no longer in the current revision..
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3520 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
@ -1,111 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->

<articleinfo>
<title>6to4 Tunnels</title>

<authorgroup>
<author>
<firstname>Eric</firstname>

<surname>de Thouars</surname>
</author>

<author>
<firstname>Tom</firstname>

<surname>Eastep</surname>
</author>
</authorgroup>

<pubdate>2004-01-05</pubdate>

<copyright>
<year>2003-2004</year>

<holder>Eric de Thoars and Tom Eastep</holder>
</copyright>

<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

<warning>
<para>The 6to4 tunnel feature of Shorewall only facilitates IPv6 over IPv4
tunneling. It does not provide any IPv6 security measures.</para>
</warning>

<para>6to4 tunneling with Shorewall can be used to connect your IPv6 network
to another IPv6 network over an IPv4 infrastructure.</para>

<para>More information on Linux and IPv6 can be found in the <ulink
url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</ulink>.
Details on how to setup a 6to4 tunnels are described in the section <ulink
url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
of 6to4 tunnels</ulink>.</para>

<section>
<title>Connecting two IPv6 Networks</title>

<para>Suppose that we have the following situation:</para>

<graphic fileref="images/TwoIPv6Nets1.png" />

<para>We want systems in the 2002:100:333::/64 subnetwork to be able to
communicate with the systems in the 2002:488:999::/64 network. This is
accomplished through use of the <filename><filename>/etc/shorewall/tunnels</filename></filename>
file and the <quote>ip</quote> utility for network interface and routing
configuration.</para>

<para>Unlike GRE and IPIP tunneling, the <filename>/etc/shorewall/policy</filename>,
<filename>/etc/shorewall/interfaces</filename> and <filename>/etc/shorewall/zones</filename>
files are not used. There is no need to declare a zone to represent the
remote IPv6 network. This remote network is not visible on IPv4 interfaces
and to iptables. All that is visible on the IPv4 level is an IPv4 stream
which contains IPv6 traffic. Separate IPv6 interfaces and ip6tables rules
need to be defined to handle this traffic.</para>

<para>In <filename>/etc/shorewall/tunnels </filename>on system A, we need
the following:</para>

<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
6to4 net 134.28.54.2</programlisting>

<para>This entry in <filename>/etc/shorewall/tunnels</filename>, opens the
firewall so that the IPv6 encapsulation protocol (41) will be accepted
to/from the remote gateway.</para>

<para>Use the following commands to setup system A:</para>

<programlisting>><command>ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2</command>
><command>ip link set dev tun6to4 up</command>
><command>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4</command>
><command>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</command></programlisting>

<para>Similarly, in <filename>/etc/shorewall/tunnels</filename> on system
B we have:</para>

<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
6to4 net 206.191.148.9</programlisting>

<para>And use the following commands to setup system B:</para>

<programlisting>><command>ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9</command>
><command>ip link set dev tun6to4 up</command>
><command>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4</command>
><command>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</command></programlisting>

<para>On both systems, restart Shorewall and issue the configuration
commands as listed above. The systems in both IPv6 subnetworks can now
talk to each other using IPv6.</para>
</section>
</article>
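Review bot: if this 6to4 article is being relocated rather than retired, two defects in the removed text should not travel with it: the doubled markup `<filename><filename>/etc/shorewall/tunnels</filename></filename>` in the "We want systems in the 2002:100:333::/64" paragraph (one `<filename>` is enough), and the copyright holder "Eric de Thoars", which does not match the author surname "de Thouars" given a few lines earlier. Separately, the article's own warning says the feature "does not provide any IPv6 security measures", and the `6to4 net 134.28.54.2` tunnels entry admits protocol 41 from that gateway, yet the text only says that ip6tables rules "need to be defined" with no pointer to where; a reader who follows only the four `ip` commands ends up with an unfiltered IPv6 path into the 2002:100:333::/64 network, so a cross-reference to the IPv6 filtering the author expects would close that gap.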
@ -1,231 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->

<articleinfo>
<title>Shorewall Traffic Accounting</title>

<authorgroup>
<author>
<firstname>Tom</firstname>

<surname>Eastep</surname>
</author>
</authorgroup>

<pubdate>2004-01-05</pubdate>

<copyright>
<year>2003-2004</year>

<holder>Thomas M. Eastep</holder>
</copyright>

<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

<para>Shorewall Traffic Accounting support was added in Shorewall release
1.4.7.</para>

<para>Shorewall accounting rules are described in the file
/etc/shorewall/accounting. By default, the accounting rules are placed in a
chain called <quote>accounting</quote> and can thus be displayed using
<quote>shorewall show accounting</quote>. All traffic passing into, out of
or through the firewall traverses the accounting chain including traffic
that will later be rejected by interface options such as <quote>tcpflags</quote>
and <quote>maclist</quote>. If your kernel doesn't support the
connection tracking match extension (Kernel 2.4.21) then some traffic
rejected under <quote>norfc1918</quote> will not traverse the accounting
chain.</para>

<para>The columns in the accounting file are as follows:</para>

<itemizedlist>
<listitem>
<para><emphasis role="bold">ACTION </emphasis>- What to do when a match
is found. Possible values are:</para>

<itemizedlist>
<listitem>
<para>COUNT- Simply count the match and continue trying to match the
packet with the following accounting rules</para>
</listitem>

<listitem>
<para>DONE- Count the match and don't attempt to match any
following accounting rules.</para>
</listitem>

<listitem>
<para><emphasis><chain></emphasis> - The name of a chain to
jump to. Shorewall will create the chain automatically. If the name
of the chain is followed by <quote>:COUNT</quote> then a COUNT rule
matching this rule will automatically be added to <chain>.
Chain names must start with a letter, must be composed of letters
and digits, and may contain underscores (<quote>_</quote>) and
periods (<quote>.</quote>). Beginning with Shorewall version 1.4.8,
chain names man also contain embedded dashes (<quote>-</quote>) and
are not required to start with a letter.</para>
</listitem>
</itemizedlist>
</listitem>

<listitem>
<para><emphasis role="bold">CHAIN</emphasis> - The name of the chain
where the accounting rule is to be added. If empty or <quote>-</quote>
then the <quote>accounting</quote> chain is assumed.</para>
</listitem>

<listitem>
<para><emphasis role="bold">SOURCE</emphasis> - Packet Source. The name
of an interface, an address (host or net) or an interface name followed
by <quote>:</quote> and a host or net address.</para>
</listitem>

<listitem>
<para><emphasis role="bold">DESTINATION</emphasis> - Packet Destination
Format the same as the SOURCE column.</para>
</listitem>

<listitem>
<para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name (from
<filename>/etc/protocols</filename>) or a protocol number.</para>
</listitem>

<listitem>
<para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
number. Service name from <filename>/etc/services</filename> or port
number. May only be specified if the protocol is TCP or UDP (6 or 17).</para>
</listitem>

<listitem>
<para><emphasis role="bold">SOURCE PORT</emphasis>- Source Port number.
Service name from /etc/services or port number. May only be specified if
the protocol is TCP or UDP (6 or 17).</para>
</listitem>
</itemizedlist>

<para>In all columns except ACTION and CHAIN, the values <quote>-</quote>,<quote>any</quote>
and <quote>all</quote> are treated as wild-cards.</para>

<para>The accounting rules are evaluated in the Netfilter <quote>filter</quote>
table. This is the same environment where the <quote>rules</quote> file
rules are evaluated and in this environment, DNAT has already occurred in
inbound packets and SNAT has not yet occurred on outbound ones.</para>

<para>Accounting rules are not stateful -- each rule only handles traffic in
one direction. For example, if eth0 is your internet interface and you have
a web server in your DMZ connected to eth1 then to count HTTP traffic in
both directions requires two rules:</para>

<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
DONE - eth0 eth1 tcp 80
DONE - eth1 eth0 tcp - 80</programlisting>

<para>Associating a counter with a chain allows for nice reporting. For
example:</para>

<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web:COUNT - eth0 eth1 tcp 80
web:COUNT - eth1 eth0 tcp - 80
web:COUNT - eth0 eth1 tcp 443
web:COUNT - eth1 eth0 tcp - 443
DONE web</programlisting>

<para>Now <quote>shorewall show web</quote> will give you a breakdown of
your web traffic:</para>

<programlisting> [root@gateway shorewall]# shorewall show web
Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003

Counters reset Wed Aug 20 09:48:00 PDT 2003

Chain web (4 references)
pkts bytes target prot opt in out source destination
11 1335 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
18 1962 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
29 3297 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#</programlisting>

<para>Here is a slightly different example:</para>

<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web - eth0 eth1 tcp 80
web - eth1 eth0 tcp - 80
web - eth0 eth1 tcp 443
web - eth1 eth0 tcp - 443
COUNT web eth0 eth1
COUNT web eth1 eth0</programlisting>

<para>Now <quote>shorewall show web</quote> simply gives you a breakdown by
input and output:</para>

<programlisting> [root@gateway shorewall]# shorewall show accounting web
Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003

Counters reset Wed Aug 20 10:24:33 PDT 2003

Chain accounting (3 references)
pkts bytes target prot opt in out source destination
8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443

Chain web (4 references)
pkts bytes target prot opt in out source destination
8767 727K all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#</programlisting>

<para>Here's how the same example would be constructed on an HTTP server
(READ THAT FOLKS -- IT SAYS <emphasis role="underline">SERVER</emphasis>. If
you want to account for web browsing, you have to reverse the rules below)
with only one interface (eth0):</para>

<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web - eth0 - tcp 80
web - - eth0 tcp - 80
web - eth0 - tcp 443
web - - eth0 tcp - 443
COUNT web eth0
COUNT web - eth0</programlisting>

<para>Note that with only one interface, only the SOURCE (for input rules)
or the DESTINATION (for output rules) is specified in each rule.</para>

<para>Here's the output:</para>

<programlisting> [root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7
Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003

Counters reset Sat Oct 11 08:12:57 PDT 2003

Chain accounting (3 references)
pkts bytes target prot opt in out source destination
8767 727K web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
11506 13M web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443

Chain web (4 references)
pkts bytes target prot opt in out source destination
8767 727K all -- eth0 * 0.0.0.0/0 0.0.0.0/0
11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0
[root@mail shorewall]#</programlisting>
</article>
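Review bot: the `<chain>` list item in the removed accounting article carries a typo, "chain names man also contain embedded dashes", which should read "may also contain"; if the text is being moved elsewhere, carry the fix with it. In the same article, the final listing runs the version banner onto the prompt line (`[root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7`) while the two earlier listings start the banner on its own line, so the last one reads as though "Shorewall-1.4.7" were an argument to `shorewall show`; splitting it the same way as the others avoids that. The kernel caveat "(Kernel 2.4.21)" is also ambiguous as written, since it does not say whether 2.4.21 is the kernel that lacks the connection tracking match extension or the first one that has it; one clarifying word there would settle which traffic an operator should expect to be missing from the accounting chain.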
@ -1,542 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->

<articleinfo>
<title>Corporate Network</title>

<authorgroup>
<author>
<firstname>Tom</firstname>

<surname>Eastep</surname>
</author>

<author>
<firstname>Graeme</firstname>

<surname>Boyle</surname>
</author>
</authorgroup>

<pubdate>2003-11-13</pubdate>

<copyright>
<year>2003 Thomas M. Eastep and Graeme Boyle</year>
</copyright>

<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

<section>
<title>The Network</title>

<note>
<itemizedlist>
<listitem>
<para>This configuration is used on a corporate network that has a
Linux (RedHat 8.0) server with three interfaces, running Shorewall
1.4.5 release,</para>
</listitem>

<listitem>
<para>Make sure you know what public IP addresses are currently
being used and verify these <emphasis>before</emphasis> starting.</para>
</listitem>

<listitem>
<para>Verify your DNS settings <emphasis>before</emphasis> starting
any Shorewall configuration especially if you have split DNS.</para>
</listitem>

<listitem>
<para>System names and Internet IP addresses have been changed to
protect the innocent.</para>
</listitem>
</itemizedlist>
</note>

<warning>
<para>This configuration uses a combination of One-to-one NAT and Proxy
ARP. This is generally not relevant to a simple configuration with a
single public IP address. If you have just a single public IP address,
most of what you see here won't apply to your setup so beware of
copying parts of this configuration and expecting them to work for you.
What you copy may or may not work in your configuration.</para>
</warning>

<para>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
internet is connected to eth0. The local network is connected via eth1
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have
an IPSec tunnel connecting our offices in Germany to our offices in the
US. I host two Microsoft Exchange servers for two different companies
behind the firewall hence, the two Exchange servers in the diagram below.</para>

<section>
<title>Summary</title>

<itemizedlist>
<listitem>
<para>SNAT for all systems connected to the LAN - Internal addresses
10.10.x.x to external address 192.0.18.127.</para>
</listitem>

<listitem>
<para>One-to-one NAT for <emphasis>Polaris</emphasis> (Exchange
Server #2). Internal address 10.10.1.8 and external address
192.0.18.70.</para>
</listitem>

<listitem>
<para>One-to-one NAT for <emphasis>Sims</emphasis> (Inventory
Management server). Internal address 10.10.1.56 and external address
192.0.18.75.</para>
</listitem>

<listitem>
<para>One-to-one NAT for <emphasis>Project</emphasis> (Project Web
Server). Internal address 10.10.1.55 and external address
192.0.18.84.</para>
</listitem>

<listitem>
<para>One-to-one NAT for <emphasis>Fortress</emphasis> (Exchange
Server). Internal address 10.10.1.252 and external address
192.0.18.93.</para>
</listitem>

<listitem>
<para>One-to-one NAT for <emphasis>BBSRV</emphasis> (Blackberry
Server). Internal address 10.10.1.230 and external address
192.0.18.97.</para>
</listitem>

<listitem>
<para>One-to-one NAT for <emphasis>Intweb</emphasis> (Intranet Web
Server). Internal address 10.10.1.60 and external address
192.0.18.115.</para>
</listitem>
</itemizedlist>

<para>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard
with RH8.0.</para>

<para>The Firewall is also a proxy server running Privoxy 3.0.</para>

<para>The single system in the DMZ (address 192.0.18.80) runs sendmail,
imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0).
That server is managed through Proxy ARP.</para>

<para>All administration and publishing is done using ssh/scp. I have X
installed on the firewall and the system in the DMZ. X applications
tunnel through SSH to Hummingbird Exceed running on a PC located in the
LAN. Access to the firewall using SSH is restricted to systems in the
LAN, DMZ or the system Kaos which is on the Internet and managed by me.</para>

<graphic fileref="images/CorpNetwork.gif" />

<para>The Ethernet 0 interface in the Server is configured with IP
address 192.0.18.68, netmask 255.255.255.192. The server's default
gateway is 192.0.18.65, the Router connected to my network and the ISP.
This is the same default gateway used by the firewall itself. On the
firewall, Shorewall automatically adds a host route to 192.0.18.80
through Ethernet 2 (192.168.21.1) because of the entry in
/etc/shorewall/proxyarp (see below). I modified the start, stop and init
scripts to include the fixes suggested when having an IPSec tunnel.</para>
</section>

<section>
<title>Some Mistakes I Made</title>

<para>Yes, believe it or not, I made some really basic mistakes when
building this firewall. Firstly, I had the new firewall setup in
parallel with the old firewall so that there was no interruption of
service to my users. During my out-bound testing, I set up systems on
the LAN to utilize the firewall which worked fine. When testing my NAT
connections, from the outside, these would fail and I could not
understand why. Eventually, I changed the default route on the internal
system I was trying to access, to point to the new firewall and
<quote>bingo</quote>, everything worked as expected. This oversight
delayed my deployment by a couple of days not to mention level of
frustration it produced.</para>

<para>Another problem that I encountered was in setting up the Proxyarp
system in the DMZ. Initially I forgot to remove the entry for the eth2
from the /etc/shorewall/masq file. Once my file settings were correct, I
started verifying that the ARP caches on the firewall, as well as the
outside system <quote>kaos</quote>, were showing the correct Ethernet
MAC address. However, in testing remote access, I could access the
system in the DMZ only from the firewall and LAN but not from the
Internet. The message I received was <quote>connection denied</quote> on
all protocols. What I did not realize was that a <quote>helpful</quote>
administrator that had turned on an old system and assigned the same
address as the one I was using for Proxyarp without notifying me. How
did I work this out. I shutdown the system in the DMZ, rebooted the
router and flushed the ARP cache on the firewall and kaos. Then, from
kaos, I started pinging that IP address and checked the updated ARP
cache and lo-and-behold a different MAC address showed up. High levels
of frustration etc., etc. The administrator will not be doing that
again! :-)</para>
</section>

<section>
<title>Lessons Learned</title>

<itemizedlist>
<listitem>
<para>Read the documentation.</para>
</listitem>

<listitem>
<para>Draw your network topology before starting.</para>
</listitem>

<listitem>
<para>Understand what services you are going to allow in and out of
the firewall, whether they are TCP or UDP packets and make a note of
these port numbers.</para>
</listitem>

<listitem>
<para>Try to get quiet time to build the firewall - you need to
focus on the job at hand.</para>
</listitem>

<listitem>
<para>When asking for assistance, be honest and include as much
detail as requested. Don't try and hide IP addresses etc., you
will probably screw up the logs and make receiving assistance
harder.</para>
</listitem>

<listitem>
<para>Read the documentation.</para>
</listitem>
</itemizedlist>
</section>

<section>
<title>Futures</title>

<para>This is by no means the final configuration. In the near future, I
will be moving more systems from the LAN to the DMZ. I will also be
watching the logs for port scan programs etc. but, this should be
standard security maintenance.</para>
</section>
</section>

<section>
<title>Configuation Files</title>

<para>Here are copies of my files. I have removed most of the internal
documentation for the purpose of this space however, my system still has
the original files with all the comments and I highly recommend you do the
same.</para>

<section>
<title>Shorewall.conf</title>

<programlisting>##############################################################################
# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
##############################################################################
# L O G G I N G
##############################################################################
LOGFILE=/var/log/messages
LOGFORMAT=<quote>Shorewall:%s:%s:</quote>
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=debug
RFC1918_LOG_LEVEL=debug
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
FW=fw
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=No
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=Yes
NAT_BEFORE_RULES=No
MULTIPORT=Yes
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE</programlisting>
</section>

<section>
<title>Zones File</title>

<programlisting>#
# Shorewall 1.4 -- Sample Zone File For Two Interfaces
# /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local Networks
dmz DMZ Demilitarized Zone
vpn1 VPN1 VPN to Germany
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</section>

<section>
<title>Interfaces File</title>

<programlisting>##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags
loc eth1 detect dhcp,routefilter
dmz eth2 detect
vpn1 ipsec0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</section>

<section>
<title>Routestopped File</title>

<programlisting>#INTERFACE HOST(S)
eth1 -
eth2 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</section>

<section>
<title>Policy File</title>

<programlisting>###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
loc fw ACCEPT
loc dmz ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw net ACCEPT
fw loc ACCEPT
fw dmz ACCEPT
dmz fw ACCEPT
dmz loc ACCEPT
dmz net ACCEPT
#
# Adding VPN Access
loc vpn1 ACCEPT
dmz vpn1 ACCEPT
fw vpn1 ACCEPT
vpn1 loc ACCEPT
vpn1 dmz ACCEPT
vpn1 fw ACCEPT
#
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</section>

<section>
<title>Masq File</title>

<programlisting>#INTERFACE SUBNET ADDRESS
eth0 eth1 1192.0.18.126
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</section>

<section>
<title>NAT File</title>

<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
#
# Intranet Web Server
192.0.18.115 eth0:0 10.10.1.60 No No
#
# Project Web Server
192.0.18.84 eth0:1 10.10.1.55 No No
#
# Blackberry Server
192.0.18.97 eth0:2 10.10.1.55 No No
#
# Corporate Mail Server
192.0.18.93 eth0:3 10.10.1.252 No No
#
# Second Corp Mail Server
192.0.18.70 eth0:4 10.10.1.8 No No
#
# Sims Server
192.0.18.75 eth0:5 10.10.1.56 No No
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</section>

<section>
<title>Proxy ARP File</title>

<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE
#
# The Corporate email server in the DMZ
192.0.18.80 eth2 eth0 No
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</section>

<section>
<title>Tunnels File</title>

<programlisting># TYPE ZONE GATEWAY GATEWAY ZONE PORT
ipsec net 134.147.129.82
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</section>

<section>
<title>Rules File (The shell variables are set in /etc/shorewall/params)</title>

<programlisting>##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
# Accept SSH from internet interface from kaos only
#
ACCEPT net:192.0.18.98 fw tcp 22
#
# Accept connections from the local network for administration
#
ACCEPT loc fw tcp 20:22
ACCEPT loc net tcp 22
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
ACCEPT loc net tcp 53
ACCEPT loc net udp 53
#
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT loc net icmp 8
ACCEPT dmz fw icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
DROP net fw icmp 8
DROP net loc icmp 8
DROP net dmz icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw dmz icmp 8
DROP fw net icmp 8
#
# Accept proxy web connections from the inside
#
ACCEPT loc fw tcp 8118
#
# Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems
# From a specific IP Address on the Internet.
#
# ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http
# ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632
#
# Intranet web server
ACCEPT net loc:10.10.1.60 tcp 443
ACCEPT dmz loc:10.10.1.60 tcp 443
#
# Projects web server
ACCEPT net loc:10.10.1.55 tcp 80
ACCEPT dmz loc:10.10.1.55 tcp 80
#
# Blackberry Server
ACCEPT net loc:10.10.1.230 tcp 3101
#
# Corporate Email Server
ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443
#
# Corporate #2 Email Server
ACCEPT net loc:10.10.1.8 tcp 25,80,110,443
#
# Sims Server
ACCEPT net loc:10.10.1.56 tcp 80,443
ACCEPT net loc:10.10.1.56 tcp 7001:7002
ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632
#
# Access to DMZ
ACCEPT loc dmz udp 53,177
ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -
ACCEPT net dmz udp 53
ACCEPT net dmz tcp 25,53,22,21,123
ACCEPT dmz net tcp 25,53,80,123,443,21,22
ACCEPT dmz net udp 53
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</section>

<section>
<title>Start File</title>

<programlisting>############################################################################
# Shorewall 1.4 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
qt service ipsec start</programlisting>
</section>

<section>
<title>Stop File</title>

<programlisting>############################################################################
# Shorewall 1.4 -- /etc/shorewall/stop
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of a
|
||||
# <quote>shorewall stop</quote> command.
|
||||
#
|
||||
qt service ipsec stop</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Init File</title>
|
||||
|
||||
<programlisting>############################################################################
|
||||
# Shorewall 1.4 -- /etc/shorewall/init
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of
|
||||
# a <quote>shorewall start</quote> or <quote>shorewall restart</quote> command.
|
||||
#
|
||||
qt service ipsec stop</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
</article>
|
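Review bot: the commit message gives no replacement location for this removed example, yet the Documentation index deleted further down in the same commit still links it as CorpNetwork.htm (`Corporate Network Example`); either the message should say where the example moved or the link should go with it. If it is relocated, the extension scripts are worth a sentence of explanation that the page lacks: `/etc/shorewall/init` runs `qt service ipsec stop` at the beginning of every `shorewall start` or `restart` and `/etc/shorewall/start` runs `qt service ipsec start` afterwards, so the tunnel in the tunnels file (`ipsec net 134.147.129.82`) is deliberately down while the rule set is rebuilt and comes back only once the new rules are in place.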
@ -1,385 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->

<articleinfo>
<title>Shorewall Documentation</title>

<authorgroup>
<author>
<firstname>Tom</firstname>

<surname>Eastep</surname>
</author>
</authorgroup>

<pubdate>2004-02-04</pubdate>

<copyright>
<year>2001-2003</year>

<holder>Thomas M. Eastep</holder>
</copyright>

<edition>1.4.10</edition>

<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

<caution>
<para>Are you running Shorewall on <ulink
url="http://www.mandrakesoft.com"><trademark>Mandrake</trademark> Linux</ulink>
with a two-interface setup?</para>

<para>If so, this documentation will not apply directly to your
environment. If you want to use the documentation that you find here, you
will want to consider uninstalling what you have and installing a
configuration that matches this documentation. See the <ulink
url="two-interface.htm">Two-interface QuickStart Guide</ulink> for
details.</para>
</caution>

<itemizedlist>
<listitem>
<para><ulink url="Introduction.html">Introduction to Shorewall</ulink></para>
</listitem>

<listitem>
<para><ulink url="shorewall_quickstart_guide.htm">QuickStart Guides
(HOWTOS)</ulink></para>
</listitem>
</itemizedlist>

<para>The remainder of the Documentation supplements the QuickStart Guides.
Please review the appropriate guide before trying to use this documentation
directly.</para>

<itemizedlist>
<listitem>
<para><ulink url="Accounting.html">Accounting</ulink></para>
</listitem>

<listitem>
<para><ulink url="Shorewall_and_Aliased_Interfaces.html">Aliased
(virtual) Interfaces (e.g., eth0:0)</ulink></para>
</listitem>

<listitem>
<para><ulink url="traffic_shaping.htm">Bandwidth Control</ulink></para>
</listitem>

<listitem>
<para><ulink url="blacklisting_support.htm">Blacklisting</ulink></para>

<itemizedlist>
<listitem>
<para>Static Blacklisting using /etc/shorewall/blacklist</para>
</listitem>

<listitem>
<para>Dynamic Blacklisting using /sbin/shorewall</para>
</listitem>
</itemizedlist>
</listitem>

<listitem>
<para><ulink url="starting_and_stopping_shorewall.htm">Commands</ulink>
(Description of all /sbin/shorewall commands)</para>
</listitem>

<listitem>
<para><ulink url="configuration_file_basics.htm">Common configuration
file features </ulink><itemizedlist><listitem><para><ulink
url="configuration_file_basics.htm#Comments">Comments in configuration
files</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Continuation">Line Continuation</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Ports">Port Numbers/Service Names</ulink>configuration_file_basics.htm#Ports</para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Ranges">Port Ranges</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Variables">Using Shell Variables</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#dnsnames">Using DNS Names</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Compliment">Complementing an IP
address or Subnet</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Levels">Shorewall Configurations
(making a test configuration)</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</ulink></para></listitem></itemizedlist></para>
</listitem>

<listitem>
<para><ulink url="Documentation.htm">Configuration File Reference Manual
</ulink><itemizedlist><listitem><para><ulink
url="Documentation.htm#Variables">params</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Zones">zones</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Interfaces">interfaces</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Hosts">hosts</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Policy">policy</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Rules">rules</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Common">common</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Masq">masq</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#ProxyArp">proxyarp</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#NAT">nat</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Tunnels">tunnels</ulink></para></listitem><listitem><para><ulink
url="traffic_shaping.htm#tcrules">tcrules</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Conf">shorewall.conf</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#modules">modules</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#TOS">tos</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Blacklist">blacklist</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#rfc1918">rfc1918</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Routestopped">routestopped</ulink></para></listitem><listitem><para><ulink
url="Accounting.html">accounting</ulink></para></listitem><listitem><para><ulink
url="UserSets.html">usersets and users</ulink></para></listitem><listitem><para><ulink
url="MAC_Validation.html">maclist</ulink></para></listitem><listitem><para><ulink
url="User_defined_Actions.html">actions and action.template</ulink></para></listitem></itemizedlist></para>
</listitem>

<listitem>
<para><ulink url="CorpNetwork.htm">Corporate Network Example</ulink>
(Contributed by a Graeme Boyle)</para>
</listitem>

<listitem>
<para><ulink url="dhcp.htm">DHCP</ulink></para>
</listitem>

<listitem>
<para><ulink url="ECN.html">ECN Disabling by host or subnet</ulink></para>
</listitem>

<listitem>
<para><ulink url="errata.htm">Errata</ulink></para>
</listitem>

<listitem>
<para><ulink url="shorewall_extension_scripts.htm">Extension Scripts</ulink>
(How to extend Shorewall without modifying Shorewall code through the
use of files in /etc/shorewall -- /etc/shorewall/start,
/etc/shorewall/stopped, etc.)</para>
</listitem>

<listitem>
<para><ulink url="fallback.htm">Fallback/Uninstall</ulink></para>
</listitem>

<listitem>
<para><ulink url="FAQ.htm">FAQs</ulink></para>
</listitem>

<listitem>
<para><ulink url="shorewall_features.htm">Features</ulink></para>
</listitem>

<listitem>
<para><ulink url="Multiple_Zones.html">Forwarding Traffic on the Same
Interface</ulink></para>
</listitem>

<listitem>
<para><ulink url="FTP.html">FTP and Shorewall</ulink></para>
</listitem>

<listitem>
<para><ulink url="support.htm">Getting help or answers to questions</ulink></para>
</listitem>

<listitem>
<para><ulink url="Install.htm">Installation/Upgrade</ulink></para>
</listitem>

<listitem>
<para><ulink url="IPSEC.htm">IPSEC</ulink></para>
</listitem>

<listitem>
<para><ulink url="Shorewall_and_Kazaa.html">Kazaa Filtering</ulink></para>
</listitem>

<listitem>
<para><ulink url="kernel.htm">Kernel Configuration</ulink></para>
</listitem>

<listitem>
<para><ulink url="shorewall_logging.html">Logging</ulink></para>
</listitem>

<listitem>
<para><ulink url="MAC_Validation.html">MAC Verification</ulink></para>
</listitem>

<listitem>
<para><ulink url="Multiple_Zones.html">Multiple Zones Through One
Interface</ulink></para>
</listitem>

<listitem>
<para><ulink url="myfiles.htm">My Shorewall Configuration</ulink> (How I
personally use Shorewall) (<ulink url="myfiles2.html">Shorewall 2.0
Configuration</ulink>)</para>
</listitem>

<listitem>
<para><ulink url="NetfilterOverview.html">Netfilter Overview</ulink></para>
</listitem>

<listitem>
<para><ulink url="NAT.htm">One-to-one NAT</ulink> (Formerly referred to
as Static NAT)</para>
</listitem>

<listitem>
<para><ulink url="OPENVPN.html">OpenVPN</ulink></para>
</listitem>

<listitem>
<para><ulink url="starting_and_stopping_shorewall.htm">Operating
Shorewall</ulink></para>
</listitem>

<listitem>
<para><ulink url="ping.html">'Ping' Management</ulink></para>
</listitem>

<listitem>
<para><ulink url="ports.htm">Port Information</ulink></para>

<itemizedlist>
<listitem>
<para>Which applications use which ports</para>
</listitem>

<listitem>
<para>Ports used by Trojans</para>
</listitem>
</itemizedlist>
</listitem>

<listitem>
<para><ulink url="PPTP.htm">PPTP</ulink></para>
</listitem>

<listitem>
<para><ulink url="ProxyARP.htm">Proxy ARP</ulink></para>
</listitem>

<listitem>
<para><ulink url="shorewall_prerequisites.htm">Requirements</ulink></para>
</listitem>

<listitem>
<para><ulink url="Multiple_Zones.html">Routing on One Interface</ulink></para>
</listitem>

<listitem>
<para><ulink url="samba.htm">Samba</ulink></para>
</listitem>

<listitem>
<para><ulink url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#Introduction">Introduction</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Concepts">Shorewall Concepts</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Interfaces">Network Interfaces</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Addressing">Addressing, Subnets and
Routing</ulink></para><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#Addresses">IP Addresses</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Subnets">Subnets</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Routing">Routing</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#ARP">Address Resolution Protocol (ARP)</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#RFC1918">RFC 1918</ulink></para></listitem></itemizedlist></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Options">Setting up your Network</ulink></para><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#Routed">Routed</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#NonRouted">Non-routed</ulink></para><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#SNAT">SNAT</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#DNAT">DNAT</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#ProxyARP">Proxy ARP</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#NAT">One-to-one NAT</ulink></para></listitem></itemizedlist></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Rules">Rules</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#OddsAndEnds">Odds and Ends</ulink></para></listitem></itemizedlist></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#DNS">DNS</ulink></para></listitem><listitem><para><ulink
url="starting_and_stopping_shorewall.htm">Starting and Stopping the
Firewall</ulink></para></listitem></itemizedlist></para>
</listitem>

<listitem>
<para><ulink url="starting_and_stopping_shorewall.htm">Starting/stopping
the Firewall</ulink><itemizedlist><listitem><para>Description of all
/sbin/shorewall commands</para></listitem><listitem><para>How to safely
test a Shorewall configuration change</para></listitem></itemizedlist></para>
</listitem>

<listitem>
<para><ulink url="Shorewall_Squid_Usage.html">Squid with Shorewall</ulink></para>
</listitem>

<listitem>
<para><ulink url="Accounting.html">Traffic Accounting</ulink></para>
</listitem>

<listitem>
<para><ulink url="traffic_shaping.htm">Traffic Shaping/QOS</ulink></para>
</listitem>

<listitem>
<para><ulink url="troubleshoot.htm">Troubleshooting</ulink> (Things to
try if it doesn't work)</para>
</listitem>

<listitem>
<para><ulink url="User_defined_Actions.html">User-defined Actions</ulink></para>
</listitem>

<listitem>
<para><ulink url="UserSets.html">UID/GID Based Rules</ulink></para>
</listitem>

<listitem>
<para><ulink url="upgrade_issues.htm">Upgrade Issues</ulink></para>
</listitem>

<listitem>
<para>VPN</para>

<itemizedlist>
<listitem>
<para><ulink url="IPSEC.htm">IPSEC</ulink></para>
</listitem>

<listitem>
<para><ulink url="IPIP.htm">GRE and IPIP</ulink></para>
</listitem>

<listitem>
<para><ulink url="OPENVPN.html">OpenVPN</ulink></para>
</listitem>

<listitem>
<para><ulink url="PPTP.htm">PPTP</ulink></para>
</listitem>

<listitem>
<para><ulink url="6to4.htm">6to4</ulink></para>
</listitem>

<listitem>
<para><ulink url="VPN.htm">IPSEC/PPTP passthrough from a system
behind your firewall to a remote network</ulink></para>
</listitem>

<listitem>
<para><ulink url="GenericTunnels.html">Other VPN types</ulink></para>
</listitem>
</itemizedlist>
</listitem>

<listitem>
<para><ulink url="whitelisting_under_shorewall.htm">White List Creation</ulink></para>
</listitem>
</itemizedlist>
</article>
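Review bot: removing this index without a replacement leaves every page it links unreachable from the documentation root, including ECN.html, FTP.html and CorpNetwork.htm, which are deleted in this same commit, and the commit message (`no longer in the current revision`) does not say whether an index lives elsewhere now. If the file is relocated rather than retired, two things in this hunk should not travel with it: the stray text `configuration_file_basics.htm#Ports` left after the `Port Numbers/Service Names` link, and `(Contributed by a Graeme Boyle)`, which should read `(Contributed by Graeme Boyle)`.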
@ -1,92 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="ECN">
<!--$Id$-->

<articleinfo>
<title>ECN</title>

<authorgroup>
<author>
<firstname>Tom</firstname>

<surname>Eastep</surname>
</author>
</authorgroup>

<pubdate>2003-03-28</pubdate>

<copyright>
<year>2001</year>

<year>2002</year>

<year>2003</year>

<holder>Thomas M. Eastep</holder>
</copyright>

<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

<section>
<title>Explicit Congestion Notification (ECN)</title>

<para>Explicit Congestion Notification (ECN) is described in RFC 3168 and
is a proposed internet standard. Unfortunately, not all sites support ECN
and when a TCP connection offering ECN is sent to sites that don't
support it, the result is often that the connection request is ignored.</para>

<para>To allow ECN to be used, Shorewall allows you to enable ECN on your
Linux systems then disable it in your firewall when the destination
matches a list that you create (the /etc/shorewall/ecn file).</para>

<para>You enable ECN by</para>

<programlisting>echo 1 > /proc/sys/net/ipv4/tcp_ecn</programlisting>

<para>You must arrange for that command to be executed at system boot.
Most distributions have a method for doing that -- on RedHat, you make an
entry in /etc/sysctl.conf.</para>

<programlisting>net.ipv4.tcp_ecn = 1</programlisting>

<para>Entries in /etc/shorewall/ecn have two columns as follows:</para>

<variablelist>
<varlistentry>
<term>INTERFACE</term>

<listitem>
<para>The name of an interface on your system</para>
</listitem>
</varlistentry>

<varlistentry>
<term>HOST(S)</term>

<listitem>
<para>An address (host or subnet) of a system or group of systems
accessed through the interface in the first column. You may include
a comma-separated list of such addresses in this column.</para>
</listitem>
</varlistentry>
</variablelist>

<example>
<title>Your external interface is eth0 and you want to disable ECN for
tcp connections to 192.0.2.0/24:</title>

<para><table><title>/etc/shorewall/ecn</title><tgroup cols="2"><thead><row><entry
align="center">INTERFACE</entry><entry align="center">HOST(S)</entry></row></thead><tbody><row><entry>eth0</entry><entry>192.0.2.0/24</entry></row></tbody></tgroup></table></para>
</example>
</section>
</article>
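Review bot: this is the only page that documents /etc/shorewall/ecn (the INTERFACE and HOST(S) columns, the example row `eth0 192.0.2.0/24`, and the `net.ipv4.tcp_ecn = 1` sysctl that has to accompany it); the Configuration File Reference Manual list in the index removed above runs from `params` to `actions and action.template` and has no `ecn` entry, so deleting ECN.xml leaves that file undocumented unless its content is folded into the reference manual, and the commit message should say which it is.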
@ -1,349 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="FTP">
<!--$Id$-->

<articleinfo>
<title>Shorewall and FTP</title>

<authorgroup>
<author>
<firstname>Tom</firstname>

<surname>Eastep</surname>
</author>
</authorgroup>

<pubdate>2003-12-01</pubdate>

<copyright>
<year>2003</year>

<holder>Thomas M. Eastep</holder>
</copyright>

<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

<important>
<para>If you are running Mandrake 9.1 or 9.2 and are having problems with
FTP, you have three choices:</para>

<orderedlist>
<listitem>
<para>Edit /usr/share/shorewall/firewall and replace this line:</para>

<programlisting>for suffix in o gz ko ; do</programlisting>

<para>with</para>

<programlisting>for suffix in o gz ko o.gz ; do</programlisting>

<para>and at a root shell prompt:</para>

<programlisting><command>shorewall restart</command></programlisting>
</listitem>

<listitem>
<para>Install the Mandrake <quote>cooker</quote> version of Shorewall.</para>
</listitem>

<listitem>
<para>Upgrade to Shorewall 1.4.7 or later.</para>
</listitem>
</orderedlist>
</important>

<section>
<title>FTP Protocol</title>

<para>FTP transfers involve two TCP connections. The first <emphasis
role="bold">control</emphasis> connection goes from the FTP client to port
21 on the FTP server. This connection is used for logon and to send
commands and responses between the endpoints. Data transfers (including
the output of <quote>ls</quote> and <quote>dir</quote> commands) requires
a second data connection. The <emphasis role="bold">data</emphasis>
connection is dependent on the <emphasis role="bold">mode</emphasis> that
the client is operating in:</para>

<variablelist>
<varlistentry>
<term>Passive Mode</term>

<listitem>
<para>(often the default for web browsers) -- The client issues a
PASV command. Upon receipt of this command, the server listens on a
dynamically-allocated port then sends a PASV reply to the client.
The PASV reply gives the IP address and port number that the server
is listening on. The client then opens a second connection to that
IP address and port number.</para>
</listitem>
</varlistentry>

<varlistentry>
<term>Active Mode</term>

<listitem>
<para>(often the default for line-mode clients) -- The client
listens on a dynamically-allocated port then sends a PORT command to
the server. The PORT command gives the IP address and port number
that the client is listening on. The server then opens a connection
to that IP address and port number; the <emphasis role="bold">source
port</emphasis> for this connection is 20 (ftp-data in
/etc/services).</para>
</listitem>
</varlistentry>
</variablelist>

<para>You can see these commands in action using your linux ftp
command-line client in debugging mode. Note that my ftp client defaults to
passive mode and that I can toggle between passive and active mode by
issuing a <quote>passive</quote> command:</para>

<programlisting>[teastep@wookie Shorewall]$ <emphasis role="bold">ftp ftp1.shorewall.net</emphasis>
Connected to lists.shorewall.net.
220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(<*>)=-
220-You are user number 1 of 50 allowed.
220-Local time is now 10:21 and the load is 0.14. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
500 Security extensions not implemented
500 Security extensions not implemented
KERBEROS_V4 rejected as an authentication type
Name (ftp1.shorewall.net:teastep): ftp
331-Welcome to ftp.shorewall.net
331-
331 Any password will work
Password:
230 Any password will work
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> <emphasis role="bold">debug</emphasis>
Debugging on (debug=1).
ftp> <emphasis role="bold">ls</emphasis>
---> <emphasis>PASV</emphasis>
<emphasis>227 Entering Passive Mode (192,168,1,193,195,210)</emphasis>
---> LIST
150 Accepted data connection
drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives
drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc
drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub
226-Options: -l
226 3 matches total
ftp> <emphasis role="bold">passive</emphasis>
Passive mode off.
ftp> <emphasis role="bold">ls</emphasis>
<emphasis>---> PORT 192,168,1,3,142,58</emphasis>
200 PORT command successful
---> LIST
150 Connecting to port 36410
drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives
drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc
drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub
226-Options: -l
226 3 matches total
ftp></programlisting>

<para>Things to notice:</para>

<orderedlist>
<listitem>
<para>The commands that I issued are <emphasis role="bold">strongly
emphasized</emphasis>.</para>
</listitem>

<listitem>
<para>Commands sent by the client to the server are preceded by
---></para>
</listitem>

<listitem>
<para>Command responses from the server over the control connection
are numbered.</para>
</listitem>

<listitem>
<para>FTP uses a comma as a separator between the bytes of the IP
address; and</para>
</listitem>

<listitem>
<para>When sending a port number, FTP sends the MSB then the LSB and
separates the two bytes by a comma. As shown in the PORT command, port
142,58 translates to 142*256+58 = 36410.</para>
</listitem>
</orderedlist>
</section>

<section>
<title>Linux FTP connection-tracking</title>

<para>Given the normal loc->net policy of ACCEPT, passive mode access
from local clients to remote servers will always work but active mode
requires the firewall to dynamically open a <quote>hole</quote> for the
server's connection back to the client. Similarly, if you are running
an FTP server in your local zone then active mode should always work but
passive mode requires the firewall to dynamically open a <quote>hole</quote>
for the client's second connection to the server. This is the role of
FTP connection-tracking support in the Linux kernel.</para>

<para>Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is
involved, the PORT commands and PASV responses may also need to be
modified by the firewall. This is the job of the FTP nat support kernel
function.</para>

<para>Including FTP connection-tracking and NAT support normally means
that the modules <quote>ip_conntrack_ftp</quote> and <quote>ip_nat_ftp</quote>
need to be loaded. Shorewall automatically loads these <quote>helper</quote>
modules from /lib/modules/<<emphasis>kernel-version</emphasis>>/kernel/net/ipv4/netfilter/
and you can determine if they are loaded using the <quote>lsmod</quote>
command. The <<emphasis>kernel-version</emphasis>> may be obtained
by typing</para>

<programlisting><command>uname -r</command></programlisting>

<example>
<title></title>

<programlisting>[root@lists etc]# lsmod
Module Size Used by Not tainted
autofs 12148 0 (autoclean) (unused)
ipt_TOS 1560 12 (autoclean)
ipt_LOG 4120 5 (autoclean)
ipt_REDIRECT 1304 1 (autoclean)
ipt_REJECT 3736 4 (autoclean)
ipt_state 1048 13 (autoclean)
ip_nat_irc 3152 0 (unused)
<emphasis role="bold">ip_nat_ftp 3888 0 (unused)</emphasis>
ip_conntrack_irc 3984 1
<emphasis role="bold">ip_conntrack_ftp 5008 1</emphasis>
ipt_multiport 1144 2 (autoclean)
ipt_conntrack 1592 0 (autoclean)
iptable_filter 2316 1 (autoclean)
iptable_mangle 2680 1 (autoclean)
iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]
ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc
ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp
ipt_conntrack iptable_nat]
ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state
ipt_multiport ipt_conntrack iptable_filter
iptable_mangle iptable_nat]
tulip 42464 0 (unused)
e100 50596 1
keybdev 2752 0 (unused)
mousedev 5236 0 (unused)
hid 20868 0 (unused)
input 5632 0 [keybdev mousedev hid]
usb-uhci 24684 0 (unused)
usbcore 73280 1 [hid usb-uhci]
ext3 64704 2
jbd 47860 2 [ext3]
[root@lists etc]#</programlisting>
</example>

<para>If you want Shorewall to load these modules from an alternate
directory, you need to set the MODULESDIR variable in
/etc/shorewall/shorewall.conf to point to that directory.</para>

<para>If your FTP helper modules are compressed and have the names
<emphasis>ip_nat_ftp.o.gz and ip_conntrack_ftp.o.gz</emphasis> then you
will need Shorewall 1.4.7 or later if you want Shorewall to load them for
you.</para>

<para>Server configuration is covered in the <ulink type=""
url="Documentation.htm#Rules">/etc/shorewall/rules documentation</ulink>,</para>

<para>For a client, you must open outbound TCP port 21.</para>

<para>The above discussion about commands and responses makes it clear
that the FTP connection-tracking and NAT helpers must scan the traffic on
the control connection looking for PASV and PORT commands as well as PASV
responses. If you run an FTP server on a nonstandard port or you need to
access such a server, you must therefore let the helpers know by
specifying the port in /etc/shorewall/modules entries for the helpers. For
example, if you run an FTP server that listens on port 49 or you need to
access a server on the internet that listens on that port then you would
have:</para>

<example>
<title>if you run an FTP server that listens on port 49 or you need to
access a server on the internet that listens on that port then you would
have:</title>

<programlisting>loadmodule ip_conntrack_ftp ports=21,49
loadmodule ip_nat_ftp ports=21,49</programlisting>

<para><note><para>you MUST include port 21 in the ports list or you may
|
||||
have problems accessing regular FTP servers.</para></note></para>
|
||||
|
||||
<para>If there is a possibility that these modules might be loaded
|
||||
before Shorewall starts, then you should include the port list in
|
||||
/etc/modules.conf:</para>
|
||||
|
||||
<programlisting>options ip_conntrack_ftp ports=21,49
|
||||
options ip_nat_ftp ports=21,49</programlisting>
|
||||
|
||||
<para><important><para>Once you have made these changes to
|
||||
/etc/shorewall/modules and/or /etc/modules.conf, you must either:</para><orderedlist><listitem><para>Unload
|
||||
the modules and restart shorewall:</para><programlisting><command>rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</command></programlisting></listitem><listitem><para>Reboot</para></listitem></orderedlist></important></para>
|
||||
</example>
|
||||
|
||||
<para>One problem that I see occasionally involves active mode and the FTP
|
||||
server in my DMZ. I see the active data connection to <emphasis
|
||||
role="bold">certain client IP addresses</emphasis> being continuously
|
||||
rejected by my firewall. It is my conjecture that there is some broken
|
||||
client out there that is sending a PORT command that is being either
|
||||
missed or mis-interpreted by the FTP connection tracking helper yet it is
|
||||
being accepted by my FTP server. My solution is to add the following rule:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="7">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ACTION</entry>
|
||||
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
|
||||
<entry align="center">PORT(S)</entry>
|
||||
|
||||
<entry align="center">SOURCE PORT(S)</entry>
|
||||
|
||||
<entry align="center">ORIGINAL DESTINATION</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ACCEPT:info</entry>
|
||||
|
||||
<entry>dmz</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>tcp</entry>
|
||||
|
||||
<entry>-</entry>
|
||||
|
||||
<entry>20</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
|
||||
<para>The above rule accepts and logs all active mode connections from my
|
||||
DMZ to the net.</para>
|
||||
</section>
|
||||
</article>
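Review bot: The commit message ("no longer in the current revision") does not say whether this FTP article is relocated or dropped outright, and the deleted text carries operational guidance that is easy to lose: the note that port 21 MUST stay in the helper port list (`loadmodule ip_conntrack_ftp ports=21,49`), the advice to mirror that list in /etc/modules.conf when the modules may be loaded before Shorewall starts, and the `rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart` step without which new port options are not picked up. Please name the replacement document in the commit message or state that the material is intentionally removed. If it is relocated, the closing workaround rule (`ACCEPT:info dmz net tcp - 20`) deserves a caveat in its new home: it matches on source port alone, so it accepts and logs any dmz-to-net TCP connection with source port 20, not only the active-mode data connections it was written for.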
@ -1,292 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="GenericTunnels">
<!--$Id$-->

<articleinfo>
<title>Generic Tunnels</title>

<authorgroup>
<author>
<firstname>Tom</firstname>

<surname>Eastep</surname>
</author>
</authorgroup>

<pubdate>2003-08-09</pubdate>

<copyright>
<year>2001</year>

<year>2002</year>

<year>2003</year>

<holder>Thomas M. Eastep</holder>
</copyright>

<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

<para>Shorewall includes built-in support for a wide range of VPN solutions.
If you have need for a tunnel type that does not have explicit support, you
can generally describe the tunneling software using <quote>generic tunnels</quote>.</para>

<section>
<title>Bridging two Masqueraded Networks</title>

<para>Suppose that we have the following situation:</para>

<graphic fileref="images/TwoNets1.png" />

<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file, the
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
included with Shorewall.</para>

<para>Suppose that you have tunneling software that uses two different
protocols:</para>

<orderedlist numeration="loweralpha">
<listitem>
<para>TCP port 1071</para>
</listitem>

<listitem>
<para>GRE (Protocol 47)</para>
</listitem>

<listitem>
<para>The tunnel interface on system A is <quote>tun0</quote> and the
tunnel interface on system B is also <quote>tun0</quote>.</para>
</listitem>
</orderedlist>

<para>On each firewall, you will need to declare a zone to represent the
remote subnet. We'll assume that this zone is called <quote>vpn</quote>
and declare it in /etc/shorewall/zones on both systems as follows.</para>

<informaltable>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>

<entry align="center">DISPLAY</entry>

<entry align="center">COMMENTS</entry>
</row>
</thead>

<tbody>
<row>
<entry>vpn</entry>

<entry>VPN</entry>

<entry>Remote Subnet</entry>
</row>
</tbody>
</tgroup>
</informaltable>

<para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis>
zone. In /etc/shorewall/interfaces:</para>

<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>

<entry align="center">INTERFACE</entry>

<entry align="center">BROADCAST</entry>

<entry align="center">OPTIONS</entry>
</row>
</thead>

<tbody>
<row>
<entry>vpn</entry>

<entry>tun0</entry>

<entry>10.255.255.255</entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>

<para>In /etc/shorewall/tunnels on system A, we need the following:</para>

<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>

<entry align="center">ZONE</entry>

<entry align="center">GATEWAY</entry>

<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>

<tbody>
<row>
<entry>generic:tcp:1071</entry>

<entry>net</entry>

<entry>134.28.54.2</entry>

<entry></entry>
</row>

<row>
<entry>generic:47</entry>

<entry>net</entry>

<entry>134.28.54.2</entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>

<para>These entries in /etc/shorewall/tunnels, opens the firewall so that
TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will
be accepted to/from the remote gateway.</para>

<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>

<entry align="center">INTERFACE</entry>

<entry align="center">BROADCAST</entry>

<entry align="center">OPTIONS</entry>
</row>
</thead>

<tbody>
<row>
<entry>vpn</entry>

<entry>tun0</entry>

<entry>192.168.1.255</entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>

<para>In /etc/shorewall/tunnels on system B, we have:</para>

<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>

<entry align="center">ZONE</entry>

<entry align="center">GATEWAY</entry>

<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>

<tbody>
<row>
<entry>generic:tcp:1071</entry>

<entry>net</entry>

<entry>206.191.148.9</entry>

<entry></entry>
</row>

<row>
<entry>generic:47</entry>

<entry>net</entry>

<entry>134.28.54.2</entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>

<para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone on both systems -- if you simply want to
admit all traffic in both directions, you can use the policy file:</para>

<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>

<entry align="center">DEST</entry>

<entry align="center">POLICY</entry>

<entry align="center">LOG LEVEL</entry>
</row>
</thead>

<tbody>
<row>
<entry>loc</entry>

<entry>vpn</entry>

<entry>ACCEPT</entry>

<entry></entry>
</row>

<row>
<entry>vpn</entry>

<entry>loc</entry>

<entry>ACCEPT</entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>

<para>On both systems, restart Shorewall and start your VPN software on
each system. The systems in the two masqueraded subnetworks can now talk
to each other</para>
</section>
</article>
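Review bot: If GenericTunnels.xml is being moved rather than dropped, do not carry the system B tunnels table over unchanged: its `generic:47` row names 134.28.54.2 as the gateway while the `generic:tcp:1071` row in the same table names 206.191.148.9, and on system A both rows name 134.28.54.2, so the second row on B reads as a copy error (both rows on one host should point at the same remote gateway). The commit message should also say where this article now lives, since the deleted text is the only description of the `generic:proto:port` tunnel syntax in these files.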
@ -1,434 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<appendix id="gfdl">
<title>GNU Free Documentation License</title>
<subtitle>Version 1.2, November 2002</subtitle>

<blockquote id="fsf-copyright">
<para>Copyright (C) 2000,2001,2002 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.</para>
</blockquote>

<section id="gfdl-0"><title>PREAMBLE</title>

<para>The purpose of this License is to make a manual, textbook, or
other functional and useful document "free" in the sense of freedom: to
assure everyone the effective freedom to copy and redistribute it, with
or without modifying it, either commercially or noncommercially.
Secondarily, this License preserves for the author and publisher a way
to get credit for their work, while not being considered responsible for
modifications made by others.</para>

<para>This License is a kind of "copyleft", which means that derivative
works of the document must themselves be free in the same sense. It
complements the GNU General Public License, which is a copyleft license
designed for free software.</para>

<para>We have designed this License in order to use it for manuals for
free software, because free software needs free documentation: a free
program should come with manuals providing the same freedoms that the
software does. But this License is not limited to software manuals; it
can be used for any textual work, regardless of subject matter or
whether it is published as a printed book. We recommend this License
principally for works whose purpose is instruction or reference.</para>
</section>

<section id="gfdl-1"><title>APPLICABILITY AND DEFINITIONS</title>

<para id="gfdl-doc">This License applies to any manual or other work, in
any medium, that contains a notice placed by the copyright holder saying
it can be distributed under the terms of this License. Such a notice
grants a world-wide, royalty-free license, unlimited in duration, to use
that work under the conditions stated herein. The "Document", below,
refers to any such manual or work. Any member of the public is a
licensee, and is addressed as "you". You accept the license if you
copy, modify or distribute the work in a way requiring permission under
copyright law.</para>

<para id="gfdl-mod-ver">A "Modified Version" of the Document means any
work containing the Document or a portion of it, either copied verbatim,
or with modifications and/or translated into another language.</para>

<para id="gfdl-secnd-sect">A "Secondary Section" is a named appendix or
a front-matter section of the Document that deals exclusively with the
relationship of the publishers or authors of the Document to the
Document's overall subject (or to related matters) and contains nothing
that could fall directly within that overall subject. (Thus, if the
Document is in part a textbook of mathematics, a Secondary Section may
not explain any mathematics.) The relationship could be a matter of
historical connection with the subject or with related matters, or of
legal, commercial, philosophical, ethical or political position
regarding them.</para>

<para id="gfdl-inv-sect">The "Invariant Sections" are certain Secondary
Sections whose titles are designated, as being those of Invariant
Sections, in the notice that says that the Document is released under
this License. If a section does not fit the above definition of
Secondary then it is not allowed to be designated as Invariant. The
Document may contain zero Invariant Sections. If the Document does not
identify any Invariant Sections then there are none.</para>

<para id="gfdl-cov-text">The "Cover Texts" are certain short passages of
text that are listed, as Front-Cover Texts or Back-Cover Texts, in the
notice that says that the Document is released under this License. A
Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at
most 25 words.</para>

<para id="gfdl-transparent">A "Transparent" copy of the Document means a
machine-readable copy, represented in a format whose specification is
available to the general public, that is suitable for revising the
document straightforwardly with generic text editors or (for images
composed of pixels) generic paint programs or (for drawings) some widely
available drawing editor, and that is suitable for input to text
formatters or for automatic translation to a variety of formats suitable
for input to text formatters. A copy made in an otherwise Transparent
file format whose markup, or absence of markup, has been arranged to
thwart or discourage subsequent modification by readers is not
Transparent. An image format is not Transparent if used for any
substantial amount of text. A copy that is not "Transparent" is called
"Opaque".</para>

<para>Examples of suitable formats for Transparent copies include plain
ASCII without markup, Texinfo input format, LaTeX input format, SGML or
XML using a publicly available DTD, and standard-conforming simple HTML,
PostScript or PDF designed for human modification. Examples of
transparent image formats include PNG, XCF and JPG. Opaque formats
include proprietary formats that can be read and edited only by
proprietary word processors, SGML or XML for which the DTD and/or
processing tools are not generally available, and the machine-generated
HTML, PostScript or PDF produced by some word processors for output
purposes only.</para>

<para id="gfdl-title-page">The "Title Page" means, for a printed book,
the title page itself, plus such following pages as are needed to hold,
legibly, the material this License requires to appear in the title page.
For works in formats which do not have any title page as such, "Title
Page" means the text near the most prominent appearance of the work's
title, preceding the beginning of the body of the text.</para>

<para id="gfdl-entitled">A section "Entitled XYZ" means a named subunit
of the Document whose title either is precisely XYZ or contains XYZ in
parentheses following text that translates XYZ in another language.
(Here XYZ stands for a specific section name mentioned below, such as
"Acknowledgements", "Dedications", "Endorsements", or "History".) To
"Preserve the Title" of such a section when you modify the Document
means that it remains a section "Entitled XYZ" according to this
definition.</para>

<para>The Document may include Warranty Disclaimers next to the notice
which states that this License applies to the Document. These Warranty
Disclaimers are considered to be included by reference in this License,
but only as regards disclaiming warranties: any other implication that
these Warranty Disclaimers may have is void and has no effect on the
meaning of this License.</para>
</section>

<section id="gfdl-2"><title>VERBATIM COPYING</title>

<para>You may copy and distribute the Document in any medium, either
commercially or noncommercially, provided that this License, the
copyright notices, and the license notice saying this License applies to
the Document are reproduced in all copies, and that you add no other
conditions whatsoever to those of this License. You may not use
technical measures to obstruct or control the reading or further copying
of the copies you make or distribute. However, you may accept
compensation in exchange for copies. If you distribute a large enough
number of copies you must also follow the conditions in section 3.
</para>

<para>You may also lend copies, under the same conditions stated above,
and you may publicly display copies.</para>
</section>

<section id="gfdl-3"><title>COPYING IN QUANTITY</title>

<para>If you publish printed copies (or copies in media that commonly
have printed covers) of the Document, numbering more than 100, and the
Document's license notice requires Cover Texts, you must enclose the
copies in covers that carry, clearly and legibly, all these Cover Texts:
Front-Cover Texts on the front cover, and Back-Cover Texts on the back
cover. Both covers must also clearly and legibly identify you as the
publisher of these copies. The front cover must present the full title
with all words of the title equally prominent and visible. You may add
other material on the covers in addition. Copying with changes limited
to the covers, as long as they preserve the title of the Document and
satisfy these conditions, can be treated as verbatim copying in other
respects.</para>

<para>If the required texts for either cover are too voluminous to fit
legibly, you should put the first ones listed (as many as fit
reasonably) on the actual cover, and continue the rest onto adjacent
pages.</para>

<para>If you publish or distribute Opaque copies of the Document
numbering more than 100, you must either include a machine-readable
Transparent copy along with each Opaque copy, or state in or with each
Opaque copy a computer-network location from which the general
network-using public has access to download using public-standard
network protocols a complete Transparent copy of the Document, free of
added material. If you use the latter option, you must take reasonably
prudent steps, when you begin distribution of Opaque copies in quantity,
to ensure that this Transparent copy will remain thus accessible at the
stated location until at least one year after the last time you
distribute an Opaque copy (directly or through your agents or retailers)
of that edition to the public.</para>

<para>It is requested, but not required, that you contact the authors of
the Document well before redistributing any large number of copies, to
give them a chance to provide you with an updated version of the
Document.</para>
</section>

<section id="gfdl-4"><title>MODIFICATIONS</title>

<para>You may copy and distribute a Modified Version of the Document
under the conditions of sections 2 and 3 above, provided that you
release the Modified Version under precisely this License, with the
Modified Version filling the role of the Document, thus licensing
distribution and modification of the Modified Version to whoever
possesses a copy of it. In addition, you must do these things in the
Modified Version:</para>

<orderedlist id="gfdl-modif-cond" numeration="upperalpha">
<listitem><simpara>Use in the Title Page (and on the covers, if any) a
title distinct from that of the Document, and from those of previous
versions (which should, if there were any, be listed in the History
section of the Document). You may use the same title as a previous
version if the original publisher of that version gives permission.
</simpara></listitem>
<listitem><simpara>List on the Title Page, as authors, one or more
persons or entities responsible for authorship of the modifications in
the Modified Version, together with at least five of the principal
authors of the Document (all of its principal authors, if it has fewer
than five), unless they release you from this requirement.
</simpara></listitem>
<listitem><simpara>State on the Title page the name of the publisher of
the Modified Version, as the publisher.</simpara></listitem>
<listitem><simpara>Preserve all the copyright notices of the Document.
</simpara></listitem>
<listitem><simpara>Add an appropriate copyright notice for your
modifications adjacent to the other copyright notices.
</simpara></listitem>
<listitem><simpara>Include, immediately after the copyright notices, a
license notice giving the public permission to use the Modified
Version under the terms of this License, in the form shown in the
<link linkend="gfdl-addendum">Addendum</link> below.
</simpara></listitem>
<listitem><simpara>Preserve in that license notice the full lists of
Invariant Sections and required Cover Texts given in the Document's
license notice.</simpara></listitem>
<listitem><simpara>Include an unaltered copy of this License.
</simpara></listitem>
<listitem><simpara>Preserve the section Entitled "History", Preserve its
Title, and add to it an item stating at least the title, year, new
authors, and publisher of the Modified Version as given on the Title
Page. If there is no section Entitled "History" in the Document,
create one stating the title, year, authors, and publisher of the
Document as given on its Title Page, then add an item describing the
Modified Version as stated in the previous sentence.
</simpara></listitem>
<listitem><simpara>Preserve the network location, if any, given in the
Document for public access to a Transparent copy of the Document, and
likewise the network locations given in the Document for previous
versions it was based on. These may be placed in the "History"
section. You may omit a network location for a work that was
published at least four years before the Document itself, or if the
original publisher of the version it refers to gives permission.
</simpara></listitem>
<listitem><simpara>For any section Entitled "Acknowledgements" or
"Dedications", Preserve the Title of the section, and preserve in the
section all the substance and tone of each of the contributor
acknowledgements and/or dedications given therein.
</simpara></listitem>
<listitem><simpara>Preserve all the Invariant Sections of the Document,
unaltered in their text and in their titles. Section numbers or the
equivalent are not considered part of the section titles.
</simpara></listitem>
<listitem><simpara>Delete any section Entitled "Endorsements".
Such a section may not be included in the Modified Version.
</simpara></listitem>
<listitem><simpara>Do not retitle any existing section to be Entitled
"Endorsements" or to conflict in title with any Invariant Section.
</simpara></listitem>
<listitem><simpara>Preserve any Warranty Disclaimers.
</simpara></listitem>
</orderedlist>

<para>If the Modified Version includes new front-matter sections or
appendices that qualify as Secondary Sections and contain no material
copied from the Document, you may at your option designate some or all
of these sections as invariant. To do this, add their titles to the
list of Invariant Sections in the Modified Version's license notice.
These titles must be distinct from any other section titles.</para>

<para>You may add a section Entitled "Endorsements", provided it
contains nothing but endorsements of your Modified Version by various
parties--for example, statements of peer review or that the text has
been approved by an organization as the authoritative definition of a
standard.</para>

<para>You may add a passage of up to five words as a Front-Cover Text,
and a passage of up to 25 words as a Back-Cover Text, to the end of the
list of Cover Texts in the Modified Version. Only one passage of
Front-Cover Text and one of Back-Cover Text may be added by (or through
arrangements made by) any one entity. If the Document already includes
a cover text for the same cover, previously added by you or by
arrangement made by the same entity you are acting on behalf of, you may
not add another; but you may replace the old one, on explicit permission
from the previous publisher that added the old one.</para>

<para>The author(s) and publisher(s) of the Document do not by this
License give permission to use their names for publicity for or to
assert or imply endorsement of any Modified Version.</para>
</section>

<section id="gfdl-5"><title>COMBINING DOCUMENTS</title>

<para>You may combine the Document with other documents released under
this License, under the terms defined in <link linkend="gfdl-4">section
4</link> above for modified versions, provided that you include in the
combination all of the Invariant Sections of all of the original
documents, unmodified, and list them all as Invariant Sections of your
combined work in its license notice, and that you preserve all their
Warranty Disclaimers.</para>

<para>The combined work need only contain one copy of this License, and
multiple identical Invariant Sections may be replaced with a single
copy. If there are multiple Invariant Sections with the same name but
different contents, make the title of each such section unique by adding
at the end of it, in parentheses, the name of the original author or
publisher of that section if known, or else a unique number. Make the
same adjustment to the section titles in the list of Invariant Sections
in the license notice of the combined work.</para>

<para>In the combination, you must combine any sections Entitled
"History" in the various original documents, forming one section
Entitled "History"; likewise combine any sections Entitled
"Acknowledgements", and any sections Entitled "Dedications". You must
delete all sections Entitled "Endorsements".</para>
</section>

<section id="gfdl-6"><title>COLLECTIONS OF DOCUMENTS</title>

<para>You may make a collection consisting of the Document and other
documents released under this License, and replace the individual copies
of this License in the various documents with a single copy that is
included in the collection, provided that you follow the rules of this
License for verbatim copying of each of the documents in all other
respects.</para>

<para>You may extract a single document from such a collection, and
distribute it individually under this License, provided you insert a
copy of this License into the extracted document, and follow this
License in all other respects regarding verbatim copying of that
document.</para>
</section>

<section id="gfdl-7"><title>AGGREGATION WITH INDEPENDENT WORKS</title>

<para>A compilation of the Document or its derivatives with other
separate and independent documents or works, in or on a volume of a
storage or distribution medium, is called an "aggregate" if the
copyright resulting from the compilation is not used to limit the legal
rights of the compilation's users beyond what the individual works
permit. When the Document is included in an aggregate, this License does
not apply to the other works in the aggregate which are not themselves
derivative works of the Document.</para>

<para>If the Cover Text requirement of section 3 is applicable to these
copies of the Document, then if the Document is less than one half of
the entire aggregate, the Document's Cover Texts may be placed on covers
that bracket the Document within the aggregate, or the electronic
equivalent of covers if the Document is in electronic form. Otherwise
they must appear on printed covers that bracket the whole
aggregate.</para>
</section>

<section id="gfdl-8"><title>TRANSLATION</title>

<para>Translation is considered a kind of modification, so you may
distribute translations of the Document under the terms of section 4.
Replacing Invariant Sections with translations requires special
permission from their copyright holders, but you may include
translations of some or all Invariant Sections in addition to the
original versions of these Invariant Sections. You may include a
translation of this License, and all the license notices in the
Document, and any Warranty Disclaimers, provided that you also include
the original English version of this License and the original versions
of those notices and disclaimers. In case of a disagreement between the
translation and the original version of this License or a notice or
disclaimer, the original version will prevail.</para>

<para>If a section in the Document is Entitled "Acknowledgements",
"Dedications", or "History", the requirement (section 4) to Preserve its
|
||||
Title (section 1) will typically require changing the actual
|
||||
title.</para>
|
||||
</section>
|
||||
|
||||
<section id="gfdl-9"><title>TERMINATION</title>
|
||||
|
||||
<para>You may not copy, modify, sublicense, or distribute the Document
|
||||
except as expressly provided for under this License. Any other attempt
|
||||
to copy, modify, sublicense or distribute the Document is void, and will
|
||||
automatically terminate your rights under this License. However,
|
||||
parties who have received copies, or rights, from you under this License
|
||||
will not have their licenses terminated so long as such parties remain
|
||||
in full compliance.</para>
|
||||
</section>
|
||||
|
||||
<section id="gfdl-10"><title>FUTURE REVISIONS OF THIS LICENSE</title>
|
||||
|
||||
<para>The Free Software Foundation may publish new, revised versions of
|
||||
the GNU Free Documentation License from time to time. Such new versions
|
||||
will be similar in spirit to the present version, but may differ in
|
||||
detail to address new problems or concerns. See
|
||||
http://www.gnu.org/copyleft/.</para>
|
||||
|
||||
<para>Each version of the License is given a distinguishing version
|
||||
number. If the Document specifies that a particular numbered version of
|
||||
this License "or any later version" applies to it, you have the option
|
||||
of following the terms and conditions either of that specified version
|
||||
or of any later version that has been published (not as a draft) by the
|
||||
Free Software Foundation. If the Document does not specify a version
|
||||
number of this License, you may choose any version ever published (not
|
||||
as a draft) by the Free Software Foundation.</para>
|
||||
</section>
|
||||
|
||||
<section id="gfdl-addendum"><title>ADDENDUM: How to use this License for
|
||||
your documents</title>
|
||||
|
||||
<para>To use this License in a document you have written, include a copy
|
||||
of the License in the document and put the following copyright and
|
||||
license notices just after the title page:</para>
|
||||
|
||||
<blockquote id="copyright-sample"><para>
|
||||
Copyright (c) YEAR YOUR NAME.
|
||||
Permission is granted to copy, distribute and/or modify this document
|
||||
under the terms of the GNU Free Documentation License, Version 1.2
|
||||
or any later version published by the Free Software Foundation;
|
||||
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
|
||||
A copy of the license is included in the section entitled "GNU
|
||||
Free Documentation License".
|
||||
</para></blockquote>
|
||||
|
||||
<para>If you have Invariant Sections, Front-Cover Texts and Back-Cover
|
||||
Texts, replace the "with...Texts." line with this:</para>
|
||||
|
||||
<blockquote id="inv-cover-sample"><para>
|
||||
with the Invariant Sections being LIST THEIR TITLES, with the
|
||||
Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
|
||||
</para></blockquote>
|
||||
|
||||
<para>If you have Invariant Sections without Cover Texts, or some other
|
||||
combination of the three, merge those two alternatives to suit the
|
||||
situation.</para>
|
||||
|
||||
<para>If your document contains nontrivial examples of program code, we
|
||||
recommend releasing these examples in parallel under your choice of free
|
||||
software license, such as the GNU General Public License, to permit
|
||||
their use in free software.</para>
|
||||
</section>
|
||||
</appendix>
|
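Review bot: the commit message ("no longer in the current revision..") does not say where the licence appendix removed here now lives, yet every article deleted alongside it, and the 6to4 article before it, still links to it with `<ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink>` in its legalnotice; before merging, confirm that any document left in the tree with that link, or an xref to the section ids visible in this hunk (`gfdl-6` through `gfdl-addendum`, plus the `copyright-sample` and `inv-cover-sample` blockquotes), still resolves, otherwise the legal notices end up pointing at a missing page.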
@ -1,324 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article id="IPIP">
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>GRE and IPIP Tunnels</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2003-02-22</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001</year>
|
||||
|
||||
<year>2002</year>
|
||||
|
||||
<year>2003</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<warning>
|
||||
<para>GRE and IPIP Tunnels are insecure when used over the internet; use
|
||||
them at your own risk</para>
|
||||
</warning>
|
||||
|
||||
<para>GRE and IPIP tunneling with Shorewall can be used to bridge two
|
||||
masqueraded networks.</para>
|
||||
|
||||
<para>The simple scripts described in the <citetitle><ulink
|
||||
url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</ulink></citetitle>
|
||||
work fine with Shorewall. Shorewall also includes a tunnel script for
|
||||
automating tunnel configuration. If you have installed the RPM, the tunnel
|
||||
script may be found in the Shorewall documentation directory (usually
|
||||
/usr/share/doc/shorewall-<version>/).</para>
|
||||
|
||||
<section>
|
||||
<title>Bridging two Masqueraded Networks</title>
|
||||
|
||||
<para>Suppose that we have the following situation:</para>
|
||||
|
||||
<graphic fileref="images/TwoNets1.png" />
|
||||
|
||||
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
|
||||
communicate with the systems in the 10.0.0.0/8 network. This is
|
||||
accomplished through use of the /etc/shorewall/tunnels file, the
|
||||
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
|
||||
included with Shorewall.</para>
|
||||
|
||||
<para>The <quote>tunnel</quote> script is not installed in /etc/shorewall
|
||||
by default -- If you install using the tarball, the script is included in
|
||||
the tarball; if you install using the RPM, the file is in your Shorewall
|
||||
documentation directory (normally
|
||||
/usr/share/doc/shorewall-<version>).</para>
|
||||
|
||||
<para>In the /etc/shorewall/tunnel script, set the <quote>tunnel_type</quote>
|
||||
parameter to the type of tunnel that you want to create.</para>
|
||||
|
||||
<example>
|
||||
<title>/etc/shorewall/tunnel</title>
|
||||
|
||||
<programlisting>tunnel_type=gre</programlisting>
|
||||
</example>
|
||||
|
||||
<para>On each firewall, you will need to declare a zone to represent the
|
||||
remote subnet. We'll assume that this zone is called <quote>vpn</quote>
|
||||
and declare it in /etc/shorewall/zones on both systems as follows.</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/zones system A & B</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">DISPLAY</entry>
|
||||
|
||||
<entry align="center">COMMENTS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>VPN</entry>
|
||||
|
||||
<entry>Remote Subnet</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis>
|
||||
zone. In /etc/shorewall/interfaces:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/interfaces system A</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>tosysb</entry>
|
||||
|
||||
<entry>10.255.255.255</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels system A</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipip</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>134.28.54.2</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>This entry in /etc/shorewall/tunnels, opens the firewall so that the
|
||||
IP encapsulation protocol (4) will be accepted to/from the remote gateway.</para>
|
||||
|
||||
<para>In the tunnel script on system A:</para>
|
||||
|
||||
<example>
|
||||
<title>tunnel script on system A</title>
|
||||
|
||||
<programlisting>tunnel=tosysb
|
||||
myrealip=206.161.148.9 (for GRE tunnel only)
|
||||
myip=192.168.1.1
|
||||
hisip=10.0.0.1
|
||||
gateway=134.28.54.2
|
||||
subnet=10.0.0.0/8
|
||||
</programlisting>
|
||||
</example>
|
||||
|
||||
<para>Similarly, On system B the 192.168.1.0/24 subnet will comprise the
|
||||
<emphasis role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/interfaces system B</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>tosysa</entry>
|
||||
|
||||
<entry>192.168.1.255</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system B, we have:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels system B</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipip</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>206.191.148.9</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>And in the tunnel script on system B:</para>
|
||||
|
||||
<example>
|
||||
<title>tunnel script on system B</title>
|
||||
|
||||
<programlisting>tunnel=tosysa
|
||||
myrealip=134.28.54.2 (for GRE tunnel only)
|
||||
myip=10.0.0.1
|
||||
hisip=192.168.1.1
|
||||
gateway=206.191.148.9
|
||||
subnet=192.168.1.0/24</programlisting>
|
||||
</example>
|
||||
|
||||
<para>You can rename the modified tunnel scripts if you like; be sure that
|
||||
they are secured so that root can execute them.</para>
|
||||
|
||||
<para>You will need to allow traffic between the <quote>vpn</quote> zone
|
||||
and the <quote>loc</quote> zone on both systems -- if you simply want to
|
||||
admit all traffic in both directions, you can use the policy file:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/policy system A & B</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DEST</entry>
|
||||
|
||||
<entry align="center">POLICY</entry>
|
||||
|
||||
<entry align="center">LOG LEVEL</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>On both systems, restart Shorewall and run the modified tunnel
|
||||
script with the <quote>start</quote> argument on each system. The systems
|
||||
in the two masqueraded subnetworks can now talk to each other</para>
|
||||
</section>
|
||||
</article>
|
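Review bot: if this GRE/IPIP article is being moved rather than dropped, the copy that survives should not carry over three defects visible in this hunk. The system A script sets `myrealip=206.161.148.9 (for GRE tunnel only)` while system B's tunnels entry and its `gateway=206.191.148.9` use a different address, so one of the two is a typo and the two sides do not describe the same peer. The `tunnel_type=gre` example is paired with `ipip` tunnels entries and with the statement that the entry admits "IP encapsulation protocol (4)", so the gre example and the ipip configuration do not describe the same setup. And the `(for GRE tunnel only)` annotations sit inside a `<programlisting>` of tunnel-script variable assignments, where a reader copying the block verbatim gets a syntax error. The opening warning that GRE and IPIP tunnels are insecure over the internet, and the sentence about securing the modified tunnel scripts so that only root can execute them, are the security-relevant parts and should survive the move intact.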
@ -1,832 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article id="IPSEC">
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>IPSEC Tunnels</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-03-20</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<warning>
|
||||
<para>This documentation does not cover configuring IPSEC under the 2.6
|
||||
Linux Kernel. David Hollis has provided i<ulink
|
||||
url="http://lists.shorewall.net/pipermail/shorewall-users/2003-December/010417.html">nformation
|
||||
about how to set up a simple tunnel under 2.6</ulink>. One important point
|
||||
that is not made explicit in David's post is that the <emphasis
|
||||
role="bold">vpn</emphasis> zone must be defined before the <emphasis
|
||||
role="bold">net</emphasis> zone in <filename>/etc/shorewall/zones</filename>.</para>
|
||||
</warning>
|
||||
|
||||
<section>
|
||||
<title>Configuring FreeS/Wan</title>
|
||||
|
||||
<para>There is an excellent guide to configuring IPSEC tunnels at <ulink
|
||||
url="http://www.geocities.com/jixen66/">http://www.geocities.com/jixen66/</ulink>.
|
||||
I highly recommend that you consult that site for information about
|
||||
configuring FreeS/Wan.</para>
|
||||
|
||||
<warning>
|
||||
<para>IPSEC and Proxy ARP don't work well together unless you have
|
||||
Shorewall version 1.4.10 with the approriate <ulink url="errata.htm">Errata</ulink>
|
||||
fix applied or are running Shorewall 1.4.10e or later.</para>
|
||||
</warning>
|
||||
|
||||
<important>
|
||||
<para>The documentation below assumes that you have disabled
|
||||
opportunistic encryption feature in FreeS/Wan 2.0 using the following
|
||||
additional entries in ipsec.conf:</para>
|
||||
|
||||
<programlisting>conn block
|
||||
auto=ignore
|
||||
|
||||
conn private
|
||||
auto=ignore
|
||||
|
||||
conn private-or-clear
|
||||
auto=ignore
|
||||
|
||||
conn clear-or-private
|
||||
auto=ignore
|
||||
|
||||
conn clear
|
||||
auto=ignore
|
||||
|
||||
conn packetdefault
|
||||
auto=ignore</programlisting>
|
||||
|
||||
<para>For further information see <ulink
|
||||
url="http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html">http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html</ulink>.</para>
|
||||
</important>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>IPSec Gateway on the Firewall System</title>
|
||||
|
||||
<para>Suppose that we have the following sutuation:</para>
|
||||
|
||||
<graphic fileref="images/TwoNets1.png" />
|
||||
|
||||
<para>We want systems in the 192.168.1.0/24 sub-network to be able to
|
||||
communicate with systems in the 10.0.0.0/8 network.</para>
|
||||
|
||||
<para>To make this work, we need to do two things:</para>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para>Open the firewall so that the IPSEC tunnel can be established
|
||||
(allow the ESP and AH protocols and UDP Port 500).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Allow traffic through the tunnel.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Opening the firewall for the IPSEC tunnel is accomplished by adding
|
||||
an entry to the /etc/shorewall/tunnels file.</para>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system A, we need the following</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels system A</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipsec</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>134.28.54.2</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system B, we would have:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels system B</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipsec</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>206.161.148.9</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<note>
|
||||
<para>If either of the endpoints is behind a NAT gateway then the
|
||||
tunnels file entry on the <emphasis role="bold">other</emphasis>
|
||||
endpoint should specify a tunnel type of ipsecnat rather than ipsec and
|
||||
the GATEWAY address should specify the external address of the NAT
|
||||
gateway.</para>
|
||||
</note>
|
||||
|
||||
<example>
|
||||
<title>VPN</title>
|
||||
|
||||
<para>You need to define a zone for the remote subnet or include it in
|
||||
your local zone. In this example, we'll assume that you have created
|
||||
a zone called <quote>vpn</quote> to represent the remote subnet.</para>
|
||||
|
||||
<para><table><title>/etc/shorewall/zones local</title><tgroup cols="3"><thead><row><entry
|
||||
align="center">ZONE</entry><entry align="center">DISPLAY</entry><entry
|
||||
align="center">COMMENTS</entry></row></thead><tbody><row><entry>vpn</entry><entry>VPN</entry><entry>Remote
|
||||
Subnet</entry></row></tbody></tgroup></table></para>
|
||||
|
||||
<para>At both systems, ipsec0 would be included in
|
||||
/etc/shorewall/interfaces as a <quote>vpn</quote> interface:</para>
|
||||
|
||||
<para><table><title>/etc/shorewall/interfaces system local & remote</title><tgroup
|
||||
cols="4"><thead><row><entry align="center">ZONE</entry><entry
|
||||
align="center">INTERFACE</entry><entry align="center">BROADCAST</entry><entry
|
||||
align="center">OPTIONS</entry></row></thead><tbody><row><entry>vpn</entry><entry>ipsec0</entry><entry></entry><entry></entry></row></tbody></tgroup></table></para>
|
||||
|
||||
<para>You will need to allow traffic between the <quote>vpn</quote> zone
|
||||
and the <quote>loc</quote> zone -- if you simply want to admit all
|
||||
traffic in both directions, you can use the policy file:</para>
|
||||
|
||||
<para><table><title>/etc/shorewall/policy local & remote</title><tgroup
|
||||
cols="4"><thead><row><entry align="center">SOURCE</entry><entry
|
||||
align="center">DEST</entry><entry align="center">POLICY</entry><entry
|
||||
align="center">LOG LEVEL</entry></row></thead><tbody><row><entry>loc</entry><entry>vpn</entry><entry>ACCEPT</entry><entry></entry></row><row><entry>vpn</entry><entry>loc</entry><entry>ACCEPT</entry><entry></entry></row></tbody></tgroup></table></para>
|
||||
|
||||
<para>Once you have these entries in place, restart Shorewall (type
|
||||
shorewall restart); you are now ready to configure the tunnel in <ulink
|
||||
url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
|
||||
</example>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>VPN Hub</title>
|
||||
|
||||
<para>Shorewall can be used in a VPN Hub environment where multiple remote
|
||||
networks are connected to a gateway running Shorewall. This environment is
|
||||
shown in this diatram.</para>
|
||||
|
||||
<graphic fileref="images/ThreeNets.png" />
|
||||
|
||||
<para>We want systems in the 192.168.1.0/24 sub-network to be able to
|
||||
communicate with systems in the 10.0.0.0/16 and 10.1.0.0/16 networks and
|
||||
we want the 10.0.0.0/16 and 10.1.0.0/16 networks to be able to
|
||||
communicate.</para>
|
||||
|
||||
<para>To make this work, we need to do several things:</para>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para>Open the firewall so that two IPSEC tunnels can be established
|
||||
(allow the ESP and AH protocols and UDP Port 500).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Allow traffic through the tunnels two/from the local zone
|
||||
(192.168.1.0/24).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Deny traffic through the tunnels between the two remote
|
||||
networks.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Opening the firewall for the IPSEC tunnels is accomplished by adding
|
||||
two entries to the /etc/shorewall/tunnels file.</para>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system A, we need the following</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels system A</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipsec</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>134.28.54.2</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>ipsec</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>130.152.100.14</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on systems B and C, we would have:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels system B & C</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipsec</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>206.161.148.9</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<note>
|
||||
<para>If either of the endpoints is behind a NAT gateway then the
|
||||
tunnels file entry on the <emphasis role="bold">other</emphasis>
|
||||
endpoint should specify a tunnel type of <emphasis>ipsecnat</emphasis>
|
||||
rather than ipsec and the GATEWAY address should specify the external
|
||||
address of the NAT gateway.</para>
|
||||
</note>
|
||||
|
||||
<para>On each system, we will create a zone to represent the remote
|
||||
networks. On System A:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/zones system A</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">DISPLAY</entry>
|
||||
|
||||
<entry align="center">COMMENTS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn1</entry>
|
||||
|
||||
<entry>VPN1</entry>
|
||||
|
||||
<entry>Remote Subnet on system B</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn2</entry>
|
||||
|
||||
<entry>VPN2</entry>
|
||||
|
||||
<entry>Remote Subnet on system C</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>On systems B and C:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/zones system B & C</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">DISPLAY</entry>
|
||||
|
||||
<entry align="center">COMMENTS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>VPN</entry>
|
||||
|
||||
<entry>Remote Subnet on system A</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>At system A, ipsec0 represents two zones so we have the following in
|
||||
/etc/shorewall/interfaces:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/interfaces system A</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>-</entry>
|
||||
|
||||
<entry>ipsec0</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>The /etc/shorewall/hosts file on system A defines the two VPN zones:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/hosts system A</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">HOSTS</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn1</entry>
|
||||
|
||||
<entry>ipsec0:10.0.0.0/16</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn2</entry>
|
||||
|
||||
<entry>ipsec0:10.1.0.0/16</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>At systems B and C, ipsec0 represents a single zone so we have the
|
||||
following in /etc/shorewall/interfaces:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/interfaces system B & C</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>ipsec0</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>On systems A, you will need to allow traffic between the
|
||||
<quote>vpn1</quote> zone and the <quote>loc</quote> zone as well as
|
||||
between <quote>vpn2</quote> and the <quote>loc</quote> zone -- if you
|
||||
simply want to admit all traffic in both directions, you can use the
|
||||
following policy file entries on all three gateways:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/policy system A</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DEST</entry>
|
||||
|
||||
<entry align="center">POLICY</entry>
|
||||
|
||||
<entry align="center">LOG LEVEL</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>vpn1</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn1</entry>
|
||||
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>vpn2</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn2</entry>
|
||||
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>On systems B and C, you will need to allow traffic between the
|
||||
<quote>vpn</quote> zone and the <quote>loc</quote> zone -- if you simply
|
||||
want to admit all traffic in both directions, you can use the following
|
||||
policy file entries on all three gateways:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/policy system B & C</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DEST</entry>
|
||||
|
||||
<entry align="center">POLICY</entry>
|
||||
|
||||
<entry align="center">LOG LEVEL</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn</entry>
|
||||
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>Once you have the Shorewall entries added, restart Shorewall on each
|
||||
gateway (type shorewall restart); you are now ready to configure the
|
||||
tunnels in <ulink url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
|
||||
|
||||
<note>
|
||||
<para>to allow traffic between the networks attached to systems B and C,
|
||||
it is necessary to simply add two additional entries to the
|
||||
/etc/shorewall/policy file on system A.</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/policy system A</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DEST</entry>
|
||||
|
||||
<entry align="center">POLICY</entry>
|
||||
|
||||
<entry align="center">LOG LEVEL</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn1</entry>
|
||||
|
||||
<entry>vpn2</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn2</entry>
|
||||
|
||||
<entry>vpn1</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>If you find traffic being rejected/dropped in the OUTPUT chain,
|
||||
place the names of the remote VPN zones as a comma-separated list in the
|
||||
GATEWAY ZONE column of the /etc/shorewall/tunnels file entry.</para>
|
||||
</note>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Mobile System (Road Warrior)</title>
|
||||
|
||||
<para>Suppose that you have a laptop system (B) that you take with you
|
||||
when you travel and you want to be able to establish a secure connection
|
||||
back to your local network.</para>
|
||||
|
||||
<graphic fileref="images/Mobile.png" />
|
||||
|
||||
<example>
|
||||
<title>Road Warrior VPN</title>
|
||||
|
||||
<para>You need to define a zone for the laptop or include it in your
|
||||
local zone. In this example, we'll assume that you have created a
|
||||
zone called <quote>vpn</quote> to represent the remote host.</para>
|
||||
|
||||
<para><table><title>/etc/shorewall/zones local</title><tgroup cols="3"><thead><row><entry
|
||||
align="center">ZONE</entry><entry align="center">DISPLAY</entry><entry
|
||||
align="center">COMMENTS</entry></row></thead><tbody><row><entry>vpn</entry><entry>VPN</entry><entry>Remote
|
||||
Subnet</entry></row></tbody></tgroup></table></para>
|
||||
|
||||
<para>In this instance, the mobile system (B) has IP address 134.28.54.2
|
||||
but that cannot be determined in advance. In the /etc/shorewall/tunnels
|
||||
file on system A, the following entry should be made:</para>
|
||||
|
||||
<para><table><title>/etc/shorewall/tunnels system A</title><tgroup
|
||||
cols="4"><thead><row><entry align="center">TYPE</entry><entry
|
||||
align="center">ZONE</entry><entry align="center">GATEWAY</entry><entry
|
||||
align="center">GATEWAY ZONE</entry></row></thead><tbody><row><entry>ipsec</entry><entry>net</entry><entry>0.0.0.0/0</entry><entry>vpn</entry></row></tbody></tgroup></table></para>
|
||||
|
||||
<para><note><para>the GATEWAY ZONE column contains the name of the zone
|
||||
corresponding to peer subnetworks. This indicates that the gateway
|
||||
system itself comprises the peer subnetwork; in other words, the remote
|
||||
gateway is a standalone system.</para></note></para>
|
||||
|
||||
<para>You will need to configure /etc/shorewall/interfaces and establish
|
||||
your <quote>through the tunnel</quote> policy as shown under the first
|
||||
example above.</para>
|
||||
</example>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Dynamic RoadWarrior Zones</title>
|
||||
|
||||
<para>Beginning with Shorewall release 1.3.10, you can define multiple VPN
|
||||
zones and add and delete remote endpoints dynamically using
|
||||
/sbin/shorewall. In /etc/shorewall/zones:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/zones</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">DISPLAY</entry>
|
||||
|
||||
<entry align="center">COMMENTS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>vpn1</entry>
|
||||
|
||||
<entry>VPN-1</entry>
|
||||
|
||||
<entry>First VPN Zone</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn2</entry>
|
||||
|
||||
<entry>VPN-2</entry>
|
||||
|
||||
<entry>Second VPN Zone</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>vpn3</entry>
|
||||
|
||||
<entry>VPN-3</entry>
|
||||
|
||||
<entry>Third VPN Zone</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>In /etc/shorewall/tunnels:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/tunnels</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">TYPE</entry>
|
||||
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">GATEWAY</entry>
|
||||
|
||||
<entry align="center">GATEWAY ZONE</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>ipsec</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>0.0.0.0/0</entry>
|
||||
|
||||
<entry>vpn1,vpn2,vpn3</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>When Shorewall is started, the zones vpn[1-3] will all be empty and
|
||||
Shorewall will issue warnings to that effect. These warnings may be safely
|
||||
ignored. FreeS/Wan may now be configured to have three different Road
|
||||
Warrior connections with the choice of connection being based on X-509
|
||||
certificates or some other means. Each of these connectioins will utilize
|
||||
a different updown script that adds the remote station to the appropriate
|
||||
zone when the connection comes up and that deletes the remote station when
|
||||
the connection comes down. For example, when 134.28.54.2 connects for the
|
||||
vpn2 zone the <quote>up</quote> part of the script will issue the command:</para>
|
||||
|
||||
<programlisting>/sbin/shorewall add ipsec0:134.28.54.2 vpn2</programlisting>
|
||||
|
||||
<para>and the <quote>down</quote> part will:</para>
|
||||
|
||||
<programlisting>/sbin/shorewall delete ipsec0:134.28.54.2 vpn2</programlisting>
|
||||
|
||||
<section>
|
||||
<title>Limitations of Dynamic Zones</title>
|
||||
|
||||
<para>If you include a dynamic zone in the exclude list of a DNAT rule,
|
||||
the dynamically-added hosts are not excluded from the rule.</para>
|
||||
|
||||
<example>
|
||||
<title>dyn=dynamic zone</title>
|
||||
|
||||
<para><informaltable><tgroup cols="7"><thead><row><entry
|
||||
align="center">ACTION</entry><entry align="center">SOURCE</entry><entry
|
||||
align="center">DESTINATION</entry><entry align="center">PROTOCOL</entry><entry
|
||||
align="center">PORT(S)</entry><entry align="center">CLIENT PORT(S)</entry><entry
|
||||
align="center">ORIGINAL DESTINATION</entry></row></thead><tbody><row><entry>DNAT</entry><entry>z!dyn</entry><entry>loc:192.168.1.3</entry><entry>tcp</entry><entry>80</entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para>
|
||||
|
||||
<para>Dynamic changes to the zone <emphasis role="bold">dyn</emphasis>
|
||||
will have no effect on the above rule.</para>
|
||||
</example>
|
||||
</section>
|
||||
</section>
|
||||
</article>
|
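Review bot: before this IPSEC document is dropped, make sure its "Limitations of Dynamic Zones" caveat survives in whatever replaces it: a dynamic zone named in a DNAT rule's exclude list (the `z!dyn` row in the example) does not exclude hosts added later with `/sbin/shorewall add ipsec0:134.28.54.2 vpn2`, so such hosts are still redirected by the rule. That is the one security-relevant warning in the hunk and it is easy to lose in a documentation reshuffle. Two smaller things should not be carried forward as written: the paragraph introducing the "/etc/shorewall/policy system B & C" table says the entries go "on all three gateways", which contradicts the table title and reads as a copy-paste of the system A paragraph above it, and the Dynamic RoadWarrior Zones text has "connectioins" and spells the product both "FreeS/WAN" and "FreeS/Wan".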
@ -1,397 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article id="Install">
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Shorewall Installation and Upgrade</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-03-01</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001</year>
|
||||
|
||||
<year>2002</year>
|
||||
|
||||
<year>2003</year>
|
||||
|
||||
<year>2004</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section id="Install_RPM">
|
||||
<title>Install using RPM</title>
|
||||
|
||||
<important>
|
||||
<para>Before attempting installation, I strongly urge you to read and
|
||||
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
|
||||
QuickStart</ulink> Guide for the configuration that most closely matches
|
||||
your own.</para>
|
||||
</important>
|
||||
|
||||
<para>To install Shorewall using the RPM:</para>
|
||||
|
||||
<warning>
|
||||
<para>If you have RedHat 7.2 and are running iptables version 1.2.3 (at
|
||||
a shell prompt, type <quote>/sbin/iptables --version</quote>), you must
|
||||
upgrade to version 1.2.4 either from the <ulink
|
||||
url="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat
|
||||
update site</ulink> or from the <ulink url="errata.htm">Shorewall Errata
|
||||
page</ulink> before attempting to start Shorewall.</para>
|
||||
</warning>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Install the RPM</para>
|
||||
|
||||
<programlisting>rpm -ivh <shorewall rpm></programlisting>
|
||||
|
||||
<note>
|
||||
<para>Some SuSE users have encountered a problem whereby rpm reports
|
||||
a conflict with kernel <= 2.2 even though a 2.4 kernel is
|
||||
installed. If this happens, simply use the --nodeps option to rpm.</para>
|
||||
|
||||
<programlisting>rpm -ivh --nodeps <shorewall rpm></programlisting>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>Beginning with Shorewall 1.4.0, Shorewall is dependent on the
|
||||
iproute package. Unfortunately, some distributions call this package
|
||||
iproute2 which will cause the installation of Shorewall to fail with
|
||||
the diagnostic:</para>
|
||||
|
||||
<programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.x-1</programlisting>
|
||||
|
||||
<para>This may be worked around by using the --nodeps option of rpm.</para>
|
||||
|
||||
<programlisting>rpm -ivh --nodeps <shorewall rpm></programlisting>
|
||||
</note>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Edit the <link linkend="Config_Files">configuration files</link>
|
||||
to match your configuration.</para>
|
||||
|
||||
<warning>
|
||||
<para>YOU CAN <emphasis role="bold">NOT</emphasis> SIMPLY INSTALL
|
||||
THE RPM AND ISSUE A <quote>shorewall start</quote> COMMAND. SOME
|
||||
CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU
|
||||
ISSUE A <quote>start</quote> COMMAND AND THE FIREWALL FAILS TO
|
||||
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF
|
||||
THIS HAPPENS, ISSUE A <quote>shorewall clear</quote> COMMAND TO
|
||||
RESTORE NETWORK CONNECTIVITY.</para>
|
||||
</warning>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Start the firewall by typing</para>
|
||||
|
||||
<programlisting>shorewall start</programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section id="Install_Tarball">
|
||||
<title>Install using tarball</title>
|
||||
|
||||
<important>
|
||||
<para>Before attempting installation, I strongly urge you to read and
|
||||
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
|
||||
QuickStart</ulink> Guide for the configuration that most closely matches
|
||||
your own.</para>
|
||||
</important>
|
||||
|
||||
<para>To install Shorewall using the tarball and install script:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>cd to the shorewall directory (the version is encoded in the
|
||||
directory name as in <quote>shorewall-1.1.10</quote>).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If you are using <ulink
|
||||
url="http://www.caldera.com/openstore/openlinux/">Caldera</ulink>,
|
||||
<ulink url="http://www.redhat.com">RedHat</ulink>, <ulink
|
||||
url="http://www.linux-mandrake.com">Mandrake</ulink>, <ulink
|
||||
url="http://www.corel.com">Corel</ulink>, <ulink
|
||||
url="http://www.slackware.com/">Slackware</ulink> or <ulink
|
||||
url="http://www.debian.org">Debian</ulink> then type</para>
|
||||
|
||||
<programlisting>./install.sh</programlisting>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para>If you are using <ulink url="http://www.suse.com">SuSe</ulink>
|
||||
then type</para>
|
||||
|
||||
<programlisting>./install.sh /etc/init.d</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If your distribution has directory /etc/rc.d/init.d or
|
||||
/etc/init.d then type</para>
|
||||
|
||||
<programlisting>./install.sh</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>For other distributions, determine where your distribution
|
||||
installs init scripts and type</para>
|
||||
|
||||
<programlisting>./install.sh <init script directory></programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Edit the <link linkend="Config_Files">configuration files</link>
|
||||
to match your configuration.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Start the firewall by typing</para>
|
||||
|
||||
<programlisting>shorewall start</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If the install script was unable to configure Shorewall to be
|
||||
started automatically at boot, see <ulink
|
||||
url="starting_and_stopping_shorewall.htm">these instructions</ulink>.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section id="LRP">
|
||||
<title>Install the .lrp</title>
|
||||
|
||||
<important>
|
||||
<para>Before attempting installation, I strongly urge you to read and
|
||||
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
|
||||
QuickStart</ulink> Guide for the configuration that most closely matches
|
||||
your own.</para>
|
||||
</important>
|
||||
|
||||
<para>To install my version of Shorewall on a fresh Bering disk, simply
|
||||
replace the <quote>shorwall.lrp</quote> file on the image with the file
|
||||
that you downloaded. See the <ulink url="two-interface.htm">two-interface
|
||||
QuickStart Guide</ulink> for information about further steps required.</para>
|
||||
</section>
|
||||
|
||||
<section id="Upgrade_RPM">
|
||||
<title>Upgrade using RPM</title>
|
||||
|
||||
<important>
|
||||
<para>Before upgrading, be sure to review the <ulink
|
||||
url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
|
||||
</important>
|
||||
|
||||
<para>If you already have the Shorewall RPM installed and are upgrading to
|
||||
a new version:</para>
|
||||
|
||||
<important>
|
||||
<para>If you are upgrading from a 1.2 version of Shorewall to a 1.4
|
||||
version or and you have entries in the /etc/shorewall/hosts file then
|
||||
please check your /etc/shorewall/interfaces file to be sure that it
|
||||
contains an entry for each interface mentioned in the hosts file. Also,
|
||||
there are certain 1.2 rule forms that are no longer supported under 1.4
|
||||
(you must use the new 1.4 syntax). See <ulink url="errata.htm#Upgrade">the
|
||||
upgrade issues</ulink> for details.</para>
|
||||
</important>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Upgrade the RPM</para>
|
||||
|
||||
<programlisting>rpm -Uvh <shorewall rpm file></programlisting>
|
||||
|
||||
<note>
|
||||
<para>If you are installing version 1.2.0 and have one of the 1.2.0
|
||||
Beta RPMs installed, you must use the <quote>--oldpackage</quote>
|
||||
option to rpm.</para>
|
||||
|
||||
<informalexample>
|
||||
<programlisting>rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm</programlisting>
|
||||
</informalexample>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>Some SuSE users have encountered a problem whereby rpm reports
|
||||
a conflict with kernel <= 2.2 even though a 2.4 kernel is
|
||||
installed. If this happens, simply use the --nodeps option to rpm.</para>
|
||||
|
||||
<programlisting>rpm -Uvh --nodeps <shorewall rpm></programlisting>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>Beginning with Shorewall 1.4.0, Shorewall is dependent on the
|
||||
iproute package. Unfortunately, some distributions call this package
|
||||
iproute2 which will cause the upgrade of Shorewall to fail with the
|
||||
diagnostic:</para>
|
||||
|
||||
<programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.0-1</programlisting>
|
||||
|
||||
<para>This may be worked around by using the --nodeps option of rpm.</para>
|
||||
|
||||
<programlisting>rpm -Uvh --nodeps <shorewall rpm></programlisting>
|
||||
</note>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>See if there are any incompatibilities between your
|
||||
configuration and the new Shorewall version and correct as necessary.</para>
|
||||
|
||||
<programlisting>shorewall check</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Restart the firewall.</para>
|
||||
|
||||
<programlisting>shorewall restart</programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section id="Upgrade_Tarball">
|
||||
<title>Upgrade using tarball</title>
|
||||
|
||||
<important>
|
||||
<para>Before upgrading, be sure to review the <ulink
|
||||
url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
|
||||
</important>
|
||||
|
||||
<para>If you already have Shorewall installed and are upgrading to a new
|
||||
version using the tarball:</para>
|
||||
|
||||
<important>
|
||||
<para>If you are upgrading from a 1.2 version of Shorewall to a 1.4
|
||||
version and you have entries in the /etc/shorewall/hosts file then
|
||||
please check your /etc/shorewall/interfaces file to be sure that it
|
||||
contains an entry for each interface mentioned in the hosts file. Also,
|
||||
there are certain 1.2 rule forms that are no longer supported under 1.4
|
||||
(you must use the new 1.4 syntax). See <ulink url="errata.htm#Upgrade">the
|
||||
upgrade issues</ulink> for details.</para>
|
||||
</important>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>unpack the tarball.</para>
|
||||
|
||||
<programlisting>tar -zxf shorewall-x.y.z.tgz</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>cd to the shorewall directory (the version is encoded in the
|
||||
directory name as in <quote>shorewall-3.0.1</quote>).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If you are using <ulink
|
||||
url="http://www.caldera.com/openstore/openlinux/">Caldera</ulink>,
|
||||
<ulink url="http://www.redhat.com">RedHat</ulink>, <ulink
|
||||
url="http://www.linux-mandrake.com">Mandrake</ulink>, <ulink
|
||||
url="http://www.corel.com">Corel</ulink>, <ulink
|
||||
url="http://www.slackware.com/">Slackware</ulink> or <ulink
|
||||
url="http://www.debian.org">Debian</ulink> then type</para>
|
||||
|
||||
<programlisting>./install.sh</programlisting>
|
||||
|
||||
<orderedlist numeration="loweralpha">
|
||||
<listitem>
|
||||
<para>If you are using <ulink url="http://www.suse.com">SuSe</ulink>
|
||||
then type</para>
|
||||
|
||||
<programlisting>./install.sh /etc/init.d</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If your distribution has directory /etc/rc.d/init.d or
|
||||
/etc/init.d then type</para>
|
||||
|
||||
<programlisting>./install.sh</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>For other distributions, determine where your distribution
|
||||
installs init scripts and type</para>
|
||||
|
||||
<programlisting>./install.sh <init script directory></programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>See if there are any incompatibilities between your
|
||||
configuration and the new Shorewall version and correct as necessary.</para>
|
||||
|
||||
<programlisting>shorewall check</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Start the firewall by typing</para>
|
||||
|
||||
<programlisting>shorewall start</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If the install script was unable to configure Shorewall to be
|
||||
started automatically at boot, see <ulink
|
||||
url="starting_and_stopping_shorewall.htm">these instructions</ulink>.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section id="LRP_Upgrade">
|
||||
<title>Upgrade the .lrp</title>
|
||||
|
||||
<important>
|
||||
<para>Before upgrading, be sure to review the <ulink
|
||||
url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
|
||||
</important>
|
||||
|
||||
<para>If you already have a running Bering installation and wish to
|
||||
upgrade to a later version of Shorewall:</para>
|
||||
|
||||
<remark>UNDER CONSTRUCTION...</remark>
|
||||
</section>
|
||||
|
||||
<section id="Config_Files">
|
||||
<title>Configuring Shorewall</title>
|
||||
|
||||
<para>You will need to edit some or all of the configuration files to
|
||||
match your setup. In most cases, the <ulink
|
||||
url="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</ulink>
|
||||
contain all of the information you need.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Uninstall/Fallback</title>
|
||||
|
||||
<para>See <quote><ulink url="fallback.htm">Fallback and Uninstall</ulink></quote>.</para>
|
||||
</section>
|
||||
</article>
|
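Review bot: the removal is consistent with the file's own contents (parallel tarball steps cite "shorewall-1.1.10" and "shorewall-3.0.1", the RPM section warns about RedHat 7.2 with iptables 1.2.3, and the .lrp upgrade section is an "UNDER CONSTRUCTION" stub), but the article declares anchor ids Install, Install_RPM, Install_Tarball, LRP, Upgrade_RPM, Upgrade_Tarball, LRP_Upgrade and Config_Files that other pages may link to; grep the remaining documents for those targets before committing so no links dangle. Two pieces are worth preserving elsewhere: the warning that a failed `shorewall start` leaves the system accepting no network traffic and that `shorewall clear` restores connectivity, and the `shorewall check` step before `shorewall restart` on upgrade. The repeated `rpm -ivh --nodeps` / `rpm -Uvh --nodeps` advice is the part that should not be reused unchanged, since it tells users to bypass the iproute dependency check rather than to confirm that the `ip` utility is actually present before starting the firewall.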
@ -1,194 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article id="usefull_links">
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Introduction</title>
|
||||
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
|
||||
<pubdate>2004-01-26</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003-2004</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink type="" url="Copyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<title>Introduction</title>
|
||||
|
||||
<para>The information in this document applies only to 1.4.x releases of
|
||||
Shorewall.</para>
|
||||
|
||||
<section>
|
||||
<title>Glossary</title>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><ulink url="http://www.netfilter.org">Netfilter</ulink> - the
|
||||
packet filter facility built into the 2.4 and later Linux kernels.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>ipchains - the packet filter facility built into the 2.2 Linux
|
||||
kernels. Also the name of the utility program used to configure and
|
||||
control that facility. Netfilter can be used in ipchains
|
||||
compatibility mode.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>iptables - the utility program used to configure and control
|
||||
Netfilter. The term <quote>iptables</quote> is often used to refer
|
||||
to the combination of iptables+Netfilter (with Netfilter not in
|
||||
ipchains compatibility mode).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>What is Shorewall?</title>
|
||||
|
||||
<para>The Shoreline Firewall, more commonly known as <quote>Shorewall</quote>,
|
||||
is high-level tool for configuring Netfilter. You describe your
|
||||
firewall/gateway requirements using entries in a set of configuration
|
||||
files. Shorewall reads those configuration files and with the help of
|
||||
the iptables utility, Shorewall configures Netfilter to match your
|
||||
requirements. Shorewall can be used on a dedicated firewall system, a
|
||||
multi-function gateway/router/server or on a standalone GNU/Linux
|
||||
system. Shorewall does not use Netfilter's ipchains compatibility
|
||||
mode and can thus take advantage of Netfilter's connection state
|
||||
tracking capabilities.</para>
|
||||
|
||||
<para>Shorewall is not a daemon. Once Shorewall has configured
|
||||
Netfilter, it's job is complete although the <ulink
|
||||
url="starting_and_stopping_shorewall.htm">/sbin/shorewall program can be
|
||||
used at any time to monitor the Netfilter firewall</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Getting Started with Shorewall</title>
|
||||
|
||||
<para>New to Shorewall? Start by selecting the <ulink
|
||||
url="shorewall_quickstart_guide.htm">QuickStart Guide</ulink> that most
|
||||
closely match your environment and follow the step by step instructions.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Looking for Information?</title>
|
||||
|
||||
<para>The <ulink url="Documentation_Index.html">Documentation Index</ulink>
|
||||
is a good place to start.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Shorewall Concepts</title>
|
||||
|
||||
<para>The configuration files for Shorewall are contained in the directory
|
||||
<filename class="directory">/etc/shorewall</filename> -- for simple
|
||||
setups, you will only need to deal with a few of them.</para>
|
||||
|
||||
<para>Shorewall views the network where it is running as being composed of
|
||||
a set of zones. In the <ulink url="three-interface.htm">three-interface
|
||||
sample configuration</ulink> for example, the following zone names are
|
||||
used: <informaltable frame="all" pgwide="0"><tgroup align="left" cols="2"><thead
|
||||
valign="middle"><row valign="middle"><entry align="left">Name</entry><entry
|
||||
align="left">Description</entry></row></thead><tbody valign="middle"><row
|
||||
valign="middle"><entry align="left"><varname>net</varname></entry><entry
|
||||
align="left">The Internet</entry></row><row valign="middle"><entry
|
||||
align="left"><varname>loc</varname></entry><entry align="left">Your Local
|
||||
Network</entry></row><row valign="middle"><entry align="left"><varname>dmz</varname></entry><entry
|
||||
align="left">Demilitarized Zone</entry></row></tbody></tgroup></informaltable>Zones
|
||||
are defined in the <ulink url="Documentation.htm#Zones"><filename
|
||||
class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
|
||||
file.</para>
|
||||
|
||||
<para>Shorewall also recognizes the firewall system as its own zone - by
|
||||
default, the firewall itself is known as <emphasis role="bold"><varname>fw</varname></emphasis>.</para>
|
||||
|
||||
<para>Rules about what traffic to allow and what traffic to deny are
|
||||
expressed in terms of zones. <itemizedlist spacing="compact"><listitem><para>You
|
||||
express your default policy for connections from one zone to another zone
|
||||
in the <ulink url="Documentation.htm#Policy"><filename class="directory">/etc/shorewall/</filename><filename>policy</filename></ulink>
|
||||
file.</para></listitem><listitem><para>You define exceptions to those
|
||||
default policies in the <ulink url="Documentation.htm#Rules"><filename
|
||||
class="directory">/etc/shorewall/</filename><filename>rules</filename></ulink>
|
||||
file.</para></listitem></itemizedlist>For each connection request entering
|
||||
the firewall, the request is first checked against the <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>rules</filename>
|
||||
file. If no rule in that file matches the connection request then the
|
||||
first policy in <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||
that matches the request is applied. If that policy is <varname>REJECT</varname>
|
||||
or <varname>DROP</varname> the request is first checked against the rules
|
||||
in <filename class="directory">/etc/shorewall/</filename><filename>common</filename>
|
||||
if that file exists; otherwise the rules in <filename class="directory">/etc/shorewall/</filename><filename>common.def</filename>
|
||||
are checked.</para>
|
||||
|
||||
<para>The <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||
file included with the three-interface sample has the following policies:
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting>In the three-interface
|
||||
sample, the line below is included but commented out. If you want your
|
||||
firewall system to have full access to servers on the internet, uncomment
|
||||
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
fw net ACCEPT</programlisting> The above policy will:
|
||||
<itemizedlist><listitem><para>Allow all connection requests from your
|
||||
local network to the internet</para></listitem><listitem><para>Drop
|
||||
(ignore) all connection requests from the internet to your firewall or
|
||||
local network</para></listitem><listitem><para>Optionally accept all
|
||||
connection requests from the firewall to the internet (if you uncomment
|
||||
the additional policy)</para></listitem><listitem><para>reject all other
|
||||
connection requests.</para></listitem></itemizedlist></para>
|
||||
|
||||
<para>The simplest way to define a zone is to associate the zone with a
|
||||
network interface using the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
|
||||
file. In the three-interface sample, the three zones are defined using
|
||||
that file as follows:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect dhcp,routefilter,norfc1918
|
||||
loc eth1 detect
|
||||
dmz eth2 detect</programlisting>
|
||||
|
||||
<para>The above file defines the net zone as all hosts interfacing to the
|
||||
firewall through eth0, the loc zone as all hosts interfacing through eth1
|
||||
and the dmz as all hosts interfacing through eth2.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>License</title>
|
||||
|
||||
<para>This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of <ulink url="http://www.gnu.org/licenses/gpl.html">Version
|
||||
2 of the GNU General Public License</ulink> as published by the Free
|
||||
Software Foundation.</para>
|
||||
|
||||
<para>This program is distributed in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
for more detail.</para>
|
||||
|
||||
<para>You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software Foundation,
|
||||
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</para>
|
||||
</section>
|
||||
</article>
|
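Review bot: the License section's closing paragraph gives an outdated FSF postal address (`675 Mass Ave, Cambridge, MA 02139`); if this boilerplate is being consolidated into the remaining documents rather than dropped with this file, have it point at the gpl.html link already used in the same section instead of a street address. The interfaces sample just above it (`net eth0 detect dhcp,routefilter,norfc1918`) is the three-interface zone definition that readers copy; confirm the three-interface guide that remains in the current revision shows the same options so the deletion does not silently change what new users put on their net interface.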
@ -1,184 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article id="MAC_Validation">
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>MAC Verification</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-01-06</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<para>All traffic from an interface or from a subnet on an interface can be
|
||||
verified to originate from a defined set of MAC addresses. Furthermore, each
|
||||
MAC address may be optionally associated with one or more IP addresses.</para>
|
||||
|
||||
<important>
|
||||
<para><emphasis role="bold">MAC addresses are only visible within a
|
||||
ethernet segment so all MAC addresses used in verification must belong to
|
||||
devices physically connected to one of the LANs to which your firewall is
|
||||
connected.</emphasis></para>
|
||||
</important>
|
||||
|
||||
<important>
|
||||
<para><emphasis role="bold">Your kernel must include MAC match support
|
||||
(CONFIG_IP_NF_MATCH_MAC - module name ipt_mac.o).</emphasis></para>
|
||||
</important>
|
||||
|
||||
<section>
|
||||
<title>Components</title>
|
||||
|
||||
<para>There are four components to this facility.</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>The <emphasis role="bold">maclist</emphasis> interface option in
|
||||
<ulink url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.
|
||||
When this option is specified, all traffic arriving on the interface
|
||||
is subjet to MAC verification.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The <emphasis role="bold">maclist</emphasis> option in <ulink
|
||||
url="Documentation.htm#Hosts">/etc/shorewall/hosts</ulink>. When this
|
||||
option is specified for a subnet, all traffic from that subnet is
|
||||
subject to MAC verification.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The /etc/shorewall/maclist file. This file is used to associate
|
||||
MAC addresses with interfaces and to optionally associate IP addresses
|
||||
with MAC addresses.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The <emphasis role="bold">MACLIST_DISPOSITION</emphasis> and
|
||||
<emphasis role="bold">MACLIST_LOG_LEVEL</emphasis> variables in <ulink
|
||||
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.
|
||||
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
|
||||
and determines the disposition of connection requests that fail MAC
|
||||
verification. The MACLIST_LOG_LEVEL variable gives the syslogd level
|
||||
at which connection requests that fail verification are to be logged.
|
||||
If set the the empty value (e.g., MACLIST_LOG_LEVEL="") then
|
||||
failing connection requests are not logged.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>/etc/shorewall/maclist</title>
|
||||
|
||||
<para>The columns in /etc/shorewall/maclist are:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>INTERFACE</term>
|
||||
|
||||
<listitem>
|
||||
<para>The name of an ethernet interface on the Shorewall system.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>MAC</term>
|
||||
|
||||
<listitem>
|
||||
<para>The MAC address of a device on the ethernet segment connected
|
||||
by INTERFACE. It is not necessary to use the Shorewall MAC format in
|
||||
this column although you may use that format if you so choose.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>IP Address</term>
|
||||
|
||||
<listitem>
|
||||
<para>An optional comma-separated list of IP addresses for the
|
||||
device whose MAC is listed in the MAC column.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Examples</title>
|
||||
|
||||
<example>
|
||||
<title>Here are my files (look <ulink url="myfiles.htm">here</ulink> for
|
||||
details about my setup)</title>
|
||||
|
||||
<para>/etc/shorewall/shorewall.conf:</para>
|
||||
|
||||
<programlisting>MACLIST_DISPOSITION=REJECT
|
||||
MACLIST_LOG_LEVEL=info</programlisting>
|
||||
|
||||
<para>/etc/shorewall/interfaces:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
|
||||
loc eth2 192.168.1.255 dhcp
|
||||
dmz eth1 192.168.2.255
|
||||
WiFi eth3 192.168.3.255 dhcp,maclist
|
||||
- texas 192.168.9.255</programlisting>
|
||||
|
||||
<para>/etc/shorewall/maclist:</para>
|
||||
|
||||
<programlisting>#INTERFACE MAC IP ADDRESSES (Optional)
|
||||
eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop
|
||||
eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11
|
||||
eth3 00:06:25:56:33:3c 192.168.3.225,192.168.3.8 #WET11
|
||||
eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER</programlisting>
|
||||
|
||||
<para>As shown above, I use MAC Verification on my wireless zone.</para>
|
||||
|
||||
<para><note><para>While marketed as a wireless bridge, the WET11 behaves
|
||||
like a wireless router with DHCP relay. When forwarding DHCP traffic, it
|
||||
uses the MAC address of the host (TIPPER) but for other forwarded
|
||||
traffic it uses it's own MAC address. Consequently, I list the IP
|
||||
addresses of both devices in /etc/shorewall/maclist.</para></note></para>
|
||||
</example>
|
||||
|
||||
<example>
|
||||
<title>Router in Wireless Zone</title>
|
||||
|
||||
<para>Suppose now that I add a second wireless segment to my wireless
|
||||
zone and gateway that segment via a router with MAC address
|
||||
00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
|
||||
segment have IP addresses in the subnet 192.168.4.0/24. I would add the
|
||||
following entry to my /etc/shorewall/maclist file:</para>
|
||||
|
||||
<programlisting>eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24</programlisting>
|
||||
|
||||
<para>This entry accomodates traffic from the router itself
|
||||
(192.168.3.253) and from the second wireless segment (192.168.4.0/24).
|
||||
Remember that all traffic being sent to my firewall from the
|
||||
192.168.4.0/24 segment will be forwarded by the router so that
|
||||
traffic's MAC address will be that of the router (00:06:43:45:C6:15)
|
||||
and not that of the host sending the traffic.</para>
|
||||
</example>
|
||||
</section>
|
||||
</article>
|
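Review bot: this deletes the reference for the `maclist` interface and hosts options and for `MACLIST_DISPOSITION` / `MACLIST_LOG_LEVEL`, including the statement that an empty `MACLIST_LOG_LEVEL` means failing requests are not logged; confirm the current-revision documentation still covers those settings before the file goes. Two caveats from the deleted text are worth carrying over explicitly: the `important` note that MAC matching only applies to devices on a directly attached Ethernet segment, and the Router / WET11 examples showing that traffic forwarded through a router or bridge arrives with the forwarding device's MAC, so the maclist entry must list that device's MAC with the networks behind it. The article also carries `id="MAC_Validation"`, a link target; check nothing remaining links to it.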
@ -1,330 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article id="Multiple_Zones">
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Routing on One Interface</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-02-07</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<title>Introduction</title>
|
||||
|
||||
<para>While most configurations can be handled with each of the
|
||||
firewall's network interfaces assigned to a single zone, there are
|
||||
cases where you will want to divide the hosts accessed through an
|
||||
interface between two or more zones.</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The interface has multiple addresses on multiple subnetworks.
|
||||
This case is covered in the <ulink
|
||||
url="Shorewall_and_Aliased_Interfaces.html">Aliased Interface
|
||||
documentation</ulink>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You are using some form of NAT and want to access a server by
|
||||
its external IP address from the same LAN segment. This is covered in
|
||||
<ulink url="FAQ.htm#faq2">FAQs 2 and 2a</ulink>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>There are routers accessible through the interface and you want
|
||||
to treat the networks accessed through that router as a separate zone.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Some of the hosts accessed through an interface have
|
||||
significantly different firewalling requirements from the others so
|
||||
you want to assign them to a different zone.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The key points to keep in mind when setting up multiple zones per
|
||||
interface are:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Shorewall generates rules for zones in the order that the zone
|
||||
declarations appear in /etc/shorewall/zones.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The order of entries in /etc/shorewall/hosts is immaterial as
|
||||
far as the generated ruleset is concerned.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para><emphasis role="bold">These examples use the local zone but the same
|
||||
technique works for any zone.</emphasis> Remember that Shorewall
|
||||
doesn't have any conceptual knowledge of <quote>Internet</quote>,
|
||||
<quote>Local</quote>, or <quote>DMZ</quote> so all zones except the
|
||||
firewall itself ($FW) are the same as far as Shorewall is concerned. Also,
|
||||
the examples use private (RFC 1918) addresses but public IP addresses can
|
||||
be used in exactly the same way.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Router in the Local Zone</title>
|
||||
|
||||
<para>Here is an example of a router in the local zone.</para>
|
||||
|
||||
<note>
|
||||
<para>the <emphasis role="bold">box called <quote>Router</quote> could
|
||||
be a VPN server</emphasis> or other such device; from the point of view
|
||||
of this discussion, it makes no difference.</para>
|
||||
</note>
|
||||
|
||||
<graphic fileref="images/MultiZone1.png" />
|
||||
|
||||
<section>
|
||||
<title>Can You Use the Standard Configuration?</title>
|
||||
|
||||
<para>In many cases, the <ulink url="two-interface.htm">standard
|
||||
two-interface Shorewall setup</ulink> will work fine in this
|
||||
configuration. It will work if:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The firewall requirements to/from the internet are the same
|
||||
for 192.168.1.0/24 and 192.168.2.0/24.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The hosts in 192.168.1.0/24 know that the route to
|
||||
192.168.2.0/24 is through the <emphasis role="bold">router</emphasis>.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>All you have to do on the firewall is add a route to
|
||||
192.168.2.0/24 through the <emphasis role="bold">router</emphasis> and
|
||||
restart Shorewall.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Will One Zone be Enough?</title>
|
||||
|
||||
<para>If the firewalling requirements for the two local networks is the
|
||||
same but the hosts in 192.168.1.0/24 don't know how to route to
|
||||
192.168.2.0/24 then you need to configure the firewall slightly
|
||||
differently. This type of configuration is rather stupid from an IP
|
||||
networking point of view but it is sometimes necessary because you
|
||||
simply don't want to have to reconfigure all of the hosts in
|
||||
192.168.1.0/24 to add a persistent route to 192.168.2.0/24. On the
|
||||
firewall:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Add a route to 192.168.2.0/24 through the <emphasis
|
||||
role="bold">Router</emphasis>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Set the <quote>routeback</quote> and <quote>newnotsyn</quote>
|
||||
options for eth1 (the local firewall interface) in
|
||||
/etc/shorewall/interfaces.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Restart Shorewall.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>I Need Separate Zones</title>
|
||||
|
||||
<para>If you need to make 192.168.2.0/24 into it's own zone, you can
|
||||
do it one of two ways; Nested Zones or Parallel Zones.</para>
|
||||
|
||||
<section>
|
||||
<title>Nested Zones</title>
|
||||
|
||||
<para>You can define one zone (called it <quote>loc</quote>) as being
|
||||
all hosts connectied to eth1 and a second zone <quote>loc1</quote>
|
||||
(192.168.2.0/24) as a sub-zone.</para>
|
||||
|
||||
<graphic fileref="images/MultiZone1A.png" />
|
||||
|
||||
<para>The advantage of this approach is that the zone <quote>loc1</quote>
|
||||
can use CONTINUE policies such that if a connection request
|
||||
doesn't match a <quote>loc1</quote> rule, it will be matched
|
||||
against the <quote>loc</quote> rules. For example, if your
|
||||
loc1->net policy is CONTINUE then if a connection request from
|
||||
loc1 to the internet doesn't match any rules for loc1->net
|
||||
then it will be checked against the loc->net rules.</para>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename></para>
|
||||
|
||||
<programlisting>#ZONE DISPLAY COMMENTS
|
||||
loc1 Local1 Hosts accessed through internal router
|
||||
loc Local All hosts accessed via eth1</programlisting>
|
||||
|
||||
<note>
|
||||
<para>the sub-zone (loc1) is defined first!</para>
|
||||
</note>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST
|
||||
loc eth1 192.168.1.255</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename></para>
|
||||
|
||||
<programlisting>#ZONE HOSTS
|
||||
loc1 eth1:192.168.2.0/24</programlisting>
|
||||
|
||||
<para>If you don't need Shorewall to set up infrastructure to
|
||||
route traffic between <quote>loc</quote> and <quote>loc1</quote>, add
|
||||
these two policies.</para>
|
||||
|
||||
<para>/etc/shorewall/policy</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY
|
||||
loc loc1 NONE
|
||||
loc1 loc NONE</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Parallel Zones</title>
|
||||
|
||||
<para>You define both zones in the /etc/shorewall/hosts file to create
|
||||
two disjoint zones.</para>
|
||||
|
||||
<graphic fileref="images/MultiZone1B.png" />
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename></para>
|
||||
|
||||
<programlisting>#ZONE DISPLAY COMMENTS
|
||||
loc1 Local1 Hosts accessed Directly from Firewall
|
||||
loc2 Local2 Hosts accessed via the internal Router</programlisting>
|
||||
|
||||
<note>
|
||||
<para>Here it doesn't matter which zone is defined first.</para>
|
||||
</note>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST
|
||||
- eth1 192.168.1.255</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename></para>
|
||||
|
||||
<programlisting>#ZONE HOSTS
|
||||
loc1 eth1:192.168.1.0/24
|
||||
loc2 eth1:192.168.2.0/24</programlisting>
|
||||
|
||||
<para>You don't need Shorewall to set up infrastructure to route
|
||||
traffic between <quote>loc</quote> and <quote>loc1</quote>, so add
|
||||
these two policies:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY
|
||||
loc1 loc2 NONE
|
||||
loc2 loc1 NONE</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Some Hosts have Special Firewalling Requirements</title>
|
||||
|
||||
<para>There are cases where a subset of the addresses associated with an
|
||||
interface need special handling. Here's an example.</para>
|
||||
|
||||
<graphic fileref="images/MultiZone2.png" />
|
||||
|
||||
<para>In this example, addresses 192.168.1.8 - 192.168.1.15
|
||||
(192.168.1.8/29) are to be treated as their own zone (loc1).</para>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename></para>
|
||||
|
||||
<programlisting>#ZONE DISPLAY COMMENTS
|
||||
loc1 Local1 192.168.1.8-192.168.1.15
|
||||
loc Local All hosts accessed via eth1</programlisting>
|
||||
|
||||
<note>
|
||||
<para>the sub-zone (loc1) is defined first!</para>
|
||||
</note>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST
|
||||
loc eth1 192.168.1.255</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS
|
||||
loc1 eth1:192.168.1.8/29</programlisting></para>
|
||||
|
||||
<para>You probably don't want Shorewall to set up infrastructure to
|
||||
route traffic between <quote>loc</quote> and <quote>loc1</quote> so you
|
||||
should add these two policies.</para>
|
||||
|
||||
<para><filename>/etc/shorewall/policy</filename></para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY
|
||||
loc loc1 NONE
|
||||
loc1 loc NONE</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="OneArmed">
|
||||
<title>One-armed Router</title>
|
||||
|
||||
<para>Nested zones may also be used to configure a <quote>one-armed</quote>
|
||||
router (I don't call it a <quote>firewall</quote> because it is very
|
||||
insecure. For example, if you connect to the internet via cable modem,
|
||||
your next door neighbor has full access to your local systems as does
|
||||
everyone else connected to the same cable modem head-end controller). Here
|
||||
eth0 is configured with both a public IP address and an RFC 1918 address
|
||||
(More on that topic may be found <ulink
|
||||
url="Shorewall_and_Aliased_Interfaces.html">here</ulink>). Hosts in the
|
||||
<quote>loc</quote> zone are configured with their default gateway set to
|
||||
the Shorewall router's RFC1918 address.<graphic
|
||||
fileref="images/MultiZone3.png" /></para>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename></para>
|
||||
|
||||
<programlisting>#ZONE DISPLAY COMMENTS
|
||||
loc Local Local Zone
|
||||
net Internet The big bad Internet</programlisting>
|
||||
|
||||
<note>
|
||||
<para>the sub-zone (loc) is defined first!</para>
|
||||
</note>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST
|
||||
net eth0 detect</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename></para>
|
||||
|
||||
<programlisting>#ZONE HOSTS
|
||||
loc eth0:192.168.1.0/24</programlisting>
|
||||
</section>
|
||||
</article>
|
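Review bot: if this text is being relocated rather than dropped, the Parallel Zones paragraph ("You don't need Shorewall to set up infrastructure to route traffic between loc and loc1") names the wrong zones: that example defines `loc1` and `loc2`, as its own policy listing `loc1 loc2 NONE` / `loc2 loc1 NONE` shows; fix it in the destination. The article id `Multiple_Zones` and the section id `OneArmed` are link targets, and the One-armed Router section is the only place this page states that such a setup leaves the local hosts reachable by everyone on the same upstream segment; make sure the replacement documentation keeps that warning alongside the zones/interfaces/hosts listings.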
@ -1,156 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article id="NAT">
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>One-to-one NAT</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2003-11-22</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001</year>
|
||||
|
||||
<year>2002</year>
|
||||
|
||||
<year>2003</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<title>One-to-one NAT</title>
|
||||
|
||||
<important>
|
||||
<para><emphasis role="bold">If all you want to do is forward ports to
|
||||
servers behind your firewall, you do NOT want to use one-to-one NAT.
|
||||
Port forwarding can be accomplished with simple entries in the <ulink
|
||||
url="Documentation.htm#Rules">rules file</ulink>.</emphasis></para>
|
||||
</important>
|
||||
|
||||
<para>One-to-one NAT is a way to make systems behind a firewall and
|
||||
configured with private IP addresses (those reserved for private use in
|
||||
RFC 1918) appear to have public IP addresses. Before you try to use this
|
||||
technique, I strongly recommend that you read the <ulink
|
||||
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>.</para>
|
||||
|
||||
<para>The following figure represents a one-to-one NAT environment.</para>
|
||||
|
||||
<graphic fileref="images/staticnat.png" />
|
||||
|
||||
<para>One-to-one NAT can be used to make the systems with the 10.1.1.*
|
||||
addresses appear to be on the upper (130.252.100.*) subnet. If we assume
|
||||
that the interface to the upper subnet is eth0, then the following
|
||||
/etc/shorewall/NAT file would make the lower left-hand system appear to
|
||||
have IP address 130.252.100.18 and the right-hand one to have IP address
|
||||
130.252.100.19.</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/NAT</title>
|
||||
|
||||
<tgroup cols="5">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">EXTERNAL</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">INTERNAL</entry>
|
||||
|
||||
<entry align="center">ALL INTERFACES</entry>
|
||||
|
||||
<entry align="center">LOCAL</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>130.252.100.18</entry>
|
||||
|
||||
<entry>eth0</entry>
|
||||
|
||||
<entry>10.1.1.2</entry>
|
||||
|
||||
<entry>yes</entry>
|
||||
|
||||
<entry>yes</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>130.252.100.19</entry>
|
||||
|
||||
<entry>eth0</entry>
|
||||
|
||||
<entry>10.1.1.3</entry>
|
||||
|
||||
<entry>yes</entry>
|
||||
|
||||
<entry>yes</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
|
||||
above example) is (are) not included in any specification in
|
||||
/etc/shorewall/masq or /etc/shorewall/proxyarp.</para>
|
||||
|
||||
<note>
|
||||
<para>The <quote>ALL INTERFACES</quote> column is used to specify
|
||||
whether access to the external IP from all firewall interfaces should
|
||||
undergo NAT (Yes or yes) or if only access from the interface in the
|
||||
INTERFACE column should undergo NAT. If you leave this column empty,
|
||||
<quote>Yes</quote> is assumed. The ALL INTERFACES column was added in
|
||||
version 1.1.6. <emphasis role="bold">Specifying <quote>Yes</quote> in
|
||||
this column will not allow systems on the lower LAN to access each other
|
||||
using their public IP addresses.</emphasis> For example, the lower
|
||||
left-hand system (10.1.1.2) cannot connect to 130.252.100.19 and expect
|
||||
to be connected to the lower right-hand system. <ulink
|
||||
url="FAQ.htm#faq2a">See FAQ 2a</ulink>.</para>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>Shorewall will automatically add the external address to the
|
||||
specified interface unless you specify <ulink
|
||||
url="Documentation.htm#Aliases">ADD_IP_ALIASES</ulink>=<quote>no</quote>
|
||||
(or <quote>No</quote>) in /etc/shorewall/shorewall.conf; If you do not
|
||||
set ADD_IP_ALIASES or if you set it to <quote>Yes</quote> or
|
||||
<quote>yes</quote> then you must NOT configure your own alias(es).</para>
|
||||
|
||||
<para><important><para>Shorewall versions earlier than 1.4.6 can only
|
||||
add external addresses to an interface that is configured with a single
|
||||
subnetwork -- if your external interface has addresses in more than one
|
||||
subnetwork, Shorewall 1.4.5 and earlier can only add addresses to the
|
||||
first one.</para></important></para>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
<para>The contents of the <quote>LOCAL</quote> column determine whether
|
||||
packets originating on the firewall itself and destined for the EXTERNAL
|
||||
address are redirected to the internal ADDRESS. If this column contains
|
||||
<quote>yes</quote> or <quote>Yes</quote> (and the ALL INTERFACES COLUMN
|
||||
also contains <quote>Yes</quote> or <quote>yes</quote>) then such
|
||||
packets are redirected; otherwise, such packets are not redirected. The
|
||||
LOCAL column was added in version 1.1.8.</para>
|
||||
</note>
|
||||
</section>
|
||||
</article>
|
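Review bot: this removes the only copy here of two caveats a reader of /etc/shorewall/NAT needs: that the internal addresses (10.1.1.2 and 10.1.1.3 in the example) must not also appear in /etc/shorewall/masq or /etc/shorewall/proxyarp, and that with ADD_IP_ALIASES unset or Yes the administrator must not configure the alias manually. Confirm both caveats and the ALL INTERFACES / LOCAL column semantics (added in 1.1.6 and 1.1.8 according to the text, with the stated limitation that Yes in ALL INTERFACES does not let lower-LAN hosts reach each other by public address) survive in the current-revision documentation; the article id `NAT` is also a link target.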
@ -1,223 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article id="NetfilterOverview">
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Netfilter Overview</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2003-10-14</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<title>Netfilter Overview</title>
|
||||
|
||||
<para>Netfilter consists of three tables: <emphasis role="bold">Filter</emphasis>,
|
||||
<emphasis role="bold">Nat</emphasis> and <emphasis role="bold">Mangle</emphasis>.
|
||||
Each table has a number of build-in chains: <emphasis role="bold">PREROUTING</emphasis>,
|
||||
<emphasis role="bold">INPUT</emphasis>, <emphasis role="bold">FORWARD</emphasis>,
|
||||
<emphasis role="bold">OUTPUT</emphasis> and <emphasis role="bold">POSTROUTING</emphasis>.</para>
|
||||
|
||||
<para>Rules in the various tables are used as follows:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>Filter</term>
|
||||
|
||||
<listitem>
|
||||
<para>Packet filtering (rejecting, dropping or accepting packets)</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Nat</term>
|
||||
|
||||
<listitem>
|
||||
<para>Network Address Translation including DNAT, SNAT and
|
||||
Masquerading</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Mangle</term>
|
||||
|
||||
<listitem>
|
||||
<para>General packet header modification such as setting the TOS
|
||||
value or marking packets for policy routing and traffic shaping.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>The following diagram shows how packets traverse the various builtin
|
||||
chains within Netfilter. Note that not all table/chain combinations are
|
||||
used.</para>
|
||||
|
||||
<graphic fileref="images/Netfilter.png" />
|
||||
|
||||
<para><quote>Local Process</quote> means a process running on the
|
||||
Shorewall system itself.</para>
|
||||
|
||||
<para>In the above diagram are boxes similar to this:</para>
|
||||
|
||||
<graphic fileref="images/Legend.png" />
|
||||
|
||||
<para>The above box gives the name of the built-in chain (<emphasis
|
||||
role="bold">INPUT</emphasis>) along with the names of the tables (<emphasis
|
||||
role="bold">Mangle</emphasis> and <emphasis role="bold">Filter</emphasis>)
|
||||
that the chain exists in and in the order that the chains are traversed.
|
||||
The above sample indicates that packets go first through the <emphasis
|
||||
role="bold">INPUT</emphasis> chain of the <emphasis role="bold">Mangle</emphasis>
|
||||
table then through the <emphasis role="bold">INPUT</emphasis> chain of the
|
||||
<emphasis role="bold">Filter</emphasis> table. When a chain is enclosed in
|
||||
parentheses, Shorewall does not use the named chain (<emphasis role="bold">INPUT</emphasis>)
|
||||
in that table (<emphasis role="bold">Mangle</emphasis>).</para>
|
||||
|
||||
<important>
|
||||
<para>Keep in mind that chains in the <emphasis role="bold">Nat</emphasis>
|
||||
table are <emphasis role="bold">only traversed for new connection
requests</emphasis> (including those related to existing connections)
while the chains in the other tables are traversed on every packet.</para>
</important>

<para>The above diagram should help you understand the output of
<quote>shorewall status</quote>.</para>

<para>Here are some excerpts from <quote>shorewall status</quote> on a
server with one interface (eth0):</para>

<programlisting>[root@lists html]# shorewall status

Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003

Counters reset Sat Oct 11 08:12:57 PDT 2003</programlisting>

<para>The first table shown is the <emphasis role="bold">Filter</emphasis>
table.</para>

<programlisting>Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
679K 182M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
785K 93M accounting all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID</programlisting>

<para>The following rule indicates that all traffic destined for the
firewall that comes into the firewall on eth0 is passed to a chain called
<quote>eth0_in</quote>. That chain will be shown further down.</para>

<programlisting> 785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 accounting all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
679K 182M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
922K 618M accounting all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
922K 618M fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0</programlisting>

<para>Here is the eth0_in chain:</para>

<programlisting>Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
785K 93M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
785K 93M net2fw all -- * * 0.0.0.0/0 0.0.0.0/0</programlisting>

<para>The <quote>dynamic</quote> chain above is where dynamic blacklisting
is done.</para>

<para>Next comes the <emphasis role="bold">Nat</emphasis> table:</para>

<programlisting>NAT Table

Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes)
pkts bytes target prot opt in out source destination
20005 1314K net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 678K packets, 44M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 678K packets, 44M bytes)
pkts bytes target prot opt in out source destination

Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
638 32968 REDIRECT tcp -- * * 0.0.0.0/0 !206.124.146.177 tcp dpt:80 redir ports 3128
</programlisting>

<para>And finally, the <emphasis role="bold">Mangle</emphasis> table:</para>

<programlisting>Mangle Table

Chain PREROUTING (policy ACCEPT 14M packets, 2403M bytes)
pkts bytes target prot opt in out source destination
1464K 275M pretos all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 14M packets, 2403M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 15M packets, 7188M bytes)
pkts bytes target prot opt in out source destination
1601K 800M outtos all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 15M packets, 7188M bytes)
pkts bytes target prot opt in out source destination

Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
315K 311M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
683 59143 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
3667 5357K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
pkts bytes target prot opt in out source destination
271K 15M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
730 41538 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
2065 111K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08</programlisting>
</section>
</article>
@ -1,340 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="OPENVPN">
<!--$Id$-->

<articleinfo>
<title>OpenVPN Tunnels</title>

<authorgroup>
<author>
<firstname>Tom</firstname>

<surname>Eastep</surname>
</author>

<author>
<firstname>Simon</firstname>

<surname>Mater</surname>
</author>
</authorgroup>

<pubdate>2003-02-04</pubdate>

<copyright>
<year>2003</year>

<holder>Thomas M. Eastep</holder>

<holder>Simon Mater</holder>
</copyright>

<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

<para>OpenVPN is a robust and highly configurable VPN (Virtual Private
Network) daemon which can be used to securely link two or more private
networks using an encrypted tunnel over the internet. OpenVPN is an Open
Source project and is <ulink
url="http://openvpn.sourceforge.net/license.html">licensed under the GPL</ulink>.
OpenVPN can be downloaded from <ulink url="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</ulink>.</para>

<para>OpenVPN support was added to Shorewall in version 1.3.14.</para>

<section>
<title>Bridging two Masqueraded Networks</title>

<para>Suppose that we have the following situation:</para>

<graphic fileref="images/TwoNets1.png" />

<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file and the
/etc/shorewall/policy file and OpenVPN.</para>

<para>While it was possible to use the Shorewall start and stop script to
start and stop OpenVPN, I decided to use the init script of OpenVPN to
start and stop it.</para>

<para>On each firewall, you will need to declare a zone to represent the
remote subnet. We'll assume that this zone is called <quote>vpn</quote>
and declare it in /etc/shorewall/zones on both systems as follows.</para>

<table>
<title>/etc/shorewall/zones system A & B</title>

<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>

<entry align="center">DISPLAY</entry>

<entry align="center">COMMENTS</entry>
</row>
</thead>

<tbody>
<row>
<entry>vpn</entry>

<entry>VPN</entry>

<entry>Remote Subnet</entry>
</row>
</tbody>
</tgroup>
</table>

<para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis>
zone. In /etc/shorewall/interfaces:</para>

<table>
<title>etc/shorewall/interfaces system A</title>

<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>

<entry align="center">INTERFACE</entry>

<entry align="center">BROADCAST</entry>

<entry align="center">OPTIONS</entry>
</row>
</thead>

<tbody>
<row>
<entry>vpn</entry>

<entry>tun0</entry>

<entry></entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</table>

<para>In /etc/shorewall/tunnels on system A, we need the following:</para>

<table>
<title>/etc/shorewall/tunnels system A</title>

<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>

<entry align="center">ZONE</entry>

<entry align="center">GATEWAY</entry>

<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>

<tbody>
<row>
<entry>openvpn</entry>

<entry>net</entry>

<entry>134.28.54.2</entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</table>

<para>This entry in /etc/shorewall/tunnels opens the firewall so that
OpenVPN traffic on the default port 5000/udp will be accepted to/from the
remote gateway. If you change the port used by OpenVPN to 7777, you can
define /etc/shorewall/tunnels like this:</para>

<table>
<title>/etc/shorewall/tunnels port 7777</title>

<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>

<entry align="center">ZONE</entry>

<entry align="center">GATEWAY</entry>

<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>

<tbody>
<row>
<entry>openvpn:7777</entry>

<entry>net</entry>

<entry>134.28.54.2</entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</table>

<para>This is the OpenVPN config on system A:</para>

<programlisting>dev tun
local 206.162.148.9
remote 134.28.54.2
ifconfig 192.168.99.1 192.168.99.2
up ./route-a.up
tls-server
dh dh1024.pem
ca ca.crt
cert my-a.crt
key my-a.key
comp-lzo
verb 5</programlisting>

<para>Similarly, On system B the 192.168.1.0/24 subnet will comprise the
<emphasis role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>

<table>
<title>/etc/shorewall/interfaces system B</title>

<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>

<entry align="center">INTERFACE</entry>

<entry align="center">BROADCAST</entry>

<entry align="center">OPTIONS</entry>
</row>
</thead>

<tbody>
<row>
<entry>vpn</entry>

<entry>tun0</entry>

<entry>192.168.1.255</entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</table>

<para>In /etc/shorewall/tunnels on system B, we have:</para>

<table>
<title>/etc/shorewall/tunnels system B</title>

<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>

<entry align="center">ZONE</entry>

<entry align="center">GATEWAY</entry>

<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>

<tbody>
<row>
<entry>openvpn</entry>

<entry>net</entry>

<entry>206.191.148.9</entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</table>

<para>And in the OpenVPN config on system B:</para>

<programlisting>dev tun
local 134.28.54.2
remote 206.162.148.9
ifconfig 192.168.99.2 192.168.99.1
up ./route-b.up
tls-client
ca ca.crt
cert my-b.crt
key my-b.key
comp-lzo
verb 5</programlisting>

<para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone on both systems -- if you simply want to
admit all traffic in both directions, you can use the policy file:</para>

<table>
<title>/etc/shorewall/policy system A & B</title>

<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>

<entry align="center">DEST</entry>

<entry align="center">POLICY</entry>

<entry align="center">LOG LEVEL</entry>
</row>
</thead>

<tbody>
<row>
<entry>loc</entry>

<entry>vpn</entry>

<entry>ACCEPT</entry>

<entry></entry>
</row>

<row>
<entry>vpn</entry>

<entry>loc</entry>

<entry>ACCEPT</entry>

<entry></entry>
</row>
</tbody>
</tgroup>
</table>

<para>On both systems, restart Shorewall and start OpenVPN. The systems in
the two masqueraded subnetworks can now talk to each other.</para>
</section>
</article>
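Review bot: if this article is being relocated rather than dropped, carry one correction over: the GATEWAY in the "/etc/shorewall/tunnels system B" table is `206.191.148.9`, while system A's OpenVPN config says `local 206.162.148.9` and system B's says `remote 206.162.148.9`, so the tunnels entry on system B points at an address other than the real peer and the tunnel's UDP traffic from system A would not be admitted. The GATEWAY cell should read `206.162.148.9` to match the two configs.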
@ -1,201 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="ProxyARP">
<!--$Id$-->

<articleinfo>
<title>Proxy ARP</title>

<authorgroup>
<author>
<firstname>Tom</firstname>

<surname>Eastep</surname>
</author>
</authorgroup>

<pubdate>2003-11-13</pubdate>

<copyright>
<year>2001</year>

<year>2002</year>

<year>2003</year>

<holder>Thomas M. Eastep</holder>
</copyright>

<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

<para>Proxy ARP allows you to insert a firewall in front of a set of servers
without changing their IP addresses and without having to re-subnet. Before
you try to use this technique, I strongly recommend that you read the <ulink
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>.</para>

<section>
<title>Example</title>

<para>The following figure represents a Proxy ARP environment.</para>

<graphic fileref="images/proxyarp.png" />

<para>Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper
(130.252.100.*) subnet. Assuming that the upper firewall interface is eth0
and the lower interface is eth1, this is accomplished using the following
entries in /etc/shorewall/proxyarp:</para>

<table>
<title>/etc/shorewall/proxyarp</title>

<tgroup cols="4">
<thead>
<row>
<entry align="center">ADDRESS</entry>

<entry align="center">INTERFACE</entry>

<entry align="center">EXTERNAL</entry>

<entry align="center">HAVEROUTE</entry>
</row>
</thead>

<tbody>
<row>
<entry>130.252.100.18</entry>

<entry>eth1</entry>

<entry>eth0</entry>

<entry>no</entry>
</row>

<row>
<entry>130.252.100.19</entry>

<entry>eth1</entry>

<entry>eth0</entry>

<entry>no</entry>
</row>
</tbody>
</tgroup>
</table>

<para>Be sure that the internal systems (130.242.100.18 and 130.252.100.19
in the above example) are not included in any specification in
/etc/shorewall/masq or /etc/shorewall/nat.</para>

<note>
<para>I've used an RFC1918 IP address for eth1 - that IP address is
irrelevant.</para>
</note>

<para>The lower systems (130.252.100.18 and 130.252.100.19) should have
their subnet mask and default gateway configured exactly the same way that
the Firewall system's eth0 is configured. In other words, they should
be configured just like they would be if they were parallel to the
firewall rather than behind it.</para>

<warning>
<para>Do not add the Proxy ARP'ed address(es) (130.252.100.18 and
130.252.100.19 in the above example) to the external interface (eth0 in
this example) of the firewall.</para>
</warning>
</section>

<section>
<title>ARP cache</title>

<para>A word of warning is in order here. ISPs typically configure their
routers with a long ARP cache timeout. If you move a system from parallel
to your firewall to behind your firewall with Proxy ARP, it will probably
be HOURS before that system can communicate with the internet. There are a
couple of things that you can try:</para>

<orderedlist>
<listitem>
<para>A reading of <citetitle>TCP/IP Illustrated, Vol 1</citetitle> by
Stevens reveals<footnote><para>Courtesy of Bradey Honsinger</para></footnote>
that a <quote>gratuitous</quote> ARP packet should cause the ISP's
router to refresh their ARP cache (section 4.7). A gratuitous ARP is
simply a host requesting the MAC address for its own IP; in addition
to ensuring that the IP address isn't a duplicate...</para>

<blockquote>
<para>if the host sending the gratuitous ARP has just changed its
hardware address..., this packet causes any other host...that has an
entry in its cache for the old hardware address to update its ARP
cache entry accordingly.</para>
</blockquote>

<para>Which is, of course, exactly what you want to do when you switch
a host from being exposed to the Internet to behind Shorewall using
proxy ARP (or one-to-one NAT for that matter). Happily enough, recent
versions of Redhat's iputils package include <quote>arping</quote>,
whose <quote>-U</quote> flag does just that:</para>

<programlisting>arping -U -I <<emphasis>net if</emphasis>> <<emphasis>newly proxied IP</emphasis>>
arping -U -I eth0 66.58.99.83 # for example</programlisting>

<para>Stevens goes on to mention that not all systems respond
correctly to gratuitous ARPs, but googling for <quote>arping -U</quote>
seems to support the idea that it works most of the time.</para>

<para>To use arping with Proxy ARP in the above example, you would
have to:</para>

<programlisting>shorewall clear
ip addr add 130.252.100.18 dev eth0
ip addr add 130.252.100.19 dev eth0
arping -U -I eth0 130.252.100.18
arping -U -I eth0 130.252.100.19
ip addr del 130.252.100.18 dev eth0
ip addr del 130.252.100.19 dev eth0
shorewall start</programlisting>
</listitem>

<listitem>
<para>You can call your ISP and ask them to purge the stale ARP cache
entry but many either can't or won't purge individual entries.</para>
</listitem>
</orderedlist>

<para>You can determine if your ISP's gateway ARP cache is stale using
ping and tcpdump. Suppose that we suspect that the gateway router has a
stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as
follows:</para>

<programlisting>tcpdump -nei eth0 icmp</programlisting>

<para>Now from 130.252.100.19, ping the ISP's gateway (which we will
assume is 130.252.100.254):</para>

<programlisting>ping 130.252.100.254</programlisting>

<para>We can now observe the tcpdump output:</para>

<programlisting>13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)
13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply</programlisting>

<para>Notice that the source MAC address in the echo request is different
from the destination MAC address in the echo reply!! In this case
0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
0:c0:a8:50:b2:57 was the MAC address of the system on the lower left. In
other words, the gateway's ARP cache still associates 130.252.100.19
with the NIC in that system rather than with the firewall's eth0.</para>
</section>
</article>
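Review bot: two defects in this article are worth carrying over if the text is being moved rather than removed. The paragraph after the proxyarp table says `130.242.100.18` where the table and every other paragraph use 130.252.100.18, and the second tcpdump line shows the echo reply addressed to `130.252.100.177` although the request came from 130.252.100.19; since the paragraph's point is that the same IP is mapped to two different MACs, the reply's destination IP should be 130.252.100.19 for the example to support it.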
@ -1,87 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Shorewall_Doesnt">
<!--$Id$-->

<articleinfo>
<title>Some Things that Shorewall Cannot Do</title>

<author>
<firstname>Tom</firstname>

<surname>Eastep</surname>
</author>

<pubdate>2004-03-05</pubdate>

<copyright>
<year>2003</year>

<year>2004</year>

<holder>Thomas M Eastep</holder>
</copyright>

<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

<section>
<title>Shorewall Cannot:</title>

<itemizedlist>
<listitem>
<para>Be used to filter traffic through a Layer 2 Bridge (although
experimental Shorewall Bridge code is available — check <ulink
url="2.0/bridge.html">here</ulink> for details).</para>
</listitem>

<listitem>
<para>Act as a <quote>Personal Firewall</quote> that allows internet
access by application.</para>
</listitem>

<listitem>
<para>Be used with an Operating System other than Linux (version
>= 2.4.0)</para>
</listitem>

<listitem>
<para>Do content filtering:</para>

<itemizedlist>
<listitem>
<para>HTTP - better to use <ulink url="Shorewall_Squid_Usage.html">Squid</ulink>
for that.</para>
</listitem>

<listitem>
<para>Email -- Install something like <ulink
url="http://www.postfix.org">Postfix</ulink> on your firewall and
integrate it with <ulink url="http://www.spamassassin.org/">SpamAssassin</ulink>
and <ulink url="http://www.ijs.si/software/amavisd/">Amavisd-new</ulink>.</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
</section>

<section>
<title>In Addition:</title>

<itemizedlist>
<listitem>
<para>Shorewall does not contain any support for Netfilter <ulink
url="http://www.netfilter.org/documentation/pomlist/pom-summary.html">Patch-O-Matic</ulink>
features -- Shorewall only supports features from released kernels.</para>
</listitem>
</itemizedlist>
</section>
</article>
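Review bot: the `<ulink url="Shorewall_Squid_Usage.html">` in the HTTP list item targets the file removed in the following hunk (`<article id="Shorewall_Squid_Usage">`), and the Bridge item links to the relative path `2.0/bridge.html`; if either article is being relocated rather than deleted, both links need to be updated to the new locations in the same change, otherwise they will dangle wherever this text reappears.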
@ -1,317 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Shorewall_Squid_Usage">
<!--$Id$-->

<articleinfo>
<title>Using Shorewall with Squid</title>

<authorgroup>
<author>
<firstname>Tom</firstname>

<surname>Eastep</surname>
</author>
</authorgroup>

<pubdate>2004-04-19</pubdate>

<copyright>
<year>2003-2004</year>

<holder>Thomas M. Eastep</holder>
</copyright>

<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

<para></para>

<para>This page covers Shorewall configuration to use with <ulink
url="http://www.squid-cache.org">Squid</ulink> running as a Transparent
Proxy or as a Manual Proxy.</para>

<para>If you are running Shorewall 1.3, please see <ulink
url="1.3/Shorewall_Squid_Usage.html">this documentation</ulink>.</para>

<section>
<title>Squid as a Transparent Proxy</title>

<caution>
<para>Please observe the following general requirements:</para>

<itemizedlist>
<listitem>
<para>In all cases, Squid should be configured to run as a transrent
proxy as described at
http://tldp.org/HOWTO/mini/TransparentProxy.html.</para>
</listitem>

<listitem>
<para>The following instructions mention the files
/etc/shorewall/start and /etc/shorewall/init -- if you don't
have those files, siimply create them.</para>
</listitem>

<listitem>
<para>When the Squid server is in the DMZ zone or in the local zone,
that zone must be defined ONLY by its interface -- no
/etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP
addresses.</para>
</listitem>

<listitem>
<para>You must have iptables installed on your Squid server.</para>
</listitem>

<listitem>
<para>If you run a Shorewall version earlier than 1.4.6, you must
have NAT and MANGLE enabled in your /etc/shorewall/conf file</para>

<programlisting>NAT_ENABLED=Yes
MANGLE_ENABLED=Yes</programlisting>
</listitem>
</itemizedlist>
</caution>
</section>

<section>
<title>Configurations</title>

<para>Three different configurations are covered:</para>

<simplelist>
<member>Squid (transparent) Running on the Firewall</member>

<member>Squid (transparent) Running in the local Network</member>

<member>Squid (transparent) Running in a DMZ</member>
</simplelist>

<section id="Firewall">
<title>Squid (transparent) Running on the Firewall</title>

<para>You want to redirect all local www connection requests EXCEPT
those to your own http server (206.124.146.177) to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid will of
course require access to remote web servers.</para>

<para>In <filename>/etc/shorewall/rules</filename>:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
REDIRECT loc 3228 tcp www - !206.124.146.177
ACCEPT fw net tcp www</programlisting>

<para>There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want
requests destined for 130.252.100.0/24 to not be routed to Squid.</para>

<para>If you are running Shorewall version 1.4.5 or later, you may just
add the additional hosts/networks to the ORIGINAL DEST column in your
REDIRECT rule.</para>

<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
REDIRECT loc 3228 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>

<para>If you are running a Shorewall version earlier than 1.4.5, you
must add a manual rule in /etc/shorewall/start:</para>

<programlisting><command>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN</command></programlisting>

<para>To exclude additional hosts or networks, just add additional
similar rules.</para>
</section>

<section id="Local">
<title>Squid (transparent) Running in the local network</title>

<para>You want to redirect all local www connection requests to a Squid
transparent proxy running in your local zone at 192.168.1.3 and
listening on port 3128. Your local interface is eth1. There may also be
a web server running on 192.168.1.3. It is assumed that web access is
already enabled from the local zone to the internet..</para>

<orderedlist>
<listitem>
<para>* On your firewall system, issue the following command</para>

<programlisting><command>echo 202 www.out >> /etc/iproute2/rt_tables</command></programlisting>
</listitem>

<listitem>
<para>In /etc/shorewall/init, put:</para>

<programlisting><command>if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark CA table www.out # Note 0xCA = 202
ip route add default via 192.168.1.3 dev eth1 table www.out
ip route flush cache
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
fi</command></programlisting>
</listitem>

<listitem>
<important>
<para>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a,
please upgrade to Shorewall 1.4.2 or later.</para>
</important>

<para>If you are running Shorewall 1.4.2 or later, then in
<filename>/etc/shorewall/interfaces</filename>:</para>

<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 detect <emphasis role="bold">routeback</emphasis> </programlisting>
</listitem>

<listitem>
<para>In /etc/shorewall/rules:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc loc tcp www</programlisting>

<orderedlist numeration="loweralpha">
<listitem>
<para>Alternativfely, if you are running Shorewall 1.4.0 you can
have the following policy in place of the above rule.</para>

<para><filename>/etc/shorewall/policy</filename></para>

<programlisting>#SOURCE DESTINATION POLICY
loc loc ACCEPT</programlisting>
</listitem>
</orderedlist>
</listitem>

<listitem>
<para>In <filename>/etc/shorewall/start</filename> add:</para>

<programlisting><command>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</command></programlisting>
</listitem>

<listitem>
<para>On 192.168.1.3, arrange for the following command to be
executed after networking has come up</para>

<programlisting><command>iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</command></programlisting>

<para>If you are running RedHat on the server, you can simply
execute the following commands after you have typed the iptables
command above:</para>

<programlisting><command>iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables on</command></programlisting>
</listitem>
</orderedlist>
</section>

<section id="DMZ">
<title>Squid (transparent) Running in the DMZ</title>

<para>You have a single Linux system in your DMZ with IP address
192.0.2.177. You want to run both a web server and Squid on that system.
Your DMZ interface is eth1 and your local interface is eth2.</para>

<orderedlist>
<listitem>
<para>On your firewall system, issue the following command</para>

<programlisting><command>echo 202 www.out >> /etc/iproute2/rt_tables</command></programlisting>
</listitem>

<listitem>
<para>In /etc/shorewall/init, put:</para>

<programlisting><command>if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark CA table www.out # Note 0xCA = 202
ip route add default via 192.0.2.177 dev eth1 table www.out
ip route flush cache
fi</command></programlisting>
</listitem>

<listitem>
<para>Do <emphasis role="bold">one</emphasis> of the following:</para>

<orderedlist numeration="loweralpha">
<listitem>
<para>In <filename>/etc/shorewall/start</filename> add</para>

<programlisting><command>iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</command></programlisting>
</listitem>

<listitem>
<para>Set MARK_IN_FORWARD_CHAIN=No in <filename>/etc/shorewall/shorewall.conf</filename>
and add the following entry in <filename>/etc/shorewall/tcrules</filename>:</para>

<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT
|
||||
202 eth2 0.0.0.0 tcp 80</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Run Shorewall 1.3.14 or later and add the following entry
|
||||
in <filename>/etc/shorewall/tcrules</filename>:</para>
|
||||
|
||||
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT
|
||||
202:P eth2 0.0.0.0 tcp 80</programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>In <filename>/etc/shorewall/rules</filename>, you will need:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT loc dmz tcp 80
|
||||
ACCEPT dmz net tcp 80</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>On 192.0.2.177 (your Web/Squid server), arrange for the
|
||||
following command to be executed after networking has come up</para>
|
||||
|
||||
<programlisting><command>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</command></programlisting>
|
||||
|
||||
<para>If you are running RedHat on the server, you can simply
|
||||
execute the following commands after you have typed the iptables
|
||||
command above:</para>
|
||||
|
||||
<programlisting><command>iptables-save > /etc/sysconfig/iptables
|
||||
chkconfig --level 35 iptables on</command></programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Squid as a Manual Proxy</title>
|
||||
|
||||
<para>Assume that Squid is running in zone SZ and listening on port SP;
|
||||
all web sites that are to be accessed through Squid are in the
|
||||
<quote>net</quote> zone. Then for each zone Z that needs access to the
|
||||
Squid server.</para>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT Z SZ tcp SP
|
||||
ACCEPT SZ net tcp 80</programlisting>
|
||||
|
||||
<example>
|
||||
<title>Squid on the firewall listening on port 8080 with access from the
|
||||
<quote>loc</quote> zone:</title>
|
||||
|
||||
<para><filename>/etc/shorewall/rules:</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT loc fw tcp 8080
|
||||
ACCEPT fw net tcp 80</programlisting></para>
|
||||
</example>
|
||||
</section>
|
||||
</article>
|
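Review bot: the deletion drops `<section id="DMZ">` and the three Squid variants (routeback, MARK/tcrules, manual proxy) without the commit message saying where that material now lives; "no longer in the current revision" does not tell a reader whether it was moved or abandoned. Before merging, confirm that no remaining document carries an xref or ulink to the DMZ anchor or to this article, and if the content was relocated, name the new file in the commit message. Worth preserving wherever it went: the ordering requirement that the `QUEUE`-style mangle rule in /etc/shorewall/start is evaluated before the loc→dmz ACCEPT rule, and the note that the transparent proxy provides no filtering of its own.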
@ -1,582 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article id="Shorewall_and_Aliased_Interfaces">
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Shorewall and Aliased Interfaces</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2003-11-13</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001</year>
|
||||
|
||||
<year>2002</year>
|
||||
|
||||
<year>2003</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<title>Background</title>
|
||||
|
||||
<para>The traditional net-tools contain a program called
|
||||
<emphasis>ifconfig</emphasis> which is used to configure network devices.
|
||||
ifconfig introduced the concept of <emphasis>aliased</emphasis> or
|
||||
<emphasis>virtual</emphasis> interfaces. These virtual interfaces have
|
||||
names of the form <emphasis>interface:integer</emphasis> (e.g., eth0:0)
|
||||
and ifconfig treats them more or less like real interfaces.</para>
|
||||
|
||||
<example>
|
||||
<title>ifconfig</title>
|
||||
|
||||
<programlisting>[root@gateway root]# ifconfig eth0:0
|
||||
eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55
|
||||
inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0
|
||||
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
|
||||
Interrupt:11 Base address:0x2000
|
||||
[root@gateway root]# </programlisting>
|
||||
</example>
|
||||
|
||||
<para>The ifconfig utility is being gradually phased out in favor of the
|
||||
ip utility which is part of the <emphasis>iproute</emphasis> package. The
|
||||
ip utility does not use the concept of aliases or virtual interfaces but
|
||||
rather treats additional addresses on an interface as objects in their own
|
||||
right. The ip utility does provide for interaction with ifconfig in that
|
||||
it allows addresses to be <emphasis>labeled</emphasis> where these labels
|
||||
take the form of ipconfig virtual interfaces.</para>
|
||||
|
||||
<example>
|
||||
<title>ip</title>
|
||||
|
||||
<programlisting>[root@gateway root]# ip addr show dev eth0
|
||||
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
|
||||
link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
|
||||
inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
|
||||
inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
|
||||
[root@gateway root]# </programlisting>
|
||||
|
||||
<para><note><para>One <emphasis role="bold">cannot</emphasis> type
|
||||
<quote>ip addr show dev eth0:0</quote> because <quote>eth0:0</quote> is
|
||||
a label for a particular address rather than a device name.</para><programlisting>[root@gateway root]# ip addr show dev eth0:0
|
||||
Device "eth0:0" does not exist.
|
||||
[root@gateway root]#</programlisting></note></para>
|
||||
</example>
|
||||
|
||||
<para>The iptables program doesn't support virtual interfaces in
|
||||
either it's <quote>-i</quote> or <quote>-o</quote> command options; as
|
||||
a consequence, Shorewall does not allow them to be used in the
|
||||
/etc/shorewall/interfaces file or anywhere else except as described in the
|
||||
discussion below.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Adding Addresses to Interfaces</title>
|
||||
|
||||
<para>Most distributions have a facility for adding additional addresses
|
||||
to interfaces. If you have already used your distribution's capability
|
||||
to add your required addresses, you can skip this section.</para>
|
||||
|
||||
<para>Shorewall provides facilities for automatically adding addresses to
|
||||
interfaces as described in the following section. It is also easy to add
|
||||
them yourself using the <emphasis role="bold">ip</emphasis> utility. The
|
||||
above alias was added using:</para>
|
||||
|
||||
<programlisting>ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0</programlisting>
|
||||
|
||||
<para>You probably want to arrange to add these addresses when the device
|
||||
is started rather than placing commands like the above in one of the
|
||||
Shorewall extension scripts. For example, on RedHat systems, you can place
|
||||
the commands in /sbin/ifup-local:</para>
|
||||
|
||||
<programlisting>#!/bin/sh
|
||||
|
||||
case $1 in
|
||||
eth0)
|
||||
/sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0
|
||||
;;
|
||||
esac</programlisting>
|
||||
|
||||
<para>RedHat systems also allow adding such aliases from the network
|
||||
administration GUI (which only works well if you have a graphical
|
||||
environment on your firewall).</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>So how do I handle more than one address on an interface?</title>
|
||||
|
||||
<para>The answer depends on what you are trying to do with the interfaces.
|
||||
In the sub-sections that follow, we'll take a look at common
|
||||
scenarios.</para>
|
||||
|
||||
<section>
|
||||
<title>Separate Rules</title>
|
||||
|
||||
<para>If you need to make a rule for traffic to/from the firewall itself
|
||||
that only applies to a particular IP address, simply qualify the $FW
|
||||
zone with the IP address.</para>
|
||||
|
||||
<example>
|
||||
<title>allow SSH from net to eth0:0 above</title>
|
||||
|
||||
<para><table><title>/etc/shorewall/rules</title><tgroup cols="7"><thead><row><entry
|
||||
align="center">ACTION</entry><entry align="center">SOURCE</entry><entry
|
||||
align="center">DESTINATION</entry><entry align="center">PROTOCOL</entry><entry
|
||||
align="center">PORT(S)</entry><entry align="center">SOURCE PORT(S)</entry><entry
|
||||
align="center">ORIGINAL DESTINATION</entry></row></thead><tbody><row><entry>ACCEPT</entry><entry>net</entry><entry>$FW:206.124.146.178</entry><entry>tcp</entry><entry>22</entry><entry></entry><entry></entry></row></tbody></tgroup></table></para>
|
||||
</example>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>DNAT</title>
|
||||
|
||||
<para>Suppose that I had set up eth0:0 as above and I wanted to port
|
||||
forward from that virtual interface to a web server running in my local
|
||||
zone at 192.168.1.3. That is accomplised by a single rule in the
|
||||
/etc/shorewall/rules file:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/rules</title>
|
||||
|
||||
<tgroup cols="7">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ACTION</entry>
|
||||
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
|
||||
<entry align="center">PORT(S)</entry>
|
||||
|
||||
<entry align="center">SOURCE PORT(S)</entry>
|
||||
|
||||
<entry align="center">ORIGINAL DESTINATION</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>DNAT</entry>
|
||||
|
||||
<entry>net</entry>
|
||||
|
||||
<entry>loc:192.168.1.3</entry>
|
||||
|
||||
<entry>tcp</entry>
|
||||
|
||||
<entry>80</entry>
|
||||
|
||||
<entry>-</entry>
|
||||
|
||||
<entry>206.124.146.178</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>SNAT</title>
|
||||
|
||||
<para>If you wanted to use eth0:0 as the IP address for outbound
|
||||
connections from your local zone (eth1), then in /etc/shorewall/masq:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/masq</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">SUBNET</entry>
|
||||
|
||||
<entry align="center">ADDRESS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>eth0</entry>
|
||||
|
||||
<entry>eth1</entry>
|
||||
|
||||
<entry>206.124.146.178</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>Shorewall can create the alias (additional address) for you if you
|
||||
set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning
|
||||
with Shorewall 1.3.14, Shorewall can actually create the <quote>label</quote>
|
||||
(virtual interface) so that you can see the created address using
|
||||
ifconfig. In addition to setting ADD_SNAT_ALIASES=Yes, you specify the
|
||||
virtual interface name in the INTERFACE column as follows:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/masq</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">SUBNET</entry>
|
||||
|
||||
<entry align="center">ADDRESS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>eth0:0</entry>
|
||||
|
||||
<entry>eth1</entry>
|
||||
|
||||
<entry>206.124.146.178</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>Shorewall can also set up SNAT to round-robin over a range of IP
|
||||
addresses. Do do that, you specify a range of IP addresses in the
|
||||
ADDRESS column. If you specify a label in the INTERFACE column,
|
||||
Shorewall will use that label for the first address of the range and
|
||||
will increment the label by one for each subsequent label.</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/masq</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">SUBNET</entry>
|
||||
|
||||
<entry align="center">ADDRESS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>eth0:0</entry>
|
||||
|
||||
<entry>eth1</entry>
|
||||
|
||||
<entry>206.124.146.178-206.124.146.180</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>The above would create three IP addresses:</para>
|
||||
|
||||
<programlisting>eth0:0 = 206.124.146.178
|
||||
eth0:1 = 206.124.146.179
|
||||
eth0:2 = 206.124.146.180</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>One-to-one NAT</title>
|
||||
|
||||
<para>If you wanted to use one-to-one NAT to link eth0:0 with local
|
||||
address 192.168.1.3, you would have the following in /etc/shorewall/nat:<table><title>/etc/shorewall/nat</title><tgroup
|
||||
cols="5"><thead><row><entry align="center">EXTERNAL</entry><entry
|
||||
align="center">INTERFACE</entry><entry align="center">INTERNAL</entry><entry
|
||||
align="center">ALL INTERFACES</entry><entry align="center">LOCAL</entry></row></thead><tbody><row><entry>206.124.146.178</entry><entry>eth0</entry><entry>192.168.1.3</entry><entry>no</entry><entry>no</entry></row></tbody></tgroup></table></para>
|
||||
|
||||
<para>Shorewall can create the alias (additional address) for you if you
|
||||
set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
|
||||
Shorewall 1.3.14, Shorewall can actually create the <quote>label</quote>
|
||||
(virtual interface) so that you can see the created address using
|
||||
ifconfig. In addition to setting ADD_IP_ALIASES=Yes, you specify the
|
||||
virtual interface name in the INTERFACE column as follows:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/nat</title>
|
||||
|
||||
<tgroup cols="5">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">EXTERNAL</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">INTERNAL</entry>
|
||||
|
||||
<entry align="center">ALL INTERFACES</entry>
|
||||
|
||||
<entry align="center">LOCAL</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>206.124.146.178</entry>
|
||||
|
||||
<entry>eth0:0</entry>
|
||||
|
||||
<entry>192.168.1.3</entry>
|
||||
|
||||
<entry>no</entry>
|
||||
|
||||
<entry>no</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>In either case, to create rules that pertain only to this NAT
|
||||
pair, you simply qualify the local zone with the internal IP address.</para>
|
||||
|
||||
<example>
|
||||
<title>You want to allow SSH from the net to 206.124.146.178 a.k.a.
|
||||
192.168.1.3.</title>
|
||||
|
||||
<para><table><title>/etc/shorewall/rules</title><tgroup cols="7"><thead><row><entry
|
||||
align="center">ACTION</entry><entry align="center">SOURCE</entry><entry
|
||||
align="center">DESTINATION</entry><entry align="center">PROTOCOL</entry><entry
|
||||
align="center">PORT(S)</entry><entry align="center">SOURCE PORT(S)</entry><entry
|
||||
align="center">ORIGINAL DESTINATION</entry></row></thead><tbody><row><entry>ACCEPT</entry><entry>net</entry><entry>loc:192.168.1.3</entry><entry>tcp</entry><entry>22</entry><entry></entry><entry></entry></row></tbody></tgroup></table></para>
|
||||
</example>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>MULTIPLE SUBNETS</title>
|
||||
|
||||
<para>Sometimes multiple IP addresses are used because there are
|
||||
multiple subnetworks configured on a LAN segment. This technique does
|
||||
not provide for any security between the subnetworks if the users of the
|
||||
systems have administrative privileges because in that case, the users
|
||||
can simply manipulate their system's routing table to bypass your
|
||||
firewall/router. Nevertheless, there are cases where you simply want to
|
||||
consider the LAN segment itself as a zone and allow your firewall/router
|
||||
to route between the two subnetworks.</para>
|
||||
|
||||
<example>
|
||||
<title>Local interface eth1 interfaces to 192.168.1.0/24 and
|
||||
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
|
||||
eth1:0 is 192.168.20.254. You want to simply route all requests
|
||||
between the two subnetworks.</title>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>If you are running Shorewall 1.4.1 or Later</term>
|
||||
|
||||
<listitem>
|
||||
<para>In /etc/shorewall/interfaces:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/interfaces</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>-</entry>
|
||||
|
||||
<entry>eth1</entry>
|
||||
|
||||
<entry>192.168.1.255,192.168.20.255</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>In /etc/shorewall/hosts:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/hosts</title>
|
||||
|
||||
<tgroup cols="3">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">HOSTS</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>eth1:192.168.1.0/24</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>eth1:192.168.20.0/24</entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<note>
|
||||
<para>You do NOT need any entry in /etc/shorewall/policy as
|
||||
Shorewall 1.4.1 and later releases default to allowing
|
||||
intra-zone traffic.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>If you are running Shorewall 1.4.0 or earlier</term>
|
||||
|
||||
<listitem>
|
||||
<para>In /etc/shorewall/interfaces:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/interfaces</title>
|
||||
|
||||
<tgroup cols="4">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ZONE</entry>
|
||||
|
||||
<entry align="center">INTERFACE</entry>
|
||||
|
||||
<entry align="center">BROADCAST</entry>
|
||||
|
||||
<entry align="center">OPTIONS</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>-</entry>
|
||||
|
||||
<entry>eth1</entry>
|
||||
|
||||
<entry>192.168.1.255,192.168.20.255</entry>
|
||||
|
||||
<entry><xref linkend="multiple_subnets-ex1-n1" /></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<note id="multiple_subnets-ex1-n1">
|
||||
<para>If you are running Shorewall 1.3.10 or earlier then you
|
||||
must specify the <emphasis role="bold">multi</emphasis>
|
||||
option.</para>
|
||||
</note>
|
||||
|
||||
<para>In /etc/shorewall/policy:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/policy</title>
|
||||
|
||||
<tgroup cols="5">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">POLICY</entry>
|
||||
|
||||
<entry align="center">LOG LEVEL</entry>
|
||||
|
||||
<entry align="center">BURST:LIMIT</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>loc</entry>
|
||||
|
||||
<entry>ACCEPT</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</example>
|
||||
|
||||
<example>
|
||||
<title>Local interface eth1 interfaces to 192.168.1.0/24 and
|
||||
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
|
||||
eth1:0 is 192.168.20.254. You want to make these subnetworks into
|
||||
separate zones and control the access between them (the users of the
|
||||
systems do not have administrative privileges).</title>
|
||||
|
||||
<para>In /etc/shorewall/zones:<table><title>etc/shorewall/zones</title><tgroup
|
||||
cols="3"><thead><row><entry align="center">ZONE</entry><entry
|
||||
align="center">DISPLAY</entry><entry align="center">DESCRIPTION</entry></row></thead><tbody><row><entry>loc</entry><entry>Local</entry><entry>Local
|
||||
Zone 1</entry></row><row><entry>loc2</entry><entry>Local2</entry><entry>Local
|
||||
Zone 2</entry></row></tbody></tgroup></table></para>
|
||||
|
||||
<para>In /etc/shorewall/interfaces:<table><title>/etc/shorewall/interfaces</title><tgroup
|
||||
cols="4"><thead><row><entry align="center">ZONE</entry><entry
|
||||
align="center">INTERFACE</entry><entry align="center">BROADCAST</entry><entry
|
||||
align="center">OPTIONS</entry></row></thead><tbody><row><entry>-</entry><entry>eth1</entry><entry>192.168.1.255,192.168.20.255</entry><entry><xref
|
||||
linkend="multiple_subnets-ex2-n1" /></entry></row></tbody></tgroup></table><note
|
||||
id="multiple_subnets-ex2-n1"><para>If you are running Shorewall 1.3.10
|
||||
or earlier then you must specify the <emphasis role="bold">multi</emphasis>
|
||||
option.</para></note></para>
|
||||
|
||||
<para>In /etc/shorewall/hosts:<table><title>/etc/shorewall/hosts</title><tgroup
|
||||
cols="3"><thead><row><entry align="center">ZONE</entry><entry
|
||||
align="center">HOSTS</entry><entry align="center">OPTIONS</entry></row></thead><tbody><row><entry>loc</entry><entry>eth1:192.168.1.0/24</entry><entry></entry></row><row><entry>loc2</entry><entry>eth1:192.168.20.0/24</entry><entry></entry></row></tbody></tgroup></table></para>
|
||||
|
||||
<para>In /etc/shorewall/rules, simply specify ACCEPT rules for the
|
||||
traffic that you want to permit.</para>
|
||||
</example>
|
||||
</section>
|
||||
</section>
|
||||
</article>
|
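Review bot: removing this file also removes the xref targets `multiple_subnets-ex1-n1` and `multiple_subnets-ex2-n1` and the article id `Shorewall_and_Aliased_Interfaces`; the internal `<xref linkend=...>` uses die with the file, but any other document or external page linking to those ids will break, so please check the remaining docs for references before merging. If the content is being relocated rather than dropped, the MULTIPLE SUBNETS caveat (two subnets on one LAN segment give no isolation when users can edit their own routing table, so treating them as separate zones only makes sense when users lack administrative privileges) is the part most worth carrying over, since it is the only security-relevant guidance in the article.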
@ -1,61 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article id="Shorewall_and_Kazaa">
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Kazaa Filtering</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-02-04</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003-2004</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<para>Beginning with Shorewall version 1.4.8, Shorewall can interface to
|
||||
ftwall. <emphasis role="bold">ftwall</emphasis> is part of the <ulink
|
||||
url="http://p2pwall.sourceforge.net">p2pwall project</ulink> and is a
|
||||
user-space filter for applications based on the <quote>Fast Track</quote>
|
||||
peer to peer protocol. Applications using this protocol include Kazaa,
|
||||
KazaaLite, iMash and Grokster.</para>
|
||||
|
||||
<para>To filter traffic from your <quote>loc</quote> zone with ftwall, you
|
||||
insert the following rules <emphasis role="bold">near the top</emphasis> of
|
||||
your /etc/shorewall/rules file (before any ACCEPT rules whose source is the
|
||||
<quote>loc</quote> zone).</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO
|
||||
QUEUE loc net tcp
|
||||
QUEUE loc net udp
|
||||
QUEUE loc fw udp</programlisting>
|
||||
|
||||
<para>Now simply configure ftwall as described in the ftwall documentation
|
||||
and restart Shorewall.</para>
|
||||
|
||||
<tip>
|
||||
<para>There are ftwall init scripts for use with <trademark>SuSE</trademark>
|
||||
and <trademark>Debian</trademark> Linux at <ulink
|
||||
url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para>
|
||||
</tip>
|
||||
</article>
|
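Review bot: this hunk removes the only place that documents the ftwall integration and its placement rule ("near the top of your /etc/shorewall/rules file, before any ACCEPT rules whose source is the loc zone"); that rule matters because a QUEUE entry placed after a matching ACCEPT never sees the traffic and the filter is silently bypassed. If the material has a new home, the commit message should say so, and the contrib URL for the SuSE/Debian init scripts should move with it; if it is being retired, consider a one-line pointer in the release notes so users of the documented QUEUE rules know the guidance was withdrawn rather than lost.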
@ -1,209 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article id="UserSets">
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Controlling Output Traffic by UID/GID</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2003-09-19</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<title>Overview</title>
|
||||
|
||||
<para>This capability was added in Shorewall release 1.4.7.</para>
|
||||
|
||||
<para>Netfilter provides the capability to filter packets generated on the
|
||||
firewall system by User Id and/or Group Id. Shorewall provides two
|
||||
separate but related ways to use this Netfilter capability:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Shorewall allows you to define collections of users called
|
||||
<quote><link linkend="UserSet">User Sets</link></quote> and then to
|
||||
restrict certain rules in /etc/shorewall/rules to a given User Set.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Shorewall also allows you to restrict a given <link
|
||||
linkend="Rule">rule</link> to a particular user and/or group.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Since only packets created by programs running on the Shorewall box
|
||||
itself, only rules whose SOURCE is the firewall ($FW) may be restricted
|
||||
using either of the facilities.</para>
|
||||
</section>
|
||||
|
||||
<section id="UserSet">
|
||||
<title>User Sets</title>
|
||||
|
||||
<para>Given the way that this facility is implemented in Shorewall, it is
|
||||
not possible to control logging of individual rules using a User Set and
|
||||
logging is rather specified on the User Set itself.</para>
|
||||
|
||||
<para>User Sets are defined in the /etc/shorewall/usersets file. Columns
|
||||
in that file include:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>USERSET</term>
|
||||
|
||||
<listitem>
|
||||
<para>The name of a User Set. Must be a legal shell identifier of no
|
||||
more than six (6) characters in length.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>REJECT</term>
|
||||
|
||||
<listitem>
|
||||
<para>Log level for connections rejected for this User Set.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>ACCEPT</term>
|
||||
|
||||
<listitem>
|
||||
<para>Log level for connections accepted for this User Set.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DROP</term>
|
||||
|
||||
<listitem>
|
||||
<para>Log level for connections dropped for this User Set.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>In the REJECT and ACCEPT columns, if you don't want to specify a
|
||||
value in the column but you want to specify a value in a following column,
|
||||
you may enter <quote>-</quote>.</para>
|
||||
|
||||
<para>Users and/or groups are added to User Sets using the
|
||||
/etc/shorewall/users file. Columns in that file are:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>USERSET</term>
|
||||
|
||||
<listitem>
|
||||
<para>The name of a User Set defined in /etc/shorewall/usersets.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>USER</term>
|
||||
|
||||
<listitem>
|
||||
<para>The name of a user defined on the system or a user number.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>GROUP</term>
|
||||
|
||||
<listitem>
|
||||
<para>The name of a group defined on the system or a number.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>Only one of the USER and GROUP column needs to be non-empty. If you
|
||||
wish to specify a GROUP but not a USER, enter <quote>-</quote> in the user
|
||||
column.</para>
|
||||
|
||||
<para>If both USER and GROUP are specified then only programs running
|
||||
under that USER:GROUP pair will match rules specifying the User Set named
|
||||
in the USERSET column.</para>
|
||||
|
||||
<para>Once a user set has been defined, its name may be placed in the USER
|
||||
SET column of the /etc/shorewall/rules file.</para>
|
||||
|
||||
<important>
|
||||
<para>When the name of a user set is given in the USER SET column, you
|
||||
may not include a log level in the ACTION column; logging of such rules
|
||||
is governed solely by the user set's definition in the
|
||||
/etc/shorewall/userset file.</para>
|
||||
</important>
|
||||
|
||||
<example>
|
||||
<title>You want members of the <quote>admin</quote> group and
|
||||
<quote>root</quote> to be able to use ssh on the firewall to connect to
|
||||
local systems. You want to log all connections accepted for these users
|
||||
using syslog at the <quote>info</quote> level.</title>
|
||||
|
||||
<para>/etc/shorewall/usersets</para>
|
||||
|
||||
<programlisting>#USERSET REJECT ACCEPT DROP
|
||||
admins - info</programlisting>
|
||||
|
||||
<para>/etc/shorewall/users</para>
|
||||
|
||||
<programlisting>#USERSET USER GROUP
|
||||
admins - admin
|
||||
admins root</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER
|
||||
# PORT(S) DESTINATION SET
|
||||
|
||||
ACCEPT $FW loc tcp 22 - - - admins</programlisting>
|
||||
</example>
|
||||
</section>
|
||||
|
||||
<section id="Rule">
|
||||
<title>Restricting a rule to a particular user and/or group</title>
|
||||
|
||||
<para>In cases where you may want to restrict a rule to a particular user
|
||||
and/or group, the USER SET column in the rules file may be specified as:</para>
|
||||
|
||||
<programlisting>[ <<emphasis>user name or number</emphasis>> ] : [ <<emphasis>group name or number</emphasis>> ]</programlisting>
|
||||
|
||||
<para>When a user and/or group name is given in the USER SET column, it is
|
||||
OK to specify a log level in the ACTION column.</para>
|
||||
|
||||
<example>
|
||||
<title>You want user <emphasis role="bold">mail</emphasis> to be able to
|
||||
send email from the firewall to the local net zone</title>
|
||||
|
||||
<para>/etc/shorewall/rules (be sure to note the <quote>:</quote> in the
|
||||
USER SET column entry).</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER
|
||||
# PORT(S) DESTINATION SET
|
||||
|
||||
ACCEPT $FW loc tcp 25 - - - mail:</programlisting>
|
||||
</example>
|
||||
</section>
|
||||
</article>
|
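Review bot: three constraints stated only in this deleted article need a home before the file goes: a User Set name must be a shell identifier of at most six characters, a rule that names a user set in the USER SET column may not carry a log level in ACTION (logging is governed solely by the set's REJECT/ACCEPT/DROP columns), and the `user:group` form in the USER SET column does allow a log level. The deleted text was also internally inconsistent, calling the file /etc/shorewall/userset in the important block but /etc/shorewall/usersets in the column description and the example; if any of this is moved rather than dropped, the file name should be corrected on the way.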
@ -1,185 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article>
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>User-defined Actions</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2003-01-29</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003-2004</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<para>Prior to Shorewall version 1.4.9, rules in <filename>/etc/shorewall/rules</filename>
|
||||
were limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.).
|
||||
Beginning with Shorewall version 1.4.9, users may use sequences of these
|
||||
elementary operations to define more complex actions.</para>
|
||||
|
||||
<para>To define a new action:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Add a line to <filename><filename>/etc/shorewall/actions</filename></filename>
|
||||
that names your new action. Action names must be valid shell variable
|
||||
names as well as valid Netfilter chain names. It is recommended that the
|
||||
name you select for a new action begins with with a capital letter; that
|
||||
way, the name won't conflict with a Shorewall-defined chain name.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Once you have defined your new action name (ActionName), then copy
|
||||
/etc/shorewall/action.template to <filename>/etc/shorewall/action.ActionName</filename>
|
||||
(for example, if your new action name is <quote>Foo</quote> then copy
|
||||
<filename>/etc/shorewall/action.template</filename> to
|
||||
<filename>/etc/shorewall/action.Foo</filename>).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Now modify the new file to define the new action.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Columns in the action.template file are as follows:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, QUEUE or
|
||||
<action> where <action> is a previously-defined action
|
||||
(that is, it must precede the action being defined in this file in your
|
||||
<filename>/etc/shorewall/actions</filename> file). The TARGET may
|
||||
optionally be followed by a colon (<quote>:</quote>) and a syslog log
|
||||
level (e.g, REJECT:info or ACCEPT:debugging). This causes the packet to
|
||||
be logged at the specified level. You may also specify ULOG (must be in
|
||||
upper case) as a log level.This will log to the ULOG target for routing
|
||||
to a separate log through use of ulogd (<ulink
|
||||
url="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</ulink>).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>SOURCE - Source hosts to which the rule applies. A comma-separated
|
||||
list of subnets and/or hosts. Hosts may be specified by IP or MAC
|
||||
address; mac addresses must begin with <quote>~</quote> and must use
|
||||
<quote>-</quote> as a separator.</para>
|
||||
|
||||
<para>Alternatively, clients may be specified by interface name. For
|
||||
example, eth1 specifies a client that communicates with the firewall
|
||||
system through eth1. This may be optionally followed by another colon (<quote>:</quote>)
|
||||
and an IP/MAC/subnet address as described above (e.g.,
|
||||
eth1:192.168.1.5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>DEST - Location of Server. Same as above with the exception that
|
||||
MAC addresses are not allowed.</para>
|
||||
|
||||
<para>Unlike in the SOURCE column, you may specify a range of up to 256
|
||||
IP addresses using the syntax <<emphasis>first ip</emphasis>>-<<emphasis>last
|
||||
ip</emphasis>>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>PROTO - Protocol - Must be <quote>tcp</quote>, <quote>udp</quote>,
|
||||
<quote>icmp</quote>, a number, or <quote>all</quote>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>DEST PORT(S) - Destination Ports. A comma-separated list of Port
|
||||
names (from <filename>/etc/services</filename>), port numbers or port
|
||||
ranges; if the protocol is <quote>icmp</quote>, this column is
|
||||
interpreted as the destination icmp-type(s).</para>
|
||||
|
||||
<para>A port range is expressed as <<emphasis>low port</emphasis>>:<<emphasis>high
|
||||
port</emphasis>>.</para>
|
||||
|
||||
<para>This column is ignored if PROTOCOL = all but must be entered if
|
||||
any of the following ields are supplied. In that case, it is suggested
|
||||
that this field contain <quote>-</quote>.</para>
|
||||
|
||||
<para>If your kernel contains multi-port match support, then only a
|
||||
single Netfilter rule will be generated if in this list and in the
|
||||
CLIENT PORT(S) list below:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>There are 15 or less ports listed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>No port ranges are included.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Otherwise, a separate rule will be generated for each port.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
|
||||
source port is acceptable. Specified as a comma-separated list of port
|
||||
names, port numbers or port ranges.</para>
|
||||
|
||||
<para>If you don't want to restrict client ports but need to specify
|
||||
an ADDRESS in the next column, then place "-" in this column.</para>
|
||||
|
||||
<para>If your kernel contains multi-port match support, then only a
|
||||
single Netfilter rule will be generated if in this list and in the DEST
|
||||
PORT(S) list above:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>There are 15 or less ports listed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>No port ranges are included.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Otherwise, a separate rule will be generated for each port.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>RATE LIMIT - You may rate-limit the rule by placing a value in
|
||||
this column:</para>
|
||||
|
||||
<para><programlisting> <<emphasis>rate</emphasis>>/<<emphasis>interval</emphasis>>[:<<emphasis>burst</emphasis>>]</programlisting>where
|
||||
<<emphasis>rate</emphasis>> is the number of connections per
|
||||
<<emphasis>interval</emphasis>> (<quote>sec</quote> or
|
||||
<quote>min</quote>) and <<emphasis>burst</emphasis>> is the
|
||||
largest burst permitted. If no <<emphasis>burst</emphasis>> is
|
||||
given, a value of 5 is assumed. There may be no whitespace embedded in
|
||||
the specification.</para>
|
||||
|
||||
<para><programlisting> Example: 10/sec:20</programlisting></para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<para><filename>/etc/shorewall/actions</filename>:</para>
|
||||
|
||||
<para><programlisting> LogAndAccept</programlisting><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
|
||||
ACCEPT</programlisting></para>
|
||||
</article>
|
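Review bot: the action.template column reference disappears with this file and nothing in the change replaces it: the `TARGET:loglevel` suffix, ULOG as a log level (upper case, routed via ulogd), the requirement that a referenced <action> precede the action being defined in /etc/shorewall/actions, the 15-ports-and-no-ranges condition for generating a single multiport rule, and the `rate/interval[:burst]` syntax with its default burst of 5. Either point at the successor page in the commit message or keep this one. While here, the deleted text carried a nested <filename><filename> in the first list item, a doubled "with with", and "ields" for "fields"; none of that should be copied into a successor.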
@ -1,124 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article id="VPN">
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>VPN</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2002-12-21</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<title>Virtual Private Networking (VPN)</title>
|
||||
|
||||
<para>It is often the case that a system behind the firewall needs to be
|
||||
able to access a remote network through Virtual Private Networking (VPN).
|
||||
The two most common means for doing this are IPSEC and PPTP. The basic
|
||||
setup is shown in the following diagram:</para>
|
||||
|
||||
<graphic fileref="images/VPN.png" />
|
||||
|
||||
<para>A system with an RFC 1918 address needs to access a remote network
|
||||
through a remote gateway. For this example, we will assume that the local
|
||||
system has IP address 192.168.1.12 and that the remote gateway has IP
|
||||
address 192.0.2.224.</para>
|
||||
|
||||
<para>If PPTP is being used, there are no firewall requirements beyond the
|
||||
default loc->net ACCEPT policy. There is one restriction however: Only
|
||||
one local system at a time can be connected to a single remote gateway
|
||||
unless you patch your kernel from the <quote>Patch-o-matic</quote> patches
|
||||
available at <ulink url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>
|
||||
|
||||
<para>If IPSEC is being used then only one system may connect to the
|
||||
remote gateway and there are firewall configuration requirements as
|
||||
follows:</para>
|
||||
|
||||
<table>
|
||||
<title>/etc/shorewall/rules</title>
|
||||
|
||||
<tgroup cols="7">
|
||||
<thead>
|
||||
<row>
|
||||
<entry align="center">ACTION</entry>
|
||||
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
|
||||
<entry align="center">PORT</entry>
|
||||
|
||||
<entry align="center">CLIENT PORT</entry>
|
||||
|
||||
<entry align="center">ORIGINAL DEST</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>DNAT</entry>
|
||||
|
||||
<entry>net:192.0.2.224</entry>
|
||||
|
||||
<entry>loc:192.168.1.12</entry>
|
||||
|
||||
<entry>50</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>DNAT</entry>
|
||||
|
||||
<entry>net:192.0.2.224</entry>
|
||||
|
||||
<entry>loc:192.168.1.12</entry>
|
||||
|
||||
<entry>udp</entry>
|
||||
|
||||
<entry>500</entry>
|
||||
|
||||
<entry></entry>
|
||||
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
||||
<para>If you want to be able to give access to all of your local systems
|
||||
to the remote network, you should consider running a VPN client on your
|
||||
firewall. As starting points, see <ulink url="Documentation.htm#Tunnels">http://www.shorewall.net/Documentation.htm#Tunnels</ulink>
|
||||
or <ulink url="PPTP.htm">http://www.shorewall.net/PPTP.htm</ulink>.</para>
|
||||
</section>
|
||||
</article>
|
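Review bot: the single-client limitation in this deleted VPN article should be restated wherever VPN pass-through is now documented: the rules table DNATs protocol 50 and udp 500 to one internal host (loc:192.168.1.12), so only one local system can reach the remote gateway over IPSEC, and the text says the same one-at-a-time restriction holds for PPTP unless the kernel is patched from Patch-o-matic. If the Tunnels and PPTP pages linked at the end of the article already cover this, a pointer in the commit message would make that clear.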
@ -1,170 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article>
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Shorewall Blacklisting Support</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-02-17</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002-2004</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<title>Introduction</title>
|
||||
|
||||
<para>Shorewall supports two different forms of blacklisting; static and
|
||||
dynamic. Beginning with Shorewall version 1.4.8, the BLACKLISTNEWONLY
|
||||
option in /etc/shorewall/shorewall.conf controls the degree of blacklist
|
||||
filtering:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>BLACKLISTNEWONLY=No --  All incoming packets are checked
|
||||
against the blacklist. New blacklist entries can be used to terminate
|
||||
existing connections. Versions of Shorewall prior to 1.4.8 behave in
|
||||
this manner.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for
|
||||
new connection requests. Blacklists may not be used to terminate
|
||||
existing connections. Only the source address is checked against the
|
||||
blacklists.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<important>
|
||||
<para><emphasis role="bold">Only the source address is checked against
|
||||
the blacklists</emphasis>. Blacklists only stop blacklisted hosts from
|
||||
connecting to you — they do not stop you or your users from connecting
|
||||
to blacklisted hosts .</para>
|
||||
</important>
|
||||
|
||||
<important>
|
||||
<para><emphasis role="bold">Neither form of Shorewall blacklisting is
|
||||
appropriate for blacklisting 1,000s of different addresses</emphasis>.
|
||||
The blacklists will take forever to load and will have a very negative
|
||||
effect on firewall performance.</para>
|
||||
</important>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Static Blacklisting</title>
|
||||
|
||||
<para>Shorewall static blacklisting support has the following
|
||||
configuration parameters:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>You specify whether you want packets from blacklisted hosts
|
||||
dropped or rejected using the BLACKLIST_DISPOSITION setting in <ulink
|
||||
url="Documentation.htm#Config"><filename>/etc/shorewall/shorewall.conf</filename>.</ulink></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You specify whether you want packets from blacklisted hosts
|
||||
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
|
||||
in <ulink url="Documentation.htm#Config"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You list the IP addresses/subnets that you wish to blacklist in
|
||||
<ulink url="Documentation.htm#Blacklist"><filename>/etc/shorewall/blacklist</filename></ulink>.
|
||||
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL
|
||||
and Port numbers/Service names in the blacklist file.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You specify the interfaces whose incoming packets you want
|
||||
checked against the blacklist using the <quote>blacklist</quote>
|
||||
option in <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The black list is refreshed from <filename>/etc/shorewall/blacklist</filename>
|
||||
by the <quote><ulink url="starting_and_stopping_shorewall.htm"><command>shorewall
|
||||
refresh</command></ulink></quote> command.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Dynamic Blacklisting</title>
|
||||
|
||||
<para>Dynamic blacklisting support was added in version 1.3.2. Dynamic
|
||||
blacklisting doesn't use any configuration parameters but is rather
|
||||
controlled using /sbin/shorewall commands:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>drop <emphasis><ip address list></emphasis> - causes
|
||||
packets from the listed IP addresses to be silently dropped by the
|
||||
firewall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>reject <emphasis><ip address list></emphasis> - causes
|
||||
packets from the listed IP addresses to be rejected by the firewall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>allow <emphasis><ip address list></emphasis> -
|
||||
re-enables receipt of packets from hosts previously blacklisted by a
|
||||
<emphasis>drop</emphasis> or <emphasis>reject</emphasis> command.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>save - save the dynamic blacklisting configuration so that it
|
||||
will be automatically restored the next time that the firewall is
|
||||
restarted.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>show dynamic - displays the dynamic blacklisting configuration.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Dynamic blacklisting is not dependent on the <quote>blacklist</quote>
|
||||
option in <filename>/etc/shorewall/interfaces</filename>.</para>
|
||||
|
||||
<example>
|
||||
<title>Ignore packets from a pair of systems</title>
|
||||
|
||||
<programlisting> <command>shorewall drop 192.0.2.124 192.0.2.125</command></programlisting>
|
||||
|
||||
<para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
|
||||
</example>
|
||||
|
||||
<example>
|
||||
<title>Re-enable packetes from a system</title>
|
||||
|
||||
<programlisting> <command>shorewall allow 192.0.2.125</command></programlisting>
|
||||
|
||||
<para>Re-enables traffic from 192.0.2.125.</para>
|
||||
</example>
|
||||
</section>
|
||||
</article>
|
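Review bot: two operational warnings in this deleted Blacklisting article are easy to lose and should survive in whatever replaces it: only the source address is checked (blacklists do not stop your own users connecting out to listed hosts), and neither static nor dynamic blacklisting is suitable for thousands of entries because of load time and per-packet cost. The same file is the only place in this change that spells out the BLACKLISTNEWONLY semantics (No: every incoming packet is checked and new entries can terminate existing connections; Yes: only new connection requests are checked) and the `shorewall drop`, `reject`, `allow`, `save` and `show dynamic` command set. The "packetes" typo in the second example title need not be carried over.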
@ -1,450 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article>
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Configuration Files</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-02-20</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<caution>
|
||||
<para>If you copy or edit your configuration files on a system running
|
||||
Microsoft Windows, you must run them through <ulink
|
||||
url="http://www.megaloman.com/~hany/software/hd2u/">dos2unix</ulink>
|
||||
before you use them with Shorewall.</para>
|
||||
</caution>
|
||||
|
||||
<section id="Files">
|
||||
<title>Files</title>
|
||||
|
||||
<para><itemizedlist><listitem><para><filename>/etc/shorewall/shorewall.conf</filename>
|
||||
- used to set several firewall parameters.</para></listitem><listitem><para><filename>/etc/shorewall/params</filename>
|
||||
- use this file to set shell variables that you will expand in other
|
||||
files.</para></listitem><listitem><para><filename>/etc/shorewall/zones</filename>
|
||||
- partition the firewall's view of the world into zones.</para></listitem><listitem><para><filename>/etc/shorewall/policy</filename>
|
||||
- establishes firewall high-level policy.</para></listitem><listitem><para><filename>/etc/shorewall/interfaces</filename>
|
||||
- describes the interfaces on the firewall system.</para></listitem><listitem><para><filename>/etc/shorewall/hosts</filename>
|
||||
- allows defining zones in terms of individual hosts and subnetworks.</para></listitem><listitem><para><filename>/etc/shorewall/masq</filename>
|
||||
- directs the firewall where to use many-to-one (dynamic) Network Address
|
||||
Translation (a.k.a. Masquerading) and Source Network Address Translation
|
||||
(SNAT).</para></listitem><listitem><para><filename>/etc/shorewall/modules</filename>
|
||||
- directs the firewall to load kernel modules.</para></listitem><listitem><para><filename>/etc/shorewall/rules</filename>
|
||||
- defines rules that are exceptions to the overall policies established in
|
||||
/etc/shorewall/policy.</para></listitem><listitem><para><filename>/etc/shorewall/nat</filename>
|
||||
- defines one-to-one NAT rules.</para></listitem><listitem><para><filename>/etc/shorewall/proxyarp</filename>
|
||||
- defines use of Proxy ARP.</para></listitem><listitem><para><filename>/etc/shorewall/routestopped</filename>
|
||||
(Shorewall 1.3.4 and later) - defines hosts accessible when Shorewall is
|
||||
stopped.</para></listitem><listitem><para><filename>/etc/shorewall/tcrules
|
||||
</filename>- defines marking of packets for later use by traffic
|
||||
control/shaping or policy routing.</para></listitem><listitem><para><filename>/etc/shorewall/tos</filename>
|
||||
- defines rules for setting the TOS field in packet headers.</para></listitem><listitem><para><filename>/etc/shorewall/tunnels</filename>
|
||||
- defines IPSEC, GRE and IPIP tunnels with end-points on the firewall
|
||||
system.</para></listitem><listitem><para><filename>/etc/shorewall/blacklist</filename>
|
||||
- lists blacklisted IP/subnet/MAC addresses.</para></listitem><listitem><para><filename>/etc/shorewall/init</filename>
|
||||
- commands that you wish to execute at the beginning of a <quote>shorewall
|
||||
start</quote> or <quote>shorewall restart</quote>.</para></listitem><listitem><para><filename>/etc/shorewall/start</filename>
|
||||
- commands that you wish to execute at the completion of a <quote>shorewall
|
||||
start</quote> or <quote>shorewall restart</quote></para></listitem><listitem><para><filename>/etc/shorewall/stop
|
||||
</filename>- commands that you wish to execute at the beginning of a
|
||||
<quote>shorewall stop</quote>.</para></listitem><listitem><para><filename>/etc/shorewall/stopped</filename>
|
||||
- commands that you wish to execute at the completion of a <quote>shorewall
|
||||
stop</quote>.</para></listitem><listitem><para><filename>/etc/shorewall/ecn</filename>
|
||||
- disable Explicit Congestion Notification (ECN - RFC 3168) to remote
|
||||
hosts or networks.</para></listitem><listitem><para><filename>/etc/shorewall/accounting</filename>
|
||||
- define IP traffic accounting rules</para></listitem><listitem><para><filename>/etc/shorewall/usersets</filename>
|
||||
and /etc/shorewall/users - define sets of users/groups with similar access
|
||||
rights</para></listitem><listitem><para><filename>/etc/shorewall/actions</filename>
|
||||
and <filename>/etc/shorewall/action.template</filename> - define your own
|
||||
actions for rules in /etc/shorewall/rules (shorewall 1.4.9 and later).</para></listitem></itemizedlist></para>
|
||||
</section>
|
||||
|
||||
<section id="Comments">
|
||||
<title>Comments</title>
|
||||
|
||||
<para>You may place comments in configuration files by making the first
|
||||
non-whitespace character a pound sign (<quote>#</quote>). You may also
|
||||
place comments at the end of any line, again by delimiting the comment
|
||||
from the rest of the line with a pound sign.</para>
|
||||
|
||||
<example>
|
||||
<title>Comments in a Configuration File</title>
|
||||
|
||||
<programlisting># This is a comment
|
||||
ACCEPT net fw tcp www #This is an end-of-line comment</programlisting>
|
||||
</example>
|
||||
</section>
|
||||
|
||||
<section id="Continuation">
|
||||
<title>Line Continuation</title>
|
||||
|
||||
<para>You may continue lines in the configuration files using the usual
|
||||
backslash (<quote>\</quote>) followed immediately by a new line character.</para>
|
||||
|
||||
<example>
|
||||
<title>Line Continuation</title>
|
||||
|
||||
<programlisting>ACCEPT net fw tcp \
|
||||
smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
||||
</example>
|
||||
</section>
|
||||
|
||||
<section id="INCLUDE">
|
||||
<title>INCLUDE Directive</title>
|
||||
|
||||
<para>Beginning with Shorewall version 1.4.2, any file may contain INCLUDE
|
||||
directives. An INCLUDE directive consists of the word INCLUDE followed by
|
||||
a file name and causes the contents of the named file to be logically
|
||||
included into the file containing the INCLUDE. File names given in an
|
||||
INCLUDE directive are assumed to reside in /etc/shorewall or in an
|
||||
alternate configuration directory if one has been specified for the
|
||||
command.</para>
|
||||
|
||||
<para>INCLUDE's may be nested to a level of 3 -- further nested
|
||||
INCLUDE directives are ignored with a warning message.</para>
|
||||
|
||||
<example>
|
||||
<title>Use of INCLUDE</title>
|
||||
|
||||
<programlisting> shorewall/params.mgmt:
|
||||
|
||||
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
|
||||
   TIME_SERVERS=4.4.4.4
|
||||
   BACKUP_SERVERS=5.5.5.5
|
||||
|
||||
   ----- end params.mgmt -----
|
||||
|
||||
   shorewall/params:
|
||||
|
||||
   # Shorewall 1.3 /etc/shorewall/params
|
||||
   [..]
|
||||
   #######################################
|
||||
 
|
||||
   INCLUDE params.mgmt   
|
||||
 
|
||||
   # params unique to this host here
|
||||
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
|
||||
   ----- end params -----
|
||||
|
||||
   shorewall/rules.mgmt:
|
||||
|
||||
   ACCEPT net:$MGMT_SERVERS   $FW    tcp    22
|
||||
   ACCEPT $FW          net:$TIME_SERVERS    udp    123
|
||||
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22
|
||||
|
||||
   ----- end rules.mgmt -----
|
||||
|
||||
   shorewall/rules:
|
||||
|
||||
   # Shorewall version 1.3 - Rules File
|
||||
   [..]
|
||||
   #######################################
|
||||
 
|
||||
   INCLUDE rules.mgmt    
|
||||
 
|
||||
   # rules unique to this host here
|
||||
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
   ----- end rules -----</programlisting>
|
||||
</example>
|
||||
</section>
|
||||
|
||||
<section id="dnsnames">
<title>Using DNS Names</title>

<caution>
<para>I personally recommend strongly against using DNS names in
Shorewall configuration files. If you use DNS names and you are called
out of bed at 2:00AM because Shorewall won't start as a result of
DNS problems then don't say that you were not forewarned.</para>
</caution>

<para>Beginning with Shorewall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS Names.</para>

<para>DNS names in iptables rules aren't nearly as useful as they
first appear. When a DNS name appears in a rule, the iptables utility
resolves the name to one or more IP addresses and inserts those addresses
into the rule. So changes in the DNS->IP address relationship that
occur after the firewall has started have absolutely no effect on the
firewall's ruleset.</para>

<para>If your firewall rules include DNS names then:</para>

<itemizedlist>
<listitem>
<para>If your <filename>/etc/resolv.conf </filename>is wrong then your
firewall won't start.</para>
</listitem>

<listitem>
<para>If your <filename>/etc/nsswitch.conf</filename> is wrong then
your firewall won't start.</para>
</listitem>

<listitem>
<para>If your Name Server(s) is(are) down then your firewall won't
start.</para>
</listitem>

<listitem>
<para>If your startup scripts try to start your firewall before
starting your DNS server then your firewall won't start.</para>
</listitem>

<listitem>
<para>Factors totally outside your control (your ISP's router is
down for example), can prevent your firewall from starting.</para>
</listitem>

<listitem>
<para>You must bring up your network interfaces prior to starting your
firewall.</para>
</listitem>
</itemizedlist>

<para>Each DNS name much be fully qualified and include a minumum of two
periods (although one may be trailing). This restriction is imposed by
Shorewall to insure backward compatibility with existing configuration
files.</para>

<example>
<title>Valid DNS Names</title>

<itemizedlist>
<listitem>
<para>mail.shorewall.net</para>
</listitem>

<listitem>
<para>shorewall.net. (note the trailing period).</para>
</listitem>
</itemizedlist>
</example>

<example>
<title>Invalid DNS Names</title>

<itemizedlist>
<listitem>
<para>mail (not fully qualified)</para>
</listitem>

<listitem>
<para>shorewall.net (only one period)</para>
</listitem>
</itemizedlist>
</example>

<para>DNS names may not be used as:</para>

<itemizedlist>
<listitem>
<para>The server address in a DNAT rule (/etc/shorewall/rules file)</para>
</listitem>

<listitem>
<para>In the ADDRESS column of an entry in /etc/shorewall/masq.</para>
</listitem>

<listitem>
<para>In the <filename>/etc/shorewall/nat</filename> file.</para>
</listitem>
</itemizedlist>

<para>These restrictions are imposed by Netfilter and not by Shorewall.</para>
</section>

<section id="Compliment">
<title>Complementing an Address or Subnet</title>

<para>Where specifying an IP address, a subnet or an interface, you can
precede the item with <quote>!</quote> to specify the complement of the
item. For example, !192.168.1.4 means <quote>any host but 192.168.1.4</quote>.
There must be no white space following the <quote>!</quote>.</para>
</section>

<section id="Lists">
<title>Comma-separated Lists</title>

<para>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</para>

<itemizedlist>
<listitem>
<para>Must not have any embedded white space.<programlisting> Valid: routefilter,dhcp,norfc1918
Invalid: routefilter,     dhcp,     norfc1818</programlisting></para>
</listitem>

<listitem>
<para>If you use line continuation to break a comma-separated list,
the continuation line(s) must begin in column 1 (or there would be
embedded white space)</para>
</listitem>

<listitem>
<para>Entries in a comma-separated list may appear in any order.</para>
</listitem>
</itemizedlist>
</section>

<section id="Ports">
<title>Port Numbers/Service Names</title>

<para>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services.</para>
</section>

<section id="Ranges">
<title>Port Ranges</title>

<para>If you need to specify a range of ports, the proper syntax is
<low port number>:<high port number>. For example, if you
want to forward the range of tcp ports 4000 through 4100 to local host
192.168.1.3, the entry in /etc/shorewall/rules is:</para>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORTS(S)
DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>

<para>If you omit the low port number, a value of zero is assumed; if you
omit the high port number, a value of 65535 is assumed.</para>
</section>

<section id="Variables">
<title>Using Shell Variables</title>

<para>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</para>

<para>It is suggested that variable names begin with an upper case letter
to distinguish them from variables used internally within the Shorewall
programs</para>

<example>
<title>Using Shell Variables</title>

<programlisting>    /etc/shorewall/params

NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=routefilter,norfc1918

    /etc/shorewall/interfaces record:

net $NET_IF $NET_BCAST $NET_OPTIONS

    The result will be the same as if the record had been written

net eth0 130.252.100.255 routefilter,norfc1918
</programlisting>

<para>Variables may be used anywhere in the other configuration files.</para>
</example>
</section>

<section id="MAC">
<title>Using MAC Addresses</title>

<para>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature, your
kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</para>

<para>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.</para>

<para>In GNU/Linux, MAC addresses are usually written as a series of 6 hex
numbers separated by colons.</para>

<example>
<title>MAC Address of an Ethernet Controller</title>

<programlisting>      [root@gateway root]# <command>ifconfig eth0</command>
     eth0 Link encap:Ethernet HWaddr <emphasis
role="bold">02:00:08:E3:FA:55</emphasis>
     inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0
     TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0
     collisions:30394 txqueuelen:100
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)
     Interrupt:11 Base address:0x1800
</programlisting>
</example>

<para>Because Shorewall uses colons as a separator for address fields,
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde (<quote>~</quote>) and consist
of 6 hex numbers separated by hyphens. In Shorewall, the MAC address in
the example above would be written <emphasis role="bold">~02-00-08-E3-FA-55</emphasis>.</para>

<note>
<para>It is not necessary to use the special Shorewall notation in the
<filename><ulink url="MAC_Validation.html">/etc/shorewall/maclist</ulink></filename>
file.</para>
</note>
</section>

<section id="Levels">
<title>Shorewall Configurations</title>

<para>Shorewall allows you to have configuration directories other than
<filename class="directory">/etc/shorewall</filename>. The shorewall
check, start and restart commands allow you to specify an alternate
configuration directory and Shorewall will use the files in the alternate
directory rather than the corresponding files in /etc/shorewall. The
alternate directory need not contain a complete configuration; those files
not in the alternate directory will be read from <filename
class="directory">/etc/shorewall</filename>.</para>

<para>This facility permits you to easily create a test or temporary
configuration by</para>

<orderedlist>
<listitem>
<para>copying the files that need modification from /etc/shorewall to
a separate directory;</para>
</listitem>

<listitem>
<para>modify those files in the separate directory; and</para>
</listitem>

<listitem>
<para>specifying the separate directory in a shorewall start or
shorewall restart command (e.g., <command>shorewall -c /etc/testconfig
restart</command> )</para>
</listitem>
</orderedlist>

<para>The <ulink url="starting_and_stopping_shorewall.htm">try command</ulink>
allows you to attempt to restart using an alternate configuration and if
an error occurs to automatically restart the standard configuration.</para>
</section>
</article>
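Review bot: this hunk deletes the whole configuration-basics article (sections `dnsnames` through `Levels`) with no replacement or redirect anywhere in the change, so the operationally important cautions it carries are lost from the tree: that a ruleset containing DNS names is resolved only once at start and will not start at all when `/etc/resolv.conf`, `/etc/nsswitch.conf` or the name servers are unavailable; that DNS names are not accepted as the DNAT server address, in the ADDRESS column of `/etc/shorewall/masq` or in `/etc/shorewall/nat`; and the `~xx-xx-xx-xx-xx-xx` MAC notation. Suggest stating in the commit message which page now carries this material, or leaving a short stub that links to it, so that inbound links to these section ids do not break silently.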
@ -1,104 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->

<articleinfo>
<title>DHCP</title>

<authorgroup>
<author>
<firstname>Tom</firstname>

<surname>Eastep</surname>
</author>
</authorgroup>

<pubdate>2004-01-10</pubdate>

<copyright>
<year>2001</year>

<year>2002</year>

<year>2004</year>

<holder>Thomas M. Eastep</holder>
</copyright>

<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

<note>
<para>For most operations, DHCP software interfaces to the Linux IP stack
at a level below Netfilter. Hence, Netfilter (and therefore Shorewall)
cannot be used effectively to police DHCP. The <quote>dhcp</quote>
interface option described in this article allows for Netfilter to stay
out of DHCP's way for those operations that can be controlled by
Netfilter and prevents unwanted logging of DHCP-related traffic by
Shorewall-generated Netfilter logging rules.</para>
</note>

<section>
<title>If you want to Run a DHCP Server on your firewall</title>

<itemizedlist>
<listitem>
<para>Specify the <quote>dhcp</quote> option on each interface to be
served by your server in the <filename><ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink></filename>
file. This will generate rules that will allow DHCP to and from your
firewall system.</para>
</listitem>

<listitem>
<para>When starting <quote>dhcpd</quote>, you need to list those
interfaces on the run line. On a RedHat system, this is done by
modifying <filename>/etc/sysconfig/dhcpd</filename>.</para>
</listitem>
</itemizedlist>
</section>

<section>
<title>If a Firewall Interface gets its IP Address via DHCP</title>

<itemizedlist>
<listitem>
<para>Specify the <quote>dhcp</quote> option for this interface in the
<ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
file. This will generate rules that will allow DHCP to and from
your firewall system.</para>
</listitem>

<listitem>
<para>If you know that the dynamic address is always going to be in
the same subnet, you can specify the subnet address in the
interface's entry in the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
file.</para>
</listitem>

<listitem>
<para>If you don't know the subnet address in advance, you should
specify <quote>detect</quote> for the interface's subnet address
in the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
file and start Shorewall after the interface has started.</para>
</listitem>

<listitem>
<para>In the event that the subnet address might change while
Shorewall is started, you need to arrange for a <quote>shorewall
refresh</quote> command to be executed when a new dynamic IP address
gets assigned to the interface. Check your DHCP client's
documentation.</para>
</listitem>
</itemizedlist>
</section>
</article>
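Review bot: the deleted DHCP article links three times to `Documentation.htm#Interfaces` for the `dhcp` interface option and is the only visible description of the requirement to run `shorewall refresh` when a dynamically assigned address changes while Shorewall is running; before this file goes, confirm that the linked page (or its successor) covers both points, the `dhcp` option semantics and the refresh-on-lease-change requirement, and name that page in the commit message, otherwise the behaviour is left undocumented.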
@ -1,693 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<articleinfo>
<title>Shorewall Errata</title>

<authorgroup>
<author>
<firstname>Tom</firstname>

<surname>Eastep</surname>
</author>
</authorgroup>

<pubdate>2004-08-30</pubdate>

<copyright>
<year>2001-2004</year>

<holder>Thomas M. Eastep</holder>
</copyright>

<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

<caution>
<itemizedlist>
<listitem>
<para>If you use a Windows system to download a corrected script, be
sure to run the script through <ulink
url="http://www.megaloman.com/~hany/software/hd2u/">dos2unix</ulink>
after you have moved it to your Linux system.</para>
</listitem>

<listitem>
<para>If you are installing Shorewall for the first time and plan to
use the .tgz and install.sh script, you can untar the archive, replace
the <quote>firewall</quote> script in the untarred directory with the
one you downloaded below, and then run install.sh.</para>
</listitem>

<listitem>
<para>When the instructions say to install a corrected firewall script
in /usr/share/shorewall/firewall, you may rename the existing file
before copying in the new file.</para>
</listitem>

<listitem>
<para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A
RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW.</emphasis> For example, do NOT install the 1.3.9a firewall
script if you are running 1.3.7c.</para>
</listitem>
</itemizedlist>
</caution>

<section>
<title>RFC1918 File</title>

<para><ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918">Here</ulink>
is the most up to date version of the <ulink
url="Documentation.htm#rfc1918">rfc1918 file</ulink>.</para>
</section>

<section>
<title>Problems in Version 1.4</title>

<section>
<title>Shorewall 1.4.10f</title>

<itemizedlist>
<listitem>
<para>Slackware users find that version 1.4.10f fails to start
because their <command>mktemp</command> utility does not support the
-d option. This may be corrected by installing <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.10/functions">this
corrected <filename>functions</filename> file</ulink> in <filename
class="directory">/var/lib/shorewall/functions</filename>.</para>
</listitem>

<listitem>
<para>Shorewall fails to start if there is no
<command>mktemp</command> utility.</para>
</listitem>
</itemizedlist>

<para>These problems have been corrected in Shorewall version
1.4.10g.</para>
</section>

<section>
<title>Shorewall 1.4.10</title>

<itemizedlist>
<listitem>
<para>Unexplained errors may occur during "shorewall [re]start" when
the /etc/shorewall/masq file is being processed.</para>
</listitem>

<listitem>
<para>The <emphasis role="bold">maclist</emphasis> interface option
previously wasn't available on Atheros WiFi cards.</para>
</listitem>

<listitem>
<para>In the /etc/shorewall/masq entry <quote>eth0:!10.1.1.150
0.0.0.0/0!10.1.0.0/16 10.1.2.16</quote>,
the <quote>!10.1.0.0/16</quote> is ignored.</para>
</listitem>

<listitem>
<para>A startup error occurs if an entry in the tcrules file has an
empty USER/GROUP column.</para>
</listitem>

<listitem>
<para>Specifying multiple excluded source zones in a REDIRECT or
DNAT rule produces a startup error. Example of problem
rule:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para>
</listitem>

<listitem>
<para>When using an Action in the ACTIONS column of a rule, you may
receive a warning message about the rule being a policy. While this
warning may be safely ignored, it may be eliminated by installing
the updated script linked below.</para>
</listitem>

<listitem>
<para>Thanks to Sean Mathews, a long-standing problem with Proxy ARP
and IPSEC has been corrected.</para>
</listitem>

<listitem>
<para>A potentially exploitable vulnerability in the way that
Shorewall handles temporary files and directories has been found by
Javier Fernández-Sanguino Peña.</para>
</listitem>
</itemizedlist>

<para>The first seven problems have been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.10/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>

<para>The first two problem corrections were included in Shorewall
update 1.4.10a.</para>

<para>The first three problem corrections were included in Shorewall
update 1.4.10b.</para>

<para>The first four problem corrections were included in Shorewall
update 1.4.10c.</para>

<para>The first six problem corrections were included in Shorewall
update 1.4.10d.</para>

<para>The first seven problems corrections were included in Shorewall
update 1.4.10e;</para>

<para>All problem corrections were included in Shorewall update
1.4.10f.</para>
</section>

<section>
<title>Shorewall 1.4.9</title>

<itemizedlist>
<listitem>
<para>The column descriptions in the action.template file did not
match the column headings.</para>
</listitem>
</itemizedlist>

<para>This problem has been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.9/action.template">this
action.template file</ulink> which may be installed in
/etc/shorewall.</para>

<itemizedlist>
<listitem>
<para>The presence of IPV6 addresses on devices generates error
messages during <command>[re]start </command>if ADD_IP_ALIASES=Yes
or ADD_SNAT_ALIASES=Yes are specified in
/etc/shorewall/shorewall.conf.</para>
</listitem>

<listitem>
<para>Unexplained errors may occur during "shorewall [re]start" when
the /etc/shorewall/masq file is being processed.</para>
</listitem>
</itemizedlist>

<para>These problems have been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.9/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>

<section>
<title>Shorewall 1.4.8</title>

<itemizedlist>
<listitem>
<para>When a DNAT rules specifies SNAT (e.g., when <original dest
addr>:<SNAT addr> is given in the ORIGINAL DEST column),
the SNAT specification is effectively ignored in some cases.</para>
</listitem>

<listitem>
<para>Unexplained errors may occur during "shorewall [re]start" when
the /etc/shorewall/masq file is being processed.</para>
</listitem>
</itemizedlist>

<para>These problems have been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.8/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>

<section>
<title>Shorewall 1.4.7</title>

<itemizedlist>
<listitem>
<para>Using some versions of <quote>ash</quote> (such as from RH8)
as the SHOREWALL_SHELL causes <quote>shorewall [re]start</quote> to
fail with:<programlisting> local: --limit: bad variable name
iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so:
cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.</programlisting></para>
</listitem>

<listitem>
<para>When more than one ICMP type is listed in a rule and your
kernel includes multiport match support, the firewall fails to
start.</para>
</listitem>

<listitem>
<para>Regardless of the setting of LOGUNCLEAN, the value
LOGUNCLEAN=info was used.</para>
</listitem>

<listitem>
<para>After the following error message, Shorewall was left in an
inconsistent state:<programlisting> Error: Unable to determine the routes through interface xxx</programlisting></para>
</listitem>

<listitem>
<para>When a DNAT rules specifies SNAT (e.g., when <original dest
addr>:<SNAT addr> is given in the ORIGINAL DEST column),
the SNAT specification is effectively ignored in some cases.</para>
</listitem>

<listitem>
<para>Unexplained errors may occur during "shorewall [re]start" when
the /etc/shorewall/masq file is being processed.</para>
</listitem>
</itemizedlist>

<para>These problems have been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.7/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>

<section>
<title>Shorewall 1.4.6</title>

<itemizedlist>
<listitem>
<para>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
would fail to start with the error <quote>ERROR: Traffic
Control requires Mangle</quote>; that problem has been corrected in
<ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</ulink> which may be installed in
/use/share/shorewall/firewall as described above. This problem is
also corrected in bugfix release 1.4.6a.</para>
</listitem>

<listitem>
<para>This problem occurs in all versions supporting traffic
control. If a MAC address is used in the SOURCE column, an error
occurs as follows:</para>

<para><programlisting> iptables v1.2.8: Bad mac adress `00:08:B5:35:52:E7-d`</programlisting>For
Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected in
<ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above. For all other
versions, you will have to edit your <quote>firewall</quote> script
(in versions 1.4.*, it is located in /usr/share/shorewall/firewall).
Locate the function add_tcrule_() and in that function, replace this
line:<programlisting> r=`mac_match $source` </programlisting>with<programlisting> r="`mac_match $source` "</programlisting>Note
that there must be a space before the ending quote!</para>
</listitem>
</itemizedlist>
</section>

<section>
<title>Shorewall 1.4.4b</title>

<itemizedlist>
<listitem>
<para>Shorewall is ignoring records in /etc/shorewall/routestopped
that have an empty second column (HOSTS). This problem may be
corrected by installing <ulink
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall">this
firewall script</ulink> in /usr/share/shorewall/firewall as
described above.</para>
</listitem>

<listitem>
<para>The INCLUDE directive doesn't work when placed in the
/etc/shorewall/zones file. This problem may be corrected by
installing <ulink
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions">this
functions script</ulink> in /usr/share/shorewall/functions.</para>
</listitem>
</itemizedlist>
</section>

<section>
<title>Shorewall 1.4.4-1.4.4a</title>

<itemizedlist>
<listitem>
<para>Log messages are being displayed on the system console even
though the log level for the console is set properly according to
FAQ 16. This problem may be corrected by installing <ulink
url="???">this firewall script</ulink> in
/usr/share/shorewall/firewall as described above.</para>
</listitem>
</itemizedlist>
</section>

<section>
<title>Shorewall 1.4.4</title>

<itemizedlist>
<listitem>
<para>If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a
logging rule is too long. Upgrade to Version 1.4.4a to fix this
problem..</para>
</listitem>
</itemizedlist>
</section>

<section>
<title>Shorewall 1.4.3</title>

<itemizedlist>
<listitem>
<para>The LOGMARKER variable introduced in version 1.4.3 was
intended to allow integration of Shorewall with Fireparse
(http://www.firewparse.com). Unfortunately, LOGMARKER only solved
part of the integration problem. I have implimented a new LOGFORMAT
variable which will replace LOGMARKER which has completely solved
this problem and is currently in production with fireparse here at
shorewall.net. The updated files may be found at <ulink
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</ulink>.
See the 0README.txt file for details.</para>
</listitem>
</itemizedlist>
</section>

<section>
<title>Shorewall 1.4.2</title>

<itemizedlist>
<listitem>
<para>When an <quote>add</quote> or <quote>delete</quote> command is
executed, a temporary directory created in /tmp is not being
removed. This problem may be corrected by installing <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall">this
firewall script</ulink> in /usr/share/shorewall/firewall as
described above.</para>
</listitem>
</itemizedlist>
</section>

<section>
<title>Shorewall 1.4.1a, 1.4.1 and 1.4.0</title>

<itemizedlist>
<listitem>
<para>Some TCP requests are rejected in the <quote>common</quote>
chain with an ICMP port-unreachable response rather than the more
appropriate TCP RST response. This problem is corrected in <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def">this
updated common.def file</ulink> which may be installed in
/etc/shorewall/common.def.</para>
</listitem>
</itemizedlist>
</section>

<section>
<title>Shorewall 1.4.1</title>

<itemizedlist>
<listitem>
<para>When a <quote>shorewall check</quote> command is executed,
each <quote>rule</quote> produces the harmless additional
message:<programlisting> /usr/share/shorewall/firewall: line 2174: [: =: unary operator expected</programlisting>You
may correct the problem by installing <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall">this
corrected script</ulink> in /usr/share/shorewall/firewall as
described above.</para>
</listitem>
</itemizedlist>
</section>

<section>
<title>Shorewall 1.4.0</title>

<itemizedlist>
<listitem>
<para>When running under certain shells Shorewall will attempt to
create ECN rules even when /etc/shorewall/ecn is empty. You may
either just remove /etc/shorewall/ecn or you can install <ulink
url="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</ulink> in /usr/share/shorewall/firewall as described
above.</para>
</listitem>
</itemizedlist>
</section>
</section>

<section>
<title>Upgrade Issues</title>

<para>The upgrade issues have moved to <ulink url="upgrade_issues.htm">a
separate page</ulink>.</para>
</section>

<section>
<title>Problem with iptables version 1.2.3</title>

<para>There are a couple of serious bugs in iptables 1.2.3 that prevent it
from working with Shorewall. Regrettably, RedHat released this buggy
iptables in RedHat 7.2. </para>

<para>I have built a <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">corrected
1.2.3 rpm which you can download here</ulink> and I have also built
an <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">iptables-1.2.4
rpm which you can download here</ulink>. If you are currently running
RedHat 7.1, you can install either of these RPMs before you upgrade to
RedHat 7.2.</para>

<para><emphasis role="bold">Update 11/9/2001:</emphasis> RedHat has
released an iptables-1.2.4 RPM of their own which you can download from
<ulink
url="http://www.redhat.com/support/errata/RHSA-2001-144.html.">http://www.redhat.com/support/errata/RHSA-2001-144.html</ulink>.I
have installed this RPM on my firewall and it works fine.</para>

<para>If you would like to patch iptables 1.2.3 yourself, the patches are
available for download. This <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</ulink>
which corrects a problem with parsing of the --log-level specification
while this <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</ulink>
corrects a problem in handling the TOS target.</para>

<para>To install one of the above patches:<programlisting> cd iptables-1.2.3/extensions
patch -p0 < the-patch-file</programlisting></para>
</section>

<section>
<title>Problems with kernels >= 2.4.18 and RedHat iptables</title>

<para>Users who use RedHat iptables RPMs and who upgrade to kernel
2.4.18/19 may experience the following:</para>

<blockquote>
<programlisting># shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)</programlisting>
</blockquote>

<para>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in the
Netfilter <quote>mangle</quote> table. You can correct the problem by
installing <ulink
url="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">this
iptables RPM</ulink>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
<quote>iptables -Uvh --oldpackage
iptables-1.2.5-1.i386.rpm</quote>).</para>
</section>

<section>
<title>Problems with iptables version 1.2.7 and MULTIPORT=Yes</title>

<para>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as a
consequence, if you install iptables 1.2.7 you must be running Shorewall
1.3.7a or later or:</para>

<itemizedlist>
<listitem>
<para>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If you are running Shorewall 1.3.6 you may install <ulink
|
||||
url="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">this
|
||||
firewall script</ulink> in /usr/lib/shorewall/firewall as described
|
||||
above.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Problems with RH Kernel 2.4.18-10 and NAT</title>
|
||||
|
||||
<para>/etc/shorewall/nat entries of the following form will result in
|
||||
Shorewall being unable to start:</para>
|
||||
|
||||
<programlisting> #EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||
192.0.2.22 eth0 192.168.9.22 yes yes
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para>Error message is:</para>
|
||||
|
||||
<programlisting> Setting up NAT...
|
||||
iptables: Invalid argument
|
||||
Terminated</programlisting>
|
||||
|
||||
<para>The solution is to put <quote>no</quote> in the LOCAL column. Kernel
|
||||
support for LOCAL=yes has never worked properly and 2.4.18-10 has disabled
|
||||
it. The 2.4.19 kernel contains corrected support under a new kernel
|
||||
configuraiton option; see <ulink
|
||||
url="http://www.shorewall.net/Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to
|
||||
2.4.21-RC1)</title>
|
||||
|
||||
<para>Beginning with errata kernel 2.4.20-13.9, <quote>REJECT
|
||||
--reject-with tcp-reset</quote> is broken. The symptom most commonly seen
|
||||
is that REJECT rules act just like DROP rules when dealing with TCP. A
|
||||
kernel patch and precompiled modules to fix this problem are available at
|
||||
<ulink
|
||||
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
|
||||
|
||||
<note>
|
||||
<para>RedHat have corrected this problem in their 2.4.20-27.x
|
||||
kernels.</para>
|
||||
</note>
|
||||
</section>
|
||||
|
||||
<appendix>
|
||||
<title>Revision History4</title>
|
||||
|
||||
<para><revhistory>
|
||||
<revision>
|
||||
<revnumber>1.9</revnumber>
|
||||
|
||||
<date>2004-03-20</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Proxy ARP/IPSEC fix.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.8</revnumber>
|
||||
|
||||
<date>2004-03-04</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Multiple excluded zones problem..</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.7</revnumber>
|
||||
|
||||
<date>2004-02-15</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>TCrules file problem..</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.6</revnumber>
|
||||
|
||||
<date>2004-02-09</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Masq file exclusion problem.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.5</revnumber>
|
||||
|
||||
<date>2004-02-05</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Startup Problem</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.4</revnumber>
|
||||
|
||||
<date>2004-01-19</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>IPV6 address problems. Make RFC1918 file section more
|
||||
prominent.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.3</revnumber>
|
||||
|
||||
<date>2004-01-14</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Confusing template file in 1.4.9</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.3</revnumber>
|
||||
|
||||
<date>2004-01-03</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Added note about REJECT RedHat Kernal problem being
|
||||
corrected.</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.2</revnumber>
|
||||
|
||||
<date>2003-12-29</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Updated RFC1918 file</revremark>
|
||||
</revision>
|
||||
|
||||
<revision>
|
||||
<revnumber>1.1</revnumber>
|
||||
|
||||
<date>2003-12-17</date>
|
||||
|
||||
<authorinitials>TE</authorinitials>
|
||||
|
||||
<revremark>Initial Conversion to Docbook XML</revremark>
|
||||
</revision>
|
||||
</revhistory></para>
|
||||
</appendix>
|
||||
</article>
|
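Review bot: the commit message ("no longer in the current revision..") does not say where, if anywhere, the removed errata content went, yet this hunk deletes several workarounds that users still reach by their own URLs (the iptables 1.2.3 loglevel and tos patches, the 2.4.18 libiptc assertion failure, the LOCAL column problem on kernel 2.4.18-10, and the REJECT breakage from errata kernel 2.4.20-13.9); please name the replacement page in the commit message, or state that the content is intentionally retired, so that links into this file can be redirected. If any of this text is carried over elsewhere, carry these fixes with it: the example `<quote>iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm</quote>` should read `rpm -Uvh --oldpackage iptables-1.2.5-1.i386.rpm` (`-Uvh` and `--oldpackage` are rpm options, not iptables ones), the link target `RHSA-2001-144.html.` carries a stray trailing period inside the URL and is followed by `.I` with no space, `configuraiton` and `Kernal` are misspellings, the appendix title reads `Revision History4`, and the revision history lists `<revnumber>1.3</revnumber>` twice (2004-01-14 and 2004-01-03).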
@ -1,93 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->

<articleinfo>
<title>Fallback and Uninstall</title>

<authorgroup>
<author>
<firstname>Tom</firstname>

<surname>Eastep</surname>
</author>
</authorgroup>

<pubdate>2001-03-26</pubdate>

<copyright>
<year>2001</year>

<holder>Thomas M. Eastep</holder>
</copyright>

<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>

<section>
<title>Falling Back to the Previous Version of Shorewall using the
Fallback Script</title>

<para>If you install Shorewall and discover that it doesn't work for
you, you can fall back to your previously installed version. To do that:</para>

<itemizedlist>
<listitem>
<para>cd to the distribution directory for the version of Seattle
Firewall that you are currently running (NOT the version that you want
to fall back to).</para>
</listitem>

<listitem>
<para>Type <quote>./fallback.sh</quote></para>
</listitem>
</itemizedlist>

<caution>
<para>The fallback script will replace /etc/shorewall/policy,
/etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat,
/etc/shorewall/proxyarp and /etc/shorewall/masq with the version of
these files from before the current version was installed. Any changes
to any of these files will be lost.</para>
</caution>
</section>

<section>
<title>Falling Back to the Previous Version of Shorewall using rpm</title>

<para>If your previous version of Shorewall was installed using RPM, you
may fall back to that version by typing <quote>rpm -Uvh --force <old
rpm></quote> at a root shell prompt (Example: <quote>rpm -Uvh --force
/downloads/shorewall-3.1=0noarch.rpm</quote> would fall back to the 3.1-0
version of Shorewall).</para>
</section>

<section>
<title>Uninstalling Shorewall</title>

<para>If you no longer wish to use Shorewall, you may remove it by:</para>

<itemizedlist>
<listitem>
<para>cd to the distribution directory for the version of Shorewall
that you have installed.</para>
</listitem>

<listitem>
<para>type <quote>./uninstall.sh</quote></para>
</listitem>
</itemizedlist>

<para>If you installed using an rpm, at a root shell prompt type
<quote>rpm -e shorewall</quote>.</para>
</section>
</article>
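Review bot: as with the errata file, the commit message gives no pointer to where the fallback and uninstall instructions now live; please add one, since the fallback script, the caution about which /etc/shorewall files it overwrites, and the `rpm -e shorewall` step are the kind of recovery instructions users look up under pressure. If this text is reused elsewhere, fix what the hunk shows: the first list item still says "Seattle Firewall" where the rest of the page says Shorewall, the example file name `/downloads/shorewall-3.1=0noarch.rpm` does not match the `3.1-0` version it claims to fall back to (presumably `shorewall-3.1-0.noarch.rpm` was meant), and the `<old rpm>` placeholder in `rpm -Uvh --force <old rpm>` must be written as `&lt;old rpm&gt;` in the DocBook source or the file is not well-formed XML (the rendered hunk cannot show which form the source used).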