or static NAT for that matter). Happily enough, recent versions of
Redhat's iputils package include "arping", whose "-U" flag does just
that:<br>
<br>
&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I <i>&lt;net
if&gt; &lt;newly proxied IP&gt;</i></b></font><br>
&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I eth0
66.58.99.83 # for example</b></font><br>
<br>
Stevens goes on to mention that not all systems respond correctly to
gratuitous ARPs, but googling for "arping -U" seems to support the idea
that it works most of the time.<br>
<br>
To use arping with Proxy ARP in the above example, you would have to:<br>
<br>
<font color="#009900"><b>&nbsp; &nbsp; shorewall clear<br>
</b></font>&nbsp; &nbsp; <font color="#009900"><b>ip addr add
130.252.100.18 dev eth0<br>
&nbsp; &nbsp; ip addr add 130.252.100.19 dev eth0</b></font><br>
&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I eth0
130.252.100.18</b></font><br>
&nbsp; &nbsp; <font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
&nbsp; &nbsp; <b><font color="#009900">ip addr del 130.252.100.18 dev
eth0<br>
&nbsp; &nbsp; ip addr del 130.252.100.19 dev eth0<br>
&nbsp; &nbsp; shorewall start</font></b><br>
<br>
</li>
<li>You can call your ISP and ask them to purge the stale ARP cache
entry but many either can't or won't purge individual entries.</li>
</ol>
You can determine if your ISP's gateway ARP cache is stale using ping
and tcpdump. Suppose that we suspect that the gateway router has a
stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump
as follows:</div>
<div align="left">
<pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
</div>
<div align="left">
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which
we will assume is 130.252.100.254):</p>
</div>
<div align="left">
<pre> <b><font color="#009900">ping 130.252.100.254</font></b></pre>
</div>
<div align="left">
<p align="left">We can now observe the tcpdump output:</p>
</div>
<div align="left">
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)<br> 13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
</div>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request
is different from the destination MAC address in the echo reply!! In
this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
0:c0:a8:50:b2:57 was the MAC address of the system on the lower left.
In other words,
the gateway's ARP cache still associates 130.252.100.19 with the NIC
in that system rather than with the firewall's eth0.</p>
</div>
<p><font size="2">Last updated 3/21/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
</body>
</html>

34
STABLE/documentation/SeattleInTheSpring.html
View File

@ -1,34 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Springtime in Seattle!!!</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
-+
<h3><font color="#ff6633"></font></h3>
<h1 style="text-align: center;">Visit Seattle in the Springtime!!!<br>
</h1>
<img src="images/P1000048.jpg" alt="" width="640" height="480"> <br>
<br>
<b>March 6, 2003 - Nice day for a walk....</b><br>
<br>
<img src="images/P1000050.jpg" alt="" width="640" height="480"> <br>
<br>
<br>
<img src="images/P1000049.jpg" alt="" width="480" height="640">
<p><b>The view from my office window -- think I'll go out and enjoy the
deck (Yes -- that is snow on the deck...)</b>.<br>
</p>
<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>
<br>
<br>
</body>
</html>

21
STABLE/documentation/Shorewall_Banner.htm
View File

@ -1,21 +0,0 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Banner</title>
<base target="contents">
<meta name="Microsoft Theme" content="blueprnt 011">
<meta name="Microsoft Border" content="none, default">
</head>
<body background="_themes/blueprnt/blutextb.gif" bgcolor="#FFFFFF" text="#003399" link="#3366FF" vlink="#9900FF" alink="#000066"><!--mstheme--><font face="Century Gothic, Arial, Helvetica"><p align="right"><b><font size="2"><img border="0" src="images/Shorewall_Banner.gif" align="left" width="600" height="60"></font><font size="4"><strong>
</strong></font><font size="2">The Shorewall Project uses the Services of</font><font size="4">
&nbsp;</font></b><a href="http://sourceforge.net" target="_top"><img src="http://sourceforge.net/sflogo.php?group_id=22587" alt="SourceForge Logo" align="top"></a> </p>
<p align="right">&nbsp; </p>
<!--mstheme--></font></body>
</html>

80
STABLE/documentation/Shorewall_CA_html.html
View File

@ -1,80 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall Certificate Authority</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<h1 style="text-align: center;">Shorewall Certificate Authority (CA)
Certificate<br>
</h1>
Given that I develop and support Shorewall without asking for any
renumeration, I can hardly justify paying $200US+ a year to a
Certificate Authority such as Thawte (A Division of VeriSign) for an
X.509 certificate to prove that I am who I am. I have therefore
established my own Certificate Authority (CA) and sign my own X.509
certificates. I use these certificates on my list server (<a
href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
which hosts parts of this web site.<br>
<br>
X.509 certificates are the basis for the Secure Socket Layer (SSL). As
part of establishing an SSL session (URL https://...), your browser
verifies the X.509 certificate supplied by the HTTPS server against the
set of Certificate Authority Certificates that were shipped with your
browser. It is expected that the server's certificate was issued by one
of the authorities whose identities are known to your browser. <br>
<br>
This mechanism, while supposedly guaranteeing that when you connect to
https://www.foo.bar you are REALLY connecting to www.foo.bar, means
that the CAs literally have a license to print money -- they are
selling a string of bits (an X.509 certificate) for $200US+ per
year!!!I <br>
<br>
I wish that I had decided to become a CA rather that designing and
writing Shorewall.<br>
<br>
What does this mean to you? It means that the X.509 certificate that my
server will present to your browser will not have been signed by one of
the authorities known to your browser. If you try to connect to my
server using SSL, your browser will frown and give you a dialog box
asking if you want to accept the sleezy X.509 certificate being
presented by my server. <br>
<br>
There are two things that you can do:<br>
<ol>
<li>You can accept the mail.shorewall.net certificate when your
browser asks -- your acceptence of the certificate can be temporary
(for that access only) or perminent.</li>
<li>You can download and install <a href="ca.crt">my (self-signed)
CA certificate.</a> This will make my Certificate Authority known to
your browser so that it will accept any certificate signed by me. <br>
</li>
</ol>
What are the risks?<br>
<ol>
<li>If you install my CA certificate then you assume that I am
trustworthy and that Shorewall running on your firewall won't redirect
HTTPS requests intented to go to your bank's server to one of my
systems that will present your browser with a bogus certificate
claiming that my server is that of
your bank.</li>
<li>If you only accept my server's certificate when prompted then the
most that you have to loose is that when you connect to
https://mail.shorewall.net, the server you are connecting to might not
be mine.</li>
</ol>
I have my CA certificate loaded into all of my browsers but I certainly
won't be offended if you decline to load it into yours... :-)<br>
<p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003
Thomas M.
Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
</body>
</html>

39
STABLE/documentation/Shorewall_CVS_Access.html
View File

@ -1,39 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall CVS Access</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<br>
<h1 style="text-align: center;">Shorewall CVS Access<br>
</h1>
Lots of people try to download the entire Shorewall website for
off-line browsing, including the CVS portion. In addition to being an
enormous volume of data (HTML versions of all versions of all Shorewall
files), all of the pages in Shorewall CVS access are cgi-generated
which places a tremendous load on my little server. I have therefore
resorted to making CVS access password controlled. When you are asked
to log in, enter "Shorewall" (NOTE THE CAPITALIZATION!!!!!) for both
the user name and the password.<br>
<br>
<div align="center">
<h3><a href="http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi"
target="_top">CVS Login</a> &nbsp;<br>
</h3>
</div>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated
1/14/2002 - <a href="support.htm">Tom Eastep</a> </font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

54
STABLE/documentation/Shorewall_Doesnt.html
View File

@ -1,54 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>What Shorewall Cannot Do</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<small> </small><small> </small><small> </small><small> </small><small>
</small> <small> </small>
<small><br>
</small>
<h1 style="text-align: center;">Some things that Shorewall Cannot Do<br>
</h1>
Shorewall cannot:<br>
<ul>
<li>Be used to filter traffic through a Layer 2 Bridge</li>
<li>Act as a "Personal Firewall" that allows internet access by
application.</li>
<li>Be used with an Operating System other than Linux (version &gt;=
2.4.0)<br>
</li>
<li>Do content filtering:</li>
<ul>
<li>HTTP -- better to use <a href="Shorewall_Squid_Usage.html">Squid</a>
for that.</li>
<li>Email -- Install something like <a
href="http://www.postfix.org">Postfix</a> on your firewall and
integrate it with <a href="http://www.spamassassin.org">SpamAssassin</a>
and <a href="http://www.ijs.si/software/amavisd/">Amavisd-new</a>.<br>
</li>
</ul>
</ul>
In addition:<br>
<ul>
<li>Shorewall does not contain any support for Netfilter <a
href="http://www.netfilter.org/documentation/pomlist/pom-summary.html"><span
style="font-style: italic;">Patch-O-Matic</span></a> features --
Shorewall
only supports features from released kernels.<br>
</li>
</ul>
<br>
<font size="2">Last updated 10/07/2003 - <a href="support.htm">Tom
Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
</body>
</html>

631
STABLE/documentation/Shorewall_Squid_Usage.html
View File

@ -1,631 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall Squid Usage</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table cellpadding="0" cellspacing="0" border="0"
style="background-color: rgb(51, 102, 255); height: 84px; width: 100%;">
<tbody>
<tr>
<td valign="middle" width="33%" bgcolor="#3366ff"
style="background-color: rgb(255, 255, 255);"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4"> </a><br>
</td>
<td valign="middle" height="90" align="center" width="34%"
style="background-color: rgb(255, 255, 255);">
<h1 style="color: rgb(51, 0, 51);"><b>Using Shorewall with Squid</b></h1>
<h1> </h1>
</td>
<td valign="middle" height="90" width="33%" align="right"
style="background-color: rgb(255, 255, 255);"><a
href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
alt="" width="100" height="31" hspace="4"> </a><br>
</td>
</tr>
</tbody>
</table>
<br>
This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <a
href="#Transparent">Transparent
Proxy</a> or as a <a href="#Manual">Manual Proxy</a>.<br>
<br>
If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<h1><a name="Transparent"></a>Squid as a Transparent Proxy<br>
</h1>
<img border="0" src="images/j0213519.gif" width="60" height="60"
alt="Caution" align="middle"> &nbsp;&nbsp;&nbsp; Please observe the
following general requirements:<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run
as a transparent proxy as described at <a
href="http://tldp.org/HOWTO/mini/TransparentProxy.html">http://tldp.org/HOWTO/mini/TransparentProxy.html</a>.<br>
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention
the files /etc/shorewall/start and /etc/shorewall/init -- if you don't
have those files, siimply create them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b>&nbsp;&nbsp;&nbsp;
When the Squid server is in the DMZ zone or in the local zone, that
zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
file entries. That is because the packets being routed to the Squid
server still have their original destination IP addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b>&nbsp;&nbsp;&nbsp;
You must have iptables installed on your Squid server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b>&nbsp;&nbsp;&nbsp;
If you run a Shorewall version earlier than 1.4.6, you must have NAT
and MANGLE enabled in your /etc/shorewall/conf file<br>
<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp;
NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br>
Three different configurations are covered:<br>
<ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid
running on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
</ol>
<h2><a name="Firewall"></a>Squid (transparent) Running on the Firewall</h2>
You want to redirect all local www connection requests
EXCEPT those to your own http server (206.124.146.177) to a Squid
transparent proxy running on the firewall
and listening on port 3128. Squid will of course require access
to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc</td>
<td>3128</td>
<td>tcp</td>
<td>www</td>
<td> -<br>
</td>
<td>!206.124.146.177</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
There may be a requirement to exclude additional destination
hosts or networks from being redirected. For example, you might also
want
requests destined for 130.252.100.0/24 to not be routed to Squid.<br>
<br>
If you are running Shorewall version 1.4.5 or later, you may just add
the additional hosts/networks to the ORIGINAL DEST column in your
REDIRECT rule:<br>
<br>
<div style="margin-left: 40px;">
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc</td>
<td>3128</td>
<td>tcp</td>
<td>www</td>
<td> -<br>
</td>
<td>!206.124.146.177,130.252.100.0/24</td>
</tr>
</tbody>
</table>
</div>
<br>
If you are running a Shorewall version earlier than 1.4.5, you must add
a manual rule in /etc/shorewall/start:<br>
<blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
</blockquote>
&nbsp;To exclude additional hosts or networks, just add additional
similar rules.<br>
<h2><a name="Local"></a>Squid (transparent) Running in the local network</h2>
You want to redirect all local www connection requests to a Squid
transparent proxy running in your local zone at 192.168.1.3 and
listening
on port 3128. Your local interface is eth1. There may also be a web
server running on 192.168.1.3. It is assumed that web access is already
enabled from the local zone to the internet..<br>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote>
<ul>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
upgrade to Shorewall 1.4.2 or later.<br>
<br>
</li>
<li>If you are running Shorewall 1.4.2 or later, then in
/etc/shorewall/interfaces:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top">ZONE<br>
</td>
<td valign="top">INTERFACE<br>
</td>
<td valign="top">BROADCAST<br>
</td>
<td valign="top">OPTIONS<br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">detect<br>
</td>
<td valign="top"><b>routeback</b><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>In /etc/shorewall/rules:<br>
<br>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT<br>
</td>
<td>loc</td>
<td>loc<br>
</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td><br>
</td>
</tr>
</tbody>
</table>
</li>
<br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have
the following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST PARAMETERS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>In /etc/shorewall/start add:<br>
</li>
</ul>
<blockquote>
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
</blockquote>
<ul>
<li>On 192.168.1.3, arrange for the following command to be executed
after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply
execute the following commands after you have typed the iptables
command above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
</blockquote>
<blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid (transparent) Running in the DMZ (This is
what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ
interface is eth1 and your local interface is eth2.<br>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
</blockquote>
<ul>
<li>&nbsp;Do<b> one </b>of the following:<br>
<br>
A) In /etc/shorewall/start add<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in
/etc/shorewall/shorewall.conf and add the following entry in
/etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry
in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202:P<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<ul>
<li>In /etc/shorewall/rules, you will need:</li>
</ul>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">ACTION<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DEST<br>
</td>
<td valign="top">PROTO<br>
</td>
<td valign="top">DEST<br>
PORT(S)<br>
</td>
<td valign="top">CLIENT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following
command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply
execute the following commands after you have typed the iptables
command above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
</blockquote>
<blockquote> </blockquote>
<h1><a name="Manual"></a>Squid as a Manual Proxy</h1>
Assume that Squid is running in zone SZ and listening on port SP; all
web sites that are to be accessed through Squid are in the 'net' zone.
Then for each zone Z that needs access to the Squid server:<br>
<br>
<div style="margin-left: 40px;">
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">ACTION<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DEST<br>
</td>
<td valign="top">PROTO<br>
</td>
<td valign="top">DEST<br>
PORT(S)<br>
</td>
<td valign="top">CLIENT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">Z<br>
</td>
<td valign="top">SZ<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">SP<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">SZ<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</div>
<br>
Example:<br>
<br>
<div style="margin-left: 40px;">Squid on the firewall listening on port
8080 with access from the 'loc' zone:<br>
<br>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">ACTION<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DEST<br>
</td>
<td valign="top">PROTO<br>
</td>
<td valign="top">DEST<br>
PORT(S)<br>
</td>
<td valign="top">CLIENT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">$FW<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">8080<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">$FW<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</div>
<p><font size="-1">Updated 1017/2003 - <a href="support.htm">Tom
Eastep</a>
</font></p>
<a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2003 Thomas M. Eastep.</font></a><br>
</body>
</html>

