diff --git a/docs/Actions.xml b/docs/Actions.xml index 51f5a2e24..ba6f369ce 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -113,8 +113,8 @@ ACCEPT - - tcp 135,139,445 /etc/shorewall/actions and are defined in action.* files in /etc/shorewall or in another directory - listed in your CONFIG_PATH (defined in /etc/shorewall/shorewall.conf). + listed in your CONFIG_PATH (defined in /etc/shorewall/shorewall.conf). @@ -164,8 +164,8 @@ ACCEPT - - tcp 135,139,445 In addition, the default specified in /etc/shorewall/shorewall.conf may be overridden by - specifying a different default in the POLICY column of /etc/shorewall/policy. + specifying a different default in the POLICY column of /etc/shorewall/policy. Entries in the DROP and REJECT default actions Shorewall-lite. Shorewall allows for central administration of multiple firewalls through use of - Shorewall lite. The full Shorewall product (along with Shorewall-shell - and/or Shorewall-perl) are installed on a central administrative - system where compiled Shorewall scripts are generated. These scripts - are copied to the firewall systems where they run under the control of - Shorewall-lite. + Shorewall lite. The full Shorewall product (including Shorewall-common + with Shorewall-shell and/or Shorewall-perl) is installed on a central + administrative system where compiled Shorewall scripts are generated. + These scripts are copied to the firewall systems where they run under + the control of Shorewall-lite. @@ -77,7 +77,7 @@ Shorewall-common The Shorewall-common package includes a large number of files which - are installed in /sbin, /sbin, /usr/share/shorewall, /etc/shorewall, /etc/init.d and /sbin - The /sbin/shorewall shell program is use to + The /sbin/shorewall shell program is used to interact with Shorewall. See shorewall(8). 
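Review bot: the directory list in the Shorewall-common paragraph touched by the -77 hunk reads "/sbin, /sbin, /usr/share/shorewall, /etc/shorewall, /etc/init.d and /sbin", naming /sbin three times; since the hunk already rewrites the next sentence ("is use to" to "is used to"), widen it by a line and reduce the list to "/sbin, /usr/share/shorewall, /etc/shorewall and /etc/init.d".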
@@ -208,7 +208,7 @@ - .iptables-restore-input - The file passed + .iptables-restore-input - The file passed as input to the iptables-restore program to initialize the firewall during the last start or restart command (see .modulesdir - The MODULESDIR setting (shorewall.conf(5)) at the - last start or restart. + last start or restart. @@ -358,10 +358,10 @@
Shorewall-lite - The Shorewall-lite product includes files installed in /sbin, /usr/share/shorewall-lite, /etc/shorewall-lite, + The Shorewall-lite product includes files installed in /sbin, /usr/share/shorewall-lite, /etc/shorewall-lite, /etc/init.d and /var/lib/shorewall/. These are described in the sub-sections that follow. @@ -463,7 +463,7 @@ - .iptables-restore-input - The file passed + .iptables-restore-input - The file passed as input to the iptables-restore program to initialize the firewall during the last start or restart command (see All extension scripts used are copied into the program (with the exception of those - executed a compile-time by Shorewall-perl). The + executed at compile-time by Shorewall-perl). The ramifications of this are: @@ -152,8 +152,8 @@ Specifies the compiler to use. Overrides the - SHOREWALL_COMPILER setting in shorewall.conf. + SHOREWALL_COMPILER setting in shorewall.conf. 
@@ -206,15 +206,15 @@ /etc/shorewall/shorewall.conf must be readable by all users on the administrative system. Not all packages secure the files that way and you may have to change the file permissions - yourself. /sbin/shorewall uses the SHOREWALL_COMPILER setting to - determine which compiler to launch. If the compiler is - shorewall-shell, then the SHOREWALL_SHELL setting from - /etc/shorewall/shorewall.conf determines the - shell to use. /sbin/shorewall also uses the VERBOSITY setting for - determining how much output the compiler generates. All other - settings are taken from the shorewall.conf file - in the remote systems export directory (see - below). + yourself. /sbin/shorewall uses the + SHOREWALL_COMPILER setting to determine which compiler to launch. If + the compiler is shorewall-shell, then the SHOREWALL_SHELL setting + from /etc/shorewall/shorewall.conf determines + the shell to use. /sbin/shorewall also uses the + VERBOSITY setting for determining how much output the compiler + generates. All other settings are taken from the + shorewall.conf file in the remote systems + export directory (see below). @@ -234,12 +234,14 @@ On the administrative system you create a separate 'export directory' for each firewall system. You copy the contents of - /usr/share/shorewall/configfiles into each export directory. + /usr/share/shorewall/configfiles + into each export directory. If you are running Debian or one of its derivatives like Ubuntu - then edit /etc/default/shorewall-lite and set startup=1. + then edit /etc/default/shorewall-lite and set + startup=1. @@ -268,7 +270,7 @@ The value of CONFIG_PATH in - /etc/shorewall/shorewall.conf is ignored + /etc/shorewall/shorewall.conf is ignored when compiling for export (the -e option in given) and when the load or reload command is being executed (see below). 
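Review bot: "the shorewall.conf file in the remote systems export directory" survives the rewrap in the + lines of the -206 hunk with the possessive still missing; as every line of this paragraph is being replaced, make it "remote system's export directory" in the same change.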
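Review bot: the context line "when compiling for export (the -e option in given)" in the -268 hunk should read "is given"; the hunk edits the line directly above it, so extending it by one line fixes the typo without a separate commit.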
@@ -535,8 +537,8 @@ clean: Install Shorewall Lite on the firewall system. If you are running Debian or one of its derivatives like - Ubuntu then edit /etc/default/shorewall-lite and set - startup=1. + Ubuntu then edit /etc/default/shorewall-lite and + set startup=1. @@ -546,12 +548,12 @@ clean: administrative system in the firewall system's routestopped file. - Also, edit the shorewall.conf file in the firewall's export - directory and change the CONFIG_PATH setting to remove /etc/shorewall. You can replace it with - /usr/share/shorewall/configfiles if you - like. + Also, edit the shorewall.conf file in the + firewall's export directory and change the CONFIG_PATH setting to + remove /etc/shorewall. You can + replace it with /usr/share/shorewall/configfiles if + you like. Example: @@ -605,8 +607,9 @@ clean: url="starting_and_stopping_shorewall.htm#Load">load command compiles a firewall script from the configuration files in the current working directory (using shorewall compile - -e), copies that file to the remote system via scp and - starts Shorewall Lite on the remote system via ssh. + -e), copies that file to the remote system via + scp and starts Shorewall Lite on the remote system + via ssh. @@ -621,14 +624,15 @@ clean: url="starting_and_stopping_shorewall.htm#Reload">reload command compiles a firewall script from the configuration files in the current working directory (using shorewall compile - -e), copies that file to the remote system via scp and - restarts Shorewall Lite on the remote system via ssh. + -e), copies that file to the remote system via + scp and restarts Shorewall Lite on the remote + system via ssh. If the kernel/iptables configuration on the firewall later - changes and you need to create a new capabilities file, do the - following: + changes and you need to create a new + capabilities file, do the following: /usr/share/shorewall-lite/shorecap > capabilities scp capabilities <admin system>:<this system's config dir> 
@@ -645,8 +649,9 @@ clean: The /etc/shorewall/capabilities file and the shorecap program - As mentioned above, the /etc/shorewall/capabilities file specifies - that kernel/iptables capabilities of the target system. Here is a sample + As mentioned above, the + /etc/shorewall/capabilities file specifies that + kernel/iptables capabilities of the target system. Here is a sample file:
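Review bot: the + lines of the -645 hunk keep "specifies that kernel/iptables capabilities of the target system"; a whole-sentence rewrap is the place to change "that" to "the", otherwise the original typo is carried forward verbatim.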
@@ -690,8 +695,8 @@ CAPVERSION=30405 To aid in creating this file, Shorewall Lite includes a shorecap program. The program is installed in the - /usr/share/shorewall-lite/ directory and may be run - as follows: + /usr/share/shorewall-lite/ directory + and may be run as follows:
[ IPTABLES=<iptables binary> ] [ @@ -707,23 +712,23 @@ CAPVERSION=30405 system with Shorewall installed and used when compiling firewall programs to run on the remote system. - Beginning with Shorewall Lite version 3.2.2, the capabilities file - may also be creating using - /sbin/shorewall-lite:
+ Beginning with Shorewall Lite version 3.2.2, the + capabilities file may also be creating using + /sbin/shorewall-lite:
shorewall-lite show -f capabilities > capabilities
- Note that unlike the shorecap program, the show - capabilities command shows the kernel's current capabilities; it - does not attempt to load additional kernel modules. + Note that unlike the shorecap program, the + show capabilities command shows the kernel's current + capabilities; it does not attempt to load additional kernel modules.
Running compiled programs directly Compiled firewall programs are complete programs that support the - following run-line commands: + following command line forms:
@@ -753,9 +758,9 @@ CAPVERSION=30405
- The options have their same meaning is when they are passed to + The options have the same meanings as when they are passed to /sbin/shorewall itself. The default VERBOSITY level - is the level specified in the shorewall.conf file used when then program - was compiled. + is the level specified in the shorewall.conf file used + when the program was compiled.
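Review bot: "the capabilities file may also be creating using /sbin/shorewall-lite" is still wrong in the rewritten + lines of the -707 hunk; "creating" should be "created", and since all three lines are replaced anyway this is the place to fix it. The wording change "run-line commands" to "command line forms" in the same hunk is fine.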
diff --git a/docs/FAQ.xml b/docs/FAQ.xml index 876609286..6fb2e858e 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -58,7 +58,7 @@ (FAQ 37) I just installed Shorewall on Debian and the /etc/shorewall directory is almost empty!!! - Answer: + Answer: Once you have installed the .deb package and before you attempt @@ -83,7 +83,7 @@ (FAQ 37a) I just installed Shorewall on Debian and I can't find the sample configurations. - Answer: With Shorewall 3.x, the + Answer: With Shorewall 3.x, the samples are included in the shorewall package and are installed in /usr/share/doc/shorewall/examples/. @@ -97,7 +97,7 @@ (FAQ 75) I can't find the Shorewall 4.x shorewall-common RPM. Where is it? - Answer: If you use Simon Matter's + Answer: If you use Simon Matter's Redhat/Fedora/CentOS rpms, be aware that Simon calls the shorewall-common RPM shorewall. So you should download and install the @@ -113,14 +113,14 @@ (FAQ 66) I'm trying to upgrade to Shorewall 4.0; where is the 'shorewall' package? - Answer: Please see the Answer: Please see the upgrade issues.
(FAQ 66a) I'm trying to upgrade to Shorewall 4.0; do I have to uninstall the 'shorewall' package? - Answer: Please see the Answer: Please see the upgrade issues.
@@ -128,7 +128,7 @@ (FAQ 66b) I'm trying to upgrade to Shorewall 4.0: which of these packages do I need to install? - Answer: Please see the Answer: Please see the upgrade issues. @@ -142,9 +142,9 @@ allow the installer to replace their working /etc/shorewall/shorewall.conf with one that has default settings. Failure to forward traffic (such as during masqueraded - net access from a local network) usually means that /etc/shorewall/shorewall.conf contains the Debian - default setting IP_FORWARDING=Keep; it should be + net access from a local network) usually means that /etc/shorewall/shorewall.conf + contains the Debian default setting IP_FORWARDING=Keep; it should be IP_FORWARDING=On.
@@ -339,7 +339,7 @@ DNAT net:address loc:local-IP-address - Answer:In + Answer:In /etc/shorewall/rules: #ACTION SOURCE DEST PROTO DEST PORT @@ -352,7 +352,7 @@ DNAT net loc:192.168.1.3:22 tcp 1022 works fine but when my local users try to connect to the server using the Firewall's external IP address, it doesn't work. - Answer: See Answer: See FAQ 2b.
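Review bot: "Answer:In /etc/shorewall/rules:" in the -339 hunk has no space after the colon in either the removed or the added line, while the rest of this commit normalizes that prefix (for example "Answer:It would" becomes "Answer: It would" in the -492 hunk); add the space here as well so the FAQ answers render consistently.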
@@ -378,13 +378,13 @@ DNAT net fw:192.168.1.1:22 tcp 4104 (FAQ 1f) Why must the server that I port forward to have it's default gateway set to my Shorewall system's IP address? - Answer: Let's take an example. + Answer: Let's take an example. Suppose that Your Shorewall firewall's external IP address is - 206.124.146.176 (eth0) and internal IP address 192.168.1.1 + 206.124.146.176 (eth0) and its internal IP address is 192.168.1.1 (eth1). @@ -419,7 +419,7 @@ DNAT net loc:192.168.1.4 tcp 21 - 206.1 - 16.105.221.4 sends a TCP syn packet to 206.124.146.176 + 16.105.221.4 sends a TCP SYN packet to 206.124.146.176 specifying destination port 21. @@ -465,7 +465,7 @@ eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21 - Answer: This requires a vile + Answer: This requires a vile hack similar to the one in FAQ 2. Assuming that your Internet zone is named net and connects on interface eth0: @@ -492,7 +492,7 @@ eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993(FAQ 30) I'm confused about when to use DNAT rules and when to use ACCEPT rules. - Answer:It would be a good idea to + Answer: It would be a good idea to review the QuickStart Guide appropriate for your setup; the guides cover this topic in a tutorial fashion. DNAT rules should be used for connections that need @@ -509,7 +509,7 @@ eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993 (FAQ 38) Where can I find more information about DNAT? - Answer: Ian Allen has written a + Answer: Ian Allen has written a Paper about DNAT and Linux. @@ -518,7 +518,7 @@ eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993(FAQ 48) How do I Set up Transparent HTTP Proxy with Shorewall? - Answer: See Answer: See Shorewall_Squid_Usage.html. 
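Review bot: the FAQ 1f question shown as context in the -378 hunk still reads "have it's default gateway set to my Shorewall system's IP address"; that should be "its", and it sits one line above the answer lines already being rewritten, so it can be fixed in the same hunk.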
@@ -624,8 +624,10 @@ DNAT loc loc:192.168.1.5 tcp www - If you are running Shorewall 3.2.6 on a Debian-based - system, the call to find_first_interface_address in - /etc/shorewall/params must be preceded with a load of the + system, the call to + find_first_interface_address in + /etc/shorewall/params must be preceded with + a load of the Shorewall function library:. /usr/share/shorewall/functions ETH0_IP=`find_first_interface_address eth0` @@ -704,7 +706,7 @@ dmz eth2 192.168.2.255 routeback www.mydomain.com. That works fine but when my local users try to connect to www.mydomain.com, it doesn't work. - Answer: Let's assume the + Answer: Let's assume the following: @@ -728,9 +730,9 @@ dmz eth2 192.168.2.255 routeback If your external IP address is dynamic, then you must do the following: - In /etc/shorewall/params (or in your - export-directory/init file if you are using - Shorewall Lite on the firewall system): + In /etc/shorewall/params (or in your + <export directory>/init file if you are using + Shorewall Lite on the firewall system): ETH0_IP=`find_first_interface_address eth0` @@ -751,7 +753,8 @@ DNAT loc dmz:192.168.2.4 tcp 80 - If you are running Shorewall 3.2.6 on a Debian-based system, - the call to find_first_interface_address in /etc/shorewall/params + the call to find_first_interface_address in + /etc/shorewall/params must be preceded with a load of the Shorewall function library:. /usr/share/shorewall/functions ETH0_IP=`find_first_interface_address eth0` @@ -762,7 +765,7 @@ DNAT loc dmz:192.168.2.4 tcp 80 - (FAQ 2c) I tried to apply the answer to FAQ 2 to my external interface and the net zone and it didn't work. Why? - Answer: Did you set Answer: Did you set IP_FORWARDING=On in shorewall.conf? 
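Review bot: the stray period in "must be preceded with a load of the Shorewall function library:." is kept in the rewrapped lines of both the -624 and the -751 hunk; the colon introduces the code sample that follows, so drop the period in both places while those lines are being replaced.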
@@ -776,13 +779,14 @@ DNAT loc dmz:192.168.2.4 tcp 80 - (FAQ 63) I just blacklisted IP address 206.124.146.176 and I can still ping it. What did I do wrong? - Answer: Nothing. + Answer: Nothing. Blacklisting an IP address blocks incoming traffic from that IP - address. And if you set BLACKLISTNEWONLY=Yes in shorewall.conf, then - only new connections from that address - are disallowed; traffic from that address that is part of an established - connection (such as ping replies) is allowed. + address. And if you set BLACKLISTNEWONLY=Yes in + shorewall.conf, then only new connections + from that address are disallowed; + traffic from that address that is part of an established connection + (such as ping replies) is allowed. @@ -794,7 +798,7 @@ DNAT loc dmz:192.168.2.4 tcp 80 - Answer: There is an H.323 + url="http://www.kfki.hu/~kadlec/sw/netfilter/newnat-suite/">H.323 connection tracking/NAT module that helps with Netmeeting. Note however that one of the Netfilter developers recently posted the following: @@ -965,8 +969,9 @@ to debug/develop the newnat interface.
- The entry for the local network in the /etc/shorewall/masq - file is wrong or missing. + The entry for the local network in the + /etc/shorewall/masq file is wrong or + missing. @@ -993,7 +998,7 @@ to debug/develop the newnat interface.
(FAQ 29) FTP Doesn't Work - Answer:See the Answer: See the Shorewall and FTP page.
@@ -1002,23 +1007,23 @@ to debug/develop the newnat interface.
sites fail. Connections to the same sites from the firewall itself work fine. What's wrong. - Answer: Most likely, you need to - set CLAMPMSS=Yes in /etc/shorewall/shorewall.conf. + Answer: Most likely, you need to + set CLAMPMSS=Yes in /etc/shorewall/shorewall.conf.
(FAQ 35) I have two Ethernet interfaces to my local network which I have bridged. When Shorewall is started, I'm unable to pass traffic through the bridge. I have defined the bridge interface (br0) as the - local interface in /etc/shorewall/interfaces; the bridged Ethernet - interfaces are not defined to Shorewall. How do I tell Shorewall to - allow traffic through the bridge? + local interface in /etc/shorewall/interfaces; the + bridged Ethernet interfaces are not defined to Shorewall. How do I tell + Shorewall to allow traffic through the bridge? - Answer: Add the + Answer: Add the routeback option to br0 in /etc/shorewall/interfaces. + class="devicefile">br0 in /etc/shorewall/interfaces. For more information on this type of configuration, see the Shorewall Simple Bridge @@ -1063,14 +1068,14 @@ to debug/develop the newnat interface. kernel's equivalent of syslog (see man syslog) to log messages. It always uses the LOG_KERN (kern) facility (see man openlog) and you get to choose the log level (again, see - man syslog) in your policies and rules. The destination for - messages logged by syslog is controlled by + man syslog) in your policies and + rules. + The destination for messages logged by syslog is controlled by /etc/syslog.conf (see man - syslog.conf). When you have changed /etc/syslog.conf, be sure to - restart syslogd (on a RedHat system, service syslog - restart). + syslog.conf). When you have changed + /etc/syslog.conf, be sure to restart syslogd (on a + RedHat system, service syslog restart). By default, older versions of Shorewall rate-limited log messages through settings in @@ -1092,11 +1097,9 @@ LOGBURST="" http://www.shorewall.net/pub/shorewall/parsefw/ - http://www.fireparse.com + http://aaron.marasco.com/linux.html http://cert.uni-stuttgart.de/projects/fwlogwatch http://www.logwatch.org - http://gege.org/iptables - http://home.regit.org/ulogd-php.html I personally use
(FAQ 6b) DROP messages on port 10619 are flooding the logs with - their connect requests. Can i exclude these error messages for this + their connect requests. Can I exclude these error messages for this port temporarily from logging in Shorewall? - Answer:Temporarily add the + Answer: Temporarily add the following rule: #ACTION SOURCE DEST PROTO DEST PORT(S) @@ -1153,7 +1156,7 @@ DROP net fw udp 10619 (FAQ 6d) Why is the MAC address in Shorewall log messages so long? I thought MAC addresses were only 6 bytes in length. - Answer:What is labeled as the + Answer: What is labeled as the MAC address in a Netfilter (Shorewall) log message is actually the Ethernet frame header. It contains: @@ -1228,7 +1231,8 @@ teastep@ursa:~$ The first number determines the maximum log If, on your system, the first number is 7 or greater, then the default Shorewall configurations will cause messages to be written to your console. The simplest solution is to add this to your - /etc/sysctl.conf file:kernel.printk = 4 4 1 7 + /etc/sysctl.conf + file:kernel.printk = 4 4 1 7 thensysctl -p /etc/sysctl.conf @@ -1319,10 +1323,10 @@ teastep@ursa:~$ The first number determines the maximum log or all2all - You have a policy that specifies - a log level and this packet is being logged under that policy. If - you intend to ACCEPT this traffic then you need a You have a policy that + specifies a log level and this packet is being logged under that + policy. If you intend to ACCEPT this traffic then you need a rule to that effect. @@ -1340,7 +1344,7 @@ teastep@ursa:~$ The first number determines the maximum log Either you have a policy for - zone1 to zone2 that + zone1 to zone2 that specifies a log level and this packet is being logged under that policy or this packet matches a rule that includes a 
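Review bot: the -1092 hunk swaps http://www.fireparse.com for http://aaron.marasco.com/linux.html and deletes http://gege.org/iptables and http://home.regit.org/ulogd-php.html, but the list consists of bare URLs with no tool names, so nothing tells a reader which log analyser the replacement link now stands for or whether the two removed tools are simply gone; add the tool name beside each remaining URL so the list stays useful when a host moves again.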
@@ -1399,7 +1403,7 @@ teastep@ursa:~$ The first number determines the maximum log role="bold">routeback option on that interface in /etc/shorewall/interfaces - , you need the , you need the routeback option in the relevant entry in /etc/shorewall/hosts @@ -1528,9 +1532,6 @@ teastep@ursa:~$ The first number determines the maximum log - For additional information about the log message, see http://logi.cc/linux/netfilter-log-format.php3. - In this case, 192.168.2.2 was in the dmz zone and 192.168.1.3 is in the loc zone. I was missing the rule: @@ -1564,7 +1565,7 @@ teastep@ursa:~$ The first number determines the maximum log (ICMP) with ping, ICMP is a key piece of IP. ICMP is used to report problems back to the sender of a packet; this is what is happening here. Unfortunately, where NAT is involved (including SNAT, - DNAT and Masquerade), there are a lot of broken implementations. That is + DNAT and Masquerade), there are many broken implementations. That is what you are seeing with these messages. When Netfilter displays these messages, the part before the "[" describes the ICMP packet and the part between the "[" and "]" describes the packet for which the ICMP is a @@ -1607,7 +1608,7 @@ teastep@ursa:~$ The first number determines the maximum log SRC=130.252.100.59 DST=206.124.146.176 LEN=64 TOS=0x00 PREC=0x00 TTL=43 ID=42444 DF PROTO=TCP SPT=2215 DPT=139 WINDOW=53760 RES=0x00 SYN URGP=0 - Answer: Please refer to the + Answer: Please refer to the Shorewall Netfilter Documentation. Logging of REDIRECT and DNAT rules occurs in the nat table's PREROUTING chain where the original destination IP address @@ -1637,7 +1638,7 @@ modprobe: Can't locate module iptable_raw (FAQ 32) My firewall has two connections to the Internet from two different ISPs. How do I set this up in Shorewall? - Answer: See Answer: See this article on Shorewall and Multiple ISPs.
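Review bot: the -1528 hunk deletes "For additional information about the log message, see http://logi.cc/linux/netfilter-log-format.php3." without a replacement; that sentence was the only pointer in this FAQ to a field-by-field description of the Netfilter log format, so if the link is dead, substitute another description of the format rather than removing the pointer entirely.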
@@ -1646,7 +1647,7 @@ modprobe: Can't locate module iptable_raw (FAQ 49) When I start Shorewall, my routing table gets blown away. Why does Shorewall do that? - Answer: This is usually the + Answer: This is usually the consequence of a one-to-one nat configuration blunder: @@ -1679,10 +1680,10 @@ modprobe: Can't locate module iptable_raw stop, I can't connect to anything. Why doesn't that command work? - Answer:The + Answer: The stop command is intended to place your firewall into a safe state whereby only those hosts listed in - /etc/shorewall/routestopped' are activated. If you + /etc/shorewall/routestopped are activated. If you want to totally open up your firewall, you must use the shorewall[-lite] clear command.
@@ -1723,8 +1724,8 @@ rmmod ipchains (FAQ 9) Why can't Shorewall detect my interfaces properly at startup? - I just installed Shorewall and when I issue the start command, I - see the following: + I just installed Shorewall and when I issue the + start command, I see the following: Processing /etc/shorewall/params ... Processing /etc/shorewall/shorewall.conf ... @@ -1745,38 +1746,38 @@ Creating input Chains... Why can't Shorewall detect my interfaces properly? Answer: The above output is - perfectly normal. The Net zone is defined as all hosts that are - connected through eth0 and the local zone is defined as all hosts - connected through eth1. You can - set the routefilter option on an - internal interface if you wish to guard against - 'Martians' (a Martian is a packet with a source - IP address that is not routed out of the interface on which the packet - was received). If you do that, it is a good idea to also set the - logmartians option. + perfectly normal. The Net zone is defined as all hosts that are connected + through eth0 and the local zone + is defined as all hosts connected through eth1. You can set the routefilter option on an internal interface if + you wish to guard against 'Martians' (a Martian is + a packet with a source IP address that is not routed out of the interface + on which the packet was received). If you do that, it is a good idea to + also set the logmartians option.
(FAQ 22) I have some iptables commands that I want to run when Shorewall starts. Which file do I put them in? - Answer:You can place these + Answer:You can place these commands in one of the Shorewall Extension Scripts. Be sure that you look at the contents of the chain(s) - that you will be modifying with your commands to be sure that the - commands will do what they are intended. Many iptables commands - published in HOWTOs and other instructional material use the -A command - which adds the rules to the end of the chain. Most chains that Shorewall - constructs end with an unconditional DROP, ACCEPT or REJECT rule and any - rules that you add after that will be ignored. Check man - iptables and look at the -I (--insert) command. + that you will be modifying with your commands so that the commands will + do what is intended. Many iptables commands published in HOWTOs and other + instructional material use the -A command which adds the rules to the end + of the chain. Most chains that Shorewall constructs end with an + unconditional DROP, ACCEPT or REJECT rule and any rules that you add + after that will be ignored. Check man iptables and look at + the -I (--insert) command.
(FAQ 34) How can I speed up Shorewall start (restart)? - Answer: Switch to using Answer: Switch to using Shorewall-perl.
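Review bot: "Answer:You can place these" in the -1745 hunk keeps the missing space after the colon in both the removed and the added line, which is inconsistent with the "Answer: " prefix this commit applies elsewhere (for example "Answer:See the" becomes "Answer: See the" in the -993 hunk); add the space since the line is being rewritten anyway.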
@@ -1784,7 +1785,7 @@ Creating input Chains... (FAQ 69) When I restart Shorewall, new connections are blocked for a long time. Is there a way to avoid that? - Answer: Switch to using Answer: Switch to using Shorewall-perl. @@ -1792,11 +1793,11 @@ Creating input Chains... (FAQ 43) I just installed the Shorewall RPM and Shorewall doesn't start at boot time. - Answer: When you install using + Answer: When you install using the "rpm -U" command, Shorewall doesn't run your distribution's tool for configuring Shorewall startup. You will need to run that tool (insserv, chkconfig, run-level editor, …) to configure Shorewall to start in the - run-levels that you run your firewall system at. + the default run-levels of your firewall system.
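Review bot: the -1792 hunk introduces a doubled word: the unchanged line ends "to configure Shorewall to start in the" and the added line begins "the default run-levels of your firewall system", so the rendered sentence reads "start in the the default run-levels". Either drop the leading "the" from the added line or shorten the context line to end with "to start in".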
@@ -1816,7 +1817,7 @@ Masqueraded Networks and Hosts: iptables: Invalid argument ERROR: Command "/sbin/iptables -t nat -A …" Failed - Answer: 99.999% of the time, this + Answer: 99.999% of the time, this error is caused by a mismatch between your iptables and kernel. @@ -1839,7 +1840,7 @@ iptables: Invalid argument (FAQ 59) After I start Shorewall, there are lots of unused Netfilter modules loaded. How do I avoid that? - Answer: Copy + Answer: Copy /usr/share/shorewall[-lite]/modules to /etc/shorewall/modules and modify the copy to include only the modules that you need. @@ -1893,7 +1894,7 @@ iptables: Invalid argument ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" failed. - Answer: At a root shell prompt, + Answer: At a root shell prompt, type the iptables command shown in the error message. If the command fails, you OpenVZ Netfilter/iptables configuration is incorrect. Until that command can run without error, no stateful iptables firewall will @@ -1939,11 +1940,11 @@ iptables: Invalid argument
- (FAQ 74) When I "shorewall start" or "shorewall check" on my SuSE - 10.0 system, I get FATAL ERROR messages and/or the system - crashes" + (FAQ 74) When I "<command>shorewall start</command>" or + "<command>shorewall check</command>" on my SuSE 10.0 system, I get FATAL + ERROR messages and/or the system crashes" - Answer: These failures result + Answer: These failures result from trying to load a particular combination of kernel modules. To work around the problem: @@ -1984,7 +1985,7 @@ iptables: Invalid argument (FAQ 58) But if I specify 'balance' then won't Shorewall balance the traffic between the interfaces? I don't want that! - Answer: Suppose that you want all + Answer: Suppose that you want all traffic to go out through ISP1 (mark 1) unless you specify otherwise. Then simply add these two rules as the first marking rules in your /etc/shorewall/tcrules file: @@ -2012,7 +2013,7 @@ We have an error talking to the kernel ERROR: Command "tc filter add dev eth2 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 500kbit burst 10k drop flowid :1" FailedAnswer: This message indicates that your kernel + role="bold">Answer: This message indicates that your kernel doesn't have 'traffic policing' support. If your kernel is modularized, you may be able to resolve the problem by loading the act_police kernel module. Other kernel modules @@ -2034,7 +2035,7 @@ We have an error talking to the kernel
(FAQ 10) What Distributions does Shorewall work with? - Answer: Shorewall works with any + Answer: Shorewall works with any GNU/Linux distribution that includes the proper prerequisites.
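Review bot: the unmatched quotation mark at the end of "and/or the system crashes"" is carried over into the rewritten FAQ 74 question in the -1939 hunk; there is no opening quote anywhere in the heading, so delete it. Also confirm that the `<command>shorewall start</command>` and `<command>shorewall check</command>` wrappers added in the same lines are real DocBook elements rather than escaped text, since they appear literally in this diff view while the other inline markup in these files does not.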
@@ -2068,7 +2069,7 @@ We have an error talking to the kernel
(FAQ 23) Why do you use such ugly fonts on your web site? - Answer: The Shorewall web site is + Answer: The Shorewall web site is almost font neutral (it doesn't explicitly specify fonts except on a few pages) so the fonts you see are largely the default fonts configured in your browser. If you don't like them then reconfigure your @@ -2079,7 +2080,7 @@ We have an error talking to the kernel (FAQ 25) How do I tell which version of Shorewall or Shorewall Lite I am running? - Answer: At the shell prompt, + Answer: At the shell prompt, type: /sbin/shorewall[-lite] version @@ -2088,7 +2089,7 @@ We have an error talking to the kernel (FAQ 25a) How do I tell which version of Shorewall-perl and Shorewall-shell that I have installed? - Answer: At the shell prompt, + Answer: At the shell prompt, type: /sbin/shorewall version -a @@ -2104,7 +2105,7 @@ We have an error talking to the kernel internal LAP IP address as the source address? - Answer: Yes. + Answer: Yes. @@ -2113,7 +2114,7 @@ We have an error talking to the kernel fragments? - Answer: This is the + Answer: This is the responsibility of the IP stack, not the Netfilter-based firewall since fragment reassembly occurs before the stateful packet filter ever touches each packet. @@ -2125,7 +2126,7 @@ We have an error talking to the kernel broadcast address as the source address? - Answer: Shorewall can be + Answer: Shorewall can be configured to do that using the blacklisting facility. Shorewall versions 2.0.0 and later filter these packets under the @@ -2139,7 +2140,7 @@ We have an error talking to the kernel source and destination address? - Answer: Yes, if the Answer: Yes, if the routefilter interface option is selected. 
@@ -2149,7 +2150,7 @@ We have an error talking to the kernel DOS: - SYN Dos - ICMP Dos - Per-host Dos protection - Answer: Shorewall has + Answer: Shorewall has facilities for limiting SYN and ICMP packets. Netfilter as included in standard Linux kernels doesn't support per-remote-host limiting except by explicit rule that specifies the host IP @@ -2162,7 +2163,7 @@ We have an error talking to the kernel
(FAQ 65) How do I accomplish failover with Shorewall? - Answer: Answer: This article by Paul Gear should help you get started.
@@ -2182,8 +2183,8 @@ We have an error talking to the kernel modem in/out but still block all other rfc1918 addresses?
Answer: Add the following to - /etc/shorewall/rfc1918 + /etc/shorewall/rfc1918 (Note: If you are running Shorewall 2.0.0 or later, you may need to first copy /usr/share/shorewall/rfc1918 to /etc/shorewall/rfc1918): @@ -2197,9 +2198,10 @@ We have an error talking to the kernel If you add a second IP address to your external firewall interface to correspond to the modem address, you must also make an - entry in /etc/shorewall/rfc1918 for that address. For example, if you - configure the address 192.168.100.2 on your firewall, then you would - add two entries to /etc/shorewall/rfc1918: + entry in /etc/shorewall/rfc1918 for that address. + For example, if you configure the address 192.168.100.2 on your + firewall, then you would add two entries to + /etc/shorewall/rfc1918:
#SUBNET TARGET 192.168.100.1 RETURN @@ -2211,7 +2213,7 @@ We have an error talking to the kernel DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on my external interface, my DHCP client cannot renew its lease. - Answer: The solution is the + Answer: The solution is the same as above. Simply substitute the IP address of your ISPs DHCP server.
@@ -2226,7 +2228,7 @@ We have an error talking to the kernel Mar 1 18:20:07 Mail kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26774 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 - Answer: The fact that the + Answer: The fact that the message is being logged from the OUTPUT chain means that the destination IP address is not in any defined zone (see FAQ 17). You need to: @@ -2299,7 +2301,7 @@ eth0 eth1 # eth1 = interface to local netwo
(FAQ 53) What is Shorewall Lite? - Answer: Shorewall Lite is a + Answer: Shorewall Lite is a companion product to Shorewall and is designed to allow you to maintain all Shorewall configuration information on a single system within your network. See the Compiled @@ -2310,7 +2312,7 @@ eth0 eth1 # eth1 = interface to local netwo (FAQ 54) If I want to use Shorewall Lite, do I also need to install Shorewall on the same system? - Answer: No. In fact, we recommend + Answer: No. In fact, we recommend that you do NOT install Shorewall on systems where you wish to use Shorewall Lite. You must have Shorewall installed on at least one system within your network in order to use @@ -2321,7 +2323,7 @@ eth0 eth1 # eth1 = interface to local netwo (FAQ 55) How do I decide which product to use - Shorewall or Shorewall Lite? - Answer: If you plan to have only + Answer: If you plan to have only a single firewall system, then Shorewall is the logical choice. I also think that Shorewall is the appropriate choice for laptop systems that may need to have their firewall configuration changed while on the road. @@ -2336,7 +2338,7 @@ eth0 eth1 # eth1 = interface to local netwo (FAQ 60) What are the compatibility restrictions between Shorewall and Shorewall Lite - Answer: Beginning with version + Answer: Beginning with version 3.2.3, there are no compatibility constraints between Shorewall and Shorewall-lite.
@@ -2348,7 +2350,7 @@ eth0 eth1 # eth1 = interface to local netwo
(FAQ 70) What is Shorewall-Perl? - Answer: Shorewall-perl is a + Answer: Shorewall-perl is a re-implementation of the Shorewall configuration compiler written in Perl.
@@ -2356,7 +2358,7 @@ eth0 eth1 # eth1 = interface to local netwo
(FAQ 71) What are the advantages of using Shorewall-perl? - Answer: + Answer: @@ -2395,7 +2397,7 @@ eth0 eth1 # eth1 = interface to local netwo (FAQ 72) Can I switch to using Shorewall-perl without changing my Shorewall configuration? - Answer: Maybe yes, maybe no. See + Answer: Maybe yes, maybe no. See the Shorewall Perl article for a list of the incompatibilities between Shorewall-shell and Shorewall-perl. @@ -2434,17 +2436,17 @@ rmmod nf_conntrack_sipThen change the DONT_LOAD specification (FAQ 20) I have just set up a server. Do I have to change Shorewall to allow access to my server from the Internet? - Answer: Yes. Consult the Answer: Yes. Consult the QuickStart guide that you used during your initial setup for information about how to set up rules for your server.
- (FAQ 24) How can I allow connections to let's say the ssh port + <title>(FAQ 24) How can I allow connections to, let's say, the ssh port only from specific IP Addresses on the Internet? - Answer: In the SOURCE column of + Answer: In the SOURCE column of the rule, follow net by a colon and a list of the host/subnet addresses as a comma-separated list. @@ -2462,7 +2464,7 @@ rmmod nf_conntrack_sipThen change the DONT_LOAD specification behind the firewall, I get operation not permitted. How can I use nmap with Shorewall?" - Answer: Temporarily remove and + Answer: Temporarily remove and rejNotSyn, dropNotSyn and dropInvalid rules from /etc/shorewall/rules and restart Shorewall.
@@ -2471,7 +2473,7 @@ rmmod nf_conntrack_sipThen change the DONT_LOAD specification (FAQ 27) I'm compiling a new kernel for my firewall. What should I look out for? - Answer: First take a look at the + Answer: First take a look at the Shorewall kernel configuration page. You probably also want to be sure that you have selected the NAT of local connections (READ HELP) @@ -2510,7 +2512,7 @@ iptables: Invalid argument
(FAQ 28) How do I use Shorewall as a Bridging Firewall? - Answer: Shorewall Bridging + Answer: Shorewall Bridging Firewall support is available — check here for details.
@@ -2576,7 +2578,7 @@ REJECT fw net:216.239.39.99 allGiven that (FAQ 42) How can I tell which features my kernel and iptables support? - Answer: Use the + Answer: Use the shorewall[-lite] show capabilities command at a root prompt.
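Review bot: In the FAQ 65 hunk the removed line reads "Answer: Answer: This article by Paul Gear should help you get started.", a duplicated "Answer:" prefix, and the replacement line is not visible in this rendering of the diff; confirm the new line carries a single "Answer:" like every other FAQ entry touched by this patch, otherwise the duplicate survives the reflow.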
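Review bot: The FAQ 24 hunk fixes the title punctuation but leaves the answer as prose only ("follow net by a colon and a list of the host/subnet addresses as a comma-separated list"); since the line is being edited anyway, add a one-line rule example with placeholder addresses, such as `net:<ip1>,<ip2>` in the SOURCE column, so readers see the exact syntax rather than inferring it.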
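Review bot: The FAQ 26 hunk keeps the wording "Temporarily remove and rejNotSyn, dropNotSyn and dropInvalid rules from /etc/shorewall/rules", where "remove and" reads like a typo for "remove any"; fix it here since the line is already changing. The answer should also state explicitly that those rules must be restored and Shorewall restarted again once the nmap scan is done, because as written the only hint that this is a temporary weakening is the word "Temporarily".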