Remove documentation
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1079 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
@ -1,113 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>6to4 Tunnels</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">6to4 Tunnels<br>
|
||||
</h1>
|
||||
<h3>The 6to4 tunnel documentation is provided by Eric de Thouars.<br>
|
||||
</h3>
|
||||
<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of
|
||||
Shorewall only facilitates IPv6 over IPv4 tunneling. It does not
|
||||
provide any IPv6
|
||||
security measures.</h3>
|
||||
<p>6to4 tunneling with Shorewall can be used to connect your IPv6
|
||||
network to another IPv6 network over an IPv4 infrastructure</p>
|
||||
<p>More information on Linux and IPv6 can be found in the <a
|
||||
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</a>.
|
||||
Details on how to setup a 6to4 tunnels are described in the section <a
|
||||
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
|
||||
of 6to4 tunnels</a>.</p>
|
||||
<h2>Connecting two IPv6 Networks</h2>
|
||||
<p>Suppose that we have the following situation:</p>
|
||||
<p align="center"> <img border="0" src="images/TwoIPv6Nets1.png"
|
||||
width="745" height="427" alt=""> </p>
|
||||
<p align="left">We want systems in the 2002:100:333::/64 subnetwork to
|
||||
be able to communicate with the systems in the 2002:488:999::/64
|
||||
network. This is accomplished through use of the /etc/shorewall/tunnels
|
||||
file and the "ip" utility for network interface and routing
|
||||
configuration.</p>
|
||||
<p align="left">Unlike GRE and IPIP tunneling, the
|
||||
/etc/shorewall/policy, /etc/shorewall/interfaces and
|
||||
/etc/shorewall/zones files are not used. There is no need to declare a
|
||||
zone to represent the remote IPv6 network. This
|
||||
remote network is not visible on IPv4 interfaces and to iptables. All
|
||||
that
|
||||
is visible on the IPv4 level is an IPv4 stream which contains IPv6
|
||||
traffic. Separate IPv6 interfaces and ip6tables rules need to be
|
||||
defined to handle
|
||||
this traffic. </p>
|
||||
<p align="left">In /etc/shorewall/tunnels on system A, we need the
|
||||
following:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>6to4</td>
|
||||
<td>net</td>
|
||||
<td>134.28.54.2</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the
|
||||
IPv6 encapsulation protocol (41) will be accepted to/from the remote
|
||||
gateway.</p>
|
||||
<p>Use the following commands to setup system A:</p>
|
||||
<blockquote>
|
||||
<p>>ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2<br>
|
||||
>ip link set dev tun6to4 up<br>
|
||||
>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4<br>
|
||||
>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</p>
|
||||
</blockquote>
|
||||
<p>Similarly, in /etc/shorewall/tunnels on system B we have:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>6to4</td>
|
||||
<td>net</td>
|
||||
<td>206.191.148.9</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>And use the following commands to setup system B:</p>
|
||||
<blockquote>
|
||||
<p>>ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9<br>
|
||||
>ip link set dev tun6to4 up<br>
|
||||
>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4<br>
|
||||
>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</p>
|
||||
</blockquote>
|
||||
<p>On both systems, restart Shorewall and issue the configuration
|
||||
commands as listed above. The systems in both IPv6 subnetworks can now
|
||||
talk to each other using IPv6.</p>
|
||||
<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003Thomas M. Eastep and Eric de Thouars.</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
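Review bot: the commit message ("Remove documentation") does not say where the 6to4 page's content went, and the Warning heading and the "Unlike GRE and IPIP tunneling" paragraph removed in this hunk are the only visible statements that a `6to4` entry in /etc/shorewall/tunnels merely opens IPv6 encapsulation (protocol 41) to and from the remote gateway and provides no IPv6 security, so that separate IPv6 interfaces and ip6tables rules still have to be defined. If the page was migrated, name the destination in the commit message or leave a redirect stub (of the kind this same commit deletes for Documentation_Index.htm) so the ip6tables caveat does not silently disappear from the published docs.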
@ -1,114 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Accounting</title>
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">Shorewall and Traffic Accounting<br>
|
||||
</h1>
|
||||
Shorewall Traffic Accounting support was added in Shorewall release
|
||||
1.4.7.<br>
|
||||
<br>
|
||||
Shorewall accounting rules are described in the file
|
||||
/etc/shorewall/accounting. By default, the accounting rules are placed
|
||||
in a chain called "accounting" and can thus be displayed using
|
||||
"shorewall show accounting". All traffic passing into, out of or
|
||||
through the firewall traverses the accounting chain including traffic
|
||||
that will later be rejected by <a href="Documentation.htm#Interfaces">interface
|
||||
options</a> such as "tcpflags" and "maclist". If your kernel doesn't
|
||||
support the connection tracking match extension (Kernel 2.4.21) then
|
||||
some traffic rejected under 'norfc1918' will not traverse the
|
||||
accounting chain.<br>
|
||||
<br>
|
||||
The columns in the accounting file are as follows:<br>
|
||||
<ul>
|
||||
<li><span style="font-weight: bold;">ACTION</span> - What to do when
|
||||
a
|
||||
match is found. Possible values are:</li>
|
||||
<ul>
|
||||
<li>COUNT- Simply count the match and continue trying to
|
||||
match the
|
||||
packet with the following accounting rules</li>
|
||||
<li>DONE- Count the match and don't attempt to match any following
|
||||
accounting rules.</li>
|
||||
<li><<span style="font-style: italic;">chain</span>> - The
|
||||
name of a chain to jump to. Shorewall will create the chain
|
||||
automatically. If the name of the chain is followed by ":COUNT" then a
|
||||
COUNT rule matching this rule will automatically be added to <<span
|
||||
style="font-style: italic;">chain</span>>. Chain names must start
|
||||
with a letter, must be composed of letters and digits, and may contain
|
||||
underscores ("_") and periods ("."). Beginning with Shorewall version
|
||||
1.4.8, chain names man also contain embedded dashes ("-") and are not
|
||||
required to start with a letter.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<li><span style="font-weight: bold;">CHAIN </span>- The name of the
|
||||
chain where the accounting rule is to be added. If empty or "-" then
|
||||
the
|
||||
"accounting" chain is assumed.<br>
|
||||
</li>
|
||||
<li><span style="font-weight: bold;">SOURCE</span> - Packet Source.
|
||||
The name of an interface, an address (host or net) or an interface name
|
||||
followed by ":" and a host or net address.</li>
|
||||
<li><span style="font-weight: bold;">DESTINATION</span> - Packet
|
||||
Destination Format the same as the SOURCE column.</li>
|
||||
<li><span style="font-weight: bold;">PROTOCOL</span> - A protocol
|
||||
name
|
||||
(from /etc/protocols) or a protocol number.</li>
|
||||
<li><span style="font-weight: bold;">DEST PORT</span> - Destination
|
||||
Port number. Service name from /etc/services or port number. May only
|
||||
be
|
||||
specified if the protocol is TCP or UDP (6 or 17).</li>
|
||||
<li><span style="font-weight: bold;">SOURCE PORT</span>- Source Port
|
||||
number. Service name from /etc/services or port number. May only be
|
||||
specified if the protocol is TCP or UDP (6 or 17).<br>
|
||||
</li>
|
||||
</ul>
|
||||
In all columns except ACTION and CHAIN, the values "-","any" and "all"
|
||||
are treated as wild-cards.<br>
|
||||
<br>
|
||||
The accounting rules are evaluated in the Netfilter 'filter' table.
|
||||
This is the same environment where the 'rules' file rules are evaluated
|
||||
and in this environment, DNAT has already occurred in inbound packets
|
||||
and SNAT has not yet occurred on outbound ones.<br>
|
||||
<br>
|
||||
Accounting rules are not stateful -- each rule only handles traffic in
|
||||
one direction. For example, if eth0 is your internet interface and you
|
||||
have a web server in your DMZ connected to eth1 then to count HTTP
|
||||
traffic in both directions requires two rules: <br>
|
||||
<pre> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br> # PORT PORT<br> DONE - eth0 eth1 tcp 80<br> DONE - eth1 eth0 tcp - 80</pre>
|
||||
Associating a counter with a chain allows for nice reporting. For
|
||||
example:<br>
|
||||
<pre> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br> # PORT PORT<br> web:COUNT - eth0 eth1 tcp 80<br> web:COUNT - eth1 eth0 tcp - 80<br> web:COUNT - eth0 eth1 tcp 443<br> web:COUNT - eth1 eth0 tcp - 443<br> DONE web<br></pre>
|
||||
Now "shorewall show web" will give you a breakdown of your web traffic:<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<pre>[root@gateway shorewall]# shorewall show web<br>Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003<br> <br>Counters reset Wed Aug 20 09:48:00 PDT 2003<br> <br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 11 1335 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 18 1962 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br> 0 0 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br> 29 3297 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0<br>[root@gateway shorewall]#</pre>
|
||||
</div>
|
||||
Here's a slightly different example:<br>
|
||||
<pre> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br> # PORT PORT<br> web - eth0 eth1 tcp 80<br> web - eth1 eth0 tcp - 80<br> web - eth0 eth1 tcp 443<br> web - eth1 eth0 tcp - 443<br><br> COUNT web eth0 eth1<br> COUNT web eth1 eth0<br></pre>
|
||||
Now "shorewall show web" simply gives you a breakdown by input and
|
||||
output:<br>
|
||||
<br>
|
||||
<pre style="margin-left: 40px;">[root@gateway shorewall]# shorewall show accounting web <br>Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003<br> <br>Counters reset Wed Aug 20 10:24:33 PDT 2003<br> <br>Chain accounting (3 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br>11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0<br>11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0<br>[root@gateway shorewall]#<br></pre>
|
||||
Here's how the same example would be constructed on a server with only
|
||||
one interface (eth0):<br>
|
||||
<pre style="margin-left: 40px;">#ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br># PORT PORT<br>web - eth0 - tcp 80<br>web - - eth0 tcp - 80<br>web - eth0 - tcp 443<br>web - - eth0 tcp - 443<br><br>COUNT web eth0 -<br>COUNT web - eth0<br></pre>
|
||||
Note that with only one interface, only the SOURCE (for input rules) or
|
||||
the DESTINATION (for output rules) is specified in each rule.<br>
|
||||
<br>
|
||||
Here's the output:<br>
|
||||
<pre style="margin-left: 40px;">[root@mail shorewall]# shorewall show accounting web <br>Shorewall-1.4.7 Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003<br> <br>Counters reset Sat Oct 11 08:12:57 PDT 2003<br> <br>Chain accounting (3 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 0 0 web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br>11506 13M web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br>11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0<br>[root@mail shorewall]#<br></pre>
|
||||
<p align="left"><font size="2">Last updated 10/30/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
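Review bot: the paragraphs after the column list in this hunk carry three operational caveats that should be confirmed present in whatever replaces Accounting.htm before this merges: that accounting rules are evaluated in the Netfilter 'filter' table, where DNAT has already been applied to inbound packets and SNAT has not yet been applied to outbound ones (so rules must match post-DNAT addresses); that accounting rules are not stateful and need one rule per direction, as the two `DONE - eth0 eth1 tcp 80` / `DONE - eth1 eth0 tcp - 80` lines show; and that on kernels without the connection tracking match extension some traffic rejected under 'norfc1918' never reaches the accounting chain. The commit message should say where the 1.4.7/1.4.8 accounting documentation now lives.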
@ -1,226 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
|
||||
<title>Corporate Shorewall Configuration</title>
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<meta content="Microsoft FrontPage 5.0" name="GENERATOR">
|
||||
<meta content="FrontPage.Editor.Document" name="ProgId">
|
||||
<meta content="none" name="Microsoft Theme">
|
||||
<meta content="Graeme Boyle" name="author">
|
||||
</head>
|
||||
<body>
|
||||
<script><!--
|
||||
function PrivoxyWindowOpen(){return(null);}
|
||||
//--></script>
|
||||
<blockquote></blockquote>
|
||||
<h1 style="text-align: center;">Corporate Network</h1>
|
||||
<p><font color="#ff0000" size="4"><b>Notes</b></font><big><font
|
||||
color="#ff0000"><b>:</b></font></big></p>
|
||||
<blockquote>
|
||||
<ul>
|
||||
<li><b>This configuration is used on a corporate network that has a
|
||||
Linux (RedHat 8.0) server with three interfaces, running Shorewall
|
||||
1.4.5 release,</b> </li>
|
||||
<li><b>Make sure you know what public IP addresses are currently
|
||||
being used and verify these </b><i>before</i><b> starting.</b> </li>
|
||||
<li><b>Verify your DNS settings </b><i>before</i><b> starting any
|
||||
Shorewall configuration especially if you have split DNS.</b> </li>
|
||||
<li><b>System names and Internet IP addresses have been changed to
|
||||
protect the innocent.</b> </li>
|
||||
</ul>
|
||||
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This
|
||||
configuration
|
||||
uses a combination of Static NAT and Proxy ARP. This is generally not
|
||||
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
|
||||
If you have just a single public IP address, most of what you see here
|
||||
won't apply to your setup so beware of copying parts of this
|
||||
configuration
|
||||
and expecting them to work for you. What you copy may or may not work
|
||||
in your configuration.<br>
|
||||
</small></b></big><br>
|
||||
</p>
|
||||
<p>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
|
||||
internet is connected to eth0. The local network is connected via eth1
|
||||
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I
|
||||
have an IPSec tunnel connecting our offices in Germany to our offices
|
||||
in the US. I host two Microsoft Exchange servers for two different
|
||||
companies behind
|
||||
the firewall hence, the two Exchange servers in the diagram below.</p>
|
||||
<p>Summary:<br>
|
||||
</p>
|
||||
<ul>
|
||||
<li>SNAT for all systems connected to the LAN - Internal addresses
|
||||
10.10.x.x to external address 192.0.18.127. </li>
|
||||
<li>Static NAT for <i>Polaris</i> (Exchange Server #2). Internal
|
||||
address 10.10.1.8 and external address 192.0.18.70. </li>
|
||||
<li>Static NAT for <i>Sims</i> (Inventory Management server).
|
||||
Internal address 10.10.1.56 and external address 192.0.18.75.<br>
|
||||
</li>
|
||||
<li>Static NAT for <i>Project</i> (Project Web Server). Internal
|
||||
address 10.10.1.55 and external address 192.0.18.84. </li>
|
||||
<li>Static NAT for <i>Fortress</i> (Exchange Server). Internal
|
||||
address 10.10.1.252 and external address 192.0.18.93. </li>
|
||||
<li>Static NAT for <i>BBSRV</i> (Blackberry Server). Internal
|
||||
address 10.10.1.230 and external address 192.0.18.97. </li>
|
||||
<li>Static NAT for <i>Intweb</i> (Intranet Web Server). Internal
|
||||
address 10.10.1.60 and external address 192.0.18.115. </li>
|
||||
</ul>
|
||||
<p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard
|
||||
with RH8.0.</p>
|
||||
<p>The Firewall is also a proxy server running Privoxy 3.0.</p>
|
||||
<p>The single system in the DMZ (address 192.0.18.80) runs sendmail,
|
||||
imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd
|
||||
1.1.0). That server is managed through Proxy ARP.</p>
|
||||
<p>All administration and publishing is done using ssh/scp. I have X
|
||||
installed on the firewall and the system in the DMZ. X applications
|
||||
tunnel through SSH to Hummingbird Exceed running on a PC located in the
|
||||
LAN. Access to the firewall using SSH is restricted to systems in the
|
||||
LAN, DMZ or the system Kaos which is on the Internet and managed by me.</p>
|
||||
<p align="center"><img height="1000" alt="(Corporate Network Diagram)"
|
||||
src="images/CorpNetwork.gif" width="770" border="0"> </p>
|
||||
<p></p>
|
||||
<p>The Ethernet 0 interface in the Server is configured with IP
|
||||
address 192.0.18.68, netmask 255.255.255.192. The server's default
|
||||
gateway is 192.0.18.65, the Router connected to my network and the ISP.
|
||||
This is the same default gateway used by the firewall itself. On the
|
||||
firewall, Shorewall automatically adds a host route to 192.0.18.80
|
||||
through Ethernet 2 (192.168.21.1) because of the entry in
|
||||
/etc/shorewall/proxyarp (see below). I modified the start, stop and
|
||||
init scripts to include the fixes suggested when having an IPSec tunnel.</p>
|
||||
<p><b>Some Mistakes I Made:</b></p>
|
||||
<p>Yes, believe it or not, I made some really basic mistakes when
|
||||
building this firewall. Firstly, I had the new firewall setup in
|
||||
parallel with the
|
||||
old firewall so that there was no interruption of service to my users.
|
||||
During my out-bound testing, I set up systems on the LAN to utilize the
|
||||
firewall which worked fine. When testing my NAT connections, from the
|
||||
outside,
|
||||
these would fail and I could not understand why. Eventually, I changed
|
||||
the default route on the internal system I was trying to access, to
|
||||
point
|
||||
to the new firewall and "bingo", everything worked as expected. This
|
||||
oversight
|
||||
delayed my deployment by a couple of days not to mention level of
|
||||
frustration
|
||||
it produced. </p>
|
||||
<p>Another problem that I encountered was in setting up the Proxyarp
|
||||
system in the DMZ. Initially I forgot to remove the entry for the eth2
|
||||
from the /etc/shorewall/masq file. Once my file settings were correct,
|
||||
I started verifying that the ARP caches on the firewall, as well as the
|
||||
outside system "kaos", were showing the correct Ethernet MAC address.
|
||||
However, in testing remote access, I could access the system in the DMZ
|
||||
only from the firewall
|
||||
and LAN but not from the Internet. The message I received was
|
||||
"connection
|
||||
denied" on all protocols. What I did not realize was that a "helpful"
|
||||
administrator that had turned on an old system and assigned the same
|
||||
address
|
||||
as the one I was using for Proxyarp without notifying me. How did I
|
||||
work
|
||||
this out. I shutdown the system in the DMZ, rebooted the router and
|
||||
flushed
|
||||
the ARP cache on the firewall and kaos. Then, from kaos, I started
|
||||
pinging
|
||||
that IP address and checked the updated ARP cache and lo-and-behold a
|
||||
different MAC address showed up. High levels of frustration etc., etc.
|
||||
The administrator will <i>not</i> be doing that again! :-)</p>
|
||||
<p><b>Lessons Learned:</b></p>
|
||||
<ul>
|
||||
<li>Read the documentation. </li>
|
||||
<li>Draw your network topology before starting. </li>
|
||||
<li>Understand what services you are going to allow in and out of
|
||||
the firewall, whether they are TCP or UDP packets and make a note of
|
||||
these port numbers. </li>
|
||||
<li>Try to get quiet time to build the firewall - you need to focus
|
||||
on the job at hand. </li>
|
||||
<li>When asking for assistance, be honest and include as much
|
||||
detail as requested. Don't try and hide IP addresses etc., you will
|
||||
probably screw up the logs and make receiving assistance harder. </li>
|
||||
<li>Read the documentation. </li>
|
||||
</ul>
|
||||
<p><b>Futures:</b></p>
|
||||
<p>This is by no means the final configuration. In the near future, I
|
||||
will be moving more systems from the LAN to the DMZ. I will also be
|
||||
watching the logs for port scan programs etc. but, this should be
|
||||
standard security maintenance.</p>
|
||||
<p>Here are copies of my files. I have removed most of the internal
|
||||
documentation
|
||||
for the purpose of this space however, my system still has the original
|
||||
files with all the comments and I highly recommend you do the same.</p>
|
||||
</blockquote>
|
||||
<h3>Shorewall.conf</h3>
|
||||
<blockquote>
|
||||
<pre>##############################################################################<br># /etc/shorewall/shorewall.conf V1.4 - Change the following variables to<br># match your setup<br>#<br># This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]<br>#<br># This file should be placed in /etc/shorewall<br>#<br># (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)<br>##############################################################################<br># L O G G I N G<br>##############################################################################<br>LOGFILE=/var/log/messages<br>LOGFORMAT="Shorewall:%s:%s:"<br>LOGRATE=<br>LOGBURST=<br>LOGUNCLEAN=info<br>BLACKLIST_LOGLEVEL=<br>LOGNEWNOTSYN=<br>MACLIST_LOG_LEVEL=info<br>TCP_FLAGS_LOG_LEVEL=debug<br>RFC1918_LOG_LEVEL=debug<br>PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br>SUBSYSLOCK=/var/lock/subsys/shorewall<br>STATEDIR=/var/lib/shorewall<br>MODULESDIR=<br>FW=fw<br>NAT_ENABLED=Yes<br>MANGLE_ENABLED=Yes<br>IP_FORWARDING=On<br>ADD_IP_ALIASES=Yes<br>ADD_SNAT_ALIASES=Yes<br>TC_ENABLED=Yes<br>CLEAR_TC=No<br>MARK_IN_FORWARD_CHAIN=No<br>CLAMPMSS=No<br>ROUTE_FILTER=Yes<br>NAT_BEFORE_RULES=No<br>MULTIPORT=Yes<br>DETECT_DNAT_IPADDRS=Yes<br>MUTEX_TIMEOUT=60<br>NEWNOTSYN=Yes<br>BLACKLIST_DISPOSITION=DROP<br>MACLIST_DISPOSITION=REJECT<br>TCP_FLAGS_DISPOSITION=DROP<br>#LAST LINE -- DO NOT REMOVE<br><br></pre>
|
||||
</blockquote>
|
||||
<h3>Zones File</h3>
|
||||
<blockquote>
|
||||
<pre><font face="Courier">#<br># Shorewall 1.4 -- Sample Zone File For Two Interfaces<br># /etc/shorewall/zones<br>#<br># This file determines your network zones. Columns are:<br>#<br># ZONE Short name of the zone<br># DISPLAY Display name of the zone<br># COMMENTS Comments about the zone<br>#<br>#ZONE DISPLAY COMMENTS<br>net Net Internet<br>loc Local Local Networks<br>dmz DMZ Demilitarized Zone<br>vpn1 VPN1 VPN to Germany<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font><font
|
||||
face="Courier" size="2"><br></font></pre>
|
||||
</blockquote>
|
||||
<h3>Interfaces File: </h3>
|
||||
<blockquote>
|
||||
<p>##############################################################################<br>
|
||||
#ZONE INTERFACE BROADCAST OPTIONS<br>
|
||||
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
|
||||
loc eth1 detect dhcp,routefilter<br>
|
||||
dmz eth2 detect<br>
|
||||
vpn1 ipsec0<br>
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
|
||||
</blockquote>
|
||||
<h3>Routestopped File:</h3>
|
||||
<blockquote>
|
||||
<pre><font face="Courier">#INTERFACE HOST(S)<br>eth1 -<br>eth2 -<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font><font
|
||||
face="Courier" size="2"> </font></pre>
|
||||
</blockquote>
|
||||
<h3>Policy File:</h3>
|
||||
<blockquote>
|
||||
<pre>###############################################################################<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>loc fw ACCEPT<br>loc dmz ACCEPT<br># If you want open access to the Internet from your Firewall <br># remove the comment from the following line.<br>fw net ACCEPT<br>fw loc ACCEPT<br>fw dmz ACCEPT<br>dmz fw ACCEPT<br>dmz loc ACCEPT<br>dmz net ACCEPT<br># <br># Adding VPN Access<br>loc vpn1 ACCEPT<br>dmz vpn1 ACCEPT<br>fw vpn1 ACCEPT<br>vpn1 loc ACCEPT<br>vpn1 dmz ACCEPT<br>vpn1 fw ACCEPT<br>#<br>net all DROP info<br>all all REJECT info<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
|
||||
</blockquote>
|
||||
<h3>Masq File: </h3>
|
||||
<blockquote>
|
||||
<pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 1192.0.18.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
|
||||
</blockquote>
|
||||
<h3>NAT File: </h3>
|
||||
<blockquote>
|
||||
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>192.0.18.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>192.0.18.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>192.0.18.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>192.0.18.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>192.0.18.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>192.0.18.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
|
||||
</blockquote>
|
||||
<h3>Proxy ARP File:</h3>
|
||||
<blockquote>
|
||||
<pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>192.0.18.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </font></pre>
|
||||
</blockquote>
|
||||
<h3>Tunnels File:</h3>
|
||||
<blockquote>
|
||||
<pre># TYPE ZONE GATEWAY GATEWAY ZONE PORT<br>ipsec net 134.147.129.82<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
|
||||
</blockquote>
|
||||
<h3>Rules File (The shell variables are set in /etc/shorewall/params):</h3>
|
||||
<blockquote>
|
||||
<pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:192.0.18.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 
-<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
|
||||
</blockquote>
|
||||
<h3>Start File:</h3>
|
||||
<blockquote>
|
||||
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/start<br>#<br># Add commands below that you want to be executed after shorewall has<br># been started or restarted.<br>#<br>qt service ipsec start<br></pre>
|
||||
</blockquote>
|
||||
<h3>Stop File:</h3>
|
||||
<blockquote>
|
||||
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/stop<br>#<br># Add commands below that you want to be executed at the beginning of a<br># "shorewall stop" command.<br>#<br>qt service ipsec stop</pre>
|
||||
</blockquote>
|
||||
<h3>Init File:</h3>
|
||||
<blockquote>
|
||||
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/init<br>#<br># Add commands below that you want to be executed at the beginning of<br># a "shorewall start" or "shorewall restart" command.<br>#<br>qt service ipsec stop<br></pre>
|
||||
</blockquote>
|
||||
<p><font size="2">Last updated 7/16/2003</font>
|
||||
<script><!--
|
||||
function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));}
|
||||
//</script>
|
||||
<br>
|
||||
</p>
|
||||
<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep
|
||||
and
|
||||
Graeme Boyle</a></small><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
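Review bot: if this sample configuration is being relocated rather than dropped, carry over fixes for the inconsistencies visible in the Masq File and NAT File blocks rather than the text as published: the Masq File entry `eth0 eth1 1192.0.18.126` is not a valid IPv4 address (the Summary gives the SNAT address as 192.0.18.127), and the NAT File line `192.0.18.97 eth0:2 10.10.1.55 No No` maps the Blackberry server to 10.10.1.55 while the Summary and the rules-file entry `ACCEPT net loc:10.10.1.230 tcp 3101` put it at 10.10.1.230, so the sample does not work as written. The page also carries artifacts of the contributor's browser and proxy (the `saved from url=` comment pointing at a local Windows Temporary Internet Files path, and the two Privoxy-injected `PrivoxyWindowOpen` script blocks) that should not be reproduced in any replacement.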
@ -1,31 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>The Documentation Index</title>
|
||||
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<h1 align="center">The Shorewall Documentation Index</h1>
|
||||
|
||||
<h1 align="center">has Moved <a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Here</a></h1>
|
||||
|
||||
<p><font size="2"> Last updated 8/9/2002 -
|
||||
<a href="support.htm">Tom Eastep</a></font> </p>
|
||||
|
||||
<p> <a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
|
||||
</body>
|
||||
</html>
|
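Review bot: this file is a redirect stub whose only content is the pointer from Documentation_Index.htm to shorewall_quickstart_guide.htm#Documentation, and deleting it turns every external bookmark or link to the old URL into a dead link unless a server-side redirect replaces it. Either keep the stub or add the redirect; the same consideration applies to the other pages removed in this commit, which get no forwarding pointer at all.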
@ -1,76 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall and ECN</title>
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<br>
|
||||
<h1 style="text-align: center;">ECN<br>
|
||||
</h1>
|
||||
Explicit Congestion Notification (ECN) is described in RFC 3168 and is
|
||||
a proposed internet standard. Unfortunately, not all sites support ECN
|
||||
and when
|
||||
a TCP connection offering ECN is sent to sites that don't support it,
|
||||
the
|
||||
result is often that the connection request is ignored.<br>
|
||||
<br>
|
||||
To allow ECN to be used, Shorewall allows you to enable ECN on your
|
||||
Linux systems then disable it in your firewall when the destination
|
||||
matches a list that you create (the /etc/shorewall/ecn file).<br>
|
||||
<br>
|
||||
You enable ECN by<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">echo 1 > /proc/sys/net/ipv4/tcp_ecn</font></b></pre>
|
||||
</blockquote>
|
||||
You must arrange for that command to be executed at system boot. Most
|
||||
distributions have a method for doing that -- on RedHat, you make an
|
||||
entry in /etc/sysctl.conf.<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">net.ipv4.tcp_ecn = 1<br><br></font></b></pre>
|
||||
</blockquote>
|
||||
Entries in /etc/shorewall/ecn have two columns as follows:<br>
|
||||
<br>
|
||||
INTERFACE - The name of an interface on your system<br>
|
||||
<br>
|
||||
HOST(S) - An address (host or
|
||||
subnet) of a system or group of systems accessed through the
|
||||
interface in the first column. You may include a comma-separated
|
||||
list of such addresses in this column. <br>
|
||||
<br>
|
||||
Example: Your external interface is eth0 and you want to disable ECN
|
||||
for tcp connections to 192.0.2.0/24:<br>
|
||||
<br>
|
||||
In /etc/shorewall/ecn:<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>HOST(S)<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">eth0<br>
|
||||
</td>
|
||||
<td valign="top">192.0.2.0/24<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
<font size="2">Last updated 3/28/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
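Review bot: the format of /etc/shorewall/ecn (two columns, INTERFACE and HOST(S), with the eth0 / 192.0.2.0/24 example) and the boot-time requirement `net.ipv4.tcp_ecn = 1` in /etc/sysctl.conf are documented only here within the visible change; /etc/shorewall/ecn is a runtime configuration file whose meaning (disable ECN for TCP connections to the listed hosts reached through that interface) a user cannot infer from the file itself, so confirm the replacement documentation covers it before this page goes.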
@ -1,205 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall and FTP</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
<h2></h2>
|
||||
<blockquote> </blockquote>
|
||||
<h1 style="text-align: center;">Shorewall and FTP<br>
|
||||
</h1>
|
||||
<p>FTP transfers involve two TCP connections. The first <u>control</u>
|
||||
connection goes from the FTP client to port 21 on the FTP server. This
|
||||
connection is used for logon and to send commands and responses between
|
||||
the endpoints. Data transfers (including the output of "ls" and "dir"
|
||||
commands) requires a second <u>data</u> connection. The data
|
||||
connection is dependent on the <u>mode</u>
|
||||
that the client is operating in:<br>
|
||||
</p>
|
||||
<ul>
|
||||
<li>Passive Mode (default for web browsers) -- The client issues a
|
||||
PASV command. Upon receipt of this command, the server listens on a
|
||||
dynamically-allocated port then sends a PASV reply to the client. The
|
||||
PASV reply gives the IP address
|
||||
and port number that the server is listening on. The client then opens
|
||||
a
|
||||
second connection to that IP address and port number.</li>
|
||||
<li>Active Mode (often the default for line-mode clients) -- The
|
||||
client listens on a dynamically-allocated port then sends a PORT
|
||||
command to the server. The PORT command gives the IP address and port
|
||||
number that the client is listening on. The server then opens a
|
||||
connection to that IP address and port number; the <u>source port</u>
|
||||
for this connection is 20 (ftp-data in /etc/services).</li>
|
||||
</ul>
|
||||
You can see these commands in action using your linux ftp command-line
|
||||
client in debugging mode. Note that my ftp client defaults to passive
|
||||
mode and that I can toggle between passive and active mode by issuing a
|
||||
"passive" command:<br>
|
||||
<blockquote>
|
||||
<pre>[teastep@wookie Shorewall]$ <font color="#009900"><b>ftp ftp1.shorewall.net<br></b></font>Connected to lists.shorewall.net.<br>220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(<*>)=-<br>220-You are user number 1 of 50 allowed.<br>220-Local time is now 10:21 and the load is 0.14. Server port: 21.<br>220 You will be disconnected after 15 minutes of inactivity.<br>500 Security extensions not implemented<br>500 Security extensions not implemented<br>KERBEROS_V4 rejected as an authentication type<br>Name (ftp1.shorewall.net:teastep): ftp<br>331-Welcome to ftp.shorewall.net<br>331-<br>331 Any password will work<br>Password:<br>230 Any password will work<br>Remote system type is UNIX.<br>Using binary mode to transfer files.<br>ftp> <font
|
||||
color="#009900"><b>debug<br></b></font>Debugging on (debug=1).<br>ftp> <font
|
||||
color="#009900"><b>ls<br></b></font><b>---> PASV</b><br><b>227 Entering Passive Mode (192,168,1,193,195,210)</b><br>---> LIST<br>150 Accepted data connection<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp> <font
|
||||
color="#009900"><b>passive<br></b></font>Passive mode off.<br>ftp> <font
|
||||
color="#009900"><b>ls<br></b></font><b>---> PORT 192,168,1,3,142,58</b><br>200 PORT command successful<br>---> LIST<br>150 Connecting to port 36410<br>drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives<br>drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc<br>drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub<br>226-Options: -l<br>226 3 matches total<br>ftp><br></pre>
|
||||
</blockquote>
|
||||
Things to notice:<br>
|
||||
<ol>
|
||||
<li>The commands that I issued are in <b><font color="#009900">green.</font></b><br>
|
||||
</li>
|
||||
<li>Commands sent by the client to the server are preceded by <b>---></b></li>
|
||||
<li>Command responses from the server over the control connection are
|
||||
numbered.<br>
|
||||
</li>
|
||||
<li>FTP uses a comma as a separator between the bytes of the IP
|
||||
address; and</li>
|
||||
<li>When sending a port number, FTP sends the MSB then the LSB and
|
||||
separates the two bytes by a comma. As shown in the PORT command, port
|
||||
142,58 translates
|
||||
to 142*256+58 = 36410.<br>
|
||||
</li>
|
||||
</ol>
|
||||
Given the normal loc->net policy of ACCEPT, passive mode access from
|
||||
local clients to remote servers will always work but active mode
|
||||
requires the firewall to dynamically open a "hole" for the server's
|
||||
connection back to the client. Similarly, if you are running an FTP
|
||||
server in your local
|
||||
zone then active mode should always work but passive mode requires the
|
||||
firewall to dynamically open a "hole" for the client's second
|
||||
connection to the server. This is the role of FTP connection-tracking
|
||||
support in the Linux kernel.
|
||||
<div align="left"><br>
|
||||
Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is
|
||||
involved, the PORT commands and PASV responses may also need to be
|
||||
modified by the firewall. This is the job of the FTP nat support kernel
|
||||
function.<br>
|
||||
</div>
|
||||
<p>Including FTP connection-tracking and NAT support normally means
|
||||
that the
|
||||
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded.
|
||||
Shorewall automatically
|
||||
loads these "helper" modules from /lib/modules/<<i>kernel-version></i>/kernel/net/ipv4/netfilter/
|
||||
and you can determine if they are loaded using the 'lsmod' command:<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<p>Example:<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
<blockquote> </blockquote>
|
||||
<p>If you want Shorewall to load these modules from an alternate
|
||||
directory, you need to set the MODULESDIR variable in
|
||||
/etc/shorewall/shorewall.conf to point to that directory.<br>
|
||||
</p>
|
||||
<p>Server configuration is covered in <a href="Documentation.htm#Rules">the
|
||||
/etc/shorewall/rules documentation</a>,<br>
|
||||
</p>
|
||||
<p>For a client, you must open outbound TCP port 21. <br>
|
||||
</p>
|
||||
<p>The above discussion about commands and responses makes it clear
|
||||
that the
|
||||
FTP connection-tracking and NAT helpers must scan the traffic on the
|
||||
control
|
||||
connection looking for PASV and PORT commands as well as PASV
|
||||
responses. If
|
||||
you run an FTP server on a nonstandard port or you need to access such
|
||||
a server, you must therefore let the helpers know by specifying
|
||||
the port
|
||||
in /etc/shorewall/modules entries for the helpers. <span
|
||||
style="font-weight: bold;">For example, if you
|
||||
run an FTP server that listens on port 49 or you need to access a
|
||||
server on the internet that listens on that port then you would have:</span><br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
|
||||
loadmodule ip_nat_ftp ports=21,49<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<p>Note that you MUST include port 21 in the <i>ports</i> list or you
|
||||
may have problems accessing regular FTP servers.</p>
|
||||
<p>If there is a possibility that these modules might be loaded before
|
||||
Shorewall starts, then you should include the port list in
|
||||
/etc/modules.conf:<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<p>options ip_conntrack_ftp ports=21,49<br>
|
||||
options ip_nat_ftp ports=21,49<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<p><b>IMPORTANT: </b>Once you have made these changes to
|
||||
/etc/shorewall/modules and/or /etc/modules.conf, you must either:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>Unload the modules and restart shorewall: (<b><font
|
||||
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall
|
||||
restart</font></b>); or</li>
|
||||
<li>Reboot</li>
|
||||
</ol>
|
||||
One problem that I see occasionally involves active mode and the FTP
|
||||
server in my DMZ. I see the active data connection <u>to certain
|
||||
client IP addresses</u> being continuously rejected by my firewall. It
|
||||
is my conjecture that there is some broken client out there that is
|
||||
sending a PORT command that is being either missed or mis-interpreted
|
||||
by the FTP connection tracking helper yet it is being accepted by my
|
||||
FTP server. My solution is to add the following rule:<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ACTION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESTINATION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>PROTOCOL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>PORT(S)<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
PORT(S)<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ORIGINAL<br>
|
||||
DESTINATION<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT:info<br>
|
||||
</td>
|
||||
<td valign="top">dmz<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">-<br>
|
||||
</td>
|
||||
<td valign="top">20<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
The above rule accepts and logs all active mode connections from my DMZ
|
||||
to the net.<br>
|
||||
<blockquote>
|
||||
<p> </p>
|
||||
</blockquote>
|
||||
<blockquote> </blockquote>
|
||||
<p><font size="2">Last updated 9/17/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2003 Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
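Review bot: two items in this page need to survive the move. First, the helper-port guidance (`loadmodule ip_conntrack_ftp ports=21,49`, the matching `options ip_conntrack_ftp ports=21,49` in /etc/modules.conf, the note that port 21 MUST stay in the list, and the requirement to rmmod both modules and restart Shorewall or reboot) is exactly the operational detail that generates support traffic when it disappears. Second, the workaround rule ACCEPT:info / dmz / net / tcp / - / 20 matches every DMZ-to-net TCP connection whose source port is 20, not only FTP active-mode data transfers, so wherever it is reproduced it should keep the surrounding text that it accepts and logs all such connections and that it is a workaround for a suspected broken client rather than a general recommendation.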
@ -1,45 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Support Forum</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Support Forum</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<h3><font color="#ff6633"></font></h3>
|
||||
|
||||
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
|
||||
read the <a href="support.htm">Shorewall Support Guide</a>.</h1>
|
||||
|
||||
<p><a href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
|
||||
Forum</a><br>
|
||||
</p>
|
||||
|
||||
<p><font size="2">Updated 3/6/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2003 Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
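Review bot: this page holds the only link in the change to the external support forum (http://www.developercube.com/forum/index.php?c=8) together with the instruction to read support.htm first; if support.htm remains, carry the forum URL there, otherwise state in the commit message that the forum pointer is dropped intentionally.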
@ -1,194 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Generic Tunnels</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">Generic Tunnels<br>
|
||||
</h1>
|
||||
Shorewall includes built-in support for a wide range of VPN solutions.
|
||||
If you have need for a tunnel type that does not have explicit support,
|
||||
you can generally describe the tunneling software using "generic
|
||||
tunnels"<br>
|
||||
<h2>Bridging two Masqueraded Networks</h2>
|
||||
<p>Suppose that we have the following situation:</p>
|
||||
<p align="center"> <img border="0" src="images/TwoNets1.png"
|
||||
width="745" height="427"> </p>
|
||||
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
|
||||
able to communicate with the systems in the 10.0.0.0/8 network. This is
|
||||
accomplished through use of the /etc/shorewall/tunnels file, the
|
||||
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
|
||||
included with Shorewall.<br>
|
||||
</p>
|
||||
<p align="left">Suppose that you have tunneling software that uses two
|
||||
different protocols:<br>
|
||||
</p>
|
||||
<p align="left">a) TCP port 1071<br>
|
||||
b) GRE (Protocol 47)<br>
|
||||
c) The tunnel interface on system A is "tun0" and the tunnel interface
|
||||
on system B is also "tun0".<br>
|
||||
</p>
|
||||
<p align="left">On each firewall, you will need to declare a zone to
|
||||
represent the remote subnet. We'll assume that this zone is called
|
||||
'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>ZONE</strong></td>
|
||||
<td><strong>DISPLAY</strong></td>
|
||||
<td><strong>COMMENTS</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>VPN</td>
|
||||
<td>Remote Subnet</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
|
||||
zone.
|
||||
In /etc/shorewall/interfaces:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>tun0</td>
|
||||
<td>10.255.255.255</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">In /etc/shorewall/tunnels on system A, we need the
|
||||
following:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>generic:tcp:1071<br>
|
||||
</td>
|
||||
<td>net</td>
|
||||
<td>134.28.54.2</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">generic:47<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">net<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">134.28.54.2<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>These entries in /etc/shorewall/tunnels, opens the firewall so that
|
||||
TCP port 1071 and the Generalized Routing Encapsulation Protocol (47)
|
||||
will be accepted to/from the remote gateway.</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>tun0</td>
|
||||
<td>192.168.1.255</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>In /etc/shorewall/tunnels on system B, we have:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>generic:tcp:1071<br>
|
||||
</td>
|
||||
<td>net</td>
|
||||
<td>206.191.148.9</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">generic:47<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">net<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">134.28.54.2<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left"> You will need to allow traffic between the "vpn" zone
|
||||
and the "loc" zone on both systems -- if you simply want to admit all
|
||||
traffic in both directions, you can use the policy file:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>SOURCE</strong></td>
|
||||
<td><strong>DEST</strong></td>
|
||||
<td><strong>POLICY</strong></td>
|
||||
<td><strong>LOG LEVEL</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>vpn</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>loc</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>On both systems, restart Shorewall and start your VPN software on
|
||||
each system. The systems in the two masqueraded subnetworks
|
||||
can now talk to each other</p>
|
||||
<p><font size="2">Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
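Review bot: the system B tunnels table has an inconsistent GATEWAY column: the generic:tcp:1071 row gives 206.191.148.9 while the generic:47 row gives 134.28.54.2, which is the peer address system A uses on both of its rows. Both rows on system B should name the same remote gateway (206.191.148.9) if this page is moved rather than dropped; the second interfaces table (vpn / tun0 / 192.168.1.255) also lacks the "On system B ..." lead-in sentence that the system A table has, and the footer reads "2001, 2002, 2003Thomas M. Eastep" with a missing space.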
@ -1,420 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Copyright</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">GNU Free Documentation License<br>
|
||||
</h1>
|
||||
<p>Version 1.1, March 2000 </p>
|
||||
<pre>Copyright (C) 2000 Free Software Foundation, Inc.<br>59 Temple Place, Suite 330, Boston, MA 02111-1307 USA<br>Everyone is permitted to copy and distribute verbatim copies<br>of this license document, but changing it is not allowed.<br></pre>
|
||||
<p><strong>0. PREAMBLE</strong> </p>
|
||||
<p>The purpose of this License is to make a manual, textbook, or other
|
||||
written document "free" in the sense of freedom: to assure everyone the
|
||||
effective freedom to copy and redistribute it, with or without
|
||||
modifying it, either commercially or noncommercially. Secondarily, this
|
||||
License preserves for
|
||||
the author and publisher a way to get credit for their work, while not
|
||||
being considered responsible for modifications made by others. </p>
|
||||
<p>This License is a kind of "copyleft", which means that derivative
|
||||
works
|
||||
of the document must themselves be free in the same sense. It
|
||||
complements
|
||||
the GNU General Public License, which is a copyleft license designed
|
||||
for
|
||||
free software. </p>
|
||||
<p>We have designed this License in order to use it for manuals for
|
||||
free software,
|
||||
because free software needs free documentation: a free program should
|
||||
come
|
||||
with manuals providing the same freedoms that the software does. But
|
||||
this License is not limited to software manuals; it can be used for any
|
||||
textual
|
||||
work, regardless of subject matter or whether it is published as a
|
||||
printed
|
||||
book. We recommend this License principally for works whose purpose is
|
||||
instruction
|
||||
or reference. </p>
|
||||
<p><strong>1. APPLICABILITY AND DEFINITIONS</strong> </p>
|
||||
<p>This License applies to any manual or other work that contains a
|
||||
notice placed by the copyright holder saying it can be distributed
|
||||
under the terms
|
||||
of this License. The "Document", below, refers to any such manual or
|
||||
work.
|
||||
Any member of the public is a licensee, and is addressed as "you". </p>
|
||||
<p>A "Modified Version" of the Document means any work containing the
|
||||
Document or a portion of it, either copied verbatim, or with
|
||||
modifications and/or translated
|
||||
into another language. </p>
|
||||
<p>A "Secondary Section" is a named appendix or a front-matter section
|
||||
of
|
||||
the Document that deals exclusively with the relationship of the
|
||||
publishers
|
||||
or authors of the Document to the Document's overall subject (or to
|
||||
related matters) and contains nothing that could fall directly within
|
||||
that overall subject. (For example, if the Document is in part a
|
||||
textbook of mathematics,
|
||||
a Secondary Section may not explain any mathematics.) The relationship
|
||||
could
|
||||
be a matter of historical connection with the subject or with related
|
||||
matters,
|
||||
or of legal, commercial, philosophical, ethical or political position
|
||||
regarding
|
||||
them. </p>
|
||||
<p>The "Invariant Sections" are certain Secondary Sections whose titles
|
||||
are designated, as being those of Invariant Sections, in the notice
|
||||
that says
|
||||
that the Document is released under this License. </p>
|
||||
<p>The "Cover Texts" are certain short passages of text that are
|
||||
listed,
|
||||
as Front-Cover Texts or Back-Cover Texts, in the notice that says that
|
||||
the
|
||||
Document is released under this License. </p>
|
||||
<p>A "Transparent" copy of the Document means a machine-readable copy,
|
||||
represented
|
||||
in a format whose specification is available to the general public,
|
||||
whose
|
||||
contents can be viewed and edited directly and straightforwardly with
|
||||
generic
|
||||
text editors or (for images composed of pixels) generic paint programs
|
||||
or
|
||||
(for drawings) some widely available drawing editor, and that is
|
||||
suitable
|
||||
for input to text formatters or for automatic translation to a variety
|
||||
of
|
||||
formats suitable for input to text formatters. A copy made in an
|
||||
otherwise
|
||||
Transparent file format whose markup has been designed to thwart or
|
||||
discourage
|
||||
subsequent modification by readers is not Transparent. A copy that is
|
||||
not
|
||||
"Transparent" is called "Opaque". </p>
|
||||
<p>Examples of suitable formats for Transparent copies include plain
|
||||
ASCII without markup, Texinfo input format, LaTeX input format, SGML or
|
||||
XML using
|
||||
a publicly available DTD, and standard-conforming simple HTML designed
|
||||
for
|
||||
human modification. Opaque formats include PostScript, PDF, proprietary
|
||||
formats
|
||||
that can be read and edited only by proprietary word processors, SGML
|
||||
or
|
||||
XML for which the DTD and/or processing tools are not generally
|
||||
available,
|
||||
and the machine-generated HTML produced by some word processors for
|
||||
output
|
||||
purposes only. </p>
|
||||
<p>The "Title Page" means, for a printed book, the title page itself,
|
||||
plus
|
||||
such following pages as are needed to hold, legibly, the material this
|
||||
License requires to appear in the title page. For works in formats
|
||||
which do not have
|
||||
any title page as such, "Title Page" means the text near the most
|
||||
prominent appearance of the work's title, preceding the beginning of
|
||||
the body of the
|
||||
text. </p>
|
||||
<p><strong>2. VERBATIM COPYING</strong> </p>
|
||||
<p>You may copy and distribute the Document in any medium, either
|
||||
commercially or noncommercially, provided that this License, the
|
||||
copyright notices, and
|
||||
the license notice saying this License applies to the Document are
|
||||
reproduced
|
||||
in all copies, and that you add no other conditions whatsoever to those
|
||||
of
|
||||
this License. You may not use technical measures to obstruct or control
|
||||
the
|
||||
reading or further copying of the copies you make or distribute.
|
||||
However,
|
||||
you may accept compensation in exchange for copies. If you distribute a
|
||||
large
|
||||
enough number of copies you must also follow the conditions in section
|
||||
3.
|
||||
</p>
|
||||
<p>You may also lend copies, under the same conditions stated above,
|
||||
and
|
||||
you may publicly display copies. </p>
|
||||
<p><strong>3. COPYING IN QUANTITY</strong> </p>
|
||||
<p>If you publish printed copies of the Document numbering more than
|
||||
100,
|
||||
and the Document's license notice requires Cover Texts, you must
|
||||
enclose
|
||||
the copies in covers that carry, clearly and legibly, all these Cover
|
||||
Texts:
|
||||
Front-Cover Texts on the front cover, and Back-Cover Texts on the back
|
||||
cover.
|
||||
Both covers must also clearly and legibly identify you as the publisher
|
||||
of
|
||||
these copies. The front cover must present the full title with all
|
||||
words
|
||||
of the title equally prominent and visible. You may add other material
|
||||
on
|
||||
the covers in addition. Copying with changes limited to the covers, as
|
||||
long
|
||||
as they preserve the title of the Document and satisfy these
|
||||
conditions,
|
||||
can be treated as verbatim copying in other respects. </p>
|
||||
<p>If the required texts for either cover are too voluminous to fit
|
||||
legibly,
|
||||
you should put the first ones listed (as many as fit reasonably) on the
|
||||
actual cover, and continue the rest onto adjacent pages. </p>
|
||||
<p>If you publish or distribute Opaque copies of the Document numbering
|
||||
more than 100, you must either include a machine-readable Transparent
|
||||
copy along
|
||||
with each Opaque copy, or state in or with each Opaque copy a
|
||||
publicly-accessible computer-network location containing a complete
|
||||
Transparent copy of the Document,
|
||||
free of added material, which the general network-using public has
|
||||
access
|
||||
to download anonymously at no charge using public-standard network
|
||||
protocols.
|
||||
If you use the latter option, you must take reasonably prudent steps,
|
||||
when
|
||||
you begin distribution of Opaque copies in quantity, to ensure that
|
||||
this Transparent
|
||||
copy will remain thus accessible at the stated location until at least
|
||||
one
|
||||
year after the last time you distribute an Opaque copy (directly or
|
||||
through
|
||||
your agents or retailers) of that edition to the public. </p>
|
||||
<p>It is requested, but not required, that you contact the authors of
|
||||
the Document well before redistributing any large number of copies, to
|
||||
give them
|
||||
a chance to provide you with an updated version of the Document. </p>
|
||||
<p><strong>4. MODIFICATIONS</strong> </p>
|
||||
<p>You may copy and distribute a Modified Version of the Document under
|
||||
the conditions of sections 2 and 3 above, provided that you release the
|
||||
Modified Version under precisely this License, with the Modified
|
||||
Version filling the
|
||||
role of the Document, thus licensing distribution and modification of
|
||||
the
|
||||
Modified Version to whoever possesses a copy of it. In addition, you
|
||||
must
|
||||
do these things in the Modified Version: </p>
|
||||
<p> </p>
|
||||
<ul>
|
||||
<li><strong>A.</strong> Use in the Title Page (and on the covers, if
|
||||
any)
|
||||
a title distinct from that of the Document, and from those of previous
|
||||
versions (which should, if there were any, be listed in the History
|
||||
section
|
||||
of the Document). You may use the same title as a previous version if
|
||||
the
|
||||
original publisher of that version gives permission. </li>
|
||||
<li><strong>B.</strong> List on the Title Page, as authors, one or
|
||||
more persons or entities responsible for authorship of the
|
||||
modifications in
|
||||
the Modified Version, together with at least five of the principal
|
||||
authors
|
||||
of the Document (all of its principal authors, if it has less than
|
||||
five). </li>
|
||||
<li><strong>C.</strong> State on the Title page the name of the
|
||||
publisher
|
||||
of the Modified Version, as the publisher. </li>
|
||||
<li><strong>D.</strong> Preserve all the copyright notices of the
|
||||
Document. </li>
|
||||
<li><strong>E.</strong> Add an appropriate copyright notice for your
|
||||
modifications adjacent to the other copyright notices. </li>
|
||||
<li><strong>F.</strong> Include, immediately after the copyright
|
||||
notices,
|
||||
a license notice giving the public permission to use the Modified
|
||||
Version
|
||||
under the terms of this License, in the form shown in the Addendum
|
||||
below. </li>
|
||||
<li><strong>G.</strong> Preserve in that license notice the full
|
||||
lists
|
||||
of Invariant Sections and required Cover Texts given in the Document's
|
||||
license notice. </li>
|
||||
<li><strong>H.</strong> Include an unaltered copy of this License. </li>
|
||||
<li><strong>I.</strong> Preserve the section entitled "History", and
|
||||
its title, and add to it an item stating at least the title, year, new
|
||||
authors, and publisher of the Modified Version as given on the Title
|
||||
Page. If there
|
||||
is no section entitled "History" in the Document, create one stating
|
||||
the
|
||||
title, year, authors, and publisher of the Document as given on its
|
||||
Title
|
||||
Page, then add an item describing the Modified Version as stated in the
|
||||
previous sentence. </li>
|
||||
<li><strong>J.</strong> Preserve the network location, if any, given
|
||||
in
|
||||
the Document for public access to a Transparent copy of the Document,
|
||||
and
|
||||
likewise the network locations given in the Document for previous
|
||||
versions
|
||||
it was based on. These may be placed in the "History" section. You may
|
||||
omit a network location for a work that was published at least four
|
||||
years
|
||||
before the Document itself, or if the original publisher of the version
|
||||
it refers to gives permission. </li>
|
||||
<li><strong>K.</strong> In any section entitled "Acknowledgements" or
|
||||
"Dedications", preserve the section's title, and preserve in the
|
||||
section
|
||||
all the substance and tone of each of the contributor acknowledgements
|
||||
and/or dedications given therein. </li>
|
||||
<li><strong>L.</strong> Preserve all the Invariant Sections of the
|
||||
Document, unaltered in their text and in their titles. Section numbers
|
||||
or the equivalent are not considered part of the section titles. </li>
|
||||
<li><strong>M.</strong> Delete any section entitled "Endorsements".
|
||||
Such
|
||||
a section may not be included in the Modified Version. </li>
|
||||
<li><strong>N.</strong> Do not retitle any existing section as
|
||||
"Endorsements" or to conflict in title with any Invariant Section. </li>
|
||||
</ul>
|
||||
<p>If the Modified Version includes new front-matter sections or
|
||||
appendices
|
||||
that qualify as Secondary Sections and contain no material copied from
|
||||
the
|
||||
Document, you may at your option designate some or all of these
|
||||
sections
|
||||
as invariant. To do this, add their titles to the list of Invariant
|
||||
Sections
|
||||
in the Modified Version's license notice. These titles must be distinct
|
||||
from
|
||||
any other section titles. </p>
|
||||
<p>You may add a section entitled "Endorsements", provided it contains
|
||||
nothing but endorsements of your Modified Version by various
|
||||
parties--for example, statements of peer review or that the text has
|
||||
been approved by an organization as the authoritative definition of a
|
||||
standard. </p>
|
||||
<p>You may add a passage of up to five words as a Front-Cover Text, and
|
||||
a passage of up to 25 words as a Back-Cover Text, to the end of the
|
||||
list of
|
||||
Cover Texts in the Modified Version. Only one passage of Front-Cover
|
||||
Text
|
||||
and one of Back-Cover Text may be added by (or through arrangements
|
||||
made
|
||||
by) any one entity. If the Document already includes a cover text for
|
||||
the
|
||||
same cover, previously added by you or by arrangement made by the same
|
||||
entity
|
||||
you are acting on behalf of, you may not add another; but you may
|
||||
replace
|
||||
the old one, on explicit permission from the previous publisher that
|
||||
added
|
||||
the old one. </p>
|
||||
<p>The author(s) and publisher(s) of the Document do not by this
|
||||
License
|
||||
give permission to use their names for publicity for or to assert or
|
||||
imply endorsement of any Modified Version. </p>
|
||||
<p><strong>5. COMBINING DOCUMENTS</strong> </p>
|
||||
<p>You may combine the Document with other documents released under
|
||||
this License,
|
||||
under the terms defined in section 4 above for modified versions,
|
||||
provided
|
||||
that you include in the combination all of the Invariant Sections of
|
||||
all
|
||||
of the original documents, unmodified, and list them all as Invariant
|
||||
Sections
|
||||
of your combined work in its license notice. </p>
|
||||
<p>The combined work need only contain one copy of this License, and
|
||||
multiple identical Invariant Sections may be replaced with a single
|
||||
copy. If there
|
||||
are multiple Invariant Sections with the same name but different
|
||||
contents,
|
||||
make the title of each such section unique by adding at the end of it,
|
||||
in
|
||||
parentheses, the name of the original author or publisher of that
|
||||
section
|
||||
if known, or else a unique number. Make the same adjustment to the
|
||||
section
|
||||
titles in the list of Invariant Sections in the license notice of the
|
||||
combined
|
||||
work. </p>
|
||||
<p>In the combination, you must combine any sections entitled "History"
|
||||
in
|
||||
the various original documents, forming one section entitled "History";
|
||||
likewise combine any sections entitled "Acknowledgements", and any
|
||||
sections entitled "Dedications". You must delete all sections entitled
|
||||
"Endorsements." </p>
|
||||
<p><strong>6. COLLECTIONS OF DOCUMENTS</strong> </p>
|
||||
<p>You may make a collection consisting of the Document and other
|
||||
documents released under this License, and replace the individual
|
||||
copies of this License in the various documents with a single copy that
|
||||
is included in the collection, provided that you follow the rules of
|
||||
this License for verbatim copying of
|
||||
each of the documents in all other respects. </p>
|
||||
<p>You may extract a single document from such a collection, and
|
||||
distribute
|
||||
it individually under this License, provided you insert a copy of this
|
||||
License
|
||||
into the extracted document, and follow this License in all other
|
||||
respects
|
||||
regarding verbatim copying of that document. </p>
|
||||
<p><strong>7. AGGREGATION WITH INDEPENDENT WORKS</strong> </p>
|
||||
<p>A compilation of the Document or its derivatives with other separate
|
||||
and independent documents or works, in or on a volume of a storage or
|
||||
distribution medium, does not as a whole count as a Modified Version of
|
||||
the Document, provided
|
||||
no compilation copyright is claimed for the compilation. Such a
|
||||
compilation
|
||||
is called an "aggregate", and this License does not apply to the other
|
||||
self-contained
|
||||
works thus compiled with the Document, on account of their being thus
|
||||
compiled,
|
||||
if they are not themselves derivative works of the Document. </p>
|
||||
<p>If the Cover Text requirement of section 3 is applicable to these
|
||||
copies
|
||||
of the Document, then if the Document is less than one quarter of the
|
||||
entire aggregate, the Document's Cover Texts may be placed on covers
|
||||
that surround
|
||||
only the Document within the aggregate. Otherwise they must appear on
|
||||
covers
|
||||
around the whole aggregate. </p>
|
||||
<p><strong>8. TRANSLATION</strong> </p>
|
||||
<p>Translation is considered a kind of modification, so you may
|
||||
distribute translations of the Document under the terms of section 4.
|
||||
Replacing Invariant Sections with translations requires special
|
||||
permission from their copyright holders, but you may include
|
||||
translations of some or all Invariant Sections
|
||||
in addition to the original versions of these Invariant Sections. You
|
||||
may
|
||||
include a translation of this License provided that you also include
|
||||
the
|
||||
original English version of this License. In case of a disagreement
|
||||
between
|
||||
the translation and the original English version of this License, the
|
||||
original
|
||||
English version will prevail. </p>
|
||||
<p><strong>9. TERMINATION</strong> </p>
|
||||
<p>You may not copy, modify, sublicense, or distribute the Document
|
||||
except
|
||||
as expressly provided for under this License. Any other attempt to
|
||||
copy,
|
||||
modify, sublicense or distribute the Document is void, and will
|
||||
automatically
|
||||
terminate your rights under this License. However, parties who have
|
||||
received
|
||||
copies, or rights, from you under this License will not have their
|
||||
licenses
|
||||
terminated so long as such parties remain in full compliance. </p>
|
||||
<p><strong>10. FUTURE REVISIONS OF THIS LICENSE</strong> </p>
|
||||
<p>The Free Software Foundation may publish new, revised versions of
|
||||
the
|
||||
GNU Free Documentation License from time to time. Such new versions
|
||||
will
|
||||
be similar in spirit to the present version, but may differ in detail
|
||||
to
|
||||
address new problems or concerns. See http://www.gnu.org/copyleft/. </p>
|
||||
<p>Each version of the License is given a distinguishing version
|
||||
number.
|
||||
If the Document specifies that a particular numbered version of this
|
||||
License
|
||||
"or any later version" applies to it, you have the option of following
|
||||
the
|
||||
terms and conditions either of that specified version or of any later
|
||||
version
|
||||
that has been published (not as a draft) by the Free Software
|
||||
Foundation.
|
||||
If the Document does not specify a version number of this License, you
|
||||
may
|
||||
choose any version ever published (not as a draft) by the Free Software
|
||||
Foundation.
|
||||
</p>
|
||||
<p align="left"> </p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
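Review bot: section 4.H of the license text removed in this hunk ("Include an unaltered copy of this License") obliges any redistributed modified version of the documentation to carry the full GNU Free Documentation License, yet nothing in the hunk records where the documentation is going, so it is not clear whether a copy of the license page survives anywhere in the tree after this change. Please state the destination in the change description, or keep this license page until the relocated documentation carries its own copy of the license text.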
@ -1,204 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>GRE/IPIP Tunnels</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">GRE and IPIP Tunnels<br>
|
||||
</h1>
|
||||
<h3><font color="#ff6633">Warning: </font>GRE and IPIP Tunnels are
|
||||
insecure when used over the internet; use them at your own risk</h3>
|
||||
<p>GRE and IPIP tunneling with Shorewall can be used to bridge two
|
||||
masqueraded networks.</p>
|
||||
<p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux
|
||||
Advanced Routing and Shaping HOWTO</a> work fine with Shorewall.
|
||||
Shorewall also includes a tunnel script for automating tunnel
|
||||
configuration. If you have installed the RPM, the tunnel script may be
|
||||
found in the Shorewall documentation directory (usually
|
||||
/usr/share/doc/shorewall-<version>/).</p>
|
||||
<h2>Bridging two Masqueraded Networks</h2>
|
||||
<p>Suppose that we have the following situation:</p>
|
||||
<p align="center"> <img border="0" src="images/TwoNets1.png"
|
||||
width="745" height="427"> </p>
|
||||
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
|
||||
able to communicate with the systems in the 10.0.0.0/8 network. This is
|
||||
accomplished through use of the /etc/shorewall/tunnels file, the
|
||||
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
|
||||
included with Shorewall.</p>
|
||||
<p align="left">The 'tunnel' script is not installed in /etc/shorewall
|
||||
by default -- If you install using the tarball, the script is included
|
||||
in the tarball; if you install using the RPM, the file is in your
|
||||
Shorewall documentation directory (normally
|
||||
/usr/share/doc/shorewall-<version>).</p>
|
||||
<p align="left">In the /etc/shorewall/tunnel script, set the
|
||||
'tunnel_type' parameter to the type of tunnel that you want to create.</p>
|
||||
<p align="left">Example:</p>
|
||||
<blockquote>
|
||||
<p align="left">tunnel_type=gre</p>
|
||||
</blockquote>
|
||||
<p align="left">On each firewall, you will need to declare a zone to
|
||||
represent the remote subnet. We'll assume that this zone is called
|
||||
'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>ZONE</strong></td>
|
||||
<td><strong>DISPLAY</strong></td>
|
||||
<td><strong>COMMENTS</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>VPN</td>
|
||||
<td>Remote Subnet</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
|
||||
zone.
|
||||
In /etc/shorewall/interfaces:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>tosysb</td>
|
||||
<td>10.255.255.255</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">In /etc/shorewall/tunnels on system A, we need the
|
||||
following:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ipip</td>
|
||||
<td>net</td>
|
||||
<td>134.28.54.2</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the
|
||||
IP encapsulation protocol (4) will be accepted to/from the remote
|
||||
gateway.</p>
|
||||
<p>In the tunnel script on system A:</p>
|
||||
<blockquote>
|
||||
<p>tunnel=tosysb<br>
|
||||
myrealip=206.161.148.9 (for GRE tunnel only)<br>
|
||||
myip=192.168.1.1<br>
|
||||
hisip=10.0.0.1<br>
|
||||
gateway=134.28.54.2<br>
|
||||
subnet=10.0.0.0/8</p>
|
||||
</blockquote>
|
||||
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
|
||||
zone. In /etc/shorewall/interfaces:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>tosysa</td>
|
||||
<td>192.168.1.255</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>In /etc/shorewall/tunnels on system B, we have:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ipip</td>
|
||||
<td>net</td>
|
||||
<td>206.191.148.9</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>And in the tunnel script on system B:</p>
|
||||
<blockquote>
|
||||
<p>tunnel=tosysa<br>
|
||||
myrealip=134.28.54.2 (for GRE tunnel only)<br>
|
||||
myip=10.0.0.1<br>
|
||||
hisip=192.168.1.1<br>
|
||||
gateway=206.191.148.9<br>
|
||||
subnet=192.168.1.0/24</p>
|
||||
</blockquote>
|
||||
<p>You can rename the modified tunnel scripts if you like; be sure that
|
||||
they are secured so that root can execute them. </p>
|
||||
<p align="left"> You will need to allow traffic between the "vpn" zone
|
||||
and the "loc" zone on both systems -- if you simply want to admit all
|
||||
traffic in both directions, you can use the policy file:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>SOURCE</strong></td>
|
||||
<td><strong>DEST</strong></td>
|
||||
<td><strong>POLICY</strong></td>
|
||||
<td><strong>LOG LEVEL</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>vpn</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>loc</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>On both systems, restart Shorewall and run the modified tunnel
|
||||
script with
|
||||
the "start" argument on each system. The systems in the two masqueraded
|
||||
subnetworks
|
||||
can now talk to each other</p>
|
||||
<p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
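Review bot: if this GRE/IPIP page is being moved rather than dropped, two inconsistencies in the removed text should be fixed on the way instead of carried over. First, the example sets tunnel_type=gre, but both /etc/shorewall/tunnels tables use the ipip type and the explanation says that entry opens "the IP encapsulation protocol (4)"; GRE is carried as IP protocol 47, not protocol 4, so with these entries the firewall would not pass the tunnel the script builds, and the tunnels file type must match tunnel_type. Second, system A's script has myrealip=206.161.148.9 while system B's tunnels table and script both use gateway 206.191.148.9 for the same host; one of the two is a typo and the mismatch leaves the tunnel unreachable from one side. Minor: "be sure that they are secured so that root can execute them" should say that only root can read and modify them, since the script is run as root and carries the peer addresses, and the copyright line reads "2003Thomas" (missing space).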
@ -1,714 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall IPSec Tunneling</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">IPSEC Tunnels<br>
|
||||
</h1>
|
||||
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
|
||||
There is an excellent guide to configuring IPSEC tunnels at<a
|
||||
href="http://www.geocities.com/jixen66/">
|
||||
http://www.geocities.com/jixen66/</a> . I highly recommend that you
|
||||
consult that site for information about configuring FreeS/Wan.
|
||||
<p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP
|
||||
and FreeS/Wan on the same system unless you are prepared to suffer the
|
||||
consequences. If you start or restart Shorewall with an IPSEC tunnel
|
||||
active, the proxied IP addresses are mistakenly assigned to the IPSEC
|
||||
tunnel device (ipsecX) rather than to the interface that you specify in
|
||||
the INTERFACE column of /etc/shorewall/proxyarp. I haven't had the time
|
||||
to debug this problem so I can't say if it is a bug in the Kernel or in
|
||||
FreeS/Wan. </p>
|
||||
<p>You <b>might</b> be able to work around this problem using the
|
||||
following (I haven't tried it):</p>
|
||||
<p style="margin-left: 40px;">In /etc/shorewall/init, include:</p>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<p style="margin-left: 40px;"> qt service ipsec
|
||||
stop</p>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<p style="margin-left: 40px;">In /etc/shorewall/start, include:</p>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<p style="margin-left: 40px;"> qt service ipsec start<br>
|
||||
</p>
|
||||
<p>Also, the documentation below assumes that you have disabled
|
||||
opportunistic encryption feature in FreeS/Wan 2.0 using the following
|
||||
additional entries in ipsec.conf:<br>
|
||||
</p>
|
||||
<p style="margin-left: 40px;"><tt>conn block<br>
|
||||
auto=ignore<br>
|
||||
<br>
|
||||
conn private<br>
|
||||
auto=ignore<br>
|
||||
<br>
|
||||
conn private-or-clear<br>
|
||||
auto=ignore<br>
|
||||
<br>
|
||||
conn clear-or-private<br>
|
||||
auto=ignore<br>
|
||||
<br>
|
||||
conn clear<br>
|
||||
auto=ignore<br>
|
||||
<br>
|
||||
conn packetdefault<br>
|
||||
auto=ignore<br>
|
||||
</tt></p>
|
||||
For further information see <a
|
||||
href="http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html">http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html</a>.<tt><br>
|
||||
</tt>
|
||||
<h2> <font color="#660066">IPSec Gateway on the Firewall System </font></h2>
|
||||
<p>Suppose that we have the following sutuation:</p>
|
||||
<font color="#660066">
|
||||
<p align="center"><font face="Century Gothic, Arial, Helvetica"> <img
|
||||
src="images/TwoNets1.png" width="745" height="427"> </font></p>
|
||||
</font>
|
||||
<p align="left">We want systems in the 192.168.1.0/24 sub-network to be
|
||||
able to communicate with systems in the 10.0.0.0/8 network.</p>
|
||||
<p align="left">To make this work, we need to do two things:</p>
|
||||
<p align="left">a) Open the firewall so that the IPSEC tunnel can be
|
||||
established (allow the ESP and AH protocols and UDP Port 500). </p>
|
||||
<p align="left">b) Allow traffic through the tunnel.</p>
|
||||
<p align="left">Opening the firewall for the IPSEC tunnel is
|
||||
accomplished by adding an entry to the /etc/shorewall/tunnels file.</p>
|
||||
<p align="left">In /etc/shorewall/tunnels on system A, we need the
|
||||
following </p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong> TYPE</strong></td>
|
||||
<td><strong> ZONE</strong></td>
|
||||
<td><strong> GATEWAY</strong></td>
|
||||
<td><strong> GATEWAY ZONE</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ipsec</td>
|
||||
<td>net</td>
|
||||
<td>134.28.54.2</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">In /etc/shorewall/tunnels on system B, we would have:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong> TYPE</strong></td>
|
||||
<td><strong> ZONE</strong></td>
|
||||
<td><strong> GATEWAY</strong></td>
|
||||
<td><strong> GATEWAY ZONE</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ipsec</td>
|
||||
<td>net</td>
|
||||
<td>206.161.148.9</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left"><b>Note: </b>If either of the endpoints is behind a
|
||||
NAT gateway then the tunnels file entry on the <u><b>other</b></u>
|
||||
endpoint should specify a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i>
|
||||
and the GATEWAY address should specify the external address of the NAT
|
||||
gateway.<br>
|
||||
</p>
|
||||
<p align="left">You need to define a zone for the remote subnet or
|
||||
include it in your local zone. In this example, we'll assume that you
|
||||
have created a zone called "vpn" to represent the remote subnet.</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>ZONE</strong></td>
|
||||
<td><strong>DISPLAY</strong></td>
|
||||
<td><strong>COMMENTS</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>VPN</td>
|
||||
<td>Remote Subnet</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">At both systems, ipsec0 would be included in
|
||||
/etc/shorewall/interfaces as a "vpn" interface:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong> ZONE</strong></td>
|
||||
<td><strong> INTERFACE</strong></td>
|
||||
<td><strong> BROADCAST</strong></td>
|
||||
<td><strong> OPTIONS</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>ipsec0</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left"> You will need to allow traffic between the "vpn" zone
|
||||
and the "loc" zone -- if you simply want to admit all traffic in both
|
||||
directions, you can use the policy file:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>SOURCE</strong></td>
|
||||
<td><strong>DEST</strong></td>
|
||||
<td><strong>POLICY</strong></td>
|
||||
<td><strong>LOG LEVEL</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>vpn</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>loc</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left"> Once you have these entries in place, restart
|
||||
Shorewall
|
||||
(type shorewall restart); you are now ready to configure the tunnel in <a
|
||||
href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a> .<br>
|
||||
</p>
|
||||
<h2><a name="VPNHub"></a>VPN Hub</h2>
|
||||
Shorewall can be used in a VPN Hub environment where multiple remote
|
||||
networks are connected to a gateway running Shorewall. This environment
|
||||
is shown
|
||||
in this diatram.<br>
|
||||
<div align="center"><img src="images/ThreeNets.png"
|
||||
alt="(Three networks linked with IPSEC)" width="750" height="781"> <br>
|
||||
</div>
|
||||
<p align="left">We want systems in the 192.168.1.0/24 sub-network to be
|
||||
able to communicate with systems in the 10.0.0.0/16 and 10.1.0.0/16
|
||||
networks and we want the 10.0.0.0/16 and 10.1.0.0/16 networks to be
|
||||
able to communicate.</p>
|
||||
<p align="left">To make this work, we need to do several things:</p>
|
||||
<p align="left">a) Open the firewall so that two IPSEC tunnels can be
|
||||
established (allow the ESP and AH protocols and UDP Port 500). </p>
|
||||
<p align="left">b) Allow traffic through the tunnels two/from the local
|
||||
zone (192.168.1.0/24).<br>
|
||||
</p>
|
||||
<p align="left">c) Deny traffic through the tunnels between the two
|
||||
remote networks.<br>
|
||||
</p>
|
||||
<p align="left">Opening the firewall for the IPSEC tunnels is
|
||||
accomplished by adding two entries to the /etc/shorewall/tunnels file.</p>
|
||||
<p align="left">In /etc/shorewall/tunnels on system A, we need the
|
||||
following </p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong> TYPE</strong></td>
|
||||
<td><strong> ZONE</strong></td>
|
||||
<td><strong> GATEWAY</strong></td>
|
||||
<td><strong> GATEWAY ZONE</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ipsec<br>
|
||||
</td>
|
||||
<td>net</td>
|
||||
<td>134.28.54.2</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ipsec<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">130.152.100.14<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">In /etc/shorewall/tunnels on systems B and C, we would
|
||||
have:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong> TYPE</strong></td>
|
||||
<td><strong> ZONE</strong></td>
|
||||
<td><strong> GATEWAY</strong></td>
|
||||
<td><strong> GATEWAY ZONE</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ipsec</td>
|
||||
<td>net</td>
|
||||
<td>206.161.148.9</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left"></p>
|
||||
<p align="left"><b>Note: </b>If either of the endpoints is behind a
|
||||
NAT gateway then the tunnels file entry on the <u><b>other</b></u>
|
||||
endpoint should specify a tunnel type of <i>ipsecnat</i> rather than <i>ipsec<br>
|
||||
</i> and the GATEWAY address should specify the external address of the
|
||||
NAT gateway.<br>
|
||||
</p>
|
||||
<p align="left">On each system, we will create a zone to represent the
|
||||
remote networks. On System A:<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>ZONE</strong></td>
|
||||
<td><strong>DISPLAY</strong></td>
|
||||
<td><strong>COMMENTS</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn1</td>
|
||||
<td>VPN1</td>
|
||||
<td>Remote Subnet on system B</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">vpn2<br>
|
||||
</td>
|
||||
<td valign="top">VPN2<br>
|
||||
</td>
|
||||
<td valign="top">Remote Subnet on system C<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">On systems B and C:<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>ZONE</strong></td>
|
||||
<td><strong>DISPLAY</strong></td>
|
||||
<td><strong>COMMENTS</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>VPN</td>
|
||||
<td>Remote Subnet on system A</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">At system A, ipsec0 represents two zones so we have the
|
||||
following in /etc/shorewall/interfaces:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong> ZONE</strong></td>
|
||||
<td><strong> INTERFACE</strong></td>
|
||||
<td><strong> BROADCAST</strong></td>
|
||||
<td><strong> OPTIONS</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>-<br>
|
||||
</td>
|
||||
<td>ipsec0</td>
|
||||
<td> </td>
|
||||
<td><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">The /etc/shorewall/hosts file on system A defines the
|
||||
two VPN zones:<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong> ZONE</strong></td>
|
||||
<td><strong> HOSTS</strong><br>
|
||||
</td>
|
||||
<td><strong> OPTIONS</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn1<br>
|
||||
</td>
|
||||
<td>ipsec0:10.0.0.0/16</td>
|
||||
<td><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">vpn2<br>
|
||||
</td>
|
||||
<td valign="top">ipsec0:10.1.0.0/16<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">At systems B and C, ipsec0 represents a single zone so
|
||||
we have the following in /etc/shorewall/interfaces:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong> ZONE</strong></td>
|
||||
<td><strong> INTERFACE</strong></td>
|
||||
<td><strong> BROADCAST</strong></td>
|
||||
<td><strong> OPTIONS</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn<br>
|
||||
</td>
|
||||
<td>ipsec0</td>
|
||||
<td> </td>
|
||||
<td><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
<p align="left">On systems A, you will need to allow traffic between
|
||||
the
|
||||
"vpn1" zone and the "loc" zone as well as between "vpn2" and the
|
||||
"loc" zone -- if you simply want to admit all traffic in both
|
||||
directions,
|
||||
you can use the following policy file entries on all three gateways:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>SOURCE</strong></td>
|
||||
<td><strong>DEST</strong></td>
|
||||
<td><strong>POLICY</strong></td>
|
||||
<td><strong>LOG LEVEL</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>vpn1</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn1</td>
|
||||
<td>loc</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">vpn2<br>
|
||||
</td>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">vpn2<br>
|
||||
</td>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">On systems B and C, you will need to allow traffic
|
||||
between the "vpn" zone and the "loc" zone -- if you simply want to
|
||||
admit
|
||||
all traffic in both directions, you can use the following policy file
|
||||
entries on all three gateways:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>SOURCE</strong></td>
|
||||
<td><strong>DEST</strong></td>
|
||||
<td><strong>POLICY</strong></td>
|
||||
<td><strong>LOG LEVEL</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>vpn</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>loc</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">Once you have the Shorewall entries added, restart
|
||||
Shorewall on each gateway (type shorewall restart); you are now ready
|
||||
to configure the tunnels in <a href="http://www.xs4all.nl/%7Efreeswan/">
|
||||
FreeS/WAN</a> .</p>
|
||||
Note that to allow traffic between the networks attached to systems B
|
||||
and C, it is necessary to simply add two additional entries to the
|
||||
/etc/shorewall/policy file on system A.<br>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>SOURCE</strong></td>
|
||||
<td><strong>DEST</strong></td>
|
||||
<td><strong>POLICY</strong></td>
|
||||
<td><strong>LOG LEVEL</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn1<br>
|
||||
</td>
|
||||
<td>vpn2</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn2</td>
|
||||
<td>vpn1<br>
|
||||
</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
<span style="font-weight: bold;">NOTE: If you find traffic being
|
||||
rejected/dropped in the OUTPUT chain, place the names of the remote VPN
|
||||
zones as a comma-separated list in the GATEWAY ZONE column of the
|
||||
/etc/shorewall/tunnels file
|
||||
entry.</span>
|
||||
<blockquote> </blockquote>
|
||||
<h2><font color="#660066"><a name="RoadWarrior"></a> </font>Mobile
|
||||
System (Road Warrior)</h2>
|
||||
<p>Suppose that you have a laptop system (B) that you take with you
|
||||
when
|
||||
you travel and you want to be able to establish a secure connection
|
||||
back
|
||||
to your local network.</p>
|
||||
<p align="center"><strong><font face="Century Gothic, Arial, Helvetica">
|
||||
<img src="images/Mobile.png" width="677" height="426"> </font></strong></p>
|
||||
<p align="left">You need to define a zone for the laptop or include it
|
||||
in your local zone. In this example, we'll assume that you have created
|
||||
a zone called "vpn" to represent the remote host.</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>ZONE</strong></td>
|
||||
<td><strong>DISPLAY</strong></td>
|
||||
<td><strong>COMMENTS</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>VPN</td>
|
||||
<td>Remote Subnet</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left"> In this instance, the mobile system (B) has IP address
|
||||
134.28.54.2 but that cannot be determined in advance. In the
|
||||
/etc/shorewall/tunnels file on system A, the following entry should be
|
||||
made:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong> TYPE</strong></td>
|
||||
<td><strong> ZONE</strong></td>
|
||||
<td><strong> GATEWAY</strong></td>
|
||||
<td><strong> GATEWAY ZONE</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ipsec</td>
|
||||
<td>net</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>vpn</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>Note that the GATEWAY ZONE column contains the name of the zone
|
||||
corresponding to peer subnetworks. This indicates that the gateway
|
||||
system itself comprises the peer subnetwork; in other words, the remote
|
||||
gateway is a standalone system.</p>
|
||||
<p>You will need to configure /etc/shorewall/interfaces and establish
|
||||
your "through the tunnel" policy as shown under the first example above.<br>
|
||||
</p>
|
||||
<h2><a name="Dynamic"></a>Dynamic RoadWarrior Zones</h2>
|
||||
Beginning with Shorewall release 1.3.10, you can define multiple VPN
|
||||
zones and add and delete remote endpoints dynamically using
|
||||
/sbin/shorewall. In /etc/shorewall/zones:<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ZONE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DISPLAY<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>COMMENTS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">vpn1<br>
|
||||
</td>
|
||||
<td valign="top">VPN-1<br>
|
||||
</td>
|
||||
<td valign="top">First VPN Zone<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">vpn2<br>
|
||||
</td>
|
||||
<td valign="top">VPN-2<br>
|
||||
</td>
|
||||
<td valign="top">Second VPN Zone<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">vpn3<br>
|
||||
</td>
|
||||
<td valign="top">VPN-3<br>
|
||||
</td>
|
||||
<td valign="top">Third VPN Zone<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
In /etc/shorewall/tunnels:<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>TYPE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ZONE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>GATEWAY<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>GATEWAY ZONE<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ipsec<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top">vpn1,vpn2,vpn3<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
When Shorewall is started, the zones vpn[1-3] will all be empty and
|
||||
Shorewall will issue warnings to that effect. These warnings may be
|
||||
safely ignored. FreeS/Wan may now be configured to have three different
|
||||
Road Warrior connections with the choice of connection being based on
|
||||
X-509 certificates or some other means. Each of these connectioins will
|
||||
utilize a different updown script that adds the remote station to the
|
||||
appropriate zone when the connection comes up and that deletes the
|
||||
remote station when the connection comes down. For example, when
|
||||
134.28.54.2 connects for the vpn2 zone the 'up' part of the script will
|
||||
issue the command":<br>
|
||||
<br>
|
||||
<blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
|
||||
</blockquote>
|
||||
and the 'down' part will:<br>
|
||||
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn2<br>
|
||||
<br>
|
||||
</blockquote>
|
||||
<h3>Limitations of Dynamic Zones</h3>
|
||||
If you include a dynamic zone in the exclude list of a DNAT rule, the
|
||||
dynamically-added hosts are not excluded from the rule.<br>
|
||||
<br>
|
||||
Example with dyn=dynamic zone:<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="2">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><u><b>ACTION<br>
|
||||
</b></u></td>
|
||||
<td valign="top"><u><b>SOURCE<br>
|
||||
</b></u></td>
|
||||
<td valign="top"><u><b>DESTINATION<br>
|
||||
</b></u></td>
|
||||
<td valign="top"><u><b>PROTOCOL<br>
|
||||
</b></u></td>
|
||||
<td valign="top"><u><b>PORT(S)<br>
|
||||
</b></u></td>
|
||||
<td valign="top"><u><b>CLIENT<br>
|
||||
PORT(S)<br>
|
||||
</b></u></td>
|
||||
<td valign="top"><u><b>ORIGINAL<br>
|
||||
DESTINATION<br>
|
||||
</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">DNAT<br>
|
||||
</td>
|
||||
<td valign="top">z!dyn<br>
|
||||
</td>
|
||||
<td valign="top">loc:192.168.1.3<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
Dynamic changes to the zone <b>dyn</b> will have no effect on the
|
||||
above rule.
|
||||
<p><font size="2">Last updated 10/292003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
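Review bot: the two policy-table paragraphs in this removed IPSEC page contradict the zone layout they describe, and the page's two operational caveats have no stated new home; if the text is being moved rather than dropped, fix the first and keep the second. At "you can use the following policy file entries on all three gateways" the vpn1/vpn2 table can only apply to system A, because B and C define a single "vpn" zone in /etc/shorewall/interfaces two tables earlier, and the B/C paragraph repeats the same "on all three gateways" wording for a table that fits only B and C. The bold NOTE ("If you find traffic being rejected/dropped in the OUTPUT chain, place the names of the remote VPN zones as a comma-separated list in the GATEWAY ZONE column") and "Limitations of Dynamic Zones" (a `z!dyn` exclusion in a DNAT rule does not exclude hosts added with `shorewall add`, so the rule keeps forwarding their traffic) are the parts an operator most needs from this page; the commit should say where they now live. Minor: "connectioins" and "Last updated 10/292003" are typos, and "Note that the GATEWAY ZONE column contains the name of the zone corresponding to peer subnetworks" explains the column for the single road-warrior zone but not the "vpn1,vpn2,vpn3" form used in the dynamic-zones table.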
|
@ -1,189 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Installation</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">Shorewall Installation and Upgrade<br>
|
||||
</h1>
|
||||
<p align="center"><b>Before upgrading, be sure to review the <a
|
||||
href="upgrade_issues.htm">Upgrade Issues<br>
|
||||
</a></b></p>
|
||||
<div align="left"><b>Before attempting installation, I strongly urge
|
||||
you
|
||||
to read and print a copy of the <a
|
||||
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
|
||||
for the configuration that most closely matches your own.</b><br>
|
||||
</div>
|
||||
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
|
||||
<a href="#Install_Tarball">Install using tarball<br>
|
||||
</a><a href="#LRP">Install the .lrp</a><br>
|
||||
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
|
||||
<a href="#Upgrade_Tarball">Upgrade using tarball<br>
|
||||
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
|
||||
<a href="#Config_Files">Configuring Shorewall</a><br>
|
||||
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
|
||||
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
|
||||
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at
|
||||
a shell prompt, type "/sbin/iptables --version"), you must upgrade to
|
||||
version 1.2.4 either from the <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat
|
||||
update site</a> or from the <a href="errata.htm">Shorewall Errata page</a>
|
||||
before attempting to start Shorewall.</b></p>
|
||||
<ul>
|
||||
<li>Install the RPM (rpm -ivh <shorewall rpm>).<br>
|
||||
<br>
|
||||
<b>Note1: </b>Some SuSE users have encountered a problem
|
||||
whereby rpm reports a conflict with kernel <= 2.2 even though a 2.4
|
||||
kernel is installed. If this happens, simply use the --nodeps option to
|
||||
rpm (rpm -ivh --nodeps <shorewall rpm>.<br>
|
||||
<br>
|
||||
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is
|
||||
dependent on the iproute package. Unfortunately, some distributions
|
||||
call this package iproute2 which will cause the installation of
|
||||
Shorewall to fail with the diagnostic:<br>
|
||||
<br>
|
||||
error: failed dependencies:iproute is needed by
|
||||
shorewall-1.4.x-1 <br>
|
||||
<br>
|
||||
This may be worked around by using the --nodeps option of rpm (rpm -ivh
|
||||
--nodeps <shorewall rpm>).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Edit the <a href="#Config_Files"> configuration files</a> to
|
||||
match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
|
||||
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start"
|
||||
COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START.
|
||||
IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR
|
||||
SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
|
||||
ISSUE
|
||||
A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
|
||||
<li>Start the firewall by typing "shorewall start"</li>
|
||||
</ul>
|
||||
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
|
||||
and install script: </p>
|
||||
<ul>
|
||||
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
|
||||
<li>cd to the shorewall directory (the version is encoded in the
|
||||
directory name as in "shorewall-1.1.10").</li>
|
||||
<li>If you are using <a
|
||||
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
|
||||
href="http://www.redhat.com">RedHat</a>, <a
|
||||
href="http://www.linux-mandrake.com">Mandrake</a>, <a
|
||||
href="http://www.corel.com">Corel</a>, <a
|
||||
href="http://www.slackware.com/">Slackware</a> or <a
|
||||
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
|
||||
<li>If you are using <a href="http://www.suse.com">SuSe</a>
|
||||
then type "./install.sh /etc/init.d"</li>
|
||||
<li>If your distribution has directory /etc/rc.d/init.d or
|
||||
/etc/init.d then type "./install.sh"</li>
|
||||
<li>For other distributions, determine where your distribution
|
||||
installs init scripts and type "./install.sh <init script
|
||||
directory></li>
|
||||
<li>Edit the <a href="#Config_Files"> configuration files</a> to
|
||||
match your configuration.</li>
|
||||
<li>Start the firewall by typing "shorewall start"</li>
|
||||
<li>If the install script was unable to configure Shorewall
|
||||
to be started automatically at boot, see <a
|
||||
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
|
||||
</ul>
|
||||
<p><a name="LRP"></a>To install my version of Shorewall on a fresh
|
||||
Bering disk, simply replace the "shorwall.lrp" file on the image with
|
||||
the file that you downloaded. See the <a href="two-interface.htm">two-interface
|
||||
QuickStart Guide</a> for information about further steps required.</p>
|
||||
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM
|
||||
installed and are upgrading to a new version:</p>
|
||||
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4
|
||||
version or
|
||||
and you have entries in the /etc/shorewall/hosts file then please check
|
||||
your /etc/shorewall/interfaces file to be sure that it contains an
|
||||
entry for each interface mentioned in the hosts file. Also, there are
|
||||
certain 1.2 rule forms that are no longer supported under 1.4 (you must
|
||||
use the new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade
|
||||
issues </a>for details.</p>
|
||||
<ul>
|
||||
<li>Upgrade the RPM (rpm -Uvh <shorewall rpm file>) <b>Note: </b>If
|
||||
you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
|
||||
installed, you must use the "--oldpackage" option to rpm (e.g., "rpm
|
||||
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
|
||||
<p> <b>Note1: </b>Some SuSE users have encountered a problem
|
||||
whereby rpm reports a conflict with kernel <= 2.2 even though a 2.4
|
||||
kernel is installed. If this happens, simply use the --nodeps option to
|
||||
rpm (rpm -Uvh --nodeps <shorewall rpm>).<br>
|
||||
<br>
|
||||
<b>Note3: </b>Beginning with Shorewall 1.4.0, Shorewall is
|
||||
dependent on the iproute package. Unfortunately, some distributions
|
||||
call this package iproute2 which will cause the upgrade of Shorewall to
|
||||
fail with the diagnostic:<br>
|
||||
<br>
|
||||
error: failed dependencies:iproute is needed by
|
||||
shorewall-1.4.0-1 <br>
|
||||
<br>
|
||||
This may be worked around by using the --nodeps option of rpm (rpm
|
||||
-Uvh --nodeps <shorewall rpm>). </p>
|
||||
</li>
|
||||
<li>See if there are any incompatibilities between your configuration
|
||||
and the new Shorewall version (type "shorewall check") and correct as
|
||||
necessary.</li>
|
||||
<li>Restart the firewall (shorewall restart).</li>
|
||||
</ul>
|
||||
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall
|
||||
installed
|
||||
and are upgrading to a new version using the tarball:</p>
|
||||
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4
|
||||
version
|
||||
and you have entries in the /etc/shorewall/hosts file then please check
|
||||
your /etc/shorewall/interfaces file to be sure that it contains an
|
||||
entry
|
||||
for each interface mentioned in the hosts file. Also, there are
|
||||
certain
|
||||
1.2 rule forms that are no longer supported under 1.4 (you must use the
|
||||
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
|
||||
for details. </p>
|
||||
<ul>
|
||||
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
|
||||
<li>cd to the shorewall directory (the version is encoded in the
|
||||
directory name as in "shorewall-3.0.1").</li>
|
||||
<li>If you are using <a
|
||||
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
|
||||
href="http://www.redhat.com">RedHat</a>, <a
|
||||
href="http://www.linux-mandrake.com">Mandrake</a>, <a
|
||||
href="http://www.corel.com">Corel</a>, <a
|
||||
href="http://www.slackware.com/">Slackware</a> or <a
|
||||
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
|
||||
<li>If you are using<a href="http://www.suse.com"> SuSe</a>
|
||||
then type "./install.sh /etc/init.d"</li>
|
||||
<li>If your distribution has directory /etc/rc.d/init.d or
|
||||
/etc/init.d then type "./install.sh"</li>
|
||||
<li>For other distributions, determine where your distribution
|
||||
installs init scripts and type "./install.sh <init script
|
||||
directory></li>
|
||||
<li>See if there are any incompatibilities between your configuration
|
||||
and the new Shorewall version (type "shorewall check") and correct as
|
||||
necessary.</li>
|
||||
<li>Restart the firewall by typing "shorewall restart"</li>
|
||||
</ul>
|
||||
<a name="LRP_Upgrade"></a>If you already have a running
|
||||
Bering installation and wish to upgrade to a later version of Shorewall:<br>
|
||||
<br>
|
||||
<b>UNDER CONSTRUCTION...</b><br>
|
||||
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
|
||||
<p>You will need to edit some or all of the configuration files to
|
||||
match your setup. In most cases, the <a
|
||||
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</a>
|
||||
contain all of the information you need.</p>
|
||||
<ul>
|
||||
</ul>
|
||||
<p><font size="2">Updated 4/8/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
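Review bot: the removed installation page is the only text here that says what happens when a first start fails, and the recovery command it prescribes is given without saying what state it leaves the host in; whatever replaces the page should keep the red warning ("IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC") and add that `shorewall clear` removes the filtering rather than restoring a known-good configuration, so it is a console-side recovery step and not a fix. Two smaller points in the same hunk: both RPM notes tell the reader to pass `--nodeps` to get past the iproute/iproute2 package-name mismatch, which also suppresses every other dependency check, so the text should say to confirm `ip` is present before `shorewall start`; and the upgrade text carries leftover edits ("to a 1.4 version or and you have entries", "Note1" followed directly by "Note3", a "shorewall-3.0.1" example directory beside "shorewall-1.1.10", and the `LRP_Upgrade` section that is still "UNDER CONSTRUCTION" while linked from the table of contents at the top).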
|
@ -1,104 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<title>MAC Verification</title>
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<br>
|
||||
<h1 style="text-align: center;">MAC Verification<br>
|
||||
</h1>
|
||||
All traffic from an interface or from a subnet on an interface can be
|
||||
verified to originate from a defined set of MAC addresses. Furthermore,
|
||||
each MAC address may be optionally associated with one or more IP
|
||||
addresses. <br>
|
||||
<br>
|
||||
<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC -
|
||||
module name ipt_mac.o).</b><br>
|
||||
<br>
|
||||
There are four components to this facility.<br>
|
||||
<ol>
|
||||
<li>The <b>maclist</b> interface option in <a
|
||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
|
||||
When
|
||||
this option is specified, all traffic arriving on the interface is
|
||||
subjet
|
||||
to MAC verification.</li>
|
||||
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
|
||||
When this option is specified for a subnet, all traffic from that
|
||||
subnet is subject to
|
||||
MAC verification.</li>
|
||||
<li>The /etc/shorewall/maclist file. This file is used to associate
|
||||
MAC addresses with interfaces and to optionally associate IP addresses
|
||||
with MAC addresses.</li>
|
||||
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
|
||||
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
|
||||
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
|
||||
and determines the disposition of connection requests that fail MAC
|
||||
verification. The MACLIST_LOG_LEVEL variable gives the syslogd level at
|
||||
which connection requests that fail verification are to be logged. If
|
||||
set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing
|
||||
connection requests are not logged.<br>
|
||||
</li>
|
||||
</ol>
|
||||
The columns in /etc/shorewall/maclist are:<br>
|
||||
<ul>
|
||||
<li>INTERFACE - The name of an ethernet interface on the Shorewall
|
||||
system.</li>
|
||||
<li>MAC - The MAC address of a device on the ethernet segment
|
||||
connected by INTERFACE. It is not necessary to use the Shorewall MAC
|
||||
format in this column although you may use that format if you so choose.</li>
|
||||
<li>IP Address - An optional comma-separated list of IP addresses for
|
||||
the device whose MAC is listed in the MAC column.</li>
|
||||
</ul>
|
||||
<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a>
|
||||
for details about my setup):</h3>
|
||||
<b>/etc/shorewall/shorewall.conf:<br>
|
||||
</b>
|
||||
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
|
||||
<b>/etc/shorewall/interfaces:</b><br>
|
||||
<blockquote>
|
||||
<pre>#ZONE INTERFACE BROADCAST OPTIONS<br>net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc eth2 192.168.1.255 dhcp<br>dmz eth1 192.168.2.255<br>WiFi eth3 192.168.3.255 dhcp,maclist<br>- texas 192.168.9.255</pre>
|
||||
</blockquote>
|
||||
<b>/etc/shorewall/maclist:</b><br>
|
||||
<blockquote>
|
||||
<pre>#INTERFACE MAC IP ADDRESSES (Optional)<br>eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop<br>eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11<br>eth3 00:06:25:56:33:3c 192.168.3.225,192.168.3.8 #WET11<br>eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER</pre>
|
||||
</blockquote>
|
||||
As shown above, I use MAC Verification on my wireless zone.<br>
|
||||
<br>
|
||||
<b>Note: </b>While marketed as a wireless bridge, the WET11 behaves
|
||||
like a wireless router with DHCP relay. When forwarding DHCP traffic,
|
||||
it uses the
|
||||
MAC address of the host (TIPPER) but for other forwarded traffic it
|
||||
uses it's
|
||||
own MAC address. Consequently, I list the IP addresses of both devices
|
||||
in
|
||||
/etc/shorewall/maclist.<br>
|
||||
<h3>Example 2: Router in Wireless Zone</h3>
|
||||
Suppose now that I add a second wireless segment to my wireless zone
|
||||
and gateway that segment via a router with MAC address
|
||||
00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
|
||||
segment have IP addresses in the subnet 192.168.4.0/24. I would add the
|
||||
following entry to my /etc/shorewall/maclist file:<br>
|
||||
<pre> eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24<br></pre>
|
||||
This entry accomodates traffic from the router itself (192.168.3.253)
|
||||
and from the second wireless segment (192.168.4.0/24). Remember that
|
||||
all traffic being sent to my firewall from the 192.168.4.0/24 segment
|
||||
will be forwarded by the router so that traffic's MAC address will be
|
||||
that of the router (00:06:43:45:C6:15) and not that of the host sending
|
||||
the traffic.
|
||||
<p><font size="2"> Updated 6/30/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
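Review bot: Example 2 in the removed MAC Verification page shows that maclist only ever sees the MAC of the directly attached device, yet the opening sentence ("All traffic from an interface or from a subnet on an interface can be verified to originate from a defined set of MAC addresses") leaves the reader thinking hosts on 192.168.4.0/24 are verified individually; if this text is migrated, state next to the entry `eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24` that every host behind that router is admitted on the router's MAC and that maclist cannot tell them apart. The page also never says whether maclist is meant as authentication of the WiFi zone or as a filter on cooperating devices; since the check, as the Example 2 paragraph itself explains, relies on whatever MAC the adjacent device presents, the text should say which it is, next to the kernel requirement. Minor: "subjet", "accomodates" and "it's own MAC address" are typos, the column list names the third column "IP Address" while both examples label it "IP ADDRESSES (Optional)", and the footer says "Updated 6/30/2002" under a 2001-2003 copyright.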
|
@ -1,98 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall NAT</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
<br>
|
||||
<h1 style="text-align: center;">Static NAT<br>
|
||||
</h1>
|
||||
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
|
||||
ports to servers behind your firewall, you do NOT want to use static
|
||||
NAT. Port forwarding can be accomplished with simple entries in the <a
|
||||
href="Documentation.htm#Rules">rules file</a>.</b></font></p>
|
||||
<blockquote> </blockquote>
|
||||
<p>Static NAT is a way to make systems behind a firewall and configured
|
||||
with private IP addresses (those reserved for private use in RFC1918)
|
||||
appear to have public IP addresses. Before you try to use this
|
||||
technique, I strongly recommend that you read the <a
|
||||
href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
|
||||
<blockquote> </blockquote>
|
||||
<p>The following figure represents a static NAT environment.</p>
|
||||
<blockquote>
|
||||
<p align="center"><strong> <img src="images/staticnat.png"
|
||||
width="435" height="397"> </strong></p>
|
||||
<blockquote> </blockquote>
|
||||
</blockquote>
|
||||
<p align="left">Static NAT can be used to make the systems with the
|
||||
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If
|
||||
we assume that the interface to the upper subnet is eth0, then the
|
||||
following /etc/shorewall/NAT file would make the lower left-hand system
|
||||
appear to have IP address 130.252.100.18 and the right-hand one to have
|
||||
IP address 130.252.100.19.</p>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>EXTERNAL</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>INTERNAL</b></td>
|
||||
<td><b>ALL INTERFACES</b></td>
|
||||
<td><b>LOCAL</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.18</td>
|
||||
<td>eth0</td>
|
||||
<td>10.1.1.2</td>
|
||||
<td>yes</td>
|
||||
<td>yes</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.19</td>
|
||||
<td>eth0</td>
|
||||
<td>10.1.1.3</td>
|
||||
<td>yes</td>
|
||||
<td>yes</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
|
||||
above example) is (are) not included in any specification in
|
||||
/etc/shorewall/masq or /etc/shorewall/proxyarp.</p>
|
||||
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is
|
||||
used to specify whether access to the external IP from all firewall
|
||||
interfaces should undergo NAT (Yes or yes) or if only access from the
|
||||
interface in the INTERFACE column should undergo NAT. If you leave this
|
||||
column empty, "Yes" is assumed. The ALL INTERFACES column was
|
||||
added in version 1.1.6.</p>
|
||||
<p>Note 2: Shorewall will automatically add the external address to the
|
||||
specified interface unless you specify <a
|
||||
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
|
||||
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or
|
||||
if you set it to "Yes" or "yes" then you must NOT configure your own
|
||||
alias(es). <b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6
|
||||
can only add external addresses to an interface that is configured with
|
||||
a single subnetwork -- if your external interface has addresses in more
|
||||
than one subnetwork,
|
||||
Shorewall 1.4.5 and earlier can only add addresses to the first one.</p>
|
||||
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL"
|
||||
column determine whether packets originating on the firewall itself and
|
||||
destined for the EXTERNAL address are redirected to the internal
|
||||
ADDRESS. If this column contains "yes" or "Yes" (and the ALL INTERFACES
|
||||
COLUMN
|
||||
also contains "Yes" or "yes") then such packets are redirected;
|
||||
otherwise,
|
||||
such packets are not redirected. The LOCAL column was added in version
|
||||
1.1.8.</p>
|
||||
<blockquote> </blockquote>
|
||||
<p><font size="2">Last updated 7/6/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
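Review bot: the IMPORTANT box at the top of the removed Static NAT page ("If all you want to do is forward ports to servers behind your firewall, you do NOT want to use static NAT") gives no reason, and nothing on the page says that a nat entry translates the whole address, leaving what the internal host exposes to the net-to-loc policy and rules rather than to the nat file; that is the sentence that would stop someone pairing a static NAT entry with a permissive policy, and the replacement text should carry it. Two smaller points: Note 3 says LOCAL is honoured only when ALL INTERFACES "also contains "Yes" or "yes"", while Note 1 says an empty ALL INTERFACES column is treated as "Yes", so the text should state whether an empty column satisfies the Note 3 condition; and the RESTRICTION sentence in Note 2 states the same bound twice ("versions earlier than 1.4.6" and "Shorewall 1.4.5 and earlier"). Note 3 also calls the target "the internal ADDRESS" while the table header names the column INTERNAL, and "Be sure that the internal system(s) ... is (are) not included in any specification in /etc/shorewall/masq or /etc/shorewall/proxyarp" would be easier to follow with a one-clause reason.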
|
@ -1,232 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>OpenVPN Tunnels</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">OpenVPN Tunnels<br>
|
||||
</h1>
|
||||
<p>OpenVPN is a robust and highly configurable VPN (Virtual Private
|
||||
Network) daemon which can be used to securely link two or more private
|
||||
networks using an encrypted tunnel over the internet. OpenVPN is an
|
||||
Open Source project and is <a
|
||||
href="http://openvpn.sourceforge.net/license.html">licensed under the
|
||||
GPL</a>. OpenVPN can be downloaded from <a
|
||||
href="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</a>.<br>
|
||||
</p>
|
||||
<p>OpenVPN support was added to Shorewall in version 1.3.14.<br>
|
||||
</p>
|
||||
<h2>Bridging two Masqueraded Networks</h2>
|
||||
<p>Suppose that we have the following situation:</p>
|
||||
<p align="center"><img border="0" src="images/TwoNets1.png" width="745"
|
||||
height="427"> </p>
|
||||
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
|
||||
able to communicate with the systems in the 10.0.0.0/8 network. This is
|
||||
accomplished through use of the /etc/shorewall/tunnels file and the
|
||||
/etc/shorewall/policy file and OpenVPN.</p>
|
||||
<p align="left">While it was possible to use the Shorewall start and
|
||||
stop script to start and stop OpenVPN, I decided to use the init script
|
||||
of OpenVPN to start and stop it.</p>
|
||||
<p align="left">On each firewall, you will need to declare a zone to
|
||||
represent the remote subnet. We'll assume that this zone is called
|
||||
'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
|
||||
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
zone.
In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>vpn</td>
<td>tun0</td>
<td><br>
</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the
following:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>openvpn</td>
<td>net</td>
<td>134.28.54.2</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels opens the firewall so that
OpenVPN traffic on the default port 5000/udp will be accepted to/from
the remote gateway. If you change the port used by OpenVPN to 7777, you
can define /etc/shorewall/tunnels like this:<br>
</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>openvpn:7777</td>
<td>net</td>
<td>134.28.54.2</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>This is the OpenVPN config on system A:</p>
<blockquote>
<p></p>
</blockquote>
<blockquote>
<p>dev tun<br>
local 206.162.148.9<br>
remote 134.28.54.2<br>
ifconfig 192.168.99.1 192.168.99.2<br>
up ./route-a.up<br>
tls-server<br>
dh dh1024.pem<br>
ca ca.crt<br>
cert my-a.crt<br>
key my-a.key<br>
comp-lzo<br>
verb 5<br>
</p>
</blockquote>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>vpn</td>
<td>tun0</td>
<td>192.168.1.255</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>In /etc/shorewall/tunnels on system B, we have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>openvpn</td>
<td>net</td>
<td>206.191.148.9</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>And in the OpenVPN config on system B:</p>
<blockquote>
<p>dev tun<br>
local 134.28.54.2<br>
remote 206.162.148.9<br>
ifconfig 192.168.99.2 192.168.99.1<br>
up ./route-b.up<br>
tls-client<br>
ca ca.crt<br>
cert my-b.crt<br>
key my-b.key<br>
comp-lzo<br>
verb 5<br>
</p>
</blockquote>
<p align="left">You will need to allow traffic between the "vpn" zone
and the "loc" zone on both systems -- if you simply want to admit all
traffic in both directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td> </td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>On both systems, restart Shorewall and start OpenVPN. The systems in
the two masqueraded subnetworks can now talk to each other.</p>
<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font>
<small>and Simon Mater</small><br>
</p>
<p><font size="2"> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep. and Simon Mater<br>
</font></a></font></p>
<br>
<br>
<br>
<br>
</body>
</html>
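Review bot: the GATEWAY in system B's /etc/shorewall/tunnels entry is 206.191.148.9, but system A's OpenVPN config says "local 206.162.148.9" and system B's config says "remote 206.162.148.9"; since the tunnels entry is what opens 5000/udp to and from the remote gateway, the two addresses have to agree, so whatever page replaces this file should carry one consistent address for system A. The commit message ("Remove documentation") gives no pointer to where the OpenVPN walkthrough (zones, interfaces, tunnels, policy) now lives; naming the successor page would let a reviewer confirm that nothing was dropped. Minor: the empty <blockquote><p></p></blockquote> ahead of the system A config is stray markup that need not be carried forward.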
@ -1,885 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall PPTP</title>
</head>
<body>
<h1 style="text-align: center;">PPTP<br>
</h1>
<h4>NOTE: I am no longer attempting to maintain MPPE patches for
current
Linux kernel's and pppd. I recommend that you refer to the following
URLs
for information about installing MPPE into your kernel and pppd.</h4>
<h4>The <a href="http://pptpclient.sourceforge.net">Linux PPTP client
project
</a>has a nice GUI for configuring and managing VPN connections where
your
Linux system is the PPTP client. This is what I currently use. I am no
longer
running PoPToP but rather I use the PPTP Server included with XP
Professional
(see <a href="#ServerBehind">PPTP Server running behind your Firewall</a>
below).</h4>
<a href="http://pptpclient.sourceforge.net">http://pptpclient.sourceforge.net</a>
(Everything you need to run a PPTP client).<br>
<a href="http://www.poptop.org">http://www.poptop.org</a>
(The 'kernelmod'
package can be used to quickly install MPPE into your kernel without
rebooting).<br>
<h4>I am leaving the instructions for building MPPE-enabled kernels and
pppd
in the text below for those who may wish to obtain the relevant current
patches
and "roll their own".<br>
</h4>
<hr width="100%" size="2">
<p align="left">Shorewall easily supports PPTP in a number of
configurations:</p>
<ul>
<li> <a href="#ServerFW">PPTP Server running on your Firewall</a></li>
<li> <a href="#ServerBehind">PPTP Server running behind your
Firewall.</a></li>
<li> <a href="#ClientsBehind">PPTP Clients running behind your
Firewall.</a></li>
<li> <a href="#ClientFW">PPTP Client running on your Firewall.</a></li>
<li><a href="#PPTP_ADSL">PPTP Client running on your Firewall with
PPTP
Server in an ADSL Modem</a></li>
</ul>
<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on
your
Firewall</h2>
<p>I will try to give you an idea of how to set up a PPTP server on
your
firewall system. This isn't a detailed HOWTO but rather an example of
how
I have set up a working PPTP server on my own firewall.</p>
<p>The steps involved are:</p>
<ol>
<li><a href="#PatchPppd">Patching and building pppd</a></li>
<li><a href="#PatchKernel">Patching and building your Kernel</a></li>
<li><a href="#Samba">Configuring Samba</a></li>
<li><a href="#ConfigPppd">Configuring pppd</a></li>
<li><a href="#ConfigPptpd">Configuring pptpd</a></li>
<li><a href="#ConfigFw">Configuring Shorewall</a></li>
</ol>
<h3><a name="PatchPppd"></a>Patching and Building pppd</h3>
<p>To run pppd on a 2.4 kernel, you need the pppd 2.4.1 or later. The
primary
site for releases of pppd is <a href="ftp://ftp.samba.org/pub/ppp">ftp://ftp.samba.org/pub/ppp</a>.</p>
<p>You will need the following patches:</p>
<ul>
<li> <a
href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz</a></li>
<li><a
href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz</a></li>
</ul>
<p>You may also want the following patch if you want to require remote
hosts
to use encryption:</p>
<ul>
<li><a
href="ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff">ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff</a></li>
</ul>
<p>Un-tar the pppd source and uncompress the patches into one directory
(the
patches and the ppp-2.4.1 directory are all in a single parent
directory):</p>
<ul>
<li>cd ppp-2.4.1</li>
<li>patch -p1 < ../ppp-2.4.0-openssl-0.9.6-mppe.patch</li>
<li>patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch</li>
<li>(Optional) patch -p1 < ../require-mppe.diff</li>
<li>./configure</li>
<li>make</li>
</ul>
<p>You will need to install the resulting binary on your firewall
system.
To do that, I NFS mount my source filesystem and use "make install"
from
the ppp-2.4.1 directory.</p>
<h3><a name="PatchKernel"></a>Patching and Building your Kernel</h3>
<p>You will need one of the following patches depending on your kernel
version:</p>
<ul>
<li> <a
href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz</a></li>
<li> <a
href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz">http://www.shorewall/net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz</a></li>
</ul>
<p>Uncompress the patch into the same directory where your top-level
kernel
source is located and:</p>
<ul>
<li>cd <your GNU/Linux source top-level directory></li>
<li>patch -p1 < ../linux-2.4.16-openssl-0.9.6b-mppe.patch</li>
</ul>
<p>Now configure your kernel. Here is my ppp configuration:</p>
<blockquote>
<p><img border="0" src="images/ppp.jpg" width="592" height="734"> </p>
</blockquote>
<h3><a name="Samba"></a>Configuring Samba</h3>
<p>You will need a WINS server (Samba configured to run as a WINS
server
is fine). Global section from /etc/samba/smb.conf on my WINS server
(192.168.1.3)
is:</p>
<blockquote>
<pre>[global]<br> workgroup = TDM-NSTOP<br> netbios name = WOOKIE<br> server string = GNU/Linux Box<br> encrypt passwords = Yes<br> log file = /var/log/samba/%m.log<br> max log size = 0<br> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192<br> os level = 65<br> domain master = True<br> preferred master = True<br> dns proxy = No<br> wins support = Yes<br> printing = lprng<br><br>[homes]<br> comment = Home Directories<br> valid users = %S<br> read only = No<br> create mask = 0664<br> directory mask = 0775<br><br>[printers]<br> comment = All Printers<br> path = /var/spool/samba<br> printable = Yes</pre>
</blockquote>
<h3><a name="ConfigPppd"></a>Configuring pppd</h3>
<p>Here is a copy of my /etc/ppp/options.poptop file:</p>
<blockquote>
<p><font face="Courier" size="2">ipparam PoPToP<br>
lock<br>
mtu 1490<br>
mru 1490<br>
ms-wins 192.168.1.3<br>
ms-dns 206.124.146.177<br>
multilink<br>
proxyarp<br>
auth<br>
+chap<br>
+chapms<br>
+chapms-v2<br>
ipcp-accept-local<br>
ipcp-accept-remote<br>
lcp-echo-failure 30<br>
lcp-echo-interval 5<br>
deflate 0<br>
mppe-128<br>
mppe-stateless<br>
require-mppe<br>
require-mppe-stateless</font></p>
</blockquote>
<p>Notes:</p>
<ul>
<li>System 192.168.1.3 acts as a WINS server so I have included that
IP
as the 'ms-wins' value.</li>
<li>I have pointed the remote clients at my DNS server -- it has
external
address 206.124.146.177.</li>
<li>I am requiring 128-bit stateless compression (my kernel is built
with
the 'require-mppe.diff' patch mentioned above.</li>
</ul>
<p>Here's my /etc/ppp/chap-secrets:</p>
<blockquote>
<p><font face="Courier" size="2"> Secrets for authentication using
CHAP<br>
# client
server secret IP addresses<br>
CPQTDM\\TEastep *
<shhhhhh> 192.168.1.7<br>
TEastep
* <shhhhhh>
192.168.1.7</font></p>
</blockquote>
<p>I am the only user who connects to the server but I may connect
either
with or without a domain being specified. The system I connect from is
my
laptop so I give it the same IP address when tunneled in at it has when
I
use its wireless LAN card around the house.</p>
<p>You will also want the following in /etc/modules.conf:</p>
<pre> alias ppp-compress-18 ppp_mppe<br> alias ppp-compress-21 bsd_comp<br> alias ppp-compress-24 ppp_deflate<br> alias ppp-compress-26 ppp_deflate</pre>
<h3><a name="ConfigPptpd"></a>Configuring pptpd</h3>
<p>PoPTop (pptpd) is available from <a href="http://poptop.lineo.com/">http://poptop.lineo.com/</a>.</p>
<p>Here is a copy of my /etc/pptpd.conf file:</p>
<blockquote>
<p><font face="Courier" size="2">option /etc/ppp/options.poptop<br>
speed 115200<br>
localip 192.168.1.254<br>
remoteip 192.168.1.33-38</font></p>
</blockquote>
<p>Notes:</p>
<ul>
<li>I specify the /etc/ppp/options.poptop file as my ppp options file
(I
have several).</li>
<li>The local IP is the same as my internal interface's
(192.168.1.254).</li>
<li>I have assigned a remote IP range that overlaps my local network.
This,
together with 'proxyarp' in my /etc/ppp/options.poptop file make the
remote
hosts look like they are part of the local subnetwork.</li>
</ul>
<p>I use this file to start/stop pptpd -- I have this in
/etc/init.d/pptpd:</p>
<blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br>
#<br>
# /etc/rc.d/init.d/pptpd<br>
#<br>
# chkconfig: 5 12 85<br>
# description: control pptp server<br>
#<br>
<br>
case "$1" in<br>
start)<br>
echo 1 > /proc/sys/net/ipv4/ip_forward<br>
modprobe ppp_async<br>
modprobe ppp_generic<br>
modprobe ppp_mppe<br>
modprobe slhc<br>
if /usr/local/sbin/pptpd; then<br>
touch /var/lock/subsys/pptpd<br>
fi<br>
;;<br>
stop)<br>
killall pptpd<br>
rm -f /var/lock/subsys/pptpd<br>
;;<br>
restart)<br>
killall pptpd<br>
if /usr/local/sbin/pptpd; then<br>
touch /var/lock/subsys/pptpd<br>
fi<br>
;;<br>
status)<br>
ifconfig<br>
;;<br>
*)<br>
echo "Usage: $0 {start|stop|restart|status}"<br>
;;<br>
esac</font></p>
</blockquote>
<h3><a name="ConfigFw"></a>Configuring Shorewall</h3>
<p>Often there will be situations where you want multiple connections
from remote networks with these networks having different firewalling
requirements.<br>
</p>
<div style="text-align: center;"><img src="images/MultiPPTP.png"
title="" alt="" style="width: 846px; height: 544px;"><br>
</div>
<p>Here's how you configure this in Shorewall:<br>
</p>
<h4>/etc/shorewall/zones:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>DISPLAY</b></td>
<td><b>COMMENTS</b></td>
</tr>
<tr>
<td>net</td>
<td>Internet</td>
<td>The Internet</td>
</tr>
<tr>
<td>loc</td>
<td>Local</td>
<td>Local Network <br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">vpn1</td>
<td style="vertical-align: top;">Remote1<br>
</td>
<td style="vertical-align: top;">Remote Network 1<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">vpn2<br>
</td>
<td style="vertical-align: top;">Remote2<br>
</td>
<td style="vertical-align: top;">Remote Network 2<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">vpn3<br>
</td>
<td style="vertical-align: top;">Remote3<br>
</td>
<td style="vertical-align: top;">Remote Network 3<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/interfaces:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>net</td>
<td>eth0</td>
<td>206.124.146.255</td>
<td>norfc1918</td>
</tr>
<tr>
<td>loc</td>
<td>eth2</td>
<td>192.168.10.255</td>
<td> </td>
</tr>
<tr>
<td>-</td>
<td>ppp+</td>
<td> -</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/hosts:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>HOST(S)</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>loc</td>
<td>eth2:192.168.1.0/24</td>
<td><br>
</td>
</tr>
<tr>
<td>vpn1<br>
</td>
<td>ppp+:192.168.1.0/24</td>
<td> </td>
</tr>
<tr>
<td style="vertical-align: top;">vpn2<br>
</td>
<td style="vertical-align: top;">ppp+:192.168.2.0/24<br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">vpn3<br>
</td>
<td style="vertical-align: top;">ppp+:192.168.3.0/24<br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
Your policies and rules can now be configured using separate zones
(vpn1, vpn2, and vpn3) for the three remote network.<br>
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running
Behind
your Firewall</h2>
<p>If you have a single external IP address, add the following to your
/etc/shorewall/rules file:</p>
<font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i><server address></i></td>
<td>tcp</td>
<td>1723</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i><server address></i></td>
<td>47</td>
<td>-</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
<p>If you have multiple external IP address and you want to forward a
single
<i><external address>, </i>add the following to your
/etc/shorewall/rules
file:</p>
<p> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i><server address></i></td>
<td>tcp</td>
<td>1723</td>
<td>-</td>
<td><i><external address></i></td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i><server address></i></td>
<td>47</td>
<td>-</td>
<td>-</td>
<td><i><external address></i></td>
</tr>
</tbody>
</table>
</p>
<h2 align="center"><a name="ClientsBehind"></a>3. PPTP Clients Running
Behind
your Firewall</h2>
<p>You shouldn't have to take any special action for this case unless
you
wish to connect multiple clients to the same external server. In that
case,
you will need to follow the instructions at <a
href="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</a>.
I recommend that you also add these two lines to your
/etc/shorewall/modules
file: </p>
<blockquote>
<p>loadmodule ip_conntrack_pptp<br>
loadmodule ip_nat_pptp </p>
</blockquote>
<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on
your
Firewall.</h2>
<p align="left">The PPTP GNU/Linux client is available at <a
href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.
Rather than use the configuration script that comes with the client, I
built
my own. I also build my own kernel <a href="#PatchKernel">as described
above</a>
rather than using the mppe package that is available with the client.
My
/etc/ppp/options file is mostly unchanged from what came with the
client
(see below).</p>
<p>The key elements of this setup are as follows: </p>
<ol>
<li>Define a zone for the remote network accessed via PPTP.</li>
<li>Associate that zone with a ppp interface.</li>
<li>Define rules for PPTP traffic to/from the firewall.</li>
<li>Define rules for traffic two and from the remote zone.</li>
</ol>
<p>Here are examples from my setup:</p>
<h4>/etc/shorewall/zones</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>DISPLAY</b></td>
<td><b>COMMENTS</b></td>
</tr>
<tr>
<td>cpq</td>
<td>Compaq</td>
<td>Compaq Intranet</td>
</tr>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/interfaces</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>-</td>
<td>ppp+</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/hosts</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>HOST(S)</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>-</td>
<td>ppp+:!192.168.1.0/24</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/rules (For Shorewall versions up to and including
1.3.9b)</h4>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>1723</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>47</td>
<td>-</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p><b>/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later)<br>
</b></p>
<blockquote>
<table cellpadding="2" cellspacing="2" border="1"
style="border-collapse: collapse;">
<tbody>
<tr>
<td valign="top"><b>TYPE<br>
</b></td>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>GATEWAY<br>
</b></td>
<td valign="top"><b>GATEWAY ZONE<br>
</b></td>
</tr>
<tr>
<td valign="top">pptpclient<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<p>I use the combination of interface and hosts file to define the
'cpq'
zone because I also run a PPTP server on my firewall (see above). Using
this technique allows me to distinguish clients of my own PPTP server
from arbitrary
hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP
clients
and Compaq doesn't use that RFC1918 Class C subnet. </p>
<p>I use this script in /etc/init.d to control the client. The reason
that
I disable ECN when connecting is that the Compaq tunnel servers don't
do
ECN yet and reject the initial TCP connection request if I enable ECN
:-(
</p>
<blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br>
#<br>
# /etc/rc.d/init.d/pptp<br>
#<br>
# chkconfig: 5 60 85<br>
# description: PPTP Link Control<br>
#<br>
NAME="Tandem"<br>
ADDRESS=tunnel-tandem.compaq.com<br>
USER='Tandem\tommy'<br>
ECN=0<br>
DEBUG=<br>
<br>
start_pptp() {<br>
echo $ECN > /proc/sys/net/ipv4/tcp_ecn<br>
if /usr/sbin/pptp $ADDRESS user $USER noauth $DEBUG;
then<br>
touch /var/lock/subsys/pptp<br>
echo "PPTP Connection to
$NAME Started"<br>
fi<br>
}<br>
<br>
stop_pptp() {<br>
if killall /usr/sbin/pptp 2> /dev/null; then<br>
echo "Stopped pptp"<br>
else<br>
rm -f /var/run/pptp/*<br>
fi<br>
<br>
# if killall pppd; then<br>
# echo "Stopped pppd"<br>
# fi<br>
<br>
rm -f /var/lock/subsys/pptp<br>
<br>
echo 1 > /proc/sys/net/ipv4/tcp_ecn<br>
}<br>
<br>
<br>
case "$1" in<br>
start)<br>
echo "Starting PPTP Connection to ${NAME}..."<br>
start_pptp<br>
;;<br>
stop)<br>
echo "Stopping $NAME PPTP Connection..."<br>
stop_pptp<br>
;;<br>
restart)<br>
echo "Restarting $NAME PPTP Connection..."<br>
stop_pptp<br>
start_pptp<br>
;;<br>
status)<br>
ifconfig<br>
;;<br>
*)<br>
echo "Usage: $0 {start|stop|restart|status}"<br>
;;<br>
esac<br>
</font> </p>
</blockquote>
<p>Here's my /etc/ppp/options file: </p>
<blockquote>
<p><font face="Courier" size="2">#<br>
# Identify this connection<br>
#<br>
ipparam Compaq<br>
#<br>
# Lock the port<br>
#<br>
lock<br>
#<br>
# We don't need the tunnel server to authenticate itself<br>
#<br>
noauth<br>
<br>
+chap<br>
+chapms<br>
+chapms-v2<br>
<br>
multilink<br>
mrru 1614<br>
#<br>
# Turn off transmission protocols we know won't be used<br>
#<br>
nobsdcomp<br>
nodeflate<br>
<br>
#<br>
# We want MPPE<br>
#<br>
mppe-128<br>
mppe-stateless<br>
<br>
#<br>
# We want a sane mtu/mru<br>
#<br>
mtu 1000<br>
mru 1000<br>
<br>
#<br>
# Time this thing out of it goes poof<br>
#<br>
lcp-echo-failure 10<br>
lcp-echo-interval 10</font> </p>
</blockquote>
<p>My /etc/ppp/ip-up.local file sets up the routes that I need to route
Compaq
traffic through the PPTP tunnel: </p>
<blockquote>
<p><font face="Courier" size="2">#/bin/sh<br>
<br>
case $6 in<br>
Compaq)<br>
route add -net 16.0.0.0 netmask 255.0.0.0 gw $5 $1<br>
route add -net 130.252.0.0 netmask 255.255.0.0 gw $5
$1<br>
route add -net 131.124.0.0 netmask 255.255.0.0 gw $5
$1<br>
...<br>
;;<br>
esac</font></p>
</blockquote>
<p>Finally, I run the following script every five minutes under crond
to
restart the tunnel if it fails:</p>
<pre> #!/bin/sh<br> restart_pptp() {<br> /sbin/service pptp stop<br> sleep 10<br> if /sbin/service pptp start; then<br> /usr/bin/logger "PPTP Restarted"<br> fi<br> }<br><br> if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then<br> exit 0<br> fi<br><br> echo "Attempting to restart PPTP"<br><br> restart_pptp > /dev/null 2>&1 &<br><br><a
href="ftp://ftp.shorewall.net/pub/shorewall/misc/Vonau">Here's a scriptand corresponding ip-up.local </a>from <a
href="mailto:jvonau@home.com">Jerry Vonau </a>that controls two PPTP connections.<br></pre>
<h2 style="text-align: center;"><a name="PPTP_ADSL"></a>5. PPTP Client
running
on your Firewall with PPTP Server in an ADSL Modem</h2>
Some ADSL systems in Europe (most notably in Austria) feature a PPTP
server built into an ADSL "Modem".
In this setup, an ethernet interface is dedicated to supporting the
PPTP tunnel between the firewall and the "Modem" while the actual
internet access is through PPTP (interface ppp0). If you have this type
of setup, you need to modify the sample configuration
that you downloaded as described in this section. <span
style="font-weight: bold;">These changes are <span
style="text-decoration: underline;">in addition</span> to those
described in the <a href="shorewall_quickstart_guide.htm">QuickStart
Guides</a>.</span><br>
<br>
Lets assume the following:<br>
<ul>
<li>ADSL Modem connected through eth0</li>
<li>Modem IP address = 192.168.1.1</li>
<li>eth0 IP address = 192.168.1.2</li>
</ul>
The changes you need to make are as follows:<br>
<br>
1. Add this entry to /etc/shorewall/zones:<br>
<br>
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>DISPLAY</b></td>
|
||||
<td><b>COMMENTS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>modem<br>
|
||||
</td>
|
||||
<td>Modem</td>
|
||||
<td>ADSL Modem<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<div style="margin-left: 40px;">That entry defines a new zone called '<span
|
||||
style="font-style: italic;">modem</span>' which will contain only your
|
||||
ADSL modem.<br>
|
||||
<br>
|
||||
</div>
|
||||
2. Add the following entry to /etc/shorewall/interfaces:<br>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>modem<br>
|
||||
</td>
|
||||
<td>eth0<br>
|
||||
</td>
|
||||
<td>192.168.1.255 <br>
|
||||
</td>
|
||||
<td> dhcp</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<div style="margin-left: 40px;">You will of course modify the 'net'
|
||||
entry in /etc/shorewall/interfaces to specify 'ppp0' as the interface
|
||||
as described in the QuickStart Guide corresponding to your setup.<br>
|
||||
</div>
|
||||
<br>
|
||||
3. Add the following to /etc/shorewall/tunnels:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table cellpadding="2" cellspacing="2" border="1"
|
||||
style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>TYPE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ZONE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>GATEWAY<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>GATEWAY ZONE<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">pptpclient </td>
|
||||
<td valign="top">modem<br>
|
||||
</td>
|
||||
<td valign="top">192.168.1.1<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<div style="margin-left: 40px;"><br>
|
||||
That entry allows a PPTP tunnel to be established between your
|
||||
Shorewall system and the PPTP server in the modem.<br>
|
||||
</div>
|
||||
<p><font size="2">Last modified 10/11/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
<p><a href="copyright.htm"> <font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
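Review bot: the /etc/ppp/ip-up.local example at the top of this hunk opens with `#/bin/sh` rather than `#!/bin/sh`, so the interpreter line is only a comment and the file works solely when something else already runs it through a shell; the commit message says nothing beyond "Remove documentation", so if a replacement PPTP page exists it should carry the corrected shebang. Two further points from the same page are worth carrying into whatever replaces it: the crond restart script's liveness test (`ps ax | grep /usr/sbin/pptp | grep -v grep`) treats any process whose command line contains that string as a running client, and the ADSL-modem section assumes a static eth0 address of 192.168.1.2 yet lists `dhcp` in the OPTIONS column of the /etc/shorewall/interfaces entry without saying why. "scriptand" in the Vonau link text is a typo.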
@ -1,165 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Proxy ARP</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">Proxy ARP<br>
|
||||
</h1>
|
||||
<p>Proxy ARP allows you to insert a firewall in front of a set of
|
||||
servers without changing their IP addresses and without having to
|
||||
re-subnet. Before you try to use this technique, I strongly recommend
|
||||
that you read the <a href="shorewall_setup_guide.htm">Shorewall Setup
|
||||
Guide.</a></p>
|
||||
<p>The following figure represents a Proxy ARP environment.</p>
|
||||
<blockquote>
|
||||
<p align="center"><strong> <img src="images/proxyarp.png" width="519"
|
||||
height="397"> </strong></p>
|
||||
<blockquote> </blockquote>
|
||||
</blockquote>
|
||||
<p align="left">Proxy ARP can be used to make the systems with
|
||||
addresses 130.252.100.18 and 130.252.100.19 appear to be on the upper
|
||||
(130.252.100.*) subnet. Assuming that the upper firewall
|
||||
interface is eth0 and the lower interface is eth1, this is accomplished
|
||||
using the following entries in /etc/shorewall/proxyarp:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ADDRESS</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>EXTERNAL</b></td>
|
||||
<td><b>HAVEROUTE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.18</td>
|
||||
<td>eth1</td>
|
||||
<td>eth0</td>
|
||||
<td>no</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.19</td>
|
||||
<td>eth1</td>
|
||||
<td>eth0</td>
|
||||
<td>no</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>Be sure that the internal systems (130.242.100.18 and
|
||||
130.252.100.19 in the above example) are not included in any
|
||||
specification in /etc/shorewall/masq or /etc/shorewall/nat.</p>
|
||||
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address
|
||||
is irrelevant. </p>
|
||||
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have
|
||||
their subnet mask and default gateway configured exactly the same way
|
||||
that the Firewall system's eth0 is configured. In other words, they
|
||||
should be configured just like they would be if they were parallel to
|
||||
the firewall rather than behind it.<br>
|
||||
</p>
|
||||
<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed
|
||||
address(es) (130.252.100.18 and 130.252.100.19 in the above
|
||||
example) to the external interface (eth0 in this example) of the
|
||||
firewall.</b></font><br>
|
||||
</p>
|
||||
<div align="left"> </div>
|
||||
<div align="left">
|
||||
<p align="left">A word of warning is in order here. ISPs typically
|
||||
configure their routers with a long ARP cache timeout. If you move a
|
||||
system from parallel to your firewall to behind your firewall with
|
||||
Proxy ARP, it
|
||||
will probably be HOURS before that system can communicate with the
|
||||
internet. There are a couple of things that you can try:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP
|
||||
Illustrated, Vol 1</i> reveals that a <br>
|
||||
<br>
|
||||
"gratuitous" ARP packet should cause the ISP's router to refresh their
|
||||
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting
|
||||
the MAC address for its own IP; in addition to ensuring that the IP
|
||||
address
|
||||
isn't a duplicate...<br>
|
||||
<br>
|
||||
"if the host sending the gratuitous ARP has just changed its hardware
|
||||
address..., this packet causes any other host...that has an entry in
|
||||
its cache for the old hardware address to update its ARP cache entry
|
||||
accordingly."<br>
|
||||
<br>
|
||||
Which is, of course, exactly what you want to do when you switch a host
|
||||
from being exposed to the Internet to behind Shorewall using proxy ARP
|
||||
(or static NAT for that matter). Happily enough, recent versions of
|
||||
Redhat's iputils package include "arping", whose "-U" flag does just
|
||||
that:<br>
|
||||
<br>
|
||||
<font color="#009900"><b>arping -U -I <i><net
|
||||
if> <newly proxied IP></i></b></font><br>
|
||||
<font color="#009900"><b>arping -U -I eth0
|
||||
66.58.99.83 # for example</b></font><br>
|
||||
<br>
|
||||
Stevens goes on to mention that not all systems respond correctly to
|
||||
gratuitous ARPs, but googling for "arping -U" seems to support the idea
|
||||
that it works most of the time.<br>
|
||||
<br>
|
||||
To use arping with Proxy ARP in the above example, you would have to:<br>
|
||||
<br>
|
||||
<font color="#009900"><b> shorewall clear<br>
|
||||
</b></font> <font color="#009900"><b>ip addr add
|
||||
130.252.100.18 dev eth0<br>
|
||||
ip addr add 130.252.100.19 dev eth0</b></font><br>
|
||||
<font color="#009900"><b>arping -U -I eth0
|
||||
130.252.100.18</b></font><br>
|
||||
<font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
|
||||
<b><font color="#009900">ip addr del 130.252.100.18 dev
|
||||
eth0<br>
|
||||
ip addr del 130.252.100.19 dev eth0<br>
|
||||
shorewall start</font></b><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>You can call your ISP and ask them to purge the stale ARP cache
|
||||
entry but many either can't or won't purge individual entries.</li>
|
||||
</ol>
|
||||
You can determine if your ISP's gateway ARP cache is stale using ping
|
||||
and tcpdump. Suppose that we suspect that the gateway router has a
|
||||
stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump
|
||||
as follows:</div>
|
||||
<div align="left">
|
||||
<pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which
|
||||
we will assume is 130.252.100.254):</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
<pre> <b><font color="#009900">ping 130.252.100.254</font></b></pre>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">We can now observe the tcpdump output:</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)<br> 13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply</pre>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Notice that the source MAC address in the echo request
|
||||
is different from the destination MAC address in the echo reply!! In
|
||||
this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
|
||||
0:c0:a8:50:b2:57 was the MAC address of the system on the lower left.
|
||||
In other words,
|
||||
the gateway's ARP cache still associates 130.252.100.19 with the NIC
|
||||
in that system rather than with the firewall's eth0.</p>
|
||||
</div>
|
||||
<p><font size="2">Last updated 3/21/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
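Review bot: the sentence "Be sure that the internal systems (130.242.100.18 and 130.252.100.19 ...)" in this hunk has a wrong octet (130.242 where every other reference on the page uses 130.252.100.18); if the page is being moved rather than dropped, the successor should fix it. The safety-relevant guidance here is the red NOTE not to add the proxy-ARP'ed addresses to the firewall's external interface, and the gratuitous-ARP sequence that begins with `shorewall clear`, which removes the firewall rules until the closing `shorewall start` is run; the commit message should say where that guidance now lives.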
@ -1,34 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Springtime in Seattle!!!</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
-+
|
||||
<h3><font color="#ff6633"></font></h3>
|
||||
<h1 style="text-align: center;">Visit Seattle in the Springtime!!!<br>
|
||||
</h1>
|
||||
<img src="images/P1000048.jpg" alt="" width="640" height="480"> <br>
|
||||
<br>
|
||||
<b>March 6, 2003 - Nice day for a walk....</b><br>
|
||||
<br>
|
||||
<img src="images/P1000050.jpg" alt="" width="640" height="480"> <br>
|
||||
<br>
|
||||
<br>
|
||||
<img src="images/P1000049.jpg" alt="" width="480" height="640">
|
||||
<p><b>The view from my office window -- think I'll go out and enjoy the
|
||||
deck (Yes -- that is snow on the deck...)</b>.<br>
|
||||
</p>
|
||||
<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
@ -1,21 +0,0 @@
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Banner</title>
|
||||
<base target="contents">
|
||||
<meta name="Microsoft Theme" content="blueprnt 011">
|
||||
<meta name="Microsoft Border" content="none, default">
|
||||
</head>
|
||||
|
||||
<body background="_themes/blueprnt/blutextb.gif" bgcolor="#FFFFFF" text="#003399" link="#3366FF" vlink="#9900FF" alink="#000066"><!--mstheme--><font face="Century Gothic, Arial, Helvetica"><p align="right"><b><font size="2"><img border="0" src="images/Shorewall_Banner.gif" align="left" width="600" height="60"></font><font size="4"><strong>
|
||||
</strong></font><font size="2">The Shorewall Project uses the Services of</font><font size="4">
|
||||
</font></b><a href="http://sourceforge.net" target="_top"><img src="http://sourceforge.net/sflogo.php?group_id=22587" alt="SourceForge Logo" align="top"></a> </p>
|
||||
|
||||
<p align="right"> </p>
|
||||
|
||||
<!--mstheme--></font></body>
|
||||
|
||||
</html>
|
@ -1,80 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall Certificate Authority</title>
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">Shorewall Certificate Authority (CA)
|
||||
Certificate<br>
|
||||
</h1>
|
||||
Given that I develop and support Shorewall without asking for any
|
||||
renumeration, I can hardly justify paying $200US+ a year to a
|
||||
Certificate Authority such as Thawte (A Division of VeriSign) for an
|
||||
X.509 certificate to prove that I am who I am. I have therefore
|
||||
established my own Certificate Authority (CA) and sign my own X.509
|
||||
certificates. I use these certificates on my list server (<a
|
||||
href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
|
||||
which hosts parts of this web site.<br>
|
||||
<br>
|
||||
X.509 certificates are the basis for the Secure Socket Layer (SSL). As
|
||||
part of establishing an SSL session (URL https://...), your browser
|
||||
verifies the X.509 certificate supplied by the HTTPS server against the
|
||||
set of Certificate Authority Certificates that were shipped with your
|
||||
browser. It is expected that the server's certificate was issued by one
|
||||
of the authorities whose identities are known to your browser. <br>
|
||||
<br>
|
||||
This mechanism, while supposedly guaranteeing that when you connect to
|
||||
https://www.foo.bar you are REALLY connecting to www.foo.bar, means
|
||||
that the CAs literally have a license to print money -- they are
|
||||
selling a string of bits (an X.509 certificate) for $200US+ per
|
||||
year!!!I <br>
|
||||
<br>
|
||||
I wish that I had decided to become a CA rather that designing and
|
||||
writing Shorewall.<br>
|
||||
<br>
|
||||
What does this mean to you? It means that the X.509 certificate that my
|
||||
server will present to your browser will not have been signed by one of
|
||||
the authorities known to your browser. If you try to connect to my
|
||||
server using SSL, your browser will frown and give you a dialog box
|
||||
asking if you want to accept the sleezy X.509 certificate being
|
||||
presented by my server. <br>
|
||||
<br>
|
||||
There are two things that you can do:<br>
|
||||
<ol>
|
||||
<li>You can accept the mail.shorewall.net certificate when your
|
||||
browser asks -- your acceptence of the certificate can be temporary
|
||||
(for that access only) or perminent.</li>
|
||||
<li>You can download and install <a href="ca.crt">my (self-signed)
|
||||
CA certificate.</a> This will make my Certificate Authority known to
|
||||
your browser so that it will accept any certificate signed by me. <br>
|
||||
</li>
|
||||
</ol>
|
||||
What are the risks?<br>
|
||||
<ol>
|
||||
<li>If you install my CA certificate then you assume that I am
|
||||
trustworthy and that Shorewall running on your firewall won't redirect
|
||||
HTTPS requests intented to go to your bank's server to one of my
|
||||
systems that will present your browser with a bogus certificate
|
||||
claiming that my server is that of
|
||||
your bank.</li>
|
||||
<li>If you only accept my server's certificate when prompted then the
|
||||
most that you have to loose is that when you connect to
|
||||
https://mail.shorewall.net, the server you are connecting to might not
|
||||
be mine.</li>
|
||||
</ol>
|
||||
I have my CA certificate loaded into all of my browsers but I certainly
|
||||
won't be offended if you decline to load it into yours... :-)<br>
|
||||
<p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003
|
||||
Thomas M.
|
||||
Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
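Review bot: the page in this hunk names the server as https://lists.shorewall.net in the first paragraph but as mail.shorewall.net in both option 1 and risk 2, so a reader cannot tell which hostname the certificate is issued for; the commit message should also say whether the linked ca.crt and the advice to import it are retired along with the page, since risk 1 (importing the CA means trusting any certificate it signs, for any site) is the part a user needs to read before installing that file. Spelling to fix if the text is reused: "renumeration", "acceptence", "perminent", "intented", "loose", "sleezy", and the stray "I" after "year!!!".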
@ -1,39 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall CVS Access</title>
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<br>
|
||||
<h1 style="text-align: center;">Shorewall CVS Access<br>
|
||||
</h1>
|
||||
Lots of people try to download the entire Shorewall website for
|
||||
off-line browsing, including the CVS portion. In addition to being an
|
||||
enormous volume of data (HTML versions of all versions of all Shorewall
|
||||
files), all of the pages in Shorewall CVS access are cgi-generated
|
||||
which places a tremendous load on my little server. I have therefore
|
||||
resorted to making CVS access password controlled. When you are asked
|
||||
to log in, enter "Shorewall" (NOTE THE CAPITALIZATION!!!!!) for both
|
||||
the user name and the password.<br>
|
||||
<br>
|
||||
<div align="center">
|
||||
<h3><a href="http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi"
|
||||
target="_top">CVS Login</a> <br>
|
||||
</h3>
|
||||
</div>
|
||||
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated
|
||||
1/14/2002 - <a href="support.htm">Tom Eastep</a> </font> </p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
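Review bot: this page publishes the shared credential ("Shorewall" for both user name and password) that gates cvs.shorewall.net; deleting it without a line in the commit message leaves no visible statement of whether the password gate, and this credential, remain in place or how access is announced instead. The "Updated 1/14/2002" footer also conflicts with the 2001, 2002, 2003 copyright line directly below it.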
@ -1,54 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<title>What Shorewall Cannot Do</title>
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<small> </small><small> </small><small> </small><small> </small><small>
|
||||
</small> <small> </small>
|
||||
<small><br>
|
||||
</small>
|
||||
<h1 style="text-align: center;">Some things that Shorewall Cannot Do<br>
|
||||
</h1>
|
||||
Shorewall cannot:<br>
|
||||
<ul>
|
||||
<li>Be used to filter traffic through a Layer 2 Bridge</li>
|
||||
<li>Act as a "Personal Firewall" that allows internet access by
|
||||
application.</li>
|
||||
<li>Be used with an Operating System other than Linux (version >=
|
||||
2.4.0)<br>
|
||||
</li>
|
||||
<li>Do content filtering:</li>
|
||||
<ul>
|
||||
<li>HTTP -- better to use <a href="Shorewall_Squid_Usage.html">Squid</a>
|
||||
for that.</li>
|
||||
<li>Email -- Install something like <a
|
||||
href="http://www.postfix.org">Postfix</a> on your firewall and
|
||||
integrate it with <a href="http://www.spamassassin.org">SpamAssassin</a>
|
||||
and <a href="http://www.ijs.si/software/amavisd/">Amavisd-new</a>.<br>
|
||||
</li>
|
||||
</ul>
|
||||
</ul>
|
||||
In addition:<br>
|
||||
<ul>
|
||||
<li>Shorewall does not contain any support for Netfilter <a
|
||||
href="http://www.netfilter.org/documentation/pomlist/pom-summary.html"><span
|
||||
style="font-style: italic;">Patch-O-Matic</span></a> features --
|
||||
Shorewall
|
||||
only supports features from released kernels.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<br>
|
||||
<font size="2">Last updated 10/07/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
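Review bot: the HTTP bullet in this hunk links to Shorewall_Squid_Usage.html, which the next hunk of this same commit deletes, so if a replacement for either page is planned the commit message should point to it and the cross-reference should not be left dangling. The "cannot do" list (no Layer 2 bridge filtering, no per-application control, Linux >= 2.4.0 only, no Patch-O-Matic features) is tied to "Last updated 10/07/2003" and is exactly the kind of scope statement a replacement page should keep.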
@ -1,631 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall Squid Usage</title>
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<table cellpadding="0" cellspacing="0" border="0"
|
||||
style="background-color: rgb(51, 102, 255); height: 84px; width: 100%;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="middle" width="33%" bgcolor="#3366ff"
|
||||
style="background-color: rgb(255, 255, 255);"><a
|
||||
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
|
||||
alt="" width="88" height="31" hspace="4"> </a><br>
|
||||
</td>
|
||||
<td valign="middle" height="90" align="center" width="34%"
|
||||
style="background-color: rgb(255, 255, 255);">
|
||||
<h1 style="color: rgb(51, 0, 51);"><b>Using Shorewall with Squid</b></h1>
|
||||
<h1> </h1>
|
||||
</td>
|
||||
<td valign="middle" height="90" width="33%" align="right"
|
||||
style="background-color: rgb(255, 255, 255);"><a
|
||||
href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
|
||||
alt="" width="100" height="31" hspace="4"> </a><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
This page covers Shorewall configuration to use with <a
|
||||
href="http://www.squid-cache.org/">Squid </a>running as a <a
|
||||
href="#Transparent">Transparent
|
||||
Proxy</a> or as a <a href="#Manual">Manual Proxy</a>.<br>
|
||||
<br>
|
||||
If you are running Shorewall 1.3, please see <a
|
||||
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
|
||||
<h1><a name="Transparent"></a>Squid as a Transparent Proxy<br>
|
||||
</h1>
|
||||
<img border="0" src="images/j0213519.gif" width="60" height="60"
|
||||
alt="Caution" align="middle"> Please observe the
|
||||
following general requirements:<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b>In all cases, Squid should be configured to run
|
||||
as a transparent proxy as described at <a
|
||||
href="http://tldp.org/HOWTO/mini/TransparentProxy.html">http://tldp.org/HOWTO/mini/TransparentProxy.html</a>.<br>
|
||||
<b><br>
|
||||
</b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b>The following instructions mention
|
||||
the files /etc/shorewall/start and /etc/shorewall/init -- if you don't
|
||||
have those files, siimply create them.<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b>
|
||||
When the Squid server is in the DMZ zone or in the local zone, that
|
||||
zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
|
||||
file entries. That is because the packets being routed to the Squid
|
||||
server still have their original destination IP addresses.<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b>
|
||||
You must have iptables installed on your Squid server.<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b>
|
||||
If you run a Shorewall version earlier than 1.4.6, you must have NAT
|
||||
and MANGLE enabled in your /etc/shorewall/conf file<br>
|
||||
<br>
|
||||
<b><font color="#009900">
|
||||
NAT_ENABLED=Yes<br>
|
||||
</font></b> <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
|
||||
<br>
|
||||
Three different configurations are covered:<br>
|
||||
<ol>
|
||||
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid
|
||||
running on the Firewall.</a></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
|
||||
local network</a></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
|
||||
</ol>
|
||||
<h2><a name="Firewall"></a>Squid (transparent) Running on the Firewall</h2>
|
||||
You want to redirect all local www connection requests
|
||||
EXCEPT those to your own http server (206.124.146.177) to a Squid
|
||||
transparent proxy running on the firewall
|
||||
and listening on port 3128. Squid will of course require access
|
||||
to remote web servers.<br>
|
||||
<br>
|
||||
In /etc/shorewall/rules:<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>REDIRECT</td>
|
||||
<td>loc</td>
|
||||
<td>3128</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> -<br>
|
||||
</td>
|
||||
<td>!206.124.146.177</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>fw</td>
|
||||
<td>net</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
There may be a requirement to exclude additional destination
|
||||
hosts or networks from being redirected. For example, you might also
|
||||
want
|
||||
requests destined for 130.252.100.0/24 to not be routed to Squid.<br>
|
||||
<br>
|
||||
If you are running Shorewall version 1.4.5 or later, you may just add
|
||||
the additional hosts/networks to the ORIGINAL DEST column in your
|
||||
REDIRECT rule:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>REDIRECT</td>
|
||||
<td>loc</td>
|
||||
<td>3128</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> -<br>
|
||||
</td>
|
||||
<td>!206.124.146.177,130.252.100.0/24</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<br>
|
||||
If you are running a Shorewall version earlier than 1.4.5, you must add
|
||||
a manual rule in /etc/shorewall/start:<br>
|
||||
<blockquote>
|
||||
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
|
||||
</blockquote>
|
||||
To exclude additional hosts or networks, just add additional
|
||||
similar rules.<br>
|
||||
<h2><a name="Local"></a>Squid (transparent) Running in the local network</h2>
|
||||
You want to redirect all local www connection requests to a Squid
|
||||
transparent proxy running in your local zone at 192.168.1.3 and
|
||||
listening
|
||||
on port 3128. Your local interface is eth1. There may also be a web
|
||||
server running on 192.168.1.3. It is assumed that web access is already
|
||||
enabled from the local zone to the internet..<br>
|
||||
<ul>
|
||||
<li>On your firewall system, issue the following command<br>
|
||||
</li>
|
||||
</ul>
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">echo 202 www.out >> /etc/iproute2/rt_tables</font></b><br></pre>
|
||||
</blockquote>
|
||||
<ul>
|
||||
<li>In /etc/shorewall/init, put:<br>
|
||||
</li>
|
||||
</ul>
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
|
||||
</blockquote>
|
||||
<ul>
|
||||
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
|
||||
upgrade to Shorewall 1.4.2 or later.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>If you are running Shorewall 1.4.2 or later, then in
|
||||
/etc/shorewall/interfaces:<br>
|
||||
<br>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">ZONE<br>
|
||||
</td>
|
||||
<td valign="top">INTERFACE<br>
|
||||
</td>
|
||||
<td valign="top">BROADCAST<br>
|
||||
</td>
|
||||
<td valign="top">OPTIONS<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">eth1<br>
|
||||
</td>
|
||||
<td valign="top">detect<br>
|
||||
</td>
|
||||
<td valign="top"><b>routeback</b><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</li>
|
||||
<li>In /etc/shorewall/rules:<br>
|
||||
<br>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT<br>
|
||||
</td>
|
||||
<td>loc</td>
|
||||
<td>loc<br>
|
||||
</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</li>
|
||||
<br>
|
||||
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have
|
||||
the following policy in place of the above rule:<br>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESTINATION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>POLICY<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>LOG LEVEL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>BURST PARAMETERS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</li>
|
||||
<li>In /etc/shorewall/start add:<br>
|
||||
</li>
|
||||
</ul>
|
||||
<blockquote>
|
||||
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
|
||||
</blockquote>
|
||||
<ul>
|
||||
<li>On 192.168.1.3, arrange for the following command to be executed
|
||||
after networking has come up<br>
|
||||
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
|
||||
</li>
|
||||
</ul>
|
||||
<blockquote> If you are running RedHat on the server, you can simply
|
||||
execute the following commands after you have typed the iptables
|
||||
command above:<br>
|
||||
</blockquote>
|
||||
<blockquote>
|
||||
<blockquote> </blockquote>
|
||||
<pre><font color="#009900"><b>iptables-save > /etc/sysconfig/iptables</b></font><font
|
||||
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
|
||||
</blockquote>
|
||||
<blockquote> </blockquote>
|
||||
<h2><a name="DMZ"></a>Squid (transparent) Running in the DMZ (This is
|
||||
what I do)</h2>
|
||||
You have a single Linux system in your DMZ with IP address 192.0.2.177.
|
||||
You want to run both a web server and Squid on that system. Your DMZ
|
||||
interface is eth1 and your local interface is eth2.<br>
|
||||
<ul>
|
||||
<li>On your firewall system, issue the following command<br>
|
||||
</li>
|
||||
</ul>
|
||||
<blockquote>
|
||||
<pre><font color="#009900"><b>echo 202 www.out >> /etc/iproute2/rt_tables</b></font><br></pre>
|
||||
</blockquote>
|
||||
<ul>
|
||||
<li>In /etc/shorewall/init, put:<br>
|
||||
</li>
|
||||
</ul>
|
||||
<blockquote>
|
||||
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
|
||||
</blockquote>
|
||||
<ul>
|
||||
<li> Do<b> one </b>of the following:<br>
|
||||
<br>
|
||||
A) In /etc/shorewall/start add<br>
|
||||
</li>
|
||||
</ul>
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
|
||||
</blockquote>
|
||||
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in
|
||||
/etc/shorewall/shorewall.conf and add the following entry in
|
||||
/etc/shorewall/tcrules:<br>
|
||||
</blockquote>
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">MARK<br>
|
||||
</td>
|
||||
<td valign="top">SOURCE<br>
|
||||
</td>
|
||||
<td valign="top">DESTINATION<br>
|
||||
</td>
|
||||
<td valign="top">PROTOCOL<br>
|
||||
</td>
|
||||
<td valign="top">PORT<br>
|
||||
</td>
|
||||
<td valign="top">CLIENT PORT<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">202<br>
|
||||
</td>
|
||||
<td valign="top">eth2<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top">-<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
C) Run Shorewall 1.3.14 or later and add the following entry
|
||||
in /etc/shorewall/tcrules:<br>
|
||||
</blockquote>
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">MARK<br>
|
||||
</td>
|
||||
<td valign="top">SOURCE<br>
|
||||
</td>
|
||||
<td valign="top">DESTINATION<br>
|
||||
</td>
|
||||
<td valign="top">PROTOCOL<br>
|
||||
</td>
|
||||
<td valign="top">PORT<br>
|
||||
</td>
|
||||
<td valign="top">CLIENT PORT<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">202:P<br>
|
||||
</td>
|
||||
<td valign="top">eth2<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top">-<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
<ul>
|
||||
<li>In /etc/shorewall/rules, you will need:</li>
|
||||
</ul>
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">ACTION<br>
|
||||
</td>
|
||||
<td valign="top">SOURCE<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
</td>
|
||||
<td valign="top">PROTO<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
PORT(S)<br>
|
||||
</td>
|
||||
<td valign="top">CLIENT<br>
|
||||
PORT(2)<br>
|
||||
</td>
|
||||
<td valign="top">ORIGINAL<br>
|
||||
DEST<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">dmz<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">dmz<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
<ul>
|
||||
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following
|
||||
command to be executed after networking has come up<br>
|
||||
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
|
||||
</li>
|
||||
</ul>
|
||||
<blockquote> If you are running RedHat on the server, you can simply
|
||||
execute the following commands after you have typed the iptables
|
||||
command above:<br>
|
||||
</blockquote>
|
||||
<blockquote>
|
||||
<blockquote> </blockquote>
|
||||
<pre><font color="#009900"><b>iptables-save > /etc/sysconfig/iptables</b></font><font
|
||||
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
|
||||
</blockquote>
|
||||
<blockquote> </blockquote>
|
||||
<h1><a name="Manual"></a>Squid as a Manual Proxy</h1>
|
||||
Assume that Squid is running in zone SZ and listening on port SP; all
|
||||
web sites that are to be accessed through Squid are in the 'net' zone.
|
||||
Then for each zone Z that needs access to the Squid server:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">ACTION<br>
|
||||
</td>
|
||||
<td valign="top">SOURCE<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
</td>
|
||||
<td valign="top">PROTO<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
PORT(S)<br>
|
||||
</td>
|
||||
<td valign="top">CLIENT<br>
|
||||
PORT(2)<br>
|
||||
</td>
|
||||
<td valign="top">ORIGINAL<br>
|
||||
DEST<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">Z<br>
|
||||
</td>
|
||||
<td valign="top">SZ<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">SP<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">SZ<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<br>
|
||||
Example:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">Squid on the firewall listening on port
|
||||
8080 with access from the 'loc' zone:<br>
|
||||
<br>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">ACTION<br>
|
||||
</td>
|
||||
<td valign="top">SOURCE<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
</td>
|
||||
<td valign="top">PROTO<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
PORT(S)<br>
|
||||
</td>
|
||||
<td valign="top">CLIENT<br>
|
||||
PORT(2)<br>
|
||||
</td>
|
||||
<td valign="top">ORIGINAL<br>
|
||||
DEST<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">$FW<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">8080<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">$FW<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</div>
|
||||
<p><font size="-1">Updated 1017/2003 - <a href="support.htm">Tom
|
||||
Eastep</a>
|
||||
</font></p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2003 Thomas M. Eastep.</font></a><br>
|
||||
</body>
|
||||
</html>
|
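Review bot: the commit message ("Remove documentation") does not say where this page goes, and the page carries operational configuration rather than prose alone: the `/etc/shorewall/init` routing fragment (`ip rule add fwmark 202 table www.out` / `ip route add default via 192.0.2.177 dev eth1 table www.out`), the `/etc/shorewall/start` MARK rules, and the `iptables -t nat -A PREROUTING ... -j REDIRECT --to-ports 3128` command for the Squid host. If the documentation is being moved rather than dropped, name the new location in the commit message, and check that nothing left in the tree still links to this file (the Index pages deleted later in this same change link to sibling pages by relative `.htm` name, so other survivors may too). The footer also shows the page as last updated `1017/2003`, a malformed date; if the page is re-homed that is worth fixing at the destination rather than carrying over.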
@ -1,632 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall and Aliased Interfaces</title>
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">Shorewall and Aliased Interfaces<br>
|
||||
</h1>
|
||||
<h2>Background</h2>
|
||||
The traditional net-tools contain a program called <i>ifconfig</i>
|
||||
which is used to configure network devices. ifconfig introduced the
|
||||
concept of <i>aliased </i>or <i>virtual </i>interfaces. These
|
||||
virtual
|
||||
interfaces have names of the form <i>interface</i>:<i>integer </i>(e.g.,
|
||||
eth0:0) and ifconfig treats them more or less like real interfaces.<br>
|
||||
<br>
|
||||
Example:<br>
|
||||
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
|
||||
The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
|
||||
utility which is part of the <i>iproute </i>package. The ip utility
|
||||
does not use the concept of aliases or virtual interfaces but rather
|
||||
treats additional addresses on an interface as objects in their own
|
||||
right.
|
||||
The ip utility does provide for interaction with ifconfig in that it
|
||||
allows
|
||||
addresses to be <i>labeled </i>where these labels take the form of
|
||||
ipconfig
|
||||
virtual interfaces.<br>
|
||||
<br>
|
||||
Example:<br>
|
||||
<br>
|
||||
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
|
||||
Note that one <u>cannot</u> type "ip addr show dev eth0:0" because
|
||||
"eth0:0" is a label for a particular address rather than a device name.<br>
|
||||
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
|
||||
The iptables program doesn't support virtual interfaces in either it's
|
||||
"-i" or "-o" command options; as a consequence, Shorewall does not
|
||||
allow them to be used in the /etc/shorewall/interfaces file or anywhere
|
||||
else except as described in the discussion below. <br>
|
||||
<br>
|
||||
<h2>Adding Addresses to Interfaces</h2>
|
||||
Shorewall provides facilities for automatically adding addresses to
|
||||
interfaces
|
||||
as described in the following section. It is also easy to add them
|
||||
yourself
|
||||
using the <b>ip</b> utility. The above alias was added using:<br>
|
||||
<blockquote><b><font color="#009900">ip addr add 206.124.146.178/24 brd
|
||||
206.124.146.255
|
||||
dev eth0 label eth0:0</font></b><br>
|
||||
</blockquote>
|
||||
You probably want to arrange to add these addresses when the device is
|
||||
started
|
||||
rather than placing commands like the above in one of the Shorewall
|
||||
extension
|
||||
scripts. For example, on RedHat systems, you can place the commands in
|
||||
/sbin/ifup-local:<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<pre>#!/bin/sh<br><br>case $1 in<br> eth0)<br> /sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0<br> ;;<br>esac <br></pre>
|
||||
</blockquote>
|
||||
RedHat systems also allow adding such aliases from the network
|
||||
administration
|
||||
GUI (which works well if you have a graphical environment on your
|
||||
firewall).<br>
|
||||
<h2>So how do I handle more than one address on an interface?</h2>
|
||||
The answer depends on what you are trying to do with the interfaces. In
|
||||
the sub-sections that follow, we'll take a look at common scenarios.<br>
|
||||
<h3>Separate Rules</h3>
|
||||
If you need to make a rule for traffic to/from the firewall itself that
|
||||
only applies to a particular IP address, simply qualify the $FW zone
|
||||
with the IP address.<br>
|
||||
<br>
|
||||
Example (allow SSH from net to eth0:0 above):<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ACTION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESTINATION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>PROTOCOL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>PORT(S)<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SOURCE PORT(S)<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ORIGINAL DESTINATION<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">$FW:206.124.146.178<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">22<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
<h3>DNAT</h3>
|
||||
Suppose that I had set up eth0:0 as above and I wanted to port
|
||||
forward from that virtual interface to a web server running in my local
|
||||
zone at 192.168.1.3. That is accomplised by a single rule in the
|
||||
/etc/shorewall/rules file:<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ACTION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESTINATION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>PROTOCOL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>PORT(S)<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SOURCE PORT(S)<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ORIGINAL DESTINATION<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">DNAT<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">loc:192.168.1.3<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top">-<br>
|
||||
</td>
|
||||
<td valign="top">206.124.146.178<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
<h3>SNAT</h3>
|
||||
If you wanted to use eth0:0 as the IP address for outbound connections
|
||||
from your local zone (eth1), then in /etc/shorewall/masq:<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SUBNET<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ADDRESS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">eth0<br>
|
||||
</td>
|
||||
<td valign="top">eth1<br>
|
||||
</td>
|
||||
<td valign="top">206.124.146.178<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
Shorewall can create the alias (additional address) for you if
|
||||
you set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf.
|
||||
Beginning
|
||||
with Shorewall 1.3.14, Shorewall can actually create the "label"
|
||||
(virtual
|
||||
interface) so that you can see the created address using ifconfig. In
|
||||
addition to setting ADD_SNAT_ALIASES=Yes, you specify the virtual
|
||||
interface
|
||||
name in the INTERFACE column as follows:<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SUBNET<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ADDRESS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">eth0:0<br>
|
||||
</td>
|
||||
<td valign="top">eth1<br>
|
||||
</td>
|
||||
<td valign="top">206.124.146.178<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
Shorewall can also set up SNAT to round-robin over a range of IP
|
||||
addresses. Do do that, you specify a range of IP addresses in the
|
||||
ADDRESS column. If you specify a label in the INTERFACE column,
|
||||
Shorewall will use that label for the first address of the range and
|
||||
will increment the label by one for each subsequent label.<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SUBNET<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ADDRESS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">eth0:0<br>
|
||||
</td>
|
||||
<td valign="top">eth1<br>
|
||||
</td>
|
||||
<td valign="top">206.124.146.178-206.124.146.180<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
The above would create three IP addresses:<br>
|
||||
<br>
|
||||
eth0:0 = 206.124.146.178<br>
|
||||
eth0:1 = 206.124.146.179<br>
|
||||
eth0:2 = 206.124.146.180<br>
|
||||
<h3>STATIC NAT</h3>
|
||||
If you wanted to use static NAT to link eth0:0 with local address
|
||||
192.168.1.3, you would have the following in /etc/shorewall/nat:<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>EXTERNAL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>INTERNAL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ALL INTERFACES<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>LOCAL<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">206.124.146.178<br>
|
||||
</td>
|
||||
<td valign="top">eth0<br>
|
||||
</td>
|
||||
<td valign="top">192.168.1.3<br>
|
||||
</td>
|
||||
<td valign="top">no<br>
|
||||
</td>
|
||||
<td valign="top">no<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
Shorewall can create the alias (additional address) for you if
|
||||
you set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning
|
||||
with Shorewall 1.3.14, Shorewall can actually create the "label"
|
||||
(virtual
|
||||
interface) so that you can see the created address using ifconfig. In
|
||||
addition to setting ADD_IP_ALIASES=Yes, you specify the virtual
|
||||
interface
|
||||
name in the INTERFACE column as follows:<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>EXTERNAL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>INTERNAL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ALL INTERFACES<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>LOCAL<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">206.124.146.178<br>
|
||||
</td>
|
||||
<td valign="top">eth0:0<br>
|
||||
</td>
|
||||
<td valign="top">192.168.1.3<br>
|
||||
</td>
|
||||
<td valign="top">no<br>
|
||||
</td>
|
||||
<td valign="top">no<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
In either case, to create rules that pertain only to this NAT pair, you
|
||||
simply qualify the local zone with the internal IP address.<br>
|
||||
<br>
|
||||
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
|
||||
192.168.1.3.<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ACTION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESTINATION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>PROTOCOL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>PORT(S)<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SOURCE PORT(S)<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ORIGINAL DESTINATION<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">loc:192.168.1.3<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">22<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
<h3>MULTIPLE SUBNETS</h3>
|
||||
Sometimes multiple IP addresses are used because there are multiple
|
||||
subnetworks configured on a LAN segment. This technique does not
|
||||
provide for any security between the subnetworks if the users of the
|
||||
systems have administrative privileges because in that case, the users
|
||||
can simply manipulate their system's routing table to bypass your
|
||||
firewall/router. Nevertheless, there are cases where you simply want to
|
||||
consider the LAN segment itself as a zone and allow your
|
||||
firewall/router to route between the two subnetworks.<br>
|
||||
<br>
|
||||
Example 1: Local interface eth1 interfaces to 192.168.1.0/24 and
|
||||
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254
|
||||
and eth1:0 is 192.168.20.254. You want to simply route all requests
|
||||
between the two subnetworks.<br>
|
||||
<h4>If you are running Shorewall 1.4.1 or Later</h4>
|
||||
In /etc/shorewall/interfaces:<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ZONE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>BROADCAST<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>OPTIONS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">-<br>
|
||||
</td>
|
||||
<td valign="top">eth1<br>
|
||||
</td>
|
||||
<td valign="top">192.168.1.255,192.168.20.255<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
In /etc/shorewall/hosts:<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ZONE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>HOSTS<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>OPTIONS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">eth1:192.168.1.0/24<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">eth1:192.168.20.0/24<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
Note that you do NOT need any entry in /etc/shorewall/policy as
|
||||
Shorewall 1.4.1 and later releases default to allowing intra-zone
|
||||
traffic.<br>
|
||||
<h4>If you are running Shorewall 1.4.0 or earlier<br>
|
||||
</h4>
|
||||
In /etc/shorewall/interfaces:<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ZONE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>BROADCAST<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>OPTIONS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">eth1<br>
|
||||
</td>
|
||||
<td valign="top">192.168.1.255,192.168.20.255<br>
|
||||
</td>
|
||||
<td valign="top">Note 1:<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
|
||||
specify the <b>multi</b> option.<br>
|
||||
<br>
|
||||
In /etc/shorewall/policy:<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESTINATION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>POLICY<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>LOG LEVEL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>BURST:LIMIT<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and
|
||||
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
|
||||
eth1:0 is 192.168.20.254. You want to make these subnetworks into
|
||||
separate
|
||||
zones and control the access between them (the users of the systems do
|
||||
not have administrative privileges).<br>
|
||||
<br>
|
||||
In /etc/shorewall/zones:<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ZONE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DISPLAY<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESCRIPTION<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">Local<br>
|
||||
</td>
|
||||
<td valign="top">Local Zone 1<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc2<br>
|
||||
</td>
|
||||
<td valign="top">Local2<br>
|
||||
</td>
|
||||
<td valign="top">Local Zone 2<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
In /etc/shorewall/interfaces:<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ZONE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>BROADCAST<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>OPTIONS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">-<br>
|
||||
</td>
|
||||
<td valign="top">eth1<br>
|
||||
</td>
|
||||
<td valign="top">192.168.1.255,192.168.20.255<br>
|
||||
</td>
|
||||
<td valign="top">Note 1:<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
|
||||
specify the <b>multi</b> option.<br>
|
||||
<br>
|
||||
In /etc/shorewall/hosts:<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ZONE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>HOSTS<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>OPTIONS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">eth1:192.168.1.0/24<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc2<br>
|
||||
</td>
|
||||
<td valign="top">eth1:192.168.20.0/24<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
|
||||
that you want to permit.<br>
|
||||
<br>
|
||||
<p align="left"><font size="2">Last Updated 7/29/2003 A - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
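Review bot: deleting this page removes the only statement in this diff of the MULTIPLE SUBNETS caveat (two subnets aliased on one LAN segment get no security between them when users hold administrative privileges, because they can edit their own routing table to bypass the firewall/router), along with the ADD_SNAT_ALIASES / ADD_IP_ALIASES and `eth0:0` label semantics that shorewall.conf users depend on; the commit message should record where that material now lives. Also note that the `/sbin/ifup-local` example adds `206.124.146.177` while the text and the `ip addr show` output above it give `206.124.146.178` for `eth0:0`; if the page is being re-homed rather than discarded, either fix that inconsistency at the destination or carry it over as a known erratum.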
@ -1,66 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Index</title>
|
||||
<base target="main">
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" bgcolor="#ffffff">
|
||||
<ul>
|
||||
<li> <a href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li> <a href="shorewall_features.htm">Features</a></li>
|
||||
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Things to try if it doesn't
|
||||
work</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||
<li> <a href="support.htm">Getting help or Answers to Questions</a></li>
|
||||
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
|
||||
href="http://lists.shorewall.net"> </a><br>
|
||||
</li>
|
||||
<li><a href="shorewall_mirrors.htm">Mirrors</a>
|
||||
<ul>
|
||||
</ul>
|
||||
</li>
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
|
||||
<li> <a href="quotes.htm">Quotes from Users</a></li>
|
||||
<ul>
|
||||
</ul>
|
||||
<li> <a href="shoreline.htm">About the Author</a></li>
|
||||
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
</body>
|
||||
</html>
|
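Review bot: this is the site's navigation frame (`<base target="main">`) and every entry is a relative link (`seattlefirewall_index.htm`, `FAQ.htm`, `support.htm`, `errata.htm`, ...); removing it while any of those pages remain leaves them unreachable from the frameset, and removing the pages while this menu remains would be the inverse breakage. Confirm in the commit message that the whole `.htm`/`.html` set moves together, and note the two empty nested `<ul></ul>` elements (under Mirrors and after Quotes from Users) so they are not reproduced at the new location.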
@ -1,68 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Index</title>
|
||||
<base target="main">
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" bgcolor="#ffffff">
|
||||
<ul>
|
||||
<li> <a href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li> <a href="shorewall_features.htm">Features</a></li>
|
||||
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Things to try if it doesn't
|
||||
work</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||
<li> <a href="support.htm">Getting help or Answers to Questions</a></li>
|
||||
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
|
||||
href="http://lists.shorewall.net"> </a><br>
|
||||
</li>
|
||||
<li><a href="shorewall_mirrors.htm">Mirrors</a>
|
||||
<ul>
|
||||
</ul>
|
||||
</li>
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
|
||||
<li> <a href="quotes.htm">Quotes from Users</a></li>
|
||||
<ul>
|
||||
</ul>
|
||||
<li> <a href="shoreline.htm">About the Author</a></li>
|
||||
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
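Review bot: the Shorewall Index page deleted in this hunk is the frameset navigation (`<base target="main">`) that links every other document (FAQ.htm, errata.htm, support.htm, Install.htm, troubleshoot.htm, ...), and the same list appears verbatim in the file removed just above it, so after both go there is no in-tree entry point left; the change should say where the documentation now lives so the links from any remaining pages can be redirected. Minor, only relevant if this nav is re-hosted elsewhere: the list has an empty `<ul></ul>` nested under "Mirrors" and a second bare `<ul></ul>` between "Quotes from Users" and "About the Author", which is not valid HTML and should be dropped.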
@ -1,141 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Controlling Traffic by UID/GID</title>
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Controlling Output
|
||||
Traffic by UID/GID<br>
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
This capability was added in Shorewall release
|
||||
1.4.7.<br>
|
||||
<br>
|
||||
Netfilter provides the capability to filter packets generated on the
|
||||
firewall system by User Id and/or Group Id. Shorewall provides two
|
||||
separate but related ways to use this Netfilter capability:<br>
|
||||
<ol>
|
||||
<li>Shorewall allows you to
|
||||
define collections of users called "<a href="#UserSet">User Sets</a>"
|
||||
and then to restrict
|
||||
certain rules in /etc/shorewall/rules to a given User Set.</li>
|
||||
<li>Shorewall also allows you to restrict a given <a href="#Rule">rule
|
||||
</a>to a particular user and/or group.<br>
|
||||
</li>
|
||||
</ol>
|
||||
Since only packets created by programs running on the Shorewall box
|
||||
itself, only rules whose SOURCE is the firewall ($FW) may be restricted
|
||||
using either of the facilities.<br>
|
||||
<h2><a name="UserSet"></a>User Sets<br>
|
||||
</h2>
|
||||
Given the way that this facility is implemented in Shorewall, it is not
|
||||
possible to control logging of individual rules using a User Set and
|
||||
logging is rather specified on the User Set itself.<br>
|
||||
<br>
|
||||
User Sets are defined in the /etc/shorewall/usersets file. Columns in
|
||||
that file include:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">USERSET
|
||||
The name of a User Set. Must be a legal
|
||||
shell
|
||||
identifier of no more than six (6) characters in length.<br>
|
||||
REJECT
|
||||
Log level for connections rejected for this User Set.<br>
|
||||
ACCEPT Log
|
||||
level for connections accepted for this User Set.<br>
|
||||
DROP
|
||||
Log level for connections dropped for this User Set.<br>
|
||||
</div>
|
||||
<br>
|
||||
In the REJECT and ACCEPT columns, if you don't want to specify a value
|
||||
in the column but you want to specify a value in a following column,
|
||||
you may enter "-".<br>
|
||||
<br>
|
||||
Users and/or groups are added to User Sets using the
|
||||
/etc/shorewall/users file. Columns in that file are:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">USERSET
|
||||
The name of a User Set defined in
|
||||
/etc/shorewall/usersets.<br>
|
||||
USER
|
||||
The name of a user defined on the system or a user number.<br>
|
||||
GROUP
|
||||
The name of a group defined on the system or a number.<br>
|
||||
</div>
|
||||
<p align="left">Only one of the USER and GROUP
|
||||
column needs to be non-empty. If you wish to specify a GROUP but not a
|
||||
USER, enter "-" in the user column.<br>
|
||||
</p>
|
||||
<p align="left">If both USER and GROUP are
|
||||
specified then only programs running under that USER:GROUP pair will
|
||||
match rules specifying the User Set named in the USERSET column.<br>
|
||||
</p>
|
||||
<p align="left">Once a user set has been defined, its name may be
|
||||
placed in the USER SET column of the /etc/shorewall/rules file. <span
|
||||
style="color: rgb(255, 0, 0);"><span style="font-weight: bold;">IMPORTANT:
|
||||
</span></span>When
|
||||
the name of a user set is given in the USER SET column, you may not
|
||||
include a log level in the ACTION column; logging of such rules is
|
||||
governed solely by the user set's definition in the
|
||||
/etc/shorewall/userset file.
|
||||
</p>
|
||||
<p align="left">Example: You want members of the
|
||||
'admin' group and 'root' to be able to use ssh on the firewall to
|
||||
connect to local systems. You want to log all connections accepted for
|
||||
these users using syslog at the 'info' level.<br>
|
||||
</p>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<p align="left" style="margin-left: 40px;">/etc/shorewall/usersets</p>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<pre style="margin-left: 80px;">#USERSET REJECT ACCEPT DROP<br>admins - info<br></pre>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<p align="left" style="margin-left: 40px;">/etc/shorewall/users<br>
|
||||
</p>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<pre style="margin-left: 80px;">#USERSET USER GROUP<br>admins - admin<br>admins root<br></pre>
|
||||
<div style="margin-left: 40px;">/etc/shorewall/rules<br>
|
||||
</div>
|
||||
<pre style="margin-left: 80px;">#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER<br># PORT(S) DESTINATION SET<br><br>ACCEPT $FW loc tcp 22 - - - admins<br></pre>
|
||||
<h2><a name="Rule"></a>Restricting a rule to a particular user and/or
|
||||
group<br>
|
||||
</h2>
|
||||
In cases where you may want to restrict a rule to a particular user
|
||||
and/or group, the USER SET column in the rules file may be specified as:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">[ <<span style="font-style: italic;">user
|
||||
name or number</span>> ] : [ <<span style="font-style: italic;">group
|
||||
name or number</span>> ]<br>
|
||||
<div style="text-align: left;"><br>
|
||||
</div>
|
||||
</div>
|
||||
When a user and/or group name is given in the USER SET column, it is OK
|
||||
to specify a log level in the ACTION column. <br>
|
||||
<br>
|
||||
Example: You want user <span style="font-style: italic;">mail </span>to
|
||||
be able to send email from the firewall to the local net zone<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">/etc/shorewall/rules (be sure to note
|
||||
the ":" in the USER SET column entry).<br>
|
||||
<pre>#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER<br># PORT(S) DESTINATION SET<br><br>ACCEPT $FW loc tcp 25 - - - mail:</pre>
|
||||
</div>
|
||||
<p align="left"><font size="2">Last updated 9/19/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
|
||||
</body>
|
||||
</html>
|
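Review bot: this file is the only place in the set that records the USER SET logging constraint (when a user set name is given in the USER SET column the ACTION column may not carry a log level; logging is governed by the user set definition) and the note that the feature arrived in 1.4.7, so make sure that text survives wherever the documentation moves. If it is relocated rather than dropped, fix two defects on the way: the "IMPORTANT" paragraph refers to `/etc/shorewall/userset` while every other reference is `/etc/shorewall/usersets`, and the sentence starting "Since only packets created by programs running on the Shorewall box itself" has lost its verb; it should read "Since only packets created by programs running on the Shorewall box itself can be matched, only rules whose SOURCE is the firewall ($FW) may be restricted using either of the facilities."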
@ -1,84 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>VPN</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">VPN<br>
|
||||
</h1>
|
||||
<p>It is often the case that a system behind the firewall needs to be
|
||||
able to access a remote network through Virtual Private Networking
|
||||
(VPN). The two most common means for doing this are IPSEC and PPTP. The
|
||||
basic setup is shown in the following diagram:</p>
|
||||
<p align="center"><img border="0" src="images/VPN.png" width="568"
|
||||
height="796"> </p>
|
||||
<p align="left">A system with an RFC 1918 address needs to access a
|
||||
remote network through a remote gateway. For this example, we will
|
||||
assume that the local system has IP address 192.168.1.12 and that the
|
||||
remote gateway has
|
||||
IP address 192.0.2.224.</p>
|
||||
<p align="left">If PPTP is being used, there are no firewall
|
||||
requirements beyond the default loc->net ACCEPT policy. There is one
|
||||
restriction however: Only one local system at a time can be connected
|
||||
to a single remote gateway unless you patch your kernel from the
|
||||
'Patch-o-matic' patches available at
|
||||
<a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
|
||||
<p align="left">If IPSEC is being used then only one system may connect
|
||||
to the remote gateway and there are firewall configuration requirements
|
||||
as follows:</p>
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
bordercolor="#111111" id="AutoNumber2" height="98">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td height="38"><u><b>ACTION</b></u></td>
|
||||
<td height="38"><u><b>SOURCE</b></u></td>
|
||||
<td height="38"><u><b>DESTINATION</b></u></td>
|
||||
<td height="38"><u><b>PROTOCOL</b></u></td>
|
||||
<td height="38"><u><b>PORT</b></u></td>
|
||||
<td height="38"><u><b>CLIENT<br>
|
||||
PORT</b></u></td>
|
||||
<td height="38"><u><b>ORIGINAL<br>
|
||||
DEST</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td height="19">DNAT</td>
|
||||
<td height="19">net:192.0.2.224</td>
|
||||
<td height="19">loc:192.168.1.12</td>
|
||||
<td height="19">50</td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td height="19">DNAT</td>
|
||||
<td height="19">net:192.0.2.224</td>
|
||||
<td height="19">loc:192.168.1.12</td>
|
||||
<td height="19">udp</td>
|
||||
<td height="19">500</td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>If you want to be able to give access to all of your local systems
|
||||
to the remote network, you should consider running a VPN client on your
|
||||
firewall. As starting points, see <a
|
||||
href="http://www.shorewall.net/Documentation.htm#Tunnels">
|
||||
http://www.shorewall.net/Documentation.htm#Tunnels</a> or <a
|
||||
href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
|
||||
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
|
||||
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<p> </p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
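Review bot: VPN.htm is the only document in this set that spells out the IPSEC passthrough rules (DNAT of protocol 50 and udp 500 from net:192.0.2.224 to loc:192.168.1.12) together with the one-client-per-remote-gateway limitation, for IPSEC outright and for PPTP unless the kernel is patched; its own pointer for the multi-client case is an absolute link to http://www.shorewall.net/Documentation.htm#Tunnels and http://www.shorewall.net/PPTP.htm rather than a relative one. Before this copy is dropped, confirm that the Tunnels and PPTP documentation that remains covers both the two DNAT rules and the single-client caveat, otherwise readers following the old link chain lose the only statement of that restriction.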
@ -1,93 +0,0 @@
|
||||
a:link
|
||||
{
|
||||
color: rgb(102,102,255);
|
||||
}
|
||||
a:visited
|
||||
{
|
||||
color: rgb(153,51,51);
|
||||
}
|
||||
a:active
|
||||
{
|
||||
color: rgb(102,204,204);
|
||||
}
|
||||
body
|
||||
{
|
||||
color: rgb(0,0,0);
|
||||
background-color: rgb(255,255,255);
|
||||
}
|
||||
h1
|
||||
{
|
||||
color: rgb(102,102,102);
|
||||
}
|
||||
h2, marquee
|
||||
{
|
||||
color: rgb(102,102,102);
|
||||
}
|
||||
h3
|
||||
{
|
||||
color: rgb(102,102,102);
|
||||
}
|
||||
h4
|
||||
{
|
||||
color: rgb(102,102,102);
|
||||
}
|
||||
h5
|
||||
{
|
||||
color: rgb(102,102,102);
|
||||
}
|
||||
h6
|
||||
{
|
||||
color: rgb(102,102,102);
|
||||
}
|
||||
BUTTON
|
||||
{
|
||||
background-color: rgb(102,102,102);
|
||||
border-color: rgb(204,204,204);
|
||||
color: white;
|
||||
}
|
||||
LABEL, .MSTHEME-LABEL
|
||||
{
|
||||
color: rgb(0,0,0);
|
||||
}
|
||||
TEXTAREA
|
||||
{
|
||||
border-color: rgb(102,102,102);
|
||||
color: black;
|
||||
}
|
||||
FIELDSET
|
||||
{
|
||||
border-color: rgb(102,102,102);
|
||||
color: black;
|
||||
}
|
||||
LEGEND
|
||||
{
|
||||
color: rgb(102,102,102);
|
||||
}
|
||||
SELECT
|
||||
{
|
||||
border-color: rgb(102,102,102);
|
||||
color: black;
|
||||
}
|
||||
TABLE
|
||||
{
|
||||
border-color: rgb(102,102,102);
|
||||
color: rgb(0,0,0);
|
||||
table-border-color-light: rgb(204,204,204);
|
||||
table-border-color-dark: rgb(102,102,102);
|
||||
}
|
||||
CAPTION
|
||||
{
|
||||
color: rgb(102,102,102);
|
||||
}
|
||||
TH
|
||||
{
|
||||
color: rgb(0,0,0);
|
||||
}
|
||||
HR
|
||||
{
|
||||
color: rgb(102,102,102);
|
||||
}
|
||||
TD
|
||||
{
|
||||
border-color: rgb(102,102,102);
|
||||
}
|
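Review bot: this is a generated FrontPage theme stylesheet rather than Shorewall documentation (the `.MSTHEME-LABEL` selector, the `marquee` rule and the non-standard `table-border-color-light` / `table-border-color-dark` properties are the tell), and the next hunk is the same 93-line file with only the colour values changed. Both are safe to drop along with the HTML that referenced them, but it would help review to separate the generated-theme deletions (.css, .inf and the image files) from the hand-written .htm deletions, either in the commit message or as a separate commit, since only the latter need a destination.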
@ -1,93 +0,0 @@
|
||||
a:link
|
||||
{
|
||||
color: rgb(102,102,204);
|
||||
}
|
||||
a:visited
|
||||
{
|
||||
color: rgb(153,102,102);
|
||||
}
|
||||
a:active
|
||||
{
|
||||
color: rgb(102,153,153);
|
||||
}
|
||||
body
|
||||
{
|
||||
color: rgb(0,0,0);
|
||||
background-color: rgb(255,255,255);
|
||||
}
|
||||
h1
|
||||
{
|
||||
color: rgb(102,102,204);
|
||||
}
|
||||
h2, marquee
|
||||
{
|
||||
color: rgb(102,102,204);
|
||||
}
|
||||
h3
|
||||
{
|
||||
color: rgb(102,102,204);
|
||||
}
|
||||
h4
|
||||
{
|
||||
color: rgb(102,102,204);
|
||||
}
|
||||
h5
|
||||
{
|
||||
color: rgb(102,102,204);
|
||||
}
|
||||
h6
|
||||
{
|
||||
color: rgb(102,102,204);
|
||||
}
|
||||
BUTTON
|
||||
{
|
||||
background-color: rgb(102,102,204);
|
||||
border-color: rgb(153,153,255);
|
||||
color: white;
|
||||
}
|
||||
LABEL, .MSTHEME-LABEL
|
||||
{
|
||||
color: rgb(0,0,0);
|
||||
}
|
||||
TEXTAREA
|
||||
{
|
||||
border-color: rgb(51,0,153);
|
||||
color: black;
|
||||
}
|
||||
FIELDSET
|
||||
{
|
||||
border-color: rgb(51,0,153);
|
||||
color: black;
|
||||
}
|
||||
LEGEND
|
||||
{
|
||||
color: rgb(102,102,204);
|
||||
}
|
||||
SELECT
|
||||
{
|
||||
border-color: rgb(51,0,153);
|
||||
color: black;
|
||||
}
|
||||
TABLE
|
||||
{
|
||||
border-color: rgb(51,0,153);
|
||||
color: rgb(0,0,0);
|
||||
table-border-color-light: rgb(153,153,255);
|
||||
table-border-color-dark: rgb(51,0,153);
|
||||
}
|
||||
CAPTION
|
||||
{
|
||||
color: rgb(102,102,204);
|
||||
}
|
||||
TH
|
||||
{
|
||||
color: rgb(0,0,0);
|
||||
}
|
||||
HR
|
||||
{
|
||||
color: rgb(102,102,204);
|
||||
}
|
||||
TD
|
||||
{
|
||||
border-color: rgb(51,0,153);
|
||||
}
|
@ -1,70 +0,0 @@
|
||||
.mstheme
|
||||
{
|
||||
nav-banner-image: url(radbnr.gif);
|
||||
separator-image: url(radrule.gif);
|
||||
list-image-1: url(radbul1.gif);
|
||||
list-image-2: url(radbul2.gif);
|
||||
list-image-3: url(radbul3.gif);
|
||||
navbutton-horiz-pushed: url(radhsel.gif);
|
||||
navbutton-horiz-normal: url(radhbtn.gif);
|
||||
navbutton-vert-pushed: url(radvsel.gif);
|
||||
navbutton-vert-normal: url(radvbtn.gif);
|
||||
navbutton-home-normal: url(radhom.gif);
|
||||
navbutton-up-normal: url(radup.gif);
|
||||
navbutton-prev-normal: url(radbck.gif);
|
||||
navbutton-next-normal: url(radnxt.gif);
|
||||
}
|
||||
.mstheme-bannertxt
|
||||
{
|
||||
font-family: times new roman, Times New Roman, Times;
|
||||
font-size: 6;
|
||||
color: rgb(255,255,255);
|
||||
}
|
||||
.mstheme-horiz-navtxt
|
||||
{
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-size: 1;
|
||||
color: rgb(51,102,102);
|
||||
}
|
||||
.mstheme-vert-navtxt
|
||||
{
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-size: 1;
|
||||
color: rgb(51,102,102);
|
||||
}
|
||||
.mstheme-navtxthome
|
||||
{
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-size: 1;
|
||||
color: rgb(51,102,102);
|
||||
}
|
||||
.mstheme-navtxtup
|
||||
{
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-size: 1;
|
||||
color: rgb(51,102,102);
|
||||
}
|
||||
.mstheme-navtxtprev
|
||||
{
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-size: 1;
|
||||
color: rgb(51,102,102);
|
||||
}
|
||||
.mstheme-navtxtnext
|
||||
{
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-size: 1;
|
||||
color: rgb(51,102,102);
|
||||
}
|
||||
UL
|
||||
{
|
||||
list-style-image: url(radbul1.gif);
|
||||
}
|
||||
UL UL
|
||||
{
|
||||
list-style-image: url(radbul2.gif);
|
||||
}
|
||||
UL UL UL
|
||||
{
|
||||
list-style-image: url(radbul3.gif);
|
||||
}
|
@ -1,80 +0,0 @@
|
||||
.mstheme
|
||||
{
|
||||
nav-banner-image: url(aradbnr.gif);
|
||||
separator-image: url(aradrule.gif);
|
||||
list-image-1: url(aradbul1.gif);
|
||||
list-image-2: url(aradbul2.gif);
|
||||
list-image-3: url(aradbul3.gif);
|
||||
navbutton-horiz-pushed: url(aradhsel.gif);
|
||||
navbutton-horiz-normal: url(aradhbtn.gif);
|
||||
navbutton-horiz-hovered: url(aradhhov.gif);
|
||||
navbutton-vert-pushed: url(aradvsel.gif);
|
||||
navbutton-vert-normal: url(aradvbtn.gif);
|
||||
navbutton-vert-hovered: url(aradvhov.gif);
|
||||
navbutton-home-normal: url(aradhom.gif);
|
||||
navbutton-home-hovered: url(aradhomh.gif);
|
||||
navbutton-home-pushed: url(blhomep.gif);
|
||||
navbutton-up-normal: url(aradup.gif);
|
||||
navbutton-up-hovered: url(araduph.gif);
|
||||
navbutton-up-pushed: url(blupp.gif);
|
||||
navbutton-prev-normal: url(aradbck.gif);
|
||||
navbutton-prev-hovered: url(aradbckh.gif);
|
||||
navbutton-prev-pushed: url(blprevp.gif);
|
||||
navbutton-next-normal: url(aradnxt.gif);
|
||||
navbutton-next-hovered: url(aradnxth.gif);
|
||||
navbutton-next-pushed: url(blnextp.gif);
|
||||
}
|
||||
.mstheme-bannertxt
|
||||
{
|
||||
font-family: times new roman, Times New Roman, Times;
|
||||
font-size: 6;
|
||||
color: rgb(255,255,255);
|
||||
}
|
||||
.mstheme-horiz-navtxt
|
||||
{
|
||||
font-family: Arial, Arial, Helvetica;
|
||||
font-size: 1;
|
||||
color: rgb(102,102,204);
|
||||
}
|
||||
.mstheme-vert-navtxt
|
||||
{
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-size: 1;
|
||||
color: rgb(102,102,204);
|
||||
}
|
||||
.mstheme-navtxthome
|
||||
{
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-size: 1;
|
||||
color: rgb(102,102,102);
|
||||
}
|
||||
.mstheme-navtxtup
|
||||
{
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-size: 1;
|
||||
color: rgb(102,102,102);
|
||||
}
|
||||
.mstheme-navtxtprev
|
||||
{
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-size: 1;
|
||||
color: rgb(102,102,102);
|
||||
}
|
||||
.mstheme-navtxtnext
|
||||
{
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-size: 1;
|
||||
color: rgb(102,102,102);
|
||||
}
|
||||
UL
|
||||
{
|
||||
list-style-image:url(aradbul1.gif);
|
||||
}
|
||||
UL UL
|
||||
{
|
||||
list-style-image:url(aradbul2.gif);
|
||||
}
|
||||
UL UL UL
|
||||
{
|
||||
list-style-image:url(aradbul3.gif);
|
||||
}
|
@ -1,38 +0,0 @@
|
||||
[info]
|
||||
refcount=2
|
||||
version=3.00
|
||||
readonly=true
|
||||
codepage=65001
|
||||
format=2.00
|
||||
title=Radial
|
||||
[titles]
|
||||
1033=Radial
|
||||
1069=Radyal
|
||||
1046=Radial
|
||||
1050=Poluzaobljenja
|
||||
1029=Oblouky
|
||||
1030=Radial
|
||||
1043=Radiaal
|
||||
1036=Transversal
|
||||
1035=Säde
|
||||
1031=Radial
|
||||
1032=Ακτίνες
|
||||
1038=Kerekített
|
||||
2070=Radial
|
||||
1040=Radiale
|
||||
1044=Radiell
|
||||
1045=Wiraże
|
||||
1048=Radial
|
||||
1049=Закругление
|
||||
1051=Lúče
|
||||
1060=Zaobljena
|
||||
3082=Radial
|
||||
1053=Radie
|
||||
1055=Radyal
|
||||
1041=半円
|
||||
1042=캡슐 구성
|
||||
1028=交織如梭
|
||||
2052=射线
|
||||
1037=מוקדי
|
||||
1054=เป็นรัศมี
|
||||
1025=شعاعي
|
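Review bot: this `[info]` / `[titles]` block is a FrontPage theme descriptor (title=Radial, readonly=true, codepage=65001, localized titles keyed by Windows LCID) and the hunk that follows is a byte-for-byte duplicate of it; nothing documentation-related is lost here, which confirms these were theme artifacts checked in alongside the HTML rather than content, and the duplicate pair can be removed together without further comment.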
@ -1,38 +0,0 @@
|
||||
[info]
|
||||
refcount=2
|
||||
version=3.00
|
||||
readonly=true
|
||||
codepage=65001
|
||||
format=2.00
|
||||
title=Radial
|
||||
[titles]
|
||||
1033=Radial
|
||||
1069=Radyal
|
||||
1046=Radial
|
||||
1050=Poluzaobljenja
|
||||
1029=Oblouky
|
||||
1030=Radial
|
||||
1043=Radiaal
|
||||
1036=Transversal
|
||||
1035=Säde
|
||||
1031=Radial
|
||||
1032=Ακτίνες
|
||||
1038=Kerekített
|
||||
2070=Radial
|
||||
1040=Radiale
|
||||
1044=Radiell
|
||||
1045=Wiraże
|
||||
1048=Radial
|
||||
1049=Закругление
|
||||
1051=Lúče
|
||||
1060=Zaobljena
|
||||
3082=Radial
|
||||
1053=Radie
|
||||
1055=Radyal
|
||||
1041=半円
|
||||
1042=캡슐 구성
|
||||
1028=交織如梭
|
||||
2052=射线
|
||||
1037=מוקדי
|
||||
1054=เป็นรัศมี
|
||||
1025=شعاعي
|
@ -1,549 +0,0 @@
|
||||
.mstheme
|
||||
{
|
||||
navbutton-background-color: rgb(255,255,255);
|
||||
top-bar-button: url(radglobl.gif);
|
||||
}
|
||||
.mstheme-topbar-font
|
||||
{
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-size: 1;
|
||||
color: rgb(51,102,102);
|
||||
}
|
||||
body
|
||||
{
|
||||
font-family: arial, Arial, Helvetica;
|
||||
background-image: url(radbkgnd.gif);
|
||||
}
|
||||
h1
|
||||
{
|
||||
font-family: times new roman, Times New Roman, Times;
|
||||
font-weight: normal;
|
||||
font-style: normal;
|
||||
font-size: 24pt;
|
||||
}
|
||||
h2
|
||||
{
|
||||
font-family: times new roman, Times New Roman, Times;
|
||||
font-weight: normal;
|
||||
font-style: normal;
|
||||
font-size: 18pt;
|
||||
}
|
||||
h3
|
||||
{
|
||||
font-family: times new roman, Times New Roman, Times;
|
||||
font-weight: normal;
|
||||
font-style: normal;
|
||||
font-size: 14pt;
|
||||
}
|
||||
h4
|
||||
{
|
||||
font-family: times new roman, Times New Roman, Times;
|
||||
font-weight: normal;
|
||||
font-style: normal;
|
||||
font-size: 12pt;
|
||||
}
|
||||
h5
|
||||
{
|
||||
font-family: times new roman, Times New Roman, Times;
|
||||
font-weight: normal;
|
||||
font-style: normal;
|
||||
font-size: 10pt;
|
||||
}
|
||||
h6
|
||||
{
|
||||
font-family: times new roman, Times New Roman, Times;
|
||||
font-weight: normal;
|
||||
font-style: normal;
|
||||
font-size: 8pt;
|
||||
}
|
||||
BUTTON
|
||||
{
|
||||
border-style: solid;
|
||||
border-width: 1pt;
|
||||
font-size: 8pt;
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-style: normal;
|
||||
}
|
||||
LABEL, .MSTHEME-LABEL
|
||||
{
|
||||
font-size: 8pt;
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-style:normal;
|
||||
}
|
||||
TEXTAREA
|
||||
{
|
||||
border-style: solid;
|
||||
border-width: 1pt;
|
||||
font-size: 8pt;
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-style: normal;
|
||||
}
|
||||
FIELDSET
|
||||
{
|
||||
border-style: solid;
|
||||
border-width: 1pt;
|
||||
font-size: 8pt;
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-style: normal;
|
||||
}
|
||||
LEGEND
|
||||
{
|
||||
font-size: 8pt;
|
||||
font-family: times new roman, Times New Roman, Times;
|
||||
font-style: normal;
|
||||
}
|
||||
SELECT
|
||||
{
|
||||
border-style: solid;
|
||||
border-width: 1pt;
|
||||
font-size: 8pt;
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-style: normal;
|
||||
}
|
||||
TABLE
|
||||
{
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-style: normal;
|
||||
}
|
||||
CAPTION
|
||||
{
|
||||
font-size: 14pt;
|
||||
font-family: times new roman, Times New Roman, Times;
|
||||
font-style: normal;
|
||||
}
|
||||
TH
|
||||
{
|
||||
font-family: arial, Arial, Helvetica;
|
||||
font-style: normal;
|
||||
}
|
||||
MARQUEE
|
||||
{
|
||||
font-size: 14pt;
|
||||
font-family: arial, Arial, Helvetica;
|
||||
}
|
||||
.ms-main {
|
||||
border-right: 0 solid #cccccc;
|
||||
}
|
||||
.ms-bannerframe {
|
||||
background-color: #6666cc;
|
||||
}
|
||||
.ms-banner {
|
||||
color: #ffffff;
|
||||
font-size: 9pt;
|
||||
font-family: Arial, sans-serif;
|
||||
}
|
||||
.ms-banner a:link {
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 9pt;
|
||||
color: #ffffff;
|
||||
font-weight: normal;
|
||||
text-decoration: none;
|
||||
}
|
||||
.ms-banner a:visited {
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 9pt;
|
||||
color: #ffffff;
|
||||
font-weight: normal;
|
||||
text-decoration: none;
|
||||
}
|
||||
.ms-nav td {
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 9pt;
|
||||
font-weight: normal;
|
||||
color: #000000;
|
||||
}
|
||||
.ms-nav th {
|
||||
font-size: 9pt;
|
||||
font-family: Arial, sans-serif;
|
||||
font-weight: normal;
|
||||
text-align: left;
|
||||
color: #000000;
|
||||
}
|
||||
.ms-navframe {
|
||||
color: #000000;
|
||||
}
|
||||
.ms-nav a {
|
||||
text-decoration: none;
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 9pt;
|
||||
font-weight: normal;
|
||||
color: #6666ff;
|
||||
}
|
||||
.ms-nav a:link {
|
||||
}
|
||||
.ms-nav a:hover {
|
||||
text-decoration: underline;
|
||||
color: #66cccc;
|
||||
}
|
||||
.ms-nav a:visited {
|
||||
color: #993333;
|
||||
}
|
||||
.ms-verticaldots {
|
||||
background-image: url(bluedot.gif);
|
||||
background-position: right;
|
||||
background-repeat: repeat-y;
|
||||
}
|
||||
.ms-viewselect A:link{
|
||||
font-size: 9pt;
|
||||
font-family: Arial, sans-serif;
|
||||
color: #6666ff;
|
||||
}
|
||||
.ms-titlearea {
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 9pt;
|
||||
color: #000000;
|
||||
}
|
||||
.ms-titleareaframe {
|
||||
color: #000000;
|
||||
}
|
||||
.ms-pagetitle {
|
||||
color: #669999;
|
||||
font-family: Times New Roman, serif;
|
||||
font-size: 1.25em;
|
||||
font-weight: bold;
|
||||
}
|
||||
.ms-pagetitle a {
|
||||
text-decoration:underline;
|
||||
color: #669999;
|
||||
}
|
||||
.ms-pagetitle a:hover {
|
||||
text-decoration: underline;
|
||||
color: #669999;
|
||||
}
|
||||
.ms-announcementtitle {
|
||||
font-weight: normal;
|
||||
}
|
||||
|
||||
.ms-formlabel {
|
||||
text-align: left;
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 9pt;
|
||||
font-weight: normal;
|
||||
color: #000000;
|
||||
}
|
||||
.ms-formdescription a {
|
||||
color: #6666ff;
|
||||
text-decoration: underline;
|
||||
}
|
||||
.ms-formbody {
|
||||
text-align: left;
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 9pt;
|
||||
}
|
||||
.ms-formdescription
|
||||
{
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 9pt;
|
||||
color: #000000;
|
||||
}
|
||||
.ms-radiotext {
|
||||
cursor:default;
|
||||
text-align: left;
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 10pt;
|
||||
height: 19px;
|
||||
}
|
||||
.ms-searchbox {
|
||||
width: 100%;
|
||||
}
|
||||
.ms-input {
|
||||
font-size: 9pt;
|
||||
font-family: Arial, sans-serif;
|
||||
vertical-align: baseline;
|
||||
}
|
||||
.ms-long {
|
||||
font-size: 9pt;
|
||||
font-family: Arial, sans-serif;
|
||||
width: 300px;
|
||||
}
|
||||
.ms-wvsel {
|
||||
color: #3366cc;
|
||||
}
|
||||
.ms-selected {
|
||||
background-color: #6666cc;
|
||||
color: #ffffff;
|
||||
}
|
||||
.ms-selected SPAN {
|
||||
color: #ffffff;
|
||||
}
|
||||
.ms-filedialog TD {
|
||||
height: 16px;
|
||||
}
|
||||
.ms-descriptiontext {
|
||||
color: #000000;
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 9pt;
|
||||
}
|
||||
.ms-descriptiontext a {
|
||||
color: #6666ff;
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 9pt;
|
||||
}
|
||||
.ms-toolbar {
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 9pt;
|
||||
text-decoration: none;
|
||||
color: #669999;
|
||||
}
|
||||
.ms-separator {
|
||||
color: #996666;
|
||||
font-size: 10pt;
|
||||
}
|
||||
.ms-authoringcontrols{
|
||||
background-color: #f2f2f2;
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 9pt;
|
||||
color: #000000;
|
||||
}
|
||||
.ms-sectionheader{
|
||||
color: #669999;
|
||||
font-family: Times New Roman, serif;
|
||||
font-size: 12pt;
|
||||
font-weight: normal;
|
||||
}
|
||||
.ms-sectionline
|
||||
{
|
||||
background-color: #6666cc;
|
||||
height: 1px;
|
||||
}
|
||||
.ms-propertysheet {
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 9pt;
|
||||
}
|
||||
.ms-propertysheet th {
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 9pt;
|
||||
color: #000000;
|
||||
font-weight: normal;
|
||||
}
|
||||
.ms-propertysheet a {
|
||||
text-decoration: none;
|
||||
color: #6666ff;
|
||||
}
|
||||
.ms-propertysheet a:hover {
|
||||
text-decoration: underline;
|
||||
color: #66cccc;
|
||||
}
|
||||
.ms-propertysheet a:visited {
|
||||
text-decoration: none;
|
||||
color: #993333;
|
||||
}
|
||||
.ms-propertysheet a:visited:hover {
|
||||
text-decoration: underline;
|
||||
}
|
||||
.ms-itemheader a {
|
||||
font-size: 10pt;
|
||||
font-family: Arial, sans-serif;
|
||||
font-weight: normal;
|
||||
color: #6666ff;
|
||||
text-decoration: none;
|
||||
}
|
||||
.ms-itemheader a:hover {
|
||||
text-decoration: underline;
|
||||
color: #66cccc;
|
||||
}
|
||||
.ms-itemheader a:visited {
|
||||
text-decoration: none;
|
||||
color: #993333;
|
||||
}
|
||||
.ms-itemheader a:visited:hover {
|
||||
text-decoration: underline;
|
||||
}
|
||||
.ms-discussiontitle {
|
||||
font-size: 12pt;
|
||||
font-family: Times New Roman, serif;
|
||||
color: #000000;
|
||||
font-weight: normal;
|
||||
}
|
||||
.ms-vh {
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 9pt;
|
||||
color: #000000;
|
||||
text-align: left;
|
||||
text-decoration: none;
|
||||
font-weight: normal;
|
||||
}
|
||||
.ms-vh a {
|
||||
color: #6666ff;
|
||||
text-decoration: none;
|
||||
}
|
||||
.ms-vh a:hover {
|
||||
text-decoration: underline;
|
||||
}
|
||||
.ms-vb{
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: 9pt;
|
||||
height: 18px;
|
||||
vertical-align: top;
|
||||
}
|
||||
.ms-vb a {
|
||||
color: #6666ff;
|
||||
text-decoration: none;
|
||||
}
|
||||
.ms-vb a:hover {
|
||||
color: #66cccc;
|
||||
text-decoration: underline;
|
||||
}
|
||||
.ms-vb a:visited {
|
||||
color: #993333;
|
||||
text-decoration: none;
|
||||
}
|
||||
.ms-vb a:visited:hover {
|
||||
text-decoration: underline;
|
||||
}
|
||||
.ms-homepagetitle {
|
||||
font-family: Time New Roman, serif;
|
||||
font-size: 12pt;
|
||||
color: #000000;
|
||||
font-weight: bold;
|
||||
text-decoration: none;
|
||||
}
|
||||
.ms-homepagetitle:Hover {
|
||||
text-decoration: underline;
|
||||
color: #000000;
|
||||
}
|
||||
.ms-addnew {
|
||||
font-weight: normal;
|
||||
font-family: Arial, sans-serif;
|
||||
font-size: .68em;
|
||||
color: #669999;
|
||||
text-decoration: none;
|
||||
}
|
||||
.ms-cal {
|
||||
border-collapse:collapse;
|
||||
table-layout:fixed;
|
||||
font-family: Arial, sans-serif;
|
||||
cursor:default;
|
||||
}
|
||||
.ms-caltop {
|
||||
border-top:1px solid black;
|
||||
border-left:1px solid black;
|
||||
border-right:1px solid black;
|
||||
vertical-align:top;
|
||||
font-size: 10pt;
|
||||
width: 14%;
|
||||
height:30px;
|
||||
}
|
||||
.ms-calhead {
|
||||
border:none;
|
||||
text-align:center;
|
||||
background-color: #6666cc;
|
||||
color: #ffffff;
|
||||
font-size: 16pt;
|
||||
font-family: Arial, sans-serif;
|
||||
padding: 2px;
|
||||
}
|
||||
.ms-caldow {
|
||||
border-top:1px solid black;
|
||||
border-left:1px solid black;
|
||||
border-right:1px solid black;
|
||||
vertical-align:top;
|
||||
text-align:center;
|
||||
font-weight: bold;
|
||||
font-size: 10pt;
|
||||
height:20px;
|
||||
}
|
||||
.ms-calmid {
|
||||
border-left:1px solid black;
|
||||
border-right:1px solid black;
|
||||
height:20px;
|
||||
}
|
||||
.ms-calspacer {
|
||||
border-left:1px solid black;
|
||||
border-right:1px solid black;
|
||||
height:4px;
|
||||
}
|
||||
.ms-calbot {
|
||||
border-top:none;
|
||||
border-left:1px solid black;
|
||||
border-right:1px solid black;
|
||||
border-bottom:1px solid black;
|
||||
height:2px;
|
||||
}
|
||||
.ms-appt a {
|
||||
color: #000000;
|
||||
}
|
||||
.ms-appt a:hover {
|
||||
color: red;
|
||||
}
|
||||
.ms-appt {
|
||||
border:2px solid #669999;
|
||||
text-align:center;
|
||||
vertical-align: middle;
|
||||
font-size:8pt;
|
||||
height:18px;
|
||||
overflow:hidden;
|
||||
background-color: #cccccc;
|
||||
color: black;
|
||||
}
|
||||
.ms-caldowdown {
|
||||
font-family: Arial, sans-serif;
|
||||
font-weight: bold;
|
||||
color: #000000;
|
||||
text-align: center;
|
||||
vertical-align: middle;
|
||||
}
|
||||
.ms-caldown {
|
||||
font-size: 8pt;
|
||||
color: #000000;
|
||||
text-align: left;
|
||||
vertical-align: top;
|
||||
}
|
||||
.ms-datepickeriframe {
|
||||
position:absolute;
|
||||
display:none;
|
||||
background:white;
|
||||
}
|
||||
.ms-datepicker {
|
||||
font-family: Arial, sans-serif;
|
||||
background-color: #ffffff;
|
||||
border: 2 outset activeborder;
|
||||
cursor:default;
|
||||
}
|
||||
.ms-dpdow {
|
||||
border:none;
|
||||
vertical-align:top;
|
||||
text-align:center;
|
||||
font-weight: bold;
|
||||
font-size: 8pt;
|
||||
border-bottom:1px solid black;
|
||||
}
|
||||
.ms-dpday {
|
||||
border:none;
|
||||
font-size: 8pt;
|
||||
text-align: center;
|
||||
}
|
||||
.ms-dpselectedday {
|
||||
border:none;
|
||||
background-color:#cccccc;
|
||||
font-size: 8pt;
|
||||
text-align: center;
|
||||
}
|
||||
.ms-dpnonmonth {
|
||||
color:gray;
|
||||
border:none;
|
||||
font-size: 8pt;
|
||||
text-align: center;
|
||||
}
|
||||
.ms-dphead {
|
||||
border:none;
|
||||
text-align:center;
|
||||
font-weight: bold;
|
||||
font-size: 8pt;
|
||||
background-color: #669999;
|
||||
color: #ffffff;
|
||||
}
|
||||
.ms-dpfoot {
|
||||
text-align:center;
|
||||
font-size: 8pt;
|
||||
text-align: center;
|
||||
font-style: italic;
|
||||
border-top:1px solid;
|
||||
border-left:none;
|
||||
border-bottom:none;
|
||||
border-right:none;
|
||||
height:24px;
|
||||
}
|
||||
IMG.ms-button {
|
||||
cursor:hand;
|
||||
}
|
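Review bot: nothing in the stylesheet removed by this hunk needs to be preserved, since it is largely non-standard IE-era CSS (`cursor:hand;` under `IMG.ms-button`, `border: 2 outset activeborder;` under `.ms-datepicker`, and the misspelt `font-family: Time New Roman, serif;` under `.ms-homepagetitle`), but before merging confirm that no page left in the tree still references the `.ms-*` class names (`.ms-vb`, `.ms-propertysheet`, `.ms-cal*`, `.ms-dp*`); a page whose stylesheet disappears renders unstyled without any error being reported, so such a leftover would go unnoticed.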
@ -1,350 +0,0 @@
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||||
<title>Shorewall QuickStart Guide</title>
|
||||
<meta name="Microsoft Theme" content="radial 011">
|
||||
</head>
|
||||
|
||||
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
|
||||
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall QuickStart Guide<br>
|
||||
Version 1.3-2<!--mstheme--></font></h1>
|
||||
|
||||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Introduction<!--mstheme--></font></h2>
|
||||
<p>One of the design goals of Shorewall was that "it should be simple to do
|
||||
simple things". With that in mind, I've written this QuickStart guide to
|
||||
demonstrate how easy it is to configure common firewall setups.</p>
|
||||
<p>This guide doesn't attempt to acquaint you with all of the features of
|
||||
Shorewall. It rather focuses on what is required to configure Shorewall in three
|
||||
common basic configurations. If you don't find what you are looking for in this
|
||||
Guide, check the <a target="_top" href="Documentation_Index.htm">Shorewall Documentation</a>.</p>
|
||||
<p>This guide assumes that you have the iproute/iproute2 package installed (on
|
||||
RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if this
|
||||
package is installed by the presence of an <b>ip</b> program on your firewall
|
||||
system. As root, you can use the 'which' command to check for this program:</p>
|
||||
<!--mstheme--></font><pre> [root@gateway root]# which ip
|
||||
/sbin/ip
|
||||
[root@gateway root]# </pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>After you have <a href="Install.htm">installed Shorewall</a>, simply pick the sample
|
||||
configuration that best fits your needs and copy the files to
|
||||
/etc/shorewall. Next modify /etc/shorewall/interfaces and /etc/shorewall/masq to
|
||||
match your setup as described below. If you have servers, you will also need to
|
||||
modify /etc/shorewall/rules.</p>
|
||||
<p>Available samples include:</p>
|
||||
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
|
||||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="/pub/shorewall/LATEST.samples/one-interface.tgz">Standalone System</a><!--mstheme--></font><!--msthemelist--></td></tr>
|
||||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">Two-interface Masquerading Firewall</a><!--mstheme--></font><!--msthemelist--></td></tr>
|
||||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">Three-interface Masquerading Firewall with DMZ</a><!--mstheme--></font><!--msthemelist--></td></tr>
|
||||
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>All of these samples assume that you have a single external IP address - it
|
||||
may be static or dynamic. Configuring Shorewall with multiple external IP
|
||||
addresses is outside of the scope of this guide; see the
|
||||
<a target="_top" href="Documentation_Index.htm">Shorewall Documentation</a>.</p>
|
||||
<p><font color="#FF0000"><b>Do <u>not</u> try to install Shorewall on a remote
|
||||
system -- you will almost certainly end up not being able to communicate with
|
||||
that system. </b></font></p>
|
||||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Configuration Concepts<!--mstheme--></font></h2>
|
||||
<p>The configuration files for Shorewall are contained in the directory
|
||||
/etc/shorewall -- for simple setups, you will only need to deal with a few of
|
||||
these as described in this guide. As each file is introduced, I suggest that you
|
||||
look through the actual file on your system -- each file contains detailed
|
||||
configuration instructions and default entries.</p>
|
||||
<p>Shorewall views the network where it is running as being composed of a set of
|
||||
<i>zones.</i> In the sample configurations, the following zone names are used:</p>
|
||||
<!--mstheme--></font><table border="0" style="border-collapse: collapse" cellpadding="3" cellspacing="0" id="AutoNumber1">
|
||||
<tr>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Name</b></u><!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Description</b></u><!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>One Interface</b></u><!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Two Interfaces</b></u><!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Three Interfaces</b></u><!--mstheme--></font></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>net</b><!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>The Internet</b><!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>loc</b><!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>Your Local Network</b><!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica"> <!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>dmz</b><!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>Your demilitarized Zone</b><!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica"> <!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica"> <!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||||
</tr>
|
||||
</table><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>Shorewall also recognizes the firewall system as its own zone - by default,
|
||||
the firewall itself is known as <b>fw</b> although you can change that name in the
|
||||
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf </a>file. As
|
||||
shown in the above table, not all zones are available with all sample
|
||||
configurations.</p>
|
||||
<p>The simplest way to define a zone is to associate the zone with a
|
||||
network interface on your firewall system. You do that using the
|
||||
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file. So
|
||||
for a standalone system, you would associate your single network interface with
|
||||
<b>net</b>; on a two-interface firewall, you would associate one interface with
|
||||
<b>net</b> and one with <b>loc</b>; and on a three-interface firewall with DMZ,
|
||||
you would associate one interface with <b>net</b>, a second with <b>loc</b> and
|
||||
a third with <b>dmz</b>. The sample interfaces do this as follows:</p>
|
||||
<!--mstheme--></font><table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber2">
|
||||
<tr>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Zone</b></u><!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Interface</b></u><!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>One Interface</b></u><!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Two Interfaces</b></u><!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Three Interfaces</b></u><!--mstheme--></font></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth1<!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica"> <!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica">dmz<!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica"> <!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica"> <!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||||
</tr>
|
||||
</table><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>If your configuration doesn't match the sample then you will need to modify
|
||||
/etc/shorewall/interfaces.</p>
|
||||
<p>Rules about what traffic to allow and what traffic to deny are expressed in
|
||||
terms of zones.</p>
|
||||
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
|
||||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You express your default policy for connections from one zone to another
|
||||
zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You define exceptions to those default policies in the
|
||||
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The /etc/shorewall/rules file is also used to define port forwarding.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||||
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>For each connection request entering the firewall, the request is first checked against the
|
||||
/etc/shorewall/rules file. If the connection request doesn't match any rule in
|
||||
that file, the first policy in /etc/shorewall/policy that matches the
|
||||
|
||||
request is then applied. If the policy is DROP or REJECT then the connection
|
||||
request is passed through the rules in /etc/shorewall/common (the samples supply
|
||||
that file for you).</p>
|
||||
<p>If you have more than one interface and you have a single external IP address you will need to use
|
||||
either IP masquerade (if your IP address is dynamic) or Source Network Address
|
||||
Translation (SNAT). Whichever applies, you will define it in <a href="Documentation.htm#Masq">/etc/shorewall/masq</a>
|
||||
file. <b>Note:</b> This file is used to describe "many-to-one outbound NAT".
|
||||
Shorewall also supports one-to-one NAT using the /etc/shorewall/nat file but I recommend <u>against</u>
|
||||
one-to-one NAT in most applications unless you are willing to deal with the DNS
|
||||
issues involved. The two- and three-interface samples assume that you will be
|
||||
using IP masquerade as follows:</p>
|
||||
<!--mstheme--></font><table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber3">
|
||||
<tr>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Traffic coming in on this interface</b></u><!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Will be masqueraded if it goes out this interface</b></u><!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Two Interfaces</b></u><!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b><u>Three Interfaces</u></b><!--mstheme--></font></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth1<!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
|
||||
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica"> <!--mstheme--></font></td>
|
||||
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
|
||||
</tr>
|
||||
</table><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/interfaces<!--mstheme--></font></h2>
|
||||
<p>The detailed documentation for this file may be found
|
||||
<a href="Documentation.htm#Interfaces">here.</a> Entries in this file have four
|
||||
columns:</p>
|
||||
<ol>
|
||||
<li>The name of the zone that this interface connects to - this must be the
|
||||
name of a zone defined in the /etc/shorewall/zones file.</li>
|
||||
<li>The name of the interface.</li>
|
||||
<li>The broadcast address for the subnet on this interface. If you want
|
||||
Shorewall to detect this address for you, place 'detect' in that column.</li>
|
||||
<li>A comma-separated list of <a href="Documentation.htm#Interfaces">options</a> that apply to this interface.</li>
|
||||
</ol>
|
||||
<p>Some examples:</p>
|
||||
<p>Standalone system with ethernet interface to the internet.</p>
|
||||
<!--mstheme--></font><pre> net eth0 detect norfc1918,routefilter</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>Two interface system with eth0 connected to the local network and eth1
|
||||
connected to the internet. eth1 gets its IP address via DHCP.</p>
|
||||
<!--mstheme--></font><pre> loc eth0 detect routestopped
|
||||
net eth1 detect norfc1918,dhcp,routefilter</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>Three interface system with eth0 connected to the internet, eth1 connected to
|
||||
the DMZ and eth2 connected to the local network. eth0 gets its IP address via
|
||||
DHCP and the firewall runs a DHCP server for configuring local hosts (those
|
||||
connected to eth2).</p>
|
||||
<!--mstheme--></font><pre> net eth0 detect norfc1918,routefilter,dhcp
|
||||
dmz eth1 detect routestopped
|
||||
loc eth2 detect routestopped,dhcp</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>At this point, please edit /etc/shorewall/interfaces to match your setup.</p>
|
||||
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Some other considerations<!--mstheme--></font></h3>
|
||||
<p>If your primary internet interface uses PPPoE, PPP or PPTP then you will want
|
||||
to set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
|
||||
/etc/shorewall/shorewall.conf.</a></p>
|
||||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/policy<!--mstheme--></font></h2>
|
||||
<p>The /etc/shorewall/policy file documentation is
|
||||
<a href="Documentation.htm#Policy">here</a>. I recommend the following (which
|
||||
are
|
||||
in the standalone sample):</p>
|
||||
<p>Standalone system:</p>
|
||||
<!--mstheme--></font><pre> fw net ACCEPT
|
||||
all all DROP info</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>So by default, all connection requests from your firewall to the internet are
|
||||
accepted (allowed) and all other connection requests (i.e., those from the
|
||||
internet to your firewall) are dropped (ignored).</p>
|
||||
<p>Two and three interface firewalls:</p>
|
||||
<!--mstheme--></font><pre> loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<blockquote>
|
||||
<p>If you want your firewall system to have full access to servers on the
|
||||
internet, add the following rule before the last rule above (Note -- in the two-
|
||||
and three-interface samples, the line below is included but commented out).</p>
|
||||
</blockquote>
|
||||
<!--mstheme--></font><pre> fw net ACCEPT</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>The above policy will:</p>
|
||||
<ol>
|
||||
<li>allow all connection requests from your local network to the internet</li>
|
||||
<li>drop (ignore) all connection requests from the internet to your firewall
|
||||
or local network</li>
|
||||
<li>optionally accept all connection requests from the firewall to the
|
||||
internet (if you uncomment the additional policy)</li>
|
||||
<li>reject all other connection requests.</li>
|
||||
</ol>
|
||||
<p>At this point, edit your /etc/shorewall/policy and make any changes that you
|
||||
wish.</p>
|
||||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/masq<!--mstheme--></font></h2>
|
||||
<p>The /etc/shorewall/masq file (documentation <a href="Documentation.htm#Masq">
|
||||
here</a>) describes output many-to-one source Network Address Translation.</p>
|
||||
<p>If you have a static external IP address (assume 206.124.146.176 in these
|
||||
examples), then:</p>
|
||||
<blockquote>
|
||||
<p>Two interface firewall with eth0 interfacing to the internet and eth1
|
||||
interfacing to the local network:</p>
|
||||
</blockquote>
|
||||
<!--mstheme--></font><pre> eth0 eth1 206.124.146.176</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<blockquote>
|
||||
<p>Three interface firewall with eth0 interfacing to the internet, eth1
|
||||
interfacing to the DMZ and eth2 interfacing to the local network:</p>
|
||||
</blockquote>
|
||||
<!--mstheme--></font><pre> eth0 eth1 206.124.146.176
|
||||
eth0 eth2 206.124.146.176</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>If you have a dynamic internet IP address, simply omit the third column! So
|
||||
for the two interface firewall, your /etc/shorewall/masq file would have:</p>
|
||||
<!--mstheme--></font><pre> eth0 eth1</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>If you don't want to use IP masquerade or SNAT (two- and three-interface
|
||||
samples), simple delete the entry/entries from /etc/shorewall/masq.</p><p>At
|
||||
this point, edit your /etc/shorewall/masq file and change it to match your
|
||||
configuration.</p>
|
||||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/rules<!--mstheme--></font></h2>
|
||||
<p>The rules file (documentation <a href="Documentation.htm#Rules">here</a>) is
|
||||
probably the most important of the Shorewall configuration files.</p>
|
||||
<p>The general simplified format for an ACCEPT rule that doesn't involve port forwarding
|
||||
is:</p>
|
||||
<!--mstheme--></font><pre> ACCEPT <i><source zone> <dest zone>[:<server IP address>] <protocol> <port(s)></i></pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>Here are some rules that I recommend that everyone use (and that I've
|
||||
included in the samples):</p>
|
||||
<!--mstheme--></font><pre> ACCEPT fw net udp 53 # Accept DNS queries from your firewall to the internet
|
||||
ACCEPT fw net tcp 53 # " " " " " " " " "</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>You can omit these rules if your firewall to net policy is
|
||||
ACCEPT (In other words, if you uncommented the appropriate line in the policy
|
||||
file as described above).</p>
|
||||
<p>If you have three interfaces with a DMZ, you probably need DNS access to the
|
||||
net from your DMZ. To permit that, I've included:</p>
|
||||
<!--mstheme--></font><pre> ACCEPT dmz net udp 53
|
||||
ACCEPT dmz net tcp 53</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>If you run servers on your firewall system that you want to make accessible
|
||||
to internet clients, you need to include rules to permit that access (note that
|
||||
the default policy for net->fw in the policy file above is DROP which causes all
|
||||
inbound traffic to be ignored by default). For example, if you have a web server
|
||||
running on your firewall system, you would include the following rule:</p>
|
||||
<!--mstheme--></font><pre> ACCEPT net fw tcp 80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>With multiple local zones, you will probably want to open some ports between
|
||||
these zones.</p>
|
||||
<p>Example - You have server system 192.168.2.2 in your DMZ and you want to be
|
||||
able to access its FTP server from your local systems:</p>
|
||||
<!--mstheme--></font><pre> ACCEPT loc dmz:192.168.2.2 tcp ftp</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>For FTP to work properly, you will need kernel support for FTP connection
|
||||
tracking and NAT but all commercial 2.4 kernel's have such support built in.</p>
|
||||
<p>If you don't know which protocol and/or port that one of your applications
|
||||
uses, try looking <a href="ports.htm">here</a>.</p>
|
||||
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Port Forwarding<!--mstheme--></font></h3>
|
||||
<p>When you are using many-to-one network address translation
|
||||
outbound (IP masquerade or SNAT) and you want to allow connections from the internet to an
|
||||
internal server (either in your local zone or in your DMZ), then you need to use
|
||||
<i>port forwarding </i>(also known as Destination Network Address Translation or
|
||||
<b>DNAT</b>). Inbound connection requests are selective forwarded to internal systems
|
||||
based on rules that you supply.</p>
|
||||
<p>The general form of a simple port forwarding rule in
|
||||
/etc/shorewall/rules is:</p>
|
||||
<!--mstheme--></font><pre> DNAT net <i><server zone>:<server local ip address> <protocol> <port></i></pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>Example - you run a Web Server on your local zone at 192.168.1.5 and you want
|
||||
to forward incoming TCP port 80 to that system. You have a single external IP
|
||||
address:</p>
|
||||
<!--mstheme--></font><pre> DNAT net loc:192.168.1.5 tcp 80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>Example - you want to forward TCP port 80 to 192.168.2.4 in your DMZ and you
|
||||
want to allow access to that server from your local zone:</p>
|
||||
<!--mstheme--></font><pre> DNAT net dmz:192.168.2.4 tcp 80
|
||||
ACCEPT loc dmz:192.168.2.4 tcp 80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<blockquote>
|
||||
<p>If you have a static IP address (assume 206.124.146.176)
|
||||
and you want your local clients to be able to access your web server using that
|
||||
external address, you can use these entries instead:</p>
|
||||
</blockquote>
|
||||
<!--mstheme--></font><pre> DNAT net dmz:192.168.2.4 tcp 80
|
||||
DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>Example - You have a static external IP address (206.124.146.176) and you
|
||||
have DNS set up so that <a href="http://www.yourdomain.com">www.yourdomain.com</a>
|
||||
resolves to that address. You want to run a web server in your local network (I
|
||||
think that this is a BAD IDEA -- see <a href="FAQ.htm#faq2">FAQ 2</a>) on system
|
||||
192.168.1.4 and you want internet users and your local users to be able to
|
||||
access <a href="http://www.yourdomain.com">www.yourdomain.com</a>. Your
|
||||
firewall's internal IP address is 192.168.1.254 and is on eth1.</p>
|
||||
<!--mstheme--></font><pre> DNAT net loc:192.168.1.4 tcp 80
|
||||
DNAT loc loc:192.168.2.4 tcp 80 - 206.124.146.176:192.168.1.254</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<blockquote>
|
||||
<p>In addition, you must specify the<b> multi</b> option on eth1<b> </b>in
|
||||
/etc/shorewall/interfaces:</p>
|
||||
</blockquote>
|
||||
<!--mstheme--></font><pre> loc eth1 detect routestopped,multi</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||||
<p>If you have requirements for port forwarding beyond what is shown here (like
|
||||
forwarding to a different port number or redirecting to a proxy), see the
|
||||
<a href="Documentation.htm#Rules">rules file documentation</a>.</p>
|
||||
<p>At this point, please edit the /etc/shorewall/rules file and make any
|
||||
additions required by your setup.</p><p>You are now ready to start shorewall. If
|
||||
you encounter problems, see the <a href="troubleshoot.htm">troubleshooting
|
||||
information.</a></p>
|
||||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Starting and Stopping Your Firewall<!--mstheme--></font></h2><p>The firewall is started using the
|
||||
"shorewall start" command and stopped using "shorewall stop". When the firewall
|
||||
is stopped, routing is enabled on those interfaces that have the "routestopped"
|
||||
option specified in /etc/shorewall/interfaces. If you want to totally remove any
|
||||
trace of Shorewall from your Netfilter configuration, use "shorewall clear".</p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
|
||||
|
||||
<!--mstheme--></font></body>
|
||||
|
||||
</html>
|
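Review bot: the second DNAT rule in this hunk (`DNAT loc loc:192.168.2.4 tcp 80 - 206.124.146.176:192.168.1.254`) forwards local web traffic to 192.168.2.4, while the surrounding text and the first rule (`DNAT net loc:192.168.1.4 tcp 80`) name the web server as 192.168.1.4; if this page is being relocated rather than dropped, correct the loc-to-loc rule to 192.168.1.4 so both rules hit the same host. The page also links to FAQ.htm#faq2, Documentation.htm#Rules and troubleshoot.htm, and the commit message ("Remove documentation") gives no new location, so anything that links here will dangle until the destination is stated.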
@ -1,77 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Blacklisting Support</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">Shorewall Blacklisting Support<br>
|
||||
</h1>
|
||||
<p>Shorewall supports two different forms of blacklisting; static and
|
||||
dynamic.</p>
|
||||
<h2>Static Blacklisting</h2>
|
||||
<p>Shorewall static blacklisting support has the following
|
||||
configuration
|
||||
parameters:</p>
|
||||
<ul>
|
||||
<li>You specify whether you want packets from blacklisted hosts
|
||||
dropped or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
|
||||
setting in /etc/shorewall/shorewall.conf</li>
|
||||
<li>You specify whether you want packets from blacklisted hosts
|
||||
logged and at what syslog level using the <a
|
||||
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
|
||||
/etc/shorewall/shorewall.conf</li>
|
||||
<li>You list the IP addresses/subnets that you wish to blacklist in <a
|
||||
href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
|
||||
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL
|
||||
and
|
||||
Port numbers/Service names in the blacklist file.<br>
|
||||
</li>
|
||||
<li>You specify the interfaces whose incoming packets you want
|
||||
checked against the blacklist using the "<a
|
||||
href="Documentation.htm#Interfaces">blacklist</a>" option in
|
||||
/etc/shorewall/interfaces.</li>
|
||||
<li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
|
||||
href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
|
||||
</ul>
|
||||
<h2>Dynamic Blacklisting</h2>
|
||||
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic
|
||||
blacklisting doesn't use any configuration parameters but is rather
|
||||
controlled using /sbin/shorewall commands:</p>
|
||||
<ul>
|
||||
<li>drop <i><ip address list> </i>- causes packets from the
|
||||
listed IP addresses to be silently dropped by the firewall.</li>
|
||||
<li>reject <i><ip address list> </i>- causes packets from the
|
||||
listed IP addresses to be rejected by the firewall.</li>
|
||||
<li>allow <i><ip address list> </i>- re-enables receipt of
|
||||
packets from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
|
||||
command.</li>
|
||||
<li>save - save the dynamic blacklisting configuration so that it
|
||||
will be automatically restored the next time that the firewall is
|
||||
restarted.</li>
|
||||
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
|
||||
</ul>
|
||||
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
|
||||
in /etc/shorewall/interfaces.<br>
|
||||
<p>Example 1:</p>
|
||||
<pre> <b><font color="#009900">shorewall drop 192.0.2.124 192.0.2.125</font></b></pre>
|
||||
<p> Drops packets from hosts 192.0.2.124 and
|
||||
192.0.2.125</p>
|
||||
<p>Example 2:</p>
|
||||
<pre> <b><font color="#009900">shorewall allow 192.0.2.125</font></b></pre>
|
||||
<p> Reenables access from 192.0.2.125.</p>
|
||||
<p><font size="2">Last updated 7/27/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
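Review bot: this hunk deletes the only description of the dynamic blacklist commands (drop, reject, allow, save, show dynamic) and of the static blacklist controls BLACKLIST_DISPOSITION, BLACKLIST_LOGLEVEL, /etc/shorewall/blacklist and the interface "blacklist" option, which the text ties to anchors in Documentation.htm (#BLDisposition, #BLLoglevel, #Blacklist, #Interfaces); the commit message does not say where this content moves, so name the replacement page so those anchors and the inbound links can be updated. Two operational points in the deleted text should be carried over verbatim: dynamic blacklisting does not depend on the "blacklist" interface option, and dynamic entries are only restored across a restart if "save" was run, since a reader who misses the second one loses blocked hosts on the next restart.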
@ -1,335 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Configuration File Basics</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">Configuration Files<br>
|
||||
</h1>
|
||||
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
|
||||
configuration files on a system running Microsoft Windows, you <u>must</u>
|
||||
run them through <a
|
||||
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
|
||||
before you use them with Shorewall.</b></p>
|
||||
<h2><a name="Files"></a>Files</h2>
|
||||
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
|
||||
<ul>
|
||||
<li>/etc/shorewall/shorewall.conf - used to
|
||||
set several firewall parameters.</li>
|
||||
<li>/etc/shorewall/params - use this file to set shell variables that
|
||||
you will expand in other files.</li>
|
||||
<li>/etc/shorewall/zones - partition the firewall's view of the world
|
||||
into <i>zones.</i></li>
|
||||
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
|
||||
<li>/etc/shorewall/interfaces - describes the interfaces on the
|
||||
firewall system.</li>
|
||||
<li>/etc/shorewall/hosts - allows defining zones in terms of
|
||||
individual hosts and subnetworks.</li>
|
||||
<li>/etc/shorewall/masq - directs the firewall where to use
|
||||
many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading)
|
||||
and Source Network Address Translation (SNAT).</li>
|
||||
<li>/etc/shorewall/modules - directs the firewall to load kernel
|
||||
modules.</li>
|
||||
<li>/etc/shorewall/rules - defines rules that are exceptions to the
|
||||
overall policies established in /etc/shorewall/policy.</li>
|
||||
<li>/etc/shorewall/nat - defines static NAT
|
||||
rules.</li>
|
||||
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
|
||||
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
|
||||
hosts accessible when Shorewall is stopped.</li>
|
||||
<li>/etc/shorewall/tcrules - defines marking of packets for later use
|
||||
by traffic control/shaping or policy routing.</li>
|
||||
<li>/etc/shorewall/tos - defines rules for setting the TOS field in
|
||||
packet headers.</li>
|
||||
<li>/etc/shorewall/tunnels - defines IPSEC,
|
||||
GRE and IPIP tunnels with end-points on the firewall system.</li>
|
||||
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
|
||||
addresses.</li>
|
||||
<li>/etc/shorewall/init - commands that you wish to execute at
|
||||
the beginning of a "shorewall start" or "shorewall restart".</li>
|
||||
<li>/etc/shorewall/start - commands that you wish to execute at the
|
||||
completion of a "shorewall start" or "shorewall restart"</li>
|
||||
<li>/etc/shorewall/stop - commands that you wish to execute at
|
||||
the beginning of a "shorewall stop".</li>
|
||||
<li>/etc/shorewall/stopped - commands that you wish to execute
|
||||
at the completion of a "shorewall stop".</li>
|
||||
<li>/etc/shorewall/ecn - disable Explicit Congestion Notification
|
||||
(ECN - RFC 3168) to remote hosts or networks.</li>
|
||||
<li>/etc/shorewall/accounting - define IP traffic accounting rules</li>
|
||||
<li>/etc/shorewall/usersets and /etc/shorewall/users - define sets of
|
||||
users/groups with
|
||||
similar access rights<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h2>Comments</h2>
|
||||
<p>You may place comments in configuration files by making the first
|
||||
non-whitespace character a pound sign ("#"). You may also place
|
||||
comments at the end of any line, again by delimiting the comment from
|
||||
the
|
||||
rest of the line with a pound sign.</p>
|
||||
<p>Examples:</p>
|
||||
<pre># This is a comment</pre>
|
||||
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
|
||||
<h2><a name="Continuation"></a>Line Continuation</h2>
|
||||
<p>You may continue lines in the configuration files using the usual
|
||||
backslash ("\") followed immediately by a new line character.</p>
|
||||
<p>Example:</p>
|
||||
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
|
||||
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE
|
||||
Directive</h2>
|
||||
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE
|
||||
directives. An INCLUDE directive consists of the word INCLUDE followed
|
||||
by a file name and causes the contents of the named file to be
|
||||
logically included into the file containing the INCLUDE. File names
|
||||
given in an INCLUDE directive are assumed to reside in /etc/shorewall
|
||||
or in an alternate configuration directory if one has been specified
|
||||
for the command.<br>
|
||||
<br>
|
||||
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
|
||||
directives are ignored with a warning message.<big><big><br>
|
||||
<br>
|
||||
</big></big> Examples:<big> </big> <br>
|
||||
<blockquote> shorewall/params.mgmt:<br>
|
||||
<blockquote> MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
|
||||
TIME_SERVERS=4.4.4.4<br>
|
||||
BACKUP_SERVERS=5.5.5.5<br>
|
||||
</blockquote>
|
||||
----- end params.mgmt -----<br>
|
||||
</blockquote>
|
||||
<blockquote> shorewall/params:<br>
|
||||
</blockquote>
|
||||
<blockquote>
|
||||
<blockquote> # Shorewall 1.3 /etc/shorewall/params<br>
|
||||
[..]<br>
|
||||
#######################################<br>
|
||||
<br>
|
||||
INCLUDE params.mgmt <br>
|
||||
<br>
|
||||
# params unique to this host here<br>
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT
|
||||
REMOVE<br>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
<blockquote> ----- end params -----<br>
|
||||
</blockquote>
|
||||
<blockquote> shorewall/rules.mgmt:<br>
|
||||
</blockquote>
|
||||
<blockquote>
|
||||
<blockquote> ACCEPT
|
||||
net:$MGMT_SERVERS
|
||||
$FW tcp 22<br>
|
||||
ACCEPT
|
||||
$FW
|
||||
net:$TIME_SERVERS udp 123<br>
|
||||
ACCEPT
|
||||
$FW
|
||||
net:$BACKUP_SERVERS tcp 22<br>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
<blockquote> ----- end rules.mgmt -----<br>
|
||||
</blockquote>
|
||||
<blockquote> shorewall/rules:<br>
|
||||
</blockquote>
|
||||
<blockquote>
|
||||
<blockquote> # Shorewall version 1.3 - Rules File<br>
|
||||
[..]<br>
|
||||
#######################################<br>
|
||||
<br>
|
||||
INCLUDE rules.mgmt <br>
|
||||
<br>
|
||||
# rules unique to this host here<br>
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
|
||||
REMOVE<br>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
<blockquote> ----- end rules -----<br>
|
||||
</blockquote>
|
||||
<h2><a name="dnsnames"></a>Using DNS Names</h2>
|
||||
<p align="left"> </p>
|
||||
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
|
||||
using DNS names in Shorewall configuration files. If you use DNS names
|
||||
and you are called out of bed at 2:00AM because Shorewall won't start
|
||||
as a result of DNS problems then don't say that you were not
|
||||
forewarned. <br>
|
||||
</b></p>
|
||||
<p align="left"><b> -Tom<br>
|
||||
</b></p>
|
||||
<p align="left">Beginning with Shorewall 1.3.9, Host addresses in
|
||||
Shorewall configuration files may be specified as either IP addresses
|
||||
or DNS Names.<br>
|
||||
<br>
|
||||
DNS names in iptables rules aren't nearly as useful
|
||||
as they first appear. When a DNS name appears in a rule, the iptables
|
||||
utility resolves the name to one or more IP addresses and inserts those
|
||||
addresses into the rule. So changes in the DNS->IP address
|
||||
relationship that occur after the firewall has started have absolutely
|
||||
no effect on the firewall's ruleset. </p>
|
||||
<p align="left"> If your firewall rules include DNS names then:</p>
|
||||
<ul>
|
||||
<li>If your /etc/resolv.conf is wrong then your firewall won't start.</li>
|
||||
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
|
||||
start.</li>
|
||||
<li>If your Name Server(s) is(are) down then your firewall won't
|
||||
start.</li>
|
||||
<li>If your startup scripts try to start your firewall before
|
||||
starting your DNS server then your firewall won't start.<br>
|
||||
</li>
|
||||
<li>Factors totally outside your control (your ISP's router is down
|
||||
for example), can prevent your firewall from starting.</li>
|
||||
<li>You must bring up your network interfaces prior
|
||||
to starting your firewall.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<p align="left"> Each DNS name much be fully qualified and include a
|
||||
minumum of two periods (although one may be trailing). This restriction
|
||||
is imposed by Shorewall to insure backward compatibility with existing
|
||||
configuration files.<br>
|
||||
<br>
|
||||
Examples of valid DNS names:<br>
|
||||
</p>
|
||||
<ul>
|
||||
<li>mail.shorewall.net</li>
|
||||
<li>shorewall.net. (note the trailing period).</li>
|
||||
</ul>
|
||||
Examples of invalid DNS names:<br>
|
||||
<ul>
|
||||
<li>mail (not fully qualified)</li>
|
||||
<li>shorewall.net (only one period)</li>
|
||||
</ul>
|
||||
DNS names may not be used as:<br>
|
||||
<ul>
|
||||
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
|
||||
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
|
||||
<li>In the /etc/shorewall/nat file.</li>
|
||||
</ul>
|
||||
These restrictions are not imposed by Shorewall simply for your
|
||||
inconvenience but are rather limitations of iptables.<br>
|
||||
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
|
||||
<p>Where specifying an IP address, a subnet or an interface, you can
|
||||
precede the item with "!" to specify the complement of the item. For
|
||||
example, !192.168.1.4 means "any host but 192.168.1.4". There must be
|
||||
no white space following the "!".</p>
|
||||
<h2><a name="Lists"></a>Comma-separated Lists</h2>
|
||||
<p>Comma-separated lists are allowed in a number of contexts within the
|
||||
configuration files. A comma separated list:</p>
|
||||
<ul>
|
||||
<li>Must not have any embedded white space.<br>
|
||||
Valid: routefilter,dhcp,norfc1918<br>
|
||||
Invalid: routefilter,
|
||||
dhcp, norfc1818</li>
|
||||
<li>If you use line continuation to break a
|
||||
comma-separated list, the continuation line(s) must begin
|
||||
in column 1 (or there would be embedded white space)</li>
|
||||
<li>Entries in a comma-separated list may appear in any order.</li>
|
||||
</ul>
|
||||
<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
|
||||
<p>Unless otherwise specified, when giving a port number you can use
|
||||
either an integer or a service name from /etc/services. </p>
|
||||
<h2><a name="Ranges"></a>Port Ranges</h2>
|
||||
<p>If you need to specify a range of ports, the proper syntax is <<i>low
|
||||
port number</i>>:<<i>high port number</i>>. For example, if
|
||||
you want to forward the range of tcp ports 4000 through 4100 to local
|
||||
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
|
||||
</p>
|
||||
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
|
||||
If you omit the low port number, a value of zero is assumed; if you
|
||||
omit the high port number, a value of 65535 is assumed.<br>
|
||||
<h2><a name="Variables"></a>Using Shell Variables</h2>
|
||||
<p>You may use the /etc/shorewall/params file to set shell variables
|
||||
that you can then use in some of the other configuration files.</p>
|
||||
<p>It is suggested that variable names begin with an upper case letter<font
|
||||
size="1"> </font>to distinguish them from variables used internally
|
||||
within the Shorewall programs</p>
|
||||
<p>Example:<br>
|
||||
</p>
|
||||
<p> /etc/shorewall/params<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918<br></pre>
|
||||
</blockquote>
|
||||
<p> /etc/shorewall/interfaces record:</p>
|
||||
<font face="Century Gothic, Arial, Helvetica">
|
||||
<blockquote>
|
||||
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
|
||||
</blockquote>
|
||||
</font>
|
||||
<p> The result will be the same as if the record had
|
||||
been written</p>
|
||||
<font face="Century Gothic, Arial, Helvetica">
|
||||
<blockquote>
|
||||
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
|
||||
</blockquote>
|
||||
</font>
|
||||
<p>Variables may be used anywhere in the other configuration files.</p>
|
||||
<h2><a name="MAC"></a>Using MAC Addresses</h2>
|
||||
<p>Media Access Control (MAC) addresses can be used to specify packet
|
||||
source in several of the configuration files. To use this feature, your
|
||||
kernel must have MAC Address Match support
|
||||
(CONFIG_IP_NF_MATCH_MAC) included.</p>
|
||||
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
|
||||
unique MAC address.<br>
|
||||
<br>
|
||||
In GNU/Linux, MAC addresses are usually written as a series of 6 hex
|
||||
numbers separated by colons. Example:<br>
|
||||
<br>
|
||||
[root@gateway root]# ifconfig eth0<br>
|
||||
eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
|
||||
inet addr:206.124.146.176
|
||||
Bcast:206.124.146.255 Mask:255.255.255.0<br>
|
||||
UP BROADCAST RUNNING MULTICAST MTU:1500
|
||||
Metric:1<br>
|
||||
RX packets:2398102 errors:0 dropped:0
|
||||
overruns:0 frame:0<br>
|
||||
TX packets:3044698 errors:0 dropped:0
|
||||
overruns:0 carrier:0<br>
|
||||
collisions:30394 txqueuelen:100<br>
|
||||
RX bytes:419871805 (400.4 Mb) TX
|
||||
bytes:1659782221 (1582.8 Mb)<br>
|
||||
Interrupt:11 Base address:0x1800<br>
|
||||
<br>
|
||||
Because Shorewall uses colons as a separator for address fields,
|
||||
Shorewall requires MAC addresses to be written in another way. In
|
||||
Shorewall, MAC addresses begin with a tilde ("~") and consist of 6 hex
|
||||
numbers separated by hyphens. In Shorewall, the MAC address in the
|
||||
example above would be written "~02-00-08-E3-FA-55".<br>
|
||||
</p>
|
||||
<p><b>Note: </b>It is not necessary to use the special Shorewall
|
||||
notation in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a>
|
||||
file.<br>
|
||||
</p>
|
||||
<h2><a name="Levels"></a>Shorewall Configurations</h2>
|
||||
<p> Shorewall allows you to have configuration directories other than
|
||||
/etc/shorewall. The <a href="starting_and_stopping_shorewall.htm">shorewall
|
||||
check, start and restart</a> commands allow you to specify an alternate
|
||||
configuration directory and Shorewall will use the files in the
|
||||
alternate directory rather than the corresponding files in
|
||||
/etc/shorewall. The alternate directory need not contain a complete
|
||||
configuration; those files not in the alternate directory will be read
|
||||
from /etc/shorewall.</p>
|
||||
<p> This facility permits you to easily create a test or temporary
|
||||
configuration by:</p>
|
||||
<ol>
|
||||
<li> copying the files that need modification from /etc/shorewall to
|
||||
a separate directory;</li>
|
||||
<li> modify those files in the separate directory; and</li>
|
||||
<li> specifying the separate directory in a shorewall start or
|
||||
shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
|
||||
restart</b></i> )</li>
|
||||
</ol>
|
||||
The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
|
||||
allows you to attempt to restart using an alternate configuration and
|
||||
if an
|
||||
error occurs to automatically restart the standard configuration.<br>
|
||||
<p><font size="2"> Updated 8/22/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
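Review bot: the Configuration File Basics hunk carries hardening guidance that nothing else in this diff replaces, in particular the DNS-names section (iptables resolves a name once at start, a broken resolver or downed name server stops the firewall from starting, and names cannot be used as the DNAT server address, in the masq ADDRESS column or in /etc/shorewall/nat) and the MAC notation ("~02-00-08-E3-FA-55", requiring CONFIG_IP_NF_MATCH_MAC); make sure the replacement documentation keeps both. If the text is being migrated, also fix the defects visible here: "norfc1818" in the comma-separated list example should read "norfc1918", "much be fully qualified" should read "must", "minumum" should read "minimum", and the INCLUDE example's params.mgmt uses 1.1.1.1 through 5.5.5.5 where a documentation range such as the 192.0.2.0/24 addresses the Blacklisting page already uses would avoid pointing readers at real hosts.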
@ -1,30 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Copyright</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">Copyright<br>
|
||||
</h1>
|
||||
<p align="left">Copyright <font face="Trebuchet MS">©</font>
|
||||
2000, 2001, 2003 Thomas M Eastep<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<p align="left">Permission is granted to copy, distribute and/or
|
||||
modify this document under the terms of the GNU Free Documentation
|
||||
License, Version 1.1 or any later version published by the Free
|
||||
Software Foundation; with no Invariant Sections, with no Front-Cover,
|
||||
and with no Back-Cover Texts. A copy of the license is included in the
|
||||
section entitled "<a href="GnuCopyright.htm">GNU Free Documentation
|
||||
License</a>".<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
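Review bot: this hunk removes the Copyright page, which is the GFDL 1.1 notice that every other deleted page links to as copyright.htm and which states that a copy of the license is included in the "GNU Free Documentation License" section (GnuCopyright.htm); as long as the HTML documentation is still shipped in the .rpm and .tgz packages the Download page describes, the notice and the license text have to travel with it, so either keep this file alongside whatever replaces the docs or say in the commit message that the packages no longer carry the documentation.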
@ -1,65 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>DHCP</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">DHCP<br>
|
||||
</h1>
|
||||
<h2 align="left">If you want to Run a DHCP Server on your firewall</h2>
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">Specify the "dhcp" option on each interface to be
|
||||
served
|
||||
by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
|
||||
file. This will generate rules that will allow DHCP to and from your
|
||||
firewall
|
||||
system. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">When starting "dhcpd", you need to list those
|
||||
interfaces on the run line. On a RedHat system, this is done by
|
||||
modifying /etc/sysconfig/dhcpd. </p>
|
||||
</li>
|
||||
</ul>
|
||||
<h2 align="left">If a Firewall Interface gets its IP Address via DHCP</h2>
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">Specify the "dhcp" option for this interface in the
|
||||
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
|
||||
file. This will generate rules that will allow DHCP to and from
|
||||
your firewall system. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">If you know that the dynamic address is always
|
||||
going to
|
||||
be in the same subnet, you can specify the subnet address in the
|
||||
interface's entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
|
||||
file. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">If you don't know the subnet address in advance,
|
||||
you should specify "detect" for the interface's subnet address in the <a
|
||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
|
||||
and start Shorewall after the interface has started. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">In the event that the subnet address might change
|
||||
while Shorewall is started, you need to arrange for a "shorewall
|
||||
refresh" command to be executed when a new dynamic IP address gets
|
||||
assigned to the interface. Check your DHCP client's documentation. </p>
|
||||
</li>
|
||||
</ul>
|
||||
<p align="left"><font size="2">Last updated 11/03/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
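Review bot: the DHCP hunk is the only place in this diff that explains the ordering constraint for an interface with a dynamic address: with "detect" as the subnet, Shorewall must be started after the interface is up, and a "shorewall refresh" has to be triggered from the DHCP client when a new lease lands in a different subnet; a reader who loses that note gets a firewall started against the wrong detected subnet. State where this moves, or keep the page until the replacement exists. Minor, if the text is migrated: the two bullets describing the "dhcp" interface option repeat the same sentence for the server and client cases and can be merged.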
@ -1,187 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Download</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">Shorewall Download<br>
|
||||
</h1>
|
||||
<p><b>I strongly urge you to read and print a copy of the <a
|
||||
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
|
||||
for the configuration that most closely matches your own.<br>
|
||||
</b></p>
|
||||
<p>The entire set of Shorewall documentation is available in PDF format
|
||||
at:</p>
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
|
||||
</p>
|
||||
<p>The documentation in HTML format is included in the .rpm and in the
|
||||
.tgz
|
||||
packages below.</p>
|
||||
<p> Once you've printed the appropriate QuickStart Guide, download <u>
|
||||
one</u> of the modules:</p>
|
||||
<ul>
|
||||
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> Linux
|
||||
PPC</b>, <span style="font-weight: bold;">Trustix</span> or <b>
|
||||
TurboLinux</b> distribution with a 2.4 kernel, you can
|
||||
use the RPM version (note: the RPM should also work with other
|
||||
distributions that store init scripts in /etc/init.d and that include
|
||||
chkconfig or insserv). If you find that it works in other cases, let <a
|
||||
href="mailto:teastep@shorewall.net"> me</a> know so that I can mention
|
||||
them here. See the <a href="Install.htm">Installation Instructions</a>
|
||||
if you have problems installing the RPM.</li>
|
||||
<li>If you are running LRP, download the .lrp file (you might also
|
||||
want to download the .tgz so you will have a copy of the documentation).</li>
|
||||
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and
|
||||
would like a .deb package, Shorewall is included in both the <a
|
||||
href="http://packages.debian.org/testing/net/shorewall.html">Debian
|
||||
Testing Branch</a> and the <a
|
||||
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
|
||||
Unstable Branch</a>.</li>
|
||||
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
|
||||
</ul>
|
||||
<p>The documentation in HTML format is included in the .tgz and .rpm
|
||||
files and there is an documentation .deb that also contains the
|
||||
documentation. The .rpm will install the documentation in
|
||||
your default document directory which can be obtained using the
|
||||
following command:<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<p><font color="#009900"><b>rpm --eval '%{_defaultdocdir}'</b></font></p>
|
||||
</blockquote>
|
||||
<p>Please check the <font color="#ff0000"> <a href="errata.htm">
|
||||
errata</a></font> to see if there are updates that apply to the version
|
||||
that you have downloaded.</p>
|
||||
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
|
||||
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME
|
||||
CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have
|
||||
completed configuration of your firewall, you can enable startup by
|
||||
removing the file /etc/shorewall/startup_disabled.</b></font></p>
|
||||
<p><b></b></p>
|
||||
<p><b>Download Sites:</b></p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>SERVER LOCATION</b></td>
|
||||
<td><b>DOMAIN</b></td>
|
||||
<td><b>HTTP</b></td>
|
||||
<td><b>FTP</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>SourceForge<br>
|
||||
</td>
|
||||
<td>sf.net</td>
|
||||
<td><a
|
||||
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
|
||||
<td>N/A</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Slovak Republic</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Texas, USA</td>
|
||||
<td>Infohiiway.com</td>
|
||||
<td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
|
||||
<td><a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse (Temporarily
|
||||
Unavailable)</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Hamburg, Germany</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>France</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">Taiwan<br>
|
||||
</td>
|
||||
<td valign="top">Greshko.com<br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
href="http://shorewall.greshko.com/pub/shorewall/">Browse<br>
|
||||
</a></td>
|
||||
<td valign="top"><a
|
||||
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">Argentina<br>
|
||||
</td>
|
||||
<td valign="top">Shorewall.net<br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br>
|
||||
</td>
|
||||
<td valign="top">N/A<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">Brazil<br>
|
||||
</td>
|
||||
<td valign="top">securityopensource.org.br<br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
href="http://shorewall.securityopensource.org.br/pub/shorewall/">Browse</a><br>
|
||||
</td>
|
||||
<td valign="top">N/A<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Washington State, USA</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
|
||||
target="_blank">Browse</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left"><b>CVS:</b></p>
|
||||
<blockquote>
|
||||
<p align="left">The <a target="_top"
|
||||
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS
|
||||
repository at cvs.shorewall.net</a> contains the latest snapshots of
|
||||
the each Shorewall component. There's no guarantee that what you find
|
||||
there will work at all.<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<p align="left"><b>Shapshots:<br>
|
||||
</b></p>
|
||||
<blockquote>
|
||||
<p align="left">Periodic snapshots from CVS may be found at <a
|
||||
href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots</a>
|
||||
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
|
||||
These snapshots have undergone initial testing and will have been
|
||||
installed and run at shorewall.net.<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<p align="left"><font size="2">Last Updated 9/25/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
</body>
|
||||
</html>
|
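Review bot: the Download page removed here lists ftp:// and http:// mirrors with no checksum or signature for verifying the packages, and the France HTTP cell links to .../LATEST.lrp rather than the directory the other "Browse" cells point at; if a download page is re-created elsewhere, add integrity-verification instructions and fix that link. The warning that the RPM will not start until /etc/shorewall/startup_disabled is removed, and the pointer to the errata, are the two items a user hits first after install and need a home in whatever replaces this page; "Shapshots" should also read "Snapshots".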
@ -1,337 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall 1.4 Errata</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<p align="center"> </p>
|
||||
<h1 style="text-align: center;">Shorewall Errata<br>
|
||||
</h1>
|
||||
<p align="center"><b><u>IMPORTANT</u></b></p>
|
||||
<ol>
|
||||
<li>
|
||||
<p align="left"> <b><u>I</u>f you use a Windows system to download
|
||||
a corrected script, be sure to run the script through <u> <a
|
||||
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
|
||||
style="text-decoration: none;"> dos2unix</a></u> after you have moved
|
||||
it
|
||||
to your Linux system.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"> <b>If you are installing Shorewall for the first
|
||||
time and plan to use the .tgz and install.sh script, you can untar the
|
||||
archive, replace the 'firewall' script in the untarred directory with
|
||||
the one you downloaded below, and then run install.sh.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"> <b>When the instructions say to install a
|
||||
corrected firewall script in /usr/share/shorewall/firewall, you may
|
||||
rename the existing file before copying in the new file.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED
|
||||
COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
|
||||
BELOW. For example, do NOT install the 1.3.9a firewall script if you
|
||||
are
|
||||
running 1.3.7c.</font></b><br>
|
||||
</p>
|
||||
</li>
|
||||
</ol>
|
||||
<ul>
|
||||
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
|
||||
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
|
||||
</li>
|
||||
<li> <b><a href="errata_3.html">Problems in Version 1.3</a></b></li>
|
||||
<li> <b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
|
||||
<li> <b><font color="#660066"> <a href="errata_1.htm">Problems in
|
||||
Version 1.1</a></font></b></li>
|
||||
<li> <b><font color="#660066"><a href="#iptables"> Problem with
|
||||
iptables version 1.2.3 on RH7.2</a></font></b></li>
|
||||
<li> <b><a href="#Debug">Problems with kernels >= 2.4.18 and
|
||||
RedHat iptables</a></b></li>
|
||||
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
|
||||
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
|
||||
MULTIPORT=Yes</a></b></li>
|
||||
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b></li>
|
||||
<li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and
|
||||
REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
|
||||
alt="(New)" width="28" height="12" border="0"> </a><br>
|
||||
</b></li>
|
||||
</ul>
|
||||
<hr>
|
||||
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
|
||||
<h3></h3>
|
||||
<h3>1.4.7</h3>
|
||||
<ul>
|
||||
<li>Using some versions of 'ash' (such as from RH8) as the
|
||||
SHOREWALL_SHELL causes "shorewall [re]start" to fail with:<br>
|
||||
<br>
|
||||
local: --limit: bad variable name<br>
|
||||
iptables v1.2.8: Couldn't load match
|
||||
`-j':/lib/iptables/libipt_-j.so: <br>
|
||||
cannot open shared object file: No such file or directory<br>
|
||||
Try `iptables -h' or 'iptables --help' for more
|
||||
information.</li>
|
||||
<li>When more than one ICMP type is listed in a rule and your kernel
|
||||
includes multiport match support, the firewall fails to
|
||||
start. </li>
|
||||
<li>Regardless of the setting of LOGUNCLEAN, the value
|
||||
LOGUNCLEAN=info was used.</li>
|
||||
<li>After the following error message, Shorewall was left in an
|
||||
inconsistent state:<br>
|
||||
<br>
|
||||
Error: Unable to determine the routes through interface xxx<br>
|
||||
</li>
|
||||
</ul>
|
||||
These problems have been corrected in this <a
|
||||
href="http://shorewall.net/pub/shorewall/errata/1.4.7/firewall">firewall
|
||||
script</a> which may be installed in /var/share/shorewall/firewall as
|
||||
described above.<br>
|
||||
<h3>1.4.6</h3>
|
||||
<ul>
|
||||
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
|
||||
would fail to start with the error "ERROR: Traffic Control
|
||||
requires
|
||||
Mangle"; that problem has been corrected in <a
|
||||
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
|
||||
firewall script</a> which may be installed in
|
||||
/var/share/shorewall/firewall as described above. This problem is also
|
||||
corrected in bugfix release 1.4.6a.</li>
|
||||
<li>This problem occurs in all versions supporting traffic control.
|
||||
If a MAC address is used in the SOURCE column, an error occurs as
|
||||
follows:<br>
|
||||
<br>
|
||||
<font size="3"><tt>iptables v1.2.8: Bad mac adress
|
||||
`00:08:B5:35:52:E7-d`</tt></font><br>
|
||||
<br>
|
||||
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
|
||||
in <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
|
||||
firewall script</a> which may be installed in
|
||||
/var/share/shorewall/firewall as described above. For all other
|
||||
versions, you will have to edit your 'firewall' script (in versions
|
||||
1.4.*, it is located in /usr/share/shorewall/firewall). Locate the
|
||||
function add_tcrule_() and in that function, replace this line:<br>
|
||||
<br>
|
||||
<span style="font-family: monospace;">r=`mac_match
|
||||
$source` </span><br>
|
||||
<br>
|
||||
with<br>
|
||||
<br>
|
||||
<span style="font-family: monospace;">r="`mac_match
|
||||
$source` "</span><br>
|
||||
<br>
|
||||
Note that there must be a space before the ending quote!<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>1.4.4b</h3>
|
||||
<ul>
|
||||
<li>Shorewall is ignoring records in /etc/shorewall/routestopped that
|
||||
have an empty second column (HOSTS). This problem may be corrected by
|
||||
installing <a
|
||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
|
||||
target="_top">this firewall script</a> in
|
||||
/usr/share/shorewall/firewall
|
||||
as described above.</li>
|
||||
<li>The INCLUDE directive doesn't work when placed in the
|
||||
/etc/shorewall/zones file. This problem may be corrected by installing <a
|
||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
|
||||
target="_top">this functions script</a> in
|
||||
/usr/share/shorewall/functions.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>1.4.4-1.4.4a</h3>
|
||||
<ul>
|
||||
<li>Log messages are being displayed on the system console even
|
||||
though the log level for the console is set properly according to <a
|
||||
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by
|
||||
installing <a
|
||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
|
||||
target="_top">this firewall script</a> in
|
||||
/usr/share/shorewall/firewall
|
||||
as described above.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>1.4.4<br>
|
||||
</h3>
|
||||
<ul>
|
||||
<li> If you have zone names that are 5 characters long, you may
|
||||
experience problems starting Shorewall because the --log-prefix in a
|
||||
logging rule is too long. Upgrade to Version 1.4.4a to fix this
|
||||
problem..</li>
|
||||
</ul>
|
||||
<h3>1.4.3</h3>
|
||||
<ul>
|
||||
<li>The LOGMARKER variable introduced in version 1.4.3 was intended
|
||||
to allow integration of Shorewall with Fireparse
|
||||
(http://www.firewparse.com). Unfortunately, LOGMARKER only solved part
|
||||
of the integration problem. I have implimented a new LOGFORMAT variable
|
||||
which will replace LOGMARKER which has completely solved this problem
|
||||
and is currently in production with fireparse here at shorewall.net.
|
||||
The
|
||||
updated files may be found at <a
|
||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
|
||||
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
|
||||
See the 0README.txt file for details.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>1.4.2</h3>
|
||||
<ul>
|
||||
<li>When an 'add' or 'delete' command is executed, a temporary
|
||||
directory created in /tmp is not being removed. This problem may be
|
||||
corrected by installing <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
|
||||
target="_top">this firewall script</a> in
|
||||
/usr/share/shorewall/firewall
|
||||
as described above. <br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
|
||||
<ul>
|
||||
<li>Some TCP requests are rejected in the 'common' chain with an ICMP
|
||||
port-unreachable response rather than the more appropriate TCP RST
|
||||
response. This problem is corrected in <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
|
||||
target="_top">this updated common.def file</a> which may be installed
|
||||
in /etc/shorewall/common.def.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>1.4.1</h3>
|
||||
<ul>
|
||||
<li>When a "shorewall check" command is executed, each "rule"
|
||||
produces the harmless additional message:<br>
|
||||
<br>
|
||||
/usr/share/shorewall/firewall: line 2174: [: =:
|
||||
unary operator
|
||||
expected<br>
|
||||
<br>
|
||||
You may correct the problem by installing <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
|
||||
target="_top">this corrected script</a> in
|
||||
/usr/share/shorewall/firewall as described above.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>1.4.0</h3>
|
||||
<ul>
|
||||
<li>When running under certain shells Shorewall will attempt to
|
||||
create ECN rules even when /etc/shorewall/ecn is empty. You may either
|
||||
just remove /etc/shorewall/ecn or you can install <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
|
||||
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<hr width="100%" size="2">
|
||||
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
|
||||
<p align="left">The upgrade issues have moved to <a
|
||||
href="upgrade_issues.htm">a separate page</a>.</p>
|
||||
<hr>
|
||||
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem
|
||||
with iptables version 1.2.3</font></h3>
|
||||
<blockquote>
|
||||
<p align="left">There are a couple of serious bugs in iptables 1.2.3
|
||||
that prevent it from working with Shorewall. Regrettably, RedHat
|
||||
released this buggy iptables in RedHat 7.2. </p>
|
||||
<p align="left"> I have built a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
|
||||
corrected 1.2.3 rpm which you can download here</a> and I have
|
||||
also
|
||||
built an <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
|
||||
iptables-1.2.4 rpm which you can download here</a>. If you are
|
||||
currently
|
||||
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
|
||||
</b>you
|
||||
upgrade to RedHat 7.2.</p>
|
||||
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
|
||||
has released an iptables-1.2.4 RPM of their own which you can download
|
||||
from<font color="#ff6633"> <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.</font>I
|
||||
have installed this RPM on my firewall and it works fine.</p>
|
||||
<p align="left">If you would like to patch iptables 1.2.3 yourself,
|
||||
the patches are available for download. This <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
|
||||
which corrects a problem with parsing of the --log-level specification
|
||||
while this <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
|
||||
corrects a problem in handling the TOS target.</p>
|
||||
<p align="left">To install one of the above patches:</p>
|
||||
<ul>
|
||||
<li>cd iptables-1.2.3/extensions</li>
|
||||
<li>patch -p0 < <i>the-patch-file</i></li>
|
||||
</ul>
|
||||
</blockquote>
|
||||
<h3><a name="Debug"></a>Problems with kernels >= 2.4.18 and RedHat
|
||||
iptables</h3>
|
||||
<blockquote>
|
||||
<p>Users who use RedHat iptables RPMs and who upgrade to kernel
|
||||
2.4.18/19 may experience the following:</p>
|
||||
<blockquote>
|
||||
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.<br>Aborted (core dumped)<br></pre>
|
||||
</blockquote>
|
||||
<p>The RedHat iptables RPM is compiled with debugging enabled but the
|
||||
user-space debugging code was not updated to reflect recent changes in
|
||||
the Netfilter 'mangle' table. You can correct the problem by installing
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
|
||||
this iptables RPM</a>. If you are already running a 1.2.5 version of
|
||||
iptables, you will need to specify the --oldpackage option to rpm
|
||||
(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
|
||||
</blockquote>
|
||||
<h3><a name="SuSE"></a>Problems installing/upgrading RPM on SuSE</h3>
|
||||
<p>If you find that rpm complains about a conflict with kernel <=
|
||||
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
|
||||
option to rpm.</p>
|
||||
<p>Installing: rpm -ivh --nodeps <i><shorewall rpm></i></p>
|
||||
<p>Upgrading: rpm -Uvh --nodeps <i><shorewall rpm></i></p>
|
||||
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
|
||||
MULTIPORT=Yes</b></h3>
|
||||
<p>The iptables 1.2.7 release of iptables has made an incompatible
|
||||
change to the syntax used to specify multiport match rules; as a
|
||||
consequence, if you install iptables 1.2.7 you must be running
|
||||
Shorewall
|
||||
1.3.7a or later or:</p>
|
||||
<ul>
|
||||
<li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or </li>
|
||||
<li>if you are running Shorewall 1.3.6 you may install <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
|
||||
this firewall script</a> in /var/lib/shorewall/firewall as described
|
||||
above.</li>
|
||||
</ul>
|
||||
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
|
||||
</h3>
|
||||
/etc/shorewall/nat entries of the following form will result in
|
||||
Shorewall being unable to start:<br>
|
||||
<br>
|
||||
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>192.0.2.22 eth0 192.168.9.22 yes yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
Error message is:<br>
|
||||
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
|
||||
The solution is to put "no" in the LOCAL column. Kernel support for
|
||||
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
|
||||
2.4.19 kernel contains corrected support under a new kernel
|
||||
configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
|
||||
<br>
|
||||
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9
|
||||
and
|
||||
REJECT (also applies to 2.4.21-RC1)</b></h3>
|
||||
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
|
||||
tcp-reset" is broken. The symptom most commonly seen is that REJECT
|
||||
rules act just like DROP rules when dealing with TCP. A kernel patch
|
||||
and
|
||||
precompiled modules to fix this problem are available at <a
|
||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
|
||||
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
|
||||
<hr>
|
||||
<p><font size="2"> Last updated 10/11/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font> </p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
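Review bot: errata.htm is the only place in this diff that records several operationally important items for 1.4 users: the LOCAL=yes NAT breakage on kernel 2.4.18-10, the 2.4.20-13.9 REJECT regression where "REJECT rules act just like DROP rules when dealing with TCP", and the add_tcrule_() quoting fix (replace r=`mac_match $source` with r="`mac_match $source` ", trailing space required). Nothing in the commit message indicates where this content moves, so confirm it has been migrated before merging. If it is being copied across, correct rather than carry over the install-path inconsistency in the 1.4.7 and 1.4.6 entries (/var/share/shorewall/firewall, where the IMPORTANT notes and every other 1.4 entry say /usr/share/shorewall/firewall) and the typos "implimented" and "configuraiton".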
@ -1,196 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Errata for Version 1</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Errata for Version
|
||||
1.1</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<h3 align="left"><font color="#660066"><u>To those of you who downloaded
|
||||
the 1.1.13 updated firewall script prior to Sept 20, 2001:</u></font></h3>
|
||||
|
||||
<blockquote>
|
||||
<p align="left">Prior to 20:00 20 Sept 2001 GMT, the link under 1.1.13
|
||||
pointed to a broken version of the firewall script. This has now been corrected.
|
||||
I apologize for any confusion this may have caused.</p>
|
||||
</blockquote>
|
||||
|
||||
<h3 align="left">Version 1.1.18</h3>
|
||||
|
||||
<blockquote>
|
||||
<p align="left">In the original .lrp, /etc/init.d/shorewall was not
|
||||
secured for execute access. I have replaced the incorrect .lrp
|
||||
(shorwall-1.1.18.lrp) with a corrected one (shorwall-1.1.18a.lrp).</p>
|
||||
</blockquote>
|
||||
|
||||
<h3 align="left"><font color="#660066"> Version 1.1.17</font></h3>
|
||||
|
||||
<blockquote>
|
||||
<p align="left">In shorewall.conf, ADD_IP_ALIASES was incorrectly
|
||||
spelled IP_ADD_ALIASAES. There is a corrected version of the
|
||||
file <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.17/shorewall.conf">here.</a></p>
|
||||
|
||||
<p align="left">This problem is also corrected in version 1.1.18.</p>
|
||||
</blockquote>
|
||||
|
||||
<h3 align="left"><font color="#660066"> Version 1.1.16</font></h3>
|
||||
|
||||
<blockquote>
|
||||
<p align="left"> The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly
|
||||
spelled IP_ADD_ALIASES in the firewall script. To correct this problem,
|
||||
install the <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.16/firewall"> corrected
|
||||
firewall script</a> in the location pointed to by the symbolic link
|
||||
/etc/shorewall/firewall.</p>
|
||||
|
||||
<p align="left"> This problem is also corrected in version 1.1.17.</p>
|
||||
</blockquote>
|
||||
|
||||
<h3 align="left"><font color="#660066"> Version 1.1.14-1.1.15</font></h3>
|
||||
|
||||
<blockquote>
|
||||
<p align="left"> There are no corrections for these versions.</p>
|
||||
</blockquote>
|
||||
|
||||
<h3 align="left"><font color="#660066"> Version 1.1.13</font></h3>
|
||||
|
||||
<blockquote>
|
||||
<p align="left"> The firewall fails to start if a rule with the following
|
||||
format is given:</p>
|
||||
|
||||
<p align="left"> <disposition> z1:www.xxx.yyy.zzz z2
|
||||
proto p1,p2,p3</p>
|
||||
|
||||
<p align="left"> To correct this problem, install <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.13/firewall"> this
|
||||
corrected firewall script</a> in the location pointed to by the symbolic
|
||||
link /etc/shorewall/firewall. </p>
|
||||
</blockquote>
|
||||
|
||||
<h3 align="left"><font color="#660066"> Version 1.1.12</font></h3>
|
||||
|
||||
<blockquote>
|
||||
<p align="left"> The LRP version of Shorewall 1.1.12 has the incorrect
|
||||
/etc/shorewall/functions file. This incorrect file results in many error
|
||||
messages of the form:</p>
|
||||
|
||||
<blockquote>
|
||||
<p align="left"> separate_list: not found</p>
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.12/functions"> The
|
||||
correct file may be obtained here</a> . This problem is also corrected
|
||||
in version 1.1.13.</p>
|
||||
</blockquote>
|
||||
|
||||
<h3 align="left"><font color="#660066"> Version 1.1.11</font></h3>
|
||||
|
||||
<blockquote>
|
||||
<p align="left"> There are no known problems with this version.</p>
|
||||
</blockquote>
|
||||
|
||||
<h3 align="left"><font color="#660066"> Version 1.1.10</font></h3>
|
||||
|
||||
<blockquote>
|
||||
<p align="left"> If the following conditions were met:<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>
|
||||
<p align="left"> A LAN segment attached to the firewall was served
|
||||
by a DHCP server running on the firewall.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"> There were entries in /etc/shorewall/hosts that referred
|
||||
to the interface to that LAN segment.</p>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p align="left"> then up until now it has been necessary to include entries
|
||||
for 0.0.0.0 and 255.255.255.255 for that interface in /etc/shorewall/hosts.
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.10/firewall">
|
||||
This version of the firewall script</a> makes those additions unnecessary
|
||||
provided that you simply include "dhcp" in the options for the interface
|
||||
in /etc/shorewall/interfaces. Install the script into the location pointed
|
||||
to by the symbolic link /etc/shorewall/firewall.</p>
|
||||
|
||||
<p align="left"> This problem has also been corrected in version 1.1.11.</p>
|
||||
</blockquote>
|
||||
|
||||
<h3 align="left"><font color="#660066"> Version 1.1.9</font></h3>
|
||||
|
||||
<ul>
|
||||
<li>The shorewall "hits" command lists extraneous service names in
|
||||
the final report. <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.9/shorewall"> This
|
||||
version of the shorewall script</a> corrects this problem.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3 align="left">Version 1.1.8</h3>
|
||||
|
||||
<ul>
|
||||
<li>Under some circumstances, the "dhcp" option on an interface triggers
|
||||
a bug in the firewall script that results in a "chain already exists"
|
||||
error. <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.8/firewall"> This
|
||||
version of the firewall script</a> corrects this problem. Install
|
||||
it into the location pointed to by the symbolic link /etc/shorewall/firewall.<br>
|
||||
<br>
|
||||
This problem is also corrected in version 1.1.9.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3 align="left">Version 1.1.7</h3>
|
||||
|
||||
<ul>
|
||||
<li>If the /etc/shorewall/rules template from version 1.1.7 is used,
|
||||
a warning message appears during firewall startup:<br>
|
||||
<br>
|
||||
Warning: Invalid Target - rule "@ icmp-unreachable packet."
|
||||
ignored<br>
|
||||
<br>
|
||||
This warning may be eliminated by replacing the "@" in column 1 of
|
||||
line 17 with "#"</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<p align="left"> This problem is also corrected in version 1.1.8</p>
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><font size="2"> Last updated 12/21/2001 - </font><font
|
||||
size="2"> <a href="support.htm">Tom Eastep</a></font> </p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
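Review bot: the 1.1 errata page being deleted repeatedly instructs users to install corrected scripts "in the location pointed to by the symbolic link /etc/shorewall/firewall", a layout that the 1.4 errata in this same commit replaces with /usr/share/shorewall/firewall; if this history is preserved anywhere, keep it clearly labelled as 1.1-era guidance so it is not followed on current installs. Also verify whether "shorwall-1.1.18.lrp" / "shorwall-1.1.18a.lrp" in the 1.1.18 entry are the actual file names or a typo for "shorewall", since the entry is otherwise the only record of the .lrp's /etc/init.d/shorewall execute-permission fix.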
@ -1,425 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall 1.2 Errata</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" height="90" bgcolor="#3366ff">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall 1.2 Errata</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="center"> <font face="Century Gothic, Arial, Helvetica">
|
||||
<b><u>IMPORTANT</u></b></font></p>
|
||||
|
||||
<p align="center"> <b><u>If you use a Windows system to download a
|
||||
corrected script, be sure to run the script through <a
|
||||
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
|
||||
after you have moved it to your Linux system.</u></b></p>
|
||||
|
||||
<p align="center"> <u><b>When the instructions say to install a corrected
|
||||
firewall script in /etc/shorewall/firewall, use the 'cp' (or 'scp')
|
||||
utility to overwrite the existing file. DO NOT REMOVE OR RENAME THE
|
||||
OLD /etc/shorewall/firewall before you do that. /etc/shorewall/firewall
|
||||
is a symbolic link that points to the 'shorewall' file used by your
|
||||
system initialization scripts to start Shorewall during boot and it
|
||||
is that file that must be overwritten with the corrected script. </b></u></p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3 align="left"><font color="#660066"> <a href="errata_1.htm"> Problems
|
||||
in Version 1.1</a></font></h3>
|
||||
</li>
|
||||
<li>
|
||||
<h3 align="left"><a href="#V1.2">Problems in Version 1.2</a></h3>
|
||||
</li>
|
||||
<li>
|
||||
<h3 align="left"><font color="#660066"><a href="#iptables"> Problem
|
||||
with iptables version 1.2.3</a></font></h3>
|
||||
</li>
|
||||
<li>
|
||||
<h3 align="left"><a href="#Debug">Problems with kernel 2.4.18 and
|
||||
RedHat iptables</a></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<hr>
|
||||
<h3 align="left"><a name="V1.2"></a>Problems in Version 1.2</h3>
|
||||
|
||||
<h3 align="left">Version 1.2.13</h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">Some users have reported problems installing the RPM
|
||||
on SuSE 7.3 where rpm reports a conflict with kernel <= 2.2 even
|
||||
though a 2.4 kernel RPM is installed. To get around this problem,
|
||||
use the --nodeps option to rpm (e.g., "rpm -ivh --nodeps
|
||||
shorewall-1.2-13.noarch.rpm").<br>
|
||||
<br>
|
||||
The problem stems from the fact that SuSE does not include
|
||||
a package named "kernel" but rather has a number of packages that
|
||||
provide the virtual package "kernel". Since virtual packages have
|
||||
no version associated with them, a conflict results. Since the
|
||||
workaround is simple, I don't intend to change the Shorewall package.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">Shorewall accepts invalid rules of the form:<br>
|
||||
<br>
|
||||
<font face="Courier">ACCEPT <src> <dest>:<ip addr>
|
||||
all <port number> - <original ip address><br>
|
||||
<br>
|
||||
</font>The <port number> is ignored with the result that
|
||||
<u>all</u> connection requests from the <src> zone whose
|
||||
original destination IP address matches the last column are forwarded
|
||||
to the <dest> zone, IP address <ip addr>.
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.2.13/firewall">
|
||||
This corrected firewall script</a> correctly generates an error when
|
||||
such a rule is encountered.</p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3 align="left">Version 1.2.11</h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">The 'try' command is broken. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">The usage text printed by the shorewall utility
|
||||
doesn't show the optional timeout for the 'try' command. </p>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<p align="left">Both problems are corrected by <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.2.11/shorewall">
|
||||
this new version of /sbin/shorewall</a>.</p>
|
||||
|
||||
<h3 align="left">Sample Configurations:</h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">There have been several problems with SSH, DNS and
|
||||
ping in the two- and three-interface examples. Before reporting
|
||||
problems with these services, please verify that you have the latest
|
||||
version of the appropriate sample 'rules' file. </p>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<h3 align="left">All Versions through 1.2.10</h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">The <a href="PPTP.htm#ServerFW">documentation for
|
||||
running PoPToP on the firewall system</a> contained an incorrect entry
|
||||
in the /etc/shorewall/hosts file. The corrected entry (underlined)
|
||||
is shown here: </p>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<table border="2">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>HOST(S)</b></td>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td><u>eth2</u>:192.168.1.0/24</td>
|
||||
<td>routestopped</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>ppp+:192.168.1.0/24</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<h3 align="left">All Versions through 1.2.8</h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">The shorewall.conf file and the documentation
|
||||
incorrectly refer to a parameter in /etc/shorewall/shorewall.conf
|
||||
called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (<a
|
||||
href="Documentation.htm#Conf">see the corrected online documentation</a>).
|
||||
Users of the rpm should change the name (and possibly the value)
|
||||
of this parameter so that Shorewall interacts properly with the
|
||||
SysV init scripts. The documentation on this web site has been
|
||||
corrected and <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.2.8/shorewall.conf">
|
||||
here's a corrected version of shorewall.conf</a>.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">The documentation indicates that a comma-separated
|
||||
list of IP/subnet addresses may appear in an entry in the hosts file.
|
||||
This is not the case; if you want to specify multiple addresses
|
||||
for a zone, you need to have a separate entry for each address.</p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3 align="left">Version 1.2.7</h3>
|
||||
|
||||
<p align="left">Version 1.2.7 is quite broken -- please install 1.2.8</p>
|
||||
|
||||
<p>If you have installed and started version 1.2.7 then before trying
|
||||
to restart under 1.2.8:</p>
|
||||
|
||||
<ol>
|
||||
<li>Look at your /etc/shorewall/shorewall.conf file and note the directory
|
||||
named in the STATEDIR variable. If that variable is empty, assume /var/state/shorewall.</li>
|
||||
<li>Remove the file 'lock' in the directory determined in step 1.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p>You may now restart using 1.2.8.</p>
|
||||
|
||||
<h3 align="left">Version 1.2.6</h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">GRE and IPIP tunnels are broken. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">The following rule results in a start error:<br>
|
||||
<br>
|
||||
ACCEPT z1 z2 icmp </p>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<p align="left">To correct the above problems, install <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.2.6/firewall">this
|
||||
corrected firewall script</a> in /etc/shorewall/firewall..</p>
|
||||
<h3 align="left">Version 1.2.5</h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">The new ADDRESS column in /etc/shorewall/masq cannot
|
||||
contain a $-variable name. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">Errors result if $FW appears in the /etc/shorewall/policy
|
||||
file. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">Using Blacklisting without setting BLACKLIST_LOGLEVEL
|
||||
results in an error at start time. </p>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<p align="left">To correct the above problems, install <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/firewall">this
|
||||
corrected firewall script</a> in /etc/shorewall/firewall.</p>
|
||||
<p align="left"> </p>
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">The /sbin/shorewall script produces error messages
|
||||
saying that 'mygrep' cannot be found. <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/shorewall">
|
||||
Here is the correct version of /sbin/shorewall.</a> </p>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<h3 align="left">Version 1.2.4</h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">This version will not install "out of the box" without
|
||||
modification. Before attempting to start the firewall, please change
|
||||
the STATEDIR in /etc/shorewall/shorewall.conf to refer to /var/lib/shorewall.
|
||||
This only applies to fresh installations -- if you are upgrading from
|
||||
a previous version of Shorewall, version 1.2.4 will work without modification.
|
||||
</p>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<h3 align="left">Version 1.2.3</h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">When BLACKLIST_LOGLEVEL is set, packets from blacklisted
|
||||
hosts aren't logged. Install <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.2.3/firewall">this
|
||||
corrected firewall script</a> in /etc/shorewall/firewall. </p>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<p>Alternatively, edit /etc/shorewall/firewall and change line 1564 from:</p>
|
||||
</blockquote>
|
||||
|
||||
<pre> run_iptables -A blacklst -d $addr -j LOG $LOGPARAMS --log-prefix \</pre>
|
||||
|
||||
<blockquote>
|
||||
<p>to</p>
|
||||
</blockquote>
|
||||
|
||||
<pre> run_iptables -A blacklst -s $addr -j LOG $LOGPARAMS --log-prefix \</pre>
|
||||
|
||||
<h3 align="left">Version 1.2.2</h3>
|
||||
|
||||
<ul>
|
||||
<li>The "shorewall status" command hangs after it displays
|
||||
the chain information. <a href="pub/shorewall/errata/1.2.2/shorewall">Here's
|
||||
a corrected /sbin/shorewall.</a> if you want to simply modify
|
||||
your copy of /sbin/shorewall, then at line 445 change this:</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<div align="left">
|
||||
<pre align="Left"> status)<br> clear</pre>
|
||||
</div>
|
||||
|
||||
<blockquote>
|
||||
<p align="left">to this:</p>
|
||||
</blockquote>
|
||||
|
||||
<div align="left">
|
||||
<pre align="Left"> status)<br> get_config<br> clear</pre>
|
||||
</div>
|
||||
|
||||
<ul>
|
||||
<li>The "shorewall monitor" command doesn't show the icmpdef chain
|
||||
- <a href="pub/shorewall/errata/1.2.2/shorewall">this corrected /sbin/shorewall</a>
|
||||
fixes that problem as well as the status problem described above.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>In all 1.2.x versions, the 'CLIENT PORT(S)' column in /etc/shorewall/tcrules
|
||||
is ignored. This is corrected in <a
|
||||
href="/pub/shorewall/errata/1.2.2/firewall">this updated firewall script</a>.
|
||||
Place the script in /etc/shorewall/firewall. Thanks to Shingo Takeda for
|
||||
spotting this bug.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3 align="left">Version 1.2.1</h3>
|
||||
|
||||
<ul>
|
||||
<li>The new <i>logunclean </i>interface option is not described
|
||||
in the help text in /etc/shorewall/interfaces. An <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.1/interfaces">updated
|
||||
interfaces file</a> is available.</li>
|
||||
<li>When REJECT is specified in a TCP rule, Shorewall correctly
|
||||
replies with a TCP RST packet. Previous versions of the firewall
|
||||
script are broken in the case of a REJECT policy, however; in REJECT
|
||||
policy chains, all requests are currently replied to with an ICMP
|
||||
port-unreachable packet. <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.2.1/firewall">This
|
||||
corrected firewall script</a> replies to TCP requests with TCP
|
||||
RST in REJECT policy chains. Place the script in /etc/shorewall/firewall.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3 align="left">Version 1.2.0</h3>
|
||||
|
||||
<blockquote>
|
||||
<p align="left"><b>Note: </b>If you are upgrading from one of the Beta
|
||||
RPMs to 1.2.0, you must use the "--oldpackage" option to rpm
|
||||
(e.g., rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm).</p>
|
||||
|
||||
<p align="left">The tunnel script released in version 1.2.0 contained
|
||||
errors -- a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.0/tunnel">corrected
|
||||
script</a> is available.</p>
|
||||
</blockquote>
|
||||
|
||||
<hr>
|
||||
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
|
||||
iptables version 1.2.3</font></h3>
|
||||
|
||||
<blockquote>
|
||||
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
|
||||
prevent it from working with Shorewall. Regrettably, RedHat released
|
||||
this buggy iptables in RedHat 7.2. </p>
|
||||
|
||||
<p align="left"> I have built a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
|
||||
corrected 1.2.3 rpm which you can download here</a> and I have also built
|
||||
an <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
|
||||
iptables-1.2.4 rpm which you can download here</a>. If you are currently
|
||||
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
|
||||
</b>you upgrade to RedHat 7.2.</p>
|
||||
|
||||
<p align="left"><font face="Century Gothic, Arial, Helvetica"
|
||||
color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat has released
|
||||
an iptables-1.2.4 RPM of their own which you can download from<font
|
||||
face="Century Gothic, Arial, Helvetica" color="#ff6633"> <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
|
||||
</font>I have installed this RPM on my firewall and it works fine.</p>
|
||||
|
||||
<p align="left">If you would like to patch iptables 1.2.3 yourself,
|
||||
the patches are available for download. This <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
|
||||
which corrects a problem with parsing of the --log-level specification
|
||||
while this <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
|
||||
corrects a problem in handling the TOS target.</p>
|
||||
|
||||
<p align="left">To install one of the above patches:</p>
|
||||
|
||||
<ul>
|
||||
<li>cd iptables-1.2.3/extensions</li>
|
||||
<li>patch -p0 < <i>the-patch-file</i></li>
|
||||
|
||||
</ul>
|
||||
</blockquote>
|
||||
|
||||
<h3><a name="Debug"></a>Problems with kernel 2.4.18
|
||||
and RedHat iptables</h3>
|
||||
|
||||
<blockquote>
|
||||
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18
|
||||
may experience the following:</p>
|
||||
|
||||
<blockquote>
|
||||
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.<br>Aborted (core dumped)<br></pre>
|
||||
</blockquote>
|
||||
|
||||
<p>The RedHat iptables RPM is compiled with debugging enabled but the
|
||||
user-space debugging code was not updated to reflect recent changes in
|
||||
the Netfilter 'mangle' table. You can correct the problem by installing
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
|
||||
this iptables RPM</a>. If you are already running a 1.2.5 version of
|
||||
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
|
||||
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
|
||||
</blockquote>
|
||||
|
||||
<p><font face="Century Gothic, Arial, Helvetica"><font size="2"> Last updated
|
||||
5/24/2002 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
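Review bot: this hunk deletes the whole 1.2 errata page, including the only in-tree record of the corrections users were told to apply by hand (the line 1564 change of the blacklst LOG rule from `-d $addr` to `-s $addr` under Version 1.2.3, and the `get_config` insertion in the `status)` case under Version 1.2.2), and the `<a name="iptables">` and `<a name="Debug">` sections that other pages link to as `#iptables` and `#Debug`; the commit message says only "Remove documentation", so either state there where this content now lives (the errata_2.htm target referenced elsewhere, or an external site) or leave a stub page that points to it, so that the `pub/shorewall/errata/1.2.x/...` fix links and the per-version "install this corrected firewall script" instructions are not silently orphaned for anyone still on a 1.2 release.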
@ -1,656 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall 1.3 Errata</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="center"> <b><u>IMPORTANT</u></b></p>
|
||||
|
||||
<ol>
|
||||
<li>
|
||||
<p align="left"> <b><u>I</u>f you use a Windows system to download
|
||||
a corrected script, be sure to run the script through <u>
|
||||
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
|
||||
style="text-decoration: none;"> dos2unix</a></u> after you have moved
|
||||
it to your Linux system.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"> <b>If you are installing Shorewall for the first
|
||||
time and plan to use the .tgz and install.sh script, you can untar
|
||||
the archive, replace the 'firewall' script in the untarred directory
|
||||
with the one you downloaded below, and then run install.sh.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"> <b>If you are running a Shorewall version earlier
|
||||
than 1.3.11, when the instructions say to install a corrected firewall
|
||||
script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
|
||||
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
|
||||
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
|
||||
/etc/shorewall/firewall or /var/lib/shorewall/firewall before
|
||||
you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall
|
||||
are symbolic links that point to the 'shorewall' file used by your
|
||||
system initialization scripts to start Shorewall during boot.
|
||||
It is that file that must be overwritten with the corrected
|
||||
script. Beginning with Shorewall 1.3.11, you may rename the existing file
|
||||
before copying in the new file.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
|
||||
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
|
||||
For example, do NOT install the 1.3.9a firewall script if you are running
|
||||
1.3.7c.</font></b><br>
|
||||
</p>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<ul>
|
||||
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
|
||||
<li> <b><a
|
||||
href="#V1.3">Problems in Version 1.3</a></b></li>
|
||||
<li> <b><a
|
||||
href="errata_2.htm">Problems in Version 1.2</a></b></li>
|
||||
<li> <b><font
|
||||
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
|
||||
<li> <b><font
|
||||
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
|
||||
on RH7.2</a></font></b></li>
|
||||
<li> <b><a
|
||||
href="#Debug">Problems with kernels >= 2.4.18 and RedHat iptables</a></b></li>
|
||||
<li><b><a href="#SuSE">Problems installing/upgrading
|
||||
RPM on SuSE</a></b></li>
|
||||
<li><b><a href="#Multiport">Problems with iptables
|
||||
version 1.2.7 and MULTIPORT=Yes</a></b></li>
|
||||
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
|
||||
and NAT</a></b><br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<hr>
|
||||
<h2 align="left"><small></small><a name="V1.3"></a>Problems in Version 1.3</h2>
|
||||
|
||||
<h3>Version 1.3.14</h3>
|
||||
|
||||
<ul>
|
||||
<li>There is an <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated
|
||||
rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and
|
||||
223.0.0.0/8.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>The documentation for the routestopped file claimed that a comma-separated
|
||||
list could appear in the second column while the code only supported a
|
||||
single host or network address.</li>
|
||||
<li>Log messages produced by 'logunclean' and 'dropunclean' were not
|
||||
rate-limited.</li>
|
||||
<li>802.11b devices with names of the form <i>wlan</i><n> don't
|
||||
support the 'maclist' interface option.</li>
|
||||
<li>Log messages generated by RFC 1918 filtering are not rate limited.</li>
|
||||
<li>The firewall fails to start in the case where you have "eth0 eth1"
|
||||
in /etc/shorewall/masq and the default route is through eth1.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
These problems have been corrected in <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this
|
||||
firewall script</a> which may be installed in /usr/lib/shorewall as described
|
||||
above.<br>
|
||||
|
||||
<h3>Version 1.3.13</h3>
|
||||
|
||||
<ul>
|
||||
<li>The 'shorewall add' command produces an error message referring
|
||||
to 'find_interfaces_by_maclist'.</li>
|
||||
<li>The 'shorewall delete' command can leave behind undeleted rules.</li>
|
||||
<li>The 'shorewall add' command can fail with "iptables: Index of
|
||||
insertion too big".<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
All three problems are corrected by <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this
|
||||
firewall script</a> which may be installed in /usr/lib/shorewall as described
|
||||
above.<br>
|
||||
|
||||
<ul>
|
||||
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
|
||||
eth0.1) are not supported in this version or in 1.3.12. If you need such
|
||||
support, post on the users list and I can provide you with a patched version.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Version 1.3.12</h3>
|
||||
|
||||
<ul>
|
||||
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect
|
||||
is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
|
||||
is corrected by <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
|
||||
firewall script</a> which may be installed in /usr/lib/shorewall as described
|
||||
above.</li>
|
||||
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
|
||||
eth0.1) are not supported in this version or in 1.3.13. If you need such
|
||||
support, post on the users list and I can provide you with a patched version.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Version 1.3.12 LRP</h3>
|
||||
|
||||
<ul>
|
||||
<li>The .lrp was missing the /etc/shorewall/routestopped file
|
||||
-- a new lrp (shorwall-1.3.12a.lrp) has been released which corrects this
|
||||
problem.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Version 1.3.11a</h3>
|
||||
|
||||
<ul>
|
||||
<li><a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
|
||||
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of
|
||||
82.0.0.0/8.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Version 1.3.11</h3>
|
||||
|
||||
<ul>
|
||||
<li>When installing/upgrading using the .rpm, you may receive
|
||||
the following warnings:<br>
|
||||
<br>
|
||||
user teastep does not exist - using root<br>
|
||||
group teastep does not exist - using root<br>
|
||||
<br>
|
||||
These warnings are harmless and may be ignored. Users downloading
|
||||
the .rpm from shorewall.net or mirrors should no longer see these warnings
|
||||
as the .rpm you will get from there has been corrected.</li>
|
||||
<li>DNAT rules that exclude a source subzone (SOURCE column
|
||||
contains ! followed by a sub-zone list) result in an error message and
|
||||
Shorewall fails to start.<br>
|
||||
<br>
|
||||
Install <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
|
||||
corrected script</a> in /usr/lib/shorewall/firewall to correct this
|
||||
problem. Thanks go to Roger Aich who analyzed this problem and provided
|
||||
a fix.<br>
|
||||
<br>
|
||||
This problem is corrected in version 1.3.11a.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Version 1.3.10</h3>
|
||||
|
||||
<ul>
|
||||
<li>If you experience problems connecting to a PPTP server
|
||||
running on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
|
||||
version of the firewall script</a> may help. Please report any cases
|
||||
where installing this script in /usr/lib/shorewall/firewall solved your
|
||||
connection problems. Beginning with version 1.3.10, it is safe to save
|
||||
the old version of /usr/lib/shorewall/firewall before copying in the
|
||||
new one since /usr/lib/shorewall/firewall is the real script now and
|
||||
not just a symbolic link to the real script.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Version 1.3.9a</h3>
|
||||
|
||||
<ul>
|
||||
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
|
||||
then the following message appears during "shorewall [re]start":</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<pre> recalculate_interfacess: command not found<br></pre>
|
||||
|
||||
<blockquote> The updated firewall script at <a
|
||||
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
|
||||
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
|
||||
corrects this problem.Copy the script to /usr/lib/shorewall/firewall
|
||||
as described above.<br>
|
||||
</blockquote>
|
||||
|
||||
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
|
||||
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
|
||||
to 'recalculate_interface'. <br>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>The installer (install.sh) issues a misleading message
|
||||
"Common functions installed in /var/lib/shorewall/functions" whereas
|
||||
the file is installed in /usr/lib/shorewall/functions. The installer
|
||||
also performs incorrectly when updating old configurations that had the
|
||||
file /etc/shorewall/functions. <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
|
||||
is an updated version that corrects these problems.<br>
|
||||
</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Version 1.3.9</h3>
|
||||
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated
|
||||
firewall script at <a
|
||||
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
|
||||
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
|
||||
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
|
||||
<br>
|
||||
Version 1.3.8
|
||||
<ul>
|
||||
<li> Use of shell variables in the LOG LEVEL or SYNPARMS
|
||||
columns of the policy file doesn't work.</li>
|
||||
<li>A DNAT rule with the same original and new IP
|
||||
addresses but with different port numbers doesn't work (e.g., "DNAT
|
||||
loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
Installing <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
|
||||
this corrected firewall script</a> in /var/lib/shorewall/firewall
|
||||
as described above corrects these
|
||||
problems.
|
||||
<h3>Version 1.3.7b</h3>
|
||||
|
||||
<p>DNAT rules where the source zone is 'fw' ($FW) result in an error
|
||||
message. Installing <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
|
||||
this corrected firewall script</a> in /var/lib/shorewall/firewall
|
||||
as described above corrects this
|
||||
problem.</p>
|
||||
|
||||
<h3>Version 1.3.7a</h3>
|
||||
|
||||
<p>"shorewall refresh" is not creating the proper rule for FORWARDPING=Yes.
|
||||
Consequently, after "shorewall refresh", the firewall will not
|
||||
forward icmp echo-request (ping) packets. Installing
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
|
||||
this corrected firewall script</a> in /var/lib/shorewall/firewall
|
||||
as described above corrects this
|
||||
problem.</p>
|
||||
|
||||
<h3>Version <= 1.3.7a</h3>
|
||||
|
||||
<p>If "norfc1918" and "dhcp" are both specified as options on a
|
||||
given interface then RFC 1918 checking is occurring before DHCP
|
||||
checking. This means that if a DHCP client broadcasts using
|
||||
an RFC 1918 source address, then the firewall will
|
||||
reject the broadcast (usually logging it). This
|
||||
has two problems:</p>
|
||||
|
||||
<ol>
|
||||
<li>If the firewall
|
||||
is running a DHCP server, the client
|
||||
won't be able to obtain an IP address lease from
|
||||
that server.</li>
|
||||
<li>With this order
|
||||
of checking, the "dhcp" option
|
||||
cannot be used as a noise-reduction measure where there are both
|
||||
dynamic and static clients on a LAN segment.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p> <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
|
||||
This version of the 1.3.7a firewall script </a>
|
||||
corrects the problem. It must be installed
|
||||
in /var/lib/shorewall as described
|
||||
above.</p>
|
||||
|
||||
<h3>Version 1.3.7</h3>
|
||||
|
||||
<p>Version 1.3.7 dead on arrival -- please use version 1.3.7a and check
|
||||
your version against these md5sums -- if there's a difference, please
|
||||
download again.</p>
|
||||
|
||||
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
|
||||
|
||||
<p>In other words, type "md5sum <<i>whatever package you downloaded</i>>
|
||||
and compare the result with what you see above.</p>
|
||||
|
||||
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
|
||||
.7 version in each sequence from now on.</p>
|
||||
|
||||
<h3 align="left">Version 1.3.6</h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
|
||||
an error occurs when the firewall script attempts to
|
||||
add an SNAT alias. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
|
||||
cause errors during startup when Shorewall is run with iptables
|
||||
1.2.7. </p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left">These problems are fixed in <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
|
||||
this correct firewall script</a> which must be installed in /var/lib/shorewall/
|
||||
as described above. These problems are also corrected in version 1.3.7.</p>
|
||||
|
||||
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
|
||||
|
||||
<p align="left">A line was inadvertently deleted from the "interfaces
|
||||
file" -- this line should be added back in if the version that you
|
||||
downloaded is missing it:</p>
|
||||
|
||||
<p align="left">net eth0 detect routefilter,dhcp,norfc1918</p>
|
||||
|
||||
<p align="left">If you downloaded two-interfaces-a.tgz then the above
|
||||
line should already be in the file.</p>
|
||||
|
||||
<h3 align="left">Version 1.3.5-1.3.5b</h3>
|
||||
|
||||
<p align="left">The new 'proxyarp' interface option doesn't work :-(
|
||||
This is fixed in <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
|
||||
this corrected firewall script</a> which must be installed in
|
||||
/var/lib/shorewall/ as described above.</p>
|
||||
|
||||
<h3 align="left">Versions 1.3.4-1.3.5a</h3>
|
||||
|
||||
<p align="left">Prior to version 1.3.4, host file entries such as the
|
||||
following were allowed:</p>
|
||||
|
||||
<div align="left">
|
||||
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">That capability was lost in version 1.3.4 so that it is only
|
||||
possible to include a single host specification on each line.
|
||||
This problem is corrected by <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
|
||||
modified 1.3.5a firewall script</a>. Install the script in
|
||||
/var/lib/pub/shorewall/firewall as instructed above.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">This problem is corrected in version 1.3.5b.</p>
|
||||
</div>
|
||||
|
||||
<h3 align="left">Version 1.3.5</h3>
|
||||
|
||||
<p align="left">REDIRECT rules are broken in this version. Install <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
|
||||
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
|
||||
as instructed above. This problem is corrected in version
|
||||
1.3.5a.</p>
|
||||
|
||||
<h3 align="left">Version 1.3.n, n < 4</h3>
|
||||
|
||||
<p align="left">The "shorewall start" and "shorewall restart" commands
|
||||
to not verify that the zones named in the /etc/shorewall/policy file
|
||||
have been previously defined in the /etc/shorewall/zones file.
|
||||
The "shorewall check" command does perform this verification so
|
||||
it's a good idea to run that command after you have made configuration
|
||||
changes.</p>
|
||||
|
||||
<h3 align="left">Version 1.3.n, n < 3</h3>
|
||||
|
||||
<p align="left">If you have upgraded from Shorewall 1.2 and after "Activating
|
||||
rules..." you see the message: "iptables: No chains/target/match
|
||||
by that name" then you probably have an entry in /etc/shorewall/hosts
|
||||
that specifies an interface that you didn't include
|
||||
in /etc/shorewall/interfaces. To correct this problem, you
|
||||
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3
|
||||
and later versions produce a clearer error message in this
|
||||
case.</p>
|
||||
|
||||
<h3 align="left">Version 1.3.2</h3>
|
||||
|
||||
<p align="left">Until approximately 2130 GMT on 17 June 2002, the download
|
||||
sites contained an incorrect version of the .lrp file. That file
|
||||
can be identified by its size (56284 bytes). The correct version
|
||||
has a size of 38126 bytes.</p>
|
||||
|
||||
<ul>
|
||||
<li>The code to detect a duplicate interface
|
||||
entry in /etc/shorewall/interfaces contained a typo that
|
||||
prevented it from working correctly. </li>
|
||||
<li>"NAT_BEFORE_RULES=No" was broken;
|
||||
it behaved just like "NAT_BEFORE_RULES=Yes".</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left">Both problems are corrected in <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
|
||||
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
|
||||
as described above.</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">The IANA have just announced the allocation of subnet
|
||||
221.0.0.0/8. This <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
|
||||
updated rfc1918</a> file reflects that allocation.</p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3 align="left">Version 1.3.1</h3>
|
||||
|
||||
<ul>
|
||||
<li>TCP SYN packets may be double counted
|
||||
when LIMIT:BURST is included in a CONTINUE or ACCEPT policy
|
||||
(i.e., each packet is sent through the limit chain twice).</li>
|
||||
<li>An unnecessary jump to the policy
|
||||
chain is sometimes generated for a CONTINUE policy.</li>
|
||||
<li>When an option is given for more
|
||||
than one interface in /etc/shorewall/interfaces then
|
||||
depending on the option, Shorewall may ignore all but
|
||||
the first appearence of the option. For example:<br>
|
||||
<br>
|
||||
net eth0 dhcp<br>
|
||||
loc eth1 dhcp<br>
|
||||
<br>
|
||||
Shorewall will ignore the 'dhcp' on eth1.</li>
|
||||
<li>Update 17 June 2002 - The bug described
|
||||
in the prior bullet affects the following options:
|
||||
dhcp, dropunclean, logunclean, norfc1918, routefilter,
|
||||
multi, filterping and noping. An additional bug has been
|
||||
found that affects only the 'routestopped' option.<br>
|
||||
<br>
|
||||
Users who downloaded the corrected script
|
||||
prior to 1850 GMT today should download and install
|
||||
the corrected script again to ensure that this second
|
||||
problem is corrected.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left">These problems are corrected in <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
|
||||
this firewall script</a> which should be installed in /etc/shorewall/firewall
|
||||
as described above.</p>
|
||||
|
||||
<h3 align="left">Version 1.3.0</h3>
|
||||
|
||||
<ul>
|
||||
<li>Folks who downloaded 1.3.0 from the
links on the download page before 23:40 GMT, 29 May
2002 may have downloaded 1.2.13 rather than 1.3.0.
The "shorewall version" command will tell you which version
that you have installed.</li>
<li>The documentation NAT.htm file uses
non-existent wallpaper and bullet graphic files. The
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li>

</ul>

<hr>
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>

<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>

<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3>

<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2. </p>

<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a> and I have
also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> iptables-1.2.4
rpm which you can download here</a>. If you are currently running
RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>

<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works
fine.</p>

<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the TOS target.</p>

<p align="left">To install one of the above patches:</p>

<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 < <i>the-patch-file</i></li>

</ul>
</blockquote>

<h3><a name="Debug"></a>Problems with kernels >= 2.4.18
and RedHat iptables</h3>

<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>

<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>

<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by
installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>

<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>

<p>If you find that rpm complains about a conflict with kernel <=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>

<p>Installing: rpm -ivh --nodeps <i><shorewall rpm></i></p>

<p>Upgrading: rpm -Uvh --nodeps <i><shorewall rpm></i></p>

<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>

<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as
a consequence, if you install iptables 1.2.7 you must
be running Shorewall 1.3.7a or later or:</p>

<ul>
<li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running
Shorewall 1.3.6 you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>

</ul>

<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will
result in Shorewall being unable to start:<br>
<br>

<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>192.0.2.22 eth0 192.168.9.22 yes yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>

<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>

<p><font size="2"> Last updated 3/8/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>

<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
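Review bot: deleting this errata page removes the named anchor targets #Upgrade, #iptables, #Debug, #SuSE, #Multiport and #NAT (the `<a name="...">` elements in the h2/h3 headings) that may be linked from elsewhere in the documentation tree, so inbound links should be checked or redirected before this lands. The hunk also drops the only copy of two operational fixes, the `LOCAL` column must be "no" workaround for the 2.4.18-10 NAT start failure and the `--oldpackage` install for the RedHat iptables `do_check` assertion crash; if that text is being relocated rather than retired, the example on the `--oldpackage` line reads `iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm` where `rpm -Uvh` is clearly intended and should be corrected at the new location. Worth noting as well that every binary RPM and patch on these lines is offered over plain ftp:// or http:// with no checksum or signature mentioned, which is a further reason not to carry the download pointers forward unchanged.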
@ -1,61 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Fallback and Uninstall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<div style="text-align: left;">
<h1 style="text-align: center;">Fallback and Uninstall<br>
</h1>
<h1><strong></strong></h1>
<h1><strong></strong></h1>
</div>
<p><strong>Shorewall includes a </strong><a href="#fallback"><strong>fallback
script</strong></a><strong> and an </strong><a href="#uninstall"><strong>uninstall
script</strong></a><strong>.</strong></p>
<h2><a name="fallback"></a>Falling Back to the Previous Version of
Shorewall using the Fallback Script</h2>
<p>If you install Shorewall and discover that it doesn't work for you,
you
can fall back to your previously installed version. To do that:</p>
<ul>
<li>cd to the distribution directory for the version of Seattle
Firewall <u>that you are currently running </u>(NOT the version that
you want to fall back to).</li>
<li>Type "./fallback.sh"</li>
</ul>
<h3><strong><u>Warning:</u> The fallback script will replace
/etc/shorewall/policy,
/etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat,
/etc/shorewall/proxyarp
and /etc/shorewall/masq with the version of these files from before the
current
version was installed. Any changes to any of these files will be lost.</strong></h3>
<h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall
using rpm</h2>
<p>If your previous version of Shorewall was installed using RPM, you
may
fall back to that version by typing "rpm -Uvh --force <old rpm>"
at
a root shell prompt (Example: "rpm -Uvh --force
/downloads/shorewall-3.1=0noarch.rpm"
would fall back to the 3.1-0 version of Shorewall).</p>
<h2><a name="uninstall"></a>Uninstalling Shorewall</h2>
<p>If you no longer wish to use Shorewall, you may remove it by:</p>
<ul>
<li>cd to the distribution directory for the version of Shorewall
that you have installed.</li>
<li>type "./uninstall.sh"</li>
</ul>
<p>If you installed using an rpm, at a root shell prompt type "rpm -e
shorewall".</p>
<p><font size="2">Last updated 3/26/2001 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
</body>
</html>
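Review bot: if the Fallback and Uninstall text is being moved rather than retired, two stale details on the deleted lines should not be carried over as-is: the first fallback step still says "Seattle Firewall" (the product's earlier name) where the rest of the page says Shorewall, and the rpm example `/downloads/shorewall-3.1=0noarch.rpm` is not a well-formed package filename for the "3.1-0 version" the sentence says it reverts to. The warning that `./fallback.sh` silently overwrites /etc/shorewall/policy, rules, interfaces, nat, proxyarp and masq with the pre-upgrade copies is the one piece of this page that must survive wherever fallback is documented next, since losing a hand-edited rules or policy file is a firewall-policy change, not just a documentation gap.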
@ -1,57 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>GNU Mailman</title>
</head>
<body>
<h1 align="center">GNU Mailman/Postfix the Easy Way </h1>
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by
Michael Tokarev as a suggested addition to the Postfix FAQ.</h4>
<p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>
<br>
A: Mailman uses a setgid wrapper that is designed to be used in
system-wide aliases file so that rest of mailman's mail handling
processes will run with proper uid/gid. Postfix has an ability to run a
command specified in an alias as owner of that alias, thus mailman's
wrapper is not needed here. The best method to invoke mailman's mail
handling via aliases is to use separate alias file especially for
mailman, and made it owned by mailman and group mailman. Like:<br>
<br>
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
<br>
Make sure that /var/mailman/aliases.db is owned by mailman user (this
may be done by executing postalias as mailman userid).<br>
<br>
Next, instead of using mailman-suggested aliases entries with wrapper,
use the following:<br>
<br>
instead of<br>
mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
...<br>
<br>
use<br>
mailinglist: /var/mailman/scripts/post mailinglist<br>
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
...</p>
<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted
something very similar so that no workaround is necessary. See the
README.POSTFIX file included with Mailman-2.1. </h4>
<p align="left"><font size="2">Last updated 12/29/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M.
Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
</body>
</html>
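Review bot: removing this page is reasonable since it documents a Postfix/Mailman alias setup rather than anything in the firewall, and the page itself says the workaround is only needed for Mailman 2.0 (the closing h4 notes 2.1 ships an equivalent in README.POSTFIX). If any of it is kept, the line that matters is the ownership requirement: the whole approach relies on Postfix running an alias's command as the owner of the alias file, so `/var/mailman/aliases.db` must be owned by the mailman user (built with postalias as that user) and the separate `hash:/var/mailman/aliases` map must not be writable by anyone else, otherwise the commands in it run with the wrong identity. The text is attributed to Michael Tokarev's mailing-list post, so any relocated copy should keep that attribution line.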