632
STABLE/documentation/Shorewall_and_Aliased_Interfaces.html
View File

@ -1,632 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall and Aliased Interfaces</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<h1 style="text-align: center;">Shorewall and Aliased Interfaces<br>
</h1>
<h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i>
which is used to configure network devices. ifconfig introduced the
concept of <i>aliased </i>or <i>virtual </i>interfaces. These
virtual
interfaces have names of the form <i>interface</i>:<i>integer </i>(e.g.,
eth0:0) and ifconfig treats them more or less like real interfaces.<br>
<br>
Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
utility which is part of the <i>iproute </i>package. The ip utility
does not use the concept of aliases or virtual interfaces but rather
treats additional addresses on an interface as objects in their own
right.
The ip utility does provide for interaction with ifconfig in that it
allows
addresses to be <i>labeled </i>where these labels take the form of
ipconfig
virtual interfaces.<br>
<br>
Example:<br>
<br>
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
Note that one <u>cannot</u> type "ip addr show dev eth0:0" because
"eth0:0" is a label for a particular address rather than a device name.<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either it's
"-i" or "-o" command options; as a consequence, Shorewall does not
allow them to be used in the /etc/shorewall/interfaces file or anywhere
else except as described in the discussion below. <br>
<br>
<h2>Adding Addresses to Interfaces</h2>
Shorewall provides facilities for automatically adding addresses to
interfaces
as described in the following section. It is also easy to add them
yourself
using the <b>ip</b> utility. The above alias was added using:<br>
<blockquote><b><font color="#009900">ip addr add 206.124.146.178/24 brd
206.124.146.255
dev eth0 label eth0:0</font></b><br>
</blockquote>
You probably want to arrange to add these addresses when the device is
started
rather than placing commands like the above in one of the Shorewall
extension
scripts. For example, on RedHat systems, you can place the commands in
/sbin/ifup-local:<br>
<br>
<blockquote>
<pre>#!/bin/sh<br><br>case $1 in<br> eth0)<br> /sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0<br> ;;<br>esac&nbsp;<br></pre>
</blockquote>
RedHat systems also allow adding such aliases from the network
administration
GUI (which works well if you have a graphical environment on your
firewall).<br>
<h2>So how do I handle more than one address on an interface?</h2>
The answer depends on what you are trying to do with the interfaces. In
the sub-sections that follow, we'll take a look at common scenarios.<br>
<h3>Separate Rules</h3>
If you need to make a rule for traffic to/from the firewall itself that
only applies to a particular IP address, simply qualify the $FW zone
with the IP address.<br>
<br>
Example (allow SSH from net to eth0:0 above):<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">$FW:206.124.146.178<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>DNAT</h3>
Suppose that I had set up eth0:0 as above and I wanted to port
forward from that virtual interface to a web server running in my local
zone at 192.168.1.3. That is accomplised by a single rule in the
/etc/shorewall/rules file:<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>SNAT</h3>
If you wanted to use eth0:0 as the IP address for outbound connections
from your local zone (eth1), then in /etc/shorewall/masq:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if
you set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf.
Beginning
with Shorewall 1.3.14, Shorewall can actually create the "label"
(virtual
interface) so that you can see the created address using ifconfig. In
addition to setting ADD_SNAT_ALIASES=Yes, you specify the virtual
interface
name in the INTERFACE column as follows:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0:0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
Shorewall can also set up SNAT to round-robin over a range of IP
addresses. Do do that, you specify a range of IP addresses in the
ADDRESS column. If you specify a label in the INTERFACE column,
Shorewall will use that label for the first address of the range and
will increment the label by one for each subsequent label.<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0:0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178-206.124.146.180<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
The above would create three IP addresses:<br>
<br>
&nbsp;&nbsp;&nbsp; eth0:0 = 206.124.146.178<br>
&nbsp;&nbsp;&nbsp; eth0:1 = 206.124.146.179<br>
&nbsp;&nbsp;&nbsp; eth0:2 = 206.124.146.180<br>
<h3>STATIC NAT</h3>
If you wanted to use static NAT to link eth0:0 with local address
192.168.1.3, you would have the following in /etc/shorewall/nat:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>EXTERNAL<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>INTERNAL<br>
</b></td>
<td valign="top"><b>ALL INTERFACES<br>
</b></td>
<td valign="top"><b>LOCAL<br>
</b></td>
</tr>
<tr>
<td valign="top">206.124.146.178<br>
</td>
<td valign="top">eth0<br>
</td>
<td valign="top">192.168.1.3<br>
</td>
<td valign="top">no<br>
</td>
<td valign="top">no<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if
you set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning
with Shorewall 1.3.14, Shorewall can actually create the "label"
(virtual
interface) so that you can see the created address using ifconfig. In
addition to setting ADD_IP_ALIASES=Yes, you specify the virtual
interface
name in the INTERFACE column as follows:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>EXTERNAL<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>INTERNAL<br>
</b></td>
<td valign="top"><b>ALL INTERFACES<br>
</b></td>
<td valign="top"><b>LOCAL<br>
</b></td>
</tr>
<tr>
<td valign="top">206.124.146.178<br>
</td>
<td valign="top">eth0:0<br>
</td>
<td valign="top">192.168.1.3<br>
</td>
<td valign="top">no<br>
</td>
<td valign="top">no<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In either case, to create rules that pertain only to this NAT pair, you
simply qualify the local zone with the internal IP address.<br>
<br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>MULTIPLE SUBNETS</h3>
Sometimes multiple IP addresses are used because there are multiple
subnetworks configured on a LAN segment. This technique does not
provide for any security between the subnetworks if the users of the
systems have administrative privileges because in that case, the users
can simply manipulate their system's routing table to bypass your
firewall/router. Nevertheless, there are cases where you simply want to
consider the LAN segment itself as a zone and allow your
firewall/router to route between the two subnetworks.<br>
<br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254
and eth1:0 is 192.168.20.254. You want to simply route all requests
between the two subnetworks.<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4>
In /etc/shorewall/interfaces:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">-<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note that you do NOT need any entry in /etc/shorewall/policy as
Shorewall 1.4.1 and later releases default to allowing intra-zone
traffic.<br>
<h4>If you are running Shorewall 1.4.0 or earlier<br>
</h4>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST:LIMIT<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You want to make these subnetworks into
separate
zones and control the access between them (the users of the systems do
not have administrative privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>DESCRIPTION<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">Local<br>
</td>
<td valign="top">Local Zone 1<br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">Local2<br>
</td>
<td valign="top">Local Zone 2<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">-<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">eth1:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
that you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 7/29/2003 A - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</body>
</html>

66
STABLE/documentation/Shorewall_index_frame.htm
View File

@ -1,66 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%" bgcolor="#ffffff">
<ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Things to try if it doesn't
work</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
</li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
</ul>
</li>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<ul>
</ul>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
</body>
</html>

68
STABLE/documentation/Shorewall_sfindex_frame.htm
View File

@ -1,68 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%" bgcolor="#ffffff">
<ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Things to try if it doesn't
work</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
</li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
</ul>
</li>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<ul>
</ul>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</body>
</html>

141
STABLE/documentation/UserSets.html
View File

@ -1,141 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Controlling Traffic by UID/GID</title>
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Controlling Output
Traffic by UID/GID<br>
</font></h1>
</td>
</tr>
</tbody>
</table>
This capability was added in Shorewall release
1.4.7.<br>
<br>
Netfilter provides the capability to filter packets generated on the
firewall system by User Id and/or Group Id. Shorewall provides two
separate but related ways to use this Netfilter capability:<br>
<ol>
<li>Shorewall allows you to
define collections of users called "<a href="#UserSet">User Sets</a>"
and then to restrict
certain rules in /etc/shorewall/rules to a given User Set.</li>
<li>Shorewall also allows you to restrict a given <a href="#Rule">rule
</a>to a particular user and/or group.<br>
</li>
</ol>
Since only packets created by programs running on the Shorewall box
itself, only rules whose SOURCE is the firewall ($FW) may be restricted
using either of the facilities.<br>
<h2><a name="UserSet"></a>User Sets<br>
</h2>
Given the way that this facility is implemented in Shorewall, it is not
possible to control logging of individual rules using a User Set and
logging is rather specified on the User Set itself.<br>
<br>
User Sets are defined in the /etc/shorewall/usersets file. Columns in
that file include:<br>
<br>
<div style="margin-left: 40px;">USERSET&nbsp;&nbsp; &nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The name of a User Set. Must be a legal
shell
identifier of no more than six (6) characters in length.<br>
REJECT&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;
Log level for connections rejected for this User Set.<br>
ACCEPT&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp; Log
level for connections accepted for this User Set.<br>
DROP &nbsp;&nbsp; &nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;
&nbsp;&nbsp; Log level for connections dropped for this User Set.<br>
</div>
<br>
In the REJECT and ACCEPT columns, if you don't want to specify a value
in the column but you want to specify a value in a following column,
you may enter "-".<br>
<br>
Users and/or groups are added to User Sets using the
/etc/shorewall/users file. Columns in that file are:<br>
<br>
<div style="margin-left: 40px;">USERSET&nbsp;&nbsp; &nbsp;&nbsp;
&nbsp;&nbsp; &nbsp;&nbsp; The name of a User Set defined in
/etc/shorewall/usersets.<br>
USER&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;
&nbsp;&nbsp; The name of a user defined on the system or a user number.<br>
GROUP&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;
The name of a group defined on the system or a number.<br>
</div>
<p align="left">Only one of the USER and GROUP
column needs to be non-empty. If you wish to specify a GROUP but not a
USER, enter "-" in the user column.<br>
</p>
<p align="left">If both USER and GROUP are
specified then only programs running under that USER:GROUP pair will
match rules specifying the User Set named in the USERSET column.<br>
</p>
<p align="left">Once a user set has been defined, its name may be
placed in the USER SET column of the /etc/shorewall/rules file. <span
style="color: rgb(255, 0, 0);"><span style="font-weight: bold;">IMPORTANT:
</span></span>When
the name of a user set is given in the USER SET column, you may not
include a log level in the ACTION column; logging of such rules is
governed solely by the user set's definition in the
/etc/shorewall/userset file.
</p>
<p align="left">Example: You want members of the
'admin' group and 'root' to be able to use ssh on the firewall to
connect to local systems. You want to log all connections accepted for
these users using syslog at the 'info' level.<br>
</p>
<div style="margin-left: 40px;"></div>
<p align="left" style="margin-left: 40px;">/etc/shorewall/usersets</p>
<div style="margin-left: 40px;"></div>
<pre style="margin-left: 80px;">#USERSET REJECT ACCEPT DROP<br>admins - info<br></pre>
<div style="margin-left: 40px;"></div>
<p align="left" style="margin-left: 40px;">/etc/shorewall/users<br>
</p>
<div style="margin-left: 40px;"></div>
<pre style="margin-left: 80px;">#USERSET USER GROUP<br>admins - admin<br>admins root<br></pre>
<div style="margin-left: 40px;">/etc/shorewall/rules<br>
</div>
<pre style="margin-left: 80px;">#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER<br># PORT(S) DESTINATION SET<br><br>ACCEPT $FW loc tcp 22 - - - admins<br></pre>
<h2><a name="Rule"></a>Restricting a rule to a particular user and/or
group<br>
</h2>
In cases where you may want to restrict a rule to a particular user
and/or group, the USER SET column in the rules file may be specified as:<br>
<br>
<div style="margin-left: 40px;">[ &lt;<span style="font-style: italic;">user
name or number</span>&gt; ] : [ &lt;<span style="font-style: italic;">group
name or number</span>&gt; ]<br>
<div style="text-align: left;"><br>
</div>
</div>
When a user and/or group name is given in the USER SET column, it is OK
to specify a log level in the ACTION column. <br>
<br>
Example: You want user <span style="font-style: italic;">mail </span>to
be able to send email from the firewall to the local net zone<br>
<br>
<div style="margin-left: 40px;">/etc/shorewall/rules (be sure to note
the ":" in the USER SET column entry).<br>
<pre>#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER<br># PORT(S) DESTINATION SET<br><br>ACCEPT $FW loc tcp 25 - - - mail:</pre>
</div>
<p align="left"><font size="2">Last updated 9/19/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
</body>
</html>

