Merge branch 'master' into 5.0.6
@ -2,7 +2,7 @@
|
||||
#
|
||||
# Script to install Shoreline Firewall Core Modules
|
||||
#
|
||||
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.net
|
||||
#
|
||||
|
@ -266,7 +266,7 @@ search_log() # $1 = IP address to search for
|
||||
#
|
||||
# Show traffic control information
|
||||
#
|
||||
show_tc() {
|
||||
show_tc1() {
|
||||
|
||||
show_one_tc() {
|
||||
local device
|
||||
@ -292,6 +292,19 @@ show_tc() {
|
||||
|
||||
}
|
||||
|
||||
show_tc() {
|
||||
echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
|
||||
echo
|
||||
shift
|
||||
|
||||
if [ -z "$1" ]; then
|
||||
$g_tool -t mangle -L -n -v | $output_filter
|
||||
echo
|
||||
fi
|
||||
|
||||
show_tc1 $1
|
||||
}
|
||||
|
||||
#
|
||||
# Show classifier information
|
||||
#
|
||||
@ -928,6 +941,66 @@ show_actions() {
|
||||
grep -Ev '^\#|^$' ${g_sharedir}/actions.std
|
||||
fi
|
||||
}
|
||||
|
||||
show_chain() {
|
||||
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
if [ $# -gt 0 ]; then
|
||||
for chain in $*; do
|
||||
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
|
||||
echo
|
||||
done
|
||||
else
|
||||
$g_tool -t $table -L $g_ipt_options | $output_filter
|
||||
fi
|
||||
}
|
||||
|
||||
show_chains() {
|
||||
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
for chain in $*; do
|
||||
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
|
||||
echo
|
||||
done
|
||||
}
|
||||
|
||||
show_table() {
|
||||
echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
$g_tool -t $table -L $g_ipt_options | $output_filter
|
||||
}
|
||||
|
||||
show_nat() {
|
||||
echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
$g_tool -t nat -L $g_ipt_options | $output_filter
|
||||
}
|
||||
|
||||
show_macros() {
|
||||
for directory in $(split $CONFIG_PATH); do
|
||||
temp=
|
||||
for macro in ${directory}/macro.*; do
|
||||
case $macro in
|
||||
*\*)
|
||||
;;
|
||||
*)
|
||||
if [ -z "$temp" ]; then
|
||||
echo
|
||||
echo "Macros in $directory:"
|
||||
echo
|
||||
temp=Yes
|
||||
fi
|
||||
show_macro
|
||||
;;
|
||||
esac
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Show Command Executor
|
||||
#
|
||||
@ -1084,31 +1157,28 @@ show_command() {
|
||||
;;
|
||||
nat)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
$g_tool -t nat -L $g_ipt_options | $output_filter
|
||||
eval show_nat $g_pager
|
||||
;;
|
||||
raw)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
$g_tool -t raw -L $g_ipt_options | $output_filter
|
||||
eval { echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
$g_tool -t raw -L $g_ipt_options | $output_filter } $g_pager
|
||||
;;
|
||||
rawpost)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
$g_tool -t rawpost -L $g_ipt_options | $output_filter
|
||||
eval { echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
$g_tool -t rawpost -L $g_ipt_options | $output_filter } $g_pager
|
||||
;;
|
||||
tos|mangle)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
$g_tool -t mangle -L $g_ipt_options | $output_filter
|
||||
eval { echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
$g_tool -t mangle -L $g_ipt_options | $output_filter } $g_pager
|
||||
;;
|
||||
log)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
@ -1128,22 +1198,13 @@ show_command() {
|
||||
;;
|
||||
tc)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
|
||||
echo
|
||||
shift
|
||||
|
||||
if [ -z "$1" ]; then
|
||||
$g_tool -t mangle -L -n -v | $output_filter
|
||||
echo
|
||||
fi
|
||||
|
||||
show_tc $1
|
||||
eval show_tc $g_pager
|
||||
;;
|
||||
classifiers|filters)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
|
||||
echo
|
||||
show_classifiers
|
||||
eval { echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
|
||||
echo
|
||||
show_classifiers } $g_pager
|
||||
;;
|
||||
zones)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
@ -1173,22 +1234,22 @@ show_command() {
|
||||
determine_capabilities
|
||||
VERBOSITY=2
|
||||
if [ -n "$g_filemode" ]; then
|
||||
report_capabilities1
|
||||
eval report_capabilities1 $g_pager
|
||||
else
|
||||
report_capabilities
|
||||
eval report_capabilities $g_pager
|
||||
fi
|
||||
;;
|
||||
ip)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
|
||||
echo
|
||||
ip -$g_family addr list
|
||||
eval { echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
|
||||
echo
|
||||
ip -$g_family addr list } $g_pager
|
||||
;;
|
||||
routing)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
|
||||
echo
|
||||
show_routing
|
||||
eval { echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
|
||||
echo
|
||||
show_routing } $g_pager
|
||||
;;
|
||||
config)
|
||||
. ${g_sharedir}/configpath
|
||||
@ -1210,33 +1271,23 @@ show_command() {
|
||||
;;
|
||||
chain)
|
||||
shift
|
||||
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
if [ $# -gt 0 ]; then
|
||||
for chain in $*; do
|
||||
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
|
||||
echo
|
||||
done
|
||||
else
|
||||
$g_tool -t $table -L $g_ipt_options | $output_filter
|
||||
fi
|
||||
eval show_chain $@ $g_pager
|
||||
;;
|
||||
vardir)
|
||||
echo $VARDIR;
|
||||
;;
|
||||
policies)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
|
||||
echo
|
||||
[ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
|
||||
eval { echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
|
||||
echo
|
||||
[ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies } $g_pager
|
||||
;;
|
||||
ipa)
|
||||
[ $g_family -eq 4 ] || usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
|
||||
echo
|
||||
[ $# -gt 1 ] && usage 1
|
||||
perip_accounting
|
||||
eval { echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
|
||||
echo
|
||||
[ $# -gt 1 ] && usage 1
|
||||
perip_accounting } $g_pager
|
||||
;;
|
||||
marks)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
@ -1246,17 +1297,17 @@ show_command() {
|
||||
;;
|
||||
nfacct)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
|
||||
echo
|
||||
show_nfacct
|
||||
eval { echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
|
||||
echo
|
||||
show_nfacct } $g_pager
|
||||
;;
|
||||
arptables)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
resolve_arptables
|
||||
if [ -n "$arptables" -a -x $arptables ]; then
|
||||
echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
|
||||
echo
|
||||
$arptables -L -n -v
|
||||
eval { echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
|
||||
echo
|
||||
$arptables -L -n -v } $g_pager
|
||||
else
|
||||
error_message "Cannot locate the arptables executable"
|
||||
fi
|
||||
@ -1270,9 +1321,9 @@ show_command() {
|
||||
;;
|
||||
events)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
|
||||
echo
|
||||
show_events
|
||||
eval { echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
|
||||
echo
|
||||
show_events } $g_pager
|
||||
;;
|
||||
bl|blacklists)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
@ -1298,7 +1349,7 @@ show_command() {
|
||||
case $1 in
|
||||
actions)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
show_actions | sort
|
||||
eval show_actions | sort $pager
|
||||
return
|
||||
;;
|
||||
macro)
|
||||
@ -1315,25 +1366,7 @@ show_command() {
|
||||
;;
|
||||
macros)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
|
||||
for directory in $(split $CONFIG_PATH); do
|
||||
temp=
|
||||
for macro in ${directory}/macro.*; do
|
||||
case $macro in
|
||||
*\*)
|
||||
;;
|
||||
*)
|
||||
if [ -z "$temp" ]; then
|
||||
echo
|
||||
echo "Macros in $directory:"
|
||||
echo
|
||||
temp=Yes
|
||||
fi
|
||||
show_macro
|
||||
;;
|
||||
esac
|
||||
done
|
||||
done
|
||||
eval show_macros $g_pager
|
||||
return
|
||||
;;
|
||||
esac
|
||||
@ -1353,20 +1386,11 @@ show_command() {
|
||||
error_message "ERROR: Chain '$chain' is not recognized by $g_tool."
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
for chain in $*; do
|
||||
$g_tool -t $table -L $chain $g_ipt_options | $output_filter
|
||||
echo
|
||||
done
|
||||
eval show_chains $@ $g_pager
|
||||
else
|
||||
echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
$g_tool -t $table -L $g_ipt_options | $output_filter
|
||||
eval show_table $g_pager
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -1417,12 +1441,16 @@ dump_filter() {
|
||||
;;
|
||||
esac
|
||||
|
||||
$command $filter
|
||||
eval $command $filter $g_pager
|
||||
else
|
||||
cat -
|
||||
fi
|
||||
}
|
||||
|
||||
dump_filter_wrapper() {
|
||||
eval dump_filter $g_pager
|
||||
}
|
||||
|
||||
#
|
||||
# Dump Command Executor
|
||||
#
|
||||
@ -1633,14 +1661,14 @@ do_dump_command() {
|
||||
|
||||
if [ -n "$TC_ENABLED" ]; then
|
||||
heading "Traffic Control"
|
||||
show_tc
|
||||
show_tc1
|
||||
heading "TC Filters"
|
||||
show_classifiers
|
||||
fi
|
||||
}
|
||||
|
||||
dump_command() {
|
||||
do_dump_command $@ | dump_filter
|
||||
do_dump_command $@ | dump_filter_wrapper
|
||||
}
|
||||
|
||||
#
|
||||
@ -4040,6 +4068,7 @@ shorewall_cli() {
|
||||
g_counters=
|
||||
g_loopback=
|
||||
g_compiled=
|
||||
g_pager=
|
||||
|
||||
VERBOSE=
|
||||
VERBOSITY=1
|
||||
@ -4194,6 +4223,19 @@ shorewall_cli() {
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -t 1 ]; then
|
||||
#
|
||||
# Output is to a terminal -- use a pager on commands with verbose output
|
||||
#
|
||||
if qt mywhich less; then
|
||||
g_pager='| less'
|
||||
elif qt mywhich more; then
|
||||
g_pager='| more'
|
||||
else
|
||||
g_pager=''
|
||||
fi
|
||||
fi
|
||||
|
||||
COMMAND=$1
|
||||
|
||||
case "$COMMAND" in
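Review bot: `eval show_chain $@ $g_pager` in the `chain)` case and `eval show_chains $@ $g_pager` near the end of show_command pass the user-supplied chain names through `eval`, so a name containing shell metacharacters is re-parsed and executed by the root shell running the CLI, whereas the removed `$g_tool -t $table -L $chain $g_ipt_options` lines only ever passed it as an argument; the `show_chains` path at least runs the names through the `-L $chain` existence check above it, the `chain)` path has no such check. Keeping the pager out of `eval` avoids this, e.g. set `g_pager=less` / `g_pager=more` / `g_pager=cat` instead of `'| less'` and write `show_chain "$@" | $g_pager` (with the same form at the other `eval ... $g_pager` sites). Separately, the multi-line `eval { echo "..."` … `| $output_filter } $g_pager` groups in the raw, rawpost, mangle, classifiers, ip, routing, policies, ipa, nfacct, arptables and events cases cannot work as written: `eval` ends at the first newline, so it receives an unterminated `{`, and the `}` after `$output_filter` on the last line is an ordinary argument rather than a closing brace — the nat and tc cases (a function plus `eval show_nat $g_pager`) are the pattern to follow. Finally, `eval show_actions | sort $pager` references `$pager`, which is never set (everywhere else it is `$g_pager`), and the pipe to `sort` sits outside the eval, so `show actions` is never paged. show_command starts and ends outside these hunks.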
|
||||
|
@ -2,7 +2,7 @@
|
||||
#
|
||||
# Script to back uninstall Shoreline Firewall
|
||||
#
|
||||
# (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://www.shorewall.net
|
||||
#
|
||||
|
@ -2,7 +2,7 @@
|
||||
#
|
||||
# Script to install Shoreline Firewall Init
|
||||
#
|
||||
# (c) 2000-20114 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.net
|
||||
|
@ -2,7 +2,7 @@
|
||||
#
|
||||
# Script to back uninstall Shoreline Firewall
|
||||
#
|
||||
# (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
||||
#
|
||||
|
@ -2,7 +2,7 @@
|
||||
#
|
||||
# Script to install Shoreline Firewall Lite
|
||||
#
|
||||
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.net
|
||||
#
|
||||
|
@ -2,7 +2,7 @@
|
||||
#
|
||||
# Script to back uninstall Shoreline Firewall
|
||||
#
|
||||
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
||||
#
|
||||
|
@ -1,9 +1,9 @@
|
||||
#
|
||||
# Shorewall - /usr/share/shorewall/macro.SNMPtrap
|
||||
#
|
||||
# This macro handles SNMP traps.
|
||||
# This macro deprecated by SNMPtrap.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
||||
|
||||
PARAM - - udp 162
|
||||
SNMPtrap
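Review bot: The header of this macro still says `# Shorewall - /usr/share/shorewall/macro.SNMPtrap` and `# This macro deprecated by SNMPtrap.`, which reads as the macro deprecating itself; the page does not show the file name, but presumably this is the old macro being superseded by the new macro.SNMPtrap, so the first comment should name this file and the second should read `# This macro is deprecated; use the SNMPtrap macro instead.` Replacing the PARAM rule with a bare `SNMPtrap` invocation is fine on its own.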
|
||||
|
9
Shorewall/Macros/macro.SNMPtrap
Normal file
@ -0,0 +1,9 @@
|
||||
#
|
||||
# Shorewall - /usr/share/shorewall/macro.SNMPtrap
|
||||
#
|
||||
# This macro handles SNMP traps.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
||||
|
||||
PARAM - - udp 162
|
@ -264,6 +264,7 @@ our %EXPORT_TAGS = (
|
||||
have_address_variables
|
||||
set_global_variables
|
||||
save_dynamic_chains
|
||||
save_docker_rules
|
||||
load_ipsets
|
||||
create_save_ipsets
|
||||
validate_nfobject
|
||||
@ -1525,8 +1526,7 @@ sub create_irule( $$$;@ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Clone an existing rule. Only the rule hash itself is cloned; reference values are shared between the new rule
|
||||
# reference and the old.
|
||||
# Clone an existing rule.
|
||||
#
|
||||
sub clone_irule( $ ) {
|
||||
my $oldruleref = $_[0];
|
||||
@ -2989,11 +2989,31 @@ sub initialize_chain_table($) {
|
||||
}
|
||||
}
|
||||
|
||||
my $chainref;
|
||||
|
||||
if ( $full ) {
|
||||
#
|
||||
# Create this chain early in case it is needed by Policy actions
|
||||
#
|
||||
new_standard_chain 'reject';
|
||||
|
||||
if ( $config{DOCKER} ) {
|
||||
$chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
|
||||
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||
}
|
||||
}
|
||||
|
||||
if ( my $docker = $config{DOCKER} ) {
|
||||
add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
|
||||
$chainref = new_standard_chain( 'DOCKER' );
|
||||
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER ] && cat ${VARDIR}/.filter_DOCKER >&3' );
|
||||
$chainref = new_nat_chain( 'DOCKER' );
|
||||
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||
add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
|
||||
$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
|
||||
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
|
||||
}
|
||||
|
||||
my $ruleref = transform_rule( $globals{LOGLIMIT} );
|
||||
@ -8043,6 +8063,32 @@ sub emitr1( $$ ) {
|
||||
#
|
||||
# Emit code to save the dynamic chains to hidden files in ${VARDIR}
|
||||
#
|
||||
sub save_docker_rules($) {
|
||||
my $tool = $_[0];
|
||||
|
||||
emit( qq(if [ -n "\$g_docker" ]; then),
|
||||
qq( $tool -t nat -S DOCKER | tail -n +2 > \$VARDIR/.nat_DOCKER),
|
||||
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \$VARDIR/.nat_POSTROUTING),
|
||||
qq( $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER),
|
||||
qq( [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \$VARDIR/.filter_DOCKER-ISOLATION)
|
||||
);
|
||||
|
||||
if ( known_interface( 'docker0' ) ) {
|
||||
emit( qq( $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \$VARDIR/.filter_FORWARD) );
|
||||
} else {
|
||||
emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \$VARDIR/.filter_FORWARD) );
|
||||
}
|
||||
|
||||
emit( qq( [ -s \$VARDIR/.filter_FORWARD ] || rm -f \$VARDIR/.filter_FORWARD),
|
||||
qq(else),
|
||||
qq( rm -f \$VARDIR/.nat_DOCKER),
|
||||
qq( rm -f \$VARDIR/.nat_POSTROUTING),
|
||||
qq( rm -f \$VARDIR/.filter_DOCKER),
|
||||
qq( rm -f \$VARDIR/.filter_DOCKER-ISOLATION),
|
||||
qq( rm -f \$VARDIR/.filter_FORWARD),
|
||||
qq(fi)
|
||||
)
|
||||
}
|
||||
|
||||
sub save_dynamic_chains() {
|
||||
|
||||
@ -8077,25 +8123,23 @@ else
|
||||
rm -f \${VARDIR}/.dynamic
|
||||
fi
|
||||
EOF
|
||||
|
||||
emit(''), save_docker_rules( $tool ) if $config{DOCKER};
|
||||
} else {
|
||||
$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
|
||||
|
||||
emit <<"EOF";
|
||||
if chain_exists 'UPnP -t nat'; then
|
||||
$tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
|
||||
$utility -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
|
||||
else
|
||||
rm -f \${VARDIR}/.UPnP
|
||||
fi
|
||||
|
||||
if chain_exists forwardUPnP; then
|
||||
$tool -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
|
||||
$utility -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
|
||||
else
|
||||
rm -f \${VARDIR}/.forwardUPnP
|
||||
fi
|
||||
|
||||
if chain_exists dynamic; then
|
||||
$tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
|
||||
$utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
|
||||
else
|
||||
rm -f \${VARDIR}/.dynamic
|
||||
fi
|
||||
@ -8115,10 +8159,11 @@ EOF
|
||||
emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
|
||||
qq( if chain_exists dynamic; then),
|
||||
qq( $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
|
||||
emit( '' ), save_docker_rules( $tool ) if $config{DOCKER};
|
||||
} else {
|
||||
emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
|
||||
qq( if chain_exists dynamic; then),
|
||||
qq( $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
|
||||
qq( $utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
|
||||
}
|
||||
|
||||
emit <<"EOF";
|
||||
@ -8421,7 +8466,7 @@ sub create_netfilter_load( $ ) {
|
||||
|
||||
my @chains;
|
||||
#
|
||||
# iptables-restore seems to be quite picky about the order of the builtin chains
|
||||
# Iptables-restore seems to be quite picky about the order of the builtin chains
|
||||
#
|
||||
for my $chain ( @builtins ) {
|
||||
my $chainref = $chain_table{$table}{$chain};
|
||||
@ -8437,8 +8482,25 @@ sub create_netfilter_load( $ ) {
|
||||
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
|
||||
my $chainref = $chain_table{$table}{$chain};
|
||||
unless ( $chainref->{builtin} ) {
|
||||
assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
|
||||
emit_unindented ":$chainref->{name} - [0:0]";
|
||||
my $name = $chainref->{name};
|
||||
assert( $chainref->{cmdlevel} == 0 , $name );
|
||||
|
||||
if ( $name =~ /^DOCKER/ ) {
|
||||
if ( $name eq 'DOCKER' ) {
|
||||
enter_cmd_mode;
|
||||
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
|
||||
enter_cat_mode;
|
||||
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
|
||||
enter_cmd_mode;
|
||||
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
||||
enter_cat_mode;
|
||||
} else {
|
||||
emit_unindented ":$name - [0:0]";
|
||||
}
|
||||
} else {
|
||||
emit_unindented ":$name - [0:0]";
|
||||
}
|
||||
|
||||
push @chains, $chainref;
|
||||
}
|
||||
}
|
||||
@ -8524,8 +8586,24 @@ sub preview_netfilter_load() {
|
||||
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
|
||||
my $chainref = $chain_table{$table}{$chain};
|
||||
unless ( $chainref->{builtin} ) {
|
||||
assert( $chainref->{cmdlevel} == 0, $chainref->{name} );
|
||||
print ":$chainref->{name} - [0:0]\n";
|
||||
my $name = $chainref->{name};
|
||||
assert( $chainref->{cmdlevel} == 0 , $name );
|
||||
if ( $name =~ /^DOCKER/ ) {
|
||||
if ( $name eq 'DOCKER' ) {
|
||||
enter_cmd_mode;
|
||||
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
|
||||
enter_cat_mode;
|
||||
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
|
||||
enter_cmd_mode;
|
||||
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
||||
enter_cat_mode;
|
||||
} else {
|
||||
emit_unindented ":$name - [0:0]";
|
||||
}
|
||||
} else {
|
||||
emit_unindented ":$name - [0:0]";
|
||||
}
|
||||
|
||||
push @chains, $chainref;
|
||||
}
|
||||
}
|
||||
@ -8710,13 +8788,11 @@ sub create_stop_load( $ ) {
|
||||
|
||||
emit '';
|
||||
|
||||
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
|
||||
'',
|
||||
'progress_message2 "Running $command..."',
|
||||
'',
|
||||
'$command <<__EOF__' );
|
||||
save_progress_message "Preparing $utility input...";
|
||||
|
||||
$mode = CAT_MODE;
|
||||
emit "exec 3>\${VARDIR}/.${utility}-stop-input";
|
||||
|
||||
enter_cat_mode;
|
||||
|
||||
unless ( $test ) {
|
||||
my $date = localtime;
|
||||
@ -8746,8 +8822,24 @@ sub create_stop_load( $ ) {
|
||||
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
|
||||
my $chainref = $chain_table{$table}{$chain};
|
||||
unless ( $chainref->{builtin} ) {
|
||||
assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
|
||||
emit_unindented ":$chainref->{name} - [0:0]";
|
||||
my $name = $chainref->{name};
|
||||
assert( $chainref->{cmdlevel} == 0 , $name );
|
||||
if ( $name =~ /^DOCKER/ ) {
|
||||
if ( $name eq 'DOCKER' ) {
|
||||
enter_cmd_mode;
|
||||
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
|
||||
enter_cat_mode;
|
||||
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
|
||||
enter_cmd_mode;
|
||||
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
||||
enter_cat_mode;
|
||||
} else {
|
||||
emit_unindented ":$name - [0:0]";
|
||||
}
|
||||
} else {
|
||||
emit_unindented ":$name - [0:0]";
|
||||
}
|
||||
|
||||
push @chains, $chainref;
|
||||
}
|
||||
}
|
||||
@ -8760,10 +8852,19 @@ sub create_stop_load( $ ) {
|
||||
#
|
||||
# Commit the changes to the table
|
||||
#
|
||||
enter_cat_mode unless $mode == CAT_MODE;
|
||||
emit_unindented 'COMMIT';
|
||||
}
|
||||
|
||||
emit_unindented '__EOF__';
|
||||
enter_cmd_mode;
|
||||
|
||||
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
|
||||
|
||||
emit( '',
|
||||
'progress_message2 "Running $command..."',
|
||||
'',
|
||||
"cat \${VARDIR}/.${utility}-stop-input | \$command # Use this nonsensical form to appease SELinux",
|
||||
);
|
||||
#
|
||||
# Test result
|
||||
#
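Review bot: In save_docker_rules the `.filter_DOCKER-ISOLATION` file is only rewritten when `$g_dockernetwork` is set, but it is not removed when `$g_docker` is set and `$g_dockernetwork` is not, so a file left over from an earlier run survives; the restore side in initialize_chain_table then does `[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ... >&3` on file existence alone, while the `:DOCKER-ISOLATION - [0:0]` header in create_netfilter_load is emitted only when `$g_dockernetwork` is set, which as far as I can tell would feed `-A DOCKER-ISOLATION` lines for an undeclared chain to iptables-restore. I would gate both sides on the same variable: `qq( [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \$VARDIR/.filter_DOCKER-ISOLATION || rm -f \$VARDIR/.filter_DOCKER-ISOLATION)` on the save side and `'[ -n "$g_dockernetwork" -a -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3'` on the restore side. These files are spliced verbatim into the restore input at the next start, so the generated script trusts whatever is in `${VARDIR}`; a one-line comment above save_docker_rules saying the files are consumed unvalidated and must remain root-owned would help the next reader. The three copies of the DOCKER/DOCKER-ISOLATION header logic in create_netfilter_load, preview_netfilter_load and create_stop_load are identical and would be better as one helper.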
|
||||
|
@ -261,7 +261,15 @@ sub generate_script_2() {
|
||||
'# The library requires that ${VARDIR} exist',
|
||||
'#',
|
||||
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
|
||||
);
|
||||
);
|
||||
|
||||
if ( $config{DOCKER} ) {
|
||||
emit( '',
|
||||
'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
|
||||
);
|
||||
emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
|
||||
emit( '' );
|
||||
}
|
||||
|
||||
pop_indent;
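Review bot: `emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );` has a stray `]`, so the generated script assigns the literal `Yes]`; it only works because every consumer tests `-n "$g_dockernetwork"`. It should read `emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );`, and for symmetry with the DOCKER line it could be folded into the same `emit` call. generate_script_2 starts outside the hunk.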
|
||||
|
||||
|
@ -736,6 +736,7 @@ sub initialize( $;$$) {
|
||||
RPFILTER_LOG_TAG => '',
|
||||
INVALID_LOG_TAG => '',
|
||||
UNTRACKED_LOG_TAG => '',
|
||||
POSTROUTING => 'POSTROUTING',
|
||||
);
|
||||
#
|
||||
# From shorewall.conf file
|
||||
@ -874,6 +875,7 @@ sub initialize( $;$$) {
|
||||
WORKAROUNDS => undef ,
|
||||
LEGACY_RESTART => undef ,
|
||||
RESTART => undef ,
|
||||
DOCKER => undef ,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@ -5857,6 +5859,13 @@ sub get_configuration( $$$$ ) {
|
||||
default_yes_no 'INLINE_MATCHES' , '';
|
||||
default_yes_no 'BASIC_FILTERS' , '';
|
||||
default_yes_no 'WORKAROUNDS' , 'Yes';
|
||||
default_yes_no 'DOCKER' , '';
|
||||
|
||||
if ( $config{DOCKER} ) {
|
||||
fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
|
||||
require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' );
|
||||
require_capability( 'ADDRTYPE', ' DOCKER=Yes', 's' );
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{RESTART} ) ) {
|
||||
fatal_error "Invalid value for RESTART ($val)" unless $val =~ /^(restart|reload)$/;
|
||||
@ -6429,7 +6438,7 @@ sub generate_aux_config() {
|
||||
|
||||
if ( -f $fn ) {
|
||||
emit( '',
|
||||
'dump_filter() {' );
|
||||
'dump_filter1() {' );
|
||||
push_indent;
|
||||
append_file( $fn,1 ) or emit 'cat -';
|
||||
pop_indent;
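Review bot: `require_capability( 'ADDRTYPE', ' DOCKER=Yes', 's' );` carries a leading space in its second argument, which presumably ends up in the capability error text; it should match the IPTABLES_S line above it: `require_capability( 'ADDRTYPE', 'DOCKER=Yes', 's' );`. The IPv6 rejection and the two capability checks line up with what the generated rules use (`-m addrtype` and `iptables -S`), but a one-line comment saying why ADDRTYPE is required would save the next reader a trip to Rules.pm. get_configuration starts and ends outside the hunk.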
|
||||
|
@ -628,6 +628,22 @@ sub process_stoppedrules() {
|
||||
$result;
|
||||
}
|
||||
|
||||
sub create_docker_rules() {
|
||||
|
||||
add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
|
||||
add_commands( $nat_table->{OUTPUT} , '[ -n "$g_docker" ] && echo "-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
|
||||
|
||||
my $chainref = $filter_table->{FORWARD};
|
||||
|
||||
add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
|
||||
|
||||
if ( known_interface('docker0') ) {
|
||||
add_commands( $filter_table->{FORWARD}, '[ -n "$g_docker" ] && echo "-A FORWARD -o docker0 -j DOCKER" >&3' );
|
||||
}
|
||||
|
||||
add_commands( $chainref, '[ -f $VARDIR/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
|
||||
}
|
||||
|
||||
sub setup_mss();
|
||||
|
||||
sub add_common_rules ( $ ) {
|
||||
@ -646,6 +662,10 @@ sub add_common_rules ( $ ) {
|
||||
my $level = $config{BLACKLIST_LOG_LEVEL};
|
||||
my $tag = $globals{BLACKLIST_LOG_TAG};
|
||||
my $rejectref = $filter_table->{reject};
|
||||
#
|
||||
# Insure that Docker jumps are early in the builtin chains
|
||||
#
|
||||
create_docker_rules if $config{DOCKER};
|
||||
|
||||
if ( $config{DYNAMIC_BLACKLIST} ) {
|
||||
add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag);
|
||||
@ -1508,13 +1528,15 @@ sub add_interface_jumps {
|
||||
# Add Nat jumps
|
||||
#
|
||||
for my $interface ( @_ ) {
|
||||
addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
|
||||
addnatjump $globals{POSTROUTING} , snat_chain( $interface ), imatch_dest_dev( $interface );
|
||||
}
|
||||
|
||||
addnatjump( 'POSTROUTING', 'SHOREWALL' ) if $config{DOCKER};
|
||||
|
||||
for my $interface ( @interfaces ) {
|
||||
addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface );
|
||||
addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
|
||||
addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
|
||||
addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
|
||||
addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
|
||||
|
||||
if ( have_capability 'RAWPOST_TABLE' ) {
|
||||
insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface};
|
||||
@ -2246,8 +2268,8 @@ sub generate_matrix() {
|
||||
#
|
||||
# Make sure that the 1:1 NAT jumps are last in PREROUTING
|
||||
#
|
||||
addnatjump 'PREROUTING' , 'nat_in';
|
||||
addnatjump 'POSTROUTING' , 'nat_out';
|
||||
addnatjump 'PREROUTING' , 'nat_in';
|
||||
addnatjump $globals{POSTROUTING} , 'nat_out';
|
||||
|
||||
add_interface_jumps @interfaces unless $interface_jumps_added;
|
||||
|
||||
@ -2455,6 +2477,16 @@ EOF
|
||||
|
||||
EOF
|
||||
|
||||
if ( $config{DOCKER} ) {
|
||||
push_indent;
|
||||
emit( 'if [ $COMMAND = stop ]; then' );
|
||||
push_indent;
|
||||
save_docker_rules( $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}');
|
||||
pop_indent;
|
||||
emit( "fi\n");
|
||||
pop_indent;
|
||||
}
|
||||
|
||||
if ( have_capability( 'NAT_ENABLED' ) ) {
|
||||
emit<<'EOF';
|
||||
if [ -f ${VARDIR}/nat ]; then
|
||||
@ -2504,6 +2536,10 @@ EOF
|
||||
emit( 'undo_routing',
|
||||
"restore_default_route $config{USE_DEFAULT_RT}"
|
||||
);
|
||||
#
|
||||
# Insure that Docker jumps are early in the builtin chains
|
||||
#
|
||||
create_docker_rules if $config{DOCKER};
|
||||
|
||||
if ( $config{ADMINISABSENTMINDED} ) {
|
||||
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
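Review bot: create_docker_rules places the rules restored from `.filter_FORWARD` and the `-j DOCKER-ISOLATION` / `-j DOCKER` jumps at the head of FORWARD, and add_common_rules calls it before the DYNAMIC_BLACKLIST chains are added just below, so if I read the ordering right traffic matched by the rules captured from Docker (typically bridge ACCEPTs) is never seen by the dynamic blacklist or by any zone policy. That may be the intent ("Insure that Docker jumps are early in the builtin chains"), but it is a policy bypass worth stating explicitly: I would extend the comment at `create_docker_rules if $config{DOCKER};` to say that rules restored from `${VARDIR}/.filter_FORWARD` precede all Shorewall filtering, including the dynamic blacklist. Minor: the `-o docker0` line looks up `$filter_table->{FORWARD}` again although `$chainref` already holds it, and the hard-coded `127.0.0.0/8` relies on Config.pm rejecting DOCKER=Yes for IPv6, which deserves a comment next to it.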
|
||||
|
@ -481,17 +481,22 @@ sub process_a_provider( $ ) {
|
||||
$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
|
||||
}
|
||||
|
||||
my $gatewaycase = '';
|
||||
|
||||
if ( $physical =~ /\+$/ ) {
|
||||
return 0 if $pseudo;
|
||||
fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
|
||||
}
|
||||
|
||||
if ( $gateway eq 'detect' ) {
|
||||
my $gatewaycase = '';
|
||||
my $gw;
|
||||
|
||||
if ( ( $gw = lc $gateway ) eq 'detect' ) {
|
||||
fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
|
||||
$gateway = get_interface_gateway $interface;
|
||||
$gatewaycase = 'detect';
|
||||
} elsif ( $gw eq 'none' ) {
|
||||
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
|
||||
$gatewaycase = 'none';
|
||||
$gateway = '';
|
||||
} elsif ( $gateway && $gateway ne '-' ) {
|
||||
( $gateway, $mac ) = split_host_list( $gateway, 0 );
|
||||
validate_address $gateway, 0;
|
||||
@ -506,7 +511,7 @@ sub process_a_provider( $ ) {
|
||||
|
||||
$gatewaycase = 'specified';
|
||||
} else {
|
||||
$gatewaycase = 'none';
|
||||
$gatewaycase = 'omitted';
|
||||
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
|
||||
$gateway = '';
|
||||
}
|
||||
@ -529,10 +534,12 @@ sub process_a_provider( $ ) {
|
||||
} elsif ( $option eq 'notrack' ) {
|
||||
$track = 0;
|
||||
} elsif ( $option =~ /^balance=(\d+)$/ ) {
|
||||
fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||
fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
|
||||
fatal_error 'The balance setting must be non-zero' unless $1;
|
||||
$balance = $1;
|
||||
} elsif ( $option eq 'balance' || $option eq 'primary') {
|
||||
fatal_error qq('$option' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||
$balance = 1;
|
||||
} elsif ( $option eq 'loose' ) {
|
||||
$loose = 1;
|
||||
@ -550,11 +557,13 @@ sub process_a_provider( $ ) {
|
||||
} elsif ( $option =~ /^mtu=(\d+)$/ ) {
|
||||
$mtu = "mtu $1 ";
|
||||
} elsif ( $option =~ /^fallback=(\d+)$/ ) {
|
||||
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||
fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
|
||||
$default = $1;
|
||||
$default_balance = 0;
|
||||
fatal_error 'fallback must be non-zero' unless $default;
|
||||
} elsif ( $option eq 'fallback' ) {
|
||||
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||
$default = -1;
|
||||
$default_balance = 0;
|
||||
} elsif ( $option eq 'local' ) {
|
||||
@ -567,6 +576,7 @@ sub process_a_provider( $ ) {
|
||||
$track = 0 if $config{TRACK_PROVIDERS};
|
||||
$default_balance = 0 if $config{USE_DEFAULT_RT};
|
||||
} elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
|
||||
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||
$load = sprintf "%1.8f", $1;
|
||||
require_capability 'STATISTIC_MATCH', "load=$1", 's';
|
||||
} elsif ( $option eq 'autosrc' ) {
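Review bot: The check added in the `load=` branch (the `fatal_error` line right after the `$option =~ /^load=(0?\.\d{1,8})/` test, which appears to be the one line this hunk adds) names 'fallback' in its message, so a provider with GATEWAY 'none' and a load= option is rejected with a complaint about an option the user never wrote; it should read `fatal_error q('load' may not be specified when GATEWAY is 'none') if $gatewaycase eq 'none';`. The same family of messages introduced in the balance=, balance/primary, fallback= and fallback branches of the two earlier hunks (the `@ -529,10 +534,12` and `@ -550,11 +557,13` hunks) spell 'specified' as 'spacified'; since these strings are what an operator sees when a misconfiguration is refused, they are worth correcting in one pass. process_a_provider begins and ends outside this hunk.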
|
||||
@ -596,13 +606,13 @@ sub process_a_provider( $ ) {
|
||||
fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
|
||||
|
||||
if ( $local ) {
|
||||
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
|
||||
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'omitted';
|
||||
fatal_error "'track' not valid with 'local'" if $track;
|
||||
fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-';
|
||||
fatal_error "'persistent' is not valid with 'local" if $persistent;
|
||||
} elsif ( $tproxy ) {
|
||||
fatal_error "Only one 'tproxy' provider is allowed" if $tproxies++;
|
||||
fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
|
||||
fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
|
||||
fatal_error "'track' not valid with 'tproxy'" if $track;
|
||||
fatal_error "DUPLICATE not valid with 'tproxy'" if $duplicate ne '-';
|
||||
fatal_error "MARK not allowed with 'tproxy'" if $mark ne '-';
|
||||
@ -649,7 +659,7 @@ sub process_a_provider( $ ) {
|
||||
warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
|
||||
}
|
||||
|
||||
$balance = $default_balance unless $balance;
|
||||
$balance = $default_balance unless $balance || $gatewaycase eq 'none';
|
||||
|
||||
fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface};
|
||||
|
||||
@ -789,7 +799,7 @@ sub add_a_provider( $$ ) {
|
||||
|
||||
push_indent;
|
||||
|
||||
if ( $gatewaycase eq 'none' ) {
|
||||
if ( $gatewaycase eq 'omitted' ) {
|
||||
if ( $tproxy ) {
|
||||
emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
|
||||
} else {
|
||||
@ -867,7 +877,7 @@ sub add_a_provider( $$ ) {
|
||||
}
|
||||
$provider_interfaces{$interface} = $table;
|
||||
|
||||
if ( $gatewaycase eq 'none' ) {
|
||||
if ( $gatewaycase eq 'omitted' ) {
|
||||
if ( $tproxy ) {
|
||||
emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
|
||||
} else {
|
||||
@ -907,7 +917,7 @@ CEOF
|
||||
|
||||
emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
|
||||
"echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
|
||||
);
|
||||
);
|
||||
}
|
||||
|
||||
if ( $duplicate ne '-' ) {
|
||||
|
@ -1178,12 +1178,11 @@ sub finish_section ( $ ) {
|
||||
#
|
||||
# Internally, action invocations are uniquely identified by a 5-tuple that
|
||||
# includes the action name, log level, log tag, calling chain and params.
|
||||
# The pieces of the tuple are separated by ":".
|
||||
# The pieces of the tuple are separated by ":". The calling chain is non-empty
|
||||
# only when the action refers to @CALLER.
|
||||
#
|
||||
sub normalize_action( $$$ ) {
|
||||
my $action = shift;
|
||||
my $level = shift;
|
||||
my $param = shift;
|
||||
my ( $action, $level, $param ) = @_;
|
||||
my $caller = ''; #We assume that the function doesn't use @CALLER
|
||||
|
||||
( $level, my $tag ) = split ':', $level;
|
||||
|
@ -499,6 +499,25 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
|
||||
},
|
||||
},
|
||||
|
||||
ECN => {
|
||||
defaultchain => POSTROUTING,
|
||||
allowedchains => ALLCHAINS,
|
||||
minparams => 0,
|
||||
maxparams => 0,
|
||||
function => sub() {
|
||||
fatal_error "The ECN target is only available with IPv4" if $family == F_IPV6;
|
||||
|
||||
if ( $proto eq '-' ) {
|
||||
$proto = TCP;
|
||||
} else {
|
||||
$proto = resolve_proto( $proto ) || 0;
|
||||
fatal_error "Only PROTO tcp (6) is allowed with the ECN action" unless $proto == TCP;
|
||||
}
|
||||
|
||||
$target = 'ECN --ecn-tcp-remove';
|
||||
}
|
||||
},
|
||||
|
||||
HL => {
|
||||
defaultchain => FORWARD,
|
||||
allowedchains => PREROUTING | FORWARD,
|
||||
|
@ -1,4 +1,4 @@
|
||||
# (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# This program is part of Shorewall.
|
||||
#
|
||||
|
@ -125,6 +125,8 @@ g_sha1sum2=
|
||||
g_counters=
|
||||
g_compiled=
|
||||
g_file=
|
||||
g_docker=
|
||||
g_dockernetwork=
|
||||
|
||||
initialize
|
||||
|
||||
|
@ -146,6 +146,8 @@ DEFER_DNS_RESOLUTION=Yes
|
||||
|
||||
DISABLE_IPV6=No
|
||||
|
||||
DOCKER=No
|
||||
|
||||
DELETE_THEN_ADD=Yes
|
||||
|
||||
DETECT_DNAT_IPADDRS=No
|
||||
|
@ -157,6 +157,8 @@ DEFER_DNS_RESOLUTION=Yes
|
||||
|
||||
DISABLE_IPV6=No
|
||||
|
||||
DOCKER=No
|
||||
|
||||
DELETE_THEN_ADD=Yes
|
||||
|
||||
DETECT_DNAT_IPADDRS=No
|
||||
|
@ -154,6 +154,8 @@ DEFER_DNS_RESOLUTION=Yes
|
||||
|
||||
DISABLE_IPV6=No
|
||||
|
||||
DOCKER=No
|
||||
|
||||
DELETE_THEN_ADD=Yes
|
||||
|
||||
DETECT_DNAT_IPADDRS=No
|
||||
|
@ -157,6 +157,8 @@ DEFER_DNS_RESOLUTION=Yes
|
||||
|
||||
DISABLE_IPV6=No
|
||||
|
||||
DOCKER=No
|
||||
|
||||
DELETE_THEN_ADD=Yes
|
||||
|
||||
DETECT_DNAT_IPADDRS=No
|
||||
|
@ -150,6 +150,8 @@ DETECT_DNAT_IPADDRS=No
|
||||
|
||||
DISABLE_IPV6=No
|
||||
|
||||
DOCKER=No
|
||||
|
||||
DONT_LOAD=
|
||||
|
||||
DYNAMIC_BLACKLIST=Yes
|
||||
|
@ -2,7 +2,7 @@
|
||||
#
|
||||
# Script to install Shoreline Firewall
|
||||
#
|
||||
# (c) 2000-201,2014 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.net
|
||||
#
|
||||
|
@ -339,6 +339,18 @@ DIVERTHA - - tcp</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ECN</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.6 as an alternative to entries in
|
||||
<ulink url="shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
|
||||
PROTO is specified, it must be 'tcp' (6). If no PROTO is
|
||||
supplied, TCP is assumed. This action causes all ECN bits in
|
||||
the TCP header to be cleared.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</term>
|
||||
|
@ -130,7 +130,7 @@
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
|
||||
role="bold">detect</emphasis>}</term>
|
||||
role="bold">detect|none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>The IP address of the provider's gateway router. Beginning
|
||||
@ -139,8 +139,12 @@
|
||||
interface. When the MAC is not specified, Shorewall will detect the
|
||||
MAC during firewall start or restart.</para>
|
||||
|
||||
<para>You can enter "detect" here and Shorewall will attempt to
|
||||
detect the gateway automatically.</para>
|
||||
<para>You can enter <emphasis role="bold">detect</emphasis> here and
|
||||
Shorewall will attempt to detect the gateway automatically.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
|
||||
role="bold">none</emphasis>. This causes creation of a routing table
|
||||
with no default route in it.</para>
|
||||
|
||||
<para>For PPP devices, you may omit this column.</para>
|
||||
</listitem>
|
||||
|
@ -733,6 +733,23 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DOCKER=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.6. When set to <option>Yes</option>,
|
||||
the generated script will save Docker-generated rules before and
|
||||
restore them after executing the <command>start</command>,
|
||||
<command>stop</command>, <command>reload</command> and
|
||||
<command>restart</command> commands. If set to <option>No</option>
|
||||
(the default), the generated script will delete any Docker-generated
|
||||
rules when executing those commands. See<ulink url="/Docker.html">
|
||||
http://www.shorewall.net/Docker.html</ulink> for additional
|
||||
information.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term>
|
||||
@ -763,8 +780,8 @@
|
||||
<listitem>
|
||||
<para>Normally, when the SOURCE or DEST columns in
|
||||
shorewall-policy(5) contains 'all', a single policy chain is created
|
||||
and the policy is enforced in that chain. For example, if the policy
|
||||
entry is<programlisting>#SOURCE DEST POLICY LOG
|
||||
and thes policy is enforced in that chain. For example, if the
|
||||
policy entry is<programlisting>#SOURCE DEST POLICY LOG
|
||||
# LEVEL
|
||||
net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
('net2all if ZONE2ZONE=2) which is also the chain named in Shorewall
|
||||
|
@ -2,7 +2,7 @@
|
||||
#
|
||||
# Script to back uninstall Shoreline Firewall
|
||||
#
|
||||
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://www.shorewall.net
|
||||
#
|
||||
|
@ -2,7 +2,7 @@
|
||||
#
|
||||
# Script to back uninstall Shoreline Firewall 6 Lite
|
||||
#
|
||||
# (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
||||
#
|
||||
|
@ -119,13 +119,17 @@
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
|
||||
role="bold">detect</emphasis>}</term>
|
||||
role="bold">detect|none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>The IP address of the provider's gateway router.</para>
|
||||
|
||||
<para>You can enter "detect" here and Shorewall6 will attempt to
|
||||
detect the gateway automatically.</para>
|
||||
<para>You can enter <emphasis role="bold">detect</emphasis> here and
|
||||
Shorewall6 will attempt to detect the gateway automatically.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
|
||||
role="bold">none</emphasis>. This causes creation of a routing table
|
||||
with no default route in it.</para>
|
||||
|
||||
<para>For PPP devices, you may omit this column.</para>
|
||||
</listitem>
|
||||
|
@ -2,7 +2,7 @@
|
||||
#
|
||||
# Script to back uninstall Shoreline Firewall 6
|
||||
#
|
||||
# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://www.shorewall.net
|
||||
#
|
||||
|
@ -127,7 +127,7 @@ GATEWAY=::192.88.99.1</programlisting></para>
|
||||
wireless). eth4 goes to my DMZ which holds a single server. Here is a
|
||||
diagram of the IPv4 network:</para>
|
||||
|
||||
<graphic align="center" fileref="images/Network2009.png" />
|
||||
<graphic align="center" fileref="images/Network2009.png"/>
|
||||
|
||||
<para>Here is the configuration after IPv6 is configured; the part in
|
||||
bold font is configured by the /etc/init.d/ipv6 script.</para>
|
||||
@ -283,7 +283,7 @@ ursa:~ #</programlisting></para>
|
||||
|
||||
<para>Here is the resulting simple IPv6 Network:</para>
|
||||
|
||||
<graphic align="center" fileref="images/Network2009b.png" />
|
||||
<graphic align="center" fileref="images/Network2009b.png"/>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@ -338,7 +338,7 @@ ursa:~ #</programlisting></para>
|
||||
|
||||
<para>So the IPv4 network was transformed to this:</para>
|
||||
|
||||
<graphic align="center" fileref="images/Network2009a.png" />
|
||||
<graphic align="center" fileref="images/Network2009a.png"/>
|
||||
|
||||
<para>To implement the same IPv6 network as described above, I used this
|
||||
/etc/shorewall/interfaces file:</para>
|
||||
@ -407,7 +407,7 @@ iface sit1 inet6 v4tunnel
|
||||
|
||||
<para>That file produces the following IPv6 network.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Network2008c.png" />
|
||||
<graphic align="center" fileref="images/Network2008c.png"/>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@ -475,7 +475,7 @@ dmz eth2 tcpflags,forward=1</programlisting></par
|
||||
<para><filename>/etc/shorewall6/policy</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
<para><programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
net all DROP info
|
||||
loc net ACCEPT
|
||||
dmz net ACCEPT
|
||||
@ -485,7 +485,7 @@ all all REJECT info</programlisting></para>
|
||||
<para><filename>/etc/shorewall6/rules</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGINAL RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
|
||||
?SECTION ALL
|
||||
?SECTION ESTABLISHED
|
||||
@ -493,7 +493,6 @@ all all REJECT info</programlisting></para>
|
||||
?SECTION INVALID
|
||||
?SECTION UNTRACKED
|
||||
?SECTION NEW
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#
|
||||
# Accept DNS connections from the firewall to the network
|
||||
#
|
||||
@ -505,8 +504,7 @@ SSH(ACCEPT) loc $FW
|
||||
#
|
||||
# Allow Ping everywhere
|
||||
#
|
||||
Ping(ACCEPT) all all</programlisting>
|
||||
</para>
|
||||
Ping(ACCEPT) all all</programlisting></para>
|
||||
</blockquote>
|
||||
</section>
|
||||
</section>
|
||||
@ -652,7 +650,7 @@ interface eth2 {
|
||||
|
||||
<para>Suppose that we have the following situation:</para>
|
||||
|
||||
<graphic fileref="images/TwoIPv6Nets1.png" />
|
||||
<graphic fileref="images/TwoIPv6Nets1.png"/>
|
||||
|
||||
<para>We want systems in the 2002:100:333::/64 subnetwork to be able to
|
||||
communicate with the systems in the 2002:488:999::/64 network. This is
|
||||
|
242
docs/Actions.xml
242
docs/Actions.xml
@ -101,13 +101,11 @@
|
||||
# both directions.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
#TARGET SOURCE DEST PROTO DPORT SPORT RATE USER
|
||||
ACCEPT - - udp 135,445
|
||||
ACCEPT - - udp 137:139
|
||||
ACCEPT - - udp 1024: 137
|
||||
ACCEPT - - tcp 135,139,445
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
ACCEPT - - tcp 135,139,445</programlisting>
|
||||
|
||||
<para>If you wish to modify one of the standard actions, do not modify
|
||||
the definition in <filename
|
||||
@ -335,21 +333,11 @@ ACCEPT - - tcp 135,139,445
|
||||
</orderedlist>
|
||||
|
||||
<section>
|
||||
<title>Shorewall 4.4.16 and Later.</title>
|
||||
<title>Shorewall 5.0.0 and Later.</title>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.16, the columns in action.template
|
||||
are the same as those in shorewall-rules (5). The first non-commentary
|
||||
line in the template must be</para>
|
||||
|
||||
<programlisting>FORMAT 2</programlisting>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.11, the preferred format is as shown
|
||||
below, and the above format is deprecated.</para>
|
||||
|
||||
<programlisting>?FORMAT 2</programlisting>
|
||||
|
||||
<para>When using Shorewall 4.4.16 or later, there are no restrictions
|
||||
regarding which targets can be used within your action.</para>
|
||||
<para>In Shorewall 5.0, the columns in action.template are the same as
|
||||
those in shorewall-rules (5). There are no restrictions regarding which
|
||||
targets can be used within your action.</para>
|
||||
|
||||
<para>The SOURCE and DEST columns in the action file may not include
|
||||
zone names; those are given when the action is invoked.</para>
|
||||
@ -361,22 +349,18 @@ ACCEPT - - tcp 135,139,445
|
||||
|
||||
<para>/etc/shorewall/action.A:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
FORMAT 2
|
||||
<programlisting>#TARGET SOURCE DEST PROTO Dport SPORT ORIGDEST
|
||||
$1 - - tcp 80 - 1.2.3.4</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
|
||||
A(REDIRECT) net fw</programlisting>
|
||||
|
||||
<para>The above is equivalent to this rule:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
|
||||
|
||||
<para>You can 'omit' parameters by using '-'.</para>
|
||||
@ -413,194 +397,6 @@ REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
|
||||
url="configuration_file_basics.htm#ActionVariables">Action Variables
|
||||
section</ulink> of the Configuration Basics article.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Shorewall 4.4.15 and Earlier.</title>
|
||||
|
||||
<para>Prior to 4.4.16, columns in the
|
||||
<filename>action.template</filename> file were as follows:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
|
||||
an <<emphasis>action</emphasis>> where
|
||||
<<emphasis>action</emphasis>> is a previously-defined action
|
||||
(that is, it must precede the action being defined in this file in
|
||||
your <filename>/etc/shorewall/actions</filename> file). These
|
||||
actions have the same meaning as they do in the
|
||||
<filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
|
||||
processing of the current action and returns to the point where that
|
||||
action was invoked). The TARGET may optionally be followed by a
|
||||
colon (<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
|
||||
ACCEPT:debugging). This causes the packet to be logged at the
|
||||
specified level. You may also specify ULOG (must be in upper case)
|
||||
as a log level. This will log to the ULOG target for routing to a
|
||||
separate log through use of ulogd (<ulink
|
||||
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
||||
|
||||
<para>You may also use a <ulink url="Macros.html">macro</ulink> in
|
||||
your action provided that the macro's expansion only results in the
|
||||
ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
|
||||
<filename>/usr/share/shorewall/action.Drop</filename> for an example
|
||||
of an action that users macros extensively.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>SOURCE - Source hosts to which the rule applies. A
|
||||
comma-separated list of subnets and/or hosts. Hosts may be specified
|
||||
by IP or MAC address; MAC addresses must begin with <quote>~</quote>
|
||||
and must use <quote>-</quote> as a separator.</para>
|
||||
|
||||
<para>Alternatively, clients may be specified by interface name. For
|
||||
example, eth1 specifies a client that communicates with the firewall
|
||||
system through eth1. This may be optionally followed by another
|
||||
colon (<quote>:</quote>) and an IP/MAC/subnet address as described
|
||||
above (e.g., eth1:192.168.1.5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>DEST - Location of Server. Same as above with the exception
|
||||
that MAC addresses are not allowed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>PROTO - Protocol - Must be <quote>tcp</quote>,
|
||||
<quote>udp</quote>, <quote>icmp</quote>, a protocol number, or
|
||||
<quote>all</quote>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>DEST PORT(S) - Destination Ports. A comma-separated list of
|
||||
Port names (from <filename>/etc/services</filename>), port numbers
|
||||
or port ranges; if the protocol is <quote>icmp</quote>, this column
|
||||
is interpreted as the destination icmp-type(s).</para>
|
||||
|
||||
<para>A port range is expressed as <<emphasis>low
|
||||
port</emphasis>>:<<emphasis>high port</emphasis>>.</para>
|
||||
|
||||
<para>This column is ignored if PROTO = <quote>all</quote>, but must
|
||||
be entered if any of the following fields are supplied. In that
|
||||
case, it is suggested that this field contain
|
||||
<quote>-</quote>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
|
||||
source port is acceptable. Specified as a comma-separated list of
|
||||
port names, port numbers or port ranges.</para>
|
||||
|
||||
<para>If you don't want to restrict client ports but need to specify
|
||||
any of the subsequent fields, then place <quote>-</quote> in this
|
||||
column.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>RATE LIMIT - You may rate-limit the rule by placing a value in
|
||||
this column:</para>
|
||||
|
||||
<para><programlisting> <<emphasis>rate</emphasis>>/<<emphasis>interval</emphasis>>[:<<emphasis>burst</emphasis>>]</programlisting>where
|
||||
<<emphasis>rate</emphasis>> is the number of connections per
|
||||
<<emphasis>interval</emphasis>> (<quote>sec</quote> or
|
||||
<quote>min</quote>) and <<emphasis>burst</emphasis>> is the
|
||||
largest burst permitted. If no <<emphasis>burst</emphasis>> is
|
||||
given, a value of 5 is assumed. There may be no whitespace embedded
|
||||
in the specification.</para>
|
||||
|
||||
<para><programlisting> Example: 10/sec:20</programlisting></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>USER/GROUP - For output rules (those with the firewall as
|
||||
their source), you may control connections based on the effective
|
||||
UID and/or GID of the process requesting the connection. This column
|
||||
can contain any of the following:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>[!]<<emphasis>user number</emphasis>>[:]</member>
|
||||
|
||||
<member>[!]<<emphasis>user name</emphasis>>[:]</member>
|
||||
|
||||
<member>[!]:<<emphasis>group number</emphasis>></member>
|
||||
|
||||
<member>[!]:<<emphasis>group name</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user
|
||||
number</emphasis>>:<<emphasis>group
|
||||
number</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user
|
||||
name</emphasis>>:<<emphasis>group
|
||||
number</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user
|
||||
inumber</emphasis>>:<<emphasis>group
|
||||
name</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user
|
||||
name</emphasis>>:<<emphasis>group
|
||||
name</emphasis>></member>
|
||||
|
||||
<member>[!]+<<emphasis>program name</emphasis>> (Note:
|
||||
support for this form was removed from Netfilter in kernel version
|
||||
2.6.14).</member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>MARK</para>
|
||||
|
||||
<para><simplelist>
|
||||
<member>[!]<<emphasis>value</emphasis>>[/<<emphasis>mask</emphasis>>][:C]</member>
|
||||
</simplelist></para>
|
||||
|
||||
<para>Defines a test on the existing packet or connection mark. The
|
||||
rule will match only if the test returns true.</para>
|
||||
|
||||
<para>If you don’t want to define a test but need to specify
|
||||
anything in the subsequent columns, place a <quote>-</quote> in this
|
||||
field.<simplelist>
|
||||
<member>! — Inverts the test (not equal)</member>
|
||||
|
||||
<member><<emphasis>value</emphasis>> — Value of the packet
|
||||
or connection mark.</member>
|
||||
|
||||
<member><<emphasis>mask</emphasis>> —A mask to be applied
|
||||
to the mark before testing.</member>
|
||||
|
||||
<member>:C — Designates a connection mark. If omitted, the
|
||||
packet mark’s value is tested. This option is only supported by
|
||||
Shorewall-perl</member>
|
||||
</simplelist></para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Omitted column entries should be entered using a dash
|
||||
(<quote>-</quote>).</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<para><filename>/etc/shorewall/actions</filename>:</para>
|
||||
|
||||
<para><programlisting> #ACTION COMMENT (place '# ' below the 'C' in comment followed by
|
||||
# v a comment describing the action)
|
||||
LogAndAccept # LOG and ACCEPT a connection</programlisting><emphasis
|
||||
role="bold">Note:</emphasis> If your
|
||||
<filename>/etc/shorewall/actions</filename> file doesn't have an
|
||||
indication where to place the comment, put the <quote>#</quote> in
|
||||
column 21.</para>
|
||||
|
||||
<para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
|
||||
ACCEPT</programlisting></para>
|
||||
|
||||
<para>Placing a comment on the line causes the comment to appear in the
|
||||
output of the <command>shorewall show actions</command> command.</para>
|
||||
|
||||
<para>To use your action, in <filename>/etc/shorewall/rules</filename>
|
||||
you might do something like:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
LogAndAccept loc $FW tcp 22</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="Logging">
|
||||
@ -625,19 +421,19 @@ LogAndAccept loc $FW tcp 22</programlisting>
|
||||
|
||||
<para>/etc/shorewall/action.foo</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT
|
||||
ACCEPT - - tcp 22
|
||||
bar:info</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
foo:debug $FW net</programlisting>
|
||||
|
||||
<para>Logging in the invoke <quote>foo</quote> action will be as if
|
||||
foo had been defined as:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT
|
||||
ACCEPT:debug - - tcp 22
|
||||
bar:info</programlisting>
|
||||
</listitem>
|
||||
@ -651,19 +447,19 @@ bar:info</programlisting>
|
||||
|
||||
<para>/etc/shorewall/action.foo</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT
|
||||
ACCEPT - - tcp 22
|
||||
bar:info</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
foo:debug! $FW net</programlisting>
|
||||
|
||||
<para>Logging in the invoke <quote>foo</quote> action will be as if
|
||||
foo had been defined as:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT
|
||||
ACCEPT:debug - - tcp 22
|
||||
bar:debug</programlisting>
|
||||
</listitem>
|
||||
@ -1113,22 +909,22 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
|
||||
role="bold">SSHA</emphasis>, and to limit SSH connections to 3 per minute,
|
||||
use this entry in <filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Limit:none:SSHA,3,60 net $FW tcp 22</programlisting>
|
||||
|
||||
<para>Using Shorewall 4.4.16 or later, you can also invoke the action this
|
||||
way:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Limit(SSHA,3,60):none net $FW tcp 22</programlisting>
|
||||
|
||||
<para>If you want dropped connections to be logged at the info level, use
|
||||
this rule instead:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Limit:info:SSHA,3,60 net $FW tcp 22</programlisting>
|
||||
|
||||
<para>Shorewall 4.4.16 and later:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<para>Shorewall 4.4.16 and later:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Limit(SSH,3,60):info net $FW tcp 22</programlisting></para>
|
||||
|
||||
<para>To summarize, you pass four pieces of information to the Limit
|
||||
|
@ -5,7 +5,7 @@
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Anatomy of Shorewall 4.5</title>
|
||||
<title>Anatomy of Shorewall 5.0</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
@ -43,7 +43,7 @@
|
||||
<section id="Products">
|
||||
<title>Products</title>
|
||||
|
||||
<para>Shorewall 4.5 consists of six packages.</para>
|
||||
<para>Shorewall 5.0 consists of six packages.</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
|
@ -74,12 +74,11 @@
|
||||
<section>
|
||||
<title>Policy Rate Limiting</title>
|
||||
|
||||
<para>The LIMIT:BURST column in the
|
||||
<filename>/etc/shorewall/policy</filename> file applies to TCP
|
||||
connections that are subject to the policy. The limiting is applied
|
||||
BEFORE the connection request is passed through the rules generated by
|
||||
entries in <filename>/etc/shorewall/rules</filename>. Those connections
|
||||
in excess of the limit are logged and dropped.</para>
|
||||
<para>The LIMIT column in the <filename>/etc/shorewall/policy</filename>
|
||||
file applies to TCP connections that are subject to the policy. The
|
||||
limiting is applied BEFORE the connection request is passed through the
|
||||
rules generated by entries in <filename>/etc/shorewall/rules</filename>.
|
||||
Those connections in excess of the limit are logged and dropped.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
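--- /dev/null
+++ b/docs/Docker.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+<!--$Id$-->
+
+<articleinfo>
+<title>Docker Support</title>
+
+<authorgroup>
+<author>
+<firstname>Tom</firstname>
+
+<surname>Eastep</surname>
+</author>
+</authorgroup>
+
+<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+<copyright>
+<year>2016</year>
+
+<holder>Thomas M. Eastep</holder>
+</copyright>
+
+<legalnotice>
+<para>Permission is granted to copy, distribute and/or modify this
+document under the terms of the GNU Free Documentation License, Version
+1.2 or any later version published by the Free Software Foundation; with
+no Invariant Sections, with no Front-Cover, and with no Back-Cover
+Texts. A copy of the license is included in the section entitled
+<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+License</ulink></quote>.</para>
+</legalnotice>
+</articleinfo>
+
+<section>
+<title>Shorewall 5.0.5 and Earlier</title>
+
+<para>Both Docker and Shorewall assume that they 'own' the iptables
+configuration. This leads to problems when Shorewall is restarted or
+reloaded, because it drops all of the rules added by Docker. Fortunately,
+the extensibility features in Shorewall allow users to <ulink
+url="https://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/#">create
+their own solution</ulink> for saving the Docker-generated rules before
+these operations and restoring them afterwards.</para>
+</section>
+
+<section>
+<title>Shorewall 5.0.6 and Later</title>
+
+<para>Beginning with Shorewall 5.0.6, Shorewall has native support for
+simple Docker configurations. This support is enabled by setting
+DOCKER=Yes in shorewall.conf. With this setting, the generated script
+saves the Docker-created ruleset before executing a
+<command>stop</command>, <command>start</command>,
+<command>restart</command> or <command>reload</command> operation and
+restores those rules along with the Shorewall-generated ruleset.</para>
+
+<para>This support assumes that the default Docker bridge (docker0) is
+being used. It is recommended that this bridge be defined to Shorewall in
+<ulink
+url="manpages/shorewall-interfaces.html">shorewall-interfaces(8)</ulink>.
+As shown below, you can control inter-container communication using the
+<option>bridge</option> and <option>routeback</option> options. If docker0
+is not defined to Shorewall, then Shorewall will save and restore the
+FORWARD chain rules involving that interface.</para>
+
+<para><filename>/etc/shorewall/shorewall.conf</filename>:</para>
+
+<programlisting>DOCKER=Yes</programlisting>
+
+<para><filename>/etc/shorewall/zones</filename>:</para>
+
+<programlisting>#ZONE TYPE OPTIONS
+dock ipv4 #'dock' is just an example -- call it anything you like</programlisting>
+
+<para><filename>/etc/shorewall/policy</filename>:</para>
+
+<programlisting>#SOURCE DEST POLICY LEVEL
+dock $FW REJECT
+dock all ACCEPT</programlisting>
+
+<para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+<programlisting>#ZONE INTERFACE OPTIONS
+dock docker0 bridge #Allow ICC (bridge implies routeback=1)</programlisting>
+
+<para>or</para>
+
+<programlisting>#ZONE INTERFACE OPTIONS
+dock docker0 bridge,routeback=0 #Disallow ICC</programlisting>
+</section>
+</article>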
@ -265,7 +265,7 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
|
||||
<entry><ulink url="Docker.html">Docker</ulink></entry>
|
||||
|
||||
<entry><ulink url="starting_and_stopping_shorewall.htm">Operating
|
||||
Shorewall</ulink></entry>
|
||||
@ -275,8 +275,7 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="ECN.html">ECN Disabling by host or
|
||||
subnet</ulink></entry>
|
||||
<entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
|
||||
|
||||
<entry><ulink url="PacketMarking.html">Packet
|
||||
Marking</ulink></entry>
|
||||
@ -285,7 +284,8 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="Events.html">Events</ulink></entry>
|
||||
<entry><ulink url="ECN.html">ECN Disabling by host or
|
||||
subnet</ulink></entry>
|
||||
|
||||
<entry><ulink url="PacketHandling.html">Packet Processing in a
|
||||
Shorewall-based Firewall</ulink></entry>
|
||||
@ -294,8 +294,7 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="shorewall_extension_scripts.htm">Extension
|
||||
Scripts (User Exits)</ulink></entry>
|
||||
<entry><ulink url="Events.html">Events</ulink></entry>
|
||||
|
||||
<entry><ulink url="ping.html">'Ping' Management</ulink></entry>
|
||||
|
||||
@ -304,8 +303,8 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink
|
||||
url="fallback.htm">Fallback/Uninstall</ulink></entry>
|
||||
<entry><ulink url="shorewall_extension_scripts.htm">Extension
|
||||
Scripts (User Exits)</ulink></entry>
|
||||
|
||||
<entry><ulink url="two-interface.htm#DNAT">Port
|
||||
Forwarding</ulink></entry>
|
||||
@ -315,7 +314,8 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="FAQ.htm">FAQs</ulink></entry>
|
||||
<entry><ulink
|
||||
url="fallback.htm">Fallback/Uninstall</ulink></entry>
|
||||
|
||||
<entry><ulink url="ports.htm">Port Information</ulink></entry>
|
||||
|
||||
@ -324,8 +324,7 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink
|
||||
url="shorewall_features.htm">Features</ulink></entry>
|
||||
<entry><ulink url="FAQ.htm">FAQs</ulink></entry>
|
||||
|
||||
<entry><ulink url="PortKnocking.html">Port Knocking
|
||||
(deprecated)</ulink></entry>
|
||||
@ -334,8 +333,8 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
|
||||
Same Interface</ulink></entry>
|
||||
<entry><ulink
|
||||
url="shorewall_features.htm">Features</ulink></entry>
|
||||
|
||||
<entry><ulink url="Events.html">Port Knocking, Auto Blacklisting
|
||||
and Other Uses of the 'Recent Match'</ulink></entry>
|
||||
@ -344,18 +343,28 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
|
||||
<entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
|
||||
Same Interface</ulink></entry>
|
||||
|
||||
<entry><ulink url="PPTP.htm">PPTP</ulink></entry>
|
||||
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
|
||||
|
||||
<entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
|
||||
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="FoolsFirewall.html">Fool's
|
||||
Firewall</ulink></entry>
|
||||
|
||||
<entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
|
||||
<entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides</ulink></entry>
|
||||
|
||||
<entry/>
|
||||
</row>
|
||||
@ -364,8 +373,7 @@
|
||||
<entry><ulink url="Helpers.html">Helpers/Helper
|
||||
Modules</ulink></entry>
|
||||
|
||||
<entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides</ulink></entry>
|
||||
<entry><ulink url="NewRelease.html">Release Model</ulink></entry>
|
||||
|
||||
<entry/>
|
||||
</row>
|
||||
@ -374,14 +382,6 @@
|
||||
<entry><ulink
|
||||
url="Install.htm">Installation/Upgrade</ulink></entry>
|
||||
|
||||
<entry><ulink url="NewRelease.html">Release Model</ulink></entry>
|
||||
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
|
||||
|
||||
<entry><ulink
|
||||
url="shorewall_prerequisites.htm">Requirements</ulink></entry>
|
||||
|
||||
@ -389,7 +389,7 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
|
||||
<entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
|
||||
|
||||
<entry><ulink url="Shorewall_and_Routing.html">Routing and
|
||||
Shorewall</ulink></entry>
|
||||
@ -398,7 +398,7 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="ipsets.html">Ipsets</ulink></entry>
|
||||
<entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
|
||||
|
||||
<entry><ulink url="Multiple_Zones.html">Routing on One
|
||||
Interface</ulink></entry>
|
||||
@ -407,18 +407,27 @@
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
|
||||
<entry><ulink url="ipsets.html">Ipsets</ulink></entry>
|
||||
|
||||
<entry><ulink url="samba.htm">Samba</ulink></entry>
|
||||
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
|
||||
|
||||
<entry><ulink url="Events.html">Shorewall Events</ulink></entry>
|
||||
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><ulink url="ISO-3661.html">ISO 3661 Country
|
||||
Codes</ulink></entry>
|
||||
|
||||
<entry><ulink url="Events.html">Shorewall Events</ulink></entry>
|
||||
<entry><ulink url="Shorewall-init.html">Shorewall
|
||||
Init</ulink></entry>
|
||||
|
||||
<entry/>
|
||||
</row>
|
||||
@ -427,8 +436,8 @@
|
||||
<entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
|
||||
Filtering</ulink></entry>
|
||||
|
||||
<entry><ulink url="Shorewall-init.html">Shorewall
|
||||
Init</ulink></entry>
|
||||
<entry><ulink url="Shorewall-Lite.html">Shorewall
|
||||
Lite</ulink></entry>
|
||||
|
||||
<entry/>
|
||||
</row>
|
||||
@ -437,8 +446,7 @@
|
||||
<entry><ulink url="kernel.htm">Kernel
|
||||
Configuration</ulink></entry>
|
||||
|
||||
<entry><ulink url="Shorewall-Lite.html">Shorewall
|
||||
Lite</ulink></entry>
|
||||
<entry/>
|
||||
|
||||
<entry/>
|
||||
</row>
|
||||
|
245
docs/Dynamic.xml
245
docs/Dynamic.xml
@ -49,140 +49,12 @@
|
||||
support is based on <ulink
|
||||
url="http://ipset.netfilter.org/">ipset</ulink>. Most current
|
||||
distributions have ipset, but you may need to install the <ulink
|
||||
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section id="xtables-addons">
|
||||
<title>Installing xtables-addons</title>
|
||||
|
||||
<para>If your distribution does not have an xtables-addons package, the
|
||||
xtables-addons are fairly easy to install. You do not need to recompile
|
||||
your kernel.</para>
|
||||
|
||||
<para><trademark>Debian</trademark> users can find xtables-addons-common
|
||||
and xtables-addons-source packages in <firstterm>testing</firstterm>. The
|
||||
kernel modules can be built and installed with the help of
|
||||
module-assistant. As of this writing, these packages are in the
|
||||
<firstterm>admin</firstterm> group rather than in the
|
||||
<firstterm>network</firstterm> group!!??</para>
|
||||
|
||||
<para>For other users, the basic steps are as follows:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Install gcc and make</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Install the headers for the kernel you are running. In some
|
||||
distributions, such as <trademark>Debian</trademark> and
|
||||
<trademark>Ubuntu</trademark>, the packet is called kernel-headers.
|
||||
For other distrubutions, such as OpenSuSE, you must install the
|
||||
kernel-source package.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>download the iptables source tarball</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>untar the source</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>cd to the iptables source directory</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>run 'make'</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>as root, run 'make install'</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Your new iptables binary will now be installed in
|
||||
/usr/local/sbin. Modify shorewall.conf to specify
|
||||
IPTABLES=/usr/local/sbin/iptables</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Download the latest xtables-addons source tarball</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Untar the xtables-addons source</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>cd to the xtables-addons source directory</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>run './configure'</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>run 'make'</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>As root, cd to the xtables-addons directory and run 'make
|
||||
install'.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Restart shorewall</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>'shorewall show capabilities' should now indicate<emphasis
|
||||
role="bold"> Ipset Match: Available</emphasis></para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>You will have to repeat steps 10-13 each time that you receive a
|
||||
kernel upgrade from your distribution vendor. You can install
|
||||
xtables-addons before booting to the new kernel as follows
|
||||
(<emphasis>new-kernel-version</emphasis> is the version of the
|
||||
newly-installed kernel - example <emphasis
|
||||
role="bold">2.6.28.11-generic</emphasis>. Look in the /lib/modules
|
||||
directory to get the full version name)</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>cd to the xtables-addons source directory</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>run 'make clean'</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>run './configure
|
||||
--with-kbuild=/lib/modules/<emphasis>new-kernel-version</emphasis>/build
|
||||
--with-ksource=/lib/modules/<emphasis>new-kernel-version</emphasis>/source'</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>run 'make'</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>As root, cd to the xtables-addons source directory and run 'make
|
||||
install'.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>As root, run 'depmod -a
|
||||
<emphasis>new-kernel-version'</emphasis></para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
|
||||
package.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Dynamic Zones -- Shorewall 4.5.9 and Later</title>
|
||||
<title>Dynamic Zones</title>
|
||||
|
||||
<para>Prior to Shorewall 4.5.9, when multiple records for a zone appear in
|
||||
<filename>/etc/shorewall/hosts</filename>, Shorewall would create a
|
||||
@ -288,117 +160,6 @@ rsyncok:
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="Version-4.5.9">
|
||||
<title>Dynamic Zones -- Shorewall 4.5.8 and Earlier.</title>
|
||||
|
||||
<para>The method described in this section is still supported in the later
|
||||
releases.</para>
|
||||
|
||||
<section id="defining1">
|
||||
<title>Defining a Dynamic Zone</title>
|
||||
|
||||
<para>A dynamic zone is defined by using the keyword <emphasis
|
||||
role="bold">dynamic</emphasis> in the zones host list.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/zones</filename>:<programlisting>#NAME TYPE OPTIONS
|
||||
loc ipv4
|
||||
webok:loc ipv4</programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth0 - …
|
||||
</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE HOSTS OPTIONS
|
||||
webok eth0:<emphasis role="bold">dynamic</emphasis></programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>Once the above definition is added, Shorewall will automatically
|
||||
create an ipset named <emphasis>webok_eth0</emphasis> the next time that
|
||||
Shorewall is started or restarted. Shorewall will create an ipset of
|
||||
type <firstterm>iphash</firstterm>. If you want to use a different type
|
||||
of ipset, such as <firstterm>macipmap</firstterm>, then you will want to
|
||||
manually create that ipset yourself before the next Shorewall
|
||||
start/restart.</para>
|
||||
|
||||
<para>The dynamic zone capability was added to Shorewall6 in Shorewall
|
||||
4.4.21.</para>
|
||||
</section>
|
||||
|
||||
<section id="adding1">
|
||||
<title>Adding a Host to a Dynamic Zone</title>
|
||||
|
||||
<para>Adding a host to a dynamic zone is accomplished by adding the
|
||||
host's IP address to the appropriate ipset. Shorewall provldes a command
|
||||
for doing that:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>shorewall add</command> <replaceable>interface:address
|
||||
...</replaceable> <replaceable>zone</replaceable></para>
|
||||
</blockquote>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>shorewall add eth0:192.168.3.4 webok</command></para>
|
||||
</blockquote>
|
||||
|
||||
<para>The command can only be used when the ipset involved is of type
|
||||
iphash. For other ipset types, the <command>ipset</command> command must
|
||||
be used directly.</para>
|
||||
</section>
|
||||
|
||||
<section id="deleting">
|
||||
<title>Deleting a Host from a Dynamic Zone</title>
|
||||
|
||||
<para>Deleting a host from a dynamic zone is accomplished by removing
|
||||
the host's IP address from the appropriate ipset. Shorewall provldes a
|
||||
command for doing that:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>shorewall delete</command>
|
||||
<replaceable>interface:address ...</replaceable>
|
||||
<replaceable>zone</replaceable></para>
|
||||
</blockquote>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>shorewall delete eth0:192.168.3.4
|
||||
webok</command></para>
|
||||
</blockquote>
|
||||
|
||||
<para>The command can only be used when the ipset involved is of type
|
||||
iphash. For other ipset types, the <command>ipse t</command> command
|
||||
must be used directly.</para>
|
||||
</section>
|
||||
|
||||
<section id="listing1">
|
||||
<title>Listing the Contents of a Dynamic Zone</title>
|
||||
|
||||
<para>The shorewall show command may be used to list the current
|
||||
contents of a dynamic zone.</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>shorewall show dynamic</command>
|
||||
<replaceable>zone</replaceable></para>
|
||||
</blockquote>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting><command>shorewall show dynamic webok</command>
|
||||
eth0:
|
||||
192.168.3.4
|
||||
192.168.3.9</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="start-stop">
|
||||
<title>Dynamic Zone Contents and Shorewall stop/start/restart</title>
|
||||
|
||||
|
@ -118,6 +118,10 @@
|
||||
</tgroup>
|
||||
</table></para>
|
||||
</example>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.6, you may also specify clearing of the
|
||||
ECN flags through use of the ECN action in <ulink
|
||||
url="manpages/shorewall-ecn.html">shorewall-mangle(8)</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<lot/>
|
||||
|
@ -538,8 +538,7 @@ SetEvent(SSH,ACCEPT,src)</programlisting>
|
||||
|
||||
<para><filename>etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
SSHLIMIT net $FW tcp 22 </programlisting>
|
||||
|
||||
<caution>
|
||||
@ -645,8 +644,7 @@ SSHLIMIT net $FW tcp 22
|
||||
<para>To duplicate the SSHLIMIT entry in
|
||||
<filename>/etc/shorewall/rules</filename> shown above:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
AutoBL(SSH,-,-,-,REJECT,warn)\
|
||||
net $FW tcp 22 </programlisting>
|
||||
</section>
|
||||
@ -688,8 +686,7 @@ Knock #Port Knocking</programlisting>
|
||||
#
|
||||
?format 2
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
#ACTION SOURCE DEST PROTO DPORT
|
||||
IfEvent(SSH,ACCEPT:info,60,1,src,reset)\
|
||||
- - tcp 22
|
||||
SetEvent(SSH,ACCEPT) - - tcp 1600
|
||||
@ -697,8 +694,7 @@ ResetEvent(SSH,DROP:info) </programlisting>
|
||||
|
||||
<para><filename>etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Knock net $FW tcp 22,1599-1601 </programlisting>
|
||||
</section>
|
||||
|
||||
@ -750,7 +746,7 @@ KnockEnhanced 'net', '$FW', {name => 'SSH1', log_level => 3, proto => '
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">original_dest</emphasis> is the rule
|
||||
ORIGINAL DEST</para>
|
||||
ORIGDEST</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
@ -617,7 +617,7 @@ TOS=0x00 PREC=0x00 TTL=63 ID=23035 PROTO=UDP SPT=6376 DPT=2055 LEN=1472</program
|
||||
a single address?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer</emphasis>: Specify the external
|
||||
address that you want to redirect in the ORIGINAL DEST column.</para>
|
||||
address that you want to redirect in the ORIGDEST column.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
@ -1685,7 +1685,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
|
||||
<para>You have a policy for traffic from
|
||||
<replaceable>zone1</replaceable> to
|
||||
<replaceable>zone2</replaceable> that specifies TCP connection
|
||||
rate limiting (value in the LIMIT:BURST column). The logged packet
|
||||
rate limiting (value in the LIMIT column). The logged packet
|
||||
exceeds that limit and was dropped. Note that these log messages
|
||||
themselves are severely rate-limited so that a syn-flood won't
|
||||
generate a secondary DOS because of excessive log message. These
|
||||
|
59
docs/FTP.xml
59
docs/FTP.xml
@ -345,23 +345,22 @@ xt_tcpudp 3328 0
|
||||
HELPER rules allow specification of a helper for connections that are
|
||||
ACCEPTed by the applicable policy.</para>
|
||||
|
||||
<para> Example (loc->net policy is ACCEPT) - In
|
||||
<para>Example (loc->net policy is ACCEPT) - In
|
||||
/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST
|
||||
FTP(HELPER) loc - </programlisting>
|
||||
|
||||
<para>or equivalently </para>
|
||||
<para>or equivalently</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
HELPER loc - tcp 21 { helper=ftp }</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para> The set of enabled helpers (either by AUTOHELPERS=Yes or by the
|
||||
<para>The set of enabled helpers (either by AUTOHELPERS=Yes or by the
|
||||
HELPERS column) can be taylored using the new HELPERS option in
|
||||
shorewall.conf. </para>
|
||||
shorewall.conf.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@ -389,10 +388,9 @@ HELPER loc - tcp 21 { helper=ftp }</programlisting>
|
||||
/etc/shorewall[6]/conntrack file. These rules are included conditionally
|
||||
based in the setting of AUTOHELPERS.</para>
|
||||
|
||||
<para> Example:</para>
|
||||
<para>Example:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
|
||||
# PORT(S) PORT(S) GROUP
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
|
||||
?if $AUTOHELPERS && __CT_TARGET
|
||||
?if __FTP_HELPER
|
||||
CT:helper:ftp all - tcp 21
|
||||
@ -400,23 +398,22 @@ CT:helper:ftp all - tcp 21
|
||||
...
|
||||
?endif</programlisting>
|
||||
|
||||
<para> __FTP_HELPER evaluates to false if the HELPERS setting is non-empty
|
||||
<para>__FTP_HELPER evaluates to false if the HELPERS setting is non-empty
|
||||
and 'ftp' is not listed in that setting. For example, if you only need FTP
|
||||
access from your 'loc' zone, then add this rule outside of the outer-most
|
||||
?if....?endif shown above.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
|
||||
# PORT(S) PORT(S) GROUP
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
|
||||
...
|
||||
CT:helper:ftp loc - tcp 21</programlisting>
|
||||
|
||||
<para> For an overview of Netfilter Helpers and Shorewall's support for
|
||||
<para>For an overview of Netfilter Helpers and Shorewall's support for
|
||||
dealing with them, see <ulink
|
||||
url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para>
|
||||
|
||||
<para>See <ulink
|
||||
url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink>
|
||||
for additional information. </para>
|
||||
for additional information.</para>
|
||||
</section>
|
||||
|
||||
<section id="Ports">
|
||||
@ -433,8 +430,7 @@ CT:helper:ftp loc - tcp 21</programlisti
|
||||
|
||||
<para><filename>/etc/shorewall/rules:</filename></para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting>
|
||||
|
||||
<para>That entry will accept ftp connections on port 12345 from the net
|
||||
@ -442,8 +438,7 @@ DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ft
|
||||
|
||||
<para><filename>/etc/shorewall/conntrack:</filename></para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
|
||||
# PORT(S) PORT(S) GROUP
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
|
||||
...
|
||||
CT:helper:ftp loc - tcp 12345</programlisting>
|
||||
|
||||
@ -531,20 +526,19 @@ options nf_nat_ftp</programlisting>
|
||||
<para>Otherwise, for FTP you need exactly <emphasis
|
||||
role="bold">one</emphasis> rule:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DESTINATION
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
|
||||
ACCEPT or <<emphasis>source</emphasis>> <<emphasis>destination</emphasis>> tcp 21 - <external IP addr> if
|
||||
DNAT ACTION = DNAT</programlisting>
|
||||
|
||||
<para>You need an entry in the ORIGINAL DESTINATION column only if the
|
||||
ACTION is DNAT, you have multiple external IP addresses and you want a
|
||||
specific IP address to be forwarded to your server.</para>
|
||||
<para>You need an entry in the ORIGDEST column only if the ACTION is DNAT,
|
||||
you have multiple external IP addresses and you want a specific IP address
|
||||
to be forwarded to your server.</para>
|
||||
|
||||
<para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
|
||||
with 20 (ftp-data) in the DEST PORT(S) column. If you post your rules on
|
||||
the mailing list and they show 20 in the DEST PORT(S) column, we will know
|
||||
that you haven't read this article and will either ignore your post or
|
||||
tell you to RTFM.</para>
|
||||
with 20 (ftp-data) in the DPORT column. If you post your rules on the
|
||||
mailing list and they show 20 in the DPORT column, we will know that you
|
||||
haven't read this article and will either ignore your post or tell you to
|
||||
RTFM.</para>
|
||||
|
||||
<para>Shorewall includes an FTP macro that simplifies creation of FTP
|
||||
rules. The macro source is in
|
||||
@ -558,15 +552,13 @@ DNAT ACTION =
|
||||
<para>Suppose that you run an FTP server on 192.168.1.5 in your local
|
||||
zone using the standard port (21). You need this rule:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DESTINATION
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
|
||||
FTP(DNAT) net loc:192.168.1.5</programlisting>
|
||||
</example><example id="Example4">
|
||||
<title>Allow your DMZ FTP access to the Internet</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DESTINATION
|
||||
FTP(ACCEPT) dmz net</programlisting>
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
|
||||
FTP(ACCEPT) dmz net</programlisting>
|
||||
</example></para>
|
||||
|
||||
<para>Note that the FTP connection tracking in the kernel cannot handle
|
||||
@ -588,8 +580,7 @@ WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1</progr
|
||||
<para>I see this problem occasionally with the FTP server in my DMZ. My
|
||||
solution is to add the following rule:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DESTINATION
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
|
||||
ACCEPT:info dmz net tcp - 20</programlisting>
|
||||
|
||||
<para>The above rule accepts and logs all active mode connections from my
|
||||
|
@ -50,7 +50,7 @@
|
||||
|
||||
<para>Suppose that we have the following situation:</para>
|
||||
|
||||
<graphic fileref="images/TwoNets1.png" />
|
||||
<graphic fileref="images/TwoNets1.png"/>
|
||||
|
||||
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
|
||||
communicate with the systems in the 10.0.0.0/8 network. This is
|
||||
@ -91,7 +91,7 @@ vpn tun0 10.255.255.255</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
generic:tcp:1071 net 134.28.54.2
|
||||
generic:47 net 134.28.54.2</programlisting>
|
||||
|
||||
@ -104,7 +104,7 @@ vpn tun0 192.168.1.255</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system B, we have:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
generic:tcp:1071 net 206.191.148.9
|
||||
generic:47 net 206.191.148.9</programlisting>
|
||||
|
||||
|
@ -503,8 +503,7 @@ loadmodule nf_conntrack_sane ports=0</programlisting>
|
||||
limit the scope of the helper. Suppose that your Linux FTP server is
|
||||
in zone dmz and has address 70.90.191.123.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT(S) PORT(2)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
SECTION RELATED
|
||||
ACCEPT all dmz:70.90.191.123 32768: ; helper=ftp # passive FTP to dmz server; /proc/sys/net/ipv4/ip_local_port_range == 32760:65535
|
||||
ACCEPT dmz:70.90.191.123 all tcp 1024: 20 ; helper=ftp # active FTP to dmz server
|
||||
|
@ -62,7 +62,7 @@
|
||||
|
||||
<para>Suppose that we have the following situation:</para>
|
||||
|
||||
<graphic fileref="images/TwoNets1.png" />
|
||||
<graphic fileref="images/TwoNets1.png"/>
|
||||
|
||||
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
|
||||
communicate with the systems in the 10.0.0.0/8 network. This is
|
||||
@ -103,12 +103,12 @@ vpn ipv4</programlisting>
|
||||
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis
|
||||
role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
vpn tosysb 10.255.255.255</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
vpn tosysb</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
ipip net 134.28.54.2</programlisting>
|
||||
|
||||
<para>This entry in /etc/shorewall/tunnels, opens the firewall so that the
|
||||
@ -133,12 +133,12 @@ subnet=10.0.0.0/8
|
||||
<emphasis role="bold">vpn</emphasis> zone. In
|
||||
/etc/shorewall/interfaces:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST
|
||||
vpn tosysa 192.168.1.255</programlisting>
|
||||
<programlisting>#ZONE INTERFACE
|
||||
vpn tosysa</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system B, we have:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
ipip net 206.191.148.9</programlisting>
|
||||
|
||||
<para>And in the tunnel script on system B:</para>
|
||||
|
@ -267,16 +267,14 @@
|
||||
<para><filename><filename>/etc/shorewall/tunnels</filename></filename> —
|
||||
System A:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
ipsec net 134.28.54.2
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
ipsec net 134.28.54.2</programlisting>
|
||||
|
||||
<para><filename><filename>/etc/shorewall/tunnels</filename></filename> —
|
||||
System B:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
ipsec net 206.162.148.9
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
ipsec net 206.162.148.9</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<note>
|
||||
@ -295,11 +293,9 @@ ipsec net 206.162.148.9
|
||||
<para><filename><filename>/etc/shorewall/zones</filename></filename> —
|
||||
Systems A and B:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
net ipv4
|
||||
<emphasis role="bold">vpn ipv4</emphasis>
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
<emphasis role="bold">vpn ipv4</emphasis></programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>Remember the assumption that both systems A and B have eth0 as their
|
||||
@ -315,14 +311,12 @@ net ipv4
|
||||
<para><filename>/etc/shorewall/hosts</filename> — System A</para>
|
||||
|
||||
<programlisting>#ZONE HOSTS OPTIONS
|
||||
vpn eth0:10.0.0.0/8,134.28.54.2 <emphasis role="bold"> ipsec</emphasis>
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
vpn eth0:10.0.0.0/8,134.28.54.2 <emphasis role="bold"> ipsec</emphasis></programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename> — System B</para>
|
||||
|
||||
<programlisting>#ZONE HOSTS OPTIONS
|
||||
vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ipsec</emphasis>
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ipsec</emphasis></programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>Assuming that you want to give each local network free access to the
|
||||
@ -330,17 +324,17 @@ vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ips
|
||||
<filename>/etc/shorewall/policy</filename> entries on each system:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST:LIMIT
|
||||
loc vpn ACCEPT
|
||||
vpn loc ACCEPT</programlisting>
|
||||
<programlisting>#SOURCE DEST POLICY LEVEL BURST:LIMIT
|
||||
loc vpn ACCEPT
|
||||
vpn loc ACCEPT</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>If you need access from each firewall to hosts in the other network,
|
||||
then you could add:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST:LIMIT
|
||||
$FW vpn ACCEPT</programlisting>
|
||||
<programlisting>#SOURCE DEST POLICY LEVEL BURST:LIMIT
|
||||
$FW vpn ACCEPT</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>If you need access between the firewall's, you should describe the
|
||||
@ -348,7 +342,7 @@ $FW vpn ACCEPT</programlisting>
|
||||
from System B, add this rule on system A:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO POLICY
|
||||
<programlisting>#ACTION SOURCE DEST PROTO POLICY
|
||||
ACCEPT vpn:134.28.54.2 $FW</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@ -458,8 +452,7 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
|
||||
through an ESP tunnel then the following entry would be
|
||||
appropriate:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting>
|
||||
|
||||
<para>You should also set FASTACCEPT=No in shorewall.conf to ensure
|
||||
@ -493,25 +486,24 @@ sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/zones</filename> — System A</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
net ipv4
|
||||
<emphasis role="bold">vpn ipsec</emphasis>
|
||||
loc ipv4
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>In this instance, the mobile system (B) has IP address 134.28.54.2
|
||||
but that cannot be determined in advance. In the
|
||||
<filename>/etc/shorewall/tunnels</filename> file on system A, the
|
||||
following entry should be made:<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
ipsec net 0.0.0.0/0 vpn
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
</programlisting>
|
||||
</blockquote></para>
|
||||
|
||||
<para><note>
|
||||
<para>the GATEWAY ZONE column contains the name of the zone
|
||||
<para>the GATEWAY_ZONE column contains the name of the zone
|
||||
corresponding to peer subnetworks. This indicates that the gateway
|
||||
system itself comprises the peer subnetwork; in other words, the
|
||||
remote gateway is a standalone system.</para>
|
||||
@ -524,8 +516,7 @@ ipsec net 0.0.0.0/0 vpn
|
||||
<para><filename>/etc/shorewall/hosts</filename> — System A:</para>
|
||||
|
||||
<programlisting>#ZONE HOSTS OPTIONS
|
||||
vpn eth0:0.0.0.0/0
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
vpn eth0:0.0.0.0/0</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>You will need to configure your <quote>through the tunnel</quote>
|
||||
@ -536,24 +527,20 @@ vpn eth0:0.0.0.0/0
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/zones</filename> - System B:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
vpn ipsec
|
||||
net ipv4
|
||||
loc ipv4
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
loc ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tunnels</filename> - System B:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
ipsec net 206.162.148.9 vpn
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
ipsec net 206.162.148.9 vpn</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename> - System B:</para>
|
||||
|
||||
<programlisting>#ZONE HOSTS OPTIONS
|
||||
vpn eth0:0.0.0.0/0
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
vpn eth0:0.0.0.0/0</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>On system A, here are the IPsec files:</para>
|
||||
@ -716,13 +703,11 @@ RACOON=/usr/sbin/racoon</programlisting>
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/zones</filename> — System A</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
net ipv4
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
et ipv4
|
||||
vpn ipsec
|
||||
<emphasis role="bold">l2tp ipv4</emphasis>
|
||||
loc ipv4
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
loc ipv4</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>Since the L2TP will require the use of pppd, you will end up with
|
||||
@ -737,8 +722,7 @@ loc ipv4
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect routefilter
|
||||
loc eth1 192.168.1.255
|
||||
l2tp ppp+ -
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
l2tp ppp+ -</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>The next thing that must be done is to adjust the policy so that the
|
||||
@ -776,7 +760,7 @@ l2tp ppp+ -
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/policy</filename>:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
$FW all ACCEPT
|
||||
loc net ACCEPT
|
||||
loc l2tp ACCEPT # Allows local machines to connect to road warriors
|
||||
@ -784,8 +768,7 @@ l2tp loc ACCEPT # Allows road warriors to connect to loca
|
||||
l2tp net ACCEPT # Allows road warriors to connect to the Internet
|
||||
net all DROP info
|
||||
# The FOLLOWING POLICY MUST BE LAST
|
||||
all all REJECT info
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
all all REJECT info</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>The final step is to modify your rules file. There are three
|
||||
@ -802,8 +785,7 @@ all all REJECT info
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
?SECTION ESTABLISHED
|
||||
# Prevent IPsec bypass by hosts behind a NAT gateway
|
||||
L2TP(REJECT) net $FW
|
||||
@ -815,8 +797,7 @@ ACCEPT vpn $FW udp 1701
|
||||
HTTP(ACCEPT) loc $FW
|
||||
HTTP(ACCEPT) l2tp $FW
|
||||
HTTPS(ACCEPT) loc $FW
|
||||
HTTPS(ACCEPT) l2tp $FW
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
HTTPS(ACCEPT) l2tp $FW</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
@ -890,9 +871,8 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in ipsec esp/transport/192.168.
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect routefilter,dhcp,tcpflags
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 routefilter,dhcp,tcpflags</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
@ -910,8 +890,7 @@ net ipv4</programlisting>
|
||||
<para><filename><filename>/etc/shorewall/hosts</filename></filename>:</para>
|
||||
|
||||
<programlisting>#ZONE HOST(S) OPTIONS
|
||||
loc eth0:192.168.20.0/24
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
loc eth0:192.168.20.0/24</programlisting>
|
||||
|
||||
<para>It is worth noting that although <emphasis>loc</emphasis> is a
|
||||
sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis>
|
||||
@ -921,15 +900,14 @@ loc eth0:192.168.20.0/24
|
||||
|
||||
<para><filename>/etc/shorewall/policy</filename>:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
$FW all ACCEPT
|
||||
loc $FW ACCEPT
|
||||
net loc NONE
|
||||
loc net NONE
|
||||
net all DROP info
|
||||
# The FOLLOWING POLICY MUST BE LAST
|
||||
all all REJECT info
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
all all REJECT info</programlisting>
|
||||
|
||||
<para>Since there are no cases where net<->loc traffic should
|
||||
occur, NONE policies are used.</para>
|
||||
|
@ -266,13 +266,13 @@ dmz eth2 detect nets=(192.168.1.0/24)</programlisting>
|
||||
<para>The <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||
file included with the three-interface sample has the following policies:
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting>In the three-interface
|
||||
sample, the line below is included but commented out. If you want your
|
||||
firewall system to have full access to servers on the Internet, uncomment
|
||||
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
that line. <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
$FW net ACCEPT</programlisting> The above policies will:
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@ -316,8 +316,7 @@ $FW net ACCEPT</programlisting> The above policies will:
|
||||
url="manpages/shorewall-rules.html"><filename
|
||||
class="directory">/etc/shorewall/</filename><filename>rules</filename>:</ulink></para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net $FW tcp 22</programlisting>
|
||||
|
||||
<para>So although you have a policy of ignoring all connection attempts
|
||||
|
@ -68,10 +68,10 @@
|
||||
optional interfaces for the 'net' zone in
|
||||
<filename>/etc/shorewall/interfaces</filename>.</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect optional,…
|
||||
net wlan0 detect optional,…
|
||||
net ppp0 - optional,…</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 optional,…
|
||||
net wlan0 optional,…
|
||||
net ppp0 optional,…</programlisting>
|
||||
|
||||
<para>With this configuration, access to the 'net' zone is possible
|
||||
regardless of which of the interfaces is being used.</para>
|
||||
|
@ -172,22 +172,20 @@ MACLIST_LOG_LEVEL=info</programlisting>
|
||||
|
||||
<para>/etc/shorewall/interfaces:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net $EXT_IF 206.124.146.255 dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
|
||||
loc $INT_IF 192.168.1.255 dhcp
|
||||
dmz $DMZ_IF -
|
||||
vpn tun+ -
|
||||
Wifi $WIFI_IF - maclist,dhcp
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net $EXT_IF dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
|
||||
loc $INT_IF dhcp
|
||||
dmz $DMZ_IF
|
||||
vpn tun+
|
||||
Wifi $WIFI_IF maclist,dhcp</programlisting>
|
||||
|
||||
<para>/etc/shorewall/maclist:</para>
|
||||
<para>etc/shorewall/maclist:</para>
|
||||
|
||||
<programlisting>#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
|
||||
ACCEPT $WIFI_IF 00:04:5e:3f:85:b9 #WAP11
|
||||
ACCEPT $WIFI_IF 00:06:25:95:33:3c #WET11
|
||||
ACCEPT $WIFI_IF 00:0b:4d:53:cc:97 192.168.3.8 #TIPPER
|
||||
ACCEPT $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
ACCEPT $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop</programlisting>
|
||||
|
||||
<para>As shown above, I used MAC Verification on my wireless zone that
|
||||
was served by a Linksys WET11 wireless bridge.</para>
|
||||
|
@ -469,7 +469,7 @@ ACCEPT $FW loc tcp 135,139,445</programlist
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>ORIGINAL DEST (Shorewall-perl 4.2.0 and later)</para>
|
||||
<para>ORIGDEST (Shorewall-perl 4.2.0 and later)</para>
|
||||
|
||||
<para>To use this column, you must include 'FORMAT 2' as the first
|
||||
non-comment line in your macro file.</para>
|
||||
|
@ -195,16 +195,14 @@ sub Knock {
|
||||
|
||||
<para>The rule from the Port Knocking article:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
SSHKnock net $FW tcp 22,1599,1600,1601
|
||||
</programlisting>
|
||||
|
||||
<para>becomes:<programlisting>PERL Knock 'net', '$FW', {target => 22, knocker => 1600, trap => [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
<para>becomes:<programlisting>PERL Knock 'net', '$FW', {target => 22, knocker => 1600, trap => [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
|
||||
SSHKnock net $FW tcp 1599,1600,1601
|
||||
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>becomes:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>becomes:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
|
||||
|
||||
PERL Knock 'net', '$FW', {name => 'SSH', knocker => 1600, trap => [1599, 1601]};
|
||||
|
@ -892,7 +892,7 @@ net eth1 detect …</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/policy</filename>:</para>
|
||||
|
||||
<programlisting>#SOURCE DESTINATION POLICY LIMIT:BURST
|
||||
<programlisting>#SOURCE DESTINATION POLICY LOGLEVEL LIMIT
|
||||
net net DROP</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/masq</filename>:</para>
|
||||
@ -913,15 +913,13 @@ eth1 0.0.0.0/0 130.252.99.27</programlisting>
|
||||
later, you would make this entry in <ulink
|
||||
url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
MARK(2):P <local network> 0.0.0.0/0 tcp 25</programlisting>
|
||||
|
||||
<para>Note that traffic from the firewall itself must be handled in a
|
||||
different rule:</para>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
|
||||
|
||||
<para>If you are running a Shorewall version earlier than 4.6.0, the
|
||||
@ -929,14 +927,12 @@ MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
|
||||
url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>
|
||||
would be:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
2:P <local network> 0.0.0.0/0 tcp 25</programlisting>
|
||||
|
||||
<para>And for traffic from the firewall:</para>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
2 $FW 0.0.0.0/0 tcp 25</programlisting>
|
||||
</section>
|
||||
|
||||
@ -951,8 +947,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORTS(S) DEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT net loc:192.168.1.3 tcp 25</programlisting>
|
||||
|
||||
<para>Continuing the above example, to forward only connection requests
|
||||
@ -962,19 +957,16 @@ DNAT net loc:192.168.1.3 tcp 25</programlisting
|
||||
<listitem>
|
||||
<para>Qualify the SOURCE by ISP 1's interface:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORTS(S) DEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT net<emphasis role="bold">:eth0</emphasis> loc:192.168.1.3 tcp 25</programlisting>
|
||||
|
||||
<para>or</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Specify the IP address of ISP 1 in the ORIGINAL DEST
|
||||
column:</para>
|
||||
<para>Specify the IP address of ISP 1 in the ORIGDEST column:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORTS(S) DEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT net loc:192.168.1.3 tcp 25 <emphasis
|
||||
role="bold">- 206.124.146.176</emphasis></programlisting>
|
||||
</listitem>
|
||||
@ -2573,8 +2565,7 @@ wireless 3 3 - wlan0 172.20.1.1 track,o
|
||||
role="bold">avvanta</emphasis> provider.</para>
|
||||
|
||||
<para>Here is the mangle file (MARK_IN_FORWARD_CHAIN=No in
|
||||
<filename>shorewall.conf</filename>):<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
# PORT(S) PORT(S)
|
||||
<filename>shorewall.conf</filename>):<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
MARK(2) $FW 0.0.0.0/0 tcp 21
|
||||
MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp
|
||||
MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting></para>
|
||||
@ -2583,8 +2574,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlistin
|
||||
switching to using a mangle file (<command>shorewall update -t</command>
|
||||
will do that for you). Here are the equivalent tcrules entries:</para>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
# PORT(S)
|
||||
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
2 $FW 0.0.0.0/0 tcp 21
|
||||
2 $FW 0.0.0.0/0 tcp - - - - - - - ftp
|
||||
2 $FW 0.0.0.0/0 tcp 119</programlisting>
|
||||
@ -2603,8 +2593,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlistin
|
||||
|
||||
<para>The same rules converted to use the mangle file are:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
# PORT(S)
|
||||
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
MARK(2) $FW 0.0.0.0/0 tcp 21
|
||||
MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp
|
||||
MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting>
|
||||
@ -2612,8 +2601,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting>
|
||||
<para>The remaining files are for a rather standard two-interface config
|
||||
with a bridge as the local interface.</para>
|
||||
|
||||
<para><filename>zones</filename>:<programlisting>#ZONE IPSEC OPTIONS IN OUT
|
||||
# ONLY OPTIONS OPTIONS
|
||||
<para><filename>zones</filename>:<programlisting>#ZONE IPSEC OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
fw firewall
|
||||
net ipv4
|
||||
kvm ipv4</programlisting><filename>policy</filename>:<programlisting>net net NONE
|
||||
@ -2623,17 +2611,17 @@ kvm all ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting></para>
|
||||
|
||||
<para>interfaces:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
|
||||
<para>interfaces:<programlisting>#ZONE INTERFACE OPTIONS
|
||||
#
|
||||
net eth0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
|
||||
net wlan0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional
|
||||
kvm br0 detect routeback #Virtual Machines</programlisting><note>
|
||||
net eth0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
|
||||
net wlan0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional
|
||||
kvm br0 routeback #Virtual Machines</programlisting><note>
|
||||
<para><filename class="devicefile">wlan0</filename> is the wireless
|
||||
adapter in the notebook. Used when the laptop is in our home but not
|
||||
connected to the wired network.</para>
|
||||
</note></para>
|
||||
|
||||
<para>masq:<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
||||
<para>masq:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT IPSEC
|
||||
eth0 192.168.0.0/24
|
||||
wlan0 192.168.0.0/24</programlisting><note>
|
||||
<para>Because the firewall has only a single external IP address, I
|
||||
@ -2815,7 +2803,7 @@ dmz ip #LXC Containers</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback
|
||||
net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
|
||||
net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
|
||||
@ -2881,9 +2869,7 @@ root@gateway:~# </programlisting>
|
||||
<para><filename>/etc/shorewall/mangle</filename> is not used to support
|
||||
Multi-ISP:</para>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
FORMAT 2
|
||||
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
|
||||
TTL(+1):P INT_IF -
|
||||
SAME:P INT_IF - tcp 80,443
|
||||
?if $PROXY && ! $SQUID2
|
||||
|
@ -114,7 +114,7 @@
|
||||
of this discussion, it makes no difference.</para>
|
||||
</note>
|
||||
|
||||
<graphic fileref="images/MultiZone1.png" />
|
||||
<graphic fileref="images/MultiZone1.png"/>
|
||||
|
||||
<section id="Standard">
|
||||
<title>Can You Use the Standard Configuration?</title>
|
||||
@ -183,7 +183,7 @@
|
||||
all hosts connected to eth1 and a second zone <quote>loc1</quote>
|
||||
(192.168.2.0/24) as a sub-zone.</para>
|
||||
|
||||
<graphic fileref="images/MultiZone1A.png" />
|
||||
<graphic fileref="images/MultiZone1A.png"/>
|
||||
|
||||
<para><note>
|
||||
<para>The Router in the above diagram is assumed to NOT be doing
|
||||
@ -209,7 +209,7 @@ loc1:loc ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth1 -</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename></para>
|
||||
@ -234,7 +234,7 @@ loc1 loc NONE</programlisting>
|
||||
<para>You define both zones in the /etc/shorewall/hosts file to create
|
||||
two disjoint zones.</para>
|
||||
|
||||
<graphic fileref="images/MultiZone1B.png" />
|
||||
<graphic fileref="images/MultiZone1B.png"/>
|
||||
|
||||
<para><note>
|
||||
<para>The Router in the above diagram is assumed to NOT be doing
|
||||
@ -247,8 +247,8 @@ loc2 ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST
|
||||
- eth1 192.168.1.255
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
- eth1 -
|
||||
</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename></para>
|
||||
@ -274,7 +274,7 @@ loc2 loc1 NONE</programlisting>
|
||||
<para>There are cases where a subset of the addresses associated with an
|
||||
interface need special handling. Here's an example.</para>
|
||||
|
||||
<graphic fileref="images/MultiZone2.png" />
|
||||
<graphic fileref="images/MultiZone2.png"/>
|
||||
|
||||
<para>In this example, addresses 192.168.1.8 - 192.168.1.15
|
||||
(192.168.1.8/29) are to be treated as their own zone (loc1).</para>
|
||||
@ -287,8 +287,8 @@ loc1:loc ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST
|
||||
loc eth1 -</programlisting>
|
||||
<programlisting>#ZONE INTERFACE
|
||||
loc eth1</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS OPTIONS
|
||||
loc1 eth1:192.168.1.8/29 broadcast</programlisting></para>
|
||||
@ -326,7 +326,7 @@ loc1 loc NONE</programlisting>
|
||||
<quote>loc</quote> zone are configured with their default gateway set to
|
||||
the Shorewall router's RFC1918 address.</para>
|
||||
|
||||
<para><graphic fileref="images/MultiZone3.png" /></para>
|
||||
<para><graphic fileref="images/MultiZone3.png"/></para>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename></para>
|
||||
|
||||
@ -336,8 +336,8 @@ loc:net ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect routefilter</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 routefilter</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename></para>
|
||||
|
||||
|
@ -494,8 +494,7 @@ tarpit inline # Wrapper for TARPIT
|
||||
<section>
|
||||
<title>/etc/shorewall/action.Mirrors</title>
|
||||
|
||||
<para><programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
<para><programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
|
||||
?COMMENT Accept traffic from Mirrors
|
||||
?FORMAT 2
|
||||
DEFAULTS -
|
||||
@ -508,8 +507,7 @@ $1 $MIRRORS
|
||||
<section>
|
||||
<title>/etc/shorewall/action.tarpit</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
$LOG { rate=s:1/min }
|
||||
TARPIT
|
||||
</programlisting>
|
||||
@ -520,7 +518,8 @@ TARPIT
|
||||
<section id="zones">
|
||||
<title>/etc/shorewall/zones</title>
|
||||
|
||||
<para><programlisting>fw firewall
|
||||
<para><programlisting>#ZONE TYPE
|
||||
fw firewall
|
||||
loc ip #Local Zone
|
||||
net ipv4 #Internet
|
||||
dmz ipv4 #LXC Containers
|
||||
@ -531,7 +530,7 @@ smc:net ip #10.0.1.0/24
|
||||
<section id="interfaces">
|
||||
<title>/etc/shorewall/interfaces</title>
|
||||
|
||||
<para><programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<para><programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback,tcpflags=0
|
||||
net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
|
||||
net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
|
||||
@ -552,8 +551,7 @@ smc COMC_IF:10.0.0.0/24
|
||||
<section id="policy">
|
||||
<title>/etc/shorewall/policy</title>
|
||||
|
||||
<para><programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||
# LEVEL
|
||||
<para><programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
$FW dmz REJECT $LOG
|
||||
$FW net REJECT $LOG
|
||||
?else
|
||||
@ -577,8 +575,7 @@ all all REJECT:Reject $LOG
|
||||
<section id="accounting">
|
||||
<title>/etc/shorewall/accounting</title>
|
||||
|
||||
<para><programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC
|
||||
# PORT(S) PORT(S) GROUP
|
||||
<para><programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DPORT SPORT USER MARK IPSEC
|
||||
?COMMENT
|
||||
?SECTION PREROUTING
|
||||
?SECTION INPUT
|
||||
@ -604,7 +601,8 @@ ACCOUNT(loc-net,$INT_NET) - INT_IF COMB_IF
|
||||
<section id="blacklist">
|
||||
<title>/etc/shorewall/blrules</title>
|
||||
|
||||
<para><programlisting>WHITELIST net:70.90.191.126 all
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
WHITELIST net:70.90.191.126 all
|
||||
BLACKLIST net:+blacklist all
|
||||
BLACKLIST net all udp 1023:1033,1434,5948,23773
|
||||
DROP net all tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
|
||||
@ -714,8 +712,7 @@ br0 70.90.191.120/29 70.90.191.121
|
||||
<title>/etc/shorewall/conntrack</title>
|
||||
|
||||
<para><programlisting>?FORMAT 2
|
||||
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
|
||||
# PORT(S) PORT(S) GROUP
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
#
|
||||
DROP net - udp 3551
|
||||
NOTRACK net - tcp 23
|
||||
@ -818,8 +815,7 @@ br0 - ComcastB 11000
|
||||
<section id="routestopped">
|
||||
<title>/etc/shorewall/stoppedrules</title>
|
||||
|
||||
<para><programlisting>#TARGET HOST(S) DEST PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
<para><programlisting>#TARGET HOST(S) DEST PROTO DPORT SPORT
|
||||
ACCEPT INT_IF:172.20.1.0/24 $FW
|
||||
NOTRACK COMB_IF - 41
|
||||
NOTRACK $FW COMB_IF 41
|
||||
@ -832,9 +828,7 @@ ACCEPT COMC_IF $FW udp 67:68</programlistin
|
||||
<title>/etc/shorewall/rules</title>
|
||||
|
||||
<para><programlisting>################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
?if $VERSION < 40500
|
||||
?SHELL echo " ERROR: Shorewall version is too low" >&2; exit 1
|
||||
?endif
|
||||
|
@ -60,7 +60,7 @@
|
||||
|
||||
<para>The following figure represents a one-to-one NAT environment.</para>
|
||||
|
||||
<graphic fileref="images/staticnat.png" />
|
||||
<graphic fileref="images/staticnat.png"/>
|
||||
|
||||
<para>One-to-one NAT can be used to make the systems with the 10.1.1.*
|
||||
addresses appear to be on the upper (130.252.100.*) subnet. If we assume
|
||||
@ -73,7 +73,7 @@
|
||||
internal host(s) — such traffic is still subject to your policies and
|
||||
rules.</para>
|
||||
|
||||
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||
130.252.100.18 eth0 10.1.1.2 no no
|
||||
130.252.100.19 eth0 10.1.1.3 no no</programlisting></para>
|
||||
|
||||
@ -105,7 +105,7 @@
|
||||
<quote>yes</quote> then you must NOT configure your own
|
||||
alias(es).</para>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
@ -126,8 +126,7 @@
|
||||
would need the following entry in
|
||||
<filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIG
|
||||
# PORT(S) PORT(S) DEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
ACCEPT net loc:10.1.1.2 tcp 80 - 130.252.100.18</programlisting>
|
||||
</section>
|
||||
|
||||
|
@ -68,8 +68,8 @@
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>It is widely supported -- I run it on both Linux and Windows
|
||||
XP.</para>
|
||||
<para>It is widely supported -- I run it on both Linux and
|
||||
Windows.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -97,7 +97,7 @@
|
||||
|
||||
<para>Suppose that we have the following situation:</para>
|
||||
|
||||
<graphic fileref="images/TwoNets1.png" />
|
||||
<graphic fileref="images/TwoNets1.png"/>
|
||||
|
||||
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
|
||||
communicate with the systems in the 10.0.0.0/8 network. This is
|
||||
@ -118,8 +118,7 @@
|
||||
<para><filename>/etc/shorewall/zones</filename> — Systems A &
|
||||
B</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
vpn ipv4</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@ -130,7 +129,7 @@ vpn ipv4</programlisting>
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename> on system
|
||||
A:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
vpn tun0</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@ -138,7 +137,7 @@ vpn tun0</programlisting>
|
||||
the following:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
openvpn net 134.28.54.2</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@ -150,7 +149,7 @@ openvpn net 134.28.54.2</programlisting>
|
||||
<blockquote>
|
||||
<para>/etc/shorewall/tunnels with port 7777:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
openvpn:7777 net 134.28.54.2</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@ -161,7 +160,7 @@ openvpn:7777 net 134.28.54.2</programlisting>
|
||||
<blockquote>
|
||||
<para>/etc/shorewall/tunnels using TCP:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
openvpn:tcp net 134.28.54.2</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@ -170,7 +169,7 @@ openvpn:tcp net 134.28.54.2</programlisting>
|
||||
<blockquote>
|
||||
<para>/etc/shorewall/tunnels using TCP port 7777:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
openvpn:tcp:7777 net 134.28.54.2</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@ -206,7 +205,7 @@ vpn tun0 </programlisting>
|
||||
have:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
openvpn net 206.191.148.9</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@ -249,7 +248,7 @@ vpn loc ACCEPT</programlisting>
|
||||
<para>OpenVPN 2.0 provides excellent support for roadwarriors. Consider
|
||||
the setup in the following diagram:</para>
|
||||
|
||||
<graphic fileref="images/Mobile.png" />
|
||||
<graphic fileref="images/Mobile.png"/>
|
||||
|
||||
<para>On the gateway system (System A), we need a zone to represent the
|
||||
remote clients — we'll call that zone <quote>road</quote>.</para>
|
||||
@ -257,8 +256,7 @@ vpn loc ACCEPT</programlisting>
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/zones</filename> — System A:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
road ipv4</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@ -269,7 +267,7 @@ road ipv4</programlisting>
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename> on system
|
||||
A:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
road tun+</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@ -277,7 +275,7 @@ road tun+</programlisting>
|
||||
the following:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
openvpn:1194 net 0.0.0.0/0</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@ -288,7 +286,7 @@ openvpn:1194 net 0.0.0.0/0</programlisting>
|
||||
uses NAT.</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
openvpnserver:1194 net 0.0.0.0/0</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@ -363,7 +361,7 @@ home tun0</programlisting>
|
||||
the following:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
openvpn:1194 net 206.162.148.9</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@ -372,7 +370,7 @@ openvpn:1194 net 206.162.148.9</programlisting>
|
||||
prefer:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
openvpnclient:1194 net 206.162.148.9</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@ -443,7 +441,7 @@ verb 3</programlisting>
|
||||
192.168.1.0/24, there will be times when your roadwarriors need to access
|
||||
your lan from a remote location that uses that same network.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Mobile1.png" />
|
||||
<graphic align="center" fileref="images/Mobile1.png"/>
|
||||
|
||||
<para>This may be accomplished by configuring a second server on your
|
||||
firewall that uses a different port and by using <ulink
|
||||
@ -719,7 +717,7 @@ TUNNEL_IF=gif0
|
||||
<para>Add this entry to <ulink
|
||||
url="manpages/shorewall-tunnels.html">/etc/shorewall/tunnels</ulink>:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
openvpnserver:1194 net 0.0.0.0/0</programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
@ -736,7 +734,7 @@ openvpnserver:1194 net 0.0.0.0/0</programlisting>
|
||||
|
||||
<para>Consider the following case:</para>
|
||||
|
||||
<graphic align="center" fileref="images/bridge4.png" />
|
||||
<graphic align="center" fileref="images/bridge4.png"/>
|
||||
|
||||
<para>Part of the 192.168.1.0/24 network is in one location and part in
|
||||
another. The two LANs can be bridged with OpenVPN as described in this
|
||||
|
@ -141,17 +141,16 @@ server:~ # </programlisting>
|
||||
<para><filename>/etc/shorewall/zones</filename>:</para>
|
||||
|
||||
<programlisting>###############################################################################
|
||||
#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
#ZONE TYPE OPTIONS IN_OPTION OUT_OPTIONS
|
||||
net ipv4
|
||||
vz ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>###############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 - proxyarp=1
|
||||
vz venet0 - <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
|
||||
#ZONE INTERFACE OPTIONS
|
||||
net eth0 proxyarp=1
|
||||
vz venet0 <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@ -159,8 +158,8 @@ vz venet0 - <emphasis role="bold">routeback,arp_f
|
||||
|
||||
<para>If you run Shorewall Multi-ISP support on the host, you should
|
||||
arrange for traffic to your containers to use the main routing table. In
|
||||
the configuration shown here, this entry in /etc/shorewall/rtrules
|
||||
is appropriate:</para>
|
||||
the configuration shown here, this entry in /etc/shorewall/rtrules is
|
||||
appropriate:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST PROVIDER PRIORITY
|
||||
- 206.124.146.178 main 1000</programlisting>
|
||||
@ -290,7 +289,7 @@ done.
|
||||
|
||||
<para>The network diagram is shown below.</para>
|
||||
|
||||
<graphic fileref="images/Network2009c.png" />
|
||||
<graphic fileref="images/Network2009c.png"/>
|
||||
|
||||
<para>The two systems shown in the green box are OpenVZ Virtual
|
||||
Environments (containers).</para>
|
||||
@ -457,8 +456,7 @@ NAME="server"</emphasis></programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
fw firewall
|
||||
net ipv4 #Internet
|
||||
loc ipv4 #Local wired Zone
|
||||
@ -472,11 +470,11 @@ INT_IF=eth1
|
||||
<emphasis role="bold">VPS_IF=venet0</emphasis>
|
||||
...</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
|
||||
role="bold">proxyarp=1</emphasis>
|
||||
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
|
||||
<emphasis role="bold">dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
|
||||
loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
|
||||
<emphasis role="bold">dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
|
||||
...</programlisting>This is a multi-ISP configuration so entries are required
|
||||
in <filename>/etc/shorewall/rtrules</filename>:</para>
|
||||
|
||||
@ -501,8 +499,7 @@ loc $INT_IF detect dhcp,logmartians=1,routefilter=1
|
||||
|
||||
<para>/etc/shorewall/zones:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
fw firewall
|
||||
net ipv4</programlisting>
|
||||
|
||||
@ -526,7 +523,7 @@ net <emphasis role="bold">venet0 </emphasis> detect dhcp,tc
|
||||
|
||||
<para>The network diagram is shown below.</para>
|
||||
|
||||
<graphic fileref="images/Network2010.png" />
|
||||
<graphic fileref="images/Network2010.png"/>
|
||||
|
||||
<para>The two systems shown in the green box are OpenVZ Virtual
|
||||
Environments (containers).</para>
|
||||
@ -768,8 +765,7 @@ NAME="server"
|
||||
|
||||
<para><filename><filename>/etc/shorewall/zones</filename>:</filename></para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
fw firewall
|
||||
net ipv4 #Internet
|
||||
loc ipv4 #Local wired Zone
|
||||
@ -783,10 +779,10 @@ INT_IF=eth1
|
||||
<emphasis role="bold">VPS_IF=vzbr0</emphasis>
|
||||
...</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
|
||||
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
|
||||
dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
|
||||
loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
|
||||
dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
|
||||
...</programlisting></para>
|
||||
|
||||
<para><filename>/etc/shorewall/proxyarp:</filename></para>
|
||||
@ -813,15 +809,14 @@ dmz $VPS_IF detect logmartians=0,routefilter=0,nets
|
||||
|
||||
<para><filename>/etc/shorewall/zones:</filename></para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
fw firewall
|
||||
net ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces:</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net <emphasis role="bold">eth0 </emphasis> detect dhcp,tcpflags,logmartians,nosmurfs</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net <emphasis role="bold">eth0 </emphasis> dhcp,tcpflags,logmartians,nosmurfs</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
</article>
|
||||
|
@ -178,8 +178,8 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Rules are conditionally executed based on whether the current
|
||||
packet matches the contents of the SOURCE, DEST, PROTO, PORT(S),
|
||||
CLIENT PORT(S_, USER, TEST, LENGTH and TOS columns.</para>
|
||||
packet matches the contents of the SOURCE, DEST, PROTO, DPORT, SPORT,
|
||||
USER, TEST, LENGTH and TOS columns.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -352,7 +352,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
|
||||
<para>The relationship between these options is shown in this
|
||||
diagram.</para>
|
||||
|
||||
<graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
|
||||
<graphic align="left" fileref="images/MarkGeometry.png" valign="top"/>
|
||||
|
||||
<para>The default values of these options are determined by the settings
|
||||
of other options as follows:</para>
|
||||
@ -476,8 +476,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
|
||||
<para>Here's the example (slightly expanded) from the comments at the top
|
||||
of the <filename>/etc/shorewall/mangle</filename> file.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS
|
||||
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1
|
||||
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2
|
||||
MARK(1) $FW 0.0.0.0/0 icmp echo-request #Rule 3
|
||||
@ -486,8 +485,7 @@ MARK(1) $FW 0.0.0.0/0 icmp echo-reply #R
|
||||
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 #Rule 5
|
||||
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 6
|
||||
MARK(4) 0.0.0.0/0 0.0.0.0/0 ipp2p:all #Rule 7
|
||||
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8
|
||||
##LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8</programlisting>
|
||||
|
||||
<para>Let's take a look at each rule:</para>
|
||||
|
||||
@ -554,33 +552,25 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #R
|
||||
<filename>/etc/shorewall/providers</filename>:</para>
|
||||
|
||||
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
|
||||
Blarg 1 0x100 main eth3 206.124.146.254 track,balance br0,eth1
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
</programlisting>
|
||||
Blarg 1 0x100 main eth3 206.124.146.254 track,balance br0,eth1</programlisting>
|
||||
|
||||
<para>Here is <filename>/etc/shorewall/mangle</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
CLASSIFY(1:110) 192.168.0.0/22 eth3 #Our internal nets get priority
|
||||
#over the server
|
||||
CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
</programlisting>
|
||||
CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873</programlisting>
|
||||
|
||||
<para>And here is <filename>/etc/shorewall/tcdevices</filename> and
|
||||
<filename>/etc/shorewall/tcclasses</filename>:</para>
|
||||
|
||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
||||
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
|
||||
eth3 1.3mbit 384kbit
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||
eth3 10 full full 1 tcp-ack,tos-minimize-delay
|
||||
eth3 20 9*full/10 9*full/10 2 default
|
||||
eth3 30 6*full/10 6*full/10 3
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
</programlisting>
|
||||
eth3 30 6*full/10 6*full/10 3</programlisting>
|
||||
|
||||
<para>I've annotated the following output with comments beginning with
|
||||
"<<<<" and ending with ">>>>". This example uses
|
||||
|
@ -131,13 +131,13 @@ add_rule( $chainref, '-p tcp --dport 1601 -m recent --name
|
||||
Internet, add this rule in
|
||||
<filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
SSHKnock net $FW tcp 22,1599,1600,1601</programlisting>
|
||||
|
||||
<para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you
|
||||
can just add a log level as in:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
SSHKnock:info net $FW tcp 22,1599,1600,1601</programlisting>
|
||||
</listitem>
|
||||
|
||||
@ -146,18 +146,16 @@ SSHKnock:info net $FW tcp 22,1599,1600,1601<
|
||||
206.124.146.178 to internal system 192.168.1.5. In
|
||||
/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
|
||||
SSHKnock net $FW tcp 1599,1600,1601
|
||||
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>
|
||||
|
||||
<note>
|
||||
<para>You can use SSHKnock with DNAT on earlier releases provided
|
||||
that you omit the ORIGINAL DEST entry on the second SSHKnock rule.
|
||||
This rule will be quite secure provided that you specify
|
||||
'routefilter' on your external interface and have
|
||||
NULL_ROUTE_RFC1918=Yes in
|
||||
that you omit the ORIGDEST entry on the second SSHKnock rule. This
|
||||
rule will be quite secure provided that you specify 'routefilter' on
|
||||
your external interface and have NULL_ROUTE_RFC1918=Yes in
|
||||
<filename>shorewall.conf</filename>.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
|
@ -84,7 +84,7 @@
|
||||
|
||||
<para>The following figure represents a Proxy ARP environment.</para>
|
||||
|
||||
<graphic align="center" fileref="images/proxyarp.png" />
|
||||
<graphic align="center" fileref="images/proxyarp.png"/>
|
||||
|
||||
<para>Proxy ARP can be used to make the systems with addresses
|
||||
130.252.100.18 and 130.252.100.19 appear to be on the upper
|
||||
@ -129,7 +129,7 @@
|
||||
irrelevant, one approach you can take is to make that address the same as
|
||||
the address of your external interface!</para>
|
||||
|
||||
<graphic align="center" fileref="images/proxyarp1.png" />
|
||||
<graphic align="center" fileref="images/proxyarp1.png"/>
|
||||
|
||||
<para>In the diagram above, <filename class="devicefile">eth1</filename>
|
||||
has been given the address 130.252.100.17, the same as
|
||||
@ -142,8 +142,7 @@
|
||||
you have configured to be in the <emphasis role="bold">loc</emphasis> zone
|
||||
then you would need this entry in /etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net loc:130.252.100.19 tcp 80</programlisting>
|
||||
|
||||
<warning>
|
||||
|
@ -213,8 +213,7 @@ ip link set ifb0 up</programlisting>
|
||||
|
||||
<para>The tcdevices file describes the two devices:</para>
|
||||
|
||||
<programlisting>#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED
|
||||
#INTERFACE INTERFACES
|
||||
<programlisting>#NUMBER: IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
|
||||
1:eth0 - ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0
|
||||
2:ifb0 - ${DOWNLOAD}kbit hfsc eth0</programlisting>
|
||||
</section>
|
||||
@ -225,67 +224,66 @@ ip link set ifb0 up</programlisting>
|
||||
<para>The tcclasses file defines the class hierarchy for both
|
||||
devices:</para>
|
||||
|
||||
<programlisting>#IFACE: MARK RATE: CEIL PRIORITY OPTIONS
|
||||
#CLASS DMAX:UMAX
|
||||
1 1 ${UP_SC_VOIP_RATE}kbit:\
|
||||
${UP_SC_VOIP_DMAX}:\
|
||||
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
|
||||
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||
1 1 ${UP_SC_VOIP_RATE}kbit:\
|
||||
${UP_SC_VOIP_DMAX}:\
|
||||
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
|
||||
|
||||
1 2 ${UP_RT_PRIO_RATE}kbit:\
|
||||
${UP_RT_PRIO_DMAX}:\
|
||||
${UP_RT_PRIO_UMAX} ${UP_LS_PRIO_RATE}kbit:\
|
||||
${UP_UL_PRIO_RATE}kbit 1
|
||||
1 2 ${UP_RT_PRIO_RATE}kbit:\
|
||||
${UP_RT_PRIO_DMAX}:\
|
||||
${UP_RT_PRIO_UMAX} ${UP_LS_PRIO_RATE}kbit:\
|
||||
${UP_UL_PRIO_RATE}kbit 1
|
||||
|
||||
1 3 - ${UP_LS_NORMAL_RATE}kbit:\
|
||||
${UP_UL_NORMAL_RATE}kbit 1 red=(limit=$UP_NORMAL_RED_limit,\
|
||||
min=$UP_NORMAL_RED_min,\
|
||||
max=$UP_NORMAL_RED_max,\
|
||||
burst=$UP_NORMAL_RED_burst,\
|
||||
probability=$UP_NORMAL_RED_PROB,\
|
||||
ecn)
|
||||
1 4 - ${UP_LS_P2P_RATE}kbit:\
|
||||
${UP_UL_P2P_RATE}kbit 1 red=(limit=$UP_P2P_RED_limit,\
|
||||
min=$UP_P2P_RED_min,\
|
||||
max=$UP_P2P_RED_max,\
|
||||
burst=$UP_P2P_RED_burst,\
|
||||
probability=$UP_P2P_RED_PROB,\
|
||||
ecn)
|
||||
1 5 - ${UP_LS_BULK_RATE}kbit:\
|
||||
${UP_UL_BULK_RATE}kbit 1 default,\
|
||||
red=(limit=$UP_BULK_RED_limit,\
|
||||
min=$UP_BULK_RED_min,\
|
||||
max=$UP_BULK_RED_max,\
|
||||
burst=$UP_BULK_RED_burst,\
|
||||
probability=$UP_BULK_RED_PROB,\
|
||||
ecn)
|
||||
1 3 - ${UP_LS_NORMAL_RATE}kbit:\
|
||||
${UP_UL_NORMAL_RATE}kbit 1 red=(limit=$UP_NORMAL_RED_limit,\
|
||||
min=$UP_NORMAL_RED_min,\
|
||||
max=$UP_NORMAL_RED_max,\
|
||||
burst=$UP_NORMAL_RED_burst,\
|
||||
probability=$UP_NORMAL_RED_PROB,\
|
||||
ecn)
|
||||
1 4 - ${UP_LS_P2P_RATE}kbit:\
|
||||
${UP_UL_P2P_RATE}kbit 1 red=(limit=$UP_P2P_RED_limit,\
|
||||
min=$UP_P2P_RED_min,\
|
||||
max=$UP_P2P_RED_max,\
|
||||
burst=$UP_P2P_RED_burst,\
|
||||
probability=$UP_P2P_RED_PROB,\
|
||||
ecn)
|
||||
1 5 - ${UP_LS_BULK_RATE}kbit:\
|
||||
${UP_UL_BULK_RATE}kbit 1 default,\
|
||||
red=(limit=$UP_BULK_RED_limit,\
|
||||
min=$UP_BULK_RED_min,\
|
||||
max=$UP_BULK_RED_max,\
|
||||
burst=$UP_BULK_RED_burst,\
|
||||
probability=$UP_BULK_RED_PROB,\
|
||||
ecn)
|
||||
|
||||
2:10 - ${UP_SC_VOIP_RATE}kbit:\
|
||||
${UP_SC_VOIP_DMAX}:\
|
||||
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
|
||||
2:10 - ${UP_SC_VOIP_RATE}kbit:\
|
||||
${UP_SC_VOIP_DMAX}:\
|
||||
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
|
||||
|
||||
2:20 - ${DOWN_RT_PRIO_RATE}kbit:\
|
||||
${DOWN_RT_PRIO_DMAX}:\
|
||||
${DOWN_RT_PRIO_UMAX} ${DOWN_UL_PRIO_RATE}kbit 1
|
||||
2:20 - ${DOWN_RT_PRIO_RATE}kbit:\
|
||||
${DOWN_RT_PRIO_DMAX}:\
|
||||
${DOWN_RT_PRIO_UMAX} ${DOWN_UL_PRIO_RATE}kbit 1
|
||||
|
||||
2:30 - - ${DOWN_LS_NORMAL_RATE}kbit:\
|
||||
${DOWN_UL_NORMAL_RATE}kbit 1 red=(limit=$DOWN_NORMAL_RED_limit,\
|
||||
min=$DOWN_NORMAL_RED_min,\
|
||||
max=$DOWN_NORMAL_RED_max,\
|
||||
burst=$DOWN_NORMAL_RED_burst,\
|
||||
probability=$DOWN_NORMAL_RED_PROB)
|
||||
2:40 - - ${DOWN_LS_P2P_RATE}kbit:\
|
||||
${DOWN_UL_P2P_RATE}kbit 1 red=(limit=$DOWN_P2P_RED_limit,\
|
||||
min=$DOWN_P2P_RED_min,\
|
||||
max=$DOWN_P2P_RED_max,\
|
||||
burst=$DOWN_P2P_RED_burst,\
|
||||
probability=$DOWN_P2P_RED_PROB)
|
||||
2:50 - - ${DOWN_LS_BULK_RATE}kbit:\
|
||||
${DOWN_UL_BULK_RATE}kbit 1 default,\
|
||||
red=(limit=$DOWN_BULK_RED_limit,\
|
||||
min=$DOWN_BULK_RED_min,\
|
||||
max=$DOWN_BULK_RED_max,\
|
||||
burst=$DOWN_BULK_RED_burst,\
|
||||
probability=$DOWN_BULK_RED_PROB)</programlisting>
|
||||
2:30 - - ${DOWN_LS_NORMAL_RATE}kbit:\
|
||||
${DOWN_UL_NORMAL_RATE}kbit 1 red=(limit=$DOWN_NORMAL_RED_limit,\
|
||||
min=$DOWN_NORMAL_RED_min,\
|
||||
max=$DOWN_NORMAL_RED_max,\
|
||||
burst=$DOWN_NORMAL_RED_burst,\
|
||||
probability=$DOWN_NORMAL_RED_PROB)
|
||||
2:40 - - ${DOWN_LS_P2P_RATE}kbit:\
|
||||
${DOWN_UL_P2P_RATE}kbit 1 red=(limit=$DOWN_P2P_RED_limit,\
|
||||
min=$DOWN_P2P_RED_min,\
|
||||
max=$DOWN_P2P_RED_max,\
|
||||
burst=$DOWN_P2P_RED_burst,\
|
||||
probability=$DOWN_P2P_RED_PROB)
|
||||
2:50 - - ${DOWN_LS_BULK_RATE}kbit:\
|
||||
${DOWN_UL_BULK_RATE}kbit 1 default,\
|
||||
red=(limit=$DOWN_BULK_RED_limit,\
|
||||
min=$DOWN_BULK_RED_min,\
|
||||
max=$DOWN_BULK_RED_max,\
|
||||
burst=$DOWN_BULK_RED_burst,\
|
||||
probability=$DOWN_BULK_RED_PROB)</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@ -293,8 +291,7 @@ ip link set ifb0 up</programlisting>
|
||||
|
||||
<para>The mangle file classifies upload packets:</para>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST PROTO DEST SOURCE USER TEST
|
||||
# PORT(S) PORT(S)
|
||||
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
RESTORE:T - - - - - - !0:C
|
||||
CONTINUE:T - - - - - - !0
|
||||
2:T - - icmp
|
||||
@ -319,8 +316,7 @@ SAVE:T - - - - - -
|
||||
|
||||
<para>The tcfilters file classifies download packets:</para>
|
||||
|
||||
<programlisting>#INTERFACE: SOURCE DEST PROTO DEST SOURCE TOS LENGTH
|
||||
#CLASS PORT(S) PORT(S)
|
||||
<programlisting>#INTERFACE: SOURCE DEST PROTO DPORT SPORT TOS LENGTH
|
||||
#
|
||||
# These classify download traffic
|
||||
#
|
||||
|
@ -240,15 +240,15 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>DEST PORT(S)</para>
|
||||
<para>DPORT</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>SOURCE PORT(S)</para>
|
||||
<para>SPORT</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>ORIGINAL DEST</para>
|
||||
<para>ORIGDEST</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -284,8 +284,9 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Notice that the first five columns of both sets are the
|
||||
same.</para>
|
||||
<para>Notice that the first five columns of both sets are the same
|
||||
(although the port-valued column names have changed, the contents are
|
||||
the same).</para>
|
||||
|
||||
<para>In Shorewall 5, support for format-1 macros and actions has been
|
||||
dropped and all macros and actions will be processed as if ?FORMAT 2
|
||||
|
@ -163,8 +163,7 @@ httpd_accel_uses_host_header on</programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
ACCEPT $FW net tcp www
|
||||
REDIRECT loc 3128 tcp www - !206.124.146.177
|
||||
</programlisting>
|
||||
@ -175,10 +174,9 @@ REDIRECT loc 3128 tcp www - !206.124.146.
|
||||
Squid.</para>
|
||||
|
||||
<para>If needed, you may just add the additional hosts/networks to the
|
||||
ORIGINAL DEST column in your REDIRECT rule.</para>
|
||||
ORIGDEST column in your REDIRECT rule.</para>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
|
||||
|
||||
<para>People frequently ask <emphasis>How can I exclude certain
|
||||
@ -188,8 +186,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
|
||||
<para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33
|
||||
from the proxy. Your rules would then be:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
ACCEPT $FW net tcp www
|
||||
REDIRECT loc:!192.168.1.5,192.168.1.33\
|
||||
3128 tcp www - !206.124.146.177,130.252.100.0/24
|
||||
@ -215,8 +212,7 @@ gateway:/etc/shorewall# </programlisting>
|
||||
role="bold">(squid)</emphasis> is running under the <emphasis
|
||||
role="bold">proxy</emphasis> user Id. We add these rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL RATE USER/
|
||||
# PORT(S) DEST LIMIT GROUP
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
||||
ACCEPT $FW net tcp www
|
||||
REDIRECT $FW 3128 tcp www - - - <emphasis
|
||||
role="bold"> !proxy</emphasis></programlisting>
|
||||
@ -242,18 +238,16 @@ Squid 1 202 - eth1 192.168.1.3 loose,no
|
||||
<listitem>
|
||||
<para>In <filename>/etc/shorewall/mangle</filename> add:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
|
||||
|
||||
<para>If you are still using a tcrules file, you should consider
|
||||
switching to using a mangle file (<command>shorewall update
|
||||
-t</command> (<command>shorewall update</command> on
|
||||
Shorewall 5.0 and later) will do that for you). Corresponding
|
||||
-t</command> (<command>shorewall update</command> on Shorewall 5.0
|
||||
and later) will do that for you). Corresponding
|
||||
/etc/shorewall/tcrules entries are:</para>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#MARK SOURCE DEST PROTO DPORT
|
||||
202:P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
|
||||
</listitem>
|
||||
|
||||
@ -261,8 +255,8 @@ MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
|
||||
<para>In <filename> <filename>/etc/shorewall/interfaces</filename>
|
||||
</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth1 detect <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth1 <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -294,8 +288,7 @@ loc eth1 detect <emphasis role="bold">routeback,routefilter=0,
|
||||
|
||||
<para>In <filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177</programlisting>
|
||||
</section>
|
||||
|
||||
@ -316,14 +309,12 @@ Squid 1 202 - eth2 192.0.2.177 loose,no
|
||||
<listitem>
|
||||
<para>In <filename>/etc/shorewall/mangle</filename> add:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||
|
||||
<para>Corresponding /etc/shorewall/tcrules entries are:</para>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#MARK SOURCE DEST PROTO DPORT
|
||||
202:P eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||
</listitem>
|
||||
|
||||
@ -331,8 +322,8 @@ MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||
<para>In <filename> <filename>/etc/shorewall/interfaces</filename>
|
||||
</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth2 detect <emphasis role="bold">routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth2 <emphasis role="bold">routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -363,7 +354,7 @@ loc eth2 detect <emphasis role="bold">routefilter=0,logmartian
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT Z SZ tcp SP
|
||||
ACCEPT SZ net tcp 80,443</programlisting>
|
||||
|
||||
@ -371,7 +362,7 @@ ACCEPT SZ net tcp 80,443</programlisting>
|
||||
<title>Squid on the firewall listening on port 8080 with access from the
|
||||
<quote>loc</quote> zone:</title>
|
||||
|
||||
<para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT loc $FW tcp 8080
|
||||
ACCEPT $FW net tcp 80,443</programlisting></para>
|
||||
</example>
|
||||
@ -406,8 +397,8 @@ ACCEPT $FW net tcp 80,443</programlisting></para>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces:</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
- lo - -</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
- lo -</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/providers</filename>:</para>
|
||||
|
||||
@ -422,17 +413,13 @@ Tproxy 1 - - lo - tproxy</programli
|
||||
<para><filename>/etc/shorewall/mangle</filename> (assume loc interface is
|
||||
eth1 and net interface is eth0):</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
DIVERT eth0 0.0.0.0/0 tcp - 80
|
||||
TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||
|
||||
<para>Corresponding <filename>/etc/shorewall/tcrules</filename>
|
||||
are:</para>
|
||||
<para>Corresponding <filename>/etc/shorewall/mangle</filename> are:</para>
|
||||
|
||||
<programlisting><emphasis role="bold">FORMAT 2</emphasis>
|
||||
#MARK SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
|
||||
DIVERT eth0 0.0.0.0/0 tcp - 80
|
||||
TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||
|
||||
@ -445,16 +432,14 @@ TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||
on port 80, then you need to exclude it from TPROXY. Suppose that your
|
||||
web server listens on 192.0.2.144; then:</para>
|
||||
|
||||
<programlisting><emphasis role="bold">FORMAT 2</emphasis>
|
||||
#MARK SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
|
||||
DIVERT eth0 0.0.0.0/0 tcp - 80
|
||||
TPROXY(3129) eth1 !192.0.2.144 tcp 80 -</programlisting>
|
||||
</note>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT loc $FW tcp 80
|
||||
ACCEPT $FW net tcp 80</programlisting>
|
||||
|
||||
|
@ -166,7 +166,7 @@ iface eth0 inet static
|
||||
<example id="SSH">
|
||||
<title>allow SSH from net to eth0:0 above</title>
|
||||
|
||||
<para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
|
||||
</example>
|
||||
</section>
|
||||
@ -179,15 +179,14 @@ ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
|
||||
zone at 192.168.1.3. That is accomplished by a single rule in the
|
||||
<filename>/etc/shorewall/rules</filename> file:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 </programlisting>
|
||||
|
||||
<para>If I wished to forward tcp port 10000 on that virtual interface to
|
||||
port 22 on local host 192.168.1.3, the rule would be:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178
|
||||
DNAT net loc:192.168.1.3:22 tcp 10000 - 206.124.146.178 </programlisting>
|
||||
</section>
|
||||
|
||||
@ -202,7 +201,7 @@ DNAT net loc:192.168.1.3:22 tcp 10000 - 20
|
||||
eth0 192.168.1.0/24 206.124.146.178</programlisting>
|
||||
|
||||
<para>Similarly, you want SMTP traffic from local system 192.168.1.22 to
|
||||
have source IP 206.124.146.178:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DEST PORT(S)
|
||||
have source IP 206.124.146.178:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT
|
||||
eth0 192.168.1.22 206.124.146.178 tcp 25</programlisting></para>
|
||||
|
||||
<para>Shorewall can create the alias (additional address) for you if you
|
||||
@ -246,7 +245,7 @@ eth0:2 = 206.124.146.180</programlisting>
|
||||
would have the following in
|
||||
<filename>/etc/shorewall/nat</filename>:</para>
|
||||
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL
|
||||
206.124.146.178 eth0 192.168.1.3 no no</programlisting>
|
||||
|
||||
<para>Shorewall can create the alias (additional address) for you if you
|
||||
@ -263,7 +262,7 @@ eth0:2 = 206.124.146.180</programlisting>
|
||||
setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in
|
||||
the INTERFACE column as follows.</para>
|
||||
|
||||
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL
|
||||
206.124.146.178 eth0:0 192.168.1.3 no no</programlisting></para>
|
||||
|
||||
<para>In either case, to create rules in
|
||||
@ -275,7 +274,7 @@ eth0:2 = 206.124.146.180</programlisting>
|
||||
<title>You want to allow SSH from the net to 206.124.146.178 a.k.a.
|
||||
192.168.1.3.</title>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
|
||||
</example>
|
||||
</section>
|
||||
@ -305,8 +304,8 @@ loc ipv4</programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth1 - <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth1 <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/rules</filename>, simply specify
|
||||
ACCEPT rules for the traffic that you want to permit.</para>
|
||||
@ -327,8 +326,8 @@ loc2 ipv4</programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
- eth1 - </programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
- eth1 </programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/hosts</filename>:</para>
|
||||
|
||||
|
@ -68,7 +68,7 @@
|
||||
<para>The following diagram shows the relationship between routing
|
||||
decisions and Netfilter.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Netfilter.png" />
|
||||
<graphic align="center" fileref="images/Netfilter.png"/>
|
||||
|
||||
<para>The light blue boxes indicate where routing decisions are made. Upon
|
||||
exit from one of these boxes, if the packet is being sent to another
|
||||
@ -208,8 +208,7 @@
|
||||
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
|
||||
|
||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||
206.124.146.177 eth1 eth0 No
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
206.124.146.177 eth1 eth0 No</programlisting>
|
||||
|
||||
<para>The above entry will cause Shorewall to execute the following
|
||||
command:</para>
|
||||
|
@ -86,7 +86,7 @@
|
||||
<para>The following diagram shows a firewall for two bridged LAN
|
||||
segments.</para>
|
||||
|
||||
<graphic align="center" fileref="images/SimpleBridge.png" valign="middle" />
|
||||
<graphic align="center" fileref="images/SimpleBridge.png" valign="middle"/>
|
||||
|
||||
<para>This is fundamentally the Two-interface Firewall described in the
|
||||
<ulink url="two-interface.htm">Two-interface Quickstart Guide</ulink>. The
|
||||
@ -108,10 +108,11 @@
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect ...
|
||||
loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <emphasis
|
||||
role="bold">routeback</emphasis>,...</programlisting>
|
||||
<programlisting>?FORMAT 2
|
||||
#ZONE INTERFACE OPTIONS
|
||||
net eth0 ...
|
||||
loc <emphasis role="bold">br0</emphasis> <emphasis
|
||||
role="bold">routeback,bridge</emphasis>,...</programlisting>
|
||||
|
||||
<para>So the key points here are:</para>
|
||||
|
||||
@ -128,8 +129,9 @@ loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The <emphasis role="bold">routeback</emphasis> option is
|
||||
specified for <filename class="devicefile">br0</filename>.</para>
|
||||
<para>The <emphasis role="bold">routeback</emphasis> and <emphasis
|
||||
role="bold">bridge</emphasis> options is specified for <filename
|
||||
class="devicefile">br0</filename>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -138,13 +140,6 @@ loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para><emphasis role="bold">Note to Shorewall-perl users</emphasis>: You
|
||||
should also specify the <emphasis role="bold">bridge</emphasis>
|
||||
option:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect ...
|
||||
loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <emphasis
|
||||
role="bold">routeback,bridge</emphasis>,...</programlisting></para>
|
||||
|
||||
<para>Your entry in <filename>/etc/shorewall/masq</filename> should be
|
||||
unchanged:</para>
|
||||
|
||||
|
@ -93,9 +93,8 @@ forward_chain_name = forwardUPnP</programlisting>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth1 detect dhcp,routefilter,tcpflags,<emphasis
|
||||
role="bold">upnp</emphasis></programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth1 dhcp,routefilter,tcpflags,<emphasis role="bold">upnp</emphasis></programlisting>
|
||||
|
||||
<para>If your loc->fw policy is not ACCEPT then you need this
|
||||
rule:</para>
|
||||
|
@ -202,7 +202,7 @@
|
||||
<filename>/etc/shorewall/macro.*</filename>, the general format of a
|
||||
rule in <filename>/etc/shorewall/rules</filename> is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<<emphasis>macro</emphasis>>(ACCEPT) net $FW</programlisting>
|
||||
|
||||
<important>
|
||||
@ -214,7 +214,7 @@
|
||||
<title>You want to run a Web Server and a IMAP Server on your firewall
|
||||
system:</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
Web(ACCEPT) net $FW
|
||||
IMAP(ACCEPT)net $FW</programlisting>
|
||||
</example>
|
||||
@ -225,14 +225,14 @@ IMAP(ACCEPT)net $FW</programlisting>
|
||||
general format of a rule in <filename>/etc/shorewall/rules</filename>
|
||||
is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
ACCEPT net $FW <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
||||
|
||||
<example id="Example2">
|
||||
<title>You want to run a Web Server and a IMAP Server on your firewall
|
||||
system:</title>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
ACCEPT net $FW tcp 80
|
||||
ACCEPT net $FW tcp 143</programlisting></para>
|
||||
</example>
|
||||
@ -320,7 +320,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
|
||||
<para>Then at a root prompt, type:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>/sbin/shorewall restart</command></para>
|
||||
<para><command>/sbin/shorewall reload</command></para>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
@ -345,7 +345,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
|
||||
<para>Then at a root prompt, type:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>/sbin/shorewall restart</command></para>
|
||||
<para><command>/sbin/shorewall reload</command></para>
|
||||
</blockquote>
|
||||
</section>
|
||||
</section>
|
||||
|
40
docs/VPN.xml
40
docs/VPN.xml
@ -46,7 +46,7 @@
|
||||
The two most common means for doing this are IPSEC and PPTP. The basic
|
||||
setup is shown in the following diagram:</para>
|
||||
|
||||
<graphic fileref="images/VPN.png" />
|
||||
<graphic fileref="images/VPN.png"/>
|
||||
|
||||
<para>A system with an RFC 1918 address needs to access a remote network
|
||||
through a remote gateway. For this example, we will assume that the local
|
||||
@ -87,15 +87,15 @@
|
||||
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DESTINATION</entry>
|
||||
<entry align="center">DEST</entry>
|
||||
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
<entry align="center">PROTO</entry>
|
||||
|
||||
<entry align="center">PORT</entry>
|
||||
<entry align="center">DPORT</entry>
|
||||
|
||||
<entry align="center">CLIENT PORT</entry>
|
||||
<entry align="center">SPORT</entry>
|
||||
|
||||
<entry align="center">ORIGINAL DEST</entry>
|
||||
<entry align="center">ORIGDEST</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
@ -109,11 +109,11 @@
|
||||
|
||||
<entry>50</entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -127,9 +127,9 @@
|
||||
|
||||
<entry>500</entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
@ -146,15 +146,15 @@
|
||||
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DESTINATION</entry>
|
||||
<entry align="center">DEST</entry>
|
||||
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
<entry align="center">PROTO</entry>
|
||||
|
||||
<entry align="center">PORT</entry>
|
||||
<entry align="center">DPORT</entry>
|
||||
|
||||
<entry align="center">CLIENT PORT</entry>
|
||||
<entry align="center">SPORT</entry>
|
||||
|
||||
<entry align="center">ORIGINAL DEST</entry>
|
||||
<entry align="center">ORIGDEST</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
@ -170,9 +170,9 @@
|
||||
|
||||
<entry>4500</entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -186,9 +186,9 @@
|
||||
|
||||
<entry>500</entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
|
@ -115,7 +115,7 @@
|
||||
|
||||
<para>Incoming traffic is similar.</para>
|
||||
|
||||
<graphic align="center" fileref="images/VPNBasics.png" />
|
||||
<graphic align="center" fileref="images/VPNBasics.png"/>
|
||||
</section>
|
||||
|
||||
<section id="Shorewall">
|
||||
@ -203,8 +203,8 @@ loc ipv4
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTION
|
||||
net eth0 - tcpflags,routefilter
|
||||
<programlisting>#ZONE INTERFACE OPTION
|
||||
net eth0 tcpflags,routefilter
|
||||
loc eth1 -
|
||||
<emphasis role="bold">rem ppp0 -</emphasis></programlisting>
|
||||
</section>
|
||||
@ -216,7 +216,7 @@ loc eth1 -
|
||||
client(s) and the local zone. You can do that with a couple of
|
||||
policies:</para>
|
||||
|
||||
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST/LIMIT
|
||||
<programlisting>#SOURCE DESTINATION POLICY LOGLEVEL BURST
|
||||
rem loc ACCEPT
|
||||
loc rem ACCEPT</programlisting>
|
||||
|
||||
@ -259,8 +259,8 @@ rem2 ipv4 #Remote LAN 2</emphasis></programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTION
|
||||
net eth0 - tcpflags,routefilter
|
||||
<programlisting>#ZONE INTERFACE OPTION
|
||||
net eth0 tcpflags,routefilter
|
||||
loc eth1 -
|
||||
<emphasis role="bold">- tun+ -</emphasis></programlisting>
|
||||
|
||||
@ -291,15 +291,14 @@ rem2 tun+:10.0.1.0/24</emphasis></programlisting>
|
||||
<para>/<filename>etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
ipsec Z1 1.2.3.4 Z2</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
ACCEPT $FW Z1:1.2.3.4 udp 500
|
||||
ACCEPT Z1:1.2.3.4 $FW udp 500
|
||||
ACCEPT $FW Z1:1.2.3.4 50
|
||||
@ -322,15 +321,14 @@ ACCEPT Z2:1.2.3.4 $FW udp 500</programlisting>
|
||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
pptpserver Z1 1.2.3.4</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>/<filename>etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
|
||||
ACCEPT Z1:1.2.3.4 $FW tcp 1723
|
||||
ACCEPT $FW Z1:1.2.3.4 47
|
||||
@ -347,15 +345,14 @@ ACCEPT Z1:1.2.3.4 $FW 47</programlisting>
|
||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
openvpn:<emphasis>port</emphasis> Z1 1.2.3.4</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
|
||||
ACCEPT Z1:1.2.3.4 $FW udp <emphasis>port</emphasis>
|
||||
ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></programlisting>
|
||||
@ -364,15 +361,14 @@ ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></progr
|
||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
openvpnclient:<emphasis>port</emphasis> Z1 1.2.3.4</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
|
||||
ACCEPT Z1:1.2.3.4 $FW udp - <emphasis>port</emphasis>
|
||||
ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></programlisting>
|
||||
@ -381,15 +377,14 @@ ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></progr
|
||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
openvpnserver:<emphasis>port</emphasis> Z1 1.2.3.4</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
|
||||
ACCEPT Z1:1.2.3.4 $FW udp <emphasis>port</emphasis>
|
||||
ACCEPT $FW Z1:1.2.3.4 udp - <emphasis>port</emphasis></programlisting>
|
||||
|
@ -122,7 +122,7 @@ gateway:~#</programlisting>
|
||||
<para>This is a diagram of the network configuration here at Shorewall.net
|
||||
during the summer of 2010:</para>
|
||||
|
||||
<graphic align="center" fileref="images/Network2010a.png" />
|
||||
<graphic align="center" fileref="images/Network2010a.png"/>
|
||||
|
||||
<para>I created a zone for the vservers as follows:</para>
|
||||
|
||||
@ -138,8 +138,9 @@ vpn ipv4 #OpenVPN clients
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<emphasis role="bold">net eth1 detect routeback,dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp</emphasis>
|
||||
<programlisting>?FORMAT 2
|
||||
#ZONE INTERFACE OPTIONS
|
||||
<emphasis role="bold">net eth1 routeback,dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp</emphasis>
|
||||
...</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
||||
@ -164,8 +165,7 @@ drct eth4:dynamic
|
||||
|
||||
<para><filename>/etc/shorewall6/zones</filename></para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
fw firewall
|
||||
net ipv6
|
||||
loc ipv6
|
||||
@ -175,8 +175,9 @@ vpn ipv6
|
||||
|
||||
<para><filename>/etc/shorewall6/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<emphasis role="bold">net sit1 detect tcpflags,forward=1,nosmurfs,routeback</emphasis>
|
||||
<programlisting>?FORMAT 2
|
||||
#ZONE INTERFACE OPTIONS
|
||||
<emphasis role="bold">net sit1 tcpflags,forward=1,nosmurfs,routeback</emphasis>
|
||||
...</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall6/hosts</filename>:</para>
|
||||
@ -204,7 +205,7 @@ vpn ipv6
|
||||
Proxy NDP support in Shorewall 4.4.16 and later. The new network diagram
|
||||
is as shown below:</para>
|
||||
|
||||
<graphic align="center" fileref="images/Network2011.png" />
|
||||
<graphic align="center" fileref="images/Network2011.png"/>
|
||||
|
||||
<para>This change was accompanied by the following additions to
|
||||
<filename>/etc/shorewall6/proxyndp</filename>:</para>
|
||||
|
@ -105,7 +105,7 @@
|
||||
|
||||
<para>Here is a high-level diagram of our network.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Xen5.png" />
|
||||
<graphic align="center" fileref="images/Xen5.png"/>
|
||||
|
||||
<para>As shown in this diagram, the Xen system has three physical network
|
||||
interfaces. These are:</para>
|
||||
@ -365,7 +365,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
|
||||
<para>With the three Xen domains up and running, the system looks as
|
||||
shown in the following diagram.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Xen4a.png" />
|
||||
<graphic align="center" fileref="images/Xen4a.png"/>
|
||||
|
||||
<para>The zones correspond to the Shorewall zones in the Dom0
|
||||
configuration.</para>
|
||||
@ -440,7 +440,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
|
||||
a bridged OpenVPN server for the wireless network in our home. Here is
|
||||
the firewall's view of the network:</para>
|
||||
|
||||
<graphic align="center" fileref="images/network4a.png" />
|
||||
<graphic align="center" fileref="images/network4a.png"/>
|
||||
|
||||
<para>The three laptops can be directly attached to the LAN as shown
|
||||
above or they can be attached wirelessly -- their IP addresses are the
|
||||
@ -520,21 +520,17 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
fw firewall #The firewall itself.
|
||||
net ipv4 #Internet
|
||||
loc ipv4 #Local wired Zone
|
||||
dmz ipv4 #DMZ
|
||||
vpn ipv4 #Open VPN clients
|
||||
wifi ipv4 #Local Wireless Zone
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
</programlisting>
|
||||
wifi ipv4 #Local Wireless Zone</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/policy</filename>:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||
# LEVEL
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
$FW $FW ACCEPT
|
||||
$FW net ACCEPT
|
||||
loc net ACCEPT
|
||||
@ -549,8 +545,7 @@ net $FW DROP $LOG 1/sec:2
|
||||
net loc DROP $LOG 2/sec:4
|
||||
net dmz DROP $LOG 8/sec:30
|
||||
net vpn DROP $LOG
|
||||
all all REJECT $LOG
|
||||
#LAST LINE -- DO NOT REMOVE</programlisting>
|
||||
all all REJECT $LOG</programlisting>
|
||||
|
||||
<para><filename>Note that the firewall<->local network interface
|
||||
is wide open so from a security point of view, the firewall system is
|
||||
@ -572,9 +567,7 @@ EXT_IF=eth0
|
||||
WIFI_IF=eth2
|
||||
TEST_IF=eth4
|
||||
|
||||
OMAK=<IP address at our second home>
|
||||
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
OMAK=<IP address at our second home></programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/init</filename>:</para>
|
||||
|
||||
@ -591,16 +584,14 @@ loc $TEST_IF detect optional
|
||||
loc $TEST1_IF detect optional
|
||||
wifi $WIFI_IF detect dhcp,maclist,mss=1400
|
||||
vpn tun+ -
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/nat</filename>:</para>
|
||||
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||
COMMENT One-to-one NAT
|
||||
206.124.146.178 $EXT_IF:0 192.168.1.3 No No
|
||||
206.124.146.180 $EXT_IF:2 192.168.1.6 No No
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
206.124.146.180 $EXT_IF:2 192.168.1.6 No No</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/masq (Note the cute trick here and in
|
||||
the <filename>following proxyarp</filename> file that allows me to
|
||||
@ -609,7 +600,7 @@ COMMENT One-to-one NAT
|
||||
rule before the SNAT rules generated by entries in
|
||||
<filename>/etc/shorewall/nat</filename> above.</para>
|
||||
|
||||
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC
|
||||
<programlisting>#INTERFACE SOURCE ADDRESS PROTO DPORT IPSEC
|
||||
COMMENT Handle DSL 'Modem'
|
||||
|
||||
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
|
||||
@ -624,51 +615,36 @@ $EXT_IF:192.168.99.1 192.168.98.1 192.168.1.98
|
||||
|
||||
COMMENT Masquerade Local Network
|
||||
|
||||
$EXT_IF 192.168.1.0/24 206.124.146.179
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
$EXT_IF 192.168.1.0/24 206.124.146.179</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
|
||||
|
||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||
192.168.1.1 $EXT_IF $INT_IF yes
|
||||
206.124.146.177 $DMZ_IF $EXT_IF yes
|
||||
192.168.1.7 $TEST_IF $INT_IF yes
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
192.168.1.7 $TEST_IF $INT_IF yes</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY
|
||||
# ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
|
||||
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/blacklist</filename>:</para>
|
||||
|
||||
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
|
||||
- udp 1024:1033,1434
|
||||
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/actions</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION
|
||||
Mirrors # Accept traffic from Shorewall Mirrors
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
Mirrors # Accept traffic from Shorewall Mirrors</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
ACCEPT $MIRRORS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
|
||||
ACCEPT $MIRRORS</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>SECTION NEW
|
||||
###############################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
||||
###############################################################################################################################################################################
|
||||
REJECT:$LOG loc net tcp 25
|
||||
REJECT:$LOG loc net udp 1025:1031
|
||||
@ -893,28 +869,24 @@ Ping(ACCEPT) fw dmz
|
||||
# Avoid logging Freenode.net probes
|
||||
#
|
||||
DROP net:82.96.96.3 all
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tcdevices</filename></para>
|
||||
<para><filename>etc/shorewall/tcdevices</filename></para>
|
||||
|
||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
||||
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
|
||||
$EXT_IF 1300kbit 384kbit
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||
$EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay
|
||||
$EXT_IF 20 3*full/10 9*full/10 2 default
|
||||
$EXT_IF 30 2*full/10 6*full/10 3
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
|
||||
$EXT_IF 30 2*full/10 6*full/10 3</programlisting></para>
|
||||
|
||||
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||
# PORT(S)
|
||||
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
|
||||
#over the server
|
||||
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
|
||||
#Shorewall Mirrors.
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
|
||||
<para><filename>/etc/shorewall/mangle</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
CLASSIFY(1:110) 192.168.0.0/22 $EXT_IF #Our internal nets get priority
|
||||
#over the server
|
||||
CLASSIFY(1:130) 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
|
||||
#Shorewall Mirrors.</programlisting></para>
|
||||
</blockquote>
|
||||
|
||||
<para>The <filename class="devicefile">tap0</filename> device used by
|
||||
|
@ -72,7 +72,7 @@
|
||||
class="devicefile">xenbr0</filename>) and a number of virtual interfaces
|
||||
as shown in the following diagram.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Xen1.png" />
|
||||
<graphic align="center" fileref="images/Xen1.png"/>
|
||||
|
||||
<para>I use the term <firstterm>Extended Dom0</firstterm> to distinguish
|
||||
the bridge and virtual interfaces from Dom0 itself. That distinction is
|
||||
@ -169,7 +169,7 @@
|
||||
|
||||
<para>Here is a high-level diagram of our network.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Xen5.png" />
|
||||
<graphic align="center" fileref="images/Xen5.png"/>
|
||||
|
||||
<para>As shown in this diagram, the Xen system has three physical network
|
||||
interfaces. These are:</para>
|
||||
@ -330,7 +330,7 @@ disk = [ 'phy:hda3,hda3,w' ]</programlisting>
|
||||
<para>With all three Xen domains up and running, the system looks as
|
||||
shown in the following diagram.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Xen4.png" />
|
||||
<graphic align="center" fileref="images/Xen4.png"/>
|
||||
|
||||
<para>The zones correspond to the Shorewall zones in the firewall DomU
|
||||
configuration.</para>
|
||||
@ -430,39 +430,24 @@ done</programlisting>
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/zones</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
fw firewall
|
||||
loc ipv4
|
||||
dmz ipv4
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
</programlisting>
|
||||
dmz ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/policy</filename> (Note the unusual use
|
||||
of an ACCEPT all->all policy):</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||
# LEVEL
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
dmz all REJECT info
|
||||
all dmz REJECT info
|
||||
all all ACCEPT
|
||||
#LAST LINE -- DO NOT REMOVE</programlisting>
|
||||
all all ACCEPT</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc xenbr0 192.168.1.255 dhcp,routeback
|
||||
dmz xenbr1 - routeback
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
SECTION NEW
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
dmz xenbr1 - routeback</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
@ -478,7 +463,7 @@ SECTION NEW
|
||||
for our two laptops and a bridged OpenVPN server for the wireless
|
||||
network in our home. Here is the firewall's view of the network:</para>
|
||||
|
||||
<graphic align="center" fileref="images/network4.png" />
|
||||
<graphic align="center" fileref="images/network4.png"/>
|
||||
|
||||
<para>The two laptops can be directly attached to the LAN as shown above
|
||||
or they can be attached wirelessly -- their IP addresses are the same in
|
||||
@ -544,21 +529,17 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
fw firewall
|
||||
net ipv4 #Internet
|
||||
loc ipv4 #Local wired Zone
|
||||
dmz ipv4 #DMZ
|
||||
vpn ipv4 #Open VPN clients
|
||||
wifi ipv4 #Local Wireless Zone
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
</programlisting>
|
||||
wifi ipv4 #Local Wireless Zone</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/policy</filename>:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||
# LEVEL
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
$FW $FW ACCEPT
|
||||
$FW net ACCEPT
|
||||
loc net ACCEPT
|
||||
@ -573,8 +554,7 @@ net $FW DROP $LOG 1/sec:2
|
||||
net loc DROP $LOG 2/sec:4
|
||||
net dmz DROP $LOG 8/sec:30
|
||||
net vpn DROP $LOG
|
||||
all all REJECT $LOG
|
||||
#LAST LINE -- DO NOT REMOVE</programlisting>
|
||||
all all REJECT $LOG</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/params (edited)</filename>:</para>
|
||||
|
||||
@ -591,9 +571,7 @@ DMZ_IF=eth1
|
||||
EXT_IF=eth3
|
||||
WIFI_IF=eth4
|
||||
|
||||
OMAK=<IP address at our second home>
|
||||
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
OMAK=<IP address at our second home></programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/init</filename>:</para>
|
||||
|
||||
@ -607,15 +585,14 @@ dmz $DMZ_IF 192.168.0.255 logmartians
|
||||
loc $INT_IF 192.168.1.255 dhcp,routeback,logmartians
|
||||
wifi $WIFI_IF 192.168.3.255 dhcp,maclist
|
||||
vpn tun+ -
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/nat</filename>:</para>
|
||||
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||
206.124.146.178 $EXT_IF 192.168.1.3 No No #Wookie
|
||||
206.124.146.180 $EXT_IF 192.168.1.6 No No #Work LapTop
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/masq (Note the cute trick here and in
|
||||
the <filename>following proxyarp</filename> file that allows me to
|
||||
@ -624,45 +601,39 @@ vpn tun+ -
|
||||
rule before the SNAT rules generated by entries in
|
||||
<filename>/etc/shorewall/nat</filename> above.</para>
|
||||
|
||||
<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
||||
<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT IPSEC
|
||||
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
|
||||
$EXT_IF 192.168.0.0/22 206.124.146.179
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
$EXT_IF 192.168.0.0/22 206.124.146.179</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
|
||||
|
||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||
192.168.1.1 $EXT_IF $INT_IF yes
|
||||
206.124.146.177 $DMZ_IF $EXT_IF yes
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
206.124.146.177 $DMZ_IF $EXT_IF yes</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY
|
||||
# ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
|
||||
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/actions</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION
|
||||
Mirrors # Accept traffic from Shorewall Mirrors
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
ACCEPT $MIRRORS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
<programlisting>#TARGET SOURCE DEST PROTO PORT SPORT ORIGDEST RATE
|
||||
ACCEPT $MIRRORS</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>SECTION NEW
|
||||
<programlisting>?SECTION NEW
|
||||
###############################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
||||
###############################################################################################################################################################################
|
||||
REJECT:$LOG loc net tcp 25
|
||||
REJECT:$LOG loc net udp 1025:1031
|
||||
@ -815,28 +786,24 @@ Ping(ACCEPT) fw dmz
|
||||
# Avoid logging Freenode.net probes
|
||||
#
|
||||
DROP net:82.96.96.3 all
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tcdevices</filename></para>
|
||||
|
||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
||||
$EXT_IF 1300kbit 384kbit
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
</programlisting>
|
||||
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
|
||||
$EXT_IF 1300kbit 384kbit</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||
$EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay
|
||||
$EXT_IF 20 3*full/10 9*full/10 2 default
|
||||
$EXT_IF 30 2*full/10 6*full/10 3
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
|
||||
$EXT_IF 30 2*full/10 6*full/10 3</programlisting></para>
|
||||
|
||||
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||
# PORT(S)
|
||||
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
|
||||
#over the server
|
||||
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
|
||||
#Shorewall Mirrors.
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
|
||||
<para><filename>/etc/shorewall/mangle</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
CLASSIFY(1:110) 192.168.0.0/22 $EXT_IF #Our internal nets get priority
|
||||
#over the server
|
||||
CLASSIFY(1:130) 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
|
||||
#Shorewall Mirrors.
|
||||
</programlisting></para>
|
||||
</blockquote>
|
||||
|
||||
<para>The tap0 device used by the bridged OpenVPN server is bridged to
|
||||
|
@ -85,14 +85,13 @@
|
||||
url="manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)).
|
||||
There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions,
|
||||
standard and custom macros as well as standard and custom actions. See
|
||||
<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
|
||||
details.</para>
|
||||
<ulink url="manpages/shorewall-rules.html">shorewall-blrules</ulink> (5)
|
||||
for details.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORTS(S)
|
||||
SECTION BLACKLIST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
|
||||
WHITELIST net:70.90.191.126 all
|
||||
DROP net all udp 1023:1033,1434,5948,23773
|
||||
DROP all net udp 1023:1033
|
||||
@ -107,243 +106,74 @@ DROP net:200.55.14.18 all
|
||||
<para>Beginning with Shorewall 4.4.26, the <command>update</command>
|
||||
command supports a <option>-b</option> option that causes your legacy
|
||||
blacklisting configuration to use the blrules file.</para>
|
||||
|
||||
<note>
|
||||
<para>If you prefer to keep your blacklisting rules in your rules file
|
||||
(<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink>
|
||||
(5)), you can place them in the BLACKLIST section of that file rather
|
||||
than in blrules.</para>
|
||||
</note>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Legacy Blacklisting</title>
|
||||
<title>Dynamic Blacklisting</title>
|
||||
|
||||
<para>Prior to 4.4.25, two forms of blacklisting were supported; static
|
||||
and dynamic. The dynamic variety is still appropriate for
|
||||
<firstterm>on-the-fly</firstterm> blacklisting; the static form is
|
||||
deprecated.</para>
|
||||
<para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
|
||||
setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
|
||||
Prior to that release, the feature is always enabled.</para>
|
||||
|
||||
<important>
|
||||
<para><emphasis role="bold">By default, only the source address is
|
||||
checked against the blacklists</emphasis>. Blacklists only stop
|
||||
blacklisted hosts from connecting to you — they do not stop you or your
|
||||
users from connecting to blacklisted hosts .</para>
|
||||
<para>Once enabled, dynamic blacklisting doesn't use any configuration
|
||||
parameters but is rather controlled using /sbin/shorewall[-lite] commands.
|
||||
<emphasis role="bold">Note</emphasis> that <emphasis
|
||||
role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
|
||||
only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
|
||||
later</emphasis>.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>UPDATE</term>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>drop [to|from] <emphasis><ip address list></emphasis> -
|
||||
causes packets from the listed IP addresses to be silently dropped by
|
||||
the firewall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Beginning with Shorewall 4.4.12, you can also blacklist by
|
||||
destination address. See <ulink
|
||||
url="manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>
|
||||
(5) and <ulink url="manpages/shorewall.html">shorewall</ulink> (8)
|
||||
for details.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</important>
|
||||
<listitem>
|
||||
<para>reject [to|from]<emphasis><ip address list></emphasis> -
|
||||
causes packets from the listed IP addresses to be rejected by the
|
||||
firewall.</para>
|
||||
</listitem>
|
||||
|
||||
<important>
|
||||
<para><emphasis role="bold">Dynamic Shorewall blacklisting is not
|
||||
appropriate for blacklisting 1,000s of different addresses. Static
|
||||
Blacklisting can handle large blacklists but only if you use
|
||||
ipsets</emphasis>. Without ipsets, the blacklists will take forever to
|
||||
load, and will have a very negative effect on firewall
|
||||
performance.</para>
|
||||
</important>
|
||||
<listitem>
|
||||
<para>allow [to|from] <emphasis><ip address list></emphasis> -
|
||||
re-enables receipt of packets from hosts previously blacklisted by a
|
||||
<emphasis>drop</emphasis> or <emphasis>reject</emphasis>
|
||||
command.</para>
|
||||
</listitem>
|
||||
|
||||
<section id="Static">
|
||||
<title>Static Blacklisting</title>
|
||||
<listitem>
|
||||
<para>save - save the dynamic blacklisting configuration so that it
|
||||
will be automatically restored the next time that the firewall is
|
||||
restarted.</para>
|
||||
|
||||
<para>Shorewall static blacklisting support has the following
|
||||
configuration parameters:</para>
|
||||
<para><emphasis role="bold">Update:</emphasis> Beginning with
|
||||
Shorewall 4.4.10, the dynamic blacklist is automatically retained over
|
||||
<command>stop/start</command> sequences and over
|
||||
<command>restart</command> and <emphasis
|
||||
role="bold">reload</emphasis>.</para>
|
||||
</listitem>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>You specify whether you want packets from blacklisted hosts
|
||||
dropped or rejected using the BLACKLIST_DISPOSITION setting in
|
||||
<ulink
|
||||
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>show dynamic - displays the dynamic blacklisting
|
||||
configuration.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You specify whether you want packets from blacklisted hosts
|
||||
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
|
||||
in <ulink
|
||||
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>logdrop [to|from] <emphasis><ip address list></emphasis> -
|
||||
causes packets from the listed IP addresses to be dropped and logged
|
||||
by the firewall. Logging will occur at the level specified by the
|
||||
BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
|
||||
the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You list the IP addresses/subnets that you wish to blacklist
|
||||
in <ulink
|
||||
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
|
||||
(5). You may also specify PROTOCOL and Port numbers/Service names in
|
||||
the blacklist file.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You specify the interfaces whose incoming packets you want
|
||||
checked against the blacklist using the <quote>blacklist</quote>
|
||||
option in <ulink
|
||||
url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
|
||||
(<ulink
|
||||
url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) in
|
||||
Shorewall 4.4.12 and later).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Prior to Shorewall 4.4.20, only source-address static blacklisting
|
||||
was supported.</para>
|
||||
|
||||
<para>Users with a large static black list may want to set the
|
||||
DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
|
||||
2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new
|
||||
connections before loading the blacklist rules. While this may allow
|
||||
connections from blacklisted hosts to slip by during construction of the
|
||||
blacklist, it can substantially reduce the time that all new connections
|
||||
are disabled during "shorewall [re]start".</para>
|
||||
|
||||
<para>Beginning with Shorewall 2.4.0, you can use <ulink
|
||||
url="ipsets.html">ipsets</ulink> to define your static blacklist. Here's
|
||||
an example:</para>
|
||||
|
||||
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
|
||||
+Blacklistports[dst]
|
||||
+Blacklistnets[src,dst]
|
||||
+Blacklist[src,dst]
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para>In this example, there is a portmap ipset
|
||||
<emphasis>Blacklistports</emphasis> that blacklists all traffic with
|
||||
destination ports included in the ipset. There are also
|
||||
<emphasis>Blacklistnets</emphasis> (type <emphasis>nethash</emphasis>)
|
||||
and <emphasis>Blacklist</emphasis> (type <emphasis>iphash</emphasis>)
|
||||
ipsets that allow blacklisting networks and individual IP addresses.
|
||||
Note that [src,dst] is specified so that individual entries in the sets
|
||||
can be bound to other portmap ipsets to allow blacklisting
|
||||
(<emphasis>source address</emphasis>, <emphasis>destination
|
||||
port</emphasis>) combinations. For example:</para>
|
||||
|
||||
<programlisting>ipset -N SMTP portmap --from 1 --to 31
|
||||
ipset -A SMTP 25
|
||||
ipset -A Blacklist 206.124.146.177
|
||||
ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
||||
|
||||
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
|
||||
</section>
|
||||
|
||||
<section id="whitelisting">
|
||||
<title>Static Whitelisting</title>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.20, you can create
|
||||
<firstterm>whitelist</firstterm> entries in the blacklist file.
|
||||
Connections/packets matching a whitelist entry are not matched against
|
||||
the entries in the blacklist file that follow. Whitelist entries are
|
||||
created using the <emphasis role="bold">whitelist</emphasis> option
|
||||
(OPTIONS column). See <ulink
|
||||
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
|
||||
(5).</para>
|
||||
</section>
|
||||
|
||||
<section id="Dynamic">
|
||||
<title>Dynamic Blacklisting</title>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
|
||||
setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
|
||||
Prior to that release, the feature is always enabled.</para>
|
||||
|
||||
<para>Once enabled, dynamic blacklisting doesn't use any configuration
|
||||
parameters but is rather controlled using /sbin/shorewall[-lite]
|
||||
commands. <emphasis role="bold">Note</emphasis> that <emphasis
|
||||
role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
|
||||
only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
|
||||
later</emphasis>.</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>drop [to|from] <emphasis><ip address list></emphasis> -
|
||||
causes packets from the listed IP addresses to be silently dropped
|
||||
by the firewall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>reject [to|from]<emphasis><ip address list></emphasis> -
|
||||
causes packets from the listed IP addresses to be rejected by the
|
||||
firewall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>allow [to|from] <emphasis><ip address list></emphasis> -
|
||||
re-enables receipt of packets from hosts previously blacklisted by a
|
||||
<emphasis>drop</emphasis> or <emphasis>reject</emphasis>
|
||||
command.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>save - save the dynamic blacklisting configuration so that it
|
||||
will be automatically restored the next time that the firewall is
|
||||
restarted.</para>
|
||||
|
||||
<para><emphasis role="bold">Update:</emphasis> Beginning with
|
||||
Shorewall 4.4.10, the dynamic blacklist is automatically retained
|
||||
over <command>stop/start</command> sequences and over
|
||||
<command>restart</command>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>show dynamic - displays the dynamic blacklisting
|
||||
configuration.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>logdrop [to|from] <emphasis><ip address list></emphasis>
|
||||
- causes packets from the listed IP addresses to be dropped and
|
||||
logged by the firewall. Logging will occur at the level specified by
|
||||
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will
|
||||
be at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>logreject [to|from}<emphasis><ip address
|
||||
list></emphasis> - causes packets from the listed IP addresses to
|
||||
be rejected and logged by the firewall. Logging will occur at the
|
||||
level specified by the BLACKLIST_LOGLEVEL setting at the last
|
||||
[re]start (logging will be at the 'info' level if no
|
||||
BLACKLIST_LOGLEVEL was given).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Dynamic blacklisting is not dependent on the
|
||||
<quote>blacklist</quote> option in
|
||||
<filename>/etc/shorewall/interfaces</filename>.</para>
|
||||
|
||||
<example id="Ignore">
|
||||
<title>Ignore packets from a pair of systems</title>
|
||||
|
||||
<programlisting> <command>shorewall[-lite] drop 192.0.2.124 192.0.2.125</command></programlisting>
|
||||
|
||||
<para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
|
||||
</example>
|
||||
|
||||
<example id="Allow">
|
||||
<title>Re-enable packets from a system</title>
|
||||
|
||||
<programlisting> <command>shorewall[-lite] allow 192.0.2.125</command></programlisting>
|
||||
|
||||
<para>Re-enables traffic from 192.0.2.125.</para>
|
||||
</example>
|
||||
|
||||
<example>
|
||||
<title>Displaying the Dynamic Blacklist</title>
|
||||
|
||||
<programlisting> <command>shorewall show dynamic</command></programlisting>
|
||||
|
||||
<para>Displays the 'dynamic' chain which contains rules for the
|
||||
dynamic blacklist. The <firstterm>source</firstterm> column contains
|
||||
the set of blacklisted addresses.</para>
|
||||
</example>
|
||||
</section>
|
||||
<listitem>
|
||||
<para>logreject [to|from}<emphasis><ip address list></emphasis>
|
||||
- causes packets from the listed IP addresses to be rejected and
|
||||
logged by the firewall. Logging will occur at the level specified by
|
||||
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
|
||||
at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
</article>
|
||||
|
@ -134,7 +134,7 @@
|
||||
the bridge would work exactly the same if public IP addresses were used
|
||||
(remember that the bridge doesn't deal with IP addresses).</para>
|
||||
|
||||
<graphic fileref="images/bridge.png" />
|
||||
<graphic fileref="images/bridge.png"/>
|
||||
|
||||
<para>There are a several key differences in this setup and a normal
|
||||
Shorewall configuration:</para>
|
||||
@ -180,7 +180,7 @@
|
||||
systems connected to that switch. All of the systems on the local side of
|
||||
the <emphasis role="bold">router</emphasis> would still be configured with
|
||||
IP addresses in 192.168.1.0/24 as shown below.<graphic
|
||||
fileref="images/bridge3.png" /></para>
|
||||
fileref="images/bridge3.png"/></para>
|
||||
</section>
|
||||
|
||||
<section id="Bridge">
|
||||
@ -571,8 +571,7 @@ rc-update add bridge boot
|
||||
fw firewall
|
||||
world ipv4
|
||||
net:world bport
|
||||
loc:world bport
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
loc:world bport</programlisting>
|
||||
|
||||
<para>The <emphasis>world</emphasis> zone can be used when defining rules
|
||||
whose source zone is the firewall itself (remember that fw-><BP
|
||||
@ -581,11 +580,10 @@ loc:world bport
|
||||
<para>A conventional two-zone policy file is appropriate here —
|
||||
<filename>/etc/shorewall/policy</filename>:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
all all REJECT info</programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/shorewall.conf</filename>:</para>
|
||||
|
||||
@ -596,11 +594,10 @@ all all REJECT info
|
||||
is connected to <filename class="devicefile">eth0</filename> and the
|
||||
switch to <filename class="devicefile">eth1</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
world br0 detect bridge
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
world br0 bridge
|
||||
net br0:eth0
|
||||
loc br0:eth1
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
loc br0:eth1</programlisting>
|
||||
|
||||
<para>The <emphasis>world</emphasis> zone is associated with the bridge
|
||||
itself which is defined with the <emphasis role="bold">bridge</emphasis>
|
||||
@ -616,8 +613,7 @@ loc br0:eth1
|
||||
<filename><filename>/etc/shorewall/routestopped</filename></filename>:</para>
|
||||
|
||||
<programlisting>#INTERFACE HOST(S) OPTIONS
|
||||
br0 192.168.1.0/24 routeback
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
br0 192.168.1.0/24 routeback</programlisting>
|
||||
|
||||
<para>The <filename>/etc/shorewall/rules</filename> file from the
|
||||
two-interface sample is a good place to start for defining a set of
|
||||
@ -645,9 +641,9 @@ br0 192.168.1.0/24 routeback
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
||||
world br0 - bridge
|
||||
world br1 - bridge
|
||||
<programlisting> #ZONE INTERFACE OPTIONS
|
||||
world br0 bridge
|
||||
world br1 bridge
|
||||
z1 br0:p+
|
||||
z2 br1:p+</programlisting>
|
||||
|
||||
@ -657,11 +653,11 @@ br0 192.168.1.0/24 routeback
|
||||
configuration may be defined using the following in
|
||||
<filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
||||
world br0 - bridge
|
||||
world br1 - bridge
|
||||
z1 br0:x+ - physical=p+
|
||||
z2 br1:y+ - physical=p+</programlisting>
|
||||
<programlisting> #ZONE INTERFACE OPTIONS
|
||||
world br0 bridge
|
||||
world br1 bridge
|
||||
z1 br0:x+ physical=p+
|
||||
z2 br1:y+ physical=p+</programlisting>
|
||||
|
||||
<para>In this configuration, 'x+' is the logical name for ports p+ on
|
||||
bridge br0 while 'y+' is the logical name for ports p+ on bridge
|
||||
@ -673,8 +669,7 @@ br0 192.168.1.0/24 routeback
|
||||
|
||||
<para>Example from /etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
REJECT z1:x1023 z1:x1024 tcp 1234</programlisting>
|
||||
</section>
|
||||
|
||||
@ -683,7 +678,7 @@ br0 192.168.1.0/24 routeback
|
||||
|
||||
<para>A system running Shorewall doesn't have to be exclusively a bridge
|
||||
or a router -- it can act as both, which is also know as a brouter. Here's
|
||||
an example:<graphic fileref="images/bridge2.png" /></para>
|
||||
an example:<graphic fileref="images/bridge2.png"/></para>
|
||||
|
||||
<para>This is basically the same setup as shown in the <ulink
|
||||
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the
|
||||
@ -710,11 +705,11 @@ loc ipv4</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>The <filename>/etc/shorewall/interfaces</filename> file is as
|
||||
follows:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
pub br0 detect routefilter,bridge
|
||||
follows:<programlisting>#ZONE INTERFACE OPTIONS
|
||||
pub br0 routefilter,bridge
|
||||
net br0:eth0
|
||||
dmz br0:eth2
|
||||
loc eth1 detect</programlisting></para>
|
||||
loc eth1</programlisting></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -761,9 +756,7 @@ all all REJECT info</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
#
|
||||
PORT(S) PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
ACCEPT all all icmp 8
|
||||
ACCEPT loc $DMZ tcp 25,53,80,443,...
|
||||
ACCEPT loc $DMZ udp 53
|
||||
@ -784,7 +777,7 @@ ACCEPT $FW $DMZ tcp 53 </
|
||||
|
||||
<para>This configuration is shown in the following diagram.</para>
|
||||
|
||||
<graphic align="center" fileref="images/veth1.png" />
|
||||
<graphic align="center" fileref="images/veth1.png"/>
|
||||
|
||||
<para>In this configuration, veth0 is assigned the internal IP address;
|
||||
br0 does not have an IP address.</para>
|
||||
@ -872,8 +865,7 @@ iface veth0 inet static
|
||||
<para>For this configuration, we need several additional zones as shown
|
||||
here:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
fw firewall
|
||||
net ipv4
|
||||
zone1 bport
|
||||
@ -943,22 +935,19 @@ all all REJECT:info</programlisting>
|
||||
|
||||
<para>Rules allowing traffic from the net to zone2 look like this:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
|
||||
ACCEPT col zone2 tcp 22 - - - - <emphasis
|
||||
role="bold">net</emphasis></programlisting>
|
||||
|
||||
<para>or more compactly:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT col <emphasis role="bold">zone2</emphasis> tcp 22 ; mark=<emphasis
|
||||
role="bold">net</emphasis></programlisting>
|
||||
|
||||
<para>Similarly, rules allowing traffic from the firewall to zone3:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT col <emphasis role="bold">zone3</emphasis> tcp 22 ; mark=<emphasis
|
||||
role="bold">fw</emphasis></programlisting>
|
||||
|
||||
@ -969,8 +958,7 @@ ACCEPT col <emphasis role="bold">zone3</emphasis> tcp 22
|
||||
<para>Suppose that you want to forward tcp port 80 to 192.168.4.45 in
|
||||
zone3:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
|
||||
DNAT- net loc:172.168.4.45 tcp 80
|
||||
ACCEPT col zone3:172.168.4.45 tcp 80 - - - - <emphasis
|
||||
role="bold">net</emphasis></programlisting>
|
||||
@ -979,15 +967,13 @@ ACCEPT col zone3:172.168.4.45 tcp 80 - -
|
||||
role="bold">zonei</emphasis> zones to the <emphasis
|
||||
role="bold">net</emphasis> zone look like this:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
|
||||
ACCEPT loc net tcp 21 - - - - <emphasis
|
||||
role="bold">zone1</emphasis></programlisting>
|
||||
|
||||
<para>And to the firewall:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
|
||||
ACCEPT zone2 col tcp - - - - <emphasis
|
||||
role="bold">zone2</emphasis></programlisting>
|
||||
</section>
|
||||
|
@ -464,8 +464,7 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
||||
|
||||
<para>Example (<filename>/etc/shorewall/rules</filename>):</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net:\
|
||||
206.124.146.177,\
|
||||
206.124.146.178,\
|
||||
@ -483,8 +482,7 @@ ACCEPT net:\
|
||||
<para>A trailing backslash is not ignored in a comment. So the continued
|
||||
rule above can be commented out with a single '#' as follows:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<emphasis role="bold">#</emphasis>ACCEPT net:\
|
||||
206.124.146.177,\
|
||||
206.124.146.178,\
|
||||
@ -765,8 +763,7 @@ ACCEPT net:\
|
||||
|
||||
<para>Example (rules file):</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
DNAT net loc:10.0.0.1 tcp 80 ; mark="88"</programlisting>
|
||||
|
||||
<para>Here's the same line in several equivalent formats:</para>
|
||||
@ -1133,8 +1130,7 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
|
||||
INCLUDE params.mgmt
|
||||
|
||||
# params unique to this host here
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
|
||||
|
||||
----- end params -----
|
||||
|
||||
shorewall/rules.mgmt:
|
||||
@ -1154,7 +1150,7 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
|
||||
INCLUDE rules.mgmt
|
||||
|
||||
# rules unique to this host here
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
|
||||
----- end rules -----</programlisting>
|
||||
|
||||
@ -1166,14 +1162,14 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
|
||||
ALL.rules DNAT.rules FW.rules NET.rules REDIRECT.rules VPN.rules
|
||||
gateway:/etc/shorewall # </programlisting></para>
|
||||
|
||||
<para>/etc/shorewall/rules:<programlisting>SECTION NEW
|
||||
<para>/etc/shorewall/rules:<programlisting>?SECTION NEW
|
||||
SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
|
||||
|
||||
<para>If you are the sort to put such an entry in your rules file even
|
||||
though /etc/shorewall/rules.d might not exist or might be empty, then
|
||||
you probably want:</para>
|
||||
|
||||
<programlisting>SECTION NEW
|
||||
<programlisting>?SECTION NEW
|
||||
SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true</programlisting>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.2, in files other than
|
||||
@ -1306,7 +1302,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true</programlisting
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>[?]COMMENT [ <replaceable>comment</replaceable> ]</term>
|
||||
<term>?COMMENT [ <replaceable>comment</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If <replaceable>comment</replaceable> is present, it will
|
||||
@ -1363,8 +1359,7 @@ gateway:~ #
|
||||
|
||||
<para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT RATE USER
|
||||
?COMMENT SSH
|
||||
PARAM - - tcp 22 </programlisting>
|
||||
<filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
|
||||
@ -1771,7 +1766,7 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>They may also appear in the ORIGINAL DEST column of:</para>
|
||||
<para>They may also appear in the ORIGDEST column of:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@ -2318,8 +2313,7 @@ gmail-pop.l.google.com. <emphasis role="bold">300</emphasis> IN A 209.85.2
|
||||
<para>So this rule may work for five minutes then suddently stop
|
||||
working:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
POP(ACCEPT) loc net:pop.gmail.com</programlisting>
|
||||
|
||||
<para>If your firewall rules include DNS names then:</para>
|
||||
@ -2418,7 +2412,7 @@ POP(ACCEPT) loc net:pop.gmail.com</programlisting>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Must not have any embedded white space.<programlisting> Valid: routefilter,dhcp,arpfilter
|
||||
<para>Must not have any embedded white space.+<programlisting> Valid: routefilter,dhcp,arpfilter
|
||||
Invalid: routefilter, dhcp, arpfilter</programlisting></para>
|
||||
</listitem>
|
||||
|
||||
@ -2608,7 +2602,7 @@ redirect => 137</programlisting>
|
||||
to forward the range of tcp ports 4000 through 4100 to local host
|
||||
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORTS(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100</emphasis></programlisting>
|
||||
|
||||
<para>If you omit the low port number, a value of zero is assumed; if you
|
||||
@ -2790,8 +2784,7 @@ DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100<
|
||||
<para>Forward port 80 to dmz host $BACKUP if switch 'primary_down' is
|
||||
on.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - <emphasis
|
||||
role="bold">primary_down</emphasis> </programlisting>
|
||||
</blockquote>
|
||||
@ -2822,17 +2815,16 @@ DNAT net dmz:$BACKUP tcp 80 - -
|
||||
|
||||
<para>Here is an example:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net <emphasis role="bold">COM_IF </emphasis> detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net <emphasis role="bold">COM_IF </emphasis> dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
|
||||
role="bold">physical=eth0</emphasis>
|
||||
net <emphasis role="bold">EXT_IF</emphasis> detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
|
||||
net <emphasis role="bold">EXT_IF</emphasis> dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
|
||||
role="bold">physical=eth2</emphasis>
|
||||
loc <emphasis role="bold">INT_IF </emphasis> detect dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
|
||||
loc <emphasis role="bold">INT_IF </emphasis> dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
|
||||
role="bold">physical=eth1</emphasis>
|
||||
dmz <emphasis role="bold">VPS_IF </emphasis> detect logmartians=1,routefilter=0,routeback,<emphasis
|
||||
dmz <emphasis role="bold">VPS_IF </emphasis> logmartians=1,routefilter=0,routeback,<emphasis
|
||||
role="bold">physical=venet0</emphasis>
|
||||
loc <emphasis role="bold">TUN_IF</emphasis> detect <emphasis
|
||||
role="bold">physical=tun+</emphasis></programlisting>
|
||||
loc <emphasis role="bold">TUN_IF</emphasis> <emphasis role="bold">physical=tun+</emphasis></programlisting>
|
||||
|
||||
<para>In this example, COM_IF is a logical interface name that refers to
|
||||
Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is
|
||||
|
@ -154,15 +154,13 @@
|
||||
<para>Allow UDP ports 67 and 68 ("67:68") between the client zone and
|
||||
the server zone:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT ZONEA ZONEB udp 67:68
|
||||
ACCEPT ZONEB ZONEA udp 67:68</programlisting>
|
||||
|
||||
<para>Alternatively, use the DHCPfwd macro:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
DHCPfwd(ACCEPT) ZONEA ZONEB</programlisting>
|
||||
</listitem>
|
||||
|
||||
|
@ -107,13 +107,13 @@
|
||||
|
||||
<para>Example 1: Blacklist all hosts in an ipset named "blacklist"</para>
|
||||
|
||||
<para><filename>/etc/shorewall/blacklist</filename><programlisting>#ADDRESS/SUBNET PROTOCOL PORT
|
||||
+blacklist</programlisting></para>
|
||||
<para><filename>/etc/shorewall/blrules</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
DROP net:+blacklist</programlisting></para>
|
||||
|
||||
<para>Example 2: Allow SSH from all hosts in an ipset named "sshok:</para>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT net:+sshok $FW tcp 22</programlisting></para>
|
||||
<para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net:+sshok $FW tcp 22</programlisting></para>
|
||||
|
||||
<para>The name of the ipset can be optionally followed by a
|
||||
comma-separated list of flags enclosed in square brackets ([...]). Each
|
||||
|
@ -54,7 +54,7 @@
|
||||
|
||||
<para>Shorewall NETMAP support is designed to supply a solution. The basic
|
||||
situation is as shown in the following diagram.<graphic
|
||||
fileref="images/netmap.png" /></para>
|
||||
fileref="images/netmap.png"/></para>
|
||||
|
||||
<para>While the link between the two firewalls is shown here as a VPN, it
|
||||
could be any type of interconnection that allows routing of <ulink
|
||||
@ -163,8 +163,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
|
||||
Shorewall 4.4.23.2)</emphasis> -
|
||||
<term><emphasis role="bold">DPORT (Optional - Added in Shorewall
|
||||
4.4.23.2)</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@ -190,8 +190,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
|
||||
Shorewall 4.4.23.2)</emphasis> -
|
||||
<term><emphasis role="bold">SPORT (Optional - Added in Shorewall
|
||||
4.4.23.2)</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@ -314,7 +314,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
|
||||
|
||||
<entry>192.168.1.27</entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -350,7 +350,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
|
||||
|
||||
<entry>192.168.1.4</entry>
|
||||
|
||||
<entry></entry>
|
||||
<entry/>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
@ -413,7 +413,7 @@ DNAT:T 10.10.10.0/24 vpn 192.168.1.0/24</emphasis></programlisting
|
||||
<para>IPv6 Netmap has been verified at shorewall.net using the
|
||||
configuration shown below.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Network2011b.png" />
|
||||
<graphic align="center" fileref="images/Network2011b.png"/>
|
||||
|
||||
<para>IPv6 support is supplied from Hurricane Electric; the IPv6 address
|
||||
block is 2001:470:b:227::/64.</para>
|
||||
|
@ -55,7 +55,7 @@
|
||||
policy for z1 to z2 is not ACCEPT, you need a rule in
|
||||
<filename>/etc/shorewall/rules</filename> of the form:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Ping(ACCEPT) z1 z2</programlisting>
|
||||
|
||||
<example id="Example1">
|
||||
@ -63,7 +63,7 @@ Ping(ACCEPT) z1 z2</programlisting>
|
||||
|
||||
<para>To permit ping from the local zone to the firewall:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Ping(ACCEPT) loc $FW</programlisting>
|
||||
</example>
|
||||
|
||||
@ -79,7 +79,7 @@ Ping(ACCEPT) loc $FW</programlisting>
|
||||
<para>With that rule in place, if you want to ignore <quote>ping</quote>
|
||||
from z1 to z2 then you need a rule of the form:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Ping(DROP) z1 z2</programlisting>
|
||||
|
||||
<example id="Example2">
|
||||
@ -88,7 +88,7 @@ Ping(DROP) z1 z2</programlisting>
|
||||
<para>To drop ping from the Internet, you would need this rule in
|
||||
<filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Ping(DROP) net $FW</programlisting>
|
||||
</example>
|
||||
|
||||
|
@ -61,7 +61,7 @@
|
||||
from the <emphasis role="bold">dmz</emphasis> zone to the <emphasis
|
||||
role="bold">net</emphasis> zone:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION
|
||||
<programlisting>#ACTION SOURCE DEST
|
||||
DNS(ACCEPT) dmz net</programlisting>
|
||||
</note>
|
||||
|
||||
@ -74,12 +74,12 @@ DNS(ACCEPT) dmz net</programlisting>
|
||||
<para>Example: You want to port forward FTP from the net to your server
|
||||
at 192.168.1.4 in your DMZ. The FTP section below gives you:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
FTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
|
||||
<para>You would code your rule as follows:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
FTP(DNAT) net dmz:192.168.1.4 </programlisting>
|
||||
</note>
|
||||
</section>
|
||||
@ -93,7 +93,7 @@ FTP(DNAT) net dmz:192.168.1.4 </programlisting>
|
||||
anymore.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
Auth(ACCEPT) <emphasis> <source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
@ -110,14 +110,14 @@ Auth(ACCEPT) <emphasis> <source></emphasis> <emphasis><destination&
|
||||
port(s)</emphasis></emphasis></para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
BitTorrent(ACCEPT)<emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
<section id="DNS">
|
||||
<title>DNS</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
DNS(ACCEPT) <emphasis> <source></emphasis> <emphasis><destination></emphasis> </programlisting>
|
||||
|
||||
<para>Note that if you are setting up a DNS server that supports recursive
|
||||
@ -128,7 +128,7 @@ DNS(ACCEPT) <emphasis> <source></emphasis> <emphasis><destination&
|
||||
a public DNS server in your DMZ that supports recursive resolution for
|
||||
local clients then you would need:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
DNS(ACCEPT) all dmz
|
||||
DNS(ACCEPT) dmz net </programlisting>
|
||||
|
||||
@ -174,7 +174,7 @@ DNS(ACCEPT) dmz net </programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/rules:</filename></para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
Edonkey(DNAT) net loc:192.168.1.4
|
||||
#if you wish to enable the Emule webserver, add this rule too.
|
||||
DNAT net loc:192.168.1.4 tcp 4711</programlisting>
|
||||
@ -183,7 +183,7 @@ DNAT net loc:192.168.1.4 tcp 4711</programlisting>
|
||||
<section id="FTP">
|
||||
<title>FTP</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
FTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
|
||||
<para>Look <ulink url="FTP.html">here</ulink> for much more
|
||||
@ -212,14 +212,14 @@ FTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination>
|
||||
<listitem>
|
||||
<para>Your loc->net policy is ACCEPT</para>
|
||||
</listitem>
|
||||
</orderedlist><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
</orderedlist><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
Gnutella(DNAT) net loc:192.168.1.4</programlisting></para>
|
||||
</section>
|
||||
|
||||
<section id="ICQ">
|
||||
<title>ICQ/AIM</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
ICQ(ACCEPT) <emphasis><source></emphasis> net</programlisting>
|
||||
</section>
|
||||
|
||||
@ -236,7 +236,7 @@ ICQ(ACCEPT) <emphasis><source></emphasis> net</programlisting>
|
||||
<para>This information is valid only for Shorewall 3.2 or later.</para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
IMAP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> # Unsecure IMAP
|
||||
IMAPS(ACCEPT) <source> <destination> # IMAP over SSL.</programlisting>
|
||||
</section>
|
||||
@ -244,7 +244,7 @@ IMAPS(ACCEPT) <source> <destination> # IMAP over SSL.</programlis
|
||||
<section id="IPSEC">
|
||||
<title>IPSEC</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis> <destination></emphasis> 50
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis> <destination></emphasis> 51
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis> <destination></emphasis> udp 500
|
||||
@ -263,9 +263,9 @@ ACCEPT <emphasis><destination></emphasis> <emphasis><source></e
|
||||
<para>This information is valid only for Shorewall 3.2 or later.</para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
LDAP(ACCEPT) <emphasis><source></emphasis> <emphasis> <destination></emphasis> <emphasis> #Insecure LDAP</emphasis>
|
||||
LDAPS(ACCEPT) <emphasis><emphasis><source></emphasis> <emphasis> <destination></emphasis></emphasis><emphasis></emphasis> # LDAP over SSL</programlisting>
|
||||
LDAPS(ACCEPT) <emphasis><emphasis><source></emphasis> <emphasis> <destination></emphasis></emphasis><emphasis/> # LDAP over SSL</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="MySQL">
|
||||
@ -284,14 +284,14 @@ LDAPS(ACCEPT) <emphasis><emphasis><source></emphasis> <emphasis> &
|
||||
how to deal with the consequences, you have been warned.</para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
MySQL(ACCEPT) <emphasis><source></emphasis> <emphasis> <destination></emphasis> <emphasis> </emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
<section id="NFS">
|
||||
<title>NFS</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
ACCEPT <emphasis><z1></emphasis>:<list of client IPs> <emphasis> <z2></emphasis>:a.b.c.d tcp 111
|
||||
ACCEPT <emphasis><z1></emphasis>:<list of client IPs> <emphasis> <z2></emphasis>:a.b.c.d udp</programlisting>
|
||||
|
||||
@ -302,14 +302,14 @@ ACCEPT <emphasis><z1></emphasis>:<list of client IPs> <emphasis
|
||||
<section id="NTP">
|
||||
<title>NTP (Network Time Protocol)</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
NTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
<section id="PCA">
|
||||
<title><trademark>PCAnywhere</trademark></title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
PCA(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
@ -325,7 +325,7 @@ PCA(ACCEPT) <emphasis><source></emphasis> <emphasis><destination>
|
||||
<para>This information is valid only for Shorewall 3.2 or later</para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
POP3(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> # Secure
|
||||
POP3S(ACCEPT) <source> <destination> #Unsecure Pop3</programlisting>
|
||||
</section>
|
||||
@ -333,7 +333,7 @@ POP3S(ACCEPT) <source> <destination> #Unsecure Pop3</programlist
|
||||
<section id="PPTP">
|
||||
<title>PPTP</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> 47
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 1723</programlisting>
|
||||
|
||||
@ -344,14 +344,14 @@ ACCEPT <emphasis><source></emphasis> <emphasis><destination></e
|
||||
<section id="Rdate">
|
||||
<title>rdate</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
Rdate(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
<section id="rsync">
|
||||
<title>rsync</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
Rsync(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
@ -363,16 +363,16 @@ Rsync(ACCEPT) <emphasis><source></emphasis> <emphasis><destination&
|
||||
firewall and is using the default ports</emphasis>.</para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
REDIRECT loc 5060 udp 5060
|
||||
ACCEPT net fw udp 5060
|
||||
ACCEPT <emphasis> net fw udp 7070:7089</emphasis><emphasis></emphasis></programlisting>
|
||||
ACCEPT <emphasis> net fw udp 7070:7089</emphasis><emphasis/></programlisting>
|
||||
</section>
|
||||
|
||||
<section id="SSH">
|
||||
<title>SSH/SFTP</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
SSH(ACCEPT)<emphasis><source></emphasis> <emphasis><destination></emphasis> </programlisting>
|
||||
</section>
|
||||
|
||||
@ -380,7 +380,7 @@ SSH(ACCEPT)<emphasis><source></emphasis> <emphasis><destination></e
|
||||
<title>SMB/NMB (Samba/<trademark>Windows</trademark> Browsing/File
|
||||
Sharing)</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
SMB(ACCEPT) <emphasis><source></emphasis> <emphasis> <destination></emphasis>
|
||||
SMB(ACCEPT) <emphasis><destination></emphasis> <emphasis><source></emphasis></programlisting>
|
||||
|
||||
@ -394,7 +394,7 @@ SMB(ACCEPT) <emphasis><destination></emphasis> <emphasis><source>
|
||||
<para>This information is valid only for Shorewall 3.2 or later.</para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
SMTP(ACCEPT)<emphasis> <source></emphasis> <emphasis><destination></emphasis> #Insecure SMTP
|
||||
SMTPS(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> #SMTP over SSL (TLS)</programlisting>
|
||||
</section>
|
||||
@ -402,7 +402,7 @@ SMTPS(ACCEPT) <emphasis><source></emphasis> <emphasis><destination&
|
||||
<section id="SNMP">
|
||||
<title>SNMP</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
SNMP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
@ -418,7 +418,7 @@ SNMP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination&g
|
||||
role="bold">svnserve mode only.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
SVN(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
@ -430,7 +430,7 @@ SVN(ACCEPT) <emphasis><source></emphasis> <emphasis><destination>
|
||||
insecure</emphasis>, don't use it.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
Telnet(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
@ -447,14 +447,14 @@ Telnet(ACCEPT) <emphasis><source></emphasis> <emphasis><destination
|
||||
that the <filename>/etc/shorewall/modules</filename> file released with
|
||||
recent Shorewall versions contains entries for these modules.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> udp 69</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="Traceroute">
|
||||
<title>Traceroute</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
Trcrt(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> #Good for 10 hops</programlisting>
|
||||
|
||||
<para>UDP traceroute uses ports 33434 through 33434+<max number of
|
||||
@ -464,7 +464,7 @@ Trcrt(ACCEPT) <emphasis><source></emphasis> <emphasis><destination&
|
||||
automatically since those sample configurations enable all ICMP packet
|
||||
types originating on the firewall itself.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
ACCEPT fw net icmp
|
||||
ACCEPT fw loc icmp
|
||||
ACCEPT fw ...</programlisting>
|
||||
@ -473,7 +473,7 @@ ACCEPT fw ...</programlisting>
|
||||
<section id="NNTP">
|
||||
<title>Usenet (NNTP)</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
NNTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis>
|
||||
NNTPS(ACCEPT) <source> <destination> # secure NNTP</programlisting>
|
||||
|
||||
@ -493,13 +493,13 @@ NNTPS(ACCEPT) <source> <destination> # secure NNTP</programlisti
|
||||
<para>the following rule handles VNC traffic for VNC displays 0 -
|
||||
9.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
VNC(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis>
|
||||
</programlisting>
|
||||
|
||||
<para>Vncserver to Vncviewer in listen mode -- TCP port 5500.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
VNCL(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
@ -519,7 +519,7 @@ VNCL(ACCEPT) <emphasis><source></emphasis> <emphasis><destination&g
|
||||
<para>This information is valid for Shorewall 3.2 or later.</para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
HTTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> #Insecure HTTP
|
||||
HTTPS(ACCEPT) <source> <destination> #Secure HTTP</programlisting>
|
||||
</section>
|
||||
@ -527,7 +527,7 @@ HTTPS(ACCEPT) <source> <destination> #Secure HTTP</programlisti
|
||||
<section id="Webmin">
|
||||
<title>Webmin</title>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
Webmin(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> </programlisting>Webmin
|
||||
use TCP port 10000.</para>
|
||||
</section>
|
||||
@ -535,7 +535,7 @@ Webmin(ACCEPT) <emphasis><source></emphasis> <emphasis><destination
|
||||
<section id="Whois">
|
||||
<title>Whois</title>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
Whois(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> </programlisting></para>
|
||||
</section>
|
||||
|
||||
@ -546,7 +546,7 @@ Whois(ACCEPT) <emphasis><source></emphasis> <emphasis><destination&
|
||||
<<emphasis>chooser</emphasis>> and the Display Manager/X
|
||||
applications are running at <<emphasis>apps</emphasis>>.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
ACCEPT <<emphasis>chooser</emphasis>> <<emphasis>apps</emphasis>> udp 177 #XDMCP
|
||||
ACCEPT <<emphasis>apps</emphasis>> <<emphasis>chooser</emphasis>> tcp 6000:6009 #X Displays 0-9</programlisting>
|
||||
</section>
|
||||
|
@ -44,15 +44,13 @@
|
||||
<para>If you wish to run Samba on your firewall and access shares between
|
||||
the firewall and local hosts, you need the following rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
SMB(ACCEPT) $FW loc
|
||||
SMB(ACCEPT) loc $FW</programlisting>
|
||||
|
||||
<para>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
SMB(ACCEPT) Z1 Z2
|
||||
SMB(ACCEPT) Z2 Z1</programlisting>
|
||||
|
||||
|
@ -5,7 +5,7 @@
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Shorewall 4.4/4.5/4.6 Features</title>
|
||||
<title>Shorewall 5.0 Features</title>
|
||||
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
@ -16,7 +16,7 @@
|
||||
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2014</year>
|
||||
<year>2001-2016</year>
|
||||
|
||||
<holder>Thomas M Eastep</holder>
|
||||
</copyright>
|
||||
@ -32,13 +32,6 @@
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<caution>
|
||||
<para><emphasis role="bold">This article applies to Shorewall 4.3 and
|
||||
later. If you are running a version of Shorewall earlier than Shorewall
|
||||
4.3.5 then please see the documentation for that
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<section id="Features">
|
||||
<title>Features</title>
|
||||
|
||||
@ -278,6 +271,10 @@
|
||||
<listitem>
|
||||
<para><ulink url="LXC.html">LXC</ulink></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Docker (Shorewall 5.0.6 and later)</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
@ -314,14 +314,34 @@ gateway:/etc/shorewall# </programl
|
||||
<para><filename>/etc/shorewall/shorewall.conf</filename>:
|
||||
<programlisting>MACLIST_LOG_LEVEL=NFLOG(1,0,1)</programlisting></para>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 </programlisting><important>
|
||||
<para>Shorewall considers <emphasis role="bold">ULOG(...)</emphasis>
|
||||
and <emphasis role="bold">NFLOG(...)</emphasis> to be <emphasis
|
||||
role="bold">log levels</emphasis>, just like info, debug, etc. even
|
||||
though they are not defined by syslog.</para>
|
||||
</important></para>
|
||||
|
||||
<para>Here is a copy of a ulogd.conf file that logs to
|
||||
/var/log/firewall. It was contributed by a Shorewall user on IRC:</para>
|
||||
|
||||
<programlisting>[global]
|
||||
user="ulogd"
|
||||
logfile="/var/log/ulogd/ulogd.log"
|
||||
loglevel=7
|
||||
|
||||
plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
|
||||
plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
|
||||
plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
|
||||
plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
|
||||
plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
|
||||
plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"
|
||||
|
||||
stack=log:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU
|
||||
|
||||
[firewall]
|
||||
file="/var/log/firewall"
|
||||
sync=1</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
|
@ -106,19 +106,13 @@
|
||||
<para><emphasis role="bold">Note to Debian Users</emphasis></para>
|
||||
|
||||
<para>If you install using the .deb, you will find that your <filename
|
||||
class="directory">/etc/shorewall</filename> directory is empty. This
|
||||
is intentional. The released configuration file skeletons may be found
|
||||
on your system in the directory <filename
|
||||
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
|
||||
class="directory">/etc/shorewall</filename> directory is almost empty.
|
||||
This is intentional. The released configuration file skeletons may be
|
||||
found on your system in the directory <filename
|
||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
||||
Simply copy the files you need from that directory to <filename
|
||||
class="directory">/etc/shorewall</filename> and modify the
|
||||
copies.</para>
|
||||
|
||||
<para>Note that you must copy <filename
|
||||
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
|
||||
and /usr/share/doc/shorewall-common/default-config/modules to
|
||||
<filename class="directory">/etc/shorewall</filename> even if you do
|
||||
not modify those files.</para>
|
||||
</warning></para>
|
||||
|
||||
<para>As each file is introduced, I suggest that you look through the
|
||||
@ -269,8 +263,7 @@ dmz ipv4</programlisting>
|
||||
<filename>/etc/shorewall/policy</filename> file had the following
|
||||
policies:</para>
|
||||
|
||||
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT:BURST
|
||||
# LEVEL
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting>
|
||||
@ -416,10 +409,11 @@ all all REJECT info</programlisting>
|
||||
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces
|
||||
</ulink>file, that file would might contain:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect
|
||||
loc eth1 detect
|
||||
dmz eth2 detect</programlisting>
|
||||
<programlisting>?FORMAT 2
|
||||
#ZONE INTERFACE OPTIONS
|
||||
net eth0
|
||||
loc eth1
|
||||
dmz eth2</programlisting>
|
||||
|
||||
<para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry
|
||||
in the /etc/shorewall/interfaces file.</para>
|
||||
@ -435,10 +429,11 @@ dmz eth2 detect</programlisting>
|
||||
<example id="multi">
|
||||
<title>Multiple Interfaces to a Zone</title>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect
|
||||
loc eth1 detect
|
||||
loc eth2 detect</programlisting>
|
||||
<programlisting>?FORMAT 2
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0
|
||||
loc eth1
|
||||
loc eth2</programlisting>
|
||||
</example>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
|
||||
@ -1409,8 +1404,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
|
||||
<filename><ulink
|
||||
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink></filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT net loc:192.168.201.4 tcp www</programlisting>
|
||||
|
||||
<para>If one of your daughter's friends at address <emphasis
|
||||
@ -1424,8 +1418,8 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
|
||||
|
||||
<para>This example used the firewall's external IP address for DNAT.
|
||||
You can use another of your public IP addresses (place it in the
|
||||
ORIGINAL DEST column in the rule above) but Shorewall will not add
|
||||
that address to the firewall's external interface for you.</para>
|
||||
ORIGDEST column in the rule above) but Shorewall will not add that
|
||||
address to the firewall's external interface for you.</para>
|
||||
|
||||
<important>
|
||||
<para>When testing DNAT rules like those shown above, you must test
|
||||
@ -1489,7 +1483,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
|
||||
url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink>
|
||||
file.</para>
|
||||
|
||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTENT
|
||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||
192.0.2.177 eth2 eth0 No
|
||||
192.0.2.178 eth2 eth0 No</programlisting>
|
||||
|
||||
@ -1608,7 +1602,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
|
||||
You would do that by adding an entry in <filename><ulink
|
||||
url="NAT.htm">/etc/shorewall/nat</ulink></filename>.</para>
|
||||
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||
192.0.2.179 eth0 192.168.201.4 No No</programlisting>
|
||||
|
||||
<para>With this entry in place, you daughter has her own IP address
|
||||
@ -1622,8 +1616,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
|
||||
to use a DNAT rule for you daughter's web server -- you would rather
|
||||
just use an ACCEPT rule:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SPORT ORIGDEST
|
||||
ACCEPT net loc:192.168.201.4 tcp www</programlisting>
|
||||
|
||||
<para>A word of warning is in order here. ISPs typically configure
|
||||
@ -1719,14 +1712,13 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
|
||||
rules.</para>
|
||||
|
||||
<note>
|
||||
<para>Since the SOURCE PORT(S) and ORIG. DEST. Columns aren't used in
|
||||
this section, they won't be shown</para>
|
||||
<para>Since the SPORT and ORIGDEST. Columns aren't used in this
|
||||
section, they won't be shown</para>
|
||||
</note>
|
||||
|
||||
<para>You probably want to allow ping between your zones:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net dmz icmp echo-request
|
||||
ACCEPT net loc icmp echo-request
|
||||
ACCEPT dmz loc icmp echo-request
|
||||
@ -1735,8 +1727,7 @@ ACCEPT loc dmz icmp echo-request</programlisting>
|
||||
<para>Let's suppose that you run mail and pop3 servers on DMZ 2 and a
|
||||
Web Server on DMZ 1. The rules that you would need are:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net dmz:192.0.2.178 tcp smtp #Mail from
|
||||
#Internet
|
||||
ACCEPT net dmz:192.0.2.178 tcp pop3 #Pop3 from
|
||||
@ -1760,8 +1751,7 @@ ACCEPT loc dmz:192.0.2.177 tcp https #Secure WWW
|
||||
<para>If you run a public DNS server on 192.0.2.177, you would need to
|
||||
add the following rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net dmz:192.0.2.177 udp domain #UDP DNS from
|
||||
#Internet
|
||||
ACCEPT net dmz:192.0.2.177 tcp domain #TCP DNS from
|
||||
@ -1784,8 +1774,7 @@ ACCEPT dmz:192.0.2.177 net tcp domain #TCPP DNS to
|
||||
scp utility can also do publishing and software update
|
||||
distribution.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT loc dmz tcp ssh #SSH to the DMZ
|
||||
ACCEPT net $FW tcp ssh #SSH to the
|
||||
#Firewall</programlisting>
|
||||
@ -1816,22 +1805,11 @@ ACCEPT net $FW tcp ssh #SSH to the
|
||||
<para><filename>/etc/shorewall/interfaces</filename> (The
|
||||
<quote>options</quote> will be very site-specific).</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect routefilter
|
||||
loc eth1 detect
|
||||
dmz eth2 detect</programlisting>
|
||||
|
||||
<para>The setup described here requires that your network interfaces be
|
||||
brought up before Shorewall can start. This opens a short window during
|
||||
which you have no firewall protection. If you replace
|
||||
<quote>detect</quote> with the actual broadcast addresses in the entries
|
||||
above, you can bring up Shorewall before you bring up your network
|
||||
interfaces.</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 192.0.2.255
|
||||
loc eth1 192.168.201.7
|
||||
dmz eth2 192.168.202.7</programlisting>
|
||||
<programlisting>?FORMAT 2
|
||||
#ZONE INTERFACE OPTIONS
|
||||
net eth0 routefilter
|
||||
loc eth1
|
||||
dmz eth2</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/masq</filename> - Local Subnet</para>
|
||||
|
||||
@ -1851,8 +1829,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename></para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net dmz icmp echo-request
|
||||
ACCEPT net loc icmp echo-request
|
||||
ACCEPT dmz loc icmp echo-request
|
||||
|
@ -194,7 +194,7 @@ eth0 External</programlisting>
|
||||
band 2.</para>
|
||||
|
||||
<note>
|
||||
<para>When an INTERFACE is specified, the PROTO, PORT(S) and ADDRESS
|
||||
<para>When an INTERFACE is specified, the PROTO, DPORT and ADDRESS
|
||||
column must contain '-'.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
@ -203,14 +203,14 @@ eth0 External</programlisting>
|
||||
<para>Assign traffic from a particular IP address to a specific
|
||||
priority band:</para>
|
||||
|
||||
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
|
||||
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
|
||||
1 - - 192.168.1.44</programlisting>
|
||||
|
||||
<para>In this example, traffic from 192.168.1.44 will be assigned to
|
||||
priority band 1.</para>
|
||||
|
||||
<note>
|
||||
<para>When an ADDRESS is specified, the PROTO, PORT(S) and INTERFACE
|
||||
<para>When an ADDRESS is specified, the PROTO, DPORT and INTERFACE
|
||||
columns must be empty.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
@ -219,7 +219,7 @@ eth0 External</programlisting>
|
||||
<para>Assign traffic to/from a particular application to a specific
|
||||
priority band:</para>
|
||||
|
||||
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
|
||||
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
|
||||
1 udp 1194</programlisting>
|
||||
|
||||
<para>In that example, OpenVPN traffic is assigned to priority band
|
||||
@ -230,7 +230,7 @@ eth0 External</programlisting>
|
||||
<para>Assign traffic that uses a particular Netfilter helper to a
|
||||
particular priority band:</para>
|
||||
|
||||
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
|
||||
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
|
||||
1 - - - - sip</programlisting>
|
||||
|
||||
<para>In this example, SIP and associated RTP traffic will be assigned
|
||||
@ -318,11 +318,11 @@ tun0 Internal</programlisting>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<para><filename>/etc/shorewall/tcinterfaces</filename><programlisting>#INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH
|
||||
<para><filename>/etc/shorewall/tcinterfaces</filename><programlisting>#INTERFACE TYPE IN_BANDWIDTH OUT_BANDWIDTH
|
||||
eth0 External 50mbit:200kb 6.0mbit:100kb:200ms:100mbit:1516
|
||||
</programlisting>etc/shorewall/tcpri:</para>
|
||||
|
||||
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
|
||||
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
|
||||
COMMENT All DMZ traffic in band 3 by default
|
||||
3 - - 70.90.191.124/31
|
||||
COMMENT Bit Torrent is in band 3
|
||||
@ -335,7 +335,7 @@ COMMENT And place echo requests in band 1 to avoid false line-down reports
|
||||
|
||||
<para>etc/shorewall6/tcpri:</para>
|
||||
|
||||
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
|
||||
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
|
||||
COMMENT All DMZ traffic in band 3 by default
|
||||
3 - - 2001:470:b:227::40/124
|
||||
COMMENT But give a boost to DNS queries
|
||||
|
@ -277,7 +277,7 @@ net ipv4</programlisting>
|
||||
<para>The <filename>/etc/shorewall/policy</filename> file included with
|
||||
the one-interface sample has the following policies:</para>
|
||||
|
||||
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LEVEL LIMIT:BURST
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
$FW net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting>
|
||||
@ -517,20 +517,19 @@ root@lists:~# </programlisting>
|
||||
<filename>/usr/share/shorewall/macro.*</filename>, the general format of a
|
||||
rule in <filename>/etc/shorewall/rules</filename> is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<<emphasis>macro</emphasis>>(ACCEPT) net $FW</programlisting>
|
||||
|
||||
<important>
|
||||
<para>Be sure to add your rules after the line that reads <emphasis
|
||||
role="bold">SECTION NEW</emphasis> (?SECTION NEW in Shorewall 4.6.0 and
|
||||
later).</para>
|
||||
role="bold">?SECTION NEW</emphasis>.</para>
|
||||
</important>
|
||||
|
||||
<example id="Example1">
|
||||
<title>You want to run a Web Server and a IMAP Server on your firewall
|
||||
system:</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Web(ACCEPT) net $FW
|
||||
IMAP(ACCEPT)net $FW</programlisting>
|
||||
</example>
|
||||
@ -546,14 +545,14 @@ IMAP(ACCEPT)net $FW</programlisting>
|
||||
a pre-defined macro that meets your requirements. In that case the general
|
||||
format of a rule in <filename>/etc/shorewall/rules</filename> is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net $FW <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
||||
|
||||
<example id="Example2">
|
||||
<title>You want to run a Web Server and a IMAP Server on your firewall
|
||||
system:</title>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net $FW tcp 80
|
||||
ACCEPT net $FW tcp 143</programlisting></para>
|
||||
</example>
|
||||
@ -566,7 +565,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
|
||||
uses clear text (even for login!). If you want shell access to your
|
||||
firewall from the Internet, use <acronym>SSH</acronym>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
SSH(ACCEPT) net $FW </programlisting>
|
||||
</important>
|
||||
|
||||
@ -615,7 +614,7 @@ SSH(ACCEPT) net $FW </programlisting>
|
||||
(<filename><ulink
|
||||
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>
|
||||
in Shorewall 4.5.7 and earlier). A running firewall may be restarted using
|
||||
the <quote><command>shorewall restart</command></quote> command. If you
|
||||
the <quote><command>shorewall reload</command></quote> command. If you
|
||||
want to totally remove any trace of Shorewall from your Netfilter
|
||||
configuration, use <quote><command>shorewall
|
||||
clear</command></quote>.</para>
|
||||
@ -639,7 +638,7 @@ SSH(ACCEPT) net $FW </programlisting>
|
||||
</orderedlist>
|
||||
|
||||
<para>Also, I don't recommend using <quote><command>shorewall
|
||||
restart</command></quote>; it is better to create an <emphasis><ulink
|
||||
reload</command></quote>; it is better to create an <emphasis><ulink
|
||||
url="configuration_file_basics.htm#Configs">alternate
|
||||
configuration</ulink></emphasis> and test it using the <ulink
|
||||
url="starting_and_stopping_shorewall.htm"><quote><command>shorewall
|
||||
|
@ -165,7 +165,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>If you change your configuration and want to install the
|
||||
changes, use the <command>shorewall restart </command>command.</para>
|
||||
changes, use the <command>shorewall reload </command>command.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@ -616,7 +616,7 @@
|
||||
<row>
|
||||
<entry align="center">/sbin/shorewall Command</entry>
|
||||
|
||||
<entry align="center">Resulting /usr/share/shorewall/firewall
|
||||
<entry align="center">Resulting /var/lib/shorewall/firewall
|
||||
Command</entry>
|
||||
|
||||
<entry align="center">Effect if the Command Succeeds</entry>
|
||||
@ -646,6 +646,15 @@
|
||||
firewall are accepted.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>shorewall reload</entry>
|
||||
|
||||
<entry>firewall reload</entry>
|
||||
|
||||
<entry>Very similar to start, replacing the existing ruleset with
|
||||
one that reflects the current configuration file contents.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>shorewall restart</entry>
|
||||
|
||||
@ -721,15 +730,15 @@
|
||||
transition while the compiler is running. If compilation fails, the state
|
||||
remains unchanged.</para>
|
||||
|
||||
<para>Also, <command>shorewall start</command> and <command>shorewall
|
||||
restart</command> involve compilation followed by execution of the
|
||||
compiled script. So it is the compiled script that performs the state
|
||||
transition in these commands rather than
|
||||
<command>/usr/share/shorewall/firewall</command>.</para>
|
||||
<para>Also, <command>shorewall start</command>, <command>shorewall
|
||||
reload</command> and <command>shorewall restart</command> involve
|
||||
compilation followed by execution of the compiled script. So it is the
|
||||
compiled script that performs the state transition in these commands
|
||||
rather than <command>/usr/share/shorewall/firewall</command>.</para>
|
||||
|
||||
<para>The compiled script is placed in <filename
|
||||
class="directory">/var/lib/shorewall</filename> and is named either
|
||||
<filename>.start</filename> or <filename>.restart</filename> depending on
|
||||
the command.</para>
|
||||
<filename>.start</filename>, .reload or <filename>.restart</filename>
|
||||
depending on the command.</para>
|
||||
</section>
|
||||
</article>
|
||||
|
@ -90,7 +90,7 @@
|
||||
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata align="center" fileref="images/dmz1.png" format="PNG" />
|
||||
<imagedata align="center" fileref="images/dmz1.png" format="PNG"/>
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</figure>
|
||||
@ -148,19 +148,18 @@
|
||||
<title>Conventions</title>
|
||||
|
||||
<para>Points at which configuration changes are recommended are flagged
|
||||
with <inlinegraphic fileref="images/BD21298_.gif"
|
||||
format="GIF" />.</para>
|
||||
with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
|
||||
|
||||
<para>Configuration notes that are unique to Debian and it's derivatives
|
||||
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
|
||||
format="GIF" />.</para>
|
||||
format="GIF"/>.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="PPTP">
|
||||
<title>PPTP/ADSL</title>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>If you have an ADSL Modem and you use PPTP to communicate with a
|
||||
server in that modem, you must make the <ulink
|
||||
@ -176,7 +175,7 @@
|
||||
<filename>/etc/shorewall</filename> -- for simple setups, you will only
|
||||
need to deal with a few of these as described in this guide.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>After you have installed Shorewall, locate the three-interface
|
||||
Sample configuration:</para>
|
||||
@ -210,7 +209,7 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><graphic align="left" fileref="images/openlogo-nd-25.png" />If
|
||||
<para><graphic align="left" fileref="images/openlogo-nd-25.png"/>If
|
||||
you installed using a Shorewall 4.x .deb, the samples are in <emphasis
|
||||
role="bold"><filename
|
||||
class="directory">/usr/share/doc/shorewall/examples/three-interfaces</filename></emphasis>.
|
||||
@ -248,8 +247,7 @@
|
||||
a set of zones. In the three-interface sample configuration, the following
|
||||
zone names are used:</para>
|
||||
|
||||
<para><programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<para><programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
fw firewall
|
||||
net ipv4
|
||||
loc ipv4
|
||||
@ -305,7 +303,7 @@ dmz ipv4</programlisting>Zone names are defined in
|
||||
<para>The <filename>/etc/shorewall/policy</filename> file included with
|
||||
the three-interface sample has the following policies:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting>
|
||||
@ -315,7 +313,7 @@ all all REJECT info</programlisting>
|
||||
commented out. If you want your firewall system to have full access to
|
||||
servers on the Internet, uncomment that line.</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
$FW net ACCEPT</programlisting>
|
||||
</important>
|
||||
|
||||
@ -351,7 +349,7 @@ $FW net ACCEPT</programlisting>
|
||||
local network from a security perspective. If you want to do this, add
|
||||
these two policies:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
loc $FW ACCEPT
|
||||
$FW loc ACCEPT</programlisting>
|
||||
|
||||
@ -363,7 +361,7 @@ $FW loc ACCEPT</programlisting>
|
||||
<emphasis>net</emphasis> zone even though connections are not allowed from
|
||||
the <emphasis>loc</emphasis> zone to the firewall itself.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>At this point, edit your <filename>/etc/shorewall/policy</filename>
|
||||
file and make any changes that you wish.</para>
|
||||
@ -377,7 +375,7 @@ $FW loc ACCEPT</programlisting>
|
||||
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata align="center" fileref="images/dmz1.png" format="PNG" />
|
||||
<imagedata align="center" fileref="images/dmz1.png" format="PNG"/>
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</figure>
|
||||
@ -421,7 +419,7 @@ root@lists:~# </programlisting>
|
||||
the external interface.</para>
|
||||
</caution>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>I<emphasis role="bold">f your external interface is <filename
|
||||
class="devicefile">ppp0</filename> or <filename
|
||||
@ -463,7 +461,7 @@ root@lists:~# </programlisting>
|
||||
exactly one default route via your ISP's Router.</para>
|
||||
</caution>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>The Shorewall three-interface sample configuration assumes that the
|
||||
external interface is <filename class="devicefile">eth0</filename>, the
|
||||
@ -528,7 +526,7 @@ root@lists:~# </programlisting>
|
||||
<title>Example sub-network</title>
|
||||
|
||||
<tgroup cols="2">
|
||||
<colspec align="left" />
|
||||
<colspec align="left"/>
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
@ -573,7 +571,7 @@ root@lists:~# </programlisting>
|
||||
directly. To communicate with systems outside of the subnetwork, systems
|
||||
send packets through a gateway (router).</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>Your local computers (Local Computers 1 & 2) should be
|
||||
configured with their default gateway set to the IP address of the
|
||||
@ -596,7 +594,7 @@ root@lists:~# </programlisting>
|
||||
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata fileref="images/dmz2.png" />
|
||||
<imagedata fileref="images/dmz2.png"/>
|
||||
</imageobject>
|
||||
|
||||
<caption><para>The default gateway for the DMZ computers would be
|
||||
@ -652,7 +650,7 @@ root@lists:~# </programlisting>
|
||||
class="directory">/etc/shorewall/</filename><filename>masq</filename>
|
||||
file.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>If your external firewall interface is <filename
|
||||
class="devicefile">eth0</filename> then you do not need to modify the file
|
||||
@ -665,7 +663,7 @@ root@lists:~# </programlisting>
|
||||
modify the SOURCE column to list just your local interface (10.10.10.0/24
|
||||
in the above example).</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>If your external IP is static, you can enter it in the third column
|
||||
in the <filename
|
||||
@ -673,7 +671,7 @@ root@lists:~# </programlisting>
|
||||
entry if you like although your firewall will work fine if you leave that
|
||||
column empty. Entering your static IP in column 3 makes processing
|
||||
outgoing packets a little more efficient.<graphic align="left"
|
||||
fileref="images/openlogo-nd-25.png" /></para>
|
||||
fileref="images/openlogo-nd-25.png"/></para>
|
||||
|
||||
<para><emphasis role="bold">If you are using the Debian package, please
|
||||
check your <filename>shorewall.conf</filename> file to ensure that the
|
||||
@ -736,7 +734,7 @@ root@lists:~# </programlisting>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>If you are running a distribution that logs netfilter messages to a
|
||||
log other than <filename>/var/log/messages</filename>, then modify the
|
||||
@ -776,7 +774,7 @@ root@lists:~# </programlisting>
|
||||
<filename>/usr/share/shorewall/modules</filename> then copy the file to
|
||||
<filename>/etc/shorewall</filename> and modify the copy.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
|
||||
</section>
|
||||
@ -801,7 +799,7 @@ root@lists:~# </programlisting>
|
||||
|
||||
<para>The general form of a simple port forwarding rule in <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
DNAT net dmz:<emphasis><server local IP address></emphasis>[:<emphasis><server port></emphasis>] <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
||||
If you don't specify the <emphasis><varname><server
|
||||
port></varname></emphasis>, it is assumed to be the same as
|
||||
@ -816,7 +814,7 @@ DNAT net dmz:<emphasis><server local IP address></emphasis>[:<e
|
||||
<title>You run a Web Server on DMZ Computer 2 and you want to forward
|
||||
incoming TCP port 80 to that system</title>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Web(DNAT) net dmz:10.10.11.2
|
||||
Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist>
|
||||
<listitem>
|
||||
@ -833,8 +831,7 @@ Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist>
|
||||
(<systemitem class="ipaddress">10.10.11.2</systemitem>) or you
|
||||
must use DNAT from the loc zone as well (see below).</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
Web(DNAT) loc dmz:10.10.11.2 - - - <replaceable>external-ip-address</replaceable></programlisting>
|
||||
|
||||
<para>where <replaceable>external-ip-address</replaceable> is the
|
||||
@ -846,8 +843,7 @@ Web(DNAT) loc dmz:10.10.11.2 - - -
|
||||
you have problems connecting to your web server, try the following
|
||||
rule and try connecting to port 5000 (e.g., connect to
|
||||
<literal>http://w.x.y.z:5000 where w.x.y.z</literal> is your
|
||||
external IP).<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
|
||||
# PORT(S)
|
||||
external IP).<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
|
||||
</listitem>
|
||||
|
||||
@ -855,8 +851,7 @@ DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
|
||||
<para>If you want to be able to access your server from the local
|
||||
network using your external address, then if you have a static
|
||||
external IP you can replace the loc->dmz rule above
|
||||
with:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
with:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis><external IP></emphasis></programlisting>If
|
||||
you have a dynamic IP then you must ensure that your external
|
||||
interface is up before starting Shorewall and you must take steps
|
||||
@ -871,8 +866,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis><
|
||||
|
||||
<listitem>
|
||||
<para>Make your <literal>loc->dmz</literal> rule:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</programlisting></para>
|
||||
</listitem>
|
||||
</orderedlist></para>
|
||||
@ -886,7 +880,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
|
||||
</itemizedlist></para>
|
||||
</example>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>At this point, add the DNAT and ACCEPT rules for your
|
||||
servers.</para>
|
||||
@ -924,7 +918,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
|
||||
|
||||
<listitem>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif"
|
||||
format="GIF" /></para>
|
||||
format="GIF"/></para>
|
||||
|
||||
<para>You can configure a <emphasis>Caching Name Server</emphasis>
|
||||
on your firewall or in your DMZ. <trademark>Red Hat</trademark> has
|
||||
@ -942,10 +936,10 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
|
||||
<filename>/etc/shorewall/rules</filename>.</para>
|
||||
</listitem>
|
||||
</itemizedlist> If you run the name server on the firewall:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
DNS(ACCEPT) loc $FW
|
||||
DNS(ACCEPT) dmz $FW </programlisting> Run name server on DMZ
|
||||
computer 1: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
computer 1: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
DNS(ACCEPT) loc dmz:10.10.11.1
|
||||
DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
|
||||
|
||||
@ -960,7 +954,7 @@ DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
|
||||
<filename>/etc/shorewall/rules</filename>. The first example above (name
|
||||
server on the firewall) could also have been coded as follows:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT loc $FW tcp 53
|
||||
ACCEPT loc $FW udp 53
|
||||
ACCEPT dmz $FW tcp 53
|
||||
@ -983,24 +977,24 @@ ACCEPT dmz $FW udp 53 </programlist
|
||||
<title>Other Connections</title>
|
||||
|
||||
<para>The three-interface sample includes the following rule:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
DNS(ACCEPT) $FW net </programlisting>That rule allow DNS access
|
||||
from your firewall and may be removed if you commented out the line in
|
||||
<filename>/etc/shorewall/policy</filename> allowing all connections from
|
||||
the firewall to the Internet.</para>
|
||||
|
||||
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
SSH(ACCEPT) loc $FW
|
||||
SSH(ACCEPT) loc dmz </programlisting>Those rules allow you to run
|
||||
an SSH server on your firewall and in each of your DMZ systems and to
|
||||
connect to those servers from your local systems.</para>
|
||||
|
||||
<para>If you wish to enable other connections between your systems, the
|
||||
general format for using a defined macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
general format for using a defined macro is: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<<emphasis>macro</emphasis>>(ACCEPT) <emphasis><source zone> <destination zone></emphasis></programlisting></para>
|
||||
|
||||
<para>The general format when not using a defined macro
|
||||
is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
is:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT <emphasis><source zone> <destination zone> <protocol> <port> </emphasis></programlisting></para>
|
||||
|
||||
<example id="Example2">
|
||||
@ -1009,12 +1003,12 @@ ACCEPT <emphasis><source zone> <destination zone> <protocol&g
|
||||
|
||||
<para>Using defined macros:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
DNS(ACCEPT) net $FW</programlisting>
|
||||
|
||||
<para>Not using defined macros:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net $FW tcp 53
|
||||
ACCEPT net $FW udp 53 </programlisting>
|
||||
|
||||
@ -1028,13 +1022,13 @@ ACCEPT net $FW udp 53 </programlisting>
|
||||
<important>
|
||||
<para>I don't recommend enabling telnet to/from the Internet because it
|
||||
uses clear text (even for login!). If you want shell access to your
|
||||
firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
SSH(ACCEPT) net $FW</programlisting></para>
|
||||
</important>
|
||||
|
||||
<para><inlinegraphic fileref="images/leaflogo.gif" format="GIF" /> Bering
|
||||
<para><inlinegraphic fileref="images/leaflogo.gif" format="GIF"/> Bering
|
||||
users will want to add the following two rules to be compatible with
|
||||
Jacques's Shorewall configuration: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
Jacques's Shorewall configuration: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT loc $FW udp 53
|
||||
ACCEPT net $FW tcp 80 </programlisting><itemizedlist>
|
||||
<listitem>
|
||||
@ -1045,7 +1039,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
<para>Entry 2 allows the <quote>weblet</quote> to work.</para>
|
||||
</listitem>
|
||||
</itemizedlist><inlinegraphic fileref="images/BD21298_.gif"
|
||||
format="GIF" /></para>
|
||||
format="GIF"/></para>
|
||||
|
||||
<para>Now modify <filename>/etc/shorewall/rules</filename> to add or
|
||||
remove other connections as required.</para>
|
||||
@ -1110,7 +1104,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
<section id="Starting">
|
||||
<title>Starting and Stopping Your Firewall</title>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>The <ulink url="Install.htm">installation procedure</ulink>
|
||||
configures your system to start Shorewall at system boot but startup is
|
||||
@ -1119,7 +1113,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
firewall, you can enable Shorewall startup by editing
|
||||
<filename>/etc/shorewall/shorewall.conf</filename> and setting
|
||||
STARTUP_ENABLED=Yes.<graphic align="left"
|
||||
fileref="images/openlogo-nd-25.png" /><important>
|
||||
fileref="images/openlogo-nd-25.png"/><important>
|
||||
<para>Users of the <filename>.deb</filename> package must edit
|
||||
<filename>/etc/default/shorewall</filename> and set
|
||||
<varname>startup=1</varname>.</para>
|
||||
@ -1138,11 +1132,11 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
(<ulink
|
||||
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>
|
||||
on Shorewall 4.5.7 and earlier). A running firewall may be restarted using
|
||||
the <command>shorewall restart</command> command. If you want to totally
|
||||
the <command>shorewall reload</command> command. If you want to totally
|
||||
remove any trace of Shorewall from your Netfilter configuration, use
|
||||
<command>shorewall clear</command>.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>The three-interface sample assumes that you want to enable routing
|
||||
to/from <filename class="devicefile">eth1</filename> (your local network)
|
||||
@ -1168,7 +1162,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
</orderedlist>
|
||||
|
||||
<para>Also, I don't recommend using <quote><command>shorewall
|
||||
restart</command></quote>; it is better to create an alternate
|
||||
reload</command></quote>; it is better to create an alternate
|
||||
configuration and test it using the <quote><command>shorewall
|
||||
try</command></quote> command.</para>
|
||||
</warning></para>
|
||||
@ -1239,7 +1233,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
|
||||
<programlisting><command>systemctl disable iptables.service</command></programlisting>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
|
||||
|
||||
<para>At this point, disable your existing firewall service.</para>
|
||||
</section>
|
||||
|
@ -922,7 +922,7 @@ ppp0 6000kbit 500kbit</programlisting>
|
||||
packets arriving on eth2 and eth3 should be marked with 2. All packets
|
||||
originating on the firewall itself should be marked with 3.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
MARK(1) eth1 0.0.0.0/0 all
|
||||
MARK(2) eth2 0.0.0.0/0 all
|
||||
MARK(2) eth3 0.0.0.0/0 all
|
||||
@ -935,7 +935,7 @@ MARK(3) $FW 0.0.0.0/0 all</programlisting>
|
||||
<para>All GRE (protocol 47) packets destined for 155.186.235.151
|
||||
should be marked with 12.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
MARK(12):T 0.0.0.0/0 155.182.235.151 47</programlisting>
|
||||
</example>
|
||||
|
||||
@ -945,7 +945,7 @@ MARK(12):T 0.0.0.0/0 155.182.235.151 47</programlisting>
|
||||
<para>All SSH request packets originating in 192.168.1.0/24 and
|
||||
destined for 155.186.235.151 should be marked with 22.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
|
||||
</example>
|
||||
|
||||
@ -956,8 +956,7 @@ MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
|
||||
/etc/shorewall/tcdevices should be assigned to the class with mark
|
||||
value 10.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp 22
|
||||
CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</programlisting>
|
||||
</example>
|
||||
@ -975,8 +974,7 @@ CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</
|
||||
means unclassified. Traffic originating on the firewall is not covered
|
||||
by this example.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST
|
||||
# PORT(S) GROUP
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request
|
||||
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
|
||||
|
||||
@ -1002,8 +1000,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - -
|
||||
ensure that all VOIP packets also receive that mark (assumes that
|
||||
nf_conntrack_sip is loaded).</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST CONNBYTES TOS HELPER
|
||||
# PORT(S) GROUP
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST CONNBYTES TOS HELPER
|
||||
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
|
||||
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
|
||||
1 0.0.0.0/0 0.0.0.0/0 all - - - - - - sip
|
||||
@ -1235,7 +1232,7 @@ Source IP address is 192.168.4.3 = 0xc0a80403
|
||||
|
||||
<para><filename>/etc/shorewall/tcdevices</filename>:</para>
|
||||
|
||||
<programlisting>#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
|
||||
<programlisting>#INTERFACE IN_BANDWIDTH OUT_BANDWIDTH
|
||||
eth0 100mbit 100mbit</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tcclasses</filename>:</para>
|
||||
@ -1293,7 +1290,7 @@ IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
|
||||
<section id="realtcd">
|
||||
<title>tcdevices file</title>
|
||||
|
||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
||||
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
|
||||
ppp0 5000kbit 500kbit</programlisting>
|
||||
</section>
|
||||
|
||||
@ -1309,8 +1306,7 @@ ppp0 3 2*full/10 8*full/10 2</programlisting>
|
||||
<section id="realtcr">
|
||||
<title>mangle file</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
|
||||
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
|
||||
# mark traffic which should have a lower priority with a 3:
|
||||
@ -1347,23 +1343,14 @@ NOPRIOPORTDST="6662 6663" </programlisting>
|
||||
<para>This would result in the following additional settings to the
|
||||
mangle file:</para>
|
||||
|
||||
<programlisting>MARK(3) 192.168.1.128/25 0.0.0.0/0 all
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
MARK(3) 192.168.1.128/25 0.0.0.0/0 all
|
||||
MARK(3) 192.168.3.28 0.0.0.0/0 all
|
||||
MARK(3) 0.0.0.0/0 60.0.0.0/24 all
|
||||
MARK(3) 0.0.0.0/0 0.0.0.0/0 udp 6662,6663
|
||||
MARK(3) 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663
|
||||
MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663
|
||||
MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting>
|
||||
|
||||
<para>Corresponding tcrules file entries are:</para>
|
||||
|
||||
<programlisting>3 192.168.1.128/25 0.0.0.0/0 all
|
||||
3 192.168.3.28 0.0.0.0/0 all
|
||||
3 0.0.0.0/0 60.0.0.0/24 all
|
||||
3 0.0.0.0/0 0.0.0.0/0 udp 6662,6663
|
||||
3 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663
|
||||
3 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663
|
||||
3 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
@ -1378,7 +1365,7 @@ MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp - 6662,666
|
||||
<section id="simpletcd">
|
||||
<title>tcdevices file</title>
|
||||
|
||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
||||
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
|
||||
ppp0 6000kbit 700kbit</programlisting>
|
||||
|
||||
<para>We have 6mbit down and 700kbit upstream.</para>
|
||||
@ -1403,8 +1390,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
|
||||
<section id="simpletcr">
|
||||
<title>mangle file</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
|
||||
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
|
||||
MARK(2):F 192.168.2.23 0.0.0.0/0 all
|
||||
@ -1412,8 +1398,7 @@ MARK(3):F 192.168.2.42 0.0.0.0/0 all</programlisting>
|
||||
|
||||
<para>Corresponding tcrules file:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER
|
||||
# PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
|
||||
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
|
||||
2:F 192.168.2.23 0.0.0.0/0 all
|
||||
@ -1472,13 +1457,12 @@ MARK(3):F 192.168.2.42 0.0.0.0/0 all</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tcdevices</filename>:</para>
|
||||
|
||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS
|
||||
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS
|
||||
eth0 - 1000kbit hfsc</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tcclasses</filename>:</para>
|
||||
|
||||
<programlisting>#INTERFACE:CLASS MARK RATE: CEIL PRIORITY OPTIONS
|
||||
# DMAX:UMAX
|
||||
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||
1:10 1 500kbit full 1
|
||||
1:20 2 500kbit full 1
|
||||
1:10:11 3 400kbit:53ms:1500b full 2
|
||||
@ -1649,8 +1633,7 @@ ip link set ifb0 up</command></programlisting>
|
||||
|
||||
<para>Example: <filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT net dmz:192.168.4.5 tcp 80 - 206.124.146.177</programlisting>
|
||||
|
||||
<para>Requests redirected by this rule will have destination IP
|
||||
@ -1721,7 +1704,7 @@ eth0 192.168.1.0/24 206.124.146.179</programlisting></para>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DEST PORT(S)</term>
|
||||
<term>DPORT</term>
|
||||
|
||||
<listitem>
|
||||
<para>Comma-separated list of destination port names or numbers.
|
||||
@ -1731,7 +1714,7 @@ eth0 192.168.1.0/24 206.124.146.179</programlisting></para>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SOURCE PORT</term>
|
||||
<term>SPORT</term>
|
||||
|
||||
<listitem>
|
||||
<para>Comma-separated list of source port names or numbers. May
|
||||
@ -1810,8 +1793,7 @@ qt ip link set dev ifb0 up</programlisting></para>
|
||||
<para><filename>/etc/shorewall/tcdevices</filename>:</para>
|
||||
|
||||
<para><programlisting>
|
||||
#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED
|
||||
# INTERFACES
|
||||
#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
|
||||
1:eth0 - 384kbit classify
|
||||
2:ifb0 - 1300kbit - eth0</programlisting>
|
||||
<filename>/etc/shorewall/tcclasses</filename>:<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||
@ -1820,8 +1802,7 @@ qt ip link set dev ifb0 up</programlisting></para>
|
||||
1:130 - 2*full/10 6*full/10 3
|
||||
2:110 - 5*full/10 full 1 tcp-ack,tos-minimize-delay
|
||||
2:120 - 2*full/10 6*full/10 2 default
|
||||
2:130 - 2*full/10 6*full/10 3</programlisting><filename>/etc/shorewall/tcfilters</filename>:<programlisting>#INTERFACE: SOURCE DEST PROTO DEST SOURCE
|
||||
#CLASS PORT(S) PORT(S)
|
||||
2:130 - 2*full/10 6*full/10 3</programlisting><filename>/etc/shorewall/tcfilters</filename>:<programlisting>#INTERFACE: SOURCE DEST PROTO DPORT SPORT
|
||||
#
|
||||
# OUTGOING TRAFFIC
|
||||
#
|
||||
|
@ -74,7 +74,7 @@
|
||||
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata align="center" fileref="images/basics.png" format="PNG" />
|
||||
<imagedata align="center" fileref="images/basics.png" format="PNG"/>
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</figure> <caution>
|
||||
@ -121,19 +121,18 @@
|
||||
<title>Conventions</title>
|
||||
|
||||
<para>Points at which configuration changes are recommended are flagged
|
||||
with <inlinegraphic fileref="images/BD21298_.gif"
|
||||
format="GIF" />.</para>
|
||||
with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
|
||||
|
||||
<para>Configuration notes that are unique to Debian and it's derivatives
|
||||
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
|
||||
format="GIF" />.</para>
|
||||
format="GIF"/>.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="PPTP">
|
||||
<title>PPTP/ADSL</title>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>If you have an <acronym>ADSL</acronym> Modem and you use
|
||||
<acronym>PPTP</acronym> to communicate with a server in that modem, you
|
||||
@ -146,7 +145,7 @@
|
||||
<section id="Concepts">
|
||||
<title>Shorewall Concepts</title>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
|
||||
<para>The configuration files for Shorewall are contained in the directory
|
||||
<filename class="directory">/etc/shorewall</filename> -- for simple
|
||||
@ -154,7 +153,7 @@
|
||||
this guide.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif"
|
||||
format="GIF" /><important>
|
||||
format="GIF"/><important>
|
||||
<para>After you have <ulink url="Install.htm">installed
|
||||
Shorewall</ulink>, locate the two-interfaces samples:</para>
|
||||
|
||||
@ -189,10 +188,10 @@
|
||||
|
||||
<listitem>
|
||||
<para><graphic align="left"
|
||||
fileref="images/openlogo-nd-25.png" />If you installed using a
|
||||
fileref="images/openlogo-nd-25.png"/>If you installed using a
|
||||
Shorewall 4.x .deb, the samples are in <emphasis
|
||||
role="bold"><filename
|
||||
class="directory">/usr/share/doc/shorewall-common/examples/two-interfaces</filename>.</emphasis>
|
||||
class="directory">/usr/share/doc/shorewall/examples/two-interfaces</filename>.</emphasis>
|
||||
You do not need the shorewall-doc package to have access to the
|
||||
samples.</para>
|
||||
|
||||
@ -230,8 +229,7 @@
|
||||
a set of zones. In the two-interface sample configuration, the following
|
||||
zone names are used:</para>
|
||||
|
||||
<para><programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
<para><programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
fw firewall
|
||||
net ipv4
|
||||
loc ipv4</programlisting>Zones are defined in the <ulink
|
||||
@ -289,13 +287,13 @@ loc ipv4</programlisting>Zones are defined in the <ulink
|
||||
<para>The <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||
file included with the two-interface sample has the following policies:
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting>In the two-interface
|
||||
sample, the line below is included but commented out. If you want your
|
||||
firewall system to have full access to servers on the Internet, uncomment
|
||||
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
that line. <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
$FW net ACCEPT</programlisting> The above policy will:
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@ -333,11 +331,11 @@ $FW net ACCEPT</programlisting> The above policy will:
|
||||
local network from a security perspective. If you want to do this, add
|
||||
these two policies:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
loc $FW ACCEPT
|
||||
$FW loc ACCEPT</programlisting>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>At this point, edit your <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||
@ -349,7 +347,7 @@ $FW loc ACCEPT</programlisting>
|
||||
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata align="center" fileref="images/basics.png" format="PNG" />
|
||||
<imagedata align="center" fileref="images/basics.png" format="PNG"/>
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
|
||||
@ -393,7 +391,7 @@ root@lists:~# </programlisting>
|
||||
the external interface.</para>
|
||||
</caution>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>I<emphasis role="bold">f your external interface is <filename
|
||||
class="devicefile">ppp0</filename> or <filename
|
||||
@ -421,7 +419,7 @@ root@lists:~# </programlisting>
|
||||
internal interface.</emphasis> Your firewall should have exactly one
|
||||
default route via your ISP's Router.</para>
|
||||
</warning> <inlinegraphic fileref="images/BD21298_.gif"
|
||||
format="GIF" /></para>
|
||||
format="GIF"/></para>
|
||||
|
||||
<para>The Shorewall two-interface sample configuration assumes that the
|
||||
external interface is <filename class="devicefile">eth0</filename> and the
|
||||
@ -533,7 +531,7 @@ root@lists:~# </programlisting>
|
||||
directly. To communicate with systems outside of the subnetwork, systems
|
||||
send packets through a gateway (router).</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>Your local computers (computer 1 and computer 2 in the above
|
||||
diagram) should be configured with their default gateway to be the
|
||||
@ -550,7 +548,7 @@ root@lists:~# </programlisting>
|
||||
<para id="Diagram">The remainder of this guide will assume that you have
|
||||
configured your network as shown here: <mediaobject>
|
||||
<imageobject>
|
||||
<imagedata align="center" fileref="images/basics1.png" format="PNG" />
|
||||
<imagedata align="center" fileref="images/basics1.png" format="PNG"/>
|
||||
</imageobject>
|
||||
</mediaobject> The default gateway for computer's 1 & 2 would be
|
||||
<systemitem class="ipaddress">10.10.10.254</systemitem>. <warning>
|
||||
@ -607,7 +605,7 @@ root@lists:~# </programlisting>
|
||||
<acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the
|
||||
<acronym>IP</acronym> is static.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>If your external firewall interface is <filename
|
||||
class="devicefile">eth0</filename>, you do not need to modify the file
|
||||
@ -616,7 +614,7 @@ root@lists:~# </programlisting>
|
||||
class="directory">/etc/shorewall/</filename><filename>masq</filename> and
|
||||
change the first column to the name of your external interface.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>If your external <acronym>IP</acronym> is static, you can enter it
|
||||
in the third column in the <filename
|
||||
@ -626,7 +624,7 @@ root@lists:~# </programlisting>
|
||||
column 3 (SNAT) makes the processing of outgoing packets a little more
|
||||
efficient.</para>
|
||||
|
||||
<graphic align="left" fileref="images/openlogo-nd-25.png" />
|
||||
<graphic align="left" fileref="images/openlogo-nd-25.png"/>
|
||||
|
||||
<para>I<emphasis role="bold">f you are using the Debian package, please
|
||||
check your <filename>shorewall.conf</filename> file to ensure that the
|
||||
@ -689,7 +687,7 @@ root@lists:~# </programlisting>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>If you are running a distribution that logs netfilter messages to a
|
||||
log other than <filename>/var/log/messages</filename>, then modify the
|
||||
@ -729,7 +727,7 @@ root@lists:~# </programlisting>
|
||||
<filename>/usr/share/shorewall/modules</filename> then copy the file to
|
||||
<filename>/etc/shorewall</filename> and modify the copy.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
|
||||
</section>
|
||||
@ -758,7 +756,7 @@ root@lists:~# </programlisting>
|
||||
a server in the <emphasis>loc</emphasis> zone, the general form of a
|
||||
simple port forwarding rule in <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
DNAT net loc:<emphasis><server local ip address></emphasis>[:<emphasis><server port></emphasis>] <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting><important>
|
||||
<para><emphasis role="bold">If you want to forward traffic from the
|
||||
<emphasis>loc</emphasis> zone to a server in the
|
||||
@ -784,14 +782,14 @@ DNAT net loc:<emphasis><server local ip address></emphasis>[:<e
|
||||
<para>You run a Web Server on computer 2 in <link
|
||||
linkend="Diagram">the above diagram</link> and you want to forward
|
||||
incoming <acronym>TCP</acronym> port 80 to that system:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Web(DNAT) net loc:10.10.10.2</programlisting></para>
|
||||
</example> <example id="Example2" label="2">
|
||||
<title>FTP Server</title>
|
||||
|
||||
<para>You run an <acronym>FTP</acronym> Server on <link
|
||||
linkend="Diagram">computer 1</link> so you want to forward incoming
|
||||
<acronym>TCP</acronym> port 21 to that system: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<acronym>TCP</acronym> port 21 to that system: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
FTP(DNAT) net loc:10.10.10.1</programlisting> For
|
||||
<acronym>FTP</acronym>, you will also need to have
|
||||
<acronym>FTP</acronym> connection tracking and <acronym>NAT</acronym>
|
||||
@ -829,11 +827,11 @@ FTP(DNAT) net loc:10.10.10.1</programlisting> For
|
||||
server, try the following rule and try connecting to port
|
||||
5000.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
|
||||
</listitem>
|
||||
</itemizedlist> <inlinegraphic fileref="images/BD21298_.gif"
|
||||
format="GIF" /></para>
|
||||
format="GIF"/></para>
|
||||
|
||||
<para>At this point, modify <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>rules</filename> to
|
||||
@ -881,7 +879,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><anchor id="cachingdns" /> You can configure a
|
||||
<para><anchor id="cachingdns"/> You can configure a
|
||||
<emphasis>Caching Name Server</emphasis> on your firewall.
|
||||
<trademark>Red Hat</trademark> has an <acronym>RPM</acronym> for a
|
||||
caching name server (the <acronym>RPM</acronym> also requires the
|
||||
@ -897,7 +895,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
|
||||
network to the firewall; you do that by adding the following rules
|
||||
in <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>rules</filename>.
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
DNS(ACCEPT)loc $FW</programlisting></para>
|
||||
</listitem>
|
||||
</itemizedlist></para>
|
||||
@ -907,7 +905,7 @@ DNS(ACCEPT)loc $FW</programlisting></para>
|
||||
<title>Other Connections</title>
|
||||
|
||||
<para>The two-interface sample includes the following rules:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
DNS(ACCEPT) $FW net</programlisting>This rule allows
|
||||
<acronym>DNS</acronym> access from your firewall and may be removed if you
|
||||
uncommented the line in <filename
|
||||
@ -922,7 +920,7 @@ DNS(ACCEPT) $FW net</programlisting>This rule allows
|
||||
<para>You don't have to use defined macros when coding a rule in
|
||||
<filename>/etc/shorewall/rules</filename>; Shorewall will start slightly
|
||||
faster if you code your rules directly rather than using macros. The the
|
||||
rule shown above could also have been coded as follows:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
rule shown above could also have been coded as follows:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT $FW net udp 53
|
||||
ACCEPT $FW net tcp 53</programlisting></para>
|
||||
|
||||
@ -930,21 +928,21 @@ ACCEPT $FW net tcp 53</programlisting></para>
|
||||
your needs, you can either define the macro yourself or you can simply
|
||||
code the appropriate rules directly.</para>
|
||||
|
||||
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
SSH(ACCEPT) loc $FW </programlisting>That rule allows you to run an
|
||||
<acronym>SSH</acronym> server on your firewall and connect to that server
|
||||
from your local systems.</para>
|
||||
|
||||
<para>If you wish to enable other connections from your firewall to other
|
||||
systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<macro>(ACCEPT) $FW <emphasis><destination zone></emphasis></programlisting>The
|
||||
general format when not using defined macros is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
general format when not using defined macros is:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT $FW <emphasis><destination zone> <protocol> <port></emphasis></programlisting><example
|
||||
id="Example3">
|
||||
<title>Web Server on Firewall</title>
|
||||
|
||||
<para>You want to run a Web Server on your firewall system:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Web(ACCEPT) net $FW
|
||||
Web(ACCEPT) loc $FW </programlisting>Those two rules would of
|
||||
course be in addition to the rules listed above under <quote><link
|
||||
@ -957,14 +955,14 @@ Web(ACCEPT) loc $FW </programlisting>Those two rules would of
|
||||
shell access to your firewall from the Internet, use
|
||||
<acronym>SSH</acronym>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
SSH(ACCEPT) net $FW</programlisting>
|
||||
</important> <inlinegraphic fileref="images/leaflogo.gif"
|
||||
format="GIF" />Bering users will want to add the following two rules to be
|
||||
compatible with Jacques's Shorewall configuration.<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
format="GIF"/>Bering users will want to add the following two rules to be
|
||||
compatible with Jacques's Shorewall configuration.<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT loc $FW udp 53 #Allow DNS Cache to work
|
||||
ACCEPT loc $FW tcp 80 #Allow Weblet to work</programlisting>
|
||||
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>Now edit your <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>rules</filename>
|
||||
@ -1030,7 +1028,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
<section id="Starting">
|
||||
<title>Starting and Stopping Your Firewall</title>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>The <ulink url="Install.htm">installation procedure</ulink>
|
||||
configures your system to start Shorewall at system boot but startup is
|
||||
@ -1038,7 +1036,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
configuration is complete. Once you have completed configuration of your
|
||||
firewall, you must edit /etc/shorewall/shorewall.conf and set
|
||||
STARTUP_ENABLED=Yes.<graphic align="left"
|
||||
fileref="images/openlogo-nd-25.png" /><important>
|
||||
fileref="images/openlogo-nd-25.png"/><important>
|
||||
<para>Users of the .deb package must edit <filename
|
||||
class="directory">/etc/default/</filename><filename>shorewall</filename>
|
||||
and set <varname>startup=1</varname>.</para>
|
||||
@ -1056,11 +1054,11 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
(Shorewall 4.5.7 and earlier) or in<filename> <ulink
|
||||
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>.
|
||||
A running firewall may be restarted using the <quote><command>shorewall
|
||||
restart</command></quote> command. If you want to totally remove any trace
|
||||
reload</command></quote> command. If you want to totally remove any trace
|
||||
of Shorewall from your Netfilter configuration, use
|
||||
<quote><command>shorewall clear</command></quote>.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>The two-interface sample assumes that you want to enable routing
|
||||
to/from <filename class="devicefile">eth1</filename> (the local network)
|
||||
@ -1087,7 +1085,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
</orderedlist>
|
||||
|
||||
<para>Also, I don't recommend using <quote><command>shorewall
|
||||
restart</command></quote>; it is better to create an alternate
|
||||
reload</command></quote>; it is better to create an alternate
|
||||
configuration and test it using the <quote><command>shorewall
|
||||
try</command></quote> command.</para>
|
||||
</warning></para>
|
||||
@ -1158,7 +1156,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
|
||||
<programlisting><command>systemctl disable iptables.service</command></programlisting>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
|
||||
|
||||
<para>At this point, disable your existing firewall service.</para>
|
||||
</section>
|
||||
@ -1202,9 +1200,9 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
</caution></para>
|
||||
|
||||
<para>Your new network will look similar to what is shown in the following
|
||||
figure.<graphic align="center" fileref="images/basics2.png" /></para>
|
||||
figure.<graphic align="center" fileref="images/basics2.png"/></para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>The first thing to note is that the computers in your wireless
|
||||
network will be in a different subnet from those on your wired local LAN.
|
||||
@ -1217,7 +1215,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
traffic may flow freely between the local wired network and the wireless
|
||||
network.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
|
||||
<para>There are only two changes that need to be made to the Shorewall
|
||||
configuration:</para>
|
||||
@ -1229,8 +1227,8 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
network interface. If the wireless interface is <filename
|
||||
class="devicefile">wlan0</filename>, the entry might look like:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc wlan0 detect maclist</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc wlan0 maclist</programlisting>
|
||||
|
||||
<para>As shown in the above entry, I recommend using the <ulink
|
||||
url="MAC_Validation.html">maclist option</ulink> for the wireless
|
||||
@ -1248,7 +1246,7 @@ loc wlan0 detect maclist</programlisting>
|
||||
from the wireless network to the Internet. If you file looks like
|
||||
this:</para>
|
||||
|
||||
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
|
||||
<programlisting>#INTERFACE SOURCE ADDRESS PROTO DPORT IPSEC MARK
|
||||
eth0 10.0.0.0/8,\
|
||||
169.254.0.0/16,\
|
||||
172.16.0.0/12,\
|
||||
|
@ -120,7 +120,7 @@ loc eth2:0.0.0.0/0</programlisting>
|
||||
|
||||
<bridgehead renderas="sect4">Policy File</bridgehead>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL
|
||||
<emphasis role="bold">ops all ACCEPT
|
||||
all ops CONTINUE</emphasis>
|
||||
loc net ACCEPT
|
||||
@ -134,7 +134,7 @@ all all REJECT info</programlisting>
|
||||
|
||||
<bridgehead renderas="sect4">Rules File</bridgehead>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORTS(S) ORIGINAL DEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
REDIRECT loc!ops 3128 tcp http</programlisting>
|
||||
|
||||
<para>This is the rule that transparently redirects web traffic to the
|
||||
|