diff --git a/docs/Accounting.xml b/docs/Accounting.xml
index 054a8158e..40c6b2229 100644
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@@ -15,10 +15,10 @@
- 2005-11-02
+ 2006-06-12
- 2003-2005
+ 2003-2002Thomas M. Eastep
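Review bot: the copyright range in the added line reads "2003-2002", with the end year before the start year; since this same hunk bumps the document date to 2006-06-12, the range should presumably be "2003-2006".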
@@ -44,9 +44,9 @@
Shorewall accounting rules are described in the file
/etc/shorewall/accounting. By default, the accounting rules are placed in a
chain called accounting and can thus be displayed using
- shorewall show accounting. All traffic passing into, out of
- or through the firewall traverses the accounting chain including traffic
- that will later be rejected by interface options such as
+ shorewall[-lite] show accounting. All traffic passing into,
+ out of or through the firewall traverses the accounting chain including
+ traffic that will later be rejected by interface options such as
tcpflags and maclist. If your kernel doesn't
support the connection tracking match extension (Kernel 2.4.21) then some
traffic rejected under norfc1918 will not traverse the
@@ -184,8 +184,9 @@
web:COUNT - eth1 eth0 tcp - 443
DONE web
- Now shorewall show web will give you a breakdown of
- your web traffic:
+ Now shorewall show web (or "shorewall-lite show web"
+ for Shorewall Lite users) will give you a breakdown of your web
+ traffic: [root@gateway shorewall]# shorewall show web
Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003
@@ -212,8 +213,9 @@
COUNT web eth0 eth1
COUNT web eth1 eth0
- Now shorewall show web simply gives you a breakdown by
- input and output:
+ Now shorewall show web (or "shorewall-lite show web"
+ for Shorewall Lite users) simply gives you a breakdown by input and
+ output: [root@gateway shorewall]# shorewall show accounting web
Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003
diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml
index 9b1783006..fd8ce47cc 100644
--- a/docs/CompiledPrograms.xml
+++ b/docs/CompiledPrograms.xml
@@ -15,7 +15,7 @@
- 2006-06-10
+ 2006-06-122006
@@ -39,15 +39,9 @@
Beginning with Shorewall version 3.1, Shorewall has the capability
to compile a Shorewall configuration and produce a runnable firewall
- program script. The script is a complete program which can be placed in
- the /etc/init.d/ directory on a system without Shorewall installed and can
- serve as the firewall creation script for that system.
-
- Compiled programs can also be created to instantiate special
- configurations during parts of the day; for example, to disallow web
- browsing between the hours of 9pm and 7AM. The program can be run as a
- cron job at 9PM and another program run at 6AM to restore normal
- operation.
+ program script. The script is a complete program which can be placed on a
+ system with Shorewall Lite installed and can serve as
+ the firewall creation script for that system.Restrictions
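Review bot: the removed paragraph about compiling special configurations for parts of the day (the 9PM/6AM cron-job example) is dropped without a replacement; if that use case still applies when the script runs on a Shorewall Lite system, keep it, otherwise say why it no longer applies. The requirement also changes from "a system without Shorewall installed" to "a system with Shorewall Lite installed", which readers of the earlier version would want called out rather than silently swapped.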
@@ -197,7 +191,7 @@
The firewall systems do NOT
need to have the full Shorewall product installed but rather only
the Shorewall Lite product. Shorewall and Shorewall LIte may be
- installed on the same system.
+ installed on the same system but that isn't encouraged.
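Review bot: "but that isn't encouraged" gives no reason; one sentence on why co-installing Shorewall and Shorewall Lite is discouraged, and what a reader who does it anyway must watch for, would make the recommendation actionable.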
@@ -225,6 +219,15 @@
directory appropriately. It's a good idea to include the IP
address of the administrative system in the
routestopped file.
+
+ It is important to understand that with Shorewall Lite, the
+ firewall's configuration directory on the administrative system
+ acts as /etc/shorewall for
+ that firewall. So when the Shorewall documentation gives
+ instructions for placing entries in files in the firewall's
+ /etc/shorewall, when using
+ Shorewall Lite you make those changes in the firewall's
+ configuration directory on the administrative system.
@@ -348,15 +351,12 @@
shorewall stop
- We strongly recommend that you uninstall
+ We recommend that you uninstall
Shorewall at this point.
- Install Shorewall Lite on the firewall system; If you did not uninstall Shorewall in the previous step,
- then you must switch /sbin/shorewall to
- Shorewall Lite as described above.
+ Install Shorewall Lite on the firewall system.
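Review bot: the removed sentence told the reader what to do when Shorewall is not uninstalled ("you must switch /sbin/shorewall to Shorewall Lite as described above"); since the preceding hunk softens "strongly recommend" to "recommend", readers who keep Shorewall installed now have no instruction for that case. Either restore the instruction or state that the switch is no longer needed.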
diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index 2415ba43c..a0dac405a 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -193,8 +193,8 @@ DNAT net loc:<local IP address>[:<
- As root type shorewall show nat
-
+ As root type shorewall[-lite] show
+ nat
@@ -244,11 +244,11 @@ DNAT net loc:<local IP address>[:<
the connection is being dropped or rejected. If it is, then you
may have a zone definition problem such that the server is in a
different zone than what is specified in the DEST column. At a
- root promt, type "shorewall show zones" then be
- sure that in the DEST column you have specified the first zone in the list that matches
- OUT=<dev> and DEST= <ip>from the REJECT/DROP log
- message.
+ root promt, type "shorewall[-lite] show zones"
+ then be sure that in the DEST column you have specified the
+ first zone in the list that
+ matches OUT=<dev> and DEST= <ip>from the REJECT/DROP
+ log message.
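Review bot: "root promt" is carried over into the rewritten line and should read "root prompt". While these lines are being touched, "DEST= <ip>from" wants no space after "DEST=" and a space before "from".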
@@ -550,8 +550,9 @@ DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0
With dynamic IP addresses, you probably don't want to use
- shorewall
- save and shorewall
+ shorewall[-lite]
+ save and shorewall[-lite]
restore.
@@ -1063,8 +1064,8 @@ LOGBURST=""
The packet has a source IP address that isn't in any of your
- defined zones (shorewall check and look at the
- printed zone definitions) or the chain is FORWARD and the
+ defined zones (shorewall[-lite] show zones and look
+ at the printed zone definitions) or the chain is FORWARD and the
destination IP isn't in any of your defined zones. If the chain is
FORWARD and the IN and OUT interfaces are the same, then you
probably need the routeback
@@ -1083,8 +1084,8 @@ LOGBURST=""
The packet has a destination IP address that isn't in any of
- your defined zones("shorewall check" and look at the printed zone
- definitions).
+ your defined zones("shorewall show zones" and look at the printed
+ zone definitions).
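Review bot: this hunk writes "shorewall show zones" while the previous hunk in this file makes the same change as "shorewall[-lite] show zones"; use the "[-lite]" form here too for consistency with the rest of the patch.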
@@ -1247,9 +1248,9 @@ LOGBURST=""
- (FAQ 52) When I blacklist an IP address with "shorewall drop
- www.xxx.yyy.zzz", why does my log still show REDIRECT and DNAT entries
- from that address?
+ (FAQ 52) When I blacklist an IP address with "shorewall[-lite]
+ drop www.xxx.yyy.zzz", why does my log still show REDIRECT and DNAT
+ entries from that address?I blacklisted the address 130.252.100.59 using shorewall
drop 130.252.100.59 but I am still seeing these log
@@ -1312,7 +1313,7 @@ LOGBURST=""
Starting and Stopping
- (FAQ 7) When I stop Shorewall using shorewall
+ (FAQ 7) When I stop Shorewall using shorewall[-lite]
stop, I can't connect to anything. Why doesn't that command
work?
@@ -1320,7 +1321,7 @@ LOGBURST=""
to place your firewall into a safe state whereby only those hosts listed
in /etc/shorewall/routestopped' are activated. If
you want to totally open up your firewall, you must use the
- shorewall clear command.
+ shorewall[-lite] clear command.
@@ -1512,8 +1513,8 @@ Creating input Chains...
- (FAQ 45) Why does "shorewall start fail" when trying to set up
- SNAT/Masquerading?
+ (FAQ 45) Why does "shorewall[-lite] start" fail when trying to
+ set up SNAT/Masquerading?shorewall start produces the following
output:
@@ -1595,12 +1596,12 @@ iptables: Invalid argument
- (FAQ 25) How to I tell which version of Shorewall I am
- running?
+ (FAQ 25) How to I tell which version of Shorewall or Shorewall
+ Lite I am running?At the shell prompt, type:
- /sbin/shorewall version
+ /sbin/shorewall[-lite] version
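Review bot: "How to I tell" in the rewritten question heading should be "How do I tell"; the typo was in the old line as well and this rewrite is the place to fix it.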
@@ -1988,7 +1989,7 @@ REJECT fw net:216.239.39.99 allGiven that
support?
Answer: Use the
- shorewall show capabilities command at a root
+ shorewall[-lite] show capabilities command at a root
prompt.gateway:~# shorewall show capabilities
diff --git a/docs/Install.xml b/docs/Install.xml
index 4274e4a80..5ead29e7e 100644
--- a/docs/Install.xml
+++ b/docs/Install.xml
@@ -15,12 +15,12 @@
- 2005-11-23
+ 2006-06-122001-
- 2005
+ 2006Thomas M. Eastep
diff --git a/docs/blacklisting_support.xml b/docs/blacklisting_support.xml
index 5bfa95128..0b4d624a8 100644
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -15,7 +15,7 @@
- 2006-03-23
+ 2006-06-122002-2006
@@ -157,7 +157,7 @@ ipset -B Blacklist 206.124.146.177 -b SMTPDynamic BlacklistingDynamic blacklisting doesn't use any configuration parameters but is
- rather controlled using /sbin/shorewall commands:
+ rather controlled using /sbin/shorewall[-lite] commands:
@@ -219,7 +219,7 @@ ipset -B Blacklist 206.124.146.177 -b SMTP
Ignore packets from a pair of systems
- shorewall drop 192.0.2.124 192.0.2.125
+ shorewall[-lite] drop 192.0.2.124 192.0.2.125Drops packets from hosts 192.0.2.124 and 192.0.2.125
@@ -227,7 +227,7 @@ ipset -B Blacklist 206.124.146.177 -b SMTP
Re-enable packets from a system
- shorewall allow 192.0.2.125
+ shorewall[-lite] allow 192.0.2.125Re-enables traffic from 192.0.2.125.
diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml
index 936a309c6..896c5cfbe 100644
--- a/docs/starting_and_stopping_shorewall.xml
+++ b/docs/starting_and_stopping_shorewall.xml
@@ -15,7 +15,7 @@
- 2006-06-04
+ 2006-06-122004
@@ -589,6 +589,13 @@
respectively. The default level of verbosity is determined by the
setting of the VERBOSITY option in
/etc/shorewall/shorewall.conf.
+
+ For Shorewall Lite, the general command form is:
+
+ shorewall-lite [ <options> ] <command> [
+ <command options> ] [ <argument> ... ]
+
+ where the options are the same as with Shorewall.Following in alphabetical order are the supported commands. Except
@@ -773,7 +780,8 @@
drop
- shorewall drop <address> ...
+ shorewall[-lite] drop <address>
+ ...Causes packets from the specified
<address> to be ignored
@@ -784,7 +792,7 @@
dump
- shorewall [ -x ] dump
+ shorewall[-lite] [ -x ] dumpProduce a verbose report about the firewall.
@@ -797,7 +805,7 @@
forget
- shorewall forget [ <filename>
+ shorewall[-lite] forget [ <filename>
]Deletes
@@ -813,8 +821,8 @@
help
- shorewall help [<command> | host | address
- ]
+ shorewall[-lite] help [<command> | host |
+ address ]Display helpful information about the shorewall
commands.
@@ -825,7 +833,7 @@
hits
- hits
+ shorewall[-lite] hitsProduces several reports about the Shorewall packet log
messages in the current log file specified by the LOGFILE option in
@@ -838,8 +846,8 @@
ipcalc
- shorewall ipcalc { <address> <mask> |
- <address>/<vlsm> }
+ shorewall[-lite] ipcalc { <address>
+ <mask> | <address>/<vlsm> }Ipcalc displays the network address, broadcast address,
network in CIDR notation and netmask corresponding to the
@@ -847,7 +855,8 @@
Example:
- ipcalc 192.168.1.0/24
+ shorewall[-lite] ipcalc
+ 192.168.1.0/24
@@ -855,7 +864,7 @@
iprange
- shorewall iprange
+ shorewall[-lite] iprange
<address1>-<address2>Iprange decomposes the specified range of IP addresses into
@@ -867,7 +876,7 @@
logdrop
- shorewall logdrop <address>
+ shorewall[-lite] logdrop <address>
...Causes packets from the specified
@@ -879,7 +888,7 @@
logwatch
- shorewall logwatch [ -m ] [<refresh
+ shorewall[-lite] logwatch [ -m ] [<refresh
interval>]Monitors the log file specified by theLOGFILE option in logreject
- shorewall logreject <address>
+ shorewall[-lite] logreject <address>
...Causes packets from the specified
@@ -926,7 +935,8 @@
reject
- shorewall reject <address> ...
+ shorewall[-lite] reject <address>
+ ...Causes packets from the specified
<address>s to be rejected
@@ -937,7 +947,7 @@
reset
- shorewall reset
+ shorewall[-lite] resetAll the packet and byte counters in the firewall are
reset.
@@ -948,7 +958,7 @@
restart
- shorewall [ -q ] restart
+ shorewall[-lite] [ -q ] restart
<configuration-directory>Restart is similar to shorewall stop
@@ -962,7 +972,7 @@
restore
- shorewall [ -q ] restore [ <filename>
+ shorewall[-lite] [ -q ] restore [ <filename>
]Restore Shorewall to a state saved using the
@@ -1016,15 +1026,16 @@
save
- shorewall save [ <filename> ]
+ shorewall[-lite] save [ <filename>
+ ]The dynamic data is stored in /var/lib/shorewall/save. The
state of the firewall is stored in
/var/lib/shorewall/<filename> for use by
- the shorewall restore and shorewall -f
- start commands. If <filename>
- is not given then the state is saved in the file specified by the
- RESTOREFILE option in shorewall[-lite] restore and
+ shorewall[-lite] -f start commands. If
+ <filename> is not given then the state is
+ saved in the file specified by the RESTOREFILE option in /etc/shorewall/shorewall.conf.
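Review bot: the command is now "shorewall[-lite] save", but the unchanged context lines still give "/var/lib/shorewall/save" and "/var/lib/shorewall/<filename>" as the storage paths and point at "/etc/shorewall/shorewall.conf" for RESTOREFILE. A later hunk in this file writes "/var/lib/shorewall[-lite]/restore", so these paths should get the same "[-lite]" treatment, or the text should say explicitly that Lite uses different locations.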
@@ -1033,40 +1044,52 @@
show
- shorewall [ -x ] show [ <chain> [ <chain>
- ...] |classifiers|connections|log|nat|tc|tos]
+ shorewall [ -x ] show actions (Not supported by
+ Shorewall Lite) — produces a list of actions available on
+ the system.
- shorewall [ -x ] show <chain> [ <chain>
- ... ] - produce a verbose report about the Netfilter
- chain(s). (iptables -L chain -n -v)
+ shorewall[-lite] [ -x ] show [ <chain> [
+ <chain> ...]
+ |classifiers|connections|log|nat|tc|tos]
- shorewall [ -x ] show mangle - produce a
- verbose report about the mangle table. (iptables -t mangle
- -L -n -v)
-
- shorewall [ -x ] show nat - produce a
- verbose report about the nat table. (iptables -t nat -L -n
+ shorewall[-lite] [ -x ] show <chain> [
+ <chain> ... ] - produce a verbose report about the
+ Netfilter chain(s). (iptables -L chain -n
-v)
- shorewall show [- m ] log - display the
- last 20 packet log entries. The '-m' option is available in
+ shorewall[-lite] [ -x ] show mangle -
+ produce a verbose report about the mangle table. (iptables
+ -t mangle -L -n -v)
+
+ shorewall[-lite] [ -x ] show nat - produce
+ a verbose report about the nat table. (iptables -t nat -L
+ -n -v)
+
+ shorewall[-lite] show [- m ] log - display
+ the last 20 packet log entries. The '-m' option is available in
Shorewall version 3.2.0 Beta5 and later and causes the MAC address
of each packet source to be displayed if that information is
available.
- shorewall show capabilities - Displays your
- kernel/iptables capabilities
+ shorewall[-lite] show capabilities -
+ Displays your kernel/iptables capabilities
- shorewall show connections - displays the
- IP connections currently being tracked by the firewall.
+ shorewall[-lite] show connections -
+ displays the IP connections currently being tracked by the
+ firewall.
- shorewall show classifiers - displays
- information about the traffic control/shaping classifiers.
+ shorewall[-lite] show classifiers -
+ displays information about the traffic control/shaping
+ classifiers.
- shorewall show tc - displays information
- about the traffic control/shaping configuration.
+ shorewall [ -x ] show macros (Not supported by
+ Shorewall Lite) — produces a list of macros available on
+ the system.
- shorewall show zones — Displays the
+ shorewall[-lite] show tc - displays
+ information about the traffic control/shaping configuration.
+
+ shorewall[-lite] show zones — Displays the
composition of each zone.When -x is given, that option is also passed to iptables to
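Review bot: the stray space in "[- m ]" on the "show log" entry survives the rewrite; it should be "[ -m ]" to match the "-m" named in the following sentence. The list also mixes " - " and " — " as the separator between command and description (actions, macros and zones use the em dash, the rest a hyphen); pick one. The "show actions" entry, which is not supported by Shorewall Lite, now sits above the general "show" syntax line; grouping it with "show macros" at the end would read better.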
@@ -1078,7 +1101,7 @@
start
- shorewall [ -q ] [ -f ] start [
+ shorewall[-lite] [ -q ] [ -f ] start [
<configuration-directory> ]Start shorewall. Existing connections through shorewall
@@ -1096,7 +1119,7 @@
stop
- shorewall stop
+ shorewall[-lite] stopStops the firewall. All existing connections, except those
listed in status
- shorewall status
+ shorewall[-lite] statusProduce a short report about the firewall's status and state
relative to the diagram below.
@@ -1146,7 +1169,7 @@
version
- shorewall version
+ shorewall[-lite] versionShow the current shorewall version
@@ -1161,13 +1184,6 @@
- You will note that mose of the commands that result in state
- transitions use the word firewall rather than
- shorewall. That is because the actual transitions are done
- by /usr/share/shorewall/firewall;
- /sbin/shorewall runs firewall according
- to the following table:
-
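Review bot: the removed paragraph was the lead-in to "the following table" that maps shorewall commands to firewall script invocations; if that table is still present below, it now has no introduction, and if it was removed too, that removal belongs in this hunk's context so the two can be reviewed together.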
@@ -1268,11 +1284,11 @@
The only time that a program other than
- /usr/share/shorewall/firewall performs a state
- transition itself is when it executes the shorewall
+ /usr/share/shorewall[-lite[/firewall performs a state
+ transition itself is when it executes the shorewall[-lite]
restore command is executed. In that case, the
- /var/lib/shorewall/restore program sets the state to
- "Started".
+ /var/lib/shorewall[-lite]/restore program sets the
+ state to "Started".
Notes for Shorewall 3.2.0 and Later
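Review bot: "/usr/share/shorewall[-lite[/firewall" has an unbalanced bracket and should be "/usr/share/shorewall[-lite]/firewall". The sentence also still reads "when it executes the shorewall[-lite] restore command is executed", with a redundant "is executed" coming from the unchanged context line; drop one of the two verbs while rewriting this sentence.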
diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml
index 162b236a2..f4c8f62b3 100644
--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@@ -191,6 +191,52 @@
+
+
+ Beginning with this release, the way in which packet marking in
+ the PREROUTING chain interracts with the 'track' option in
+ /etc/shorewall/providers has changed in two ways:
+
+
+
+ Packets arriving on a tracked interface are now passed to
+ the PREROUTING marking chain so that they may be marked with a
+ mark other than the 'track' mark (the connection still retains the
+ 'track' mark).
+
+
+
+ When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on
+ packets in the PREROUTING chain (i.e., you can specify a mark
+ value of zero).
+
+
+
+
+
+ Kernel version 2.6.16 introduces 'xtables', a new common packet
+ filtering and connection tracking facility that supports both IPv4 and
+ IPv6. Because a different set of kernel modules must be loaded for
+ xtables, Shorewall now includes two 'modules' files:
+
+
+
+ /usr/share/shorewall/modules -- the
+ former /etc/shorewall/modules
+
+
+
+ /usr/share/shorewall/xmodules -- a new file that support
+ xtables.
+
+
+
+ If you wish to use the new file, then simply execute this
+ command:
+
+ cp -f /usr/share/shorewall/xmodules
+ /etc/shorewall/modules
+
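Review bot: "interracts" should be "interacts" and "a new file that support xtables" should be "supports". The suggested "cp -f /usr/share/shorewall/xmodules /etc/shorewall/modules" overwrites /etc/shorewall/modules without prompting; since the text identifies that file as the user's former modules file, add a note that any local edits to it will be lost, or suggest backing it up first.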
diff --git a/tools/build/makeshorewall b/tools/build/makeshorewall
index 8fe16d061..cdeaf3401 100755
--- a/tools/build/makeshorewall
+++ b/tools/build/makeshorewall
@@ -59,7 +59,7 @@ DIR=$PWD
#
# location and options for GnuPG
#
-GPG="/usr/bin/gpg -ab --batch --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'"
+GPG="/usr/bin/gpg -ab --no-use-agent --comment 'To verify this, you can download our public key at https://lists.shorewall.net/shorewall.gpg.key'"
################################################################################
# V A R I A B L E S
################################################################################
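Review bot: replacing "--batch" with "--no-use-agent" changes gpg from non-interactive to interactive signing: without "--batch", gpg prompts on the terminal for the signing key's passphrase, and a build run without a tty will stall there. If that is the intent (passphrase entered at the terminal rather than through gpg-agent), a comment above the GPG line saying so would stop the next person from restoring "--batch". Note also that "--no-use-agent" is a GnuPG 1.x option that later GnuPG versions ignore.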