84
STABLE/documentation/VPN.htm
View File

@ -1,84 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>VPN</title>
</head>
<body>
<h1 style="text-align: center;">VPN<br>
</h1>
<p>It is often the case that a system behind the firewall needs to be
able to access a remote network through Virtual Private Networking
(VPN). The two most common means for doing this are IPSEC and PPTP. The
basic setup is shown in the following diagram:</p>
<p align="center"><img border="0" src="images/VPN.png" width="568"
height="796"> </p>
<p align="left">A system with an RFC 1918 address needs to access a
remote network through a remote gateway. For this example, we will
assume that the local system has IP address 192.168.1.12 and that the
remote gateway has
IP address 192.0.2.224.</p>
<p align="left">If PPTP is being used, there are no firewall
requirements beyond the default loc-&gt;net ACCEPT policy. There is one
restriction however: Only one local system at a time can be connected
to a single remote gateway unless you patch your kernel from the
'Patch-o-matic' patches available at
<a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
<p align="left">If IPSEC is being used then only one system may connect
to the remote gateway and there are firewall configuration requirements
as follows:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
bordercolor="#111111" id="AutoNumber2" height="98">
<tbody>
<tr>
<td height="38"><u><b>ACTION</b></u></td>
<td height="38"><u><b>SOURCE</b></u></td>
<td height="38"><u><b>DESTINATION</b></u></td>
<td height="38"><u><b>PROTOCOL</b></u></td>
<td height="38"><u><b>PORT</b></u></td>
<td height="38"><u><b>CLIENT<br>
PORT</b></u></td>
<td height="38"><u><b>ORIGINAL<br>
DEST</b></u></td>
</tr>
<tr>
<td height="19">DNAT</td>
<td height="19">net:192.0.2.224</td>
<td height="19">loc:192.168.1.12</td>
<td height="19">50</td>
<td height="19">&nbsp;</td>
<td height="19">&nbsp;</td>
<td height="19">&nbsp;</td>
</tr>
<tr>
<td height="19">DNAT</td>
<td height="19">net:192.0.2.224</td>
<td height="19">loc:192.168.1.12</td>
<td height="19">udp</td>
<td height="19">500</td>
<td height="19">&nbsp;</td>
<td height="19">&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>If you want to be able to give access to all of your local systems
to the remote network, you should consider running a VPN client on your
firewall. As starting points, see <a
href="http://www.shorewall.net/Documentation.htm#Tunnels">
http://www.shorewall.net/Documentation.htm#Tunnels</a> or <a
href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<p>&nbsp;</p>
<br>
<br>
</body>
</html>

BIN
STABLE/documentation/_themes/radial/aradbck.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 200 B

BIN
STABLE/documentation/_themes/radial/aradbckh.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 203 B

BIN
STABLE/documentation/_themes/radial/aradbnr.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 547 B

BIN
STABLE/documentation/_themes/radial/aradbul1.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 73 B

BIN
STABLE/documentation/_themes/radial/aradbul2.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 63 B

BIN
STABLE/documentation/_themes/radial/aradbul3.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 66 B

BIN
STABLE/documentation/_themes/radial/aradhbtn.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 230 B

BIN
STABLE/documentation/_themes/radial/aradhhov.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 243 B

BIN
STABLE/documentation/_themes/radial/aradhom.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 198 B

BIN
STABLE/documentation/_themes/radial/aradhomh.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 203 B

BIN
STABLE/documentation/_themes/radial/aradhsel.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 247 B

BIN
STABLE/documentation/_themes/radial/aradnxt.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 202 B

BIN
STABLE/documentation/_themes/radial/aradnxth.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 206 B

BIN
STABLE/documentation/_themes/radial/aradrule.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 189 B

BIN
STABLE/documentation/_themes/radial/aradup.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 198 B

BIN
STABLE/documentation/_themes/radial/araduph.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 200 B

BIN
STABLE/documentation/_themes/radial/aradvbtn.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 230 B

BIN
STABLE/documentation/_themes/radial/aradvhov.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 241 B

BIN
STABLE/documentation/_themes/radial/aradvsel.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 241 B

BIN
STABLE/documentation/_themes/radial/blank.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 807 B

BIN
STABLE/documentation/_themes/radial/blhomep.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 161 B

BIN
STABLE/documentation/_themes/radial/blnextp.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 165 B

BIN
STABLE/documentation/_themes/radial/blprevp.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 164 B

BIN
STABLE/documentation/_themes/radial/bluedot.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 809 B

BIN
STABLE/documentation/_themes/radial/blupp.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 162 B

93
STABLE/documentation/_themes/radial/color0.css
View File

@ -1,93 +0,0 @@
a:link
{
color: rgb(102,102,255);
}
a:visited
{
color: rgb(153,51,51);
}
a:active
{
color: rgb(102,204,204);
}
body
{
color: rgb(0,0,0);
background-color: rgb(255,255,255);
}
h1
{
color: rgb(102,102,102);
}
h2, marquee
{
color: rgb(102,102,102);
}
h3
{
color: rgb(102,102,102);
}
h4
{
color: rgb(102,102,102);
}
h5
{
color: rgb(102,102,102);
}
h6
{
color: rgb(102,102,102);
}
BUTTON
{
background-color: rgb(102,102,102);
border-color: rgb(204,204,204);
color: white;
}
LABEL, .MSTHEME-LABEL
{
color: rgb(0,0,0);
}
TEXTAREA
{
border-color: rgb(102,102,102);
color: black;
}
FIELDSET
{
border-color: rgb(102,102,102);
color: black;
}
LEGEND
{
color: rgb(102,102,102);
}
SELECT
{
border-color: rgb(102,102,102);
color: black;
}
TABLE
{
border-color: rgb(102,102,102);
color: rgb(0,0,0);
table-border-color-light: rgb(204,204,204);
table-border-color-dark: rgb(102,102,102);
}
CAPTION
{
color: rgb(102,102,102);
}
TH
{
color: rgb(0,0,0);
}
HR
{
color: rgb(102,102,102);
}
TD
{
border-color: rgb(102,102,102);
}

93
STABLE/documentation/_themes/radial/color1.css
View File

@ -1,93 +0,0 @@
a:link
{
color: rgb(102,102,204);
}
a:visited
{
color: rgb(153,102,102);
}
a:active
{
color: rgb(102,153,153);
}
body
{
color: rgb(0,0,0);
background-color: rgb(255,255,255);
}
h1
{
color: rgb(102,102,204);
}
h2, marquee
{
color: rgb(102,102,204);
}
h3
{
color: rgb(102,102,204);
}
h4
{
color: rgb(102,102,204);
}
h5
{
color: rgb(102,102,204);
}
h6
{
color: rgb(102,102,204);
}
BUTTON
{
background-color: rgb(102,102,204);
border-color: rgb(153,153,255);
color: white;
}
LABEL, .MSTHEME-LABEL
{
color: rgb(0,0,0);
}
TEXTAREA
{
border-color: rgb(51,0,153);
color: black;
}
FIELDSET
{
border-color: rgb(51,0,153);
color: black;
}
LEGEND
{
color: rgb(102,102,204);
}
SELECT
{
border-color: rgb(51,0,153);
color: black;
}
TABLE
{
border-color: rgb(51,0,153);
color: rgb(0,0,0);
table-border-color-light: rgb(153,153,255);
table-border-color-dark: rgb(51,0,153);
}
CAPTION
{
color: rgb(102,102,204);
}
TH
{
color: rgb(0,0,0);
}
HR
{
color: rgb(102,102,204);
}
TD
{
border-color: rgb(51,0,153);
}

70
STABLE/documentation/_themes/radial/graph0.css
View File

@ -1,70 +0,0 @@
.mstheme
{
nav-banner-image: url(radbnr.gif);
separator-image: url(radrule.gif);
list-image-1: url(radbul1.gif);
list-image-2: url(radbul2.gif);
list-image-3: url(radbul3.gif);
navbutton-horiz-pushed: url(radhsel.gif);
navbutton-horiz-normal: url(radhbtn.gif);
navbutton-vert-pushed: url(radvsel.gif);
navbutton-vert-normal: url(radvbtn.gif);
navbutton-home-normal: url(radhom.gif);
navbutton-up-normal: url(radup.gif);
navbutton-prev-normal: url(radbck.gif);
navbutton-next-normal: url(radnxt.gif);
}
.mstheme-bannertxt
{
font-family: times new roman, Times New Roman, Times;
font-size: 6;
color: rgb(255,255,255);
}
.mstheme-horiz-navtxt
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(51,102,102);
}
.mstheme-vert-navtxt
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(51,102,102);
}
.mstheme-navtxthome
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(51,102,102);
}
.mstheme-navtxtup
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(51,102,102);
}
.mstheme-navtxtprev
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(51,102,102);
}
.mstheme-navtxtnext
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(51,102,102);
}
UL
{
list-style-image: url(radbul1.gif);
}
UL UL
{
list-style-image: url(radbul2.gif);
}
UL UL UL
{
list-style-image: url(radbul3.gif);
}

80
STABLE/documentation/_themes/radial/graph1.css
View File

@ -1,80 +0,0 @@
.mstheme
{
nav-banner-image: url(aradbnr.gif);
separator-image: url(aradrule.gif);
list-image-1: url(aradbul1.gif);
list-image-2: url(aradbul2.gif);
list-image-3: url(aradbul3.gif);
navbutton-horiz-pushed: url(aradhsel.gif);
navbutton-horiz-normal: url(aradhbtn.gif);
navbutton-horiz-hovered: url(aradhhov.gif);
navbutton-vert-pushed: url(aradvsel.gif);
navbutton-vert-normal: url(aradvbtn.gif);
navbutton-vert-hovered: url(aradvhov.gif);
navbutton-home-normal: url(aradhom.gif);
navbutton-home-hovered: url(aradhomh.gif);
navbutton-home-pushed: url(blhomep.gif);
navbutton-up-normal: url(aradup.gif);
navbutton-up-hovered: url(araduph.gif);
navbutton-up-pushed: url(blupp.gif);
navbutton-prev-normal: url(aradbck.gif);
navbutton-prev-hovered: url(aradbckh.gif);
navbutton-prev-pushed: url(blprevp.gif);
navbutton-next-normal: url(aradnxt.gif);
navbutton-next-hovered: url(aradnxth.gif);
navbutton-next-pushed: url(blnextp.gif);
}
.mstheme-bannertxt
{
font-family: times new roman, Times New Roman, Times;
font-size: 6;
color: rgb(255,255,255);
}
.mstheme-horiz-navtxt
{
font-family: Arial, Arial, Helvetica;
font-size: 1;
color: rgb(102,102,204);
}
.mstheme-vert-navtxt
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(102,102,204);
}
.mstheme-navtxthome
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(102,102,102);
}
.mstheme-navtxtup
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(102,102,102);
}
.mstheme-navtxtprev
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(102,102,102);
}
.mstheme-navtxtnext
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(102,102,102);
}
UL
{
list-style-image:url(aradbul1.gif);
}
UL UL
{
list-style-image:url(aradbul2.gif);
}
UL UL UL
{
list-style-image:url(aradbul3.gif);
}

BIN
STABLE/documentation/_themes/radial/radbck.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 203 B

BIN
STABLE/documentation/_themes/radial/radbkgnd.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.0 KiB

BIN
STABLE/documentation/_themes/radial/radbnr.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 498 B

BIN
STABLE/documentation/_themes/radial/radbul1.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 58 B

BIN
STABLE/documentation/_themes/radial/radbul2.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 58 B

BIN
STABLE/documentation/_themes/radial/radbul3.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 58 B

BIN
STABLE/documentation/_themes/radial/radglobl.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 131 B

BIN
STABLE/documentation/_themes/radial/radhbtn.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 230 B

BIN
STABLE/documentation/_themes/radial/radhom.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 203 B

BIN
STABLE/documentation/_themes/radial/radhsel.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 241 B

38
STABLE/documentation/_themes/radial/radial.inf
View File

@ -1,38 +0,0 @@
[info]
refcount=2
version=3.00
readonly=true
codepage=65001
format=2.00
title=Radial
[titles]
1033=Radial
1069=Radyal
1046=Radial
1050=Poluzaobljenja
1029=Oblouky
1030=Radial
1043=Radiaal
1036=Transversal
1035=Säde
1031=Radial
1032=Ακτίνες
1038=Kerekített
2070=Radial
1040=Radiale
1044=Radiell
1045=Wiraże
1048=Radial
1049=Закругление
1051=Lúče
1060=Zaobljena
3082=Radial
1053=Radie
1055=Radyal
1041=半円
1042=캡슐 구성
1028=交織如梭
2052=射线
1037=מוקדי
1054=เป็นรัศมี
1025=شعاعي

38
STABLE/documentation/_themes/radial/radial.utf8
View File

@ -1,38 +0,0 @@
[info]
refcount=2
version=3.00
readonly=true
codepage=65001
format=2.00
title=Radial
[titles]
1033=Radial
1069=Radyal
1046=Radial
1050=Poluzaobljenja
1029=Oblouky
1030=Radial
1043=Radiaal
1036=Transversal
1035=Säde
1031=Radial
1032=Ακτίνες
1038=Kerekített
2070=Radial
1040=Radiale
1044=Radiell
1045=Wiraże
1048=Radial
1049=Закругление
1051=Lúče
1060=Zaobljena
3082=Radial
1053=Radie
1055=Radyal
1041=半円
1042=캡슐 구성
1028=交織如梭
2052=射线
1037=מוקדי
1054=เป็นรัศมี
1025=شعاعي

BIN
STABLE/documentation/_themes/radial/radnxt.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 206 B

BIN
STABLE/documentation/_themes/radial/radrule.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 66 B

BIN
STABLE/documentation/_themes/radial/radup.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 200 B

BIN
STABLE/documentation/_themes/radial/radvbtn.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 230 B

BIN
STABLE/documentation/_themes/radial/radvsel.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 241 B

