diff --git a/STABLE/COPYING b/STABLE/COPYING
new file mode 100644
index 000000000..2ba72d57f
--- /dev/null
+++ b/STABLE/COPYING
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) 19yy + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) 19yy name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. 
diff --git a/STABLE/INSTALL b/STABLE/INSTALL
new file mode 100644
index 000000000..9233faf91
--- /dev/null
+++ b/STABLE/INSTALL
@@ -0,0 +1,43 @@
+Shoreline Firewall (Shorewall) Version 1.3 - 6/14/2002
+----- ----
+
+-----------------------------------------------------------------------------
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of Version 2 of the GNU General Public License
+ as published by the Free Software Foundation.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+---------------------------------------------------------------------------
+If your system supports rpm, I recommend that you install the Shorewall
+.rpm. If you want to install from the tarball:
+
+o Unpack the tarball
+o cd to the shorewall- directory
+o If you have an earlier version of Shoreline Firewall installed,see the
+ upgrade instructions below
+o Edit the files policy, interfaces, rules, nat, proxyarp and masq to
+ fit your environment.
+o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
+ Debian, then type "./install.sh".
+o For other distributions, determine where your distribution installs
+ init scripts and type "./install.sh "
+o Start the firewall by typing "shorewall start"
+o If the install script was unable to configure Shoreline Firewall to
+ start audomatically at boot, see the HTML documentation contains in the
+ "documentation" directory.
+
+Upgrade:
+
+o run the install script as described above.
+o shorewall restart
+
+
diff --git a/STABLE/blacklist b/STABLE/blacklist
new file mode 100644
index 000000000..5c7ce6d81
--- /dev/null
+++ b/STABLE/blacklist
@@ -0,0 +1,19 @@
+#
+# Shorewall 1.3 -- Blacklist File
+#
+# /etc/shorewall/blacklist
+#
+# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
+# When a packet arrives on in interface that has the 'blacklist' option
+# specified, its source IP address is checked against this file and disposed of
+# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
+# /etc/shorewall/shorewall.conf
+#
+# MAC addresses must be prefixed with "~" and use "-" as a separator.
+#
+# Example: ~00-A0-C9-15-39-78
+###############################################################################
+#ADDRESS/SUBNET
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+
diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt
new file mode 100644
index 000000000..cbd7403b1
--- /dev/null
+++ b/STABLE/changelog.txt
@@ -0,0 +1,15 @@
+Changes since 1.3.5
+
+1. REDIRECT rules are now working again.
+
+2. proxyarp option now works.
+
+3. It is once again possible to specify a host list in an
+ /etc/shorewall/hosts entry.
+
+4. The lock file is now removed when the firewall script is killed by a
+ signal.
+
+5. Implemented "new not SYN" dropping.
+
+
diff --git a/STABLE/common.def b/STABLE/common.def
new file mode 100644
index 000000000..50edd3471
--- /dev/null
+++ b/STABLE/common.def
@@ -0,0 +1,40 @@
+############################################################################
+# Shorewall 1.3 -- /etc/shorewall/common.def
+#
+# This file defines the rules that are applied before a policy of
+# DROP or REJECT is applied. In addition to the rules defined in this file,
+# the firewall will also define a DROP rule for each subnet broadcast
+# address defined in /etc/shorewall/interfaces (including "detect").
+#
+# Do not modify this file -- if you wish to change these rules, create
+# /etc/shorewall/common to replace it. It is suggested that you include
+# the command "source /etc/shorewall/common.def" in your
+# /etc/shorewall/common file so that you will continue to get the
+# advantage of new releases of this file.
+#
+run_iptables -A common -p icmp -j icmpdef
+############################################################################
+# Drop invalid state TCP packets
+#
+run_iptables -A common -m state -p tcp --state INVALID -j DROP
+############################################################################
+# NETBIOS chatter
+#
+run_iptables -A common -p udp --dport 137:139 -j REJECT
+run_iptables -A common -p udp --dport 445 -j REJECT
+run_iptables -A common -p tcp --dport 135 -j reject
+############################################################################
+# UPnP
+#
+run_iptables -A common -p udp --dport 1900 -j DROP
+############################################################################
+# BROADCASTS
+#
+run_iptables -A common -d 255.255.255.255 -j DROP
+run_iptables -A common -d 224.0.0.0/4 -j DROP
+############################################################################
+# AUTH -- Silently reject it so that connections don't get delayed.
+#
+run_iptables -A common -p tcp --dport 113 -j reject
+
+
diff --git a/STABLE/documentation/Documentation.htm b/STABLE/documentation/Documentation.htm
new file mode 100644
index 000000000..cf5ee7eaf
--- /dev/null
+++ b/STABLE/documentation/Documentation.htm
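Review bot: Under `# NETBIOS chatter` only UDP 137:139 and UDP 445 are matched, so TCP 139 and TCP 445 (NetBIOS session / SMB) connection attempts are not handled in this chain and fall through to the zone policy, where a DROP policy leaves the client to time out and a logging policy records the very noise these rules exist to suppress; consider adding `run_iptables -A common -p tcp --dport 139 -j reject` and `run_iptables -A common -p tcp --dport 445 -j reject`. The block also mixes the netfilter built-in `REJECT` target (the two UDP rules) with lowercase `reject` (TCP 135, TCP 113): `reject` looks like a Shorewall-defined chain that is not part of this diff, and built-in `REJECT` with no `--reject-with` answers UDP with icmp-port-unreachable, so if the "silently reject" intent in the AUTH comment implies a particular on-the-wire reply, the target should be chosen deliberately and used consistently. Finally, the header tells users to `source` this file from /etc/shorewall/common, which means both files are executed as shell by the firewall script, presumably running as root since it calls iptables; a one-line warning in the header, e.g. `# NOTE: this file is sourced as shell code by the firewall script -- keep it root-owned and not group/world-writable.`, would make that trust boundary explicit.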
@@ -0,0 +1,2681 @@ + + + + + + + + Shorewall 1.3 Documentation + + + + + + + +

Shorewall 1.3 Reference

+ + + +

This documentation is intended primarily for reference. + Step-by-step instructions for configuring Shorewall in common setups may + be found in the QuickStart Guides.

+ + + +

Components

+ +

Shorewall consists of the following components:

+ +
+ + + + + + + + + + + + + + + + + + + + + +
bullet + shorewall.conf -- a parameter file installed in /etc/shorewall + that is used to set several firewall parameters.
bullet + zones - a parameter file installed in /etc/shorewall that defines + a network partitioning into "zones"
bullet + policy -- a parameter file installed in /etc/shorewall/ that +establishes overall firewall policy.
bullet + rules -- a parameter file installed in /etc/shorewall and used + to express firewall rules that are exceptions to the high-level + policies established in /etc/shorewall/policy.
bulletblacklist -- a parameter file installed in /etc/shorewall and used + to list blacklisted IP/subnet/MAC addresses.
bullet + functions -- a set of shell functions used by both the firewall and + shorewall shell programs. Installed in /etc/shorewall prior to version 1.3.2 + and in /var/lib/shorewall in later versions.
bullet + modules -- a parameter file installed in /etc/shorewall and that + specifies kernel modules and their parameters. Shorewall will automatically + load the modules specified in this file.
bullet + tos -- a parameter file installed in /etc/shorewall that is used to + specify how the Type of Service (TOS) field in packets is to be set.
bullet + icmp.def -- a parameter file installed in /etc/shorewall and that + specifies the default handling of ICMP packets when the applicable policy is + DROP or REJECT.
bulletcommon.def -- a parameter file installed in + in /etc/shorewall that defines firewall-wide rules that are applied before a + DROP or REJECT policy is applied.
bullet + interfaces -- a parameter file installed in /etc/shorewall/ and + used to describe the interfaces on the firewall system.
bullet + hosts -- a parameter file installed in /etc/shorewall/ and used + to describe individual hosts or subnetworks in zones.
bullet + masq - This file also describes IP masquerading under Shorewall + and is installed in /etc/shorewall.
bulletfirewall -- a shell program that reads the configuration files in + /etc/shorewall and configures your firewall. This file is + installed in your init.d directory (/etc/rc.d/init.d ) where it is renamed shorewall.  + /etc/shorewall/firewall (/var/lib/shorewall/firewall in version 1.3.2 and + later) is a symbolic link to this program.
bullet + nat -- a parameter file in /etc/shorewall used to define + static NAT + .
bullet + proxyarp -- a parameter file in /etc/shorewall used to define + Proxy Arp + .
bulletroutestopped -- a parameter file in + /etc/shorewall used to define those hosts that can access the firewall when + Shorewall is stopped.
bullettcrules -- a parameter file in /etc/shorewall used to define rules for + classifying packets for Traffic + Shaping/Control.
bullet + tunnels -- a parameter file in /etc/shorewall used to define +IPSec tunnels.
bullet + shorewall -- a shell program (requiring a Bourne +shell or derivative) used to control and monitor + the firewall. This should be placed in /sbin or in /usr/sbin +(the install.sh script and the rpm install this file in /sbin).
bullet + version -- a file created in /etc/shorewall/ + (/var/lib/shorewall in version 1.3.2 and later) that describes +the version of  Shorewall installed on your system.
+ + +

+ /etc/shorewall/params

+ +

You may use the file /etc/shorewall/params + file to set shell variables that you can then use in some of the other + configuration files.

+ +

It is suggested that variable names begin with an upper case letter + to distinguish them from variables used internally within the +Shorewall programs

+ +

Example:

+ +
+

NET_IF=eth0
+ NET_BCAST=130.252.100.255
+ NET_OPTIONS=noping,norfc1918

+
+ +


+ Example (/etc/shorewall/interfaces record):

+ + + +
+

net $NET_IF $NET_BCAST $NET_OPTIONS

+
+ +
+ +

The result will be the same as if the record had been written

+ + + +
+

net eth0 130.252.100.255 noping,norfc1918

+
+ +
+ +

Variables may be used anywhere in the + other configuration files.

+ +

+ /etc/shorewall/zones

+ +

This file is used + to define the network zones. There is one entry in /etc/shorewall/zones + for each zone; Columns in an entry are:

+ +
+ + + +
bullet + ZONE - short name for the zone. The name should be 5 characters or less in + length and consist of lower-case letters or numbers. Short names must begin + with a letter and the name assigned to the firewall is reserved for use by Shorewall itself. Note that the output produced + by iptables is much easier to read if you select short names that +are three characters or less in length.
bullet + DISPLAY - The name of the zone as displayed during Shorewall startup.
bullet + COMMENTS - Any comments that you want to make about the zone. Shorewall + ignores these comments.
+ + +

The /etc/shorewall/zones file released with Shorewall + is as follows:

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + +
+ ZONE + DISPLAY + COMMENTS
netNetInternet
locLocalLocal networks
dmzDMZDemilitarized zone
+

You may +add, delete and modify entries in the /etc/shorewall/zones file as desired +so long as you have at least one zone defined.

+ +

+ Warning 1: If you rename or delete a zone, +you should perform "shorewall stop; shorewall start" to install the change +rather than "shorewall restart".

+ +

Warning 2: The + order of entries in the /etc/shorewall/zones file is significant in + some cases.

+ +

+ /etc/shorewall/interfaces

+ +

This file +is used to tell the firewall which of your firewall's network interfaces +are connected to which zone. There will be one entry in /etc/shorewall/interfaces +for each of your interfaces. Columns in an entry are:

+
+ + + + +
bullet + ZONE - A zone defined in the /etc/shorewall/zones + file or  "-". If you specify "-", you must use the + /etc/shorewall/hosts + file to define the zones accessed via this interface.
bullet + INTERFACE - the name of the interface (examples: eth0, ppp0, ipsec+)
bullet + BROADCAST - the broadcast address for the sub-network attached to the + interface. This should be left empty for P-T-P interfaces (ppp*, ippp*); + if you need to specify options for such an interface, enter "-" in +this column. If you supply the special value "detect" in this column, +the firewall will automatically determine the broadcast address. Note +that to use this feature, you must have iproute installed and the interface + must be up before you start your firewall. 
bullet + OPTIONS - a comma-separated list of options. Possible options include: +

+ blacklist - This option causes incoming packets on this + interface to be checked against the blacklist.
+
+ dhcp
- The interface is assigned an IP address via DHCP or is used + by a DHCP server running on the firewall. The firewall will be configured + to allow DHCP traffic to and from the interface even when the firewall + is stopped. You may also wish to use this option if you have a static IP but + you are on a LAN segment that has a lot of Laptops that use DHCP and you + select the norfc1918 option (see below).

+ +

+ + noping - ICMP echo-request (ping) packets addressed to the firewall will be ignored by this + interface.
+
+ filterping - ICMP echo-request (ping) packets addressed to the firewall + will be handled according to the /etc/shorewall/rules and + /etc/shorewall/policy file. If the applicable policy is DROP or REJECT and you + have supplied your own /etc/shorewall/icmpdef file then these 'ping' requests + will be passed through the rules in that file before being dropped or + rejected. If neither noping nor filterping is specified then the + firewall will automatically ACCEPT these 'ping' requests. If both noping + and filterping are specified, filterping takes precedence.

+ +

+ + routestopped - Beginning with Shorewall 1.3.4, this option is deprecated + in favor of the /etc/shorewall/routestopped file. When the firewall is stopped, traffic to and from +this interface will be accepted and routing will occur between this + interface and other routestopped interfaces.

+ +

+ + norfc1918 - Packets arriving on this interface and that have a source + address that is reserved in RFC 1918 or in other RFCs will be dropped after + being optionally logged. If packet mangling is + enabled in /etc/shorewall/shorewall.conf + , then packets arriving on this interface that have a destination address + that is reserved by one of these RFCs will also be logged and dropped.
+
+ Addresses blocked by the standard rfc1918 file + include those addresses reserved by RFC1918 plus other ranges reserved by the + IANA or by other RFCs.

+ +

+ Beware that as IPv4 addresses become in increasingly short supply, ISPs are + beginning to use RFC 1918 addresses within their own infrastructure. Also, + many cable and DSL "modems" have an RFC 1918 address that can be used through + a web browser for management and monitoring functions. If you want to specify + norfc1918 on your external interface but need to allow access to + certain addresses from the above list, see FAQ 14.

+ +

+ + routefilter - Invoke the Kernel's route filtering (anti-spoofing) facility on this + interface. The kernel will reject any packets incoming on this interface + that have a source address that would be routed outbound through another + interface on the firewall. Warning: If + you specify this option for an interface then the interface must be + up prior to starting the firewall.

+ +

+ + multi - The interface has multiple addresses and you want to be able + to route between them. Example: you have two addresses on your single + local interface eth1, one each in subnets 192.168.1.0/24 and 192.168.2.0/24 + and you want to route between these subnets. Because you only have +one interface in the local zone, Shorewall won't normally create a +rule to forward packets from eth1 to eth1. Adding "multi" to the entry +for eth1 will cause Shorewall to create the loc2loc chain and the +appropriate forwarding rule.

+

dropunclean - Packets from this interface that + are selected by the 'unclean' match target in iptables will + be optionally logged and then dropped. Warning: This feature + requires that UNCLEAN match support be configured in your + kernel, either in the kernel itself or as a module. UNCLEAN + support is broken in some versions of the kernel but appears + to work ok in 2.4.17-rc1.
+
+ Update 12/17/2001:
The unclean match patch from + 2.4.17-rc1 is available + for download. I am currently running this patch applied + to kernel 2.4.16.

+

Update + 12/20/2001: I've + seen a number of tcp connection requests with OPT (020405B40000080A...) + being dropped in the badpkt chain. This appears to be + a bug in the remote TCP stack whereby it is 8-byte aligning + a timestamp (TCP option 8) but rather than padding with 0x01 + it is padding with 0x00. It's a tough call whether to deny + people access to your servers because of this rather minor + bug in their networking software. If you wish to disable the + check that causes these connections to be dropped, here's + a kernel patch against 2.4.17-rc2.

+

logunclean + - This option works like dropunclean + with the exception that packets selected by the 'unclean' + match target in iptables are logged but not dropped. + The level at which the packets are logged is determined by + the setting of LOGUNCLEAN and if + LOGUNCLEAN has not been set, "info" is assumed.

+

proxyarp (Added in version 1.3.5) - This option + causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp + and is used when implementing Proxy ARP Sub-netting as + described at + + http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. Do + not set this option if you are implementing Proxy ARP + through entries in + /etc/shorewall/proxyarp.

+
+ +

Example + 1: You have a conventional firewall setup in which eth0 connects to a +Cable or DSL modem and eth1 connects to your local network and eth0 gets + its IP address via DHCP. You want to ignore ping requests from the internet + and you want to check all packets entering from the internet + against the black list. Your /etc/shorewall/interfaces file would be as follows:

+ +
+ + + + + + + + + + + + + + + + + + + + + + +
+ ZONE + INTERFACE + BROADCAST + OPTIONS
neteth0detectdhcp,noping,norfc1918,blacklist
loceth1detectroutestopped
+ +

Example + 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces + file would be:

+ +
+ + + + + + + + + + + + + + + + + + +
+ ZONE + INTERFACE + BROADCAST + OPTIONS
netppp0  
+ +

+ /etc/shorewall/hosts Configuration

+ +

For most applications, specifying zones entirely + in terms of network interfaces is sufficient. There may be times though + where you need to define a zone to be a more general collection of hosts. + This is the purpose of the /etc/shorewall/hosts file.

+ + +

WARNING: 90% of + Shorewall users don't need to put entries in this file and + 80% of those who try to add such entries do it wrong. + Unless you are ABSOLUTELY SURE that you need entries in + this file, don't touch it.

+ + +

Columns in this +file are:

+ + +
+ + +
bullet + ZONE - A zone defined in the /etc/shorewall/zones + file.
bullet + HOST(S) - The name of a network interface followed by a colon (":") + followed by either:
+ + +
+ +
    + +
  1. An IP address (example - eth1:192.168.1.3)
  2. + +
  3. A subnet in the form <subnet address>/<width> + (example - eth2:192.168.2.0/2)
  4. + +
+ +

The interface name much match an entry in + /etc/shorewall/interfaces.

+
+ + +
+ +
bullet + OPTIONS - A comma-separated list of options. Currently only a single + option is defined:
+ + +
+ +

routestopped - Beginning with Shorewall + 1.3.4, this option is deprecated in favor of the + /etc/shorewall/routestopped + file. When the firewall is stopped, + traffic to and from this host (these hosts) will be accepted and routing + will occur between this host and other routestopped interfaces + and hosts.

+
+ +

If you don't define any hosts for a zone, the + hosts in the zone default to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, + i1, ... are the interfaces to the zone.

+ +

Note 1: + You probably DON'T want to specify any hosts for your internet zone +since the hosts that you specify will be the only ones that you will be +able to access without adding additional rules.

+ +

Note 2: + + + The setting of the MERGE_HOSTS variable in + /etc/shorewall/shorewall.conf has + an important effect on how the host file is processed. + Please read the description of that variable + carefully.

+ +

Example:

+ +

Your local interface is eth1 and you have two + groups of local hosts that you want to make into separate zones:

+ + +
+ + +
bullet192.168.1.0/25 
bullet192.168.1.128/25
+ +

+ Your /etc/shorewall/interfaces file might look like:

+ +
+ + + + + + + + + + + + + + + + + + + + + + + +
+ ZONE + INTERFACE + BROADCAST + OPTIONS
neteth0detectdhcp,noping,norfc1918
-eth1detect 
+ +

+ The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces + to multiple zones.

+ +

+ Your /etc/shorewall/hosts file might look like:

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + +
+ ZONE + HOST(S) + OPTIONS
loc1eth1:192.168.1.0/25 
loc2eth1:192.168.1.128/25routestopped
+ +

+ Hosts in 'loc2' can communicate with the firewall while Shorewall is stopped + -- those in 'loc1' cannot.

+ +

+ Nested and Overlapping Zones

+ +

+ The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow you +to define nested or overlapping zones. Such overlapping/nested zones are + allowed and Shorewall processes zones in the order that they appear in +the /etc/shorewall/zones file. So if you have nested zones, you want the +sub-zone to appear before the super-zone and in the case of overlapping +zones, the rules that will apply to hosts that belong to both zones is determined +by which zone appears first in /etc/shorewall/zones.

+ +

+ Hosts that belong to more than +one zone may be managed by the rules of all of those zones. This is done through + use of the special CONTINUE policy + described below.

+ +

+ /etc/shorewall/policy Configuration.

+ +

This file is used to describe the firewall + policy regarding establishment of connections. Connection establishment + is described in terms of clients who initiate connections and + servers who receive those connection requests. Policies defined in + /etc/shorewall/policy describe which zones are allowed to establish connections + with other zones.

+ +

Policies established in /etc/shorewall/policy + can be viewed as default policies. If no rule in /etc/shorewall/rules +applies to a particular connection request then the policy from /etc/shorewall/policy + is applied.

+ +

Four policies are defined:

+ + +
+ + + + +
bullet + ACCEPT - The connection is allowed.
bullet + DROP - The connection request is ignored.
bullet + REJECT - The connection request is rejected with an RST (TCP) or an ICMP destination-unreachable + packet being returned to the client.
bullet + CONTINUE - The connection is neither ACCEPTed, DROPped nor REJECTed. + CONTINUE may be used when one or both of the zones named in the entry are + sub-zones of or intersect with another zone. For more information, see + below. 
+ +

+ For each policy specified in /etc/shorewall/policy, you can indicate +that you want a message sent to your system log each time that the policy +is applied.

+ +

+ Entries in /etc/shorewall/policy have four columns as follows:

+ +
    + +
  1. + + SOURCE - The name of a client zone (a zone defined in the + /etc/shorewall/zones file + , the name of the firewall zone or "all").
  2. + +
  3. + + DEST - The name of a destination zone (a zone defined in the + /etc/shorewall/zones file + , the name of the firewall zone or "all").
  4. + +
  5. + + POLICY - The default policy for connection requests from the SOURCE + zone to the DESTINATION zone.
  6. + +
  7. + + LOG LEVEL - Optional. If left empty, no log message is generated when + the policy is applied. Otherwise, this column should contain an integer + or name indicating a syslog level. See the syslog.conf man page for + a description of each log level.
  8. + +
  9. + LIMIT:BURST - Optional. If left empty, TCP + connection requests from the SOURCE zone to the DEST zone will + not be rate-limited. Otherwise, this column specifies the maximum rate at + which TCP connection requests will be accepted followed by a colon (":") + followed by the maximum burst size that will be tolerated. Example: + 10/sec:40 specifies that the maximum rate of TCP connection requests + allowed will be 10 per second and a burst of 40 connections will be tolerated. + Connection requests in excess of these limits will be dropped.
  10. + +
+ +

+ In the SOURCE and DEST columns, you can enter "all" to indicate all +zones. 

+ +

+ The policy file installed by default is as follows:

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SOURCEDEST + POLICY + LOG LEVELLIMIT:BURST
locnetACCEPT  
netallDROPinfo 
allallREJECTinfo 
+ +

+ This table may be interpreted as follows:

+ +
+ + + +
bulletAll connection requests from the local network to hosts on the internet + are accepted.
bulletAll connection requests originating from the internet are ignored and + logged at level KERNEL.INFO.
bulletAll other connection requests are rejected and logged.
+

+ WARNING:

+

+ The firewall script processes  the /etc/shorewall/policy file +from top to bottom and uses the first applicable policy that it finds. + For example, in the following policy file, the policy for (loc, loc) + connections would be ACCEPT as specified in the first entry even though + the third entry in the file specifies REJECT.

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SOURCEDESTPOLICYLOG LEVELLIMIT:BURST
locallACCEPT  
netallDROPinfo 
loclocREJECTinfo 
+

+ The CONTINUE policy

+

+ Where zones are nested or overlapping + , the CONTINUE policy allows hosts that are within multiple zones to be +managed under the rules of all of these zones. Let's look at an example:

+

+ /etc/shorewall/zones:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
+ ZONE + DISPLAY + COMMENTS
samSamSam's system at home
netInternetThe Internet
locLocLocal Network
+

+ /etc/shorewall/interfaces:

+
+ + + + + + + + + + + + + + + + + + + + + + + + +
+ ZONE + INTERFACE + BROADCAST + OPTIONS
-eth0detectdhcp,noping,norfc1918
loceth1detectroutestopped
+

+ /etc/shorewall/hosts:

+
+ + + + + + + + + + + + + + + + + + + + + + + +
+ ZONE + HOST(S) + OPTIONS
neteth0:0.0.0.0/0 
sameth0:206.191.149.197routestopped
+

+ Note that Sam's home system is a member of both the sam zone and +the net zone and + as described above + , that means that sam must be listed before net  in /etc/shorewall/zones.

+

+ /etc/shorewall/policy:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ SOURCE + DEST + POLICY + LOG LEVEL
locnetACCEPT 
samallCONTINUE 
netallDROPinfo
allallREJECTinfo
+

+ The second entry above says that when Sam is the client, connection requests + should first be process under rules where the source zone is sam and +if there is no match then the connection request should be treated under + rules where the source zone is net. It is important that this policy + be listed BEFORE the next policy (net to all).

+

+ Partial /etc/shorewall/rules:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST + PROTODEST
+ PORT(S)
SOURCE
+ PORT(S)
ORIGINAL
+ DEST
...      
DNATsamloc:192.168.1.3tcpssh- 
DNATnetloc:192.168.1.5tcpwww- 
...      
+

+ Given these two rules, Sam can connect to the firewall's internet interface + with ssh and the connection request will be forwarded to 192.168.1.3. Like + all hosts in the net zone, Sam can connect to the firewall's internet + interface on TCP port 80 and the connection request will be forwarded to +192.168.1.5. The order of the rules is not significant.

+ +

+ Sometimes it is necessary to suppress port forwarding + for a sub-zone. For example, suppose that all hosts can SSH to the firewall + and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the + firewall's external IP, he should be connected to the firewall itself. Because + of the way that Netfilter is constructed, this requires two rules as follows:

+ +
+

+  

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST + PROTODEST
+ PORT(S)
SOURCE
+ PORT(S)
ORIGINAL
+ DEST
       
...      
DNATsamfwtcpssh- 
DNATnet!samloc:192.168.1.3tcpssh- 
...      
+
+ +

The first rule allows Sam SSH + access to the firewall. The second + rule says that any clients from the + net zone with the exception of those + in the 'sam' zone should have their + connection port forwarded to + 192.168.1.3. If you need to exclude + more than one zone in this way, you + can list the zones separated by + commas (e.g., net!sam,joe,fred). + This technique also may be used when + the ACTION is REDIRECT.

+ + +

+ /etc/shorewall/rules

+ + +

The /etc/shorewall/rules file + defines exceptions to the policies established in the /etc/shorewall/policy + file. There is one entry in /etc/shorewall/rules for each of these rules. 

+ + +

Entries in the file have the + following columns:

+
+ + + + + + + +
bulletACTION + + + +
bulletACCEPT, DROP or REJECT. These have the same meaning here as in the + policy file above.
bulletDNAT -- Causes the connection request to be forwarded to the system + specified in the DEST column (port forwarding). "DNAT" stands for "Destination + Network Address Translation"
bulletREDIRECT -- Causes the connection request to be redirected to a port on + the local (firewall) system.
+

The ACTION may optionally be followed by + ":" and a syslogd log level (example: REJECT:info). This causes the + packet to be logged at the specified level prior to being processed according + to the specified ACTION.
+
+ The use of DNAT or REDIRECT requires that you have NAT enabled.

bulletSOURCE - Describes the source hosts to which the rule applies.. The contents of this field must begin + with the name of a zone defined in /etc/shorewall/zones or $FW. If the + ACTION is DNAT or REDIRECT, sub-zones may be excluded from the rule by + following the initial zone name with "!' and a comma-separated list of those + sub-zones to be excluded. There is an example above.
+
+ The source may be further restricted by adding a colon (":") followed by a + comma-separated list of qualifiers. Qualifiers are may + include: +
+ + + + +
bulletAn interface name - refers to any connection requests arriving on + the specified interface (example loc:eth4).
bulletAn IP address - refers to a connection request from the host with + the specified address (example net:155.186.235.151)
bulletA MAC Address in Shorewall format.
bulletA subnet - refers to a connection request from any host in the specified + subnet (example net:155.186.235.0/24).
+
bulletDEST - Describes the destination host(s) to which the rule applies. May take any of the forms described + above for SOURCE plus the following two additional forms: + + + +
bulletAn IP address followed by a colon and the port number that + the server is listening on (service names from /etc/services are not + allowed - example loc:192.168.1.3:80). 
bulletA single port number (again, service names are not allowed) -- this form is only allowed + if the ACTION is REDIRECT and refers to a server running on the firewall itself and + listening on the specified port.
+
bullet + PROTO - Protocol. Must be a protocol name from /etc/protocols, a number, + "all" or "related". Specifies the protocol + of the connection request. "related" should be specified only if you + have given ALLOWRELATED="no" in /etc/shorewall/shorewall.conf and +you wish to override that setting for related connections originating +with the client(s) and server(s) specified in this rule. When "related" + is given for the protocol, the remainder of the columns should be left + blank.
bullet + DEST + PORT(S) - Port or port range (<low port>:<high port>) being connected to. May only be specified + if the protocol is tcp, udp or icmp. For icmp, this column's contents + are interpreted as an icmp type. If you don't want to specify DEST PORT(S) + but need to include information in one of the columns to the right, + enter "-" in this column. You may give a list of ports and/or port ranges + separated by commas. Port numbers may be either integers or service names + from /etc/services.
bullet + SOURCE PORTS(S) - May be used to restrict the rule to a particular + client port or port range (a port range is specified as <low port + number>:<high port number>). If you don't want to restrict client ports but + want to specify something in the next column, enter "-" in this column. If + you wish to specify a list of port number or ranges, separate the list + elements with commas (with no embedded white space). Port numbers may be + either integers or service names from /etc/services.
bulletORIGINAL DEST - This column may only be non-empty if the ACTION is DNAT + or + REDIRECT.
+
+ If DNAT or REDIRECT is the ACTION and the ORIGINAL DEST column is left empty, + any connection request arriving at the firewall from the SOURCE that matches + the rule will be forwarded or redirected. This works fine for connection + requests arriving from the internet where the firewall has only a single + external IP address. When the firewall has multiple external IP addresses or + when the SOURCE is other than the internet, there will usually be a desire + for the rule to only apply to those connection requests directed to a + particular IP address (see Example 2 below for another usage). That IP + address (or a comma-separated list of such addresses) is specified in the + ORIGINAL DEST column.
+
+ The IP address may be optionally followed by ":" and a + second IP address. This latter address, if present, is used as the source + address for packets forwarded to the server (This is called "Source NAT" or + SNAT).
+
+ Note:  + When using SNAT, it is a good idea to qualify the source with an IP address + or subnet. Otherwise, it is likely that SNAT will occur on connections other + than those described in the rule. The reason for this is that SNAT occurs in + the Netfilter POSTROUTING hook where it is not possible to restrict the scope + of a rule by incoming interface.
+
+
Example: DNAT     loc:192.168.1.0/24    + loc:192.168.1.3    tcp    www    + -    206.124.146.179:192.168.1.3
+
+
If SNAT is not used (no ":" and second IP address), the + original source address is used. If you want any destination address to match + the rule but want to specify SNAT, simply use a colon followed by the SNAT + address.
+ + +

+ + + Example 1. You wish to forward all ssh connection requests from the + internet to local system 192.168.1.3. 

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST + PROTODEST
+ PORT(S)
SOURCE
+ PORT(S)
ORIGINAL
+ DEST
DNATnetloc:192.168.1.3tcpssh  
+ +

+ Example 2. You want to redirect all local www connection requests EXCEPT + those to your own http server + (206.124.146.177) to a Squid + transparent proxy running on the firewall and listening on port 3128. Squid + will of course require access to remote web servers. This example shows yet + another use for the ORIGINAL + DEST column; here, connection + requests that were NOT + + (notice the "!") originally + destined to 206.124.146.177 are + redirected to local port 3128.

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST + PROTODEST
+ PORT(S)
SOURCE
+ PORT(S)
ORIGINAL
+ DEST
REDIRECTloc3128tcpwww !206.124.146.177
ACCEPTfwnettcpwww  
+ +

+ Example 3. You want to run a web server at 155.186.235.222 in your +DMZ and have it accessible remotely and locally. the DMZ is managed by +Proxy ARP or by classical sub-netting.

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST + PROTODEST
+ PORT(S)
SOURCE
+ PORT(S)
ORIGINAL
+ DEST
ACCEPTnetdmz:155.186.235.222tcpwww- 
ACCEPTlocdmz:155.186.235.222tcpwww  
+ +

+ Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded + DMZ. Your internet interface address is 155.186.235.151 and you want the + FTP server to be accessible from the internet in addition to the local 192.168.1.0/24 and dmz 192.168.2.0/24 + subnetworks. Note that since the server is in the 192.168.2.0/24 subnetwork, + we can assume that access to the server from that subnet will not involve + the firewall (but see FAQ 2). Note that unless you + have more than one external + IP address, you can leave + the ORIGINAL DEST column + blank in the first rule. You + cannot leave it blank in the + second rule though because + then all ftp connections + originating in the local + subnet 192.168.1.0/24 would + be sent to 192.168.2.2 + regardless of the site that + the user was trying to + connect to. That is + clearly not what you want + .

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST + PROTODEST
+ PORT(S)
SOURCE
+ PORT(S)
ORIGINAL
+ DEST
DNATnetdmz:192.168.2.2tcpftp  
DNATloc:192.168.1.0/24dmz:192.168.2.2tcpftp-155.186.235.151
+ + +

If you are running + wu-ftpd, you should restrict the range of passive in your /etc/ftpaccess + file. I only need a few simultaneous FTP sessions so I use port range +65500-65535. In /etc/ftpaccess, this entry is appropriate:

+ + +
+ + +

passive ports  + 0.0.0.0/0 65500 65534

+
+ + +

If you are running + pure-ftpd, you would include "-p 65500:65534" on the pure-ftpd runline.

+ + +

The important +point here is to ensure that the port range used for FTP passive connections +is unique and will not overlap with any usage on the firewall system.

+ + +

Example 5. You + wish to allow unlimited + DMZ access to the host + with MAC address + 02:00:08:E3:FA:55.

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST + PROTODEST
+ PORT(S)
SOURCE
+ PORT(S)
ORIGINAL
+ DEST
ACCEPTloc:~02-00-08-E3-FA-55dmzall   
+
+ + +

+ Look here for information on other services. +

+ + +

+ /etc/shorewall/common

+ + +

Shorewall allows + definition of rules that + apply between all zones. + By default, these rules + are defined in the file + /etc/shorewall/common.def + but may be modified to + suit individual + requirements. Rather + than modify + /etc/shorewall/common.def, + you should copy that + file to + /etc/shorewall/common + and modify that file.

+ + +

The + /etc/shorewall/common + file is expected to + contain iptables + commands; rather than + running iptables + directly, you should run + it indirectly using the + Shorewall function 'run_iptables'. + That way, if iptables + encounters an error, the + firewall will be safely + stopped.

+ + +

+ /etc/shorewall/masq

+ + +

The /etc/shorewall/masq + file is used to define classical IP Masquerading and Source Network Address Translation  (SNAT). There is one entry in + the file for each subnet that you want to masquerade. In order to make +use of this feature, you must have NAT enabled + .

+ + +

Columns are:

+
+ + + +
bullet + INTERFACE - The interface that will masquerade the subnet; this is + normally your internet interface. This interface name can be optionally + qualified by adding ":" and a subnet or host IP. When this qualification + is added, only packets addressed to that host or subnet will be masqueraded.
bullet + SUBNET - The subnet that you want to have masqueraded through the + INTERFACE. This may be expressed as a single IP address, a subnet or an + interface name. In the latter instance, the interface must be configured and + started before Shorewall is started as Shorewall will determine the subnet + based on information obtained from the 'ip' utility.
+
+ The subnet may be optionally followed by "!' + and a comma-separated list of addresses and/or subnets that are to be + excluded from masquerading.
bulletADDRESS - The source address to be used + for outgoing packets. This column is optional and if left blank, the current + primary IP address of the interface in the first column is used. If you have + a static IP on that interface, listing it here makes processing of output + packets a little less expensive for the firewall.
+ +

+ Example 1: You have eth0 connected to a cable modem and eth1 connected + to your local subnetwork 192.168.9.0/24. Your /etc/shorewall/masq file +would look like:    

+ +
+ + + + + + + + + + + + + + + + + +
+ INTERFACE + SUBNETADDRESS
eth0192.168.9.0/24 
+ +

+ Example 2: You have a number of IPSEC tunnels through ipsec0 and +you want to masquerade traffic from your 192.168.9.0/24 subnet to the +remote subnet 10.1.0.0/16 only.

+ +
+ + + + + + + + + + + + + + + + + +
+ INTERFACE + SUBNETADDRESS
ipsec0:10.1.0.0/16192.168.9.0/24 
+ +

+ Example 3: You have a DSL line connected on eth0 and a local network + (192.168.10.0/24) + connected to eth1. You + want all local->net + connections to use + source address + 206.124.146.176.

+ +
+ + + + + + + + + + + + + +
+ INTERFACE + SUBNETADDRESS
eth0192.168.10.0/24206.124.146.176
+
+ +

Example 4: + Same as example 3 + except that you wish + to exclude + 192.168.10.44 and + 192.168.10.45 from + the SNAT rule.

+ + +
+ + + + + + + + + + + + + +
+ INTERFACE + SUBNETADDRESS
eth0192.168.10.0/24!192.168.10.44,192.168.10.45206.124.146.176
+
+ +

+ /etc/shorewall/proxyarp

+ + +

If you want to + use proxy ARP on an + entire sub-network, + I suggest that you + look at + + http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. + If you decide to use + the technique + described in that + HOWTO, you can set + the proxy_arp flag + for an interface + (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) + by including the + proxyarp option + in the interface's + record in + + /etc/shorewall/interfaces. + When using Proxy ARP + sub-netting, you do + NOT include + any entries in + /etc/shorewall/proxyarp.

+ + +

The /etc/shorewall/proxyarp + file is used to define Proxy ARP. The file is + typically used for + enabling Proxy ARP + on a small set of + systems since you + need one entry in + this file for each + system using proxy + ARP. Columns are:

+
+ + + + +
bullet + ADDRESS - address of the system.
bullet + INTERFACE - the interface that connects to the system. If the interface +is obvious from the subnetting, you may enter "-" in this column.
bullet + EXTERNAL - the external interface that you want to honor ARP requests + for the ADDRESS specified in the first column.
bulletHAVEROUTE - If + you already have + a route through + INTERFACE to + ADDRESS, this + column should + contain + "Yes" + or + "yes". + If you want + Shorewall to add + the route, the + column should + contain + "No" + or + "no".
+

Note: After you have made a change to the + /etc/shorewall/proxyarp file, you may need to flush the ARP cache of all + routers on the LAN segment connected to the interface specified in the EXTERNAL + column of the change/added entry(s). If you are having problems communicating + between an individual host (A) on that segment and a system whose entry has + changed, you may need to flush the ARP cache on host A as well.

+ + +

ISPs typically have ARP configured with long TTL + (hours!) so if your ISPs router has a stale cache entry (as seen using "tcpdump + -nei <external interface> host <IP addr>"), it may take a long while to time + out. I personally have had to contact my ISP and ask them to delete a stale + entry in order to restore a system to working order after changing my proxy ARP + settings.

+ + +

Example: + You have + public IP addresses 155.182.235.0/28. You configure your firewall as follows:

+
+ + + +
bulleteth0 - 155.186.235.1 (internet connection)
bulleteth1 - 192.168.9.0/24 (masqueraded local systems)
bulleteth2 - 192.168.10.1 (interface to your DMZ)
+ +

+ In your DMZ, you want to install a Web/FTP server with public address + 155.186.235.4. On the Web server, you subnet just like the firewall's eth0 +and you configure 155.186.235.1 as the default gateway. In your /etc/shorewall/proxyarp +file, you will have:

+ +
+ + + + + + + + + + + + + + + + + + + +
+ ADDRESS + INTERFACE + EXTERNALHAVEROUTE
155.186.235.4eth2eth0No
+ +

+ Note: You may want to configure the servers in your DMZ with a subnet +that is smaller than the subnet of your internet interface. See the Proxy +ARP Subnet Mini HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/) for details. In this case you will want to place + "Yes" in the HAVEROUTE column.

+ +

To learn how I use Proxy ARP + in my DMZ, see my configuration files.

+ +

Warning: Do not use Proxy ARP and + FreeS/Wan on the same system unless you are prepared to suffer the + consequences. If you start or restart Shorewall with an IPSEC tunnel active, + the proxied IP addresses are mistakenly assigned to the IPSEC tunnel device + (ipsecX) rather than to the interface that you specify in the INTERFACE column + of /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I + can't say if it is a bug in the Kernel or in FreeS/Wan. 

+

You might be able to work around this problem using the following (I + haven't tried it):

+

In /etc/shorewall/init, include:

+

     qt service ipsec stop

+

In /etc/shorewall/start, include:

+

    qt service ipsec start

+ +

+ /etc/shorewall/nat

+ + +

The /etc/shorewall/nat + file is used to define static NAT. There is one entry in the file for +each static NAT relationship that you wish to define. In order to make +use of this feature, you must have NAT enabled + .

+ + +

+ + IMPORTANT: If + all you want to do + is forward ports + to servers behind + your firewall, you + do NOT want to use + static NAT. Port + forwarding can be + accomplished with + simple entries in + the + + rules file. + Also, in most + cases + + Proxy ARP + provides a + superior solution + to static NAT + because the + internal systems + are accessed using + the same IP + address internally + and externally.

+ + +

Columns +in an entry are:

+
+ + + + + +
bullet + EXTERNAL - External IP address - This should NOT be the primary IP + address of the interface named in the next column.
bullet + INTERFACE - Interface that you want the EXTERNAL IP address to appear + on.
bullet + INTERNAL - Internal IP address.
bulletALL + INTERFACES + - If Yes + or yes (or + left + empty), + NAT will + be + effective + from all + hosts. If + No or no + then NAT + will be + effective + only + through + the + interface + named in + the + INTERFACE + column. + Note: If two or more NATed systems are connected to the same firewall + interface and you want them to be able to communicate using their EXTERNAL IP + addresses, then you will want to specify the multi option in the + /etc/shorewall/interface entry for that interface.
bulletLOCAL - If Yes or yes and the ALL INTERFACES column contains Yes + or yes, NAT will be effective from the firewall system. Note: For this + to work, you must be running kernel 2.4.19 or later and iptables 1.2.6a or + later and you must have enabled  CONFIG_IP_NF_NAT_LOCAL in your + kernel.
+

+ Look here for additional information and an example. +

+ +

+ /etc/shorewall/tunnels

+ +

+ The /etc/shorewall/tunnels file allows you to define IPSec, GRE and IPIP tunnels + with end-points on your firewall. To use ipsec, you must install version + 1.9, 1.91 or the current FreeS/WAN + development snapshot. 

+ +

+ Note: For kernels 2.4.4 and above, you will need to use version 1.91 or +a development snapshot as patching with version 1.9 results in kernel compilation + errors.

+ +

+ Instructions for setting up IPSEC tunnels may be found here + and instructions for IPIP tunnels are here + . Look here for information about setting up PPTP + tunnels under + Shorewall.

+ +

+ /etc/shorewall/shorewall.conf

+ +

+ This file is used to set the following firewall parameters:

+
+ + + + + + + + + + + + + + + + + + + + + +
bulletLOGNEWNOTSYN - Added in Version 1.3.6
+ Beginning with version 1.3.6, Shorewall drops non-SYN TCP packets that are + not part of an existing connection. If you would like to log these packets, + set LOGNEWNOTSYN to the syslog level at which you want the packets logged. + Example: LOGNEWNOTSYN=debug|
+
+ Note: Packets logged under this option are usually the result of + broken remote IP stacks rather than the result of any sort of attempt to + breach your firewall.
bulletMERGE_HOSTS - Added in Version 1.3.5
+ Prior to 1.3.5, when the /etc/shorewall/hosts file + included an entry for a zone then the entire zone had to be defined in the + /etc/shorewall/hosts file and any associations between the zone and + interfaces in the /etc/shorewall/interfaces file + were ignored. This behavior is preserved if MERGE_HOSTS=No or if MERGE_HOSTS + is not set or is set to the empty value.
+
+ Beginning with version 1.3.5, if MERGE_HOSTS=Yes, then zone assignments in + the /etc/shorewall/hosts file are ADDED to those in the + /etc/shorewall/interfaces file.
+
+ Example:
+
+ Interfaces File:
+ + + + + + + + + + + + + + + + + + +
ZONEHOSTSBROADCASTOPTIONS
loceth1-dhcp
-ppp+  
+


+ Hosts File:

+
+ + + + + + + + +
ZONEHOSTS
locppp+:192.168.12.0/24
+


+
With MERGE_HOSTS=No, the loc zone consists of only ppp+:192.168.12.0/24; + with MERGE_HOSTS=Yes, it includes eth1:0.0.0.0/0 and ppp+:192.168.12.0/24.

bulletMULTIPORT - Added in Version 1.3.2
+ If set to "Yes" or "yes", Shorewall will use the Netfilter multiport + facility. In order to use this facility, your kernel must have multiport + support (CONFIG_IP_NF_MATCH_MULTIPORT). When this support is used, Shorewall + will generate a single rule from each record in the /etc/shorewall/rules file + that meets these criteria:
+ + +
bulletNo port range(s) specified
bulletSpecifies 15 or fewer ports
+

Rules not meeting those criteria will continue to generate an individual + rule for each listed port or port range.

bulletNAT_BEFORE_RULES
+ If set to "No" or "no", port forwarding rules can override the contents of + the /etc/shorewall/nat file. If set to "Yes" or "yes", + port forwarding rules cannot override static NAT. If not set or set to an + empty value, "Yes" is assumed.
bulletFW
+
This + parameter + specifies the + name of the + firewall zone. + If not set or + if set to an + empty string, + the value + "fw" + is assumed.
bulletSUBSYSLOCK
+ This parameter should be set to the name of a file that the firewall + should create if it starts successfully and remove when it stops. Creating + and removing this file allows Shorewall to work with your distribution's + initscripts. For RedHat, this should be set to /var/lock/subsys/shorewall. + For Debian, the value is /var/state/shorewall and in LEAF it is + /var/run/shorwall. + Example: + SUBSYSLOCK=/var/lock/subsys/shorewall.
bullet + STATEDIR
+ This parameter specifies the name of a directory where Shorewall +stores state information. If the directory doesn't exist when Shorewall +starts, it will create the directory. Example: STATEDIR=/tmp/shorewall.
+
+ NOTE: If you change the STATEDIR variable while the firewall is + running, create the new directory if necessary then copy the contents of the + old directory to the new directory.
bullet + ALLOWRELATED
+ This parameter must be assigned the value "Yes" ("yes") or +"No" ("no") and specifies whether Shorewall allows connection requests +that are related to an already allowed connection. If you say "No" ("no"), +you can still override this setting by including "related" rules in + /etc/shorewall/rules ("related" given as the protocol).
bullet + MODULESDIR
+ This parameter specifies the directory where your kernel netfilter + modules may be found. If you leave the variable empty, Shorewall will + supply the value "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter.
bullet + LOGRATE and LOGBURST
+ These parameters set the match rate and initial burst size for logged + packets. Please see the iptables man page for a description of the behavior + of these parameters (the iptables option --limit is set by LOGRATE and + --limit-burst is set by LOGBURST). If both parameters are + set empty, no rate-limiting will occur.
+
+ Example:
+    LOGRATE=10/minute
+    LOGBURST=5
bulletLOGFILE
+ This parameter + tells the + /sbin/shorewall + program where + to look for + Shorewall + messages when + processing the + "show + log", + "monitor", + "status" + and + "hits" + commands. If + not assigned + or if assigned + an empty + value, + /var/log/messages + is assumed.
bulletNAT_ENABLED
+ This parameter determines whether Shorewall supports NAT operations. NAT + operations include:
+
+     Static NAT
+     Port Forwarding
+     Port Redirection
+     Masquerading
+
+ If the parameter has no value or has a value of "Yes" or "yes" + then NAT is enabled. If the parameter has a value of "no" or "No" +then NAT is disabled.
+ +
bullet + MANGLE_ENABLED
+ This parameter determines if packet mangling is enabled. If the +parameter has no value or has a value of "Yes" or "yes" than + packet mangling is enabled. If the parameter has a value of "no" +or "No" then packet mangling is disabled. If packet mangling is disabled, +the /etc/shorewall/tos file is ignored.
+ +
bullet + IP_FORWARDING
+ This parameter determines whether Shorewall enables or disables +IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward). Possible values + are:
+
+     On or on - packet forwarding will be enabled.
+     Off or off - packet forwarding will be disabled.
+     Keep or keep - Shorewall will neither enable nor disable + packet forwarding.
+
+ If this variable is not set or is given an empty value (IP_FORWARD="") + then IP_FORWARD=On is assumed.
+ +
bulletADD_IP_ALIASES
+ This parameter determines whether Shorewall automatically adds the + external + address(es) in /etc/shorewall/nat + . If the variable is set to "Yes" or "yes" then Shorewall automatically + adds these aliases. If it is set to "No" or "no", you must add +these aliases yourself using your distribution's network configuration +tools.
+
+ If this variable is not set or is given an empty value (ADD_IP_ALIASES="") + then ADD_IP_ALIASES=Yes is assumed.
bulletADD_SNAT_ALIASES
+ This parameter determines whether Shorewall automatically adds the SNAT + ADDRESS in /etc/shorewall/masq. If the variable is + set to "Yes" or "yes" then Shorewall automatically adds these addresses. If + it is set to "No" or "no", you must add these addresses yourself using your + distribution's network configuration tools.
+
+ If this variable is not set or is given an empty value (ADD_SNAT_ALIASES="") + then ADD_SNAT_ALIASES=No is assumed.
+
bulletLOGUNCLEAN
+ This parameter + determines the + logging level + of + mangled/invalid + packets + controlled by + the 'dropunclean + and logunclean' + interface + options. If + LOGUNCLEAN is + empty + (LOGUNCLEAN=) + then packets + selected by + 'dropclean' are + dropped + silently + ('logunclean' + packets are + logged under + the 'info' log + level). + Otherwise, + these packets + are logged at + the specified + level + (Example: + LOGUNCLEAN=debug).
bulletBLACKLIST_DISPOSITION
+ This parameter + determines the + disposition of + packets from + blacklisted + hosts. It may + have the value + DROP if the + packets are to + be dropped or + REJECT if the + packets are to + be replied + with an ICMP + port + unreachable + reply or a TCP + RST (tcp + only). If you + do not assign + a value or if + you assign an + empty value + then DROP is + assumed.
bulletBLACKLIST_LOGLEVEL
+ This paremter + determines if + packets from + blacklisted + hosts are + logged and it + determines the + syslog level + that they are + to be logged + at. Its value + is a syslog + log level + (Example: + BLACKLIST_LOGLEVEL=debug). + If you do not + assign a value + or if you + assign an + empty value + then packets + from + blacklisted + hosts are not + logged.
bulletCLAMPMSS
+ This parameter + enables the + TCP Clamp MSS + to PMTU + feature of + Netfilter and + is usually + required when + your internet + connection is + through PPPoE + or PPTP. If + set to + "Yes" + or + "yes", + the feature is + enabled. If + left blank or + set to + "No" + or + "no", + the feature is + not enabled. + Note: This + option + requires + CONFIG_IP_NF_TARGET_TCPMSS + in + your kernel.
bulletROUTE_FILTER
+ If this parameter is given the value "Yes" or "yes" then route filtering + (anti-spoofing) is + enabled on all network interfaces. The default value is "no".
+ + + +

+ /etc/shorewall/modules Configuration

+ + +

The file + /etc/shorewall/modules contains commands for loading the kernel modules + required by Shorewall-defined firewall rules. Shorewall will source this + file during start/restart provided that it exists and that the directory + specified by the MODULESDIR parameter exists (see /etc/shorewall/shorewall.conf + above).

+ + +

The file + that is released with Shorewall calls the Shorewall function "loadmodule" + for the set of modules that I load.

+ + +

The loadmodule + function is called as follows:

+ + +
+ + +

loadmodule + <modulename> + [ + <module parameters> ]

+
+ + +

where

+ + +
+ + +

<modulename>                

+ + +
+ + + +

is + the name of the modules without the trailing ".o" (example ip_conntrack).

+
+ + +

+ <module parameters>

+ + +
+ + + +

+ Optional parameters to the insmod utility.

+
+
+ + + +

+ The function determines if the module named by <modulename> + is already loaded and if not then the function determines if the ".o" + file corresponding to the module exists in the moduledirectory; if +so, then the following command is executed:

+ + + +
+ + + +

+ insmod moduledirectory/<modulename>.o <module + parameters>

+
+ + + +

+ If the file doesn't exist, the function determines of the ".o.gz" file + corresponding to the module exists in the moduledirectory. If it + does, the function assumes that the running configuration supports compressed + modules and execute the following command:

+ + + +
+ + + +

+ insmod moduledirectory/<modulename>.o.gz <module + parameters>

+
+ + + +

+ /etc/shorewall/tos Configuration

+ + + +

+ The /etc/shorewall/tos file allows you to set the Type of Service field +in packet headers based on packet source, packet destination, protocol, +source port and destination port. In order for this file to be processed +by Shorewall, you must have mangle support enabled + .

+ + + +

+ Entries in the file have the following columns:

+ + +
+ + + + + + +
bullet + SOURCE -- The source zone. May be qualified by following the zone name + with a colon (":") and either an IP address, an IP subnet, a MAC address + in Shorewall Format or the + name of an interface. This column may also contain the name of + the firewall + zone to indicate + packets originating on the firewall itself or "all" to indicate any + source.
bullet + DEST -- The destination zone. May be qualified by following the zone + name with a colon (":") and either an IP address or an IP subnet. + Because packets are marked prior to routing, you may not specify the + name of an interface. This column may also contain  "all" to indicate + any destination.
bullet + PROTOCOL -- The name of a protocol in /etc/protocols or the protocol's + number.
bullet + SOURCE PORT(S) -- The source port or a port range. For all ports, place + a hyphen ("-") in this column.
bullet + DEST PORT(S)  -- The destination port or a port range. To indicate + all ports, place a hyphen ("-") in this column.
bullet + TOS -- The type of service. Must be one of the following:
+ +
+ +
+ +

+ Minimize-Delay (16)
+ Maximize-Throughput (8)
+ Maximize-Reliability (4)
+ Minimize-Cost (2)
+ Normal-Service (0)

+
+
+ +

+ The /etc/shorewall/tos file that is included with Shorewall contains the + following entries.

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SOURCEDESTPROTOCOLSOURCE
+ PORT(S)
DEST PORT(S)TOS
allalltcp-ssh16
allalltcpssh-16
allalltcp-ftp16
allalltcpftp-16
allalltcp-ftp-data8
allalltcpftp-data-8
+ +

WARNING: Users have reported that odd routing problems result from adding the ESP and AH protocols to the /etc/shorewall/tos file. +

+ +

/etc/shorewall/blacklist

+ +

Each + line + in + /etc/shorewall/blacklist + contains + an + IP + address, a MAC address in Shorewall Format + or + subnet + address. + Example:

+ +
      130.252.100.69
+      206.124.146.0/24
+ +

Packets + from + hosts + listed + in + the + blacklist + file + will + be + disposed + of + according + to + the + value + assigned + to + the BLACKLIST_DISPOSITION + and BLACKLIST_LOGLEVEL variables + in + /etc/shorewall/shorewall.conf. + Only + packets + arriving + on + interfaces + that + have + the + 'blacklist' + option + in + /etc/shorewall/interfaces + are + checked + against + the + blacklist. The black list is designed to prevent listed hosts/subnets from accessing services on your network.

+ +

Shorewall also has a dynamic blacklist capability.

+ +

IMPORTANT: The Shorewall blacklist file is NOT designed to police your users' web browsing -- to do that, I suggest that you install and configure Squid (http://www.squid-cache.org).

+ + + +

/etc/shorewall/rfc1918 (Added in Version 1.3.1)

+ + + +

This file lists the subnets affected by the norfc1918 interface option. Columns in the file are:

+ + + +
+ + +
bulletSUBNET - The subnet using VLSM notation (e.g., 192.168.0.0/16).
bulletTARGET - What to do with packets to/from the SUBNET: + + + +
bulletRETURN - Process the packet normally thru the rules and policies.
bulletDROP - Silently drop the packet.
bulletlogdrop - Log then drop the packet.
+
+ + + +

25. /etc/shorewall/routestopped (Added in Version 1.3.4)

+ + + +

This fine defines the hosts that are accessible from the firewall when the firewall is stopped.  Columns in the file are:

+ + + +
+ + +
bulletINTERFACE - The firewall interface through which the host(s) comminicate with the firewall.
bulletHOST(S) - (Optional) - A comma-separated list of IP/Subnet addresses. If not supplied or supplied as "-" then 0.0.0.0/0 is assumed.
+ + + +

Example: When your firewall is stopped, you want firewall accessibility from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ interfaces through eth1 and your local hosts through eth2.

+ + + +
+ + + + + + + + + + + + + +
INTERFACEHOST(S)
eth2192.168.1.0/24
eth1-
+
+ + + +

+ Updated 8/6/2002 - Tom +Eastep +

+ + + +

Copyright + © 2001, 2002 Thomas M. Eastep.

+ + + + + + + +
\ No newline at end of file
diff --git a/STABLE/documentation/FAQ.htm b/STABLE/documentation/FAQ.htm
new file mode 100644
index 000000000..3a6ae602f
--- /dev/null
+++ b/STABLE/documentation/FAQ.htm
@@ -0,0 +1,571 @@
+ + + + + + + +Shorewall FAQ + + + + + +

Shorewall FAQs

+

About Shorewall

+
+

Why do you call it "Shorewall"?

+

What distributions does it work with?

+

What features does it support?

+

Why isn't there a GUI?

+
+

Filtering

+
+

I'm connected via a cable modem and it has an +internel web server that allows me to configure/monitor it but as expected if I +enable rfc1918 blocking for my eth0 interface, it also blocks the cable modems +web server.

+

Even though it assigns public IP addresses, my +ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on my +external interface, my DHCP client cannot renew its lease.

+

I just used an online port scanner to check my +firewall and it shows some ports as 'closed' rather than 'blocked'. Why?

+

I just ran an nmap UDP scan of my firewall and +it showed 100s of ports as open!!!!

+
+

Port Forwarding

+
+

I want to forward UDP port 7777 to my my personal PC with IP +address 192.168.1.5. I've looked everywhere and can't find how to do it.

+

Ok -- I followed those instructions but it +doesn't work.

+

I port forward www requests to www.mydomain.com (IP +130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse +http://www.mydomain.com but internal clients can't.

+

I have a zone "Z" with an RFC1918 subnet and I +use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot +communicate with each other using their external (non-RFC1918 addresses) so they +can't access each other using their DNS names.

+
+

Applications

+
+

I want to use Netmeeting with Shorewall. What do I do?

+
+

Connection Problems

+
+

I've installed Shorewall and now I can't ping through the +firewall

+

My local systems can't see out to the net

+
+

Logging

+
+

Where are the log messages written and  +how do I change the destination?

+

Shorewall is writing log messages all over my +console making it unusable!

+

Are there any log parsers that work with +Shorewall?

+
+

Starting and stopping the firewall

+
+

When I stop Shorewall using 'shorewall stop', +I can't connect to anything. Why doesn't that command work?

+

When I try to start Shorewall on RedHat 7.x, I +get messages about insmod failing -- what's wrong?

+

Why can't Shorewall detect my interfaces +properly?

+
+

Design

+
+

Why does Shorewall only accept IP addresses as +opposed to FQDNs?

+
+

+

1. I want to forward UDP port 7777 to my my personal PC with IP +address 192.168.1.5. I've looked everywhere and can't find how to do it.

+

Answer: The first example in the rules +file documentation shows how to do port forwarding under Shorewall. Assuming +that you have a dynamic external IP address, the format of a port-forwarding +rule to a local system is as follows:

+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local IP address>[:<local port>]<protocol><port #>  
+
+

So to forward UDP port 7777 to internal system 192.168.1.5, the +rule is:

+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:192.168.1.5udp7777  
+
+
+
     DNAT net loc:192.168.1.5 udp 7777
+
+

If you want to forward requests directed to a particular +address ( <external IP> ) on your firewall to an internal system:

+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local IP address>[:<local port>]<protocol><port #>-<external IP>
+
+

1a. Ok -- I followed those instructions but +it doesn't work

+

Answer: That is usually the result of one of two things:

+
+ + +
bulletYou are trying to test from inside your firewall (no, that +won't work -- see FAQ #2).
bulletYou have a more basic problem with your local system such as an +incorrect default gateway configured (it should be set to the IP address of your +firewall's internal interface).
+

2. I port forward www requests to www.mydomain.com (IP +130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse +http://www.mydomain.com but internal clients can't.

+

Answer: I have two objections to this setup.

+
+ + +
bulletHaving an internet-accessible server in your local network + is like raising foxes in the corner of your hen house. If the server is + compromised, there's nothing between that server and your other internal + systems. For the cost of another NIC and a cross-over cable, you can put + your server in a DMZ such that it is isolated from your local systems - + assuming that the Server can be located near the Firewall, of course :-)
bulletThe accessibility problem is best solved using + Bind Version + 9 "views" (or using a separate DNS server for local clients) such that www.mydomain.com resolves to 130.141.100.69 + externally and 192.168.1.5 internally. That's what I do here at + shorewall.net for my local systems that use static NAT.
+

If you insist on an IP solution to the accessibility problem +rather than a DNS solution, then assuming that your external interface is eth0 +and your internal interface is eth1 +and that eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do the following:

+

a) In /etc/shorewall/interfaces, specify "multi" as an option +for eth1.

+
+

b) In /etc/shorewall/rules, add:

+
+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-130.151.100.69:192.168.1.254
+
+
+
+
     DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254
+
+
+

That rule only works of course if you have a static external IP +address. If you +have a dynamic IP address and are running Shorewall 1.3.4 or later then include this in +/etc/shorewall/params:

+
+
     ETH0_IP=`find_interface_address eth0`
+
+
+

and make your DNAT rule:

+
+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-$ETH0_IP:192.168.1.254
+
+
+
+

Using this technique, you will want to configure your DHCP/PPPoE +client to automatically restart Shorewall each time that you get a new IP +address.

+

2a. I have a zone "Z" with an RFC1918 subnet and I +use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot +communicate with each other using their external (non-RFC1918 addresses) so they +can't access each other using their DNS names.

+

Answer: This is another problem that is best solved using Bind Version 9 +"views". It allows both external and internal clients to access a +NATed host using the host's DNS name.

+

Another good way to approach this problem is to switch from +static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses and +can be accessed externally and internally using the same address. 

+

If you don't like those solutions and prefer routing all Z->Z +traffic through your firewall then:

+

a) Specify "multi" on the entry for Z's interface in +/etc/shorewall/interfaces.
+b) Set the Z->Z policy to ACCEPT.
+c) Masquerade Z to itself.
+
+Example:

+

Zone: dmz
+Interface: eth2
+Subnet: 192.168.2.0/24

+

In /etc/shorewall/interfaces:

+
+ + + + + + + + + + + + + +
ZONEINTERFACEBROADCASTOPTIONS
dmzeth2192.168.2.255multi
+
+

In /etc/shorewall/policy:

+
+ + + + + + + + + + + + + +
SOURCE DESTINATIONPOLICYLIMIT:BURST
dmzdmzACCEPT 
+
+
+
     dmz    dmz    ACCEPT
+
+

In /etc/shorewall/masq:

+
+ + + + + + + + + + + +
INTERFACE SUBNETADDRESS
eth2192.168.2.0/24 
+
+

3. I want to use Netmeeting with Shorewall. What do I do?

+

Answer: There is an H.323 connection tracking/NAT module that may help. +Also check the Netfilter mailing list archives at http://netfilter.samba.org.

+ +

4. I just used an online port scanner to + check my firewall and it shows some ports as 'closed' rather than 'blocked'. + Why?

+ +

Answer: The common.def included with version 1.3.x always + rejects connection requests on TCP port 113 rather than dropping them. This is + necessary to prevent outgoing connection problems to services that use the + 'Auth' mechanism for identifying requesting users. Shorewall also rejects TCP + ports 135, 137 and 139 as well as UDP ports 137-139. These are ports that are + used by Windows (Windows can be configured to use the DCE cell locator + on port 135). Rejecting these connection requests rather than dropping them + cuts down slightly on the amount of Windows chatter on LAN segments connected + to the Firewall.

+ +

If you are seeing port 80 being 'closed', that's probably your + ISP preventing you from running a web server in violation of your Service + Agreement.

+ +

4a. I just ran an nmap UDP scan of my + firewall and it showed 100s of ports as open!!!!

+ +

Answer: Take a deep breath and read the nmap man page section about + UDP scans. If nmap gets nothing back from your firewall then it reports + the port as open. If you want to see which UDP ports are really open, + temporarily change your net->all policy to REJECT, restart Shorewall and do + the nmap UDP scan again.

+ +

5. I've installed Shorewall and now I can't ping through the +firewall

+

Answer: If you want your firewall to be totally open for +"ping":

+

a) Do NOT specify 'noping' on any interface in +/etc/shorewall/interfaces.
+b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef
+c) Add the following to /etc/shorewall/icmpdef:

+
+

run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j +ACCEPT

+
+

6. Where are the log messages written +and  how do I change the destination?

+

Answer: NetFilter uses the kernel's equivalent of syslog (see "man +syslog") to log messages. It always uses the LOG_KERN (kern) facility (see +"man openlog") and you get to choose the log level (again, see +"man syslog") in your policies +and rules. The destination for messaged +logged by syslog is controlled by /etc/syslog.conf (see "man +syslog.conf"). When you have changed /etc/syslog.conf, be sure to restart +syslogd (on a RedHat system, "service syslog restart").

+

By default, older versions of Shorewall ratelimited log messages through +settings +in /etc/shorewall/shorewall.conf -- If you want to log all messages, set:

+
+
     LOGLIMIT=""
+     LOGBURST=""
+
+

6a. Are there any log parsers that work +with Shorewall?

+

Answer: Here are several links that may be helpful:

+
+

+http://www.shorewall.net/pub/shorewall/parsefw/
+http://www.fireparse.com
+http://cert.uni-stuttgart.de/projects/fwlogwatch

+
+

7. When I stop Shorewall using 'shorewall +stop', I can't connect to anything. Why doesn't that command work?

+

The 'stop' command is intended to place your firewall into a +safe state whereby only those interfaces/hosts having the 'routestopped' option +in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. If you want +to totally open up your firewall, you must use the 'shorewall clear' command.

+

8. When I try to start Shorewall on RedHat +7.x, I get messages about insmod failing -- what's wrong?

+

Answer: The output you will see looks something like this:

+
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
+     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
+     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
+     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
+     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
+     iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
+     Perhaps iptables or your kernel needs to be upgraded.
+

This is usually cured by the following sequence of commands:

+
+
     service ipchains stop
+     chkconfig --delete ipchains
+     rmmod ipchains
+
+
+

Also, be sure to check the errata for +problems concerning the version of iptables (v1.2.3) shipped with RH7.2.

+

9. Why does Shorewall only accept IP +addresses as opposed to FQDNs?

Answer: FQDNs in iptables rules +aren't nearly as useful as they first appear. When a DNS name appears in a rule, +the iptables utility resolves the name to one or more IP addresses and inserts +those addresses into the rule. So change in the DNS->IP address relationship +that occur after the firewall has started have absolutely no effect on the +firewall's ruleset.

+

I'm also trying to protect +people from themselves. If your firewall rules include FQDN's then:

+
+ + + + +
bulletIf your /etc/resolv.conf is wrong then your firewall won't + start.
bulletIf your /etc/nsswitch.conf is wrong then your firewall won't + start.
bulletIf your Name Server(s) is(are) down then your firewall won't + start.
bulletFactors totally outside your control (your ISP's router is + down for example), can prevent your firewall from starting.
+

10. What Distributions does it work + with?

+

Shorewall works with any GNU/Linux distribution that includes + the proper prerequisites.

11. What Features does it have?

+

Answer: See the Shorewall Feature + List.

12. Why isn't there a GUI?

+

Answer: Every time I've started to work on one, I find myself doing + other things. I guess I just don't care enough if Shorewall has a GUI to + invest the effort to create one myself. There are several Shorewall GUI + projects underway however and I will publish links to them when the authors + feel that they are ready.

+13. Why do you call it "Shorewall"?

+

Answer: Shorewall is a concatenation of "Shoreline" (the + city where I live) and "Firewall".

+14.  I'm connected via a cable modem and it has an +internal web server that allows me to configure/monitor it but as expected if I +enable rfc1918 blocking for my eth0 interface (the internet one), it also blocks +the cable modems web server.

+

Is there any way it can add a rule before the +rfc1918 blocking that will let all traffic to and from the 192.168.100.1 address +of the modem in/out but still block all other rfc1918 addresses.

+

Answer: If you are running a version of Shorewall earlier than + 1.3.1, create /etc/shorewall/start and in it, place the following:

+
     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT
+
+
+

If you are running version 1.3.1 or later, simply add the + following to /etc/shorewall/rfc1918:

+
+
+ + + + + + + + + +
SUBNET TARGET
192.168.100.1RETURN
+
+
+
+

Be sure that you add the entry ABOVE the entry for + 192.168.0.0/16.

+
+

14a. Even though it assigns public IP + addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 + filtering on my external interface, my DHCP client cannot renew its lease.

+
+
+

The solution is the same as FAQ 14 above. Simply substitute + the IP address of your ISPs DHCP server.

+

15. My local systems can't see out to the +net

+ +

Answer: Every time I read "systems can't see out to the net", I wonder +where the poster bought computers with eyes and what those computers will "see" +when things are working properly. That aside, the most common causes of this +problem are:

+ +
    +
  1. The default gateway on each local system isn't set to the + IP address of the local firewall interface.

    + +
  2. +
  3. The entry for the local network in the /etc/shorewall/masq + file is wrong or missing.

    + +
  4. +
  5. The DNS settings on the local systems are wrong or the + user is running a DNS server on the firewall and hasn't enabled UDP and TCP + port 53 from the firewall to the internet.

    + +
  6. +
+

16. Shorewall is writing log messages all +over my console making it unusable!

+ +

Answer: "man dmesg" -- add a suitable 'dmesg' command to your startup + scripts or place it in /etc/shorewall/start.

+ +

17. Why can't Shorewall detect my + interfaces properly?

+ +

I just installed Shorewall and when I issue the start command, + I see the following:

+ +
+
     Processing /etc/shorewall/shorewall.conf ...
+     Processing /etc/shorewall/params ...
+     Starting Shorewall...
+     Loading Modules...
+     Initializing...
+     Determining Zones...
+     Zones: net loc
+     Validating interfaces file...
+     Validating hosts file...
+     Determining Hosts in Zones...
+     Net Zone: eth0:0.0.0.0/0
+     Local Zone: eth1:0.0.0.0/0
+     Deleting user chains...
+     Creating input Chains...
+     ...
+
+
+

Why can't Shorewall detect my interfaces properly?

+
+

Answer: The above output is perfectly normal. The Net + zone is defined as all hosts that are connected through eth0 and the local + zone is defined as all hosts connected through eth1. +

+ +

Last updated +7/31/2002 - Tom +Eastep

+ +

Copyright2001, 2002 Thomas M. Eastep.

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/GnuCopyright.htm b/STABLE/documentation/GnuCopyright.htm
new file mode 100644
index 000000000..7d39fb81b
--- /dev/null
+++ b/STABLE/documentation/GnuCopyright.htm
@@ -0,0 +1,277 @@
+ + + + + + + +Copyright + + + + + +

GNU Free Documentation License

+

Version 1.1, March 2000

+
Copyright (C) 2000  Free Software Foundation, Inc.
+59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+Everyone is permitted to copy and distribute verbatim copies
+of this license document, but changing it is not allowed.
+
+

0. PREAMBLE

+

The purpose of this License is to make a manual, textbook, or other written +document "free" in the sense of freedom: to assure everyone the effective +freedom to copy and redistribute it, with or without modifying it, either +commercially or noncommercially. Secondarily, this License preserves for the +author and publisher a way to get credit for their work, while not being +considered responsible for modifications made by others.

+

This License is a kind of "copyleft", which means that derivative works of +the document must themselves be free in the same sense. It complements the GNU +General Public License, which is a copyleft license designed for free software. +

+

We have designed this License in order to use it for manuals for free +software, because free software needs free documentation: a free program should +come with manuals providing the same freedoms that the software does. But this +License is not limited to software manuals; it can be used for any textual work, +regardless of subject matter or whether it is published as a printed book. We +recommend this License principally for works whose purpose is instruction or +reference.

+

1. APPLICABILITY AND DEFINITIONS

+

This License applies to any manual or other work that contains a notice +placed by the copyright holder saying it can be distributed under the terms of +this License. The "Document", below, refers to any such manual or work. Any +member of the public is a licensee, and is addressed as "you".

+

A "Modified Version" of the Document means any work containing the Document +or a portion of it, either copied verbatim, or with modifications and/or +translated into another language.

+

A "Secondary Section" is a named appendix or a front-matter section of the +Document that deals exclusively with the relationship of the publishers or +authors of the Document to the Document's overall subject (or to related +matters) and contains nothing that could fall directly within that overall +subject. (For example, if the Document is in part a textbook of mathematics, a +Secondary Section may not explain any mathematics.) The relationship could be a +matter of historical connection with the subject or with related matters, or of +legal, commercial, philosophical, ethical or political position regarding them. +

+

The "Invariant Sections" are certain Secondary Sections whose titles are +designated, as being those of Invariant Sections, in the notice that says that +the Document is released under this License.

+

The "Cover Texts" are certain short passages of text that are listed, as +Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document +is released under this License.

+

A "Transparent" copy of the Document means a machine-readable copy, +represented in a format whose specification is available to the general public, +whose contents can be viewed and edited directly and straightforwardly with +generic text editors or (for images composed of pixels) generic paint programs +or (for drawings) some widely available drawing editor, and that is suitable for +input to text formatters or for automatic translation to a variety of formats +suitable for input to text formatters. A copy made in an otherwise Transparent +file format whose markup has been designed to thwart or discourage subsequent +modification by readers is not Transparent. A copy that is not "Transparent" is +called "Opaque".

+

Examples of suitable formats for Transparent copies include plain ASCII +without markup, Texinfo input format, LaTeX input format, SGML or XML using a +publicly available DTD, and standard-conforming simple HTML designed for human +modification. Opaque formats include PostScript, PDF, proprietary formats that +can be read and edited only by proprietary word processors, SGML or XML for +which the DTD and/or processing tools are not generally available, and the +machine-generated HTML produced by some word processors for output purposes +only.

+

The "Title Page" means, for a printed book, the title page itself, plus such +following pages as are needed to hold, legibly, the material this License +requires to appear in the title page. For works in formats which do not have any +title page as such, "Title Page" means the text near the most prominent +appearance of the work's title, preceding the beginning of the body of the text. +

+

2. VERBATIM COPYING

+

You may copy and distribute the Document in any medium, either commercially +or noncommercially, provided that this License, the copyright notices, and the +license notice saying this License applies to the Document are reproduced in all +copies, and that you add no other conditions whatsoever to those of this +License. You may not use technical measures to obstruct or control the reading +or further copying of the copies you make or distribute. However, you may accept +compensation in exchange for copies. If you distribute a large enough number of +copies you must also follow the conditions in section 3.

+

You may also lend copies, under the same conditions stated above, and you may +publicly display copies.

+

3. COPYING IN QUANTITY

+

If you publish printed copies of the Document numbering more than 100, and +the Document's license notice requires Cover Texts, you must enclose the copies +in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover +Texts on the front cover, and Back-Cover Texts on the back cover. Both covers +must also clearly and legibly identify you as the publisher of these copies. The +front cover must present the full title with all words of the title equally +prominent and visible. You may add other material on the covers in addition. +Copying with changes limited to the covers, as long as they preserve the title +of the Document and satisfy these conditions, can be treated as verbatim copying +in other respects.

+

If the required texts for either cover are too voluminous to fit legibly, you +should put the first ones listed (as many as fit reasonably) on the actual +cover, and continue the rest onto adjacent pages.

+

If you publish or distribute Opaque copies of the Document numbering more +than 100, you must either include a machine-readable Transparent copy along with +each Opaque copy, or state in or with each Opaque copy a publicly-accessible +computer-network location containing a complete Transparent copy of the +Document, free of added material, which the general network-using public has +access to download anonymously at no charge using public-standard network +protocols. If you use the latter option, you must take reasonably prudent steps, +when you begin distribution of Opaque copies in quantity, to ensure that this +Transparent copy will remain thus accessible at the stated location until at +least one year after the last time you distribute an Opaque copy (directly or +through your agents or retailers) of that edition to the public.

+

It is requested, but not required, that you contact the authors of the +Document well before redistributing any large number of copies, to give them a +chance to provide you with an updated version of the Document.

+

4. MODIFICATIONS

+

You may copy and distribute a Modified Version of the Document under the +conditions of sections 2 and 3 above, provided that you release the Modified +Version under precisely this License, with the Modified Version filling the role +of the Document, thus licensing distribution and modification of the Modified +Version to whoever possesses a copy of it. In addition, you must do these things +in the Modified Version:

+

 

+
+ + + + + + + + + + + + + + +
bulletA. Use in the Title Page (and on the covers, if any) a + title distinct from that of the Document, and from those of previous versions + (which should, if there were any, be listed in the History section of the + Document). You may use the same title as a previous version if the original + publisher of that version gives permission.
bulletB. List on the Title Page, as authors, one or more + persons or entities responsible for authorship of the modifications in the + Modified Version, together with at least five of the principal authors of the + Document (all of its principal authors, if it has less than five).
bulletC. State on the Title page the name of the publisher of + the Modified Version, as the publisher.
bulletD. Preserve all the copyright notices of the Document. +
bulletE. Add an appropriate copyright notice for your + modifications adjacent to the other copyright notices.
bulletF. Include, immediately after the copyright notices, a + license notice giving the public permission to use the Modified Version under + the terms of this License, in the form shown in the Addendum below.
bulletG. Preserve in that license notice the full lists of + Invariant Sections and required Cover Texts given in the Document's license + notice.
bulletH. Include an unaltered copy of this License.
bulletI. Preserve the section entitled "History", and its + title, and add to it an item stating at least the title, year, new authors, + and publisher of the Modified Version as given on the Title Page. If there is + no section entitled "History" in the Document, create one stating the title, + year, authors, and publisher of the Document as given on its Title Page, then + add an item describing the Modified Version as stated in the previous + sentence.
bulletJ. Preserve the network location, if any, given in the + Document for public access to a Transparent copy of the Document, and likewise + the network locations given in the Document for previous versions it was based + on. These may be placed in the "History" section. You may omit a network + location for a work that was published at least four years before the Document + itself, or if the original publisher of the version it refers to gives + permission.
bulletK. In any section entitled "Acknowledgements" or + "Dedications", preserve the section's title, and preserve in the section all + the substance and tone of each of the contributor acknowledgements and/or + dedications given therein.
bulletL. Preserve all the Invariant Sections of the Document, + unaltered in their text and in their titles. Section numbers or the equivalent + are not considered part of the section titles.
bulletM. Delete any section entitled "Endorsements". Such a + section may not be included in the Modified Version.
bulletN. Do not retitle any existing section as "Endorsements" + or to conflict in title with any Invariant Section.
+

If the Modified Version includes new front-matter sections or appendices that +qualify as Secondary Sections and contain no material copied from the Document, +you may at your option designate some or all of these sections as invariant. To +do this, add their titles to the list of Invariant Sections in the Modified +Version's license notice. These titles must be distinct from any other section +titles.

+

You may add a section entitled "Endorsements", provided it contains nothing +but endorsements of your Modified Version by various parties--for example, +statements of peer review or that the text has been approved by an organization +as the authoritative definition of a standard.

+

You may add a passage of up to five words as a Front-Cover Text, and a +passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover +Texts in the Modified Version. Only one passage of Front-Cover Text and one of +Back-Cover Text may be added by (or through arrangements made by) any one +entity. If the Document already includes a cover text for the same cover, +previously added by you or by arrangement made by the same entity you are acting +on behalf of, you may not add another; but you may replace the old one, on +explicit permission from the previous publisher that added the old one.

+

The author(s) and publisher(s) of the Document do not by this License give +permission to use their names for publicity for or to assert or imply +endorsement of any Modified Version.

+

5. COMBINING DOCUMENTS

+

You may combine the Document with other documents released under this +License, under the terms defined in section 4 above for modified versions, +provided that you include in the combination all of the Invariant Sections of +all of the original documents, unmodified, and list them all as Invariant +Sections of your combined work in its license notice.

+

The combined work need only contain one copy of this License, and multiple +identical Invariant Sections may be replaced with a single copy. If there are +multiple Invariant Sections with the same name but different contents, make the +title of each such section unique by adding at the end of it, in parentheses, +the name of the original author or publisher of that section if known, or else a +unique number. Make the same adjustment to the section titles in the list of +Invariant Sections in the license notice of the combined work.

+

In the combination, you must combine any sections entitled "History" in the +various original documents, forming one section entitled "History"; likewise +combine any sections entitled "Acknowledgements", and any sections entitled +"Dedications". You must delete all sections entitled "Endorsements."

+

6. COLLECTIONS OF DOCUMENTS

+

You may make a collection consisting of the Document and other documents +released under this License, and replace the individual copies of this License +in the various documents with a single copy that is included in the collection, +provided that you follow the rules of this License for verbatim copying of each +of the documents in all other respects.

+

You may extract a single document from such a collection, and distribute it +individually under this License, provided you insert a copy of this License into +the extracted document, and follow this License in all other respects regarding +verbatim copying of that document.

+

7. AGGREGATION WITH INDEPENDENT WORKS

+

A compilation of the Document or its derivatives with other separate and +independent documents or works, in or on a volume of a storage or distribution +medium, does not as a whole count as a Modified Version of the Document, +provided no compilation copyright is claimed for the compilation. Such a +compilation is called an "aggregate", and this License does not apply to the +other self-contained works thus compiled with the Document, on account of their +being thus compiled, if they are not themselves derivative works of the +Document.

+

If the Cover Text requirement of section 3 is applicable to these copies of +the Document, then if the Document is less than one quarter of the entire +aggregate, the Document's Cover Texts may be placed on covers that surround only +the Document within the aggregate. Otherwise they must appear on covers around +the whole aggregate.

+

8. TRANSLATION

+

Translation is considered a kind of modification, so you may distribute +translations of the Document under the terms of section 4. Replacing Invariant +Sections with translations requires special permission from their copyright +holders, but you may include translations of some or all Invariant Sections in +addition to the original versions of these Invariant Sections. You may include a +translation of this License provided that you also include the original English +version of this License. In case of a disagreement between the translation and +the original English version of this License, the original English version will +prevail.

+

9. TERMINATION

+

You may not copy, modify, sublicense, or distribute the Document except as +expressly provided for under this License. Any other attempt to copy, modify, +sublicense or distribute the Document is void, and will automatically terminate +your rights under this License. However, parties who have received copies, or +rights, from you under this License will not have their licenses terminated so +long as such parties remain in full compliance.

+

10. FUTURE REVISIONS OF THIS LICENSE

+

The Free Software Foundation may publish new, revised versions of the GNU +Free Documentation License from time to time. Such new versions will be similar +in spirit to the present version, but may differ in detail to address new +problems or concerns. See http://www.gnu.org/copyleft/.

+

Each version of the License is given a distinguishing version number. If the +Document specifies that a particular numbered version of this License "or any +later version" applies to it, you have the option of following the terms and +conditions either of that specified version or of any later version that has +been published (not as a draft) by the Free Software Foundation. If the Document +does not specify a version number of this License, you may choose any version +ever published (not as a draft) by the Free Software Foundation.

+

 

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/IPIP.htm b/STABLE/documentation/IPIP.htm
new file mode 100644
index 000000000..a2b2a84bb
--- /dev/null
+++ b/STABLE/documentation/IPIP.htm
@@ -0,0 +1,172 @@
+ + + + +GRE/IPIP Tunnels + + + + + + +

GRE and IPIP Tunnels

+

Warning: GRE and IPIP Tunnels are insecure when used +over the internet; use them at your own risk

+

GRE and IPIP tunneling with Shorewall requires iproute2 and can be used to bridge two masqueraded networks. GRE +tunnels were introduced in shorewall version 1.2.0_Beta2.

+

The simple scripts described in the Linux Advanced Routing +and Shaping HOWTO work fine with Shorewall. Shorewall also includes a tunnel +script for automating tunnel configuration. If you have installed the RPM, the +tunnel script may be found in the Shorewall documentation directory (usually +/usr/share/doc/shorewall-<version>/).

+

Bridging two Masqueraded Networks

+

Suppose that we have the following situation:

+

+

We want systems in the 192.168.1.0/24 subnetwork to be able to +communicate with the systems in the 10.0.0.0/8 network. This is accomplished +through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file +and the /etc/shorewall/tunnel script that is included with Shorewall.

+

The 'tunnel' script is not installed in /etc/shorewall by +default -- If you install using the tarball, the script is included in the +tarball; if you install using the RPM, the file is in your Shorewall +documentation directory (normally /usr/share/doc/shorewall-<version>).

+

In the /etc/shorewall/tunnel script, set the 'tunnel_type' +parameter to the type of tunnel that you want to create.

+

Example:

+
+

tunnel_type=gre

+
+

On system A, the 10.0.0.0/8 will comprise the gw zone. In +/etc/shorewall/interfaces:

+
+ + + + + + + + + + + + + +
ZONEINTERFACEBROADCASTOPTIONS
gwtosysb10.255.255.255 
+
+

In /etc/shorewall/tunnels on system A, we need the following:

+
+ + + + + + + + + + + + + +
TYPEZONEGATEWAYGATEWAY ZONE
ipipnet134.28.54.2 
+
+

This entry in /etc/shorewall/tunnels, opens the firewall so that the IP +encapsulation protocol (4) will be accepted to/from the remote gateway.

+

In the tunnel script on system A:

+
+

tunnel=tosysb
+ myrealip=206.161.148.9 (for GRE tunnel only)
+ myip=192.168.1.1
+ hisip=10.0.0.1
+ gateway=134.28.54.2
+ subnet=10.0.0.0/8

+
+

Similarly, On system B the 192.168.1.0/24 subnet will comprise the gw +zone. In /etc/shorewall/interfaces:

+
+ + + + + + + + + + + + + +
ZONEINTERFACEBROADCASTOPTIONS
gwtosysa192.168.1.255 
+
+

In /etc/shorewall/tunnels on system B, we have:

+
+ + + + + + + + + + + + + +
TYPEZONEGATEWAYGATEWAY ZONE
ipipnet206.191.148.9 
+
+

And in the tunnel script on system B:

+
+

tunnel=tosysa
+ myrealip=134.28.54.2 (for GRE tunnel only)
+ myip=10.0.0.1
+ hisip=192.168.1.1
+ gateway=206.191.148.9
+ subnet=192.168.1.0/24

+
+

You can rename the modified tunnel scripts if you like; be sure that they are +secured so that root can execute them.

+ +

You will need to allow traffic between the "gw" zone and + the "loc" zone on both systems -- if you simply want to admit all traffic + in both directions, you can use the policy file:

+ + +
+ + + + + + + + + + + + + + + + + + + + + +
SOURCEDESTPOLICYLOG LEVEL
locgwACCEPT 
gwlocACCEPT 
+
+

On both systems, restart Shorewall and +run the modified tunnel script with the "start" argument on each +system. The systems in the two masqueraded subnetworks can now talk to each +other

+

Updated 5/18/2002 - Tom +Eastep

+

Copyright2001, 2002 Thomas M. Eastep.

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/IPSEC.htm b/STABLE/documentation/IPSEC.htm
new file mode 100644
index 000000000..1124ff916
--- /dev/null
+++ b/STABLE/documentation/IPSEC.htm
@@ -0,0 +1,240 @@
+ + + + + + Shorewall IPSec Tunneling + + + + + + + + + +

IPSEC Tunnels

+

Configuring FreeS/Wan

+There is an excellent guide to configuring IPSEC tunnels at + http://jixen.tripod.com +. I highly recommend that you consult that site for information about confuring +FreeS/Wan. 

Warning: Do not use Proxy ARP + and FreeS/Wan on the same system unless you are prepared to suffer the + consequences. If you start or restart Shorewall with an IPSEC tunnel active, + the proxied IP addresses are mistakenly assigned to the IPSEC tunnel device + (ipsecX) rather than to the interface that you specify in the INTERFACE column + of /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I + can't say if it is a bug in the Kernel or in FreeS/Wan. 

+

You might be able to work around this problem using the following (I + haven't tried it):

+

In /etc/shorewall/init, include:

+

     qt service ipsec stop

+

In /etc/shorewall/start, include:

+

    qt service ipsec start

+

+ +IPSec Gateway +on the Firewall System +

+ +

Suppose that we have the following sutuation:

+ + + +

+ +

+ +
+ +

We want systems +in the 192.168.1.0/24 sub-network to be able to communicate with systems +in the 10.0.0.0/8 network.

+ +

To make this work, we need to do two things:

+ +

a) Open the firewall so that the IPSEC tunnel can be established +(allow the ESP and AH protocols and UDP Port 500).

+ +

b) Allow traffic through the tunnel.

+ +

Opening the firewall for the IPSEC tunnel is accomplished by +adding an entry to the /etc/shorewall/tunnels file.

+ +

In /etc/shorewall/tunnels +on system A, we need the following 

+ +
+ + + + + + + + + + + + + + + + +
+ TYPE + ZONE + GATEWAY + GATEWAY ZONE
ipsecnet134.28.54.2 
+ +

In /etc/shorewall/tunnels +on system B, we would have:

+ +
+ + + + + + + + + + + + + + + + +
+ TYPE + ZONE + GATEWAY + GATEWAY ZONE
ipsecnet206.161.148.9 
+ +

At both +systems, ipsec0 would be included in /etc/shorewall/interfaces as a "gw" +interface:

+ +
+ + + + + + + + + + + + + + + + +
+ ZONE + INTERFACE + BROADCAST + OPTIONS
gwipsec0  
+ +

You will need to allow traffic between the "gw" zone and + the "loc" zone -- if you simply want to admit all traffic in both + directions, you can use the policy file:

+ + +
+ + + + + + + + + + + + + + + + + + + + + +
SOURCEDESTPOLICYLOG LEVEL
locgwACCEPT 
gwlocACCEPT 
+
+ +

Once +you have these entries in place, restart Shorewall (type shorewall restart); +you are now ready to configure the tunnel in + FreeS/WAN + .

+ + +

+ Mobile System (Road Warrior)

+ +

Suppose that you have +a laptop system (B) that you take with you when you travel and you want to +be able to establish a secure connection back to your local network.

+ +

+ +

+ +

In this +instance, the mobile system (B) has IP address 134.28.54.2 but that cannot +be determined in advance. In the /etc/shorewall/tunnels file on system A, +the following entry should be made:

+ +
+ + + + + + + + + + + + + + + + +
+ TYPE + ZONE + GATEWAY + GATEWAY ZONE
ipsecnet0.0.0.0/0gw
+ +

Note that the GATEWAY +ZONE column contains the name of the zone corresponding to peer subnetworks +(gw in the default /etc/shorewall/zones). This indicates that the +gateway system itself comprises the peer subnetwork; in other words, the +remote gateway is a standalone system.

+ + +

You will need to configure /etc/shorewall/interfaces and establish + your "through the tunnel" policy as shown under the first example above.

+ + +

Last +updated 5/18/2002 - + Tom Eastep +

+ + +

+ Copyright © 2001, 2002 Thomas M. Eastep.

+ +
+
\ No newline at end of file
diff --git a/STABLE/documentation/Install.htm b/STABLE/documentation/Install.htm
new file mode 100644
index 000000000..3dcf447b4
--- /dev/null
+++ b/STABLE/documentation/Install.htm
@@ -0,0 +1,165 @@
+ + + + +Shorewall Installation + + + + + +

Shorewall Installation

+ +

Install using RPM
+Install +using tarball
+Upgrade using RPM
+Upgrade +using tarball
+Configuring Shorewall
+Uninstall/Fallback

+

To install Shorewall using the RPM:

+

If you have RedHat 7.2 and are running iptables version 1.2.3 (at a shell +prompt, type "/sbin/iptables --version"), you must upgrade to version 1.2.4 +either from the +RedHat update +site or from the Shorewall Errata page before +attempting to start Shorewall.

+
+ + + +
bulletInstall the RPM (rpm -ivh <shorewall rpm>).
+
+ Note: Some SuSE users have encountered a problem whereby rpm reports a + conflict with kernel <= 2.2 even though a 2.4 kernel is installed. If this + happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps <shorewall + rpm>).
bulletEdit the configuration files to match your configuration. WARNING - YOU CAN NOT SIMPLY INSTALL THE RPM +AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE +FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO +START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, +ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.
bulletStart the firewall by typing "shorewall start"
+

To + install Shorewall using the tarball and install + script:

+
+ + + + + + + + + +
bulletunpack the tarball
bulletcd to the shorewall directory (the version is encoded in the + directory name as in "shorewall-1.1.10").
bulletIf you are using Caldera, RedHat, + Mandrake, Corel, + Slackware or + Debian + then type "./install.sh"
bulletIf you are using SuSe then type + "./install.sh /etc/init.d"
bulletIf your distribution has directory + /etc/rc.d/init.d or /etc/init.d then type + "./install.sh"
bulletFor other distributions, determine where your + distribution installs init scripts and type + "./install.sh <init script directory>
bulletEdit the configuration files to match your configuration.
bulletStart the firewall by typing "shorewall + start"
bulletIf the install script was unable to configure Shorewall to be started automatically at boot, + see these + instructions.
+

If you already have the Shorewall RPM installed and are upgrading to a new +version:

+

If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you +have entries in the /etc/shorewall/hosts file then please check your +/etc/shorewall/interfaces file to be sure that it contains an entry for each +interface mentioned in the hosts file. Also, there are certain 1.2 rule forms +that are no longer supported under 1.3 (you must use the new 1.3 syntax). See +the errata for details. You can check your rules and +host file for 1.3 compatibility using the "shorewall check" command after +installing the latest version of 1.3.

+
+ + + +
bulletUpgrade the RPM (rpm -Uvh <shorewall rpm file>) Note: If you + are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed, + you must use the "--oldpackage" option to rpm (e.g., "rpm + -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). +

+ Note: Some SuSE users have encountered a problem whereby rpm reports a + conflict with kernel <= 2.2 even though a 2.4 kernel is installed. If this + happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps <shorewall + rpm>).

bulletSee if there are any incompatibilities between your configuration and the + new Shorewall version (type "shorewall check") and correct as necessary.
bulletRestart the firewall (shorewall restart).
+

If you already have Shorewall installed and are upgrading to a new version +using the tarball:

+

If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you +have entries in the /etc/shorewall/hosts file then please check your +/etc/shorewall/interfaces file to be sure that it contains an entry for each +interface mentioned in the hosts file.  Also, there are certain 1.2 rule +forms that are no longer supported under 1.3 (you must use the new 1.3 syntax). +See the errata for details. You can check your rules +and host file for 1.3 compatibility using the "shorewall check" command after +installing the latest version of 1.3.

+
+ + + + + + + + +
bulletunpack the tarball
bulletcd to the shorewall directory (the version is encoded in the + directory name as in "shorewall-3.0.1").
bulletIf you are using Caldera, RedHat, + Mandrake, Corel, + Slackware or + Debian + then type "./install.sh"
bulletIf you are using SuSe then type + "./install.sh /etc/init.d"
bulletIf your distribution has directory + /etc/rc.d/init.d or /etc/init.d then type + "./install.sh"
bulletFor other distributions, determine where your + distribution installs init scripts and type + "./install.sh <init script directory>
bulletSee if there are any incompatibilities between your configuration and the + new Shorewall version (type "shorewall check") and correct as necessary.
bulletRestart the firewall by typing "shorewall restart"
+

Configuring Shorewall

+

You will need to edit some or all of these configuration files to match your +setup. In most cases, the Shorewall +QuickStart Guides contain all of the information you need.

+
+ + + + + + + + + + + + + + + + +
bullet/etc/shorewall/shorewall.conf - used to set several firewall + parameters.
bullet/etc/shorewall/params - use this file to set shell variables that you will + expand in other files.
bullet/etc/shorewall/zones - partition the firewall's view of the world + into zones.
bullet/etc/shorewall/policy - establishes firewall high-level policy.
bullet/etc/shorewall/interfaces - describes the interfaces on the + firewall system.
bullet/etc/shorewall/hosts - allows defining zones in terms of individual + hosts and subnetworks.
bullet/etc/shorewall/masq - directs the firewall where to use many-to-one + (dynamic) NAT a.k.a. Masquerading.
bullet/etc/shorewall/modules - directs the firewall to load kernel modules.
bullet/etc/shorewall/rules - defines rules that are exceptions to the + overall policies established in /etc/shorewall/policy.
bullet/etc/shorewall/nat - defines static NAT rules.
bullet/etc/shorewall/proxyarp - defines use of Proxy ARP.
bullet/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts + accessible when Shorewall is stopped.
bullet/etc/shorewall/tcrules - defines marking of packets for later use by + traffic control/shaping.
bullet/etc/shorewall/tos - defines rules for setting the TOS field in packet + headers.
bullet/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on + the firewall system.
bullet/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.
+

Updated 7/31/2002 - Tom +Eastep

+

Copyright2001, 2002 Thomas M. Eastep.

+ +
\ No newline at end of file
diff --git a/STABLE/documentation/NAT.htm b/STABLE/documentation/NAT.htm
new file mode 100644
index 000000000..e3272c554
--- /dev/null
+++ b/STABLE/documentation/NAT.htm
@@ -0,0 +1,86 @@
+ + + + +Shorewall NAT + + + + + + + +
+

Static NAT

+

IMPORTANT: If all you want to do is forward + ports to servers behind your firewall, you do NOT want to use static NAT. + Port forwarding can be accomplished with simple entries in the + rules file.

+

Static NAT is a way to make systems behind a + firewall and configured with private IP addresses (those + reserved for private use in RFC1918) appear to have public IP + addresses.

+

The following figure represents a static NAT + environment.

+

+
+
+

Static NAT can be used to make the systems with the + 10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If we + assume that the interface to the upper subnet is eth0, then the following + /etc/shorewall/NAT file would make the lower left-hand system appear to have + IP address 130.252.100.18 and the right-hand one to have IP address + 130.252.100.19.

+
+ + + + + + + + + + + + + + + + + + + + + +
EXTERNALINTERFACEINTERNALALL INTERFACESLOCAL
130.252.100.18eth010.1.1.2yesyes
130.252.100.19eth010.1.1.3yesyes
+

Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above + example) is (are) not included in any specification in /etc/shorewall/masq + or /etc/shorewall/proxyarp.

+

Note 1: The "ALL INTERFACES" column + is used to specify whether access to the external IP from all firewall + interfaces should undergo NAT (Yes or yes) or if only access from the + interface in the INTERFACE column should undergo NAT. If you leave this + column empty, "Yes" is assumed. The ALL INTERFACES column was + added in version 1.1.6.

+

Note 2: Shorewall will automatically add the external address to the + specified interface unless you specify ADD_IP_ALIASES="no" + (or "No") in /etc/shorewall/shorewall.conf; If you do not set + ADD_IP_ALIASES or if you set it to "Yes" or "yes" then you must NOT configure your own alias(es).

+

Note 3: The contents of the "LOCAL" + column determine whether packets originating on the firewall itself and + destined for the EXTERNAL address are redirected to the internal ADDRESS. If + this column contains "yes" or "Yes" (and the ALL + INTERFACES COLUMN also contains "Yes" or "yes") then + such packets are redirected; otherwise, such packets are not redirected. The + LOCAL column was added in version 1.1.8.

+
+ +
+
+ +

Last updated 3/27/2002 - +Tom +Eastep

+Copyright2001, 2002 Thomas M. Eastep.
\ No newline at end of file
diff --git a/STABLE/documentation/News.htm b/STABLE/documentation/News.htm
new file mode 100644
index 000000000..3050387e6
--- /dev/null
+++ b/STABLE/documentation/News.htm
@@ -0,0 +1,988 @@
+ + + + +Shorewall News + + + + + + + +

Shorewall News Archive

+ +

8/7/2002 - Shorewall 1.3.6

+ +

This is primarily a bug-fix rollup with a couple of new features:

+ +
+ + + +
bulletThe latest QuickStart Guides + including the Shorewall Setup Guide.
bulletShorewall will now DROP TCP packets that are not part of or + related to an existing connection and that are not SYN packets. These "New + not SYN" packets may be optionally logged by setting the LOGNEWNOTSYN option + in /etc/shorewall/shorewall.conf.
bulletThe processing of "New not SYN" packets may be extended by command in the + new newnotsyn extension script.
+ +

7/30/2002 - Shorewall 1.3.5b Released

+ +

This interim release:

+ +
+ + + +
bulletCauses the firewall script to remove the lock file if it is killed.
bulletOnce again allows lists in the second column of the + /etc/shorewall/hosts file.
bulletIncludes the latest QuickStart + Guides.
+ +

7/29/2002 - New Shorewall Setup Guide Available

+ +

The first draft of this guide is available at + + http://www.shorewall.net/shorewall_setup_guide.htm. The guide is intended + for use by people who are setting up Shorewall to manage multiple public IP + addresses and by people who want to learn more about Shorewall than is + described in the single-address guides. Feedback on the new guide is welcome.

+ +

7/28/2002 - Shorewall 1.3.5 Debian Package Available

+ +

Lorenzo Martignoni reports that the packages are version 1.3.5a and are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

+ +

7/27/2002 - Shorewall 1.3.5a Released

+ +

This interim release restores correct handling of REDIRECT rules.

+ +

7/26/2002 - Shorewall 1.3.5 Released

+ +

This will be the last Shorewall release for a while. I'm going to be + focusing on rewriting a lot of the documentation.

+ +

 In this version:

+ +
+ + + + + +
bulletEmpty and invalid source and destination qualifiers are now detected in + the rules file. It is a good idea to use the 'shorewall check' command before + you issue a 'shorewall restart' command be be sure that you don't have any + configuration problems that will prevent a successful restart.
bulletAdded MERGE_HOSTS variable in + shorewall.conf to provide saner behavior of the /etc/shorewall/hosts + file.
bulletThe time that the counters were last reset is now displayed in the + heading of the 'status' and 'show' commands.
bulletA proxyarp option has been added for entries in + /etc/shorewall/interfaces. This + option facilitates Proxy ARP sub-netting as described in the Proxy ARP + subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). + Specifying the proxyarp option for an interface causes Shorewall to set + /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
bulletThe Samples have been updated to reflect the new capabilities in this + release.
+ +

7/16/2002 - New Mirror in Argentina

+ +

Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in + Argentina. Thanks Buanzo!!!

+ +

7/16/2002 - Shorewall 1.3.4 Released

+ +

In this version:

+ +
+ + + + + +
bulletA new + /etc/shorewall/routestopped file has been added. This file is intended to + eventually replace the routestopped option in the + /etc/shorewall/interface and /etc/shorewall/hosts files. This new file makes + remote firewall administration easier by allowing any IP or subnet to be + enabled while Shorewall is stopped.
bulletAn /etc/shorewall/stopped extension + script has been added. This script is invoked after Shorewall has + stopped.
bulletA DETECT_DNAT_ADDRS option has been added to + /etc/shoreall/shorewall.conf. When this + option is selected, DNAT rules only apply when the destination address is the + external interface's primary IP address.
bulletThe QuickStart Guide has + been broken into three guides and has been almost entirely rewritten.
bulletThe Samples have been updated to reflect the new capabilities in this + release.
+ +

7/8/2002 - Shorewall 1.3.3 Debian Package Available

+ +

Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

+ +

7/6/2002 - Shorewall 1.3.3 Released

+ +

In this version:

+ +
+ + + + + + +
bulletEntries in /etc/shorewall/interface that use the wildcard character ("+") + now have the "multi" option assumed.
bulletThe 'rfc1918' chain in the mangle table has been renamed 'man1918' to + make log messages generated from that chain distinguishable from those + generated by the 'rfc1918' chain in the filter table.
bulletInterface names appearing in the hosts file are now validated against the + interfaces file.
bulletThe TARGET column in the rfc1918 file is now checked for correctness.
bulletThe chain structure in the nat table has been changed to reduce the + number of rules that a packet must traverse and to correct problems with + NAT_BEFORE_RULES=No
bulletThe "hits" command has been enhanced.
+ +

6/25/2002 - Samples Updated for 1.3.2

+ +

The comments in the sample configuration files have been updated to reflect + new features introduced in Shorewall 1.3.2.

+ +

6/25/2002 - Shorewall 1.3.1 Debian Package Available

+ +

Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

+ +

6/19/2002 - Documentation Available in PDF Format

+ +

Thanks to Mike Martinez, the Shorewall Documentation is now available for + download in Adobe + PDF format.

+ +

6/16/2002 - Shorewall 1.3.2 Released

+ +

In this version:

+ +
+ + + + +
bulletA logwatch command has been + added to /sbin/shorewall.
bulletA dynamic blacklist facility has + been added.
bulletSupport for the Netfilter multiport + match function has been added.
bulletThe files firewall, functions and version have been moved + from /etc/shorewall to /var/lib/shorewall.
+ +

6/6/2002 - Why CVS Web access is Password Protected

+ +

Last weekend, I installed the CVS Web package to provide brower-based access + to the Shorewall CVS repository. Since then, I have had several instances where + my server was almost unusable due to the high load generated by website copying + tools like HTTrack and WebStripper. These mindless tools:

+ +
+ + + +
bulletIgnore robot.txt files.
bulletRecursively copy everything that they find.
bulletShould be classified as weapons rather than tools.
+ +

These tools/weapons are particularly damaging when combined with CVS Web + because they doggedly follow every link in the cgi-generated HTML resulting in + 1000s of executions of the cvsweb.cgi script. Yesterday, I spend several hours + implementing measures to block these tools but unfortunately, these measures + resulted in my server OOM-ing under even moderate load.

+ +

Until I have the time to understand the cause of the OOM (or until I buy + more RAM if that is what is required), CVS Web access will remain Password + Protected.

+ +

6/5/2002 - Shorewall 1.3.1 Debian Package Available

+ +

Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

+ +

6/2/2002 - Samples Corrected

+ +

The 1.3.0 samples configurations had several serious problems that prevented + DNS and SSH from working properly. These problems have been corrected in the + 1.3.1 samples.

+ +

6/1/2002 - Shorewall 1.3.1 Released

+ +

Hot on the heels of 1.3.0, this release:

+ +
+ + +
bulletCorrects a serious problem with "all <zone> CONTINUE" policies. + This problem is present in all versions of Shorewall that support the + CONTINUE policy. These previous versions optimized away the "all2<zone>" + chain and replaced it with the "all2all" chain with the usual result that a + policy of REJECT was enforced rather than the intended CONTINUE policy.
bulletAdds an /etc/shorewall/rfc1918 + file for defining the exact behavior of the + 'norfc1918' interface option.
+ +

5/29/2002 - Shorewall 1.3.0 Released

+ +

In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 + includes:

+ +
+ +
bulletA 'filterping' interface option that allows ICMP echo-request (ping) + requests addressed to the firewall to be handled by entries in + /etc/shorewall/rules and /etc/shorewall/policy.
+ +

5/23/2002 - Shorewall 1.3 RC1 Available

+ +

In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) + incorporates the following:

+ +
+ +
bulletSupport for the /etc/shorewall/whitelist file has been withdrawn. If you + need whitelisting, see these + instructions.
+ +

5/19/2002 - Shorewall 1.3 Beta 2 Available

+ +

In addition to the changes in Beta 1, this release which carries the + designation 1.2.91 adds:

+ +
+ + + + +
bulletThe structure of the firewall is changed markedly. There is now an INPUT + and a FORWARD chain for each interface; this reduces the number of rules that + a packet must traverse, especially in complicated setups.
bulletSub-zones may now be excluded from + DNAT and REDIRECT rules.
bulletThe names of the columns in a number of the configuration files have been + changed to be more consistent and self-explanatory and the documentation has + been updated accordingly.
bulletThe sample configurations have been updated for 1.3.
+ +

5/17/2002 - Shorewall 1.3 Beta 1 Available

+ +

Beta 1 carries the version designation 1.2.90 and implements the following + features:

+ +
+ + + +
bulletSimplified rule syntax which makes the intent of each rule clearer and + hopefully makes Shorewall easier to learn.
bulletUpward compatibility with 1.2 configuration files has been maintained so + that current users can migrate to the new syntax at their convenience.
bulletWARNING:  Compatibility with the old + parameterized sample configurations has NOT been maintained. Users still + running those configurations should migrate to the new sample configurations + before upgrading to 1.3 Beta 1.
+ +

5/4/2002 - Shorewall 1.2.13 is Available

+ +

In this version:

+ +
+ + + + +
bulletWhite-listing is supported.
bulletSYN-flood protection is added.
bulletIP addresses added under ADD_IP_ALIASES + and ADD_SNAT_ALIASES now inherit the VLSM and Broadcast Address of the + interface's primary IP address.
bulletThe order in which port forwarding DNAT and Static DNAT + can now be reversed so that port + forwarding rules can override the contents of + /etc/shorewall/nat.
+ +

4/30/2002 - Shorewall Debian News

+ +

Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the + Debian + Testing Branch and the + Debian + Unstable Branch.

+ +

4/20/2002 - Shorewall 1.2.12 is Available

+ +
+ + +
bulletThe 'try' command works again
bulletThere is now a single RPM that also works with SuSE.
+ +

4/17/2002 - Shorewall Debian News

+ +

Lorenzo Marignoni reports that:

+ +
+ + +
bulletShorewall 1.2.10 is in the + Debian + Testing Branch
bulletShorewall 1.2.11 is in the + Debian + Unstable Branch
+ +

Thanks, Lorenzo!

+ +

4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE

+ +

Thanks to Stefan Mohr, there is + now a Shorewall 1.2.11 + + SuSE RPM available.

+ +

4/13/2002 - Shorewall 1.2.11 Available

+ +

In this version:

+ +
+ + + + +
bulletThe 'try' command now accepts an optional timeout. If the timeout is + given in the command, the standard configuration will automatically be + restarted after the new configuration has been running for that length of + time. This prevents a remote admin from being locked out of the firewall in + the case where the new configuration starts but prevents access.
bulletKernel route filtering may now be enabled globally using the new + ROUTE_FILTER parameter in + /etc/shorewall/shorewall.conf.
bulletIndividual IP source addresses and/or subnets may now be excluded from + masquerading/SNAT.
bulletSimple "Yes/No" and "On/Off" values are now case-insensitive in + /etc/shorewall/shorewall.conf.
+ +

4/13/2002 - Hamburg Mirror now has FTP

+ +

Stefan now has an FTP mirror at + + ftp://germany.shorewall.net/pub/shorewall.  Thanks Stefan!

+ +

4/12/2002 - New Mirror in Hamburg

+ +

Thanks to Stefan Mohr, there is + now a mirror of the Shorewall website at + + http://germany.shorewall.net.

+ +

4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available

+ +

Version 1.1 of the QuickStart Guide + is now available. Thanks to those who have read version 1.0 and offered their + suggestions. Corrections have also been made to the sample scripts.

+ +

4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available

+ +

Version 1.0 of the QuickStart Guide + is now available. This Guide and its accompanying sample configurations are + expected to provide a replacement for the recently withdrawn parameterized + samples.

+ +

4/8/2002 - Parameterized Samples Withdrawn

+ +

Although the parameterized + samples have allowed people to get a firewall up and running quickly, they + have unfortunately set the wrong level of expectation among those who have used + them. I am therefore withdrawing support for the samples and I am recommending + that they not be used in new Shorewall installations.

+ +

4/2/2002 - Updated Log Parser

+ +

John Lodge has provided an updated + version of his + CGI-based log parser with corrected date + handling.

+ +

3/30/2002 - Shorewall Website Search Improvements

+ +

The quick search on the home page now excludes the mailing list archives. + The Extended Search allows excluding the + archives or restricting the search to just the archives. An archive search form + is also available on the mailing list information + page.

+ +

3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)

+ +
+ + +
bulletThe 1.2.10 Debian Package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
bulletShorewall 1.2.9 is now in the + Debian + Unstable Distribution.
+ +

3/25/2002 - Log Parser Available

+ +

John Lodge has provided a + CGI-based log parser for Shorewall. Thanks + John.

+ +

3/20/2002 - Shorewall 1.2.10 Released

+ +

In this version:

+ +
+ + + +
bulletA "shorewall try" command has been added (syntax: shorewall try + <configuration directory>). This command attempts "shorewall -c + <configuration directory> start" and if that results in the firewall + being stopped due to an error, a "shorewall start" command is executed. The + 'try' command allows you to create a new + configuration and attempt to start it; if there is an error that leaves + your firewall in the stopped state, it will automatically be restarted using + the default configuration (in /etc/shorewall).
bulletA new variable ADD_SNAT_ALIASES has been added to + /etc/shorewall/shorewall.conf. If this + variable is set to "Yes", Shorewall will automatically add IP addresses + listed in the third column of the + /etc/shorewall/masq file.
bulletCopyright notices have been added to the documenation.
+ +

3/11/2002 - Shorewall 1.2.9 Released

+ +

In this version:

+ +
+ + + +
bulletFiltering by MAC address has been added. + MAC addresses may be used as the source address in: + + + + +
bulletFiltering rules (/etc/shorewall/rules)
bulletTraffic Control Classification Rules (/etc/shorewall/tcrules)
bulletTOS Rules (/etc/shorewall/tos)
bulletBlacklist (/etc/shorewall/blacklist)
+
bulletSeveral bugs have been fixed
bulletThe 1.2.9 Debian Package is also available at http://security.dsi.unimi.it/~lorenzo/debian.html.
+ +

3/1/2002 - 1.2.8 Debian Package is Available

+ +

See http://security.dsi.unimi.it/~lorenzo/debian.html

+ +

2/25/2002 - New Two-interface Sample

+

I've enhanced the two interface sample to allow access from the firewall to +servers in the local zone - + +http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz

+ +

2/23/2002 - Shorewall 1.2.8 Released

+ +

Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects + problems associated with the lock file used to prevent multiple state-changing + operations from occuring simultaneously. My apologies for any inconvenience my + carelessness may have caused.

+ +

2/22/2002 - Shorewall 1.2.7 Released

+ +

In this version:

+ +
+ + + +
bulletUPnP probes (UDP destination port 1900) are now silently dropped in the + common chain
bulletRFC 1918 checking in the mangle table has been streamlined to no longer + require packet marking. RFC 1918 checking in the filter table has been + changed to require half as many rules as previously.
bulletA 'shorewall check' command has been added that does a cursory validation + of the zones, interfaces, hosts, rules and policy files.
+ +

2/18/2002 - 1.2.6 Debian Package is Available

+ +

See http://security.dsi.unimi.it/~lorenzo/debian.html

+ +

2/8/2002 - Shorewall 1.2.6 Released

+ +

In this version:

+ +
+ + + +
bullet$-variables may now be used anywhere in the configuration files except + /etc/shorewall/zones.
bulletThe interfaces and hosts files now have their contents validated before + any changes are made to the existing Netfilter configuration. The appearance + of a zone name that isn't defined in /etc/shorewall/zones causes "shorewall + start" and "shorewall restart" to abort without changing the Shorewall state. + Unknown options in either file cause a warning to be issued.
bulletA problem occurring when BLACKLIST_LOGLEVEL was not set has been + corrected.
+ +

2/4/2002 - Shorewall 1.2.5 Debian Package Available

+ +

see http://security.dsi.unimi.it/~lorenzo/debian.html

+ +

2/1/2002 - Shorewall 1.2.5 Released

+ +

Due to installation problems with Shorewall 1.2.4, I have released Shorewall + 1.2.5. Sorry for the rapid-fire development.

+ +

In version 1.2.5:

+ +
+ + + + +
bulletThe installation problems have been corrected.
bulletSNAT is now supported.
bulletA "shorewall version" command has been added
bulletThe default value of the STATEDIR variable in + /etc/shorewall/shorewall.conf has been changed to /var/lib/shorewall in + order to conform to the GNU/Linux File Hierarchy Standard, Version 2.2.
+ +

1/28/2002 - Shorewall 1.2.4 Released

+ +
+ + + + +
bulletThe "fw" zone may now be given a + different name.
bulletYou may now place end-of-line comments (preceded by '#') in any of the + configuration files
bulletThere is now protection against against two state changing operations + occuring concurrently. This is implemented using the 'lockfile' utility if + it is available (lockfile is part of procmail); otherwise, a less robust + technique is used. The lockfile is created in the STATEDIR defined in + /etc/shorewall/shorewall.conf and has the name "lock".
bullet"shorewall start" no longer fails if "detect" is + specified in /etc/shorewall/interfaces for an interface with subnet mask 255.255.255.255.
+ +

1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html

+ +

1/20/2002 - Corrected firewall script available 

+ +

Corrects a problem with BLACKLIST_LOGLEVEL. See the +errata for details.

+ +

1/19/2002 - Shorewall 1.2.3 Released

+ +

This is a minor feature and bugfix release. The single new feature is:

+ +
+ +
bulletSupport for TCP MSS Clamp to PMTU -- This support is usually required when + the internet connection is via PPPoE or PPTP and may be enabled using the CLAMPMSS + option in /etc/shorewall/shorewall.conf.
+

The following problems were corrected:

+
+ + + +
bulletThe "shorewall status" command no longer hangs.
bulletThe "shorewall monitor" command now displays the icmpdef chain
bulletThe CLIENT PORT(S) column in tcrules is no longer ignored
+

1/18/2002 - Shorewall 1.2.2 packaged with new LEAF +release

+ +

Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution +that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo +for details.

+ +

1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo +Martignoni, a 1.2.2 Shorewall Debian package is now available. There is a +link to Lorenzo's site from the Shorewall download page.

+ +

1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This +corrected version restores the "shorewall status" command to +health.

+ +

1/8/2002 - Shorewall 1.2.2 Released

+ +

In version 1.2.2

+ +
+ + + +
bulletSupport for IP blacklisting has been added + + + + + + +
bulletYou specify whether you want packets from blacklisted hosts dropped or + rejected using the BLACKLIST_DISPOSITION + setting in /etc/shorewall/shorewall.conf
bulletYou specify whether you want packets from blacklisted hosts logged and + at what syslog level using the BLACKLIST_LOGLEVEL + setting in /etc/shorewall/shorewall.conf
bulletYou list the IP addresses/subnets that you wish to blacklist in /etc/shorewall/blacklist
bulletYou specify the interfaces you want checked against the blacklist + using the new "blacklist" + option in /etc/shorewall/interfaces.
bulletThe black list is refreshed from /etc/shorewall/blacklist by the + "shorewall refresh" command.
+
bulletUse of TCP RST replies has been expanded  + + + +
bulletTCP connection requests rejected because of a REJECT policy are now + replied with a TCP RST packet.
bulletTCP connection requests rejected because of a protocol=all rule in + /etc/shorewall/rules are now replied with a TCP RST packet.
+
bulletA LOGFILE specification has been + added to /etc/shorewall/shorewall.conf. LOGFILE is used to tell the + /sbin/shorewall program where to look for Shorewall messages.
+ +

1/5/2002 - New Parameterized Samples (version +1.2.0) released. These are minor updates to the previously-released +samples. There are two new rules added:

+ +
+ + +
bulletUnless you have explicitly enabled Auth connections (tcp port 113) to your + firewall, these connections will be REJECTED rather than DROPPED. This + speeds up connection establishment to some servers.
bulletOrphan DNS replies are now silently dropped.
+

See the README file for upgrade instructions.

+ +

1/1/2002 - Shorewall Mailing List Moving

+ +

The Shorewall mailing list hosted at Sourceforge is moving to Shorewall.net. + If you are a current subscriber to the list at Sourceforge, please see + these instructions. If you would like to subscribe to the new list, visit http://www.shorewall.net/mailman/listinfo/shorewall-users.

+ +

12/31/2001 - Shorewall 1.2.1 Released

+ +

In version 1.2.1:

+ +
+ + + +
bulletLogging of Mangled/Invalid + Packets is added. 
bulletThe tunnel script has been corrected.
bullet'shorewall show tc' now correctly handles tunnels.
+ +

12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist + releasing 1.2 on 12/21/2001

+ +

Version 1.2 contains the following new features:

+ +
+ + + +
bulletSupport for Traffic Control/Shaping
bulletSupport for Filtering of + Mangled/Invalid Packets
bulletSupport for GRE Tunnels
+

For the next month or so, I will continue to provide corrections to version + 1.1.18 as necessary so that current version 1.1.x users will not be forced into a + quick upgrade to 1.2.0 just to have access to bug fixes.

+

For those of you who have installed one of the Beta RPMS, you will need to + use the "--oldpackage" option when upgrading to 1.2.0:

+
+

rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm

+
+ +

12/19/2001 - Thanks to Steve +Cowles, there is now a Shorewall mirror in Texas. This web site is +mirrored at http://www.infohiiway.com/shorewall +and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall. 

+ +

11/30/2001 - A new set of the parameterized Sample + Configurations has been released. In this version:

+ +
+ + +
bulletPing is now allowed between the zones.
bulletIn the three-interface configuration, it is now possible to configure the + internet services that are to be available to servers in the DMZ. 
+ +

11/20/2001 - The current version of Shorewall is 1.1.18. 

+ +

In this version:

+ +
+ + + +
bulletThe spelling of ADD_IP_ALIASES has been corrected in the shorewall.conf + file
bulletThe logic for deleting user-defined chains has been simplified so that it + avoids a bug in the LRP version of the 'cut' utility.
bulletThe /var/lib/lrpkg/shorwall.conf file has been corrected to properly + display the NAT entry in that file.
+ +

11/19/2001 - Thanks to Juraj + Ontkanin, there is now a Shorewall mirror in the Slovak Republic. The website is now mirrored at http://www.nrg.sk/mirror/shorewall + and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.

+ +

11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. + There are three sample configurations:

+ +
+ + + +
bulletOne Interface -- for a standalone system.
bulletTwo Interfaces -- A masquerading firewall.
bulletThree Interfaces -- A masquerading firewall with DMZ.
+ + +

Samples may be downloaded from + ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 + . See the README file for instructions.

+ +

11/1/2001 - The current version of Shorewall is 1.1.17.  I intend + this to be the last of the 1.1 Shorewall releases.

+ +

In this version:

+ +
+ +
bulletThe handling of ADD_IP_ALIASES + has been corrected. 
+ +

10/22/2001 - The current version of Shorewall is 1.1.16. In this +version:

+ +
+ + + +
bulletA new "shorewall show connections" command has been added.
bulletIn the "shorewall monitor" output, the currently tracked + connections are now shown on a separate page.
bulletPrior to this release, Shorewall unconditionally added the external IP + adddress(es) specified in /etc/shorewall/nat. Beginning with version + 1.1.16, a new parameter (ADD_IP_ALIASES) + may be set to "no" (or "No") to inhibit this behavior. + This allows IP aliases created using your distribution's network + configuration tools to be used in static NAT. 
+ +

10/15/2001 - The current version of Shorewall is 1.1.15. In this +version:

+ +
+ + +
bulletSupport for nested zones has been improved. See + the documentation + for details
bulletShorewall now correctly checks the alternate configuration directory for + the 'zones' file.
+ +

10/4/2001 - The current version of Shorewall is 1.1.14. In this version

+ +
+ + + + + +
bulletShorewall now supports alternate configuration directories. When an + alternate directory is specified when starting or restarting Shorewall + (e.g., "shorewall -c /etc/testconf restart"), Shorewall will first + look for configuration files in the alternate directory then in + /etc/shorewall. To create an alternate configuration simply:
+ 1. Create a New Directory
+ 2. Copy to that directory any of your configuration files that you want to + change.
+ 3. Modify the copied files as needed.
+ 4. Restart Shorewall specifying the new directory.
bulletThe rules for allowing/disallowing icmp echo-requests (pings) are now + moved after rules created when processing the rules file. This allows you to + add rules that selectively allow/deny ping based on source or destination + address.
bulletRules that specify multiple client ip addresses or subnets no longer cause + startup failures.
bulletZone names in the policy file are now validated against the zones file.
bulletIf you have packet mangling + support enabled, the "norfc1918" + interface option now logs and drops any incoming packets on the interface + that have an RFC 1918 destination address.
+ +

9/12/2001 - The current version of Shorewall is 1.1.13. In this version

+ +
+ + + +
bulletShell variables can now be used to parameterize Shorewall rules.
bulletThe second column in the hosts file may now contain a comma-separated + list.
+
+ Example:
+     sea    + eth0:130.252.100.0/24,206.191.149.0/24
bulletHandling of multi-zone interfaces has been improved. See the documentation + for the /etc/shorewall/interfaces file.
+ +

8/28/2001 - The current version of Shorewall is 1.1.12. In this version

+ +
+ + + +
bulletSeveral columns in the rules file may now contain comma-separated lists.
bulletShorewall is now more rigorous in parsing the options in + /etc/shorewall/interfaces.
bulletComplementation using "!" is now supported in rules.
+ +

7/28/2001 - The current version of Shorewall is 1.1.11. In this version

+ +
+ + + + +
bulletA "shorewall refresh" command has been added to allow for + refreshing the rules associated with the broadcast address on a dynamic + interface. This command should be used in place of "shorewall + restart" when the internet interface's IP address changes.
bulletThe /etc/shorewall/start file (if any) is now processed after all + temporary rules have been deleted. This change prevents the accidental + removal of rules added during the processing of that file.
bulletThe "dhcp" interface option is now applicable to firewall + interfaces used by a DHCP server running on the firewall.
bulletThe RPM can now be built from the .tgz file using "rpm -tb" 
+ +

7/6/2001 - The current version of Shorewall is 1.1.10. In this version

+ +
+ + + +
bulletShorewall now enables Ipv4 Packet Forwarding by default. Packet forwarding + may be disabled by specifying IP_FORWARD=Off in + /etc/shorewall/shorewall.conf. If you don't want Shorewall to enable or + disable packet forwarding, add IP_FORWARDING=Keep to your + /etc/shorewall/shorewall.conf file.
bulletThe "shorewall hits" command no longer lists extraneous service + names in its last report.
bulletErroneous instructions in the comments at the head of the firewall script + have been corrected.
+ +

6/23/2001 - The current version of Shorewall is 1.1.9. In this version

+ +
+ + + + + + + +
bulletThe "tunnels" file really is in the RPM now.
bulletSNAT can now be applied to port-forwarded connections.
bulletA bug which would cause firewall start failures in some dhcp configurations + has been fixed.
bulletThe firewall script now issues a message if you have the name of an + interface in the second column in an entry in /etc/shorewall/masq and that + interface is not up.
bulletYou can now configure Shorewall so that it doesn't require the NAT and/or + mangle netfilter modules.
bulletThanks to Alex  Polishchuk, the "hits" command + from seawall is now in shorewall.
bulletSupport for IPIP tunnels has been added.
+ +

6/18/2001 - The current version of Shorewall is 1.1.8. In this version

+ +
+ + + +
bulletA typo in the sample rules file has been corrected.
bulletIt is now possible to restrict masquerading by + destination host or subnet.
bulletIt is now possible to have static NAT rules + applied to packets originating on the firewall itself.
+ +

6/2/2001 - The current version of Shorewall is 1.1.7. In this version

+ +
+ + + + + +
bulletThe TOS rules are now deleted when the firewall is stopped.
bulletThe .rpm will now install regardless of which version of iptables is + installed.
bulletThe .rpm will now install without iproute2 being installed.
bulletThe documentation has been cleaned up.
bulletThe sample configuration files included in Shorewall have been formatted + to 80 columns for ease of editing on a VGA console.
+ +

5/25/2001 - The current version of Shorewall is 1.1.6. In this version

+ +
+ + + +
bulletYou may now rate-limit the packet log.
bullet Previous versions of + Shorewall have an implementation of Static NAT which violates the principle + of least surprise.  NAT only occurs for packets arriving at (DNAT) or + send from (SNAT) the interface named in the INTERFACE column of + /etc/shorewall/nat. Beginning with version 1.1.6, NAT effective regardless + of which interface packets come from or are destined to. To get + compatibility with prior versions, I have added a new "ALL "ALL + INTERFACES"  column to /etc/shorewall/nat. By placing + "no" or "No" in the new column, the NAT behavior of + prior versions may be retained. 
bulletThe treatment of IPSEC Tunnels where the remote + gateway is a standalone system has been improved. Previously, it was + necessary to include an additional rule allowing UDP port 500 traffic to + pass through the tunnel. Shorewall will now create this rule automatically + when you place the name of the remote peer's zone in a new GATEWAY ZONE + column in /etc/shorewall/tunnels. 
+ +

5/20/2001 - The current version of Shorewall is 1.1.5. In this version

+ +
+ + + + +
bulletYou may now pass parameters when loading + netfilter modules and you can specify the modules to load.
bulletCompressed modules are now loaded. This requires that you modutils support + loading compressed modules.
bulletYou may now set the Type of Service (TOS) + field in packets.
bulletCorrected rules generated for port redirection (again).
+ +

5/10/2001 - The current version of Shorewall is 1.1.4. In this version

+ +
+ + + + +
bullet Accepting RELATED connections is now + optional.
bulletCorrected problem where if "shorewall start" aborted early + (due to kernel configuration errors for example), superfluous 'sed' error + messages were reported.
bulletCorrected rules generated for port redirection.
bulletThe order in which iptables kernel modules are loaded has been + corrected (Thanks to Mark Pavlidis). 
+ +

4/28/2001 - The current version of Shorewall is 1.1.3. In this version

+ +
+ + + + + + + + +
bulletCorrect message issued when Proxy ARP address added (Thanks to Jason Kirtland).
bullet/tmp/shorewallpolicy-$$ is now removed if there is an error while starting the firewall.
bullet/etc/shorewall/icmp.def and /etc/shorewall/common.def are now used to define the icmpdef and common chains unless overridden by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
bulletIn the .lrp, the file /var/lib/lrpkg/shorwall.conf has been corrected. An extra space after "/etc/shorwall/policy" has been removed and "/etc/shorwall/rules" has been added.
bulletWhen a sub-shell encounters a fatal error and has stopped the firewall, it now kills the main shell so that the main shell will not continue.
bulletA problem has been corrected where a sub-shell stopped the firewall and main shell continued resulting in a perplexing error message + referring to "common.so" resulted.
bulletPreviously, placing "-" in the PORT(S) column in /etc/shorewall/rules resulted in an error message during start. This has been corrected.
bulletThe first line of "install.sh" has been corrected -- I had inadvertently deleted the initial "#".
+

4/12/2001 - The current version of Shorewall is 1.1.2. In this version

+
+ + + + + +
bulletPort redirection now works again.
bulletThe icmpdef and common chains may + now be user-defined.
bulletThe firewall no longer fails to start if "routefilter" is + specified for an interface that isn't started. A warning message is now + issued in this case.
bulletThe LRP Version is renamed "shorwall" for 8,3 MSDOS file + system compatibility.
bulletA couple of LRP-specific problems were corrected.
+

4/8/2001 - Shorewall is now affiliated with the Leaf + Project +

+

4/5/2001 - The current version of Shorewall is 1.1.1. In this version:

+ +
+ + + +
bulletThe common chain is traversed from INPUT, OUTPUT and FORWARD before + logging occurs
bulletThe source has been cleaned up dramatically
bulletDHCP DISCOVER packets with RFC1918 source addresses no longer + generate log messages. Linux DHCP clients generate such packets and it's + annoying to see them logged. 
+

3/25/2001 - The current version of Shorewall is 1.1.0. In this version:

+ +
+ + + + + + + +
bulletLog messages now indicate the packet disposition.
bulletError messages have been improved.
bulletThe ability to define zones consisting of an enumerated set of hosts + and/or subnetworks has been added.
bulletThe zone-to-zone chain matrix is now sparse so that only those chains + that contain meaningful rules are defined.
bullet240.0.0.0/4 and 169.254.0.0/16 have been added to the source + subnetworks whose packets are dropped under the norfc1918 interface + option.
bulletExits are now provided for executing an user-defined script when a + chain is defined, when the firewall is initialized, when the firewall is + started, when the firewall is stopped and when the firewall is cleared.
bulletThe Linux kernel's route filtering facility can now be specified + selectively on network interfaces.
+

3/19/2001 - The current version of Shorewall is 1.0.4. This version:

+ +
+ + + + +
bulletAllows user-defined zones. Shorewall now has only one pre-defined + zone (fw) with the remaining zones being defined in the new configuration + file /etc/shorewall/zones. The /etc/shorewall/zones file released in this + version provides behavior that is compatible with Shorewall 1.0.3. 
bulletAdds the ability to specify logging in entries in the + /etc/shorewall/rules file.
bulletCorrect handling of the icmp-def chain so that only ICMP packets are + sent through the chain.
bulletCompresses the output of "shorewall monitor" if awk is + installed. Allows the command to work if awk isn't installed (although + it's not pretty).
+

3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix + release with no new features.

+ +
+ + + +
bulletThe PATH variable in the firewall script now includes /usr/local/bin + and /usr/local/sbin.
bulletDMZ-related chains are now correctly deleted if the DMZ is deleted.
bulletThe interface OPTIONS for "gw" interfaces are no longer + ignored.
+

3/8/2001 - The current version of Shorewall is 1.0.2. It supports an + additional "gw" (gateway) zone for tunnels and it supports IPSEC + tunnels with end-points on the firewall. There is also a .lrp available now.

+ +

Updated 7/31/2002 - Tom +Eastep

+ +

+ Copyright © 2001, 2002 Thomas M. Eastep.

+ +
\ No newline at end of file
diff --git a/STABLE/documentation/PPTP.htm b/STABLE/documentation/PPTP.htm
new file mode 100644
index 000000000..01cf8da3c
--- /dev/null
+++ b/STABLE/documentation/PPTP.htm
@@ -0,0 +1,731 @@
+ + + + + + + +Shorewall PPTP + + + + + +

PPTP

+ +

Shorewall easily supports PPTP in a number of configurations:

+
+ + + + +
bullet + PPTP Server running on your Firewall
bullet + PPTP Server running behind your + Firewall.
bullet + PPTP Clients running behind your + Firewall.
bullet + PPTP Client running on your Firewall.
+

1. PPTP Server Running on your Firewall

+

I will try to give you an idea of how to set up a PPTP server +on your firewall system. This isn't a detailed HOWTO but rather an example of +how I have set up a working PPTP server on my own firewall.

+

The steps involved are:

+
    +
  1. Patching and building pppd
  2. +
  3. Patching and building your Kernel
  4. +
  5. Configuring Samba
  6. +
  7. Configuring pppd
  8. +
  9. Configuring pptpd
  10. +
  11. Configuring Shorewall
  12. +
+

Patching and Building pppd

+

To run pppd on a 2.4 kernel, you need the pppd 2.4.1 or later. The primary +site for releases of pppd is ftp://ftp.samba.org/pub/ppp.

+

You will need the following patches:

+
+ + +
bullet + http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz
bullethttp://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz
+

You may also want the following patch if you want to require remote hosts to +use encryption:

+
+ +
bulletftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff
+

Un-tar the pppd source and uncompress the patches into one directory (the +patches and the ppp-2.4.1 directory are all in a single parent directory):

+
+ + + + + + +
bulletcd ppp-2.4.1
bulletpatch -p1 < ../ppp-2.4.0-openssl-0.9.6-mppe.patch
bulletpatch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch
bullet(Optional) patch -p1 < ../require-mppe.diff
bullet./configure
bulletmake
+

You will need to install the resulting binary on your firewall system. To do +that, I NFS mount my source filesystem and use "make install" from the +ppp-2.4.1 directory.

+

Patching and Building your Kernel

+

You will need one of the following patches depending on your kernel version:

+
+ + +
bullet + http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz
bullet + http://www.shorewall/net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz
+

Uncompress the patch into the same directory where your top-level kernel +source is located and:

+
+ + +
bulletcd <your GNU/Linux source top-level directory>
bulletpatch -p1 < ../linux-2.4.16-openssl-0.9.6b-mppe.patch
+

Now configure your kernel. Here is my ppp configuration:

+
+

+
+

Configuring Samba

+

You will need a WINS server (Samba configured to run as a WINS server is +fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) is:

+
+
[global]
+     workgroup = TDM-NSTOP
+     netbios name = WOOKIE
+     server string = GNU/Linux Box
+     encrypt passwords = Yes
+     log file = /var/log/samba/%m.log
+     max log size = 0
+     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
+     os level = 65
+     domain master = True
+     preferred master = True
+     dns proxy = No
+     wins support = Yes
+     printing = lprng
+
+[homes]
+     comment = Home Directories
+     valid users = %S
+     read only = No
+     create mask = 0664
+     directory mask = 0775
+
+[printers]
+     comment = All Printers
+     path = /var/spool/samba
+     printable = Yes
+
+

Configuring pppd

+

Here is a copy of my /etc/ppp/options.poptop file:

+
+

ipparam PoPToP
+ lock
+ mtu 1490
+ mru 1490
+ ms-wins 192.168.1.3
+ ms-dns 206.124.146.177
+ multilink
+ proxyarp
+ auth
+ +chap
+ +chapms
+ +chapms-v2
+ ipcp-accept-local
+ ipcp-accept-remote
+ lcp-echo-failure 30
+ lcp-echo-interval 5
+ deflate 0
+ mppe-128
+ mppe-stateless
+ require-mppe
+ require-mppe-stateless

+
+

Notes:

+
+ + + +
bulletSince the firewall itself is acting as a WINS server, I have included the + firewall's internal IP as the 'ms-wins' value.
bulletI have pointed the remote clients at my DNS server -- it has external + address 206.124.146.177.
bulletI am requiring 128-bit stateless compression (my kernel is built with the + 'require-mppe.diff' patch mentioned above.
+

Here's my /etc/ppp/chap-secrets:

+
+

Secrets for authentication using CHAP
+ # client        server    secret    + IP addresses
+ CPQTDM\\TEastep *         <shhhhhh> + 192.168.1.7
+ TEastep         *         + <shhhhhh> 192.168.1.7

+
+

I am the only user who connects to the server but I may connect either with +or without a domain being specified. The system I connect from is my laptop so I +give it the same IP address when tunneled in as it has when it is in its docking +station.

+

You will also want the following in /etc/modules.conf:

+
     alias ppp-compress-18 ppp_mppe
+     alias ppp-compress-21 bsd_comp
+     alias ppp-compress-24 ppp_deflate
+     alias ppp-compress-26 ppp_deflate
+

Configuring pptpd

+

PoPTop (pptpd) is available from http://poptop.lineo.com/.

+

Here is a copy of my /etc/pptpd.conf file:

+
+

option /etc/ppp/options.poptop
+ speed 115200
+ localip 192.168.1.254
+ remoteip 192.168.1.33-38

+
+

Notes:

+
+ + + +
bulletI specify the /etc/ppp/options.poptop file as my ppp options file (I have + several).
bulletThe local IP is the same as my internal interface's (192.168.1.254).
bulletI have assigned a remote IP range that overlaps my local network. This, + together with 'proxyarp' in my /etc/ppp/options.poptop file make the remote + hosts look like they are part of the local subnetwork.
+

I use this file to start/stop pptpd -- I have this in /etc/init.d/pptpd:

+
+

#!/bin/sh
+ #
+ # /etc/rc.d/init.d/pptpd
+ #
+ # chkconfig: 5 12 85
+ # description: control pptp server
+ #
+
+ case "$1" in
+ start)
+     echo 1 > /proc/sys/net/ipv4/ip_forward
+     modprobe ppp_async
+     modprobe ppp_generic
+     modprobe ppp_mppe
+     modprobe slhc
+     if /usr/local/sbin/pptpd; then
+         touch /var/lock/subsys/pptpd
+     fi
+     ;;
+ stop)
+     killall pptpd
+     rm -f /var/lock/subsys/pptpd
+     ;;
+ restart)
+     killall pptpd
+     if /usr/local/sbin/pptpd; then
+         touch /var/lock/subsys/pptpd
+     fi
+     ;;
+ status)
+     ifconfig
+     ;;
+ *)
+     echo "Usage: $0 {start|stop|restart|status}"
+     ;;
+ esac

+
+

Configuring Shorewall

+

I consider hosts connected to my PPTP server to be just like local systems. +My key Shorewall entries are:

+

/etc/shorewall/zones:

+
+ + + + + + + + + + + + + + + + +
ZONEDISPLAYCOMMENTS
netInternetThe Internet
locLocalMy Local Network including remote PPTP clients
+
+

/etc/shorewall/interfaces:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ZONEINTERFACEBROADCASTOPTIONS
neteth0206.124.146.255noping,norfc1918
loceth2192.168.1.255 
-ppp+  
+
+

/etc/shorewall/hosts:

+
+ + + + + + + + + + + + + + + + +
ZONEHOST(S)OPTIONS
loceth2:192.168.1.0/24routestopped
locppp+:192.168.1.0/24 
+
+

/etc/shorewall/policy:

+
+ + + + + + + + + + + + + +
SOURCEDESTPOLICYLOG LEVEL
loclocACCEPT 
+
+

/etc/shorewall/rules:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST + PROTODEST
+ PORT(S)
SOURCE
+ PORT(S)
ORIGINAL
+ DEST
ACCEPTnetfwtcp1723  
ACCEPTnetfw47-  
ACCEPTfwnet47-  
+
+

Note: I have multiple ppp interfaces on my firewall. If you + have a single ppp interface, you probably want:

+

/etc/shorewall/interfaces:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ZONEINTERFACEBROADCASTOPTIONS
neteth0206.124.146.255noping,norfc1918
loceth2192.168.1.255 
locppp0  
+
+

and no entries in /etc/shorewall/hosts.

+

2. PPTP Server Running Behind your Firewall

+

If you have a single external IP address, add the following to your + /etc/shorewall/rules file:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST + PROTODEST
+ PORT(S)
SOURCE
+ PORT(S)
ORIGINAL
+ DEST
DNATnetloc:<server address>tcp1723  
DNATnetloc:<server address>47-  
+

If you have multiple external IP address and you want to forward a single <external +address>, add the following to your /etc/shorewall/rules file:

  + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST + PROTODEST
+ PORT(S)
SOURCE
+ PORT(S)
ORIGINAL
+ DEST
DNATnetloc:<server address>tcp1723-<external address>
DNATnetloc:<server address>47--<external address>
+

3. PPTP Clients Running Behind your Firewall

+

You shouldn't have to take any special action for this case unless you wish +to connect multiple clients to the same external server. In that case, you will +need to follow the instructions at http://www.impsec.org/linux/masquerade/ip_masq_vpn.html. +I recommend that you also add these two lines to your /etc/shorewall/modules +file: +

+

loadmodule ip_conntrack_pptp
+ loadmodule ip_nat_pptp +

+

4. PPTP Client Running on your Firewall.

+

The PPTP GNU/Linux client is available at http://sourceforge.net/projects/pptpclient/.    +Rather than use the configuration script that comes with the client, I built my +own. I also build my own kernel as described above +rather than using the mppe package that is available with the client. My +/etc/ppp/options file is mostly unchanged from what came with the client (see +below).

+

The key elements of this setup are as follows: +

    +
  1. Define a zone for the remote network accessed via PPTP.
  2. +
  3. Associate that zone with a ppp interface.
  4. +
  5. Define rules for PPTP traffic to/from the firewall.
  6. +
  7. Define rules for traffic two and from the remote zone.
  8. +
+

Here are examples from my setup:

+

/etc/shorewall/zones

+
+ + + + + + + + + + + +
ZONEDISPLAYCOMMENTS
cpqCompaqCompaq Intranet
+
+

/etc/shorewall/interfaces

+
+ + + + + + + + + + + + + +
ZONEINTERFACEBROADCASTOPTIONS
-ppp+  
+
+

/etc/shorewall/hosts

+
+ + + + + + + + + + + +
ZONEHOST(S)OPTIONS
-ppp+:!192.168.1.0/24 
+
+

/etc/shorewall/rules

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST + PROTODEST
+ PORT(S)
SOURCE
+ PORT(S)
ORIGINAL
+ DEST
ACCEPTfwnettcp1723  
ACCEPTfwnet47-  
+
+

I use the combination of interface and hosts file to define the 'cpq' zone +because I also run a PPTP server on my firewall (see above). Using this +technique allows me to distinguish clients of my own PPTP server from arbitrary +hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients and +Compaq doesn't use that RFC1918 Class C subnet. +

I use this script in /etc/init.d to control the client. The reason that I +disable ECN when connecting is that the Compaq tunnel servers don't do ECN yet +and reject the initial TCP connection request if I enable ECN :-( +

+

#!/bin/sh
+#
+# /etc/rc.d/init.d/pptp
+#
+# chkconfig: 5 60 85
+# description: PPTP Link Control
+#
+NAME="Tandem"
+ADDRESS=tunnel-tandem.compaq.com
+USER='Tandem\tommy'
+ECN=0
+DEBUG=
+
+start_pptp() {
+    echo $ECN > /proc/sys/net/ipv4/tcp_ecn
+    if /usr/sbin/pptp $ADDRESS user $USER noauth $DEBUG; then
+        touch /var/lock/subsys/pptp
+        echo "PPTP Connection to $NAME Started"
+    fi
+}
+
+stop_pptp() {
+    if killall /usr/sbin/pptp 2> /dev/null; then
+        echo "Stopped pptp"
+    else
+        rm -f /var/run/pptp/*
+    fi
+
+    # if killall pppd; then
+    # echo "Stopped pppd"
+    # fi
+
+    rm -f /var/lock/subsys/pptp
+
+    echo 1 > /proc/sys/net/ipv4/tcp_ecn
+}
+
+
+case "$1" in
+ start)
+    echo "Starting PPTP Connection to ${NAME}..."
+    start_pptp
+    ;;
+ stop)
+    echo "Stopping $NAME PPTP Connection..."
+    stop_pptp
+    ;;
+ restart)
+    echo "Restarting $NAME PPTP Connection..."
+    stop_pptp
+    start_pptp
+    ;;
+ status)
+    ifconfig
+    ;;
+ *)
+    echo "Usage: $0 {start|stop|restart|status}"
+    ;;
+esac
+
+

+

Here's my /etc/ppp/options file: +

+

#
+# Identify this connection
+#
+ipparam Compaq
+#
+# Lock the port
+#
+lock
+#
+# We don't need the tunnel server to authenticate itself
+#
+noauth
+
++chap
++chapms
++chapms-v2
+
+multilink
+mrru 1614
+#
+# Turn off transmission protocols we know won't be used
+#
+nobsdcomp
+nodeflate
+
+#
+# We want MPPE
+#
+mppe-128
+mppe-stateless
+
+#
+# We want a sane mtu/mru
+#
+mtu 1000
+mru 1000
+
+#
+# Time this thing out of it goes poof
+#
+lcp-echo-failure 10
+lcp-echo-interval 10
+

+

My /etc/ppp/ip-up.local file sets up the routes that I need to route Compaq +traffic through the PPTP tunnel: +

+

#/bin/sh
+
+ case $6 in
+ Compaq)
+     route add -net 16.0.0.0 netmask 255.0.0.0 gw $5 $1
+     route add -net 130.252.0.0 netmask 255.255.0.0 gw $5 $1
+     route add -net 131.124.0.0 netmask 255.255.0.0 gw $5 $1
+     ...
+     ;;
+ esac

+

Finally, I run the following script every five minutes under crond to + restart the tunnel if it fails:

     #!/bin/sh
+     restart_pptp() {
+         /sbin/service pptp stop
+         sleep 10
+         if /sbin/service pptp start; then
+             /usr/bin/logger "PPTP Restarted"
+         fi
+     }
+
+     if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then
+         exit 0
+     fi
+
+     echo "Attempting to restart PPTP"
+
+     restart_pptp > /dev/null 2>&1 &
+
+

Here's a script + and corresponding ip-up.local from Jerry + Vonau that controls two PPTP connections.

+

Last modified 7/11/2002 - Tom +Eastep

+Copyright © 2001, 2002 Thomas M. Eastep.
\ No newline at end of file
diff --git a/STABLE/documentation/ProxyARP.htm b/STABLE/documentation/ProxyARP.htm
new file mode 100644
index 000000000..0757c9c71
--- /dev/null
+++ b/STABLE/documentation/ProxyARP.htm
@@ -0,0 +1,65 @@
+ + + + +Shorewall Proxy ARP + + + + + + + +
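Review bot: The ip-up.local example opens with `#/bin/sh` rather than `#!/bin/sh`, so it has no valid interpreter line; whether it still runs depends on the calling shell falling back to interpreting a non-executable image, and readers copying it will hit that inconsistently, so the fix is the one-character `#!/bin/sh`. The cron restart script decides the client is alive with `ps ax | grep /usr/sbin/pptp | grep -v grep`, which matches any process whose arguments merely contain that string (an editor opened on the script, for instance) and then exits without restarting; `pgrep -x pptp` where available, or a check of the pid file the stop function clears under /var/run/pptp, is a more reliable liveness test. In the pptpd init script, `echo 1 > /proc/sys/net/ipv4/ip_forward` on start is never reverted on stop and duplicates the forwarding control Shorewall already provides through IP_FORWARD in shorewall.conf, so the two can disagree if IP_FORWARD is set to Off; I'd drop that line and leave forwarding to the firewall configuration. These scripts are embedded in an HTML page, so the changes are documentation fixes rather than code this commit executes.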

+

Proxy ARP

+

 

+

Proxy ARP allows you to insert a firewall in front of a set of servers + without changing their IP addresses and without having to re-subnet.

+

The following figure represents a Proxy ARP + environment.

+

+
+
+

Proxy ARP can be used to make the systems with addresses + 130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) + subnet.  Assuming that the upper firewall interface is eth0 and the + lower interface is eth1, this is accomplished using the following entries in + /etc/shorewall/proxyarp:

+
+ + + + + + + + + + + + + + + + + + +
ADDRESSINTERFACEEXTERNALHAVEROUTE
130.252.100.18eth1eth0no
130.252.100.19eth1eth0no
+

Be sure that the internal systems (130.242.100.18 and 130.252.100.19  + in the above example) are not included in any specification in + /etc/shorewall/masq or /etc/shorewall/nat.

+

Note that I've used an RFC1918 IP address for eth1 - that IP address is + irrelevant.

+

The lower systems (130.252.100.18 and 130.252.100.19) should have their + subnet mask and default gateway configured exactly the same way that the + Firewall system's eth0 is configured.

+
+ +
+
+ +

Last updated 5/16/2002 - +Tom +Eastep

+Copyright2001, 2002 Thomas M. Eastep.
\ No newline at end of file
diff --git a/STABLE/documentation/Shorewall_Banner.htm b/STABLE/documentation/Shorewall_Banner.htm
new file mode 100644
index 000000000..4ac2b00e9
--- /dev/null
+++ b/STABLE/documentation/Shorewall_Banner.htm
@@ -0,0 +1,21 @@
+ + + + + + +Shorewall Banner + + + + + +

+The Shorewall Project uses the Services ofSourceForge Logo

+ +

 

+ +
+ + +
diff --git a/STABLE/documentation/Shorewall_index_frame.htm b/STABLE/documentation/Shorewall_index_frame.htm
new file mode 100644
index 000000000..61975d387
--- /dev/null
+++ b/STABLE/documentation/Shorewall_index_frame.htm
@@ -0,0 +1,66 @@
+ + + + + + + +Shorewall Index + + + + +

 Shorewall

+
+ + + + + + + + + + + + + + + + + + + +
bulletHome
bulletShorewall 1.2 Home
bulletFeatures
bulletRequirements
bulletDownload
bulletQuickStart Guides
bulletInstallation/Upgrade
+ /Configuration
bulletDocumentation
bulletReference Manual
bulletFAQs
bulletTroubleshooting
bulletErrata
bulletSupport
bulletMailing Lists
bulletMirrors + + + + +
bulletSlovak Republic
bulletTexas, USA
bulletGermany
bulletArgentina
+
bulletNews Archive
bulletCVS Repository
bulletQuotes from Users
bulletAbout the Author
+ +
+

+ Quick Search
+ + + + + + +

+ +
+ +

Extended Search Forms

+ +

+

+ +

Copyright2001, 2002 Thomas M. Eastep.

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/_themes/radial/aradbck.gif b/STABLE/documentation/_themes/radial/aradbck.gif
new file mode 100644
index 000000000..1215e2379
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradbck.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradbckh.gif b/STABLE/documentation/_themes/radial/aradbckh.gif
new file mode 100644
index 000000000..962204988
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradbckh.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradbnr.gif b/STABLE/documentation/_themes/radial/aradbnr.gif
new file mode 100644
index 000000000..110a421f7
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradbnr.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradbul1.gif b/STABLE/documentation/_themes/radial/aradbul1.gif
new file mode 100644
index 000000000..b765debdf
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradbul1.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradbul2.gif b/STABLE/documentation/_themes/radial/aradbul2.gif
new file mode 100644
index 000000000..1bb1e80ef
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradbul2.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradbul3.gif b/STABLE/documentation/_themes/radial/aradbul3.gif
new file mode 100644
index 000000000..a264fabee
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradbul3.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradhbtn.gif b/STABLE/documentation/_themes/radial/aradhbtn.gif
new file mode 100644
index 000000000..f765f04dd
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradhbtn.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradhhov.gif b/STABLE/documentation/_themes/radial/aradhhov.gif
new file mode 100644
index 000000000..491d844a7
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradhhov.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradhom.gif b/STABLE/documentation/_themes/radial/aradhom.gif
new file mode 100644
index 000000000..fc51518fa
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradhom.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradhomh.gif b/STABLE/documentation/_themes/radial/aradhomh.gif
new file mode 100644
index 000000000..d290dc116
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradhomh.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradhsel.gif b/STABLE/documentation/_themes/radial/aradhsel.gif
new file mode 100644
index 000000000..7a755d697
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradhsel.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradnxt.gif b/STABLE/documentation/_themes/radial/aradnxt.gif
new file mode 100644
index 000000000..46c65ec7a
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradnxt.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradnxth.gif b/STABLE/documentation/_themes/radial/aradnxth.gif
new file mode 100644
index 000000000..0c8e476a8
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradnxth.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradrule.gif b/STABLE/documentation/_themes/radial/aradrule.gif
new file mode 100644
index 000000000..78bb010c8
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradrule.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradup.gif b/STABLE/documentation/_themes/radial/aradup.gif
new file mode 100644
index 000000000..07acde731
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradup.gif differ
diff --git a/STABLE/documentation/_themes/radial/araduph.gif b/STABLE/documentation/_themes/radial/araduph.gif
new file mode 100644
index 000000000..60f4f18dc
Binary files /dev/null and b/STABLE/documentation/_themes/radial/araduph.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradvbtn.gif b/STABLE/documentation/_themes/radial/aradvbtn.gif
new file mode 100644
index 000000000..3ad026d16
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradvbtn.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradvhov.gif b/STABLE/documentation/_themes/radial/aradvhov.gif
new file mode 100644
index 000000000..8e7710798
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradvhov.gif differ
diff --git a/STABLE/documentation/_themes/radial/aradvsel.gif b/STABLE/documentation/_themes/radial/aradvsel.gif
new file mode 100644
index 000000000..8e7710798
Binary files /dev/null and b/STABLE/documentation/_themes/radial/aradvsel.gif differ
diff --git a/STABLE/documentation/_themes/radial/blank.gif b/STABLE/documentation/_themes/radial/blank.gif
new file mode 100644
index 000000000..2ff57bf16
Binary files /dev/null and b/STABLE/documentation/_themes/radial/blank.gif differ
diff --git a/STABLE/documentation/_themes/radial/blhomep.gif b/STABLE/documentation/_themes/radial/blhomep.gif
new file mode 100644
index 000000000..e1b7aa20a
Binary files /dev/null and b/STABLE/documentation/_themes/radial/blhomep.gif differ
diff --git a/STABLE/documentation/_themes/radial/blnextp.gif b/STABLE/documentation/_themes/radial/blnextp.gif
new file mode 100644
index 000000000..36866a808
Binary files /dev/null and b/STABLE/documentation/_themes/radial/blnextp.gif differ
diff --git a/STABLE/documentation/_themes/radial/blprevp.gif b/STABLE/documentation/_themes/radial/blprevp.gif
new file mode 100644
index 000000000..92ac1d210
Binary files /dev/null and b/STABLE/documentation/_themes/radial/blprevp.gif differ
diff --git a/STABLE/documentation/_themes/radial/bluedot.gif b/STABLE/documentation/_themes/radial/bluedot.gif
new file mode 100644
index 000000000..fa696ee07
Binary files /dev/null and b/STABLE/documentation/_themes/radial/bluedot.gif differ
diff --git a/STABLE/documentation/_themes/radial/blupp.gif b/STABLE/documentation/_themes/radial/blupp.gif
new file mode 100644
index 000000000..09b9bfe53
Binary files /dev/null and b/STABLE/documentation/_themes/radial/blupp.gif differ
diff --git a/STABLE/documentation/_themes/radial/color0.css b/STABLE/documentation/_themes/radial/color0.css
new file mode 100644
index 000000000..addf001f1
--- /dev/null
+++ b/STABLE/documentation/_themes/radial/color0.css
@@ -0,0 +1,93 @@
+a:link
+{
+ color: rgb(102,102,255);
+}
+a:visited
+{
+ color: rgb(153,51,51);
+}
+a:active
+{
+ color: rgb(102,204,204);
+}
+body
+{
+ color: rgb(0,0,0);
+ background-color: rgb(255,255,255);
+}
+h1
+{
+ color: rgb(102,102,102);
+}
+h2, marquee
+{
+ color: rgb(102,102,102);
+}
+h3
+{
+ color: rgb(102,102,102);
+}
+h4
+{
+ color: rgb(102,102,102);
+}
+h5
+{
+ color: rgb(102,102,102);
+}
+h6
+{
+ color: rgb(102,102,102);
+}
+BUTTON
+{
+ background-color: rgb(102,102,102);
+ border-color: rgb(204,204,204);
+ color: white;
+}
+LABEL, .MSTHEME-LABEL
+{
+ color: rgb(0,0,0);
+}
+TEXTAREA
+{
+ border-color: rgb(102,102,102);
+ color: black;
+}
+FIELDSET
+{
+ border-color: rgb(102,102,102);
+ color: black;
+}
+LEGEND
+{
+ color: rgb(102,102,102);
+}
+SELECT
+{
+ border-color: rgb(102,102,102);
+ color: black;
+}
+TABLE
+{
+ border-color: rgb(102,102,102);
+ color: rgb(0,0,0);
+ table-border-color-light: rgb(204,204,204);
+ table-border-color-dark: rgb(102,102,102);
+}
+CAPTION
+{
+ color: rgb(102,102,102);
+}
+TH
+{
+ color: rgb(0,0,0);
+}
+HR
+{
+ color: rgb(102,102,102);
+}
+TD
+{
+ border-color: rgb(102,102,102);
+}
diff --git a/STABLE/documentation/_themes/radial/color1.css b/STABLE/documentation/_themes/radial/color1.css
new file mode 100644
index 000000000..d3eb703e2
--- /dev/null
+++ b/STABLE/documentation/_themes/radial/color1.css
@@ -0,0 +1,93 @@ +a:link +{ + color: rgb(102,102,204); +} +a:visited +{ + color: rgb(153,102,102); +} +a:active +{ + color: rgb(102,153,153); +} +body +{ + color: rgb(0,0,0); + background-color: rgb(255,255,255); +} +h1 +{ + color: rgb(102,102,204); +} +h2, marquee +{ + color: rgb(102,102,204); +} +h3 +{ + color: rgb(102,102,204); +} +h4 +{ + color: rgb(102,102,204); +} +h5 +{ + color: rgb(102,102,204); +} +h6 +{ + color: rgb(102,102,204); +} +BUTTON +{ + background-color: rgb(102,102,204); + border-color: rgb(153,153,255); + color: white; +} +LABEL, .MSTHEME-LABEL +{ + color: rgb(0,0,0); +} +TEXTAREA +{ + border-color: rgb(51,0,153); + color: black; +} +FIELDSET +{ + border-color: rgb(51,0,153); + color: black; +} +LEGEND +{ + color: rgb(102,102,204); +} +SELECT +{ + border-color: rgb(51,0,153); + color: black; +} +TABLE +{ + border-color: rgb(51,0,153); + color: rgb(0,0,0); + table-border-color-light: rgb(153,153,255); + table-border-color-dark: rgb(51,0,153); +} +CAPTION +{ + color: rgb(102,102,204); +} +TH +{ + color: rgb(0,0,0); +} +HR +{ + color: rgb(102,102,204); +} +TD +{ + border-color: rgb(51,0,153); +} diff --git a/STABLE/documentation/_themes/radial/graph0.css b/STABLE/documentation/_themes/radial/graph0.css new file mode 100644 index 000000000..cb5a443fc --- /dev/null +++ b/STABLE/documentation/_themes/radial/graph0.css 
@@ -0,0 +1,70 @@ +.mstheme +{ + nav-banner-image: url(radbnr.gif); + separator-image: url(radrule.gif); + list-image-1: url(radbul1.gif); + list-image-2: url(radbul2.gif); + list-image-3: url(radbul3.gif); + navbutton-horiz-pushed: url(radhsel.gif); + navbutton-horiz-normal: url(radhbtn.gif); + navbutton-vert-pushed: url(radvsel.gif); + navbutton-vert-normal: url(radvbtn.gif); + navbutton-home-normal: url(radhom.gif); + navbutton-up-normal: url(radup.gif); + navbutton-prev-normal: url(radbck.gif); + navbutton-next-normal: url(radnxt.gif); +} +.mstheme-bannertxt +{ + font-family: times new roman, Times New Roman, Times; + font-size: 6; + color: rgb(255,255,255); +} +.mstheme-horiz-navtxt +{ + font-family: arial, Arial, Helvetica; + font-size: 1; + color: rgb(51,102,102); +} +.mstheme-vert-navtxt +{ + font-family: arial, Arial, Helvetica; + font-size: 1; + color: rgb(51,102,102); +} +.mstheme-navtxthome +{ + font-family: arial, Arial, Helvetica; + font-size: 1; + color: rgb(51,102,102); +} +.mstheme-navtxtup +{ + font-family: arial, Arial, Helvetica; + font-size: 1; + color: rgb(51,102,102); +} +.mstheme-navtxtprev +{ + font-family: arial, Arial, Helvetica; + font-size: 1; + color: rgb(51,102,102); +} +.mstheme-navtxtnext +{ + font-family: arial, Arial, Helvetica; + font-size: 1; + color: rgb(51,102,102); +} +UL +{ + list-style-image: url(radbul1.gif); +} +UL UL +{ + list-style-image: url(radbul2.gif); +} +UL UL UL +{ + list-style-image: url(radbul3.gif); +} \ No newline at end of file diff --git a/STABLE/documentation/_themes/radial/graph1.css b/STABLE/documentation/_themes/radial/graph1.css new file mode 100644 index 000000000..449732aa3 --- /dev/null +++ b/STABLE/documentation/_themes/radial/graph1.css 
@@ -0,0 +1,80 @@ +.mstheme +{ + nav-banner-image: url(aradbnr.gif); + separator-image: url(aradrule.gif); + list-image-1: url(aradbul1.gif); + list-image-2: url(aradbul2.gif); + list-image-3: url(aradbul3.gif); + navbutton-horiz-pushed: url(aradhsel.gif); + navbutton-horiz-normal: url(aradhbtn.gif); + navbutton-horiz-hovered: url(aradhhov.gif); + navbutton-vert-pushed: url(aradvsel.gif); + navbutton-vert-normal: url(aradvbtn.gif); + navbutton-vert-hovered: url(aradvhov.gif); + navbutton-home-normal: url(aradhom.gif); + navbutton-home-hovered: url(aradhomh.gif); + navbutton-home-pushed: url(blhomep.gif); + navbutton-up-normal: url(aradup.gif); + navbutton-up-hovered: url(araduph.gif); + navbutton-up-pushed: url(blupp.gif); + navbutton-prev-normal: url(aradbck.gif); + navbutton-prev-hovered: url(aradbckh.gif); + navbutton-prev-pushed: url(blprevp.gif); + navbutton-next-normal: url(aradnxt.gif); + navbutton-next-hovered: url(aradnxth.gif); + navbutton-next-pushed: url(blnextp.gif); +} +.mstheme-bannertxt +{ + font-family: times new roman, Times New Roman, Times; + font-size: 6; + color: rgb(255,255,255); +} +.mstheme-horiz-navtxt +{ + font-family: Arial, Arial, Helvetica; + font-size: 1; + color: rgb(102,102,204); +} +.mstheme-vert-navtxt +{ + font-family: arial, Arial, Helvetica; + font-size: 1; + color: rgb(102,102,204); +} +.mstheme-navtxthome +{ + font-family: arial, Arial, Helvetica; + font-size: 1; + color: rgb(102,102,102); +} +.mstheme-navtxtup +{ + font-family: arial, Arial, Helvetica; + font-size: 1; + color: rgb(102,102,102); +} +.mstheme-navtxtprev +{ + font-family: arial, Arial, Helvetica; + font-size: 1; + color: rgb(102,102,102); +} +.mstheme-navtxtnext +{ + font-family: arial, Arial, Helvetica; + font-size: 1; + color: rgb(102,102,102); +} +UL +{ + list-style-image:url(aradbul1.gif); +} +UL UL +{ + list-style-image:url(aradbul2.gif); +} +UL UL UL +{ + list-style-image:url(aradbul3.gif); +} \ No newline at end of file 
diff --git a/STABLE/documentation/_themes/radial/radbck.gif b/STABLE/documentation/_themes/radial/radbck.gif
new file mode 100644
index 000000000..962204988
Binary files /dev/null and b/STABLE/documentation/_themes/radial/radbck.gif differ
diff --git a/STABLE/documentation/_themes/radial/radbkgnd.gif b/STABLE/documentation/_themes/radial/radbkgnd.gif
new file mode 100644
index 000000000..2defe8451
Binary files /dev/null and b/STABLE/documentation/_themes/radial/radbkgnd.gif differ
diff --git a/STABLE/documentation/_themes/radial/radbnr.gif b/STABLE/documentation/_themes/radial/radbnr.gif
new file mode 100644
index 000000000..e70656668
Binary files /dev/null and b/STABLE/documentation/_themes/radial/radbnr.gif differ
diff --git a/STABLE/documentation/_themes/radial/radbul1.gif b/STABLE/documentation/_themes/radial/radbul1.gif
new file mode 100644
index 000000000..cfc4c42fc
Binary files /dev/null and b/STABLE/documentation/_themes/radial/radbul1.gif differ
diff --git a/STABLE/documentation/_themes/radial/radbul2.gif b/STABLE/documentation/_themes/radial/radbul2.gif
new file mode 100644
index 000000000..1367b257d
Binary files /dev/null and b/STABLE/documentation/_themes/radial/radbul2.gif differ
diff --git a/STABLE/documentation/_themes/radial/radbul3.gif b/STABLE/documentation/_themes/radial/radbul3.gif
new file mode 100644
index 000000000..89b5580d2
Binary files /dev/null and b/STABLE/documentation/_themes/radial/radbul3.gif differ
diff --git a/STABLE/documentation/_themes/radial/radglobl.gif b/STABLE/documentation/_themes/radial/radglobl.gif
new file mode 100644
index 000000000..dab6cdd9a
Binary files /dev/null and b/STABLE/documentation/_themes/radial/radglobl.gif differ
diff --git a/STABLE/documentation/_themes/radial/radhbtn.gif b/STABLE/documentation/_themes/radial/radhbtn.gif
new file mode 100644
index 000000000..3ad026d16
Binary files /dev/null and b/STABLE/documentation/_themes/radial/radhbtn.gif differ
diff --git a/STABLE/documentation/_themes/radial/radhom.gif b/STABLE/documentation/_themes/radial/radhom.gif
new file mode 100644
index 000000000..d290dc116
Binary files /dev/null and b/STABLE/documentation/_themes/radial/radhom.gif differ
diff --git a/STABLE/documentation/_themes/radial/radhsel.gif b/STABLE/documentation/_themes/radial/radhsel.gif
new file mode 100644
index 000000000..8e7710798
Binary files /dev/null and b/STABLE/documentation/_themes/radial/radhsel.gif differ
diff --git a/STABLE/documentation/_themes/radial/radial.inf b/STABLE/documentation/_themes/radial/radial.inf
new file mode 100644
index 000000000..b4e049988
--- /dev/null
+++ b/STABLE/documentation/_themes/radial/radial.inf
@@ -0,0 +1,38 @@
+[info]
+refcount=2
+version=3.00
+readonly=true
+codepage=65001
+format=2.00
+title=Radial
+[titles]
+1033=Radial
+1069=Radyal
+1046=Radial
+1050=Poluzaobljenja
+1029=Oblouky
+1030=Radial
+1043=Radiaal
+1036=Transversal
+1035=Säde
+1031=Radial
+1032=Ακτίνες
+1038=Kerekített
+2070=Radial
+1040=Radiale
+1044=Radiell
+1045=Wiraże
+1048=Radial
+1049=Закругление
+1051=LúÄe
+1060=Zaobljena
+3082=Radial
+1053=Radie
+1055=Radyal
+1041=åŠå††
+1042=ìº¡ìŠ êµ¬ì„±
+1028=交織如梭
+2052=射线
+1037=מוקדי
+1054=เป็นรัศมี
+1025=شعاعي
diff --git a/STABLE/documentation/_themes/radial/radial.utf8 b/STABLE/documentation/_themes/radial/radial.utf8
new file mode 100644
index 000000000..b4e049988
--- /dev/null
+++ b/STABLE/documentation/_themes/radial/radial.utf8
@@ -0,0 +1,38 @@
+[info]
+refcount=2
+version=3.00
+readonly=true
+codepage=65001
+format=2.00
+title=Radial
+[titles]
+1033=Radial
+1069=Radyal
+1046=Radial
+1050=Poluzaobljenja
+1029=Oblouky
+1030=Radial
+1043=Radiaal
+1036=Transversal
+1035=Säde
+1031=Radial
+1032=Ακτίνες
+1038=Kerekített
+2070=Radial
+1040=Radiale
+1044=Radiell
+1045=Wiraże
+1048=Radial
+1049=Закругление
+1051=LúÄe
+1060=Zaobljena
+3082=Radial
+1053=Radie
+1055=Radyal
+1041=åŠå††
+1042=ìº¡ìŠ êµ¬ì„±
+1028=交織如梭
+2052=射线
+1037=מוקדי
+1054=เป็นรัศมี
+1025=شعاعي
diff --git a/STABLE/documentation/_themes/radial/radnxt.gif b/STABLE/documentation/_themes/radial/radnxt.gif
new file mode 100644
index 000000000..0c8e476a8
Binary files /dev/null and b/STABLE/documentation/_themes/radial/radnxt.gif differ
diff --git a/STABLE/documentation/_themes/radial/radrule.gif b/STABLE/documentation/_themes/radial/radrule.gif
new file mode 100644
index 000000000..411892816
Binary files /dev/null and b/STABLE/documentation/_themes/radial/radrule.gif differ
diff --git a/STABLE/documentation/_themes/radial/radup.gif b/STABLE/documentation/_themes/radial/radup.gif
new file mode 100644
index 000000000..60f4f18dc
Binary files /dev/null and b/STABLE/documentation/_themes/radial/radup.gif differ
diff --git a/STABLE/documentation/_themes/radial/radvbtn.gif b/STABLE/documentation/_themes/radial/radvbtn.gif
new file mode 100644
index 000000000..3ad026d16
Binary files /dev/null and b/STABLE/documentation/_themes/radial/radvbtn.gif differ
diff --git a/STABLE/documentation/_themes/radial/radvsel.gif b/STABLE/documentation/_themes/radial/radvsel.gif
new file mode 100644
index 000000000..8e7710798
Binary files /dev/null and b/STABLE/documentation/_themes/radial/radvsel.gif differ
diff --git a/STABLE/documentation/_themes/radial/theme.css b/STABLE/documentation/_themes/radial/theme.css
new file mode 100644
index 000000000..158463050
--- /dev/null
+++ b/STABLE/documentation/_themes/radial/theme.css
@@ -0,0 +1,549 @@ +.mstheme +{ + navbutton-background-color: rgb(255,255,255); + top-bar-button: url(radglobl.gif); +} +.mstheme-topbar-font +{ + font-family: arial, Arial, Helvetica; + font-size: 1; + color: rgb(51,102,102); +} +body +{ + font-family: arial, Arial, Helvetica; + background-image: url(radbkgnd.gif); +} +h1 +{ + font-family: times new roman, Times New Roman, Times; + font-weight: normal; + font-style: normal; + font-size: 24pt; +} +h2 +{ + font-family: times new roman, Times New Roman, Times; + font-weight: normal; + font-style: normal; + font-size: 18pt; +} +h3 +{ + font-family: times new roman, Times New Roman, Times; + font-weight: normal; + font-style: normal; + font-size: 14pt; +} +h4 +{ + font-family: times new roman, Times New Roman, Times; + font-weight: normal; + font-style: normal; + font-size: 12pt; +} +h5 +{ + font-family: times new roman, Times New Roman, Times; + font-weight: normal; + font-style: normal; + font-size: 10pt; +} +h6 +{ + font-family: times new roman, Times New Roman, Times; + font-weight: normal; + font-style: normal; + font-size: 8pt; +} +BUTTON +{ + border-style: solid; + border-width: 1pt; + font-size: 8pt; + font-family: arial, Arial, Helvetica; + font-style: normal; +} +LABEL, .MSTHEME-LABEL +{ + font-size: 8pt; + font-family: arial, Arial, Helvetica; + font-style:normal; +} +TEXTAREA +{ + border-style: solid; + border-width: 1pt; + font-size: 8pt; + font-family: arial, Arial, Helvetica; + font-style: normal; +} +FIELDSET +{ + border-style: solid; + border-width: 1pt; + font-size: 8pt; + font-family: arial, Arial, Helvetica; + font-style: normal; +} +LEGEND +{ + font-size: 8pt; + font-family: times new roman, Times New Roman, Times; + font-style: normal; +} +SELECT +{ + border-style: solid; + border-width: 1pt; + font-size: 8pt; + font-family: arial, Arial, Helvetica; + font-style: normal; +} +TABLE +{ + font-family: arial, Arial, Helvetica; + font-style: normal; +} +CAPTION +{ + font-size: 14pt; + font-family: times 
new roman, Times New Roman, Times; + font-style: normal; +} +TH +{ + font-family: arial, Arial, Helvetica; + font-style: normal; +} +MARQUEE +{ + font-size: 14pt; + font-family: arial, Arial, Helvetica; +} +.ms-main { + border-right: 0 solid #cccccc; +} +.ms-bannerframe { + background-color: #6666cc; +} +.ms-banner { + color: #ffffff; + font-size: 9pt; + font-family: Arial, sans-serif; +} +.ms-banner a:link { + font-family: Arial, sans-serif; + font-size: 9pt; + color: #ffffff; + font-weight: normal; + text-decoration: none; + } +.ms-banner a:visited { + font-family: Arial, sans-serif; + font-size: 9pt; + color: #ffffff; + font-weight: normal; + text-decoration: none; + } +.ms-nav td { + font-family: Arial, sans-serif; + font-size: 9pt; + font-weight: normal; + color: #000000; +} +.ms-nav th { + font-size: 9pt; + font-family: Arial, sans-serif; + font-weight: normal; + text-align: left; + color: #000000; +} +.ms-navframe { + color: #000000; +} +.ms-nav a { + text-decoration: none; + font-family: Arial, sans-serif; + font-size: 9pt; + font-weight: normal; + color: #6666ff; +} +.ms-nav a:link { +} +.ms-nav a:hover { + text-decoration: underline; + color: #66cccc; +} +.ms-nav a:visited { + color: #993333; +} +.ms-verticaldots { + background-image: url(bluedot.gif); + background-position: right; + background-repeat: repeat-y; +} +.ms-viewselect A:link{ + font-size: 9pt; + font-family: Arial, sans-serif; + color: #6666ff; +} +.ms-titlearea { + font-family: Arial, sans-serif; + font-size: 9pt; + color: #000000; +} +.ms-titleareaframe { + color: #000000; +} +.ms-pagetitle { + color: #669999; + font-family: Times New Roman, serif; + font-size: 1.25em; + font-weight: bold; +} +.ms-pagetitle a { + text-decoration:underline; + color: #669999; +} +.ms-pagetitle a:hover { + text-decoration: underline; + color: #669999; +} +.ms-announcementtitle { + font-weight: normal; +} + +.ms-formlabel { + text-align: left; + font-family: Arial, sans-serif; + font-size: 9pt; + font-weight: 
normal; + color: #000000; +} +.ms-formdescription a { + color: #6666ff; + text-decoration: underline; +} +.ms-formbody { + text-align: left; + font-family: Arial, sans-serif; + font-size: 9pt; +} +.ms-formdescription +{ + font-family: Arial, sans-serif; + font-size: 9pt; + color: #000000; +} +.ms-radiotext { + cursor:default; + text-align: left; + font-family: Arial, sans-serif; + font-size: 10pt; + height: 19px; +} +.ms-searchbox { + width: 100%; +} +.ms-input { + font-size: 9pt; + font-family: Arial, sans-serif; + vertical-align: baseline; +} +.ms-long { + font-size: 9pt; + font-family: Arial, sans-serif; + width: 300px; +} +.ms-wvsel { + color: #3366cc; +} +.ms-selected { + background-color: #6666cc; + color: #ffffff; +} +.ms-selected SPAN { + color: #ffffff; +} +.ms-filedialog TD { + height: 16px; +} +.ms-descriptiontext { + color: #000000; + font-family: Arial, sans-serif; + font-size: 9pt; +} +.ms-descriptiontext a { + color: #6666ff; + font-family: Arial, sans-serif; + font-size: 9pt; +} +.ms-toolbar { + font-family: Arial, sans-serif; + font-size: 9pt; + text-decoration: none; + color: #669999; +} +.ms-separator { + color: #996666; + font-size: 10pt; +} +.ms-authoringcontrols{ + background-color: #f2f2f2; + font-family: Arial, sans-serif; + font-size: 9pt; + color: #000000; +} +.ms-sectionheader{ + color: #669999; + font-family: Times New Roman, serif; + font-size: 12pt; + font-weight: normal; +} +.ms-sectionline +{ + background-color: #6666cc; + height: 1px; +} +.ms-propertysheet { + font-family: Arial, sans-serif; + font-size: 9pt; +} +.ms-propertysheet th { + font-family: Arial, sans-serif; + font-size: 9pt; + color: #000000; + font-weight: normal; +} +.ms-propertysheet a { + text-decoration: none; + color: #6666ff; +} +.ms-propertysheet a:hover { + text-decoration: underline; + color: #66cccc; +} +.ms-propertysheet a:visited { + text-decoration: none; + color: #993333; +} +.ms-propertysheet a:visited:hover { + text-decoration: underline; +} 
+.ms-itemheader a { + font-size: 10pt; + font-family: Arial, sans-serif; + font-weight: normal; + color: #6666ff; + text-decoration: none; +} +.ms-itemheader a:hover { + text-decoration: underline; + color: #66cccc; +} +.ms-itemheader a:visited { + text-decoration: none; + color: #993333; +} +.ms-itemheader a:visited:hover { + text-decoration: underline; +} +.ms-discussiontitle { + font-size: 12pt; + font-family: Times New Roman, serif; + color: #000000; + font-weight: normal; +} +.ms-vh { + font-family: Arial, sans-serif; + font-size: 9pt; + color: #000000; + text-align: left; + text-decoration: none; + font-weight: normal; +} +.ms-vh a { + color: #6666ff; + text-decoration: none; +} +.ms-vh a:hover { + text-decoration: underline; +} +.ms-vb{ + font-family: Arial, sans-serif; + font-size: 9pt; + height: 18px; + vertical-align: top; +} +.ms-vb a { + color: #6666ff; + text-decoration: none; +} +.ms-vb a:hover { + color: #66cccc; + text-decoration: underline; +} +.ms-vb a:visited { + color: #993333; + text-decoration: none; +} +.ms-vb a:visited:hover { + text-decoration: underline; +} +.ms-homepagetitle { + font-family: Time New Roman, serif; + font-size: 12pt; + color: #000000; + font-weight: bold; + text-decoration: none; +} +.ms-homepagetitle:Hover { + text-decoration: underline; + color: #000000; +} +.ms-addnew { + font-weight: normal; + font-family: Arial, sans-serif; + font-size: .68em; + color: #669999; + text-decoration: none; +} +.ms-cal { + border-collapse:collapse; + table-layout:fixed; + font-family: Arial, sans-serif; + cursor:default; +} +.ms-caltop { + border-top:1px solid black; + border-left:1px solid black; + border-right:1px solid black; + vertical-align:top; + font-size: 10pt; + width: 14%; + height:30px; +} +.ms-calhead { + border:none; + text-align:center; + background-color: #6666cc; + color: #ffffff; + font-size: 16pt; + font-family: Arial, sans-serif; + padding: 2px; +} +.ms-caldow { + border-top:1px solid black; + border-left:1px solid 
black; + border-right:1px solid black; + vertical-align:top; + text-align:center; + font-weight: bold; + font-size: 10pt; + height:20px; +} +.ms-calmid { + border-left:1px solid black; + border-right:1px solid black; + height:20px; +} +.ms-calspacer { + border-left:1px solid black; + border-right:1px solid black; + height:4px; +} +.ms-calbot { + border-top:none; + border-left:1px solid black; + border-right:1px solid black; + border-bottom:1px solid black; + height:2px; +} +.ms-appt a { + color: #000000; +} +.ms-appt a:hover { + color: red; +} +.ms-appt { + border:2px solid #669999; + text-align:center; + vertical-align: middle; + font-size:8pt; + height:18px; + overflow:hidden; + background-color: #cccccc; + color: black; +} +.ms-caldowdown { + font-family: Arial, sans-serif; + font-weight: bold; + color: #000000; + text-align: center; + vertical-align: middle; +} +.ms-caldown { + font-size: 8pt; + color: #000000; + text-align: left; + vertical-align: top; +} +.ms-datepickeriframe { + position:absolute; + display:none; + background:white; +} +.ms-datepicker { + font-family: Arial, sans-serif; + background-color: #ffffff; + border: 2 outset activeborder; + cursor:default; +} +.ms-dpdow { + border:none; + vertical-align:top; + text-align:center; + font-weight: bold; + font-size: 8pt; + border-bottom:1px solid black; +} +.ms-dpday { + border:none; + font-size: 8pt; + text-align: center; +} +.ms-dpselectedday { + border:none; + background-color:#cccccc; + font-size: 8pt; + text-align: center; +} +.ms-dpnonmonth { + color:gray; + border:none; + font-size: 8pt; + text-align: center; +} +.ms-dphead { + border:none; + text-align:center; + font-weight: bold; + font-size: 8pt; + background-color: #669999; + color: #ffffff; +} +.ms-dpfoot { + text-align:center; + font-size: 8pt; + text-align: center; + font-style: italic; + border-top:1px solid; + border-left:none; + border-bottom:none; + border-right:none; + height:24px; +} +IMG.ms-button { + cursor:hand; +} 
diff --git a/STABLE/documentation/backup.shorewall_quickstart_guide.htm b/STABLE/documentation/backup.shorewall_quickstart_guide.htm new file mode 100644 index 000000000..35def60b1 --- /dev/null +++ b/STABLE/documentation/backup.shorewall_quickstart_guide.htm @@ -0,0 +1,350 @@ + + + + + + + +Shorewall QuickStart Guide + + + + + +

Shorewall QuickStart Guide
+Version 1.3-2

+ +

Introduction

+

One of the design goals of Shorewall was that "it should be simple to do +simple things". With that in mind, I've written this QuickStart guide to +demonstrate how easy it is to configure common firewall setups.

+

This guide doesn't attempt to acquaint you with all of the features of +Shorewall. It rather focuses on what is required to configure Shorewall in three +common basic configurations. If you don't find what you are looking for in this +Guide, check the Shorewall Documentation.

+

This guide assumes that you have the iproute/iproute2 package installed (on +RedHat, the package is called iproute). You can tell if this +package is installed by the presence of an ip program on your firewall +system. As root, you can use the 'which' command to check for this program:

+
     [root@gateway root]# which ip
+     /sbin/ip
+     [root@gateway root]# 
+

After you have installed Shorewall, simply pick the sample +configuration that best fits your needs and copy the files to +/etc/shorewall. Next modify /etc/shorewall/interfaces and /etc/shorewall/masq to +match your setup as described below. If you have servers, you will also need to +modify /etc/shorewall/rules.

+

Available samples include:

+
+ + + +
bulletStandalone System
bulletTwo-interface Masquerading Firewall
bulletThree-interface Masquerading Firewall with DMZ
+

All of these samples assume that you have a single external IP address - it +may be static or dynamic. Configuring Shorewall with multiple external IP +addresses is outside of the scope of this guide; see the +Shorewall Documentation.

+

Do not try to install Shorewall on a remote +system -- you will almost certainly end up not being able to communicate with +that system.

+

Shorewall Configuration Concepts

+

The configuration files for Shorewall are contained in the directory +/etc/shorewall -- for simple setups, you will only need to deal with a few of +these as described in this guide. As each file is introduced, I suggest that you +look through the actual file on your system -- each file contains detailed +configuration instructions and default entries.

+

Shorewall views the network where it is running as being composed of a set of +zones. In the sample configurations, the following zone names are used:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameDescriptionOne InterfaceTwo InterfacesThree Interfaces
netThe InternetXXX
locYour Local Network XX
dmzYour demilitarized Zone  X
+

Shorewall also recognizes the firewall system as its own zone - by default, +the firewall itself is known as fw although you can change that name in the +/etc/shorewall/shorewall.conf file. As +shown in the above table, not all zones are available with all sample +configurations.

+

The simplest way to define a zone is to associate the zone with a +network interface on your firewall system. You do that using the +/etc/shorewall/interfaces file. So +for a standalone system, you would associate your single network interface with +net; on a two-interface firewall, you would associate one interface with +net and one with loc; and on a three-interface firewall with DMZ, +you would associate one interface with net, a second with loc and +a third with dmz. The sample interfaces do this as follows:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ZoneInterfaceOne InterfaceTwo InterfacesThree Interfaces
neteth0XXX
loceth1 XX
dmzeth2  X
+

If your configuration doesn't match the sample then you will need to modify +/etc/shorewall/interfaces.

+

Rules about what traffic to allow and what traffic to deny are expressed in +terms of zones.

+
+ + + +
bulletYou express your default policy for connections from one zone to another + zone in the /etc/shorewall/policy file.
bulletYou define exceptions to those default policies in the + /etc/shorewall/rules file.
bulletThe /etc/shorewall/rules file is also used to define port forwarding.
+

For each connection request entering the firewall, the request is first checked against the +/etc/shorewall/rules file. If the connection request doesn't match any rule in +that file, the first policy in /etc/shorewall/policy that matches the + +request is then applied. If the policy is DROP or REJECT then the connection +request is passed through the rules in /etc/shorewall/common (the samples supply +that file for you).

+

If you have more than one interface and you have a single external IP address you will need to use +either IP masquerade (if your IP address is dynamic) or Source Network Address +Translation (SNAT). Whichever applies, you will define it in  /etc/shorewall/masq +file. Note: This file is used to describe "many-to-one outbound NAT". +Shorewall also supports one-to-one NAT using the /etc/shorewall/nat file but I recommend against +one-to-one NAT in most applications unless you are willing to deal with the DNS +issues involved. The two- and three-interface samples assume that you will be +using IP masquerade as follows:

+
+ + + + + + + + + + + + + + + + + + +
Traffic coming in on this interfaceWill be masqueraded if it goes out this interfaceTwo InterfacesThree Interfaces
eth1eth0XX
eth2eth0 X
+

/etc/shorewall/interfaces

+

The detailed documentation for this file may be found +here. Entries in this file have four +columns:

+
    +
  1. The name of the zone that this interface connects to - this must be the + name of a zone defined in the /etc/shorewall/zones file.
  2. +
  3. The name of the interface.
  4. +
  5. The broadcast address for the subnet on this interface. If you want + Shorewall to detect this address for you, place 'detect' in that column.
  6. +
  7. A comma-separated list of options that apply to this interface.
  8. +
+

Some examples:

+

Standalone system with ethernet interface to the internet.

+
     net    eth0    detect    norfc1918,routefilter
+

Two interface system with eth0 connected to the local network and eth1 +connected to the internet. eth1 gets its IP address via DHCP.

+
     loc    eth0    detect    routestopped
+     net    eth1    detect    norfc1918,dhcp,routefilter
+

Three interface system with eth0 connected to the internet, eth1 connected to +the DMZ and eth2 connected to the local network. eth0 gets its IP address via +DHCP and the firewall runs a DHCP server for configuring local hosts (those +connected to eth2).

+
     net    eth0	detect	norfc1918,routefilter,dhcp
+     dmz    eth1	detect	routestopped
+     loc    eth2	detect	routestopped,dhcp
+

At this point, please edit /etc/shorewall/interfaces to match your setup.

+

Some other considerations

+

If your primary internet interface uses PPPoE, PPP or PPTP then you will want +to set CLAMPMSS=yes in +/etc/shorewall/shorewall.conf.

+

/etc/shorewall/policy

+

The /etc/shorewall/policy file documentation is +here. I recommend the following (which +are +in the standalone sample):

+

Standalone system:

+
     fw		net	ACCEPT
+     all	all	DROP	info
+

So by default, all connection requests from your firewall to the internet are +accepted (allowed) and all other connection requests (i.e., those from the +internet to your firewall) are dropped (ignored).

+

Two and three interface firewalls:

+
     loc	net	ACCEPT
+     net	all	DROP	info
+     all	all	REJECT	info
+
+

If you want your firewall system to have full access to servers on the +internet, add the following rule before the last rule above (Note -- in the two- +and three-interface samples, the line below is included but commented out).

+
+
     fw		net	ACCEPT
+

The above policy will:

+
    +
  1. allow all connection requests from your local network to the internet
  2. +
  3. drop (ignore) all connection requests from the internet to your firewall + or local network
  4. +
  5. optionally accept all connection requests from the firewall to the + internet (if you uncomment the additional policy)
  6. +
  7. reject all other connection requests.
  8. +
+

At this point, edit your /etc/shorewall/policy and make any changes that you +wish.

+

/etc/shorewall/masq

+

The /etc/shorewall/masq file (documentation +here) describes output many-to-one source Network Address Translation.

+

If you have a static external IP address (assume 206.124.146.176 in these +examples), then:

+
+

Two interface firewall with eth0 interfacing to the internet and eth1 + interfacing to the local network:

+
+
          eth0		eth1	206.124.146.176
+
+

Three interface firewall with eth0 interfacing to the internet, eth1 + interfacing to the DMZ and eth2 interfacing to the local network:

+
+
          eth0		eth1	206.124.146.176
+          eth0		eth2	206.124.146.176
+

If you have a dynamic internet IP address, simply omit the third column! So +for the two interface firewall, your /etc/shorewall/masq file would have:

+
     eth0	eth1
+

If you don't want to use IP masquerade or SNAT (two- and three-interface +samples), simple delete the entry/entries from /etc/shorewall/masq.

At +this point, edit your /etc/shorewall/masq file and change it to match your +configuration.

+

/etc/shorewall/rules

+

The rules file (documentation here) is +probably the most important of the Shorewall configuration files.

+

The general simplified format for an ACCEPT rule that doesn't involve port forwarding +is:

+
     ACCEPT	<source zone>	<dest zone>[:<server IP address>]	<protocol>	<port(s)>
+

Here are some rules that I recommend that everyone use (and that I've +included in the samples):

+
     ACCEPT	fw	net	udp	53	# Accept DNS queries from your firewall to the internet
+     ACCEPT	fw	net	tcp	53	#   "	  "	"      "    "     "  	"   "      "
+

You can omit these rules if your firewall to net policy is +ACCEPT (In other words, if you uncommented the appropriate line in the policy +file as described above).

+

If you have three interfaces with a DMZ, you probably need DNS access to the +net from your DMZ. To permit that, I've included:

+
     ACCEPT	dmz	net	udp	53
+     ACCEPT	dmz	net	tcp	53
+

If you run servers on your firewall system that you want to make accessible +to internet clients, you need to include rules to permit that access (note that +the default policy for net->fw in the policy file above is DROP which causes all +inbound traffic to be ignored by default). For example, if you have a web server +running on your firewall system, you would include the following rule:

+
     ACCEPT	net	fw	tcp	80
+

With multiple local zones, you will probably want to open some ports between +these zones.

+

Example - You have server system 192.168.2.2 in your DMZ and you want to be +able to access its FTP server from your local systems:

+
     ACCEPT	loc	dmz:192.168.2.2	tcp	ftp
+

For FTP to work properly, you will need kernel support for FTP connection +tracking and NAT but all commercial 2.4 kernel's have such support built in.

+

If you don't know which protocol and/or port that one of your applications +uses, try looking here.

+

Port Forwarding

+

When you are using many-to-one network address translation +outbound (IP masquerade or SNAT) and you want to allow connections from the internet to an +internal server (either in your local zone or in your DMZ), then you need to use +port forwarding (also known as Destination Network Address Translation or +DNAT). Inbound connection requests are selective forwarded to internal systems +based on rules that you supply.

+

The general form of a simple port forwarding rule in +/etc/shorewall/rules is:

+
     DNAT	net <server zone>:<server local ip address> <protocol> <port>
+

Example - you run a Web Server on your local zone at 192.168.1.5 and you want +to forward incoming TCP port 80 to that system. You have a single external IP +address:

+
     DNAT	net	loc:192.168.1.5	tcp	80
+

Example - you want to forward TCP port 80 to 192.168.2.4 in your DMZ and you +want to allow access to that server from your local zone:

+
     DNAT	net	dmz:192.168.2.4	tcp	80
+     ACCEPT	loc	dmz:192.168.2.4 tcp	80
+
+

If you have a static IP address (assume 206.124.146.176) +and you want your local clients to be able to access your web server using that +external address, you can use these entries instead:

+
+
     DNAT	net	dmz:192.168.2.4	tcp	80
+     DNAT	loc	dmz:192.168.2.4 tcp	80	-	206.124.146.176
+

Example - You have a static external IP address (206.124.146.176) and you +have DNS set up so that www.yourdomain.com +resolves to that address. You want to run a web server in your local network (I +think that this is a BAD IDEA -- see FAQ 2) on system +192.168.1.4 and you want internet users and your local users to be able to +access www.yourdomain.com. Your +firewall's internal IP address is 192.168.1.254 and is on eth1.

+
     DNAT	net loc:192.168.1.4 	tcp 	80
+     DNAT 	loc loc:192.168.2.4 	tcp 	80 - 206.124.146.176:192.168.1.254
+
+

In addition, you must specify the multi option on eth1 in + /etc/shorewall/interfaces:

+
+
     loc    eth1    detect    routestopped,multi
+

If you have requirements for port forwarding beyond what is shown here (like +forwarding to a different port number or redirecting to a proxy), see the +rules file documentation.

+

At this point, please edit the /etc/shorewall/rules file and make any +additions required by your setup.

You are now ready to start shorewall. If +you encounter problems, see the troubleshooting +information.

+

Starting and Stopping Your Firewall

The firewall is started using the +"shorewall start" command and stopped using "shorewall stop". When the firewall +is stopped, routing is enabled on those interfaces that have the "routestopped" +option specified in /etc/shorewall/interfaces. If you want to totally remove any +trace of Shorewall from your Netfilter configuration, use "shorewall clear".

+

Copyright 2002 Thomas M. Eastep

+ +
+ + \ No newline at end of file diff --git a/STABLE/documentation/blacklisting_support.htm b/STABLE/documentation/blacklisting_support.htm new file mode 100644 index 000000000..46370f176 --- /dev/null +++ b/STABLE/documentation/blacklisting_support.htm @@ -0,0 +1,62 @@ + + + + + + + +Blacklisting Support + + + + + +

Blacklisting Support

+

Shorewall supports two different forms of blacklisting; static and dynamic.

+

Static Blacklisting

+

Shorewall +static blacklisting support has the following configuration parameters:

+
+ + + + + +
bulletYou specify whether you want packets from blacklisted hosts dropped or + rejected using the BLACKLIST_DISPOSITION + setting in /etc/shorewall/shorewall.conf
bulletYou specify whether you want packets from blacklisted hosts logged and at + what syslog level using the BLACKLIST_LOGLEVEL + setting in /etc/shorewall/shorewall.conf
bulletYou list the IP addresses/subnets that you wish to blacklist in /etc/shorewall/blacklist
bulletYou specify the interfaces whose incoming packets you want checked against + the blacklist using the "blacklist" + option in /etc/shorewall/interfaces.
bulletThe black list is refreshed from /etc/shorewall/blacklist by the "shorewall + refresh" command.
+

Dynamic Blacklisting

+

Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting +doesn't use any configuration parameters but is rather controlled using +/sbin/shorewall commands:

+
+ + + + + +
bulletdeny <ip address list> - causes packets from the listed IP + addresses to be silently dropped by the firewall.
bulletreject <ip address list> - causes packets from the listed IP + addresses to be rejected by the firewall.
bulletallow <ip address list> - re-enables receipt of packets from hosts + previously blacklisted by a deny or reject command.
bulletsave - save the dynamic blacklisting configuration so that it will be + automatically restored the next time that the firewall is restarted.
bulletshow dynamic - displays the dynamic blacklisting configuration.
+

Example 1:

+
     shorewall deny 192.0.2.124 192.0.2.125
+

    Drops packets from hosts 192.0.2.124 and 192.0.2.125

+

Example 2:

+
     shorewall allow 192.0.2.125
+

    Reenables access from 192.0.2.125.

+

Last updated 6/16/2002 - Tom +Eastep

+ +

Copyright2002 Thomas M. Eastep.

+ +
+ + \ No newline at end of file diff --git a/STABLE/documentation/configuration_file_basics.htm b/STABLE/documentation/configuration_file_basics.htm new file mode 100644 index 000000000..d103c1eb8 --- /dev/null +++ b/STABLE/documentation/configuration_file_basics.htm @@ -0,0 +1,228 @@ + + + + + + + +Configuration File Basics + + + + + +

Configuration Files

+

Warning: If you copy or edit your + configuration files on a system running Microsoft Windows, you must + run them through + dos2unix before you use them with Shorewall.

+ + +

Files

+ + +

Shorewall's configuration files are in the directory /etc/shorewall.

+ + +
+ + + + + + + + + + + + + + + + +
bullet/etc/shorewall/shorewall.conf - used to set several firewall + parameters.
bullet/etc/shorewall/params - use this file to set shell variables that you will + expand in other files.
bullet/etc/shorewall/zones - partition the firewall's view of the world + into zones.
bullet/etc/shorewall/policy - establishes firewall high-level policy.
bullet/etc/shorewall/interfaces - describes the interfaces on the + firewall system.
bullet/etc/shorewall/hosts - allows defining zones in terms of individual + hosts and subnetworks.
bullet/etc/shorewall/masq - directs the firewall where to use many-to-one + (dynamic) Network Address Translation (a.k.a. Masquerading) and Source + Network Address Translation (SNAT).
bullet/etc/shorewall/modules - directs the firewall to load kernel modules.
bullet/etc/shorewall/rules - defines rules that are exceptions to the + overall policies established in /etc/shorewall/policy.
bullet/etc/shorewall/nat - defines static NAT rules.
bullet/etc/shorewall/proxyarp - defines use of Proxy ARP.
bullet/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts + accessible when Shorewall is stopped.
bullet/etc/shorewall/tcrules - defines marking of packets for later use by + traffic control/shaping or policy routing.
bullet/etc/shorewall/tos - defines rules for setting the TOS field in packet + headers.
bullet/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on + the firewall system.
bullet/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.
+

Comments

+ + +

You may place comments in configuration files by making the first non-whitespace + character a pound sign ("#"). You may also place comments at the end of any line, again by + delimiting the comment from the rest of the line with a pound sign.

+ + +

Examples:

+ + +
# This is a comment
ACCEPT	net	fw	tcp	www	#This is an end-of-line comment
+

Line Continuation

+ + +

You may continue lines in the configuration files using the usual backslash ("\") followed + immediately by a new line character.

+ + +

Example:

+ + +
ACCEPT	net	fw	tcp \
+smtp,www,pop3,imap  #Services running on the firewall
+

Complementing an Address or Subnet

+ +

Where specifying an IP address, a subnet or an interface, you can + precede the item with "!" to specify the complement of the item. For + example, !192.168.1.4 means "any host but 192.168.1.4".

+ +

Comma-separated Lists

+ +

Comma-separated lists are allowed in a number of contexts within the + configuration files. A comma separated list:

+ +
+ + + +
bulletMust not have any embedded white space.
+ Valid: routestopped,dhcp,norfc1918
+ Invalid: routestopped,     dhcp,     + norfc1818
bulletIf you use line continuation to break a comma-separated list, the + continuation line(s) must begin in column 1 (or there would be embedded + white space)
bulletEntries in a comma-separated list may appear in any order.
+ +

Port Numbers/Service Names

+ +

Unless otherwise specified, when giving a port number you can use + either an integer or a service name from /etc/services.

+ +

Port Ranges

+ +

If you need to specify a range of ports, the proper syntax is <low + port number>:<high port number>.

+ +

Using Shell Variables

+ +

You may use the file /etc/shorewall/params + file to set shell variables that you can then use in some of the other + configuration files.

+ +

It is suggested that variable names begin with an upper case letter + to distinguish them from variables used internally within the +Shorewall programs

+ +

Example:

+ +
+

NET_IF=eth0
+ NET_BCAST=130.252.100.255
+ NET_OPTIONS=noping,norfc1918

+
+ +


+ Example (/etc/shorewall/interfaces record):

+ + + +
+

net $NET_IF $NET_BCAST $NET_OPTIONS

+
+ +
+ +

The result will be the same as if the record had been written

+ + + +
+

net eth0 130.252.100.255 noping,norfc1918

+
+ +
+ +

Variables may be used anywhere in the + other configuration files.

+ +

Using MAC Addresses

+ +

Media Access Control (MAC) + addresses can be used to specify packet source in several of the + configuration files. To use this feature, your kernel must have MAC + Address Match support (CONFIG_IP_NF_MATCH_MAC) included.

+

MAC addresses are 48 bits wide and each Ethernet Controller has a + unique MAC address.
+
+ In GNU/Linux, MAC addresses are usually written as a series of 6 hex numbers + separated by colons. Example:
+
+     [root@gateway root]# ifconfig eth0
+     eth0 Link encap:Ethernet HWaddr 02:00:08:E3:FA:55
+     inet addr:206.124.146.176 Bcast:206.124.146.255 + Mask:255.255.255.0
+     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+     RX packets:2398102 errors:0 dropped:0 overruns:0 + frame:0
+     TX packets:3044698 errors:0 dropped:0 overruns:0 + carrier:0
+     collisions:30394 txqueuelen:100
+     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 + (1582.8 Mb)
+     Interrupt:11 Base address:0x1800
+
+ Because Shorewall uses colons as a separator for address fields, Shorewall requires + MAC addresses to be written in another way. In Shorewall, MAC addresses + begin with a tilde ("~") and consist of 6 hex numbers separated by + hyphens. In Shorewall, the MAC address in the example above would be + written "~02-00-08-E3-FA-55".

+ +

Shorewall Configurations

+

+ Shorewall allows you to have configuration +directories other than /etc/shorewall. The shorewall start +and restart + commands allow you to specify an alternate configuration directory and +Shorewall will use the files in the alternate directory rather than the corresponding + files in /etc/shorewall. The alternate directory need not contain a complete + configuration; those files not in the alternate directory will be read from + /etc/shorewall.

+

+ This facility permits you to easily create a test or temporary configuration +by:

+
    +
  1. + copying the files that need modification from /etc/shorewall to a separate + directory;
  2. +
  3. + modify those files in the separate directory; and
  4. +
  5. + specifying the separate directory in a shorewall start or shorewall +restart command (e.g., shorewall -c /etc/testconfig restart +).
  6. +
+ + + +

+ Updated 8/6/2002 - Tom +Eastep +

+ + + +

Copyright + © 2001, 2002 Thomas M. Eastep.

+ + + +
+ + \ No newline at end of file diff --git a/STABLE/documentation/copyright.htm b/STABLE/documentation/copyright.htm new file mode 100644 index 000000000..bb00660e8 --- /dev/null +++ b/STABLE/documentation/copyright.htm @@ -0,0 +1,29 @@ + + + + + + + +Copyright + + + + + +

Copyright

+

Copyright ©  2000, 2001 +Thomas M Eastep

+
+

Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version 1.1 or + any later version published by the Free Software Foundation; with no Invariant + Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the + license is included in the section entitled "GNU Free Documentation License".

+
+ +
+ + \ No newline at end of file diff --git a/STABLE/documentation/dhcp.htm b/STABLE/documentation/dhcp.htm new file mode 100644 index 000000000..928262e97 --- /dev/null +++ b/STABLE/documentation/dhcp.htm @@ -0,0 +1,55 @@ + + + + + + + +DHCP + + + + + +

DHCP

+

DHCP Server on your firewall

+
+ + +
bullet +

Specify the "dhcp" option on each interface to be + served by your server in the /etc/shorewall/interfaces + file.

bullet +

When starting "dhcpd", you need to list those + interfaces on the run line. On a RedHat system, this is done by modifying + /etc/sysconfig/dhcpd.

+

A Firewall Interface gets its IP Address via DHCP

+
+ + + + +
bullet +

Specify the "dhcp" option for this interface in + the /etc/shorewall/interfaces + file.

bullet +

If you know that the dynamic address is always going to be + in the same subnet, you can specify the subnet address in the interface's + entry in the /etc/shorewall/interfaces + file.

bullet +

If you don't know the subnet address in advance, you should + specify "detect" for the interface's subnet address in the /etc/shorewall/interfaces + file and start Shorewall after the interface has started.

bullet +

In the event that the subnet address might change while + Shorewall is started, you need to arrange for a "shorewall + refresh" command to be executed when a new dynamic IP address gets + assigned to the interface. Check your DHCP client's documentation.

+

Last updated 1/26/2002 - Tom +Eastep

+ +

Copyright2001, 2002 Thomas M. Eastep.

+ +
+ + \ No newline at end of file diff --git a/STABLE/documentation/download.htm b/STABLE/documentation/download.htm new file mode 100644 index 000000000..72bffc4d3 --- /dev/null +++ b/STABLE/documentation/download.htm @@ -0,0 +1,222 @@ + + + + + + + +Download + + + + + +

Shorewall Download

+ +

I strongly urge you to read and print a copy of the + Shorewall QuickStart Guide + for the configuration that most closely matches your own.

+ +

Once you've done that, download one of the modules:

+ +
+ + + + +
bulletIf you run a RedHat, SuSE, Mandrake, Linux PPC or + TurboLinux distribution + with a 2.4 kernel, you can use the RPM version (note: the + RPM should also work with other distributions that store +init scripts in /etc/init.d and that include chkconfig or insserv). +If you find that it works in other cases, let + me + know so that I can mention them here. See the + Installation Instructions if you have problems + installing the RPM.
bulletIf you are running LRP, download the .lrp file (you might also want to + download the .tgz so you will have a copy of the documentation).
bulletIf you run Debian and would + like a .deb package, Shorewall is in both the + Debian + Testing Branch and the + Debian + Unstable Branch.
bulletOtherwise, download the shorewall module (.tgz)
+

The documentation in HTML format is included in the .tgz and .rpm files and +there is an documentation .deb that also contains the documentation.

+

Please verify the version that you have + downloaded -- during the release of a new version of Shorewall, the links + below may point to a newer or an older version than is shown below.

+
+ + + +
bulletRPM - "rpm -qip LATEST.rpm"
bulletTARBALL - "tar -ztf LATEST.tgz" (the directory + name will contain the version)
bulletLRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar + -zxf <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version"
+

Once you have verified the + version, check the errata + to see if there are updates that apply to the version that you have + downloaded.

+

WARNING - YOU CAN NOT SIMPLY INSTALL THE RPM +AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE +FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO +START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, +ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.

+

Download Latest Version (1.3.6): Remember that updates to the mirrors +occur 1-12 hours after an update to the primary site.

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SERVER LOCATIONDOMAINHTTPFTP
Washington State, USAShorewall.netDownload .rpm
+ Download + .tgz 
+ Download + .lrp
+ Download .rpm 
+ Download + .tgz 
+ Download + .lrp
Slovak RepublicShorewall.netDownload .rpm
+ Download + .tgz 
+ Download + .lrp
+ Download .rpm  
+ Download + .tgz 
+ Download + .rpm
Texas, USAInfohiiway.comDownload .rpm
+ Download + .tgz 
+ Download + .lrp
+ Download .rpm  
+ Download + .tgz 
+ Download + .rpm
Hamburg, GermanyShorewall.net + Download .rpm
+ Download + .tgz
+ Download + .lrp
+ + Download .rpm  
+ Download + .tgz 
+ Download + .lrp
Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.ar + Download .rpm  
+ Download + .tgz 
+ + Download .lrp
+ Download .rpm  
+ Download + .tgz 
+ + Download .lrp
+
+

Browse Download Sites:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SERVER LOCATIONDOMAINHTTPFTP
Washington State, USAShorewall.netBrowseBrowse
Slovak RepublicShorewall.netBrowse + Browse
Texas, USAInfohiiway.comBrowseBrowse
Hamburg, GermanyShorewall.netBrowseBrowse
Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.arBrowse + + Browse
California, USA (Incomplete)Sourceforge.netBrowseN/A
+
+

CVS:

+ +
+

The +CVS +repository at cvs.shorewall.net contains the latest snapshots of the each +Shorewall component. There's no guarantee that what you find there will work at +all.

+ +
+

Last Updated 8/05/2002 - Tom +Eastep

+ +

Copyright2001, 2002 Thomas M. Eastep.

+ +
+ + \ No newline at end of file diff --git a/STABLE/documentation/errata.htm b/STABLE/documentation/errata.htm new file mode 100644 index 000000000..40eaa27dc --- /dev/null +++ b/STABLE/documentation/errata.htm @@ -0,0 +1,338 @@ + + + + + + Shorewall 1.3 Errata + + + + + + + + + +

Shorewall Errata

+ +

+ + + IMPORTANT

+ +
    +
  1. + +

    + + If you use a Windows system to download a corrected script, be sure to +run the script through + +dos2unix + after you have moved it to your Linux system.

    + +
  2. +
  3. + +

    + + If you are installing Shorewall for the first time and plan to use the + .tgz and install.sh script, you can untar the archive, replace the + 'firewall' script in the untarred directory with the one you downloaded + below, and then run install.sh.

    + +
  4. +
  5. + +

    + + When the instructions say to install a corrected firewall script in + /etc/shorewall/firewall or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the + existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall + or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall + and /var/lib/shorewall/firewall are symbolic links that point + to the 'shorewall' file used by your system initialization scripts to + start Shorewall during boot. It is that file that must be overwritten + with the corrected script.

    + +
  6. +
+ +

+ +         

+ +
+ + + + + + +
bullet + + + Problems in Version 1.1
bullet + + Problems in Version 1.2
bullet + + Problems in Version 1.3
bullet + + + Problem with iptables version 1.2.3
bullet + + Problems with kernel 2.4.18 and + RedHat iptables
bulletProblems installing/upgrading RPM on SuSE SMP
+

+ +

Problems in Version 1.3

+ +

Versions >= 1.3.5

+ +

Some forms of pre-1.3.0 rules file syntax are no + longer supported.

+ +

Example 1:

+ +
+
	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all
+
+ +

Must be replaced with:

+ +
+
	DNAT	net	loc:192.168.1.12:22	tcp	11111
+
+
+

Example 2:

+
+
	ACCEPT	loc	fw::3128	tcp	80	-	all
+
+
+

Must be replaced with:

+
+
	REDIRECT	loc	3128	tcp	80
+
+ +

Version 1.3.5-1.3.5b

+ +

The new 'proxyarp' interface option doesn't work :-( + This is fixed in + + this corrected firewall script which must be installed in + /var/lib/shorewall/ as described above.

+ +

Versions 1.3.4-1.3.5a

+ +

Prior to version 1.3.4, host file entries such as the + following were allowed:

+ +
+
	adm	eth0:1.2.4.5,eth0:5.6.7.8
+
+
+

That capability was lost in version 1.3.4 so that it is only + possible to  include a single host specification on each line. This + problem is corrected by + this + modified 1.3.5a firewall script. Install the script in /var/lib/pub/shorewall/firewall + as instructed above.

+ +
+

This problem is corrected in version 1.3.5b.

+ +

Version 1.3.5

+ +

REDIRECT rules are broken in this version. Install + + this corrected firewall script in /var/lib/pub/shorewall/firewall + as instructed above. This problem is corrected in version 1.3.5a.

+ +

Version 1.3.n, n < 4

+ +

The "shorewall start" and "shorewall restart" commands + to not verify that the zones named in the /etc/shorewall/policy file + have been previously defined in the /etc/shorewall/zones file. The + "shorewall check" command does perform this verification so it's a + good idea to run that command after you have made configuration + changes.

+ +

Version 1.3.n, n < 3

+ +

If you have upgraded from Shorewall 1.2 and after + "Activating rules..." you see the message: "iptables: No + chains/target/match by that name" then you probably have an entry in + /etc/shorewall/hosts that specifies an interface that you didn't + include in /etc/shorewall/interfaces. To correct this problem, you + must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and + later versions produce a clearer error message in this case.

+ +

Version 1.3.2

+ +

Until approximately 2130 GMT on 17 June 2002, the + download sites contained an incorrect version of the .lrp file. That + file can be identified by its size (56284 bytes). The correct version + has a size of 38126 bytes.

+ +
+ + +
bulletThe code to detect a duplicate interface entry in + /etc/shorewall/interfaces contained a typo that prevented it from + working correctly.
bullet"NAT_BEFORE_RULES=No" was broken; it behaved just like "NAT_BEFORE_RULES=Yes".
+ +

Both problems are corrected in + + this script which should be installed in /var/lib/shorewall as described above.

+ +
+ +
bullet + +

The IANA have just announced the allocation of subnet + 221.0.0.0/8. This + + updated rfc1918 file reflects that allocation.

+ +
+ +

Version 1.3.1

+ +
+ + + + +
bulletTCP SYN packets may be double counted when + LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each + packet is sent through the limit chain twice).
bulletAn unnecessary jump to the policy chain is sometimes + generated for a CONTINUE policy.
bulletWhen an option is given for more than one interface in + /etc/shorewall/interfaces then depending on the option, Shorewall + may ignore all but the first appearence of the option. For example:
+
+ net    eth0    dhcp
+ loc    eth1    dhcp
+
+ Shorewall will ignore the 'dhcp' on eth1.
bulletUpdate 17 June 2002 - The bug described in the prior bullet + affects the following options: dhcp, dropunclean, logunclean, + norfc1918, routefilter, multi, filterping and noping. An additional + bug has been found that affects only the 'routestopped' option.
+
+ Users who downloaded the corrected script prior to 1850 GMT today + should download and install the corrected script again to ensure + that this second problem is corrected.
+ +

These problems are corrected in + + this firewall script which should be installed in + /etc/shorewall/firewall as described above.

+ +

Version 1.3.0

+ +
+ + +
bulletFolks who downloaded 1.3.0 from the links on the download page + before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13 rather than + 1.3.0. The "shorewall version" command will tell you which version + that you have installed.
bulletThe documentation NAT.htm file uses non-existent + wallpaper and bullet graphic files. The + + corrected version is here.
+

+ +

+ Problem with iptables version 1.2.3

+ +
+ +

There are a couple of serious bugs in iptables 1.2.3 that + prevent it from working with Shorewall. Regrettably, +RedHat released this buggy iptables in RedHat 7.2. 

+ +

I have built a + corrected 1.2.3 rpm which you can download here  and I have also built + an + iptables-1.2.4 rpm which you can download here. If +you are currently running RedHat 7.1, you can install either of these RPMs + before you upgrade to RedHat 7.2.

+ +

Update + 11/9/2001: RedHat has + released an iptables-1.2.4 RPM of their own which you can download from + http://www.redhat.com/support/errata/RHSA-2001-144.html. + I have installed this RPM + on my firewall and it works fine.

+ +

If you + would like to patch iptables 1.2.3 yourself, the patches are available + for download. This patch + which corrects a problem with parsing of the --log-level specification while + this patch + corrects a problem in handling the  TOS target.

+ +

To install one of the above patches:

+
+ + +
bulletcd iptables-1.2.3/extensions
bulletpatch -p0 < the-patch-file
+ +
+ +

Problems with kernel 2.4.18 + and RedHat iptables

+
+

Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may + experience the following:

+
+
# shorewall start
+Processing /etc/shorewall/shorewall.conf ...
+Processing /etc/shorewall/params ...
+Starting Shorewall...
+Loading Modules...
+Initializing...
+Determining Zones...
+Zones: net
+Validating interfaces file...
+Validating hosts file...
+Determining Hosts in Zones...
+Net Zone: eth0:0.0.0.0/0
+iptables: libiptc/libip4tc.c:380: do_check: Assertion
+`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
+Aborted (core dumped)
+iptables: libiptc/libip4tc.c:380: do_check: Assertion
+`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
+Aborted (core dumped)
+
+
+

The RedHat iptables RPM is compiled with debugging enabled but the + user-space debugging code was not updated to reflect recent changes in the + Netfilter 'mangle' table. You can correct the problem by installing + + this iptables RPM. If you are already running a 1.2.5 version of + iptables, you will need to specify the --oldpackage option to rpm (e.g., + "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").

+
+ +

Problems + installing/upgrading RPM on SuSE SMP

+ +

If you find that rpm complains about a conflict + with kernel <= 2.2 yet you have a 2.4 kernel + installed, simply use the "--nodeps" option to + rpm.

+ +

Installing: rpm -ivh <shorewall rpm>

+ +

Upgrading: rpm -Uvh <shorewall rpm>

+ +

+ Last updated 8/4/2002 - + Tom Eastep +

+ +

Copyright + © 2001, 2002 Thomas M. Eastep.

+ +
+ \ No newline at end of file diff --git a/STABLE/documentation/errata_1.htm b/STABLE/documentation/errata_1.htm new file mode 100644 index 000000000..374972241 --- /dev/null +++ b/STABLE/documentation/errata_1.htm @@ -0,0 +1,210 @@ + + + + + + + +Shorewall Errata for Version 1 + + + + + +

Shorewall Errata for Version 1.1

+ +

To those of you who downloaded the 1.1.13 updated firewall script prior +to Sept 20, 2001:

+ +
+ +

Prior +to 20:00 20 Sept 2001 GMT, the link under 1.1.13 pointed to a broken version +of the firewall script. This has now been corrected. I apologize for any confusion +this may have caused.

+
+ +

Version 1.1.18

+ +
+ +

In the original .lrp, /etc/init.d/shorewall was not + secured for execute access. I have replaced the incorrect .lrp + (shorwall-1.1.18.lrp) with a corrected one (shorwall-1.1.18a.lrp).

+ +
+ +

+ Version 1.1.17

+ +
+ +

In + shorewall.conf, ADD_IP_ALIASES was incorrectly spelled + IP_ADD_ALIASAES. There is a corrected version of the file here.

+ +

This + problem is also corrected in version 1.1.18.

+
+ +

+ Version 1.1.16

+ +
+

+ The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly spelled IP_ADD_ALIASES +in the firewall script. To correct this problem, install the + corrected firewall script + in the location pointed to by the symbolic link /etc/shorewall/firewall.

+ +

+ This problem is also corrected in version 1.1.17.

+
+ +

+ Version 1.1.14-1.1.15

+ +
+

+ There are no corrections for these versions.

+
+ +

+ Version 1.1.13

+ +
+

+ The firewall fails to start if a rule with the following format is given:

+ +

+ <disposition>    z1:www.xxx.yyy.zzz    z2    proto    p1,p2,p3

+ +

+ To correct this problem, install + this corrected firewall script + in the location pointed to by the symbolic link /etc/shorewall/firewall. 

+
+ +

+ Version 1.1.12

+ +
+

+ The LRP version of Shorewall 1.1.12 has the incorrect /etc/shorewall/functions +file. This incorrect file results in many error messages of the form:

+ +
+

+ separate_list: not found

+
+ +

+ The correct file may be obtained here + . This problem is also corrected in version 1.1.13.

+
+ +

+ Version 1.1.11

+ +
+

+ There are no known problems with this version.

+
+ +

+ Version 1.1.10

+ +
+

+ If the following conditions were met:
+

+ +
    + +
  1. +

    + A LAN segment attached to the firewall was served by a DHCP server +running on the firewall.

    +
  2. + +
  3. +

    + There were entries in /etc/shorewall/hosts that referred to the +interface to that LAN segment.

    +
  4. + +
+ +

+ then up until now it has been necessary to include entries for 0.0.0.0 +and 255.255.255.255 for that interface in /etc/shorewall/hosts. + This version of the firewall script + makes those additions unnecessary provided that you simply include +"dhcp" in the options for the interface in /etc/shorewall/interfaces. +Install the script into the location pointed to by the symbolic link +/etc/shorewall/firewall.

+ +

+ This problem has also been corrected in version 1.1.11.

+
+ +

+ Version 1.1.9

+ +
+ +
bulletThe shorewall "hits" command lists extraneous service names in the final +report. + This version of the shorewall script + corrects this problem.
+ + +
+ + +

Version 1.1.8

+ +
+ +
bulletUnder some circumstances, the "dhcp" option on an interface triggers +a bug in the firewall script that results in a "chain already exists" +error. + This version of the firewall script + corrects this problem. Install it into the location pointed to by +the symbolic link /etc/shorewall/firewall.
+
+ This problem is also corrected in version 1.1.9.
+ + +
+ + +

Version 1.1.7

+ +
+ +
bulletIf the /etc/shorewall/rules template from version 1.1.7 is used, a warning +message appears during firewall startup:
+
+     Warning: Invalid Target - rule "@ icmp-unreachable packet." +ignored
+
+ This warning may be eliminated by replacing the "@" in column 1 of + line 17 with "#"
+ +
+

+ This problem is also corrected in version 1.1.8

+
+ +

+ Last updated 12/21/2001 - + Tom Eastep +

+ +

+Copyright © 2001, 2002 Thomas M. Eastep.

+ +
+ + \ No newline at end of file diff --git a/STABLE/documentation/fallback.htm b/STABLE/documentation/fallback.htm new file mode 100644 index 000000000..6244a2a5e --- /dev/null +++ b/STABLE/documentation/fallback.htm @@ -0,0 +1,67 @@ + + + + +Shorewall Fallback and Uninstall + + + + + + + +

Fallback and Uninstall

+ +

Shorewall includes +a fallback script +and an uninstall script.

+ +

Falling Back to the Previous Version of Shorewall +using the Fallback Script

+ +

If you install Shorewall and discover that +it doesn't work for you, you can fall back to your previously +installed version. To do that:

+ +
+ + +
bulletcd to the distribution directory for the version + of Seattle Firewall that you are + currently running (NOT the version + that you want to fall back to).
bulletType "./fallback.sh"
+ +

Warning: The fallback script +will replace /etc/shorewall/policy, /etc/shorewall/rules, /etc/shorewall/interfaces, +/etc/shorewall/nat, /etc/shorewall/proxyarp and /etc/shorewall/masq with the version of +these files from before the current version was installed. Any +changes to any of these files will be lost.

+ +

Falling Back to the Previous Version of Shorewall using +rpm

+ +

If your previous version of Shorewall was +installed using RPM, you may fall back to that version by typing +"rpm -Uvh --force <old rpm>" at a root shell +prompt (Example: "rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm" would fall back to the 3.1-0 +version of Shorewall).

+ +

Uninstalling Shorewall

+ +

If you no longer wish to use Shorewall, you +may remove it by:

+ +
+ + +
bulletcd to the distribution directory for the version + of Shorewall that you have installed.
bullettype "./uninstall.sh"
+ +

If you installed using an rpm, at a root shell prompt +type "rpm -e shorewall".

+ +

Last updated 3/26/2001 - +Tom +Eastep

+Copyright2001, 2002 Thomas M. Eastep.
\ No newline at end of file
diff --git a/STABLE/documentation/gnu_mailman.htm b/STABLE/documentation/gnu_mailman.htm
new file mode 100644
index 000000000..a6ac24881
--- /dev/null
+++ b/STABLE/documentation/gnu_mailman.htm
@@ -0,0 +1,55 @@
+ + + + + + + +GNU Mailman + + + + + +

GNU Mailman/Postfix
+the Easy Way

+

The following was posted on the Postfix mailing list on 5/4/2002 by Michael +Tokarev as a suggested addition to the Postfix FAQ.

+

Q: Mailman does not work with Postfix, complaining about GID mismatch
+
+A: Mailman uses a setgid wrapper that is designed to be used in system-wide +aliases file so that rest of mailman's mail handling processes will run with +proper uid/gid. Postfix has an ability to run a command specified in an alias as +owner of that alias, thus mailman's wrapper is not needed here. The best method +to invoke mailman's mail handling via aliases is to use separate alias file +especially for mailman, and made it owned by mailman and group mailman. Like:
+
+alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases
+
+Make sure that /var/mailman/aliases.db is owned by mailman user (this may be +done by executing postalias as mailman userid).
+
+Next, instead of using mailman-suggested aliases entries with wrapper, use the +following:
+
+instead of
+mailinglist: /var/mailman/mail/wrapper post mailinglist
+mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist
+mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist
+...
+
+use
+mailinglist: /var/mailman/scripts/post mailinglist
+mailinglist-admin: /var/mailman/scripts/mailowner mailinglist
+mailinglist-request: /var/mailman/scripts/mailcmd mailinglist
+...

+

The Shorewall mailing lists are currently running Postfix 1.1.7 together +with the stock RedHat Mailman-2.0.8 RPM configured as shown above.

+

Last updated 5/4/2002 - Tom +Eastep

+

+Copyright © 2001, 2002 Thomas M. Eastep.

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/hosts_file.htm b/STABLE/documentation/hosts_file.htm
new file mode 100644
index 000000000..5c8d7905a
--- /dev/null
+++ b/STABLE/documentation/hosts_file.htm
@@ -0,0 +1,21 @@
+ + + + + + + +The Hosts File + + + + + +

The Hosts File

+

Since there seems to be a lot of confusion regarding the +/etc/shorewall/hosts file, I have created this page to try to clear the fog.

+

 

+ +
+ + +
diff --git a/STABLE/documentation/images/BD21298_.gif b/STABLE/documentation/images/BD21298_.gif
new file mode 100644
index 000000000..335cde588
Binary files /dev/null and b/STABLE/documentation/images/BD21298_.gif differ
diff --git a/STABLE/documentation/images/BD21298_1.gif b/STABLE/documentation/images/BD21298_1.gif
new file mode 100644
index 000000000..335cde588
Binary files /dev/null and b/STABLE/documentation/images/BD21298_1.gif differ
diff --git a/STABLE/documentation/images/BD21298_2.gif b/STABLE/documentation/images/BD21298_2.gif
new file mode 100644
index 000000000..335cde588
Binary files /dev/null and b/STABLE/documentation/images/BD21298_2.gif differ
diff --git a/STABLE/documentation/images/BD21298_3.gif b/STABLE/documentation/images/BD21298_3.gif
new file mode 100644
index 000000000..335cde588
Binary files /dev/null and b/STABLE/documentation/images/BD21298_3.gif differ
diff --git a/STABLE/documentation/images/DMZ.jpg b/STABLE/documentation/images/DMZ.jpg
new file mode 100644
index 000000000..5dad01fd0
Binary files /dev/null and b/STABLE/documentation/images/DMZ.jpg differ
diff --git a/STABLE/documentation/images/DMZ2.jpg b/STABLE/documentation/images/DMZ2.jpg
new file mode 100644
index 000000000..7e5917f28
Binary files /dev/null and b/STABLE/documentation/images/DMZ2.jpg differ
diff --git a/STABLE/documentation/images/DMZ3.jpg b/STABLE/documentation/images/DMZ3.jpg
new file mode 100644
index 000000000..05c7bbf15
Binary files /dev/null and b/STABLE/documentation/images/DMZ3.jpg differ
diff --git a/STABLE/documentation/images/DMZ4.JPG b/STABLE/documentation/images/DMZ4.JPG
new file mode 100644
index 000000000..7054b0566
Binary files /dev/null and b/STABLE/documentation/images/DMZ4.JPG differ
diff --git a/STABLE/documentation/images/DMZ5.JPG b/STABLE/documentation/images/DMZ5.JPG
new file mode 100644
index 000000000..384247221
Binary files /dev/null and b/STABLE/documentation/images/DMZ5.JPG differ
diff --git a/STABLE/documentation/images/DMZ6.JPG b/STABLE/documentation/images/DMZ6.JPG
new file mode 100644
index 000000000..8894a5e7a
Binary files /dev/null and b/STABLE/documentation/images/DMZ6.JPG differ
diff --git a/STABLE/documentation/images/Hiking.jpg b/STABLE/documentation/images/Hiking.jpg
new file mode 100644
index 000000000..f0d45e1a7
Binary files /dev/null and b/STABLE/documentation/images/Hiking.jpg differ
diff --git a/STABLE/documentation/images/Hiking1.jpg b/STABLE/documentation/images/Hiking1.jpg
new file mode 100644
index 000000000..0c94246a7
Binary files /dev/null and b/STABLE/documentation/images/Hiking1.jpg differ
diff --git a/STABLE/documentation/images/Mobile.jpg b/STABLE/documentation/images/Mobile.jpg
new file mode 100644
index 000000000..7c69fe837
Binary files /dev/null and b/STABLE/documentation/images/Mobile.jpg differ
diff --git a/STABLE/documentation/images/ORE.jpg b/STABLE/documentation/images/ORE.jpg
new file mode 100644
index 000000000..5dad3179f
Binary files /dev/null and b/STABLE/documentation/images/ORE.jpg differ
diff --git a/STABLE/documentation/images/SY00079.gif b/STABLE/documentation/images/SY00079.gif
new file mode 100644
index 000000000..9d567b7ae
Binary files /dev/null and b/STABLE/documentation/images/SY00079.gif differ
diff --git a/STABLE/documentation/images/Shorewall_Banner.gif b/STABLE/documentation/images/Shorewall_Banner.gif
new file mode 100644
index 000000000..6450fe29c
Binary files /dev/null and b/STABLE/documentation/images/Shorewall_Banner.gif differ
diff --git a/STABLE/documentation/images/TwoNets1.jpg b/STABLE/documentation/images/TwoNets1.jpg
new file mode 100644
index 000000000..f7962f377
Binary files /dev/null and b/STABLE/documentation/images/TwoNets1.jpg differ
diff --git a/STABLE/documentation/images/apache_pb1.gif b/STABLE/documentation/images/apache_pb1.gif
new file mode 100644
index 000000000..e27b7fb74
Binary files /dev/null and b/STABLE/documentation/images/apache_pb1.gif differ
diff --git a/STABLE/documentation/images/basics.jpg b/STABLE/documentation/images/basics.jpg
new file mode 100644
index 000000000..b04001249
Binary files /dev/null and b/STABLE/documentation/images/basics.jpg differ
diff --git a/STABLE/documentation/images/basics1.jpg b/STABLE/documentation/images/basics1.jpg
new file mode 100644
index 000000000..1883f93ae
Binary files /dev/null and b/STABLE/documentation/images/basics1.jpg differ
diff --git a/STABLE/documentation/images/but3.png b/STABLE/documentation/images/but3.png
new file mode 100644
index 000000000..e6d39edfc
Binary files /dev/null and b/STABLE/documentation/images/but3.png differ
diff --git a/STABLE/documentation/images/compaq.gif b/STABLE/documentation/images/compaq.gif
new file mode 100644
index 000000000..11f8674ee
Binary files /dev/null and b/STABLE/documentation/images/compaq.gif differ
diff --git a/STABLE/documentation/images/dyndns_anim2.gif b/STABLE/documentation/images/dyndns_anim2.gif
new file mode 100644
index 000000000..07def3a1e
Binary files /dev/null and b/STABLE/documentation/images/dyndns_anim2.gif differ
diff --git a/STABLE/documentation/images/j0213519.gif b/STABLE/documentation/images/j0213519.gif
new file mode 100644
index 000000000..818e79c18
Binary files /dev/null and b/STABLE/documentation/images/j0213519.gif differ
diff --git a/STABLE/documentation/images/leaflogo.gif b/STABLE/documentation/images/leaflogo.gif
new file mode 100644
index 000000000..ac6fbec2f
Binary files /dev/null and b/STABLE/documentation/images/leaflogo.gif differ
diff --git a/STABLE/documentation/images/leaflogo.jpg b/STABLE/documentation/images/leaflogo.jpg
new file mode 100644
index 000000000..b810b420d
Binary files /dev/null and b/STABLE/documentation/images/leaflogo.jpg differ
diff --git a/STABLE/documentation/images/linux_powered.gif b/STABLE/documentation/images/linux_powered.gif
new file mode 100644
index 000000000..3a7ddf192
Binary files /dev/null and b/STABLE/documentation/images/linux_powered.gif differ
diff --git a/STABLE/documentation/images/logo-sm.jpg b/STABLE/documentation/images/logo-sm.jpg
new file mode 100644
index 000000000..c81c74d04
Binary files /dev/null and b/STABLE/documentation/images/logo-sm.jpg differ
diff --git a/STABLE/documentation/images/menuconfig.jpg b/STABLE/documentation/images/menuconfig.jpg
new file mode 100644
index 000000000..835996728
Binary files /dev/null and b/STABLE/documentation/images/menuconfig.jpg differ
diff --git a/STABLE/documentation/images/menuconfig1.jpg b/STABLE/documentation/images/menuconfig1.jpg
new file mode 100644
index 000000000..fb23469e0
Binary files /dev/null and b/STABLE/documentation/images/menuconfig1.jpg differ
diff --git a/STABLE/documentation/images/netopts.jpg b/STABLE/documentation/images/netopts.jpg
new file mode 100644
index 000000000..d50c3022d
Binary files /dev/null and b/STABLE/documentation/images/netopts.jpg differ
diff --git a/STABLE/documentation/images/network.jpg b/STABLE/documentation/images/network.jpg
new file mode 100644
index 000000000..94be8ae5d
Binary files /dev/null and b/STABLE/documentation/images/network.jpg differ
diff --git a/STABLE/documentation/images/network.xpm b/STABLE/documentation/images/network.xpm
new file mode 100644
index 000000000..98549c4ad
--- /dev/null
+++ b/STABLE/documentation/images/network.xpm
@@ -0,0 +1,438 @@ +/* XPM */ +static char * network_xpm[] = { +"493 432 3 1", +" c None", +". c #FFFFFF", +"+ c #000000", +"...........................................................................................................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+.................+++++.....++++...+..........+.+..+.......+.............+..................+.+................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+.................+....+...+....+..+..........+.+..++.....++.............+..................+.+................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+.................+.....+..+.......+..........+.+..++.....++...+++....++.+...+++...+.+..+...+.+................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+.................+.....+...++.....+...............+.+...+.+..+...+..+..++..+...+..++.++.+.....................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+.................+.....+.....++...+...............+.+...+.+..+...+..+...+..+...+..+..+..+.....................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+.................+.....+.......+..+...............+..+.+..+..+...+..+...+..+++++..+..+..+.....................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+.................+.....+..+....+..+...............+..+.+..+..+...+..+...+..+......+..+..+.....................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+.................+....+...+....+..+...............+...+...+..+...+..+..++..+...+..+..+..+.....................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+.................+++++.....++++...+++++...........+...+...+...+++....++.+...+++...+..+..+.....................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"............................................................................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"............................................................................................................................................................................................+..................+++....+++....+++........+.....+++......+........+.......+....+++........+....+++++...+++.........+....+++++...+++..........+.....+++....+++..........................+.......................................................................................................................", +"............................................................................................................................................................................................+.................+...+..+...+..+...+.....+++....+...+....++......+++......++...+...+.....+++........+..+...+......+++........+..+...+.......+++....+...+..+...+.........................+.......................................................................................................................", +"............................................................................................................................................................................................+.....................+..+...+..+...........+........+...+.+........+.....+.+...+...........+.......+...+............+.......+...+...+.........+....+...+..+...+.........................+.......................................................................................................................", +"............................................................................................................................................................................................+....................+...+...+..+.++........+.......+....+.+........+.....+.+...+.++........+.......+...+.++.........+.......+....+++..........+.....+++...+...+.........................+.......................................................................................................................", 
+"............................................................................................................................................................................................+...................+....+...+..++..+.......+......+....+..+........+....+..+...++..+.......+......+....++..+........+......+....+...+.........+....+...+..+...+.........................+.......................................................................................................................", +"............................................................................................................................................................................................+..................+.....+...+..+...+.......+.....+....+...+........+...+...+...+...+.......+......+....+...+........+......+....+...+.++++....+....+...+..+...+.........................+.......................................................................................................................", +"............................................................................................................................................................................................+.................+......+...+..+...+.......+....+.....++++++.......+...++++++..+...+.......+......+....+...+........+......+....+...+.........+....+...+..+...+.........................+.......................................................................................................................", +"++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..................................................+.................+......+...+..+...+.......+....+.........+........+.......+...+...+.......+.....+.....+...+........+.....+.....+...+.........+....+...+..+...+.........................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+.................+++++...+++....+++...+....+....+++++.....+...+....+.......+....+++...+....+.....+......+++....+....+.....+......+++..........+.....+++....+++..........................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+...............................................................................................................+........................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+..............................................................................................................+.........................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+..........++++..........................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+.........+....+.........................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+.........+........+++...+.+.+...+...+++...+.+...........................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+..........++.....+...+..++..+...+..+...+..++............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+............++...+...+..+...+...+..+...+..+.............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+..............+..+++++..+....+.+...+++++..+.............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+.........+....+..+......+....+.+...+......+.............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+.........+....+..+...+..+.....+....+...+..+.............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+..........++++....+++...+.....+.....+++...+.............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+..........+++....+++....+++........+.....+++......+........+.......+....+++........+....+++++..+++++....................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+.........+...+..+...+..+...+.....+++....+...+....++......+++......++...+...+.....+++........+......+....................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+.............+..+...+..+...........+........+...+.+........+.....+.+...+...........+.......+......+.....................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+............+...+...+..+.++........+.......+....+.+........+.....+.+...+.++........+.......+......+.....................................+..................................................+.........+.....+++....+++........+.....+++....+++.......+++........+....................++++++..+.............................+..+......................................................+.......................................................................................................................", 
+"+...........+....+...+..++..+.......+......+....+..+........+....+..+...++..+.......+......+......+......................................+..................................................+.......+++....+...+..+...+.....+++....+...+..+...+.....+...+.....+++....................+.....................................+..+......................................................+.......................................................................................................................", +"+..........+.....+...+..+...+.......+.....+....+...+........+...+...+...+...+.......+......+......+......................................+..................................................+.........+....+...+......+.......+....+......+...+.........+.......+....................+.......+..+.+..+++..+...+...+..+++...+..+......................................................+.......................................................................................................................", +"+.........+......+...+..+...+.......+....+.....++++++.......+...++++++..+...+.......+......+......+......................................+..................................................+.........+....+...+.....+........+....+.++....+++.........+........+....................+.......+..++..+...+.+...+...+.+...+..+..+......................................................+.......................................................................................................................", +"+.........+......+...+..+...+.......+....+.........+........+.......+...+...+.......+.....+......+.......................................+..................................................+.........+.....++++....+.........+....++..+..+...+.......+.........+....................+++++...+..+...+...+..+..+..+......+..+..+......................................................+.......................................................................................................................", 
+"+.........+++++...+++....+++...+....+....+++++.....+...+....+.......+....+++...+....+.....+......+.......................................+..................................................+.........+........+...+..........+....+...+..+...+......+..........+....................+.......+..+...+++++..+..+..+...++++..+..+......................................................+.......................................................................................................................", +"+........................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++.+.........+........+..+...........+....+...+..+...+.....+...........+....................+.......+..+...+......+.+.+.+..+...+..+..+......................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+.........+....+...+..+...........+....+...+..+...+.....+...........+....................+.......+..+...+...+...+...+...+...+..+..+......................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+.........+.....+++...+++++..+....+.....+++....+++...+..+++++..+....+....................+.......+..+....+++....+...+....+++.+.+..+......................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+.................................................+.....+++....+++........+.....+++....+++........+........+++...+++++.....+.............................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+...............................................+++....+...+..+...+.....+++....+...+..+...+.....+++.......+...+..+........++.............................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+.................................................+....+...+......+.......+....+......+...+.......+...........+..+.......+.+.............................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+.................................................+....+...+.....+........+....+.++....+++........+..........+...++++....+.+.............................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+.................................................+.....++++....+.........+....++..+..+...+.......+.........+........+..+..+.............................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+.................................................+........+...+..........+....+...+..+...+.......+........+.........+.+...+.............................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+.................................................+........+..+...........+....+...+..+...+.......+.......+......+...+.++++++............................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+.................................................+....+...+..+...........+....+...+..+...+.......+.......+......+...+.....+.............................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+.................................................+.....+++...+++++..+....+.....+++....+++...+....+....+..+++++...+++......+.............................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.......................................................................................................................", 
+"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", 
+"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", 
+"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", 
+"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", 
+"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", 
+"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", 
+"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", 
+"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", 
+"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", 
+"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", 
+"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", 
+"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", 
+"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................", +"............................................................................................................................................................................................................................................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+..........................++++............+..+.........+.....................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.........................+....+..............+.........+.....................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.........................+......+...+...+.+.+++..+++...+.++..................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+..........................++....+...+...+.+..+..+...+..++..+.................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+............................++...+..+..+..+..+..+......+...+.................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+..............................+..+..+..+..+..+..+......+...+.................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.........................+....+..+.+.+.+..+..+..+......+...+.................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.........................+....+...+...+...+..+..+...+..+...+.................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+..........................++++....+...+...+..++..+++...+...+.................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+..........................................+..................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..................................................................................................................................................................", +".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", +".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", 
+".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", +".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", +".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", +".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", 
+".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", +".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", +".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", +".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", 
+".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", +".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", +".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", +".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", 
+".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", +".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", +".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", +".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", 
+".............................................................................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.....................................................", +".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", +".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", +".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", 
+".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", +".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", +".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", +".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", 
+".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", +".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", +".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", +".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", 
+".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", +".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", +".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", +".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", 
+".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", +".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", +".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", +".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", 
+".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................", +".....................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++...........................................................+.........................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++", +".....................+.........................................................................................................+............++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", 
+".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", 
+".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", 
+".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", 
+".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", 
+".....................+....+...+..+.+..++....+++................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+....+...+..++..+..+..+...+...............................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+....+...+..+...+.........+...............................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+....+...+..+....++....++++...............................................................................+............+......+...................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", 
+".....................+....+...+..+......+..+...+...............................................................................+............+......+...................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+....+..++..+...+..+..+...+...............................................................................+............+.....+++..+++...+.+.+.+.+...+.............................................................................+.............+............................+................+....+.............................................................+.........+...........................................................................................................+", +".....................+.....++.+..+....++....+++.+..............................................................................+............+......+..+...+..++..++..+...+.............................................................................+.............+............................+................+..+++.............................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+......+......+..+...+...+...+.............................................................................+.............+.........+++....+++....++..+++..+++...+.++..+++...+.............................................................+.........+...........................................................................................................+", 
+".....................+.........................................................................................................+............+......+...++++..+...+...+..+..............................................................................+.............+........+...+..+...+..+..+..+..+...+..++..+..+....+.............................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+......+..+...+..+...+....+.+..............................................................................+.............+........+...+......+..+.....+..+...+..+...+..+....+.............................................................+.........+..............+.............+..............................................................................+", +".....................+.........................................................................................................+............+......+..+...+..+...+....+.+..............................................................................+.............+........+++++...++++...++...+..+++++..+...+..+....+.............................................................+.........+..............+.............+..............................................................................+", +".....................+.........................................................................................................+............+......++..+++.+.+...+.....+...............................................................................+.............+........+......+...+.....+..+..+......+...+..+....+.............................................................+.........+.........++...+.++...+...+..+..+...++....+++...+.++........................................................+", 
+".....................+.........................................................................................................+............+..........................+...............................................................................+.............+........+...+..+...+..+..+..+..+...+..++..+..+....+.............................................................+.........+........+..+..++..+..+...+..+.+...+..+..+...+..++..+.......................................................+", +".....................+.....+++....+++....+++........+.....+++......+........+.......+....+++........+....+++++...+++.....+.....+............+.........................+................................................................................+.............+.........+++....+++.+..++...++..+++...+.++...++...+.............................................................+.........+........+.....+...+..+...+..++....+.........+..+...+.......................................................+", +".....................+....+...+..+...+..+...+.....+++....+...+....++......+++......++...+...+.....+++........+..+...+....+.....+............+........................+.................................................................................+.............+......................................+.........................................................................+.........+.........++...+...+..+...+..++.....++....++++..+...+.......................................................+", +".....................+........+..+...+..+...........+........+...+.+........+.....+.+...+...........+.......+...+...+...+......+............+..........................................................................................................+.............+......................................+.........................................................................+.........+...........+..+...+..+...+..+.+......+..+...+..+...+.......................................................+", 
+".....................+.......+...+...+..+.++........+.......+....+.+........+.....+.+...+.++........+.......+....+++....+......+............+..........................................................................................................+.............+......................................+.........................................................................+.........+........+..+..+...+..+..++..+..+..+..+..+...+..+...+.......................................................+", +".....................+......+....+...+..++..+.......+......+....+..+........+....+..+...++..+.......+......+....+...+..+.......+............+..........................................................................................................+.............+................................................................................................................+.........+.........++...+...+...++.+..+...+..++....+++.+.+...+.......................................................+", +".....................+.....+.....+...+..+...+.......+.....+....+...+........+...+...+...+...+.......+......+....+...+..+.......+............+.......+++....+++....+++........+.....+++......+........+.......+....+++........+....+++++...+++.....+....+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+....+......+...+..+...+.......+....+.....++++++.......+...++++++..+...+.......+......+....+...+..+.......+............+......+...+..+...+..+...+.....+++....+...+....++......+++......++...+...+.....+++........+..+...+....+....+.............+................................................................................................................+.........+...........................................................................................................+", 
+".....................+....+......+...+..+...+.......+....+.........+........+.......+...+...+.......+.....+.....+...+.+........+............+..........+..+...+..+...........+........+...+.+........+.....+.+...+...........+.......+...+...+...+.....+.............+.........+++....+++....+++........+.....+++......+........+.......+....+++........+.....+++....+++.....+........+.........+...........................................................................................................+", +".....................+....+++++...+++....+++...+....+....+++++.....+...+....+.......+....+++...+....+.....+......+++..+........+............+.........+...+...+..+.++........+.......+....+.+........+.....+.+...+.++........+.......+...+...+...+.....+.............+........+...+..+...+..+...+.....+++....+...+....++......+++......++...+...+.....+++....+...+..+...+....+........+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+........+....+...+..++..+.......+......+....+..+........+....+..+...++..+.......+......+.....++++..+......+.............+............+..+...+..+...........+........+...+.+........+.....+.+...+...........+....+...+..+...+...+.........+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+.......+.....+...+..+...+.......+.....+....+...+........+...+...+...+...+.......+......+........+..+......+.............+...........+...+...+..+.++........+.......+....+.+........+.....+.+...+.++........+.....+++...+...+...+.........+.........+...........................................................................................................+", 
+".....................+.........................................................................................................+............+......+......+...+..+...+.......+....+.....++++++.......+...++++++..+...+.......+......+........+..+......+.............+..........+....+...+..++..+.......+......+....+..+........+....+..+...++..+.......+....+...+..+...+..+..........+.........+..........+.....+++....+++........+.....+++....+++........+........+++.....................................+", +".....................+.........................................................................................................+............+......+......+...+..+...+.......+....+.........+........+.......+...+...+.......+.....+.....+...+.+.......+.............+.........+.....+...+..+...+.......+.....+....+...+........+...+...+...+...+.......+....+...+..+...+..+..........+.........+........+++....+...+..+...+.....+++....+...+..+...+.....+++.......+...+....................................+", +".....................+.........................................................................................................+............+......+++++...+++....+++...+....+....+++++.....+...+....+.......+....+++...+....+.....+......+++..+.......+.............+........+......+...+..+...+.......+....+.....++++++.......+...++++++..+...+.......+....+...+..+...+..+..........+.........+..........+....+...+......+.......+....+......+...+.......+.......+...+....................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+........+......+...+..+...+.......+....+.........+........+.......+...+...+.......+....+...+..+...+.+...........+.........+..........+....+...+.....+........+....+.++....+++........+........+++.....................................+", 
+".....................+......+.....+++....+++........+.....+++....+++........+.......+++++......................................+............+..........................................................................................................+.............+........+++++...+++....+++...+....+....+++++.....+...+....+.......+....+++...+....+.....+++....+++..+...........+.........+..........+.....++++....+.........+....++..+..+...+.......+.......+...+....................................+", +".....................+....+++....+...+..+...+.....+++....+...+..+...+.....+++.......+..........................................+............+..........................................................................................................+.............+................................................................................................................+.........+..........+........+...+..........+....+...+..+...+.......+.......+...+....................................+", +".....................+......+....+...+......+.......+....+......+...+.......+.......+..........................................+............+..........................................................................................................+.............+................................................................................................................+.........+..........+........+..+...........+....+...+..+...+.......+.......+...+....................................+", +".....................+......+....+...+.....+........+....+.++....+++........+.......++++.......................................+............+..........................................................................................................+.............+................................................................................................................+.........+..........+....+...+..+...........+....+...+..+...+.......+.......+...+....................................+", 
+".....................+......+.....++++....+.........+....++..+..+...+.......+...........+......................................+............+..........................................................................................................+.............+................................................................................................................+.........+..........+.....+++...+++++..+....+.....+++....+++...+....+....+...+++.....................................+", +".....................+......+........+...+..........+....+...+..+...+.......+...........+......................................+............+........+.....+++....+++........+.....+++....+++........+..........+......................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+......+........+..+...........+....+...+..+...+.......+.......+...+......................................+............+......+++....+...+..+...+.....+++....+...+..+...+.....+++.........++......................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+......+....+...+..+...........+....+...+..+...+.......+.......+...+......................................+............+........+....+...+......+.......+....+......+...+.......+........+.+......................................+.............+..........+.....+++....+++........+.....+++....+++........+.......+++++.........................................+.........+...........................................................................................................+", 
+".....................+......+.....+++...+++++..+....+.....+++....+++...+....+....+...+++.......................................+............+........+....+...+.....+........+....+.++....+++........+........+.+......................................+.............+........+++....+...+..+...+.....+++....+...+..+...+.....+++...........+.........................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+........+.....++++....+.........+....++..+..+...+.......+.......+..+......................................+.............+..........+....+...+......+.......+....+......+...+.......+..........+..........................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+........+........+...+..........+....+...+..+...+.......+......+...+......................................+.............+..........+....+...+.....+........+....+.++....+++........+..........+..........................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+........+........+..+...........+....+...+..+...+.......+......++++++.....................................+.............+..........+.....++++....+.........+....++..+..+...+.......+.........+...........................................+.........+...........................................................................................................+", 
+".....................+.........................................................................................................+............+........+....+...+..+...........+....+...+..+...+.......+..........+......................................+.............+..........+........+...+..........+....+...+..+...+.......+.........+...........................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+........+.....+++...+++++..+....+.....+++....+++...+....+....+.....+......................................+.............+..........+........+..+...........+....+...+..+...+.......+.........+...........................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+..........+....+...+..+...........+....+...+..+...+.......+........+............................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+..........+.....+++...+++++..+....+.....+++....+++...+....+....+...+............................................+.........+...........................................................................................................+", 
+".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", 
+".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", 
+".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", 
+".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++", +".....................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++............+..........................................................................................................+.............+................................................................................................................+......................................................................................................................", 
+"............................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.............++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++......................................................................................................................"}; diff --git a/STABLE/documentation/images/new10.gif b/STABLE/documentation/images/new10.gif new file mode 100644 index 000000000..ab20bf61e Binary files /dev/null and b/STABLE/documentation/images/new10.gif differ diff --git a/STABLE/documentation/images/ol600_01mic.png b/STABLE/documentation/images/ol600_01mic.png new file mode 100644 index 000000000..2207d1114 Binary files /dev/null and b/STABLE/documentation/images/ol600_01mic.png differ diff --git a/STABLE/documentation/images/penguin_in_red_compaq_racer.gif b/STABLE/documentation/images/penguin_in_red_compaq_racer.gif new file mode 100644 index 000000000..20a321a72 Binary files /dev/null and b/STABLE/documentation/images/penguin_in_red_compaq_racer.gif differ diff --git a/STABLE/documentation/images/poweredby.png b/STABLE/documentation/images/poweredby.png new file mode 100644 index 000000000..5a744d0be Binary files /dev/null and b/STABLE/documentation/images/poweredby.png differ diff --git a/STABLE/documentation/images/poweredbycompaqlog0.gif b/STABLE/documentation/images/poweredbycompaqlog0.gif new file mode 100644 index 000000000..63a4ce79c Binary files /dev/null and b/STABLE/documentation/images/poweredbycompaqlog0.gif differ diff --git a/STABLE/documentation/images/ppp.jpg b/STABLE/documentation/images/ppp.jpg new file mode 100644 index 000000000..8131a8cac Binary files /dev/null and b/STABLE/documentation/images/ppp.jpg differ 
diff --git a/STABLE/documentation/images/proxyarp.jpg b/STABLE/documentation/images/proxyarp.jpg
new file mode 100644
index 000000000..2255acc9f
Binary files /dev/null and b/STABLE/documentation/images/proxyarp.jpg differ
diff --git a/STABLE/documentation/images/pure.jpg b/STABLE/documentation/images/pure.jpg
new file mode 100644
index 000000000..7c2a64f7b
Binary files /dev/null and b/STABLE/documentation/images/pure.jpg differ
diff --git a/STABLE/documentation/images/pureftp-d.jpg b/STABLE/documentation/images/pureftp-d.jpg
new file mode 100644
index 000000000..c49908e12
Binary files /dev/null and b/STABLE/documentation/images/pureftp-d.jpg differ
diff --git a/STABLE/documentation/images/sf_logo_metal2.jpg b/STABLE/documentation/images/sf_logo_metal2.jpg
new file mode 100644
index 000000000..07064dbf2
Binary files /dev/null and b/STABLE/documentation/images/sf_logo_metal2.jpg differ
diff --git a/STABLE/documentation/images/sflogo.png b/STABLE/documentation/images/sflogo.png
new file mode 100644
index 000000000..f5c0a256d
Binary files /dev/null and b/STABLE/documentation/images/sflogo.png differ
diff --git a/STABLE/documentation/images/sflogo2-steel.gif b/STABLE/documentation/images/sflogo2-steel.gif
new file mode 100644
index 000000000..7533ec759
Binary files /dev/null and b/STABLE/documentation/images/sflogo2-steel.gif differ
diff --git a/STABLE/documentation/images/shorewall.jpg b/STABLE/documentation/images/shorewall.jpg
new file mode 100644
index 000000000..d8f2a1c09
Binary files /dev/null and b/STABLE/documentation/images/shorewall.jpg differ
diff --git a/STABLE/documentation/images/shorewall1.gif b/STABLE/documentation/images/shorewall1.gif
new file mode 100644
index 000000000..6a4b1408d
Binary files /dev/null and b/STABLE/documentation/images/shorewall1.gif differ
diff --git a/STABLE/documentation/images/small-picture.gif b/STABLE/documentation/images/small-picture.gif new file mode 100644 index 000000000..a6006b13a Binary files /dev/null and b/STABLE/documentation/images/small-picture.gif differ diff --git a/STABLE/documentation/images/staticnat.jpg b/STABLE/documentation/images/staticnat.jpg new file mode 100644 index 000000000..0ab312803 Binary files /dev/null and b/STABLE/documentation/images/staticnat.jpg differ diff --git a/STABLE/documentation/images/updated.gif b/STABLE/documentation/images/updated.gif new file mode 100644 index 000000000..83882574d Binary files /dev/null and b/STABLE/documentation/images/updated.gif differ diff --git a/STABLE/documentation/images/washington.jpg b/STABLE/documentation/images/washington.jpg new file mode 100644 index 000000000..d356e2dd2 Binary files /dev/null and b/STABLE/documentation/images/washington.jpg differ diff --git a/STABLE/documentation/index.htm b/STABLE/documentation/index.htm new file mode 100644 index 000000000..bc8538fc9 --- /dev/null +++ b/STABLE/documentation/index.htm @@ -0,0 +1,23 @@ + + + + +Shoreline Firewall + + + + + + + + + + <body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica"> + + <p>This page uses frames, but your browser doesn't support them.</p> + + <!--mstheme--></font></body> + + + + \ No newline at end of file diff --git a/STABLE/documentation/kernel.htm b/STABLE/documentation/kernel.htm new file mode 100644 index 000000000..904ba1067 --- /dev/null +++ b/STABLE/documentation/kernel.htm @@ -0,0 +1,141 @@ + + + + +Shorewall Kernel Configuration + + + + + + +

Kernel Configuration

+

For information regarding configuring and building GNU/Linux kernels, see http://www.kernelnewbies.org.

+

Here's a screen shot of my Network Options Configuration:

+
+

 

+
+

While not all of the options that I've selected are required, they should be +sufficient for most applications. Here's an excerpt from the corresponding .config +file (Note: If you are running a kernel older than 2.4.17, be sure to select +CONFIG_NETLINK and CONFIG_RTNETLINK):

+ +
+ +

#
+ # Networking options
+ #
+ CONFIG_PACKET=y
+ # CONFIG_PACKET_MMAP is not set
+ # CONFIG_NETLINK_DEV is not set
+ CONFIG_NETFILTER=y
+ CONFIG_NETFILTER_DEBUG=y
+ CONFIG_FILTER=y
+ CONFIG_UNIX=y
+ CONFIG_INET=y
+ CONFIG_IP_MULTICAST=y
+ CONFIG_IP_ADVANCED_ROUTER=y
+ CONFIG_IP_MULTIPLE_TABLES=y
+ CONFIG_IP_ROUTE_FWMARK=y
+ CONFIG_IP_ROUTE_NAT=y
+ CONFIG_IP_ROUTE_MULTIPATH=y
+ CONFIG_IP_ROUTE_TOS=y
+ CONFIG_IP_ROUTE_VERBOSE=y
+ # CONFIG_IP_ROUTE_LARGE_TABLES is not set
+ # CONFIG_IP_PNP is not set
+ CONFIG_NET_IPIP=m
+ CONFIG_NET_IPGRE=m
+ # CONFIG_NET_IPGRE_GROADCAST is not set
+ # CONFIG_IP_MROUTE is not set
+ # CONFIG_ARPD is not set
+ CONFIG_INET_ECN=y
+ CONFIG_SYN_COOKIES=y

+
+
+ +

Here's a screen shot of my Netfilter configuration:

+
+ +

+
+ +

Here's an excerpt from the corresponding .config file.

+
+

#
+ # IP: Netfilter Configuration
+ #
+ CONFIG_IP_NF_CONNTRACK=y
+ CONFIG_IP_NF_FTP=m
+ # CONFIG_IP_NF_QUEUE is not set
+ CONFIG_IP_NF_IPTABLES=y
+ CONFIG_IP_NF_MATCH_LIMIT=y
+ CONFIG_IP_NF_MATCH_MAC=y
+ CONFIG_IP_NF_MATCH_MARK=y
+ CONFIG_IP_NF_MATCH_MULTIPORT=y
+ CONFIG_IP_NF_MATCH_TOS=y
+ # CONFIG_IP_NF_MATCH_TCPMSS is not set
+ CONFIG_IP_NF_MATCH_STATE=y
+ # CONFIG_IP_NF_MATCH_UNCLEAN is not set
+ # CONFIG_IP_NF_MATCH_OWNER is not set
+ CONFIG_IP_NF_FILTER=y
+ CONFIG_IP_NF_TARGET_REJECT=y
+ # CONFIG_IP_NF_TARGET_MIRROR is not set
+ CONFIG_IP_NF_NAT=y
+ CONFIG_IP_NF_NAT_NEEDED=y
+ CONFIG_IP_NF_TARGET_MASQUERADE=y
+ CONFIG_IP_NF_TARGET_REDIRECT=y
+ CONFIG_IP_NF_NAT_FTP=m
+ CONFIG_IP_NF_MANGLE=y
+ CONFIG_IP_NF_TARGET_TOS=y
+ CONFIG_IP_NF_TARGET_MARK=y
+ CONFIG_IP_NF_TARGET_LOG=y
+ CONFIG_IP_NF_TARGET_TCPMSS=y
+ # CONFIG_IPV6 is not set

+

+
+

Note that I have built everything I need into the kernel except for the FTP +connection tracking and NAT modules. I have also run successfully with all of +the options selected above built as modules:

+ +
+

+ +

#
+ # IP: Netfilter Configuration
+ #
+ CONFIG_IP_NF_CONNTRACK=m
+ CONFIG_IP_NF_FTP=m
+ # CONFIG_IP_NF_QUEUE is not set
+ CONFIG_IP_NF_IPTABLES=m
+ CONFIG_IP_NF_MATCH_LIMIT=m
+ CONFIG_IP_NF_MATCH_MAC=m
+ CONFIG_IP_NF_MATCH_MARK=m
+ CONFIG_IP_NF_MATCH_MULTIPORT=m
+ CONFIG_IP_NF_MATCH_TOS=m
+ # CONFIG_IP_NF_MATCH_TCPMSS is not set
+ CONFIG_IP_NF_MATCH_STATE=m
+ # CONFIG_IP_NF_MATCH_UNCLEAN is not set
+ # CONFIG_IP_NF_MATCH_OWNER is not set
+ CONFIG_IP_NF_FILTER=m
+ CONFIG_IP_NF_TARGET_REJECT=m
+ # CONFIG_IP_NF_TARGET_MIRROR is not set
+ CONFIG_IP_NF_NAT=m
+ CONFIG_IP_NF_NAT_NEEDED=m
+ CONFIG_IP_NF_TARGET_MASQUERADE=m
+ CONFIG_IP_NF_TARGET_REDIRECT=m
+ CONFIG_IP_NF_NAT_FTP=m
+ CONFIG_IP_NF_MANGLE=m
+ CONFIG_IP_NF_TARGET_TOS=m
+ CONFIG_IP_NF_TARGET_MARK=m
+ CONFIG_IP_NF_TARGET_LOG=m
+ CONFIG_IP_NF_TARGET_TCPMSS=m
+ # CONFIG_IPV6 is not set
+

+ +
+ +

Last updated 3/10/2002 - +Tom +Eastep

+Copyright2001, 2002 Thomas M. Eastep.
\ No newline at end of file diff --git a/STABLE/documentation/mailing_list.htm b/STABLE/documentation/mailing_list.htm new file mode 100644 index 000000000..f7f8174f5 --- /dev/null +++ b/STABLE/documentation/mailing_list.htm @@ -0,0 +1,132 @@ + + + + + + + +Shorewall Mailing Lists + + + + + +

+Shorewall Mailing Lists

+ +

 

+ +

 

+ +

+Note: The list server limits posts to 120kb.

+ +

Not getting List Mail? -- Check +Here

+ +

If you experience problems with any of these lists, please +let me know

+ +

Not able to Post Mail to shorewall.net?

+ +

You can report such problems by sending mail to tom dot eastep +at hp dot com.

+ +

A Word about SPAM Filters + +

+ +

Before subscribing please read my policy + about list traffic that bounces. Also please note that the mail server + at shorewall.net checks the sender of incoming mail against the open relay + databases at ordb.org and at + osirusoft.com.

+ +

Search the Mailing List Archives

+ +
+

+ +Match: +Format: +Sort by: + + + + +
+Search: + +

+
+ +

Shorewall Users Mailing List

+

The Shorewall Users Mailing list provides a way for users to get +answers to questions and to report problems. +Information of general interest to the Shorewall user community is also posted +to this list.

+

Before posting a problem report to this list, please see the +problem reporting guidelines.

+

To subscribe to the mailing list, go to https://www.shorewall.net/mailman/listinfo/shorewall-users.

+

To post to the list, post to shorewall-users@shorewall.net.

+

The list archives are at http://www.shorewall.net/pipermail/shorewall-users.

+

Note that prior to 1/1/2002, the mailing list was hosted at Sourceforge. +The archives from that list may be found at www.geocrawler.com/lists/3/Sourceforge/9327/0/.

+

Shorewall Announce Mailing List

+

This list is for announcements of general interest to the +Shorewall community. To subscribe, go to https://www.shorewall.net/mailman/listinfo/shorewall-announce.

+

The list archives are at http://www.shorewall.net/pipermail/shorewall-announce.

+

Shorewall Development Mailing List

+

The Shorewall Development Mailing list provides a forum for the +exchange of ideas about the future of Shorewall and for coordinating ongoing +Shorewall Development.

+

To subscribe to the mailing list, go to https://www.shorewall.net/mailman/listinfo/shorewall-devel.

+

To post to the list, post to shorewall-devel@shorewall.net

+

The list archives are at http://www.shorewall.net/pipermail/shorewall-devel.

+

How to Unsubscribe from one of the +Mailing Lists

+

There seems to be near-universal confusion about unsubscribing +from Mailman-managed lists. To unsubscribe:

+
+ + + +
bullet +

Follow the same link above that you used to subscribe to the +list.

+
bullet +

Down at the bottom of that page is the following text: "To +change your subscription (set options like digest and delivery modes, get a +reminder of your password, or unsubscribe from <name of list>), enter +your subscription email address:". Enter your email address in the box and click +on the "Edit Options" button.

+
bullet +

There will now be a box where you can enter your password and +click on "Unsubscribe"; if you have forgotten your password, there is another +button that will cause your password to be emailed to you.

+
+

+

Frustrated by having to Rebuild Mailman to use it with Postfix?

+

Check out these instructions

+

Last updated 7/26/2002 - Tom +Eastep

+

+Copyright © 2001, 2002 Thomas M. Eastep.

+ +
+ + \ No newline at end of file diff --git a/STABLE/documentation/mailing_list_problems.htm b/STABLE/documentation/mailing_list_problems.htm new file mode 100644 index 000000000..a6d9766d1 --- /dev/null +++ b/STABLE/documentation/mailing_list_problems.htm @@ -0,0 +1,52 @@ + + + + + + + +Mailing List Problems + + + + + +

Mailing List Problems

+ +

Shorewall.net is currently experiencing mail delivery problems +to at least one address in each of the following domains:

+ +
+
+
2020ca - delivery to this domain has been disabled (cause unknown)
+excite.com - delivery to this domain has been disabled (cause unknown)
+epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)
+gmx.net - delivery to this domain has been disabled (cause unknown)
+hotmail.com - delivery to this domain has been disabled (Mailbox over quota)
+intercom.net - delivery to this domain has been disabled (cause unknown)
+initialcs.com - delivery to this domain has been disabled (cause unknown)
+intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).
+khp-inc.com - delivery to this domain has been disabled (anti-virus problems)
+kieninger.de - delivery to this domain has been disabled (relaying to <xxxxx@kieninger.de> prohibited by administrator)
+opermail.net - delivery to this domain has been disabled (cause unknown)
+penquindevelopment.com - delivery to this domain has been disabled (connection timed out)
+scip-online.de - delivery to this domain has been disabled (cause unknown)
+spctnet.com - connection timed out - delivery to this domain has been disabled
+telusplanet.net - delivery to this domain has been disabled (cause unknown)
+yahoo.com - delivery to this domain has been disabled (Mailbox over quota)
+
+
+ +

Last updated 7/26/2002 19:39 GMT - +Tom +Eastep

+ +

+ +Copyright © 2002 Thomas M. Eastep.

+ +

 

+ +
+ + \ No newline at end of file diff --git a/STABLE/documentation/myfiles.htm b/STABLE/documentation/myfiles.htm new file mode 100644 index 000000000..ffb4b2b36 --- /dev/null +++ b/STABLE/documentation/myfiles.htm @@ -0,0 +1,293 @@ + + + + + + My Shorewall Configuration + + + + + + + + + +

About My Network

+ +
+ +

My Current Network

+ +
+

+I have DSL service and have 5 static IP addresses (206.124.146.176-180). +My DSL "modem" (Fujitsu Speedport) is connected to eth0. I have +a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ connected +to eth1 (192.168.2.0/24). 

+

+I use Static NAT for all internal systems (those connected to the switch) except my Wife's system (tarry) +and the Wireless Access Point (wap) which are +masqueraded through the primary gateway address (206.124.146.176).

+

+The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.19.

+

+My personal GNU/Linux System (wookie) is 192.168.1.3 and my personal Windows XP system (ursa) +is 192.168.1.5. Wookie +runs Samba and acts as the a WINS server.  Wookie is in its own 'whitelist' zone +called 'me'.

+

+My laptop (eastept1) is connected to eth3 using a cross-over cable. It runs its own +Sygate firewall software and is managed by Proxy ARP.

+

+The single system in the DMZ (address 206.124.146.177) runs postfix, Courier +IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server +(Pure-ftpd). The system also runs fetchmail to fetch our email from our +old and current ISPs. That server is managed through Proxy ARP.

+

+The firewall system itself runs a DHCP server that serves the local network.

+

+All administration and publishing is done using ssh/scp.

+

+I run an SNMP server on my firewall to serve +MRTG running in the DMZ.

+

+

+

 

+

The ethernet interface in the Server is configured + with IP address 206.124.146.177, netmask + 255.255.255.0. The server's default gateway is + 206.124.146.254 (Router at my ISP. This is the same + default gateway used by the firewall itself). On the firewall, + Shorewall automatically adds a host route to + 206.124.146.177 through eth1 (192.168.2.1) because of + the entry in /etc/shorewall/proxyarp (see below).

+

A similar setup is used on eth3 (192.168.3.1) which + interfaces to my laptop (206.124.146.180).

+

+ Note: My files use features not available before + Shorewall version 1.3.4.

+
+

Shorewall.conf

+ +
	SUBSYSLOCK=/var/lock/subsys/shorewall
+	STATEDIR=/var/state/shorewall
+
+	LOGRATE=
+	LOGBURST=
+
+	ADD_IP_ALIASES="Yes"
+
+	CLAMPMSS=Yes
+
+	MULTIPORT=Yes
+

Zones File:

+
	#ZONE 	DISPLAY 	COMMENTS
+	net	Internet	Internet
+	me	Eastep		My Workstation
+	loc	Local		Local networks
+	dmz	DMZ		Demilitarized zone
+	tx	Texas		Peer Network in Dallas Texas
+	#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+

Interfaces File:

+ +
+

+This is set up so that I can start the firewall before bringing up my Ethernet +interfaces.

+ +
+ +
	#ZONE    INTERFACE	BROADCAST 	OPTIONS
+	net	eth0 		206.124.146.255	routefilter,norfc1918,blacklist,filterping
+	-	eth2 		192.168.1.255	dhcp
+	dmz	eth1 		206.124.146.255	-
+	loc	eth3		206.124.146.255 -
+	tx	texas 		-
+	loc	ppp+
+	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+

Hosts File:

+ +
	#ZONE 		HOST(S)			OPTIONS
+	me		eth2:192.168.1.3
+	loc		eth2:0.0.0.0/0
+	loc		ppp+:192.168.1.0/24
+	loc		eth3:206.124.146.180
+	tx 		texas:192.168.9.0/24
+	#LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE
+ +

Routestopped File:

+ +
	#INTERFACE	HOST(S)
+	eth1		206.124.146.177
+	eth2 		-
+	eth3 		206.124.146.180
+

Common File:

+
	. /etc/shorewall/common.def
+	run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
+	run_iptables -A common -p tcp --dport 113 -j REJECT
+ +

Policy File:

+ +

+	#SOURCE	DEST	POLICY	LOG LEVEL	LIMIT:BURST
+	me	all	ACCEPT
+	tx	me	ACCEPT		#Give Texas access to my personal system
+	all	me	CONTINUE	#WARNING: You must be running Shorewall 1.3.1 or later for
+					#	  this policy to work as expected!!!	
+	loc 	loc 	ACCEPT
+	loc 	net	ACCEPT
+	$FW	loc	ACCEPT
+	$FW	tx	ACCEPT
+	loc	tx	ACCEPT
+	loc	fw	REJECT
+	net	all	DROP	info		10/sec:40
+	all	all	REJECT	info
+	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
+

Masq File:

+ +
+

+Although most of our internal systems use static NAT, my wife's system +(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.

+
+ +
	#INTERFACE 	SUBNET		ADDRESS
+	eth0 		192.168.1.0/24	206.124.146.176
+	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+

NAT File:

+
	#EXTERNAL	INTERFACE	INTERNAL	ALL	LOCAL
+	206.124.146.178 eth0 		192.168.1.5 	No 	No
+	206.124.146.179 eth0 		192.168.1.3 	No 	No
+	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+ +

Proxy ARP File:

+
     	#ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE
+	206.124.146.177 eth1 		eth0 		No
+	206.124.146.180	eth3		eth0		No
+	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+ +

Rules File (The shell variables + are set in /etc/shorewall/params):

+ +
     	#ACTION		SOURCE 		DEST 			PROTO	DEST 	SOURCE  ORIGINAL
+	#                       				PORT(S) PORT(S)	PORT(S)	DEST
+	#
+	# Local Network to Internet - Reject attempts by Trojans to call home
+	#
+	REJECT:info 	loc 		net 			tcp	6667
+	#
+	# Local Network to Firewall 
+	#
+	ACCEPT		loc		fw 			tcp 	ssh
+	ACCEPT		loc		fw			tcp	time
+	#
+	# Local Network to DMZ 
+	#
+	ACCEPT 		loc 		dmz 			udp	domain
+	ACCEPT		loc		dmz			tcp	smtp
+	ACCEPT		loc		dmz			tcp	domain
+	ACCEPT		loc		dmz			tcp	ssh
+	ACCEPT		loc		dmz			tcp	auth
+	ACCEPT		loc		dmz			tcp	imap
+	ACCEPT		loc		dmz			tcp	https
+	ACCEPT		loc		dmz			tcp	imaps
+	ACCEPT		loc		dmz			tcp	cvspserver
+	ACCEPT 		loc 		dmz 			tcp 	www
+	ACCEPT		loc		dmz			tcp	ftp
+	ACCEPT		loc		dmz			tcp	pop3
+	ACCEPT		loc		dmz			icmp	echo-request
+	#
+	# Internet to DMZ 
+	#
+	ACCEPT		net		dmz 			tcp	www
+	ACCEPT		net		dmz			tcp	smtp
+	ACCEPT		net		dmz			tcp	ftp
+	ACCEPT		net		dmz			tcp	auth
+	ACCEPT		net		dmz			tcp	https
+	ACCEPT		net		dmz			tcp	imaps
+	ACCEPT		net		dmz			tcp	domain
+	ACCEPT		net		dmz			tcp	cvspserver
+	ACCEPT		net		dmz			udp	domain
+	ACCEPT		net		dmz			icmp	echo-request
+	ACCEPT 		net:$MIRRORS	dmz			tcp	rsync
+	#
+	# Net to Me (ICQ chat and file transfers) 
+	#
+	ACCEPT		net		me			tcp	4000:4100
+	#
+	# Net to Local 
+	#
+	ACCEPT		net		loc:206.124.146.180	#Runs its own firewall software
+	ACCEPT		net		loc			tcp	auth
+	REJECT		net		loc			tcp	www
+	#
+	# DMZ to Internet
+	#
+	ACCEPT		dmz		net			icmp	echo-request
+	ACCEPT		dmz		net			tcp	smtp
+	ACCEPT		dmz		net			tcp	auth
+	ACCEPT		dmz		net			tcp	domain
+	ACCEPT		dmz		net			tcp	www
+	ACCEPT		dmz		net			tcp	https
+	ACCEPT		dmz		net			tcp	whois
+	ACCEPT		dmz		net			tcp	echo
+	ACCEPT		dmz		net			udp	domain
+	ACCEPT		dmz 		net:$NTPSERVERS		udp	ntp
+	ACCEPT 		dmz 		net:$POPSERVERS		tcp	pop3
+	#
+	# The following compensates for a bug, either in some FTP clients or in the
+	# Netfilter connection tracking code that occasionally denies active mode
+	# FTP clients
+	#
+	ACCEPT:info 	dmz 		net			tcp	1024:	20
+	#
+	# DMZ to Firewall -- snmp
+	#
+	ACCEPT 		dmz 		fw 			tcp	snmp
+	ACCEPT		dmz		fw			udp	snmp
+	#
+	# DMZ to Local Network 
+	#
+	ACCEPT 		dmz 		loc			tcp	smtp
+	ACCEPT		dmz		loc			tcp	auth
+	ACCEPT		dmz		loc			icmp	echo-request
+	# Internet to Firewall
+	#
+	ACCEPT		net		fw			tcp	1723
+	ACCEPT		net		fw			gre
+	REJECT 		net		fw			tcp	www
+	#
+	# Firewall to Internet
+	#
+	ACCEPT 		fw 		net:$NTPSERVERS		udp	ntp
+	ACCEPT		fw		net			udp	domain
+	ACCEPT		fw		net			tcp	domain
+	ACCEPT		fw		net			tcp	www
+	ACCEPT		fw		net			tcp	https
+	ACCEPT		fw		net			tcp	ssh
+	ACCEPT		fw		net			tcp	whois
+	ACCEPT		fw		net 			icmp	echo-request
+	#
+	# Firewall to DMZ
+	#
+	ACCEPT 		fw 		dmz 			tcp 	www
+	ACCEPT 		fw 		dmz 			tcp 	ftp
+	ACCEPT 		fw 		dmz 			tcp 	ssh
+	ACCEPT 		fw 		dmz 			tcp 	smtp
+	ACCEPT 		fw 		dmz 			udp 	domain
+	#
+	# Let Texas Ping
+	#
+	ACCEPT 		tx 		fw 			icmp 	echo-request
+	ACCEPT		tx 		loc 			icmp 	echo-request
+
+	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+ +

+Last updated 8/4/2002 + - + Tom Eastep +

+ Copyright + © 2001, 2002 Thomas M. Eastep.
\ No newline at end of file
diff --git a/STABLE/documentation/netfilter_overview.htm b/STABLE/documentation/netfilter_overview.htm
new file mode 100644
index 000000000..8ec6ad1f1
--- /dev/null
+++ b/STABLE/documentation/netfilter_overview.htm
@@ -0,0 +1,140 @@
+ + + + + + + +Netfilter Overview + + + + + +

Netfilter Overview

+
+

 

+

1.0 Tables

+ +

Chains of rules are organized into Tables. +Netfilter currently has three tables.

+ +
    +
  1. +

    Mangle Table - This allows the contents of the packet to be +changed. Shorewall uses rules in this table to mark packets for traffic +shaping/control (/etc/shorewall/tcrules file) and for setting the Type of +Service (TOS) for the packet (/etc/shorewall/tos).

    + +
  2. +
  3. +

    NAT Table - Allows modification of the source and destination IP +and port.

    + +
  4. +
  5. +

    Filter Table - This is where most ACCEPT/DROP/REJECT decisions +are made in Shorewall.

    + +
  6. +
+

Each table has a number of pre-defined chains as shown in +the table that follows. Packets flow through the chains in the order of that +table.

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OrdinalTableChainShorewall UsageComments
1ManglePREROUTING +
    +
  1. RFC 1918 Destination Rejections
  2. +
  3. Marking Packets for Traffic Control
  4. +
  5. TOS
  6. +
+
 
2NATPREROUTING +
    +
  1. DNAT Rules
  2. +
  3. Static NAT DNAT mapping
  4. +
+
Only connection requests go here -- packets that are part of or + related to an established connection use information from the connection + tracking table.
3FilterINPUT<zone>2fw filtering 
3FilterFORWARD<zone>2<zone> filtering 
3FilterOUTPUTfw2<zone> filtering 
4ManglePOSTROUTINGTOS 
5NATOUTPUTDNAT rules where the source zone is fwOnly connection requests go here -- packets that are part of or + related to an established connection use information from the connection + tracking table.
5NATPOSTROUTING +
    +
  1. Masquerading (/etc/shoreawll/masq)
  2. +
  3. SNAT (/etc/shorewall/masq)
  4. +
  5. Static NAT SNAT Mapping
  6. +
+
Only connection requests go here -- packets that are part of or + related to an established connection use information from the connection + tracking table.
+
+

The connection tracking table can be displayed using the +"shorewall show connections" command.

+ +
+ + +
diff --git a/STABLE/documentation/ports.htm b/STABLE/documentation/ports.htm
new file mode 100644
index 000000000..081136136
--- /dev/null
+++ b/STABLE/documentation/ports.htm
@@ -0,0 +1,110 @@
+ + + + +Shorewall Port Information + + + + + +

Ports required for Various Services/Applications

+ +

In addition to those applications described in the +/etc/shorewall/rules documentation, here are some other +services/applications that you may need to configure your firewall to accommodate.

+ +

NTP (Network Time Protocol)

+
+

UDP Port 123

+
+

rdate

+
+

TCP Port 37

+
+

UseNet (NNTP)

+
+

TCP Port 119

+
+

DNS

+
+

UDP Port 53. If you are configuring a DNS client, you will probably want to + open TCP Port 53 as well.
+ If you are configuring a server, only open TCP Port 53 if you will return long + replies to queries or if you need to enable ZONE transfers. In the latter + case, be sure that your server is properly configured.

+
+

ICQ   

+
+

UDP Port 4000. You will also need to open a range of TCP ports which you + can specify to your ICQ client. By default, clients use 4000-4100.

+
+

PPTP

+
+

Protocol 47 (NOT port 47) and TCP Port 1723 (Lots more + information here).

+
+

IPSEC

+
+

Protocols 50 and 51 (NOT ports 50 and 51) and UDP Port 500. + These should be opened in both directions.

+
+

SMTP

+
+

 TCP Port 25.

+
+

POP3

+
+

TCP Port 110.

+
+

TELNET

+
+

TCP Port 23.

+
+

SSH

+
+

TCP Port 22.

+
+

Auth (identd)

+
+

TCP Port 113

+
+ +

Web Access

+
+

TCP Ports 80 and 443.

+
+

FTP

+
+

Server configuration is covered on in the + /etc/shorewall/rules documentation,

+

For a client, you must open outbound TCP port 21 and be sure that your + kernel is compiled to support FTP connection tracking. If you build this + support as a module, Shorewall will automatically load the module from + /var/lib/<kernel version>/kernel/net/ipv4/netfilter. 

+
+ +

SMB/NMB (Samba/Windows Browsing/File Sharing)

+
+

TCP Ports 137, 139 and 445.
+ UDP Ports 137-139.
+
+ Also, see this page.

+
+ +

Traceroute

+
+

UDP ports 33434 through 33434+<max number of hops>-1

+
+

Didn't find what you are looking for -- have you looked in your own + /etc/services file?

+ +

Still looking? Try + + http://www.networkice.com/advice/Exploits/Ports

+ +

Last updated 7/30/2002 - +Tom +Eastep

+Copyright2001, 2002 Thomas M. Eastep.
\ No newline at end of file
diff --git a/STABLE/documentation/quotes.htm b/STABLE/documentation/quotes.htm
new file mode 100644
index 000000000..2b0afcdf5
--- /dev/null
+++ b/STABLE/documentation/quotes.htm
@@ -0,0 +1,91 @@
+ + + + + + + +Quotes from Shorewall Users + + + + + +

Quotes from Shorewall Users

+ + +

"I just installed Shorewall after weeks of messing with + ipchains/iptables and I had it up and running in under 20 minutes!" + -- JL, Ohio +

+ + +

"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 + without any problems. Your documentation is great and I really appreciate + your network configuration info. That really helped me out alot. + THANKS!!!" -- MM. +

+ + +

"[Shorewall is a] great, great project. I've used/tested may + firewall scripts but this one is till now the best." -- B.R, + Netherlands +

+ + +

"Never in my +12 year career as a sys admin have I witnessed + someone so relentless in developing a secure, state of the art, save and + useful product as the Shorewall firewall package for no cost or obligation + involved." -- Mario Kericki, Toronto +

+ + +

"one time more to report, that your great shorewall in the latest + release + 1.2.9 is working fine for me with SuSE Linux 7.3! I now have 7 machines up + and running with shorewall on several versions - starting with 1.2.2 up to + the new 1.2.9 and I never have encountered any problems!" -- SM, Germany

+ + +

"You have the best support of any other package I've ever + used." -- SE, US +

+ +

"Because our company has information which has been classified by the +national government as secret, our security doesn't stop by putting a fence +around our company. Information security is a hot issue. We also make use of +checkpoint firewalls, but not all of the internet servers are guarded by +checkpoint, some of them are running....Shorewall." -- Name withheld by request, +Europe

+ +

"thanx for all your efforts you put into shorewall - this product stands out +against a lot of commercial stuff i´ve been working with in terms of +flexibillity, quality & support" -- RM, Austria

+ +

"I have never seen such a complete firewall package that is so easy to +configure. I searched the Debian package system for firewall scripts and +Shorewall won hands down." -- RG, Toronto

+ +

"My respects... I've just found and installed Shorewall 1.3.3-1 and it is a +wonderful piece of software. I've just sent out an email to about 30 people +recommending it. :-)
+While I had previously taken the time (maybe 40 hours) to really understand +ipchains, then spent at least an hour per server customizing and carefully +scrutinizing firewall rules, I've got shorewall running on my home firewall, +with rulesets and policies that I know make sense, in under 20 minutes." -- RP, +Guatamala
+

+ +

Updated +7/9/2002 - Tom Eastep + + +

+ +

Copyright2001, 2002 Thomas M. Eastep.

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/samba.htm b/STABLE/documentation/samba.htm
new file mode 100644
index 000000000..48cbd73e9
--- /dev/null
+++ b/STABLE/documentation/samba.htm
@@ -0,0 +1,93 @@
+ + + + + + + +Samba + + + + + +

Samba

+

If you wish to run Samba on your firewall and access shares between the +firewall and local hosts, you need the following rules:

+

/etc/shorewall/rules:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST + PROTODEST
+ PORT(S)
SOURCE
+ PORT(S)
ORIGINAL
+ DEST
ACCEPTfwlocudp137:139  
ACCEPTfwloctcp137,139  
ACCEPTfwlocudp1024:137 
ACCEPTlocfwudp137:139  
ACCEPTlocfwtcp137,139  
ACCEPTlocfwudp1024:137 
+
+

Last modified 5/29/2002 - Tom +Eastep

+Copyright © 2002 Thomas M. Eastep.
\ No newline at end of file
diff --git a/STABLE/documentation/seattlefirewall_index.htm b/STABLE/documentation/seattlefirewall_index.htm
new file mode 100644
index 000000000..4edeb0109
--- /dev/null
+++ b/STABLE/documentation/seattlefirewall_index.htm
@@ -0,0 +1,205 @@
+ + + + + + Shoreline Firewall (Shorewall) 1.3 + + + + + + + + + + + +

Shorewall 1.3 - "iptables made easy"

+ +

Shorewall 1.2 Site is + Here

+ +

 

+ +

What is it?

+ +

The Shoreline Firewall, more commonly known as "Shorewall",  is a + Netfilter (iptables) + based firewall that can be used on a dedicated firewall system, a + multi-function gateway/router/server or on a standalone GNU/Linux system.

+ +

This program is free software; you can redistribute it and/or modify + it under the terms of Version 2 of the GNU General Public License + as published by the Free Software Foundation.
+
+ This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + for more details.
+
+ You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software Foundation, + Inc., 675 Mass Ave, Cambridge, MA 02139, USA

+ +

Copyright 2001, 2002 Thomas M. Eastep

+ + +

Want a Copy of this Site?

+ +

The Shorewall .tgz and .rpm files contain a copy of this site -- + download Shorewall and you get a copy of the + Shorewall portion of this site for the same low price (Free!).

+ + +

News

+ +

8/7/2002 - Shorewall 1.3.6 +

+ +

This is primarily a bug-fix rollup with a couple of new features:

+ +
+ + + +
bulletThe latest QuickStart Guides + including the Shorewall Setup Guide.
bulletShorewall will now DROP TCP packets that are not part of or + related to an existing connection and that are not SYN packets. These "New + not SYN" packets may be optionally logged by setting the LOGNEWNOTSYN option + in /etc/shorewall/shorewall.conf.
bulletThe processing of "New not SYN" packets may be extended by command in the + new newnotsyn extension script.
+ +

7/30/2002 - Shorewall 1.3.5b Released

+ +

This interim release:

+ +
+ + + +
bulletCauses the firewall script to remove the lock file if it is killed.
bulletOnce again allows lists in the second column of the + /etc/shorewall/hosts file.
bulletIncludes the latest QuickStart + Guides.
+ +

7/29/2002 - New Shorewall Setup Guide Available

+ +

The first draft of this guide is available at + + http://www.shorewall.net/shorewall_setup_guide.htm. The guide is intended + for use by people who are setting up Shorewall to manage multiple public IP + addresses and by people who want to learn more about Shorewall than is + described in the single-address guides. Feedback on the new guide is welcome.

+ +

7/28/2002 - Shorewall 1.3.5 Debian Package Available

+ +

Lorenzo Martignoni reports that the packages are version 1.3.5a and are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

+ +

7/27/2002 - Shorewall 1.3.5a Released

+ +

This interim release restores correct handling of REDIRECT rules.

+ +

7/26/2002 - Shorewall 1.3.5 Released

+ +

This will be the last Shorewall release for a while. I'm going to be + focusing on rewriting a lot of the documentation.

+ +

 In this version:

+ +
+ + + + + +
bulletEmpty and invalid source and destination qualifiers are now detected in + the rules file. It is a good idea to use the 'shorewall check' command before + you issue a 'shorewall restart' command be be sure that you don't have any + configuration problems that will prevent a successful restart.
bulletAdded MERGE_HOSTS variable in shorewall.conf to provide saner behavior of + the /etc/shorewall/hosts file.
bulletThe time that the counters were last reset is now displayed in the + heading of the 'status' and 'show' commands.
bulletA proxyarp option has been added for entries in + /etc/shorewall/interfaces. This + option facilitates Proxy ARP sub-netting as described in the Proxy ARP + subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). + Specifying the proxyarp option for an interface causes Shorewall to set + /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
bulletThe Samples have been updated to reflect the new capabilities in this + release.
+ +

7/16/2002 - New Mirror in Argentina

+ +

Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall + mirror in Argentina. Thanks Buanzo!!!

+ +

7/16/2002 - Shorewall 1.3.4 Released

+ +

In this version:

+ +
+ + + + + +
bulletA new + /etc/shorewall/routestopped file has been added. This file is intended to + eventually replace the routestopped option in the + /etc/shorewall/interface and /etc/shorewall/hosts files. This new file makes + remote firewall administration easier by allowing any IP or subnet to be + enabled while Shorewall is stopped.
bulletAn /etc/shorewall/stopped extension + script has been added. This script is invoked after Shorewall has + stopped.
bulletA DETECT_DNAT_ADDRS option has been added to + /etc/shoreall/shorewall.conf. When this + option is selected, DNAT rules only apply when the destination address is the + external interface's primary IP address.
bulletThe QuickStart Guide has + been broken into three guides and has been almost entirely rewritten.
bulletThe Samples have been updated + to reflect the new capabilities in this release. 
+ +

7/8/2002 - Shorewall 1.3.3 Debian Package Available

+ +

Lorenzo Martignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

+ +

7/6/2002 - Shorewall 1.3.3 Released

+ +

In this version:

+ +
+ + + + + + +
bulletEntries in /etc/shorewall/interface that use the wildcard character ("+") + now have the "multi" option assumed.
bulletThe 'rfc1918' chain in the mangle table has been renamed 'man1918' to + make log messages generated from that chain distinguishable from those + generated by the 'rfc1918' chain in the filter table.
bulletInterface names appearing in the hosts file are now validated against the + interfaces file.
bulletThe TARGET column in the rfc1918 file is now checked for correctness.
bulletThe chain structure in the nat table has been changed to reduce the + number of rules that a packet must traverse and to correct problems with + NAT_BEFORE_RULES=No.
bulletThe 'hits' command has been enhanced.
+ + +

More News

+ + +

SourceForge LogoThe + Shorewall Project uses facilities provided by SourceForge.

+ + +

+ + Jacques Nilo and Eric Wolzak have a LEAF distribution called Bering + that features Shorewall-1.3.3 and Kernel-2.4.18. You can find their work at: + http://leaf.sourceforge.net/devel/jnilo

+ + +

Updated + 7/29/2002 - Tom Eastep + + + + +

+ + +
+
\ No newline at end of file
diff --git a/STABLE/documentation/shoreline.htm b/STABLE/documentation/shoreline.htm
new file mode 100644
index 000000000..75e9dd4f8
--- /dev/null
+++ b/STABLE/documentation/shoreline.htm
@@ -0,0 +1,100 @@
+ + + + + + About the Shorewall Author + + + + + + + + + + + + +

Tom Eastep

+ + + +

+ Tom on the PCT - 1991

+ + + +

Tom on the Pacific Crest Trail north of Stevens Pass, + Washington  -- Sept + 1991.
+ Photo + by Ken Mazawa

+ + +
+ + + + + + +
bulletBorn 1945 in Washington +State +.
bulletBA Mathematics from Washington State +University + 1967
bulletMA Mathematics from University +of Washington 1969
bulletBurroughs Corporation (now Unisys +) 1969 - 1980
bulletTandem Computers, Incorporated + (now part of the The New HP) 1980 - present
bulletMarried 1969 - no children.
+ +

I am currently a member of the design team for the next-generation + operating system from the NonStop Enterprise Division of HP.

+ +

I became interested in Internet Security +when I established a home office in 1999 and had DSL service installed in our + home. I investigated +ipchains and developed the scripts which are now collectively known as Seattle + Firewall. Expanding on what I learned from Seattle Firewall, I then + designed and wrote Shorewall.

+ +

I telework from our home in Shoreline, +Washington + where I live with my wife Tarry.

+ +

Our current home network consists of:

+ +
+ + + + + + +
bullet1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 8GB IDE HDs + and LNE100TX (Tulip) NIC - My personal Windows system. This system also has + RH7.3 installed.
bulletPII/266, RH7.3, 320MB RAM, 20GB HD, LNE100TX(Tulip) NIC - My personal + GNU/Linux System which runs Samba configured as a WINS server.
bulletK6-2/350, RH7.3, 256MB RAM, 8GB IDE HD, EEPRO100 NIC  +- Mail (Postfix & Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server + (Bind).
bulletPII/233, RH7.3 with 2.4.19 kernel, 128MB MB RAM, 2GB SCSI HD - 3 + LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.4 and a DHCP + server.  Also runs PoPToP for road warrior access.
bulletDuron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's personal system.
bulletPII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 and EEPRO100 +in expansion base - My main work system.
+

For more about our network see my Shorewall + Configuration.

+ +

The PII/266 is made by Dell. All of our + other systems are made by Compaq (part + of the new HP).. All of our Tulip NICs are Netgear + FA310TXs.

+ + +

+

+ + +

Last updated 8/4/2002 - + Tom Eastep +

+ Copyright + © 2001, 2002 Thomas M. Eastep.
\ No newline at end of file
diff --git a/STABLE/documentation/shorewall_extension_scripts.htm b/STABLE/documentation/shorewall_extension_scripts.htm
new file mode 100644
index 000000000..9615a9add
--- /dev/null
+++ b/STABLE/documentation/shorewall_extension_scripts.htm
@@ -0,0 +1,108 @@
+ + + + + + + +Shorewall Extension Scripts + + + + + +

Extension Scripts

+ +

+ Extension scripts are user-provided + scripts that are invoked at various points during firewall start, restart, + stop and clear. The scripts are placed in /etc/shorewall and are processed + using the Bourne shell "source" mechanism. The following scripts can be + supplied:

+
+ + + + + + + +
bulletinit -- invoked early in "shorewall start" and "shorewall restart"
bulletstart -- invoked after the firewall has been started or restarted.
bulletstop -- invoked as a first step when the firewall is being stopped.
bulletstopped -- invoked after the firewall has been stopped.
bulletclear -- invoked after the firewall has been cleared.
bulletrefresh -- invoked while the firewall is being refreshed but before the + common and/or blacklst chains have been rebuilt.
bulletnewnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' chain + has been created but before any rules have been added to it.
+ + + +

+ You can also supply a script with the same name as any of the filter +chains in the firewall and the script will be invoked after the /etc/shorewall/rules + file has been processed but before the /etc/shorewall/policy file has +been processed.

+ + + +

The following two files receive +special treatment:

+ +
+ + +
bullet/etc/shorewall/common -- If this file is present, the rules that it + defines will totally replace the default rules in the common chain. These + default rules are contained in the file /etc/shorewall/common.def which + may be used as a starting point for making your own customized file.
bullet/etc/shorewall/icmpdef -- If this file is present, the rules that it + defines will totally replace the default rules in the icmpdef chain. +These default rules are contained in the file /etc/shorewall/icmp.def +which may be used as a starting point for making your own customized +file.
+ + + +

+ Rather than running iptables directly, you should run it using the function + run_iptables. Similarly, rather than running "ip" directly, you should +use run_ip. These functions accept the same arguments as the underlying +command but cause the firewall to be stopped if an error occurs during +processing of the command.

+ + + +

+ If you decide to create /etc/shorewall/common or /etc/shorewall/icmp.def, it + is a good idea to use the following technique (common file shown but the same + technique applies to icmpdef).

+ + + +

+ /etc/shorewall/common:

+ + + +
+
source /etc/shorewall/common.def
+<add your rules here>
+
+

If you need to supercede a rule in the released common.def file, you can add + the superceding rule before the 'source' command. Using this technique allows + you to add new rules while still getting the benefit of the latest common.def + file.

+ + + +

Remember that /etc/shorewall/common and /etc/shorewall/icmpdef define rules + that are only applied if the applicable policy is DROP or REJECT. These rules + are NOT applied if the policy is ACCEPT or CONTINUE.
+

+ + + +

Last updated +8/5/2002 - Tom +Eastep

+ +

Copyright 2002 Thomas M. Eastep

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/shorewall_features.htm b/STABLE/documentation/shorewall_features.htm
new file mode 100644
index 000000000..a4ce1dc32
--- /dev/null
+++ b/STABLE/documentation/shorewall_features.htm
@@ -0,0 +1,86 @@
+ + + + + + + +Shorewall Features + + + + + +

Shorewall Features

+
+ + + + + + + + + + +
bulletUses Netfilter's connection tracking facilities for stateful packet + filtering.
bulletCan be used in a wide range of router/firewall/gateway applications. + + + + + + +
bulletCompletely customizable using configuration files.
bulletNo limit on the number of network interfaces.
bulletAllows you to partitions the network into zones + and gives you complete control over the connections permitted between + each pair of zones.
bulletMultiple interfaces per zone and multiple zones per interface + permitted.
bulletSupports nested and overlapping zones.
+
bullet QuickStart Guides to help + get your first firewall up and running quickly
bulletExtensive documentation + included in the .tgz and .rpm downloads.
bulletFlexible address management/routing support (and you can use all + types in the same firewall): + + + + + + +
bulletMasquerading/SNAT
bulletPort Forwarding (DNAT).
bullet + Static NAT.
bullet + Proxy ARP.
bulletSimple host/subnet Routing
+
bulletBlacklisting of individual + IP addresses and subnetworks is supported.
bulletOperational support: + + + + +
bulletCommands to start, stop and clear the firewall
bulletSupports status monitoring + with an audible alarm when an "interesting" packet is detected.
bulletWide variety of informational commands.
+
bulletVPN Support + + + +
bulletIPSEC, GRE and IPIP + Tunnels.
bulletPPTP clients and Servers.
+
bulletSupport for Traffic Control/Shaping + integration.
bulletWide support for different GNU/Linux Distributions. + + + + +
bulletRPM and Debian + packages available.
bulletIncludes automated install, upgrade, fallback + and uninstall facilities for users who can't use or choose not + to use the RPM or Debian packages.
bulletCompatible with 2.4-kernel based versions of + LEAF + + .
+
+

Last updated 7/14/2002 - Tom +Eastep

+

+Copyright © 2001,2002 Thomas M. Eastep.

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/shorewall_firewall_structure.htm b/STABLE/documentation/shorewall_firewall_structure.htm
new file mode 100644
index 000000000..b8ebbf90a
--- /dev/null
+++ b/STABLE/documentation/shorewall_firewall_structure.htm
@@ -0,0 +1,136 @@
+ + + + + + + +Shorewall Firewall Structure + + + + + +

Firewall Structure

+

+ Shorewall views the network in which it is running as a set of disjoint + zones. Shorewall itself defines exactly one zone called "fw" +which refers to the firewall system itself . The /etc/shorewall/zones file +is used to define additional zones and the example file provided with Shorewall +defines the zones:

+
    +
  1. + net -- the (untrusted) internet.
  2. +
  3. + dmz - systems that must be accessible from the internet and from the +local network.  These systems cannot be trusted completely since their servers +may have been compromised through a security exploit.
  4. +
  5. + loc - systems in your local network(s). These systems must be protected +from the internet and from the DMZ and in some cases, from each other.
  6. +
+

Note: You can specify the name of the firewall zone. + For ease of description in this documentation, it is assumed + that the firewall zone is named "fw".

+

It can't be stressed enough that + with the exception of the firewall zone, Shorewall itself attaches no meaning to + zone names. Zone names are simply labels used to refer to a collection of + network hosts.

+

+ Traffic entering the + firewall is sent to an input chain. If the traffic is destined for the + firewall itself, the name of the input chain is formed by appending "_in" to + the interface name. So traffic on eth0 destined for the firewall will enter a + chain called eth0_in. The input chain for traffic that will be routed to + another system is formed by appending "_fwd" to the interface name. So traffic + from eth1 that is going to be forwarded enters a chain called eth1_fwd. + Interfaces described with the wild-card character ("+") in + /etc/shorewall/interfaces, share input chains. if ppp+ appears in + /etc/shorewall/interfaces then all PPP interfaces (ppp0, ppp1, ...) will share + the input chains ppp_in and ppp_fwd. In other words, "+" is + deleted from the name before forming the input chain names.

+

+ While the use of input chains may seem wasteful in simple environments, in + complex setups it substantially reduces the number of rules that each packet + must traverse. 

+

+ Traffic directed from a zone to the firewall itself is sent through a +chain named <zone name>2fw. For example, traffic inbound from +the internet and addressed to the firewall is sent through a chain named +net2fw. Similarly, traffic originating in the firewall and being sent to +a host in a given zone is sent through a chain named fw2<zone name>. + For example, traffic originating in the firewall and destined +for a host in the local network is sent through a chain named fw2loc. + +  

+

+ Traffic being forwarded between two zones (or from one interface to a +zone to another interface to that zone) is sent through a chain named +<source zone>2 <destination zone>. So for example, +traffic originating in a local system and destined for a remote web server +is sent through chain loc2net. This chain is referred to +as the canonical chain from <source zone> to <destination +zone>. Any destination NAT will have occurred before the packet +traverses one of these chains so rules in /etc/shorewall/rules should be +expressed in terms of the destination system's real IP address as opposed +to its apparent external address. Similarly, source NAT will occur after + the packet has traversed the appropriate forwarding chain so the rules +again will be expressed using the source system's real IP address.

+

+ For each record in the /etc/shorewall/policy file, a chain is created. Policies +in that file are expressed in terms of a source zone and destination zone +where these zones may be a zone defined in /etc/shorewall/zones, "fw" or +"all". Policies specifying the pseudo-zone "all" matches all defined zones +and "fw". These chains are referred to as Policy Chains. Notice that +for an ordered pair of zones (za,zb), the canonical chain (za2zb) may also +be the policy chain for the pair or the policy chain may be a different +chain (za2all, for example). Packets from one zone to another will traverse +chains as follows:

+
    +
  1. + If the canonical chain exists, packets first traverse that chain.
  2. +
  3. + If the canonical chain and policy chain are different and the packet + does not match a rule in the canonical chain, it then is sent to the + policy chain.
  4. +
  5. + If the canonical chain does not exist, packets are sent immediately + to the policy chain.
  6. +
+

+ The canonical chain from zone za to zone zb will be created only if there +are exception rules defined in /etc/shorewall/rules for packets going from +za to zb.

+

+ Shorewall is built on top of the Netfilter kernel facility. Netfilter +implements connection tracking function that allow what is often referred +to as "statefull inspection" of packets. This statefull property allows + firewall rules to be defined in terms of "connections" rather than in +terms of "packets". With Shorewall, you:

+
    +
  1. + Identify the client's zone.
  2. +
  3. + Identify the server's zone.
  4. +
  5. + If the POLICY from the client's zone to the server's zone is what you + want for this client/server pair, you need do nothing further.
  6. +
  7. + If the POLICY is not what you want, then you must add a rule. That rule + is expressed in terms of the client's zone and the server's zone.
  8. +
+

+ Just because connections of a particular type are allowed between zone A + and the firewall and are also allowed between the firewall and zone B + DOES NOT mean that these connections are allowed between zone A and zone + B. It rather means that you can have a proxy running on +the firewall that accepts a connection from zone A and then establishes +its own separate connection from the firewall to zone B.

+

+ If you adopt the default policy of ACCEPT from the local zone to the internet +zone and you are having problems connecting from a local client to an internet +server, adding a rule won't help + (see point 3 above).

+

Last modified 7/26/2002 - Tom +Eastep

+Copyright © 2001, 2002 Thomas M. Eastep.
\ No newline at end of file
diff --git a/STABLE/documentation/shorewall_index.htm b/STABLE/documentation/shorewall_index.htm
new file mode 100644
index 000000000..24fcf92ac
--- /dev/null
+++ b/STABLE/documentation/shorewall_index.htm
@@ -0,0 +1,25 @@
+ + + + +Shoreline Firewall + + + + + + + + + + + + + + <body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica"> + + <p>This page uses frames, but your browser doesn't support them.<!--mstheme--></font></body> + + + +
diff --git a/STABLE/documentation/shorewall_mailing_list_migration.htm b/STABLE/documentation/shorewall_mailing_list_migration.htm
new file mode 100644
index 000000000..3b90157f2
--- /dev/null
+++ b/STABLE/documentation/shorewall_mailing_list_migration.htm
@@ -0,0 +1,37 @@
+ + + + + + + +Shorewall Mailing List Migration + + + + +

Shorewall Mailing List Migration

+

If you are a current subscriber to the Shorewall mailing list at +Sourceforge, please do the following:

+
    +
  1. +

    Subscribe to the new mailing list at http://www.shorewall.net/mailman/listinfo/shorewall-users

  2. +
  3. +

    Once you have successfully subscribed to the new list, go to + http://lists.sourceforge.net/lists/listinfo/shorewall-users + and at the bottom of the page, enter your subscription email address and + click the "Edit Options" button. You will be taken to a page where + you can enter your password and unsubscribe. If you have forgotten your + password, there is a place on the page where you can request that it be + emailed to you.

  4. +
+

Last updated 1/1/2002 - Tom +Eastep

+ +

+Copyright © 2002 Thomas M. Eastep.

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/shorewall_mirrors.htm b/STABLE/documentation/shorewall_mirrors.htm
new file mode 100644
index 000000000..0856d7064
--- /dev/null
+++ b/STABLE/documentation/shorewall_mirrors.htm
@@ -0,0 +1,57 @@
+ + + + + + + +Shorewall Mirrors + + + + +

Shorewall Mirrors

+ +

Remember that updates to the mirrors are often delayed for +6-12 hours after an update to the primary site.

+ +

The main Shorewall Web Site is http://www.shorewall.net +and is located in Washington State, USA. +It is mirrored at:

+ +
+ + + + +
bullet + http://slovakia.shorewall.net + (Slovak Republic).
bullet + + http://shorewall.infohiiway.com + (Texas, USA).
bullet + http://germany.shorewall.net (Hamburg, Germany)
bullethttp://shorewall.correofuego.com.ar (Martinez (Zona Norte - GBA), Argentina)
+

The main Shorewall FTP Site is ftp://ftp.shorewall.net/pub/shorewall/ +and is located in Washington State, USA.  +It is mirrored at:

+
+ + + + +
bulletftp://slovakia.shorewall.net/mirror/shorewall + (Slovak Republic).
bullet + ftp://ftp.infohiiway.com/pub/shorewall + (Texas, USA).
bullet + ftp://germany.shorewall.net/pub/shorewall (Hamburg, Germany)
bullet + ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall (Martinez (Zona Norte - GBA), Argentina)
+

Last Updated 7/16/2002 - Tom +Eastep

+ +

+Copyright © 2001, 2002 Thomas M. Eastep.

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/shorewall_prerequisites.htm b/STABLE/documentation/shorewall_prerequisites.htm
new file mode 100644
index 000000000..594808b50
--- /dev/null
+++ b/STABLE/documentation/shorewall_prerequisites.htm
@@ -0,0 +1,51 @@
+ + + + + + + +Shorewall Prerequisites + + + + +

Shorewall Requirements

+

 

+
+ + + + + +
bulletA kernel that supports netfilter. I've tested with 2.4.2 - 2.4.19. + Check here for kernel configuration information. + If you are looking for a firewall for use with 2.2 kernels, + see the Seattle Firewall site + .
bulletiptables 1.2 or later but beware version 1.2.3 -- see the Errata. + WARNING: The buggy iptables version 1.2.3 + is included in RedHat 7.2 and you should upgrade to iptables 1.2.4 prior to + installing Shorewall. Version 1.2.4 is available + from RedHat + and in the Shorewall Errata. If you are going to be + running kernel 2.4.18 or later, NO currently-available RedHat iptables RPM + will work -- again, see the Shorewall Errata.
bulletSome features require iproute ("ip" utility). The iproute package is + included with most distributions but may not be installed by default. The + official download site is +ftp://ftp.inr.ac.ru/ip-routing. + +
bulletA Bourne shell or derivative such as bash or ash. Must have correct + support for variable expansion formats ${variable%pattern + }, ${variable%%pattern}, ${variable#pattern + } and ${variable##pattern}.
bulletThe firewall monitoring display is greatly improved if you have awk + (gawk) installed.
+

Last updated 8/4/2002 - Tom +Eastep

+ +

+Copyright © 2001, 2002 Thomas M. Eastep.

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/shorewall_quickstart_guide.htm b/STABLE/documentation/shorewall_quickstart_guide.htm
new file mode 100644
index 000000000..556a0d581
--- /dev/null
+++ b/STABLE/documentation/shorewall_quickstart_guide.htm
@@ -0,0 +1,143 @@
+ + + + + + + +Shorewall QuickStart Guide + + + + +

Shorewall QuickStart Guides
+Version 3.0

+ +

With thanks to Richard who reminded me once again that we must +all first walk before we can run.

+ +

The Guides

+

These guides provide step-by-step instructions for configuring Shorewall in +common firewall setups.

+

The following guides are for firewalls with a single external IP address:

+
+ + + +
bulletStandalone Linux System
bulletTwo-interface Linux System acting as a + firewall/router for a small local network
bulletThree-interface Linux System acting as a + firewall/router for a small local network and a DMZ.
+

The above guides are designed to get your first firewall up and running +quickly in the three most common Shorewall configurations.

+

The Shorewall Setup Guide outlines +the steps necessary to set up a firewall where there are multiple public IP +addresses involved or if you want to learn more about Shorewall than is +explained in the single-address guides above.

+
+ + + + + + + +
bullet1.0 Introduction
bullet2.0 Shorewall Concepts
bullet3.0 Network Interfaces
bullet4.0 Addressing, Subnets and Routing + + + + +
bullet4.1 IP Addresses
bullet4.2 Subnets
bullet4.3 Routing
bullet4.4 Address Resolution Protocol
+ + +
bullet4.5 RFC 1918
+
bullet5.0 Setting up your Network + +
bullet5.1 Routed
+ + + + +
bullet5.2 Non-routed + + + + +
bullet5.2.1 SNAT
bullet5.2.2 DNAT
bullet5.2.3 Proxy ARP
bullet5.2.4 Static NAT
+
bullet5.3 Rules
bullet5.4 Odds and Ends
+
bullet6.0 DNS
bullet7.0 Starting and + Stopping the Firewall
+

Additional Documentation

+

The following documentation covers a variety of topics and supplements the +QuickStart Guides described above.

+
+ + + + + + + + + + + + + + + + +
bulletBlacklisting + + +
bulletStatic Blacklisting using /etc/shorewall/blacklist
bulletDynamic Blacklisting using /sbin/shorewall
+
bulletCommon configuration file features + + + + + + + + +
bulletComments in configuration files
bulletLine Continuation
bulletPort Numbers/Service Names
bulletPort Ranges
bulletUsing Shell Variables
bulletComplementing an IP address or Subnet
bulletShorewall Configurations (making a test configuration)
bulletUsing MAC Addresses in Shorewall
+
bulletConfiguration File Reference Manual + + + + + + + + + + + + + + + + + + +
bullet + params
bulletzones
bulletinterfaces
bullethosts
bulletpolicy
bulletrules
bulletcommon
bulletmasq
bulletproxyarp
bulletnat
bullettunnels
bullettcrules
bulletshorewall.conf
bulletmodules
bullettos
bulletblacklist
bulletrfc1918
bulletroutestopped
+
bulletDHCP
bulletExtension Scripts + (How to extend Shorewall without modifying Shorewall code)
bulletFallback/Uninstall
bulletFirewall Structure
bulletKernel Configuration
bulletMy + Configuration Files (How I personally use Shorewall)
bulletPort Information + + +
bulletWhich applications use which ports
bulletPorts used by Trojans
+
bulletProxy ARP
bulletSamba
bulletStarting/stopping the Firewall
bulletStatic NAT
bulletTunnels + + + +
bulletIPSEC
bulletGRE and IPIP
bulletPPTP
+
bulletWhite List Creation
+

If you use one of these guides and have a suggestion for improvement +please let me know.

+

Copyright 2002 Thomas M. Eastep

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/shorewall_setup_guide.htm b/STABLE/documentation/shorewall_setup_guide.htm
new file mode 100644
index 000000000..3ffd11b9e
--- /dev/null
+++ b/STABLE/documentation/shorewall_setup_guide.htm
@@ -0,0 +1,2322 @@
+ + + + + + + +Shorewall Setup Guide + + + + +

Shorewall Setup Guide

+

1.0 Introduction
+2.0 Shorewall Concepts
+3.0 Network Interfaces
+4.0 Addressing, Subnets and Routing

+
+

4.1 IP Addresses
+4.2 Subnets
+4.3 Routing
+4.4 Address Resolution Protocol
+4.5 RFC 1918

+
+

5.0 Setting up your Network

+
+

5.1 Routed
+5.2 Non-routed

+
+

5.2.1 SNAT
+5.2.2 DNAT
+5.2.3 Proxy ARP
+5.2.4 Static NAT

+
+

5.3 Rules
+5.4 Odds and Ends

+
+

6.0 DNS
+7.0 Starting and Stopping the Firewall

+

1.0 Introduction

+

This guide is intended for users who are setting up Shorewall in an +environment where a set of public IP addresses must be managed or who want to +know more about Shorewall than is contained in the +single-address +guides. Because the +range of possible applications is so broad, the Guide will give you general +guidelines and will point you to other resources as necessary.

+

This guide assumes that you have the iproute/iproute2 package installed (on +RedHat, the package is called iproute). You can tell if this +package is installed by the presence of an ip program on your firewall +system. As root, you can use the 'which' command to check for this program:

+
     [root@gateway root]# which ip
+     /sbin/ip
+     [root@gateway root]#

I recommend that you first read through the +guide to familiarize yourself with what's involved then go back through it again +making your configuration changes. Points at which configuration changes are +recommended are flagged with .

+

    +If you edit your configuration files on a Windows system, you must save them as +Unix files if your editor supports that option or you must run them through +dos2unix before trying to use them. Similarly, if you copy a configuration file +from your Windows hard drive to a floppy disk, you must run dos2unix against the +copy before using it with Shorewall.

+
+ + +
bulletWindows Version of + dos2unix
bulletLinux Version of + dos2unix
+

2.0 Shorewall Concepts

+

The configuration files for Shorewall are contained in the directory +/etc/shorewall -- for most setups, you will only need to deal with a few of +these as described in this guide. Skeleton files are created during the +Shorewall Installation Process.

+

As each file is introduced, I suggest that you +look through the actual file on your system -- each file contains detailed +configuration instructions and some contain default entries.

+

Shorewall views the network where it is running as being composed of a set of +zones. In the default installation, the following zone names are used:

+
+ + + + + + + + + + + + + + + + +
NameDescription
netThe Internet
locYour Local Network
dmzDemilitarized Zone
+

Zones are defined in the +/etc/shorewall/zones file.

+

Shorewall also recognizes the firewall system as its own zone - by default, +the firewall itself is known as fw but that may be changed in the +/etc/shorewall/shorewall.conf file. In +this guide, the default name (fw) will be used.

+

With the exception of fw, Shorewall attaches absolutely no meaning to +zone names. Zones are entirely what YOU make of them. That means that you should +not expect Shorewall to do something special "because this is the internet zone" +or "because that is the DMZ".

+

    Edit the +/etc/shorewall/zones file and make any changes necessary.

+

Rules about what traffic to allow and what traffic to deny are expressed in +terms of zones.

+
+ + +
bulletYou express your default policy for connections from one zone to another + zone in the /etc/shorewall/policy file.
bulletYou define exceptions to those default policies in the + /etc/shorewall/rules file.
+

+ Shorewall is built on top of the Netfilter kernel facility. Netfilter +implements a connection tracking function that allow what is often referred +to as statefull inspection of packets. This statefull property allows + firewall rules to be defined in terms of connections rather than in +terms of packets. With Shorewall, you:

+
    +
  1. + Identify the source zone.
  2. +
  3. + Identify the destination zone.
  4. +
  5. + If the POLICY from the client's zone to the server's zone is what you + want for this client/server pair, you need do nothing further.
  6. +
  7. + If the POLICY is not what you want, then you must add a rule. That rule + is expressed in terms of the client's zone and the server's zone.
  8. +
+

+ Just because connections of a particular type are allowed between zone A + and the firewall and are also allowed between the firewall and zone B + DOES NOT mean that these connections are allowed between zone A and zone + B. It rather means that you can have a proxy running on +the firewall that accepts a connection from zone A and then establishes +its own separate connection from the firewall to zone B.

+

For each connection request entering the firewall, the request is first +checked against the /etc/shorewall/rules file. If no rule in that file matches +the connection request then the first policy in /etc/shorewall/policy that +matches the request is applied. If that policy is REJECT or DROP  the +request is first checked against the rules in /etc/shorewall/common.def.

+

The default /etc/shorewall/policy file has the +following policies:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Source ZoneDestination ZonePolicyLog LevelLimit:Burst
locnetACCEPT  
netallDROPinfo 
allallREJECTinfo 
+
+

The above policy will:

+
    +
  1. allow all connection requests from your local network to the internet
  2. +
  3. drop (ignore) all connection requests from the internet to your firewall + or local network and log a message at the info level (see "man syslog").
  4. +
  5. reject all other connection requests and log a message at the info + level. When a request is rejected, the firewall will return an RST (if the + protocol is TCP) or an ICMP port-unreachable packet for other protocols.
  6. +
+

    At this point, edit your /etc/shorewall/policy and make any changes that you +wish.

+

3.0 Network Interfaces

+

For the remainder of this guide, we'll refer to the following +diagram. While it may not look like your own network, it can be used to +illustrate the important aspects of Shorewall configuration.

+

In this diagram:

+
+ + + +
bullet +

The DMZ Zone consists of systems DMZ 1 and DMZ 2.

+
bullet +

The Local Zone consists of systems Local 1, Local 2 and Local 3.

+
bullet +

All systems from the ISP outward comprise the Internet Zone.

+
+

+

The simplest way to define zones is to simply associate the zone +name (previously defined in /etc/shorewall/zones) with a network interface. This +is done in the /etc/shorewall/interfaces +file.

+

The firewall illustrated above has three network interfaces. +Where Internet connectivity is through a cable or DSL "Modem", the External +Interface will be the Ethernet adapter that is connected to that "Modem" +(e.g., eth0)  +unless you connect via Point-to-Point Protocol +over Ethernet (PPPoE) or Point-to-Point Tunneling +Protocol (PPTP) in which case the External Interface will be a ppp +interface (e.g., ppp0). If you connect via a regular modem, your External +Interface will also be ppp0. If you connect using ISDN, you external +interface will be ippp0.

+

    If +your external interface is ppp0 or ippp0 then you will want to set +CLAMPMSS=yes in +/etc/shorewall/shorewall.conf.

+

Your Local Interface will be an Ethernet adapter (eth0, +eth1 or eth2) and will be connected to a hub or switch. Your local computers +will be connected to the same switch (note: If you have only a single local system, +you can connect the firewall directly to the computer using a cross-over +cable).

+

Your DMZ Interface will also be an Ethernet adapter (eth0, +eth1 or eth2) and will be connected to a hub or switch. Your DMZ computers will +be connected to the same switch (note: If you have only a single DMZ system, +you can connect the firewall directly to the computer using a cross-over +cable).

+

+Do not connect more than one interface +to the same hub or switch (even for testing). It won't work the way that you +expect it to and you will end up confused and +believing that Shorewall doesn't work at all.

+

For the remainder of this Guide, we will assume that:

+
+ + + +
bullet +

The external interface is eth0.

+
bullet +

The Local interface is eth1.

+
bullet +

The DMZ interface is eth2.

+
+

The Shorewall default configuration does not define the contents +of any zone. To define the above configuration using the +/etc/shorewall/interfaces file, that file would might contain:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ZoneInterfaceBroadcastOptions
neteth0detectnorfc1918
loceth1detect 
dmzeth2detect 
+
+

    +Edit the /etc/shorewall/interfaces file and define the network interfaces on +your firewall and associate each interface with a zone. If you have a zone that +is interfaced through more than one interface, simply include one entry for each +interface and repeat the zone name as many times as necessary.

+

Example:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ZoneInterfaceBroadcastOptions
neteth0detectnorfc1918
loceth1detect 
loceth2detectdhcp
+
+
+

When you have more than one interface to a zone, you will + usually want a policy that permits intra-zone traffic:

+
+
+ + + + + + + + + + + + + + + +
Source ZoneDestination ZonePolicyLog LevelLimit:Burst
loclocACCEPT  
+
+
+

    +You may define more complicated zones using the +/etc/shorewall/hosts file but in most +cases, that isn't necessary.

+

4.0 Addressing, Subnets and Routing

+

Normally, your ISP will assign you a set of +Public IP addresses. You will configure your firewall's external interface to use +one of those addresses permanently and you will then have to decide how you are +going to use the rest of your addresses. Before we tackle that question though, some +background is in order.

+

If you are thoroughly familiar with IP addressing and routing, +you may go to the next section.

+

The following discussion barely scratches the surface of addressing and routing. If you are interested in learning more about +this subject, I highly recommend "IP Fundamentals: What Everyone +Needs to Know about Addressing & Routing", Thomas A. Maufer, Prentice-Hall, +1999, ISBN 0-13-975483-0.

+

4.1 IP Addresses

+

IP version 4 (IPv4) addresses are 32-bit numbers. The notation w.x.y.z refers to an address where the high-order byte has value "w", the next +byte has value "x", etc. If we take the address 192.0.2.14 and express it in +hexadecimal, +we get:

+
+

C0.00.02.0E

+
+

or looking at it as a 32-bit integer

+
+

C000020E

+
+

4.2 Subnets

+

You will still hear the terms "Class A network", "Class B +network" and "Class C network". In the early days of IP, networks only came +in three sizes:

+
+

Class A - netmask 255.0.0.0, size = 2 ** 24

+

Class B - netmask 255.255.0.0, size = 2 ** 16

+

Class C - netmask 255.255.255.0, size = 256

+
+

The class of a network was uniquely determined by the value of the high +order byte of its address so you could look at an IP address and immediately +determine the associated netmask. The netmask is a number that when +logically ANDed with an address isolates the network number; the +remainder of the address is the host number. For example, in the Class C +address 192.0.2.14, the network number is hex C00002 and the host number is hex +0E.

+

As the internet grew, it became clear that such a gross +partitioning of the 32-bit address space was going to be very limiting (early +on, large corporations and universities were assigned their own class A +network!). After some false starts, the current technique of subnetting +these networks into smaller subnetworks evolved -- today, any system that +you are likely to work with will understand subnetting and Class-based networking is largely a +thing of the past.

+

A subnetwork (often referred to as a subnet) is + a contiguous set of IP addresses such that:

+
    +
  1. +

    The number of addresses in the set is a power of 2; and

    +
  2. +
  3. +

    The first address in the set is a multiple of the set size.

    +
  4. +
  5. +

    The first address in the subnet is reserved and is referred to as the + subnet address.

    +
  6. +
  7. +

    The last address in the subnet is reserved as the subnet's broadcast + address.

    +
  8. +
+

As you can see by this definition, in each subnet of size n + there are (n - 2) usable addresses (addresses that can be assigned to + hosts). The first and last address in the subnet are used for the subnet + address and subnet broadcast address respectively.

+

Since n is a power of two, we can easily calculate the + Natural Logarithm (log2) of n. For the more common subnet sizes, the size and its natural logarithm are given in the + following table:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
nllog2 n(32 - log2 n)
8329
16428
32527
64626
128725
256824
512923
10241022
20481121
40961220
81921319
163841418
327681517
655361616
+
+

You will notice that the above table also contains a column + for (32 - log2 n). That number is the Variable Length Subnet Mask for a network of size n. From the above table, we can + extract the following one which is a little easier to use.

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Size of SubnetVLSMSubnet Mask
8/29255.255.255.248
16/28255.255.255.240
32/27255.255.255.224
64/26255.255.255.192
128/25255.255.255.128
256/24255.255.255.0
512/23255.255.254.0
1024/22255.255.252.0
2048/21255.255.248.0
4096/20255.255.240.0
8192/19255.255.224.0
16384/18255.255.192.0
32768/17255.255.128.0
65536/16255.255.0.0
2 ** 24/8255.0.0.0
+
+

Notice that the VLSM is written with a slash ("/") -- you will + often hear a subnet of size 64 referred to as a "slash 26" subnet and one of + size 8 referred to as a "slash 29".

+

The subnet's mask (also referred to as its netmask) is simply a 32-bit number with the first "VLSM" + bits set to one and the remaining bits set to zero. For example, for a subnet + of size 64, the subnet mask has 26 leading one bits:

+
+

11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0 = + 255.255.255.192

+
+

The subnet mask has the property that if you logically AND the + subnet mask with an address in the subnet, the result is the subnet address. + Just as important, if you logically AND the subnet mask with an address + outside the subnet, the result is NOT the subnet address.

+

For a subnetwork whose address is a.b.c.d and whose + Variable Length Subnet Mask is /v, we denote the subnetwork as "a.b.c.d/v" + using VLSM Notation

+

Example:

+
+ + + + + + + + + + + + + + + + + + + + + +
Subnet:10.10.10.0 - 10.10.10.127
Subnet Size:128
Subnet Address:10.10.10.0
Broadcast Address:10.10.10.127
VLSM Notation:10.10.10.0/25
+
+

There are two degenerate subnets that need mentioning; namely, the +subnet with one member and the subnet with 2 ** 32 members.

+
+ + + + + + + + + + + + + + + + + + + +
Size of SubnetworkVLSM LengthSubnet MaskVLSM Notation
132255.255.255.255a.b.c.d/32
2 ** 3200.0.0.00.0.0.0/0
+
+

So any address a.b.c.d may also be written +a.b.c.d/32 and the set of all possible IP addresses is written 0.0.0.0/0.

+

Later in this guide, you will see the notation a.b.c.d/v +used to describe the ip configuration of a network interface (the 'ip' utility +also uses this syntax). This simply means that the interface is configured with +ip address a.b.c.d and with the netmask that corresponds to VLSM /v.

+

Example: 192.0.2.65/29

+

    The interface is configured with IP address +192.0.2.65 and netmask 255.255.255.248.

+

4.3 Routing

+

One of the purposes of subnetting is that it forms the basis +for routing. Here's the routing table on my firewall:

+
+
+
[root@gateway root]# netstat -nr
+Kernel IP routing table
+Destination 	Gateway 	Genmask 	Flags MSS Window irtt Iface
+192.168.9.1 	0.0.0.0 	255.255.255.255 UH    40  0         0 texas
+206.124.146.177 0.0.0.0 	255.255.255.255 UH    40  0         0 eth1
+206.124.146.180 0.0.0.0 	255.255.255.255 UH    40  0         0 eth3
+192.168.3.0 	0.0.0.0 	255.255.255.0 	U     40  0         0 eth3
+192.168.2.0 	0.0.0.0 	255.255.255.0   U     40  0         0 eth1
+192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2
+206.124.146.0 	0.0.0.0 	255.255.255.0 	U     40  0         0 eth0
+192.168.9.0     192.0.2.223 	255.255.255.0 	UG    40  0         0 texas
+127.0.0.0 	0.0.0.0 	255.0.0.0 	U     40  0         0 lo
+0.0.0.0 	206.124.146.254 0.0.0.0 	UG    40  0         0 eth0
+[root@gateway root]#
+
+
+

The device texas is a GRE tunnel to a peer site in the +Dallas, Texas area.
+
+The first three routes are host routes since they indicate how to get to +a single host. In the 'netstat' output this can be seen by the "Genmask" (Subnet +Mask) of 255.255.255.255 and the "H" in the Flags column. The remainder are 'net' routes since they tell the +kernel how to route packets to a subnetwork. The last route is the default +route and the gateway mentioned in that route is called the default +gateway.

+

When the kernel is trying to send a packet to IP address A, +it starts at the top of the routing table and:

+
+ + + + +
bullet +

A is logically ANDed with the 'Genmask' value in the +table entry.

+
bullet +

The result is compared with the 'Destination' value in the table +entry.

+
bullet +

If the result and the 'Destination' value are the same, then:

+
+ + +
bullet +

If the 'Gateway' column is non-zero, the packet is sent to the +gateway over the interface named in the 'Iface' column.

+
bullet +

Otherwise, the packet is sent directly to A over the +interface named in the 'iface' column.

+
+
bullet +

Otherwise, the above steps are repeated on the next entry in the +table.

+
+

Since the default route matches any IP address (A land +0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing table +entries are sent to the default gateway which is usually a router at your +ISP.

+

Lets take an example. Suppose that we want to route a packet to +192.168.1.5. That address clearly doesn't match any of the host routes in the +table but if we logically and that address with 255.255.255.0, the result is +192.168.1.0 which matches this routing table entry:

+
+
+
192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2
+
+

So to route a packet to 192.168.1.5, the packet is sent directly over eth2.

+

4.4 Address Resolution Protocol

+

When sending packets over Ethernet, IP addresses aren't used. +Rather Ethernet addressing is based on Media Access Control (MAC) +addresses. Each Ethernet device has it's own unique  MAC address which is +burned into a PROM on the device during manufacture. You can obtain the MAC of +an Ethernet device using the 'ip' utility:

+
+
+
[root@gateway root]# ip addr show eth0
+2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
+link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
+inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
+inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0
+inet 206.124.146.179/24 brd 206.124.146.255 scope global secondary eth0
+[root@gateway root]#
+
+
+
+

As you can see from the above output, the MAC is 6 bytes (48 + bits) wide. A card's MAC is usually also printed on a label attached to the card + itself. +

+
+

Because IP uses IP addresses and Ethernet uses MAC addresses, + a mechanism is required to translate an IP address into a MAC address; that is + the purpose of the Address Resolution Protocol (ARP). Here is ARP in + action:

+
+
+
+
[root@gateway root]# tcpdump -nei eth2 arp
+tcpdump: listening on eth2
+09:56:49.766757 2:0:8:e3:4c:48 0:6:25:aa:8a:f0 arp 42: arp who-has 192.168.1.19 tell 192.168.1.254
+09:56:49.769372 0:6:25:aa:8a:f0 2:0:8:e3:4c:48 arp 60: arp reply 192.168.1.19 is-at 0:6:25:aa:8a:f0
+
+2 packets received by filter
+0 packets dropped by kernel
+[root@gateway root]#
+
+
+
+
+

In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants to +know the MAC of the device with IP address 192.168.1.19. The system having that +IP address is responding that the MAC address of the device with IP address +192.168.1.19 is 0:6:25:aa:8a:f0.

+

In order to avoid having to exchange ARP information each time +that an IP packet is to be sent, systems maintain an ARP cache of +IP<->MAC correspondences. You can see the ARP cache on your system (including +your Windows system) using the 'arp' command:

+
+
+
[root@gateway root]# arp -na
+? (206.124.146.177) at 00:A0:C9:15:39:78 [ether] on eth1
+? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2
+? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2
+? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0
+? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2
+
+
+

The leading question marks are a result of my having specified +the 'n' option (Windows 'arp' doesn't allow that option) which causes the 'arp' +program to forego IP->DNS name translation. Had I not given that option, the +question marks would have been replaced with the FQDN corresponding to each IP +address. Notice that the last entry in the table records the information we saw +using tcpdump above.

+

4.5 RFC 1918

+

IP addresses are allocated by the +Internet Assigned Number Authority (IANA) +who delegates allocations on a geographic basis to Regional Internet +Registries (RIRs). For example, allocation for the Americas and for +sub-Sahara Africa is delegated to the American +Registry for Internet Numbers (ARIN). These RIRs may in turn delegate to +national registrys. Most of us don't deal with these registrars but rather get +our IP addresses from our ISP.

+

It's a fact of life that most of us can't afford as many Public +IP addresses as we have devices to assign them to so we end up making use of +Private IP addresses. RFC 1918 reserves several IP address ranges for this +purpose:

+
+
     10.0.0.0    - 10.255.255.255
+     172.16.0.0  - 172.31.255.255
+     192.168.0.0 - 192.168.255.255
+
+
+

The addresses reserved by RFC 1918 are sometimes referred to + as non-routable because the Internet backbone routers don't forward + packets which have an RFC-1918 destination address. This is understandable + given that anyone can select any of these addresses for their private use.

+
+

When selecting addresses from these ranges, there's a couple + of things to keep in mind:

+
+ + + +
bullet

As the IPv4 address space becomes depleted, more and more + organizations (including ISPs) are beginning to use RFC 1918 addresses in + their infrastructure.

bullet

You don't want to use addresses that are being used by + your ISP or by another organization with whom you want to establish a VPN + relationship.

+
+
+

So it's a good idea to check with your ISP to see if they are + using (or are planning to use) private addresses before you decide the + addresses that you are going to use.

+
+

5.0 Setting up your Network

+
+
+

The choice of how to set up your network depends primarily on + how many Public IP addresses you have vs. how many addressable entities you + have in your network. Regardless of how many addresses you have, your ISP will + handle that set of addresses in one of two ways:

+
+
    +
  1. +

    Routed - Traffic to any of your addresses will be + routed through a single gateway address. This will generally only be + done if your ISP has assigned you a complete subnet (/29 or larger). In this + case, you will assign the gateway address as the IP address of your + firewall/router's external interface.

  2. +
  3. +

    Non-routed - Your ISP will send traffic to each of your + addresses directly.

  4. +
+
+
+

In the subsections that follow, we'll look at each of these + separately.

+
+

5.1 Routed

+
+
+

Let's assume that your ISP has assigned you the subnet + 192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses + 192.0.2.64 - 192.0.2.79 and that your firewall's external IP address is + 192.0.2.65. Your ISP has also told you that you should use a netmask of + 255.255.255.0 (so your /28 is part of a larger /24). With this many IP + addresses, you are able to subnet your /28 into two /29's and set up your + network as shown in the following diagram.

+
+

+
+

Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local + network is 192.0.2.72/29. The default gateway for hosts in the DMZ would be + configured to 192.0.2.66 and the default gateway for hosts in the local + network would be 192.0.2.73.

+
+

Notice that this arrangement is rather wasteful of public IP + addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet addresses, + 192.0.2.71 and 192.0.2.79 for subnet broadcast addresses and 192.0.2.66 and + 168.0.2.73 for internal addresses on the firewall/router. Nevertheless, it + shows how subnetting can work and if we were dealing with a /24 rather than a + /28 network, the use of 6 IP addresses out of 256 would be justified because + of the simplicity of the setup.

+
+

The astute reader may have noticed that the Firewall/Router's + external interface is actually part of the DMZ subnet (192.0.2.64/29). What if + DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The routing table on + DMZ 1 will look like this:

+
+
+
Kernel IP routing table
+Destination 	Gateway 	Genmask 	Flags MSS Window irtt Iface
+192.0.2.64 	0.0.0.0 	255.255.255.248 U     40  0         0 eth0
+0.0.0.0 	192.0.2.66	0.0.0.0 	UG    40  0         0 eth0
+
+
+
+

This means that DMZ 1 will send an ARP "who-has 192.0.2.65" + request and no device on the DMZ Ethernet segment has that IP address. Oddly + enough, the firewall will respond to the request with the MAC address of its + DMZ Interface!! DMZ 1 can then send Ethernet frames addressed to that + MAC address and the frames will be received (correctly) by the firewall/router.

+
+

It is this rather unexpected ARP behavior on the part of the + Linux Kernel that prompts the warning earlier in this guide regarding the + connecting of multiple firewall/router interfaces to the same hub or switch. + When an ARP request for one of the firewall/router's IP addresses is sent by + another system connected to the hub/switch, all + of the firewall's interfaces that connect to the hub/switch can respond! It + is then a race as to which "here-is" response reaches the sender first.

+
+

5.2 Non-routed

+
+
+

If you have the above situation but it is + non-routed, you can configure your network exactly as described above with one + additional twist; simply specify the "proxyarp" option on all three firewall + interfaces in the /etc/shorewall/interfaces file.

+
+

Most of us don't have the luxury of having enough public IP + addresses to set up our networks as shown in the preceding example (even if + the setup is routed).

+
+

For the remainder of this section, assume that your ISP has + assigned you IP addresses 192.0.2.176-180 and has told you to use netmask + 255.255.255.0 and default gateway 192.0.2.254.

+
+

Clearly, that set of addresses doesn't comprise a subnetwork + and there aren't enough addresses for all of the network interfaces. There are + four different techniques that can be used to work around this problem.

+
+ + + + + +
bullet +

Source Network Address Translation (SNAT).

bullet +

Destination Network Address Translation (DNAT) also + known as Port Forwarding.

bullet +

Proxy ARP.

bullet +

Network Address Translation (NAT) also referred to as + Static NAT.

+
+
+

Often a combination of these techniques is used. Each of these + will be discussed in the sections that follow.

+
+

 5.2.1 SNAT

+
+
+

With SNAT, an internal LAN segment is configured using RFC 1918 + addresses. When a host A on this internal segment initiates a + connection to host B on the internet, the firewall/router rewrites the + IP header in the request to use one of your public IP addresses as the source + address. When B responds and the response is received by the firewall, + the firewall changes the destination address back to the RFC 1918 address of + A and forwards the response back to A.

+
+

Let's suppose that you decide to use SNAT on your local zone + and use public address 192.0.2.176 as both your firewall's external IP address + and the source IP address of internet requests sent from that zone.

+
+

+
+
+ The local zone has been subnetted as 192.168.201.0/29 (netmask + 255.255.255.248).
+
+  
+
+     The systems in + the local zone would be configured with a default gateway of 192.168.201.1 + (the IP address of the firewall's local interface).
+
+  
+
+     SNAT is + configured in Shorewall using the + /etc/shorewall/masq file.
+
+
+ + + + + + + + + + + +
INTERFACESUBNETADDRESS
eth0192.168.201.0/29192.0.2.176
+
+
+
+

This example used the normal technique of assigning the same + public IP address for the firewall external interface and for SNAT. If you + wanted to use a different IP address, you would either have to use your + distributions network configuration tools to add that IP address to the + external interface or you could set ADD_SNAT_ALIASES=Yes in + /etc/shorewall/shorewall.conf and Shorewall will add the address for you.

+
+

5.2.2 DNAT

+
+
+

When SNAT is used, it is impossible for hosts on the internet + to initiate a connection to one of the internal systems since those systems do + not have a public IP address. DNAT provides a way to allow selected + connections from the internet.

+
+

     + Suppose that your daughter wants to run a web server on her system "Local 3". You + could allow connections to the internet to her server by adding the following + entry in /etc/shorewall/rules:

+
+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL DESTINATION
DNATnetloc:192.168.201.4tcpwww-192.0.2.176
+
+
+
+

If one of your daughter's friends at address A wants to + access your daughter's server, she can connect to + http://192.0.2.176 (the firewall's external IP address) and the firewall + will rewrite the destination IP address to 192.168.201.4 (your daughter's system) + and forward the request. When your daughter's server responds, the firewall will + rewrite the source address back to 192.0.2.176 and send the response back to + A.

+
+

This example used the firewall's external IP address for DNAT. + You can use another of your public IP addresses but Shorewall will not add + that address to the firewall's external interface for you.

+
+

5.2.3 Proxy ARP

+
+
+

The idea behind proxy ARP is that:

+
+ + + + +
bullet +

A host H behind your firewall is assigned one of your + public IP addresses (A) and is assigned the same netmask (M) as + the firewall's external interface.

bullet +

The firewall responds to ARP "who has" requests for A.

bullet +

When H issues an ARP "who has" request for an address + in the subnetwork defined by A and M, the firewall will respond + (with the MAC if the firewall interface to H).

+
+
+

Let suppose that we decide to use Proxy ARP on the DMZ in our + example network.

+
+

+
+ Here, we've assigned the IP addresses 192.0.2.177 to system DMZ 1 and + 192.0.2.178 to DMZ 2. Notice that we've just assigned an arbitrary RFC 1918 IP + address and subnet mask to the DMZ interface on the firewall. That address and + netmask isn't relevant - just be sure it doesn't overlap another subnet that + you've defined.
+
+  
+
+     The Shorewall + configuration of Proxy ARP is done using the + /etc/shorewall/proxyarp file.
+
+
+ + + + + + + + + + + + + + + + + + + +
ADDRESSINTERFACEEXTERNALHAVE ROUTE
192.0.2.177eth2eth0No
192.0.2.178eth2eth0No
+
+
+
+

Because the HAVE ROUTE column contains No, Shorewall will add + host routes thru eth2 to 192.0.2.177 and 192.0.2.178.

+
+

5.2.4 Static NAT

+
+
+

With static NAT, you assign local systems RFC 1918 addresses + then establish a one-to-one mapping between those addresses and public IP + addresses. For outgoing connections SNAT occurs and on incoming connections + DNAT occurs. Let's go back to our earlier example involving your daughter's web + server running on system Local 3.

+
+

+
+

Recall that in this setup, the local network is using SNAT and + is sharing the firewall external IP (192.0.2.176) for outbound connections. + This is done with the following entry in /etc/shorewall/masq:

+
+
+ + + + + + + + + + + +
INTERFACESUBNETADDRESS
eth0192.168.201.0/29192.0.2.176
+
+
+
+

    + Suppose now that you have decided to give your daughter her own IP address + (192.0.2.179) for both inbound and outbound connections. You would do that by + adding an entry in /etc/shorewall/nat.

+
+
+ + + + + + + + + + + + + + + +
EXTERNALINTERFACEINTERNALALL INTERFACES LOCAL
192.0.2.179eth0192.168.201.4NoNo
+
+
+
+

With this entry in place, you daughter has her own IP address + and the other two local systems share the firewall's IP address.

+
+

    + Once the relationship between 192.0.2.179 and 192.168.201.4 is established by + the nat file entry above, it is no longer + appropriate to use a DNAT rule for you daughter's web server -- you would + rather just use an ACCEPT rule:

+
+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL DESTINATION
ACCEPTnetloc:192.168.201.4tcpwww  
+
+
+
+

5.3 Rules

+
+
+

    + With the default policies, your local systems (Local 1-3) can access any + servers on the internet and the DMZ can't access any other host (including the + firewall). With the exception of DNAT rules which cause + address translation and allow the translated connection request to pass + through the firewall, the way to allow connection requests through your + firewall is to use ACCEPT rules.

+
+

NOTE: Since the SOURCE PORT and ORIG. DEST. Columns aren't + used in this section, they won't be shown

+
+

You probably want to allow ping between your zones:

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORT
ACCEPTnetdmzicmpecho-request
ACCEPTnetlocicmpecho-request
ACCEPTdmzlocicmpecho-request
ACCEPTlocdmzicmpecho-request
+
+
+
+

Let's suppose that you run mail and pop3 servers on DMZ 2 and + a Web Server on DMZ 1. The rules that you would need are:

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
ACCEPTnetdmz:192.0.2.178tcpsmtp# Mail from the Internet
ACCEPTnetdmz:192.0.2.178tcppop3# Pop3 from the Internet
ACCEPTlocdmz:192.0.2.178tcpsmtp# Mail from the Local Network
ACCEPTlocdmz:192.0.2.178tcppop3# Pop3 from the Local Network
ACCEPTfwdmz:192.0.2.178tcpsmtp# Mail from the Firewall
ACCEPTdmz:192.0.2.178nettcpsmtp# Mail to the Internet
ACCEPTnetdmz:192.0.2.177tcphttp# WWW from the Net
ACCEPTnetdmz:192.0.2.177tcphttps# Secure HTTP from the Net
ACCEPTlocdmz:192.0.2.177tcphttps# Secure HTTP from the Local Net
+
+
+
+

If you run a public DNS server on 192.0.2.177, you would need + to add the following rules:

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
ACCEPTnetdmz:192.0.2.177udpdomain# UDP DNS from the Internet
ACCEPTnetdmz:192.0.2.177tcpdomain# TCP DNS from the internet
ACCEPTfwdmz:192.0.2.177udpdomain# UDP DNS from firewall
ACCEPTfwdmz:192.0.2.177tcpdomain# TCP DNS from firewall
ACCEPTlocdmz:192.0.2.177udpdomain# UDP DNS from the local Net
ACCEPTlocdmz:192.0.2.177tcpdomain# TCP DNS from the local Net
ACCEPTdmz:192.0.2.177netudpdomain# UDP DNS to the Internet
ACCEPTdmz:192.0.2.177nettcpdomain# TCP DNS to the Internet
+
+
+
+

You probably want some way to communicate with your firewall + and DMZ systems from the local network -- I recommend SSH which through its + scp utility can also do publishing and software update distribution.

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
ACCEPTlocdmztcpssh# SSH to the DMZ
ACCEPTlocfwtcpssh# SSH to the Firewall
+
+
+
+

5.4 Odds and Ends

+
+
+

The above discussion reflects my personal preference for using + Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems. I prefer + to use NAT only in cases where a system that is part of an RFC 1918 subnet + needs to have it's own public IP. 

+
+

    + If you haven't already, it would be a good idea to browse through + /etc/shorewall/shorewall.conf just to see + if there is anything there that might be of interest. You might also want to + look at the other configuration files that you haven't touched yet just to get + a feel for the other things that Shorewall can do.

+
+

In case you haven't been keeping score, here's the final set + of configuration files for our sample network. Only those that were modified + from the original installation are shown.

+
+

/etc/shorewall/interfaces (The "options" will be very + site-specific).

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ZoneInterfaceBroadcastOptions
neteth0detectnorfc1918,routefilter
loceth1detect 
dmzeth2detect 
+
+
+
+

The setup described here requires that your network interfaces + be brought up before Shorewall can start. This opens a short window during + which you have no firewall protection. If you replace 'detect' with the actual + broadcast addresses in the entries above, you can bring up Shorewall before + you bring up your network interfaces.

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ZoneInterfaceBroadcastOptions
neteth0192.0.2.255norfc1918,routefilter
loceth1192.168.201.7 
dmzeth2192.168.202.7 
+
+
+
+

/etc/shorewall/masq - Local subnet

+
+
+ + + + + + + + + + + +
INTERFACESUBNETADDRESS
eth0192.168.201.0/29192.0.2.176
+
+
+
+

/etc/shorewall/proxyarp - DMZ

+
+
+ + + + + + + + + + + + + + + + + + + +
ADDRESSINTERFACEEXTERNALHAVE ROUTE
192.0.2.177eth2eth0No
192.0.2.178eth2eth0No
+
+
+
+

/etc/shorewall/nat- Daughter's System

+
+
+ + + + + + + + + + + + + + + +
EXTERNALINTERFACEINTERNALALL INTERFACES LOCAL
192.0.2.179eth0192.168.201.4NoNo
+
+
+
+

/etc/shorewall/rules

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
ACCEPTnetdmz:192.0.2.178tcpsmtp# Mail from the Internet
ACCEPTnetdmz:192.0.2.178tcppop3# Pop3 from the Internet
ACCEPTlocdmz:192.0.2.178tcpsmtp# Mail from the Local Network
ACCEPTlocdmz:192.0.2.178tcppop3# Pop3 from the Local Network
ACCEPTfwdmz:192.0.2.178tcpsmtp# Mail from the Firewall
ACCEPTdmz:192.0.2.178nettcpsmtp# Mail to the Internet
ACCEPTnetdmz:192.0.2.178tcphttp# WWW from the Net
ACCEPTnetdmz:192.0.2.178tcphttps# Secure HTTP from the Net
ACCEPTlocdmz:192.0.2.178tcphttps# Secure HTTP from the Local Net
ACCEPTnetdmz:192.0.2.177udpdomain# UDP DNS from the Internet
ACCEPTnetdmz:192.0.2.177tcpdomain# TCP DNS from the internet
ACCEPTfwdmz:192.0.2.177udpdomain# UDP DNS from firewall
ACCEPTfwdmz:192.0.2.177tcpdomain# TCP DNS from firewall
ACCEPTlocdmz:192.0.2.177udpdomain# UDP DNS from the local Net
ACCEPTlocdmz:192.0.2.177tcpdomain# TCP DNS from the local Net
ACCEPTdmz:192.0.2.177netudpdomain# UDP DNS to the Internet
ACCEPTdmz:192.0.2.177nettcpdomain# TCP DNS to the Internet
ACCEPTnetdmzicmpecho-request# Ping
ACCEPTnetlocicmpecho-request#  "
ACCEPTdmzlocicmpecho-request# "
ACCEPTlocdmzicmpecho-request# "
ACCEPTlocdmztcpssh# SSH to the DMZ
ACCEPTlocfwtcpssh# SSH to the Firewall
+
+
+
+

6.0 DNS

+
+
+

Given the collection of RFC 1918 and public addresses in this + setup, it only makes sense to have separate internal and external DNS servers. + You can combine the two into a single BIND 9 server using Views. + + If you are not interested in Bind 9 views, you can + go to the next section.

+
+

Suppose that your domain is foobar.net and you want the two + DMZ systems named www.foobar.net and mail.foobar.net and you want the three + local systems named "winken.foobar.net, blinken.foobar.net and nod.foobar.net. + You want your firewall to be known as firewall.foobar.net externally and it's + interface to the local network to be know as gateway.foobar.net and its + interface to the dmz as dmz.foobar.net. Let's have the DNS server on + 192.0.2.177 which will also be known by the name ns1.foobar.net.

+
+

The /etc/named.conf file would look like this:

+
+
+
+
options {
+	directory "/var/named";
+	listen-on { 127.0.0.1 ; 192.0.2.177; };
+};
+
+logging {
+	channel xfer-log {
+		file "/var/log/named/bind-xfer.log";
+		print-category yes;
+		print-severity yes;
+		print-time yes;
+		severity info;
+	};
+	category xfer-in { xfer-log; };
+	category xfer-out { xfer-log; };
+	category notify { xfer-log; };
+};
+
+
+
#
+# This is the view presented to our internal systems
+#
+
+view "internal" {
+	#
+	# These are the clients that see this view
+	#
+	match-clients { 192.168.201.0/29;
+			192.168.202.0/29;
+			127.0.0/24;
+			192.0.2.176/32; 
+			192.0.2.178/32;
+			192.0.2.179/32;
+			192.0.2.180/32; };
+	#
+	# If this server can't complete the request, it should use outside
+	# servers to do so
+	#
+	recursion yes;
+
+	zone "." in {
+		type hint;
+		file "int/root.cache";
+	};
+
+	zone "foobar.net" in {
+		type master;
+		notify no;
+		allow-update { none; };
+		file "int/db.foobar";
+	};
+
+	zone "0.0.127.in-addr.arpa" in {
+		type master;
+		notify no;
+		allow-update { none; };
+		file "int/db.127.0.0";	
+	};
+
+	zone "201.168.192.in-addr.arpa" in {
+		type master;
+		notify no;
+		allow-update { none; };
+		file "int/db.192.168.201";
+	};
+
+	zone "202.168.192.in-addr.arpa" in {
+		type master;
+		notify no;
+		allow-update { none; };
+		file "int/db.192.168.202";
+	};
+
+	zone "176.2.0.192.in-addr.arpa" in {
+		type master;
+		notify no;
+		allow-update { none; };
+		file "db.192.0.2.176";
+	};
+
+	zone "177.2.0.192.in-addr.arpa" in {
+		type master;
+		notify no;
+		allow-update { none; };
+		file "db.192.0.2.177";
+	};
+
+	zone "178.2.0.192.in-addr.arpa" in {
+		type master;
+		notify no;
+		allow-update { none; };
+		file "db.192.0.2.178";
+	};
+
+	zone "179.2.0.192.in-addr.arpa" in {
+		type master;
+		notify no;
+		allow-update { none; };
+		file "db.206.124.146.179";
+	};
+
+};
+#
+# This is the view that we present to the outside world
+#
+view "external" {
+	match-clients { any; };
+	#
+	# If we can't answer the query, we tell the client so
+	#
+	recursion no;
+
+	zone "foobar.net" in {
+		type master;
+		notify yes;
+		allow-update {none; };
+		allow-transfer { <secondary NS IP>; };
+		file "ext/db.foobar";
+	};
+
+	zone "176.2.0.192.in-addr.arpa" in {
+ 		type master;
+		notify yes;
+		allow-update { none; };
+		allow-transfer { <secondary NS IP>; };
+		file "db.192.0.2.176";
+	};
+
+	zone "177.2.0.192.in-addr.arpa" in {
+		type master;
+		notify yes;
+		allow-update { none; };
+		allow-transfer { <secondary NS IP>; };
+		file "db.192.0.2.177";
+	};
+
+	zone "178.2.0.192.in-addr.arpa" in {
+		type master;
+		notify yes;
+		allow-update { none; };
+		allow-transfer { <secondary NS IP>; };
+		file "db.192.0.2.178";
+	};
+
+	zone "179.2.0.192.in-addr.arpa" in {
+		type master;
+		notify yes;
+		allow-update { none; };
+		allow-transfer { <secondary NS IP>; };
+		file "db.192.0.2.179";
+	};
+};
+
+
+
+
+

Here are the files in /var/named (those not shown are usually + included in your bind disbribution).

db.192.0.2.176 - This is + the reverse zone for the firewall's external interface

+
; ############################################################
+; Start of Authority (Inverse Address Arpa) for 192.0.2.176/32
+; Filename: db.192.0.2.176
+; ############################################################
+@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
+			2001102303 ; serial
+			10800 ; refresh (3 hour)
+			3600 ; retry (1 hour)
+			604800 ; expire (7 days)
+			86400 ) ; minimum (1 day)
+;
+; ############################################################
+; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
+; ############################################################
+@	604800	IN NS	ns1.foobar.net.
+@	604800	IN NS	<name of secondary ns>.
+;
+; ############################################################
+; Iverse Address Arpa Records (PTR's) 
+; ############################################################
+176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.
+
+
+
+
+
+ db.192.0.2.177 - This is the reverse zone for the www/DNS server
+
; ############################################################
+; Start of Authority (Inverse Address Arpa) for 192.0.2.177/32
+; Filename: db.192.0.2.177
+; ############################################################
+@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
+			2001102303 ; serial
+			10800 ; refresh (3 hour)
+			3600 ; retry (1 hour)
+			604800 ; expire (7 days)
+			86400 ) ; minimum (1 day)
+;
+; ############################################################
+; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
+; ############################################################
+@	604800	IN NS	ns1.foobar.net.
+@	604800	IN NS	<name of secondary ns>.
+;
+; ############################################################
+; Iverse Address Arpa Records (PTR's) 
+; ############################################################
+177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net.
+
+
+
+
+
+
+ db.192.0.2.178 - This is the reverse zone for the mail server
+
; ############################################################
+; Start of Authority (Inverse Address Arpa) for 192.0.2.178/32
+; Filename: db.192.0.2.178
+; ############################################################
+@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
+			2001102303 ; serial
+			10800 ; refresh (3 hour)
+			3600 ; retry (1 hour)
+			604800 ; expire (7 days)
+			86400 ) ; minimum (1 day)
+;
+; ############################################################
+; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
+; ############################################################
+@	604800	IN NS	ns1.foobar.net.
+@	604800	IN NS	<name of secondary ns>.
+;
+; ############################################################
+; Iverse Address Arpa Records (PTR's) 
+; ############################################################
+178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.
+
+
+
+
+
+
+ db.192.0.2.179 - This is the reverse zone for daughter's web server's public + IP
+
; ############################################################
+; Start of Authority (Inverse Address Arpa) for 192.0.2.179/32
+; Filename: db.192.0.2.179
+; ############################################################
+@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
+			2001102303 ; serial
+			10800 ; refresh (3 hour)
+			3600 ; retry (1 hour)
+			604800 ; expire (7 days)
+			86400 ) ; minimum (1 day)
+;
+; ############################################################
+; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
+; ############################################################
+@	604800	IN NS	ns1.foobar.net.
+@	604800	IN NS	<name of secondary ns>.
+;
+; ############################################################
+; Iverse Address Arpa Records (PTR's) 
+; ############################################################
+179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net.
+
+
+
+
+
+

int/db.127.0.0 - The reverse zone for localhost

+
+
+
; ############################################################
+; Start of Authority (Inverse Address Arpa) for 127.0.0.0/8
+; Filename: db.127.0.0
+; ############################################################
+@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
+				2001092901 ; serial
+				10800 ; refresh (3 hour)
+				3600 ; retry (1 hour)
+				604800 ; expire (7 days)
+				86400 ) ; minimum (1 day)
+; ############################################################
+; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
+; ############################################################
+@	604800		IN NS	ns1.foobar.net.
+
+; ############################################################
+; Iverse Address Arpa Records (PTR's)
+; ############################################################
+1	86400		IN PTR	localhost.foobar.net.
+
+
+
+

int/db.192.168.201 - Reverse zone for the local net. This is + only shown to internal clients

+
+
+
; ############################################################
+; Start of Authority (Inverse Address Arpa) for 192.168.201.0/29
+; Filename: db.192.168.201
+; ############################################################
+@ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (
+				2002032501 ; serial
+				10800 ; refresh (3 hour)
+				3600 ; retry (1 hour)
+				604800 ; expire (7 days)
+				86400 ) ; minimum (1 day)
+
+; ############################################################
+; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
+; ############################################################
+@	604800		IN NS	ns1.foobar.net.
+
+; ############################################################
+; Iverse Address Arpa Records (PTR's)
+; ############################################################
+1	86400		IN PTR 	gateway.foobar.net.
+2	86400		IN PTR	winken.foobar.net.
+3	86400		IN PTR	blinken.foobar.net.
+4	86400		IN PTR	nod.foobar.net.
+
+
+
+

int/db.192.168.202 - Reverse zone for the firewall's DMZ + interface

+
+
+
+
; ############################################################
+; Start of Authority (Inverse Address Arpa) for 192.168.202.0/29
+; Filename: db.192.168.202
+; ############################################################
+@ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (
+				2002032501 ; serial
+				10800 ; refresh (3 hour)
+				3600 ; retry (1 hour)
+				604800 ; expire (7 days)
+				86400 ) ; minimum (1 day)
+
+; ############################################################
+; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
+; ############################################################
+@		604800	IN NS	ns1.foobar.net.
+
+; ############################################################
+; Iverse Address Arpa Records (PTR's)
+; ############################################################
+1 		86400 IN PTR	dmz.foobar.net.
+
+
+
+
+

int/db.foobar - Forward zone for use by internal clients.

+
+
+
;##############################################################
+; Start of Authority for foobar.net.
+; Filename: db.foobar
+;##############################################################
+@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
+			2002071501 ; serial
+			10800 ; refresh (3 hour)
+			3600 ; retry (1 hour)
+			604800 ; expire (7 days)
+			86400 ); minimum (1 day)
+;############################################################
+; foobar.net Nameserver Records (NS)
+;############################################################
+@ 		604800	IN NS	ns1.foobar.net.
+
+;############################################################
+; Foobar.net Office Records (ADDRESS)
+;############################################################
+localhost	86400 	IN A 	127.0.0.1
+
+firewall	86400	IN A	192.0.2.176
+www		86400	IN A	192.0.2.177
+ns1 		86400	IN A 	192.0.2.177
+www		86400	IN A	192.0.2.177
+
+gateway		86400	IN A 	192.168.201.1
+winken		86400	IN A 	192.168.201.2
+blinken		86400	IN A	192.168.201.3
+nod		86400	IN A	192.168.201.4
+
+
+
+

ext/db.foobar - Forward zone for external clients

+
+
+
+
;##############################################################
+; Start of Authority for foobar.net.
+; Filename: db.foobar
+;##############################################################
+@ 86400 IN SOA ns1.foobar.net. netadmin.foobar.net. (
+			2002052901 ; serial
+			10800 ; refresh (3 hour)
+			3600 ; retry (1 hour)
+			604800 ; expire (7 days)
+			86400 ); minimum (1 day)
+;############################################################
+; Foobar.net Nameserver Records (NS)
+;############################################################
+@		86400	IN NS	ns1.foobar.net.
+@		86400	IN NS	<secondary NS>.
+;############################################################
+; Foobar.net 	Foobar Wa Office Records (ADDRESS)
+;############################################################
+localhost	86400	IN A	127.0.0.1
+;
+; The firewall itself
+;
+firewall	86400	IN A	192.0.2.176
+;
+; The DMZ
+;
+ns1		86400	IN A	192.0.2.177
+www		86400	IN A	192.0.2.177
+mail		86400	IN A	192.0.2.178
+;
+; The Local Network
+;
+nod		86400	IN A	192.0.2.179
+
+;############################################################
+; Current Aliases for foobar.net (CNAME)
+;############################################################
+
+;############################################################
+; foobar.net MX Records (MAIL EXCHANGER)
+;############################################################
+foobar.net.	86400	IN A	192.0.2.177
+		86400 	IN MX 0 mail.foobar.net.
+		86400	IN MX 1 <backup MX>.
+
+
+
+
+

7.0 Starting and Stopping Your Firewall

+
+
+

The installation procedure + configures your system to start Shorewall at system boot.

+
+

The firewall is started using the "shorewall start" command + and stopped using "shorewall stop". When the firewall is stopped, routing is + enabled on those hosts that have an entry in + /etc/shorewall/routestopped. A + running firewall may be restarted using the "shorewall restart" command. If + you want to totally remove any trace of Shorewall from your Netfilter + configuration, use "shorewall clear".

+
+

    + Edit the /etc/shorewall/routestopped file and configure those systems that you + want to be able to access the firewall when it is stopped.

+
+

WARNING: If you are connected to your firewall from the + internet, do not issue a "shorewall stop" command unless you have added an + entry for the IP address that you are connected from to + /etc/shorewall/routestopped. + Also, I don't recommend using "shorewall restart"; it is better to create an + alternate configuration and + test it using the "shorewall try" command.

+ +

Last updated +8/2/2002 - Tom +Eastep

+ +

Copyright 2002 Thomas M. Eastep

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/spam_filters.htm b/STABLE/documentation/spam_filters.htm
new file mode 100644
index 000000000..2efd8f1d2
--- /dev/null
+++ b/STABLE/documentation/spam_filters.htm
@@ -0,0 +1,37 @@
+ + + + + + + +SPAM Filters + + + + + +

SPAM Filters
+ +

+

Like all of you, I'm concerned about the increasing volume of Unsolicited +Commercial Email (UCE or SPAM). I am therefore sympathetic with those of you who +are installing SPAM filters on your mail servers. A couple of recent incidents +involving mis-configured filters have prompted me to establish this page to spell +out what I will do when these filters bounce list postings.

+

When your SPAM filter bounces/rejects list mail, I will:

+
    +
  1. immediately turn off delivery to you from all Shorewall lists to +which you subscribe.
  2. +
  3. try to send you an email from a source other than shorewall.net
  4. +
+

When you have corrected the problem, please let me know and I will re-enable +delivery (or you can reenable delivery yourself).

+

Last Updated 3/21/2002 - Tom Eastep

+ +

Copyright2001, 2002 Thomas M. Eastep.

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/standalone.htm b/STABLE/documentation/standalone.htm
new file mode 100644
index 000000000..9347d4a8d
--- /dev/null
+++ b/STABLE/documentation/standalone.htm
@@ -0,0 +1,313 @@
+ + + + + + + +Standalone Firewall + + + + + +

Standalone Firewall

+ +

Version 2.0.1

+

Setting up Shorewall on a standalone Linux system is very easy if you understand the basics and follow the +documentation.

+

This guide doesn't attempt to acquaint you with all of the features of +Shorewall. It rather focuses on what is required to configure Shorewall in one +of its +most common configurations:

+
+ + + +
bulletLinux system
bulletSingle external IP address
bulletConnection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...
+

This guide assumes that you have the iproute/iproute2 package installed (on +RedHat, the package is called iproute). You can tell if this +package is installed by the presence of an ip program on your firewall +system. As root, you can use the 'which' command to check for this program:

+
     [root@gateway root]# which ip
+     /sbin/ip
+     [root@gateway root]#

I recommend that you read through the guide +first to familiarize yourself with what's involved then go back through it again +making your configuration changes.  Points at which configuration changes +are recommended are flagged with .

+

    +If you edit your configuration files on a Windows system, you must save them as +Unix files if your editor supports that option or you must run them through +dos2unix before trying to use them. Similarly, if you copy a configuration file +from your Windows hard drive to a floppy disk, you must run dos2unix against the +copy before using it with Shorewall.

+
+ + +
bulletWindows Version of + dos2unix
bulletLinux Version of + dos2unix
+

Shorewall Concepts

+

The configuration files for Shorewall are contained in the directory +/etc/shorewall -- for simple setups, you only need to deal with a few of +these as described in this guide. After you have installed Shorewall, +download the one-interface sample, un-tar it +(tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall +(they will replace files with the same names that were placed in /etc/shorewall +during Shorewall installation).

+

As each file is introduced, I suggest that you +look through the actual file on your system -- each file contains detailed +configuration instructions and default entries.

+

Shorewall views the network where it is running as being composed of a set of +zones. In the one-interface sample configuration, only one zone is +defined:

+
+ + + + + + + + +
NameDescription
netThe Internet
+

Shorewall zones are defined in +/etc/shorewall/zones.

+

Shorewall also recognizes the firewall system as its own zone - by default, +the firewall itself is known as fw.

+

Rules about what traffic to allow and what traffic to deny are expressed in +terms of zones.

+
+ + +
bulletYou express your default policy for connections from one zone to another + zone in the /etc/shorewall/policy file.
bulletYou define exceptions to those default policies in the + /etc/shorewall/rules file.
+

For each connection request entering the firewall, the request is first checked against the +/etc/shorewall/rules file. If no rule in that file matches the connection +request then the first policy in /etc/shorewall/policy that matches the + +request is applied. If that policy is REJECT or DROP  the request is first +checked against the rules in /etc/shorewall/common (the samples provide that +file for you).

+

The /etc/shorewall/policy file included with the one-interface sample has the +following policies:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SOURCE ZONEDESTINATION ZONEPOLICYLOG LEVELLIMIT:BURST
fwnetACCEPT  
netnetDROPinfo 
allallREJECTinfo 
+
+
     fw		net	ACCEPT
+     net	all	DROP	info
+     all	all	REJECT	info
+

The above policy will:

+
    +
  1. allow all connection requests from the firewall to the internet
  2. +
  3. drop (ignore) all connection requests from the internet to your firewall
  4. +
  5. reject all other connection requests (Shorewall requires this catchall + policy).
  6. +
+

At this point, edit your /etc/shorewall/policy and make any changes that you +wish.

+

External Interface

+

The firewall has a single network interface. Where Internet +connectivity is through a cable or DSL "Modem", the External Interface +will be the ethernet adapter (eth0) that is connected to that "Modem"  +unless you connect via Point-to-Point Protocol +over Ethernet (PPPoE) or Point-to-Point Tunneling +Protocol (PPTP) in which case the External Interface will be a ppp0. If you connect via a regular modem, your External +Interface will also be ppp0. If you connect using ISDN, your external +interface will be ippp0.

+

    The Shorewall one-interface sample configuration assumes that +the external interface is eth0. +If your configuration is different, you will have to modify the sample +/etc/shorewall/interfaces file accordingly. While you are there, you may wish to +review the list of options that are specified for the interface. Some hints:

+
+ + +
bullet +

If your external interface is ppp0 or ippp0, you can replace the + "detect" in the second column with "-".

bullet +

If your external interface is ppp0 or ippp0 or if you have a static IP + address, you can remove "dhcp" from the option list.

+
+

IP Addresses

+
+
+

RFC 1918 reserves several Private IP address ranges for +use in private networks:

+
+
     10.0.0.0    - 10.255.255.255
+     172.16.0.0  - 172.31.255.255
+     192.168.0.0 - 192.168.255.255
+
+

These addresses are sometimes referred to as non-routable + because the Internet backbone routers will not forward a packet whose + destination address is reserved by RFC 1918. In some cases though, ISPs are + assigning these addresses then using Network Address Translation to + rewrite packet headers when forwarding to/from the internet.

+

     + Before starting Shorewall, you should look at the IP address of your external + interface and if it is one of the above ranges, you should remove the + 'norfc1918' option from the entry in /etc/shorewall/interfaces.

+
+

Enabling other Connections

+
+
+

If you wish to enable connections from the internet to your firewall, the general format is:

+
+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
ACCEPTnetfw<protocol><port>  
+
+
+
+

Example - You want to run a Web Server and a POP3 Server on your firewall + system:

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
ACCEPTnetfwtcp80  
ACCEPTnetfwtcp110  
+
+
+
+

If you don't know what port and protocol a particular + application uses, see here.

+
+

Important: I don't recommend enabling telnet to/from + the internet because it uses clear text (even for login!). If you want shell + access to your firewall from the internet, use SSH:

+
+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
ACCEPTnetfwtcp22  
+
+
+
+
     ACCEPT	net	fw	tcp	22
+
+
+

    At this point, edit + /etc/shorewall/rules to add other connections as desired.

+
+

Starting and Stopping Your Firewall

+
+
+

The installation procedure + configures your system to start Shorewall at system boot.

+
+

The firewall is started using the "shorewall start" command + and stopped using "shorewall stop". When the firewall is stopped, routing is + enabled on those hosts that have an entry in + /etc/shorewall/routestopped. A + running firewall may be restarted using the "shorewall restart" command. If + you want to totally remove any trace of Shorewall from your Netfilter + configuration, use "shorewall clear".

+
+

WARNING: If you are connected to your firewall from the + internet, do not issue a "shorewall stop" command unless you have added an + entry for the IP address that you are connected from to + /etc/shorewall/routestopped. + Also, I don't recommend using "shorewall restart"; it is better to create an + alternate configuration and + test it using the "shorewall try" command.

+

Last updated +7/23/2002 - Tom +Eastep

+ +

Copyright 2002 Thomas M. Eastep

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/starting_and_stopping_shorewall.htm b/STABLE/documentation/starting_and_stopping_shorewall.htm
new file mode 100644
index 000000000..6d82fd67e
--- /dev/null
+++ b/STABLE/documentation/starting_and_stopping_shorewall.htm
@@ -0,0 +1,138 @@
+ + + + + + + +Starting and Stopping Shorewall + + + + + + + +

Starting/Stopping and Monitoring the Firewall

+ + + +

+ If you have a permanent internet connection such as DSL or Cable, I +recommend that you start the firewall automatically at boot. Once you +have installed "firewall" in your init.d directory, simply type "chkconfig +--add firewall". This will start the firewall in run levels 2-5 and stop +it in run levels 1 and 6. If you want to configure your firewall differently +from this default, you can use the "--level" option in chkconfig +(see "man chkconfig") or using your favorite graphical run-level editor.

+ + + +

+ + Important Note:

+ + + +

+ If you use dialup, you may want to start the firewall in your /etc/ppp/ip-up.local + script. I recommend just placing "shorewall restart" in that script. + +

+ + + +

+ You can manually start and stop Shoreline Firewall using the "shorewall" + shell program:

+ +
+ + + + + + +
bulletshorewall start - starts the firewall
bulletshorewall stop - stops the firewall
bulletshorewall restart - stops the firewall (if it's running) and + then starts it again
bulletshorewall reset - reset the packet and byte counters in the +firewall
bulletshorewall clear - remove all rules and chains installed by +Shoreline Firewall
bulletshorewall refresh - refresh the rules involving the broadcast addresses + of firewall interfaces and the black and white lists.
+ + + +

+ The "shorewall" program may also be used to monitor the firewall.

+ +
+ + + + + + + + + + + + + + +
bulletshorewall status - produce a verbose report about the firewall + (iptables -L -n -v)
bulletshorewall show chain - produce a verbose report about chain + (iptables -L chain -n -v)
bulletshorewall show nat - produce a verbose report about the nat table + (iptables -t nat -L -n -v)
bulletshorewall show tos - produce a verbose report about the mangle table + (iptables -t mangle -L -n -v)
bulletshorewall show log - display the last 20 packet log entries.
bulletshorewall show connections - displays the IP connections currently being + tracked by the firewall.
bulletshorewall + show + tc + - displays information about the traffic control/shaping configuration.
bulletshorewall monitor [ delay ] - Continuously display the firewall + status, last 20 log entries and nat. When the log entry display + changes, an audible alarm is sounded.
bulletshorewall hits - Produces several reports about the Shorewall packet log + messages in the current /var/log/messages file.
bulletshorewall version - Displays the installed + version number.
bulletshorewall check - Performs a cursory validation + of the zones, interfaces, hosts, rules and policy files.
bulletshorewall try configuration-directory [ timeout ] - Restart shorewall using the + specified configuration and if an error occurs or if the timeout + option is given and the new configuration has been up for that many seconds + then shorewall is restarted using the standard configuration.
bulletshorewall deny, shorewall reject, shorewall accept and shorewall save + implement dynamic blacklisting.
bulletshorewall logwatch (added in version 1.3.2) - Monitors the + LOGFILE and produces an audible alarm when new Shorewall + messages are logged.
+ +

+ The shorewall start and + + shorewall restart commands allow you to specify which + Shorewall configuration + to use:

+ +
+ +

+ shorewall [ -c configuration-directory ] {start|restart}

+
+ +

+ If a configuration-directory is specified, each time that Shorewall + is going to use a file in /etc/shorewall it will first look in the configuration-directory + . If the file is present in the configuration-directory, that file + will be used; otherwise, the file in /etc/shorewall will be used.

+ + + +

+ Updated 7/26/2002 - Tom +Eastep +

+ + + +

Copyright + © 2001, 2002 Thomas M. Eastep.

+ + + +
+ +
diff --git a/STABLE/documentation/subnet_masks.htm b/STABLE/documentation/subnet_masks.htm
new file mode 100644
index 000000000..2067d5f9a
--- /dev/null
+++ b/STABLE/documentation/subnet_masks.htm
@@ -0,0 +1,73 @@
+ + + + + + + +Subnet Masks + + + + + +

Subnet Masks/VLSM Notation

+

IP addresses and subnet masks are 32-bit numbers. The notation +w.x.y.z refers to an address where the high-order byte has value "w", the next +byte has value "x", etc. If we take 255.255.255.0 and express it in +hexadecimal, +we get:

+
+

FF.FF.FF.00

+
+

or looking at it as a 32-bit integer

+
+

FFFFFF00

+
+

Each "F" represents the bit pattern "1111" so if we look at the +number in binary, we have:

+
+

11111111111111111111111100000000

+
+

Counting the leading "1" bits, we see that there are 24 -- /24 +in VLSM notation.

+

It is handy to remember that the size of the subnet can be +obtained by subtracting the number of consecutive leading "1" bits from 32 and +raising 2 to that power. In the above case, 32 - 24 = 8 and 2 ** 8 = 256 +addresses. Remember that the number of usable addresses is two less than that +(254) because the first and last address in the subnet are reserved as the +sub-network and broadcast addresses respectively.

+

The size of a subnet can be any power of two so long as the +address of the subnet is a multiple of it's size. For example, if you want a +subnet of size 8, you could choose 192.168.12.8/29 (8 = 2 ** 3 and 32 - 3 = 29). +The subnet mask would be:

+
+

11111111111111111111111111111000 = FFFFFFF8 = 255.255.255.248.

+
+

This subnet would have 6 usable addresses: 192.168.12.9 - +192.168.12.14.

+

You will still hear the terms "Class A network", "Class B +network" and "Class C network". In the early days of IP, sub-networks only came +in three sizes:

+
+

Class A - Subnet mask 255.0.0.0, size = 2 ** 24

+

Class B - Subnet mask 255.255.0.0, size = 2 ** 16

+

Class C - Subnet mask 255.255.255.0, size = 256

+
+

The class of a network was determined by the value of the high +order byte of its address so you could look at an IP address and immediately +determine the associated subnet mask.

+

As the internet grew, it became clear that such a gross +partitioning of the 32-bit address space was going to be very limiting (early +on, large corporations and universities were assigned their own class A +network!). It was then that VLSM was devised -- today, any system that you are +likely to work with understands VLSM and Class-based subnetworking is largely a +thing of the past.

+

Last updated +7/15/2002 - Tom +Eastep

+

Copyright 2002 Thomas M. Eastep

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/support.htm b/STABLE/documentation/support.htm
new file mode 100644
index 000000000..dd68ca30e
--- /dev/null
+++ b/STABLE/documentation/support.htm
@@ -0,0 +1,118 @@
+ + + + + + + +Support + + + + + +

Shorewall Support

+ +

Before Reporting a Problem

+
+ +

+"It is easier to post a problem than to use your own brain" -- +Weitse Venema (creator of Postfix)

+
+

There are a number of sources for problem solution information.

+
+ + + + +
bulletThe Troubleshooting Information contains a + number of tips to help you solve common problems.
bulletThe Errata has links to download updated + components.
bulletThe FAQ has solutions to common problems.
bulletThe Mailing List Archives are a useful source of problem solving + information.
+
+

The archives from the mailing List are at http://www.shorewall.net/pipermail/shorewall-users.

+ +

Search the Mailing List Archives at Shorewall.net

+ +
+

+ +Match: +Format: +Sort by: + + + + +
+Search: + +

+
+ +
+ +

Problem Reporting Guidelines

+ +
+ + + + + + + +
bulletWhen reporting a problem, give as much information as you can. Reports +that say "I tried XYZ and it didn't work" are not at all helpful.
bulletPlease don't describe your environment and then ask us to send you + custom configuration files. We're here to answer your questions but we + can't do your job for you.
bulletDo you see any "Shorewall" messages in /var/log/messages when you exercise +the function that is giving you problems?
bulletHave you looked at the packet flow with a tool like tcpdump to try to +understand what is going on?
bulletHave you tried using the diagnostic capabilities of the application that +isn't working? For example, if "ssh" isn't able to connect, using the +"-v" option gives you a lot of valuable diagnostic information.
bulletPlease include any of the Shorewall configuration files (especially the + /etc/shorewall/hosts file if you have modified that file) that you think are + relevant. If an error occurs when you try to "shorewall start", include a + trace (See the Troubleshooting section for + instructions).
bulletThe list server limits posts to 120kb so don't post GIFs of your + network layout, etc to the Mailing List -- your post will be rejected.
+

Where to Send your Problem +Report or to Ask for Help

+

Please post your question or problem to the +Shorewall users mailing list; +there are lots of folks there who are willing to help you. Your question/problem +description and their responses will be placed in the mailing list archives to +help people who have a similar question or problem in the future.

+
+

"It irks me when people believe that free software + comes at no cost. The cost is incredibly high." - + Weitse Venema

+
+

I do not answer questions or work on problems sent to me personally but I try +to respond promptly to mailing list posts.   -Tom

+

To Subscribe to the mailing list go to http://www.shorewall.net/mailman/listinfo/shorewall-users + .

+ +

Last Updated 8/5/2002 - Tom +Eastep

+ +

+Copyright © 2001, 2002 Thomas M. Eastep.

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/three-interface.htm b/STABLE/documentation/three-interface.htm
new file mode 100644
index 000000000..61619bb2b
--- /dev/null
+++ b/STABLE/documentation/three-interface.htm
@@ -0,0 +1,848 @@
+ + + + + + + +Three-Interface Firewall + + + + + +

Three-Interface Firewall

+ +

Version 2.0.1

+

Setting up a Linux system as a firewall for a small network with +DMZ is a +fairly straight-forward task if you understand the basics and follow the +documentation.

+

This guide doesn't attempt to acquaint you with all of the features of +Shorewall. It rather focuses on what is required to configure Shorewall in one +of its more popular configurations:

+
+ + + + +
bulletLinux system used as a firewall/router for a small local network.
bulletSingle external IP address.
bulletDMZ connected to a separate ethernet interface.
bulletConnection through DSL, Cable Modem, ISDN, Frame Relay, dial-up, ...
+

Here is a schematic of a typical installation.

+

+

This guide assumes that you have the iproute/iproute2 package installed (on +RedHat, the package is called iproute). You can tell if this +package is installed by the presence of an ip program on your firewall +system. As root, you can use the 'which' command to check for this program:

+
     [root@gateway root]# which ip
+     /sbin/ip
+     [root@gateway root]#

I recommend that you first read through the guide + +to familiarize yourself with what's involved then go back through it again +making your configuration changes. Points at which configuration changes are +recommended are flagged with

+

    +If you edit your configuration files on a Windows system, you must save them as +Unix files if your editor supports that option or you must run them through +dos2unix before trying to use them. Similarly, if you copy a configuration file +from your Windows hard drive to a floppy disk, you must run dos2unix against the +copy before using it with Shorewall.

+
+ + +
bulletWindows Version of + dos2unix
bulletLinux Version of + dos2unix
+

Shorewall Concepts

+

The configuration files for Shorewall are contained in the directory +/etc/shorewall -- for simple setups, you will only need to deal with a few of +these as described in this guide. After you have installed Shorewall, +download the three-interface sample, un-tar it +(tar -zxvf three-interfaces.tgz) and and copy the files to /etc/shorewall +(the files will replace files with the same names that were placed in +/etc/shorewall when Shorewall was installed).

+

As each file is introduced, I suggest that you +look through the actual file on your system -- each file contains detailed +configuration instructions and default entries.

+

Shorewall views the network where it is running as being composed of a set of +zones. In the three-interface sample configuration, the following zone names are used:

+
+ + + + + + + + + + + + + + + + +
NameDescription
netThe Internet
locYour Local Network
dmzDemilitarized Zone
+

Zone names are defined in +/etc/shorewall/zones.

+

Shorewall also recognizes the firewall system as its own zone - by default, +the firewall itself is known as fw.

+

Rules about what traffic to allow and what traffic to deny are expressed in +terms of zones.

+
+ + +
bulletYou express your default policy for connections from one zone to another + zone in the /etc/shorewall/policy file.
bulletYou define exceptions to those default policies in the + /etc/shorewall/rules file.
+

For each connection request entering the firewall, the request is first checked against the +/etc/shorewall/rules file. If no rule in that file matches the connection +request then the first policy in /etc/shorewall/policy that matches the + +request is applied. If that policy is REJECT or DROP  the request is first +checked against the rules in /etc/shorewall/common (the samples provide that +file for you).

+

The /etc/shorewall/policy file included with the three-interface sample has the +following policies:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Source ZoneDestination ZonePolicyLog LevelLimit:Burst
locnetACCEPT  
netallDROPinfo 
allallREJECTinfo 
+
+
+

In the three-interface sample, the line below is included but commented out. If +you want your firewall system to have full access to servers on the internet, +uncomment that line.

+
+ + + + + + + + + + + + + + +
Source ZoneDestination ZonePolicyLog LevelLimit:Burst
fwnetACCEPT  
+
+

The above policy will:

+
    +
  1. allow all connection requests from your local network to the internet
  2. +
  3. drop (ignore) all connection requests from the internet to your firewall + or local network
  4. +
  5. optionally accept all connection requests from the firewall to the + internet (if you uncomment the additional policy)
  6. +
  7. reject all other connection requests.
  8. +
+

    At this point, edit your /etc/shorewall/policy +file and make any changes that you +wish.

+

Network Interfaces

+

+

The firewall has three network interfaces. Where Internet +connectivity is through a cable or DSL "Modem", the External Interface +will be the ethernet adapter that is connected to that "Modem" (e.g., eth0)  +unless you connect via Point-to-Point Protocol +over Ethernet (PPPoE) or Point-to-Point Tunneling +Protocol (PPTP) in which case the External Interface will be a ppp +interface (e.g., ppp0). If you connect via a regular modem, your External +Interface will also be ppp0. If you connect using ISDN, you external +interface will be ippp0.

+

    If your external interface is ppp0 +or ippp0 then you will want to +set CLAMPMSS=yes in +/etc/shorewall/shorewall.conf.

+

Your Local Interface will be an ethernet adapter (eth0, +eth1 or eth2) and will be connected to a hub or switch. Your local computers +will be connected to the same switch (note: If you have only a single local system, +you can connect the firewall directly to the computer using a cross-over +cable).

+

Your DMZ Interface will also be an ethernet adapter (eth0, +eth1 or eth2) and will be connected to a hub or switch. Your DMZ computers will +be connected to the same switch (note: If you have only a single DMZ system, +you can connect the firewall directly to the computer using a cross-over +cable).

+

+Do not connect more than one interface +to the same hub or switch (even for testing). It won't work the way that you +expect it to and you will end up confused and +believing that Shorewall doesn't work at all.

+

    The Shorewall three-interface sample configuration assumes that +the external interface is eth0, the local interface is eth1 and +the DMZ interface is +eth2. +If your configuration is different, you will have to modify the sample +/etc/shorewall/interfaces file accordingly. While you are there, you may wish to +review the list of options that are specified for the interfaces. Some hints:

+
+ + +
bullet +

If your external interface is ppp0 or ippp0, you can replace the + "detect" in the second column with "-".

bullet +

If your external interface is ppp0 or ippp0 or if you have a static IP + address, you can remove "dhcp" from the option list.

+

IP Addresses

+

Before going further, we should say a few words about Internet +Protocol (IP) addresses. Normally, your ISP will assign you a single +Public IP address. This address may be assigned via the Dynamic Host +Configuration Protocol (DHCP) or as part of establishing your connection +when you dial in (standard modem) or establish your PPP connection. In rare +cases, your ISP may assign you a static IP address; that means that you +configure your firewall's external interface to use that address permanently. +Regardless of how the address is assigned, it will be shared by all of your +systems when you access the Internet. You will have to assign your own addresses +for your internal network (the local and DMZ Interfaces on your firewall plus your other +computers). RFC 1918 reserves several Private IP address ranges for this +purpose:

+
+
     10.0.0.0    - 10.255.255.255
+     172.16.0.0  - 172.31.255.255
+     192.168.0.0 - 192.168.255.255
+
+
+

    + Before starting Shorewall, you should look at the IP address of your external + interface and if it is one of the above ranges, you should remove the + 'norfc1918' option from the external interface's entry in + /etc/shorewall/interfaces.

+
+

You will want to assign your local addresses from one + sub-network or subnet and your DMZ addresses from another subnet. For our purposes, we can consider a subnet + to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will + have a Subnet Mask of 255.255.255.0. The address x.y.z.0 is reserved as + the Subnet Address and x.y.z.255 is reserved as the Subnet Broadcast + Address. In Shorewall, a subnet is described using + Variable-Length + Subnet Mask (VLSM) notation with consists of the subnet address followed + by "/24". The "24" refers to the number of + consecutive "1" bits from the left of the subnet mask. +

+
+

Example sub-network:

+
+
+ + + + + + + + + + + + + + + + + +
Range:10.10.10.0 - 10.10.10.255
Subnet Address:10.10.10.0
Broadcast Address:10.10.10.255
VLSM Notation:10.10.10.0/24
+
+
+
+

It is conventional to assign the internal interface either the + first usable address in the subnet (10.10.10.1 in the above example) or the + last usable address (10.10.10.254).

+
+

One of the purposes of subnetting is to allow all computers in the + subnet to understand which other computers can be communicated with directly. + To communicate with systems outside of the subnetwork, systems send packets + through a  gateway  (router).

+
+

    Your local computers + (Local Computers 1 & 2) should be configured with their + default gateway set to the IP address of the firewall's internal interface + and your DMZ computers ( DMZ Computers 1 & 2) should be configured with their + default gateway set to the IP address of the firewall's DMZ interface.   +

+

The foregoing short discussion barely scratches the surface +regarding subnetting and routing. If you are interested in learning more about +IP addressing and routing, I highly recommend "IP Fundamentals: What Everyone +Needs to Know about Addressing & Routing", Thomas A. Maufer, Prentice-Hall, +1999, ISBN 0-13-975483-0.

+

The remainder of this quide will assume that you have configured +your network as shown here:

+

+

The default gateway for the DMZ computers would be 10.10.10.254 +and the default gateway for the Local computers would be 10.10.10.254.

+

IP Masquerading (SNAT)

+

The addresses reserved by RFC 1918 are sometimes referred to as +non-routable because the Internet backbone routers don't forward packets +which have an RFC-1918 destination address. When one of your local systems +(let's assume local computer 1) sends a connection request to an internet host, the +firewall must perform Network Address Translation (NAT). The firewall +rewrites the source address in the packet to be the address of the firewall's +external interface; in other words, the firewall makes it look as if the firewall +itself is initiating the connection.  This is necessary so that the +destination host will be able to route return packets back to the firewall +(remember that packets whose destination address is reserved by RFC 1918 can't +be routed accross the internet). When the firewall receives a return packet, it +rewrites the destination address back to 10.10.10.1 and +forwards the packet on to local computer 1.

+

On Linux systems, the above process is often referred to as +IP Masquerading and you will also see the term Source Network Address +Translation (SNAT) used. Shorewall follows the convention used with +Netfilter:

+
+ + +
bullet +

Masquerade describes the case where you let your + firewall system automatically detect the external interface address.

bullet +

SNAT refers to the case when you explicitly specify the + source address that you want outbound packets from your local network to use. +

+

In Shorewall, both Masquerading and SNAT are configured with +entries in the /etc/shorewall/masq file.

+

    If your external firewall interface is eth0, your local +interface eth1 and your DMZ interface is eth2 then you do not +need to modify the file provided with the sample. Otherwise, edit +/etc/shorewall/masq and change it to match your configuration.

+

    If your external IP +is static, you can enter it in the third column in the /etc/shorewall/masq entry +if you like although your firewall will work fine if you leave that column +empty. Entering your static IP in column 3 makes processing outgoing packets a +little more efficient.

+

Port Forwarding (DNAT)

+

One of your goals will be to run one or more servers on your DMZ computers. Because these computers have RFC-1918 addresses, it is not +possible for clients on the internet to connect directly to them. It is rather +necessary for those clients to address their connection requests to your firewall +who rewrites the destination address to the address of your server and forwards +the packet to that server. When your server responds, the firewall automatically +performs SNAT to rewrite the source address in the response.

+

The above process is called Port Forwarding or +Destination Network Address Translation (DNAT). You configure port +forwarding using DNAT rules in the /etc/shorewall/rules file.

+

The general form of a simple port forwarding rule in +/etc/shorewall/rules is:

+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
DNATnetdmz:<server local ip address> [:<server port>]<protocol><port>  
+
+

If you don't specify the <server port>, it is assumed to be the same +as <port>.

+

Example - you run a Web Server on DMZ 2 and you want to forward incoming +TCP port 80 to that system:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
DNATnetdmz:10.10.11.2tcp80# Forward port 80from the internet
ACCEPTlocdmz:10.10.11.2tcp80#Allow connections from the local network
+
+

A +couple of important points +to keep in mind:

+
+ + +
bulletWhen you are connecting to your server from your local systems, you must + use the server's internal IP address (10.10.11.2).
bulletMany ISPs block incoming connection requests to port 80. If you have + problems connecting to your web server, try the following rule and try + connecting to port 5000 (e.g., connect to + http://w.x.y.z:5000 where w.x.y.z is your external IP).
+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
DNATnetdmz:10.10.11.2:80tcp5000  
+
+

If you want to be able +to access your server from the local network using your external address, then +if you have a static external IP you can replace the loc->dmz rule above with:

+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
DNATnetdmz:10.10.11.2:80tcp80-<external IP>
+
+

If you have a dynamic ip then you must ensure that your external interface is +up before starting Shorewall and you must take steps as follows (assume that +your external interface is eth0):

+
    +
  1. Include the following in /etc/shorewall/params:
    +
    + ETH0_IP=`find_interface_address eth0`
  2. +
  3. Make your loc->dmz rule:
  4. +
+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
DNATnetdmz:10.10.11.2:80tcp80-$ETH0_IP
+
+

If you want to access your server from the DMZ using your external IP +address, see FAQ 2a.

+

    At this point, add the DNAT and +ACCEPT rules for your servers.

+

Domain Name Server (DNS)

+

Normally, when you connect to your ISP, as part of getting an IP +address your firewall's Domain Name Service (DNS) resolver will be +automatically configured (e.g., the /etc/resolv.conf file will be written). +Alternatively, your ISP may have given you the IP address of a pair of DNS +name servers for you to manually configure as your primary and secondary +name servers. It is your responsibility to configure the resolver in your +internal systems. You can take one of two approaches:

+
+ + +
bullet +

You can configure your internal systems to use your ISP's name + servers. If you ISP gave you the addresses of their servers or if those + addresses are available on their web site, you can configure your internal + systems to use those addresses. If that information isn't available, look in + /etc/resolv.conf on your firewall system -- the name servers are given in + "nameserver" records in that file.

bullet +

    You can configure a Caching Name Server on your + firewall or in your DMZ. Red Hat has an RPM for a caching name server (which also + requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you + take this approach, you configure your internal systems to use the caching + name server as their primary (and only) name server. You use the internal IP + address of the firewall (10.10.10.254 in the example above) for the name + server address if you choose to run the name server on your firewall. To allow your local systems to talk to your caching name + server, you must open port 53 (both UDP and TCP) from the local network to the + server; you do that by adding the rules in /etc/shorewall/rules.

+
+

If you run the name server on the firewall: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
ACCEPTlocfwtcp53  
ACCEPTlocfwudp53  
ACCEPTdmzfwtcp53  
ACCEPTdmzfwudp53  
+

+
+
+

Run name server on DMZ computer 1

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
ACCEPTlocdmz:10.10.11.1tcp53  
ACCEPTlocdmz:10.10.11.1udp53  
ACCEPTfwdmz:10.10.10.1tcp53  
ACCEPTfwdmz:10.10.10.1udp53  
+
+
+
+

Other Connections

+
+
+

The three-interface sample includes the following rules:

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
ACCEPTfwnetudp53  
ACCEPTfwnettcp53  
+
+
+
+

Those rules allow DNS access from your firewall and may be + removed if you commented out the line in /etc/shorewall/policy allowing all + connections from the firewall to the internet.

+
+

The sample also includes:

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
ACCEPTlocfwtcp22  
ACCEPTlocdmztcp22  
+
+
+
+

That rule allows you to run an SSH server on your firewall and + in each of your DMZ systems and + to connect to those servers from your local systems.

+
+

If you wish to enable other connections between your systems, the general format is:

+
+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
ACCEPT<source zone><destination zone><protocol><port>  
+
+
+
+

Example - You want to run a publicly-available DNS server on your firewall + system:

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
ACCEPTnetfwtcp53#Allow DNS accessfrom the internet
ACCEPTnetfwtcp53#Allow DNS accessfrom the internet
+
+
+
+

Those two rules would of course be in addition to the rules + listed above under "If you run the name server on your firewall".

+
+

If you don't know what port and protocol a particular + application uses, look here.

+
+

Important: I don't recommend enabling telnet to/from + the internet because it uses clear text (even for login!). If you want shell + access to your firewall from the internet, use SSH:

+
+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
ACCEPTnetfwtcp22  
+
+
+
+

    Now modify + /etc/shorewall/rules to add or remove other connections as required.

+
+

Starting and Stopping Your Firewall

+
+
+

The installation procedure + configures your system to start Shorewall at system boot.

+
+

The firewall is started using the "shorewall start" command + and stopped using "shorewall stop". When the firewall is stopped, routing is + enabled on those hosts that have an entry in + /etc/shorewall/routestopped. A + running firewall may be restarted using the "shorewall restart" command. If + you want to totally remove any trace of Shorewall from your Netfilter + configuration, use "shorewall clear".

+
+

    The three-interface sample assumes that you want to enable + routing to/from eth1 (your local network) and eth2 (DMZ) when Shorewall is stopped. + If these two interfaces don't connect to your local network and DMZ or if you + want to enable a different set of hosts, modify /etc/shorewall/routestopped + accordingly.

+
+

WARNING: If you are connected to your firewall from the + internet, do not issue a "shorewall stop" command unless you have added an + entry for the IP address that you are connected from to + /etc/shorewall/routestopped. + Also, I don't recommend using "shorewall restart"; it is better to create an + alternate configuration and + test it using the "shorewall try" command.

+

Last updated +7/27/2002 - Tom +Eastep

+ +

Copyright 2002 Thomas M. Eastep

+ +
+ +
\ No newline at end of file
diff --git a/STABLE/documentation/traffic_shaping.htm b/STABLE/documentation/traffic_shaping.htm
new file mode 100644
index 000000000..3c4b7e5b8
--- /dev/null
+++ b/STABLE/documentation/traffic_shaping.htm
@@ -0,0 +1,206 @@
+ + + + + + + +Traffic Shaping + + + + + +

Traffic Shaping/Control

+

Beginning with version 1.2.0, Shorewall has limited support for traffic +shaping/control. In order to use traffic shaping under Shorewall, it is +essential that you get a copy of the Linux Advanced Routing +and Shaping HOWTO, version 0.3.0 or later. You must also install +the iproute (iproute2) package to provide the "ip" and "tc" +utilities.

+ +

Shorewall traffic shaping support consists of the following:

+ +
+ + + + +
bulletA new TC_ENABLED parameter in /etc/shorewall.conf. Traffic + Shaping also requires that you enable packet mangling.
+
bullet/etc/shorewall/tcrules - A file where you can specify + firewall marking of packets. The firewall mark value may be used to classify + packets for traffic shaping/control.
+
bullet/etc/shorewall/tcstart - A user-supplied file that is + sourced by Shorewall during "shorewall start" and which you can + use to define your traffic shaping disciplines and classes. I have provided + a sample that does + table-driven CBQ shaping but if you read the traffic shaping sections of the + HOWTO mentioned above, you can probably code your own faster than you can + learn how to use my sample. I personally use HTB + (see below). HTB + support may eventually become an integral part of Shorewall since HTB is a + lot simpler and better-documented than CBQ. HTB is currently not a standard + part of either the kernel or iproute2 so both must be patched in order to + use it.
+
+ In tcstart, when you want to run the 'tc' utility, use the run_tc function + supplied by shorewall.
+
bullet/etc/shorewall/tcclear - A user-supplied file that is + sourced by Shorewall when it is clearing traffic shaping. This file is + normally not required as Shorewall's method of clearing qdisc and filter + definitions is pretty general.
+

/etc/shorewall/tcrules

+

The fwmark classifier provides a convenient way to classify +packets for traffic shaping. The /etc/shorewall/tcrules file provides a means +for specifying these marks in a tabular fashion.

+

Columns in the file are as follows:

+
+ + + + + + +
bulletMARK - Specifies the mark value is to be assigned in case of + a match. This is an integer in the range 1-255.
+
+ Example - 5
+
bulletSOURCE - The source of the packet. If the packet originates + on the firewall, place "fw" in this column. Otherwise, this is a + comma-separated list of interface names, IP addresses, MAC addresses in + Shorewall Format and/or Subnets.
+
+ Examples
+     eth0
+     192.168.2.4,192.168.1.0/24
+
bulletDEST -- Destination of the packet. Comma-separated list of + IP addresses and/or subnets.
+
bulletPROTO - Protocol - Must be the name of a protocol from + /etc/protocol, a number or "all"
+
bulletPORT(S) - Destination Ports. A comma-separated list of Port + names (from /etc/services), port numbers or port ranges (e.g., 21:22); if + the protocol is "icmp", this column is interpreted as the + destination icmp type(s).
+
bulletCLIENT PORT(S) - (Optional) Port(s) used by the client. If + omitted, any source port is acceptable. Specified as a comma-separate list + of port names, port numbers or port ranges.
+

Example 1 - All packets arriving on eth1 should be marked with +1. All packets arriving on eth2 should be marked with 2. All packets originating +on the firewall itself should be marked with 3.

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
1eth10.0.0.0/0all  
2eth20.0.0.0/0all  
3fw0.0.0.0/0all  
+

Example 2 - All GRE (protocol 47) packets not originating on the +firewall and destined for 155.186.235.151 should be marked with 12.

+
+ + + + + + + + + + + + + + + + +
MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
120.0.0.0/0155.186.235.15147  
+

Example 3 - All SSH packets originating in 192.168.1.0/24 and +destined for 155.186.235.151 should be marked with 22.

+
+ + + + + + + + + + + + + + + + +
MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
22192.168.1.0/24155.186.235.151tcp22 
+

Hierarchical Token Bucket

+

I personally use HTB. I have found a couple of things that may be of +use to others.

+
+ + +
bulletThe gzipped tc binary at the HTB + website didn't work for me -- I had to download the lastest version of + the iproute2 sources and patch + them for HTB.
bulletThe HTB example in the HOWTO seems to be full of errors. I'm currently + running with this set of shaping rules in my tcstart file so I know that it works.
+
+

run_tc qdisc add dev eth0 root handle 1: htb default 30
+
+ run_tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit burst 15k
+
+ run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 150kbit ceil 10mbit burst 15k
+ run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 234kbit ceil 10mbit burst 15k
+ run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil   + 10mbit burst 15k
+
+ run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10
+ run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10
+ run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10
+
+ run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10
+ run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20
+ run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30 +

+

My tcrules file is shown in Example 1 above. You can look at my network + configuration to get an idea of why I want these particular rules.
+

+
+

Last Updated 6/18/2002 - Tom +Eastep

+ +

Copyright2001, 2002 Thomas M. Eastep.

+ +
+
\ No newline at end of file
diff --git a/STABLE/documentation/troubleshoot.htm b/STABLE/documentation/troubleshoot.htm
new file mode 100644
index 000000000..bf3acfb6a
--- /dev/null
+++ b/STABLE/documentation/troubleshoot.htm
@@ -0,0 +1,189 @@
+ + + + + + Shorewall Troubleshooting + + + + + + + + + + + + +

Shorewall Troubleshooting

+ + + +

Check the Errata

+ +

Check the Shorewall Errata + to be sure that there isn't an update that you are missing for your version +of the firewall.

+ +

Check the FAQs

+ +

Check the FAQs for solutions to common problems.

+ + + +

If the firewall fails to start

+ + If you +receive an error message when starting or restarting the firewall and you +can't determine the cause, then do the following: +
+ + + +
bulletshorewall debug start 2> /tmp/trace
bulletLook at the /tmp/trace file and see if that helps you determine what +the problem is.
bulletIf you still can't determine what's wrong then see the + support page.
+

Your test environment

+

Many times when people have problems with Shorewall, the problem is + actually an ill-conceived test setup. Here are several popular snafus:

+
+ + + +
bulletPort + Forwarding where client and server are in the same subnet. See FAQ + 2.
bulletChanging the IP address of a local system to be in the external subnet, + thinking that Shorewall will suddenly believe that the system is in the + 'net' zone.
bulletMultiple interfaces connected to the same HUB or Switch. Given the way + that the Linux kernel respond to ARP "who-has" requests, this type of setup + does NOT work the way that you expect it to.
+ +

If you are having +connection problems:

+ +

If the appropriate policy for the connection that you +are trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING +TO MAKE IT WORK. Such additional rules will NEVER make it work, they add +clutter to your rule set and they represent a big security hole in the event +that you forget to remove them later.

+ +

I also recommend against setting all of your policies to + ACCEPT in an effort to make something work. That robs you of one of your + best diagnostic tools - the "Shorewall" messages that Netfilter will + generate when you try to connect in a way that isn't permitted by your + rule set.

+ +

Check your log. If you don't see Shorewall messages, +then your problem is probably NOT a Shorewall problem. If you DO see packet +messages, it is an indication that you are missing one or more rules.

+ +

While you are troubleshooting, it is a good idea to clear + two variables in /etc/shorewall/shorewall.conf:

+ +

LOGRATE=""
+ LOGBURST=""

+ +

This way, you will see all of the log messages being + generated (be sure to restart shorewall after clearing these variables).

+ +

Example:

+ + + +

Jun 27 15:37:56 gateway kernel: + Shorewall:all2all:REJECT:IN=eth2 +OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 +ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47

+ +
+ +

Let's look at the important parts of this message:

+ +
+ + + + + + + +
bulletall2all:REJECT - the packet was rejected under the "all"->"all" REJECT +policy
bulletIN=eth2 - the packet entered the firewall via eth2
bulletOUT=eth1 - if accepted, the packet would be sent on eth1
bulletSRC=192.168.2.2 - the packet was sent by 192.168.2.2
bulletDST=192.168.1.3 - the packet is destined for 192.168.1.3
bulletPROTO=UDP - UDP Protocol
bulletDPT=53 - DNS
+ +

In this case, 192.168.2.2 was in the "dmz" zone and +192.168.1.3 is in the "loc" zone. I was missing the rule:

+ +

ACCEPT    dmz    loc    udp    53

+ + + +

Other Gotchas

+ +
+ + + + + + + + +
bulletRemember that Shorewall doesn't automatically allow ICMP type 8 ("ping") +requests to be sent between zones. If you want pings to be allowed between +zones, you need a rule of the form:
+
+     ACCEPT    <source zone>    <destination zone>    +icmp    echo-request
+
+ The ramifications of this can be subtle. For example, if you have the + following in /etc/shorewall/nat:
+
+     10.1.1.2    eth0    130.252.100.18
+
+ and you ping 130.252.100.18, unless you have allowed icmp type 8 between +the zone containing the system you are pinging from and the zone containing + 10.1.1.2, the ping requests will be dropped. This is true even if you +have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.
bulletIf you specify "routefilter" for an interface, that interface must be +up prior to starting the firewall.
bulletIs your routing correct? For example, internal systems usually need to + be configured with their default gateway set to the IP address of their + nearest firewall interface. One often overlooked aspect of routing is that + in order for two hosts to communicate, the routing between them must be set + up in both directions. So when setting up routing between A + and B, be sure to verify that the route from B back to A + is defined.
bulletSome versions of LRP (EigerStein2Beta for example) have a shell with +broken variable expansion. +You can get a corrected shell from the Shorewall Errata download site. +
bulletDo you have your kernel properly configured? Click + here to see my kernel configuration.
bulletSome features require the "ip" program. That program is generally included +in the "iproute" package which should be included with your distribution +(though many distributions don't install iproute by default). You +may also download the latest source tarball from +ftp://ftp.inr.ac.ru/ip-routing +.
bulletIf you have any entry for a zone in /etc/shorewall/hosts then the +zone must be entirely defined in /etc/shorewall/hosts unless you have + specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). For example, if +a zone has two interfaces but only one interface has an entry in /etc/shorewall/hosts +then hosts attached to the other interface will not be considered +part of the zone.
bulletProblems with NAT? Be sure that you let Shorewall add all external addresses +to be use with NAT unless you have set +ADD_IP_ALIASES +=No in /etc/shorewall/shorewall.conf.
+

Still Having Problems?

+

See the support page.

+ + + +
+ +
+ +

Last updated 7/27/2002 - +Tom Eastep +

+ +

Copyright + © 2001, 2002 Thomas M. Eastep.

+ +
+
\ No newline at end of file
diff --git a/STABLE/documentation/two-interface.htm b/STABLE/documentation/two-interface.htm
new file mode 100644
index 000000000..5cf52718b
--- /dev/null
+++ b/STABLE/documentation/two-interface.htm
@@ -0,0 +1,683 @@
+ + + + + + + +Two-Interface Firewall + + + + + +

Basic Two-Interface Firewall

+

Setting up a Linux system as a firewall for a small network is a +fairly straight-forward task if you understand the basics and follow the +documentation.

+

This guide doesn't attempt to acquaint you with all of the features of +Shorewall. It rather focuses on what is required to configure Shorewall in its +most common configuration:

+
+ + + +
bulletLinux system used as a firewall/router for a small local network.
bulletSingle external IP address.
bulletInternet connection through cable modem, DSL, ISDN, Frame Relay, dial-up + ...
+

Here is a schematic of a typical installation.

+

+

This guide assumes that you have the iproute/iproute2 package installed (on +RedHat, the package is called iproute). You can tell if this +package is installed by the presence of an ip program on your firewall +system. As root, you can use the 'which' command to check for this program:

+
     [root@gateway root]# which ip
+     /sbin/ip
+     [root@gateway root]#

I recommend that you first read through the +guide to familiarize yourself with what's involved then go back through it again +making your configuration changes. Points at which configuration changes are +recommended are flagged with .

+

    +If you edit your configuration files on a Windows system, you must save them as +Unix files if your editor supports that option or you must run them through +dos2unix before trying to use them. Similarly, if you copy a configuration file +from your Windows hard drive to a floppy disk, you must run dos2unix against the +copy before using it with Shorewall.

+
+ + +
bulletWindows Version of + dos2unix
bulletLinux Version of + dos2unix
+

Shorewall Concepts

+

The configuration files for Shorewall are contained in the directory +/etc/shorewall -- for simple setups, you will only need to deal with a few of +these as described in this guide. After you have installed Shorewall, +download the +two-interface sample, un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall +(these files will replace files with the same name).

+

As each file is introduced, I suggest that you +look through the actual file on your system -- each file contains detailed +configuration instructions and default entries.

+

Shorewall views the network where it is running as being composed of a set of +zones. In the two-interface sample configuration, the following zone names are used:

+
+ + + + + + + + + + + + +
NameDescription
netThe Internet
locYour Local Network
+

Zones are defined in the +/etc/shorewall/zones file.

+

Shorewall also recognizes the firewall system as its own zone - by default, +the firewall itself is known as fw.

+

Rules about what traffic to allow and what traffic to deny are expressed in +terms of zones.

+
+ + +
bulletYou express your default policy for connections from one zone to another + zone in the /etc/shorewall/policy file.
bulletYou define exceptions to those default policies in the + /etc/shorewall/rules file.
+

For each connection request entering the firewall, the request is first checked against the +/etc/shorewall/rules file. If no rule in that file matches the connection +request then the first policy in /etc/shorewall/policy that matches the + +request is applied. If that policy is REJECT or DROP  the request is first +checked against the rules in /etc/shorewall/common (the samples provide that +file for you).

+

The /etc/shorewall/policy file included with the two-interface sample has the +following policies:

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Source ZoneDestination ZonePolicyLog LevelLimit:Burst
locnetACCEPT  
netallDROPinfo 
allallREJECTinfo 
+
+
+

In the two-interface sample, the line below is included but commented out. If +you want your firewall system to have full access to servers on the internet, +uncomment that line.

+
+ + + + + + + + + + + + + + +
Source ZoneDestination ZonePolicyLog LevelLimit:Burst
fwnetACCEPT  
+
+

The above policy will:

+
    +
  1. allow all connection requests from your local network to the internet
  2. +
  3. drop (ignore) all connection requests from the internet to your firewall + or local network
  4. +
  5. optionally accept all connection requests from the firewall to the + internet (if you uncomment the additional policy)
  6. +
  7. reject all other connection requests.
  8. +
+

    At this point, edit your /etc/shorewall/policy and make any changes that you +wish.

+

Network Interfaces

+

+

The firewall has two network interfaces. Where Internet +connectivity is through a cable or DSL "Modem", the External Interface +will be the ethernet adapter that is connected to that "Modem" (e.g., eth0)  +unless you connect via Point-to-Point Protocol +over Ethernet (PPPoE) or Point-to-Point Tunneling +Protocol (PPTP) in which case the External Interface will be a ppp +interface (e.g., ppp0). If you connect via a regular modem, your External +Interface will also be ppp0. If you connect via ISDN, your external +interface will be ippp0.

+

    If your external interface is ppp0 +or ippp0  then you will want to +set CLAMPMSS=yes in +/etc/shorewall/shorewall.conf.

+

Your Internal Interface will be an ethernet adapter (eth1 +or eth0) and will be connected to a hub or switch. Your other computers will be +connected to the same hub/switch (note: If you have only a single internal system, +you can connect the firewall directly to the computer using a cross-over +cable).

+

+Do not connect the internal and external interface +to the same hub or switch (even for testing). It won't work the way that you think that it will and you will end up confused and +believing that Shorewall doesn't work at all.

+

    The Shorewall two-interface sample configuration assumes that +the external interface is eth0 and the internal interface is eth1. +If your configuration is different, you will have to modify the sample +/etc/shorewall/interfaces file accordingly. While you are there, you may wish to +review the list of options that are specified for the interfaces. Some hints:

+
+ + +
bullet +

If your external interface is ppp0 or ippp0, you can replace the + "detect" in the second column with "-".

bullet +

If your external interface is ppp0 or ippp0 or if you have a static IP + address, you can remove "dhcp" from the option list.

+

IP Addresses

+

Before going further, we should say a few words about Internet +Protocol (IP) addresses. Normally, your ISP will assign you a single +Public IP address. This address may be assigned via the Dynamic Host +Configuration Protocol (DHCP) or as part of establishing your connection +when you dial in (standard modem) or establish your PPP connection. In rare +cases, your ISP may assign you a static IP address; that means that you +configure your firewall's external interface to use that address permanently. +However your external address is assigned, it will be shared by all of your systems when you access the +Internet. You will have to assign your own addresses in your +internal network (the Internal Interface on your firewall plus your other +computers). RFC 1918 reserves several Private IP address ranges for this +purpose:

+
+
     10.0.0.0    - 10.255.255.255
+     172.16.0.0  - 172.31.255.255
+     192.168.0.0 - 192.168.255.255
+
+
+

    + Before starting Shorewall, you should look at the IP address of your external + interface and if it is one of the above ranges, you should remove the + 'norfc1918' option from the external interface's entry in + /etc/shorewall/interfaces.

+
+

You will want to assign your addresses from the same + sub-network (subnet).  For our purposes, we can consider a subnet + to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will + have a Subnet Mask of 255.255.255.0. The address x.y.z.0 is reserved as + the Subnet Address and x.y.z.255 is reserved as the Subnet Broadcast + Address. In Shorewall, a subnet is described using + Variable-Length + Subnet Mask (VLSM) notation with consists of the subnet address followed + by "/24". The "24" refers to the number of + consecutive leading "1" bits from the left of the subnet mask. +

+
+

Example sub-network:

+
+
+ + + + + + + + + + + + + + + + + +
Range:10.10.10.0 - 10.10.10.255
Subnet Address:10.10.10.0
Broadcast Address:10.10.10.255
VLSM Notation:10.10.10.0/24
+
+
+
+

It is conventional to assign the internal interface either the + first usable address in the subnet (10.10.10.1 in the above example) or the + last usable address (10.10.10.254).

+
+

One of the purposes of subnetting is to allow all computers in the + subnet to understand which other computers can be communicated with directly. + To communicate with systems outside of the subnetwork, systems send packets + through a  gateway  (router).

+
+

    Your local computers (computer + 1 and computer 2 in the above diagram) should be configured with their + default gateway to be the IP address of the firewall's internal + interface.      +

+

The foregoing short discussion barely scratches the surface +regarding subnetting and routing. If you are interested in learning more about +IP addressing and routing, I highly recommend "IP Fundamentals: What Everyone +Needs to Know about Addressing & Routing", Thomas A. Maufer, Prentice-Hall, +1999, ISBN 0-13-975483-0.

+

The remainder of this quide will assume that you have configured +your network as shown here:

+

+

The default gateway for computer's 1 & 2 would be 10.10.10.254.

+

IP Masquerading (SNAT)

+

The addresses reserved by RFC 1918 are sometimes referred to as +non-routable because the Internet backbone routers don't forward packets +which have an RFC-1918 destination address. When one of your local systems +(let's assume computer 1) sends a connection request to an internet host, the +firewall must perform Network Address Translation (NAT). The firewall +rewrites the source address in the packet to be the address of the firewall's +external interface; in other words, the firewall makes it look as if the firewall +itself is initiating the connection.  This is necessary so that the +destination host will be able to route return packets back to the firewall +(remember that packets whose destination address is reserved by RFC 1918 can't +be routed across the internet so the remote host can't address its response to +computer 1). When the firewall receives a return packet, it +rewrites the destination address back to 10.10.10.1 and +forwards the packet on to computer 1.

+

On Linux systems, the above process is often referred to as +IP Masquerading but you will also see the term Source Network Address +Translation (SNAT) used. Shorewall follows the convention used with +Netfilter:

+
+ + +
bullet +

Masquerade describes the case where you let your + firewall system automatically detect the external interface address.

bullet +

SNAT refers to the case when you explicitly specify the + source address that you want outbound packets from your local network to use. +

+

In Shorewall, both Masquerading and SNAT are configured with +entries in the /etc/shorewall/masq file. You will normally use Masquerading if +your external IP is dynamic and SNAT if the IP is static.

+

    If your external firewall interface is eth0, you do not +need to modify the file provided with the sample. Otherwise, edit +/etc/shorewall/masq and change the first column to the name of your external +interface and the second column to the name of your internal interface.

+

    If your external IP is +static, you can enter it in the third column in the /etc/shorewall/masq entry if +you like although your firewall will work fine if you leave that column empty. +Entering your static IP in column 3 makes processing outgoing packets a little +more efficient.

+

Port Forwarding (DNAT)

+

One of your goals may be to run one or more servers on your +local computers. Because these computers have RFC-1918 addresses, it is not +possible for clients on the internet to connect directly to them. It is rather +necessary for those clients to address their connection requests to the firewall +who rewrites the destination address to the address of your server and forwards +the packet to that server. When your server responds, the firewall automatically +performs SNAT to rewrite the source address in the response.

+

The above process is called Port Forwarding or +Destination Network Address Translation (DNAT). You configure port +forwarding using DNAT rules in the /etc/shorewall/rules file.

+

The general form of a simple port forwarding rule in +/etc/shorewall/rules is:

+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
DNATnetloc:<server local ip address> [:<server port>]<protocol><port>  
+
+

Example - you run a Web Server on computer 2 and you want to forward incoming +TCP port 80 to that system:

+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
DNATnetloc:10.10.10.2tcp80  
+
+

A couple of important points +to keep in mind:

+
+ + +
bulletYou must test the above rule from a client outside of your local network + (i.e., don't test from a browser running on computers 1 or 2 or on the + firewall). If you want to be able to access your web server using the IP + address of your external interface, see Shorewall FAQ + #2.
bulletMany ISPs block incoming connection requests to port 80. If you have + problems connecting to your web server, try the following rule and try + connecting to port 5000.
+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
DNATnetloc:10.10.10.2:80tcp5000  
+
+

+    At this point, modify +/etc/shorewall/rules to add any DNAT rules that you require.

+

Domain Name Server (DNS)

+

Normally, when you connect to your ISP, as part of getting an IP +address your firewall's Domain Name Service (DNS) resolver will be +automatically configured (e.g., the /etc/resolv.conf file will be written). +Alternatively, your ISP may have given you the IP address of a pair of DNS +name servers for you to manually configure as your primary and secondary +name servers. Regardless of how DNS gets configured on your firewall, it is your responsibility to configure the resolver in your +internal systems. You can take one of two approaches:

+
+ + +
bullet +

You can configure your internal systems to use your ISP's name + servers. If you ISP gave you the addresses of their servers or if those + addresses are available on their web site, you can configure your internal + systems to use those addresses. If that information isn't available, look in + /etc/resolv.conf on your firewall system -- the name servers are given in + "nameserver" records in that file.

bullet +

    You can configure a Caching Name Server on your + firewall. Red Hat has an RPM for a caching name server (the RPM also + requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you + take this approach, you configure your internal systems to use the firewall + itself as their primary (and only) name server. You use the internal IP + address of the firewall (10.10.10.254 in the example above) for the name + server address. To allow your local systems to talk to your caching name + server, you must open port 53 (both UDP and TCP) from the local network to the + firewall; you do that by adding the following rules in /etc/shorewall/rules.

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
ACCEPTlocfwtcp53  
ACCEPTlocfwudp53  
+
+
+

Other Connections

+
+
+

The two-interface sample includes the following rules:

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
ACCEPTfwnettcp53  
ACCEPTfwnetudp53  
+
+
+
+

Those rules allow DNS access from your firewall and may be + removed if you commented out the line in /etc/shorewall/policy allowing all + connections from the firewall to the internet.

+
+

The sample also includes:

+
+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
ACCEPTlocfwtcp22  
+
+
+
+

That rule allows you to run an SSH server on your firewall and + connect to that server from your local systems.

+
+

If you wish to enable other connections between your firewall + and other systems, the general format is:

+
+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
ACCEPT<source zone><destination zone><protocol><port>  
+
+
+
+

Example - You want to run a Web Server on your firewall + system:

+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
ACCEPTnetfwtcp80#Allow web accessfrom the internet
ACCEPTlocfwtcp80#Allow web accessfrom the local network
+
+
+
+

Those two rules would of course be in addition to the rules + listed above under "You can configure a Caching Name Server on your firewall"

+
+

If you don't know what port and protocol a particular + application uses, look here.

+
+

Important: I don't recommend enabling telnet to/from + the internet because it uses clear text (even for login!). If you want shell + access to your firewall from the internet, use SSH:

+
+
+ + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
ACCEPTnetfwtcp22  
+
+
+
+

    Now edit your + /etc/shorewall/rules file to add or delete other connections as required.

+
+

Starting and Stopping Your Firewall

+
+
+

The installation procedure + configures your system to start Shorewall at system boot.

+
+

The firewall is started using the "shorewall start" command + and stopped using "shorewall stop". When the firewall is stopped, routing is + enabled on those hosts that have an entry in + /etc/shorewall/routestopped. A + running firewall may be restarted using the "shorewall restart" command. If + you want to totally remove any trace of Shorewall from your Netfilter + configuration, use "shorewall clear".

+
+

    The two-interface sample assumes that you want to enable + routing to/from eth1 (the local network) when Shorewall is stopped. If + your local network isn't connected to eth1 or if you wish to enable + access to/from other hosts, change /etc/shorewall/routestopped accordingly.

+
+

WARNING: If you are connected to your firewall from the + internet, do not issue a "shorewall stop" command unless you have added an + entry for the IP address that you are connected from to + /etc/shorewall/routestopped. + Also, I don't recommend using "shorewall restart"; it is better to create an + alternate configuration and + test it using the "shorewall try" command.

+

Last updated +7/26/2002 - Tom +Eastep

+ +

Copyright 2002 Thomas M. Eastep

+ +
+
+
\ No newline at end of file
diff --git a/STABLE/fallback.sh b/STABLE/fallback.sh
new file mode 100755
index 000000000..61b89b7e7
--- /dev/null
+++ b/STABLE/fallback.sh
@@ -0,0 +1,122 @@
+#!/bin/sh
+#
+# Script to back out the installation of Shoreline Firewall and to restore the previous version of
+# the program
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2001,2002 - Tom Eastep (teastep@shorewall.net)
+#
+# Shorewall documentation is available at http://seattlefirewall.dyndns.org
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+#
+# Usage:
+#
+# You may only use this script to back out the installation of the version
+# shown below. Simply run this script to revert to your prior version of
+# Shoreline Firewall.
+
+VERSION=1.3.6
+
+usage() # $1 = exit status
+{
+ echo "usage: `basename $0`"
+ exit $1
+}
+
+restore_file() # $1 = file to restore
+{
+ if [ -f ${1}-${VERSION}.bkout ]; then
+ if (mv -f ${1}-${VERSION}.bkout $1); then
+ echo
+ echo "$1 restored"
+ else
+ echo "ERROR: Could not restore $1"
+ exit 1
+ fi
+ fi
+}
+
+if [ ! -f /var/lib/shorewall/version-${VERSION}.bkout -a \
+ ! -f /etc/shorewall/version-${VERSION}.bkout ]; then
+ echo "Shorewall Version $VERSION is not installed"
+ exit 1
+fi
+
+echo "Backing Out Installation of Shorewall $VERSION"
+
+if [ -L /var/lib/shorewall/firewall ]; then
+ FIREWALL=`ls -l /var/lib/shorewall/firewall | sed 's/^.*> //'`
+ restore_file $FIREWALL
+fi
+
+restore_file /sbin/shorewall
+
+[ -f /etc/shorewall.conf.$VERSION ] && rm -f /etc/shorewall.conf.$VERSION
+
+restore_file /etc/shorewall/shorewall.conf
+
+restore_file /etc/shorewall/functions
+restore_file /var/lib/shorewall/functions
+
+restore_file /etc/shorewall/common.def
+
+restore_file /etc/shorewall/icmp.def
+
+restore_file /etc/shorewall/zones
+
+restore_file /etc/shorewall/policy
+
+restore_file /etc/shorewall/interfaces
+
+restore_file /etc/shorewall/hosts
+
+restore_file /etc/shorewall/rules
+
+restore_file /etc/shorewall/nat
+
+restore_file /etc/shorewall/params
+
+restore_file /etc/shorewall/proxyarp
+
+restore_file /etc/shorewall/routestopped
+
+restore_file /etc/shorewall/masq
+
+restore_file /etc/shorewall/modules
+
+restore_file /etc/shorewall/tcrules
+
+restore_file /etc/shorewall/tos
+
+restore_file /etc/shorewall/tunnels
+
+restore_file /etc/shorewall/blacklist
+
+restore_file /etc/shorewall/whitelist
+
+restore_file /etc/shorewall/rfc1918
+
+if [ -f /var/lib/shorewall/version-${VERSION}.bkout ]; then
+ restore_file /var/shorewall/version
+ oldversion="`cat /var/lib/shorewall/version`"
+else
+ restore_file /etc/shorewall/version
+ oldversion="`cat /etc/shorewall/version`"
+fi
+
+echo "Shorewall Restored to Version $oldversion"
+
+
diff --git a/STABLE/firewall b/STABLE/firewall
new file mode 100755
index 000000000..9c18802d7
--- /dev/null
+++ b/STABLE/firewall
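Review bot: The final rollback step targets the wrong path: `restore_file /var/shorewall/version` looks for `/var/shorewall/version-1.3.6.bkout`, while the existence check at the top of the script and the `cat` two lines later both use `/var/lib/shorewall/version`, so on a /var/lib install the version file is never restored and `oldversion` is read from the still-current file — it should read `restore_file /var/lib/shorewall/version`. Separately, the symlink target behind `/var/lib/shorewall/firewall` is recovered by parsing `ls -l` output through `sed` and then passed unquoted to `restore_file`, and `restore_file` itself uses `$1` and `${1}-${VERSION}.bkout` unquoted in `mv -f`; since this runs as root over /sbin and /etc, quoting those expansions (and using `readlink` where the target platform provides it) would avoid word-splitting on unusual paths. Finally, `restore_file` exits on the first failed `mv` with no indication of which files were already reverted, so a header comment such as `# NOTE: the rollback is not atomic; on a restore error, inspect the remaining *-1.3.6.bkout files by hand` would help an operator recover.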
@@ -0,0 +1,3589 @@
+#!/bin/sh
+RCDLINKS="2,S41 3,S41 6,K41"
+#
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V1.3 6/14/2002
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
+#
+# On most distributions, this file should be called:
+# /etc/rc.d/init.d/shorewall or /etc/init.d/shorewall
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+#
+# If an error occurs while starting or restarting the firewall, the
+# firewall is automatically stopped.
+#
+# Commands are:
+#
+# shorewall start Starts the firewall
+# shorewall restart Restarts the firewall
+# shorewall stop Stops the firewall
+# shorewall status Displays firewall status
+# shorewall reset Resets iptabless packet and
+# byte counts
+# shorewall clear Remove all Shorewall chains
+# and rules/policies.
+# shorewall refresh . Rebuild the common chain
+# shorewall check Verify the more heavily-used
+# configuration files.
+ +#### BEGIN INIT INFO +# Provides: shorewall +# Required-Start: $network +# Required-Stop: +# Default-Start: 2 3 5 +# Default-Stop: 0 1 6 +# Description: starts and stops the shorewall firewall +### END INIT INFO + +# chkconfig: 2345 25 90 +# description: Packet filtering firewall +# + +############################################################################### +# Search a list looking for a match -- returns zero if a match found # +# 1 otherwise # +############################################################################### +list_search() # $1 = element to search for , $2-$n = list +{ + local e=$1 + + while [ $# -gt 1 ]; do + shift + [ "x$e" = "x$1" ] && return 0 + done + + return 1 +} + +############################################################################### +# Mutual exclusion -- These functions are jackets for the mutual exclusion # +# routines in /var/lib/shorewall/functions. They invoke # +# the corresponding function in that file if the user did # +# not specify "nolock" on the runline. 
# +############################################################################### +my_mutex_on() { + [ -n "$nolock" ] || { mutex_on; have_mutex=Yes; } +} + +my_mutex_off() { + [ -n "$have_mutex" ] && { mutex_off; have_mutex=; } +} + +############################################################################### +# Message to stderr # +############################################################################### +error_message() # $* = Error Message +{ + echo " $@" >&2 +} + +############################################################################### +# Fatal error -- stops the firewall after issuing the error message # +############################################################################### +fatal_error() # $* = Error Message +{ + echo " $@" >&2 + stop_firewall + exit 2 +} + +############################################################################### +# Fatal error during startup -- generate an error message and abend with # +# altering the state of the firewall # +############################################################################### +startup_error() # $* = Error Message +{ + echo " $@" >&2 + my_mutex_off + [ -n "$TMP_DIR" ] && rm -rf $TMP_DIR + kill $$ + exit 2 +} + +############################################################################### +# Send a message to STDOUT and the System Log # +############################################################################### +report () { # $* = message + echo "$@" + logger "$@" +} + +############################################################################### +# Perform variable substitution on the passed argument and echo the result # +############################################################################### +expand() # $1 = contents of variable which may be the name of another variable +{ + eval echo \"$1\" +} + +############################################################################### +# Perform variable substitition on the values of the passed list of variables # 
+############################################################################### +expandv() # $* = list of variable names +{ + local varval + + while [ $# -gt 0 ]; do + eval varval=\$${1} + eval $1=\"$varval\" + shift + done +} + +################################################################################ +# Run iptables and if an error occurs, stop the firewall and quit # +################################################################################ +run_iptables() { + if ! iptables `echo $@ | sed 's/!/! /g'`; then + [ -z "$stopping" ] && { stop_firewall; exit 2; } + fi +} + +################################################################################ +# Run ip and if an error occurs, stop the firewall and quit # +################################################################################ +run_ip() { + if ! ip $@ ; then + [ -z "$stopping" ] && { stop_firewall; exit 2; } + fi +} + +################################################################################ +# Run arp and if an error occurs, stop the firewall and quit # +################################################################################ +run_arp() { + if ! arp $@ ; then + [ -z "$stopping" ] && { stop_firewall; exit 2; } + fi +} + +################################################################################ +# Run tc and if an error occurs, stop the firewall and quit # +################################################################################ +run_tc() { + if ! tc $@ ; then + [ -z "$stopping" ] && { stop_firewall; exit 2; } + fi +} + +################################################################################ +# Create a filter chain # +# # +# If the chain isn't one of the common chains then add a rule to the chain # +# allowing packets that are part of an established connection. Create a # +# variable ${1}_exists and set its value to Yes to indicate that the chain now # +# exists. 
# +################################################################################ +createchain() # $1 = chain name, $2 = If non-null, don't create default rules +{ + local target + + run_iptables -N $1 + + if [ $# -eq 1 ]; then + state="ESTABLISHED" + [ -n "$ALLOWRELATED" ] && state="$state,RELATED" + run_iptables -A $1 -m state --state $state -j ACCEPT + run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn + fi + + eval ${1}_exists=Yes +} + +################################################################################ +# Determine if a chain exists # +# # +# When we create a chain "chain", we create a variable named chain_exists and # +# set its value to Yes. This function tests for the "_exists" variable # +# corresponding to the passed chain having the value of "Yes". # +################################################################################ +havechain() # $1 = name of chain +{ + eval test \"\$${1}_exists\" = Yes +} + +################################################################################ +# Ensure that a chain exists (create it if it doesn't) # +################################################################################ +ensurechain() # $1 = chain name +{ + havechain $1 || createchain $1 +} + +################################################################################ +# Add a rule to a chain creating the chain if necessary # +################################################################################ +addrule() # $1 = chain name, remainder of arguments specify the rule +{ + ensurechain $1 + run_iptables -A $@ +} + +################################################################################ +# Create a nat chain # +# # +# Create a variable ${1}_nat_exists and set its value to Yes to indicate that # +# the chain now exists. 
# +################################################################################ +createnatchain() # $1 = chain name +{ + run_iptables -t nat -N $1 + + eval ${1}_nat_exists=Yes +} + +################################################################################ +# Determine if a nat chain exists # +# # +# When we create a chain "chain", we create a variable named chain_nat_exists # +# and set its value to Yes. This function tests for the "_exists" variable # +# corresponding to the passed chain having the value of "Yes". # +################################################################################ +havenatchain() # $1 = name of chain +{ + eval test \"\$${1}_nat_exists\" = Yes +} + +################################################################################ +# Ensure that a chain exists (create it if it doesn't) # +################################################################################ +ensurenatchain() # $1 = chain name +{ + havenatchain $1 || createnatchain $1 +} + +################################################################################ +# Add a rule to a nat chain creating the chain if necessary # +################################################################################ +addnatrule() # $1 = chain name, remainder of arguments specify the rule +{ + ensurenatchain $1 + run_iptables -t nat -A $@ +} + +################################################################################ +# Delete a chain if it exists # +################################################################################ +deletechain() # $1 = name of chain +{ + qt iptables -L $1 -n && qt iptables -F $1 && qt iptables -X $1 +} + +################################################################################ +# Set a standard chain's policy # +################################################################################ +setpolicy() # $1 = name of chain, $2 = policy +{ + run_iptables -P $1 $2 +} + 
+################################################################################ +# Set a standard chain to enable established connections # +################################################################################ +setcontinue() # $1 = name of chain +{ + run_iptables -A $1 -m state --state ESTABLISHED -j ACCEPT +} + +################################################################################ +# Flush one of the NAT table chains # +################################################################################ +flushnat() # $1 = name of chain +{ + run_iptables -t nat -F $1 +} + +################################################################################ +# Find interfaces to a given zone # +# # +# Read the interfaces file and for each record matching the passed ZONE, # +# echo the expanded contents of the "INTERFACE" column # +################################################################################ +find_interfaces() # $1 = interface zone +{ + local zne=$1 + + while read z interface subnet options; do + [ "x`expand $z`" = "x$zne" ] && echo `expand $interface` + done < $TMP_DIR/interfaces +} + +################################################################################ +# Chain name base for an interface # +################################################################################ +chain_base() #$1 = interface +{ + local c=${1%%+*} + + echo ${c:=common} +} + +################################################################################ +# Forward Chain for an interface # +################################################################################ +forward_chain() # $1 = interface +{ + echo `chain_base $1`_fwd +} + +################################################################################ +# Input Chain for an interface # +################################################################################ +input_chain() # $1 = interface +{ + echo `chain_base $1`_in +} + 
+################################################################################ +# Output Chain for an interface # +################################################################################ +output_chain() # $1 = interface +{ + echo `chain_base $1`_out +} + +################################################################################ +# Masquerade Chain for an interface # +################################################################################ +masq_chain() # $1 = interface +{ + echo `chain_base $1`_masq +} + +################################################################################ +# DNAT Chain from a zone # +################################################################################ +dnat_chain() # $1 = zone +{ + echo ${1}_dnat +} + +################################################################################ +# SNAT Chain to a zone # +################################################################################ +snat_chain() # $1 = zone +{ + echo ${1}_snat +} + +################################################################################ +# First chains for an interface # +################################################################################ +first_chains() #$1 = interface +{ + local c=`chain_base $1` + + echo ${c}_fwd ${c}_in +} + +################################################################################ +# Find hosts in a given zone # +# # +# Read hosts file and for each record matching the passed ZONE, # +# echo the expanded contents of the "HOST(S)" column # +################################################################################ +find_hosts() # $1 = host zone +{ + local hosts + + while read z hosts options; do + [ "x`expand $z`" = "x$1" ] && expandv hosts && echo `separate_list $hosts` + done < $TMP_DIR/hosts +} + +################################################################################ +# Determine the interfaces on the firewall # +# # +# For each zone, create a variable 
called ${zone}_interfaces. This # +# variable contains a space-separated list of interfaces to the zone # +################################################################################ +determine_interfaces() { + for zone in $zones; do + interfaces=`find_interfaces $zone` + interfaces=`echo $interfaces` # Remove extra trash + eval ${zone}_interfaces="\$interfaces" + done +} + +################################################################################ +# Determine the defined hosts in each zone and generate report # +################################################################################ +determine_hosts() { + do_a_zone() + { + eval interfaces=\$${zone}_interfaces + + for interface in $interfaces; do + if [ -z "$hosts" ]; then + hosts=$interface:0.0.0.0/0 + else + hosts="$hosts $interface:0.0.0.0/0" + fi + done + } + + recalculate_interfaces() + { + interfaces= + + for host in $hosts; do + interface=${host%:*} + if ! list_search $interface $interfaces; then + if [ -z "$interfaces" ]; then + interfaces=$interface + else + interfaces="$interfaces $interface" + fi + fi + done + + eval ${zone}_interfaces="\$interfaces" + } + + for zone in $zones; do + hosts=`find_hosts $zone` + hosts=`echo $hosts` # Remove extra trash + + if [ -n "MERGE_HOSTS" ]; then + #################################################################### + # Zone will be the union of its host and interface definitions + # + do_a_zone + recalculate_interfaces + elif [ -n "$hosts" ]; then + #################################################################### + # Zone is defined in terms of hosts -- derive the interface list + # from the host list + # + recalculate_interfacess + else + #################################################################### + # If no hosts are defined for a zone then the zone consists of any + # host that can send us messages via the interfaces to the zone + # + do_a_zone + fi + + eval ${zone}_hosts="\$hosts" + + if [ -n "$hosts" ]; then + eval 
display=\$${zone}_display + display_list "$display Zone:" $hosts + else + error_message "Warning: Zone $zone is empty" + fi + done +} + +################################################################################ +# Ensure that the passed zone is defined in the zones file or is the firewall # +################################################################################ +validate_zone() # $1 = zone +{ + list_search $1 $zones $FW +} + +################################################################################ +# Validate the zone names and options in the interfaces file # +################################################################################ +validate_interfaces_file() { + while read z interface subnet options; do + expandv z interface subnet options + r="$z $interface $subnet $options" + [ "x$z" = "x-" ] || validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" + + list_search $interface $all_interfaces && \ + startup_error "Error: Duplicate Interface $interface" + + all_interfaces="$all_interfaces $interface" + + for option in `separate_list $options`; do + case $option in + dhcp|noping|filterping|routestopped|norfc1918|multi) + ;; + routefilter|dropunclean|logunclean|blacklist|proxyarp|-) + ;; + *) + error_message "Warning: Invalid option ($option) in record \"$r\"" + ;; + esac + done + + [ -z "$all_interfaces" ] && startup_error "Error: No Interfaces Defined" + + done < $TMP_DIR/interfaces +} + +################################################################################ +# Validate the zone names and options in the hosts file # +################################################################################ +validate_hosts_file() { + while read z hosts options; do + expandv z hosts options + r="$z $hosts $options" + validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" + + for host in `separate_list $hosts`; do + interface=${host%:*} + + list_search $interface $all_interfaces || \ + startup_error 
"Unknown interface ($interface) in record \"$r\"" + + for option in `separate_list $options`; do + case $option in + routestopped|-) + ;; + *) + error_message "Warning: Invalid option ($option) in record \"$r\"" + ;; + esac + done + done + done < $TMP_DIR/hosts +} + +################################################################################ +# Format a match by the passed MAC address # +# The passed address begins with "~" and uses "-" as a separator between bytes # +# Example: ~01-02-03-04-05-06 # +################################################################################ +mac_match() # $1 = MAC address formated as described above +{ + echo "--match mac --mac-source `echo $1 | sed 's/~//;s/-/:/g'`" +} + +################################################################################ +# validate a record from the rules file # +# # +# The caller has loaded the column contents from the record into the following # +# variables: # +# # +# target clients servers protocol ports cports address # +# # +# and has loaded a space-separated list of their values in "rule". 
# +################################################################################ +validate_rule() { + ############################################################################ + # Ensure that the passed comma-separated list has 15 or fewer elements + # + validate_list() { + local temp=`separate_list $1` + + [ `echo $temp | wc -w` -le 15 ] + } + + ############################################################################ + # validate one rule + # + validate_a_rule() { + ######################################################################## + # Determine the format of the client + # + cli= + + [ -n "$client" ] && case "$client" in + -) + ;; + ~*) + cli=`mac_match $client` + ;; + [0-9]*|![0-9]*) + # + # IP Address, address or subnet + # + cli="-s $client" + ;; + *) + # + # Assume that this is a device name + # + cli="-i $client" + ;; + esac + + dest_interface= + + [ -n "$server" ] && case "$server" in + -) + serv= + ;; + [0-9]*|![0-9]*) + serv=$server + ;; + ~*) + fatal_error "Error: Rule \"$rule\" - Server may not be specified by MAC Address" + ;; + *) + dest_interface="-o $server" + serv= + ;; + esac + ################################################################ + # Setup PROTOCOL, PORT and STATE variables + # + sports="" + dports="" + state="-m state --state NEW" + proto=$protocol + addr=$address + servport=$serverport + + case $proto in + tcp|udp|TCP|UDP|6|17) + [ -n "$port" ] && [ "x${port}" != "x-" ] && \ + dports="--dport $port" + [ -n "$cport" ] && [ "x${cport}" != "x-" ] && \ + sports="--sport $cport" + ;; + icmp|ICMP|0) + [ -n "$port" ] && dports="--icmp-type $port" + state="" + ;; + related|RELATED) + proto= + state="-m state --state RELATED" + ;; + *) + [ -n "$port" ] && [ "x${port}" != "x-" ] && \ + startup_error "Port number not allowed with protocol " \ + "\"$proto\"; rule: \"$rule\"" + ;; + esac + + proto="${proto:+-p $proto}" + + case "$logtarget" in + REJECT) + target=reject + [ -n "$servport" ] && \ + startup_error "Error: server port 
may not be specified in a REJECT rule;"\ + "rule: \"$rule\"" + ;; + ACCEPT) + [ -n "$servport" ] && \ + startup_error "Error: server port may not be specified in an ACCEPT rule;"\ + "rule: \"$rule\"" + ;; + REDIRECT) + [ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\ + " specify a server IP; rule: \"$rule\"" + servport=${servport:=$port} + ;; + DNAT) + [ -n "$serv" ] || startup_error "Error: DNAT rules require a" \ + " server address; rule: \"$rule\"" + ;; + esac + + if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then + error_message "Warning -- Rule \"$rule\" is a POLICY" + error_message " -- and should be moved to the policy file" + fi + + if [ -n "${serv}${servport}" ]; then + ################################################################## + # Destination is a Specific Server or we're redirecting a port + # + if [ -n "$addr" -a "$addr" != "$serv" ]; then + ############################################################## + # Must use Prerouting DNAT + # + if [ -z "$NAT_ENABLED" ]; then + startup_error \ + "Error - Rule \"$rule\" requires NAT which is disabled" + fi + + if [ "$target" != "ACCEPT" ]; then + startup_error "Error - Only ACCEPT rules may specify " \ + "port mapping; rule \"$rule\"" + fi + fi + else + [ -n "$addr" ] && startup_error \ + "Error: An ADDRESS ($addr) is only allowed in" \ + " a DNAT or REDIRECT rule: \"$rule\"" + fi + } + ############################################################################ + # V a l i d a t e _ R u l e S t a r t s H e r e + ############################################################################ + # Parse the Target and Clients columns + # + if [ "$target" = "${target%:*}" ]; then + loglevel= + else + loglevel="${target#*:}" + target="${target%:*}" + expandv loglevel + fi + + logtarget="$target" + # + # DNAT and REDIRECT targets were implemented in version 1.3 to replace + # an older syntax. 
We simply map the new syntax into the old and proceed; + # that way, people who have files with the old syntax don't need to + # convert right away. + # + case $target in + DNAT) + target=ACCEPT + address=${address:=detect} + ;; + REDIRECT) + target=ACCEPT + address=${address:=all} + if [ "x-" = "x$servers" ]; then + servers=$FW + else + servers="fw::$servers" + fi + ;; + ACCEPT|DROP|REJECT) + ;; + *) + startup_error "Error: Invalid target;" \ + " rule: \"$rule\"" + + esac + + if [ "$clients" = "${clients%:*}" ]; then + clientzone="$clients" + clients= + else + clientzone="${clients%:*}" + clients="${clients#*:}" + [ -z "$clientzone" -o -z "$clients" ] && \ + startup_error "Error: Empty source zone or qualifier: rule \"$rule\"" + fi + + if [ "$clientzone" = "${clientzone%\!*}" ]; then + excludezones= + else + excludezones="${clientzone#*\!}" + clientzone="${clientzone%\!*}" + + [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ + startup_error "Error: Exclude list only allowed with DNAT or REDIRECT" + fi + ############################################################################ + # Validate the Source Zone + + if ! 
validate_zone $clientzone; then + startup_error "Error: Undefined Client Zone in rule \"$rule\"" + fi + + source=$clientzone + + [ $source = $FW ] && source_hosts= || eval source_hosts=\"\$${source}_hosts\" + + ############################################################################ + # Parse the servers column + # + if [ "$servers" = "${servers%:*}" ] ; then + serverzone="$servers" + servers= + serverport= + else + serverzone="${servers%%:*}" + servers="${servers#*:}" + if [ "$servers" != "${servers%:*}" ] ; then + serverport="${servers#*:}" + servers="${servers%:*}" + [ -z "$serverzone" -o -z "$serverport" ] && \ + startup_error "Error: Empty destination zone or server port: rule \"$rule\"" + else + serverport= + [ -z "$serverzone" -o -z "$servers" ] && \ + startup_error "Error: Empty destination zone or qualifier: rule \"$rule\"" + fi + fi + ############################################################################ + # Validate the destination zone + # + if ! validate_zone $serverzone; then + startup_error "Error: Undefined Server Zone in rule \"$rule\"" + fi + + dest=$serverzone + ############################################################################ + # Check length of port lists if MULTIPORT set + # + if [ -n "$MULTIPORT" ]; then + validate_list $ports || + error_message "Warning: Too many destination ports: Rule \"$rule\"" + validate_list $cports || + error_message "Warning: Too many source ports: Rule \"$rule\"" + fi + + ############################################################################ + # Iterate through the various lists validating individual rules + # + for client in `separate_list ${clients:=-}`; do + for server in `separate_list ${servers:=-}`; do + for port in `separate_list ${ports:=-}`; do + for cport in `separate_list ${cports:=-}`; do + validate_a_rule + done + done + done + done + + echo " Rule \"$rule\" validated." 
+} + +################################################################################ +# validate the rules file # +################################################################################ +validate_rules() # $1 = name of rules file +{ + strip_file rules + + while read target clients servers protocol ports cports address; do + expandv clients servers protocol ports cports address + case "$target" in + + ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*) + rule="`echo $target $clients $servers $protocol $ports $cports $address`" + validate_rule + ;; + *) + rule="`echo $target $clients $servers $protocol $ports $cports $address`" + startup_error "Error: Invalid Target - rule \"$rule\" ignored" + ;; + esac + done < $TMP_DIR/rules +} + +################################################################################ +# validate the policy file # +################################################################################ +validate_policy() +{ + strip_file policy $policy + + while read client server policy loglevel synparams; do + expandv client server policy loglevel synparams + case "$client" in + all|ALL) + ;; + *) + if ! validate_zone $client; then + startup_error "Error: Undefined zone $client" + fi + esac + + case "$server" in + all|ALL) + ;; + *) + if ! 
validate_zone $server; then + startup_error "Error: Undefined zone $server" + fi + esac + + case $policy in + ACCEPT|REJECT|DROP|CONTINUE) + ;; + *) + startup_error "Error: Invalid policy $policy" + ;; + esac + + done < $TMP_DIR/policy +} + +################################################################################ +# Find broadcast addresses # +################################################################################ +find_broadcasts() { + while read z interface bcast options; do + expandv interface bcast + if [ "x$bcast" = "xdetect" ]; then + addr="`ip addr show $interface 2> /dev/null`" + if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then + addr="`echo "$addr" | \ + grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`" + echo $addr | cut -d' ' -f 1 + fi + elif [ "x${bcast}" != "x-" ]; then + echo `separate_list $bcast` + fi + done < $TMP_DIR/interfaces +} + +################################################################################ +# Find interface address--returns the first IP address assigned to the passed # +# device # +################################################################################ +find_interface_address() # $1 = interface +{ + # + # get the line of output containing the first IP address + # + addr=`ip addr show $1 2> /dev/null | grep inet | head -n1` + # + # If there wasn't one, bail out now + # + [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1" + # + # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) + # along with everything else on the line + # + echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//' +} + +################################################################################ +# Find interfaces that have the passed option specified # +################################################################################ +find_interfaces_by_option() # $1 = option +{ + while read ignore interface subnet options; do + expandv options + list_search $1 `separate_list $options` 
&& \ + echo `expand $interface` + done < $TMP_DIR/interfaces +} + +################################################################################ +# Find hosts with the passed option # +################################################################################ +find_hosts_by_option() # $1 = option +{ + while read ignore hosts options; do + expandv options + list_search $1 `separate_list $options` && \ + echo `expand $hosts` + done < $TMP_DIR/hosts + + while read ignore interface ignore1 options; do + expandv options + list_search $1 `separate_list $options` && \ + echo `expand $interface`:0.0.0.0/0 + done < $TMP_DIR/interfaces +} + +################################################################################ +# Determine if there are interfaces of the given zone and option # +# # +# Returns zero if any such interfaces are found and returns one otherwise. # +################################################################################ +have_interfaces_in_zone_with_option() # $1 = zone, $2 = option +{ + local zne=$1 + + while read z interface broadcast options; do + [ "x`expand $z`" = "x$zne" ] && expandv options && \ + list_search $1 `separate_list $options` && \ + return 0 + done < $TMP_DIR/interfaces + return 1 +} + +################################################################################ +# Flush and delete all user-defined chains in the filter table # +################################################################################ +deleteallchains() { + run_iptables -F + run_iptables -X +} + +################################################################################ +# Source a user exit file if it exists # +################################################################################ +run_user_exit() # $1 = file name +{ + local user_exit=`find_file $1` + + if [ -f $user_exit ]; then + echo "Processing $user_exit ..." + . 
$user_exit + fi +} + +################################################################################ +# Stop the Firewall - # +################################################################################ +stop_firewall() { + stopping="Yes" + + deletechain shorewall + + run_user_exit stop + + [ -n "$MANGLE_ENABLED" ] && \ + run_iptables -t mangle -F && \ + run_iptables -t mangle -X + + [ -n "$NAT_ENABLED" ] && delete_nat + delete_proxy_arp + [ -n "$TC_ENABLED" ] && delete_tc + + setpolicy INPUT DROP + setpolicy OUTPUT DROP + setpolicy FORWARD DROP + + deleteallchains + + hosts="`find_hosts_by_option routestopped`" + + strip_file routestopped + + while read interface host; do + expandv interface host + [ "x$host" = "x-" ] && host= + hosts="$hosts $interface:${host:-0.0.0.0/0}" + done < $TMP_DIR/routestopped + + for host in $hosts; do + interface=${host%:*} + subnet=${host#*:} + iptables -A INPUT -i $interface -s $subnet -j ACCEPT + iptables -A OUTPUT -o $interface -d $subnet -j ACCEPT + + for host1 in $hosts; do + [ "$host" != "$host1" ] && \ + iptables -A FORWARD -i $interface -s $subnet \ + -o ${host1%:*} -d ${host1#*:} -j ACCEPT + done + done + + iptables -A INPUT -i lo -j ACCEPT + iptables -A OUTPUT -o lo -j ACCEPT + + + for interface in `find_interfaces_by_option dhcp`; do + iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT + iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT + done + + case "$IP_FORWARDING" in + [Oo][Nn]) + echo 1 > /proc/sys/net/ipv4/ip_forward + ;; + [Oo][Ff][Ff]) + echo 0 > /proc/sys/net/ipv4/ip_forward + ;; + esac + + run_user_exit stopped + + logger "Shorewall Stopped" + + rm -rf $TMP_DIR + + case $command in + stop|clear) + ;; + *) + # + # The firewall is being stopped when we were trying to do something + # else. 
Remove the lock file and Kill the shell in case we're in a
+ # subshell
+ #
+ my_mutex_off
+ kill $$
+ ;;
+ esac
+}
+
+################################################################################
+# Remove all rules and remove all user-defined chains #
+################################################################################
+clear_firewall() {
+ stop_firewall
+
+ run_iptables -F
+
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ setpolicy INPUT ACCEPT
+ setpolicy FORWARD ACCEPT
+ setpolicy OUTPUT ACCEPT
+
+ run_user_exit clear
+
+ logger "Shorewall Cleared"
+}
+
+################################################################################
+# Set up ipsec tunnels #
+################################################################################
+setup_tunnels() # $1 = name of tunnels file
+{
+ local inchain
+ local outchain
+
+ setup_one_ipsec() # $1 = gateway $2 = gateway zone
+ {
+ options="-m state --state NEW -j ACCEPT"
+ addrule $inchain -p 50 -s $1 $options
+ addrule $outchain -p 50 -d $1 $options
+ run_iptables -A $inchain -p 51 -s $1 $options
+ run_iptables -A $outchain -p 51 -d $1 $options
+ run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
+ run_iptables -A $outchain -p udp -d $1 --dport 500 --sport 500 $options
+
+ if [ -n "$2" ]; then
+ if validate_zone $2; then
+ addrule ${FW}2${2} -p udp --sport 500 --dport 500 $options
+ else
+ error_message "Warning: Invalid gateway zone ($2)" \
+ " -- Tunnel \"$tunnel\" may encounter keying problems"
+ fi
+ fi
+
+ echo " IPSEC tunnel to $gateway defined."
+ }
+
+ setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
+ {
+ options="-m state --state NEW -j ACCEPT"
+ addrule $inchain -p $3 -s $2 $options
+ addrule $outchain -p $3 -d $2 $options
+
+ echo " $1 tunnel to $gateway defined."
+ }
+
+ strip_file tunnels $1
+
+ while read kind z gateway z1; do
+ expandv kind z gateway z1
+ tunnel="`echo $kind $z $gateway $z1`"
+ if validate_zone $z; then
+ inchain=${z}2${FW}
+ outchain=${FW}2${z}
+ case $kind in
+ ipsec|IPSEC)
+ setup_one_ipsec $gateway $z1
+ ;;
+ ipip|IPIP)
+ setup_one_other IPIP $gateway 4
+ ;;
+ gre|GRE)
+ setup_one_other GRE $gateway 47
+ ;;
+ *)
+ error_message "Tunnels of type $kind are not supported:" \
+ "Tunnel \"$tunnel\" Ignored"
+ ;;
+ esac
+ else
+ error_message "Invalid gateway zone ($z)" \
+ " -- Tunnel \"$tunnel\" Ignored"
+ fi
+ done < $TMP_DIR/tunnels
+}
+
+################################################################################
+# Setup Proxy ARP #
+################################################################################
+setup_proxy_arp() {
+
+ print_error() {
+ error_message "Invalid value for HAVEROUTE - ($haveroute)"
+ error_message "Entry \"$address $interface $external $haveroute\" ignored"
+ }
+
+ setup_one_proxy_arp() {
+ case $haveroute in
+ [Nn][Oo])
+ haveroute=
+ ;;
+ [Yy][Ee][Ss])
+ ;;
+ *)
+ if [ -n "$haveroute" ]; then
+ print_error
+ return
+ fi
+ ;;
+ esac
+
+ [ -z "$haveroute" ] && run_ip route add $address dev $interface
+
+ run_arp -Ds $address $external pub
+
+ echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
+ echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp
+
+ echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp
+
+ echo " Host $address connected to $interface added to ARP on $external"
+ }
+
+ > ${STATEDIR}/proxyarp
+
+ strip_file proxyarp
+
+ while read address interface external haveroute; do
+ expandv address interface external haveroute
+ setup_one_proxy_arp
+ done < $TMP_DIR/proxyarp
+
+ interfaces=`find_interfaces_by_option proxyarp`
+
+ for interface in $interfaces; do
+ if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then
+ echo " Enabled proxy ARP on $interface"
+ else
+ error_message "Warning: Unable to enable proxy ARP
on $interface"
+ fi
+ done
+}
+
+###############################################################################
+# Set up SYN flood protection #
+###############################################################################
+setup_syn_flood_chain ()
+ # $1 = policy chain
+ # $2 = synparams
+{
+ local chain=$1
+ local limit=${2%:*}
+ local limit_burst=${2#*:}
+
+ run_iptables -N @$chain
+ run_iptables -A @$chain \
+ -m limit --limit $limit --limit-burst $limit_burst \
+ -j RETURN
+ run_iptables -A @$chain -j DROP
+}
+
+################################################################################
+# Enable SYN flood protection on a chain #
+# -----------------------------------------------------------------------------#
+# Insert a jump rule to the protection chain from the first chain. Inserted #
+# as the second rule and restrict the jump to SYN packets #
+################################################################################
+enable_syn_flood_protection() # $1 = chain, $2 = protection chain
+{
+ run_iptables -I $1 2 -p tcp --syn -j @$2
+ echo " Enabled SYN flood protection"
+}
+
+################################################################################
+# Delete existing Proxy ARP #
+################################################################################
+delete_proxy_arp() {
+ if [ -f ${STATEDIR}/proxyarp ]; then
+ while read address interface external haveroute; do
+ qt arp -i $external -d $address pub
+ [ -z "$haveroute" ] && qt ip route del $address dev $interface
+ done < ${STATEDIR}/proxyarp
+
+ rm -f ${STATEDIR}/proxyarp
+ fi
+
+ [ -d ${STATEDIR} ] && touch ${STATEDIR}/proxyarp
+
+ for f in `ls /proc/sys/net/ipv4/conf/*/proxy_arp`; do
+ echo 0 > $f
+ done
+}
+
+################################################################################
+# Setup Static Network Address Translation (NAT) #
+################################################################################
+setup_nat() {
+ local allints
+ #
+ # At this point,
we're just interested in the network translation
+ #
+ > ${STATEDIR}/nat
+
+ strip_file nat
+
+ echo "Setting up NAT..."
+
+ while read external interface internal allints localnat; do
+ expandv external interface internal allints localnat
+ if [ -n "$ADD_IP_ALIASES" ]; then
+ qt ip addr del $external dev $interface
+ fi
+
+ if [ -z "$allints" -o "$allints" = "Yes" \
+ -o "$allints" = "yes" ]
+ then
+ addnatrule nat_in -d $external -j DNAT --to-destination $internal
+ addnatrule nat_out -s $internal -j SNAT --to-source $external
+
+ if [ "$localnat" = "Yes" -o "$localnat" = "yes" ]; then
+ run_iptables -t nat -A OUTPUT -d $external \
+ -j DNAT --to-destination $internal
+ fi
+ else
+ addnatrule `input_chain $interface` \
+ -d $external -j DNAT --to-destination $internal
+ addnatrule `output_chain $interface` \
+ -s $internal -j SNAT --to-source $external
+ fi
+
+ if [ -n "$ADD_IP_ALIASES" ]; then
+ list_search $external $aliases_to_add || \
+ aliases_to_add="$aliases_to_add $external $interface"
+ fi
+
+ echo " Host $internal NAT $external on $interface"
+ done < $TMP_DIR/nat
+}
+
+################################################################################
+# Delete existing Static NAT #
+################################################################################
+delete_nat() {
+ run_iptables -t nat -F
+ run_iptables -t nat -X
+
+ if [ -f ${STATEDIR}/nat ]; then
+ while read external interface; do
+ qt ip addr del $external dev $interface
+ done < ${STATEDIR}/nat
+
+ rm -f {$STATEDIR}/nat
+ fi
+
+ [ -d ${STATEDIR} ] && touch ${STATEDIR}/nat
+}
+
+################################################################################
+# Process TC Rule #
+################################################################################
+process_tc_rule()
+{
+ add_a_tc_rule() {
+ r=
+ chain=tcpre
+
+ if [ "x$source" != "x-" ]; then
+ case $source in
+ [0-9]*)
+ r="-s $source "
+ ;;
+ ~*)
+ r=`mac_match $source`
+ ;;
+ $FW)
+ chain=tcout
+ ;;
+ *)
+ r="-i $source "
+ ;;
+ esac
+ fi
+ [ "x$dest" = "x-" ] || r="${r}-d $dest "
+ [ "$proto" = "all" ] || r="${r}-p $proto "
+ [ "x$port" = "x-" ] || r="${r}--dport $port "
+ [ "x$sport" = "x-" ] || r="${r}--sport $sport "
+
+ run_iptables -t mangle -A $chain $r -j MARK --set-mark $mark
+
+ }
+
+ for source in `separate_list ${sources:=-}`; do
+ for dest in `separate_list ${dests:=-}`; do
+ for port in `separate_list ${ports:=-}`; do
+ for sport in `separate_list ${sports:=-}`; do
+ add_a_tc_rule
+ done
+ done
+ done
+ done
+
+ echo " TC Rule \"$rule\" added"
+}
+
+################################################################################
+# Setup queuing and classes #
+################################################################################
+setup_tc() {
+
+ echo "Setting up Traffic Control Rules..."
+
+ #
+ # Create the TC mangle chains
+ #
+ run_iptables -t mangle -N tcpre
+ run_iptables -t mangle -N tcout
+ #
+ # Process the TC Rules File
+ #
+ strip_file tcrules
+
+ while read mark sources dests proto ports sports; do
+ expandv mark sources dests proto ports sports
+ rule=`echo "$mark $sources $dests $proto $ports $sports"`
+ process_tc_rule
+ done < $TMP_DIR/tcrules
+ #
+ # Link to the TC mangle chains from the main chains
+ #
+ run_iptables -t mangle -A PREROUTING -j tcpre
+ run_iptables -t mangle -A OUTPUT -j tcout
+
+ run_user_exit tcstart
+
+}
+
+################################################################################
+# Clear Traffic Shaping #
+################################################################################
+delete_tc()
+{
+ clear_one_tc() {
+ tc qdisc del dev $1 root 2> /dev/null
+ tc qdisc del dev $1 ingress 2> /dev/null
+ }
+
+ run_user_exit tcclear
+
+ run_ip link list | \
+ while read inx interface details; do
+ case $inx in
+ [0-9]*)
+ clear_one_tc ${interface%:}
+ ;;
+ *)
+ ;;
+ esac
+ done
+}
+
+################################################################################
+# Add a NAT rule - Helper function for the rules
file processor #
+#------------------------------------------------------------------------------#
+# The caller has established the following variables: #
+# cli = Source IP, interface or MAC Specification #
+# serv = Destination IP Specification #
+# servport = Port the server is listening on #
+# dest_interface = Destination Interface Specification #
+# proto = Protocol Specification #
+# addr = Original Destination Address #
+# dports = Destination Port Specification. 'dports' may be changed #
+# by this function #
+# cport = Source Port Specification #
+# multiport = String to invoke multiport match if appropriate #
+################################################################################
+add_nat_rule() {
+ local chain
+
+ # Be sure NAT is enabled
+
+ if [ -z "$NAT_ENABLED" ]; then
+ fatal_error \
+ "Error - Rule \"$rule\" requires NAT which is disabled"
+ fi
+
+ # Onle ACCEPT (plus DNAT and REDIRECT) may result in NAT
+
+ if [ "$target" != "ACCEPT" ]; then
+ fatal_error "Error - Only DNAT and REDIRECT rules may specify " \
+ "port mapping; rule \"$rule\""
+ fi
+
+ # Parse SNAT address if any
+
+ if [ "$addr" != "${addr%:*}" ]; then
+ snat="${addr#*:}"
+ addr="${addr%:*}"
+ else
+ snat=""
+ fi
+
+ # Set original destination address
+
+ case $addr in
+ all)
+ addr=
+ ;;
+ detect)
+ addr=
+ if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then
+ eval interfaces=\$${source}_interfaces
+ for interface in $interfaces; do
+ addr="`find_interface_address $interface` $addr"
+ done
+ fi
+ ;;
+ esac
+
+ addr=${addr:-0.0.0.0/0}
+
+ # Select target
+
+ if [ -n "$serv" ]; then
+ servport="${servport:+:$servport}"
+ target1="DNAT --to-destination ${serv}${servport}"
+ else
+ target1="REDIRECT --to-port $servport"
+ fi
+
+ # Generate nat table rules
+
+ if [ "$source" = "$FW" ]; then
+ run_iptables -t nat -A OUTPUT $proto $sports -d addr
+ $multiport $dports -j $target1
+ else
+ chain=`dnat_chain $source`
+
+ if [ -n "$excludezones" ]; then
+
chain=nonat${nonat_seq}
+ nonat_seq=$(($nonat_seq + 1))
+ createnatchain $chain
+ addnatrule `dnat_chain $source` -j $chain
+ for z in $excludezones; do
+ eval hosts=\$${z}_hosts
+ for host in $hosts; do
+ for adr in $addr; do
+ addnatrule $chain $proto -s ${host#*:} \
+ $multiport $sports -d $adr $dports -j RETURN
+ done
+ done
+ done
+ fi
+
+ for adr in $addr; do
+ addnatrule $chain $proto $cli $sports \
+ -d $adr $multiport $dports -j $target1
+ done
+ fi
+
+ # Replace destination port by the new destination port
+
+ [ -n "$servport" ] && dports="--dport ${servport#*:}"
+
+ # Handle SNAT
+
+ if [ -n "$snat" ]; then
+ if [ -n "$cli" ]; then
+ addnatrule `snat_chain $dest` $proto $cli $multiport \
+ $sports -d $serv $dports -j SNAT --to-source $snat
+ else
+ for source_host in $source_hosts; do
+ [ "x${source_host#*:}" = "x0.0.0.0/0" ] && \
+ error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\""
+
+ addnatrule `snat_chain $dest` \
+ -s ${source_host#*:} $proto $sports $multiport \
+ -d $serv $dports -j SNAT --to-source $snat
+ done
+ fi
+ fi
+}
+
+################################################################################
+# Add one Filter Rule -- Helper function for the rules file processor #
+#------------------------------------------------------------------------------#
+# The caller has established the following variables: #
+# client = SOURCE IP or MAC #
+# server = DESTINATION IP or interface #
+# protocol = Protocol #
+# address = Original Destination Address #
+# port = Destination Port #
+# cport = Source Port #
+# multioption = String to invoke multiport match if appropriate #
+# servport = Port the server listens on #
+# chain = The canonical chain for this rule #
+################################################################################
+add_a_rule()
+{
+ # Set source variables
+
+ cli=
+
+ [ -n "$client" ] && case "$client" in
+ -)
+ ;;
+ [0-9]*|![0-9]*)
+ cli="-s $client"
+ ;;
+ ~*)
+
cli=`mac_match $client`
+ ;;
+ *)
+ cli="-i $client"
+ ;;
+ esac
+
+ # Set destination variables
+
+ dest_interface=
+
+ [ -n "$server" ] && case "$server" in
+ -)
+ serv=
+ ;;
+ [0-9]*|![0-9]*)
+ serv=$server
+ ;;
+ *)
+ dest_interface="-o $server"
+ serv=
+ ;;
+ esac
+
+ # Setup protocol and port variables
+
+ sports=
+ dports=
+ state="-m state --state NEW"
+ proto=$protocol
+ addr=$address
+ servport=$serverport
+ multiport=
+
+ case $proto in
+ tcp|udp|TCP|UDP|6|17)
+ if [ -n "$port" -a "x${port}" != "x-" ]; then
+ [ -n "$multioption" ] && \
+ [ "$port" != "${port%,*}" ] && \
+ multiport="$multioption"
+ dports="--dport $port"
+ fi
+
+ if [ -n "$cport" -a "x${cport}" != "x-" ]; then
+ [ -n "$multioption" ] && \
+ [ -z "$multiport" ] && \
+ [ "$cport" != "${cport%,*}" ] && \
+ multiport="$multioption"
+ sports="--sport $cport"
+ fi
+ ;;
+ icmp|ICMP|1)
+ [ -n "$port" ] && [ "x${port}" != "x-" ] && \
+ dports="--icmp-type $port"
+ state=
+ ;;
+ all|ALL)
+ [ -n "$port" ] && [ "x${port}" != "x-" ] && \
+ fatal_error "Port number not allowed with \"all\";" \
+ " rule: \"$rule\""
+ proto=
+ ;;
+ related|RELATED)
+ proto=
+ state="-m state --state RELATED"
+ ;;
+ *)
+ [ -n "$port" ] && [ "x${port}" != "x-" ] && \
+ fatal_error "Port number not allowed with protocol " \
+ "\"$proto\"; rule: \"$rule\""
+ ;;
+ esac
+
+ proto="${proto:+-p $proto}"
+
+ # Some misc.
setup
+
+ case "$logtarget" in
+ REJECT)
+ target=reject
+ [ -n "$servport" ] && \
+ fatal_error "Error: server port may not be specified in a REJECT rule;"\
+ "rule: \"$rule\""
+ ;;
+ REDIRECT)
+ [ -n "$serv" ] && startup_error "Error: REDIRECT rules cannot"\
+ " specify a server IP; rule: \"$rule\""
+ servport=${servport:=$port}
+ ;;
+ DNAT)
+ [ -n "$serv" ] || fatal_error "Error: DNAT rules require a" \
+ " server address; rule: \"$rule\""
+ ;;
+ esac
+
+ # Complain if the rule is really a policy
+
+ if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then
+ error_message "Warning -- Rule \"$rule\" is a POLICY"
+ error_message " -- and should be moved to the policy file"
+ fi
+
+ if [ -n "${serv}${servport}" ]; then
+
+ # A specific server or server port given
+
+ [ -n "$addr" -a "$addr" != "$serv" ] && add_nat_rule
+
+ serv="${serv:+-d $serv}"
+
+ [ -n "$loglevel" ] && run_iptables -A $chain $proto $multiport \
+ $state $cli $sports $serv $dports -j LOG $LOGPARMS \
+ --log-prefix "Shorewall:$chain:$logtarget:" \
+ --log-level $loglevel
+ run_iptables -A $chain $proto $multiport $state $cli $sports \
+ $serv $dports -j $target
+ else
+
+ # Destination is a simple zone
+
+ [ -n "$addr" ] && fatal_error \
+ "Error: An ADDRESS ($addr) is only allowed in" \
+ " a DNAT or REDIRECT: \"$rule\""
+
+ [ -n "$loglevel" ] && run_iptables -A $chain $proto $multiport \
+ $dest_interface $state $cli $sports $dports -j LOG \
+ $LOGPARMS --log-prefix "Shorewall:$chain:$logtarget:" \
+ --log-level $loglevel
+
+ run_iptables -A $chain $proto $multiport $dest_interface $state \
+ $cli $sports $dports -j $target
+ fi
+}
+
+################################################################################
+# Process a record from the rules file #
+# #
+# The caller has loaded the column contents from the record into the following #
+# variables: #
+# #
+# target clients servers protocol ports cports address #
+# #
+# and has loaded a space-separated list of their values in
"rule". # +# # +# The 'multioption' variable has also been loaded appropriately to reflect # +# the setting of the MULTIPORT option in /etc/shorewall/shorewall.conf # +################################################################################ +process_rule() { + + # Function to count list elements + + list_count() { + local temp=`separate_list $1` + + echo $temp | wc -w + } + + # Function Body -- isolate log level + + if [ "$target" = "${target%:*}" ]; then + loglevel= + else + loglevel="${target#*:}" + target="${target%:*}" + expandv loglevel + fi + + logtarget="$target" + + # Convert 1.3 Rule formats to 1.2 format + + case $target in + DNAT) + target=ACCEPT + address=${address:=detect} + ;; + REDIRECT) + target=ACCEPT + address=${address:=all} + if [ "x-" = "x$servers" ]; then + servers=$FW + else + servers="$FW::$servers" + fi + ;; + esac + + # Parse and validate source + + if [ "$clients" = "${clients%:*}" ]; then + clientzone="$clients" + clients= + else + clientzone="${clients%:*}" + clients="${clients#*:}" + [ -z "$clientzone" -o -z "$clients" ] && \ + fatal_error "Error: Empty source zone or qualifier: rule \"$rule\"" + fi + + if [ "$clientzone" = "${clientzone%\!*}" ]; then + excludezones= + else + excludezones="${clientzone#*\!}" + clientzone="${clientzone%\!*}" + + [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ + fatal_error "Error: Exclude list only allowed with DNAT or REDIRECT" + fi + + if ! 
validate_zone $clientzone; then
+ fatal_error "Error: Undefined Client Zone in rule \"$rule\""
+ fi
+
+ # Parse and validate destination
+
+ source=$clientzone
+
+ [ $source = $FW ] && source_hosts= || eval source_hosts=\"\$${source}_hosts\"
+
+ if [ "$servers" = "${servers%:*}" ] ; then
+ serverzone="$servers"
+ servers=
+ serverport=
+ else
+ serverzone="${servers%%:*}"
+ servers="${servers#*:}"
+ if [ "$servers" != "${servers%:*}" ] ; then
+ serverport="${servers#*:}"
+ servers="${servers%:*}"
+ [ -z "$serverzone" -o -z "$serverport" ] && \
+ fatal_error "Error: Empty destination zone or server port: rule \"$rule\""
+ else
+ serverport=
+ [ -z "$serverzone" -o -z "$servers" ] && \
+ startup_error "Error: Empty destination zone or qualifier: rule \"$rule\""
+ fi
+ fi
+
+ if ! validate_zone $serverzone; then
+ fatal_error "Error: Undefined Server Zone in rule \"$rule\""
+ fi
+
+ dest=$serverzone
+
+ # Create canonical chain if necessary
+
+ chain=${source}2${dest}
+ ensurechain $chain
+
+ # Generate Netfilter rule(s)
+
+ if [ -n "$MULTIPORT" -a \
+ "$ports" = "${ports%:*}" -a \
+ "$cports" = "${cports%:*}" -a \
+ `list_count $ports` -le 15 -a \
+ `list_count $cports` -le 15 ]
+ then
+ multioption="-m multiport"
+ for client in `separate_list ${clients:=-}`; do
+ for server in `separate_list ${servers:=-}`; do
+ port=${ports:=-}
+ cport=${cports:=-}
+ add_a_rule
+ done
+ done
+ else
+ multioption=
+ for client in `separate_list ${clients:=-}`; do
+ for server in `separate_list ${servers:=-}`; do
+ for port in `separate_list ${ports:=-}`; do
+ for cport in `separate_list ${cports:=-}`; do
+ add_a_rule
+ done
+ done
+ done
+ done
+ fi
+
+ echo " Rule \"$rule\" added."
+}
+
+################################################################################
+# Process the rules file #
+################################################################################
+process_rules() # $1 = name of rules file
+{
+ strip_file rules
+
+ while read target clients servers protocol ports cports address; do
+ case "$target" in
+
+ ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*)
+ expandv clients servers protocol ports cports address
+ rule="`echo $target $clients $servers $protocol $ports $cports $address`"
+ process_rule
+ ;;
+ *)
+ rule="`echo $target $clients $servers $protocol $ports $cports $address`"
+ fatal_error "Error: Invalid Target in rule \"$rule\""
+ ;;
+ esac
+ done < $TMP_DIR/rules
+}
+
+################################################################################
+# Process a record from the tos file #
+# #
+# The caller has loaded the column contents from the record into the following #
+# variables: #
+# #
+# src dst protocol sport dport tos #
+# #
+# and has loaded a space-separated list of their values in "rule".
#
+################################################################################
+process_tos_rule() {
+ ############################################################################
+ # Parse the contents of the 'src' variable
+ #
+ if [ "$src" = "${src%:*}" ]; then
+ srczone="$src"
+ src=
+ else
+ srczone="${src%:*}"
+ src="${src#*:}"
+ fi
+
+ source=
+ #
+ # Validate the source zone
+ #
+ if validate_zone $srczone; then
+ source=$srczone
+ elif [ "$srczone" = "all" ]; then
+ source="all"
+ else
+ error_message "Warning: Undefined Source Zone - rule \"$rule\" ignored"
+ return
+ fi
+
+ [ -n "$src" ] && case "$src" in
+ [0-9]*|![0-9]*)
+ #
+ # IP Address or subnet
+ #
+ src="-s $src"
+ ;;
+ ~*)
+ src=`mac_match $src`
+ ;;
+ *)
+ #
+ # Assume that this is a device name
+ #
+ src="-i $src"
+ ;;
+ esac
+
+ ############################################################################
+ # Parse the contents of the 'dst' variable
+ #
+ if [ "$dst" = "${dst%:*}" ]; then
+ dstzone="$dst"
+ dst=
+ else
+ dstzone="${dst%:*}"
+ dst="${dst#*:}"
+ fi
+
+ dest=
+ #
+ # Validate the destination zone
+ #
+ if validate_zone $dstzone; then
+ dest=$dstzone
+ elif [ "$dstzone" = "all" ]; then
+ dest="all"
+ else
+ error_message \
+ "Warning: Undefined Destination Zone - rule \"$rule\" ignored"
+ return
+ fi
+
+ [ -n "$dst" ] && case "$dst" in
+ [0-9]*|![0-9]*)
+ #
+ # IP Address or subnet
+ #
+ ;;
+ *)
+ #
+ # Assume that this is a device name
+ #
+ error_message \
+ "Warning: Invalid Destination - rule \"$rule\" ignored"
+ return
+ ;;
+ esac
+
+ ############################################################################
+ # Setup PROTOCOL and PORT variables
+ #
+ sports=""
+ dports=""
+
+ case $protocol in
+ tcp|udp|TCP|UDP|6|17)
+ [ -n "$sport" ] && [ "x${sport}" != "x-" ] && \
+ sports="--sport $sport"
+ [ -n "$dport" ] && [ "x${dport}" != "x-" ] && \
+ dports="--dport $dport"
+ ;;
+ icmp|ICMP|0)
+ [ -n "$dport" ] && [ "x${dport}" != "x-" ] && \
+ dports="--icmp-type $dport"
+
;;
+ all|ALL)
+ protocol=
+ ;;
+ *)
+ ;;
+ esac
+
+ protocol="${protocol:+-p $protocol}"
+
+ tos="-j TOS --set-tos $tos"
+
+ case "$dstzone" in
+ all|ALL)
+ dst=0.0.0.0/0
+ ;;
+ *)
+ [ -z "$dst" ] && eval dst=\$${dstzone}_hosts
+ ;;
+ esac
+
+ for dest in $dst; do
+ dest="-d $dest"
+
+ case $srczone in
+ $FW)
+ run_iptables -t mangle -A outtos \
+ $protocol $dest $dports $sports $tos
+ ;;
+ all|ALL)
+ run_iptables -t mangle -A outtos \
+ $protocol $dest $dports $sports $tos
+ run_iptables -t mangle -A pretos \
+ $protocol $dest $dports $sports $tos
+ ;;
+ *)
+ if [ -n "$src" ]; then
+ run_iptables -t mangle -A pretos $src \
+ $protocol $dest $dports $sports $tos
+ else
+ eval interfaces=\$${srczone}_interfaces
+
+ for interface in $interfaces; do
+ run_iptables -t mangle -A pretos -i $interface \
+ $protocol $dest $dports $sports $tos
+ done
+ fi
+ ;;
+ esac
+ done
+
+ echo " Rule \"$rule\" added."
+}
+
+################################################################################
+# Process the tos file #
+################################################################################
+process_tos() # $1 = name of tos file
+{
+ echo "Processing $1..."
+
+ run_iptables -t mangle -N pretos
+ run_iptables -t mangle -N outtos
+
+ strip_file tos $1
+
+ while read src dst protocol sport dport tos; do
+ expandv src dst protocol sport dport tos
+ rule="`echo $src $dst $protocol $sport $dport $tos`"
+ process_tos_rule
+ done < $TMP_DIR/tos
+
+ run_iptables -t mangle -A PREROUTING -j pretos
+ run_iptables -t mangle -A OUTPUT -j outtos
+}
+
+################################################################################
+# Load a Kernel Module #
+################################################################################
+loadmodule() # $1 = module name, $2 - * arguments
+{
+ local modulename=$1
+ local modulefile
+
+ if [ -z "`lsmod | grep $modulename`" ]; then
+ shift
+ modulefile=$MODULESDIR/${modulename}.o
+
+ if [ -f $modulefile ]; then
+ insmod $modulefile $*
+ return
+ fi
+ #
+ # If the modules directory contains compressed modules then we'll
+ # assume that insmod can load them
+ #
+ modulefile=${modulefile}.gz
+
+ if [ -f $modulefile ]; then
+ insmod $modulefile $*
+ fi
+ fi
+}
+
+################################################################################
+# Display elements of a list with leading white space #
+################################################################################
+display_list() # $1 = List Title, rest of $* = list to display
+{
+ [ $# -gt 1 ] && echo " $*"
+}
+
+################################################################################
+# Add rules to the "common" chain to silently drop packets addressed to any of #
+# the passed addresses #
+################################################################################
+drop_broadcasts() # $* = broadcast addresses
+{
+ while [ $# -gt 0 ]; do
+ run_iptables -A common -d $1 -j DROP
+ shift
+ done
+}
+
+################################################################################
+# Add policy rule ( and possibly logging rule) to the passed chain #
+################################################################################
+policy_rules() # $1 = chain to add rules to
+ # $2 = policy
+ # $3 = loglevel
+{
+ local target="$2"
+
+ case "$target" in
+ ACCEPT)
+ ;;
+
+ DROP)
+ run_iptables -A $1 -j common
+ ;;
+ REJECT)
+ run_iptables -A $1 -j common
+ target=reject
+ ;;
+ CONTINUE)
+ target=
+ ;;
+ *)
+ fatal_error "Invalid policy ($policy) for $1"
+ ;;
+
+ esac
+
+ [ $# -eq 3 ] && [ "x${3}" != "x-" ] && run_iptables -A $1 -j LOG $LOGPARMS \
+ --log-prefix "Shorewall:${1}:${2}:" --log-level $3
+ [ -n "$target" ] && run_iptables -A $1 -j $target
+}
+
+################################################################################
+# Generate default policy & log level rules for the passed client & server #
+# zones #
+#------------------------------------------------------------------------------#
+# This function is only called when the canonical chain for this client/server #
+# pair is known to exist. If the default policy for this pair specifies the #
+# same chain then we add the policy (and logging) rule to the canonical chain; #
+# otherwise add a rule to the canonical chain to jump to the appropriate #
+# policy chain. #
+################################################################################
+default_policy() # $1 = client $2 = server
+{
+ local chain="${1}2${2}"
+ local policy=
+ local loglevel=
+ local chain1
+
+ jump_to_policy_chain() {
+ ########################################################################
+ # Add a jump to from the canonical chain to the policy chain.
On return,
+ # $chain is set to the name of the policy chain
+ #
+ run_iptables -A $chain -j $chain1
+ chain=$chain1
+ }
+
+ apply_default()
+ {
+ ########################################################################
+ # Add the appropriate rules to the canonical chain ($chain) to enforce
+ # the specified policy
+ #-----------------------------------------------------------------------
+ # Construct policy chain name
+ #
+ chain1=${client}2${server}
+
+ if [ "$chain" = "$chain1" ]; then
+ ####################################################################
+ # The policy chain is the canonical chain; add policy rule to it
+ # The syn flood jump has already been added if required.
+ #
+ policy_rules $chain $policy $loglevel
+ else
+ ####################################################################
+ # The policy chain is different from the canonical chain -- approach
+ # depends on the policy
+ #
+ case $policy in
+ ACCEPT)
+ if [ -n "$synparams" ]; then
+ ############################################################
+ # To avoid double-counting SYN packets, enforce the policy
+ # in this chain.
+ #
+ enable_syn_flood_protection $chain $chain1
+ policy_rules $chain $policy $loglevel
+ else
+ ############################################################
+ # No problem with double-counting so just jump to the
+ # policy chain.
+ #
+ jump_to_policy_chain
+ fi
+ ;;
+ CONTINUE)
+ ################################################################
+ # Silly to jump to the policy chain -- add any logging
+ # rules and enable SYN flood protection if requested
+ #
+ [ -n "$synparams" ] && \
+ enable_syn_flood_protection $chain $chain1
+ policy_rules $chain $policy $loglevel
+ ;;
+ *)
+ ################################################################
+ # DROP or REJECT policy -- enforce in the policy chain and
+ # enable SYN flood protection if requested.
+ #
+ [ -n "$synparams" ] && \
+ enable_syn_flood_protection $chain $chain1
+ jump_to_policy_chain
+ ;;
+ esac
+ fi
+
+ echo " Policy $policy for $1 to $2 using chain $chain"
+ }
+
+ while read client server policy loglevel synparams; do
+ expandv client server policy loglevel synparams
+ case "$client" in
+ all|ALL)
+ if [ "$server" = "$2" -o "$server" = "all" ]; then
+ apply_default $1 $2
+ return
+ fi
+ ;;
+ *)
+ if [ "$client" = "$1" ] && \
+ [ "$server" = "all" -o "$server" = "$2" ]
+ then
+ apply_default $1 $2
+ return
+ fi
+ ;;
+ esac
+ done < $TMP_DIR/policy
+
+ fatal_error "Error: No default policy for zone $1 to zone $2"
+}
+
+################################################################################
+# Complete a standard chain
+#
+# - run any supplied user exit
+# - search the policy file for an applicable policy and add rules as
+# appropriate
+# - If no applicable policy is found, add rules for an assummed
+# policy of DROP INFO
+################################################################################
+complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
+{
+ local policy=
+ local loglevel=
+
+ run_user_exit $1
+
+ while read client server policy loglevel synparams; do
+ expandv client server policy loglevelsynparams
+
+ [ "x$loglevel" = "x-" ] && loglevel=
+
+ case "$client" in
+ all|ALL)
+ if [ "$server" = "$3" -o "$server" = "all" ]; then
+ policy_rules $1 $policy $loglevel
+ return
+ fi
+ ;;
+ *)
+ if [ "$client" = "$2" ] && \
+ [ "$server" = "all" -o "$server" = "$3" ]
+ then
+ policy_rules $1 $policy $loglevel
+ return
+ fi
+ ;;
+ esac
+ done < $TMP_DIR/policy
+
+ policy_rules $1 DROP INFO
+}
+
+################################################################################
+# Find the appropriate chain to pass packets from a source zone to a #
+# destination zone #
+# #
+# If the canonical chain for this zone pair exists, echo it's name; otherwise #
+# locate and echo the name of the appropriate policy
chain #
+################################################################################
+rules_chain() # $1 = source zone, $2 = destination zone
+{
+ local chain=${1}2${2}
+
+ havechain $chain && { echo $chain; return; }
+
+ while read client server policy loglevel ; do
+ expandv client server policy loglevel
+ case "$client" in
+ all|ALL)
+ if [ "$server" = "$2" -o "$server" = "all" ]; then
+ echo all2${server}
+ return
+ fi
+ ;;
+ *)
+ if [ "$client" = "$1" -a "$server" = "all" ]; then
+ echo ${client}2${server}
+ return
+ fi
+ ;;
+ esac
+ done < $TMP_DIR/policy
+
+ fatal_error "Error: No appropriate chain for zone $1 to zone $2"
+}
+
+################################################################################
+# Set up Source NAT (including masquerading) #
+################################################################################
+setup_masq()
+{
+ setup_one() {
+ local using
+
+ if [ "$interface" = "${interface%:*}" ]; then
+ destnet="0.0.0.0/0"
+ else
+ destnet="${interface#*:}"
+ interface="${interface%:*}"
+ fi
+
+ if [ "$subnet" = "${subnet%!*}" ]; then
+ nomasq=
+ else
+ nomasq="${subnet#*!}"
+ subnet="${subnet%!*}"
+ fi
+
+ chain=`masq_chain $interface`
+ iface=
+
+ case $subnet in
+ [0-9]*|![0-9]*)
+ source="$subnet"
+ subnet="-s $subnet"
+ ;;
+ -)
+ #
+ # Note: This only works if you have the LOCAL NAT patches in the
+ # kernel and in the iptables utility
+ #
+ chain=OUTPUT
+ subnet=
+ source=$FW
+ iface="-o $interface"
+ ;;
+ *)
+ ipaddr="`run_ip addr show $subnet | grep 'inet '`"
+ source="$subnet"
+ if [ -z "$ipaddr" ]; then
+ fatal_error \
+ "Interface $subnet must be up before Shorewall starts"
+ fi
+
+ subnet="`echo $ipaddr | sed s/" "// | cut -d' ' -f2`"
+ [ -z "`echo "$subnet" | grep '/'`" ] && subnet="${subnet}/32"
+ subnet="-s $subnet"
+ ;;
+ esac
+
+ if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
+ list_search $address $aliases_to_add || \
+ aliases_to_add="$aliases_to_add $external $address"
+ fi
+
+ destination=$destnet
+
+ if [ -n "$nomasq" ]; then
+ newchain=masq${masq_seq}
+ run_iptables -t nat -N $newchain
+ addnatrule $chain -d $destnet $iface $subnet -j $newchain
+ masq_seq=$(($masq_seq + 1))
+ chain=$newchain
+ subnet=
+ iface=
+ destnet=
+
+ for addr in `separate_list $nomasq`; do
+ addnatrule $chain -s $addr -j RETURN
+ done
+ else
+ destnet="-d $destnet"
+ fi
+
+ if [ -n "$address" ]; then
+ addnatrule $chain $subnet $destnet $iface \
+ -j SNAT --to-source $address
+ using=" using $address"
+ else
+ addnatrule $chain $subnet $destnet $iface -j MASQUERADE
+ using=
+ fi
+
+ [ -n "$nomasq" ] && source="$source except $nomasq"
+ echo " To $destination from $source through ${interface}${using}"
+ }
+
+ strip_file masq $1
+
+ [ -n "$NAT_ENABLED" ] && echo "Masqueraded Subnets and Hosts:"
+
+ while read interface subnet address; do
+ expandv interface subnet address
+ [ -n "$NAT_ENABLED" ] && setup_one || \
+ error_message "Warning: NAT disabled; masq rule ignored"
+ done < $TMP_DIR/masq
+}
+
+################################################################################
+# Setup Intrazone chain if appropriate #
+################################################################################
+setup_intrazone() # $1 = zone
+{
+ eval hosts=\$${1}_hosts
+
+ if [ "$hosts" != "${hosts% *}" ] || \
+ have_interfaces_in_zone_with_option $1 multi
+ then
+ ensurechain ${1}2${1}
+ fi
+}
+
+###############################################################################
+# Process a record from the blacklist file #
+# #
+# $subnet = address/subnet #
+###############################################################################
+process_blacklist_rec() {
+ local source
+ local addr
+
+ for addr in `separate_list $subnet`; do
+ case $addr in
+ ~*)
+ addr=`echo $addr | sed 's/~//;s/-/:/g'`
+ source="--match mac --mac-source $addr"
+ ;;
+ *)
+ source="-s $addr"
+ ;;
+ esac
+
+ [ -n "$BLACKLIST_LOGLEVEL" ] && \
+ run_iptables -A blacklst $source -j LOG $LOGPARMS --log-prefix \
+ "Shorewall:blacklst:$BLACKLIST_DISPOSITION:" \
+ --log-level $BLACKLIST_LOGLEVEL
+ run_iptables -A blacklst $source -j $disposition
+
+ echo " $addr added to Black List"
+ done
+}
+
+###############################################################################
+# Setup the Black List #
+###############################################################################
+setup_blacklist() {
+ local interfaces=`find_interfaces_by_option blacklist`
+ local f=`find_file blacklist`
+ local disposition=$BLACKLIST_DISPOSITION
+
+ if [ -n "$interfaces" -a -f $f ]; then
+ echo "Setting up Blacklisting..."
+
+ strip_file blacklist $f
+
+ createchain blacklst no
+
+ for interface in $interfaces; do
+ for chain in `first_chains $interface`; do
+ run_iptables -A $chain -j blacklst
+ done
+
+ echo " Blacklisting enabled on $interface"
+ done
+
+ [ "$disposition" = REJECT ] && disposition=reject
+
+ while read subnet; do
+ expandv subnet
+ process_blacklist_rec
+ done < $TMP_DIR/blacklist
+
+ fi
+}
+
+###############################################################################
+# Refresh the Black List #
+###############################################################################
+refresh_blacklist() {
+ local f=`find_file blacklist`
+ local disposition=$BLACKLIST_DISPOSITION
+
+ if qt iptables -L blacklst -n ; then
+ echo "Refreshing Black List..."
+
+ strip_file blacklist $f
+
+ [ "$disposition" = REJECT ] && disposition=reject
+
+ run_iptables -F blacklst
+
+ while read subnet; do
+ expandv subnet
+ process_blacklist_rec
+ done < $TMP_DIR/blacklist
+ fi
+}
+
+###############################################################################
+# Verify that kernel has netfilter support #
+###############################################################################
+verify_os_version() {
+
+ osversion=`uname -r`
+
+ case $osversion in
+ 2.4.*|2.5.*)
+ ;;
+ *)
+ startup_error "Shorewall version $version does not work with kernel version $osversion"
+ ;;
+ esac
+}
+
+################################################################################
+# Add IP Aliases #
+################################################################################
+add_ip_aliases()
+{
+ do_one()
+ {
+ #
+ # Folks feel uneasy if they don't see all of the same
+ # decoration on these IP addresses that they see when their
+ # distro's net config tool adds them. In an attempt to reduce
+ # the anxiety level, we have the following code which sets
+ # the VLSM and BRD from the primary address
+ #
+ # Get all of the lines that contain inet addresses with broadcast
+ #
+ val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null
+
+ if [ -n "$val" ] ; then
+ #
+ # Hack off the leading 'inet ' (actually cut off the
+ # "/" as well but add it back in).
+
+ #
+ val="/${val#*/}"
+ #
+ # Now get the VLSM, "brd" and the broadcast address
+ #
+ val=${val%% scope*}
+ fi
+
+ run_ip addr add ${external}${val} dev $interface
+ echo "$external $interface" >> ${STATEDIR}/nat
+ echo " IP Address $external added to interface $interface"
+ }
+
+ set -- $aliases_to_add
+
+ while [ $# -gt 0 ]; do
+ external=$1
+ interface=$2
+ shift;shift
+ do_one
+ done
+}
+
+################################################################################
+# Load kernel modules required for Shorewall #
+################################################################################
+load_kernel_modules() {
+
+ [ -z "$MODULESDIR" ] &&
+ MODULESDIR=/lib/modules/$osversion/kernel/net/ipv4/netfilter
+
+ modules=`find_file modules`
+
+ if [ -f $modules -a -d $MODULESDIR ]; then
+ echo "Loading Modules..."
+ . $modules
+ fi
+}
+
+################################################################################
+# Perform Initialization #
+# - Delete all old rules #
+# - Delete all user chains #
+# - Set the POLICY on all standard chains and add a rule to allow packets#
+# that are part of established connections. #
+# - Determine the zones
+################################################################################
+initialize_netfilter () {
+
+ echo "Determining Zones..."
+
+ determine_zones
+
+ [ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
+
+ display_list "Zones:" $zones
+
+ echo "Validating interfaces file..."
+
+ validate_interfaces_file
+
+ echo "Validating hosts file..."
+
+ validate_hosts_file
+
+ echo "Validating Policy file..."
+
+ validate_policy
+
+ echo "Determining Hosts in Zones..."
+
+ determine_interfaces
+ determine_hosts
+
+ deletechain shorewall
+
+ [ -n "$NAT_ENABLED" ] && delete_nat
+
+ delete_proxy_arp
+
+ [ -n "$MANGLE_ENABLED" ] && \
+ run_iptables -t mangle -F && \
+ run_iptables -t mangle -X
+
+ [ -n "$TC_ENABLED" ] && delete_tc
+
+ run_user_exit init
+
+ echo "Deleting user chains..."
+
+ setpolicy INPUT DROP
+ setpolicy OUTPUT DROP
+ setpolicy FORWARD DROP
+
+ deleteallchains
+
+ setcontinue FORWARD
+ setcontinue INPUT
+ setcontinue OUTPUT
+
+ [ -n "$CLAMPMSS" ] && \
+ run_iptables -A FORWARD -p tcp \
+ --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+
+ createchain newnotsyn no
+ run_user_exit newnotsyn
+ [ -n "$LOGNEWNOTSYN" ] && \
+ run_iptables -A newnotsyn -j LOG \
+ --log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
+ run_iptables -A newnotsyn -j DROP
+
+ createchain icmpdef no
+ createchain common no
+ createchain reject no
+ createchain dynamic no
+
+ if [ -f /var/lib/shorewall/save ]; then
+ echo "Restoring dynamic rules..."
+
+ while read target ignore1 ignore2 address rest; do
+ case $target in
+ DROP|reject)
+ run_iptables -A dynamic -s $address -j $target
+ ;;
+ *)
+ ;;
+ esac
+ done < /var/lib/shorewall/save
+ fi
+
+ echo "Creating input Chains..."
+
+ for interface in $all_interfaces; do
+ createchain `forward_chain $interface` no
+ run_iptables -A `forward_chain $interface` -j dynamic
+ createchain `input_chain $interface` no
+ run_iptables -A `input_chain $interface` -j dynamic
+ done
+}
+
+################################################################################
+# Construct zone-independent rules #
+################################################################################
+add_common_rules() {
+ logdisp() # $1 = Chain Name
+ {
+ echo "LOG --log-prefix "Shorewall:${1}:DROP:" --log-level info"
+ }
+ ############################################################################
+ # Reject Rules
+ #
+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
+ run_iptables -A reject -j REJECT
+ ############################################################################
+ # dropunclean rules
+ #
+ interfaces="`find_interfaces_by_option dropunclean`"
+
+ if [ -n "$interfaces" ]; then
+ createchain badpkt no
+
+ if [ -n "$LOGUNCLEAN" ]; then
+ logoptions="$LOGPARAMS --log-prefix Shorewall:badpkt:DROP:"
+ logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
+ run_iptables -A badpkt -p tcp -j LOG $logoptions --log-tcp-options
+ run_iptables -A badpkt -p !tcp -j LOG $logoptions
+ fi
+
+ run_iptables -A badpkt -j DROP
+ echo "Mangled/Invalid Packet filtering enabled on:"
+
+ for interface in $interfaces; do
+ for chain in `first_chains $interface`; do
+ run_iptables -A $chain --match unclean -j badpkt
+ done
+ echo " $interface"
+ done
+ fi
+ ############################################################################
+ # logunclean rules
+ #
+ interfaces="`find_interfaces_by_option logunclean`"
+
+ if [ -n "$interfaces" ]; then
+ createchain logpkt no
+
+ [ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
+ logoptions="$LOGPARAMS --log-prefix Shorewall:logpkt:LOG:"
+ logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
+ run_iptables -A logpkt -p tcp -j LOG $logoptions --log-tcp-options
+ run_iptables -A logpkt -p !tcp -j LOG $logoptions
+
+ echo "Mangled/Invalid Packet Logging enabled on:"
+
+ for interface in $interfaces; do
+ for chain in `first_chains $interface`; do
+ run_iptables -A $chain --match unclean -j logpkt
+ done
+ echo " $interface"
+ done
+ fi
+ ############################################################################
+ # Common ICMP rules
+ #
+ icmpdef=`find_file icmpdef`
+
+ if [ -f $icmpdef ]; then
+ . $icmpdef
+ else
+ . `find_file icmp.def`
+ fi
+ ############################################################################
+ # Common rules in each chain
+ #
+ common=`find_file common`
+
+ if [ -f $common ]; then
+ . $common
+ else
+ . `find_file common.def`
+ fi
+ ###########################################################################
+ # BROADCASTS
+ #
+ drop_broadcasts `find_broadcasts`
+
+ ###########################################################################
+ # RFC 1918
+ #
+ norfc1918_interfaces="`find_interfaces_by_option norfc1918`"
+
+ if [ -n "$norfc1918_interfaces" ]; then
+ echo "Enabling RFC1918 Filtering"
+
+ strip_file rfc1918
+
+ createchain rfc1918 no
+
+ createchain logdrop no
+ run_iptables -A logdrop -j `logdisp rfc1918`
+ run_iptables -A logdrop -j DROP
+
+ if [ -n "$MANGLE_ENABLED" ]; then
+ ####################################################################
+ # Mangling is enabled -- create a chain in the mangle table to
+ # filter RFC1918 destination addresses. This must be done in the
+ # mangle table before we apply any DNAT rules in the nat table
+ #
+ # Also add a chain to log and drop any RFC1918 packets that we find
+ #
+ run_iptables -t mangle -N man1918
+ run_iptables -t mangle -N logdrop
+ run_iptables -t mangle -A logdrop -j `logdisp man1918`
+ run_iptables -t mangle -A logdrop -j DROP
+ fi
+
+ while read subnet target; do
+ case $target in
+ logdrop|DROP|RETURN)
+ ;;
+ *)
+ fatal_error " Error:Illegal target ($target) for $subnet"
+ ;;
+ esac
+
+ run_iptables -A rfc1918 -s $subnet -j $target
+ ####################################################################
+ # If packet mangling is enabled, trap packets with an
+ # RFC1918 destination
+ #
+ if [ -n "$MANGLE_ENABLED" ]; then
+ run_iptables -t mangle -A man1918 -d $subnet -j $target
+ fi
+ done < $TMP_DIR/rfc1918
+
+ for interface in $norfc1918_interfaces; do
+ for chain in `first_chains $interface`; do
+ run_iptables -A $chain -j rfc1918
+ done
+
+ [ -n "$MANGLE_ENABLED" ] && \
+ run_iptables -t mangle -A PREROUTING -i $interface -j man1918
+ done
+
+ fi
+ ############################################################################
+ # Process Black List
+ #
+ setup_blacklist
+
+ ############################################################################
+ # Enable the Loopback interface
+ #
+ run_iptables -A INPUT -i lo -j ACCEPT
+ run_iptables -A OUTPUT -o lo -j ACCEPT
+ ############################################################################
+ # Enable icmp output
+ #
+ run_iptables -A OUTPUT -m state --state ! INVALID -p icmp -j ACCEPT
+ ############################################################################
+ # Route Filtering
+ #
+ for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
+ echo 0 > $f
+ done
+
+ interfaces="`find_interfaces_by_option routefilter`"
+
+ if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
+ echo "Setting up Kernel Route Filtering..."
+
+ if [ -n "$ROUTE_FILTER" ]; then
+ echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+ else
+ echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
+
+ for interface in $interfaces; do
+ file=/proc/sys/net/ipv4/conf/$interface/rp_filter
+ if [ -f $file ]; then
+ echo 1 > $file
+ else
+ error_message \
+ "Warning: Cannot set route filtering on $interface"
+ fi
+ done
+ fi
+ fi
+ ############################################################################
+ # IP Forwarding
+ #
+ case "$IP_FORWARDING" in
+ [Oo][Nn])
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+ echo "IP Forwarding Enabled"
+ ;;
+ [Oo][Ff][Ff])
+ echo 0 > /proc/sys/net/ipv4/ip_forward
+ echo "IP Forwarding Disabled!"
+ ;;
+ esac
+}
+
+################################################################################
+# Scan the policy file defining the necessary chains #
+# Add the appropriate policy rule(s) to the end of each canonical chain #
+################################################################################
+apply_policy_rules() {
+ ############################################################################
+ # Create policy chains
+ #
+ while read client server policy loglevel synparams; do
+ expandv client server policy loglevel synparams
+
+ chain=${client}2${server}
+
+ [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams
+
+ if havechain $chain; then
+ [ -n "$synparams" ] && \
+ run_iptables -I $chain 2 -p tcp --syn -j @$chain
+ else
+ #
+ # A wild-card rule. Create the chain and add policy
+ # rules
+ #
+ # We must include the ESTABLISHED and RELATED state
+ # rule here to account for replys and reverse
+ # related sessions associated with sessions going
+ # in the other direction
+ #
+ createchain $chain
+
+ [ "$client" = "all" -o "$server" = "all" ] && \
+ policy_rules $chain $policy $loglevel
+
+ [ -n "$synparams" ] && \
+ [ $policy = ACCEPT -o $policy = CONTINUE ] && \
+ run_iptables -I $chain 2 -p tcp --syn -j @$chain
+ fi
+
+ done < $TMP_DIR/policy
+ ############################################################################
+ # Add policy rules to canonical chains
+ #
+ for zone in $FW $zones; do
+ setup_intrazone $zone
+ for zone1 in $FW $zones; do
+ chain=${zone}2${zone1}
+ if havechain $chain; then
+ run_user_exit $chain
+ default_policy $zone $zone1
+ fi
+ done
+ done
+}
+
+################################################################################
+# Activate the rules #
+################################################################################
+activate_rules()
+{
+ local PREROUTING_rule=1
+ local POSTROUTING_rule=1
+ ############################################################################
+ # Jump to a NAT chain from one of the builtin nat chains
+ #
+ addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
+ {
+ local sourcechain=$1 destchain=$2
+ shift
+ shift
+
+ havenatchain $destchain && \
+ run_iptables -t nat -A $sourcechain $@ -j $destchain
+ }
+
+ ############################################################################
+ # Jump to a RULES chain from one of the builtin nat chains
+ #---------------------------------------------------------------------------
+ # If NAT_BEFORE_RULES then append the rule to the chain; otherwise, insert
+ # the jump near the front of the builtin chain
+ #
+ addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
+ {
+ local sourcechain=$1 destchain=$2
+ shift
+ shift
+
+ if havenatchain $destchain; then
+ if [ -n "$NAT_BEFORE_RULES" ]; then
+ run_iptables -t nat -A $sourcechain $@ -j $destchain
+ else
+ eval run_iptables -t nat -I $sourcechain \
+ \$${sourcechain}_rule $@ -j $destchain
+ eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
+ fi
+ fi
+ }
+
+ #
+ # Add jumps from the builtin chains to the nat chains
+ #
+ addnatjump PREROUTING nat_in
+ addnatjump POSTROUTING nat_out
+
+ for interface in $all_interfaces; do
+ addnatjump PREROUTING `input_chain $interface` -i $interface
+ addnatjump POSTROUTING `output_chain $interface` -o $interface
+ done
+
+ multi_interfaces=`find_interfaces_by_option multi`
+
+ for zone in $zones; do
+ eval source_hosts=\$${zone}_hosts
+
+ for host in $source_hosts; do
+ interface=${host%:*}
+ subnet=${host#*:}
+
+ run_iptables -A OUTPUT -o \
+ $interface -d $subnet -j `rules_chain $FW $zone`
+ #
+ # Add jumps from the builtin chains for DNAT and SNAT rules
+ #
+ addrulejump PREROUTING `dnat_chain $zone` -i $interface -s $subnet
+ addrulejump POSTROUTING `snat_chain $zone` -o $interface -d $subnet
+
+ run_iptables -A `input_chain $interface` -s $subnet \
+ -j `rules_chain $zone $FW`
+ done
+
+ for zone1 in $zones; do
+ eval dest_hosts=\$${zone1}_hosts
+
+ chain="`rules_chain $zone $zone1`"
+
+ for host in $source_hosts; do
+ interface=${host%:*}
+ subnet=${host#*:}
+ chain1=`forward_chain $interface`
+
+ case $interface in
+ *+*)
+ multi=yes
+ ;;
+ *)
+ list_search $interface $multi_interfaces && multi=yes || multi=
+ ;;
+ esac
+
+ for host1 in $dest_hosts; do
+ interface1=${host1%:*}
+ subnet1=${host1#*:}
+
+ if [ $interface != $interface1 -o -n "$multi" ]; then
+ run_iptables -A $chain1 -s $subnet \
+ -o $interface1 -d $subnet1 -j $chain
+ fi
+ done
+ done
+ done
+ done
+
+ for interface in $all_interfaces; do
+ run_iptables -A FORWARD -i $interface -j `forward_chain $interface`
+ run_iptables -A INPUT -i $interface -j `input_chain $interface`
+ addnatjump POSTROUTING `masq_chain $interface` -o $interface
+ done
+
+ complete_standard_chain INPUT all $FW
+ complete_standard_chain OUTPUT $FW all
+ complete_standard_chain FORWARD all all
+
+ run_iptables -D INPUT 1
+ run_iptables -D OUTPUT 1
+ run_iptables -D FORWARD 1
+}
+
+################################################################################
+# Start/Restart the Firewall #
+################################################################################
+define_firewall() # $1 = Command (Start or Restart)
+{
+ echo "${1}ing Shorewall..."
+
+ verify_os_version
+
+ load_kernel_modules
+
+ echo "Initializing..."
+
+ initialize_netfilter
+
+ echo "Configuring Proxy ARP"
+
+ setup_proxy_arp
+
+ setup_nat
+
+ echo "Adding Common Rules"
+
+ add_common_rules
+
+ tunnels=`find_file tunnels`
+
+ [ -f $tunnels ] && \
+ echo "Processing $tunnels..." && setup_tunnels $tunnels
+
+ rules=`find_file rules`
+
+ echo "Processing $rules..."
+
+ process_rules $rules
+
+ echo "Adding rules for DHCP"
+
+ for interface in `find_interfaces_by_option dhcp`; do
+ run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT
+ run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
+ done
+
+ echo "Setting up ICMP Echo handling..."
+
+ filterping_interfaces="`find_interfaces_by_option filterping`"
+ noping_interfaces="`find_interfaces_by_option noping`"
+
+ for interface in $all_interfaces; do
+ if ! list_search $interface $filterping_interfaces; then
+ if list_search $interface $noping_interfaces; then
+ target=DROP
+ else
+ target=ACCEPT
+ fi
+
+ run_iptables -A `input_chain $interface` \
+ -p icmp --icmp-type echo-request -j $target
+ fi
+ done
+
+ policy=`find_file policy`
+
+ echo "Processing $policy..."
+
+ apply_policy_rules
+
+ masq=`find_file masq`
+
+ [ -f $masq ] && setup_masq $masq
+
+ tos=`find_file tos`
+
+ [ -f $tos ] && [ -n "$MANGLE_ENABLED" ] && process_tos $tos
+
+ [ -n "$TC_ENABLED" ] && setup_tc
+
+ echo "Activating Rules..."
+
+ activate_rules
+
+ [ -n "$aliases_to_add" ] && \
+ echo "Adding IP Addresses..." && \
+ add_ip_aliases
+
+ run_user_exit start
+
+ createchain shorewall no
+
+ date > /var/lib/shorewall/restarted
+
+ report "Shorewall ${1}ed"
+
+ rm -rf $TMP_DIR
+}
+
+################################################################################
+# Check the configuration #
+################################################################################
+check_config() {
+ echo "Verifying Configuration..."
+
+ verify_os_version
+
+ load_kernel_modules
+
+ echo "Determining Zones..."
+
+ determine_zones
+
+ [ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
+
+ display_list "Zones:" $zones
+
+ echo "Validating interfaces file..."
+
+ validate_interfaces_file
+
+ echo "Validating hosts file..."
+
+ validate_hosts_file
+
+ echo "Determining Hosts in Zones..."
+
+ determine_interfaces
+ determine_hosts
+
+ echo "Validating rules file..."
+
+ validate_rules
+
+ echo "Validating policy file..."
+
+ validate_policy
+
+ rm -rf $TMP_DIR
+
+ echo "Configuration Validated"
+}
+
+################################################################################
+# Rebuild the common chain #
+################################################################################
+refresh_firewall()
+{
+ echo "Refreshing Shorewall..."
+
+ echo "Determining Zones and Interfaces..."
+
+ determine_zones
+
+ [ -z "$zones" ] && startup_error "ERROR: No Zones Defined"
+
+ determine_interfaces
+
+ run_user_exit refresh
+
+ run_iptables -F common
+
+ echo "Adding Common Rules"
+ ############################################################################
+ # Common rules in each chain
+ #
+ common=`find_file common`
+
+ if [ -f $common ]; then
+ . $common
+ else
+ . `find_file common.def`
+ fi
+ ###########################################################################
+ # BROADCASTS
+ #
+ drop_broadcasts `find_broadcasts`
+
+ ###########################################################################
+ # Blacklist
+ #
+ refresh_blacklist
+
+ report "Shorewall Refreshed"
+
+ rm -rf $TMP_DIR
+}
+
+################################################################################
+# Determine the value for a parameter that defaults to Yes #
+################################################################################
+added_param_value_yes() # $1 = Parameter Name, $2 = Parameter value
+{
+ local val="$2"
+
+ if [ -z "$val" ]; then
+ echo "Yes"
+ else case $val in
+ [Yy][Ee][Ss])
+ echo "Yes"
+ ;;
+ [Nn][Oo])
+ echo ""
+ ;;
+ *)
+ startup_error "Invalid value ($val) for $1"
+ ;;
+ esac
+ fi
+}
+
+################################################################################
+# Determine the value for a parameter that defaults to No #
+################################################################################
+added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
+{
+ local val="$2"
+
+ if [ -z "$val" ]; then
+ echo ""
+ else case $val in
+ [Yy][Ee][Ss])
+ echo "Yes"
+ ;;
+ [Nn][Oo])
+ echo ""
+ ;;
+ *)
+ startup_error "Invalid value ($val) for $1"
+ ;;
+ esac
+ fi
+}
+
+################################################################################
+# Initialize this program #
+################################################################################
+do_initialize() {
+ # Run all utility programs using the C locale
+ #
+ # Thanks to Vincent Planchenault for this tip #
+
+ export LC_ALL=C
+
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+ ############################################################################
+ # Clear all configuration variables
+ #
+ version=
+ FW=
+ SUBSYSLOCK=
+ STATEDIR=
+ ALLOWRELATED=
+ LOGRATE=
+ LOGBURST=
+ LOGPARMS=
+ NAT_ENABLED=
+ MANGLE_ENABLED=
+ ADD_IP_ALIASES=
+ ADD_SNAT_ALIASES=
+ TC_ENABLED=
+ LOGUNCLEAN=
+ BLACKLIST_DISPOSITION=
+ BLACKLIST_LOGLEVEL=
+ CLAMPMSS=
+ ROUTE_FILTER=
+ NAT_BEFORE_RULES=
+ MULTIPORT=
+ DETECT_DNAT_IPADDRS=
+ MERGE_HOSTS=
+ MUTEX_TIMEOUT=
+ LOGNEWNOTSYN=
+ stopping=
+ have_mutex=
+ masq_seq=1
+ nonat_seq=1
+ aliases_to_add=
+
+ TMP_DIR=/tmp/shorewall-$$
+ rm -rf $TMP_DIR
+ mkdir -p $TMP_DIR && chmod 700 $TMP_DIR || \
+ startup_error "Can't create $TMP_DIR"
+
+ trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
+
+ functions=/var/lib/shorewall/functions
+
+ if [ -f $functions ]; then
+ . $functions
+ else
+ startup_error "$functions does not exist!"
+ fi
+
+ version_file=/var/lib/shorewall/version
+
+ [ -f $version_file ] && version=`cat $version_file`
+ #
+ # Strip the files that we use often
+ #
+ strip_file interfaces
+ strip_file hosts
+
+ run_user_exit shorewall.conf
+ run_user_exit params
+
+ [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
+
+ [ -d $STATEDIR ] || mkdir -p $STATEDIR
+
+ [ -z "$FW" ] && FW=fw
+
+ ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
+ NAT_ENABLED="`added_param_value_yes NAT_ENABLED $NAT_ENABLED`"
+ MANGLE_ENABLED="`added_param_value_yes MANGLE_ENABLED $MANGLE_ENABLED`"
+ ADD_IP_ALIASES="`added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES`"
+ TC_ENABLED="`added_param_value_yes TC_ENABLED $TC_ENABLED`"
+
+ if [ -n "${LOGRATE}${LOGBURST}" ]; then
+ LOGPARMS="--match limit"
+ [ -n "$LOGRATE" ] && LOGPARMS="$LOGPARMS --limit $LOGRATE"
+ [ -n "$LOGBURST" ] && LOGPARMS="$LOGPARMS --limit-burst $LOGBURST"
+ fi
+
+ if [ -n "$IP_FORWARDING" ]; then
+ case "$IP_FORWARDING" in
+ [Oo][Nn]|[Oo][Ff][Ff]|[Kk][Ee][Ee][Pp])
+ ;;
+ *)
+ startup_error "Invalid value ($IP_FORWARDING) for IP_FORWARDING"
+ ;;
+ esac
+ else
+ IP_FORWARDING=On
+ fi
+
+ if [ -n "$TC_ENABLED" -a -z "$MANGLE_ENABLED" ]; then
+ startup_error "Traffic Control requires Mangle"
+ fi
+
+ [ -z "$BLACKLIST_DISPOSITION" ] && BLACKLIST_DISPOSITION=DROP
+
+ CLAMPMSS=`added_param_value_no CLAMPMSS $CLAMPMSS`
+ ADD_SNAT_ALIASES=`added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES`
+ ROUTE_FILTER=`added_param_value_no ROUTE_FILTER $ROUTE_FILTER`
+ NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES`
+ MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
+ DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
+ MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
+}
+
+################################################################################
+# Give Usage Information #
+################################################################################
+usage() {
+ echo "Usage: $0 [debug] {start|stop|reset|restart|status|refresh|clear]}"
+ exit 1
+}
+
+################################################################################
+# E X E C U T I O N B E G I N S H E R E #
+################################################################################
+#
+# Start trace if first arg is "debug"
+#
+[ $# -gt 1 ] && [ "$1" = "debug" ] && { set -x ; shift ; }
+
+nolock=
+
+[ $# -gt 1 ] && [ "$1" = "nolock" ] && { nolock=Yes; shift ; }
+
+[ $# -ne 1 ] && usage
+
+trap "my_mutex_off; exit 2" 1 2 3 4 5 6 9
+
+command="$1"
+
+case "$command" in
+ stop)
+ do_initialize
+ my_mutex_on
+ echo -n "Stopping Shorewall..."
+ determine_zones
+ stop_firewall
+ [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+ echo "done."
+ my_mutex_off
+ ;;
+
+ start)
+ do_initialize
+ my_mutex_on
+ if qt iptables -L shorewall -n ; then
+ [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+ echo "Shorewall Already Started"
+ my_mutex_off
+ exit 0;
+ fi
+ define_firewall "Start" && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+ my_mutex_off
+ ;;
+
+ restart)
+ do_initialize
+ my_mutex_on
+ if qt iptables -L shorewall -n ; then
+ define_firewall "Restart"
+ else
+ echo "Shorewall Not Currently Running"
+ define_firewall "Start"
+ fi
+
+ [ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+ my_mutex_off
+ ;;
+
+ status)
+ echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n"
+ iptables -L -n -v
+ ;;
+
+ reset)
+ iptables -L -n -Z -v
+ report "Shorewall Counters Reset"
+ date > /var/lib/shorewall/restarted
+ ;;
+
+ refresh)
+ do_initialize
+ my_mutex_on
+ if ! qt iptables -L shorewall -n ; then
+ echo "Shorewall Not Started"
+ my_mutex_off
+ exit 2;
+ fi
+ refresh_firewall;
+ my_mutex_off
+ ;;
+
+ clear)
+ do_initialize
+ my_mutex_on
+ echo -n "Clearing Shorewall..."
+ determine_zones
+ clear_firewall
+ [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+ echo "done."
+ my_mutex_off
+ ;;
+
+ check)
+ do_initialize
+ check_config
+ ;;
+
+ *)
+ usage
+ ;;
+
+esac
diff --git a/STABLE/functions b/STABLE/functions
new file mode 100644
index 000000000..acb07f38f
--- /dev/null
+++ b/STABLE/functions
@@ -0,0 +1,171 @@
+#!/bin/sh
+#
+# Shorewall 1.3 -- /var/lib/shorewall/functions
+
+#
+# Suppress all output for a command
+#
+qt()
+{
+ "$@" >/dev/null 2>&1
+}
+
+#
+# Find a File -- Look first in $SHOREWALL_DIR then in /etc/shorewall
+#
+find_file()
+{
+ if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
+ echo $SHOREWALL_DIR/$1
+ else
+ echo /etc/shorewall/$1
+ fi
+}
+
+#
+# Replace commas with spaces and echo the result
+#
+separate_list()
+{
+ echo $1 | sed 's/,/ /g'
+}
+
+#
+# Find the zones
+#
+find_zones() # $1 = name of the zone file
+{
+ while read zone display comments; do
+ [ -n "$zone" ] && case "$zone" in
+ \#*)
+ ;;
+ $FW|multi)
+ echo "Reserved zone name \"$zone\" in zones file ignored" >&2
+ ;;
+ *)
+ echo $zone
+ ;;
+ esac
+ done < $1
+}
+
+find_display() # $1 = zone, $2 = name of the zone file
+{
+ grep ^$1 $2 | while read z display comments; do
+ [ "x$1" = "x$z" ] && echo $display
+ done
+}
+
+determine_zones()
+{
+ local zonefile=`find_file zones`
+
+ multi_display=Multi-zone
+
+ if [ -f $zonefile ]; then
+ zones=`find_zones $zonefile`
+ zones=`echo $zones` # Remove extra trash
+
+ for zone in $zones; do
+ dsply=`find_display $zone $zonefile`
+ eval ${zone}_display=\$dsply
+ done
+ else
+ zones="net local dmz gw"
+ net_display=Net
+ local_display=Local
+ dmz_display=DMZ
+ gw_display=Gateway
+ fi
+
+}
+
+###############################################################################
+# The following functions may be used by apps that wish to ensure that
+# the state of Shorewall isn't changing
+#------------------------------------------------------------------------------
+# This function loads the STATEDIR variable (directory where Shorewall is to
+# store state files). If your application supports alternate Shorewall
+# configurations then the name of the alternate configuration directory should
+# be in $SHOREWALL_DIR at the time of the call.
+#
+# If the shorewall.conf file does not exist, this function does not return
+###############################################################################
+get_statedir()
+{
+ MUTEX_TIMEOUT=
+
+ local config=`find_file shorewall.conf`
+
+ if [ -f $config ]; then
+ . $config
+ else
+ echo "/etc/shorewall/shorewall.conf does not exist!" >&2
+ exit 2
+ fi
+
+ [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
+}
+
+###############################################################################
+# Call this function to assert MUTEX with Shorewall. If you invoke the
+# /sbin/shorewall program while holding MUTEX, you should pass "nolock" as
+# the first argument. Example "shorewall nolock refresh"
+#
+# This function uses the lockfile utility from procmail if it exists.
+# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
+# behavior of lockfile.
+###############################################################################
+mutex_on()
+{
+ local try=0
+ local lockf=$STATEDIR/lock
+
+ MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
+
+ if [ $MUTEX_TIMEOUT -gt 0 ]; then
+
+ [ -d $STATEDIR ] || mkdir -p $STATEDIR
+
+ if qt which lockfile; then
+ lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+ else
+ while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
+ sleep 1
+ try=$((${try} + 1))
+ done
+
+ if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
+ # Create the lockfile
+ echo $$ > ${lockf}
+ else
+ echo "Giving up on lock file ${lockf}" >&2
+ fi
+ fi
+ fi
+}
+
+###############################################################################
+# Call this function to release MUTEX
+###############################################################################
+mutex_off()
+{
+ rm -f $STATEDIR/lock
+}
+
+###############################################################################
+# Strip comments and blank lines from a file and place the result in the #
+# temporary directory #
+###############################################################################
+strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
+{
+ local fname
+
+ [ $# = 1 ] && fname=`find_file $1` || fname=$2
+
+ if [ -f $fname ]; then
+ cut -d'#' -f1 $fname | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
+ else
+ > $TMP_DIR/$1
+ fi
+}
diff --git a/STABLE/hosts b/STABLE/hosts
new file mode 100644
index 000000000..6158a3571
--- /dev/null
+++ b/STABLE/hosts
@@ -0,0 +1,41 @@
+#
+# Shorewall 1.3 - /etc/shorewall/hosts
+#
+# WARNING: 90% of Shorewall users don't need to add entries to this
+# file and 80% of those who try to add such entries get it
+# wrong. Unless you are ABSOLUTELY SURE that you need entries
+# in this file, don't touch it!
+#
+# This file is used to define zones in terms of subnets and/or
+# individual IP addresses. Most simple setups don't need to
+# (should not) place anything in this file.
+#
+# ZONE - The name of a zone defined in /etc/shorewall/zones
+#
+# HOST(S) - The name of an interface followed by a colon (":") and
+# either:
+#
+# a) The IP address of a host
+# b) A subnetwork in the form
+# /
+#
+# The interface must be defined in the
+# /etc/shorewall/interfaces file.
+#
+# Examples:
+#
+# eth1:192.168.1.3
+# eth2:192.168.2.0/24
+#
+# OPTIONS - A comma-separated list of options. Currently-defined
+# options are:
+#
+# routestopped - (Deprecated -- use
+# /etc/shorewall/routestopped)
+# route messages to and from this
+# member when the firewall is in the
+# stopped state
+#
+#
+#ZONE HOST(S) OPTIONS
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
diff --git a/STABLE/icmp.def b/STABLE/icmp.def
new file mode 100644
index 000000000..629b724d9
--- /dev/null
+++ b/STABLE/icmp.def
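Review bot: mutex_on in this hunk never reports a failed lock acquisition: the exit status of `lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}` is ignored, and the fallback branch prints "Giving up on lock file" but still returns 0, so a caller carries on as if it held the mutex and its later mutex_off removes a lock owned by another process. Make both paths fail explicitly, `lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} || return 1` and a `return 1` after the "Giving up" message, so callers can stop on failure; the callers (my_mutex_on appears in the firewall script but is not defined in this hunk) would then need to check the status. The fallback's test-then-create of `${lockf}` is the race the header comment admits; creating it under `set -C` (noclobber) would make the `echo $$ > ${lockf}` step itself fail when the file already exists, which is the check the loop is trying to approximate. `qt which lockfile` is also more portable as `command -v lockfile >/dev/null`.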
@@ -0,0 +1,22 @@
+##############################################################################
+# Shorewall 1.3 /etc/shorewall/icmp.def
+#
+# This file defines the default rules for accepting ICMP packets.
+#
+# Do not modify this file -- if you wish to change these rules, create
+# /etc/shorewall/icmpdef to replace it. It is suggested that you include
+# the command "source /etc/shorewall/icmp.def" in your
+# /etc/shorewall/icmpdef file so that you will continue to get the
+# advantage of new releases of this file.
+#
+# For example, if you want to accept 'ping' everywhere then create
+# /etc/shorewall/icmpdef with the following two lines:
+#
+# source /etc/shorewall/icmp.def
+# run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT
+#
+run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
+run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
+run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
+run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
+run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
diff --git a/STABLE/install.sh b/STABLE/install.sh
new file mode 100755
index 000000000..710e06109
--- /dev/null
+++ b/STABLE/install.sh
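Review bot: None of the five ACCEPT rules carries a rate limit, so the firewall accepts an unbounded stream of ICMP error messages (source-quench, destination-unreachable, time-exceeded, parameter-problem) addressed to it; adding `-m limit --limit <rate> --limit-burst <n>` to each `run_iptables -A icmpdef` line would bound that cheaply. Separately, `source-quench` is an obsolete ICMP type (deprecated by RFC 6633, and ignored by current hosts), so the second rule deserves a comment saying why it is still accepted. Whether the `icmpdef` chain is reached only for packets addressed to the firewall itself is decided by the caller and is not visible in this hunk.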
@@ -0,0 +1,494 @@ +#!/bin/sh +# +# Script to install Shoreline Firewall +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 2000,2001,2002 - Tom Eastep (teastep@shorewall.net) +# +# Seawall documentation is available at http://seawall.sourceforge.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA +# +# Usage: +# +# If you are running a distribution that has a directory called /etc/rc.d/init.d or one +# called /etc/init.d or you are running Slackware then simply cd to the directory +# containing this script and run it. +# +# ./install.sh +# +# If you don't have either of those directories, you will need to determine where the +# SysVInit scripts are kept on your system and pass the name of that directory. +# +# ./install.sh /etc/rc.d/scripts +# +# The default is that the firewall will be started in run levels 2-5 starting at +# position 15 and stopping at position 90. This is correct RedHat/Mandrake, Debian, +# Caldera and Corel. +# +# If you wish to change that, you can pass -r "". +# +# Example 1: You wish to start your firewall in runlevels 2 and three, start at position +# 15 and stop at position 90 +# +# ./install.sh -r "23 15 90" +# +# Example 2: You wish to start your firewall only in run level 3, start at position 5 +# and stop at position 95. 
+# +# ./install.sh -r "3 5 95" /etc/rc.d/scripts +# +# For distributions that don't include chkconfig (Slackware, for example), the +# /etc/rc.d/rc.local file is modified to start the firewall. +# + +VERSION=1.3.6 + +usage() # $1 = exit status +{ + ME=`basename $0` + echo "usage: $ME [ -r \"\" ] [ ]" + echo " $ME [ -v ]" + echo " $ME [ -h ]" + exit $1 +} + +run_install() +{ + if ! install $*; then + echo -e "\nERROR: Failed to install $*" + exit 1 + fi +} + +cant_autostart() +{ + echo -e "\nWARNING: Unable to configure Shorewall to start" +echo " automatically at boot" +} + +backup_file() # $1 = file to backup +{ + if [ -z "$PREFIX" -a -f $1 -a ! -f ${1}-${VERSION}.bkout ]; then + if (cp $1 ${1}-${VERSION}.bkout); then + echo + echo "$1 saved to ${1}-${VERSION}.bkout" + else + exit 1 + fi + fi +} + +modify_rclocal() +{ + if [ -f /etc/rc.d/rc.local ]; then + if [ -z "`grep shorewall /etc/rc.d/rc.local`" ]; then + cp -f /etc/rc.d/rc.local /etc/rc.d/rc.local-shorewall.bkout + echo >> /etc/rc.d/rc.local + echo "/sbin/shorewall start" >> /etc/rc.d/rc.local + echo "/etc/rc.d/rc.local modified to start Shorewall" + fi + else + cant_autostart + fi +} + +install_file_with_backup() # $1 = source $2 = target $3 = mode +{ + backup_file $2 + run_install -o $OWNER -g $GROUP -m $3 $1 ${2} +} + +# +# Parse the run line +# +# DEST is the SysVInit script directory +# RUNLEVELS is the chkconfig parmeters for firewall +# ARGS is "yes" if we've already parsed an argument +# +DEST="" +RUNLEVELS="" +ARGS="" + +if [ -z "$OWNER" ] ; then + OWNER=root +fi + +if [ -z "$GROUP" ] ; then + GROUP=root +fi + +while [ $# -gt 0 ] ; do + case "$1" in + -h|help|?) 
+ if [ -n "$ARGS" ]; then + usage 1 + fi + + usage 0 + ;; + -r) + if [ -n "$RUNLEVELS" -o $# -eq 1 ]; then + usage 1 + fi + + RUNLEVELS="$2"; + shift + ;; + -v) + if [ -n "$ARGS" ]; then + usage 1 + fi + + echo "Shorewall Firewall Installer Version $VERSION" + exit 0 + ;; + *) + if [ -n "$DEST" ]; then + usage 1 + fi + + DEST="$1" + ;; + esac + shift + ARGS="yes" +done + +# +# Determine where to install the firewall script +# +if [ -n "$PREFIX" ]; then + install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}/sbin + install -d -o $OWNER -g $GROUP -m 755 ${PREFIX}${DEST} +fi + +FIREWALL="shorewall" + +if [ -z "$DEST" ]; then + # + # We make this first test so that on RedHat systems that have Seawall installed, + # we can still use PREFIX (the code that reads the existing symbolic link + # fails dreadfully if the link is relative and PREFIX is non-null). + # + if [ -x /etc/rc.d/init.d/firewall ]; then + DEST=/etc/rc.d/init.d + elif [ -L /etc/shorewall/firewall ]; then + TEMP=`ls -l /etc/shorewall/firewall | sed 's/^.*> //'` + DEST=`dirname $TEMP` + FIREWALL=`basename $TEMP` + elif [ -d /etc/rc.d/init.d ]; then + DEST=/etc/rc.d/init.d + elif [ -d /etc/init.d ]; then + DEST=/etc/init.d + elif [ -f /etc/rc.d/rc.local ]; then + DEST=/etc/rc.d + FIREWALL="rc.shorewall" + else + echo "ERROR: Can't determine where to install the firewall script" + echo " Rerun $0 passing the name of the SysVInit script directory" + echo " on your system" + exit 1 + fi +fi + +# +# Change to the directory containing this script +# +cd "`dirname $0`" + +echo "Installing Shorewall Version $VERSION" + +# +# Check for /etc/shorewall +# +if [ -d ${PREFIX}/etc/shorewall ]; then + first_install="" +else + first_install="Yes" +fi + +install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0544 + +echo -e "\nShorewall control program installed in ${PREFIX}/sbin/shorewall" + +# +# Install the Firewall Script +# +if [ -n "$RUNLEVELS" ]; then + # + # User specified chkconfig parameters -- build an awk script 
to install them + # in the firewall script + # + echo "/# chkconfig/ { print \"# chkconfig: $RUNLEVELS\" ; next }" > awk.temp + echo "{ print }" >> awk.temp + + awk -f awk.temp firewall > firewall.temp + + if [ $? -ne 0 ]; then + echo -e "\nERROR: Error running awk." + echo " You must run `basename $0` without the "-r" option then edit" + echo " $DEST/$FIREWALL manually (line beginning '# chkconfig:')" + exit 1 + fi + + install_file_with_backup firewall.temp ${PREFIX}${DEST}/$FIREWALL 0544 + + rm -f firewall.temp awk.tmp +else + install_file_with_backup firewall ${PREFIX}${DEST}/$FIREWALL 0544 +fi + +echo -e "\nShorewall script installed in ${PREFIX}${DEST}/$FIREWALL" + +# +# Create /etc/shorewall and /var/shorewall if needed +# +mkdir -p ${PREFIX}/etc/shorewall +mkdir -p ${PREFIX}/var/lib/shorewall +# +# Install the config file +# +if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then + backup_file /etc/shorewall/shorewall.conf +else + run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf + echo -e "\nConfig file installed as ${PREFIX}/etc/shorewall/shorewall.conf" +fi +# +# Install the zones file +# +if [ -f ${PREFIX}/etc/shorewall/zones ]; then + backup_file /etc/shorewall/zones +else + run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones + echo -e "\nZones file installed as ${PREFIX}/etc/shorewall/zones" +fi + +# +# Install the functions file +# +install_file_with_backup functions ${PREFIX}/var/lib/shorewall/functions 0444 + +echo -e "\nCommon functions installed in ${PREFIX}/var/lib/shorewall/functions" +# +# Install the common.def file +# +install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444 + +echo -e "\nCommon rules installed in ${PREFIX}/etc/shorewall/common.def" +# +# Install the icmp.def file +# +install_file_with_backup icmp.def ${PREFIX}/etc/shorewall/icmp.def 0444 + +echo -e "\nCommon ICMP rules installed in ${PREFIX}/etc/shorewall/icmp.def" + +# +# Install the 
policy file +# +if [ -f ${PREFIX}/etc/shorewall/policy ]; then + backup_file /etc/shorewall/policy +else + run_install -o $OWNER -g $GROUP -m 0600 policy ${PREFIX}/etc/shorewall/policy + echo -e "\nPolicy file installed as ${PREFIX}/etc/shorewall/policy" +fi +# +# Install the interfaces file +# +if [ -f ${PREFIX}/etc/shorewall/interfaces ]; then + backup_file /etc/shorewall/interfaces +else + run_install -o $OWNER -g $GROUP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces + echo -e "\nInterfaces file installed as ${PREFIX}/etc/shorewall/interfaces" +fi +# +# Install the hosts file +# +if [ -f ${PREFIX}/etc/shorewall/hosts ]; then + backup_file /etc/shorewall/hosts +else + run_install -o $OWNER -g $GROUP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts + echo -e "\nHosts file installed as ${PREFIX}/etc/shorewall/hosts" +fi +# +# Install the rules file +# +if [ -f ${PREFIX}/etc/shorewall/rules ]; then + backup_file /etc/shorewall/rules +else + run_install -o $OWNER -g $GROUP -m 0600 rules ${PREFIX}/etc/shorewall/rules + echo -e "\nRules file installed as ${PREFIX}/etc/shorewall/rules" +fi +# +# Install the NAT file +# +if [ -f ${PREFIX}/etc/shorewall/nat ]; then + backup_file /etc/shorewall/nat +else + run_install -o $OWNER -g $GROUP -m 0600 nat ${PREFIX}/etc/shorewall/nat + echo -e "\nNAT file installed as ${PREFIX}/etc/shorewall/nat" +fi +# +# Install the Parameters file +# +if [ -f ${PREFIX}/etc/shorewall/params ]; then + backup_file /etc/shorewall/params +else + run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params + echo -e "\nParameter file installed as ${PREFIX}/etc/shorewall/params" +fi +# +# Install the proxy ARP file +# +if [ -f ${PREFIX}/etc/shorewall/proxyarp ]; then + backup_file /etc/shorewall/proxyarp +else + run_install -o $OWNER -g $GROUP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp + echo -e "\nProxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp" +fi +# +# Install the Stopped Routing file +# +if [ -f 
${PREFIX}/etc/shorewall/routestopped ]; then + backup_file /etc/shorewall/routestopped +else + run_install -o $OWNER -g $GROUP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped + echo -e "\nStopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped" +fi +# +# Install the Masq file +# +if [ -f ${PREFIX}/etc/shorewall/masq ]; then + backup_file /etc/shorewall/masq +else + run_install -o $OWNER -g $GROUP -m 0600 masq ${PREFIX}/etc/shorewall/masq + echo -e "\nMasquerade file installed as ${PREFIX}/etc/shorewall/masq" +fi +# +# Install the Modules file +# +if [ -f ${PREFIX}/etc/shorewall/modules ]; then + backup_file /etc/shorewall/modules +else + run_install -o $OWNER -g $GROUP -m 0600 modules ${PREFIX}/etc/shorewall/modules + echo -e "\nModules file installed as ${PREFIX}/etc/shorewall/modules" +fi +# +# Install the TC Rules file +# +if [ -f ${PREFIX}/etc/shorewall/tcrules ]; then + backup_file /etc/shorewall/tcrules +else + run_install -o $OWNER -g $GROUP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules + echo -e "\nTC Rules file installed as ${PREFIX}/etc/shorewall/tcrules" +fi + +# +# Install the TOS file +# +if [ -f ${PREFIX}/etc/shorewall/tos ]; then + backup_file /etc/shorewall/tos +else + run_install -o $OWNER -g $GROUP -m 0600 tos ${PREFIX}/etc/shorewall/tos + echo -e "\nTOS file installed as ${PREFIX}/etc/shorewall/tos" +fi +# +# Install the Tunnels file +# +if [ -f ${PREFIX}/etc/shorewall/tunnels ]; then + backup_file /etc/shorewall/tunnels +else + run_install -o $OWNER -g $GROUP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels + echo -e "\nTunnels file installed as ${PREFIX}/etc/shorewall/tunnels" +fi +# +# Install the blacklist file +# +if [ -f ${PREFIX}/etc/shorewall/blacklist ]; then + backup_file /etc/shorewall/blacklist +else + run_install -o $OWNER -g $GROUP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist + echo -e "\nBlacklist file installed as ${PREFIX}/etc/shorewall/blacklist" +fi +# +# Backup and remove the whitelist file +# 
+if [ -f ${PREFIX}/etc/shorewall/whitelist ]; then + backup_file /etc/shorewall/whitelist + rm -f ${PREFIX}/etc/shorewall/whitelist +fi +# +# Install the rfc1918 file +# +if [ -f ${PREFIX}/etc/shorewall/rfc1918 ]; then + backup_file /etc/shorewall/rfc1918 +else + run_install -o $OWNER -g $GROUP -m 0600 rfc1918 ${PREFIX}/etc/shorewall/rfc1918 + echo -e "\nRFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918" +fi +# +# Backup the version file +# +if [ -z "$PREFIX" ]; then + if [ -f /var/lib/shorewall/version ]; then + backup_file /var/lib/shorewall/version + elif [ -n "$oldversion" ]; then + echo $oldversion > /var/lib/shorewall/version-${VERSION}.bkout + else + echo "Unknown" > /var/lib/shorewall/version-${VERSION}.bkout + fi +fi +# +# Create the version file +# +echo "$VERSION" > ${PREFIX}/var/lib/shorewall/version +chmod 644 ${PREFIX}/var/lib/shorewall/version +# +# Remove and create the symbolic link to the firewall script +# + +if [ -z "$PREFIX" ]; then + rm -f /etc/shorewall/firewall + rm -f /var/lib/shorewall/firewall + ln -s ${DEST}/${FIREWALL} /var/lib/shorewall/firewall +else + pushd ${PREFIX}/var/lib/shorewall/ >> /dev/null && ln -s ../../..${DEST}/${FIREWALL} firewall && popd >> /dev/null +fi + +echo -e "\n${PREFIX}/var/lib/shorewall/firewall linked to ${PREFIX}$DEST/$FIREWALL" + +if [ -z "$PREFIX" -a -n "$first_install" ]; then + if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then + if insserv /etc/init.d/shorewall ; then + echo -e "\nFirewall will start automatically at boot" + else + cant_autostart + fi + elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then + if chkconfig --add $FIREWALL ; then + echo -e "\nFirewall will automatically start in run levels as follows:" + chkconfig --list $FIREWALL + else + cant_autostart + fi + else + modify_rclocal + fi +fi +# +# Report Success +# +echo -e "\nShorewall Version $VERSION Installed" diff --git a/STABLE/interfaces b/STABLE/interfaces new file mode 100644 index 000000000..fb99fcf4e 
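Review bot: The cleanup after the chkconfig rewrite removes the wrong file: the awk program is written to `awk.temp`, but the cleanup line `rm -f firewall.temp awk.tmp` names `awk.tmp`, so `awk.temp` is left behind in the source directory on every `-r` install; change it to `rm -f firewall.temp awk.temp`. In the version-backup block, `$oldversion` is never assigned anywhere in this script, so the `elif [ -n "$oldversion" ]` branch only fires if that name leaks in from the caller's environment — either read it from the existing version file before the block or drop the branch. The script declares `#!/bin/sh` but uses `pushd`/`popd` and `echo -e`, which POSIX `/bin/sh` implementations (ash/dash) lack or interpret differently; a subshell `( cd ${PREFIX}/var/lib/shorewall && ln -s ../../..${DEST}/${FIREWALL} firewall )` and `printf` would keep it portable. Note too that `shorewall.conf` and `zones` are installed with `-m 0744` — an execute bit on files that are sourced, not run — while every other configuration file here uses `0600`; `0644` or `0600` would be consistent.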
--- /dev/null
+++ b/STABLE/interfaces
@@ -0,0 +1,123 @@ +# +# Shorewall 1.3 -- Interfaces File +# +# /etc/shorewall/interfaces +# +# You must add an entry in this file for each network interface on your +# firewall system. +# +# Columns are: +# +# ZONE Zone for this interface. Must match the short name +# of a zone defined in /etc/shorewall/zones. +# +# If the interface serves multiple zones that will be +# defined in the /etc/shorewall/hosts file, you may +# place "-" in this column. +# +# INTERFACE Name of interface +# +# BROADCAST The broadcast address for the subnetwork to which the +# interface belongs. For P-T-P interfaces, this +# column is left black. +# +# If you use the special value "detect", the firewall +# will detect the broadcast address for you. If you +# select this option, the interface must be up before +# the firewall is started and you must have iproute +# installed. +# +# If you don't want to give a value for this column but +# you want to enter a value in the OPTIONS column, enter +# "-" in this column. +# +# OPTIONS A comma-separated list of options including the +# following: +# +# dhcp - interface is managed by DHCP or used by +# a DHCP server running on the firewall or +# you have a static IP but are on a LAN +# segment with lots of Laptop DHCP clients. +# noping - icmp echo-request (ping) packets +# addressed to the firewall should +# be ignored on this interface +# filterping - icmp echo-request (ping) packets +# addressed to the firewall should +# be controlled by the rules file and +# applicable policy. If neither 'noping' +# nor 'filterping' are specified then +# the firewall will respond to 'ping' +# requests. 'filterping' takes +# precedence over 'noping' if both are +# given. +# routestopped - (Deprecated -- use +# /etc/shorewall/routestopped) +# When the firewall is stopped, allow +# and route traffic to and from this +# interface. 
+# norfc1918 - This interface should not receive +# any packets whose source is in one +# of the ranges reserved by RFC 1918 +# (i.e., private or "non-routable" +# addresses. If packet mangling is +# enabled in shorewall.conf, packets +# whose destination addresses are +# reserved by RFC 1918 are also rejected. +# multi - This interface has multiple IP +# addresses and you want to be able to +# route between them. +# routefilter - turn on kernel route filtering for this +# interface (anti-spoofing measure). This +# option can also be enabled globally in +# the /etc/shorewall/shorewall.conf file. +# dropunclean - Logs and drops mangled/invalid packets +# +# logunclean - Logs mangled/invalid packets but does +# not drop them. +# . . blacklist - Check packets arriving on this interface +# against the /etc/shorewall/blacklist +# file. +# proxyarp - +# Sets +# /proc/sys/net/ipv4/conf//proxy_arp. +# Do NOT use this option if you are +# employing Proxy ARP through entries in +# /etc/shorewall/proxyarp. This option is +# intended soley for use with Proxy ARP +# sub-networking as described at: +# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet +# +# The order in which you list the options is not +# significant but the list should have no embedded white +# space. +# +# Example 1: Suppose you have eth0 connected to a DSL modem and +# eth1 connected to your local network and that your +# local subnet is 192.168.1.0/24. The interface gets +# it's IP address via DHCP from subnet +# 206.191.149.192/27 and you want pings from the internet +# to be ignored. You interface a DMZ with subnet +# 192.168.2.0/24 using eth2. You want to be able to +# access the firewall from the local network when the +# firewall is stopped. 
+# +# Your entries for this setup would look like: +# +# net eth0 206.191.149.223 noping,dhcp +# local eth1 192.168.1.255 routestopped +# dmz eth2 192.168.2.255 +# +# Example 2: The same configuration without specifying broadcast +# addresses is: +# +# net eth0 detect noping,dhcp +# loc eth1 detect routestopped +# dmz eth2 detect +# +# Example 3: You have a simple dial-in system with no ethernet +# connections and you want to ignore ping requests. +# +# net ppp0 - noping +############################################################################## +#ZONE INTERFACE BROADCAST OPTIONS +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/STABLE/masq b/STABLE/masq new file mode 100644 index 000000000..69894ddbb --- /dev/null +++ b/STABLE/masq 
@@ -0,0 +1,84 @@ +# +# Shorewall 1.3 - Masquerade file +# +# /etc/shorewall/masq +# +# Use this file to define dynamic NAT (Masquerading) and to define Source NAT +# (SNAT). +# +# Columns are: +# +# INTERFACE -- Outgoing interface. This is usually your internet +# interface. This may be qualified by adding the character +# ":" followed by a destination host or subnet. +# +# +# SUBNET -- Subnet that you wish to masquerade. You can specify this as +# a subnet or as an interface. If you give the name of an +# interface, you must have iproute installed and the interface +# must be up before you start the firewall. +# +# In order to exclude a subset of the specified SUBNET, you +# may append "!" and a comma-separated list of IP addresses +# and/or subnets that you wish to exclude. +# +# Example: eth1!192.168.1.4,192.168.32.0/27 +# +# In that example traffic from eth1 would be masqueraded unless +# it came from 192.168.1.4 or 196.168.32.0/27 +# +# ADDRESS -- (Optional). If you specify an address here, SNAT will be +# used and this will be the source address. If +# ADD_SNAT_ALIASES is set to Yes or yes in +# /etc/shorewall/shorewall.conf then Shorewall +# will automatically add this address to the +# INTERFACE named in the first column. +# +# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if +# the address given in this column is the primary +# IP address for the interface in the INTERFACE +# column. +# +# Example 1: +# +# You have a simple masquerading setup where eth0 connects to +# a DSL or cable modem and eth1 connects to your local network +# with subnet 192.168.0.0/24. +# +# Your entry in the file can be either: +# +# eth0 eth1 +# +# or +# +# eth0 192.168.0.0/24 +# +# Example 2: +# +# You add a router to your local network to connect subnet +# 192.168.1.0/24 which you also want to masquerade. 
You then +# add a second entry for eth0 to this file: +# +# eth0 192.168.1.0/24 +# +# Example 3: +# +# You have an IPSEC tunnel through ipsec0 and you want to +# masquerade packets coming from 192.168.1.0/24 but only if +# these packets are destined for hosts in 10.1.1.0/24: +# +# ipsec0:10.1.1.0/24 196.168.1.0/24 +# +# Example 4: +# +# You want all outgoing traffic from 192.168.1.0/24 through +# eth0 to use source address 206.124.146.176. +# +# eth0 192.168.1.0/24 206.124.146.176 +# +# This would normally be done when you have a static external +# IP address since it makes the processing of outgoing +# packets somewhat faster. +############################################################################## +#INTERFACE SUBNET ADDRESS +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/STABLE/modules b/STABLE/modules new file mode 100644 index 000000000..5bc6278dd --- /dev/null +++ b/STABLE/modules @@ -0,0 +1,14 @@ +############################################################################## +# Shorewall 1.3 /etc/shorewall/modules +# +# This file loads the modules needed by the firewall. + + loadmodule ip_tables + loadmodule iptable_filter + loadmodule ip_conntrack + loadmodule ip_conntrack_ftp + loadmodule ip_conntrack_irc + loadmodule iptable_nat + loadmodule ip_nat_ftp + loadmodule ip_nat_irc + diff --git a/STABLE/nat b/STABLE/nat new file mode 100644 index 000000000..db85e4114 --- /dev/null +++ b/STABLE/nat 
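Review bot: Two example addresses in the masq template do not match the text they illustrate: the exclusion sentence says traffic is masqueraded unless it came from `196.168.32.0/27`, while the example line above it reads `eth1!192.168.1.4,192.168.32.0/27`, and Example 3's entry `ipsec0:10.1.1.0/24 196.168.1.0/24` is described as masquerading `192.168.1.0/24`. Users copy these lines verbatim, so both should read `192.168...`; as written, a copied Example 3 masquerades a range outside RFC 1918 instead of the private network the text describes.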
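Review bot: The modules template loads `ip_conntrack_irc` and `ip_nat_irc` (and the ftp helpers) unconditionally, with no comment saying what each one is for. A connection-tracking helper parses packet payload and opens expectation-based pinholes for the protocol it understands, so a site that does not relay IRC or FTP through the firewall has no reason to carry that exposure. A one-line comment per helper naming its protocol, with the IRC pair documented as optional, would let the administrator make that choice deliberately.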
@@ -0,0 +1,30 @@ +############################################################################## +# +# Shorewall 1.3 -- Network Address Translation Table +# +# /etc/shorewall/nat +# +# This file is used to define static Network Address Translation (NAT). +# +# WARNING: If all you want to do is simple port forwarding, do NOT use this +# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most +# cases, Proxy ARP is a better solution that static NAT. +# +# Columns must be separated by white space and are: +# +# EXTERNAL External IP Address - this should NOT be the primary +# IP address of the interface named in the next +# column. +# INTERFACE Interface that we want to EXTERNAL address to appear +# on +# INTERNAL Internal Address +# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective +# from all hosts. If No or no then NAT will be effective +# only through the interface named in the INTERFACE +# column +# LOCAL If Yes or yes and the ALL INTERFACES column contains +# Yes or yes, NAT will be effective from the firewall +# system +############################################################################## +#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/STABLE/params b/STABLE/params new file mode 100644 index 000000000..fbea82388 --- /dev/null +++ b/STABLE/params 
@@ -0,0 +1,43 @@ +# +# Shorewall 1.3 /etc/shorewall/params +# +# Assign any variables that you need here. +# +# It is suggested that variable names begin with an upper case letter +# to distinguish them from variables used internally within the +# Shorewall programs +# +# Example: +# +# NET_IF=eth0 +# NET_BCAST=130.252.100.255 +# NET_OPTIONS=noping,norfc1918 +# +# Example (/etc/shorewall/interfaces record): +# +# net $NET_IF $NET_BCAST $NET_OPTIONS +# +# The result will be the same as if the record had been written +# +# net eth0 130.252.100.255 noping,norfc1918 +# +# Variables can be used in the following places in the other configuration +# files: +# +# /etc/shorewall/interfaces: +# /etc/shorewall/hosts +# +# All except the first column. +# +# /etc/shorewall/rules +# +# First column after ":". +# All remaining columns +# +# /etc/shorewall/tunnels +# /etc/shorewall/proxyarp +# /etc/shorewall/nat +# +# All columns +############################################################################## +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/STABLE/policy b/STABLE/policy new file mode 100644 index 000000000..abee2aa0c --- /dev/null +++ b/STABLE/policy 
@@ -0,0 +1,47 @@
+#
+# Shorewall 1.3 -- Policy File
+#
+# /etc/shorewall/policy
+#
+# This file determines what to do with a new connection request if we
+# don't get a match from the /etc/shorewall/rules file or from the
+# /etc/shorewall/common[.def] file. For each source/destination pair, the
+# file is processed in order until a match is found ("all" will match
+# any client or server).
+#
+# Columns are:
+#
+# SOURCE Source zone. Must be the name of a zone defined
+# in /etc/shorewall/zones, $FW or "all".
+#
+# DEST Destination zone. Must be the name of a zone defined
+# in /etc/shorewall/zones, $FW or "all"
+#
+# POLICY Policy if no match from the rules file is found. Must
+# be "ACCEPT", "DENY", "REJECT" or "CONTINUE"
+#
+# LOG LEVEL If supplied, each connection handled under the default
+# POLICY is logged at that level. If not supplied, no
+# log message is generated. See syslog.conf(5) for a
+# description of log levels.
+#
+# If you don't want to log but need to specify the
+# following column, place "_" here.
+#
+# LIMIT:BURST If passed, specifies the maximum TCP connection rate
+# and the size of an acceptable burst. If not specified,
+# TCP connections are not limited.
+#
+# As shipped, the default policies are:
+#
+# a) All connections from the local network to the internet are allowed
+# b) All connections from the internet are ignored but logged at syslog
+# level KERNEL.INFO.
+# d) All other connection requests are rejected and logged at level
+# KERNEL.INFO.
+###############################################################################
+#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
+loc net ACCEPT
+net all DROP info
+all all REJECT info
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/STABLE/proxyarp b/STABLE/proxyarp
new file mode 100644
index 000000000..f7261543a
--- /dev/null
+++ b/STABLE/proxyarp
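Review bot: The POLICY column description and the shipped entries disagree: the comment says the value must be "ACCEPT", "DENY", "REJECT" or "CONTINUE", while the default line `net all DROP info` uses `DROP`, so a reader trusting the comment will take a working policy for a typo; if the parser accepts `DROP`, change the comment to `be "ACCEPT", "DROP", "REJECT" or "CONTINUE"`. The list of shipped defaults runs a), b), d), so either item c) was lost or the letters need renumbering. The LOG LEVEL text says to put `"_"` in an unused column, whereas the interfaces and routestopped templates in this same commit use `"-"` as the empty-column placeholder; confirm which token the parser honours and use one across the templates.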
@@ -0,0 +1,30 @@ +############################################################################## +# +# Shorewall 1.3 -- Proxy ARP +# +# /etc/shorewall/proxyarp +# +# This file is used to define Proxy ARP. +# +# Columns must be separated by white space and are: +# +# ADDRESS IP Address +# INTERFACE Local interface where system is connected. If the +# local interface is obvious from the subnetting, +# you may enter "-" in this column. +# EXTERNAL External Interface to be used to access this system +# +# HAVEROUTE If there is already a route from the firewall to +# the host whose address is given, enter "Yes" or "yes" +# in this column. Otherwise, entry "no", "No" or leave +# the column empty. +# +# Example: Host with IP 155.186.235.6 is connected to +# interface eth1 and we want hosts attached via eth0 +# to be able to access it using that address. +# +# #ADDRESS INTERFACE EXTERNAL HAVEROUTE +# 155.186.235.6 eth1 eth0 No +############################################################################## +#ADDRESS INTERFACE EXTERNAL HAVEROUTE +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/STABLE/releasenotes.txt b/STABLE/releasenotes.txt new file mode 100644 index 000000000..d3e57380b --- /dev/null +++ b/STABLE/releasenotes.txt @@ -0,0 +1,15 @@ +This is a minor release of Shorewall which rolls up a number of bug +fixes. + +New features include: + +1) The new "Shorewall Setup Guide" is included in this release. This + guide is intended for users who have multiple static external IP + addresses and for users who what to learn a bit more abound + Shorewall than is described in the single-address guides. + +2) Shorewall now drops non-SYN tcp packets that are not part of an + established connection. These packets can be optionally logged by + setting the new LOGNEWNOTSYN variable in shorewall.conf. + + diff --git a/STABLE/rfc1918 b/STABLE/rfc1918 new file mode 100644 index 000000000..d3ef5954a --- /dev/null +++ b/STABLE/rfc1918 
@@ -0,0 +1,61 @@
+#
+# Shorewall 1.3 -- RFC1918 File
+#
+# /etc/shorewall/rfc1918
+#
+# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
+#
+# The default list includes those IP addresses listed in RFC 1918, those listed
+# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
+# reserved for use in documentation and examples.
+#
+# Columns are:
+#
+# SUBNET The subnet (host addresses also allowed)
+# TARGET Where to send packets to/from this subnet
+# RETURN - let the packet be processed normally
+# DROP - silently drop the packet
+# logdrop - log then drop
+#
+###############################################################################
+#SUBNET TARGET
+255.255.255.255 RETURN # We need to allow limited broadcast
+169.254.0.0/16 DROP # DHCP autoconfig
+172.16.0.0/12 logdrop # RFC 1918
+192.0.2.0/24 logdrop # Example addresses
+192.168.0.0/16 logdrop # RFC 1918
+#
+# The following are generated using the Python program found at:
+#
+# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
+#
+# The program was contributed by Andy Wiggin
+#
+0.0.0.0/7 logdrop # Reserved
+2.0.0.0/8 logdrop # Reserved
+5.0.0.0/8 logdrop # Reserved
+7.0.0.0/8 logdrop # Reserved
+10.0.0.0/8 logdrop # Reserved
+23.0.0.0/8 logdrop # Reserved
+27.0.0.0/8 logdrop # Reserved
+31.0.0.0/8 logdrop # Reserved
+36.0.0.0/7 logdrop # Reserved
+39.0.0.0/8 logdrop # Reserved
+41.0.0.0/8 logdrop # Reserved
+42.0.0.0/8 logdrop # Reserved
+58.0.0.0/7 logdrop # Reserved
+60.0.0.0/8 logdrop # Reserved
+69.0.0.0/8 logdrop # Reserved
+70.0.0.0/7 logdrop # Reserved
+72.0.0.0/5 logdrop # Reserved
+82.0.0.0/7 logdrop # Reserved
+84.0.0.0/6 logdrop # Reserved
+88.0.0.0/5 logdrop # Reserved
+96.0.0.0/3 logdrop # Reserved
+197.0.0.0/8 logdrop # Reserved
+222.0.0.0/7 logdrop # Reserved
+240.0.0.0/4 logdrop # Reserved
+#
+# End of generated entries
+#
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
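Review bot: The generated "Reserved" block is a snapshot of the IANA allocation registry with no date recorded, and every entry is `logdrop`, so as those /8s get assigned traffic from newly allocated networks arriving on a `norfc1918` interface is logged and dropped until someone regenerates the file; add a `# generated <DATE>` comment (placeholder) next to the "End of generated entries" marker and a header sentence saying the list must be refreshed against the current registry. `10.0.0.0/8` also sits inside the generated block commented `# Reserved`, while its RFC 1918 siblings `172.16.0.0/12` and `192.168.0.0/16` are listed above it as `# RFC 1918`; moving it up with the other two keeps the hand-maintained and generated sections distinct and the comment accurate.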
diff --git a/STABLE/routestopped b/STABLE/routestopped
new file mode 100644
index 000000000..db1459080
--- /dev/null
+++ b/STABLE/routestopped
@@ -0,0 +1,25 @@
+##############################################################################
+#
+# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped
+#
+# /etc/shorewall/routestopped
+#
+# This file is used to define the hosts that are accessible when the
+# firewall is stopped
+#
+# Columns must be separated by white space and are:
+#
+# INTERFACE - Interface through which host(s) communicate with
+# the firewall
+# HOST(S) - (Optional) Comma-separated list of IP/subnet
+# addresses. If left empty or supplied as "-",
+# 0.0.0.0/0 is assumed.
+#
+# Example:
+#
+# INTERFACE HOST(S)
+# eth2 192.168.1.0/24
+# eth0 192.0.2.44
+##############################################################################
+#INTERFACE HOST(S)
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE/rules b/STABLE/rules
new file mode 100644
index 000000000..8e686d040
--- /dev/null
+++ b/STABLE/rules
@@ -0,0 +1,173 @@ +# +# Shorewall version 1.3 - Rules File +# +# /etc/shorewall/rules +# +# Rules in this file govern connection establishment. Requests and +# responses are automatically allowed using connection tracking. +# +# In most places where an IP address or subnet is allowed, you +# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to +# indicate that the rule matches all addresses except the address/subnet +# given. Notice that no white space is permitted between "!" and the +# address/subnet. +# +# Columns are: +# +# +# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT +# +# ACCEPT -- allow the connection request +# DROP -- ignore the request +# REJECT -- disallow the request and return an +# icmp-unreachable or an RST packet. +# DNAT -- Forward the request to another +# system (and optionally another +# port). +# REDIRECT -- Redirect the request to a local +# port on the firewall. +# +# May optionally be followed by ":" and a syslog log +# level (e.g, REJECT:info). This causes the packet to be +# logged at the specified level. +# +# SOURCE Source hosts to which the rule applies. May be a zone +# defined in /etc/shorewall/zones or $FW to indicate the +# firewall itself. If the ACTION is DNAT or REDIRECT, +# sub-zones of the specified zone may be excluded from +# the rule by following the zone name with "!' and a +# comma-separated list of sub-zone names. +# +# Clients may be further restricted to a list of subnets +# and/or hosts by appending ":" and a comma-separated +# list of subnets and/or hosts. Hosts may be specified +# by IP or MAC address; mac addresses must begin with +# "~" and must use "-" as a separator. +# +# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ +# +# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the +# Internet +# +# loc:192.168.1.1,192.168.1.2 +# Hosts 192.168.1.1 and +# 192.168.1.2 in the local zone. +# loc:~00-A0-C9-15-39-78 Host in the local zone with +# MAC address 00:A0:C9:15:39:78. 
+# +# Alternatively, clients may be specified by interface +# by appending ":" followed by the interface name. For +# example, loc:eth1 specifies a client that +# communicates with the firewall system through eth1. +# +# DEST Location of Server. May be a zone defined in +# /etc/shorewall/zones or $FW to indicate the firewall +# itself. +# +# The server may be further restricted to a particular +# subnet, host or interface by appending ":" and the +# subnet, host or interface. See above. +# +# The port that the server is listening on may be +# included and separated from the server's IP address by +# ":". If omitted, the firewall will not modifiy the +# destination port. A destination port may only be +# included if the ACTION is DNAT or REDIRECT. +# +# Example: loc:192.168.1.3:3128 specifies a local +# server at IP address 192.168.1.3 and listening on port +# 3128. The port number MUST be specified as an integer +# and not as a name from /etc/services. +# +# if the ACTION is REDIRECT, this column needs only to +# contain the port number on the firewall that the +# request should be redirected to. +# +# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, +# "all" or "related". If "related", the remainder of the +# entry must be omitted and connection requests that are +# related to existing requests will be accepted. +# +# DEST PORT(S) Destination Ports. A comma-separated list of Port +# names (from /etc/services), port numbers or port +# ranges; if the protocol is "icmp", this column is +# interpreted as the destination icmp-type(s). +# +# A port range is expressed as :. +# +# This column is ignored if PROTOCOL = all but must be +# entered if any of the following ields are supplied. +# In that case, it is suggested that this field contain +# "-" +# +# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then +# only a single Netfilter rule will be generated if in +# this list and the CLIENT PORT(S) list below: +# 1. There are 15 or less ports listed. +# 2. 
No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. +# +# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, +# any source port is acceptable. Specified as a comma- +# separated list of port names, port numbers or port +# ranges. +# +# If you don't want to restrict client ports but need to +# specify an ADDRESS in the next column, then place "-" +# in this column. +# +# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then +# only a single Netfilter rule will be generated if in +# this list and the DEST PORT(S) list above: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. +# +# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or +# REDIRECT) If included and different from the IP +# address given in the SERVER column, this is an address +# on some interface on the firewall and connections to +# that address will be forwarded to the IP and port +# specified in the DEST column. +# +# The address may optionally be followed by +# a colon (":") and a second IP address. This causes +# Shorewall to use the second IP address as the source +# address in forwarded packets. See the Shorewall +# documentation for restrictions concerning this feature. +# If no source IP address is given, the original source +# address is not altered. 
+# +# Example: Accept SMTP requests from the DMZ to the internet +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# ACCEPT dmz net tcp smtp +# +# Example: Forward all ssh and http connection requests from the internet +# to local system 192.168.1.3 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp ssh,http +# +# Example: Redirect all locally-originating www connection requests to +# port 3128 on the firewall (Squid running on the firewall +# system) except when the destination address is 192.168.2.2 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# REDIRECT loc 3128 tcp www - !192.168.2.2 +# +# Example: All http requests from the internet to address +# 130.252.100.69 are to be forwarded to 192.168.1.3 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 +############################################################################## +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# PORT PORT(S) DEST +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/STABLE/shorewall b/STABLE/shorewall new file mode 100755 index 000000000..196b838cd --- /dev/null +++ b/STABLE/shorewall 
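Review bot: The SOURCE column documentation presents `loc:~00-A0-C9-15-39-78` as a way to pin a rule to one host, but a MAC address is set by the sender and is only visible on a segment directly attached to the firewall, so a rule keyed on it is a convenience match, not an authentication control. I would add a caveat right after that example: `# NOTE: MAC addresses are easily forged and only match on directly-attached segments; do not use them as the sole source restriction for ACCEPT or DNAT rules.` The second example, `DNAT net loc:192.168.1.3 tcp ssh,http`, forwards ssh from the entire net zone; it is only an example, but templates get copied, and a `net:<address>` restriction would make it safer to copy. The port-range sentence reads `A port range is expressed as :.` here — presumably the angle-bracketed placeholders were stripped in rendering, but if the committed text really lacks them it should read `<low port>:<high port>`.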
@@ -0,0 +1,719 @@ +#!/bin/sh +# +# Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002 +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) +# +# +# This file should be placed in /sbin/shorewall. +# +# Shorewall documentation is available at http://shorewall.sourceforge.net +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of Version 2 of the GNU General Public License +# as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA +# +# If an error occurs while starting or restarting the firewall, the +# firewall is automatically stopped. +# +# The firewall uses configuration files in /etc/shorewall/ - skeleton +# files is included with the firewall. +# +# Commands are: +# +# shorewall start Starts the firewall +# shorewall restart Restarts the firewall +# shorewall stop Stops the firewall +# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status +# plus the last 20 "interesting" +# packets +# shorewall status Displays firewall status +# shorewall reset Resets iptables packet and +# byte counts +# shorewall clear Open the floodgates by +# removing all iptables rules +# and setting the three permanent +# chain policies to ACCEPT +# shorewall refresh Rebuild the common chain to +# compensate for a change of +# broadcast address on any "detect" +# interface. 
+# shorewall show Display the rules in a +# shorewall show log Print the last 20 log messages +# shorewall show connections Show the kernel's connection +# tracking table +# shorewall show nat Display the rules in the nat table +# shorewall show {mangle|tos} Display the rules in the mangle table +# shorewall show tc Display traffic control info +# shorewall version Display the installed version id +# shorewall check Verify the more heavily-used +# configuration files. +# shorewall try [ ] Try a new configuration and if +# it doesn't work, revert to the +# standard one. If a timeout is supplied +# the command reverts back to the +# standard configuration after that many +# seconds have elapsed after successfully +# starting the new configuration. +# shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall +# messages. +# shorewall drop
... Temporarily drop all packets from the +# listed address(es) +# shorewall reject
... Temporarily reject all packets from the +# listed address(es) +# shorewall allow
... Reenable address(es) previously +# disabled with "drop" or "reject" +# shorewall save Save the list of "rejected" and +# "dropped" addresses so that it will +# be automatically reinstated the +# next time that Shorewall starts. +# +# Display a chain if it exists +# +showfirstchain() # $1 = name of chain +{ + awk \ + 'BEGIN {prnt=0; rslt=1; }; \ + /^$/ { next; };\ + /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\ + /Chain '$1'/ { prnt=1; }; \ + { if (prnt == 1) print; };\ + END { exit rslt; }' /tmp/chains-$$ +} + +showchain() # $1 = name of chain +{ + if [ "$firstchain" = "Yes" ]; then + if showfirstchain $1; then + firstchain= + fi + else + awk \ + 'BEGIN {prnt=0;};\ + /^$|^ pkts/ { next; };\ + /^Chain/ {if ( prnt == 1 ) exit; };\ + /Chain '$1'/ { prnt=1; };\ + { if (prnt == 1) print; }' /tmp/chains-$$ + fi +} + +################################################################################# +# Set the configuration variables from shorewall.conf # +################################################################################# +get_config() { + get_statedir + + [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages + + if [ ! -f $LOGFILE ]; then + echo "LOGFILE ($LOGFILE) does not exist!" 
>&2 + exit 2 + fi + # + # See if we have a real version of "tail" -- use separate redirection so + # that ash (aka /bin/sh on LRP) doesn't crap + # + if ( tail -n5 $LOGFILE > /dev/null 2> /dev/null ) ; then + realtail="Yes" + else + realtail="" + fi + + [ -n "$FW" ] || FW=fw +} + +################################################################################# +# Display IPTABLES rules -- we used to store them in a variable but ash # +# dies when trying to display large sets of rules # +################################################################################# +display_chains() +{ + trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9 + + if [ "$haveawk" = "Yes" ]; then + # + # Send the output to a temporary file since ash craps if we try to store + # the output in a variable. + # + iptables -L -n -v > /tmp/chains-$$ + + clear + echo -e "$banner `date`\\n" + echo -e "Standard Chains\\n" + firstchain="Yes" + showchain INPUT + showchain OUTPUT + showchain FORWARD + + timed_read + + clear + echo -e "$banner `date`\\n" + firstchain=Yes + echo -e "Input Chains\\n" + + chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2` + + for chain in $chains; do + showchain $chain + done + + timed_read + + for zone in $zones; do + + if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then + clear + echo -e "$banner `date`\\n" + firstchain=Yes + eval display=\$${zone}_display + echo -e "$display Chains\\n" + for zone1 in $FW $zones; do + showchain ${zone}2$zone1 + showchain @${zone}2$zone1 + [ "$zone" != "$zone1" ] && \ + showchain ${zone1}2${zone} && \ + showchain @${zone1}2${zone} + done + + timed_read + fi + done + + clear + echo -e "$banner `date`\\n" + firstchain=Yes + echo -e "Policy Chains\\n" + showchain common + showchain badpkt + showchain icmpdef + showchain rfc1918 + showchain blacklst + showchain reject + showchain newnotsyn + for zone in $zones all; do + showchain ${zone}2all + showchain @${zone}2all + [ "$zone" = "all" ] || { showchain all2${zone}; 
showchain @all2${zone}; } + done + + timed_read + + clear + echo -e "$banner `date`\\n" + firstchain=Yes + echo -e "Dynamic Chain\\n" + showchain dynamic + timed_read + + qt rm -f /tmp/chains-$$ + else + iptables -L -n -v + timed_read + fi + trap - 1 2 3 4 5 6 9 + +} + +################################################################################# +# Delay $timeout seconds -- if we're running on a recent bash2 then allow # +# to terminate the delay # +################################################################################# +timed_read () +{ + read -t $timeout foo 2> /dev/null + + test $? -eq 2 && sleep $timeout +} + +################################################################################# +# Display the last $1 packets logged # +################################################################################# +packet_log() # $1 = number of messages +{ + local options + + [ -n "$realtail" ] && options="-n$1" + + grep 'Shorewall:\|ipt_unclean' $LOGFILE | \ + sed s/" $host kernel: Shorewall:"/" "/ | \ + sed s/" $host kernel: ipt_unclean: "/" "/ | \ + sed 's/MAC=.*SRC=/SRC=/' | \ + tail $options +} + +################################################################################# +# Show traffic control information # +################################################################################# +show_tc() { + + show_one_tc() { + local device=${1%@*} + qdisc=`tc qdisc list dev $device` + + if [ -n "$qdisc" ]; then + echo Device $device: + tc -s -d qdisc show dev $device + tc -s -d class show dev $device + echo + fi + } + + ip link list | \ + while read inx interface details; do + case $inx in + [0-9]*) + show_one_tc ${interface%:} + ;; + *) + ;; + esac + done + +} + +################################################################################# +# Monitor the Firewall # +################################################################################# +monitor_firewall() # $1 = timeout -- if negative, prompt each time that + # an 
'interesting' packet count changes +{ + + get_config + host=`echo $HOSTNAME | sed 's/\..*$//'` + oldrejects=`iptables -L -v -n | grep 'LOG'` + + if [ $1 -lt 0 ]; then + let "timeout=- $1" + pause="Yes" + else + pause="No" + timeout=$1 + fi + + qt which awk && { haveawk=Yes; determine_zones; } || haveawk= + + while true; do + display_chains + + clear + echo -e "$banner `date`\\n" + + echo -e "Dropped/Rejected Packet Log\\n" + + rejects=`iptables -L -v -n | grep 'LOG'` + + if [ "$rejects" != "$oldrejects" ]; then + oldrejects="$rejects" + echo -e '\a' + packet_log 20 + + if [ "$pause" = "Yes" ]; then + echo -en '\nEnter any character to continue: ' + read foo + else + timed_read + fi + else + echo + packet_log 20 + timed_read + fi + + clear + echo -e "$banner `date`\\n" + echo -e "NAT Status\\n" + iptables -t nat -L -n -v + timed_read + + clear + echo -e "$banner `date`\\n" + echo -e "\\nTOS/MARK Status\\n" + iptables -t mangle -L -n -v + timed_read + + clear + echo -e "$banner `date`\\n" + echo -e "\\nTracked Connections\\n" + cat /proc/net/ip_conntrack + timed_read + + clear + echo -e "$banner `date`\\n" + echo -e "\\nTraffic Shaping/Control\\n" + show_tc + timed_read + done +} + +################################################################################# +# Watch the Firewall Log # +################################################################################# +logwatch() # $1 = timeout -- if negative, prompt each time that + # an 'interesting' packet count changes +{ + + get_config + host=`echo $HOSTNAME | sed 's/\..*$//'` + oldrejects=`iptables -L -v -n | grep 'LOG'` + + if [ $1 -lt 0 ]; then + timeout=$((- $1)) + pause="Yes" + else + pause="No" + timeout=$1 + fi + + qt which awk && haveawk=Yes || haveawk= + + while true; do + clear + echo -e "$banner `date`\\n" + + echo -e "Dropped/Rejected Packet Log\\n" + + rejects=`iptables -L -v -n | grep 'LOG'` + + if [ "$rejects" != "$oldrejects" ]; then + oldrejects="$rejects" + echo -e '\a' + packet_log 40 + + 
if [ "$pause" = "Yes" ]; then + echo -en '\nEnter any character to continue: ' + read foo + else + timed_read + fi + else + echo + packet_log 40 + timed_read + fi + done +} + +################################################################################# +# Give Usage Information # +################################################################################# +usage() # $1 = exit status +{ + echo "Usage: `basename $0` [debug] [nolock] [-c ] " + echo "where is one of:" + echo " show [|connections|log|nat|tc|tos]" + echo " start" + echo " stop" + echo " reset" + echo " restart" + echo " status" + echo " clear" + echo " refresh" + echo " hits" + echo " monitor []" + echo " version" + echo " check" + echo " try [ ]" + echo " logwatch []" + echo " drop
..." + echo " reject
..." + echo " allow
..." + echo " save" + exit $1 +} + +################################################################################# +# Display the time that the counters were last reset # +################################################################################# +show_reset() { + [ -f /var/lib/shorewall/restarted ] && \ + echo -e "Counters reset `cat /var/lib/shorewall/restarted`\\n" +} + +################################################################################# +# Execution begins here # +################################################################################# +debugging= + +if [ $# -gt 0 ] && [ "$1" = "debug" ]; then + debugging=debug + shift +fi + +nolock= + +if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then + nolock=nolock + shift +fi + +SHOREWALL_DIR= +done=0 + +while [ $done -eq 0 ]; do + [ $# -eq 0 ] && usage 1 + case $1 in + -c) + [ $# -eq 1 ] && usage 1 + + if [ ! -d $2 ]; then + if [ -e $2 ]; then + echo "$2 is not a directory" >&2 && exit 2 + else + echo "Directory $2 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$2 + shift + shift + ;; + *) + done=1 + ;; + esac +done + +if [ $# -eq 0 ]; then + usage 1 +fi + +[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR + +functions=/var/lib/shorewall/functions + +if [ -f $functions ]; then + . $functions +else + echo "$functions does not exist!" >&2 + exit 2 +fi + +firewall=/var/lib/shorewall/firewall + +if [ ! 
-f $firewall ]; then + echo "ERROR: Shorewall is not properly installed" + if [ -L $firewall ]; then + echo " $firewall is a symbolic link to a" + echo " non-existant file" + else + echo " The file /var/lib/shorewall/firewall does not exist" + fi + + exit 2 +fi + +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin + +version_file=/var/lib/shorewall/version + +if [ -f $version_file ]; then + version=`cat $version_file` +else + echo "ERROR: Shorewall is not properly installed" + echo " The file /var/lib/shorewall/version does not exist" + exit 1 +fi + +banner="Shorewall-$version Status at $HOSTNAME -" + +case "$1" in + start|stop|restart|reset|clear|refresh|check) + [ $# -ne 1 ] && usage 1 + exec $firewall $debugging $nolock $1 + ;; + show) + [ $# -gt 2 ] && usage 1 + case "$2" in + connections) + echo -e "Shorewall-$version Connections at $HOSTNAME - `date`\\n" + cat /proc/net/ip_conntrack + ;; + nat) + echo -e "Shorewall-$version NAT at $HOSTNAME - `date`\\n" + show_reset + iptables -t nat -L -n -v + ;; + tos|mangle) + echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n" + show_reset + iptables -t mangle -L -n -v + ;; + log) + get_config + echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n" + host=`echo $HOSTNAME | sed 's/\..*$//'` + packet_log 20 + ;; + tc) + echo -e "Shorewall-$version Traffic Control at $HOSTNAME - `date`\\n" + show_tc + ;; + *) + echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n" + show_reset + iptables -L $2 -n -v + ;; + esac + ;; + monitor) + if [ $# -eq 2 ]; then + monitor_firewall $2 + elif [ $# -eq 1 ]; then + monitor_firewall 30 + else + usage 1 + fi + ;; + status) + [ $# -eq 1 ] || usage 1 + get_config + clear + echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n" + show_reset + host=`echo $HOSTNAME | sed 's/\..*$//'` + iptables -L -n -v + echo + packet_log 20 + echo + iptables -t nat -L -n -v + echo + iptables -t mangle -L -n -v + echo + cat /proc/net/ip_conntrack + ;; + hits) + [ $# -eq 1 ] 
|| usage 1 + get_config + clear + echo -e "Shorewall-$version Hits at $HOSTNAME - `date`\\n" + timeout=30 + + if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then + echo " HITS IP DATE" + echo " ---- --------------- ------" + grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/' | sort | uniq -c | sort -rn + echo "" + + echo " HITS IP PORT" + echo " ---- --------------- -----" + grep "Shorewall:" $LOGFILE | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/ + t + s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn + echo "" + + echo " HITS DATE" + echo " ---- ------" + grep "Shorewall:" $LOGFILE | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn + echo "" + + echo " HITS PORT SERVICE(S)" + echo " ---- ----- ----------" + grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ + while read count port ; do + # List all services defined for the given port + srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u` + srv=`echo $srv | sed 's/ /,/g'` + + if [ -n "$srv" ] ; then + printf '%7d %5d %s\n' $count $port $srv + else + printf '%7d %5d\n' $count $port + fi + done + fi + ;; + version) + echo $version + ;; + try) + [ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\"" + [ $# -lt 2 -o $# -gt 3 ] && usage 1 + if ! $0 -c $2 restart; then + if ! iptables -L shorewall > /dev/null 2> /dev/null; then + $0 start + fi + elif ! 
iptables -L shorewall > /dev/null 2> /dev/null; then + $0 start + elif [ $# -eq 3 ]; then + sleep $3 + $0 restart + fi + ;; + logwatch) + if [ $# -eq 2 ]; then + logwatch $2 + elif [ $# -eq 1 ]; then + logwatch 30 + else + usage 1 + fi + ;; + drop) + [ $# -eq 1 ] && usage 1 + mutex_on + while [ $# -gt 1 ]; do + shift + iptables -A dynamic -s $1 -j DROP || break 1 + echo "$1 Dropped" + done + mutex_off + ;; + reject) + [ $# -eq 1 ] && usage 1 + mutex_on + while [ $# -gt 1 ]; do + shift + iptables -A dynamic -s $1 -j reject || break 1 + echo "$1 Rejected" + done + mutex_off + ;; + allow) + [ $# -eq 1 ] && usage 1 + mutex_on + while [ $# -gt 1 ]; do + shift + if qt iptables -D dynamic -s $1 -j reject; then + # + # Address was rejected -- silently remove any drop as well + # + qt iptables -D dynamic -s $1 -j DROP + echo "$1 Allowed" + elif qt iptables -D dynamic -s $1 -j DROP; then + echo "$1 Allowed" + else + echo "$1 Not Dropped or Rejected" + fi + done + mutex_off + ;; + save) + [ $# -ne 1 ] && usage 1 + mutex_on + if qt iptables -L shorewall -n; then + if iptables -L dynamic -n > /var/lib/shorewall/save; then + echo "Dynamic Rules Saved" + else + echo "Error Saving the Dynamic Rules" + fi + else + echo "Shorewall isn't started" + fi + mutex_off + ;; + *) + usage 1 + ;; +esac diff --git a/STABLE/shorewall.conf b/STABLE/shorewall.conf new file mode 100644 index 000000000..36ccc6955 --- /dev/null +++ b/STABLE/shorewall.conf 
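Review bot: display_chains writes the full ruleset dump to the predictable, world-writable path `/tmp/chains-$$` (`iptables -L -n -v > /tmp/chains-$$`) while running as root, so a local user who pre-creates that name as a symlink can have root truncate an arbitrary file, and under a default umask the dump itself — every rule and counter — is readable by all local users; showfirstchain, showchain and the two grep calls in display_chains hard-code the same path. The spec in this same commit installs /var/lib/shorewall as a root-only 0700 directory, so the dump belongs there: derive the name once in display_chains and have the awk helpers read it from a variable. STATEDIR is set by get_statedir in the sourced functions file, which is not visible here, so the fallback below assumes the spec's path. Two smaller points in the same hunk: signal 9 in the `trap` lists can never be caught, and monitor_firewall uses the bash-only `let "timeout=- $1"` while logwatch uses the POSIX `timeout=$((- $1))`, under a `#!/bin/sh` shebang that the comments say must survive ash.
```shell
showfirstchain() # $1 = name of chain; reads the dump named by $chains_file
{
    awk \
    'BEGIN {prnt=0; rslt=1; }; \
    /^$/ { next; };\
    /^Chain/ {if ( prnt == 1 ) { rslt=0; exit 0; }; };\
    /Chain '$1'/ { prnt=1; }; \
    { if (prnt == 1) print; };\
    END { exit rslt; }' "$chains_file"
}

# … unchanged: showchain, except its awk reads "$chains_file" instead of /tmp/chains-$$ …

display_chains()
{
    # Keep the dump in the root-only state directory, never in world-writable /tmp
    chains_file=${STATEDIR:-/var/lib/shorewall}/chains-$$
    trap "rm -f $chains_file; exit 1" 1 2 3 4 5 6

    if [ "$haveawk" = "Yes" ]; then
        iptables -L -n -v > "$chains_file"
        # … unchanged: paging through standard, input, zone, policy and dynamic chains,
        #              except the two grep calls also read "$chains_file" …
        qt rm -f "$chains_file"
    else
        iptables -L -n -v
        timed_read
    fi
    trap - 1 2 3 4 5 6
}
```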
@@ -0,0 +1,352 @@ +############################################################################## +# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to +# match your setup +# +# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] +# +# This file should be placed in /etc/shorewall +# +# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) +############################################################################## +# +# NAME OF THE FIREWALL ZONE +# +# Name of the firewall zone -- if not set or if set to an empty string, "fw" +# is assumed. +# +FW=fw + +# +# SUBSYSTEM LOCK FILE +# +# Set this to the name of the lock file expected by your init scripts. For +# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it +# should be /var/state/shorewall. If your init scripts don't use lock files, +# set this to "". +# + +SUBSYSLOCK=/var/lock/subsys/shorewall + +# +# SHOREWALL TEMPORARY STATE DIRECTORY +# +# This is the directory where the firewall maintains state information while +# it is running +# + +STATEDIR=/var/lib/shorewall + +# +# ALLOW RELATED CONNECTIONS +# +# Set this to "yes" or "Yes" if you want to accept all connection requests +# that are related to already established connections. For example, you want +# to accept FTP data connections. If you say "no" here, then to accept +# these connections between particular zones or hosts, you must include +# explicit "related" rules in /etc/shorewall/rules. +# + +ALLOWRELATED=yes + +# +# KERNEL MODULE DIRECTORY +# +# If your netfilter kernel modules are in a directory other than +# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that +# directory in this variable. Example: MODULESDIR=/etc/modules. + +MODULESDIR= + +# +# LOG RATE LIMITING +# +# The next two variables can be used to control the amount of log output +# generated. 
LOGRATE is expressed as a number followed by an optional +# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum +# rate at which a particular message will occur. LOGBURST determines the +# maximum initial burst size that will be logged. If set empty, the default +# value of 5 will be used. +# +# Example: +# +# LOGRATE=10/minute +# LOGBURST=5 +# +# If BOTH variables are set empty then logging will not be rate-limited. +# + +LOGRATE= +LOGBURST= + +# +# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS +# +# This variable determines the level at which Mangled/Invalid packets are logged +# under the 'dropunclean' interface option. If you set this variable to an +# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped +# silently. +# +# The value of this variable also determines the level at which Mangled/Invalid +# packets are logged under the 'logunclean' interface option. If the variable +# is empty, these packets will still be logged at the 'info' level. +# + +LOGUNCLEAN=info + +# +# LOG FILE LOCATION +# +# This variable tells the /sbin/shorewall program where to look for Shorewall +# log messages. If not set or set to an empty string (e.g., LOGFILE="") then +# /var/log/messages is assumed. +# +# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to +# look for Shorewall messages.It does NOT control the destination for +# these messages. For information about how to do that, see +# +# http://www.shorewall.net/FAQ.htm#faq6 + +LOGFILE=/var/log/messages + +# +# ENABLE NAT SUPPORT +# +# You probally want yes here. Only gateways not doing NAT in any form, like +# SNAT,DNAT masquerading, port forwading etc. should say "no" here. +# +NAT_ENABLED=Yes + +# +# ENABLE MANGLE SUPPORT +# +# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file +# and will not initialize the mangle table when starting or stopping +# your firewall. You must enable mangling if you want Traffic Shaping +# (see TC_ENABLED below). 
+# +MANGLE_ENABLED=Yes + +# +# ENABLE IP FORWARDING +# +# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you +# say "Off" or "off", packet forwarding will be disabled. You would only want +# to disable packet forwarding if you are installing Shorewall on a +# standalone system or if you want all traffic through the Shorewall system +# to be handled by proxies. +# +# If you set this variable to "Keep" or "keep", Shorewall will neither +# enable nor disable packet forwarding. +# +IP_FORWARDING=On + +# +# AUTOMATICALLY ADD NAT IP ADDRESSES +# +# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses +# for each NAT external address that you give in /etc/shorewall/nat. If you say +# "No" or "no", you must add these aliases youself. +# +ADD_IP_ALIASES=Yes + +# +# AUTOMATICALLY ADD SNAT IP ADDRESSES +# +# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses +# for each SNAT external address that you give in /etc/shorewall/masq. If you say +# "No" or "no", you must add these aliases youself. +# +ADD_SNAT_ALIASES=No + +# +# ENABLE TRAFFIC SHAPING +# +# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If +# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic +# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and +# you must enable packet mangling above. +# +TC_ENABLED=No + +# +# BLACKLIST DISPOSITION +# +# Set this variable to the action that you want to perform on packets from +# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, +# DROP is assumed. +# +BLACKLIST_DISPOSITION=DROP + +# +# BLACKLIST LOG LEVEL +# +# Set this variable to the syslogd level that you want blacklist packets logged +# (beward of DOS attacks resulting from such logging). If not set, no logging +# of blacklist packets occurs. 
+# +BLACKLIST_LOGLEVEL= + +# +# MSS CLAMPING +# +# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU" +# option. This option is most commonly required when your internet +# interface is some variant of PPP (PPTP or PPPoE). Your kernel must +# have CONFIG_IP_NF_TARGET_TCPMSS set. +# +# [From the kernel help: +# +# This option adds a `TCPMSS' target, which allows you to alter the +# MSS value of TCP SYN packets, to control the maximum size for that +# connection (usually limiting it to your outgoing interface's MTU +# minus 40). +# +# This is used to overcome criminally braindead ISPs or servers which +# block ICMP Fragmentation Needed packets. The symptoms of this +# problem are that everything works fine from your Linux +# firewall/router, but machines behind it can never exchange large +# packets: +# 1) Web browsers connect, then hang with no data received. +# 2) Small mail works fine, but large emails hang. +# 3) ssh works fine, but scp hangs after initial handshaking. +# ] +# +# If left blank, or set to "No" or "no", the option is not enabled. +# +CLAMPMSS=No + +# +# ROUTE FILTERING +# +# Set this variable to "Yes" or "yes" if you want kernel route filtering on all +# interfaces (anti-spoofing measure). +# +# If this variable is not set or is set to the empty value, "No" is assumed. +# In that case, you can still enable route filtering on individual interfaces +# in the /etc/shorewall/interfaces file. + +ROUTE_FILTER=No + +# +# NAT BEFORE RULES +# +# Shorewall has traditionally processed static NAT rules before port forwarding +# rules. If you would like to reverse the order, set this variable to "No". +# +# If this variable is not set or is set to the empty value, "Yes" is assumed. + +NAT_BEFORE_RULES=Yes + +# MULTIPORT support +# +# If your kernel includes the multiport match option +# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. 
When this +# option is enabled by setting it's value to "Yes" or "yes": +# +# 1) If you list more that 15 ports in a comma-seperated list in +# /etc/shorewall/rules, Shorewall will not use the multiport option +# but will generate a separate rule for each element of each port +# list. +# 2) If you include a port range (:) in the +# rule, Shorewall will not use the multiport option but will generate +# a separate rule for each element of each port list. +# +# See the /etc/shorewall/rules file for additional information on this option. +# +# if this variable is not set or is set to the empty value, "No" is assumed. + +MULTIPORT=No + +# DNAT IP ADDRESS DETECTION +# +# Normally when Shorewall encounters the following rule: +# +# DNAT net loc:192.168.1.3 tcp 80 +# +# it will forward TCP port 80 connections from the net to 192.168.1.3 +# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is +# convenient for two reasons: +# +# a) If the the network interface has a dynamic IP address, the +# firewall configuration will work even when the address +# changes. +# +# b) It saves having to configure the IP address in the rule +# while still allowing the firewall to be started before the +# internet interface is brought up. +# +# This default behavior can also have a negative effect. If the +# internet interface has more than one IP address then the above +# rule will forward connection requests on all of these addresses; +# that may not be what is desired. +# +# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply +# only if the original destination address is the primary IP address of +# one of the interfaces associated with the source zone. Note that this +# requires all interfaces to the source zone to be up when the firewall +# is [re]started. 
+ +DETECT_DNAT_IPADDRS=No + +# +# MERGE HOSTS FILE +# +# The traditional behavior of the /etc/shorewall/hosts file has been that +# if that file has ANY entry for a zone then the zone must be defined +# entirely in the hosts file. This is counter-intuitive and has caused +# people some problems. +# +# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file +# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file +# are added to the contents described in the /etc/shorewall/interfaces file. +# +# Example: Suppose that we have the following interfaces and hosts files: +# +# Interfaces: +# +# net eth0 +# loc eth1 +# - ppp+ +# +# Hosts: +# +# loc ppp+:192.168.1.0/24 +# wrk ppp+:!192.168.1.0/24 +# +# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just +# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be +# ppp+:192.168.1.0 and eth1:0.0.0.0/0 +# +# If this variable is not set or is set to the empty value, "No" is assumed. + +MERGE_HOSTS=Yes + +# +# MUTEX TIMEOUT +# +# The value of this variable determines the number of seconds that programs +# will wait for exclusive access to the Shorewall lock file. After the number +# of seconds corresponding to the value of this variable, programs will assume +# that the last program to hold the lock died without releasing the lock. +# +# If not set or set to the empty value, a value of 60 (60 seconds) is assumed. +# +# An appropriate value for this parameter would be twice the length of time +# that it takes your firewall system to process a "shorewall restart" command. + +MUTEX_TIMEOUT=60 + +# +# LOGGING 'New not SYN' rejects +# +# When a TCP packet that does not have the SYN flag set and the ACK and RST +# flags clear then unless the packet is part of an established connection, +# it will be rejected by the firewall. If you want these rejects logged, +# then set LOGNEWNOTSYN to the syslog log level at which you want them logged. 
+# +# Example: LOGNEWNOTSYN=debug + + +LOGNEWNOTSYN= + +#LAST LINE -- DO NOT REMOVE diff --git a/STABLE/shorewall.spec b/STABLE/shorewall.spec new file mode 100644 index 000000000..24cae25e5 --- /dev/null +++ b/STABLE/shorewall.spec 
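Review bot: `ROUTE_FILTER=No` ships the default with kernel reverse-path filtering off, so nothing in this configuration rejects a packet arriving on the wrong interface for its source address unless each interface is individually given the option in /etc/shorewall/interfaces; the comment calls it an anti-spoofing measure but never says what is lost by leaving it off. I would extend that comment: `# Leaving this "No" means spoofed-source packets are caught only by the norfc1918/blacklist checks; set "Yes" unless the firewall has asymmetric routes.` Separately, the MERGE_HOSTS example says the resulting loc zone is `ppp+:192.168.1.0` while the hosts entry it derives from is `ppp+:192.168.1.0/24` — the `/24` was dropped. `BLACKLIST_LOGLEVEL=` and `LOGNEWNOTSYN=` both default to empty, so blacklist hits and new-not-SYN rejects leave no trace in the log that `shorewall hits` and `logwatch` read; a one-line comment that silence is the default would save an operator from assuming those events are being recorded.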
@@ -0,0 +1,239 @@
+%define name shorewall
+%define version 1.3.6
+%define release 1
+%define prefix /usr
+
+Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
+Name: %{name}
+Version: %{version}
+Release: %{release}
+Prefix: %{prefix}
+License: GPL
+Packager: Tom Eastep
+Group: Networking/Utilities
+Source: %{name}-%{version}.tgz
+URL: http://www.shorewall.net/
+BuildArch: noarch
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+Requires: iptables
+Conflicts: kernel <= 2.2
+
+%description
+
+The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
+(iptables) based firewall that can be used on a dedicated firewall system,
+a multi-function gateway/ router/server or on a standalone GNU/Linux system.
+
+%prep
+
+%setup
+
+%build
+
+%install
+export PREFIX=$RPM_BUILD_ROOT ; \
+export OWNER=`id -n -u` ; \
+export GROUP=`id -n -g` ;\
+./install.sh /etc/init.d
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+if [ -x /sbin/insserv ]; then /sbin/insserv /etc/rc.d/shorewall; elif [ -x /sbin/chkconfig ]; then /sbin/chkconfig --add shorewall; fi
+
+%preun
+if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/shorewall ; elif [ -x /sbin/chkconfig ]; then /sbin/chkconfig --del shorewall; fi ; fi
+
+%files
+/etc/init.d/shorewall
+%attr(0700,root,root) %dir /etc/shorewall
+%attr(0700,root,root) %dir /var/lib/shorewall
+%attr(0600,root,root) /var/lib/shorewall/version
+%attr(0600,root,root) /etc/shorewall/common.def
+%attr(0600,root,root) /etc/shorewall/icmp.def
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/shorewall.conf
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/zones
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/policy
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/interfaces
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/rules
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/nat
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/params
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/proxyarp
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/routestopped
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/masq
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/modules
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/tcrules
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/tos
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/tunnels
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/hosts
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/blacklist
+%attr(0600,root,root) %config(noreplace) /etc/shorewall/rfc1918
+%attr(0544,root,root) /sbin/shorewall
+%attr(0444,root,root) /var/lib/shorewall/functions
+/var/lib/shorewall/firewall
+%doc documentation
+%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
+
+%changelog
+* Sun Aug 04 2002 Tom Eastep
+- Changed version to 1.3.6
+* Mon Jul 29 2002 Tom Eastep
+- Changed version to 1.3.5b
+* Sat Jul 13 2002 Tom Eastep
+- Changed version to 1.3.4
+* Wed Jul 10 2002 Tom Eastep
+- Added 'routestopped' configuration file.
+* Fri Jul 05 2002 Tom Eastep
+- Changed version to 1.3.3
+* Sat Jun 15 2002 Tom Eastep
+- Changed version and release for new convention
+- Moved version,firewall and functions to /var/lib/shorewall
+* Sun Jun 02 2002 Tom Eastep
+- Changed version to 1.3.2
+* Fri May 31 2002 Tom Eastep
+- Changed version to 1.3.1
+- Added the rfc1918 file
+* Wed May 29 2002 Tom Eastep
+- Changed version to 1.3.0
+* Mon May 20 2002 Tom Eastep
+- Removed whitelist file
+* Sat May 18 2002 Tom Eastep
+- changed version to 91
+* Wed May 8 2002 Tom Eastep
+- changed version to 90
+- removed 'provides' tag.
+* Tue Apr 23 2002 Tom Eastep
+- changed version to 13
+- Added whitelist file.
+* Thu Apr 18 2002 Tom Eastep
+- changed version to 12
+* Tue Apr 16 2002 Tom Eastep
+- Merged Stefan's changes to create single RPM
+* Mon Apr 15 2002 Stefan Mohr
+- changed to SuSE Linux 7.3
+* Wed Apr 10 2002 Tom Eastep
+- changed Version to 11
+* Tue Mar 19 2002 Tom Eastep
+- changed Version to 10
+* Sat Mar 09 2002 Tom Eastep
+- changed Version to 9
+* Sat Feb 23 2002 Tom Eastep
+- changed Version to 8
+* Thu Feb 21 2002 Tom Eastep
+- changed Version to 7
+* Tue Feb 05 2002 Tom Eastep
+- changed Version to 6
+* Wed Jan 30 2002 Tom Eastep
+- changed Version to 5
+* Sat Jan 26 2002 Tom Eastep
+- changed Version to 4
+- Merged Ajay's change to allow build by non-root
+* Sun Jan 12 2002 Tom Eastep
+- changed Version to 3
+* Tue Jan 01 2002 Tom Eastep
+- changed Version to 2
+- Updated URL
+- Added blacklist file
+* Mon Dec 31 2001 Tom Eastep
+- changed Version to 1
+* Wed Dec 19 2001 Tom Eastep
+- changed Version to 0
+* Tue Dec 18 2001 Tom Eastep
+- changed Version to Rc1
+* Sat Dec 15 2001 Tom Eastep
+- changed Version to Beta2
+* Thu Nov 08 2001 Tom Eastep
+- changed Version to 1.2
+- added tcrules file
+* Sun Oct 21 2001 Tom Eastep
+- changed release to 17
+* Sun Oct 21 2001 Tom Eastep
+- changed release to 16
+* Sun Oct 14 2001 Tom Eastep
+- changed release to 15
+* Thu Oct 11 2001 Tom Eastep
+- changed release to 14
+* Tue Sep 11 2001 Tom Eastep
+- changed release to 13
+- added params file
+* Tue Aug 28 2001 Tom Eastep
+- Changed release to 12
+* Fri Jul 27 2001 Tom Eastep
+- Changed release to 11
+* Sun Jul 08 2001 Ajay Ramaswamy
+- reorganized spec file
+- s/Copyright/License/
+- now will build fron rpm -tb
+* Fri Jul 06 2001 Tom Eastep
+- Changed release to 10
+* Tue Jun 19 2001 Tom Eastep
+- Changed release to 9
+- Added tunnel file
+- Readded tunnels file
+* Mon Jun 18 2001 Tom Eastep
+- Changed release to 8
+* Sat Jun 02 2001 Tom Eastep
+- Changed release to 7
+- Changed iptables dependency.
+* Tue May 22 2001 Tom Eastep
+- Changed release to 6
+- Added tunnels file
+* Sat May 19 2001 Tom Eastep
+- Changed release to 5
+- Added modules and tos files
+* Sat May 12 2001 Tom Eastep
+- Changed release to 4
+- Added changelog.txt and releasenotes.txt
+* Sat Apr 28 2001 Tom Eastep
+- Changed release to 3
+* Mon Apr 9 2001 Tom Eastep
+- Added files common.def and icmpdef.def
+- Changed release to 2
+* Wed Apr 4 2001 Tom Eastep
+- Changed the release to 1.
+* Mon Mar 26 2001 Tom Eastep
+- Changed the version to 1.1
+- Added hosts file
+* Sun Mar 18 2001 Tom Eastep
+- Changed the release to 4
+- Added Zones and Functions files
+* Mon Mar 12 2001 Tom Eastep
+- Change ipchains dependency to an iptables dependency and
+ changed the release to 3
+* Fri Mar 9 2001 Tom Eastep
+- Add additional files.
+* Thu Mar 8 2001 Tom EAstep
+- Change version to 1.0.2
+* Tue Mar 6 2001 Tom Eastep
+- Change version to 1.0.1
+* Sun Mar 4 2001 Tom Eastep
+- Changes for Shorewall
+* Thu Feb 22 2001 Tom Eastep
+- Change version to 4.1.0
+* Fri Feb 2 2001 Tom Eastep
+- Change version to 4.0.4
+* Mon Jan 22 2001 Tom Eastep
+- Change version to 4.0.2
+* Sat Jan 20 2001 Tom Eastep
+- Changed version to 4.0
+* Fri Jan 5 2001 Tom Eastep
+- Added dmzclients file
+* Sun Dec 24 2000 Tom Eastep
+- Added ftpserver file
+* Sat Aug 12 2000 Tom Eastep
+- Added "nat" and "proxyarp" files for 4.0
+* Mon May 20 2000 Tom Eastep
+- added updown file
+* Sat May 20 2000 Simon Piette
+- Corrected the group - Networking/Utilities
+- Added "noreplace" attributes to config files, so current confis is not
+ changed.
+- Added the version file.
+* Sat May 20 2000 Tom Eastep
+- Converted Simon's patch to version 3.1
+* Sat May 20 2000 Simon Piette
+- 3.0.2 Initial RPM
+ Patched the install script so it can take a PREFIX variable
+
+
diff --git a/STABLE/tcrules b/STABLE/tcrules
new file mode 100644
index 000000000..793a09994
--- /dev/null
+++ b/STABLE/tcrules
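Review bot: `%post` registers the init script as `/etc/rc.d/shorewall`, but `%files` ships and `%preun` deregisters `/etc/init.d/shorewall`; on a distribution where `/etc/rc.d` is not an alias of `/etc/init.d`, insserv is handed a path the package does not own and the service is never enabled. Use the packaged path in both scriptlets: `/sbin/insserv /etc/init.d/shorewall`. In `%preun`, `if [ $1 = 0 ]` should quote the argument (`if [ "$1" = 0 ]`) so the test cannot degrade into a syntax error if the scriptlet argument is ever empty.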
@@ -0,0 +1,47 @@
+#
+# Shorewall version 1.3 - Traffic Control Rules File
+#
+# /etc/shorewall/tcrules
+#
+# Entries in this file cause packets to be marked as a means of
+# classifying them for traffic control or policy routing.
+#
+# Columns are:
+#
+#
+# MARK The mark value which is an
+# integer in the range 1-255
+#
+# SOURCE Source of the packet. A comma-separated list of
+# interface names, IP addresses, MAC addresses
+# and/or subnets. Use $FW if the packet originates on
+# the firewall.
+#
+# MAC addresses must be prefixed with "~" and use
+# "-" as a separator.
+#
+# Example: ~00-A0-C9-15-39-78
+#
+# DEST Destination of the packet. Comma separated list of
+# IP addresses and/or subnets.
+#
+# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
+# or "all".
+#
+# PORT(S) Destination Ports. A comma-separated list of Port
+# names (from /etc/services), port numbers or port
+# ranges; if the protocol is "icmp", this column is
+# interpreted as the destination icmp-type(s).
+#
+# This column is ignored if PROTOCOL = all but must be
+# entered if any of the following field is supplied.
+# In that case, it is suggested that this field contain
+# "-"
+#
+# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
+# any source port is acceptable. Specified as a comma-
+# separated list of port names, port numbers or port
+# ranges.
+##############################################################################
+#MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE/tos b/STABLE/tos
new file mode 100644
index 000000000..0254fcdff
--- /dev/null
+++ b/STABLE/tos
@@ -0,0 +1,52 @@
+#
+# Shorewall 1.3 -- /etc/shorewall/tos
+#
+# This file defines rules for setting Type Of Service (TOS)
+#
+# Columns are:
+#
+# SOURCE Name of a zone declared in /etc/shorewall/zones, "all"
+# or $FW.
+#
+# If not "all" or $FW, may optionally be followed by
+# ":" and an IP address, a MAC address, a subnet
+# specification or the name of an interface.
+#
+# Example: loc:192.168.2.3
+#
+# MAC addresses must be prefixed with "~" and use
+# "-" as a separator.
+#
+# Example: ~00-A0-C9-15-39-78
+#
+# DEST Name of a zone declared in /etc/shorewall/zones, "all"
+# or $FW.
+#
+# If not "all" or $FW, may optionally be followed by
+# ":" and an IP address or a subnet specification
+#
+# Example: loc:192.168.2.3
+#
+# PROTOCOL Protocol.
+#
+# SOURCE PORTS Source port or port range. If all ports, use "-".
+#
+# DEST PORTS Destination port or port range. If all ports, use "-"
+#
+# TOS Type of service. Must be one of the following:
+#
+# Minimize-Delay (16)
+# Maximize-Throughput (8)
+# Maximize-Reliability (4)
+# Minimize-Cost (2)
+# Normal-Service (0)
+#
+##############################################################################
+#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
+all all tcp - ssh 16
+all all tcp ssh - 16
+all all tcp - ftp 16
+all all tcp ftp - 16
+all all tcp ftp-data - 8
+all all tcp - ftp-data 8
+#LAST LINE -- Add your entries above -- DO NOT REMOVE
diff --git a/STABLE/tunnel b/STABLE/tunnel
new file mode 100644
index 000000000..12b26523d
--- /dev/null
+++ b/STABLE/tunnel
@@ -0,0 +1,159 @@
+#!/bin/sh
+
+RCDLINKS="2,S45 3,S45 6,K45"
+################################################################################
+# Script to create a gre or ipip tunnel -- Shorewall 1.3
+#
+# Modified - Steve Cowles 5/9/2000
+# Incorporated init {start|stop} syntax and iproute2 usage
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
+#
+# Modify the following variables to match your configuration
+#
+# chkconfig: 2345 26 89
+# description: GRE/IP Tunnel
+#
+################################################################################
+
+#
+# Type of tunnel (gre or ipip)
+#
+
+tunnel_type=gre
+
+# Name of the tunnel
+#
+
+tunnel="dfwbos"
+#
+# Address of your External Interface (only required for gre tunnels)
+#
+myrealip="x.x.x.x"
+
+# Address of the local system -- this is the address of one of your
+# local interfaces (or for a mobile host, the address that this system has
+# when attached to the local network).
+#
+
+myip="192.168.1.254"
+
+# Address of the Remote system -- this is the address of one of the
+# remote system's local interfaces (or if the remote system is a mobile host,
+# the address that it uses when attached to the local network).
+
+hisip="192.168.9.1"
+
+# Internet address of the Remote system
+#
+
+gateway="x.x.x.x"
+
+# Remote sub-network -- if the remote system is a gateway for a
+# private subnetwork that you wish to
+# access, enter it here.
If the remote
+# system is a stand-alone/mobile host, leave this
+# empty
+
+subnet="192.168.9.0/24"
+
+PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
+
+load_modules () {
+ case $tunnel_type in
+ ipip)
+ echo "Loading IP-ENCAP Module"
+ modprobe ipip
+ ;;
+ gre)
+ echo "Loading GRE Module"
+ modprobe ip_gre
+ ;;
+ esac
+}
+
+do_stop() {
+
+ if [ -n "`ip link show $tunnel 2>/dev/null`" ]; then
+ echo "Stopping $tunnel"
+ ip link set dev $tunnel down
+ fi
+
+ if [ -n "`ip addr show $tunnel 2>/dev/null`" ]; then
+ echo "Deleting $tunnel"
+ ip tunnel del $tunnel
+ fi
+}
+
+do_start() {
+
+ #NOTE: Comment out the next line if you have built gre/ipip into your kernel
+
+ load_modules
+
+ if [ -n "`ip link show $tunnel 2>/dev/null`" ]; then
+ do_stop
+ fi
+
+ echo "Adding $tunnel"
+
+ case $tunnel_type in
+ gre)
+ ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255
+ ;;
+ *)
+ ip tunnel add $tunnel mode ipip remote $gateway
+ ;;
+ esac
+
+ echo "Starting $tunnel"
+
+
+ ip link set dev $tunnel up
+
+ case $tunnel_type in
+ gre)
+ ip addr add $myip dev $tunnel
+ ;;
+ *)
+ ip addr add $myip peer $hisip dev $tunnel
+ ;;
+ esac
+
+ #
+ # As with all interfaces, the 2.4 kernels will add the obvious host
+ # route for this point-to-point interface
+ #
+
+ if [ -n "$subnet" ]; then
+ echo "Adding Routes"
+ case $tunnel_type in
+ gre)
+ ip route add $subnet dev $tunnel
+ ;;
+ ipip)
+ ip route add $subnet via $gateway dev $tunnel onlink
+ ;;
+ esac
+ fi
+}
+
+case "$1" in
+ start)
+ do_start
+ ;;
+ stop)
+ do_stop
+ ;;
+ restart)
+ do_stop
+ sleep 1
+ do_start
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart}"
+ exit 1
+esac
+exit 0
diff --git a/STABLE/tunnels b/STABLE/tunnels
new file mode 100644
index 000000000..1e841e814
--- /dev/null
+++ b/STABLE/tunnels
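Review bot: Neither `ip tunnel add` in `do_start` has its exit status checked, so when creation fails (module not loaded, tunnel name already in use, or the shipped placeholders `gateway="x.x.x.x"` / `myrealip="x.x.x.x"` left unedited) the script still runs `ip link set dev $tunnel up`, `ip addr add` and `ip route add` against a device that does not exist and then reports success with `exit 0`. Append `|| exit 1` to both `ip tunnel add` lines and refuse the placeholder before it is used, e.g. `case "$gateway" in x.x.x.x|"") echo "$0: gateway is not configured" >&2; exit 1 ;; esac` at the top of `do_start`. The expansions of `$tunnel`, `$gateway`, `$subnet` and the other settings are also unquoted throughout; quoting them costs nothing and keeps ShellCheck quiet.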
@@ -0,0 +1,51 @@
+#
+# Shorewall 1.3 - /etc/shorewall/tunnels
+#
+# This file defines IPSEC, GRE and IPIP tunnels.
+#
+# IPIP and GRE tunnels must be configured on the firewall/gateway itself.
+# IPSEC endpoints may be defined on the firewall/gateway or on an
+# internal system.
+#
+# The columns are:
+#
+# TYPE -- must start in column 1 and be "ipsec", "ip" or "gre"
+#
+# ZONE -- The zone of the physical interface through which
+# tunnel traffic passes. This is normally your internet
+# zone.
+#
+# GATEWAY -- The IP address of the remote tunnel gateway. If the
+# remote getway has no fixed address (Road Warrior)
+# then specify the gateway as 0.0.0.0/0.
+#
+# GATEWAY ZONE-- Optional. If the gateway system specified in the third
+# column is a standalone host then this column should
+# contain the name of the zone that the host is in. This
+# column only applies to IPSEC tunnels.
+#
+# Example 1:
+#
+# IPSec tunnel. The remote gateway is 4.33.99.124 and
+# the remote subnet is 192.168.9.0/24
+#
+# ipsec net 4.33.99.124
+#
+# Example 2:
+#
+# Road Warrior (LapTop that may connect from anywhere)
+# where the "gw" zone is used to represent the remote
+# LapTop.
+#
+# ipsec net 0.0.0.0/0 gw
+#
+# Example 3:
+#
+# Host 4.33.99.124 is a standalone system connected
+# via an ipsec tunnel to the firewall system. The host
+# is in zone gw.
+#
+# ipsec net 4.33.99.124 gw
+#
+# TYPE ZONE GATEWAY GATEWAY ZONE
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/STABLE/uninstall.sh b/STABLE/uninstall.sh
new file mode 100755
index 000000000..7e9920320
--- /dev/null
+++ b/STABLE/uninstall.sh
@@ -0,0 +1,104 @@
+#!/bin/sh
+#
+# Script to back uninstall Shoreline Firewall
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
+#
+# Shorewall documentation is available at http://shorewall.sourceforge.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+#
+# Usage:
+#
+# You may only use this script to uninstall the version
+# shown below. Simply run this script to remove Seattle Firewall
+
+VERSION=1.3.6
+
+usage() # $1 = exit status
+{
+ ME=`basename $0`
+ echo "usage: $ME"
+ exit $1
+}
+
+qt()
+{
+ "$@" >/dev/null 2>&1
+}
+
+restore_file() # $1 = file to restore
+{
+ if [ -f ${1}-shorewall.bkout ]; then
+ if (mv -f ${1}-shorewall.bkout $1); then
+ echo
+ echo "$1 restored"
+ else
+ exit 1
+ fi
+ fi
+}
+
+remove_file() # $1 = file to restore
+{
+ if [ -f $1 -o -L $1 ] ; then
+ rm -f $1
+ echo "$1 Removed"
+ fi
+}
+
+if [ -f /var/lib/shorewall/version ]; then
+ INSTALLED_VERSION="`cat /var/lib/shorewall/version`"
+ if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
+ echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
+ echo " and this is the $VERSION uninstaller."
+ VERSION="$INSTALLED_VERSION"
+ fi
+else
+ echo "WARNING: Shorewall Version $VERSION is not installed"
+ VERSION=""
+fi
+
+echo "Uninstalling Shorewall $VERSION"
+
+if qt iptables -L shorewall -n; then
+ /sbin/shorewall clear
+fi
+
+if [ -L /var/lib/shorewall/firewall ]; then
+ FIREWALL=`ls -l /var/lib/shorewall/firewall | sed 's/^.*> //'`
+
+ if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+ insserv -r $FIREWALL
+ elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+ chkconfig --del `basename $FIREWALL`
+ fi
+
+ remove_file $FIREWALL
+fi
+
+remove_file /sbin/shorewall
+
+if [ -n "$VERSION" ]; then
+ restore_file /etc/rc.d/rc.local
+fi
+
+rm -rf /etc/shorewall
+rm -rf /var/lib/shorewall
+
+echo "Shorewall Uninstalled"
+
+
diff --git a/STABLE/zones b/STABLE/zones
new file mode 100644
index 000000000..6d5add70c
--- /dev/null
+++ b/STABLE/zones
@@ -0,0 +1,14 @@
+#
+# Shorewall 1.3 /etc/shorewall/zones
+#
+# This file determines your network zones. Columns are:
+#
+# ZONE Short name of the zone
+# DISPLAY Display name of the zone
+# COMMENTS Comments about the zone
+#
+#ZONE DISPLAY COMMENTS
+net Net Internet
+loc Local Local networks
+dmz DMZ Demilitarized zone
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
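Review bot: `FIREWALL` is recovered by parsing `ls -l` output with `sed 's/^.*> //'`, which yields a wrong path if the link target or any directory in it contains `> ` or whitespace, and that value is then passed unquoted to `insserv -r`, `chkconfig --del` and `remove_file` — that is, to `rm -f` — with no check that it still points at an init script. Resolve the link directly and quote it, `FIREWALL=$(readlink /var/lib/shorewall/firewall)` (where readlink is available) and `remove_file "$FIREWALL"`, and have `remove_file`/`restore_file` quote `$1` and `${1}-shorewall.bkout` likewise. The final `rm -rf /etc/shorewall` and `rm -rf /var/lib/shorewall` also run in the `VERSION=""` branch where nothing was found installed; if that is intended it deserves a one-line comment. The header comment `Script to back uninstall Shoreline Firewall` and the usage text `remove Seattle Firewall` read as stale copy and should name Shorewall consistently.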