diff --git a/STABLE/documentation/Shorewall_and_Aliased_Interfaces.html b/STABLE/documentation/Shorewall_and_Aliased_Interfaces.html
new file mode 100755
index 000000000..63b6b92fa
--- /dev/null
+++ b/STABLE/documentation/Shorewall_and_Aliased_Interfaces.html
@@ -0,0 +1,549 @@
+
+
+
+ Shorewall and Aliased Interfaces
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Shorewall and Aliased Interfaces
+ |
+
+
+
+
+
+
+
+Background
+ The traditional net-tools contain a program called ifconfig which
+ is used to configure network devices. ifconfig introduced the concept of
+aliased or virtial interfaces. These virtual interfaces have
+names of the form interface:integer (e.g., eth0:0) and ifconfig
+treats them more or less like real interfaces.
+
+ Example:
+
+[root@gateway root]# ifconfig eth0:0
eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55
inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0x2000
[root@gateway root]#
+ The ifconfig utility is being gradually phased out in favor of the ip
+ utility which is part of the iproute package. The ip utility does
+not use the concept of aliases or virtual interfaces but rather treats additional
+ addresses on an interface as addresses. The ip utility does provide for interaction
+ with ifconfig in that it allows addresses to be labeled.
+
+ Example:
+
+
+[root@gateway root]# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
[root@gateway root]#
+ Note that one cannot type "ip addr show dev eth0:0"
+
+[root@gateway root]# ip addr show dev eth0:0
Device "eth0:0" does not exist.
[root@gateway root]#
+ The iptables program doesn't support virtual interfaces in either it's
+"-i" or "-o" command options; as a consequence, Shorewall does not allow
+them to be used in the /etc/shorewall/interfaces file.
+
+
+So how do I handle more than one address on an interface?
+ Depends on what you are trying to do with the interfaces. In the sub-sections
+ that follow, we'll take a look at common scenarios.
+
+Separate Rules
+ If you need to make a rule for traffic to/from the firewall itself only
+apply to a particular IP address, simply qualify the $FW zone with the IP
+address.
+
+ Example (allow SSH from net to eth0:0 above):
+
+
+
+
+
+
+ ACTION
+ |
+ SOURCE
+ |
+ DESTINATION
+ |
+ PROTOCOL
+ |
+ PORT(S)
+ |
+ SOURCE PORT(S)
+ |
+ ORIGINAL DESTINATION
+ |
+
+
+ DNAT
+ |
+ net
+ |
+ fw:206.124.146.178
+ |
+ tcp
+ |
+ 22
+ |
+
+ |
+
+ |
+
+
+
+
+
+
+
+DNAT
+ Suppose that I had set up eth0:0 as above and I wanted to port forward
+from that virtual interface to a web server running in my local zone at 192.168.1.3.
+ That is accomplised by a single rule in the /etc/shorewall/rules file:
+
+
+
+
+
+
+ ACTION
+ |
+ SOURCE
+ |
+ DESTINATION
+ |
+ PROTOCOL
+ |
+ PORT(S)
+ |
+ SOURCE PORT(S)
+ |
+ ORIGINAL DESTINATION
+ |
+
+
+ DNAT
+ |
+ net
+ |
+ loc:192.168.1.3
+ |
+ tcp
+ |
+ 80
+ |
+ -
+ |
+ 206.124.146.178
+ |
+
+
+
+
+
+
+
+SNAT
+ If you wanted to use eth0:0 as the IP address for outbound connections
+from your local zone (eth1), then in /etc/shorewall/masq:
+
+
+
+
+
+
+ INTERFACE
+ |
+ SUBNET
+ |
+ ADDRESS
+ |
+
+
+ eth0
+ |
+ eth1
+ |
+ 206.124.146.178
+ |
+
+
+
+
+
+
+ Shorewall can create the alias (additional address) for you if you set
+ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
+1.3.14, Shorewall can actually create the "label" (virtual interface) so
+that you can see the created address using ifconfig. In addition to setting
+ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
+column as follows:
+
+
+
+
+
+ INTERFACE
+ |
+ SUBNET
+ |
+ ADDRESS
+ |
+
+
+ eth0:0
+ |
+ eth1
+ |
+ 206.124.146.178
+ |
+
+
+
+
+
+
+
+STATIC NAT
+ If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3,
+ you would have the following in /etc/shorewall/nat:
+
+
+
+
+
+
+ EXTERNAL
+ |
+ INTERFACE
+ |
+ INTERNAL
+ |
+ ALL INTERFACES
+ |
+ LOCAL
+ |
+
+
+ 206.124.146.178
+ |
+ eth0
+ |
+ 192.168.1.3
+ |
+ no
+ |
+ no
+ |
+
+
+
+
+
+
+ Shorewall can create the alias (additional address) for you if you set
+ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
+1.3.14, Shorewall can actually create the "label" (virtual interface) so
+that you can see the created address using ifconfig. In addition to setting
+ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
+column as follows:
+
+
+
+
+
+
+ EXTERNAL
+ |
+ INTERFACE
+ |
+ INTERNAL
+ |
+ ALL INTERFACES
+ |
+ LOCAL
+ |
+
+
+ 206.124.146.178
+ |
+ eth0:0
+ |
+ 192.168.1.3
+ |
+ no
+ |
+ no
+ |
+
+
+
+
+
+
+ In either case, to create rules that pertain only to this NAT pair, you
+simply qualify the local zone with the internal IP address.
+
+ Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3.
+
+
+
+
+
+
+ ACTION
+ |
+ SOURCE
+ |
+ DESTINATION
+ |
+ PROTOCOL
+ |
+ PORT(S)
+ |
+ SOURCE PORT(S)
+ |
+ ORIGINAL DESTINATION
+ |
+
+
+ ACCEPT
+ |
+ net
+ |
+ loc:192.168.1.3
+ |
+ tcp
+ |
+ 22
+ |
+
+ |
+
+ |
+
+
+
+
+
+
+
+MULTIPLE SUBNETS
+ Sometimes multiple IP addresses are used because there are multiple subnetworks
+ configured on a LAN segment. This technique does not provide for any security
+ between the subnetworks if the users of the systems have administrative privileges
+ because in that case, the users can simply manipulate their system's routing
+ table to bypass your firewall/router. Nevertheless, there are cases where
+ you simply want to consider the LAN segment itself as a zone and allow your
+ firewall/router to route between the two subnetworks.
+
+ Example 1: Local interface eth1 interfaces to 192.168.1.0/24 and
+192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
+is 192.168.20.254. You want to simply route all requests between the two
+subnetworks.
+
+ In /etc/shorewall/interfaces:
+
+
+
+
+
+
+ ZONE
+ |
+ INTERFACE
+ |
+ BROADCAST
+ |
+ OPTIONS
+ |
+
+
+ loc
+ |
+ eth1
+ |
+ 192.168.1.255,192.168.20.255
+ |
+ Note 1:
+ |
+
+
+
+
+
+
+ Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
+ the multi option.
+
+ In /etc/shorewall/policy:
+
+
+
+
+
+
+ SOURCE
+ |
+ DESTINATION
+ |
+ POLICY
+ |
+ LOG LEVEL
+ |
+ BURST:LIMIT
+ |
+
+
+ loc
+ |
+ loc
+ |
+ ACCEPT
+ |
+
+ |
+
+ |
+
+
+
+
+
+
+ Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
+ The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
+ You want to make these subnetworks into separate zones and control the
+access between them (the users of the systems do not have administrative
+privileges).
+
+ In /etc/shorewall/zones:
+
+
+
+
+
+
+ ZONE
+ |
+ DISPLAY
+ |
+ DESCRIPTION
+ |
+
+
+ loc
+ |
+ Local
+ |
+ Local Zone 1
+ |
+
+
+ loc2
+ |
+ Local2
+ |
+ Local Zone 2
+ |
+
+
+
+
+
+
+ In /etc/shorewall/interfaces:
+
+
+
+
+
+
+ ZONE
+ |
+ INTERFACE
+ |
+ BROADCAST
+ |
+ OPTIONS
+ |
+
+
+ -
+ |
+ eth1
+ |
+ 192.168.1.255,192.168.20.255
+ |
+ Note 1:
+ |
+
+
+
+
+
+
+ Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
+ the multi option.
+
+ In /etc/shorewall/hosts:
+
+
+
+
+
+ ZONE
+ |
+ HOSTS
+ |
+ OPTIONS
+ |
+
+
+ loc
+ |
+ eth0:192.168.1.0/24
+ |
+
+ |
+
+
+ loc2
+ |
+ eth0:192.168.20.0/24
+ |
+
+ |
+
+
+
+
+
+
+ In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that
+ you want to permit.
+
+
+Last Updated 3/5/2003 A - Tom Eastep
+
+Copyright ©
+ 2001, 2002, 2003 Thomas M. Eastep.
+
+
+
+
+
+
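Review bot: the "Separate Rules" example under "allow SSH from net to eth0:0" uses the wrong ACTION: the rule row reads `DNAT | net | fw:206.124.146.178 | tcp | 22`, but a rule whose DESTINATION is the firewall zone qualified by an address is a plain filter rule and should be `ACCEPT`, as the later "Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3" row correctly shows; as written it is also confusing because the very next section is titled "DNAT" and introduces the real DNAT form with an ORIGINAL DESTINATION column. Second, the MULTIPLE SUBNETS Example 2 /etc/shorewall/hosts table lists `eth0:192.168.1.0/24` and `eth0:192.168.20.0/24`, while the example text and the /etc/shorewall/interfaces table for the same example use `eth1`; the hosts entries should read `eth1:192.168.1.0/24` and `eth1:192.168.20.0/24`, otherwise the loc and loc2 zones are bound to the external interface. Minor: the ifconfig output shows HWaddr `02:00:08:3:FA:55` while the ip output for the same device shows `02:00:08:e3:fa:55`, so one of the two should be corrected; spelling fixes wanted for "virtial", "accomplised", and "it's" (should be "its") in "doesn't support virtual interfaces in either it's"; and the footer "Last Updated 3/5/2003 A - Tom Eastep" has a stray "A". Also note that the lines inside the three `ifconfig`/`ip addr show` output blocks (starting at `eth0:0 Link encap:Ethernet`, `2: eth0: <BROADCAST,MULTICAST,UP>` and `Device "eth0:0" does not exist.`) appear without the leading `+` of the rest of the hunk, so please check that the patch applies cleanly before merging.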