549
STABLE/documentation/_themes/radial/theme.css
View File

@ -1,549 +0,0 @@
.mstheme
{
navbutton-background-color: rgb(255,255,255);
top-bar-button: url(radglobl.gif);
}
.mstheme-topbar-font
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(51,102,102);
}
body
{
font-family: arial, Arial, Helvetica;
background-image: url(radbkgnd.gif);
}
h1
{
font-family: times new roman, Times New Roman, Times;
font-weight: normal;
font-style: normal;
font-size: 24pt;
}
h2
{
font-family: times new roman, Times New Roman, Times;
font-weight: normal;
font-style: normal;
font-size: 18pt;
}
h3
{
font-family: times new roman, Times New Roman, Times;
font-weight: normal;
font-style: normal;
font-size: 14pt;
}
h4
{
font-family: times new roman, Times New Roman, Times;
font-weight: normal;
font-style: normal;
font-size: 12pt;
}
h5
{
font-family: times new roman, Times New Roman, Times;
font-weight: normal;
font-style: normal;
font-size: 10pt;
}
h6
{
font-family: times new roman, Times New Roman, Times;
font-weight: normal;
font-style: normal;
font-size: 8pt;
}
BUTTON
{
border-style: solid;
border-width: 1pt;
font-size: 8pt;
font-family: arial, Arial, Helvetica;
font-style: normal;
}
LABEL, .MSTHEME-LABEL
{
font-size: 8pt;
font-family: arial, Arial, Helvetica;
font-style:normal;
}
TEXTAREA
{
border-style: solid;
border-width: 1pt;
font-size: 8pt;
font-family: arial, Arial, Helvetica;
font-style: normal;
}
FIELDSET
{
border-style: solid;
border-width: 1pt;
font-size: 8pt;
font-family: arial, Arial, Helvetica;
font-style: normal;
}
LEGEND
{
font-size: 8pt;
font-family: times new roman, Times New Roman, Times;
font-style: normal;
}
SELECT
{
border-style: solid;
border-width: 1pt;
font-size: 8pt;
font-family: arial, Arial, Helvetica;
font-style: normal;
}
TABLE
{
font-family: arial, Arial, Helvetica;
font-style: normal;
}
CAPTION
{
font-size: 14pt;
font-family: times new roman, Times New Roman, Times;
font-style: normal;
}
TH
{
font-family: arial, Arial, Helvetica;
font-style: normal;
}
MARQUEE
{
font-size: 14pt;
font-family: arial, Arial, Helvetica;
}
.ms-main {
border-right: 0 solid #cccccc;
}
.ms-bannerframe {
background-color: #6666cc;
}
.ms-banner {
color: #ffffff;
font-size: 9pt;
font-family: Arial, sans-serif;
}
.ms-banner a:link {
font-family: Arial, sans-serif;
font-size: 9pt;
color: #ffffff;
font-weight: normal;
text-decoration: none;
}
.ms-banner a:visited {
font-family: Arial, sans-serif;
font-size: 9pt;
color: #ffffff;
font-weight: normal;
text-decoration: none;
}
.ms-nav td {
font-family: Arial, sans-serif;
font-size: 9pt;
font-weight: normal;
color: #000000;
}
.ms-nav th {
font-size: 9pt;
font-family: Arial, sans-serif;
font-weight: normal;
text-align: left;
color: #000000;
}
.ms-navframe {
color: #000000;
}
.ms-nav a {
text-decoration: none;
font-family: Arial, sans-serif;
font-size: 9pt;
font-weight: normal;
color: #6666ff;
}
.ms-nav a:link {
}
.ms-nav a:hover {
text-decoration: underline;
color: #66cccc;
}
.ms-nav a:visited {
color: #993333;
}
.ms-verticaldots {
background-image: url(bluedot.gif);
background-position: right;
background-repeat: repeat-y;
}
.ms-viewselect A:link{
font-size: 9pt;
font-family: Arial, sans-serif;
color: #6666ff;
}
.ms-titlearea {
font-family: Arial, sans-serif;
font-size: 9pt;
color: #000000;
}
.ms-titleareaframe {
color: #000000;
}
.ms-pagetitle {
color: #669999;
font-family: Times New Roman, serif;
font-size: 1.25em;
font-weight: bold;
}
.ms-pagetitle a {
text-decoration:underline;
color: #669999;
}
.ms-pagetitle a:hover {
text-decoration: underline;
color: #669999;
}
.ms-announcementtitle {
font-weight: normal;
}
.ms-formlabel {
text-align: left;
font-family: Arial, sans-serif;
font-size: 9pt;
font-weight: normal;
color: #000000;
}
.ms-formdescription a {
color: #6666ff;
text-decoration: underline;
}
.ms-formbody {
text-align: left;
font-family: Arial, sans-serif;
font-size: 9pt;
}
.ms-formdescription
{
font-family: Arial, sans-serif;
font-size: 9pt;
color: #000000;
}
.ms-radiotext {
cursor:default;
text-align: left;
font-family: Arial, sans-serif;
font-size: 10pt;
height: 19px;
}
.ms-searchbox {
width: 100%;
}
.ms-input {
font-size: 9pt;
font-family: Arial, sans-serif;
vertical-align: baseline;
}
.ms-long {
font-size: 9pt;
font-family: Arial, sans-serif;
width: 300px;
}
.ms-wvsel {
color: #3366cc;
}
.ms-selected {
background-color: #6666cc;
color: #ffffff;
}
.ms-selected SPAN {
color: #ffffff;
}
.ms-filedialog TD {
height: 16px;
}
.ms-descriptiontext {
color: #000000;
font-family: Arial, sans-serif;
font-size: 9pt;
}
.ms-descriptiontext a {
color: #6666ff;
font-family: Arial, sans-serif;
font-size: 9pt;
}
.ms-toolbar {
font-family: Arial, sans-serif;
font-size: 9pt;
text-decoration: none;
color: #669999;
}
.ms-separator {
color: #996666;
font-size: 10pt;
}
.ms-authoringcontrols{
background-color: #f2f2f2;
font-family: Arial, sans-serif;
font-size: 9pt;
color: #000000;
}
.ms-sectionheader{
color: #669999;
font-family: Times New Roman, serif;
font-size: 12pt;
font-weight: normal;
}
.ms-sectionline
{
background-color: #6666cc;
height: 1px;
}
.ms-propertysheet {
font-family: Arial, sans-serif;
font-size: 9pt;
}
.ms-propertysheet th {
font-family: Arial, sans-serif;
font-size: 9pt;
color: #000000;
font-weight: normal;
}
.ms-propertysheet a {
text-decoration: none;
color: #6666ff;
}
.ms-propertysheet a:hover {
text-decoration: underline;
color: #66cccc;
}
.ms-propertysheet a:visited {
text-decoration: none;
color: #993333;
}
.ms-propertysheet a:visited:hover {
text-decoration: underline;
}
.ms-itemheader a {
font-size: 10pt;
font-family: Arial, sans-serif;
font-weight: normal;
color: #6666ff;
text-decoration: none;
}
.ms-itemheader a:hover {
text-decoration: underline;
color: #66cccc;
}
.ms-itemheader a:visited {
text-decoration: none;
color: #993333;
}
.ms-itemheader a:visited:hover {
text-decoration: underline;
}
.ms-discussiontitle {
font-size: 12pt;
font-family: Times New Roman, serif;
color: #000000;
font-weight: normal;
}
.ms-vh {
font-family: Arial, sans-serif;
font-size: 9pt;
color: #000000;
text-align: left;
text-decoration: none;
font-weight: normal;
}
.ms-vh a {
color: #6666ff;
text-decoration: none;
}
.ms-vh a:hover {
text-decoration: underline;
}
.ms-vb{
font-family: Arial, sans-serif;
font-size: 9pt;
height: 18px;
vertical-align: top;
}
.ms-vb a {
color: #6666ff;
text-decoration: none;
}
.ms-vb a:hover {
color: #66cccc;
text-decoration: underline;
}
.ms-vb a:visited {
color: #993333;
text-decoration: none;
}
.ms-vb a:visited:hover {
text-decoration: underline;
}
.ms-homepagetitle {
font-family: Time New Roman, serif;
font-size: 12pt;
color: #000000;
font-weight: bold;
text-decoration: none;
}
.ms-homepagetitle:Hover {
text-decoration: underline;
color: #000000;
}
.ms-addnew {
font-weight: normal;
font-family: Arial, sans-serif;
font-size: .68em;
color: #669999;
text-decoration: none;
}
.ms-cal {
border-collapse:collapse;
table-layout:fixed;
font-family: Arial, sans-serif;
cursor:default;
}
.ms-caltop {
border-top:1px solid black;
border-left:1px solid black;
border-right:1px solid black;
vertical-align:top;
font-size: 10pt;
width: 14%;
height:30px;
}
.ms-calhead {
border:none;
text-align:center;
background-color: #6666cc;
color: #ffffff;
font-size: 16pt;
font-family: Arial, sans-serif;
padding: 2px;
}
.ms-caldow {
border-top:1px solid black;
border-left:1px solid black;
border-right:1px solid black;
vertical-align:top;
text-align:center;
font-weight: bold;
font-size: 10pt;
height:20px;
}
.ms-calmid {
border-left:1px solid black;
border-right:1px solid black;
height:20px;
}
.ms-calspacer {
border-left:1px solid black;
border-right:1px solid black;
height:4px;
}
.ms-calbot {
border-top:none;
border-left:1px solid black;
border-right:1px solid black;
border-bottom:1px solid black;
height:2px;
}
.ms-appt a {
color: #000000;
}
.ms-appt a:hover {
color: red;
}
.ms-appt {
border:2px solid #669999;
text-align:center;
vertical-align: middle;
font-size:8pt;
height:18px;
overflow:hidden;
background-color: #cccccc;
color: black;
}
.ms-caldowdown {
font-family: Arial, sans-serif;
font-weight: bold;
color: #000000;
text-align: center;
vertical-align: middle;
}
.ms-caldown {
font-size: 8pt;
color: #000000;
text-align: left;
vertical-align: top;
}
.ms-datepickeriframe {
position:absolute;
display:none;
background:white;
}
.ms-datepicker {
font-family: Arial, sans-serif;
background-color: #ffffff;
border: 2 outset activeborder;
cursor:default;
}
.ms-dpdow {
border:none;
vertical-align:top;
text-align:center;
font-weight: bold;
font-size: 8pt;
border-bottom:1px solid black;
}
.ms-dpday {
border:none;
font-size: 8pt;
text-align: center;
}
.ms-dpselectedday {
border:none;
background-color:#cccccc;
font-size: 8pt;
text-align: center;
}
.ms-dpnonmonth {
color:gray;
border:none;
font-size: 8pt;
text-align: center;
}
.ms-dphead {
border:none;
text-align:center;
font-weight: bold;
font-size: 8pt;
background-color: #669999;
color: #ffffff;
}
.ms-dpfoot {
text-align:center;
font-size: 8pt;
text-align: center;
font-style: italic;
border-top:1px solid;
border-left:none;
border-bottom:none;
border-right:none;
height:24px;
}
IMG.ms-button {
cursor:hand;
}

