Initial revision

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@182 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-08-07 14:28:04 +00:00
parent ede4e38db2
commit 48719a6621
181 changed files with 23327 additions and 0 deletions

STABLE/COPYING (normal file, 340 lines)

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

STABLE/INSTALL (normal file, 43 lines)

@ -0,0 +1,43 @@
Shoreline Firewall (Shorewall) Version 1.3 - 6/14/2002
----- ----
-----------------------------------------------------------------------------
This program is free software; you can redistribute it and/or modify
it under the terms of Version 2 of the GNU General Public License
as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
---------------------------------------------------------------------------
If your system supports rpm, I recommend that you install the Shorewall
.rpm. If you want to install from the tarball:
o Unpack the tarball
o cd to the shorewall-<version> directory
o If you have an earlier version of Shoreline Firewall installed,see the
upgrade instructions below
o Edit the files policy, interfaces, rules, nat, proxyarp and masq to
fit your environment.
o If you are using Caldera, Redhat, Mandrake, Corel, Slackware, SuSE or
Debian, then type "./install.sh".
o For other distributions, determine where your distribution installs
init scripts and type "./install.sh <init script directory>"
o Start the firewall by typing "shorewall start"
o If the install script was unable to configure Shoreline Firewall to
start audomatically at boot, see the HTML documentation contains in the
"documentation" directory.
Upgrade:
o run the install script as described above.
o shorewall restart
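Review bot: the license header at the top of STABLE/INSTALL gives the FSF address as "675 Mass Ave, Cambridge, MA 02139" while STABLE/COPYING in this same commit carries "59 Temple Place, Suite 330, Boston, MA 02111-1307"; the two should agree, and the COPYING text is the one to follow. The step list has typos to fix before release: "installed,see" (missing space), "audomatically", and "see the HTML documentation contains in the" should read "contained in the". The Upgrade section says to run the install script and then "shorewall restart" but does not say whether install.sh overwrites an already edited /etc/shorewall configuration (policy, interfaces, rules, nat, proxyarp, masq from the step above); one sentence on that would save upgraders from losing their rule set.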

STABLE/blacklist (normal file, 19 lines)

@ -0,0 +1,19 @@
#
# Shorewall 1.3 -- Blacklist File
#
# /etc/shorewall/blacklist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
# When a packet arrives on in interface that has the 'blacklist' option
# specified, its source IP address is checked against this file and disposed of
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
# /etc/shorewall/shorewall.conf
#
# MAC addresses must be prefixed with "~" and use "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
###############################################################################
#ADDRESS/SUBNET
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
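Review bot: "When a packet arrives on in interface" in the header comment should read "on an interface". The comment says the file accepts IP addresses, MAC addresses and/or subnetworks, but the column header is only "#ADDRESS/SUBNET"; mentioning the "~" MAC form next to the header (as the example ~00-A0-C9-15-39-78 does above) keeps the header consistent with the comment and with what the parser will accept.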

STABLE/changelog.txt (normal file, 15 lines)

@ -0,0 +1,15 @@
Changes since 1.3.5
1. REDIRECT rules are now working again.
2. proxyarp option now works.
3. It is once again possible to specify a host list in an
/etc/shorewall/hosts entry.
4. The lock file is now removed when the firewall script is killed by a
signal.
5. Implemented "new not SYN" dropping.
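Review bot: item 5, "Implemented 'new not SYN' dropping", is a filtering behaviour change and needs more than one line: state whether it is on by default, which shorewall.conf option controls it, and whether the dropped packets are logged, because a TCP segment that is not SYN yet has no conntrack entry being silently discarded is exactly what an administrator will be chasing later (for example after a firewall restart drops established connections). The header "Changes since 1.3.5" also does not name the version these changes ship in; INSTALL in this commit says only "Version 1.3".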

STABLE/common.def (normal file, 40 lines)

@ -0,0 +1,40 @@
############################################################################
# Shorewall 1.3 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file,
# the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect").
#
# Do not modify this file -- if you wish to change these rules, create
# /etc/shorewall/common to replace it. It is suggested that you include
# the command "source /etc/shorewall/common.def" in your
# /etc/shorewall/common file so that you will continue to get the
# advantage of new releases of this file.
#
run_iptables -A common -p icmp -j icmpdef
############################################################################
# Drop invalid state TCP packets
#
run_iptables -A common -m state -p tcp --state INVALID -j DROP
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 137:139 -j REJECT
run_iptables -A common -p udp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 135 -j reject
############################################################################
# UPnP
#
run_iptables -A common -p udp --dport 1900 -j DROP
############################################################################
# BROADCASTS
#
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
############################################################################
# AUTH -- Silently reject it so that connections don't get delayed.
#
run_iptables -A common -p tcp --dport 113 -j reject
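Review bot: the section headed "# BROADCASTS" drops traffic to 224.0.0.0/4, which is the multicast range, not a broadcast address; rename the heading (for example "BROADCASTS AND MULTICAST") or split the two rules so a later maintainer does not remove the multicast drop as a duplicate. The NETBIOS block mixes the built-in REJECT target (udp 137:139 and udp 445) with the lower-case "reject" chain (tcp 135, and tcp 113 under AUTH); if "reject" is a Shorewall-defined chain that picks the reject type per protocol, a one-line comment saying so will stop readers from "correcting" it to REJECT. Finally, the INVALID-state rule is restricted to "-p tcp", so the header comment describing this file as the rules applied before DROP/REJECT policies should make clear that INVALID UDP and ICMP is not dropped here.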

File diff suppressed because it is too large.

@ -0,0 +1,571 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall FAQ</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall FAQs<!--mstheme--></font></h1>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">About Shorewall<!--mstheme--></font></h2>
<blockquote>
<p align="left"><a href="#faq13">Why do you call it &quot;Shorewall&quot;?</a></p>
<p align="left"><a href="#faq10">What distributions does it work with?</a></p>
<p align="left"><a href="shorewall_features.htm">What features does it support?</a></p>
<p align="left"><a href="#faq12">Why isn't there a GUI?</a></p>
</blockquote>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Filtering<!--mstheme--></font></h2>
<blockquote>
<p align="left"><a href="#faq14">I'm connected via a cable modem and it has an
internel web server that allows me to configure/monitor it but as expected if I
enable rfc1918 blocking for my eth0 interface, it also blocks the cable modems
web server</a>.</p>
<p align="left"><a href="#faq14a">Even though it assigns public IP addresses, my
ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on my
external interface, my DHCP client cannot renew its lease.</a></p>
<p align="left"><a href="#faq4">I just used an online port scanner to check my
firewall and it shows some ports as 'closed' rather than 'blocked'. Why?</a></p>
<p align="left"><a href="#faq4a">I just ran an nmap UDP scan of my firewall and
it showed 100s of ports as open!!!!</a></p>
</blockquote>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Port Forwarding<!--mstheme--></font></h2>
<blockquote>
<p align="left"><a href="#faq1">I want to forward UDP port 7777 to my my personal PC with IP
address 192.168.1.5. I've looked everywhere and can't find how to do it.</a></p>
<p align="left"><a href="#faq1a">Ok -- I followed those instructions but it
doesn't work.</a></p>
<p align="left"><a href="#faq2">I port forward www requests to www.mydomain.com (IP
130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse
http://www.mydomain.com but internal clients can't.</a></p>
<p align="left"><a href="#faq3">I have a zone &quot;Z&quot; with an RFC1918 subnet and I
use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot
communicate with each other using their external (non-RFC1918 addresses) so they
can't access each other using their DNS names.</a></p>
</blockquote>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Applications<!--mstheme--></font></h2>
<blockquote>
<p align="left"><a href="#faq3">I want to use Netmeeting with Shorewall. What do I do?</a></p>
</blockquote>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Connection Problems<!--mstheme--></font></h2>
<blockquote>
<p align="left"><a href="#faq5">I've installed Shorewall and now I can't ping through the
firewall</a></p>
<p align="left"><a href="#faq15">My local systems can't see out to the net</a></p>
</blockquote>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Logging<!--mstheme--></font></h2>
<blockquote>
<p align="left"><a href="#faq6">Where are the log messages written and&nbsp;
how do I change the destination?</a></p>
<p align="left"><a href="#faq16">Shorewall is writing log messages all over my
console making it unusable!</a></p>
<p align="left"><a href="#faq6a">Are there any log parsers that work with
Shorewall?</a></p>
</blockquote>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Starting and stopping the firewall<!--mstheme--></font></h2>
<blockquote>
<p align="left"><a href="#faq7">When I stop Shorewall using 'shorewall stop',
I can't connect to anything. Why doesn't that command work?</a></p>
<p align="left"><a href="#faq8">When I try to start Shorewall on RedHat 7.x, I
get messages about insmod failing -- what's wrong?</a></p>
<p align="left"><a href="#faq17">Why can't Shorewall detect my interfaces
properly?</a></p>
</blockquote>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Design<!--mstheme--></font></h2>
<blockquote>
<p align="left"><a href="#faq9">Why does Shorewall only accept IP addresses as
opposed to FQDNs?</a></p>
</blockquote>
<!--msthemeseparator--><p align="center"><img src="_themes/radial/aradrule.gif" width="614" height="7"></p>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq1"></a>1. I want to forward UDP port 7777 to my my personal PC with IP
address 192.168.1.5. I've looked everywhere and can't find how to do it.<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>The <a href="Documentation.htm#PortForward"> first example</a> in the <a href="Documentation.htm#Rules">rules
file documentation</a> shows how to do port forwarding under Shorewall. Assuming
that you have a dynamic external IP address, the format of a port-forwarding
rule to a local system is as follows:</p>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber1" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIG. DEST.</b></u><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;protocol&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;port #&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<p align="left">So to forward UDP port 7777 to internal system 192.168.1.5, the
rule is:</p>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber1" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIG. DEST.</b></u><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:192.168.1.5<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">udp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">7777<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<div align="left">
<!--mstheme--></font><pre align="left"><font face="Courier"> DNAT net loc:192.168.1.5 udp 7777</font></pre><!--mstheme--><font face="arial, Arial, Helvetica">
</div>
<p align="left">If you want to forward requests directed to a particular
address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber1" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIG. DEST.</b></u><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;protocol&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;port #&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;external IP&gt;</i><!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq1a"></a>1a. Ok -- I followed those instructions but
it doesn't work<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You are trying to test from inside your firewall (no, that
won't work -- see <a href="#faq2">FAQ #2</a>).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You have a more basic problem with your local system such as an
incorrect default gateway configured (it should be set to the IP address of your
firewall's internal interface).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com (IP
130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse
http://www.mydomain.com but internal clients can't.<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Having an internet-accessible server in your local network
is like raising foxes in the corner of your hen house. If the server is
compromised, there's nothing between that server and your other internal
systems. For the cost of another NIC and a cross-over cable, you can put
your server in a DMZ such that it is isolated from your local systems -
assuming that the Server can be located near the Firewall, of course :-)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The accessibility problem is best solved using
<a href="shorewall_setup_guide.htm#DNS">Bind Version
9 &quot;views&quot;</a> (or using a separate DNS server for local clients) such that www.mydomain.com resolves to 130.151.100.69
externally and 192.168.1.5 internally. That's what I do here at
shorewall.net for my local systems that use static NAT.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p align="left">If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your external interface is eth0
and your internal interface is eth1
and that eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
<p align="left">a) In /etc/shorewall/interfaces, specify &quot;multi&quot; as an option
for eth1.</p>
<div align="left">
<p align="left">b) In /etc/shorewall/rules, add:</p></div>
<div align="left">
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber1" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIG. DEST.</b></u><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:192.168.1.0/24<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:192.168.1.5<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">www<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">130.151.100.69:192.168.1.254<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
</div>
<div align="left">
<!--mstheme--></font><pre align="left"> <font face="Courier">DNAT&nbsp;&nbsp;&nbsp; loc:192.168.1.0/24&nbsp;&nbsp;&nbsp; loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; www&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp; 130.151.100.69:192.168.1.254</font></pre><!--mstheme--><font face="arial, Arial, Helvetica">
</div>
<div align="left">
<p align="left">That rule only works, of course, if you have a static external IP
address. If you have a dynamic IP address and are running Shorewall 1.3.4 or later,
then include this in /etc/shorewall/params:</p></div>
<div align="left">
<!--mstheme--></font><pre> ETH0_IP=`find_interface_address eth0`</pre><!--mstheme--><font face="arial, Arial, Helvetica">
</div>
<div align="left">
<p align="left">and make your DNAT rule:</p></div>
<div align="left">
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber1" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIG. DEST.</b></u><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:192.168.1.0/24<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:192.168.1.5<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">www<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">$ETH0_IP:192.168.1.254<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
</div>
<div align="left">
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE
client to automatically restart Shorewall each time that you get a new IP
address.</p></div>
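<p align="left">As an added illustration (not Shorewall's own rule compiler), the shell function below renders a DNAT line from /etc/shorewall/rules into the iptables commands it amounts to, for both the simple net-to-loc forward in FAQ 1 and the loc-to-loc hairpin rule in this answer. It assumes the zone-to-interface mapping used in this FAQ (net is eth0, loc is eth1) and translates only the service name &quot;www&quot;.</p>

```shell
#!/bin/sh
# Added illustration, not Shorewall's own rule compiler: show the iptables
# commands that a DNAT line in /etc/shorewall/rules amounts to.
# Assumptions (as in this FAQ): zone "net" is eth0, zone "loc" is eth1,
# and the only service name we need to translate is "www" (TCP port 80).

zone_iface() {
    case "$1" in
        net) echo eth0 ;;
        loc) echo eth1 ;;
        *)   return 1 ;;
    esac
}

port_number() {
    case "$1" in
        www) echo 80 ;;
        *)   echo "$1" ;;
    esac
}

# render_dnat SOURCE DESTINATION PROTOCOL PORT [SOURCE_PORT] [ORIG_DEST]
#   SOURCE       zone[:address]
#   DESTINATION  zone:address[:port]
#   ORIG_DEST    address[:snat-address]; the part after the colon is the
#                address the client's packets are re-sourced from (hairpin)
#   "-" in an optional field means "not specified".
render_dnat() {
    src=$1 dst=$2 proto=$3 port=$(port_number "$4")
    sport=${5:-"-"} orig=${6:-"-"}

    src_zone=${src%%:*}
    src_addr=${src#*:}
    if [ "$src_addr" = "$src" ]; then src_addr=-; fi

    dst_zone=${dst%%:*}
    rest=${dst#*:}
    dst_addr=${rest%%:*}
    dst_port=${rest#*:}
    if [ "$dst_port" = "$rest" ]; then dst_port=; fi

    orig_addr=${orig%%:*}
    snat=${orig#*:}
    if [ "$snat" = "$orig" ]; then snat=; fi

    in_if=$(zone_iface "$src_zone") || return 1
    out_if=$(zone_iface "$dst_zone") || return 1

    s=; if [ "$src_addr" != - ]; then s="-s $src_addr "; fi
    d=; if [ "$orig_addr" != - ]; then d="-d $orig_addr "; fi
    sp=; if [ "$sport" != - ]; then sp=" --sport $sport"; fi
    to=$dst_addr; if [ -n "$dst_port" ]; then to="$dst_addr:$dst_port"; fi
    fwd_port=${dst_port:-$port}     # port as seen by the server after DNAT

    # 1. Rewrite the destination on the way in.
    echo "iptables -t nat -A PREROUTING -i $in_if ${s}${d}-p $proto --dport $port$sp -j DNAT --to-destination $to"
    # 2. Let the translated connection through the filter table. For the
    #    hairpin case this is "-i eth1 -o eth1", traffic entering and leaving
    #    on the same interface, which is why the FAQ has you set "multi" on eth1.
    echo "iptables -A FORWARD -i $in_if -o $out_if ${s}-d $dst_addr -p $proto --dport $fwd_port$sp -j ACCEPT"
    # 3. Hairpin only: re-source the packets so the server replies via the
    #    firewall. Otherwise 192.168.1.5 would answer the client directly from
    #    its own address, and the client, which connected to the public address,
    #    would discard the reply.
    if [ -n "$snat" ]; then
        echo "iptables -t nat -A POSTROUTING -o $out_if ${s}-d $dst_addr -p $proto --dport $fwd_port$sp -j SNAT --to-source $snat"
    fi
}

# The two rules from this FAQ, rendered (dry run: nothing is applied).
render_dnat net loc:192.168.1.5 udp 7777
echo
render_dnat loc:192.168.1.0/24 loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254
```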
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq2a"></a>2a. I have a zone &quot;Z&quot; with an RFC1918 subnet and I
use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot
communicate with each other using their external (non-RFC1918) addresses so they
can't access each other using their DNS names.<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved using Bind Version 9
&quot;views&quot;. It allows both external and internal clients to access a
NATed host using the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses and
can be accessed externally and internally using the same address.&nbsp;</p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
traffic through your firewall then:</p>
<p align="left">a) Specify &quot;multi&quot; on the entry for Z's interface in
/etc/shorewall/interfaces.<br>
b) Set the Z-&gt;Z policy to ACCEPT.<br>
c) Masquerade Z to itself.<br>
<br>
Example:</p>
<p align="left">Zone: dmz<br>
Interface: eth2<br>
Subnet: 192.168.2.0/24</p>
<p align="left">In /etc/shorewall/interfaces:</p>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber2" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ZONE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>INTERFACE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>BROADCAST</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>OPTIONS</b></u><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">dmz<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">192.168.2.255<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">multi<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<p align="left">In /etc/shorewall/policy:</p>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber3" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE </b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>POLICY</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>LIMIT:BURST</b></u><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">dmz<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">dmz<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<div align="left">
<!--mstheme--></font><pre align="left"> dmz&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; ACCEPT</pre><!--mstheme--><font face="arial, Arial, Helvetica">
</div>
<p align="left">In /etc/shorewall/masq:</p>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber3" width="369" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td width="93"><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>INTERFACE </b></u><!--mstheme--></font></td>
<td width="31"><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SUBNET</b></u><!--mstheme--></font></td>
<td width="120"><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ADDRESS</b></u><!--mstheme--></font></td>
</tr>
<tr>
<td width="93"><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
<td width="31"><!--mstheme--><font face="arial, Arial, Helvetica">192.168.2.0/24<!--mstheme--></font></td>
<td width="120"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq3"></a>3. I want to use Netmeeting with Shorewall. What do I do?<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>There is an <a href="http://www.kfki.hu/~kadlec/sw/netfilter/newnat-suite/"> H.323 connection tracking/NAT module</a> that may help.
Also check the Netfilter mailing list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>. </p>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq4"></a>4. I just used an online port scanner to
check my firewall and it shows some ports as 'closed' rather than 'blocked'.
Why?<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x always
rejects connection requests on TCP port 113 rather than dropping them. This is
necessary to prevent outgoing connection problems to services that use the
'Auth' mechanism for identifying requesting users. Shorewall also rejects TCP
ports 135, 137 and 139 as well as UDP ports 137-139. These are ports that are
used by Windows (Windows <u>can</u> be configured to use the DCE cell locator
on port 135). Rejecting these connection requests rather than dropping them
cuts down slightly on the amount of Windows chatter on LAN segments connected
to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably your
ISP preventing you from running a web server in violation of your Service
Agreement.</p>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
firewall and it showed 100s of ports as open!!!!<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page section about
UDP scans. If nmap gets <b>nothing</b> back from your firewall then it reports
the port as open. If you want to see which UDP ports are really open,
temporarily change your net-&gt;all policy to REJECT, restart Shorewall and do
the nmap UDP scan again.</p>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq5"></a>5. I've installed Shorewall and now I can't ping through the
firewall<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>If you want your firewall to be totally open for
&quot;ping&quot;: </p>
<p align="left">a) Do NOT specify 'noping' on any interface in
/etc/shorewall/interfaces.<br>
b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
c) Add the following to /etc/shorewall/icmpdef: </p>
<blockquote>
<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j
ACCEPT </p>
</blockquote>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq6"></a>6. Where are the log messages written
and&nbsp; how do I change the destination?<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog (see &quot;man
syslog&quot;) to log messages. It always uses the LOG_KERN (kern) facility (see
&quot;man openlog&quot;) and you get to choose the log level (again, see
&quot;man syslog&quot;) in your <a href="Documentation.htm#Policy">policies</a>
and <a href="Documentation.htm#Rules">rules</a>. The destination for messages
logged by syslog is controlled by /etc/syslog.conf (see &quot;man
syslog.conf&quot;). When you have changed /etc/syslog.conf, be sure to restart
syslogd (on a RedHat system, &quot;service syslog restart&quot;). </p>
<p align="left">By default, older versions of Shorewall rate-limited log messages through
<a href="Documentation.htm#Conf">settings</a>
in /etc/shorewall/shorewall.conf -- If you want to log all messages, set: </p>
<div align="left">
<!--mstheme--></font><pre align="left"> LOGLIMIT=&quot;&quot;
LOGBURST=&quot;&quot;</pre><!--mstheme--><font face="arial, Arial, Helvetica">
</div>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq6a"></a>6a. Are there any log parsers that work
with Shorewall?<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>Here are several links that may be helpful: </p>
<blockquote>
<p align="left"><a href="http://www.shorewall.net/pub/shorewall/parsefw/">
http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
<a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
<a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a></p>
</blockquote>
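<p align="left">As an added example, not one of the parsers linked above, the shell/awk function below summarises Shorewall's netfilter log lines by chain, disposition, protocol and destination port, with a count of distinct sources. It assumes the log prefix form <i>Shorewall:chain:disposition:</i> followed by the usual netfilter fields, and runs over constructed sample lines.</p>

```shell
#!/bin/sh
# Added example, not one of the parsers linked above: summarise Shorewall's
# netfilter log lines by chain, disposition, protocol and destination port.
# Assumes the log prefix "Shorewall:<chain>:<disposition>:" followed by the
# standard netfilter fields (IN= OUT= SRC= DST= PROTO= SPT= DPT= ...).

# Reads syslog lines on stdin; prints "count chain:disposition proto/dport
# distinct-sources", most frequent first.
summarize_shorewall_log() {
    awk '
    index($0, "Shorewall:") {
        # Everything after the first "Shorewall:" is chain:disposition:fields
        rest = substr($0, index($0, "Shorewall:") + 10)
        split(rest, p, ":")
        chain = p[1]; disp = p[2]
        src = "-"; proto = "-"; dpt = "-"
        for (i = NF; i > 0; i--) {
            if (substr($i, 1, 4) == "SRC=")   { src = substr($i, 5) }
            if (substr($i, 1, 6) == "PROTO=") { proto = substr($i, 7) }
            if (substr($i, 1, 4) == "DPT=")   { dpt = substr($i, 5) }
        }
        key = chain ":" disp " " proto "/" dpt
        count[key]++
        if (!((key, src) in seen)) { seen[key, src] = 1; sources[key]++ }
    }
    END {
        for (k in count) printf "%d %s %d\n", count[k], k, sources[k]
    }' | sort -rn
}

# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG='Aug  7 10:01:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 SYN
Aug  7 10:01:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 SYN
Aug  7 10:01:09 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TTL=48 ID=3 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 SYN
Aug  7 10:02:00 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=78 TTL=48 ID=4 PROTO=UDP SPT=137 DPT=137 LEN=58'

# The busiest chain/disposition/port combination in the sample.
top_entry() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_shorewall_log | sed -n 1p
}

printf '%s\n' "$SAMPLE_LOG" | summarize_shorewall_log
```

Feed it real lines with something like <i>grep Shorewall: /var/log/messages | summarize_shorewall_log</i> once your syslog.conf routes kernel messages there.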
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
stop', I can't connect to anything. Why doesn't that command work?<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>The 'stop' command is intended to place your firewall into a
safe state whereby only those interfaces/hosts having the 'routestopped' option
in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. If you want
to totally open up your firewall, you must use the 'shorewall clear' command. </p>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq8"></a>8. When I try to start Shorewall on RedHat
7.x, I get messages about insmod failing -- what's wrong?<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>The output you will see looks something like this:</p>
<!--mstheme--></font><pre> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p align="left">This is usually cured by the following sequence of commands: </p>
<div align="left">
<!--mstheme--></font><pre align="left"> service ipchains stop
chkconfig --delete ipchains
rmmod ipchains</pre><!--mstheme--><font face="arial, Arial, Helvetica">
</div>
<div align="left">
<p align="left">Also, be sure to check the <a href="errata.htm">errata</a> for
problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</p></div>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"> <a name="faq9"></a>9. Why does Shorewall only accept IP
addresses as opposed to FQDNs?<!--mstheme--></font></h4><p align="left"> <b>Answer: </b>FQDNs in iptables rules
aren't nearly as useful as they first appear. When a DNS name appears in a rule,
the iptables utility resolves the name to one or more IP addresses and inserts
those addresses into the rule. So changes in the DNS-&gt;IP address relationship
that occur after the firewall has started have absolutely no effect on the
firewall's ruleset.</p>
<p align="left"> I'm also trying to protect
people from themselves. If your firewall rules include FQDNs then:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If your /etc/resolv.conf is wrong then your firewall won't
start.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If your /etc/nsswitch.conf is wrong then your firewall won't
start.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If your name server(s) are down then your firewall won't
start.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Factors totally outside your control (your ISP's router is
down for example), can prevent your firewall from starting.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq10"></a>10. What Distributions does it work
with?<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>Shorewall works with any GNU/Linux distribution that includes
the <a href="shorewall_prerequisites.htm">proper prerequisites</a>.</p>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">11. What Features does it have?<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall Feature
List</a>.</p>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq12"></a>12. Why isn't there a GUI?<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>Every time I've started to work on one, I find myself doing
other things. I guess I just don't care enough if Shorewall has a GUI to
invest the effort to create one myself. There are several Shorewall GUI
projects underway however and I will publish links to them when the authors
feel that they are ready.</p>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">
<a name="faq13"></a>13. Why do you call it &quot;Shorewall&quot;?<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>Shorewall is a concatenation of &quot;<u>Shore</u>line&quot; (<a href="http://www.cityofshoreline.com">the
city where I live</a>) and &quot;Fire<u>wall</u>&quot;.</p>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">
<a name="faq14"></a>14.&nbsp; I'm connected via a cable modem and it has an
internal web server that allows me to configure/monitor it but as expected if I
enable rfc1918 blocking for my eth0 interface (the internet one), it also blocks
the cable modem's web server.<!--mstheme--></font></h4>
<p align="left">Is there any way it can add a rule before the
rfc1918 blocking that will let all traffic to and from the 192.168.100.1 address
of the modem in/out but still block all other rfc1918 addresses?</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier than
1.3.1, create /etc/shorewall/start and in it, place the following:</p>
<div align="left">
<!--mstheme--></font><pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre><!--mstheme--><font face="arial, Arial, Helvetica">
</div>
<div align="left">
<p align="left">If you are running version 1.3.1 or later, simply add the
following to <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</a>:</p></div>
<div align="left">
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber3" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SUBNET </b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>TARGET</b></u><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">192.168.100.1<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">RETURN<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
</div>
<div align="left">
<p align="left">Be sure that you add the entry ABOVE the entry for
192.168.0.0/16.</p></div>
<div align="left">
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq14a"></a>14a. Even though it assigns public IP
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918
filtering on my external interface, my DHCP client cannot renew its lease.<!--mstheme--></font></h4>
</div>
<div align="left">
<p align="left"><b>Answer: </b>The solution is the same as FAQ 14 above. Simply substitute
the IP address of your ISP's DHCP server.</p></div>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq15"></a>15. My local systems can't see out to the
net<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>Every time I read &quot;systems can't see out to the net&quot;, I wonder
where the poster bought computers with eyes and what those computers will &quot;see&quot;
when things are working properly. That aside, the most common causes of this
problem are:</p>
<ol>
<li><p align="left">The default gateway on each local system isn't set to the
IP address of the local firewall interface.</p>
</li>
<li><p align="left">The entry for the local network in the /etc/shorewall/masq
file is wrong or missing.</p>
</li>
<li><p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall and hasn't enabled UDP and TCP
port 53 from the firewall to the internet.</p>
</li>
</ol>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq16"></a>16. Shorewall is writing log messages all
over my console making it unusable!<!--mstheme--></font></h4>
<p align="left"><b>Answer: </b>&quot;man dmesg&quot; -- add a suitable 'dmesg' command to your startup
scripts or place it in /etc/shorewall/start.</p>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq17"></a>17. Why can't Shorewall detect my
interfaces properly?<!--mstheme--></font></h4>
<p align="left">I just installed Shorewall and when I issue the start command,
I see the following:</p>
<div align="left">
<!--mstheme--></font><pre> Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
<b> Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
</b> Deleting user chains...
Creating input Chains...
...</pre><!--mstheme--><font face="arial, Arial, Helvetica">
</div>
<div align="left">
<p align="left">Why can't Shorewall detect my interfaces properly?</p></div>
<div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
zone is defined as all hosts that are connected through eth0 and the local
zone is defined as all hosts connected through eth1.</p>
</div>
<p align="left"><font size="2">Last updated
7/31/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</html>

@ -0,0 +1,277 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Copyright</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a href="#TOC1" name="SEC1">GNU Free Documentation License</a><!--mstheme--></font></h2>
<p>Version 1.1, March 2000 </p>
<!--mstheme--></font><pre>Copyright (C) 2000 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p><strong>0. PREAMBLE</strong> </p>
<p>The purpose of this License is to make a manual, textbook, or other written
document &quot;free&quot; in the sense of freedom: to assure everyone the effective
freedom to copy and redistribute it, with or without modifying it, either
commercially or noncommercially. Secondarily, this License preserves for the
author and publisher a way to get credit for their work, while not being
considered responsible for modifications made by others. </p>
<p>This License is a kind of &quot;copyleft&quot;, which means that derivative works of
the document must themselves be free in the same sense. It complements the GNU
General Public License, which is a copyleft license designed for free software.
</p>
<p>We have designed this License in order to use it for manuals for free
software, because free software needs free documentation: a free program should
come with manuals providing the same freedoms that the software does. But this
License is not limited to software manuals; it can be used for any textual work,
regardless of subject matter or whether it is published as a printed book. We
recommend this License principally for works whose purpose is instruction or
reference. </p>
<p><strong>1. APPLICABILITY AND DEFINITIONS</strong> </p>
<p>This License applies to any manual or other work that contains a notice
placed by the copyright holder saying it can be distributed under the terms of
this License. The &quot;Document&quot;, below, refers to any such manual or work. Any
member of the public is a licensee, and is addressed as &quot;you&quot;. </p>
<p>A &quot;Modified Version&quot; of the Document means any work containing the Document
or a portion of it, either copied verbatim, or with modifications and/or
translated into another language. </p>
<p>A &quot;Secondary Section&quot; is a named appendix or a front-matter section of the
Document that deals exclusively with the relationship of the publishers or
authors of the Document to the Document's overall subject (or to related
matters) and contains nothing that could fall directly within that overall
subject. (For example, if the Document is in part a textbook of mathematics, a
Secondary Section may not explain any mathematics.) The relationship could be a
matter of historical connection with the subject or with related matters, or of
legal, commercial, philosophical, ethical or political position regarding them.
</p>
<p>The &quot;Invariant Sections&quot; are certain Secondary Sections whose titles are
designated, as being those of Invariant Sections, in the notice that says that
the Document is released under this License. </p>
<p>The &quot;Cover Texts&quot; are certain short passages of text that are listed, as
Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document
is released under this License. </p>
<p>A &quot;Transparent&quot; copy of the Document means a machine-readable copy,
represented in a format whose specification is available to the general public,
whose contents can be viewed and edited directly and straightforwardly with
generic text editors or (for images composed of pixels) generic paint programs
or (for drawings) some widely available drawing editor, and that is suitable for
input to text formatters or for automatic translation to a variety of formats
suitable for input to text formatters. A copy made in an otherwise Transparent
file format whose markup has been designed to thwart or discourage subsequent
modification by readers is not Transparent. A copy that is not &quot;Transparent&quot; is
called &quot;Opaque&quot;. </p>
<p>Examples of suitable formats for Transparent copies include plain ASCII
without markup, Texinfo input format, LaTeX input format, SGML or XML using a
publicly available DTD, and standard-conforming simple HTML designed for human
modification. Opaque formats include PostScript, PDF, proprietary formats that
can be read and edited only by proprietary word processors, SGML or XML for
which the DTD and/or processing tools are not generally available, and the
machine-generated HTML produced by some word processors for output purposes
only. </p>
<p>The &quot;Title Page&quot; means, for a printed book, the title page itself, plus such
following pages as are needed to hold, legibly, the material this License
requires to appear in the title page. For works in formats which do not have any
title page as such, &quot;Title Page&quot; means the text near the most prominent
appearance of the work's title, preceding the beginning of the body of the text.
</p>
<p><strong>2. VERBATIM COPYING</strong> </p>
<p>You may copy and distribute the Document in any medium, either commercially
or noncommercially, provided that this License, the copyright notices, and the
license notice saying this License applies to the Document are reproduced in all
copies, and that you add no other conditions whatsoever to those of this
License. You may not use technical measures to obstruct or control the reading
or further copying of the copies you make or distribute. However, you may accept
compensation in exchange for copies. If you distribute a large enough number of
copies you must also follow the conditions in section 3. </p>
<p>You may also lend copies, under the same conditions stated above, and you may
publicly display copies. </p>
<p><strong>3. COPYING IN QUANTITY</strong> </p>
<p>If you publish printed copies of the Document numbering more than 100, and
the Document's license notice requires Cover Texts, you must enclose the copies
in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover
Texts on the front cover, and Back-Cover Texts on the back cover. Both covers
must also clearly and legibly identify you as the publisher of these copies. The
front cover must present the full title with all words of the title equally
prominent and visible. You may add other material on the covers in addition.
Copying with changes limited to the covers, as long as they preserve the title
of the Document and satisfy these conditions, can be treated as verbatim copying
in other respects. </p>
<p>If the required texts for either cover are too voluminous to fit legibly, you
should put the first ones listed (as many as fit reasonably) on the actual
cover, and continue the rest onto adjacent pages. </p>
<p>If you publish or distribute Opaque copies of the Document numbering more
than 100, you must either include a machine-readable Transparent copy along with
each Opaque copy, or state in or with each Opaque copy a publicly-accessible
computer-network location containing a complete Transparent copy of the
Document, free of added material, which the general network-using public has
access to download anonymously at no charge using public-standard network
protocols. If you use the latter option, you must take reasonably prudent steps,
when you begin distribution of Opaque copies in quantity, to ensure that this
Transparent copy will remain thus accessible at the stated location until at
least one year after the last time you distribute an Opaque copy (directly or
through your agents or retailers) of that edition to the public. </p>
<p>It is requested, but not required, that you contact the authors of the
Document well before redistributing any large number of copies, to give them a
chance to provide you with an updated version of the Document. </p>
<p><strong>4. MODIFICATIONS</strong> </p>
<p>You may copy and distribute a Modified Version of the Document under the
conditions of sections 2 and 3 above, provided that you release the Modified
Version under precisely this License, with the Modified Version filling the role
of the Document, thus licensing distribution and modification of the Modified
Version to whoever possesses a copy of it. In addition, you must do these things
in the Modified Version: </p>
<p>&nbsp;</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>A.</strong> Use in the Title Page (and on the covers, if any) a
title distinct from that of the Document, and from those of previous versions
(which should, if there were any, be listed in the History section of the
Document). You may use the same title as a previous version if the original
publisher of that version gives permission. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>B.</strong> List on the Title Page, as authors, one or more
persons or entities responsible for authorship of the modifications in the
Modified Version, together with at least five of the principal authors of the
Document (all of its principal authors, if it has less than five). <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>C.</strong> State on the Title page the name of the publisher of
the Modified Version, as the publisher. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>D.</strong> Preserve all the copyright notices of the Document.
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>E.</strong> Add an appropriate copyright notice for your
modifications adjacent to the other copyright notices. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>F.</strong> Include, immediately after the copyright notices, a
license notice giving the public permission to use the Modified Version under
the terms of this License, in the form shown in the Addendum below. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>G.</strong> Preserve in that license notice the full lists of
Invariant Sections and required Cover Texts given in the Document's license
notice. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>H.</strong> Include an unaltered copy of this License. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>I.</strong> Preserve the section entitled &quot;History&quot;, and its
title, and add to it an item stating at least the title, year, new authors,
and publisher of the Modified Version as given on the Title Page. If there is
no section entitled &quot;History&quot; in the Document, create one stating the title,
year, authors, and publisher of the Document as given on its Title Page, then
add an item describing the Modified Version as stated in the previous
sentence. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>J.</strong> Preserve the network location, if any, given in the
Document for public access to a Transparent copy of the Document, and likewise
the network locations given in the Document for previous versions it was based
on. These may be placed in the &quot;History&quot; section. You may omit a network
location for a work that was published at least four years before the Document
itself, or if the original publisher of the version it refers to gives
permission. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>K.</strong> In any section entitled &quot;Acknowledgements&quot; or
&quot;Dedications&quot;, preserve the section's title, and preserve in the section all
the substance and tone of each of the contributor acknowledgements and/or
dedications given therein. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>L.</strong> Preserve all the Invariant Sections of the Document,
unaltered in their text and in their titles. Section numbers or the equivalent
are not considered part of the section titles. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>M.</strong> Delete any section entitled &quot;Endorsements&quot;. Such a
section may not be included in the Modified Version. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>N.</strong> Do not retitle any existing section as &quot;Endorsements&quot;
or to conflict in title with any Invariant Section. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If the Modified Version includes new front-matter sections or appendices that
qualify as Secondary Sections and contain no material copied from the Document,
you may at your option designate some or all of these sections as invariant. To
do this, add their titles to the list of Invariant Sections in the Modified
Version's license notice. These titles must be distinct from any other section
titles. </p>
<p>You may add a section entitled &quot;Endorsements&quot;, provided it contains nothing
but endorsements of your Modified Version by various parties--for example,
statements of peer review or that the text has been approved by an organization
as the authoritative definition of a standard. </p>
<p>You may add a passage of up to five words as a Front-Cover Text, and a
passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover
Texts in the Modified Version. Only one passage of Front-Cover Text and one of
Back-Cover Text may be added by (or through arrangements made by) any one
entity. If the Document already includes a cover text for the same cover,
previously added by you or by arrangement made by the same entity you are acting
on behalf of, you may not add another; but you may replace the old one, on
explicit permission from the previous publisher that added the old one. </p>
<p>The author(s) and publisher(s) of the Document do not by this License give
permission to use their names for publicity for or to assert or imply
endorsement of any Modified Version. </p>
<p><strong>5. COMBINING DOCUMENTS</strong> </p>
<p>You may combine the Document with other documents released under this
License, under the terms defined in section 4 above for modified versions,
provided that you include in the combination all of the Invariant Sections of
all of the original documents, unmodified, and list them all as Invariant
Sections of your combined work in its license notice. </p>
<p>The combined work need only contain one copy of this License, and multiple
identical Invariant Sections may be replaced with a single copy. If there are
multiple Invariant Sections with the same name but different contents, make the
title of each such section unique by adding at the end of it, in parentheses,
the name of the original author or publisher of that section if known, or else a
unique number. Make the same adjustment to the section titles in the list of
Invariant Sections in the license notice of the combined work. </p>
<p>In the combination, you must combine any sections entitled &quot;History&quot; in the
various original documents, forming one section entitled &quot;History&quot;; likewise
combine any sections entitled &quot;Acknowledgements&quot;, and any sections entitled
&quot;Dedications&quot;. You must delete all sections entitled &quot;Endorsements.&quot; </p>
<p><strong>6. COLLECTIONS OF DOCUMENTS</strong> </p>
<p>You may make a collection consisting of the Document and other documents
released under this License, and replace the individual copies of this License
in the various documents with a single copy that is included in the collection,
provided that you follow the rules of this License for verbatim copying of each
of the documents in all other respects. </p>
<p>You may extract a single document from such a collection, and distribute it
individually under this License, provided you insert a copy of this License into
the extracted document, and follow this License in all other respects regarding
verbatim copying of that document. </p>
<p><strong>7. AGGREGATION WITH INDEPENDENT WORKS</strong> </p>
<p>A compilation of the Document or its derivatives with other separate and
independent documents or works, in or on a volume of a storage or distribution
medium, does not as a whole count as a Modified Version of the Document,
provided no compilation copyright is claimed for the compilation. Such a
compilation is called an &quot;aggregate&quot;, and this License does not apply to the
other self-contained works thus compiled with the Document, on account of their
being thus compiled, if they are not themselves derivative works of the
Document. </p>
<p>If the Cover Text requirement of section 3 is applicable to these copies of
the Document, then if the Document is less than one quarter of the entire
aggregate, the Document's Cover Texts may be placed on covers that surround only
the Document within the aggregate. Otherwise they must appear on covers around
the whole aggregate. </p>
<p><strong>8. TRANSLATION</strong> </p>
<p>Translation is considered a kind of modification, so you may distribute
translations of the Document under the terms of section 4. Replacing Invariant
Sections with translations requires special permission from their copyright
holders, but you may include translations of some or all Invariant Sections in
addition to the original versions of these Invariant Sections. You may include a
translation of this License provided that you also include the original English
version of this License. In case of a disagreement between the translation and
the original English version of this License, the original English version will
prevail. </p>
<p><strong>9. TERMINATION</strong> </p>
<p>You may not copy, modify, sublicense, or distribute the Document except as
expressly provided for under this License. Any other attempt to copy, modify,
sublicense or distribute the Document is void, and will automatically terminate
your rights under this License. However, parties who have received copies, or
rights, from you under this License will not have their licenses terminated so
long as such parties remain in full compliance. </p>
<p><strong>10. FUTURE REVISIONS OF THIS LICENSE</strong> </p>
<p>The Free Software Foundation may publish new, revised versions of the GNU
Free Documentation License from time to time. Such new versions will be similar
in spirit to the present version, but may differ in detail to address new
problems or concerns. See http://www.gnu.org/copyleft/. </p>
<p>Each version of the License is given a distinguishing version number. If the
Document specifies that a particular numbered version of this License &quot;or any
later version&quot; applies to it, you have the option of following the terms and
conditions either of that specified version or of any later version that has
been published (not as a draft) by the Free Software Foundation. If the Document
does not specify a version number of this License, you may choose any version
ever published (not as a draft) by the Free Software Foundation. </p>
<p align="left">&nbsp;</p>
<!--mstheme--></font></body>
</html>
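Review bot: section 4.F of the license text points the reader to "the form shown in the Addendum below", but this copy ends after section 10 with no ADDENDUM section, so the notice form it refers to is missing from the file; either include the GFDL addendum or the reference will dangle. Related: the page is titled "Copyright" and is linked from every document's footer as the copyright page, yet it contains only the bare license text and no license notice naming the Document (the Shorewall documentation), listing any Invariant Sections and Cover Texts, and stating the version or "any later version" choice; section 1 makes such a notice the thing that causes the License to apply at all, so a short notice block at the top (or on the page that links here) would make the licensing of the documentation unambiguous.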

View File

@ -0,0 +1,172 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>GRE/IPIP Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">GRE and IPIP Tunnels<!--mstheme--></font></h1>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#FF6633">Warning: </font>GRE and IPIP Tunnels are insecure when used
over the internet; use them at your own risk<!--mstheme--></font></h3>
<p>GRE and IPIP tunneling with Shorewall requires iproute2 and can be used to bridge two masqueraded networks.&nbsp;GRE
tunnels were introduced in shorewall version 1.2.0_Beta2.</p>
<p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
and Shaping HOWTO</a> work fine with Shorewall. Shorewall also includes a tunnel
script for automating tunnel configuration. If you have installed the RPM, the
tunnel script may be found in the Shorewall documentation directory (usually
/usr/share/doc/shorewall-&lt;version&gt;/).</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Bridging two Masqueraded Networks<!--mstheme--></font></h2>
<p>Suppose that we have the following situation:</p>
<p align="center"><img border="0" src="images/TwoNets1.jpg" width="651" height="394"></p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is accomplished
through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file
and the /etc/shorewall/tunnel script that is included with Shorewall.</p>
<p align="left">The 'tunnel' script is not installed in /etc/shorewall by
default -- If you install using the tarball, the script is included in the
tarball; if you install using the RPM, the file is in your Shorewall
documentation directory (normally /usr/share/doc/shorewall-&lt;version&gt;).</p>
<p align="left">In the /etc/shorewall/tunnel script, set the 'tunnel_type'
parameter to the type of tunnel that you want to create.</p>
<p align="left">Example:</p>
<blockquote>
<p align="left">tunnel_type=gre</p>
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>gw</b> zone. In
/etc/shorewall/interfaces:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>INTERFACE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>BROADCAST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>OPTIONS</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">gw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tosysb<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">10.255.255.255<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>TYPE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>GATEWAY</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>GATEWAY ZONE</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ipip<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">134.28.54.2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IP
encapsulation protocol (4) will be accepted to/from the remote gateway.</p>
<p>In the tunnel script on system A:</p>
<blockquote>
<p>tunnel=tosysb<br>
myrealip=206.161.148.9 (for GRE tunnel only)<br>
myip=192.168.1.1<br>
hisip=10.0.0.1<br>
gateway=134.28.54.2<br>
subnet=10.0.0.0/8</p>
</blockquote>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>gw</b>
zone. In /etc/shorewall/interfaces:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>INTERFACE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>BROADCAST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>OPTIONS</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">gw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tosysa<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">192.168.1.255<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<p>In /etc/shorewall/tunnels on system B, we have:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>TYPE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>GATEWAY</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>GATEWAY ZONE</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ipip<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">206.191.148.9<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<p>And in the tunnel script on system B:</p>
<blockquote>
<p>tunnel=tosysa<br>
myrealip=134.28.54.2 (for GRE tunnel only)<br>
myip=10.0.0.1<br>
hisip=192.168.1.1<br>
gateway=206.191.148.9<br>
subnet=192.168.1.0/24</p>
</blockquote>
<p>You can rename the modified tunnel scripts if you like; be sure that they are
secured so that root can execute them. </p>
<p align="Left"> You will need to allow traffic between the &quot;gw&quot; zone and
the &quot;loc&quot; zone on both systems -- if you simply want to admit all traffic
in both directions, you can use the policy file:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>SOURCE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>DEST</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>POLICY</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>LOG LEVEL</strong><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">gw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">gw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<p>On both systems, restart Shorewall and
run the modified tunnel script with the &quot;start&quot; argument on each
system. The systems in the two masqueraded subnetworks can now talk to each
other</p>
<p><font size="2">Updated 5/18/2002 - <a href="support.htm">Tom
Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</html>
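Review bot: the gateway addresses in the two halves of the example disagree: system A's tunnel script sets myrealip=206.161.148.9, while system B's /etc/shorewall/tunnels entry and its gateway= line both use 206.191.148.9. One of these is a typo, and because the tunnels entry is what opens the firewall to the remote gateway, a mismatch means the encapsulated packets are dropped instead of accepted; pick one address and use it in all three places. Second, the worked example sets tunnel_type=gre, but both tunnels entries use TYPE ipip and the text says the entry admits IP protocol 4. GRE is IP protocol 47, so a gre tunnel script paired with an ipip tunnels entry will not pass traffic; the TYPE column should match the tunnel_type chosen, and the sentence about protocol 4 should say that it applies to ipip only. Third, "secured so that root can execute them" understates the requirement: the script runs with root privileges on every "start", so it should be owned by root and writable by nobody else (mode 0700 is the usual choice); otherwise anyone who can edit it can have commands executed as root. Finally, the warning at the top would be more useful if it said why the tunnels are insecure: neither GRE nor IPIP authenticates or encrypts the encapsulated traffic, and the firewall opening created by the tunnels entry is keyed only on the remote gateway's source address, which is not a strong identity on the open internet.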

View File

@ -0,0 +1,240 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall IPSec Tunneling</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">IPSEC Tunnels<!--mstheme--></font></h1>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">Configuring FreeS/Wan</font><!--mstheme--></font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a href="http://jixen.tripod.com">
http://jixen.tripod.com</a>
. I highly recommend that you consult that site for information about confuring
FreeS/Wan. <p><font color="#FF6633"><b>Warning: </b></font>Do not use Proxy ARP
and FreeS/Wan on the same system unless you are prepared to suffer the
consequences. If you start or restart Shorewall with an IPSEC tunnel active,
the proxied IP addresses are mistakenly assigned to the IPSEC tunnel device
(ipsecX) rather than to the interface that you specify in the INTERFACE column
of /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
can't say if it is a bug in the Kernel or in FreeS/Wan.&nbsp;</p>
<p>You <b>might</b> be able to work around this problem using the following (I
haven't tried it):</p>
<p>In /etc/shorewall/init, include:</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec stop</p>
<p>In /etc/shorewall/start, include:</p>
<p>&nbsp;&nbsp;&nbsp; qt service ipsec start</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">
<font color="#660066">IPSec Gateway
on the Firewall System
</font><!--mstheme--></font></h2>
<p>Suppose that we have the following sutuation:</p>
<font color="#660066">
<p align="Center"><font face="Century Gothic, Arial, Helvetica">
<img src="images/TwoNets1.jpg" width="651" height="394">
</font></p>
</font>
<p align="Left">We want systems
in the 192.168.1.0/24 sub-network to be able to communicate with systems
in the 10.0.0.0/8 network.</p>
<p align="Left">To make this work, we need to do two things:</p>
<p align="Left">a) Open the firewall so that the IPSEC tunnel can be established
(allow the ESP and AH protocols and UDP Port 500). </p>
<p align="Left">b) Allow traffic through the tunnel.</p>
<p align="Left">Opening the firewall for the IPSEC tunnel is accomplished by
adding an entry to the /etc/shorewall/tunnels file.</p>
<p align="Left">In /etc/shorewall/tunnels
on system A, we need the following </p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tbody>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
TYPE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
ZONE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
GATEWAY</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
GATEWAY ZONE</strong><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ipsec<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">134.28.54.2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</tbody>
</table><!--mstheme--><font face="arial, Arial, Helvetica"></blockquote>
<p align="Left">In /etc/shorewall/tunnels
on system B, we would have:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tbody>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
TYPE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
ZONE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
GATEWAY</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
GATEWAY ZONE</strong><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ipsec<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">206.161.148.9<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</tbody>
</table><!--mstheme--><font face="arial, Arial, Helvetica"></blockquote>
<p align="Left">At both
systems, ipsec0 would be included in /etc/shorewall/interfaces as a "gw"
interface:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tbody>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
ZONE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
INTERFACE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
BROADCAST</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
OPTIONS</strong><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">gw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ipsec0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</tbody>
</table><!--mstheme--><font face="arial, Arial, Helvetica"></blockquote>
<p align="Left"> You will need to allow traffic between the &quot;gw&quot; zone and
the &quot;loc&quot; zone -- if you simply want to admit all traffic in both
directions, you can use the policy file:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>SOURCE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>DEST</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>POLICY</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>LOG LEVEL</strong><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">gw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">gw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<p align="Left"> Once
you have these entries in place, restart Shorewall (type shorewall restart);
you are now ready to configure the tunnel in <a href="http://www.xs4all.nl/%7Efreeswan/">
FreeS/WAN</a>
.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066"><a name="RoadWarrior"></a>
Mobile System (Road Warrior)</font><!--mstheme--></font></h2>
<p>Suppose that you have
a laptop system (B) that you take with you when you travel and you want to
be able to establish a secure connection back to your local network.</p>
<p align="Center"><strong><font face="Century Gothic, Arial, Helvetica">
<img src="images/Mobile.jpg" width="535" height="402">
</font></strong></p>
<p align="Left"> In this
instance, the mobile system (B) has IP address 134.28.54.2 but that cannot
be determined in advance. In the /etc/shorewall/tunnels file on system A,
the following entry should be made:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tbody>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
TYPE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
ZONE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
GATEWAY</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
GATEWAY ZONE</strong><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ipsec<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">0.0.0.0/0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">gw<!--mstheme--></font></td>
</tr>
</tbody>
</table><!--mstheme--><font face="arial, Arial, Helvetica"></blockquote>
<p>Note that the GATEWAY
ZONE column contains the name of the zone corresponding to peer subnetworks
(<i>gw</i> in the default /etc/shorewall/zones). This indicates that the
gateway system itself comprises the peer subnetwork; in other words, the
remote gateway is a standalone system.</p>
<p>You will need to configure /etc/shorewall/interfaces and establish
your &quot;through the tunnel&quot; policy as shown under the first example above.</p>
<p><font size="2"> Last
updated 5/18/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</html>
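Review bot: the road-warrior tunnels entry (TYPE ipsec, ZONE net, GATEWAY 0.0.0.0/0, GATEWAY ZONE gw) admits the ESP and AH protocols and UDP port 500 from every address in the net zone, and the surrounding text only says the laptop's address "cannot be determined in advance"; the page should state plainly that this leaves the tunnel-establishment ports open to the whole Internet, that the only thing then standing between an arbitrary remote host and a negotiated tunnel is FreeS/WAN's own peer authentication, and that the gw zone policy (ACCEPT in both directions in the example) applies to whatever the authenticated peer sends. Readers who want something tighter than the two-row ACCEPT policy should be pointed at /etc/shorewall/rules. Smaller points in the same file: "confuring" and "sutuation" are typos, "at<a href=" is missing a space before the anchor, and "FreeS/Wan" and "FreeS/WAN" are both used for the same product.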


@ -0,0 +1,165 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica"><h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Installation<!--mstheme--></font></h1>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install
using tarball</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade
using tarball</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a shell
prompt, type &quot;/sbin/iptables --version&quot;), you must upgrade to version 1.2.4
either from the
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a
conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this
happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps &lt;shorewall
rpm&gt;).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Edit the <a href="#Config_Files"> configuration files</a> to match your configuration. <font color="#FF0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL THE RPM
AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE
FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Start the firewall by typing &quot;shorewall start&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><a name="Install_Tarball"></a>To
install Shorewall using the tarball and install
script: </p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">unpack the tarball<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-1.1.10&quot;).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
<a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
<a href="http://www.slackware.com/">Slackware</a> or
<a href="http://www.debian.org">Debian</a>
then type &quot;./install.sh&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you are using <a href="http://www.suse.com">SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If your distribution has directory
/etc/rc.d/init.d or /etc/init.d then type
&quot;./install.sh&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">For other distributions, determine where your
distribution installs init scripts and type
&quot;./install.sh &lt;init script directory&gt;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Edit the <a href="#Config_Files"> configuration files</a> to match your configuration.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Start the firewall by typing &quot;shorewall
start&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If the install script was unable to configure Shorewall to be started automatically at boot,
see <a href="Documentation.htm#Starting">these
instructions</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed and are upgrading to a new
version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you
have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for each
interface mentioned in the hosts file. Also, there are certain 1.2 rule forms
that are no longer supported under 1.3 (you must use the new 1.3 syntax). See
<a href="errata.htm">the errata </a>for details. You can check your rules and
host file for 1.3 compatibility using the &quot;shorewall check&quot; command after
installing the latest version of 1.3.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If you
are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
you must use the &quot;--oldpackage&quot; option to rpm (e.g., &quot;rpm
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm&quot;).
<p>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a
conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this
happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps &lt;shorewall
rpm&gt;).<br>
&nbsp;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Restart the firewall (shorewall restart).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and are upgrading to a new version
using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you
have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for each
interface mentioned in the hosts file.&nbsp; Also, there are certain 1.2 rule
forms that are no longer supported under 1.3 (you must use the new 1.3 syntax).
See <a href="errata.htm">the errata </a>for details. You can check your rules
and host file for 1.3 compatibility using the &quot;shorewall check&quot; command after
installing the latest version of 1.3.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">unpack the tarball<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-3.0.1&quot;).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
<a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
<a href="http://www.slackware.com/">Slackware</a> or
<a href="http://www.debian.org">Debian</a>
then type &quot;./install.sh&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you are using<a href="http://www.suse.com"> SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If your distribution has directory
/etc/rc.d/init.d or /etc/init.d then type
&quot;./install.sh&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">For other distributions, determine where your
distribution installs init scripts and type
&quot;./install.sh &lt;init script directory&gt;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Restart the firewall by typing &quot;shorewall restart&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="Config_Files"></a>Configuring Shorewall<!--mstheme--></font></h3>
<p>You will need to edit some or all of these configuration files to match your
setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/shorewall.conf - used to set several firewall
parameters.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/params - use this file to set shell variables that you will
expand in other files.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/policy - establishes firewall high-level policy.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/interfaces - describes the interfaces on the
firewall system.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) NAT a.k.a. Masquerading.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/modules - directs the firewall to load kernel modules.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/nat - defines static NAT rules.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/proxyarp - defines use of Proxy ARP.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
accessible when Shorewall is stopped.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tcrules - defines marking of packets for later use by
traffic control/shaping.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
the firewall system.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><font size="2">Updated 7/31/2002 - <a href="support.htm">Tom
Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body></html>
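Review bot: the red warning in the RPM install list tells the reader to issue "shorewall clear" if the firewall fails to start, but does not say what clear does: it removes Shorewall's rules altogether, so the host regains connectivity with no filtering at all. The warning should say so, so that nobody leaves a machine in that state while the configuration is repaired, and the tarball install list should carry the same warning instead of only "Edit the configuration files". Smaller points: the tarball upgrade steps name the directory as "shorewall-3.0.1" while the install steps use "shorewall-1.1.10" and the rest of the page refers to 1.2 and 1.3 versions, so the example should be made consistent; both "./install.sh <init script directory>" lines lack their closing quotation mark; and the 1.2-to-1.3 upgrade paragraph appears verbatim under both the RPM and the tarball upgrade headings and could be written once and referenced from the other.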


@ -0,0 +1,86 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall NAT</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<blockquote>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Static NAT<!--mstheme--></font></h1>
<p><font color="#FF0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use static NAT.
Port forwarding can be accomplished with simple entries in the
<a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
<p>Static NAT is a way to make systems behind a
firewall and configured with private IP addresses (those
reserved for private use in RFC1918) appear to have public IP
addresses.</p>
<p>The following figure represents a static NAT
environment.</p>
<p align="center"><strong><img src="images/staticnat.jpg" width="595" height="455"></strong></p>
<blockquote>
</blockquote>
<p align="left">Static NAT can be used to make the systems with the
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If we
assume that the interface to the upper subnet is eth0, then the following
/etc/shorewall/NAT file would make the lower left-hand system appear to have
IP address 130.252.100.18 and the right-hand one to have IP address
130.252.100.19.</p>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>EXTERNAL</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>INTERFACE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>INTERNAL</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ALL INTERFACES</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>LOCAL</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">130.252.100.18<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">10.1.1.2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">yes<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">yes<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">130.252.100.19<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">10.1.1.3<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">yes<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">yes<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The &quot;ALL INTERFACES&quot; column
is used to specify whether access to the external IP from all firewall
interfaces should undergo NAT (Yes or yes) or if only access from the
interface in the INTERFACE column should undergo NAT. If you leave this
column empty, &quot;Yes&quot; is assumed.&nbsp;The ALL INTERFACES column was
added in version 1.1.6.</p>
<p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>=&quot;no&quot;
(or &quot;No&quot;) in /etc/shorewall/shorewall.conf; If you do not set
ADD_IP_ALIASES or if you set it to &quot;Yes&quot; or &quot;yes&quot; then you must NOT configure your own alias(es).</p>
<p><a name="LocalPackets"></a>Note 3: The contents of the &quot;LOCAL&quot;
column determine whether packets originating on the firewall itself and
destined for the EXTERNAL address are redirected to the internal ADDRESS. If
this column contains &quot;yes&quot; or &quot;Yes&quot; (and the ALL
INTERFACES COLUMN also contains &quot;Yes&quot; or &quot;yes&quot;) then
such packets are redirected; otherwise, such packets are not redirected. The
LOCAL column was added in version 1.1.8.</p>
</blockquote>
<blockquote>
</blockquote>
<p><font size="2">Last updated 3/27/2002 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><!--mstheme--></font></body></html>
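Review bot: The NAT file is named with the wrong case in the Static NAT example ("the following /etc/shorewall/NAT file would make the lower left-hand system appear..."); the file Shorewall reads is /etc/shorewall/nat, which is also how the 1.2.13 news entry in this same commit spells it ("can override the contents of /etc/shorewall/nat"). On a case-sensitive filesystem a reader who copies the uppercase name creates a file the firewall script never loads, so the paragraph should say /etc/shorewall/nat. Two smaller points in the same file: the closing "</blockquote>" that follows Note 3 has no matching opening tag (the only blockquote opened earlier, the empty one after the figure, is already closed), so it should be dropped along with the two empty blockquote pairs that add nothing; and Note 3 says packets are "redirected to the internal ADDRESS" while the table column it refers to is labelled INTERNAL, so the column name should be used consistently.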

View File

@ -0,0 +1,988 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall News</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall News Archive<!--mstheme--></font></h1>
<p><b>8/7/2002 - Shorewall 1.3.6</b></p>
<p>This is primarily a bug-fix rollup with a couple of new features:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The latest <a href="shorewall_quickstart_guide.htm">QuickStart Guides </a>
including the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall will now DROP TCP packets that are not part of or
related to an existing connection and that are not SYN packets. These &quot;New
not SYN&quot; packets may be optionally logged by setting the LOGNEWNOTSYN option
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The processing of &quot;New not SYN&quot; packets may be extended by command in the
new <a href="shorewall_extension_scripts.htm">newnotsyn extension script</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>7/30/2002 - Shorewall 1.3.5b Released</b></p>
<p>This interim release:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Causes the firewall script to remove the lock file if it is killed.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Once again allows lists in the second column of the
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Includes the latest <a href="shorewall_quickstart_guide.htm">QuickStart
Guides</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>7/29/2002 - New Shorewall Setup Guide Available</b></p>
<p>The first draft of this guide is available at
<a href="http://www.shorewall.net/shorewall_setup_guide.htm">
http://www.shorewall.net/shorewall_setup_guide.htm</a>. The guide is intended
for use by people who are setting up Shorewall to manage multiple public IP
addresses and by people who want to learn more about Shorewall than is
described in the single-address guides. Feedback on the new guide is welcome.</p>
<p><b>7/28/2002 - Shorewall 1.3.5 Debian Package Available</b></p>
<p>Lorenzo Martignoni reports that the packages are version 1.3.5a and are available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>7/27/2002 - Shorewall 1.3.5a Released</b></p>
<p>This interim release restores correct handling of REDIRECT rules. </p>
<p><b>7/26/2002 - Shorewall 1.3.5 Released</b></p>
<p>This will be the last Shorewall release for a while. I'm going to be
focusing on rewriting a lot of the documentation.</p>
<p><b>&nbsp;</b>In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Empty and invalid source and destination qualifiers are now detected in
the rules file. It is a good idea to use the 'shorewall check' command before
you issue a 'shorewall restart' command be be sure that you don't have any
configuration problems that will prevent a successful restart.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Added <b>MERGE_HOSTS</b> variable in <a href="Documentation.htm#Conf">
shorewall.conf</a> to provide saner behavior of the /etc/shorewall/hosts
file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The time that the counters were last reset is now displayed in the
heading of the 'status' and 'show' commands.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A <b>proxyarp </b>option has been added for entries in
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This
option facilitates Proxy ARP sub-netting as described in the Proxy ARP
subnetting mini-HOWTO (<a href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>).
Specifying the proxyarp option for an interface causes Shorewall to set
/proc/sys/net/ipv4/conf/&lt;interface&gt;/proxy_arp.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The Samples have been updated to reflect the new capabilities in this
release. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>7/16/2002 - New Mirror in Argentina</b></p>
<p>Thanks to Arturo &quot;Buanzo&quot; Busleiman, there is now a Shorewall mirror in
Argentina. Thanks Buanzo!!!</p>
<p><b>7/16/2002 - Shorewall 1.3.4 Released</b></p>
<p>In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A new <a href="Documentation.htm#Routestopped">
/etc/shorewall/routestopped</a> file has been added. This file is intended to
eventually replace the <b>routestopped</b> option in the
/etc/shorewall/interface and /etc/shorewall/hosts files. This new file makes
remote firewall administration easier by allowing any IP or subnet to be
enabled while Shorewall is stopped.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">An /etc/shorewall/stopped <a href="Documentation.htm#Scripts">extension
script</a> has been added. This script is invoked after Shorewall has
stopped.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A <b>DETECT_DNAT_ADDRS </b>option has been added to
<a href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf</a>. When this
option is selected, DNAT rules only apply when the destination address is the
external interface's primary IP address.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a> has
been broken into three guides and has been almost entirely rewritten.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The Samples have been updated to reflect the new capabilities in this
release. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>7/8/2002 - Shorewall 1.3.3 Debian Package Available</b></p>
<p>Lorenzo Marignoni reports that the packages are available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>7/6/2002 - Shorewall 1.3.3 Released</b></p>
<p>In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Entries in /etc/shorewall/interface that use the wildcard character (&quot;+&quot;)
now have the &quot;multi&quot; option assumed.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The 'rfc1918' chain in the mangle table has been renamed 'man1918' to
make log messages generated from that chain distinguishable from those
generated by the 'rfc1918' chain in the filter table.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Interface names appearing in the hosts file are now validated against the
interfaces file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The TARGET column in the rfc1918 file is now checked for correctness.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The chain structure in the nat table has been changed to reduce the
number of rules that a packet must traverse and to correct problems with
NAT_BEFORE_RULES=No<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The &quot;hits&quot; command has been enhanced.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>6/25/2002 - Samples Updated for 1.3.2</b></p>
<p>The comments in the sample configuration files have been updated to reflect
new features introduced in Shorewall 1.3.2.</p>
<p><b>6/25/2002 - Shorewall 1.3.1 Debian Package Available</b></p>
<p>Lorenzo Marignoni reports that the package is available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>6/19/2002 - Documentation Available in PDF Format</b></p>
<p>Thanks to Mike Martinez, the Shorewall Documentation is now available for
<a href="download.htm">download</a> in <a href="http://www.adobe.com">Adobe</a>
PDF format.</p>
<p><b>6/16/2002 - Shorewall 1.3.2 Released</b></p>
<p>In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A <a href="Documentation.htm#Starting">logwatch command</a> has been
added to /sbin/shorewall.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A <a href="blacklisting_support.htm">dynamic blacklist facility</a> has
been added.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Support for the <a href="Documentation.htm#Conf">Netfilter multiport
match function</a> has been added.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The files <b>firewall, functions </b>and <b>version</b> have been moved
from /etc/shorewall to /var/lib/shorewall.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>6/6/2002 - Why CVS Web access is Password Protected</b></p>
<p>Last weekend, I installed the CVS Web package to provide brower-based access
to the Shorewall CVS repository. Since then, I have had several instances where
my server was almost unusable due to the high load generated by website copying
tools like HTTrack and WebStripper. These mindless tools:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Ignore robot.txt files.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Recursively copy everything that they find.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Should be classified as weapons rather than tools.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>These tools/weapons are particularly damaging when combined with CVS Web
because they doggedly follow every link in the cgi-generated HTML resulting in
1000s of executions of the cvsweb.cgi script. Yesterday, I spend several hours
implementing measures to block these tools but unfortunately, these measures
resulted in my server OOM-ing under even moderate load.</p>
<p>Until I have the time to understand the cause of the OOM (or until I buy
more RAM if that is what is required), CVS Web access will remain Password
Protected. </p>
<p><b>6/5/2002 - Shorewall 1.3.1 Debian Package Available</b></p>
<p>Lorenzo Marignoni reports that the package is available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>6/2/2002 - Samples Corrected</b></p>
<p>The 1.3.0 samples configurations had several serious problems that prevented
DNS and SSH from working properly. These problems have been corrected in the
<a href="/pub/shorewall/samples-1.3.1">1.3.1 samples.</a></p>
<p><b>6/1/2002 - Shorewall 1.3.1 Released</b></p>
<p>Hot on the heels of 1.3.0, this release:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Corrects a serious problem with &quot;all <i>&lt;zone&gt;</i> CONTINUE&quot; policies.
This problem is present in all versions of Shorewall that support the
CONTINUE policy. These previous versions optimized away the &quot;all2<i>&lt;zone&gt;</i>&quot;
chain and replaced it with the &quot;all2all&quot; chain with the usual result that a
policy of REJECT was enforced rather than the intended CONTINUE policy.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Adds an <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</a>
file for defining the exact behavior of the<a href="Documentation.htm#Interfaces">
'norfc1918' interface option</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>5/29/2002 - Shorewall 1.3.0 Released</b></p>
<p>In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0
includes:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A 'filterping' interface option that allows ICMP echo-request (ping)
requests addressed to the firewall to be handled by entries in
/etc/shorewall/rules and /etc/shorewall/policy.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>5/23/2002 - Shorewall 1.3 RC1 Available</b></p>
<p>In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92)
incorporates the following:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Support for the /etc/shorewall/whitelist file has been withdrawn. If you
need whitelisting, see <a href="/1.3/whitelisting_under_shorewall.htm">these
instructions</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>5/19/2002 - Shorewall 1.3 Beta 2 Available</b></p>
<p>In addition to the changes in Beta 1, this release which carries the
designation 1.2.91 adds:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The structure of the firewall is changed markedly. There is now an INPUT
and a FORWARD chain for each interface; this reduces the number of rules that
a packet must traverse, especially in complicated setups.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#Exclude">Sub-zones may now be excluded from
DNAT and REDIRECT rules.</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The names of the columns in a number of the configuration files have been
changed to be more consistent and self-explanatory and the documentation has
been updated accordingly.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The sample configurations have been updated for 1.3.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>5/17/2002 - Shorewall 1.3 Beta 1 Available</b></p>
<p>Beta 1 carries the version designation 1.2.90 and implements the following
features:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Simplified rule syntax which makes the intent of each rule clearer and
hopefully makes Shorewall easier to learn.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Upward compatibility with 1.2 configuration files has been maintained so
that current users can migrate to the new syntax at their convenience.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><b><font color="#CC6666">WARNING:&nbsp; Compatibility with the old
parameterized sample configurations has NOT been maintained. Users still
running those configurations should migrate to the new sample configurations
before upgrading to 1.3 Beta 1.</font></b><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>5/4/2002 - Shorewall 1.2.13 is Available</b></p>
<p>In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#Whitelist">White-listing</a> is supported.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#Policy">SYN-flood protection </a>is added.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">IP addresses added under <a href="Documentation.htm#Conf">ADD_IP_ALIASES
and ADD_SNAT_ALIASES</a> now inherit the VLSM and Broadcast Address of the
interface's primary IP address.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The order in which port forwarding DNAT and Static DNAT
<a href="Documentation.htm#Conf">can now be reversed</a> so that port
forwarding rules can override the contents of <a href="Documentation.htm#NAT">
/etc/shorewall/nat</a>. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>4/30/2002 - Shorewall Debian News</b></p>
<p>Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the
<a href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</p>
<p><b>4/20/2002 - Shorewall 1.2.12 is Available</b></p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The 'try' command works again<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">There is now a single RPM that also works with SuSE.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>4/17/2002 - Shorewall Debian News</b></p>
<p>Lorenzo Marignoni reports that:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall 1.2.10 is in the
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall 1.2.11 is in the
<a href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Thanks, Lorenzo!</p>
<p><b>4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE</b></p>
<p>Thanks to <a href="mailto:s.mohr@familie-mohr.com">Stefan Mohr</a>, there is
now a Shorewall 1.2.11
<a href="http://www.shorewall.net/pub/shorewall/shorewall-1.2-11.i686.suse73.rpm">
SuSE RPM</a> available. </p>
<p><b>4/13/2002 - Shorewall 1.2.11 Available </b></p>
<p>In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The 'try' command now accepts an optional timeout. If the timeout is
given in the command, the standard configuration will automatically be
restarted after the new configuration has been running for that length of
time. This prevents a remote admin from being locked out of the firewall in
the case where the new configuration starts but prevents access.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Kernel route filtering may now be enabled globally using the new
ROUTE_FILTER parameter in <a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Individual IP source addresses and/or subnets may now be excluded from
masquerading/SNAT.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Simple &quot;Yes/No&quot; and &quot;On/Off&quot; values are now case-insensitive in
/etc/shorewall/shorewall.conf.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>4/13/2002 - Hamburg Mirror now has FTP </b></p>
<p>Stefan now has an FTP mirror at
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall">
ftp://germany.shorewall.net/pub/shorewall</a>.&nbsp; Thanks Stefan!</p>
<p><b>4/12/2002 - New Mirror in Hamburg</b></p>
<p>Thanks to <a href="mailto:s.mohr@familie-mohr.com">Stefan Mohr</a>, there is
now a mirror of the Shorewall website at
<a target="_top" href="http://germany.shorewall.net">
http://germany.shorewall.net</a>. </p>
<p><b>4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available</b></p>
<p><a href="shorewall_quickstart_guide.htm">Version 1.1 of the QuickStart Guide</a>
is now available. Thanks to those who have read version 1.0 and offered their
suggestions. Corrections have also been made to the sample scripts.</p>
<p><b>4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available</b></p>
<p><a href="shorewall_quickstart_guide.htm">Version 1.0 of the QuickStart Guide</a>
is now available. This Guide and its accompanying sample configurations are
expected to provide a replacement for the recently withdrawn parameterized
samples. </p>
<p><b>4/8/2002 - Parameterized Samples Withdrawn </b></p>
<p>Although the <a href="http://www.shorewall.net/pub/shorewall/samples-1.2.1/">parameterized
samples</a> have allowed people to get a firewall up and running quickly, they
have unfortunately set the wrong level of expectation among those who have used
them. I am therefore withdrawing support for the samples and I am recommending
that they not be used in new Shorewall installations.</p>
<p><b>4/2/2002 - Updated Log Parser</b></p>
<p><a href="mailto:JML@redwoodtech.com">John Lodge</a> has provided an updated
version of his
<a href="pub/shorewall/parsefw/">CGI-based log parser</a> with corrected date
handling. </p>
<p><b>3/30/2002 - Shorewall Website Search Improvements</b></p>
<p>The quick search on the home page now excludes the mailing list archives.
The <a href="htdig/search.html">Extended Search</a> allows excluding the
archives or restricting the search to just the archives. An archive search form
is also available on the <a href="mailing_list.htm">mailing list information
page</a>.</p>
<p><b>3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)</b></p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The 1.2.10 Debian Package is available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall 1.2.9 is now in the
<a href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Distribution</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>3/25/2002 - Log Parser Available</b></p>
<p><a href="mailto:JML@redwoodtech.com">John Lodge</a> has provided a
<a href="pub/shorewall/parsefw/">CGI-based log parser</a> for Shorewall. Thanks
John.</p>
<p><b>3/20/2002 - Shorewall 1.2.10 Released</b></p>
<p>In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A &quot;shorewall try&quot; command has been added (syntax: shorewall try <i>
&lt;configuration directory&gt;</i>). This command attempts &quot;shorewall -c <i>
&lt;configuration directory&gt;</i> start&quot; and if that results in the firewall
being stopped due to an error, a &quot;shorewall start&quot; command is executed. The
'try' command allows you to create a new <a href="Documentation.htm#Configs">
configuration</a> and attempt to start it; if there is an error that leaves
your firewall in the stopped state, it will automatically be restarted using
the default configuration (in /etc/shorewall).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A new variable ADD_SNAT_ALIASES has been added to
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>. If this
variable is set to &quot;Yes&quot;, Shorewall will automatically add IP addresses
listed in the third column of the <a href="Documentation.htm#Masq">
/etc/shorewall/masq</a> file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Copyright notices have been added to the documentation.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
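<p>The fail-safe behind the 'try' command above (1.2.10) and the timeout added to it in 1.2.11 (see the 4/13/2002 entry) can be shown as a small shell script. This is an added example, not the /sbin/shorewall code: the hook names, the use of the start command's exit status as the "firewall stopped" signal, and the cancel_timer helper are assumptions.</p>

```shell
#!/bin/sh
# Added example, not Shorewall's own code: the pattern behind
# "shorewall try <dir> [timeout]". A candidate configuration is started; if
# that leaves the firewall stopped, the standard configuration in
# /etc/shorewall is restored at once. With a timeout, the standard
# configuration is restored after that many seconds regardless, so an admin
# locked out by rules that loaded fine still gets back in.

# Hooks (assumed names). Real use runs the commands quoted on the page; a
# caller may redefine these functions to drive a test harness instead.
start_candidate() {        # $1 = configuration directory
    shorewall -c "$1" start
}
start_standard() {
    shorewall start
}

# try_config DIR [TIMEOUT]
#   0 : candidate configuration is running
#   1 : candidate failed, standard configuration restored
#   2 : bad arguments, nothing changed
try_config() {
    dir=$1
    timeout=${2:-}
    if [ ! -d "$dir" ]; then
        echo "try: $dir is not a directory" >&2
        return 2
    fi
    case $timeout in
        ''|*[0-9]) : ;;      # empty or digits only (checked again below)
    esac
    case $timeout in
        *[!0-9]*)
            echo "try: timeout must be a whole number of seconds" >&2
            return 2 ;;
    esac
    # Assumption: a non-zero exit status means the start attempt left the
    # firewall stopped, which is the case the page describes.
    if ! start_candidate "$dir"; then
        echo "try: $dir failed to start; restoring standard configuration" >&2
        start_standard
        return 1
    fi
    if [ -n "$timeout" ]; then
        # Deadman timer: runs in the background so it fires even when the
        # admin can no longer reach the box through the new rules.
        ( sleep "$timeout"; start_standard ) &
        TRY_TIMER_PID=$!
    fi
    return 0
}

# cancel_timer (assumed helper, not on the page): an admin who is still
# connected and happy with the candidate keeps it running by cancelling
# the pending restore.
cancel_timer() {
    [ -n "${TRY_TIMER_PID:-}" ] && kill "$TRY_TIMER_PID" 2>/dev/null
    TRY_TIMER_PID=
    return 0
}
```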
<p><b>3/11/2002 - Shorewall 1.2.9 Released</b></p>
<p>In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Filtering by <a href="Documentation.htm#MAC">MAC address</a> has been added.
MAC addresses may be used as the source address in:<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Filtering rules (<a href="Documentation.htm#Rules">/etc/shorewall/rules</a>)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Traffic Control Classification Rules (<a href="traffic_shaping.htm#tcrules">/etc/shorewall/tcrules</a>)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">TOS Rules (<a href="Documentation.htm#TOS">/etc/shorewall/tos</a>)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Blacklist (<a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a>)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Several bugs have been fixed<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The 1.2.9 Debian Package is also available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>3/1/2002 - 1.2.8 Debian Package is Available</b></p>
<p>See <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
<p><b>2/25/2002 - New Two-interface Sample</b></p>
<p>I've enhanced the two interface sample to allow access from the firewall to
servers in the local zone -
<a href="http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">
http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz</a></p>
<p><b>2/23/2002 - Shorewall 1.2.8 Released</b></p>
<p>Due to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
problems associated with the lock file used to prevent multiple state-changing
operations from occurring simultaneously. My apologies for any inconvenience my
carelessness may have caused.</p>
<p><b>2/22/2002 - Shorewall 1.2.7 Released</b></p>
<p>In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">UPnP probes (UDP destination port 1900) are now silently dropped in the
<i>common</i> chain<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">RFC 1918 checking in the mangle table has been streamlined to no longer
require packet marking. RFC 1918 checking in the filter table has been
changed to require half as many rules as previously.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A 'shorewall check' command has been added that does a cursory validation
of the zones, interfaces, hosts, rules and policy files.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>2/18/2002 - 1.2.6 Debian Package is Available</b></p>
<p>See <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
<p><b>2/8/2002 - Shorewall 1.2.6 Released</b></p>
<p>In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">$-variables may now be used anywhere in the configuration files except
/etc/shorewall/zones.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The interfaces and hosts files now have their contents validated before
any changes are made to the existing Netfilter configuration. The appearance
of a zone name that isn't defined in /etc/shorewall/zones causes &quot;shorewall
start&quot; and &quot;shorewall restart&quot; to abort without changing the Shorewall state.
Unknown options in either file cause a warning to be issued.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A problem occurring when BLACKLIST_LOGLEVEL was not set has been
corrected.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>2/4/2002 - Shorewall 1.2.5 Debian Package Available</b></p>
<p>See <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
<p><b>2/1/2002 - Shorewall 1.2.5 Released</b></p>
<p>Due to installation problems with Shorewall 1.2.4, I have released Shorewall
1.2.5. Sorry for the rapid-fire development.</p>
<p>In version 1.2.5:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The installation problems have been corrected.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#Masq">SNAT</a> is now supported.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A &quot;shorewall version&quot; command has been added<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The default value of the STATEDIR variable in
/etc/shorewall/shorewall.conf has been changed to /var/lib/shorewall in
order to conform to the GNU/Linux File Hierarchy Standard, Version 2.2.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>1/28/2002 - Shorewall 1.2.4 Released</b></p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The &quot;fw&quot; zone <a href="Documentation.htm#FW">may now be given a
different name</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You may now place end-of-line comments (preceded by '#') in any of the
configuration files<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">There is now protection against two state changing operations
occurring concurrently. This is implemented using the 'lockfile' utility if
it is available (lockfile is part of procmail); otherwise, a less robust
technique is used. The lockfile is created in the STATEDIR defined in
/etc/shorewall/shorewall.conf and has the name &quot;lock&quot;.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">&quot;shorewall start&quot; no longer fails if &quot;detect&quot; is
specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> for an interface with subnet mask 255.255.255.255.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
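<p>The lock described in the 1.2.4 entry above, as an added shell example that is not Shorewall's own code: procmail's 'lockfile' is used when it is installed, and the fallback is the shell's noclobber redirection. The STATEDIR and the lock name &quot;lock&quot; follow the page; the function names are assumptions.</p>

```shell
#!/bin/sh
# Added example, not Shorewall's own code: serialize state-changing
# operations (start, stop, restart, refresh) on one lock file named "lock"
# under STATEDIR. With procmail's 'lockfile' the lock is broken when stale;
# the fallback (noclobber redirection) is atomic on a local filesystem but
# is not cleaned up if the holder crashes, hence "less robust".

# The lock path is computed at call time so STATEDIR may be set by the caller.
lock_path() {
    echo "${STATEDIR:-/var/lib/shorewall}/lock"
}

# acquire_lock: 0 when the lock is ours, non-zero when another operation
# holds it.
acquire_lock() {
    lock=$(lock_path)
    if command -v lockfile >/dev/null 2>&1; then
        # -r 0: try once, fail fast; -l 120: a lock older than 120 seconds is
        # treated as stale and broken, so a crashed operation cannot wedge
        # every later start/stop.
        lockfile -r 0 -l 120 "$lock" 2>/dev/null
    else
        # set -C (noclobber) makes "> file" fail when the file already
        # exists, which gives an O_EXCL-style create in plain sh.
        ( set -C; echo $$ > "$lock" ) 2>/dev/null
    fi
}

release_lock() {
    rm -f "$(lock_path)"
}

# run_locked CMD [ARGS...]: run one state-changing operation under the lock.
# Returns the operation's exit status, or 1 if the lock could not be taken.
run_locked() {
    if ! acquire_lock; then
        echo "another Shorewall operation is in progress; try again later" >&2
        return 1
    fi
    if "$@"; then
        status=0
    else
        status=$?
    fi
    release_lock
    return $status
}
```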
<p><b>1/27/2002 - Shorewall 1.2.3 Debian Package Available </b>-- see <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
<p><b>1/20/2002 - Corrected firewall script available&nbsp;</b></p>
<p>Corrects a problem with BLACKLIST_LOGLEVEL. See <a href="errata.htm">the
errata</a> for details.</p>
<p><b>1/19/2002 - Shorewall 1.2.3 Released</b></p>
<p>This is a minor feature and bugfix release. The single new feature is:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Support for TCP MSS Clamp to PMTU -- This support is usually required when
the internet connection is via PPPoE or PPTP and may be enabled using the <a href="Documentation.htm#ClampMSS">CLAMPMSS</a>
option in /etc/shorewall/shorewall.conf.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>The following problems were corrected:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The &quot;shorewall status&quot; command no longer hangs.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The &quot;shorewall monitor&quot; command now displays the icmpdef chain<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The CLIENT PORT(S) column in tcrules is no longer ignored<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>1/18/2002 - Shorewall 1.2.2 packaged with new </b><a href="http://leaf.sourceforge.net">LEAF</a><b>
release</b></p>
<p>Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution
that includes Shorewall 1.2.2. See <a href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo</a>
for details.</p>
<p><b>1/11/2002 - Debian Package (.deb) Now Available - </b>Thanks to <a href="mailto:lorenzo.martignoni@milug.org">Lorenzo
Martignoni</a>, a 1.2.2 Shorewall Debian package is now available. There is a
link to Lorenzo's site from the <a href="download.htm">Shorewall download page</a>.</p>
<p><b>1/9/2002 - Updated 1.2.2 /sbin/shorewall available - </b><a href="/pub/shorewall/errata/1.2.2/shorewall">This
corrected version </a>restores the &quot;shorewall status&quot; command to
health.</p>
<p><b>1/8/2002 - Shorewall 1.2.2 Released</b></p>
<p>In version 1.2.2:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Support for IP blacklisting has been added
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You specify whether you want packets from blacklisted hosts dropped or
rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION
</a>setting in /etc/shorewall/shorewall.conf<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You specify whether you want packets from blacklisted hosts logged and
at what syslog level using the <a href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a>
setting in /etc/shorewall/shorewall.conf<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You list the IP addresses/subnets that you wish to blacklist in <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You specify the interfaces you want checked against the blacklist
using the new &quot;<a href="Documentation.htm#BLInterface">blacklist</a>&quot;
option in /etc/shorewall/interfaces.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The black list is refreshed from /etc/shorewall/blacklist by the
&quot;shorewall refresh&quot; command.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Use of TCP RST replies has been expanded&nbsp;
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">TCP connection requests rejected because of a REJECT policy are now
replied with a TCP RST packet.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">TCP connection requests rejected because of a protocol=all rule in
/etc/shorewall/rules are now replied with a TCP RST packet.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A <a href="Documentation.htm#Logfile">LOGFILE</a> specification has been
added to /etc/shorewall/shorewall.conf. LOGFILE is used to tell the
/sbin/shorewall program where to look for Shorewall messages.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>1/5/2002 - New Parameterized Samples (<a href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.2.0/" target="_blank">version
1.2.0</a>) released. </b>These are minor updates to the previously-released
samples. There are two new rules added:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Unless you have explicitly enabled Auth connections (tcp port 113) to your
firewall, these connections will be REJECTED rather than DROPPED. This
speeds up connection establishment to some servers.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Orphan DNS replies are now silently dropped.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>See the README file for upgrade instructions.</p>
<p><b>1/1/2002 - <u><font color="#FF6633">Shorewall Mailing List Moving</font></u></b></p>
<p>The Shorewall mailing list hosted at <a href="http://sourceforge.net"> Sourceforge</a> is moving to Shorewall.net.
If you are a current subscriber to the list at Sourceforge, please <a href="shorewall_mailing_list_migration.htm">see
these instructions</a>. If you would like to subscribe to the new list, visit <a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
<p><b>12/31/2001 - Shorewall 1.2.1 Released</b></p>
<p>In version 1.2.1:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#LogUncleanOption">Logging of Mangled/Invalid
Packets</a> is added.&nbsp;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The <a href="IPIP.htm">tunnel script</a> has been corrected.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">'shorewall show tc' now correctly handles tunnels.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>12/21/2001 - Shorewall 1.2.0 Released!</b> - <b>I couldn't resist
releasing 1.2 on 12/21/2001</b></p>
<p>Version 1.2 contains the following new features:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Support for <a href="traffic_shaping.htm">Traffic Control/Shaping</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Support for <a href="Documentation.htm#Unclean">Filtering of
Mangled/Invalid Packets</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Support for <a href="IPIP.htm">GRE Tunnels</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>For the next month or so, I will continue to provide corrections to version
1.1.18 as necessary so that current version 1.1.x users will not be forced into a
quick upgrade to 1.2.0 just to have access to bug fixes.</p>
<p>For those of you who have installed one of the Beta RPMS, you will need to
use the &quot;--oldpackage&quot; option when upgrading to 1.2.0:</p>
<blockquote>
<p>rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm</p>
</blockquote>
<p><b>12/19/2001 - Thanks to <a href="mailto:scowles@infohiiway.com">Steve
Cowles</a>, there is now a Shorewall mirror in Texas. </b>This web site is
mirrored at <a href="http://www.infohiiway.com/shorewall" target="_top">http://www.infohiiway.com/shorewall</a>
and the ftp site is at <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall">ftp://ftp.infohiiway.com/pub/mirrors/shorewall</a>.</p>
<p><b>11/30/2001 - A new set of the parameterized <a href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.18">Sample
Configurations</a> has been released</b>. In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Ping is now allowed between the zones.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">In the three-interface configuration, it is now possible to configure the
internet services that are to be available to servers in the DMZ.&nbsp;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>11/20/2001 - The current version of Shorewall is 1.1.18.&nbsp;</b></p>
<p>In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The spelling of ADD_IP_ALIASES has been corrected in the shorewall.conf
file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The logic for deleting user-defined chains has been simplified so that it
avoids a bug in the LRP version of the 'cut' utility.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The /var/lib/lrpkg/shorwall.conf file has been corrected so that its NAT
entry is displayed properly.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>11/19/2001 - Thanks to <a href="mailto:shorewall@timelord.sk">Juraj
Ontkanin</a>, there is now a Shorewall mirror in the Slovak Republic</b>. The website is now mirrored at <a href="http://www.nrg.sk/mirror/shorewall" target="_top">http://www.nrg.sk/mirror/shorewall</a>
and the FTP site is mirrored at <a href="ftp://ftp.nrg.sk/mirror/shorewall">ftp://ftp.nrg.sk/mirror/shorewall</a>.</p>
<p><b>11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations.</b>
There are three sample configurations:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">One Interface -- for a standalone system.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Two Interfaces -- A masquerading firewall.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Three Interfaces -- A masquerading firewall with DMZ.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Samples may be downloaded from <a href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17">ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17</a>.
See the README file for instructions.</p>
<p><b>11/1/2001 - The current version of Shorewall is 1.1.17</b>.&nbsp; I intend
this to be the last of the 1.1 Shorewall releases.</p>
<p> In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The handling of <a href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>
has been corrected. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>10/22/2001 - The current version of Shorewall is 1.1.16</b>. In this
version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A new &quot;shorewall show connections&quot; command has been added.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">In the &quot;shorewall monitor&quot; output, the currently tracked
connections are now shown on a separate page.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Prior to this release, Shorewall unconditionally added (as IP aliases) the external IP
address(es) specified in /etc/shorewall/nat. Beginning with version
1.1.16, a new parameter (<a href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>)
may be set to &quot;no&quot; (or &quot;No&quot;) to inhibit this behavior.
This allows IP aliases created using your distribution's network
configuration tools to be used in static NAT.&nbsp;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>10/15/2001 - The current version of Shorewall is 1.1.15.</b> In this
version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Support for nested zones has been improved. See <a href="Documentation.htm#Nested">
the documentation</a>
for details.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall now correctly checks the alternate configuration directory for
the 'zones' file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>10/4/2001 - The current version of Shorewall is 1.1.14.</b> In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall now supports alternate configuration directories. When an
alternate directory is specified on the start or restart command
(e.g., &quot;shorewall -c /etc/testconf restart&quot;), Shorewall first
looks for configuration files in the alternate directory and then in
/etc/shorewall. To create an alternate configuration simply:<br>
1. Create a new directory.<br>
2. Copy to that directory any of your configuration files that you want to
change.<br>
3. Modify the copied files as needed.<br>
4. Restart Shorewall specifying the new directory.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The rules for allowing/disallowing ICMP echo-requests (pings) are now
placed after the rules created from the rules file. This allows you to
add rules that selectively allow/deny ping based on source or destination
address.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Rules that specify multiple client IP addresses or subnets no longer cause
startup failures.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Zone names in the policy file are now validated against the zones file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you have <a href="Documentation.htm#MangleEnabled">packet mangling</a>
support enabled, the &quot;<a href="Documentation.htm#Interfaces">norfc1918</a>&quot;
interface option now logs and drops any incoming packets on the interface
that have an RFC 1918 destination address.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>9/12/2001 - The current version of Shorewall is 1.1.13</b>. In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Shell variables can now be used to parameterize Shorewall rules.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The second column in the hosts file may now contain a comma-separated
list.<br>
<br>
Example:<br>
&nbsp;&nbsp;&nbsp; sea&nbsp;&nbsp;&nbsp;
eth0:130.252.100.0/24,206.191.149.0/24<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Handling of multi-zone interfaces has been improved. See the <a href="Documentation.htm#Interfaces">documentation
for the /etc/shorewall/interfaces file</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>8/28/2001 - The current version of Shorewall is 1.1.12</b>. In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Several columns in the rules file may now contain comma-separated lists.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall is now more rigorous in parsing the options in
/etc/shorewall/interfaces.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Complementation using &quot;!&quot; is now supported in rules.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>7/28/2001 - The current version of Shorewall is 1.1.11</b>. In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A &quot;shorewall refresh&quot; command has been added to allow for
refreshing the rules associated with the broadcast address on a dynamic
interface. This command should be used in place of &quot;shorewall
restart&quot; when the internet interface's IP address changes.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The /etc/shorewall/start file (if any) is now processed after all
temporary rules have been deleted. This change prevents the accidental
removal of rules added during the processing of that file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The &quot;dhcp&quot; interface option is now applicable to firewall
interfaces used by a DHCP server running on the firewall.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The RPM can now be built from the .tgz file using &quot;rpm -tb&quot;.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>7/6/2001 - The current version of Shorewall is 1.1.10.</b> In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall now enables IPv4 packet forwarding by default. Packet forwarding
may be disabled by specifying IP_FORWARDING=Off in
/etc/shorewall/shorewall.conf. If you don't want Shorewall to enable or
disable packet forwarding, add IP_FORWARDING=Keep to your
/etc/shorewall/shorewall.conf file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The &quot;shorewall hits&quot; command no longer lists extraneous service
names in its last report.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Erroneous instructions in the comments at the head of the firewall script
have been corrected.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>6/23/2001 - The current version of Shorewall is 1.1.9.</b> In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The &quot;tunnels&quot; file <u>really</u> is in the RPM now.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">SNAT can now be applied to port-forwarded connections.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A bug which would cause firewall start failures in some DHCP configurations
has been fixed.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The firewall script now issues a message if you have the name of an
interface in the second column in an entry in /etc/shorewall/masq and that
interface is not up.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You can now configure Shorewall so that it <a href="Documentation.htm#NatEnabled">doesn't require the NAT and/or
mangle netfilter modules</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Thanks to Alex Polishchuk, the &quot;hits&quot; command
from Seawall is now in Shorewall.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Support for <a href="IPIP.htm">IPIP tunnels</a> has been added.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>6/18/2001 - The current version of Shorewall is 1.1.8</b>. In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A typo in the sample rules file has been corrected.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">It is now possible to restrict masquerading by <a href="Documentation.htm#Masq">destination
host or subnet</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">It is now possible to have static <a href="NAT.htm#LocalPackets">NAT rules
applied to packets originating on the firewall itself</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>6/2/2001 - The current version of Shorewall is 1.1.7.</b> In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The TOS rules are now deleted when the firewall is stopped.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The .rpm will now install regardless of which version of iptables is
installed.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The .rpm will now install without iproute2 being installed.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The documentation has been cleaned up.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The sample configuration files included in Shorewall have been formatted
to 80 columns for ease of editing on a VGA console.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>5/25/2001 - The current version of Shorewall is 1.1.6</b>. In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#lograte">You may now rate-limit the packet log.</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Previous versions of
Shorewall had an implementation of static NAT which violates the principle
of least surprise: NAT only occurred for packets arriving at (DNAT) or
sent from (SNAT) the interface named in the INTERFACE column of
/etc/shorewall/nat. Beginning with version 1.1.6, NAT is effective regardless
of which interface packets come from or are destined to. To get
compatibility with prior versions, I have added a new <a href="NAT.htm#AllInterFaces">&quot;ALL
INTERFACES&quot; column to /etc/shorewall/nat</a>. By placing
&quot;no&quot; or &quot;No&quot; in the new column, the NAT behavior of
prior versions may be retained.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The treatment of <a href="IPSEC.htm#RoadWarrior">IPSEC Tunnels where the remote
gateway is a standalone system has been improved</a>. Previously, it was
necessary to include an additional rule allowing UDP port 500 traffic to
pass through the tunnel. Shorewall will now create this rule automatically
when you place the name of the remote peer's zone in a new GATEWAY ZONE
column in /etc/shorewall/tunnels.&nbsp;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>5/20/2001 - The current version of Shorewall is 1.1.5.</b> In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#modules">You may now pass parameters when loading
netfilter modules and you can specify the modules to load.</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Compressed modules are now loaded. This requires that your modutils support
loading compressed modules.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#TOS">You may now set the Type of Service (TOS)
field in packets.</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Corrected rules generated for port redirection (again).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>5/10/2001 - The current version of Shorewall is 1.1.4.</b> In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"> <a href="Documentation.htm#Conf">Accepting RELATED connections is now
optional.</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Corrected problem where if &quot;shorewall start&quot; aborted early
(due to kernel configuration errors for example), superfluous 'sed' error
messages were reported.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Corrected rules generated for port redirection.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The order in which iptables kernel modules are loaded has been
corrected (Thanks to Mark Pavlidis).&nbsp;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>4/28/2001 - The current version of Shorewall is 1.1.3.</b> In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The message issued when a Proxy ARP address is added has been corrected (Thanks to Jason Kirtland).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/tmp/shorewallpolicy-$$ is now removed if there is an error while starting the firewall.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/icmp.def and /etc/shorewall/common.def are now used to define the icmpdef and common chains unless overridden by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">In the .lrp, the file /var/lib/lrpkg/shorwall.conf has been corrected. An extra space after "/etc/shorwall/policy" has been removed and "/etc/shorwall/rules" has been added.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">When a sub-shell encounters a fatal error and has stopped the firewall, it now kills the main shell so that the main shell will not continue.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A problem has been corrected where a sub-shell stopped the firewall but the main shell continued, resulting in a perplexing error message
referring to "common.so".<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Previously, placing "-" in the PORT(S) column in /etc/shorewall/rules resulted in an error message during start. This has been corrected.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The first line of "install.sh" has been corrected -- I had inadvertently deleted the initial "#".<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>4/12/2001 - The current version of Shorewall is 1.1.2.</b> In this version</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Port redirection now works again.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The icmpdef and common chains <a href="Documentation.htm#Icmpdef">may
now be user-defined</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The firewall no longer fails to start if &quot;routefilter&quot; is
specified for an interface that isn't started. A warning message is now
issued in this case.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The LRP Version is renamed &quot;shorwall&quot; for 8,3 MSDOS file
system compatibility.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A couple of LRP-specific problems were corrected.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>4/8/2001 - Shorewall is now affiliated with the <a href="http://leaf.sourceforge.net">Leaf
Project</a> </b> <a href="http://leaf.sourceforge.net">
<img border="0" src="images/leaflogo.gif" width="49" height="36"></a></p>
<p><b>4/5/2001 - The current version of Shorewall is 1.1.1. In this version:</b></p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The common chain is traversed from INPUT, OUTPUT and FORWARD before
logging occurs<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The source has been cleaned up dramatically<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">DHCP DISCOVER packets with RFC1918 source addresses no longer
generate log messages. Linux DHCP clients generate such packets and it's
annoying to see them logged.&nbsp;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>3/25/2001 - The current version of Shorewall is 1.1.0. In this version:</b></p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Log messages now indicate the packet disposition.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Error messages have been improved.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The ability to define zones consisting of an enumerated set of hosts
and/or subnetworks has been added.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The zone-to-zone chain matrix is now sparse so that only those chains
that contain meaningful rules are defined.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">240.0.0.0/4 and 169.254.0.0/16 have been added to the source
subnetworks whose packets are dropped under the <i>norfc1918</i> interface
option.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Exits are now provided for executing an user-defined script when a
chain is defined, when the firewall is initialized, when the firewall is
started, when the firewall is stopped and when the firewall is cleared.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The Linux kernel's route filtering facility can now be specified
selectively on network interfaces.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>3/19/2001 - The current version of Shorewall is 1.0.4. This version:</b></p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Allows user-defined zones. Shorewall now has only one pre-defined
zone (fw) with the remaining zones being defined in the new configuration
file /etc/shorewall/zones. The /etc/shorewall/zones file released in this
version provides behavior that is compatible with Shorewall 1.0.3.&nbsp;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Adds the ability to specify logging in entries in the
/etc/shorewall/rules file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Correct handling of the icmp-def chain so that only ICMP packets are
sent through the chain.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Compresses the output of &quot;shorewall monitor&quot; if awk is
installed. Allows the command to work if awk isn't installed (although
it's not pretty).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix
release with no new features.</b></p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The PATH variable in the firewall script now includes /usr/local/bin
and /usr/local/sbin.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">DMZ-related chains are now correctly deleted if the DMZ is deleted.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The interface OPTIONS for &quot;gw&quot; interfaces are no longer
ignored.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
additional &quot;gw&quot; (gateway) zone for tunnels and it supports IPSEC
tunnels with end-points on the firewall. There is also a .lrp available now.</b></p>
<p><font size="2">Updated 7/31/2002 - <a href="support.htm">Tom
Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body></html>
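Review bot: several changelog entries in this hunk carry wording errors that should be fixed before this page ships. The entry "A problem has been corrected where a sub-shell stopped the firewall and main shell continued resulting in a perplexing error message referring to "common.so" resulted." uses "resulted" twice; suggest "...the main shell continued, resulting in a perplexing error message referring to "common.so"." The 1.1.2 entry reads "8,3 MSDOS file system compatibility"; the usual notation is "8.3". The 1.1.0 entry "executing an user-defined script" should read "a user-defined script". The 1.0.4 entry calls the chain "icmp-def" while the 1.1.2 entries and the later fix entry call it "icmpdef"; one spelling should be used throughout so readers searching for the chain name find both.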

View File

@ -0,0 +1,731 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall PPTP</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">PPTP<!--mstheme--></font></h1>
<p align="left">Shorewall easily supports PPTP in a number of configurations:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<a href="#ServerFW">PPTP Server running on your Firewall</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<a href="#ServerBehind">PPTP Server running behind your
Firewall.</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<a href="#ClientsBehind">PPTP Clients running behind your
Firewall.</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<a href="#ClientFW">PPTP Client running on your Firewall.</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="ServerFW"></a>1. PPTP Server Running on your Firewall<!--mstheme--></font></h2>
<p>I will try to give you an idea of how to set up a PPTP server
on your firewall system. This isn't a detailed HOWTO but rather an example of
how I have set up a working PPTP server on my own firewall.</p>
<p>The steps involved are:</p>
<ol>
<li><a href="#PatchPppd">Patching and building pppd</a></li>
<li><a href="#PatchKernel">Patching and building your Kernel</a></li>
<li><a href="#Samba">Configuring Samba</a></li>
<li><a href="#ConfigPppd">Configuring pppd</a></li>
<li><a href="#ConfigPptpd">Configuring pptpd</a></li>
<li><a href="#ConfigFw">Configuring Shorewall</a></li>
</ol>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="PatchPppd"></a>Patching and Building pppd<!--mstheme--></font></h3>
<p>To run pppd on a 2.4 kernel, you need the pppd 2.4.1 or later. The primary
site for releases of pppd is <a href="ftp://ftp.samba.org/pub/ppp">ftp://ftp.samba.org/pub/ppp</a>.</p>
<p>You will need the following patches:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<a href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>You may also want the following patch if you want to require remote hosts to
use encryption:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff">ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Un-tar the pppd source and uncompress the patches into one directory (the
patches and the ppp-2.4.1 directory are all in a single parent directory):</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">cd ppp-2.4.1<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">patch -p1 &lt; ../ppp-2.4.0-openssl-0.9.6-mppe.patch<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">patch -p1 &lt; ../ppp-2.4.1-MSCHAPv2-fix.patch<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">(Optional) patch -p1 &lt; ../require-mppe.diff<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">./configure<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">make<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>You will need to install the resulting binary on your firewall system. To do
that, I NFS mount my source filesystem and use &quot;make install&quot; from the
ppp-2.4.1 directory.</p>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="PatchKernel"></a>Patching and Building your Kernel<!--mstheme--></font></h3>
<p>You will need one of the following patches depending on your kernel version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<a href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<a href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz">http://www.shorewall/net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Uncompress the patch into the same directory where your top-level kernel
source is located and:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">cd &lt;your GNU/Linux source top-level directory&gt;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">patch -p1 &lt; ../linux-2.4.16-openssl-0.9.6b-mppe.patch<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Now configure your kernel. Here is my ppp configuration:</p>
<blockquote>
<p><img border="0" src="images/ppp.jpg" width="592" height="734"></p>
</blockquote>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="Samba"></a>Configuring Samba<!--mstheme--></font></h3>
<p>You will need a WINS server (Samba configured to run as a WINS server is
fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) is:</p>
<blockquote>
<!--mstheme--></font><pre>[global]
workgroup = TDM-NSTOP
netbios name = WOOKIE
server string = GNU/Linux Box
encrypt passwords = Yes
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 65
domain master = True
preferred master = True
dns proxy = No
wins support = Yes
printing = lprng
[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0664
directory mask = 0775
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes</pre><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="ConfigPppd"></a>Configuring pppd<!--mstheme--></font></h3>
<p>Here is a copy of my /etc/ppp/options.poptop file:</p>
<blockquote>
<p><font face="Courier" size="2">ipparam PoPToP<br>
lock<br>
mtu 1490<br>
mru 1490<br>
ms-wins 192.168.1.3<br>
ms-dns 206.124.146.177<br>
multilink<br>
proxyarp<br>
auth<br>
+chap<br>
+chapms<br>
+chapms-v2<br>
ipcp-accept-local<br>
ipcp-accept-remote<br>
lcp-echo-failure 30<br>
lcp-echo-interval 5<br>
deflate 0<br>
mppe-128<br>
mppe-stateless<br>
require-mppe<br>
require-mppe-stateless</font></p>
</blockquote>
<p>Notes:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Since the firewall itself is acting as a WINS server, I have included the
firewall's internal IP as the 'ms-wins' value.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">I have pointed the remote clients at my DNS server -- it has external
address 206.124.146.177.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">I am requiring 128-bit stateless compression (my kernel is built with the
'require-mppe.diff' patch mentioned above.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Here's my /etc/ppp/chap-secrets:</p>
<blockquote>
<p><font face="Courier" size="2"> Secrets for authentication using CHAP<br>
# client&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; server&nbsp;&nbsp;&nbsp; secret&nbsp;&nbsp;&nbsp;
IP addresses<br>
CPQTDM\\TEastep *&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;shhhhhh&gt;
192.168.1.7<br>
TEastep&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; *&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;shhhhhh&gt; 192.168.1.7</font></p>
</blockquote>
<p>I am the only user who connects to the server but I may connect either with
or without a domain being specified. The system I connect from is my laptop so I
give it the same IP address when tunneled in as it has when it is in its docking
station.</p>
<p>You will also want the following in /etc/modules.conf:</p>
<!--mstheme--></font><pre> alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="ConfigPptpd"></a>Configuring pptpd<!--mstheme--></font></h3>
<p>PoPTop (pptpd) is available from <a href="http://poptop.lineo.com/">http://poptop.lineo.com/</a>.</p>
<p>Here is a copy of my /etc/pptpd.conf file:</p>
<blockquote>
<p><font face="Courier" size="2">option /etc/ppp/options.poptop<br>
speed 115200<br>
localip 192.168.1.254<br>
remoteip 192.168.1.33-38</font></p>
</blockquote>
<p>Notes:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">I specify the /etc/ppp/options.poptop file as my ppp options file (I have
several).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The local IP is the same as my internal interface's (192.168.1.254).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">I have assigned a remote IP range that overlaps my local network. This,
together with 'proxyarp' in my /etc/ppp/options.poptop file make the remote
hosts look like they are part of the local subnetwork.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>I use this file to start/stop pptpd -- I have this in /etc/init.d/pptpd:</p>
<blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br>
#<br>
# /etc/rc.d/init.d/pptpd<br>
#<br>
# chkconfig: 5 12 85<br>
# description: control pptp server<br>
#<br>
<br>
case "$1" in<br>
start)<br>
&nbsp;&nbsp;&nbsp; echo 1 > /proc/sys/net/ipv4/ip_forward<br>
&nbsp;&nbsp;&nbsp; modprobe ppp_async<br>
&nbsp;&nbsp;&nbsp; modprobe ppp_generic<br>
&nbsp;&nbsp;&nbsp; modprobe ppp_mppe<br>
&nbsp;&nbsp;&nbsp; modprobe slhc<br>
&nbsp;&nbsp;&nbsp; if /usr/local/sbin/pptpd; then<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; touch /var/lock/subsys/pptpd<br>
&nbsp;&nbsp;&nbsp; fi<br>
&nbsp;&nbsp;&nbsp; ;;<br>
stop)<br>
&nbsp;&nbsp;&nbsp; killall pptpd<br>
&nbsp;&nbsp;&nbsp; rm -f /var/lock/subsys/pptpd<br>
&nbsp;&nbsp;&nbsp; ;;<br>
restart)<br>
&nbsp;&nbsp;&nbsp; killall pptpd<br>
&nbsp;&nbsp;&nbsp; if /usr/local/sbin/pptpd; then<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; touch /var/lock/subsys/pptpd<br>
&nbsp;&nbsp;&nbsp; fi<br>
&nbsp;&nbsp;&nbsp; ;;<br>
status)<br>
&nbsp;&nbsp;&nbsp; ifconfig<br>
&nbsp;&nbsp;&nbsp; ;;<br>
*)<br>
&nbsp;&nbsp;&nbsp; echo "Usage: $0 {start|stop|restart|status}"<br>
&nbsp;&nbsp;&nbsp; ;;<br>
esac</font></p>
</blockquote>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="ConfigFw"></a>Configuring Shorewall<!--mstheme--></font></h3>
<p>I consider hosts connected to my PPTP server to be just like local systems.
My key Shorewall entries are:</p>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/zones:<!--mstheme--></font></h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DISPLAY</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>COMMENTS</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Internet<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">The Internet<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Local<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">My Local Network including remote PPTP clients<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/interfaces:<!--mstheme--></font></h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>INTERFACE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>BROADCAST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>OPTIONS</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">206.124.146.255<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">noping,norfc1918<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">192.168.1.255<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ppp+<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/hosts:<!--mstheme--></font></h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>HOST(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>OPTIONS</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2:192.168.1.0/24<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">routestopped<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ppp+:192.168.1.0/24<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/policy:<!--mstheme--></font></h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>POLICY</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>LOG LEVEL</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/rules:<!--mstheme--></font></h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<font face="Century Gothic, Arial, Helvetica">
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ACTION</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>
PROTO</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ORIGINAL<br>
DEST</b><!--mstheme--></font></td>
</font>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">1723<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">47<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">47<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<p align="left">Note: I have multiple ppp interfaces on my firewall. If you
have a single ppp interface, you probably want:</p>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/interfaces:<!--mstheme--></font></h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>INTERFACE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>BROADCAST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>OPTIONS</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">206.124.146.255<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">noping,norfc1918<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">192.168.1.255<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ppp0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<p align="left">and <u><b>no</b></u> entries in /etc/shorewall/hosts.</p>
<h2 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="ServerBehind"></a>2. PPTP Server Running Behind your Firewall<!--mstheme--></font></h2>
<p>If you have a single external IP address, add the following to your
/etc/shorewall/rules file:</p>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<font face="Century Gothic, Arial, Helvetica">
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ACTION</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>
PROTO</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ORIGINAL<br>
DEST</b><!--mstheme--></font></td>
</font>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:<i>&lt;server address&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">1723<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:<i>&lt;server address&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">47<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If you have multiple external IP address and you want to forward a single <i>&lt;external
address&gt;, </i>add the following to your /etc/shorewall/rules file:<p>&nbsp;<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<font face="Century Gothic, Arial, Helvetica">
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ACTION</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>
PROTO</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ORIGINAL<br>
DEST</b><!--mstheme--></font></td>
</font>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:<i>&lt;server address&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">1723<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;external address&gt;</i><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:<i>&lt;server address&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">47<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;external address&gt;</i><!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="ClientsBehind"></a>3. PPTP Clients Running Behind your Firewall<!--mstheme--></font></h2>
<p>You shouldn't have to take any special action for this case unless you wish
to connect multiple clients to the same external server. In that case, you will
need to follow the instructions at <a href="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</a>.
I recommend that you also add these two lines to your /etc/shorewall/modules
file:
<blockquote>
<p>loadmodule ip_conntrack_pptp<br>
loadmodule ip_nat_pptp
</blockquote>
<h2 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="ClientFW"></a>4. PPTP Client Running on your Firewall.<!--mstheme--></font></h2>
<p align="left">The PPTP GNU/Linux client is available at <a href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.&nbsp;&nbsp;&nbsp;
Rather than use the configuration script that comes with the client, I built my
own. I also build my own kernel <a href="#PatchKernel">as described above</a>
rather than using the mppe package that is available with the client. My
/etc/ppp/options file is mostly unchanged from what came with the client (see
below).</p>
<p>The key elements of this setup are as follows:
<ol>
<li>Define a zone for the remote network accessed via PPTP.</li>
<li>Associate that zone with a ppp interface.</li>
<li>Define rules for PPTP traffic to/from the firewall.</li>
<li>Define rules for traffic two and from the remote zone.</li>
</ol>
<p>Here are examples from my setup:</p>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/zones<!--mstheme--></font></h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DISPLAY</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>COMMENTS</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">cpq<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Compaq<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Compaq Intranet<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/interfaces<!--mstheme--></font></h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>INTERFACE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>BROADCAST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>OPTIONS</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ppp+<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/hosts<!--mstheme--></font></h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>HOST(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>OPTIONS</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ppp+:!192.168.1.0/24<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/rules<!--mstheme--></font></h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<font face="Century Gothic, Arial, Helvetica">
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ACTION</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>
PROTO</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ORIGINAL<br>
DEST</b><!--mstheme--></font></td>
</font>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">1723<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">47<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<p>I use the combination of interface and hosts file to define the 'cpq' zone
because I also run a PPTP server on my firewall (see above). Using this
technique allows me to distinguish clients of my own PPTP server from arbitrary
hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients and
Compaq doesn't use that RFC1918 Class C subnet.
<p>I use this script in /etc/init.d to control the client. The reason that I
disable ECN when connecting is that the Compaq tunnel servers don't do ECN yet
and reject the initial TCP connection request if I enable ECN :-(
<blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br>
#<br>
# /etc/rc.d/init.d/pptp<br>
#<br>
# chkconfig: 5 60 85<br>
# description: PPTP Link Control<br>
#<br>
NAME=&quot;Tandem&quot;<br>
ADDRESS=tunnel-tandem.compaq.com<br>
USER='Tandem\tommy'<br>
ECN=0<br>
DEBUG=<br>
<br>
start_pptp() {<br>
&nbsp;&nbsp;&nbsp; echo $ECN > /proc/sys/net/ipv4/tcp_ecn<br>
&nbsp;&nbsp;&nbsp; if /usr/sbin/pptp $ADDRESS user $USER noauth $DEBUG; then<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; touch /var/lock/subsys/pptp<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; echo "PPTP Connection to $NAME Started"<br>
&nbsp;&nbsp;&nbsp; fi<br>
}<br>
<br>
stop_pptp() {<br>
&nbsp;&nbsp;&nbsp; if killall /usr/sbin/pptp 2> /dev/null; then<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; echo "Stopped pptp"<br>
&nbsp;&nbsp;&nbsp; else<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; rm -f /var/run/pptp/*<br>
&nbsp;&nbsp;&nbsp; fi<br>
<br>
&nbsp;&nbsp;&nbsp; # if killall pppd; then<br>
&nbsp;&nbsp;&nbsp; # echo "Stopped pppd"<br>
&nbsp;&nbsp;&nbsp; # fi<br>
<br>
&nbsp;&nbsp;&nbsp; rm -f /var/lock/subsys/pptp<br>
<br>
&nbsp;&nbsp;&nbsp; echo 1 > /proc/sys/net/ipv4/tcp_ecn<br>
}<br>
<br>
<br>
case "$1" in<br>
start)<br>
&nbsp;&nbsp;&nbsp; echo "Starting PPTP Connection to ${NAME}..."<br>
&nbsp;&nbsp;&nbsp; start_pptp<br>
&nbsp;&nbsp;&nbsp; ;;<br>
stop)<br>
&nbsp;&nbsp;&nbsp; echo "Stopping $NAME PPTP Connection..."<br>
&nbsp;&nbsp;&nbsp; stop_pptp<br>
&nbsp;&nbsp;&nbsp; ;;<br>
restart)<br>
&nbsp;&nbsp;&nbsp; echo "Restarting $NAME PPTP Connection..."<br>
&nbsp;&nbsp;&nbsp; stop_pptp<br>
&nbsp;&nbsp;&nbsp; start_pptp<br>
&nbsp;&nbsp;&nbsp; ;;<br>
status)<br>
&nbsp;&nbsp;&nbsp; ifconfig<br>
&nbsp;&nbsp;&nbsp; ;;<br>
*)<br>
&nbsp;&nbsp;&nbsp; echo "Usage: $0 {start|stop|restart|status}"<br>
&nbsp;&nbsp;&nbsp; ;;<br>
esac<br>
</font>
</blockquote>
<p>Here's my /etc/ppp/options file:
<blockquote>
<p><font face="Courier" size="2">#<br>
# Identify this connection<br>
#<br>
ipparam Compaq<br>
#<br>
# Lock the port<br>
#<br>
lock<br>
#<br>
# We don't need the tunnel server to authenticate itself<br>
#<br>
noauth<br>
<br>
+chap<br>
+chapms<br>
+chapms-v2<br>
<br>
multilink<br>
mrru 1614<br>
#<br>
# Turn off transmission protocols we know won't be used<br>
#<br>
nobsdcomp<br>
nodeflate<br>
<br>
#<br>
# We want MPPE<br>
#<br>
mppe-128<br>
mppe-stateless<br>
<br>
#<br>
# We want a sane mtu/mru<br>
#<br>
mtu 1000<br>
mru 1000<br>
<br>
#<br>
# Time this thing out of it goes poof<br>
#<br>
lcp-echo-failure 10<br>
lcp-echo-interval 10</font>
</blockquote>
<p>My /etc/ppp/ip-up.local file sets up the routes that I need to route Compaq
traffic through the PPTP tunnel:
<blockquote>
<p><font face="Courier" size="2">#/bin/sh<br>
<br>
case $6 in<br>
Compaq)<br>
&nbsp;&nbsp;&nbsp; route add -net 16.0.0.0 netmask 255.0.0.0 gw $5 $1<br>
&nbsp;&nbsp;&nbsp; route add -net 130.252.0.0 netmask 255.255.0.0 gw $5 $1<br>
&nbsp;&nbsp;&nbsp; route add -net 131.124.0.0 netmask 255.255.0.0 gw $5 $1<br>
&nbsp;&nbsp;&nbsp; ...<br>
&nbsp;&nbsp;&nbsp; ;;<br>
esac</font></blockquote>
<p>Finally, I run the following script every five minutes under crond to
restart the tunnel if it fails:<!--mstheme--></font><pre> #!/bin/sh
restart_pptp() {
/sbin/service pptp stop
sleep 10
if /sbin/service pptp start; then
/usr/bin/logger &quot;PPTP Restarted&quot;
fi
}
if [ -n &quot;`ps ax | grep /usr/sbin/pptp | grep -v grep`&quot; ]; then
exit 0
fi
echo &quot;Attempting to restart PPTP&quot;
restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;
</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p><a href="ftp://ftp.shorewall.net/pub/shorewall/misc/Vonau">Here's a script
and corresponding ip-up.local </a>from <a href="mailto:jvonau@home.com">Jerry
Vonau </a>that controls two PPTP connections.</p>
<p><font size="2">Last modified 7/11/2002 - <a href="support.htm">Tom
Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><!--mstheme--></font></body></html>
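Review bot: the /etc/ppp/ip-up.local listing (the block after "My /etc/ppp/ip-up.local file sets up the routes") opens with `#/bin/sh`, which lacks the `!` of a shebang; it should read `#!/bin/sh`. The cron watchdog script in the `<pre>` block has the mirror-image problem: its first line is ` #!/bin/sh` with a leading space, so a copy-and-paste of the listing gives a file whose first two bytes are not `#!`. Two wording fixes while here: "Define rules for traffic two and from the remote zone" should be "to and from", and "If you have multiple external IP address" should be "addresses". The /etc/init.d/pptp listing hardcodes the author's own tunnel server (`ADDRESS=tunnel-tandem.compaq.com`) and account (`USER='Tandem\tommy'`); since section 2 uses placeholders like <server address> and <external address>, the same treatment here would stop readers copying those values into their own scripts. Finally, the `status)` case runs `ifconfig`, which lists every interface rather than reporting whether /usr/sbin/pptp is running; testing for the `/var/lock/subsys/pptp` file that start_pptp touches would be a more direct status check.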

View File

@ -0,0 +1,65 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Proxy ARP</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<blockquote>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Proxy ARP<!--mstheme--></font></h1>
<p>&nbsp;</p>
<p>Proxy ARP allows you to insert a firewall in front of a set of servers
without changing their IP addresses and without having to re-subnet.</p>
<p>The following figure represents a Proxy ARP
environment.</p>
<p align="center"><strong><img src="images/proxyarp.jpg" width="595" height="455"></strong></p>
<blockquote>
</blockquote>
<p align="left">Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
subnet.&nbsp; Assuming that the upper firewall interface is eth0 and the
lower interface is eth1, this is accomplished using the following entries in
/etc/shorewall/proxyarp:</p>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ADDRESS</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>INTERFACE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>EXTERNAL</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>HAVEROUTE</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">130.252.100.18<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth1<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">no<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">130.252.100.19<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth1<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">no<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19&nbsp;
in the above example) are not included in any specification in
/etc/shorewall/masq or /etc/shorewall/nat.</p>
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is
irrelevant. </p>
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
subnet mask and default gateway configured exactly the same way that the
Firewall system's eth0 is configured.</p>
</blockquote>
<blockquote>
</blockquote>
<p><font size="2">Last updated 5/16/2002 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><!--mstheme--></font></body></html>
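Review bot: the paragraph beginning "Be sure that the internal systems" gives the first address as 130.242.100.18, while the table and every other mention on the page use 130.252.100.18; the 242 looks like a typo and should be 130.252.100.18, since a reader building a masq or nat exclusion from this sentence would otherwise use the wrong host. The two empty `<blockquote></blockquote>` pairs (one just below the figure, one before the footer) are editor leftovers that add only vertical space and can be dropped. The sentence "Note that I've used an RFC1918 IP address for eth1 - that IP address is irrelevant" refers to a value that appears only in the figure image; stating that address in the text, or saying explicitly that it is the one shown in the figure, would make the point readable without the image.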

View File

@ -0,0 +1,21 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Banner</title>
<base target="contents">
<meta name="Microsoft Theme" content="blueprnt 011">
<meta name="Microsoft Border" content="none, default">
</head>
<body background="_themes/blueprnt/blutextb.gif" bgcolor="#FFFFFF" text="#003399" link="#3366FF" vlink="#9900FF" alink="#000066"><!--mstheme--><font face="Century Gothic, Arial, Helvetica"><p align="right"><b><font size="2"><img border="0" src="images/Shorewall_Banner.gif" align="left" width="600" height="60"></font><font size="4"><strong>
</strong></font><font size="2">The Shorewall Project uses the Services of</font><font size="4">
&nbsp;</font></b><a href="http://sourceforge.net" target="_top"><img src="http://sourceforge.net/sflogo.php?group_id=22587" alt="SourceForge Logo" align="top"></a> </p>
<p align="right">&nbsp; </p>
<!--mstheme--></font></body>
</html>

View File

@ -0,0 +1,66 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica"><h3 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">&nbsp;Shorewall<!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="seattlefirewall_index.htm">Home</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_top" href="/1.2/index.htm">Shorewall 1.2 Home</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_features.htm">Features</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_prerequisites.htm">Requirements</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="download.htm">Download</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_quickstart_guide.htm">QuickStart Guides</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Install.htm">Installation/Upgrade<br>
/Configuration</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm">Reference Manual</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="FAQ.htm">FAQs</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="troubleshoot.htm">Troubleshooting</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="errata.htm">Errata</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="support.htm">Support</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="mailing_list.htm">Mailing Lists</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_mirrors.htm">Mirrors</a><!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_top" href="http://germany.shorewall.net">Germany</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_top" href="http://shorewall.correofuego.com.ar">Argentina</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="News.htm">News Archive</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="quotes.htm">Quotes from Users</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shoreline.htm">About the Author</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch" >
<p>
<strong>Quick Search</strong><br>
<font size="-1">
<input type=text name=words size=15>
<input type=hidden name=format value=long>
<input type=hidden name=method value=and>
<input type=hidden name=config value=htdig>
<input type="submit" value="Search"></font>
</p>
<input type="hidden" name="exclude" value="[http://www.shorewall.net/pipermail/*]">
</form>
<p><strong><a href="htdig/search.html">Extended Search Forms</a></strong></p>
<p><a href="http://www.shorewall.net" target="_top">
<img border="1" src="images/shorewall.jpg" width="119" height="38"></a></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</html>
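Review bot: the Quick Search form (`<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">`) sends `format`, `method`, `config` and `exclude` as hidden inputs, and hidden inputs are entirely client-controlled, so the htsearch side must only accept a fixed set of `config` names rather than trust the submitted value; the form also posts to a plain `http://` URL. Style points in the same block: `<input type=text name=words size=15>` and the three hidden inputs after it leave attribute values unquoted while the rest of the file quotes them, and `<img border="1" src="images/shorewall.jpg" width="119" height="38">` has no `alt` attribute, unlike the bullet images above, which all carry `alt="bullet"`.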

View File

@ -0,0 +1,93 @@
a:link
{
color: rgb(102,102,255);
}
a:visited
{
color: rgb(153,51,51);
}
a:active
{
color: rgb(102,204,204);
}
body
{
color: rgb(0,0,0);
background-color: rgb(255,255,255);
}
h1
{
color: rgb(102,102,102);
}
h2, marquee
{
color: rgb(102,102,102);
}
h3
{
color: rgb(102,102,102);
}
h4
{
color: rgb(102,102,102);
}
h5
{
color: rgb(102,102,102);
}
h6
{
color: rgb(102,102,102);
}
BUTTON
{
background-color: rgb(102,102,102);
border-color: rgb(204,204,204);
color: white;
}
LABEL, .MSTHEME-LABEL
{
color: rgb(0,0,0);
}
TEXTAREA
{
border-color: rgb(102,102,102);
color: black;
}
FIELDSET
{
border-color: rgb(102,102,102);
color: black;
}
LEGEND
{
color: rgb(102,102,102);
}
SELECT
{
border-color: rgb(102,102,102);
color: black;
}
TABLE
{
border-color: rgb(102,102,102);
color: rgb(0,0,0);
table-border-color-light: rgb(204,204,204);
table-border-color-dark: rgb(102,102,102);
}
CAPTION
{
color: rgb(102,102,102);
}
TH
{
color: rgb(0,0,0);
}
HR
{
color: rgb(102,102,102);
}
TD
{
border-color: rgb(102,102,102);
}
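Review bot: in the `TABLE` rule, `table-border-color-light: rgb(204,204,204);` and `table-border-color-dark: rgb(102,102,102);` are not CSS properties (they are FrontPage theme hints), so browsers will discard those two declarations; if the light/dark border effect matters, express it with `border-color` on `TD`/`TH`, otherwise drop the two lines. Minor style point: the selectors mix lower-case element names (`a:link`, `body`, `h1`) with upper-case ones (`BUTTON`, `TABLE`, `TD`); pick one convention.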

View File

@ -0,0 +1,93 @@
a:link
{
color: rgb(102,102,204);
}
a:visited
{
color: rgb(153,102,102);
}
a:active
{
color: rgb(102,153,153);
}
body
{
color: rgb(0,0,0);
background-color: rgb(255,255,255);
}
h1
{
color: rgb(102,102,204);
}
h2, marquee
{
color: rgb(102,102,204);
}
h3
{
color: rgb(102,102,204);
}
h4
{
color: rgb(102,102,204);
}
h5
{
color: rgb(102,102,204);
}
h6
{
color: rgb(102,102,204);
}
BUTTON
{
background-color: rgb(102,102,204);
border-color: rgb(153,153,255);
color: white;
}
LABEL, .MSTHEME-LABEL
{
color: rgb(0,0,0);
}
TEXTAREA
{
border-color: rgb(51,0,153);
color: black;
}
FIELDSET
{
border-color: rgb(51,0,153);
color: black;
}
LEGEND
{
color: rgb(102,102,204);
}
SELECT
{
border-color: rgb(51,0,153);
color: black;
}
TABLE
{
border-color: rgb(51,0,153);
color: rgb(0,0,0);
table-border-color-light: rgb(153,153,255);
table-border-color-dark: rgb(51,0,153);
}
CAPTION
{
color: rgb(102,102,204);
}
TH
{
color: rgb(0,0,0);
}
HR
{
color: rgb(102,102,204);
}
TD
{
border-color: rgb(51,0,153);
}
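Review bot: this sheet repeats the previous colour sheet rule for rule with only the rgb values changed, including the same non-standard `table-border-color-light`/`table-border-color-dark` lines in `TABLE`, so whatever is decided about those two declarations there applies here as well. One consistency check worth a look: `BUTTON` borders use `rgb(153,153,255)` while `TEXTAREA`, `FIELDSET`, `SELECT`, `TABLE` and `TD` all use `rgb(51,0,153)`; confirm the different button border is intentional.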

View File

@ -0,0 +1,70 @@
.mstheme
{
nav-banner-image: url(radbnr.gif);
separator-image: url(radrule.gif);
list-image-1: url(radbul1.gif);
list-image-2: url(radbul2.gif);
list-image-3: url(radbul3.gif);
navbutton-horiz-pushed: url(radhsel.gif);
navbutton-horiz-normal: url(radhbtn.gif);
navbutton-vert-pushed: url(radvsel.gif);
navbutton-vert-normal: url(radvbtn.gif);
navbutton-home-normal: url(radhom.gif);
navbutton-up-normal: url(radup.gif);
navbutton-prev-normal: url(radbck.gif);
navbutton-next-normal: url(radnxt.gif);
}
.mstheme-bannertxt
{
font-family: times new roman, Times New Roman, Times;
font-size: 6;
color: rgb(255,255,255);
}
.mstheme-horiz-navtxt
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(51,102,102);
}
.mstheme-vert-navtxt
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(51,102,102);
}
.mstheme-navtxthome
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(51,102,102);
}
.mstheme-navtxtup
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(51,102,102);
}
.mstheme-navtxtprev
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(51,102,102);
}
.mstheme-navtxtnext
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(51,102,102);
}
UL
{
list-style-image: url(radbul1.gif);
}
UL UL
{
list-style-image: url(radbul2.gif);
}
UL UL UL
{
list-style-image: url(radbul3.gif);
}
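Review bot: every declaration in the `.mstheme` block (`nav-banner-image`, `separator-image`, `list-image-1` through `navbutton-next-normal`) is a FrontPage theme directive rather than CSS, and the `.mstheme-*` text classes use unitless `font-size: 6` and `font-size: 1` (HTML `<font size>` levels, not CSS lengths), so a browser keeps only the `UL`, `UL UL` and `UL UL UL` `list-style-image` rules from this file. That is fine if the file is consumed only by the authoring tool, but it should not be linked from pages as a stylesheet.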

View File

@ -0,0 +1,80 @@
.mstheme
{
nav-banner-image: url(aradbnr.gif);
separator-image: url(aradrule.gif);
list-image-1: url(aradbul1.gif);
list-image-2: url(aradbul2.gif);
list-image-3: url(aradbul3.gif);
navbutton-horiz-pushed: url(aradhsel.gif);
navbutton-horiz-normal: url(aradhbtn.gif);
navbutton-horiz-hovered: url(aradhhov.gif);
navbutton-vert-pushed: url(aradvsel.gif);
navbutton-vert-normal: url(aradvbtn.gif);
navbutton-vert-hovered: url(aradvhov.gif);
navbutton-home-normal: url(aradhom.gif);
navbutton-home-hovered: url(aradhomh.gif);
navbutton-home-pushed: url(blhomep.gif);
navbutton-up-normal: url(aradup.gif);
navbutton-up-hovered: url(araduph.gif);
navbutton-up-pushed: url(blupp.gif);
navbutton-prev-normal: url(aradbck.gif);
navbutton-prev-hovered: url(aradbckh.gif);
navbutton-prev-pushed: url(blprevp.gif);
navbutton-next-normal: url(aradnxt.gif);
navbutton-next-hovered: url(aradnxth.gif);
navbutton-next-pushed: url(blnextp.gif);
}
.mstheme-bannertxt
{
font-family: times new roman, Times New Roman, Times;
font-size: 6;
color: rgb(255,255,255);
}
.mstheme-horiz-navtxt
{
font-family: Arial, Arial, Helvetica;
font-size: 1;
color: rgb(102,102,204);
}
.mstheme-vert-navtxt
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(102,102,204);
}
.mstheme-navtxthome
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(102,102,102);
}
.mstheme-navtxtup
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(102,102,102);
}
.mstheme-navtxtprev
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(102,102,102);
}
.mstheme-navtxtnext
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(102,102,102);
}
UL
{
list-style-image:url(aradbul1.gif);
}
UL UL
{
list-style-image:url(aradbul2.gif);
}
UL UL UL
{
list-style-image:url(aradbul3.gif);
}
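Review bot: the four `*-pushed` entries `navbutton-home-pushed: url(blhomep.gif)`, `navbutton-up-pushed: url(blupp.gif)`, `navbutton-prev-pushed: url(blprevp.gif)` and `navbutton-next-pushed: url(blnextp.gif)` reference `bl*` images while every other asset in the `.mstheme` block is `arad*`; these look copied from a different theme and are probably missing from this directory, so either add the images or point the entries at the matching `arad*` files. Smaller points: `.mstheme-horiz-navtxt` lists `font-family: Arial, Arial, Helvetica` (duplicated entry; the sibling classes use `arial, Arial, Helvetica`), and the three `list-style-image:url(...)` lines drop the space after the colon that the previous file uses.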

View File

@ -0,0 +1,38 @@
[info]
refcount=2
version=3.00
readonly=true
codepage=65001
format=2.00
title=Radial
[titles]
1033=Radial
1069=Radyal
1046=Radial
1050=Poluzaobljenja
1029=Oblouky
1030=Radial
1043=Radiaal
1036=Transversal
1035=Säde
1031=Radial
1032=Ακτίνες
1038=Kerekített
2070=Radial
1040=Radiale
1044=Radiell
1045=Wiraże
1048=Radial
1049=Закругление
1051=Lúče
1060=Zaobljena
3082=Radial
1053=Radie
1055=Radyal
1041=半円
1042=캡슐 구성
1028=交織如梭
2052=射线
1037=מוקדי
1054=เป็นรัศมี
1025=شعاعي

View File

@ -0,0 +1,38 @@
[info]
refcount=2
version=3.00
readonly=true
codepage=65001
format=2.00
title=Radial
[titles]
1033=Radial
1069=Radyal
1046=Radial
1050=Poluzaobljenja
1029=Oblouky
1030=Radial
1043=Radiaal
1036=Transversal
1035=Säde
1031=Radial
1032=Ακτίνες
1038=Kerekített
2070=Radial
1040=Radiale
1044=Radiell
1045=Wiraże
1048=Radial
1049=Закругление
1051=Lúče
1060=Zaobljena
3082=Radial
1053=Radie
1055=Radyal
1041=半円
1042=캡슐 구성
1028=交織如梭
2052=射线
1037=מוקדי
1054=เป็นรัศมี
1025=شعاعي
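Review bot: the `[info]` and `[titles]` sections here are line for line the same as the previous `.inf` hunk (same `refcount=2`, `version=3.00`, `codepage=65001` and all 30 localized titles). If the two theme variants genuinely need separate files that is fine, but a single shared file would keep the translated titles from drifting apart later.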

View File

@ -0,0 +1,549 @@
.mstheme
{
navbutton-background-color: rgb(255,255,255);
top-bar-button: url(radglobl.gif);
}
.mstheme-topbar-font
{
font-family: arial, Arial, Helvetica;
font-size: 1;
color: rgb(51,102,102);
}
body
{
font-family: arial, Arial, Helvetica;
background-image: url(radbkgnd.gif);
}
h1
{
font-family: times new roman, Times New Roman, Times;
font-weight: normal;
font-style: normal;
font-size: 24pt;
}
h2
{
font-family: times new roman, Times New Roman, Times;
font-weight: normal;
font-style: normal;
font-size: 18pt;
}
h3
{
font-family: times new roman, Times New Roman, Times;
font-weight: normal;
font-style: normal;
font-size: 14pt;
}
h4
{
font-family: times new roman, Times New Roman, Times;
font-weight: normal;
font-style: normal;
font-size: 12pt;
}
h5
{
font-family: times new roman, Times New Roman, Times;
font-weight: normal;
font-style: normal;
font-size: 10pt;
}
h6
{
font-family: times new roman, Times New Roman, Times;
font-weight: normal;
font-style: normal;
font-size: 8pt;
}
BUTTON
{
border-style: solid;
border-width: 1pt;
font-size: 8pt;
font-family: arial, Arial, Helvetica;
font-style: normal;
}
LABEL, .MSTHEME-LABEL
{
font-size: 8pt;
font-family: arial, Arial, Helvetica;
font-style:normal;
}
TEXTAREA
{
border-style: solid;
border-width: 1pt;
font-size: 8pt;
font-family: arial, Arial, Helvetica;
font-style: normal;
}
FIELDSET
{
border-style: solid;
border-width: 1pt;
font-size: 8pt;
font-family: arial, Arial, Helvetica;
font-style: normal;
}
LEGEND
{
font-size: 8pt;
font-family: times new roman, Times New Roman, Times;
font-style: normal;
}
SELECT
{
border-style: solid;
border-width: 1pt;
font-size: 8pt;
font-family: arial, Arial, Helvetica;
font-style: normal;
}
TABLE
{
font-family: arial, Arial, Helvetica;
font-style: normal;
}
CAPTION
{
font-size: 14pt;
font-family: times new roman, Times New Roman, Times;
font-style: normal;
}
TH
{
font-family: arial, Arial, Helvetica;
font-style: normal;
}
MARQUEE
{
font-size: 14pt;
font-family: arial, Arial, Helvetica;
}
.ms-main {
border-right: 0 solid #cccccc;
}
.ms-bannerframe {
background-color: #6666cc;
}
.ms-banner {
color: #ffffff;
font-size: 9pt;
font-family: Arial, sans-serif;
}
.ms-banner a:link {
font-family: Arial, sans-serif;
font-size: 9pt;
color: #ffffff;
font-weight: normal;
text-decoration: none;
}
.ms-banner a:visited {
font-family: Arial, sans-serif;
font-size: 9pt;
color: #ffffff;
font-weight: normal;
text-decoration: none;
}
.ms-nav td {
font-family: Arial, sans-serif;
font-size: 9pt;
font-weight: normal;
color: #000000;
}
.ms-nav th {
font-size: 9pt;
font-family: Arial, sans-serif;
font-weight: normal;
text-align: left;
color: #000000;
}
.ms-navframe {
color: #000000;
}
.ms-nav a {
text-decoration: none;
font-family: Arial, sans-serif;
font-size: 9pt;
font-weight: normal;
color: #6666ff;
}
.ms-nav a:link {
}
.ms-nav a:hover {
text-decoration: underline;
color: #66cccc;
}
.ms-nav a:visited {
color: #993333;
}
.ms-verticaldots {
background-image: url(bluedot.gif);
background-position: right;
background-repeat: repeat-y;
}
.ms-viewselect A:link{
font-size: 9pt;
font-family: Arial, sans-serif;
color: #6666ff;
}
.ms-titlearea {
font-family: Arial, sans-serif;
font-size: 9pt;
color: #000000;
}
.ms-titleareaframe {
color: #000000;
}
.ms-pagetitle {
color: #669999;
font-family: Times New Roman, serif;
font-size: 1.25em;
font-weight: bold;
}
.ms-pagetitle a {
text-decoration:underline;
color: #669999;
}
.ms-pagetitle a:hover {
text-decoration: underline;
color: #669999;
}
.ms-announcementtitle {
font-weight: normal;
}
.ms-formlabel {
text-align: left;
font-family: Arial, sans-serif;
font-size: 9pt;
font-weight: normal;
color: #000000;
}
.ms-formdescription a {
color: #6666ff;
text-decoration: underline;
}
.ms-formbody {
text-align: left;
font-family: Arial, sans-serif;
font-size: 9pt;
}
.ms-formdescription
{
font-family: Arial, sans-serif;
font-size: 9pt;
color: #000000;
}
.ms-radiotext {
cursor:default;
text-align: left;
font-family: Arial, sans-serif;
font-size: 10pt;
height: 19px;
}
.ms-searchbox {
width: 100%;
}
.ms-input {
font-size: 9pt;
font-family: Arial, sans-serif;
vertical-align: baseline;
}
.ms-long {
font-size: 9pt;
font-family: Arial, sans-serif;
width: 300px;
}
.ms-wvsel {
color: #3366cc;
}
.ms-selected {
background-color: #6666cc;
color: #ffffff;
}
.ms-selected SPAN {
color: #ffffff;
}
.ms-filedialog TD {
height: 16px;
}
.ms-descriptiontext {
color: #000000;
font-family: Arial, sans-serif;
font-size: 9pt;
}
.ms-descriptiontext a {
color: #6666ff;
font-family: Arial, sans-serif;
font-size: 9pt;
}
.ms-toolbar {
font-family: Arial, sans-serif;
font-size: 9pt;
text-decoration: none;
color: #669999;
}
.ms-separator {
color: #996666;
font-size: 10pt;
}
.ms-authoringcontrols{
background-color: #f2f2f2;
font-family: Arial, sans-serif;
font-size: 9pt;
color: #000000;
}
.ms-sectionheader{
color: #669999;
font-family: Times New Roman, serif;
font-size: 12pt;
font-weight: normal;
}
.ms-sectionline
{
background-color: #6666cc;
height: 1px;
}
.ms-propertysheet {
font-family: Arial, sans-serif;
font-size: 9pt;
}
.ms-propertysheet th {
font-family: Arial, sans-serif;
font-size: 9pt;
color: #000000;
font-weight: normal;
}
.ms-propertysheet a {
text-decoration: none;
color: #6666ff;
}
.ms-propertysheet a:hover {
text-decoration: underline;
color: #66cccc;
}
.ms-propertysheet a:visited {
text-decoration: none;
color: #993333;
}
.ms-propertysheet a:visited:hover {
text-decoration: underline;
}
.ms-itemheader a {
font-size: 10pt;
font-family: Arial, sans-serif;
font-weight: normal;
color: #6666ff;
text-decoration: none;
}
.ms-itemheader a:hover {
text-decoration: underline;
color: #66cccc;
}
.ms-itemheader a:visited {
text-decoration: none;
color: #993333;
}
.ms-itemheader a:visited:hover {
text-decoration: underline;
}
.ms-discussiontitle {
font-size: 12pt;
font-family: Times New Roman, serif;
color: #000000;
font-weight: normal;
}
.ms-vh {
font-family: Arial, sans-serif;
font-size: 9pt;
color: #000000;
text-align: left;
text-decoration: none;
font-weight: normal;
}
.ms-vh a {
color: #6666ff;
text-decoration: none;
}
.ms-vh a:hover {
text-decoration: underline;
}
.ms-vb{
font-family: Arial, sans-serif;
font-size: 9pt;
height: 18px;
vertical-align: top;
}
.ms-vb a {
color: #6666ff;
text-decoration: none;
}
.ms-vb a:hover {
color: #66cccc;
text-decoration: underline;
}
.ms-vb a:visited {
color: #993333;
text-decoration: none;
}
.ms-vb a:visited:hover {
text-decoration: underline;
}
.ms-homepagetitle {
font-family: Time New Roman, serif;
font-size: 12pt;
color: #000000;
font-weight: bold;
text-decoration: none;
}
.ms-homepagetitle:Hover {
text-decoration: underline;
color: #000000;
}
.ms-addnew {
font-weight: normal;
font-family: Arial, sans-serif;
font-size: .68em;
color: #669999;
text-decoration: none;
}
.ms-cal {
border-collapse:collapse;
table-layout:fixed;
font-family: Arial, sans-serif;
cursor:default;
}
.ms-caltop {
border-top:1px solid black;
border-left:1px solid black;
border-right:1px solid black;
vertical-align:top;
font-size: 10pt;
width: 14%;
height:30px;
}
.ms-calhead {
border:none;
text-align:center;
background-color: #6666cc;
color: #ffffff;
font-size: 16pt;
font-family: Arial, sans-serif;
padding: 2px;
}
.ms-caldow {
border-top:1px solid black;
border-left:1px solid black;
border-right:1px solid black;
vertical-align:top;
text-align:center;
font-weight: bold;
font-size: 10pt;
height:20px;
}
.ms-calmid {
border-left:1px solid black;
border-right:1px solid black;
height:20px;
}
.ms-calspacer {
border-left:1px solid black;
border-right:1px solid black;
height:4px;
}
.ms-calbot {
border-top:none;
border-left:1px solid black;
border-right:1px solid black;
border-bottom:1px solid black;
height:2px;
}
.ms-appt a {
color: #000000;
}
.ms-appt a:hover {
color: red;
}
.ms-appt {
border:2px solid #669999;
text-align:center;
vertical-align: middle;
font-size:8pt;
height:18px;
overflow:hidden;
background-color: #cccccc;
color: black;
}
.ms-caldowdown {
font-family: Arial, sans-serif;
font-weight: bold;
color: #000000;
text-align: center;
vertical-align: middle;
}
.ms-caldown {
font-size: 8pt;
color: #000000;
text-align: left;
vertical-align: top;
}
.ms-datepickeriframe {
position:absolute;
display:none;
background:white;
}
.ms-datepicker {
font-family: Arial, sans-serif;
background-color: #ffffff;
border: 2 outset activeborder;
cursor:default;
}
.ms-dpdow {
border:none;
vertical-align:top;
text-align:center;
font-weight: bold;
font-size: 8pt;
border-bottom:1px solid black;
}
.ms-dpday {
border:none;
font-size: 8pt;
text-align: center;
}
.ms-dpselectedday {
border:none;
background-color:#cccccc;
font-size: 8pt;
text-align: center;
}
.ms-dpnonmonth {
color:gray;
border:none;
font-size: 8pt;
text-align: center;
}
.ms-dphead {
border:none;
text-align:center;
font-weight: bold;
font-size: 8pt;
background-color: #669999;
color: #ffffff;
}
.ms-dpfoot {
text-align:center;
font-size: 8pt;
text-align: center;
font-style: italic;
border-top:1px solid;
border-left:none;
border-bottom:none;
border-right:none;
height:24px;
}
IMG.ms-button {
cursor:hand;
}
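Review bot: `.ms-homepagetitle` declares `font-family: Time New Roman, serif;`, a typo for `Times New Roman` (the other rules, e.g. `.ms-pagetitle` and `.ms-sectionheader`, spell it correctly), so that title will fall back to the generic serif face. Further points in the same file: `.ms-datepicker` has `border: 2 outset activeborder;` with a unitless width (should be `2px`); `IMG.ms-button` uses `cursor:hand`, which only Internet Explorer understands (standard is `cursor: pointer`); `.ms-nav a:link { }` is an empty rule that can be dropped; `.mstheme-topbar-font` carries a unitless `font-size: 1` like the theme files above; and `.ms-homepagetitle:Hover` capitalises the pseudo-class where every other rule writes `:hover`.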

View File

@ -0,0 +1,350 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall QuickStart Guide<br>
Version 1.3-2<!--mstheme--></font></h1>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Introduction<!--mstheme--></font></h2>
<p>One of the design goals of Shorewall was that &quot;it should be simple to do
simple things&quot;. With that in mind, I've written this QuickStart guide to
demonstrate how easy it is to configure common firewall setups.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall in three
common basic configurations. If you don't find what you are looking for in this
Guide, check the <a target="_top" href="Documentation_Index.htm">Shorewall Documentation</a>.</p>
<p>This guide assumes that you have the iproute/iproute2 package installed (on
RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if this
package is installed by the presence of an <b>ip</b> program on your firewall
system. As root, you can use the 'which' command to check for this program:</p>
<!--mstheme--></font><pre> [root@gateway root]# which ip
/sbin/ip
[root@gateway root]# </pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>After you have <a href="Install.htm">installed Shorewall</a>, simply pick the sample
configuration that best fits your needs and copy the files to
/etc/shorewall. Next modify /etc/shorewall/interfaces and /etc/shorewall/masq to
match your setup as described below. If you have servers, you will also need to
modify /etc/shorewall/rules.</p>
<p>Available samples include:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="/pub/shorewall/LATEST.samples/one-interface.tgz">Standalone System</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">Two-interface Masquerading Firewall</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">Three-interface Masquerading Firewall with DMZ</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>All of these samples assume that you have a single external IP address - it
may be static or dynamic. Configuring Shorewall with multiple external IP
addresses is outside of the scope of this guide; see the
<a target="_top" href="Documentation_Index.htm">Shorewall Documentation</a>.</p>
<p><font color="#FF0000"><b>Do <u>not</u> try to install Shorewall on a remote
system -- you will almost certainly end up not being able to communicate with
that system. </b></font></p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Configuration Concepts<!--mstheme--></font></h2>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a few of
these as described in this guide. As each file is introduced, I suggest that you
look through the actual file on your system -- each file contains detailed
configuration instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a set of
<i>zones.</i> In the sample configurations, the following zone names are used:</p>
<!--mstheme--></font><table border="0" style="border-collapse: collapse" cellpadding="3" cellspacing="0" id="AutoNumber1">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Name</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Description</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>One Interface</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Two Interfaces</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Three Interfaces</b></u><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>net</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>The Internet</b><!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>loc</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>Your Local Network</b><!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>dmz</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>Your demilitarized Zone</b><!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Shorewall also recognizes the firewall system as its own zone - by default,
the firewall itself is known as <b>fw</b> although you can change that name in the
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf </a>file. As
shown in the above table, not all zones are available with all sample
configurations.</p>
<p>The simplest way to define a zone is to associate the zone with a
network interface on your firewall system. You do that using the
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file. So
for a standalone system, you would associate your single network interface with
<b>net</b>; on a two-interface firewall, you would associate one interface with
<b>net</b> and one with <b>loc</b>; and on a three-interface firewall with DMZ,
you would associate one interface with <b>net</b>, a second with <b>loc</b> and
a third with <b>dmz</b>. The sample interfaces do this as follows:</p>
<!--mstheme--></font><table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber2">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Zone</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Interface</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>One Interface</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Two Interfaces</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Three Interfaces</b></u><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth1<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">dmz<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If your configuration doesn't match the sample then you will need to modify
/etc/shorewall/interfaces.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed in
terms of zones.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You express your default policy for connections from one zone to another
zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The /etc/shorewall/rules file is also used to define port forwarding.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>For each connection request entering the firewall, the request is first checked against the
/etc/shorewall/rules file. If the connection request doesn't match any rule in
that file, the first policy in /etc/shorewall/policy that matches the
request is then applied. If the policy is DROP or REJECT then the connection
request is passed through the rules in /etc/shorewall/common (the samples supply
that file for you).</p>
<p>If you have more than one interface and you have a single external IP address you will need to use
either IP masquerade (if your IP address is dynamic) or Source Network Address
Translation (SNAT). Whichever applies, you will define it in the <a href="Documentation.htm#Masq">/etc/shorewall/masq</a>
file. <b>Note:</b> This file is used to describe &quot;many-to-one outbound NAT&quot;.
Shorewall also supports one-to-one NAT using the /etc/shorewall/nat file but I recommend <u>against</u>
one-to-one NAT in most applications unless you are willing to deal with the DNS
issues involved. The two- and three-interface samples assume that you will be
using IP masquerade as follows:</p>
<!--mstheme--></font><table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber3">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Traffic coming in on this interface</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Will be masqueraded if it goes out this interface</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Two Interfaces</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b><u>Three Interfaces</u></b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth1<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td align="center"><!--mstheme--><font face="arial, Arial, Helvetica">X<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/interfaces<!--mstheme--></font></h2>
<p>The detailed documentation for this file may be found
<a href="Documentation.htm#Interfaces">here.</a> Entries in this file have four
columns:</p>
<ol>
<li>The name of the zone that this interface connects to - this must be the
name of a zone defined in the /etc/shorewall/zones file.</li>
<li>The name of the interface.</li>
<li>The broadcast address for the subnet on this interface. If you want
Shorewall to detect this address for you, place 'detect' in that column.</li>
<li>A comma-separated list of <a href="Documentation.htm#Interfaces">options</a> that apply to this interface.</li>
</ol>
<p>Some examples:</p>
<p>Standalone system with ethernet interface to the internet.</p>
<!--mstheme--></font><pre> net eth0 detect norfc1918,routefilter</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Two interface system with eth0 connected to the local network and eth1
connected to the internet. eth1 gets its IP address via DHCP.</p>
<!--mstheme--></font><pre> loc eth0 detect routestopped
net eth1 detect norfc1918,dhcp,routefilter</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Three interface system with eth0 connected to the internet, eth1 connected to
the DMZ and eth2 connected to the local network. eth0 gets its IP address via
DHCP and the firewall runs a DHCP server for configuring local hosts (those
connected to eth2).</p>
<!--mstheme--></font><pre> net eth0 detect norfc1918,routefilter,dhcp
dmz eth1 detect routestopped
loc eth2 detect routestopped,dhcp</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>At this point, please edit /etc/shorewall/interfaces to match your setup.</p>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Some other considerations<!--mstheme--></font></h3>
<p>If your primary internet interface uses PPPoE, PPP or PPTP then you will want
to set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf.</a></p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/policy<!--mstheme--></font></h2>
<p>The /etc/shorewall/policy file documentation is
<a href="Documentation.htm#Policy">here</a>. I recommend the following (which
are in the standalone sample):</p>
<p>Standalone system:</p>
<!--mstheme--></font><pre> fw net ACCEPT
all all DROP info</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>So by default, all connection requests from your firewall to the internet are
accepted (allowed) and all other connection requests (i.e., those from the
internet to your firewall) are dropped (ignored).</p>
<p>Two and three interface firewalls:</p>
<!--mstheme--></font><pre> loc net ACCEPT
net all DROP info
all all REJECT info</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<blockquote>
<p>If you want your firewall system to have full access to servers on the
internet, add the following rule before the last rule above (Note -- in the two-
and three-interface samples, the line below is included but commented out).</p>
</blockquote>
<!--mstheme--></font><pre> fw net ACCEPT</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from your local network to the internet</li>
<li>drop (ignore) all connection requests from the internet to your firewall
or local network</li>
<li>optionally accept all connection requests from the firewall to the
internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
</ol>
<p>At this point, edit your /etc/shorewall/policy and make any changes that you
wish.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/masq<!--mstheme--></font></h2>
<p>The /etc/shorewall/masq file (documentation <a href="Documentation.htm#Masq">
here</a>) describes outbound many-to-one Source Network Address Translation.</p>
<p>If you have a static external IP address (assume 206.124.146.176 in these
examples), then:</p>
<blockquote>
<p>Two interface firewall with eth0 interfacing to the internet and eth1
interfacing to the local network:</p>
</blockquote>
<!--mstheme--></font><pre> eth0 eth1 206.124.146.176</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<blockquote>
<p>Three interface firewall with eth0 interfacing to the internet, eth1
interfacing to the DMZ and eth2 interfacing to the local network:</p>
</blockquote>
<!--mstheme--></font><pre> eth0 eth1 206.124.146.176
eth0 eth2 206.124.146.176</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If you have a dynamic internet IP address, simply omit the third column! So
for the two interface firewall, your /etc/shorewall/masq file would have:</p>
<!--mstheme--></font><pre> eth0 eth1</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If you don't want to use IP masquerade or SNAT (two- and three-interface
samples), simply delete the entry/entries from /etc/shorewall/masq.</p>
<p>At this point, edit your /etc/shorewall/masq file and change it to match your
configuration.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/rules<!--mstheme--></font></h2>
<p>The rules file (documentation <a href="Documentation.htm#Rules">here</a>) is
probably the most important of the Shorewall configuration files.</p>
<p>The general simplified format for an ACCEPT rule that doesn't involve port forwarding
is:</p>
<!--mstheme--></font><pre> ACCEPT <i>&lt;source zone&gt; &lt;dest zone&gt;[:&lt;server IP address&gt;] &lt;protocol&gt; &lt;port(s)&gt;</i></pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Here are some rules that I recommend that everyone use (and that I've
included in the samples):</p>
<!--mstheme--></font><pre> ACCEPT fw net udp 53 # Accept DNS queries from your firewall to the internet
ACCEPT fw net tcp 53 # &quot; &quot; &quot; &quot; &quot; &quot; &quot; &quot; &quot;</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>You can omit these rules if your firewall to net policy is
ACCEPT (In other words, if you uncommented the appropriate line in the policy
file as described above).</p>
<p>If you have three interfaces with a DMZ, you probably need DNS access to the
net from your DMZ. To permit that, I've included:</p>
<!--mstheme--></font><pre> ACCEPT dmz net udp 53
ACCEPT dmz net tcp 53</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If you run servers on your firewall system that you want to make accessible
to internet clients, you need to include rules to permit that access (note that
the default policy for net-&gt;fw in the policy file above is DROP which causes all
inbound traffic to be ignored by default). For example, if you have a web server
running on your firewall system, you would include the following rule:</p>
<!--mstheme--></font><pre> ACCEPT net fw tcp 80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>With multiple local zones, you will probably want to open some ports between
these zones.</p>
<p>Example - You have server system 192.168.2.2 in your DMZ and you want to be
able to access its FTP server from your local systems:</p>
<!--mstheme--></font><pre> ACCEPT loc dmz:192.168.2.2 tcp ftp</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>For FTP to work properly, you will need kernel support for FTP connection
tracking and NAT, but all commercial 2.4 kernels have such support built in.</p>
<p>If you don't know which protocol and/or port one of your applications
uses, try looking <a href="ports.htm">here</a>.</p>
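<p>As an added illustration (not code from the Shorewall project), here is a small Python simulator of the order described above: the rules file is consulted first, and only when no rule matches does the first matching policy entry decide. It is loaded with the two- and three-interface sample policy and the rules recommended on this page; the Conn type, the service-name table and the sample connection requests are constructed for this example.</p>

```python
"""Added example, not part of Shorewall: simulate the evaluation order this
guide describes. A connection request is matched against the rules file
first; if nothing matches, the first matching policy entry decides. DNAT
rules and the /etc/shorewall/common pass for DROP/REJECT are not modelled."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the /etc/services lookup the real tool relies on.
SERVICE_PORTS = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80, "http": 80}


@dataclass(frozen=True)
class Conn:
    """A connection request as the firewall sees it (constructed type)."""
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    dst_ip: Optional[str] = None  # address of the server inside dst_zone


def _entries(text: str) -> List[List[str]]:
    """Split a config file into whitespace-separated fields, dropping '#' comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def _port(spec: str) -> int:
    return int(spec) if spec.isdigit() else SERVICE_PORTS[spec.lower()]


def rule_matches(fields: List[str], c: Conn) -> bool:
    """Simplified rule format from this page: ACTION SRC DEST[:ip] PROTO PORT."""
    _action, src, dest, proto, port = fields[:5]
    dest_zone, _, dest_ip = dest.partition(":")
    return (src == c.src_zone
            and dest_zone == c.dst_zone
            and (not dest_ip or dest_ip == c.dst_ip)
            and proto.lower() == c.proto.lower()
            and _port(port) == c.port)


def policy_matches(fields: List[str], c: Conn) -> bool:
    """Policy format: SRC DEST POLICY [LOGLEVEL]; 'all' matches any zone."""
    return fields[0] in ("all", c.src_zone) and fields[1] in ("all", c.dst_zone)


def decide(rules: str, policy: str, c: Conn) -> Tuple[str, str]:
    """Return (disposition, origin) where origin is 'rule' or 'policy'."""
    for f in _entries(rules):          # the rules file is consulted first ...
        if rule_matches(f, c):
            return f[0], "rule"
    for f in _entries(policy):         # ... then the first matching policy
        if policy_matches(f, c):
            return f[2], "policy"
    raise ValueError("no policy matched; the samples end with an 'all all' line")


# Two- and three-interface sample policy from this page; the fw->net ACCEPT
# line that the samples ship commented out is left out here too.
SAMPLE_POLICY = """\
loc  net  ACCEPT
net  all  DROP    info
all  all  REJECT  info
"""

# Rules recommended on this page (the DMZ FTP rule uses the 'ftp' service name).
SAMPLE_RULES = """\
ACCEPT  fw   net              udp  53   # DNS queries from the firewall
ACCEPT  fw   net              tcp  53
ACCEPT  net  fw               tcp  80   # web server on the firewall
ACCEPT  loc  dmz:192.168.2.2  tcp  ftp  # FTP server in the DMZ
"""

if __name__ == "__main__":
    for conn in (Conn("loc", "net", "tcp", 443),
                 Conn("net", "fw", "tcp", 80),
                 Conn("net", "fw", "tcp", 22),
                 Conn("fw", "net", "tcp", 443),
                 Conn("loc", "dmz", "tcp", 21, "192.168.2.2"),
                 Conn("loc", "dmz", "tcp", 21, "192.168.2.9")):
        print(conn, "->", decide(SAMPLE_RULES, SAMPLE_POLICY, conn))
```

Note that a connection from the firewall itself to a port other than 53 is rejected by the last policy line, which is why the samples ship the fw->net ACCEPT policy for you to uncomment.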
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Port Forwarding<!--mstheme--></font></h3>
<p>When you are using many-to-one network address translation
outbound (IP masquerade or SNAT) and you want to allow connections from the internet to an
internal server (either in your local zone or in your DMZ), then you need to use
<i>port forwarding </i>(also known as Destination Network Address Translation or
<b>DNAT</b>). Inbound connection requests are selectively forwarded to internal systems
based on rules that you supply.</p>
<p>The general form of a simple port forwarding rule in
/etc/shorewall/rules is:</p>
<!--mstheme--></font><pre> DNAT net <i>&lt;server zone&gt;:&lt;server local ip address&gt; &lt;protocol&gt; &lt;port&gt;</i></pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Example - you run a Web Server on your local zone at 192.168.1.5 and you want
to forward incoming TCP port 80 to that system. You have a single external IP
address:</p>
<!--mstheme--></font><pre> DNAT net loc:192.168.1.5 tcp 80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Example - you want to forward TCP port 80 to 192.168.2.4 in your DMZ and you
want to allow access to that server from your local zone:</p>
<!--mstheme--></font><pre> DNAT net dmz:192.168.2.4 tcp 80
ACCEPT loc dmz:192.168.2.4 tcp 80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<blockquote>
<p>If you have a static IP address (assume 206.124.146.176)
and you want your local clients to be able to access your web server using that
external address, you can use these entries instead:</p>
</blockquote>
<!--mstheme--></font><pre> DNAT net dmz:192.168.2.4 tcp 80
DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Example - You have a static external IP address (206.124.146.176) and you
have DNS set up so that <a href="http://www.yourdomain.com">www.yourdomain.com</a>
resolves to that address. You want to run a web server in your local network (I
think that this is a BAD IDEA -- see <a href="FAQ.htm#faq2">FAQ 2</a>) on system
192.168.1.4 and you want internet users and your local users to be able to
access <a href="http://www.yourdomain.com">www.yourdomain.com</a>. Your
firewall's internal IP address is 192.168.1.254 and is on eth1.</p>
<!--mstheme--></font><pre> DNAT net loc:192.168.1.4 tcp 80
 DNAT loc loc:192.168.1.4 tcp 80 - 206.124.146.176:192.168.1.254</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<blockquote>
<p>In addition, you must specify the <b>multi</b> option on eth1 in
/etc/shorewall/interfaces:</p>
</blockquote>
<!--mstheme--></font><pre> loc eth1 detect routestopped,multi</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If you have requirements for port forwarding beyond what is shown here (like
forwarding to a different port number or redirecting to a proxy), see the
<a href="Documentation.htm#Rules">rules file documentation</a>.</p>
<p>At this point, please edit the /etc/shorewall/rules file and make any
additions required by your setup.</p>
<p>You are now ready to start Shorewall. If
you encounter problems, see the <a href="troubleshoot.htm">troubleshooting
information.</a></p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Starting and Stopping Your Firewall<!--mstheme--></font></h2>
<p>The firewall is started using the
&quot;shorewall start&quot; command and stopped using &quot;shorewall stop&quot;. When the firewall
is stopped, routing is enabled on those interfaces that have the &quot;routestopped&quot;
option specified in /etc/shorewall/interfaces. If you want to totally remove any
trace of Shorewall from your Netfilter configuration, use &quot;shorewall clear&quot;.</p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<!--mstheme--></font></body>
</html>


@ -0,0 +1,62 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Blacklisting Support</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Blacklisting Support<!--mstheme--></font></h1>
<p>Shorewall supports two different forms of blacklisting: static and dynamic.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Static Blacklisting<!--mstheme--></font></h2>
<p>Shorewall
static blacklisting support has the following configuration parameters:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You specify whether you want packets from blacklisted hosts dropped or
rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You specify whether you want packets from blacklisted hosts logged and at
what syslog level using the <a href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a>
setting in /etc/shorewall/shorewall.conf<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You list the IP addresses/subnets that you wish to blacklist in <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You specify the interfaces whose incoming packets you want checked against
the blacklist using the &quot;<a href="Documentation.htm#BLInterface">blacklist</a>&quot;
option in /etc/shorewall/interfaces.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The black list is refreshed from /etc/shorewall/blacklist by the &quot;<a href="Documentation.htm#Starting">shorewall
refresh</a>&quot; command.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Dynamic Blacklisting<!--mstheme--></font></h2>
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
doesn't use any configuration parameters but is rather controlled using
/sbin/shorewall commands:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">deny <i>&lt;ip address list&gt; </i>- causes packets from the listed IP
addresses to be silently dropped by the firewall.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">reject <i>&lt;ip address list&gt; </i>- causes packets from the listed IP
addresses to be rejected by the firewall.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets from hosts
previously blacklisted by a <i>deny</i> or <i>reject</i> command.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">save - save the dynamic blacklisting configuration so that it will be
automatically restored the next time that the firewall is restarted.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">show dynamic - displays the dynamic blacklisting configuration.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Example 1:</p>
<!--mstheme--></font><pre> shorewall deny 192.0.2.124 192.0.2.125</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
<p>Example 2:</p>
<!--mstheme--></font><pre> shorewall allow 192.0.2.125</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<p>Re-enables access from 192.0.2.125.</p>
<p><font size="2">Last updated 6/16/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</html>


@ -0,0 +1,228 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Configuration File Basics</title>
<meta name="Microsoft Theme" content="radial 011, default">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Configuration Files<!--mstheme--></font></h1>
<p><b><font color="#FF0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a href="http://www.megaloman.com/~hany/software/hd2u/">
dos2unix</a> before you use them with Shorewall.</b></p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Files<!--mstheme--></font></h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/shorewall.conf - used to set several firewall
parameters.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/params - use this file to set shell variables that you will
expand in other files.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/policy - establishes firewall high-level policy.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/interfaces - describes the interfaces on the
firewall system.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) Network Address Translation (a.k.a. Masquerading) and Source
Network Address Translation (SNAT).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/modules - directs the firewall to load kernel modules.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/nat - defines static NAT rules.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/proxyarp - defines use of Proxy ARP.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
accessible when Shorewall is stopped.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tcrules - defines marking of packets for later use by
traffic control/shaping or policy routing.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on
the firewall system.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Comments<!--mstheme--></font></h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign (&quot;#&quot;). You may also place comments at the end of any line, again by
delimiting the comment from the rest of the line with a pound sign.</p>
<p>Examples:</p>
<!--mstheme--></font><pre># This is a comment</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Line Continuation<!--mstheme--></font></h2>
<p>You may continue lines in the configuration files using the usual backslash (&quot;\&quot;) followed
immediately by a new line character.</p>
<p>Example:</p>
<!--mstheme--></font><pre>ACCEPT net fw tcp \
smtp,www,pop3,imap #Services running on the firewall</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Complementing an Address or Subnet<!--mstheme--></font></h2>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with &quot;!&quot; to specify the complement of the item. For
example, !192.168.1.4 means &quot;any host but 192.168.1.4&quot;.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Comma-separated Lists<!--mstheme--></font></h2>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,&nbsp;&nbsp;&nbsp;&nbsp; dhcp,&nbsp;&nbsp;&nbsp;&nbsp;
norfc1818<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you use line continuation to break a comma-separated list, the
continuation line(s) must begin in column 1 (or there would be embedded
white space)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Entries in a comma-separated list may appear in any order.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Port Numbers/Service Names<!--mstheme--></font></h2>
<p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Port Ranges<!--mstheme--></font></h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Using Shell Variables<!--mstheme--></font></h2>
<p>You may use the file /etc/shorewall/params
file to set shell variables that you can then use in some of the other
configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font size="1">
</font>to distinguish them from variables used internally within the
Shorewall programs</p>
<p>Example:</p>
<blockquote>
<p>NET_IF=eth0<br>
NET_BCAST=130.252.100.255<br>
NET_OPTIONS=noping,norfc1918</p>
</blockquote>
<p><br>
Example (/etc/shorewall/interfaces record):</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<p><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></p>
</blockquote>
</font>
<p>The result will be the same as if the record had been written</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<p>net eth0 130.252.100.255 noping,norfc1918</p>
</blockquote>
</font>
<p>Variables may be used anywhere in the
other configuration files.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Using MAC Addresses<!--mstheme--></font></h2>
<p>Media Access Control (MAC)
addresses can be used to specify packet source in several of the
configuration files. To use this feature, your kernel must have MAC
Address Match support (CONFIG_IP_NF_MATCH_MAC) included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as a series of 6 hex numbers
separated by colons. Example:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; [root@gateway root]# ifconfig eth0<br>
&nbsp;&nbsp;&nbsp;&nbsp; eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
&nbsp;&nbsp;&nbsp;&nbsp; inet addr:206.124.146.176 Bcast:206.124.146.255
Mask:255.255.255.0<br>
&nbsp;&nbsp;&nbsp;&nbsp; UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
&nbsp;&nbsp;&nbsp;&nbsp; RX packets:2398102 errors:0 dropped:0 overruns:0
frame:0<br>
&nbsp;&nbsp;&nbsp;&nbsp; TX packets:3044698 errors:0 dropped:0 overruns:0
carrier:0<br>
&nbsp;&nbsp;&nbsp;&nbsp; collisions:30394 txqueuelen:100<br>
&nbsp;&nbsp;&nbsp;&nbsp; RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
(1582.8 Mb)<br>
&nbsp;&nbsp;&nbsp;&nbsp; Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for address fields, Shorewall requires
MAC addresses to be written in another way. In Shorewall, MAC addresses
begin with a tilde (&quot;~&quot;) and consist of 6 hex numbers separated by
hyphens. In Shorewall, the MAC address in the example above would be
written &quot;~02-00-08-E3-FA-55&quot;.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Configurations<!--mstheme--></font></h2>
<p>
Shorewall allows you to have configuration
directories other than /etc/shorewall. The <a href="#Starting">shorewall start
and restart</a>
commands allow you to specify an alternate configuration directory and
Shorewall will use the files in the alternate directory rather than the corresponding
files in /etc/shorewall. The alternate directory need not contain a complete
configuration; those files not in the alternate directory will be read from
/etc/shorewall.</p>
<p>
This facility permits you to easily create a test or temporary configuration
by:</p>
<ol>
<li>
copying the files that need modification from /etc/shorewall to a separate
directory;</li>
<li>
modify those files in the separate directory; and</li>
<li>
specifying the separate directory in a shorewall start or shorewall
restart command (e.g., <i><b>shorewall -c /etc/testconfig restart</b></i>
).</li>
</ol>
<p><font size="2">
Updated 8/6/2002 - <a href="support.htm">Tom
Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</html>
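Review bot: the "Invalid" example in the Comma-separated Lists section spells the option "norfc1818" while the "Valid" example directly above it reads "norfc1918"; the only thing meant to be wrong with the invalid example is the embedded white space, so the option name should match ("routestopped,     dhcp,     norfc1918"), otherwise a reader may conclude that the misspelling is what makes it invalid. Three smaller points in the same file: the Using Shell Variables section first says variables can be used "in some of the other configuration files" and then closes with "Variables may be used anywhere in the other configuration files", which contradict each other, so keep whichever is accurate; the three steps under Shorewall Configurations are not parallel ("copying ...", "modify ...", "specifying ..."), so make them all imperatives (copy, modify, specify); and the Using MAC Addresses section says "each Ethernet Controller has a unique MAC address" without noting that the address in a frame is whatever the sender puts there and is trivially changed, so a one-sentence caveat that MAC-based entries (for example in the blacklist file) identify a host that is not trying to evade them and are not a form of authentication would keep readers from over-trusting them.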


@ -0,0 +1,29 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Copyright</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Copyright<!--mstheme--></font></h1>
<p align="left">Copyright <font face="Trebuchet MS">©</font>&nbsp; 2000, 2001
Thomas M Eastep<br>
&nbsp;</p>
<blockquote>
<p align="left">Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version 1.1 or
any later version published by the Free Software Foundation; with no Invariant
Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the
license is included in the section entitled &quot;<a href="GnuCopyright.htm">GNU Free Documentation License</a>&quot;.<br>
&nbsp;</p>
</blockquote>
<!--mstheme--></font></body>
</html>
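Review bot: the copyright line on this page reads "Copyright ©  2000, 2001 Thomas M Eastep" while the footers of the other pages in this commit that link here say "2001, 2002 Thomas M. Eastep.", so the years and the missing period after the middle initial are inconsistent; bring this page into line with the footers (and drop the stray double space after the © symbol).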


@ -0,0 +1,55 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>DHCP</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">DHCP<!--mstheme--></font></h1>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">DHCP Server on your firewall<!--mstheme--></font></h2>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<p align="left">Specify the &quot;dhcp&quot; option on each interface to be
served by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<p align="left">When starting &quot;dhcpd&quot;, you need to list those
interfaces on the run line. On a RedHat system, this is done by modifying
/etc/sysconfig/dhcpd.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">A Firewall Interface gets its IP Address via DHCP<!--mstheme--></font></h2>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<p align="left">Specify the &quot;dhcp&quot; option for this interface in
the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<p align="left">If you know that the dynamic address is always going to be
in the same subnet, you can specify the subnet address in the interface's
entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<p align="left">If you don't know the subnet address in advance, you should
specify &quot;detect&quot; for the interface's subnet address in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file and start Shorewall after the interface has started.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<p align="left">In the event that the subnet address might change while
Shorewall is started, you need to arrange for a &quot;shorewall
refresh&quot; command to be executed when a new dynamic IP address gets
assigned to the interface. Check your DHCP client's documentation.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p align="left"><font size="2">Last updated 1/26/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</html>
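Review bot: the bullet "When starting "dhcpd", you need to list those interfaces on the run line" gives the instruction without the reason, and the reason is the security-relevant part: naming the interfaces restricts dhcpd to the networks it is meant to serve so it does not answer requests arriving on the external interface. Add a half sentence saying so, and say in the first bullet what the "dhcp" interface option actually permits, since as written the reader has to follow the Documentation.htm#Interfaces link to find out why both steps are needed.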


@ -0,0 +1,222 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Download<!--mstheme--></font></h1>
<p><b>I strongly urge you to read and print a copy of the
<a href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b></p>
<p>Once you've done that, download <u> one</u> of the modules:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> Linux PPC</b> or
<b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that store
init scripts in /etc/init.d and that include chkconfig or insserv).
If you find that it works in other cases, let <a href="mailto:teastep@shorewall.net">
me</a>
know so that I can mention them here. See the
<a href="Install.htm">Installation Instructions</a> if you have problems
installing the RPM.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you are running LRP, download the .lrp file (you might also want to
download the .tgz so you will have a copy of the documentation).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you run <a href="http://www.debian.org"><b>Debian</b></a> and would
like a .deb package, Shorewall is in both the
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the
<a href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Otherwise, download the <i>shorewall</i> module (.tgz)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>The documentation in HTML format is included in the .tgz and .rpm files and
there is an documentation .deb that also contains the documentation.</p>
<p>Please verify the version that you have
downloaded -- during the release of a new version of Shorewall, the links
below may point to a newer or an older version than is shown below.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">RPM - &quot;rpm -qip LATEST.rpm&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">TARBALL - &quot;tar -ztf LATEST.tgz&quot; (the directory
name will contain the version)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">LRP - &quot;mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version&quot; <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><font face="Arial">Once you have verified the
version, check the </font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font face="Arial">
to see if there are updates that apply to the version that you have
downloaded.</font></p>
<p><font color="#FF0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL THE RPM
AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE
FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></p>
<p>Download Latest Version (<b>1.3.6</b>): <b>Remember that updates to the mirrors
occur 1-12 hours after an update to the primary site.</b></p>
<blockquote>
<!--mstheme--></font><table border="2" cellspacing="3" cellpadding="3" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SERVER LOCATION</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DOMAIN</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>HTTP</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>FTP</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Washington State, USA<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall.net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a>&nbsp;<br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a>&nbsp;<br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Slovak Republic<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall.net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Texas, USA<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Infohiiway.com<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.rpm</a><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Hamburg, Germany<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall.net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm">
Download .rpm</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm">
Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Martinez (Zona Norte - GBA), Argentina<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Correofuego.com.ar<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">
<a target="_blank" href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<p>Browse Download Sites:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SERVER LOCATION</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DOMAIN</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>HTTP</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>FTP</b><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Washington State, USA<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall.net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://www.shorewall.net/pub/shorewall/">Browse</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Slovak Republic<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall.net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Texas, USA<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Infohiiway.com<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Hamburg, Germany<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall.net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall">Browse</a><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Martinez (Zona Norte - GBA), Argentina<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Correofuego.com.ar<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">
Browse</a><!--mstheme--></font></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">California, USA (Incomplete)<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Sourceforge.net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://sourceforge.net/projects/shorewall">Browse</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">N/A<!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<p align="left">CVS:</p>
<blockquote>
<p align="left">The
<a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS
repository at cvs.shorewall.net</a> contains the latest snapshots of the each
Shorewall component. There's no guarantee that what you find there will work at
all.</p>
</blockquote>
<p align="left"><font size="2">Last Updated 8/05/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</html>
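Review bot: in the FTP column of the Slovak Republic and Texas rows, the third link is labelled "Download .rpm" but its href ends in LATEST.lrp (the pair `<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download` / `.rpm</a>`, and the same pair for ftp.infohiiway.com), so the label should read ".lrp" as in the other rows. A second point: the page tells readers to verify the version they downloaded ("rpm -qip", "tar -ztf", cat of shorwall.version) but offers no way to verify integrity; every link is plain http or ftp to mirrors that update "1-12 hours after an update to the primary site", so publishing a checksum or detached signature beside the LATEST.* files and adding a step to check it before installing would close that gap. Minor: "there is an documentation .deb" should be "a documentation .deb".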


@ -0,0 +1,338 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Errata<!--mstheme--></font></h1>
<p align="center">
<font face="Century Gothic, Arial, Helvetica">
<b><u>IMPORTANT</u></b></font></p>
<ol>
<li>
<p align="left">
<b><u>I</u>f you use a Windows system to download a corrected script, be sure to
run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" style="text-decoration: none">
dos2unix</a></u>
after you have moved it to your Linux system.</b></p>
</li>
<li>
<p align="left">
<b>If you are installing Shorewall for the first time and plan to use the
.tgz and install.sh script, you can untar the archive, replace the
'firewall' script in the untarred directory with the one you downloaded
below, and then run install.sh.</b></p>
</li>
<li>
<p align="left">
<b>When the instructions say to install a corrected firewall script in
/etc/shorewall/firewall or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the
existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts to
start Shorewall during boot. It is that file that must be overwritten
with the corrected script. </b></p>
</li>
</ol>
<p align="left">
<b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </b></p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<b><font color="#660066">
<a href="errata_1.htm">Problems in Version 1.1</a></font></b><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<b><a href="errata_2.htm">Problems in Version 1.2</a></b><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<b><a href="#V1.3">Problems in Version 1.3</a></b><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<b><font color="#660066"><a href="#iptables">
Problem with iptables version 1.2.3</a></font></b><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<b><a href="#Debug">Problems with kernel 2.4.18 and
RedHat iptables</a></b><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE SMP</a></b><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--msthemeseparator--><p align="center"><img src="_themes/radial/aradrule.gif" width="614" height="7"></p>
<h2 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="V1.3"></a>Problems in Version 1.3<!--mstheme--></font></h2>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Versions &gt;= 1.3.5<!--mstheme--></font></h3>
<p align="Left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p>
<p align="Left">Example 1:</p>
<div align="left">
<!--mstheme--></font><pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre><!--mstheme--><font face="arial, Arial, Helvetica">
</div>
<p align="Left">Must be replaced with:</p>
<div align="left">
<!--mstheme--></font><pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre><!--mstheme--><font face="arial, Arial, Helvetica">
</div>
<div align="left">
<p align="left">Example 2:</div>
<div align="left">
<!--mstheme--></font><pre> ACCEPT loc fw::3128 tcp 80 - all</pre><!--mstheme--><font face="arial, Arial, Helvetica">
</div>
<div align="left">
<p align="left">Must be replaced with:</div>
<div align="left">
<!--mstheme--></font><pre> REDIRECT loc 3128 tcp 80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
</div>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.3.5-1.3.5b<!--mstheme--></font></h3>
<p align="Left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Versions 1.3.4-1.3.5a<!--mstheme--></font></h3>
<p align="Left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p>
<div align="left">
<!--mstheme--></font><pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre><!--mstheme--><font face="arial, Arial, Helvetica">
</div>
<div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only
possible to&nbsp; include a single host specification on each line. This
problem is corrected by
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</div>
<div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</div>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.3.5<!--mstheme--></font></h3>
<p align="Left">REDIRECT rules are broken in this version. Install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version 1.3.5a.</p>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.3.n, n &lt; 4<!--mstheme--></font></h3>
<p align="Left">The &quot;shorewall start&quot; and &quot;shorewall restart&quot; commands
to not verify that the zones named in the /etc/shorewall/policy file
have been previously defined in the /etc/shorewall/zones file. The
&quot;shorewall check&quot; command does perform this verification so it's a
good idea to run that command after you have made configuration
changes.</p>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.3.n, n &lt; 3<!--mstheme--></font></h3>
<p align="Left">If you have upgraded from Shorewall 1.2 and after
&quot;Activating rules...&quot; you see the message: &quot;iptables: No
chains/target/match by that name&quot; then you probably have an entry in
/etc/shorewall/hosts that specifies an interface that you didn't
include in /etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and
later versions produce a clearer error message in this case.</p>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.3.2<!--mstheme--></font></h3>
<p align="Left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct version
has a size of 38126 bytes.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it from
working correctly. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">&quot;NAT_BEFORE_RULES=No&quot; was broken; it behaved just like &quot;NAT_BEFORE_RULES=Yes&quot;.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p align="Left">Both problems are corrected in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> as described above.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<p align="Left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.3.1<!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
packet is sent through the limit chain twice).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">When an option is given for more than one interface in
/etc/shorewall/interfaces then depending on the option, Shorewall
may ignore all but the first appearence of the option. For example:<br>
<br>
net&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; dhcp<br>
loc&nbsp;&nbsp;&nbsp; eth1&nbsp;&nbsp;&nbsp; dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Update 17 June 2002 - The bug described in the prior bullet
affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An additional
bug has been found that affects only the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script prior to 1850 GMT today
should download and install the corrected script again to ensure
that this second problem is corrected.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p align="Left">These problems are corrected in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in
/etc/shorewall/firewall as described above.</p>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.3.0<!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Folks who downloaded 1.3.0 from the links on the download page
before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13 rather than
1.3.0. The &quot;shorewall version&quot; command will tell you which version
that you have installed.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--msthemeseparator--><p align="center"><img src="_themes/radial/aradrule.gif" width="614" height="7"></p>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="iptables"></a><font color="#660066">
Problem with iptables version 1.2.3</font><!--mstheme--></font></h3>
<blockquote>
<p align="Left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="Left"> I have built a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have also built
an <a href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If
you are currently running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="Left"><font face="Century Gothic, Arial, Helvetica" color="#FF6633"><b>Update
11/9/2001: </b></font>RedHat has
released an iptables-1.2.4 RPM of their own which you can download from<font face="Century Gothic, Arial, Helvetica" color="#FF6633">
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM
on my firewall and it works fine.</p>
<p align="Left">If you
would like to patch iptables 1.2.3 yourself, the patches are available
for download. This <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification while
this <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the&nbsp; TOS target.</p>
<p align="Left">To install one of the above patches:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="top" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">cd iptables-1.2.3/extensions<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">patch -p0 &lt; <i>the-patch-file</i><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="Debug"></a>Problems with kernel 2.4.18
and RedHat iptables<!--mstheme--></font></h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may
experience the following:</p>
<blockquote>
<!--mstheme--></font><pre># shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
</pre><!--mstheme--><font face="arial, Arial, Helvetica">
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in the
Netfilter 'mangle' table. You can correct the problem by installing
<a href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
&quot;iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm&quot;).</p>
</blockquote>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="SuSE"></a>Problems
installing/upgrading RPM on SuSE SMP<!--mstheme--></font></h3>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the &quot;--nodeps&quot; option to
rpm.</p>
<p>Installing: rpm -ivh <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh <i>&lt;shorewall rpm&gt;</i></p>
<p><font face="Century Gothic, Arial, Helvetica"><font size="2">
Last updated 8/4/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</html>
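Review bot: In the "Problems with kernel 2.4.18 and RedHat iptables" section, the example command "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm" invokes the wrong program; -Uvh and --oldpackage are rpm options, so it should read "rpm -Uvh --oldpackage iptables-1.2.5-1.i386.rpm". The install location for corrected firewall scripts is also given three different ways within the 1.3 errata: "/var/lib/shorewall/" (1.3.5-1.3.5b and 1.3.2), "/var/lib/pub/shorewall/firewall" (1.3.4-1.3.5a and 1.3.5, where "pub" looks copied from the download URL), and "/etc/shorewall/firewall" (1.3.1); since the introduction says the file used by the init scripts must be overwritten, state the one correct path once and refer back to it. The 1.3.5-1.3.5b (proxyarp) entry and the 1.3.5 (REDIRECT) entry both link errata/1.3.5/firewall while the 1.3.4-1.3.5a entry links errata/1.3.5a/firewall, so confirm each link points at the script that actually contains that fix. Minor: "to not verify" should be "do not verify" (1.3.n, n < 4) and "appearence" should be "appearance" (1.3.1).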


@ -0,0 +1,210 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Errata for Version 1</title>
<meta name="Microsoft Theme" content="radial 011, default">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Errata for Version 1.1<!--mstheme--></font></h1>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066"><u>To those of you who downloaded the 1.1.13 updated firewall script prior
to Sept 20, 2001:</u></font><!--mstheme--></font></h3>
<blockquote>
<p align="Left">Prior
to 20:00 20 Sept 2001 GMT, the link under 1.1.13 pointed to a broken version
of the firewall script. This has now been corrected. I apologize for any confusion
this may have caused.</p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.1.18<!--mstheme--></font></h3>
<blockquote>
<p align="Left">In the original .lrp, /etc/init.d/shorewall was not
secured for execute access. I have replaced the incorrect .lrp
(shorwall-1.1.18.lrp) with a corrected one (shorwall-1.1.18a.lrp).</p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">
Version 1.1.17</font><!--mstheme--></font></h3>
<blockquote>
<p align="Left">In
shorewall.conf, ADD_IP_ALIASES was incorrectly spelled
IP_ADD_ALIASAES. There is a corrected version of the file <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.17/shorewall.conf">here.</a></p>
<p align="Left">This
problem is also corrected in version 1.1.18.</p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">
Version 1.1.16</font><!--mstheme--></font></h3>
<blockquote>
<p align="Left">
The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly spelled IP_ADD_ALIASES
in the firewall script. To correct this problem, install the <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.16/firewall">
corrected firewall script</a>
in the location pointed to by the symbolic link /etc/shorewall/firewall.</p>
<p align="Left">
This problem is also corrected in version 1.1.17.</p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">
Version 1.1.14-1.1.15</font><!--mstheme--></font></h3>
<blockquote>
<p align="Left">
There are no corrections for these versions.</p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">
Version 1.1.13</font><!--mstheme--></font></h3>
<blockquote>
<p align="Left">
The firewall fails to start if a rule with the following format is given:</p>
<p align="Left">
&lt;disposition&gt;    z1:www.xxx.yyy.zzz    z2    proto    p1,p2,p3</p>
<p align="Left">
To correct this problem, install <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.13/firewall">
this corrected firewall script</a>
in the location pointed to by the symbolic link /etc/shorewall/firewall. </p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">
Version 1.1.12</font><!--mstheme--></font></h3>
<blockquote>
<p align="Left">
The LRP version of Shorewall 1.1.12 has the incorrect /etc/shorewall/functions
file. This incorrect file results in many error messages of the form:</p>
<blockquote>
<p align="Left">
separate_list: not found</p>
</blockquote>
<p align="Left"><a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.12/functions">
The correct file may be obtained here</a>
. This problem is also corrected in version 1.1.13.</p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">
Version 1.1.11</font><!--mstheme--></font></h3>
<blockquote>
<p align="Left">
There are no known problems with this version.</p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">
Version 1.1.10</font><!--mstheme--></font></h3>
<blockquote>
<p align="Left">
If the following conditions were met:<br>
</p>
<ol>
<li>
<p align="Left">
A LAN segment attached to the firewall was served by a DHCP server
running on the firewall.</p>
</li>
<li>
<p align="Left">
There were entries in /etc/shorewall/hosts that referred to the
interface to that LAN segment.</p>
</li>
</ol>
<p align="Left">
then up until now it has been necessary to include entries for 0.0.0.0
and 255.255.255.255 for that interface in /etc/shorewall/hosts. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.10/firewall">
This version of the firewall script</a>
makes those additions unnecessary provided that you simply include
"dhcp" in the options for the interface in /etc/shorewall/interfaces.
Install the script into the location pointed to by the symbolic link
/etc/shorewall/firewall.</p>
<p align="Left">
This problem has also been corrected in version 1.1.11.</p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">
Version 1.1.9</font><!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The shorewall "hits" command lists extraneous service names in the final
report. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.9/shorewall">
This version of the shorewall script</a>
corrects this problem.<br>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.1.8<!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Under some circumstances, the "dhcp" option on an interface triggers
a bug in the firewall script that results in a "chain already exists"
error. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.8/firewall">
This version of the firewall script</a>
corrects this problem. Install it into the location pointed to by
the symbolic link /etc/shorewall/firewall.<br>
<br>
This problem is also corrected in version 1.1.9.<br>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.1.7<!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If the /etc/shorewall/rules template from version 1.1.7 is used, a warning
message appears during firewall startup:<br>
<br>
    Warning: Invalid Target - rule "@ icmp-unreachable packet."
ignored<br>
<br>
This warning may be eliminated by replacing the "@" in column 1 of
line 17 with "#"<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<blockquote>
<p align="Left">
This problem is also corrected in version 1.1.8</p>
</blockquote>
<p align="left"><font size="2">
Last updated 12/21/2001 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</html>
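Review bot: The misspelled variable name is reported two different ways: the 1.1.17 entry says ADD_IP_ALIASES was spelled "IP_ADD_ALIASAES" in shorewall.conf, while the 1.1.16 entry says it was spelled "IP_ADD_ALIASES" in the firewall script. If these really are two different typos in two files, say so; otherwise one of them is wrong, and a user searching a configuration for the bad spelling needs the exact string. The 1.1.18 entry's "was not secured for execute access" is ambiguous; if /etc/init.d/shorewall simply lacked the execute bit, say "was not marked executable". The same entry names the .lrp files "shorwall-1.1.18.lrp" and "shorwall-1.1.18a.lrp"; confirm that is the real file name and not a typo for "shorewall". Formatting: the 1.1.12 entry has a line break and stray space between the link and the following period ("here . This problem"), and the 1.1.7 closing sentence "This problem is also corrected in version 1.1.8" is missing its period.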


@ -0,0 +1,67 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Fallback and Uninstall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Fallback and Uninstall<!--mstheme--></font></h1>
<p><strong>Shorewall includes
a </strong><a href="#fallback"><strong>fallback script</strong></a><strong>
and an </strong><a href="#uninstall"><strong>uninstall script</strong></a><strong>.</strong></p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="fallback"></a>Falling Back to the Previous Version of Shorewall
using the Fallback Script<!--mstheme--></font></h2>
<p>If you install Shorewall and discover that
it doesn't work for you, you can fall back to your previously
installed version. To do that:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">cd to the distribution directory for the version
of Seattle Firewall <u>that you are
currently running </u>(NOT the version
that you want to fall back to).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Type &quot;./fallback.sh&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><strong><u>Warning:</u> The fallback script
will replace /etc/shorewall/policy, /etc/shorewall/rules, /etc/shorewall/interfaces,
/etc/shorewall/nat, /etc/shorewall/proxyarp and /etc/shorewall/masq with the version of
these files from before the current version was installed. Any
changes to any of these files will be lost.</strong><!--mstheme--></font></h3>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="rpm"></a>Falling Back to the Previous Version of Shorewall using
rpm<!--mstheme--></font></h2>
<p>If your previous version of Shorewall was
installed using RPM, you may fall back to that version by typing
&quot;rpm -Uvh --force &lt;old rpm&gt;&quot; at a root shell
prompt (Example: &quot;rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm&quot; would fall back to the 3.1-0
version of Shorewall).</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="uninstall"></a>Uninstalling Shorewall<!--mstheme--></font></h2>
<p>If you no longer wish to use Shorewall, you
may remove it by:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">cd to the distribution directory for the version
of Shorewall that you have installed.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">type &quot;./uninstall.sh&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p>If you installed using an rpm, at a root shell prompt
type &quot;rpm -e shorewall&quot;.</p>
<p><font size="2">Last updated 3/26/2001 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><!--mstheme--></font></body></html>
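Review bot: The first fallback step refers to "the distribution directory for the version of Seattle Firewall that you are currently running", a leftover of the product's old name; the uninstall step two sections later already says "Shorewall", so this should match. In the rpm fallback example, the file name "/downloads/shorewall-3.1=0noarch.rpm" is malformed ("=" where a "-" belongs and no "." before "noarch"), and the 3.1-0 version does not match the 1.x releases covered elsewhere in this commit; use a name of the form shorewall-<version>-<release>.noarch.rpm that corresponds to a real release. Also consider recommending "rpm -Uvh --oldpackage <old rpm>" instead of "--force" for the downgrade: --force is equivalent to --replacepkgs, --replacefiles and --oldpackage together, so it grants more than a downgrade needs, and the errata page in this same commit already uses --oldpackage for the iptables downgrade.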


@ -0,0 +1,55 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>GNU Mailman</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">GNU Mailman/Postfix<br>
the Easy Way<!--mstheme--></font></h1>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">The following was posted on the Postfix mailing list on 5/4/2002 by Michael
Tokarev as a suggested addition to the Postfix FAQ.<!--mstheme--></font></h4>
<p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>
<br>
A: Mailman uses a setgid wrapper that is designed to be used in system-wide
aliases file so that rest of mailman's mail handling processes will run with
proper uid/gid. Postfix has an ability to run a command specified in an alias as
owner of that alias, thus mailman's wrapper is not needed here. The best method
to invoke mailman's mail handling via aliases is to use separate alias file
especially for mailman, and made it owned by mailman and group mailman. Like:<br>
<br>
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
<br>
Make sure that /var/mailman/aliases.db is owned by mailman user (this may be
done by executing postalias as mailman userid).<br>
<br>
Next, instead of using mailman-suggested aliases entries with wrapper, use the
following:<br>
<br>
instead of<br>
mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
...<br>
<br>
use<br>
mailinglist: /var/mailman/scripts/post mailinglist<br>
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
...</p>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">The Shorewall mailing lists are currently running Postfix 1.1.7 together
with the stock RedHat Mailman-2.0.8 RPM configured as shown above.<!--mstheme--></font></h4>
<p align="left"><font size="2">Last updated 5/4/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</html>
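Review bot: the ownership requirement in this FAQ entry is stated too loosely for what the setup relies on. The whole point of dropping Mailman's setgid wrapper is that Postfix runs the alias command as the owner of the alias database, so "Make sure that /var/mailman/aliases.db is owned by mailman user (this may be done by executing postalias as mailman userid)" should be a hard requirement, not a "may": if someone later rebuilds the map with postalias as root, the .db ends up root-owned and the /var/mailman/scripts/post, mailowner and mailcmd commands no longer run as mailman. Suggest saying explicitly that both /var/mailman/aliases and /var/mailman/aliases.db must be owned by mailman:mailman and that postalias must always be run as the mailman user. Minor wording in the same paragraph: "and made it owned by mailman and group mailman" should read "and make it owned by user mailman and group mailman".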


@ -0,0 +1,21 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>The Hosts File</title>
<meta name="Microsoft Theme" content="radial 011, default">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">The Hosts File<!--mstheme--></font></h1>
<p align="left">Since there seems to be a lot of confusion regarding the
/etc/shorewall/hosts file, I have created this page to try to clear the fog.</p>
<p align="left">&nbsp;</p>
<!--mstheme--></font></body>
</html>
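Review bot: this new page has no content beyond its introductory sentence; after "I have created this page to try to clear the fog." the body is a single `&nbsp;` paragraph, so a reader following a link to "The Hosts File" learns nothing about the /etc/shorewall/hosts file. Either add the explanation the intro promises (what the file is for and what its columns mean) before committing, or hold the file back until it is written.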