350
STABLE/documentation/backup.shorewall_quickstart_guide.htm
View File

@ -1,350 +0,0 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall QuickStart Guide<br>
Version 1.3-2<!--mstheme--></font></h1>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Introduction<!--mstheme--></font></h2>
<p>One of the design goals of Shorewall was that &quot;it should be simple to do
simple things&quot;. With that in mind, I've written this QuickStart guide to
demonstrate how easy it is to configure common firewall setups.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall in three
common basic configurations. If you don't find what you are looking for in this
Guide, check the <a target="_top" href="Documentation_Index.htm">Shorewall Documentation</a>.</p>
<p>This guide assumes that you have the iproute/iproute2 package installed (on
RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if this
package is installed by the presence of an <b>ip</b> program on your firewall
system. As root, you can use the 'which' command to check for this program:</p>
<!--mstheme--></font><pre> [root@gateway root]# which ip
/sbin/ip
[root@gateway root]# </pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>After you have <a href="Install.htm">installed Shorewall</a>, simply pick the sample
configuration that best fits your needs and copy the files to
/etc/shorewall. Next modify /etc/shorewall/interfaces and /etc/shorewall/masq to
match your setup as described below. If you have servers, you will also need to
modify /etc/shorewall/rules.</p>
<p>Available samples include:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="/pub/shorewall/LATEST.samples/one-interface.tgz">Standalone System</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">Two-interface Masquerading Firewall</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">Three-interface Masquerading Firewall with DMZ</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>All of these samples assume that you have a single external IP address - it
may be static or dynamic. Configuring Shorewall with multiple external IP
addresses is outside of the scope of this guide; see the
<a target="_top" href="Documentation_Index.htm">Shorewall Documentation</a>.</p>
<p><font color="#FF0000"><b>Do <u>not</u> try to install Shorewall on a remote
system -- you will almost certainly end up not being able to communicate with
that system. </b></font></p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Configuration Concepts<!--mstheme--></font></h2>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a few of
these as described in this guide. As each file is introduced, I suggest that you
look through the actual file on your system -- each file contains detailed
configuration instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a set of
<i>zones.</i> In the sample configurations, the following zone names are used:</p>
<!--mstheme--></font><table border="0" style="border-collapse: collapse" cellpadding="3" cellspacing="0" id="AutoNumber1">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Name</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Description</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>One Interface</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Two Interfaces</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Three Interfaces</b></u><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>net</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>The Internet</b><!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>loc</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>Your Local Network</b><!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>dmz</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>Your demilitarized Zone</b><!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Shorewall also recognizes the firewall system as its own zone - by default,
the firewall itself is known as <b>fw</b> although you can change that name in the
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf </a>file. As
shown in the above table, not all zones are available with all sample
configurations.</p>
<p>The simplest way to define a zone is to associate the zone with a
network interface on your firewall system. You do that using the
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file. So
for a standalone system, you would associate your single network interface with
<b>net</b>; on a two-interface firewall, you would associate one interface with
<b>net</b> and one with <b>loc</b>; and on a three-interface firewall with DMZ,
you would associate one interface with <b>net</b>, a second with <b>loc</b> and
a third with <b>dmz</b>. The sample interfaces do this as follows:</p>
<!--mstheme--></font><table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber2">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Zone</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Interface</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>One Interface</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Two Interfaces</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Three Interfaces</b></u><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth1<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">dmz<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If your configuration doesn't match the sample then you will need to modify
/etc/shorewall/interfaces.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed in
terms of zones.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You express your default policy for connections from one zone to another
zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The /etc/shorewall/rules file is also used to define port forwarding.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>For each connection request entering the firewall, the request is first checked against the
/etc/shorewall/rules file. If the connection request doesn't match any rule in
that file, the first policy in /etc/shorewall/policy that matches the
request is then applied. If the policy is DROP or REJECT then the connection
request is passed through the rules in /etc/shorewall/common (the samples supply
that file for you).</p>
<p>If you have more than one interface and you have a single external IP address you will need to use
either IP masquerade (if your IP address is dynamic) or Source Network Address
Translation (SNAT). Whichever applies, you will define it in&nbsp; <a href="Documentation.htm#Masq">/etc/shorewall/masq</a>
file. <b>Note:</b> This file is used to describe &quot;many-to-one outbound NAT&quot;.
Shorewall also supports one-to-one NAT using the /etc/shorewall/nat file but I recommend <u>against</u>
one-to-one NAT in most applications unless you are willing to deal with the DNS
issues involved. The two- and three-interface samples assume that you will be
using IP masquerade as follows:</p>
<!--mstheme--></font><table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber3">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Traffic coming in on this interface</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Will be masqueraded if it goes out this interface</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Two Interfaces</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b><u>Three Interfaces</u></b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth1<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/interfaces<!--mstheme--></font></h2>
<p>The detailed documentation for this file may be found
<a href="Documentation.htm#Interfaces">here.</a> Entries in this file have four
columns:</p>
<ol>
<li>The name of the zone that this interface connects to - this must be the
name of a zone defined in the /etc/shorewall/zones file.</li>
<li>The name of the interface.</li>
<li>The broadcast address for the subnet on this interface. If you want
Shorewall to detect this address for you, place 'detect' in that column.</li>
<li>A comma-separated list of <a href="Documentation.htm#Interfaces">options</a> that apply to this interface.</li>
</ol>
<p>Some examples:</p>
<p>Standalone system with ethernet interface to the internet.</p>
<!--mstheme--></font><pre> net eth0 detect norfc1918,routefilter</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Two interface system with eth0 connected to the local network and eth1
connected to the internet. eth1 gets its IP address via DHCP.</p>
<!--mstheme--></font><pre> loc eth0 detect routestopped
net eth1 detect norfc1918,dhcp,routefilter</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Three interface system with eth0 connected to the internet, eth1 connected to
the DMZ and eth2 connected to the local network. eth0 gets its IP address via
DHCP and the firewall runs a DHCP server for configuring local hosts (those
connected to eth2).</p>
<!--mstheme--></font><pre> net eth0 detect norfc1918,routefilter,dhcp
dmz eth1 detect routestopped
loc eth2 detect routestopped,dhcp</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>At this point, please edit /etc/shorewall/interfaces to match your setup.</p>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Some other considerations<!--mstheme--></font></h3>
<p>If your primary internet interface uses PPPoE, PPP or PPTP then you will want
to set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf.</a></p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/policy<!--mstheme--></font></h2>
<p>The /etc/shorewall/policy file documentation is
<a href="Documentation.htm#Policy">here</a>. I recommend the following (which
are
in the standalone sample):</p>
<p>Standalone system:</p>
<!--mstheme--></font><pre> fw net ACCEPT
all all DROP info</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>So by default, all connection requests from your firewall to the internet are
accepted (allowed) and all other connection requests (i.e., those from the
internet to your firewall) are dropped (ignored).</p>
<p>Two and three interface firewalls:</p>
<!--mstheme--></font><pre> loc net ACCEPT
net all DROP info
all all REJECT info</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<blockquote>
<p>If you want your firewall system to have full access to servers on the
internet, add the following rule before the last rule above (Note -- in the two-
and three-interface samples, the line below is included but commented out).</p>
</blockquote>
<!--mstheme--></font><pre> fw net ACCEPT</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from your local network to the internet</li>
<li>drop (ignore) all connection requests from the internet to your firewall
or local network</li>
<li>optionally accept all connection requests from the firewall to the
internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
</ol>
<p>At this point, edit your /etc/shorewall/policy and make any changes that you
wish.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/masq<!--mstheme--></font></h2>
<p>The /etc/shorewall/masq file (documentation <a href="Documentation.htm#Masq">
here</a>) describes output many-to-one source Network Address Translation.</p>
<p>If you have a static external IP address (assume 206.124.146.176 in these
examples), then:</p>
<blockquote>
<p>Two interface firewall with eth0 interfacing to the internet and eth1
interfacing to the local network:</p>
</blockquote>
<!--mstheme--></font><pre> eth0 eth1 206.124.146.176</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<blockquote>
<p>Three interface firewall with eth0 interfacing to the internet, eth1
interfacing to the DMZ and eth2 interfacing to the local network:</p>
</blockquote>
<!--mstheme--></font><pre> eth0 eth1 206.124.146.176
eth0 eth2 206.124.146.176</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If you have a dynamic internet IP address, simply omit the third column! So
for the two interface firewall, your /etc/shorewall/masq file would have:</p>
<!--mstheme--></font><pre> eth0 eth1</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If you don't want to use IP masquerade or SNAT (two- and three-interface
samples), simple delete the entry/entries from /etc/shorewall/masq.</p><p>At
this point, edit your /etc/shorewall/masq file and change it to match your
configuration.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/rules<!--mstheme--></font></h2>
<p>The rules file (documentation <a href="Documentation.htm#Rules">here</a>) is
probably the most important of the Shorewall configuration files.</p>
<p>The general simplified format for an ACCEPT rule that doesn't involve port forwarding
is:</p>
<!--mstheme--></font><pre> ACCEPT <i>&lt;source zone&gt; &lt;dest zone&gt;[:&lt;server IP address&gt;] &lt;protocol&gt; &lt;port(s)&gt;</i></pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Here are some rules that I recommend that everyone use (and that I've
included in the samples):</p>
<!--mstheme--></font><pre> ACCEPT fw net udp 53 # Accept DNS queries from your firewall to the internet
ACCEPT fw net tcp 53 # &quot; &quot; &quot; &quot; &quot; &quot; &quot; &quot; &quot;</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>You can omit these rules if your firewall to net policy is
ACCEPT (In other words, if you uncommented the appropriate line in the policy
file as described above).</p>
<p>If you have three interfaces with a DMZ, you probably need DNS access to the
net from your DMZ. To permit that, I've included:</p>
<!--mstheme--></font><pre> ACCEPT dmz net udp 53
ACCEPT dmz net tcp 53</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If you run servers on your firewall system that you want to make accessible
to internet clients, you need to include rules to permit that access (note that
the default policy for net-&gt;fw in the policy file above is DROP which causes all
inbound traffic to be ignored by default). For example, if you have a web server
running on your firewall system, you would include the following rule:</p>
<!--mstheme--></font><pre> ACCEPT net fw tcp 80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>With multiple local zones, you will probably want to open some ports between
these zones.</p>
<p>Example - You have server system 192.168.2.2 in your DMZ and you want to be
able to access its FTP server from your local systems:</p>
<!--mstheme--></font><pre> ACCEPT loc dmz:192.168.2.2 tcp ftp</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>For FTP to work properly, you will need kernel support for FTP connection
tracking and NAT but all commercial 2.4 kernel's have such support built in.</p>
<p>If you don't know which protocol and/or port that one of your applications
uses, try looking <a href="ports.htm">here</a>.</p>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Port Forwarding<!--mstheme--></font></h3>
<p>When you are using many-to-one network address translation
outbound (IP masquerade or SNAT) and you want to allow connections from the internet to an
internal server (either in your local zone or in your DMZ), then you need to use
<i>port forwarding </i>(also known as Destination Network Address Translation or
<b>DNAT</b>). Inbound connection requests are selective forwarded to internal systems
based on rules that you supply.</p>
<p>The general form of a simple port forwarding rule in
/etc/shorewall/rules is:</p>
<!--mstheme--></font><pre> DNAT net <i>&lt;server zone&gt;:&lt;server local ip address&gt; &lt;protocol&gt; &lt;port&gt;</i></pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Example - you run a Web Server on your local zone at 192.168.1.5 and you want
to forward incoming TCP port 80 to that system. You have a single external IP
address:</p>
<!--mstheme--></font><pre> DNAT net loc:192.168.1.5 tcp 80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Example - you want to forward TCP port 80 to 192.168.2.4 in your DMZ and you
want to allow access to that server from your local zone:</p>
<!--mstheme--></font><pre> DNAT net dmz:192.168.2.4 tcp 80
ACCEPT loc dmz:192.168.2.4 tcp 80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<blockquote>
<p>If you have a static IP address (assume 206.124.146.176)
and you want your local clients to be able to access your web server using that
external address, you can use these entries instead:</p>
</blockquote>
<!--mstheme--></font><pre> DNAT net dmz:192.168.2.4 tcp 80
DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Example - You have a static external IP address (206.124.146.176) and you
have DNS set up so that <a href="http://www.yourdomain.com">www.yourdomain.com</a>
resolves to that address. You want to run a web server in your local network (I
think that this is a BAD IDEA -- see <a href="FAQ.htm#faq2">FAQ 2</a>) on system
192.168.1.4 and you want internet users and your local users to be able to
access <a href="http://www.yourdomain.com">www.yourdomain.com</a>. Your
firewall's internal IP address is 192.168.1.254 and is on eth1.</p>
<!--mstheme--></font><pre> DNAT net loc:192.168.1.4 tcp 80
&nbsp; DNAT loc loc:192.168.2.4 tcp 80 - 206.124.146.176:192.168.1.254</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<blockquote>
<p>In addition, you must specify the<b> multi</b> option on eth1<b> </b>in
/etc/shorewall/interfaces:</p>
</blockquote>
<!--mstheme--></font><pre> loc eth1 detect routestopped,multi</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If you have requirements for port forwarding beyond what is shown here (like
forwarding to a different port number or redirecting to a proxy), see the
<a href="Documentation.htm#Rules">rules file documentation</a>.</p>
<p>At this point, please edit the /etc/shorewall/rules file and make any
additions required by your setup.</p><p>You are now ready to start shorewall. If
you encounter problems, see the <a href="troubleshoot.htm">troubleshooting
information.</a></p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Starting and Stopping Your Firewall<!--mstheme--></font></h2><p>The firewall is started using the
&quot;shorewall start&quot; command and stopped using &quot;shorewall stop&quot;. When the firewall
is stopped, routing is enabled on those interfaces that have the &quot;routestopped&quot;
option specified in /etc/shorewall/interfaces. If you want to totally remove any
trace of Shorewall from your Netfilter configuration, use &quot;shorewall clear&quot;.</p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<!--mstheme--></font></body>
</html>

77
STABLE/documentation/blacklisting_support.htm
View File

@ -1,77 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Blacklisting Support</title>
</head>
<body>
<h1 style="text-align: center;">Shorewall Blacklisting Support<br>
</h1>
<p>Shorewall supports two different forms of blacklisting; static and
dynamic.</p>
<h2>Static Blacklisting</h2>
<p>Shorewall static blacklisting support has the following
configuration
parameters:</p>
<ul>
<li>You specify whether you want packets from blacklisted hosts
dropped or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the <a
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
/etc/shorewall/shorewall.conf</li>
<li>You list the IP addresses/subnets that you wish to blacklist in <a
href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL
and
Port numbers/Service names in the blacklist file.<br>
</li>
<li>You specify the interfaces whose incoming packets you want
checked against the blacklist using the "<a
href="Documentation.htm#Interfaces">blacklist</a>" option in
/etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
</ul>
<h2>Dynamic Blacklisting</h2>
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic
blacklisting doesn't use any configuration parameters but is rather
controlled using /sbin/shorewall commands:</p>
<ul>
<li>drop <i>&lt;ip address list&gt; </i>- causes packets from the
listed IP addresses to be silently dropped by the firewall.</li>
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the
listed IP addresses to be rejected by the firewall.</li>
<li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of
packets from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
command.</li>
<li>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.</li>
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
</ul>
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
in /etc/shorewall/interfaces.<br>
<p>Example 1:</p>
<pre> <b><font color="#009900">shorewall drop 192.0.2.124 192.0.2.125</font></b></pre>
<p>&nbsp;&nbsp;&nbsp; Drops packets from hosts 192.0.2.124 and
192.0.2.125</p>
<p>Example 2:</p>
<pre> <b><font color="#009900">shorewall allow 192.0.2.125</font></b></pre>
<p>&nbsp;&nbsp;&nbsp; Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 7/27/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

335
STABLE/documentation/configuration_file_basics.htm
View File

@ -1,335 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Configuration File Basics</title>
</head>
<body>
<h1 style="text-align: center;">Configuration Files<br>
</h1>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
<h2><a name="Files"></a>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to
set several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that
you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of
individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use
many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading)
and Source Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel
modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT
rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use
by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in
packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC,
GRE and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at
the beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the
completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at
the beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute
at the completion of a "shorewall stop".</li>
<li>/etc/shorewall/ecn - disable Explicit Congestion Notification
(ECN - RFC 3168) to remote hosts or networks.</li>
<li>/etc/shorewall/accounting - define IP traffic accounting rules</li>
<li>/etc/shorewall/usersets and /etc/shorewall/users - define sets of
users/groups with
similar access rights<br>
</li>
</ul>
<h2>Comments</h2>
<p>You may place comments in configuration files by making the first
non-whitespace character a pound sign ("#"). You may also place
comments at the end of any line, again by delimiting the comment from
the
rest of the line with a pound sign.</p>
<p>Examples:</p>
<pre># This is a comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2><a name="Continuation"></a>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual
backslash ("\") followed immediately by a new line character.</p>
<p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE
Directive</h2>
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE
directives. An INCLUDE directive consists of the word INCLUDE followed
by a file name and causes the contents of the named file to be
logically included into the file containing the INCLUDE. File names
given in an INCLUDE directive are assumed to reside in /etc/shorewall
or in an alternate configuration directory if one has been specified
for the command.<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
directives are ignored with a warning message.<big><big><br>
<br>
</big></big> Examples:<big> </big> <br>
<blockquote> &nbsp;&nbsp; shorewall/params.mgmt:<br>
<blockquote> &nbsp;&nbsp; MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
&nbsp;&nbsp; TIME_SERVERS=4.4.4.4<br>
&nbsp;&nbsp; BACKUP_SERVERS=5.5.5.5<br>
</blockquote>
&nbsp;&nbsp; ----- end params.mgmt -----<br>
</blockquote>
<blockquote> &nbsp;&nbsp; shorewall/params:<br>
</blockquote>
<blockquote>
<blockquote> &nbsp;&nbsp; # Shorewall 1.3 /etc/shorewall/params<br>
&nbsp;&nbsp; [..]<br>
&nbsp;&nbsp; #######################################<br>
&nbsp;<br>
&nbsp;&nbsp; INCLUDE params.mgmt&nbsp;&nbsp;&nbsp; <br>
&nbsp; <br>
&nbsp;&nbsp; # params unique to this host here<br>
&nbsp;&nbsp; #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT
REMOVE<br>
</blockquote>
</blockquote>
<blockquote> &nbsp;&nbsp; ----- end params -----<br>
</blockquote>
<blockquote> &nbsp;&nbsp; shorewall/rules.mgmt:<br>
</blockquote>
<blockquote>
<blockquote> &nbsp;&nbsp; ACCEPT
net:$MGMT_SERVERS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
$FW&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
&nbsp;&nbsp; ACCEPT
$FW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net:$TIME_SERVERS&nbsp;&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp; 123<br>
&nbsp;&nbsp; ACCEPT
$FW&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net:$BACKUP_SERVERS&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
</blockquote>
</blockquote>
<blockquote> &nbsp;&nbsp; ----- end rules.mgmt -----<br>
</blockquote>
<blockquote> &nbsp;&nbsp; shorewall/rules:<br>
</blockquote>
<blockquote>
<blockquote> &nbsp;&nbsp; # Shorewall version 1.3 - Rules File<br>
&nbsp;&nbsp; [..]<br>
&nbsp;&nbsp; #######################################<br>
&nbsp;<br>
&nbsp;&nbsp; INCLUDE rules.mgmt&nbsp;&nbsp;&nbsp;&nbsp; <br>
&nbsp; <br>
&nbsp;&nbsp; # rules unique to this host here<br>
&nbsp;&nbsp; #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
REMOVE<br>
</blockquote>
</blockquote>
<blockquote> &nbsp;&nbsp; ----- end rules -----<br>
</blockquote>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names
and you are called out of bed at 2:00AM because Shorewall won't start
as a result of DNS problems then don't say that you were not
forewarned. <br>
</b></p>
<p align="left"><b>&nbsp;&nbsp;&nbsp; -Tom<br>
</b></p>
<p align="left">Beginning with Shorewall 1.3.9, Host addresses in
Shorewall configuration files may be specified as either IP addresses
or DNS Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful
as they first appear. When a DNS name appears in a rule, the iptables
utility resolves the name to one or more IP addresses and inserts those
addresses into the rule. So changes in the DNS-&gt;IP address
relationship that occur after the firewall has started have absolutely
no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't
start.</li>
<li>If your startup scripts try to start your firewall before
starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router is down
for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior
to starting your firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a
minumum of two periods (although one may be trailing). This restriction
is imposed by Shorewall to insure backward compatibility with existing
configuration files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li>
</ul>
Examples of invalid DNS names:<br>
<ul>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
</ul>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These restrictions are not imposed by Shorewall simply for your
inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must be
no white space following the "!".</p>
<h2><a name="Lists"></a>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routefilter,dhcp,norfc1918<br>
Invalid: routefilter,&nbsp;&nbsp;&nbsp;&nbsp;
dhcp,&nbsp;&nbsp;&nbsp;&nbsp; norfc1818</li>
<li>If you use line continuation to break a
comma-separated list, the continuation line(s) must begin
in column 1 (or there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li>
</ul>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, if
you want to forward the range of tcp ports 4000 through 4100 to local
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
If you omit the low port number, a value of zero is assumed; if you
omit the high port number, a value of 65535 is assumed.<br>
<h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p>
<p>Example:<br>
</p>
<p>&nbsp;&nbsp;&nbsp; /etc/shorewall/params<br>
</p>
<blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918<br></pre>
</blockquote>
<p>&nbsp;&nbsp;&nbsp; /etc/shorewall/interfaces record:</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
<p>&nbsp;&nbsp;&nbsp; The result will be the same as if the record had
been written</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration files.</p>
<h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature, your
kernel must have MAC Address Match support
(CONFIG_IP_NF_MATCH_MAC) included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as a series of 6 hex
numbers separated by colons. Example:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; [root@gateway root]# ifconfig eth0<br>
&nbsp;&nbsp;&nbsp;&nbsp; eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
&nbsp;&nbsp;&nbsp;&nbsp; inet addr:206.124.146.176
Bcast:206.124.146.255 Mask:255.255.255.0<br>
&nbsp;&nbsp;&nbsp;&nbsp; UP BROADCAST RUNNING MULTICAST MTU:1500
Metric:1<br>
&nbsp;&nbsp;&nbsp;&nbsp; RX packets:2398102 errors:0 dropped:0
overruns:0 frame:0<br>
&nbsp;&nbsp;&nbsp;&nbsp; TX packets:3044698 errors:0 dropped:0
overruns:0 carrier:0<br>
&nbsp;&nbsp;&nbsp;&nbsp; collisions:30394 txqueuelen:100<br>
&nbsp;&nbsp;&nbsp;&nbsp; RX bytes:419871805 (400.4 Mb) TX
bytes:1659782221 (1582.8 Mb)<br>
&nbsp;&nbsp;&nbsp;&nbsp; Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for address fields,
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde ("~") and consist of 6 hex
numbers separated by hyphens. In Shorewall, the MAC address in the
example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall
notation in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a>
file.<br>
</p>
<h2><a name="Levels"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than
/etc/shorewall. The <a href="starting_and_stopping_shorewall.htm">shorewall
check, start and restart</a> commands allow you to specify an alternate
configuration directory and Shorewall will use the files in the
alternate directory rather than the corresponding files in
/etc/shorewall. The alternate directory need not contain a complete
configuration; those files not in the alternate directory will be read
from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary
configuration by:</p>
<ol>
<li> copying the files that need modification from /etc/shorewall to
a separate directory;</li>
<li> modify those files in the separate directory; and</li>
<li> specifying the separate directory in a shorewall start or
shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> )</li>
</ol>
The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
allows you to attempt to restart using an alternate configuration and
if an
error occurs to automatically restart the standard configuration.<br>
<p><font size="2"> Updated 8/22/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</body>
</html>

30
STABLE/documentation/copyright.htm
View File

@ -1,30 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Copyright</title>
</head>
<body>
<h1 style="text-align: center;">Copyright<br>
</h1>
<p align="left">Copyright <font face="Trebuchet MS">©</font>&nbsp;
2000, 2001, 2003 Thomas M Eastep<br>
&nbsp;</p>
<blockquote>
<p align="left">Permission is granted to copy, distribute and/or
modify this document under the terms of the GNU Free Documentation
License, Version 1.1 or any later version published by the Free
Software Foundation; with no Invariant Sections, with no Front-Cover,
and with no Back-Cover Texts. A copy of the license is included in the
section entitled "<a href="GnuCopyright.htm">GNU Free Documentation
License</a>".<br>
&nbsp;</p>
</blockquote>
<br>
<br>
</body>
</html>

65
STABLE/documentation/dhcp.htm
View File

@ -1,65 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>DHCP</title>
</head>
<body>
<h1 style="text-align: center;">DHCP<br>
</h1>
<h2 align="left">If you want to Run a DHCP Server on your firewall</h2>
<ul>
<li>
<p align="left">Specify the "dhcp" option on each interface to be
served
by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. This will generate rules that will allow DHCP to and from your
firewall
system. </p>
</li>
<li>
<p align="left">When starting "dhcpd", you need to list those
interfaces on the run line. On a RedHat system, this is done by
modifying /etc/sysconfig/dhcpd. </p>
</li>
</ul>
<h2 align="left">If a Firewall Interface gets its IP Address via DHCP</h2>
<ul>
<li>
<p align="left">Specify the "dhcp" option for this interface in the
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.&nbsp;This will generate rules that will allow DHCP to and from
your firewall system. </p>
</li>
<li>
<p align="left">If you know that the dynamic address is always
going to
be in the same subnet, you can specify the subnet address in the
interface's entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. </p>
</li>
<li>
<p align="left">If you don't know the subnet address in advance,
you should specify "detect" for the interface's subnet address in the <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
and start Shorewall after the interface has started. </p>
</li>
<li>
<p align="left">In the event that the subnet address might change
while Shorewall is started, you need to arrange for a "shorewall
refresh" command to be executed when a new dynamic IP address gets
assigned to the interface. Check your DHCP client's documentation. </p>
</li>
</ul>
<p align="left"><font size="2">Last updated 11/03/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

187
STABLE/documentation/download.htm
View File

@ -1,187 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title>
</head>
<body>
<h1 style="text-align: center;">Shorewall Download<br>
</h1>
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>
</b></p>
<p>The entire set of Shorewall documentation is available in PDF format
at:</p>
<p>&nbsp;&nbsp;&nbsp; <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
&nbsp;&nbsp;&nbsp; <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
&nbsp;&nbsp;&nbsp; <a
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the
.tgz
packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> Linux
PPC</b>, <span style="font-weight: bold;">Trustix</span> or <b>
TurboLinux</b> distribution with a 2.4 kernel, you can
use the RPM version (note: the RPM should also work with other
distributions that store init scripts in /etc/init.d and that include
chkconfig or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that I can mention
them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also
want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
would like a .deb package, Shorewall is included in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
</ul>
<p>The documentation in HTML format is included in the .tgz and .rpm
files and there is an documentation .deb that also contains the
documentation.&nbsp;&nbsp;The .rpm will install the documentation in
your default document directory which can be obtained using the
following command:<br>
</p>
<blockquote>
<p><font color="#009900"><b>rpm --eval '%{_defaultdocdir}'</b></font></p>
</blockquote>
<p>Please check the <font color="#ff0000"> <a href="errata.htm">
errata</a></font> to see if there are updates that apply to the version
that you have downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME
CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have
completed configuration of your firewall, you can enable startup by
removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b></b></p>
<p><b>Download Sites:</b></p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>SourceForge<br>
</td>
<td>sf.net</td>
<td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse (Temporarily
Unavailable)</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td valign="top">Taiwan<br>
</td>
<td valign="top">Greshko.com<br>
</td>
<td valign="top"><a
href="http://shorewall.greshko.com/pub/shorewall/">Browse<br>
</a></td>
<td valign="top"><a
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
</td>
</tr>
<tr>
<td valign="top">Argentina<br>
</td>
<td valign="top">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td valign="top">Brazil<br>
</td>
<td valign="top">securityopensource.org.br<br>
</td>
<td valign="top"><a
href="http://shorewall.securityopensource.org.br/pub/shorewall/">Browse</a><br>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
target="_blank">Browse</a></td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"><b>CVS:</b></p>
<blockquote>
<p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS
repository at cvs.shorewall.net</a> contains the latest snapshots of
the each Shorewall component. There's no guarantee that what you find
there will work at all.<br>
</p>
</blockquote>
<p align="left"><b>Shapshots:<br>
</b></p>
<blockquote>
<p align="left">Periodic snapshots from CVS may be found at <a
href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots</a>
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
These snapshots have undergone initial testing and will have been
installed and run at shorewall.net.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 9/25/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
</body>
</html>

337
STABLE/documentation/errata.htm
View File

@ -1,337 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep">
</head>
<body>
<p align="center"> </p>
<h1 style="text-align: center;">Shorewall Errata<br>
</h1>
<p align="center"><b><u>IMPORTANT</u></b></p>
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it
to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar the
archive, replace the 'firewall' script in the untarred directory with
the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a
corrected firewall script in /usr/share/shorewall/firewall, you may
rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED
COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall script if you
are
running 1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li>
<li> <b><a href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a href="errata_1.htm">Problems in
Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a href="#iptables"> Problem with
iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b></li>
<li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and
REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
alt="(New)" width="28" height="12" border="0"> </a><br>
</b></li>
</ul>
<hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3>
<h3>1.4.7</h3>
<ul>
<li>Using some versions of 'ash' (such as from RH8) as the
SHOREWALL_SHELL causes "shorewall [re]start" to fail with:<br>
<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so: <br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.</li>
<li>When more than one ICMP type is listed in a rule and your kernel
includes multiport match support,&nbsp; the firewall fails to
start.&nbsp;</li>
<li>Regardless of the setting of LOGUNCLEAN, the value
LOGUNCLEAN=info was used.</li>
<li>After the following error message, Shorewall was left in an
inconsistent state:<br>
<br>
Error: Unable to determine the routes through interface xxx<br>
</li>
</ul>
These problems have been corrected in this <a
href="http://shorewall.net/pub/shorewall/errata/1.4.7/firewall">firewall
script</a> which may be installed in /var/share/shorewall/firewall as
described above.<br>
<h3>1.4.6</h3>
<ul>
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
would fail to start with the error "ERROR:&nbsp; Traffic Control
requires
Mangle"; that problem has been corrected in <a
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in
/var/share/shorewall/firewall as described above. This problem is also
corrected in bugfix release 1.4.6a.</li>
<li>This problem occurs in all versions supporting traffic control.
If a MAC address is used in the SOURCE column, an error occurs as
follows:<br>
<br>
&nbsp; &nbsp; &nbsp;<font size="3"><tt>iptables v1.2.8: Bad mac adress
`00:08:B5:35:52:E7-d`</tt></font><br>
<br>
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
in <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in
/var/share/shorewall/firewall as described above. For all other
versions, you will have to edit your 'firewall' script (in versions
1.4.*, it is located in /usr/share/shorewall/firewall). Locate the
function add_tcrule_() and in that function, replace this line:<br>
<br>
&nbsp; &nbsp; <span style="font-family: monospace;">r=`mac_match
$source`&nbsp;</span><br>
<br>
with<br>
<br>
&nbsp; &nbsp; &nbsp;<span style="font-family: monospace;">r="`mac_match
$source` "</span><br>
<br>
Note that there must be a space before the ending quote!<br>
</li>
</ul>
<h3>1.4.4b</h3>
<ul>
<li>Shorewall is ignoring records in /etc/shorewall/routestopped that
have an empty second column (HOSTS). This problem may be corrected by
installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall
as described above.</li>
<li>The INCLUDE directive doesn't work when placed in the
/etc/shorewall/zones file. This problem may be corrected by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
target="_top">this functions script</a> in
/usr/share/shorewall/functions.<br>
</li>
</ul>
<h3>1.4.4-1.4.4a</h3>
<ul>
<li>Log messages are being displayed on the system console even
though the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by
installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall
as described above.<br>
</li>
</ul>
<h3>1.4.4<br>
</h3>
<ul>
<li> If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a
logging rule is too long. Upgrade to Version 1.4.4a to fix this
problem..</li>
</ul>
<h3>1.4.3</h3>
<ul>
<li>The LOGMARKER variable introduced in version 1.4.3 was intended
to allow integration of Shorewall with Fireparse
(http://www.firewparse.com). Unfortunately, LOGMARKER only solved part
of the integration problem. I have implimented a new LOGFORMAT variable
which will replace LOGMARKER which has completely solved this problem
and is currently in production with fireparse here at shorewall.net.
The
updated files may be found at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.<br>
</li>
</ul>
<h3>1.4.2</h3>
<ul>
<li>When an 'add' or 'delete' command is executed, a temporary
directory created in /tmp is not being removed. This problem may be
corrected by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall
as described above. <br>
</li>
</ul>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP
port-unreachable response rather than the more appropriate TCP RST
response. This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed
in /etc/shorewall/common.def.<br>
</li>
</ul>
<h3>1.4.1</h3>
<ul>
<li>When a "shorewall check" command is executed, each "rule"
produces the harmless additional message:<br>
<br>
&nbsp; &nbsp; &nbsp;/usr/share/shorewall/firewall: line 2174: [: =:
unary operator
expected<br>
<br>
You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in
/usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<h3>1.4.0</h3>
<ul>
<li>When running under certain shells Shorewall will attempt to
create ECN rules even when /etc/shorewall/ecn is empty. You may either
just remove /etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem
with iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3
that prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have
also
built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are
currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you
upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.</font>I
have installed this RPM on my firewall and it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the&nbsp; TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and RedHat
iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel
2.4.18/19 may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing
<a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm
(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as a
consequence, if you install iptables 1.2.7 you must be running
Shorewall
1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6 you may install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall as described
above.</li>
</ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will result in
Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTERNAL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ALL INTERFACES&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOCAL<br>192.0.2.22&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; 192.168.9.22&nbsp;&nbsp; yes&nbsp;&nbsp;&nbsp;&nbsp; yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
2.4.19 kernel contains corrected support under a new kernel
configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<br>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9
and
REJECT (also applies to 2.4.21-RC1)</b></h3>
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
tcp-reset" is broken. The symptom most commonly seen is that REJECT
rules act just like DROP rules when dealing with TCP. A kernel patch
and
precompiled modules to fix this problem are available at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
<hr>
<p><font size="2"> Last updated 10/11/2003 - <a href="support.htm">Tom
Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</body>
</html>

196
STABLE/documentation/errata_1.htm
View File

@ -1,196 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Errata for Version 1</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata for Version
1.1</font></h1>
</td>
</tr>
</tbody>
</table>
<h3 align="left"><font color="#660066"><u>To those of you who downloaded
the 1.1.13 updated firewall script prior to Sept 20, 2001:</u></font></h3>
<blockquote>
<p align="left">Prior to 20:00 20 Sept 2001 GMT, the link under 1.1.13
pointed to a broken version of the firewall script. This has now been corrected.
I apologize for any confusion this may have caused.</p>
</blockquote>
<h3 align="left">Version 1.1.18</h3>
<blockquote>
<p align="left">In the original .lrp, /etc/init.d/shorewall was not
secured for execute access. I have replaced the incorrect .lrp
(shorwall-1.1.18.lrp) with a corrected one (shorwall-1.1.18a.lrp).</p>
</blockquote>
<h3 align="left"><font color="#660066"> Version 1.1.17</font></h3>
<blockquote>
<p align="left">In shorewall.conf, ADD_IP_ALIASES was incorrectly
spelled IP_ADD_ALIASAES. There is a corrected version of the
file <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.17/shorewall.conf">here.</a></p>
<p align="left">This problem is also corrected in version 1.1.18.</p>
</blockquote>
<h3 align="left"><font color="#660066"> Version 1.1.16</font></h3>
<blockquote>
<p align="left"> The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly
spelled IP_ADD_ALIASES in the firewall script. To correct this problem,
install the <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.16/firewall"> corrected
firewall script</a> in the location pointed to by the symbolic link
/etc/shorewall/firewall.</p>
<p align="left"> This problem is also corrected in version 1.1.17.</p>
</blockquote>
<h3 align="left"><font color="#660066"> Version 1.1.14-1.1.15</font></h3>
<blockquote>
<p align="left"> There are no corrections for these versions.</p>
</blockquote>
<h3 align="left"><font color="#660066"> Version 1.1.13</font></h3>
<blockquote>
<p align="left"> The firewall fails to start if a rule with the following
format is given:</p>
<p align="left"> &lt;disposition&gt;    z1:www.xxx.yyy.zzz    z2   
proto    p1,p2,p3</p>
<p align="left"> To correct this problem, install <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.13/firewall"> this
corrected firewall script</a> in the location pointed to by the symbolic
link /etc/shorewall/firewall. </p>
</blockquote>
<h3 align="left"><font color="#660066"> Version 1.1.12</font></h3>
<blockquote>
<p align="left"> The LRP version of Shorewall 1.1.12 has the incorrect
/etc/shorewall/functions file. This incorrect file results in many error
messages of the form:</p>
<blockquote>
<p align="left"> separate_list: not found</p>
</blockquote>
<p align="left"><a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.12/functions"> The
correct file may be obtained here</a> . This problem is also corrected
in version 1.1.13.</p>
</blockquote>
<h3 align="left"><font color="#660066"> Version 1.1.11</font></h3>
<blockquote>
<p align="left"> There are no known problems with this version.</p>
</blockquote>
<h3 align="left"><font color="#660066"> Version 1.1.10</font></h3>
<blockquote>
<p align="left"> If the following conditions were met:<br>
</p>
<ol>
<li>
<p align="left"> A LAN segment attached to the firewall was served
by a DHCP server running on the firewall.</p>
</li>
<li>
<p align="left"> There were entries in /etc/shorewall/hosts that referred
to the interface to that LAN segment.</p>
</li>
</ol>
<p align="left"> then up until now it has been necessary to include entries
for 0.0.0.0 and 255.255.255.255 for that interface in /etc/shorewall/hosts.
<a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.10/firewall">
This version of the firewall script</a> makes those additions unnecessary
provided that you simply include "dhcp" in the options for the interface
in /etc/shorewall/interfaces. Install the script into the location pointed
to by the symbolic link /etc/shorewall/firewall.</p>
<p align="left"> This problem has also been corrected in version 1.1.11.</p>
</blockquote>
<h3 align="left"><font color="#660066"> Version 1.1.9</font></h3>
<ul>
<li>The shorewall "hits" command lists extraneous service names in
the final report. <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.9/shorewall"> This
version of the shorewall script</a> corrects this problem.<br>
</li>
</ul>
<h3 align="left">Version 1.1.8</h3>
<ul>
<li>Under some circumstances, the "dhcp" option on an interface triggers
a bug in the firewall script that results in a "chain already exists"
error. <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.8/firewall"> This
version of the firewall script</a> corrects this problem. Install
it into the location pointed to by the symbolic link /etc/shorewall/firewall.<br>
<br>
This problem is also corrected in version 1.1.9.<br>
</li>
</ul>
<h3 align="left">Version 1.1.7</h3>
<ul>
<li>If the /etc/shorewall/rules template from version 1.1.7 is used,
a warning message appears during firewall startup:<br>
<br>
    Warning: Invalid Target - rule "@ icmp-unreachable packet."
ignored<br>
<br>
This warning may be eliminated by replacing the "@" in column 1 of
line 17 with "#"</li>
</ul>
<blockquote>
<p align="left"> This problem is also corrected in version 1.1.8</p>
</blockquote>
<p align="left"><font size="2"> Last updated 12/21/2001 - </font><font
size="2"> <a href="support.htm">Tom Eastep</a></font> </p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>
</body>
</html>

425
STABLE/documentation/errata_2.htm
View File

@ -1,425 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.2 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" height="90" bgcolor="#3366ff">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall 1.2 Errata</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"> <font face="Century Gothic, Arial, Helvetica">
<b><u>IMPORTANT</u></b></font></p>
<p align="center"> <b><u>If you use a Windows system to download a
corrected script, be sure to run the script through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
after you have moved it to your Linux system.</u></b></p>
<p align="center"> <u><b>When the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, use the 'cp' (or 'scp')
utility to overwrite the existing file. DO NOT REMOVE OR RENAME THE
OLD /etc/shorewall/firewall before you do that. /etc/shorewall/firewall
is a symbolic link that points to the 'shorewall' file used by your
system initialization scripts to start Shorewall during boot and it
is that file that must be overwritten with the corrected script. </b></u></p>
<ul>
<li>
<h3 align="left"><font color="#660066"> <a href="errata_1.htm"> Problems
in Version 1.1</a></font></h3>
</li>
<li>
<h3 align="left"><a href="#V1.2">Problems in Version 1.2</a></h3>
</li>
<li>
<h3 align="left"><font color="#660066"><a href="#iptables"> Problem
with iptables version 1.2.3</a></font></h3>
</li>
<li>
<h3 align="left"><a href="#Debug">Problems with kernel 2.4.18 and
RedHat iptables</a></h3>
</li>
</ul>
<hr>
<h3 align="left"><a name="V1.2"></a>Problems in Version 1.2</h3>
<h3 align="left">Version 1.2.13</h3>
<ul>
<li>
<p align="left">Some users have reported problems installing the RPM
on SuSE 7.3 where rpm reports a conflict with kernel &lt;= 2.2 even
though a 2.4 kernel RPM is installed. To get around this problem,
use the --nodeps option to rpm (e.g., "rpm -ivh --nodeps
shorewall-1.2-13.noarch.rpm").<br>
<br>
The problem stems from the fact that SuSE does not include
a package named "kernel" but rather has a number of packages that
provide the virtual package "kernel". Since virtual packages have
no version associated with them, a conflict results. Since the
workaround is simple, I don't intend to change the Shorewall package.</p>
</li>
<li>
<p align="left">Shorewall accepts invalid rules of the form:<br>
<br>
<font face="Courier">ACCEPT &lt;src&gt; &lt;dest&gt;:&lt;ip addr&gt;
all &lt;port number&gt; - &lt;original ip address&gt;<br>
<br>
</font>The &lt;port number&gt; is ignored with the result that
<u>all</u> connection requests from the &lt;src&gt; zone whose
original destination IP address matches the last column are forwarded
to the &lt;dest&gt; zone, IP address &lt;ip addr&gt;. 
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.13/firewall">
This corrected firewall script</a> correctly generates an error when
such a rule is encountered.</p>
</li>
</ul>
<h3 align="left">Version 1.2.11</h3>
<ul>
<li>
<p align="left">The 'try' command is broken. </p>
</li>
<li>
<p align="left">The usage text printed by the shorewall utility
doesn't show the optional timeout for the 'try' command. </p>
</li>
</ul>
<p align="left">Both problems are corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.11/shorewall">
this new version of /sbin/shorewall</a>.</p>
<h3 align="left">Sample Configurations:</h3>
<ul>
<li>
<p align="left">There have been several problems with SSH, DNS and
ping in the two- and three-interface examples. Before reporting
problems with these services, please verify that you have the latest
version of the appropriate sample 'rules' file. </p>
</li>
</ul>
<h3 align="left">All Versions through 1.2.10</h3>
<ul>
<li>
<p align="left">The <a href="PPTP.htm#ServerFW">documentation for
running PoPToP on the firewall system</a> contained an incorrect entry
in the /etc/shorewall/hosts file. The corrected entry (underlined)
is shown here: </p>
</li>
</ul>
<blockquote>
<blockquote>
<table border="2">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>HOST(S)</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>loc</td>
<td><u>eth2</u>:192.168.1.0/24</td>
<td>routestopped</td>
</tr>
<tr>
<td>loc</td>
<td>ppp+:192.168.1.0/24</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<h3 align="left">All Versions through 1.2.8</h3>
<ul>
<li>
<p align="left">The shorewall.conf file and the documentation
incorrectly refer to a parameter in /etc/shorewall/shorewall.conf
called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (<a
href="Documentation.htm#Conf">see the corrected online documentation</a>).
Users of the rpm should change the name (and possibly the value)
of this parameter so that Shorewall interacts properly with the
SysV init scripts. The documentation on this web site has been
corrected and <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.8/shorewall.conf">
here's a corrected version of shorewall.conf</a>.</p>
</li>
<li>
<p align="left">The documentation indicates that a comma-separated
list of IP/subnet addresses may appear in an entry in the hosts file.
This is not the case; if you want to specify multiple addresses
for a zone, you need to have a separate entry for each address.</p>
</li>
</ul>
<h3 align="left">Version 1.2.7</h3>
<p align="left">Version 1.2.7 is quite broken -- please install 1.2.8</p>
<p>If you have installed and started version 1.2.7 then before trying
to restart under 1.2.8:</p>
<ol>
<li>Look at your /etc/shorewall/shorewall.conf file and note the directory
named in the STATEDIR variable. If that variable is empty, assume /var/state/shorewall.</li>
<li>Remove the file 'lock' in the directory determined in step 1.</li>
</ol>
<p>You may now restart using 1.2.8.</p>
<h3 align="left">Version 1.2.6</h3>
<ul>
<li>
<p align="left">GRE and IPIP tunnels are broken. </p>
</li>
<li>
<p align="left">The following rule results in a start error:<br>
<br>
    ACCEPT    z1    z2    icmp </p>
</li>
</ul>
<p align="left">To correct the above problems, install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.6/firewall">this
corrected firewall script</a> in  /etc/shorewall/firewall..</p>
<h3 align="left">Version 1.2.5</h3>
<ul>
<li>
<p align="left">The new ADDRESS column in /etc/shorewall/masq cannot
contain a $-variable name. </p>
</li>
<li>
<p align="left">Errors result if $FW appears in the /etc/shorewall/policy
file. </p>
</li>
<li>
<p align="left">Using Blacklisting without setting BLACKLIST_LOGLEVEL
results in an error at start time. </p>
</li>
</ul>
<p align="left">To correct the above problems, install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/firewall">this
corrected firewall script</a> in /etc/shorewall/firewall.</p>
<p align="left"> </p>
<ul>
<li>
<p align="left">The /sbin/shorewall script produces error messages
saying that 'mygrep' cannot be found. <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/shorewall">
Here is the correct version of /sbin/shorewall.</a> </p>
</li>
</ul>
<h3 align="left">Version 1.2.4</h3>
<ul>
<li>
<p align="left">This version will not install "out of the box" without
modification. Before attempting to start the firewall, please change
the STATEDIR in /etc/shorewall/shorewall.conf to refer to /var/lib/shorewall.
This only applies to fresh installations -- if you are upgrading from
a previous version of Shorewall, version 1.2.4 will work without modification.
</p>
</li>
</ul>
<h3 align="left">Version 1.2.3</h3>
<ul>
<li>
<p align="left">When BLACKLIST_LOGLEVEL is set, packets from blacklisted
hosts aren't logged. Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.3/firewall">this
corrected firewall script</a> in /etc/shorewall/firewall. </p>
</li>
</ul>
<blockquote>
<p>Alternatively, edit /etc/shorewall/firewall and change line 1564 from:</p>
</blockquote>
<pre> run_iptables -A blacklst -d $addr -j LOG $LOGPARAMS --log-prefix \</pre>
<blockquote>
<p>to</p>
</blockquote>
<pre> run_iptables -A blacklst -s $addr -j LOG $LOGPARAMS --log-prefix \</pre>
<h3 align="left">Version 1.2.2</h3>
<ul>
<li>The "shorewall status" command hangs after it displays
the chain information. <a href="pub/shorewall/errata/1.2.2/shorewall">Here's
a corrected /sbin/shorewall.</a> if  you want to simply modify
your copy of /sbin/shorewall, then at line 445 change this:</li>
</ul>
<div align="left">
<pre align="Left"> status)<br> clear</pre>
</div>
<blockquote>
<p align="left">to this:</p>
</blockquote>
<div align="left">
<pre align="Left"> status)<br> get_config<br> clear</pre>
</div>
<ul>
<li>The "shorewall monitor" command doesn't show the icmpdef chain
- <a href="pub/shorewall/errata/1.2.2/shorewall">this corrected /sbin/shorewall</a>
fixes that problem as well as the status problem described above.</li>
</ul>
<ul>
<li>In all 1.2.x versions, the 'CLIENT PORT(S)' column in /etc/shorewall/tcrules
is ignored. This is corrected in <a
href="/pub/shorewall/errata/1.2.2/firewall">this updated firewall script</a>. 
Place the script in /etc/shorewall/firewall. Thanks to Shingo Takeda for
spotting this bug.</li>
</ul>
<h3 align="left">Version 1.2.1</h3>
<ul>
<li>The new <i>logunclean </i>interface option is not described
in the help text in /etc/shorewall/interfaces. An <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.1/interfaces">updated
interfaces file</a> is available.</li>
<li>When REJECT is specified in a TCP rule, Shorewall correctly
replies with a TCP RST packet. Previous versions of the firewall
script are broken in the case of a REJECT policy, however; in REJECT
policy chains, all requests are currently replied to with an ICMP
port-unreachable packet. <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.1/firewall">This
corrected firewall script</a> replies to TCP requests with TCP
RST in REJECT policy chains. Place the script in /etc/shorewall/firewall.</li>
</ul>
<h3 align="left">Version 1.2.0</h3>
<blockquote>
<p align="left"><b>Note: </b>If you are upgrading from one of the Beta
RPMs to 1.2.0, you must use the "--oldpackage" option to rpm
(e.g., rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm).</p>
<p align="left">The tunnel script released in version 1.2.0 contained
errors -- a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.0/tunnel">corrected
script</a> is available.</p>
</blockquote>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat released
this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have also built
an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
<p align="left"><font face="Century Gothic, Arial, Helvetica"
color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat has released
an iptables-1.2.4 RPM of their own which you can download from<font
face="Century Gothic, Arial, Helvetica" color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernel 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18
may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing
<a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<p><font face="Century Gothic, Arial, Helvetica"><font size="2"> Last updated
5/24/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>

656
STABLE/documentation/errata_3.html
View File

@ -1,656 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>If you are running a Shorewall version earlier
than 1.3.11, when the instructions say to install a corrected firewall
script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
/etc/shorewall/firewall or /var/lib/shorewall/firewall before
you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall
are symbolic links that point to the 'shorewall' file used by your
system initialization scripts to start Shorewall during boot.
It is that file that must be overwritten with the corrected
script. Beginning with Shorewall 1.3.11, you may rename the existing file
before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a
href="#V1.3">Problems in Version 1.3</a></b></li>
<li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables
version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
and NAT</a></b><br>
</li>
</ul>
<hr>
<h2 align="left"><small></small><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.14</h3>
<ul>
<li>There is an <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated
rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and
223.0.0.0/8.</li>
</ul>
<ul>
<li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a
single host or network address.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were not
rate-limited.</li>
<li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt; don't
support the 'maclist' interface option.</li>
<li>Log messages generated by RFC 1918 filtering are not rate limited.</li>
<li>The firewall fails to start in the case where you have "eth0 eth1"
in /etc/shorewall/masq and the default route is through eth1.<br>
</li>
</ul>
These problems have been corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br>
<h3>Version 1.3.13</h3>
<ul>
<li>The 'shorewall add' command produces an error message referring
to 'find_interfaces_by_maclist'.</li>
<li>The 'shorewall delete' command can leave behind undeleted rules.</li>
<li>The 'shorewall add' command can fail with "iptables: Index of
insertion too big".<br>
</li>
</ul>
All three problems are corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br>
<ul>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
eth0.1) are not supported in this version or in 1.3.12. If you need such
support, post on the users list and I can provide you with a patched version.<br>
</li>
</ul>
<h3>Version 1.3.12</h3>
<ul>
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect
is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.</li>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
eth0.1) are not supported in this version or in 1.3.13. If you need such
support, post on the users list and I can provide you with a patched version.<br>
</li>
</ul>
<h3>Version 1.3.12 LRP</h3>
<ul>
<li>The .lrp was missing the /etc/shorewall/routestopped file
-- a new lrp (shorwall-1.3.12a.lrp) has been released which corrects this
problem.<br>
</li>
</ul>
<h3>Version 1.3.11a</h3>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of
82.0.0.0/8.<br>
</li>
</ul>
<h3>Version 1.3.11</h3>
<ul>
<li>When installing/upgrading using the .rpm, you may receive
the following warnings:<br>
<br>
     user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>
<br>
These warnings are harmless and may be ignored. Users downloading
the .rpm from shorewall.net or mirrors should no longer see these warnings
as the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column
contains ! followed by a sub-zone list) result in an error message and
Shorewall fails to start.<br>
<br>
Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
corrected script</a> in /usr/lib/shorewall/firewall to correct this
problem. Thanks go to Roger Aich who analyzed this problem and provided
a fix.<br>
<br>
This problem is corrected in version 1.3.11a.<br>
</li>
</ul>
<h3>Version 1.3.10</h3>
<ul>
<li>If you experience problems connecting to a PPTP server
running on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases
where installing this script in /usr/lib/shorewall/firewall solved your
connection problems. Beginning with version 1.3.10, it is safe to save
the old version of /usr/lib/shorewall/firewall before copying in the
new one since /usr/lib/shorewall/firewall is the real script now and
not just a symbolic link to the real script.<br>
</li>
</ul>
<h3>Version 1.3.9a</h3>
<ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
then the following message appears during "shorewall [re]start":</li>
</ul>
<pre> recalculate_interfacess: command not found<br></pre>
<blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall
as described above.<br>
</blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br>
</blockquote>
<ul>
<li>The installer (install.sh) issues a misleading message
"Common functions installed in /var/lib/shorewall/functions" whereas
the file is installed in /usr/lib/shorewall/functions. The installer
also performs incorrectly when updating old configurations that had the
file /etc/shorewall/functions. <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br>
</a></li>
</ul>
<h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated
firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br>
Version 1.3.8
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS
columns of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP
addresses but with different port numbers doesn't work (e.g., "DNAT
loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
</li>
</ul>
Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these
problems.
<h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW) result in an error
message. Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this
problem.</p>
<h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper rule for FORWARDPING=Yes.
Consequently, after "shorewall refresh", the firewall will not
forward icmp echo-request (ping) packets. Installing
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this
problem.</p>
<h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as options on a
given interface then RFC 1918 checking is occurring before DHCP
checking. This means that if a DHCP client broadcasts using
an RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This
has two problems:</p>
<ol>
<li>If the firewall
is running a DHCP server, the client
won't be able to obtain an IP address lease from
that server.</li>
<li>With this order
of checking, the "dhcp" option
cannot be used as a noise-reduction measure where there are both
dynamic and static clients on a LAN segment.</li>
</ol>
<p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed
in /var/lib/shorewall as described
above.</p>
<h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use version 1.3.7a and check
your version against these md5sums -- if there's a difference, please
download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
and compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
.7 version in each sequence from now on.</p>
<h3 align="left">Version 1.3.6</h3>
<ul>
<li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to
add an SNAT alias. </p>
</li>
<li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables
1.2.7. </p>
</li>
</ul>
<p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in /var/lib/shorewall/
as described above. These problems are also corrected in version 1.3.7.</p>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="left">A line was inadvertently deleted from the "interfaces
file" -- this line should be added back in if the version that you
downloaded is missing it:</p>
<p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
<p align="left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p>
<h3 align="left">Version 1.3.5-1.3.5b</h3>
<p align="left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p>
<h3 align="left">Versions 1.3.4-1.3.5a</h3>
<p align="left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p>
<div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div>
<div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only
possible to  include a single host specification on each line.
This problem is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in
/var/lib/pub/shorewall/firewall as instructed above.</p>
</div>
<div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</p>
</div>
<h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version
1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy file
have been previously defined in the /etc/shorewall/zones file.
The "shorewall check" command does perform this verification so
it's a good idea to run that command after you have made configuration
changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after "Activating
rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include
in /etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3
and later versions produce a clearer error message in this
case.</p>
<h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the download
sites contained an incorrect version of the .lrp file. That file
can be identified by its size (56284 bytes). The correct version
has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface
entry in /etc/shorewall/interfaces contained a typo that
prevented it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken;
it behaved just like "NAT_BEFORE_RULES=Yes".</li>
</ul>
<p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p>
<ul>
<li>
<p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p>
</li>
</ul>
<h3 align="left">Version 1.3.1</h3>
<ul>
<li>TCP SYN packets may be double counted
when LIMIT:BURST is included in a CONTINUE or ACCEPT policy
(i.e., each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy
chain is sometimes generated for a CONTINUE policy.</li>
<li>When an option is given for more
than one interface in /etc/shorewall/interfaces then
depending on the option, Shorewall may ignore all but
the first appearence of the option. For example:<br>
<br>
net    eth0    dhcp<br>
loc    eth1    dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described
in the prior bullet affects the following options:
dhcp, dropunclean, logunclean, norfc1918, routefilter,
multi, filterping and noping. An additional bug has been
found that affects only the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script
prior to 1850 GMT today should download and install
the corrected script again to ensure that this second
problem is corrected.</li>
</ul>
<p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p>
<h3 align="left">Version 1.3.0</h3>
<ul>
<li>Folks who downloaded 1.3.0 from the
links on the download page before 23:40 GMT, 29 May
2002 may have downloaded 1.2.13 rather than 1.3.0.
The "shorewall version" command will tell you which version
that you have installed.</li>
<li>The documentation NAT.htm file uses
non-existent wallpaper and bullet graphic files. The
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li>
</ul>
<hr>
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> iptables-1.2.4
rpm which you can download here</a>. If you are currently running
RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works
fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by
installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as
a consequence, if you install iptables 1.2.7 you must
be running Shorewall 1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running
Shorewall 1.3.6 you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
</ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will
result in Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/8/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

61
STABLE/documentation/fallback.htm
View File

@ -1,61 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Fallback and Uninstall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<div style="text-align: left;">
<h1 style="text-align: center;">Fallback and Uninstall<br>
</h1>
<h1><strong></strong></h1>
<h1><strong></strong></h1>
</div>
<p><strong>Shorewall includes a </strong><a href="#fallback"><strong>fallback
script</strong></a><strong> and an </strong><a href="#uninstall"><strong>uninstall
script</strong></a><strong>.</strong></p>
<h2><a name="fallback"></a>Falling Back to the Previous Version of
Shorewall using the Fallback Script</h2>
<p>If you install Shorewall and discover that it doesn't work for you,
you
can fall back to your previously installed version. To do that:</p>
<ul>
<li>cd to the distribution directory for the version of Seattle
Firewall <u>that you are currently running </u>(NOT the version that
you want to fall back to).</li>
<li>Type "./fallback.sh"</li>
</ul>
<h3><strong><u>Warning:</u> The fallback script will replace
/etc/shorewall/policy,
/etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat,
/etc/shorewall/proxyarp
and /etc/shorewall/masq with the version of these files from before the
current
version was installed. Any changes to any of these files will be lost.</strong></h3>
<h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall
using rpm</h2>
<p>If your previous version of Shorewall was installed using RPM, you
may
fall back to that version by typing "rpm -Uvh --force &lt;old rpm&gt;"
at
a root shell prompt (Example: "rpm -Uvh --force
/downloads/shorewall-3.1=0noarch.rpm"
would fall back to the 3.1-0 version of Shorewall).</p>
<h2><a name="uninstall"></a>Uninstalling Shorewall</h2>
<p>If you no longer wish to use Shorewall, you may remove it by:</p>
<ul>
<li>cd to the distribution directory for the version of Shorewall
that you have installed.</li>
<li>type "./uninstall.sh"</li>
</ul>
<p>If you installed using an rpm, at a root shell prompt type "rpm -e
shorewall".</p>
<p><font size="2">Last updated 3/26/2001 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
</body>
</html>

57
STABLE/documentation/gnu_mailman.htm
View File

@ -1,57 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>GNU Mailman</title>
</head>
<body>
<h1 align="center">GNU Mailman/Postfix the Easy Way&nbsp;</h1>
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by
Michael Tokarev as a suggested addition to the Postfix FAQ.</h4>
<p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>
<br>
A: Mailman uses a setgid wrapper that is designed to be used in
system-wide aliases file so that rest of mailman's mail handling
processes will run with proper uid/gid. Postfix has an ability to run a
command specified in an alias as owner of that alias, thus mailman's
wrapper is not needed here. The best method to invoke mailman's mail
handling via aliases is to use separate alias file especially for
mailman, and made it owned by mailman and group mailman. Like:<br>
<br>
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
<br>
Make sure that /var/mailman/aliases.db is owned by mailman user (this
may be done by executing postalias as mailman userid).<br>
<br>
Next, instead of using mailman-suggested aliases entries with wrapper,
use the following:<br>
<br>
instead of<br>
mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
...<br>
<br>
use<br>
mailinglist: /var/mailman/scripts/post mailinglist<br>
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
...</p>
<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted
something very similar so that no workaround is necessary. See the
README.POSTFIX file included with Mailman-2.1.&nbsp;</h4>
<p align="left"><font size="2">Last updated 12/29/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M.
Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
</body>
</html>

BIN
STABLE/documentation/images/BD21298_.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 101 B

BIN
STABLE/documentation/images/BD21298_1.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 101 B

BIN
STABLE/documentation/images/BD21298_2.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 101 B

BIN
STABLE/documentation/images/BD21298_3.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 101 B

BIN
STABLE/documentation/images/CorpNetwork.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 48 KiB

BIN
STABLE/documentation/images/Hiking.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 187 KiB

BIN
STABLE/documentation/images/Hiking1.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 36 KiB

BIN
STABLE/documentation/images/Legend.png
View File

Binary file not shown.

BIN
STABLE/documentation/images/Logo1.png
View File

Binary file not shown.

BIN
STABLE/documentation/images/Logo3.png
View File

Binary file not shown.

Some files were not shown because too many files have changed in this diff Show More