diff --git a/Shorewall-core/install.sh b/Shorewall-core/install.sh index a8aacd968..7d3f9bae2 100755 --- a/Shorewall-core/install.sh +++ b/Shorewall-core/install.sh @@ -2,7 +2,7 @@ # # Script to install Shoreline Firewall Core Modules # -# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net) +# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net) # # Shorewall documentation is available at http://shorewall.net # diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index a197de807..66a4c0af1 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -266,7 +266,7 @@ search_log() # $1 = IP address to search for # # Show traffic control information # -show_tc() { +show_tc1() { show_one_tc() { local device @@ -292,6 +292,19 @@ show_tc() { } +show_tc() { + echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)" + echo + shift + + if [ -z "$1" ]; then + $g_tool -t mangle -L -n -v | $output_filter + echo + fi + + show_tc1 $1 +} + # # Show classifier information # 
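Review bot: The new show_tc() wrapper carries no header comment, while the existing `# Show traffic control information` block now sits above show_tc1 and describes that function instead. Suggest adding above show_tc() `# Show traffic control information: heading, then the mangle table when no device is given, then show_tc1 for the device`, and retitling the block above show_tc1 as `# Show traffic control information for one device (or all)`. `show_tc1 $1` is unquoted, which passes no argument when the device is empty; that matches the inline code it replaces, so presumably deliberate, but a comment saying so would stop the next reader from "fixing" it. show_one_tc's body lies outside the hunk.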
@@ -928,6 +941,66 @@ show_actions() { grep -Ev '^\#|^$' ${g_sharedir}/actions.std fi } + +show_chain() { + echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)" + echo + show_reset + if [ $# -gt 0 ]; then + for chain in $*; do + $g_tool -t $table -L $chain $g_ipt_options | $output_filter + echo + done + else + $g_tool -t $table -L $g_ipt_options | $output_filter + fi +} + +show_chains() { + echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)" + echo + show_reset + for chain in $*; do + $g_tool -t $table -L $chain $g_ipt_options | $output_filter + echo + done +} + +show_table() { + echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)" + echo + show_reset + $g_tool -t $table -L $g_ipt_options | $output_filter +} + +show_nat() { + echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)" + echo + show_reset + $g_tool -t nat -L $g_ipt_options | $output_filter +} + +show_macros() { + for directory in $(split $CONFIG_PATH); do + temp= + for macro in ${directory}/macro.*; do + case $macro in + *\*) + ;; + *) + if [ -z "$temp" ]; then + echo + echo "Macros in $directory:" + echo + temp=Yes + fi + show_macro + ;; + esac + done + done +} + # # Show Command Executor # 
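Review bot: The heading expression in show_chain, `$([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)`, prints both words when more than one chain is given, because `&&` and `||` have equal precedence and bind left to right: after `echo "Chains "` succeeds the `|| [ ... ]` is skipped but the following `&& echo "Chain "` still runs. Compute the heading with an if/elif chain instead, e.g. `if [ $# -gt 1 ]; then heading="Chains "; elif [ $# -gt 0 ]; then heading="Chain "; else heading="$table Table"; fi`, and echo `$heading`. `for chain in $*` in show_chain and show_chains should be `for chain in "$@"` so chain names are neither re-split nor glob-expanded. show_table and show_nat are the same body with a different table name; `show_table` with `table=nat` at the call site would cover both, and each of the new functions would benefit from a one-line header comment like the other show_* helpers in this file.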
@@ -1084,31 +1157,28 @@ show_command() { ;; nat) [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)" - echo - show_reset - $g_tool -t nat -L $g_ipt_options | $output_filter + eval show_nat $g_pager ;; raw) [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)" - echo - show_reset - $g_tool -t raw -L $g_ipt_options | $output_filter + eval { echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)" + echo + show_reset + $g_tool -t raw -L $g_ipt_options | $output_filter } $g_pager ;; rawpost) [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)" - echo - show_reset - $g_tool -t rawpost -L $g_ipt_options | $output_filter + eval { echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)" + echo + show_reset + $g_tool -t rawpost -L $g_ipt_options | $output_filter } $g_pager ;; tos|mangle) [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)" - echo - show_reset - $g_tool -t mangle -L $g_ipt_options | $output_filter + eval { echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)" + echo + show_reset + $g_tool -t mangle -L $g_ipt_options | $output_filter } $g_pager ;; log) [ $# -gt 2 ] && usage 1 @@ -1128,22 +1198,13 @@ show_command() { ;; tc) [ $# -gt 2 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)" - echo - shift - - if [ -z "$1" ]; then - $g_tool -t mangle -L -n -v | $output_filter - echo - fi - - show_tc $1 + eval show_tc $g_pager ;; classifiers|filters) [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)" - echo - show_classifiers + eval { echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)" + echo + show_classifiers } $g_pager ;; zones) [ $# -gt 1 ] && usage 1 
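Review bot: The `eval { echo ... }` form in the raw), rawpost) and tos|mangle) arms cannot work as written: the outer shell parses the `|` before eval sees it, so `$output_filter } $g_pager` becomes a separate pipeline stage, and each `+` line is its own command, leaving eval with an unterminated `{` unless continuation backslashes were lost in this rendering. The double quotes around the heading are also stripped before eval re-parses the text, so any shell metacharacter in `$g_hostname` or in the `date` output would be interpreted rather than printed. The nat) arm in the same hunk already shows the working pattern, a function plus `eval show_nat $g_pager`; define `show_raw`, `show_rawpost` and `show_mangle` the same way (or one `show_table`-style function taking the table name). The same construct appears in the classifiers), ip), routing), policies), ipa), nfacct), arptables) and events) arms on the following hunks.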
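Review bot: `eval show_tc $g_pager` in the tc) arm invokes show_tc with no positional parameters, whereas the inline code it replaces had show_command's arguments in scope; show_tc (earlier hunk) does `shift` and then tests `$1`, so inside it `$#` is 0, the optional device argument is silently dropped, and under dash a `shift` with nothing to shift is a fatal error. Pass the arguments through as the chain) arm does, preferably keeping the quoting intact: `eval 'show_tc "$@"' $g_pager`.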
@@ -1173,22 +1234,22 @@ show_command() { determine_capabilities VERBOSITY=2 if [ -n "$g_filemode" ]; then - report_capabilities1 + eval report_capabilities1 $g_pager else - report_capabilities + eval report_capabilities $g_pager fi ;; ip) [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)" - echo - ip -$g_family addr list + eval { echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)" + echo + ip -$g_family addr list } $g_pager ;; routing) [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)" - echo - show_routing + eval { echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)" + echo + show_routing } $g_pager ;; config) . ${g_sharedir}/configpath @@ -1210,33 +1271,23 @@ show_command() { ;; chain) shift - echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)" - echo - show_reset - if [ $# -gt 0 ]; then - for chain in $*; do - $g_tool -t $table -L $chain $g_ipt_options | $output_filter - echo - done - else - $g_tool -t $table -L $g_ipt_options | $output_filter - fi + eval show_chain $@ $g_pager ;; vardir) echo $VARDIR; ;; policies) [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)" - echo - [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies; + eval { echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)" + echo + [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies } $g_pager ;; ipa) [ $g_family -eq 4 ] || usage 1 - echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)" - echo - [ $# -gt 1 ] && usage 1 - perip_accounting + eval { echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)" + echo + [ $# -gt 1 ] && usage 1 + perip_accounting } $g_pager ;; marks) [ $# -gt 1 ] && usage 1 
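Review bot: `eval show_chain $@ $g_pager` re-parses the user-supplied chain names a second time: the outer shell expands `$@` unquoted, then eval word-splits and interprets any glob or shell metacharacter in them before show_chain runs. Quoting the command text so that eval itself sees `"$@"` avoids this, `eval 'show_chain "$@"' $g_pager`; the same applies to `eval show_chains $@ $g_pager` on a later hunk. In the ipa) arm, `[ $# -gt 1 ] && usage 1` now runs after the heading has already been printed and, when a pager is active, inside the left-hand side of a pipe, so the exit in `usage 1` ends only that subshell; keep the argument check before the eval as the other arms do.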
@@ -1246,17 +1297,17 @@ show_command() { ;; nfacct) [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)" - echo - show_nfacct + eval { echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)" + echo + show_nfacct } $g_pager ;; arptables) [ $# -gt 1 ] && usage 1 resolve_arptables if [ -n "$arptables" -a -x $arptables ]; then - echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)" - echo - $arptables -L -n -v + eval { echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)" + echo + $arptables -L -n -v } $g_pager else error_message "Cannot locate the arptables executable" fi @@ -1270,9 +1321,9 @@ show_command() { ;; events) [ $# -gt 1 ] && usage 1 - echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)" - echo - show_events + eval { echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)" + echo + show_events } $g_pager ;; bl|blacklists) [ $# -gt 1 ] && usage 1 @@ -1298,7 +1349,7 @@ show_command() { case $1 in actions) [ $# -gt 1 ] && usage 1 - show_actions | sort + eval show_actions | sort $pager return ;; macro) @@ -1315,25 +1366,7 @@ show_command() { ;; macros) [ $# -gt 1 ] && usage 1 - - for directory in $(split $CONFIG_PATH); do - temp= - for macro in ${directory}/macro.*; do - case $macro in - *\*) - ;; - *) - if [ -z "$temp" ]; then - echo - echo "Macros in $directory:" - echo - temp=Yes - fi - show_macro - ;; - esac - done - done + eval show_macros $g_pager return ;; esac 
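Review bot: `eval show_actions | sort $pager` references `$pager`, which is never assigned (the variable this commit introduces is `g_pager`), so the actions listing is the one show sub-command that is never paged; and because the `|` is parsed by the outer shell, eval only ever sees the single word `show_actions`. `eval 'show_actions | sort' $g_pager` produces the intended pipeline.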
@@ -1353,20 +1386,11 @@ show_command() { error_message "ERROR: Chain '$chain' is not recognized by $g_tool." exit 1 fi - done + done - echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)" - echo - show_reset - for chain in $*; do - $g_tool -t $table -L $chain $g_ipt_options | $output_filter - echo - done + eval show_chains $@ $g_pager else - echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)" - echo - show_reset - $g_tool -t $table -L $g_ipt_options | $output_filter + eval show_table $g_pager fi ;; esac @@ -1417,12 +1441,16 @@ dump_filter() { ;; esac - $command $filter + eval $command $filter $g_pager else cat - fi } +dump_filter_wrapper() { + eval dump_filter $g_pager +} + # # Dump Command Executor # @@ -1633,14 +1661,14 @@ do_dump_command() { if [ -n "$TC_ENABLED" ]; then heading "Traffic Control" - show_tc + show_tc1 heading "TC Filters" show_classifiers fi } dump_command() { - do_dump_command $@ | dump_filter + do_dump_command $@ | dump_filter_wrapper } # @@ -4040,6 +4068,7 @@ shorewall_cli() { g_counters= g_loopback= g_compiled= + g_pager= VERBOSE= VERBOSITY=1 @@ -4194,6 +4223,19 @@ shorewall_cli() { ;; esac + if [ -t 1 ]; then + # + # Output is to a terminal -- use a pager on commands with verbose output + # + if qt mywhich less; then + g_pager='| less' + elif qt mywhich more; then + g_pager='| more' + else + g_pager='' + fi + fi + COMMAND=$1 case "$COMMAND" in diff --git a/Shorewall-core/uninstall.sh b/Shorewall-core/uninstall.sh index 58283deb1..a008fe491 100755 --- a/Shorewall-core/uninstall.sh +++ b/Shorewall-core/uninstall.sh @@ -2,7 +2,7 @@ # # Script to back uninstall Shoreline Firewall # -# (c) 2000-2014 - Tom Eastep (teastep@shorewall.net) +# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net) # # Shorewall documentation is available at http://www.shorewall.net # diff --git a/Shorewall-init/install.sh b/Shorewall-init/install.sh index de7edc584..2a3c78285 100755 
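Review bot: The pager is applied twice on the dump path: dump_filter_wrapper runs `eval dump_filter $g_pager`, and inside dump_filter the matched branch runs `eval $command $filter $g_pager`, giving `$command $filter | less | less` when a pager is found. The inner less merely copies through because its stdout is not a terminal, but the duplication is confusing and costs a process; keep the inner line as `$command $filter` and let the wrapper own paging. dump_filter's case statement begins outside the hunk, so the source of `$command` and `$filter` is not visible here.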
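Review bot: Pager selection ignores the conventional `PAGER` environment variable and offers no way to turn paging off, so a user who sets PAGER=cat or wants unpaged output on a terminal has no recourse; the `else g_pager=''` branch is also redundant given the `g_pager=` initialization in the previous hunk. Consider `if [ -n "${PAGER}" ]; then g_pager="| ${PAGER}"` ahead of the less/more probes. Because `$g_pager` is spliced into eval text throughout show_command, its value must remain a trusted command string; a one-line comment above the block stating that would help future maintainers.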
--- a/Shorewall-init/install.sh +++ b/Shorewall-init/install.sh @@ -2,7 +2,7 @@ # # Script to install Shoreline Firewall Init # -# (c) 2000-20114 - Tom Eastep (teastep@shorewall.net) +# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net) # (c) 2010 - Roberto C. Sanchez (roberto@connexer.com) # # Shorewall documentation is available at http://shorewall.net diff --git a/Shorewall-init/uninstall.sh b/Shorewall-init/uninstall.sh index 3ba9ca031..01a1a7596 100755 --- a/Shorewall-init/uninstall.sh +++ b/Shorewall-init/uninstall.sh @@ -2,7 +2,7 @@ # # Script to back uninstall Shoreline Firewall # -# (c) 2000-2014 - Tom Eastep (teastep@shorewall.net) +# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net) # # Shorewall documentation is available at http://shorewall.sourceforge.net # diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index f3086ea7d..33ffc65e2 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -2,7 +2,7 @@ # # Script to install Shoreline Firewall Lite # -# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net) +# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net) # # Shorewall documentation is available at http://shorewall.net # diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh index f060acc04..60ef91c2c 100755 --- a/Shorewall-lite/uninstall.sh +++ b/Shorewall-lite/uninstall.sh @@ -2,7 +2,7 @@ # # Script to back uninstall Shoreline Firewall # -# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net) +# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net) # # Shorewall documentation is available at http://shorewall.sourceforge.net # diff --git a/Shorewall/Macros/macro.SNMPTrap b/Shorewall/Macros/macro.SNMPTrap index 83cce5b52..a2c1c4b95 100644 --- a/Shorewall/Macros/macro.SNMPTrap +++ b/Shorewall/Macros/macro.SNMPTrap 
@@ -1,9 +1,9 @@ # # Shorewall - /usr/share/shorewall/macro.SNMPtrap # -# This macro handles SNMP traps. +# This macro deprecated by SNMPtrap. # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER -PARAM - - udp 162 +SNMPtrap diff --git a/Shorewall/Macros/macro.SNMPtrap b/Shorewall/Macros/macro.SNMPtrap new file mode 100644 index 000000000..83cce5b52 --- /dev/null +++ b/Shorewall/Macros/macro.SNMPtrap @@ -0,0 +1,9 @@ +# +# Shorewall - /usr/share/shorewall/macro.SNMPtrap +# +# This macro handles SNMP traps. +# +############################################################################### +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + +PARAM - - udp 162 diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index c5bfafdc1..874874648 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -264,6 +264,7 @@ our %EXPORT_TAGS = ( have_address_variables set_global_variables save_dynamic_chains + save_docker_rules load_ipsets create_save_ipsets validate_nfobject @@ -1525,8 +1526,7 @@ sub create_irule( $$$;@ ) { } # -# Clone an existing rule. Only the rule hash itself is cloned; reference values are shared between the new rule -# reference and the old. +# Clone an existing rule. # sub clone_irule( $ ) { my $oldruleref = $_[0]; 
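Review bot: The replacement header line `# This macro deprecated by SNMPtrap.` is missing its verb; `# This macro is deprecated; use SNMPtrap instead.` reads correctly and tells the user what to change. Since the file now just invokes the SNMPtrap macro, the unchanged `#ACTION SOURCE DEST PROTO ...` column header no longer describes the single `SNMPtrap` line beneath it, which may also be worth a word.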
@@ -2989,11 +2989,31 @@ sub initialize_chain_table($) { } } + my $chainref; + if ( $full ) { # # Create this chain early in case it is needed by Policy actions # new_standard_chain 'reject'; + + if ( $config{DOCKER} ) { + $chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' ); + set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE ); + } + } + + if ( my $docker = $config{DOCKER} ) { + add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' ); + $chainref = new_standard_chain( 'DOCKER' ); + set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE ); + add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER ] && cat ${VARDIR}/.filter_DOCKER >&3' ); + $chainref = new_nat_chain( 'DOCKER' ); + set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE ); + add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' ); + $chainref = new_standard_chain( 'DOCKER-ISOLATION' ); + set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE ); + add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' ); } my $ruleref = transform_rule( $globals{LOGLIMIT} ); 
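Review bot: `if ( my $docker = $config{DOCKER} )` declares `$docker` and never uses it; `if ( $config{DOCKER} )` matches the test a few lines above. `new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' )` hides a global assignment inside a call argument; assigning first and then passing `$globals{POSTROUTING}` makes the side effect visible. The four `add_commands` strings splice `${VARDIR}/.nat_*` and `.filter_*` into the restore input verbatim, so the compiled script now trusts those files completely and a stale or malformed one breaks the entire restore; a comment stating that they are written only by save_docker_rules at stop time would record that assumption. initialize_chain_table continues outside the hunk.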
@@ -8043,6 +8063,32 @@ sub emitr1( $$ ) { # # Emit code to save the dynamic chains to hidden files in ${VARDIR} # +sub save_docker_rules($) { + my $tool = $_[0]; + + emit( qq(if [ -n "\$g_docker" ]; then), + qq( $tool -t nat -S DOCKER | tail -n +2 > \$VARDIR/.nat_DOCKER), + qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \$VARDIR/.nat_POSTROUTING), + qq( $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER), + qq( [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \$VARDIR/.filter_DOCKER-ISOLATION) + ); + + if ( known_interface( 'docker0' ) ) { + emit( qq( $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \$VARDIR/.filter_FORWARD) ); + } else { + emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \$VARDIR/.filter_FORWARD) ); + } + + emit( qq( [ -s \$VARDIR/.filter_FORWARD ] || rm -f \$VARDIR/.filter_FORWARD), + qq(else), + qq( rm -f \$VARDIR/.nat_DOCKER), + qq( rm -f \$VARDIR/.nat_POSTROUTING), + qq( rm -f \$VARDIR/.filter_DOCKER), + qq( rm -f \$VARDIR/.filter_DOCKER-ISOLATION), + qq( rm -f \$VARDIR/.filter_FORWARD), + qq(fi) + ) +} sub save_dynamic_chains() { 
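Review bot: In the `if [ -n "$g_docker" ]` branch, `.filter_DOCKER-ISOLATION` is rewritten only when `$g_dockernetwork` is set, so a file left by an earlier stop survives when the isolation chain is later absent and is replayed by initialize_chain_table on the next start; only the else branch removes it. Append a removal to that line: `[ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \$VARDIR/.filter_DOCKER-ISOLATION || rm -f \$VARDIR/.filter_DOCKER-ISOLATION`. `fgrep -v SHOREWALL` also drops any POSTROUTING rule that merely mentions SHOREWALL (a comment, for instance); `grep -v -- '-j SHOREWALL'` is more precise, and `egrep`/`fgrep` are deprecated spellings of `grep -E`/`grep -F`. The sub has no header comment; `# Emit shell that saves the Docker-created nat/filter rules to hidden files in ${VARDIR}, or removes them when Docker is not running` would match the block above it.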
@@ -8077,25 +8123,23 @@ else rm -f \${VARDIR}/.dynamic fi EOF - + emit(''), save_docker_rules( $tool ) if $config{DOCKER}; } else { - $tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save'; - emit <<"EOF"; if chain_exists 'UPnP -t nat'; then - $tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP + $utility -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP else rm -f \${VARDIR}/.UPnP fi if chain_exists forwardUPnP; then - $tool -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP + $utility -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP else rm -f \${VARDIR}/.forwardUPnP fi if chain_exists dynamic; then - $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic + $utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic else rm -f \${VARDIR}/.dynamic fi @@ -8115,10 +8159,11 @@ EOF emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then), qq( if chain_exists dynamic; then), qq( $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) ); + emit( '' ), save_docker_rules( $tool ) if $config{DOCKER}; } else { emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then), qq( if chain_exists dynamic; then), - qq( $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) ); + qq( $utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) ); } emit <<"EOF"; @@ -8421,7 +8466,7 @@ sub create_netfilter_load( $ ) { my @chains; # - # iptables-restore seems to be quite picky about the order of the builtin chains + # Iptables-restore seems to be quite picky about the order of the builtin chains # for my $chain ( @builtins ) { my $chainref = $chain_table{$table}{$chain}; 
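Review bot: `emit(''), save_docker_rules( $tool ) if $config{DOCKER};` chains two calls with the comma operator under a single statement modifier, which is easy to misread as two statements; `if ( $config{DOCKER} ) { emit ''; save_docker_rules( $tool ); }` is clearer, and the same form recurs in the second hunk. The `$tool = ... '${IPTABLES}-save'` assignment is removed and the heredoc switched to `$utility`, whose definition is not in the hunk (save_dynamic_chains starts above it); presumably it is set at the top of the sub, but the IPTABLES_S branch still passes `$tool` to save_docker_rules, so the two names deserve a consistency check.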
@@ -8437,8 +8482,25 @@ sub create_netfilter_load( $ ) { for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { my $chainref = $chain_table{$table}{$chain}; unless ( $chainref->{builtin} ) { - assert( $chainref->{cmdlevel} == 0 , $chainref->{name} ); - emit_unindented ":$chainref->{name} - [0:0]"; + my $name = $chainref->{name}; + assert( $chainref->{cmdlevel} == 0 , $name ); + + if ( $name =~ /^DOCKER/ ) { + if ( $name eq 'DOCKER' ) { + enter_cmd_mode; + emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' ); + enter_cat_mode; + } elsif ( $name eq 'DOCKER-ISOLATION' ) { + enter_cmd_mode; + emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); + enter_cat_mode; + } else { + emit_unindented ":$name - [0:0]"; + } + } else { + emit_unindented ":$name - [0:0]"; + } + push @chains, $chainref; } } @@ -8524,8 +8586,24 @@ sub preview_netfilter_load() { for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { my $chainref = $chain_table{$table}{$chain}; unless ( $chainref->{builtin} ) { - assert( $chainref->{cmdlevel} == 0, $chainref->{name} ); - print ":$chainref->{name} - [0:0]\n"; + my $name = $chainref->{name}; + assert( $chainref->{cmdlevel} == 0 , $name ); + if ( $name =~ /^DOCKER/ ) { + if ( $name eq 'DOCKER' ) { + enter_cmd_mode; + emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' ); + enter_cat_mode; + } elsif ( $name eq 'DOCKER-ISOLATION' ) { + enter_cmd_mode; + emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); + enter_cat_mode; + } else { + emit_unindented ":$name - [0:0]"; + } + } else { + emit_unindented ":$name - [0:0]"; + } + push @chains, $chainref; } } 
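Review bot: The chain-declaration block is pasted verbatim three times, here in create_netfilter_load, in preview_netfilter_load in the second hunk, and in create_stop_load on the next page, and its outer `if ( $name =~ /^DOCKER/ )` adds nothing because the inner else repeats the outer else. Factor it into a helper and replace each copy with `emit_chain_declaration( $chainref );`. preview_netfilter_load previously used `print ":$chainref->{name} - [0:0]\n"` rather than emit_unindented; if writing to stdout was deliberate there, that copy needs its own branch rather than the helper.
```perl
#
# Emit the ':NAME - [0:0]' declaration for a non-builtin chain. The two
# Docker chains are declared at run time, only when dockerd created them.
#
sub emit_chain_declaration( $ ) {
    my $name = $_[0]->{name};

    if ( $name eq 'DOCKER' ) {
        enter_cmd_mode;
        emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
        enter_cat_mode;
    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
        enter_cmd_mode;
        emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
        enter_cat_mode;
    } else {
        emit_unindented ":$name - [0:0]";
    }
}
```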
@@ -8710,13 +8788,11 @@ sub create_stop_load( $ ) { emit ''; - emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY, - '', - 'progress_message2 "Running $command..."', - '', - '$command <<__EOF__' ); + save_progress_message "Preparing $utility input..."; - $mode = CAT_MODE; + emit "exec 3>\${VARDIR}/.${utility}-stop-input"; + + enter_cat_mode; unless ( $test ) { my $date = localtime; @@ -8746,8 +8822,24 @@ sub create_stop_load( $ ) { for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { my $chainref = $chain_table{$table}{$chain}; unless ( $chainref->{builtin} ) { - assert( $chainref->{cmdlevel} == 0 , $chainref->{name} ); - emit_unindented ":$chainref->{name} - [0:0]"; + my $name = $chainref->{name}; + assert( $chainref->{cmdlevel} == 0 , $name ); + if ( $name =~ /^DOCKER/ ) { + if ( $name eq 'DOCKER' ) { + enter_cmd_mode; + emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' ); + enter_cat_mode; + } elsif ( $name eq 'DOCKER-ISOLATION' ) { + enter_cmd_mode; + emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); + enter_cat_mode; + } else { + emit_unindented ":$name - [0:0]"; + } + } else { + emit_unindented ":$name - [0:0]"; + } + push @chains, $chainref; } } @@ -8760,10 +8852,19 @@ sub create_stop_load( $ ) { # # Commit the changes to the table # + enter_cat_mode unless $mode == CAT_MODE; emit_unindented 'COMMIT'; } - emit_unindented '__EOF__'; + enter_cmd_mode; + + emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY ); + + emit( '', + 'progress_message2 "Running $command..."', + '', + "cat \${VARDIR}/.${utility}-stop-input | \$command # Use this nonsensical form to appease SELinux", + ); # # Test result # diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index 396ec2008..7492eeb69 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm 
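Review bot: `exec 3>\${VARDIR}/.${utility}-stop-input` opens fd 3 on a persistent file holding the full stop ruleset, but the hunks neither close it (`exec 3>&-`) before `cat ... | $command` runs nor remove the file afterwards, so `$command` inherits a write descriptor to its own input and the file lingers in ${VARDIR} after the stop. If the close and cleanup live outside the hunk this is moot; otherwise add `exec 3>&-` before the `progress_message2` line and an `rm -f` after the command. The chain-declaration block in the middle hunk is the third copy of the one in create_netfilter_load (see the note there). create_stop_load continues beyond the last hunk.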
@@ -261,7 +261,15 @@ sub generate_script_2() { '# The library requires that ${VARDIR} exist', '#', '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}' - ); + ); + + if ( $config{DOCKER} ) { + emit( '', + 'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes', + ); + emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' ); + emit( '' ); + } pop_indent; diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index ae5a2e9ef..cad326877 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -736,6 +736,7 @@ sub initialize( $;$$) { RPFILTER_LOG_TAG => '', INVALID_LOG_TAG => '', UNTRACKED_LOG_TAG => '', + POSTROUTING => 'POSTROUTING', ); # # From shorewall.conf file @@ -874,6 +875,7 @@ sub initialize( $;$$) { WORKAROUNDS => undef , LEGACY_RESTART => undef , RESTART => undef , + DOCKER => undef , # # Packet Disposition # @@ -5857,6 +5859,13 @@ sub get_configuration( $$$$ ) { default_yes_no 'INLINE_MATCHES' , ''; default_yes_no 'BASIC_FILTERS' , ''; default_yes_no 'WORKAROUNDS' , 'Yes'; + default_yes_no 'DOCKER' , ''; + + if ( $config{DOCKER} ) { + fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6; + require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' ); + require_capability( 'ADDRTYPE', ' DOCKER=Yes', 's' ); + } if ( supplied( $val = $config{RESTART} ) ) { fatal_error "Invalid value for RESTART ($val)" unless $val =~ /^(restart|reload)$/; @@ -6429,7 +6438,7 @@ sub generate_aux_config() { if ( -f $fn ) { emit( '', - 'dump_filter() {' ); + 'dump_filter1() {' ); push_indent; append_file( $fn,1 ) or emit 'cat -'; pop_indent; diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index d035d15f2..67e14018c 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm 
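Review bot: `'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]'` has a stray `]`, so the generated script assigns the value `Yes]`; the later tests are all `-n` so it still behaves, but any `= Yes` comparison would fail. Use `emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );`, and the three emit calls could be one call with a list. A comment such as `# Record whether dockerd has created its chains so the generated rules can be conditional on them` would explain the two globals to readers of the generated script.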
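Review bot: `require_capability( 'ADDRTYPE', ' DOCKER=Yes', 's' )` passes a leading space in the description, which will surface in the generated error text; use `'DOCKER=Yes'` exactly as the IPTABLES_S line above it does.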
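Review bot: Renaming the generated function to `dump_filter1()` means a user-supplied dump filter is invoked only if lib.cli's dump_filter calls `dump_filter1`; the visible lib.cli hunk shows only `eval $command $filter $g_pager` and `cat -`, so if that call is not made elsewhere the user filter is silently dead. A comment here, `# Named dump_filter1 so that it does not shadow lib.cli's dump_filter, which invokes it`, would record the contract.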
@@ -628,6 +628,22 @@ sub process_stoppedrules() { $result; } +sub create_docker_rules() { + + add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' ); + add_commands( $nat_table->{OUTPUT} , '[ -n "$g_docker" ] && echo "-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER" >&3' ); + + my $chainref = $filter_table->{FORWARD}; + + add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', ); + + if ( known_interface('docker0') ) { + add_commands( $filter_table->{FORWARD}, '[ -n "$g_docker" ] && echo "-A FORWARD -o docker0 -j DOCKER" >&3' ); + } + + add_commands( $chainref, '[ -f $VARDIR/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', ); +} + sub setup_mss(); sub add_common_rules ( $ ) { @@ -646,6 +662,10 @@ sub add_common_rules ( $ ) { my $level = $config{BLACKLIST_LOG_LEVEL}; my $tag = $globals{BLACKLIST_LOG_TAG}; my $rejectref = $filter_table->{reject}; + # + # Insure that Docker jumps are early in the builtin chains + # + create_docker_rules if $config{DOCKER}; if ( $config{DYNAMIC_BLACKLIST} ) { add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag); 
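Review bot: create_docker_rules reproduces the rule text that the Docker daemon installs (`-m addrtype --dst-type LOCAL -j DOCKER`, `-A FORWARD -j DOCKER-ISOLATION`, `-o docker0 -j DOCKER`), so it will silently drift if a future Docker release changes its layout; a header comment, `# Re-create the jumps dockerd adds to the builtin chains so Docker's own chains stay reachable after a Shorewall restart; keep in sync with dockerd's iptables rules`, makes that maintenance contract explicit. Inside the `known_interface('docker0')` branch, `$filter_table->{FORWARD}` is already held in `$chainref`. The call-site comment reads `# Insure that Docker jumps are early in the builtin chains`; `Ensure` is the intended word (the same comment recurs in the stop-load hunk later).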
@@ -1508,13 +1528,15 @@ sub add_interface_jumps { # Add Nat jumps # for my $interface ( @_ ) { - addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface ); + addnatjump $globals{POSTROUTING} , snat_chain( $interface ), imatch_dest_dev( $interface ); } + addnatjump( 'POSTROUTING', 'SHOREWALL' ) if $config{DOCKER}; + for my $interface ( @interfaces ) { addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface ); - addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface ); - addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface ); + addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface ); + addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface ); if ( have_capability 'RAWPOST_TABLE' ) { insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface}; @@ -2246,8 +2268,8 @@ sub generate_matrix() { # # Make sure that the 1:1 NAT jumps are last in PREROUTING # - addnatjump 'PREROUTING' , 'nat_in'; - addnatjump 'POSTROUTING' , 'nat_out'; + addnatjump 'PREROUTING' , 'nat_in'; + addnatjump $globals{POSTROUTING} , 'nat_out'; add_interface_jumps @interfaces unless $interface_jumps_added; @@ -2455,6 +2477,16 @@ EOF EOF + if ( $config{DOCKER} ) { + push_indent; + emit( 'if [ $COMMAND = stop ]; then' ); + push_indent; + save_docker_rules( $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}'); + pop_indent; + emit( "fi\n"); + pop_indent; + } + if ( have_capability( 'NAT_ENABLED' ) ) { emit<<'EOF'; if [ -f ${VARDIR}/nat ]; then 
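Review bot: `save_docker_rules( $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}')` has a dead arm, since get_configuration rejects DOCKER=Yes for IPv6; `save_docker_rules( '${IPTABLES}' )` with a short comment is more honest. `emit( "fi\n")` embeds the blank line in the string where the surrounding code uses `emit( '' )`. The saved rules are written only for `$COMMAND = stop`, while save_dynamic_chains covers `stop -o clear`; if clear is meant to discard them that deserves a comment, otherwise the two conditions should match. The enclosing sub extends beyond the hunk.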
@@ -2504,6 +2536,10 @@ EOF emit( 'undo_routing', "restore_default_route $config{USE_DEFAULT_RT}" ); + # + # Insure that Docker jumps are early in the builtin chains + # + create_docker_rules if $config{DOCKER}; if ( $config{ADMINISABSENTMINDED} ) { add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/; diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index d03fe1499..967326c0d 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -481,17 +481,22 @@ sub process_a_provider( $ ) { $interface = $interfaceref->{name} unless $interfaceref->{wildcard}; } - my $gatewaycase = ''; - if ( $physical =~ /\+$/ ) { return 0 if $pseudo; fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces"; } - if ( $gateway eq 'detect' ) { + my $gatewaycase = ''; + my $gw; + + if ( ( $gw = lc $gateway ) eq 'detect' ) { fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared; $gateway = get_interface_gateway $interface; $gatewaycase = 'detect'; + } elsif ( $gw eq 'none' ) { + fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared; + $gatewaycase = 'none'; + $gateway = ''; } elsif ( $gateway && $gateway ne '-' ) { ( $gateway, $mac ) = split_host_list( $gateway, 0 ); validate_address $gateway, 0; @@ -506,7 +511,7 @@ sub process_a_provider( $ ) { $gatewaycase = 'specified'; } else { - $gatewaycase = 'none'; + $gatewaycase = 'omitted'; fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared; $gateway = ''; } 
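Review bot: `if ( ( $gw = lc $gateway ) eq 'detect' )` assigns inside the condition; `my $gw = lc $gateway;` on its own line followed by `if ( $gw eq 'detect' )` reads better and keeps the declaration next to `$gatewaycase`. The new `none` branch sets `$gateway = ''` exactly as the `omitted` branch does, so a one-line comment distinguishing the two cases (explicit GATEWAY=none versus the column left blank) would help readers of the later `eq 'omitted'` and `eq 'none'` checks. process_a_provider continues beyond the hunk.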
@@ -529,10 +534,12 @@ sub process_a_provider( $ ) { } elsif ( $option eq 'notrack' ) { $track = 0; } elsif ( $option =~ /^balance=(\d+)$/ ) { + fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none'; fatal_error q('balance=' is not available in IPv6) if $family == F_IPV6; fatal_error 'The balance setting must be non-zero' unless $1; $balance = $1; } elsif ( $option eq 'balance' || $option eq 'primary') { + fatal_error qq('$option' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none'; $balance = 1; } elsif ( $option eq 'loose' ) { $loose = 1; @@ -550,11 +557,13 @@ sub process_a_provider( $ ) { } elsif ( $option =~ /^mtu=(\d+)$/ ) { $mtu = "mtu $1 "; } elsif ( $option =~ /^fallback=(\d+)$/ ) { + fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none'; fatal_error q('fallback=' is not available in IPv6) if $family == F_IPV6; $default = $1; $default_balance = 0; fatal_error 'fallback must be non-zero' unless $default; } elsif ( $option eq 'fallback' ) { + fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none'; $default = -1; $default_balance = 0; } elsif ( $option eq 'local' ) { @@ -567,6 +576,7 @@ sub process_a_provider( $ ) { $track = 0 if $config{TRACK_PROVIDERS}; $default_balance = 0 if $config{USE_DEFAULT_RT}; } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) { + fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none'; $load = sprintf "%1.8f", $1; require_capability 'STATISTIC_MATCH', "load=$1", 's'; } elsif ( $option eq 'autosrc' ) { 
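Review bot: The new check in the `load=` branch names the wrong option: `fatal_error q('fallback' may not be spacified when GATEWAY is 'none')` is emitted for `load=`, so the user is told about an option they did not set; it should read `fatal_error q('load' may not be specified when GATEWAY is 'none') if $gatewaycase eq 'none';`. All five new messages also misspell "specified" as "spacified". Since the same check repeats for balance, balance=, fallback, fallback= and load, a small helper taking the option name would keep the wording in one place.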
@@ -596,13 +606,13 @@ sub process_a_provider( $ ) { fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)}; if ( $local ) { - fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none'; + fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'omitted'; fatal_error "'track' not valid with 'local'" if $track; fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-'; fatal_error "'persistent' is not valid with 'local" if $persistent; } elsif ( $tproxy ) { fatal_error "Only one 'tproxy' provider is allowed" if $tproxies++; - fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none'; + fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted'; fatal_error "'track' not valid with 'tproxy'" if $track; fatal_error "DUPLICATE not valid with 'tproxy'" if $duplicate ne '-'; fatal_error "MARK not allowed with 'tproxy'" if $mark ne '-'; @@ -649,7 +659,7 @@ sub process_a_provider( $ ) { warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' ); } - $balance = $default_balance unless $balance; + $balance = $default_balance unless $balance || $gatewaycase eq 'none'; fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface}; @@ -789,7 +799,7 @@ sub add_a_provider( $$ ) { push_indent; - if ( $gatewaycase eq 'none' ) { + if ( $gatewaycase eq 'omitted' ) { if ( $tproxy ) { emit 'run_ip route add local ' . ALLIP . " dev $physical table $id"; } else { @@ -867,7 +877,7 @@ sub add_a_provider( $$ ) { } $provider_interfaces{$interface} = $table; - if ( $gatewaycase eq 'none' ) { + if ( $gatewaycase eq 'omitted' ) { if ( $tproxy ) { emit 'run_ip route add local ' . ALLIP . " dev $physical table $id"; } else { 
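Review bot: Changing the meaning of `$gatewaycase eq 'none'` from "no gateway given" to the explicit GATEWAY=none case means any remaining `eq 'none'` comparison in process_a_provider or add_a_provider that is not in these hunks now silently takes the new meaning; both subs extend beyond the hunks, so a search for `'none'` across the file before merging would confirm nothing was missed. The `$balance = $default_balance unless $balance || $gatewaycase eq 'none';` line could carry a short comment, `# a provider without a gateway cannot take part in balancing`, since that is the reason the option checks earlier reject balance/fallback/load.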
@@ -907,7 +917,7 @@ CEOF emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id", "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" - ); + ); } if ( $duplicate ne '-' ) { diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 04eaca9aa..0ba7d8e87 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1178,12 +1178,11 @@ sub finish_section ( $ ) { # # Internally, action invocations are uniquely identified by a 5-tuple that # includes the action name, log level, log tag, calling chain and params. -# The pieces of the tuple are separated by ":". +# The pieces of the tuple are separated by ":". The calling chain is non-empty +# only when the action refers to @CALLER. # sub normalize_action( $$$ ) { - my $action = shift; - my $level = shift; - my $param = shift; + my ( $action, $level, $param ) = @_; my $caller = ''; #We assume that the function doesn't use @CALLER ( $level, my $tag ) = split ':', $level; diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 62950d8e6..2b225dcf5 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -499,6 +499,25 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) { }, }, + ECN => { + defaultchain => POSTROUTING, + allowedchains => ALLCHAINS, + minparams => 0, + maxparams => 0, + function => sub() { + fatal_error "The ECN target is only available with IPv4" if $family == F_IPV6; + + if ( $proto eq '-' ) { + $proto = TCP; + } else { + $proto = resolve_proto( $proto ) || 0; + fatal_error "Only PROTO tcp (6) is allowed with the ECN action" unless $proto == TCP; + } + + $target = 'ECN --ecn-tcp-remove'; + } + }, + HL => { defaultchain => FORWARD, allowedchains => PREROUTING | FORWARD, diff --git a/Shorewall/Perl/lib.core b/Shorewall/Perl/lib.core index ef94f85a9..dc95b3acc 100644 --- a/Shorewall/Perl/lib.core +++ b/Shorewall/Perl/lib.core 
@@ -1,4 +1,4 @@ -# (c) 1999-2015 - Tom Eastep (teastep@shorewall.net) +# (c) 1999-2016 - Tom Eastep (teastep@shorewall.net) # # This program is part of Shorewall. # diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer index d40a635b3..0220b5f43 100644 --- a/Shorewall/Perl/prog.footer +++ b/Shorewall/Perl/prog.footer @@ -125,6 +125,8 @@ g_sha1sum2= g_counters= g_compiled= g_file= +g_docker= +g_dockernetwork= initialize diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf index d58440ca3..f32ff204d 100644 --- a/Shorewall/Samples/Universal/shorewall.conf +++ b/Shorewall/Samples/Universal/shorewall.conf @@ -146,6 +146,8 @@ DEFER_DNS_RESOLUTION=Yes DISABLE_IPV6=No +DOCKER=No + DELETE_THEN_ADD=Yes DETECT_DNAT_IPADDRS=No diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf index 456a117db..ac80e41a5 100644 --- a/Shorewall/Samples/one-interface/shorewall.conf +++ b/Shorewall/Samples/one-interface/shorewall.conf @@ -157,6 +157,8 @@ DEFER_DNS_RESOLUTION=Yes DISABLE_IPV6=No +DOCKER=No + DELETE_THEN_ADD=Yes DETECT_DNAT_IPADDRS=No diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf index 57787f0a2..4d5492ef8 100644 --- a/Shorewall/Samples/three-interfaces/shorewall.conf +++ b/Shorewall/Samples/three-interfaces/shorewall.conf @@ -154,6 +154,8 @@ DEFER_DNS_RESOLUTION=Yes DISABLE_IPV6=No +DOCKER=No + DELETE_THEN_ADD=Yes DETECT_DNAT_IPADDRS=No diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index 2384f6613..c06e403e9 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf @@ -157,6 +157,8 @@ DEFER_DNS_RESOLUTION=Yes DISABLE_IPV6=No +DOCKER=No + DELETE_THEN_ADD=Yes DETECT_DNAT_IPADDRS=No 
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 729a3b2a6..7d4386a2b 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -150,6 +150,8 @@ DETECT_DNAT_IPADDRS=No DISABLE_IPV6=No +DOCKER=No + DONT_LOAD= DYNAMIC_BLACKLIST=Yes diff --git a/Shorewall/install.sh b/Shorewall/install.sh index a7653b012..5dab77369 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -2,7 +2,7 @@ # # Script to install Shoreline Firewall # -# (c) 2000-201,2014 - Tom Eastep (teastep@shorewall.net) +# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net) # # Shorewall documentation is available at http://shorewall.net # diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml index 87eede757..e6aeb050f 100644 --- a/Shorewall/manpages/shorewall-mangle.xml +++ b/Shorewall/manpages/shorewall-mangle.xml @@ -339,6 +339,18 @@ DIVERTHA - - tcp + + ECN + + + Added in Shorewall 5.0.6 as an alternative to entries in + shorewall-ecn(5). If a + PROTO is specified, it must be 'tcp' (6). If no PROTO is + supplied, TCP is assumed. This action causes all ECN bits in + the TCP header to be cleared. + + + IMQ(number) diff --git a/Shorewall/manpages/shorewall-providers.xml b/Shorewall/manpages/shorewall-providers.xml index bafc3e37f..812469328 100644 --- a/Shorewall/manpages/shorewall-providers.xml +++ b/Shorewall/manpages/shorewall-providers.xml @@ -130,7 +130,7 @@ GATEWAY - {-|address[,mac]|detect} + role="bold">detect|none} The IP address of the provider's gateway router. Beginning 
@@ -139,8 +139,12 @@ interface. When the MAC is not specified, Shorewall will detect the MAC during firewall start or restart. - You can enter "detect" here and Shorewall will attempt to - detect the gateway automatically. + You can enter detect here and + Shorewall will attempt to detect the gateway automatically. + + Beginning with Shorewall 5.0.6, you may also enter none. This causes creation of a routing table + with no default route in it. For PPP devices, you may omit this column. diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index b85c2cbfd..eb375662d 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -733,6 +733,23 @@ + + DOCKER=[Yes|No] + + + Added in Shorewall 5.0.6. When set to , + the generated script will save Docker-generated rules before and + restore them after executing the start, + stop, reload and + restart commands. If set to + (the default), the generated script will delete any Docker-generated + rules when executing those commands. See + http://www.shorewall.net/Docker.html for additional + information. + + + DONT_LOAD=[module[,module]...] @@ -763,8 +780,8 @@ Normally, when the SOURCE or DEST columns in shorewall-policy(5) contains 'all', a single policy chain is created - and the policy is enforced in that chain. For example, if the policy - entry is#SOURCE DEST POLICY LOG + and thes policy is enforced in that chain. For example, if the + policy entry is#SOURCE DEST POLICY LOG # LEVEL net all DROP infothen the chain name is 'net-all' ('net2all if ZONE2ZONE=2) which is also the chain named in Shorewall diff --git a/Shorewall/uninstall.sh b/Shorewall/uninstall.sh index e231a8ba5..9826fe00e 100755 --- a/Shorewall/uninstall.sh +++ b/Shorewall/uninstall.sh 
@@ -2,7 +2,7 @@ # # Script to back uninstall Shoreline Firewall # -# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net) +# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net) # # Shorewall documentation is available at http://www.shorewall.net # diff --git a/Shorewall6-lite/uninstall.sh b/Shorewall6-lite/uninstall.sh index 10cf91e0c..609c087c2 100755 --- a/Shorewall6-lite/uninstall.sh +++ b/Shorewall6-lite/uninstall.sh @@ -2,7 +2,7 @@ # # Script to back uninstall Shoreline Firewall 6 Lite # -# (c) 2000-2014 - Tom Eastep (teastep@shorewall.net) +# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net) # # Shorewall documentation is available at http://shorewall.sourceforge.net # diff --git a/Shorewall6/manpages/shorewall6-providers.xml b/Shorewall6/manpages/shorewall6-providers.xml index d6f5885a9..889e002eb 100644 --- a/Shorewall6/manpages/shorewall6-providers.xml +++ b/Shorewall6/manpages/shorewall6-providers.xml @@ -119,13 +119,17 @@ GATEWAY - {-|address|detect} + role="bold">detect|none} The IP address of the provider's gateway router. - You can enter "detect" here and Shorewall6 will attempt to - detect the gateway automatically. + You can enter detect here and + Shorewall6 will attempt to detect the gateway automatically. + + Beginning with Shorewall 5.0.6, you may also enter none. This causes creation of a routing table + with no default route in it. For PPP devices, you may omit this column. diff --git a/Shorewall6/uninstall.sh b/Shorewall6/uninstall.sh index 7bbfe8f96..386c12b6f 100755 --- a/Shorewall6/uninstall.sh +++ b/Shorewall6/uninstall.sh @@ -2,7 +2,7 @@ # # Script to back uninstall Shoreline Firewall 6 # -# (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net) +# (c) 2000-2016 - Tom Eastep (teastep@shorewall.net) # # Shorewall documentation is available at http://www.shorewall.net # diff --git a/docs/6to4.xml b/docs/6to4.xml index 2edd3c29f..31455a413 100644 --- a/docs/6to4.xml +++ b/docs/6to4.xml 
@@ -127,7 +127,7 @@ GATEWAY=::192.88.99.1 wireless). eth4 goes to my DMZ which holds a single server. Here is a diagram of the IPv4 network: - + Here is the configuration after IPv6 is configured; the part in bold font is configured by the /etc/init.d/ipv6 script. @@ -283,7 +283,7 @@ ursa:~ # Here is the resulting simple IPv6 Network: - +
@@ -338,7 +338,7 @@ ursa:~ # So the IPv4 network was transformed to this: - + To implement the same IPv6 network as described above, I used this /etc/shorewall/interfaces file: @@ -407,7 +407,7 @@ iface sit1 inet6 v4tunnel That file produces the following IPv6 network. - +
@@ -475,7 +475,7 @@ dmz eth2 tcpflags,forward=1/etc/shorewall6/policy:
- #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST + #SOURCE DEST POLICY LOGLEVEL LIMIT net all DROP info loc net ACCEPT dmz net ACCEPT @@ -485,7 +485,7 @@ all all REJECT info /etc/shorewall6/rules:
- #ACTION SOURCE DEST PROTO DPORT SPORT ORIGINAL RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER ?SECTION ALL ?SECTION ESTABLISHED @@ -493,7 +493,6 @@ all all REJECT info ?SECTION INVALID ?SECTION UNTRACKED ?SECTION NEW -# PORT PORT(S) DEST LIMIT GROUP # # Accept DNS connections from the firewall to the network # @@ -505,8 +504,7 @@ SSH(ACCEPT) loc $FW # # Allow Ping everywhere # -Ping(ACCEPT) all all - +Ping(ACCEPT) all all
@@ -652,7 +650,7 @@ interface eth2 { Suppose that we have the following situation: - + We want systems in the 2002:100:333::/64 subnetwork to be able to communicate with the systems in the 2002:488:999::/64 network. This is diff --git a/docs/Actions.xml b/docs/Actions.xml index ecd35eda1..b6471ef63 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -101,13 +101,11 @@ # both directions. # ###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP +#TARGET SOURCE DEST PROTO DPORT SPORT RATE USER ACCEPT - - udp 135,445 ACCEPT - - udp 137:139 ACCEPT - - udp 1024: 137 -ACCEPT - - tcp 135,139,445 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +ACCEPT - - tcp 135,139,445 If you wish to modify one of the standard actions, do not modify the definition in
- Shorewall 4.4.16 and Later. + Shorewall 5.0.0 and Later. - Beginning with Shorewall 4.4.16, the columns in action.template - are the same as those in shorewall-rules (5). The first non-commentary - line in the template must be - - FORMAT 2 - - Beginning with Shorewall 4.5.11, the preferred format is as shown - below, and the above format is deprecated. - - ?FORMAT 2 - - When using Shorewall 4.4.16 or later, there are no restrictions - regarding which targets can be used within your action. + In Shorewall 5.0, the columns in action.template are the same as + those in shorewall-rules (5). There are no restrictions regarding which + targets can be used within your action. The SOURCE and DEST columns in the action file may not include zone names; those are given when the action is invoked. @@ -361,22 +349,18 @@ ACCEPT - - tcp 135,139,445 /etc/shorewall/action.A: - #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL -# PORT(S) PORT(S) DEST -FORMAT 2 + #TARGET SOURCE DEST PROTO Dport SPORT ORIGDEST $1 - - tcp 80 - 1.2.3.4 /etc/shorewall/rules: - #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL -# PORT(S) PORT(S) DEST + #TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST A(REDIRECT) net fw The above is equivalent to this rule: - #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL -# PORT(S) PORT(S) DEST + #TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST REDIRECT net - tcp 80 - 1.2.3.4 You can 'omit' parameters by using '-'. @@ -413,194 +397,6 @@ REDIRECT net - tcp 80 - 1.2.3.4 url="configuration_file_basics.htm#ActionVariables">Action Variables section of the Configuration Basics article.
- -
- Shorewall 4.4.15 and Earlier. - - Prior to 4.4.16, columns in the - action.template file were as follows: - - - - TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or - an <action> where - <action> is a previously-defined action - (that is, it must precede the action being defined in this file in - your /etc/shorewall/actions file). These - actions have the same meaning as they do in the - /etc/shorewall/rules file (CONTINUE terminates - processing of the current action and returns to the point where that - action was invoked). The TARGET may optionally be followed by a - colon (:) and a syslog log level (e.g, REJECT:info or - ACCEPT:debugging). This causes the packet to be logged at the - specified level. You may also specify ULOG (must be in upper case) - as a log level. This will log to the ULOG target for routing to a - separate log through use of ulogd (http://www.netfilter.org/projects/ulogd/index.html). - - You may also use a macro in - your action provided that the macro's expansion only results in the - ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See - /usr/share/shorewall/action.Drop for an example - of an action that users macros extensively. - - - - SOURCE - Source hosts to which the rule applies. A - comma-separated list of subnets and/or hosts. Hosts may be specified - by IP or MAC address; MAC addresses must begin with ~ - and must use - as a separator. - - Alternatively, clients may be specified by interface name. For - example, eth1 specifies a client that communicates with the firewall - system through eth1. This may be optionally followed by another - colon (:) and an IP/MAC/subnet address as described - above (e.g., eth1:192.168.1.5). - - - - DEST - Location of Server. Same as above with the exception - that MAC addresses are not allowed. - - - - PROTO - Protocol - Must be tcp, - udp, icmp, a protocol number, or - all. - - - - DEST PORT(S) - Destination Ports. 
A comma-separated list of - Port names (from /etc/services), port numbers - or port ranges; if the protocol is icmp, this column - is interpreted as the destination icmp-type(s). - - A port range is expressed as <low - port>:<high port>. - - This column is ignored if PROTO = all, but must - be entered if any of the following fields are supplied. In that - case, it is suggested that this field contain - -. - - - - SOURCE PORT(S) - Port(s) used by the client. If omitted, any - source port is acceptable. Specified as a comma-separated list of - port names, port numbers or port ranges. - - If you don't want to restrict client ports but need to specify - any of the subsequent fields, then place - in this - column. - - - - RATE LIMIT - You may rate-limit the rule by placing a value in - this column: - - <rate>/<interval>[:<burst>]where - <rate> is the number of connections per - <interval> (sec or - min) and <burst> is the - largest burst permitted. If no <burst> is - given, a value of 5 is assumed. There may be no whitespace embedded - in the specification. - - Example: 10/sec:20 - - - - USER/GROUP - For output rules (those with the firewall as - their source), you may control connections based on the effective - UID and/or GID of the process requesting the connection. This column - can contain any of the following: - - - [!]<user number>[:] - - [!]<user name>[:] - - [!]:<group number> - - [!]:<group name> - - [!]<user - number>:<group - number> - - [!]<user - name>:<group - number> - - [!]<user - inumber>:<group - name> - - [!]<user - name>:<group - name> - - [!]+<program name> (Note: - support for this form was removed from Netfilter in kernel version - 2.6.14). - - - - - MARK - - - [!]<value>[/<mask>][:C] - - - Defines a test on the existing packet or connection mark. The - rule will match only if the test returns true. - - If you don’t want to define a test but need to specify - anything in the subsequent columns, place a - in this - field. - ! 
— Inverts the test (not equal) - - <value> — Value of the packet - or connection mark. - - <mask> —A mask to be applied - to the mark before testing. - - :C — Designates a connection mark. If omitted, the - packet mark’s value is tested. This option is only supported by - Shorewall-perl - - - - - Omitted column entries should be entered using a dash - (-). - - Example: - - /etc/shorewall/actions: - - #ACTION COMMENT (place '# ' below the 'C' in comment followed by - # v a comment describing the action) - LogAndAccept # LOG and ACCEPT a connectionNote: If your - /etc/shorewall/actions file doesn't have an - indication where to place the comment, put the # in - column 21. - - /etc/shorewall/action.LogAndAccept LOG:info - ACCEPT - - Placing a comment on the line causes the comment to appear in the - output of the shorewall show actions command. - - To use your action, in /etc/shorewall/rules - you might do something like: - - #ACTION SOURCE DEST PROTO DEST PORT(S) -LogAndAccept loc $FW tcp 22 -
@@ -625,19 +421,19 @@ LogAndAccept loc $FW tcp 22 /etc/shorewall/action.foo - #TARGET SOURCE DEST PROTO DEST PORT(S) + #TARGET SOURCE DEST PROTO DPORT ACCEPT - - tcp 22 bar:info /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT foo:debug $FW net Logging in the invoke foo action will be as if foo had been defined as: - #TARGET SOURCE DEST PROTO DEST PORT(S) + #TARGET SOURCE DEST PROTO DPORT ACCEPT:debug - - tcp 22 bar:info @@ -651,19 +447,19 @@ bar:info /etc/shorewall/action.foo - #TARGET SOURCE DEST PROTO DEST PORT(S) + #TARGET SOURCE DEST PROTO DPORT ACCEPT - - tcp 22 bar:info /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT foo:debug! $FW net Logging in the invoke foo action will be as if foo had been defined as: - #TARGET SOURCE DEST PROTO DEST PORT(S) + #TARGET SOURCE DEST PROTO DPORT ACCEPT:debug - - tcp 22 bar:debug @@ -1113,22 +909,22 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP'; role="bold">SSHA, and to limit SSH connections to 3 per minute, use this entry in /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT Limit:none:SSHA,3,60 net $FW tcp 22 Using Shorewall 4.4.16 or later, you can also invoke the action this way: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT Limit(SSHA,3,60):none net $FW tcp 22 If you want dropped connections to be logged at the info level, use this rule instead: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT Limit:info:SSHA,3,60 net $FW tcp 22 - Shorewall 4.4.16 and later:#ACTION SOURCE DEST PROTO DEST PORT(S) + Shorewall 4.4.16 and later:#ACTION SOURCE DEST PROTO DPORT Limit(SSH,3,60):info net $FW tcp 22 To summarize, you pass four pieces of information to the Limit diff --git a/docs/Anatomy.xml b/docs/Anatomy.xml index 831d9fe27..29d1c5050 100644 --- a/docs/Anatomy.xml +++ b/docs/Anatomy.xml 
@@ -5,7 +5,7 @@ - Anatomy of Shorewall 4.5 + Anatomy of Shorewall 5.0 @@ -43,7 +43,7 @@
Products - Shorewall 4.5 consists of six packages. + Shorewall 5.0 consists of six packages. diff --git a/docs/ConnectionRate.xml b/docs/ConnectionRate.xml index b46f3954c..98fb8ab2d 100644 --- a/docs/ConnectionRate.xml +++ b/docs/ConnectionRate.xml @@ -74,12 +74,11 @@
Policy Rate Limiting - The LIMIT:BURST column in the - /etc/shorewall/policy file applies to TCP - connections that are subject to the policy. The limiting is applied - BEFORE the connection request is passed through the rules generated by - entries in /etc/shorewall/rules. Those connections - in excess of the limit are logged and dropped. + The LIMIT column in the /etc/shorewall/policy + file applies to TCP connections that are subject to the policy. The + limiting is applied BEFORE the connection request is passed through the + rules generated by entries in /etc/shorewall/rules. + Those connections in excess of the limit are logged and dropped.
diff --git a/docs/Docker.xml b/docs/Docker.xml new file mode 100644 index 000000000..92150c98e --- /dev/null +++ b/docs/Docker.xml @@ -0,0 +1,94 @@ + + +
+ + + + Docker Support + + + + Tom + + Eastep + + + + + + + 2016 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ Shorewall 5.0.5 and Earlier + + Both Docker and Shorewall assume that they 'own' the iptables + configuration. This leads to problems when Shorewall is restarted or + reloaded, because it drops all of the rules added by Docker. Fortunately, + the extensibility features in Shorewall allow users to create + their own solution for saving the Docker-generated rules before + these operations and restoring them afterwards. +
+ +
+ Shorewall 5.0.6 and Later + + Beginning with Shorewall 5.0.6, Shorewall has native support for + simple Docker configurations. This support is enabled by setting + DOCKER=Yes in shorewall.conf. With this setting, the generated script + saves the Docker-created ruleset before executing a + stop, start, + restart or reload operation and + restores those rules along with the Shorewall-generated ruleset. + + This support assumes that the default Docker bridge (docker0) is + being used. It is recommended that this bridge be defined to Shorewall in + shorewall-interfaces(8). + As shown below, you can control inter-container communication using the + and options. If docker0 + is not defined to Shorewall, then Shorewall will save and restore the + FORWARD chain rules involving that interface. + + /etc/shorewall/shorewall.conf: + + DOCKER=Yes + + /etc/shorewall/zones: + + #ZONE TYPE OPTIONS +dock ipv4 #'dock' is just an example -- call it anything you like + + /etc/shorewall/policy: + + #SOURCE DEST POLICY LEVEL +dock $FW REJECT +dock all ACCEPT + + /etc/shorewall/interfaces: + + #ZONE INTERFACE OPTIONS +dock docker0 bridge #Allow ICC (bridge implies routeback=1) + + or + + #ZONE INTERFACE OPTIONS +dock docker0 bridge,routeback=0 #Disallow ICC +
+
diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml index 6d585fbe3..c064fc918 100644 --- a/docs/Documentation_Index.xml +++ b/docs/Documentation_Index.xml @@ -265,7 +265,7 @@ - Dynamic Zones + Docker Operating Shorewall @@ -275,8 +275,7 @@ - ECN Disabling by host or - subnet + Dynamic Zones Packet Marking @@ -285,7 +284,8 @@ - Events + ECN Disabling by host or + subnet Packet Processing in a Shorewall-based Firewall @@ -294,8 +294,7 @@ - Extension - Scripts (User Exits) + Events 'Ping' Management @@ -304,8 +303,8 @@ - Fallback/Uninstall + Extension + Scripts (User Exits) Port Forwarding @@ -315,7 +314,8 @@ - FAQs + Fallback/Uninstall Port Information @@ -324,8 +324,7 @@ - Features + FAQs Port Knocking (deprecated) @@ -334,8 +333,8 @@ - Forwarding Traffic on the - Same Interface + Features Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' @@ -344,18 +343,28 @@ - FTP and Shorewall + Forwarding Traffic on the + Same Interface PPTP + + FTP and Shorewall + + Proxy ARP + + + + Fool's Firewall - Proxy ARP + QuickStart + Guides @@ -364,8 +373,7 @@ Helpers/Helper Modules - QuickStart - Guides + Release Model @@ -374,14 +382,6 @@ Installation/Upgrade - Release Model - - - - - - IPP2P - Requirements @@ -389,7 +389,7 @@ - IPSEC + IPP2P Routing and Shorewall @@ -398,7 +398,7 @@ - Ipsets + IPSEC Routing on One Interface @@ -407,18 +407,27 @@ - IPv6 Support + Ipsets Samba + + IPv6 Support + + Shorewall Events + + + + ISO 3661 Country Codes - Shorewall Events + Shorewall + Init @@ -427,8 +436,8 @@ Kazaa Filtering - Shorewall - Init + Shorewall + Lite @@ -437,8 +446,7 @@ Kernel Configuration - Shorewall - Lite + diff --git a/docs/Dynamic.xml b/docs/Dynamic.xml index aa1cdc074..c7805f537 100644 --- a/docs/Dynamic.xml +++ b/docs/Dynamic.xml @@ -49,140 +49,12 @@ support is based on ipset. Most current distributions have ipset, but you may need to install the xtables-addons. -
- -
- Installing xtables-addons - - If your distribution does not have an xtables-addons package, the - xtables-addons are fairly easy to install. You do not need to recompile - your kernel. - - Debian users can find xtables-addons-common - and xtables-addons-source packages in testing. The - kernel modules can be built and installed with the help of - module-assistant. As of this writing, these packages are in the - admin group rather than in the - network group!!?? - - For other users, the basic steps are as follows: - - - - Install gcc and make - - - - Install the headers for the kernel you are running. In some - distributions, such as Debian and - Ubuntu, the packet is called kernel-headers. - For other distrubutions, such as OpenSuSE, you must install the - kernel-source package. - - - - download the iptables source tarball - - - - untar the source - - - - cd to the iptables source directory - - - - run 'make' - - - - as root, run 'make install' - - - - Your new iptables binary will now be installed in - /usr/local/sbin. Modify shorewall.conf to specify - IPTABLES=/usr/local/sbin/iptables - - - - Download the latest xtables-addons source tarball - - - - Untar the xtables-addons source - - - - cd to the xtables-addons source directory - - - - run './configure' - - - - run 'make' - - - - As root, cd to the xtables-addons directory and run 'make - install'. - - - - Restart shorewall - - - - 'shorewall show capabilities' should now indicate Ipset Match: Available - - - - You will have to repeat steps 10-13 each time that you receive a - kernel upgrade from your distribution vendor. You can install - xtables-addons before booting to the new kernel as follows - (new-kernel-version is the version of the - newly-installed kernel - example 2.6.28.11-generic. 
Look in the /lib/modules - directory to get the full version name) - - - - cd to the xtables-addons source directory - - - - run 'make clean' - - - - run './configure - --with-kbuild=/lib/modules/new-kernel-version/build - --with-ksource=/lib/modules/new-kernel-version/source' - - - - run 'make' - - - - As root, cd to the xtables-addons source directory and run 'make - install'. - - - - As root, run 'depmod -a - new-kernel-version' - - + url="http://xtables-addons.sourceforge.net/">xtables-addons + package.
- Dynamic Zones -- Shorewall 4.5.9 and Later + Dynamic Zones Prior to Shorewall 4.5.9, when multiple records for a zone appear in /etc/shorewall/hosts, Shorewall would create a @@ -288,117 +160,6 @@ rsyncok:
-
- Dynamic Zones -- Shorewall 4.5.8 and Earlier. - - The method described in this section is still supported in the later - releases. - -
- Defining a Dynamic Zone - - A dynamic zone is defined by using the keyword dynamic in the zones host list. - - Example: - -
- /etc/shorewall/zones:#NAME TYPE OPTIONS -loc ipv4 -webok:loc ipv4/etc/shorewall/interfaces: - - #ZONE INTERFACE BROADCAST OPTIONS -loc eth0 - … - - - /etc/shorewall/hosts: - - #ZONE HOSTS OPTIONS -webok eth0:dynamic -
- - Once the above definition is added, Shorewall will automatically - create an ipset named webok_eth0 the next time that - Shorewall is started or restarted. Shorewall will create an ipset of - type iphash. If you want to use a different type - of ipset, such as macipmap, then you will want to - manually create that ipset yourself before the next Shorewall - start/restart. - - The dynamic zone capability was added to Shorewall6 in Shorewall - 4.4.21. -
- -
- Adding a Host to a Dynamic Zone - - Adding a host to a dynamic zone is accomplished by adding the - host's IP address to the appropriate ipset. Shorewall provldes a command - for doing that: - -
- shorewall add interface:address - ... zone -
- - Example: - -
- shorewall add eth0:192.168.3.4 webok -
- - The command can only be used when the ipset involved is of type - iphash. For other ipset types, the ipset command must - be used directly. -
- -
- Deleting a Host from a Dynamic Zone - - Deleting a host from a dynamic zone is accomplished by removing - the host's IP address from the appropriate ipset. Shorewall provldes a - command for doing that: - -
- shorewall delete - interface:address ... - zone -
- - Example: - -
- shorewall delete eth0:192.168.3.4 - webok -
- - The command can only be used when the ipset involved is of type - iphash. For other ipset types, the ipse t command - must be used directly. -
- -
- Listing the Contents of a Dynamic Zone - - The shorewall show command may be used to list the current - contents of a dynamic zone. - -
- shorewall show dynamic - zone -
- - Example: - -
- shorewall show dynamic webok -eth0: - 192.168.3.4 - 192.168.3.9 -
-
-
-
Dynamic Zone Contents and Shorewall stop/start/restart diff --git a/docs/ECN.xml b/docs/ECN.xml index 41e5e51df..b73ae6351 100644 --- a/docs/ECN.xml +++ b/docs/ECN.xml @@ -118,6 +118,10 @@ + + Beginning with Shorewall 5.0.6, you may also specify clearing of the + ECN flags through use of the ECN action in shorewall-mangle(8).
diff --git a/docs/Events.xml b/docs/Events.xml index cf41ae00a..74ff72c65 100644 --- a/docs/Events.xml +++ b/docs/Events.xml @@ -538,8 +538,7 @@ SetEvent(SSH,ACCEPT,src)
etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT SSHLIMIT net $FW tcp 22 @@ -645,8 +644,7 @@ SSHLIMIT net $FW tcp 22 To duplicate the SSHLIMIT entry in /etc/shorewall/rules shown above: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT AutoBL(SSH,-,-,-,REJECT,warn)\ net $FW tcp 22
@@ -688,8 +686,7 @@ Knock #Port Knocking # ?format 2 ############################################################################### -#ACTION SOURCE DEST PROTO DEST -# PORT(S) +#ACTION SOURCE DEST PROTO DPORT IfEvent(SSH,ACCEPT:info,60,1,src,reset)\ - - tcp 22 SetEvent(SSH,ACCEPT) - - tcp 1600 @@ -697,8 +694,7 @@ ResetEvent(SSH,DROP:info) etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT Knock net $FW tcp 22,1599-1601 @@ -750,7 +746,7 @@ KnockEnhanced 'net', '$FW', {name => 'SSH1', log_level => 3, proto => ' original_dest is the rule - ORIGINAL DEST + ORIGDEST
diff --git a/docs/FAQ.xml b/docs/FAQ.xml index 7045717df..449341a80 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -617,7 +617,7 @@ TOS=0x00 PREC=0x00 TTL=63 ID=23035 PROTO=UDP SPT=6376 DPT=2055 LEN=1472 Answer: Specify the external - address that you want to redirect in the ORIGINAL DEST column. + address that you want to redirect in the ORIGDEST column. Example: @@ -1685,7 +1685,7 @@ teastep@ursa:~$ The first number determines the maximum log You have a policy for traffic from zone1 to zone2 that specifies TCP connection - rate limiting (value in the LIMIT:BURST column). The logged packet + rate limiting (value in the LIMIT column). The logged packet exceeds that limit and was dropped. Note that these log messages themselves are severely rate-limited so that a syn-flood won't generate a secondary DOS because of excessive log message. These diff --git a/docs/FTP.xml b/docs/FTP.xml index e5aabdf35..f977e4102 100644 --- a/docs/FTP.xml +++ b/docs/FTP.xml @@ -345,23 +345,22 @@ xt_tcpudp 3328 0 HELPER rules allow specification of a helper for connections that are ACCEPTed by the applicable policy. - Example (loc->net policy is ACCEPT) - In + Example (loc->net policy is ACCEPT) - In /etc/shorewall/rules: #ACTION SOURCE DEST FTP(HELPER) loc - - or equivalently + or equivalently - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT HELPER loc - tcp 21 { helper=ftp } - The set of enabled helpers (either by AUTOHELPERS=Yes or by the + The set of enabled helpers (either by AUTOHELPERS=Yes or by the HELPERS column) can be taylored using the new HELPERS option in - shorewall.conf. + shorewall.conf. 
@@ -389,10 +388,9 @@ HELPER loc - tcp 21 { helper=ftp } /etc/shorewall[6]/conntrack file. These rules are included conditionally based in the setting of AUTOHELPERS. - Example: + Example: - #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH -# PORT(S) PORT(S) GROUP + #ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH ?if $AUTOHELPERS && __CT_TARGET ?if __FTP_HELPER CT:helper:ftp all - tcp 21 @@ -400,23 +398,22 @@ CT:helper:ftp all - tcp 21 ... ?endif - __FTP_HELPER evaluates to false if the HELPERS setting is non-empty + __FTP_HELPER evaluates to false if the HELPERS setting is non-empty and 'ftp' is not listed in that setting. For example, if you only need FTP access from your 'loc' zone, then add this rule outside of the outer-most ?if....?endif shown above. - #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH -# PORT(S) PORT(S) GROUP + #ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH ... CT:helper:ftp loc - tcp 21 - For an overview of Netfilter Helpers and Shorewall's support for + For an overview of Netfilter Helpers and Shorewall's support for dealing with them, see http://www.shorewall.net/Helpers.html. See https://home.regit.org/netfilter-en/secure-use-of-helpers/ - for additional information. + for additional information.
@@ -433,8 +430,7 @@ CT:helper:ftp loc - tcp 21/etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the That entry will accept ftp connections on port 12345 from the net @@ -442,8 +438,7 @@ DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ft /etc/shorewall/conntrack: - #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH -# PORT(S) PORT(S) GROUP + #ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH ... CT:helper:ftp loc - tcp 12345 @@ -531,20 +526,19 @@ options nf_nat_ftp Otherwise, for FTP you need exactly one rule: - #ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL -# PORT(S) PORT(S) DESTINATION + #ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST ACCEPT or <source> <destination> tcp 21 - <external IP addr> if DNAT ACTION = DNAT - You need an entry in the ORIGINAL DESTINATION column only if the - ACTION is DNAT, you have multiple external IP addresses and you want a - specific IP address to be forwarded to your server. + You need an entry in the ORIGDEST column only if the ACTION is DNAT, + you have multiple external IP addresses and you want a specific IP address + to be forwarded to your server. Note that you do NOT need a rule - with 20 (ftp-data) in the DEST PORT(S) column. If you post your rules on - the mailing list and they show 20 in the DEST PORT(S) column, we will know - that you haven't read this article and will either ignore your post or - tell you to RTFM. + with 20 (ftp-data) in the DPORT column. If you post your rules on the + mailing list and they show 20 in the DPORT column, we will know that you + haven't read this article and will either ignore your post or tell you to + RTFM. Shorewall includes an FTP macro that simplifies creation of FTP rules. The macro source is in 
@@ -558,15 +552,13 @@ DNAT ACTION = Suppose that you run an FTP server on 192.168.1.5 in your local zone using the standard port (21). You need this rule: - #ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL -# PORT(S) PORT(S) DESTINATION + #ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST FTP(DNAT) net loc:192.168.1.5 Allow your DMZ FTP access to the Internet - #ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL -# PORT(S) PORT(S) DESTINATION -FTP(ACCEPT) dmz net + #ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST +FTP(ACCEPT) dmz net Note that the FTP connection tracking in the kernel cannot handle @@ -588,8 +580,7 @@ WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1I see this problem occasionally with the FTP server in my DMZ. My solution is to add the following rule: - #ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL -# PORT(S) PORT(S) DESTINATION + #ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST ACCEPT:info dmz net tcp - 20 The above rule accepts and logs all active mode connections from my diff --git a/docs/GenericTunnels.xml b/docs/GenericTunnels.xml index 425c3b95f..83427e02c 100644 --- a/docs/GenericTunnels.xml +++ b/docs/GenericTunnels.xml @@ -50,7 +50,7 @@ Suppose that we have the following situation: - + We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is @@ -91,7 +91,7 @@ vpn tun0 10.255.255.255 In /etc/shorewall/tunnels on system A, we need the following: - #TYPE ZONE GATEWAY GATEWAY ZONE + #TYPE ZONE GATEWAY GATEWAY_ZONE generic:tcp:1071 net 134.28.54.2 generic:47 net 134.28.54.2 @@ -104,7 +104,7 @@ vpn tun0 192.168.1.255 In /etc/shorewall/tunnels on system B, we have: - #TYPE ZONE GATEWAY GATEWAY ZONE + #TYPE ZONE GATEWAY GATEWAY_ZONE generic:tcp:1071 net 206.191.148.9 generic:47 net 206.191.148.9 diff --git a/docs/Helpers.xml b/docs/Helpers.xml index 7bfde78c7..79d374697 100644 --- a/docs/Helpers.xml +++ b/docs/Helpers.xml 
@@ -503,8 +503,7 @@ loadmodule nf_conntrack_sane ports=0 limit the scope of the helper. Suppose that your Linux FTP server is in zone dmz and has address 70.90.191.123. - #ACTION SOURCE DEST PROTO DEST SOURCE -# PORT(S) PORT(2) + #ACTION SOURCE DEST PROTO DPORT SPORT SECTION RELATED ACCEPT all dmz:70.90.191.123 32768: ; helper=ftp # passive FTP to dmz server; /proc/sys/net/ipv4/ip_local_port_range == 32760:65535 ACCEPT dmz:70.90.191.123 all tcp 1024: 20 ; helper=ftp # active FTP to dmz server diff --git a/docs/IPIP.xml b/docs/IPIP.xml index 607615903..3982b1e2d 100644 --- a/docs/IPIP.xml +++ b/docs/IPIP.xml @@ -62,7 +62,7 @@ Suppose that we have the following situation: - + We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is @@ -103,12 +103,12 @@ vpn ipv4 On system A, the 10.0.0.0/8 will comprise the vpn zone. In /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS -vpn tosysb 10.255.255.255 + #ZONE INTERFACE OPTIONS +vpn tosysb In /etc/shorewall/tunnels on system A, we need the following: - #TYPE ZONE GATEWAY GATEWAY ZONE + #TYPE ZONE GATEWAY GATEWAY_ZONE ipip net 134.28.54.2 This entry in /etc/shorewall/tunnels, opens the firewall so that the @@ -133,12 +133,12 @@ subnet=10.0.0.0/8 vpn zone. In /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST -vpn tosysa 192.168.1.255 + #ZONE INTERFACE +vpn tosysa In /etc/shorewall/tunnels on system B, we have: - #TYPE ZONE GATEWAY GATEWAY ZONE + #TYPE ZONE GATEWAY GATEWAY_ZONE ipip net 206.191.148.9 And in the tunnel script on system B: diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml index 4aeabc572..5fd1f31e6 100644 --- a/docs/IPSEC-2.6.xml +++ b/docs/IPSEC-2.6.xml 
@@ -267,16 +267,14 @@ /etc/shorewall/tunnels — System A: - #TYPE ZONE GATEWAY GATEWAY ZONE -ipsec net 134.28.54.2 -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + #TYPE ZONE GATEWAY GATEWAY_ZONE +ipsec net 134.28.54.2 /etc/shorewall/tunnels — System B: - #TYPE ZONE GATEWAY GATEWAY ZONE -ipsec net 206.162.148.9 -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + #TYPE ZONE GATEWAY GATEWAY_ZONE +ipsec net 206.162.148.9 @@ -295,11 +293,9 @@ ipsec net 206.162.148.9 /etc/shorewall/zones — Systems A and B: - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS net ipv4 -vpn ipv4 -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +vpn ipv4 Remember the assumption that both systems A and B have eth0 as their @@ -315,14 +311,12 @@ net ipv4 /etc/shorewall/hosts — System A #ZONE HOSTS OPTIONS -vpn eth0:10.0.0.0/8,134.28.54.2 ipsec -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +vpn eth0:10.0.0.0/8,134.28.54.2 ipsec /etc/shorewall/hosts — System B #ZONE HOSTS OPTIONS -vpn eth0:192.168.1.0/24,206.162.148.9 ipsec -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +vpn eth0:192.168.1.0/24,206.162.148.9 ipsec Assuming that you want to give each local network free access to the @@ -330,17 +324,17 @@ vpn eth0:192.168.1.0/24,206.162.148.9 ips /etc/shorewall/policy entries on each system:
- #SOURCE DESTINATION POLICY LEVEL BURST:LIMIT
-loc vpn ACCEPT
-vpn loc ACCEPT
+ #SOURCE DEST POLICY LEVEL BURST:LIMIT
+loc vpn ACCEPT
+vpn loc ACCEPT
If you need access from each firewall to hosts in the other network, then you could add:
- #SOURCE DESTINATION POLICY LEVEL BURST:LIMIT
-$FW vpn ACCEPT
+ #SOURCE DEST POLICY LEVEL BURST:LIMIT
+$FW vpn ACCEPT
If you need access between the firewall's, you should describe the @@ -348,7 +342,7 @@ $FW vpn ACCEPT
from System B, add this rule on system A:
- #ACTION SOURCE DESTINATION PROTO POLICY
+ #ACTION SOURCE DEST PROTO POLICY
 ACCEPT vpn:134.28.54.2 $FW
@@ -458,8 +452,7 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any through an ESP tunnel then the following entry would be appropriate: - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS sec ipsec mode=tunnel mss=1400 You should also set FASTACCEPT=No in shorewall.conf to ensure @@ -493,25 +486,24 @@ sec ipsec mode=tunnel mss=1400 /etc/shorewall/zones — System A - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS net ipv4 vpn ipsec loc ipv4 -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + In this instance, the mobile system (B) has IP address 134.28.54.2 but that cannot be determined in advance. In the /etc/shorewall/tunnels file on system A, the following entry should be made:
- #TYPE ZONE GATEWAY GATEWAY ZONE
+ #TYPE ZONE GATEWAY GATEWAY_ZONE
 ipsec net 0.0.0.0/0 vpn
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
- the GATEWAY ZONE column contains the name of the zone + the GATEWAY_ZONE column contains the name of the zone corresponding to peer subnetworks. This indicates that the gateway system itself comprises the peer subnetwork; in other words, the remote gateway is a standalone system. @@ -524,8 +516,7 @@ ipsec net 0.0.0.0/0 vpn /etc/shorewall/hosts — System A: #ZONE HOSTS OPTIONS -vpn eth0:0.0.0.0/0 -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +vpn eth0:0.0.0.0/0
You will need to configure your through the tunnel @@ -536,24 +527,20 @@ vpn eth0:0.0.0.0/0
/etc/shorewall/zones - System B: - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS vpn ipsec net ipv4 -loc ipv4 -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +loc ipv4 /etc/shorewall/tunnels - System B: - #TYPE ZONE GATEWAY GATEWAY ZONE -ipsec net 206.162.148.9 vpn -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + #TYPE ZONE GATEWAY GATEWAY_ZONE +ipsec net 206.162.148.9 vpn /etc/shorewall/hosts - System B: #ZONE HOSTS OPTIONS -vpn eth0:0.0.0.0/0 -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +vpn eth0:0.0.0.0/0
On system A, here are the IPsec files: @@ -716,13 +703,11 @@ RACOON=/usr/sbin/racoon
 /etc/shorewall/zones — System A
- #ZONE TYPE OPTIONS IN OUT
-# OPTIONS OPTIONS
-net ipv4
+ #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
+et ipv4
 vpn ipsec
 l2tp ipv4
-loc ipv4
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+loc ipv4
Since the L2TP will require the use of pppd, you will end up with @@ -737,8 +722,7 @@ loc ipv4 #ZONE INTERFACE BROADCAST OPTIONS net eth0 detect routefilter loc eth1 192.168.1.255 -l2tp ppp+ - -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +l2tp ppp+ - The next thing that must be done is to adjust the policy so that the @@ -776,7 +760,7 @@ l2tp ppp+ -
 /etc/shorewall/policy:
- #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
+ #SOURCE DEST POLICY LOGLEVEL LIMIT
 $FW all ACCEPT
 loc net ACCEPT
 loc l2tp ACCEPT # Allows local machines to connect to road warriors
@@ -784,8 +768,7 @@ l2tp loc ACCEPT # Allows road warriors to connect to loca
 l2tp net ACCEPT # Allows road warriors to connect to the Internet
 net all DROP info # The FOLLOWING POLICY MUST BE LAST
-all all REJECT info
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+all all REJECT info
The final step is to modify your rules file. There are three @@ -802,8 +785,7 @@ all all REJECT info
 /etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST SOURCE
-# PORT(S) PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT SPORT
 ?SECTION ESTABLISHED
 # Prevent IPsec bypass by hosts behind a NAT gateway
 L2TP(REJECT) net $FW
@@ -815,8 +797,7 @@ ACCEPT vpn $FW udp 1701
 HTTP(ACCEPT) loc $FW
 HTTP(ACCEPT) l2tp $FW
 HTTPS(ACCEPT) loc $FW
-HTTPS(ACCEPT) l2tp $FW
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+HTTPS(ACCEPT) l2tp $FW
@@ -890,9 +871,8 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in ipsec esp/transport/192.168.
/etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect routefilter,dhcp,tcpflags -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + #ZONE INTERFACE OPTIONS +net eth0 routefilter,dhcp,tcpflags /etc/shorewall/tunnels: @@ -910,8 +890,7 @@ net ipv4 /etc/shorewall/hosts: #ZONE HOST(S) OPTIONS -loc eth0:192.168.20.0/24 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE +loc eth0:192.168.20.0/24 It is worth noting that although loc is a sub-zone of net, because loc @@ -921,15 +900,14 @@ loc eth0:192.168.20.0/24 /etc/shorewall/policy: - #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST + #SOURCE DEST POLICY LOGLEVEL LIMIT $FW all ACCEPT loc $FW ACCEPT net loc NONE loc net NONE net all DROP info # The FOLLOWING POLICY MUST BE LAST -all all REJECT info -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +all all REJECT info Since there are no cases where net<->loc traffic should occur, NONE policies are used. diff --git a/docs/Introduction.xml b/docs/Introduction.xml index 5c0e85994..f57c3e123 100644 --- a/docs/Introduction.xml +++ b/docs/Introduction.xml @@ -266,13 +266,13 @@ dmz eth2 detect nets=(192.168.1.0/24) The /etc/shorewall/policy file included with the three-interface sample has the following policies: - #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST + #SOURCE DEST POLICY LOGLEVEL LIMIT loc net ACCEPT net all DROP info all all REJECT infoIn the three-interface sample, the line below is included but commented out. If you want your firewall system to have full access to servers on the Internet, uncomment - that line. #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST + that line. #SOURCE DEST POLICY LOGLEVEL LIMIT $FW net ACCEPT The above policies will: 
@@ -316,8 +316,7 @@ $FW net ACCEPT The above policies will: url="manpages/shorewall-rules.html">/etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT net $FW tcp 22 So although you have a policy of ignoring all connection attempts diff --git a/docs/Laptop.xml b/docs/Laptop.xml index 54eb7a993..33bbea1af 100644 --- a/docs/Laptop.xml +++ b/docs/Laptop.xml @@ -68,10 +68,10 @@ optional interfaces for the 'net' zone in /etc/shorewall/interfaces. - #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect optional,… -net wlan0 detect optional,… -net ppp0 - optional,… + #ZONE INTERFACE OPTIONS +net eth0 optional,… +net wlan0 optional,… +net ppp0 optional,… With this configuration, access to the 'net' zone is possible regardless of which of the interfaces is being used. diff --git a/docs/MAC_Validation.xml b/docs/MAC_Validation.xml index a77aeb1c1..116ca592d 100644 --- a/docs/MAC_Validation.xml +++ b/docs/MAC_Validation.xml 
@@ -172,22 +172,20 @@ MACLIST_LOG_LEVEL=info /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS -net $EXT_IF 206.124.146.255 dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs -loc $INT_IF 192.168.1.255 dhcp -dmz $DMZ_IF - -vpn tun+ - -Wifi $WIFI_IF - maclist,dhcp -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE + #ZONE INTERFACE OPTIONS +net $EXT_IF dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs +loc $INT_IF dhcp +dmz $DMZ_IF +vpn tun+ +Wifi $WIFI_IF maclist,dhcp - /etc/shorewall/maclist: + etc/shorewall/maclist: #DISPOSITION INTERFACE MAC IP ADDRESSES (Optional) ACCEPT $WIFI_IF 00:04:5e:3f:85:b9 #WAP11 ACCEPT $WIFI_IF 00:06:25:95:33:3c #WET11 ACCEPT $WIFI_IF 00:0b:4d:53:cc:97 192.168.3.8 #TIPPER -ACCEPT $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +ACCEPT $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop As shown above, I used MAC Verification on my wireless zone that was served by a Linksys WET11 wireless bridge. diff --git a/docs/Macros.xml b/docs/Macros.xml index 4d55951c7..712d166c3 100644 --- a/docs/Macros.xml +++ b/docs/Macros.xml @@ -469,7 +469,7 @@ ACCEPT $FW loc tcp 135,139,445 - ORIGINAL DEST (Shorewall-perl 4.2.0 and later) + ORIGDEST (Shorewall-perl 4.2.0 and later) To use this column, you must include 'FORMAT 2' as the first non-comment line in your macro file. diff --git a/docs/ManualChains.xml b/docs/ManualChains.xml index 087322e5f..d914d52d3 100644 --- a/docs/ManualChains.xml +++ b/docs/ManualChains.xml 
@@ -195,16 +195,14 @@ sub Knock { The rule from the Port Knocking article: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT SSHKnock net $FW tcp 22,1599,1600,1601 - becomes:PERL Knock 'net', '$FW', {target => 22, knocker => 1600, trap => [1599, 1601]};Similarly#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL -# PORT(S) DEST + becomes:PERL Knock 'net', '$FW', {target => 22, knocker => 1600, trap => [1599, 1601]};Similarly#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178 SSHKnock net $FW tcp 1599,1600,1601 -SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178becomes:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL -# PORT(S) DEST +SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178becomes:#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178 PERL Knock 'net', '$FW', {name => 'SSH', knocker => 1600, trap => [1599, 1601]}; diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index 149c29aa9..e5839d5e2 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -892,7 +892,7 @@ net eth1 detect … /etc/shorewall/policy: - #SOURCE DESTINATION POLICY LIMIT:BURST + #SOURCE DESTINATION POLICY LOGLEVEL LIMIT net net DROP /etc/shorewall/masq: @@ -913,15 +913,13 @@ eth1 0.0.0.0/0 130.252.99.27 later, you would make this entry in /etc/shorewall/mangle. - #ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST MARK(2):P <local network> 0.0.0.0/0 tcp 25 Note that traffic from the firewall itself must be handled in a different rule: - #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST MARK(2) $FW 0.0.0.0/0 tcp 25 If you are running a Shorewall version earlier than 4.6.0, the 
@@ -929,14 +927,12 @@ MARK(2) $FW 0.0.0.0/0 tcp 25 url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules would be: - #ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST 2:P <local network> 0.0.0.0/0 tcp 25 And for traffic from the firewall: - #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST 2 $FW 0.0.0.0/0 tcp 25 @@ -951,8 +947,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 25 /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL -# PORTS(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT net loc:192.168.1.3 tcp 25 Continuing the above example, to forward only connection requests @@ -962,19 +957,16 @@ DNAT net loc:192.168.1.3 tcp 25 Qualify the SOURCE by ISP 1's interface: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL -# PORTS(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT net:eth0 loc:192.168.1.3 tcp 25 or - Specify the IP address of ISP 1 in the ORIGINAL DEST - column: + Specify the IP address of ISP 1 in the ORIGDEST column: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL -# PORTS(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT net loc:192.168.1.3 tcp 25 - 206.124.146.176 @@ -2573,8 +2565,7 @@ wireless 3 3 - wlan0 172.20.1.1 track,o role="bold">avvanta provider. Here is the mangle file (MARK_IN_FORWARD_CHAIN=No in - shorewall.conf):#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER -# PORT(S) PORT(S) + shorewall.conf):#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER MARK(2) $FW 0.0.0.0/0 tcp 21 MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp MARK(2) $FW 0.0.0.0/0 tcp 119 
@@ -2583,8 +2574,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119shorewall update -t will do that for you). Here are the equivalent tcrules entries: - #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER -# PORT(S) + #MARK SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER 2 $FW 0.0.0.0/0 tcp 21 2 $FW 0.0.0.0/0 tcp - - - - - - - ftp 2 $FW 0.0.0.0/0 tcp 119 @@ -2603,8 +2593,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119The same rules converted to use the mangle file are: - #ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER -# PORT(S) + #MARK SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER MARK(2) $FW 0.0.0.0/0 tcp 21 MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp MARK(2) $FW 0.0.0.0/0 tcp 119 @@ -2612,8 +2601,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 119 The remaining files are for a rather standard two-interface config with a bridge as the local interface. - zones:#ZONE IPSEC OPTIONS IN OUT -# ONLY OPTIONS OPTIONS + zones:#ZONE IPSEC OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall net ipv4 kvm ipv4policy:net net NONE @@ -2623,17 +2611,17 @@ kvm all ACCEPT net all DROP info all all REJECT info - interfaces:#ZONE INTERFACE BROADCAST OPTIONS GATEWAY + interfaces:#ZONE INTERFACE OPTIONS # -net eth0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore -net wlan0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional -kvm br0 detect routeback #Virtual Machines +net eth0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore +net wlan0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional +kvm br0 routeback #Virtual Machines wlan0 is the wireless adapter in the notebook. Used when the laptop is in our home but not connected to the wired network. - masq:#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC + masq:#INTERFACE SUBNET ADDRESS PROTO DPORT IPSEC eth0 192.168.0.0/24 wlan0 192.168.0.0/24 Because the firewall has only a single external IP address, I 
@@ -2815,7 +2803,7 @@ dmz ip #LXC Containers /etc/shorewall/interfaces: - #ZONE INTERFACE OPTIONS + #ZONE INTERFACE OPTIONS loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp @@ -2881,9 +2869,7 @@ root@gateway:~# /etc/shorewall/mangle is not used to support Multi-ISP: - #MARK SOURCE DEST PROTO DEST SOURCE -# PORT(S) PORT(S) -FORMAT 2 + #MARK SOURCE DEST PROTO DPORT SPORT TTL(+1):P INT_IF - SAME:P INT_IF - tcp 80,443 ?if $PROXY && ! $SQUID2 diff --git a/docs/Multiple_Zones.xml b/docs/Multiple_Zones.xml index 60a587405..8bdbb25a8 100644 --- a/docs/Multiple_Zones.xml +++ b/docs/Multiple_Zones.xml @@ -114,7 +114,7 @@ of this discussion, it makes no difference. - +
Can You Use the Standard Configuration? @@ -183,7 +183,7 @@ all hosts connected to eth1 and a second zone loc1 (192.168.2.0/24) as a sub-zone. - + The Router in the above diagram is assumed to NOT be doing @@ -209,7 +209,7 @@ loc1:loc ipv4 /etc/shorewall/interfaces - #ZONE INTERFACE BROADCAST OPTIONS + #ZONE INTERFACE OPTIONS loc eth1 - /etc/shorewall/hosts @@ -234,7 +234,7 @@ loc1 loc NONE You define both zones in the /etc/shorewall/hosts file to create two disjoint zones. - + The Router in the above diagram is assumed to NOT be doing @@ -247,8 +247,8 @@ loc2 ipv4 /etc/shorewall/interfaces - #ZONE INTERFACE BROADCAST -- eth1 192.168.1.255 + #ZONE INTERFACE OPTIONS +- eth1 - /etc/shorewall/hosts @@ -274,7 +274,7 @@ loc2 loc1 NONE There are cases where a subset of the addresses associated with an interface need special handling. Here's an example. - + In this example, addresses 192.168.1.8 - 192.168.1.15 (192.168.1.8/29) are to be treated as their own zone (loc1). @@ -287,8 +287,8 @@ loc1:loc ipv4 /etc/shorewall/interfaces - #ZONE INTERFACE BROADCAST -loc eth1 - + #ZONE INTERFACE +loc eth1 /etc/shorewall/hosts#ZONE HOSTS OPTIONS loc1 eth1:192.168.1.8/29 broadcast @@ -326,7 +326,7 @@ loc1 loc NONE loc zone are configured with their default gateway set to the Shorewall router's RFC1918 address. - + /etc/shorewall/zones @@ -336,8 +336,8 @@ loc:net ipv4 /etc/shorewall/interfaces - #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect routefilter + #ZONE INTERFACE OPTIONS +net eth0 routefilter /etc/shorewall/hosts diff --git a/docs/MyNetwork.xml b/docs/MyNetwork.xml index 82159f282..596a5518c 100644 --- a/docs/MyNetwork.xml +++ b/docs/MyNetwork.xml @@ -494,8 +494,7 @@ tarpit inline # Wrapper for TARPIT
/etc/shorewall/action.Mirrors - #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE -# PORT PORT(S) DEST LIMIT + #TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE ?COMMENT Accept traffic from Mirrors ?FORMAT 2 DEFAULTS - @@ -508,8 +507,7 @@ $1 $MIRRORS
/etc/shorewall/action.tarpit - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER -# PORT PORT(S) DEST LIMIT GROUP + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER $LOG { rate=s:1/min } TARPIT @@ -520,7 +518,8 @@ TARPIT
/etc/shorewall/zones - fw firewall + #ZONE TYPE +fw firewall loc ip #Local Zone net ipv4 #Internet dmz ipv4 #LXC Containers @@ -531,7 +530,7 @@ smc:net ip #10.0.1.0/24
/etc/shorewall/interfaces - #ZONE INTERFACE BROADCAST OPTIONS + #ZONE INTERFACE OPTIONS loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback,tcpflags=0 net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp @@ -552,8 +551,7 @@ smc COMC_IF:10.0.0.0/24
/etc/shorewall/policy - #SOURCE DEST POLICY LOG LIMIT:BURST -# LEVEL + #SOURCE DEST POLICY LOGLEVEL LIMIT $FW dmz REJECT $LOG $FW net REJECT $LOG ?else @@ -577,8 +575,7 @@ all all REJECT:Reject $LOG
/etc/shorewall/accounting - #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC -# PORT(S) PORT(S) GROUP + #ACTION CHAIN SOURCE DESTINATION PROTO DPORT SPORT USER MARK IPSEC ?COMMENT ?SECTION PREROUTING ?SECTION INPUT @@ -604,7 +601,8 @@ ACCOUNT(loc-net,$INT_NET) - INT_IF COMB_IF
/etc/shorewall/blrules - WHITELIST net:70.90.191.126 all + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH +WHITELIST net:70.90.191.126 all BLACKLIST net:+blacklist all BLACKLIST net all udp 1023:1033,1434,5948,23773 DROP net all tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773 @@ -714,8 +712,7 @@ br0 70.90.191.120/29 70.90.191.121 /etc/shorewall/conntrack ?FORMAT 2 -#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ -# PORT(S) PORT(S) GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT # DROP net - udp 3551 NOTRACK net - tcp 23 @@ -818,8 +815,7 @@ br0 - ComcastB 11000
/etc/shorewall/stoppedrules - #TARGET HOST(S) DEST PROTO DEST SOURCE -# PORT(S) PORT(S) + #TARGET HOST(S) DEST PROTO DPORT SPORT ACCEPT INT_IF:172.20.1.0/24 $FW NOTRACK COMB_IF - 41 NOTRACK $FW COMB_IF 41 @@ -832,9 +828,7 @@ ACCEPT COMC_IF $FW udp 67:68/etc/shorewall/rules ################################################################################################################################################################################################ -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH -# PORT(S) PORT(S) DEST LIMIT GROUP -################################################################################################################################################################################################ +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH ?if $VERSION < 40500 ?SHELL echo " ERROR: Shorewall version is too low" >&2; exit 1 ?endif diff --git a/docs/NAT.xml b/docs/NAT.xml index e683c6775..1dcf6a73b 100644 --- a/docs/NAT.xml +++ b/docs/NAT.xml @@ -60,7 +60,7 @@ The following figure represents a one-to-one NAT environment. - + One-to-one NAT can be used to make the systems with the 10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If we assume @@ -73,7 +73,7 @@ internal host(s) — such traffic is still subject to your policies and rules. - /etc/shorewall/nat#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL + /etc/shorewall/nat#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL 130.252.100.18 eth0 10.1.1.2 no no 130.252.100.19 eth0 10.1.1.3 no no @@ -105,7 +105,7 @@ yes then you must NOT configure your own alias(es). - + @@ -126,8 +126,7 @@ would need the following entry in /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST SOURCE ORIG -# PORT(S) PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST ACCEPT net loc:10.1.1.2 tcp 80 - 130.252.100.18
diff --git a/docs/OPENVPN.xml b/docs/OPENVPN.xml index bf7c667dc..f6f6b102d 100644 --- a/docs/OPENVPN.xml +++ b/docs/OPENVPN.xml @@ -68,8 +68,8 @@ - It is widely supported -- I run it on both Linux and Windows - XP. + It is widely supported -- I run it on both Linux and + Windows. @@ -97,7 +97,7 @@ Suppose that we have the following situation: - + We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is @@ -118,8 +118,7 @@ /etc/shorewall/zones — Systems A & B - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS vpn ipv4
@@ -130,7 +129,7 @@ vpn ipv4
In /etc/shorewall/interfaces on system A: - #ZONE INTERFACE BROADCAST OPTIONS + #ZONE INTERFACE OPTIONS vpn tun0 @@ -138,7 +137,7 @@ vpn tun0 the following:
- #TYPE ZONE GATEWAY GATEWAY ZONE
+ #TYPE ZONE GATEWAY GATEWAY_ZONE
 openvpn net 134.28.54.2
@@ -150,7 +149,7 @@ openvpn net 134.28.54.2
/etc/shorewall/tunnels with port 7777: - #TYPE ZONE GATEWAY GATEWAY ZONE + #TYPE ZONE GATEWAY GATEWAY_ZONE openvpn:7777 net 134.28.54.2
@@ -161,7 +160,7 @@ openvpn:7777 net 134.28.54.2
/etc/shorewall/tunnels using TCP: - #TYPE ZONE GATEWAY GATEWAY ZONE + #TYPE ZONE GATEWAY GATEWAY_ZONE openvpn:tcp net 134.28.54.2
@@ -170,7 +169,7 @@ openvpn:tcp net 134.28.54.2
/etc/shorewall/tunnels using TCP port 7777: - #TYPE ZONE GATEWAY GATEWAY ZONE + #TYPE ZONE GATEWAY GATEWAY_ZONE openvpn:tcp:7777 net 134.28.54.2
@@ -206,7 +205,7 @@ vpn tun0 have:
- #TYPE ZONE GATEWAY GATEWAY ZONE
+ #TYPE ZONE GATEWAY GATEWAY_ZONE
 openvpn net 206.191.148.9
@@ -249,7 +248,7 @@ vpn loc ACCEPT OpenVPN 2.0 provides excellent support for roadwarriors. Consider the setup in the following diagram: - + On the gateway system (System A), we need a zone to represent the remote clients — we'll call that zone road. @@ -257,8 +256,7 @@ vpn loc ACCEPT
/etc/shorewall/zones — System A: - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS road ipv4
@@ -269,7 +267,7 @@ road ipv4 In /etc/shorewall/interfaces on system A: - #ZONE INTERFACE BROADCAST OPTIONS + #ZONE INTERFACE OPTIONS road tun+ @@ -277,7 +275,7 @@ road tun+ the following:
- #TYPE ZONE GATEWAY GATEWAY ZONE
+ #TYPE ZONE GATEWAY GATEWAY_ZONE
 openvpn:1194 net 0.0.0.0/0
@@ -288,7 +286,7 @@ openvpn:1194 net 0.0.0.0/0 uses NAT.
- #TYPE ZONE GATEWAY GATEWAY ZONE
+ #TYPE ZONE GATEWAY GATEWAY_ZONE
 openvpnserver:1194 net 0.0.0.0/0
@@ -363,7 +361,7 @@ home tun0 the following:
- #TYPE ZONE GATEWAY GATEWAY ZONE
+ #TYPE ZONE GATEWAY GATEWAY_ZONE
 openvpn:1194 net 206.162.148.9
@@ -372,7 +370,7 @@ openvpn:1194 net 206.162.148.9 prefer:
- #TYPE ZONE GATEWAY GATEWAY ZONE
+ #TYPE ZONE GATEWAY GATEWAY_ZONE
 openvpnclient:1194 net 206.162.148.9
@@ -443,7 +441,7 @@ verb 3 192.168.1.0/24, there will be times when your roadwarriors need to access your lan from a remote location that uses that same network. - + This may be accomplished by configuring a second server on your firewall that uses a different port and by using Add this entry to /etc/shorewall/tunnels: - #TYPE ZONE GATEWAY GATEWAY ZONE + #TYPE ZONE GATEWAY GATEWAY_ZONE openvpnserver:1194 net 0.0.0.0/0 @@ -736,7 +734,7 @@ openvpnserver:1194 net 0.0.0.0/0 Consider the following case: - + Part of the 192.168.1.0/24 network is in one location and part in another. The two LANs can be bridged with OpenVPN as described in this diff --git a/docs/OpenVZ.xml b/docs/OpenVZ.xml index f49363422..2439930d3 100644 --- a/docs/OpenVZ.xml +++ b/docs/OpenVZ.xml @@ -141,17 +141,16 @@ server:~ # /etc/shorewall/zones: ############################################################################### -#ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS +#ZONE TYPE OPTIONS IN_OPTION OUT_OPTIONS net ipv4 vz ipv4 /etc/shorewall/interfaces: ############################################################################### -#ZONE INTERFACE BROADCAST OPTIONS -net eth0 - proxyarp=1 -vz venet0 - routeback,arp_filter=0 +#ZONE INTERFACE OPTIONS +net eth0 proxyarp=1 +vz venet0 routeback,arp_filter=0
@@ -159,8 +158,8 @@ vz venet0 - routeback,arp_f If you run Shorewall Multi-ISP support on the host, you should arrange for traffic to your containers to use the main routing table. In - the configuration shown here, this entry in /etc/shorewall/rtrules - is appropriate: + the configuration shown here, this entry in /etc/shorewall/rtrules is + appropriate: #SOURCE DEST PROVIDER PRIORITY - 206.124.146.178 main 1000 @@ -290,7 +289,7 @@ done. The network diagram is shown below. - + The two systems shown in the green box are OpenVZ Virtual Environments (containers). @@ -457,8 +456,7 @@ NAME="server" /etc/shorewall/zones: - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall net ipv4 #Internet loc ipv4 #Local wired Zone @@ -472,11 +470,11 @@ INT_IF=eth1 VPS_IF=venet0 ... - /etc/shorewall/interfaces:#ZONE INTERFACE BROADCAST OPTIONS -net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,/etc/shorewall/interfaces:#ZONE INTERFACE OPTIONS +net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,proxyarp=1 -loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags -dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback +loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags +dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback ...This is a multi-ISP configuration so entries are required in /etc/shorewall/rtrules: @@ -501,8 +499,7 @@ loc $INT_IF detect dhcp,logmartians=1,routefilter=1 /etc/shorewall/zones: - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall net ipv4 @@ -526,7 +523,7 @@ net venet0 detect dhcp,tc The network diagram is shown below. - + The two systems shown in the green box are OpenVZ Virtual Environments (containers). 
@@ -768,8 +765,7 @@ NAME="server" /etc/shorewall/zones: - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall net ipv4 #Internet loc ipv4 #Local wired Zone @@ -783,10 +779,10 @@ INT_IF=eth1 VPS_IF=vzbr0 ... - /etc/shorewall/interfaces:#ZONE INTERFACE BROADCAST OPTIONS -net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0 -loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags -dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback + /etc/shorewall/interfaces:#ZONE INTERFACE OPTIONS +net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0 +loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags +dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback ... /etc/shorewall/proxyarp: @@ -813,15 +809,14 @@ dmz $VPS_IF detect logmartians=0,routefilter=0,nets /etc/shorewall/zones: - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall net ipv4 /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect dhcp,tcpflags,logmartians,nosmurfs + #ZONE INTERFACE OPTIONS +net eth0 dhcp,tcpflags,logmartians,nosmurfs
diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml
index 3d0acc2a1..95d987833 100644
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -178,8 +178,8 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport= Rules are conditionally executed based on whether the current
- packet matches the contents of the SOURCE, DEST, PROTO, PORT(S),
- CLIENT PORT(S_, USER, TEST, LENGTH and TOS columns.
+ packet matches the contents of the SOURCE, DEST, PROTO, DPORT, SPORT,
+ USER, TEST, LENGTH and TOS columns.
@@ -352,7 +352,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport= The relationship between these options is shown in this diagram. - + The default values of these options are determined by the settings of other options as follows: @@ -476,8 +476,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport= Here's the example (slightly expanded) from the comments at the top of the /etc/shorewall/mangle file. - #ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1 MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2 MARK(1) $FW 0.0.0.0/0 icmp echo-request #Rule 3 @@ -486,8 +485,7 @@ MARK(1) $FW 0.0.0.0/0 icmp echo-reply #R RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 #Rule 5 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 6 MARK(4) 0.0.0.0/0 0.0.0.0/0 ipp2p:all #Rule 7 -SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8 -##LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8 Let's take a look at each rule: 
@@ -554,33 +552,25 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #R /etc/shorewall/providers: #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY -Blarg 1 0x100 main eth3 206.124.146.254 track,balance br0,eth1 -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE - +Blarg 1 0x100 main eth3 206.124.146.254 track,balance br0,eth1 Here is /etc/shorewall/mangle: - #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST CLASSIFY(1:110) 192.168.0.0/22 eth3 #Our internal nets get priority #over the server -CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - +CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873 And here is /etc/shorewall/tcdevices and /etc/shorewall/tcclasses: - #INTERFACE IN-BANDWITH OUT-BANDWIDTH + #INTERFACE IN_BANDWITH OUT_BANDWIDTH eth3 1.3mbit 384kbit -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #INTERFACE MARK RATE CEIL PRIORITY OPTIONS eth3 10 full full 1 tcp-ack,tos-minimize-delay eth3 20 9*full/10 9*full/10 2 default -eth3 30 6*full/10 6*full/10 3 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - +eth3 30 6*full/10 6*full/10 3 I've annotated the following output with comments beginning with "<<<<" and ending with ">>>>". This example uses diff --git a/docs/PortKnocking.xml b/docs/PortKnocking.xml index 84dba1eca..742b1e970 100644 --- a/docs/PortKnocking.xml +++ b/docs/PortKnocking.xml @@ -131,13 +131,13 @@ add_rule( $chainref, '-p tcp --dport 1601 -m recent --name Internet, add this rule in /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT SSHKnock net $FW tcp 22,1599,1600,1601 If you want to log the DROPs and ACCEPTs done by SSHKnock, you can just add a log level as in: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT SSHKnock:info net $FW tcp 22,1599,1600,1601 
@@ -146,18 +146,16 @@ SSHKnock:info net $FW tcp 22,1599,1600,1601< 206.124.146.178 to internal system 192.168.1.5. In /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL -# PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178 SSHKnock net $FW tcp 1599,1600,1601 SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178 You can use SSHKnock with DNAT on earlier releases provided - that you omit the ORIGINAL DEST entry on the second SSHKnock rule. - This rule will be quite secure provided that you specify - 'routefilter' on your external interface and have - NULL_ROUTE_RFC1918=Yes in + that you omit the ORIGDEST entry on the second SSHKnock rule. This + rule will be quite secure provided that you specify 'routefilter' on + your external interface and have NULL_ROUTE_RFC1918=Yes in shorewall.conf. diff --git a/docs/ProxyARP.xml b/docs/ProxyARP.xml index 38fc2ac8a..e75041200 100644 --- a/docs/ProxyARP.xml +++ b/docs/ProxyARP.xml @@ -84,7 +84,7 @@ The following figure represents a Proxy ARP environment. - + Proxy ARP can be used to make the systems with addresses 130.252.100.18 and 130.252.100.19 appear to be on the upper @@ -129,7 +129,7 @@ irrelevant, one approach you can take is to make that address the same as the address of your external interface! - + In the diagram above, eth1 has been given the address 130.252.100.17, the same as @@ -142,8 +142,7 @@ you have configured to be in the loc zone then you would need this entry in /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST -# PORT + #ACTION SOURCE DEST PROTO DPORT ACCEPT net loc:130.252.100.19 tcp 80 diff --git a/docs/QOSExample.xml b/docs/QOSExample.xml index 2f034d58c..71db2f368 100644 --- a/docs/QOSExample.xml +++ b/docs/QOSExample.xml 
@@ -213,8 +213,7 @@ ip link set ifb0 up The tcdevices file describes the two devices:
- #NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED
-#INTERFACE INTERFACES
+ #NUMBER: IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
 1:eth0 - ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0
 2:ifb0 - ${DOWNLOAD}kbit hfsc eth0
@@ -225,67 +224,66 @@ ip link set ifb0 up The tcclasses file defines the class hierarchy for both devices: - #IFACE: MARK RATE: CEIL PRIORITY OPTIONS -#CLASS DMAX:UMAX -1 1 ${UP_SC_VOIP_RATE}kbit:\ - ${UP_SC_VOIP_DMAX}:\ - ${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1 + #INTERFACE MARK RATE CEIL PRIORITY OPTIONS +1 1 ${UP_SC_VOIP_RATE}kbit:\ + ${UP_SC_VOIP_DMAX}:\ + ${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1 -1 2 ${UP_RT_PRIO_RATE}kbit:\ - ${UP_RT_PRIO_DMAX}:\ - ${UP_RT_PRIO_UMAX} ${UP_LS_PRIO_RATE}kbit:\ - ${UP_UL_PRIO_RATE}kbit 1 +1 2 ${UP_RT_PRIO_RATE}kbit:\ + ${UP_RT_PRIO_DMAX}:\ + ${UP_RT_PRIO_UMAX} ${UP_LS_PRIO_RATE}kbit:\ + ${UP_UL_PRIO_RATE}kbit 1 -1 3 - ${UP_LS_NORMAL_RATE}kbit:\ - ${UP_UL_NORMAL_RATE}kbit 1 red=(limit=$UP_NORMAL_RED_limit,\ - min=$UP_NORMAL_RED_min,\ - max=$UP_NORMAL_RED_max,\ - burst=$UP_NORMAL_RED_burst,\ - probability=$UP_NORMAL_RED_PROB,\ - ecn) -1 4 - ${UP_LS_P2P_RATE}kbit:\ - ${UP_UL_P2P_RATE}kbit 1 red=(limit=$UP_P2P_RED_limit,\ - min=$UP_P2P_RED_min,\ - max=$UP_P2P_RED_max,\ - burst=$UP_P2P_RED_burst,\ - probability=$UP_P2P_RED_PROB,\ - ecn) -1 5 - ${UP_LS_BULK_RATE}kbit:\ - ${UP_UL_BULK_RATE}kbit 1 default,\ - red=(limit=$UP_BULK_RED_limit,\ - min=$UP_BULK_RED_min,\ - max=$UP_BULK_RED_max,\ - burst=$UP_BULK_RED_burst,\ - probability=$UP_BULK_RED_PROB,\ - ecn) +1 3 - ${UP_LS_NORMAL_RATE}kbit:\ + ${UP_UL_NORMAL_RATE}kbit 1 red=(limit=$UP_NORMAL_RED_limit,\ + min=$UP_NORMAL_RED_min,\ + max=$UP_NORMAL_RED_max,\ + burst=$UP_NORMAL_RED_burst,\ + probability=$UP_NORMAL_RED_PROB,\ + ecn) +1 4 - ${UP_LS_P2P_RATE}kbit:\ + ${UP_UL_P2P_RATE}kbit 1 red=(limit=$UP_P2P_RED_limit,\ + min=$UP_P2P_RED_min,\ + max=$UP_P2P_RED_max,\ + burst=$UP_P2P_RED_burst,\ + probability=$UP_P2P_RED_PROB,\ + ecn) +1 5 - ${UP_LS_BULK_RATE}kbit:\ + ${UP_UL_BULK_RATE}kbit 1 default,\ + red=(limit=$UP_BULK_RED_limit,\ + min=$UP_BULK_RED_min,\ + max=$UP_BULK_RED_max,\ + burst=$UP_BULK_RED_burst,\ + probability=$UP_BULK_RED_PROB,\ + ecn) -2:10 - ${UP_SC_VOIP_RATE}kbit:\ 
- ${UP_SC_VOIP_DMAX}:\ - ${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1 +2:10 - ${UP_SC_VOIP_RATE}kbit:\ + ${UP_SC_VOIP_DMAX}:\ + ${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1 -2:20 - ${DOWN_RT_PRIO_RATE}kbit:\ - ${DOWN_RT_PRIO_DMAX}:\ - ${DOWN_RT_PRIO_UMAX} ${DOWN_UL_PRIO_RATE}kbit 1 +2:20 - ${DOWN_RT_PRIO_RATE}kbit:\ + ${DOWN_RT_PRIO_DMAX}:\ + ${DOWN_RT_PRIO_UMAX} ${DOWN_UL_PRIO_RATE}kbit 1 -2:30 - - ${DOWN_LS_NORMAL_RATE}kbit:\ - ${DOWN_UL_NORMAL_RATE}kbit 1 red=(limit=$DOWN_NORMAL_RED_limit,\ - min=$DOWN_NORMAL_RED_min,\ - max=$DOWN_NORMAL_RED_max,\ - burst=$DOWN_NORMAL_RED_burst,\ - probability=$DOWN_NORMAL_RED_PROB) -2:40 - - ${DOWN_LS_P2P_RATE}kbit:\ - ${DOWN_UL_P2P_RATE}kbit 1 red=(limit=$DOWN_P2P_RED_limit,\ - min=$DOWN_P2P_RED_min,\ - max=$DOWN_P2P_RED_max,\ - burst=$DOWN_P2P_RED_burst,\ - probability=$DOWN_P2P_RED_PROB) -2:50 - - ${DOWN_LS_BULK_RATE}kbit:\ - ${DOWN_UL_BULK_RATE}kbit 1 default,\ - red=(limit=$DOWN_BULK_RED_limit,\ - min=$DOWN_BULK_RED_min,\ - max=$DOWN_BULK_RED_max,\ - burst=$DOWN_BULK_RED_burst,\ - probability=$DOWN_BULK_RED_PROB) +2:30 - - ${DOWN_LS_NORMAL_RATE}kbit:\ + ${DOWN_UL_NORMAL_RATE}kbit 1 red=(limit=$DOWN_NORMAL_RED_limit,\ + min=$DOWN_NORMAL_RED_min,\ + max=$DOWN_NORMAL_RED_max,\ + burst=$DOWN_NORMAL_RED_burst,\ + probability=$DOWN_NORMAL_RED_PROB) +2:40 - - ${DOWN_LS_P2P_RATE}kbit:\ + ${DOWN_UL_P2P_RATE}kbit 1 red=(limit=$DOWN_P2P_RED_limit,\ + min=$DOWN_P2P_RED_min,\ + max=$DOWN_P2P_RED_max,\ + burst=$DOWN_P2P_RED_burst,\ + probability=$DOWN_P2P_RED_PROB) +2:50 - - ${DOWN_LS_BULK_RATE}kbit:\ + ${DOWN_UL_BULK_RATE}kbit 1 default,\ + red=(limit=$DOWN_BULK_RED_limit,\ + min=$DOWN_BULK_RED_min,\ + max=$DOWN_BULK_RED_max,\ + burst=$DOWN_BULK_RED_burst,\ + probability=$DOWN_BULK_RED_PROB)
@@ -293,8 +291,7 @@ ip link set ifb0 up The mangle file classifies upload packets: - #MARK SOURCE DEST PROTO DEST SOURCE USER TEST -# PORT(S) PORT(S) + #MARK SOURCE DEST PROTO DPORT SPORT USER TEST RESTORE:T - - - - - - !0:C CONTINUE:T - - - - - - !0 2:T - - icmp @@ -319,8 +316,7 @@ SAVE:T - - - - - - The tcfilters file classifies download packets: - #INTERFACE: SOURCE DEST PROTO DEST SOURCE TOS LENGTH -#CLASS PORT(S) PORT(S) + #INTERFACE: SOURCE DEST PROTO DPORT SPORT TOS LENGTH # # These classify download traffic # diff --git a/docs/Shorewall-5.xml b/docs/Shorewall-5.xml index 5b27dc171..0af75100c 100644 --- a/docs/Shorewall-5.xml +++ b/docs/Shorewall-5.xml @@ -240,15 +240,15 @@ - DEST PORT(S) + DPORT - SOURCE PORT(S) + SPORT - ORIGINAL DEST + ORIGDEST @@ -284,8 +284,9 @@ - Notice that the first five columns of both sets are the - same. + Notice that the first five columns of both sets are the same + (although the port-valued column names have changed, the contents are + the same). In Shorewall 5, support for format-1 macros and actions has been dropped and all macros and actions will be processed as if ?FORMAT 2 diff --git a/docs/Shorewall_Squid_Usage.xml b/docs/Shorewall_Squid_Usage.xml index c6d48cd18..c6ecf9379 100644 --- a/docs/Shorewall_Squid_Usage.xml +++ b/docs/Shorewall_Squid_Usage.xml @@ -163,8 +163,7 @@ httpd_accel_uses_host_header on In /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL -# PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST ACCEPT $FW net tcp www REDIRECT loc 3128 tcp www - !206.124.146.177 
@@ -175,10 +174,9 @@ REDIRECT loc 3128 tcp www - !206.124.146. Squid. If needed, you may just add the additional hosts/networks to the - ORIGINAL DEST column in your REDIRECT rule. + ORIGDEST column in your REDIRECT rule. - /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL -# PORT(S) DEST + /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24 People frequently ask How can I exclude certain @@ -188,8 +186,7 @@ REDIRECT loc 3128 tcp www - !206.124.146. Suppose that you want to exclude 192.168.1.5 and 192.168.1.33 from the proxy. Your rules would then be: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL -# PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST ACCEPT $FW net tcp www REDIRECT loc:!192.168.1.5,192.168.1.33\ 3128 tcp www - !206.124.146.177,130.252.100.0/24 @@ -215,8 +212,7 @@ gateway:/etc/shorewall# role="bold">(squid) is running under the proxy user Id. We add these rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL RATE USER/ -# PORT(S) DEST LIMIT GROUP + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ACCEPT $FW net tcp www REDIRECT $FW 3128 tcp www - - - !proxy @@ -242,18 +238,16 @@ Squid 1 202 - eth1 192.168.1.3 loose,no In /etc/shorewall/mangle add: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80 If you are still using a tcrules file, you should consider switching to using a mangle file (shorewall update - -t (shorewall update on - Shorewall 5.0 and later) will do that for you). Corresponding + -t (shorewall update on Shorewall 5.0 + and later) will do that for you). Corresponding /etc/shorewall/tcrules entries are: - #MARK SOURCE DEST PROTO DEST -# PORT(S) + #MARK SOURCE DEST PROTO DPORT 202:P eth1:!192.168.1.3 0.0.0.0/0 tcp 80 
@@ -261,8 +255,8 @@ MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80 In /etc/shorewall/interfaces : - #ZONE INTERFACE BROADCAST OPTIONS -loc eth1 detect routeback,routefilter=0,logmartians=0 + #ZONE INTERFACE OPTIONS +loc eth1 routeback,routefilter=0,logmartians=0 @@ -294,8 +288,7 @@ loc eth1 detect routeback,routefilter=0, In /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL -# PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177
@@ -316,14 +309,12 @@ Squid 1 202 - eth2 192.0.2.177 loose,no In /etc/shorewall/mangle add: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT MARK(202):P eth1 0.0.0.0/0 tcp 80 Corresponding /etc/shorewall/tcrules entries are: - #MARK SOURCE DEST PROTO DEST -# PORT(S) + #MARK SOURCE DEST PROTO DPORT 202:P eth1 0.0.0.0/0 tcp 80 @@ -331,8 +322,8 @@ MARK(202):P eth1 0.0.0.0/0 tcp 80
In /etc/shorewall/interfaces : - #ZONE INTERFACE BROADCAST OPTIONS -loc eth2 detect routefilter=0,logmartians=0 + #ZONE INTERFACE OPTIONS +loc eth2 routefilter=0,logmartians=0 @@ -363,7 +354,7 @@ loc eth2 detect routefilter=0,logmartian /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT Z SZ tcp SP ACCEPT SZ net tcp 80,443 @@ -371,7 +362,7 @@ ACCEPT SZ net tcp 80,443 Squid on the firewall listening on port 8080 with access from the <quote>loc</quote> zone: - /etc/shorewall/rules: #ACTION SOURCE DEST PROTO DEST PORT(S) + /etc/shorewall/rules: #ACTION SOURCE DEST PROTO DPORT ACCEPT loc $FW tcp 8080 ACCEPT $FW net tcp 80,443 @@ -406,8 +397,8 @@ ACCEPT $FW net tcp 80,443 /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS -- lo - - + #ZONE INTERFACE OPTIONS +- lo - /etc/shorewall/providers: @@ -422,17 +413,13 @@ Tproxy 1 - - lo - tproxy/etc/shorewall/mangle (assume loc interface is eth1 and net interface is eth0): - #ACTION SOURCE DEST PROTO DEST SOURCE -# PORT(S) PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT DIVERT eth0 0.0.0.0/0 tcp - 80 TPROXY(3129) eth1 0.0.0.0/0 tcp 80 - Corresponding /etc/shorewall/tcrules - are: + Corresponding /etc/shorewall/mangle are: - FORMAT 2 -#MARK SOURCE DEST PROTO DEST SOURCE -# PORT(S) PORT(S) + #MARK SOURCE DEST PROTO DPORT SPORT DIVERT eth0 0.0.0.0/0 tcp - 80 TPROXY(3129) eth1 0.0.0.0/0 tcp 80 @@ -445,16 +432,14 @@ TPROXY(3129) eth1 0.0.0.0/0 tcp 80 on port 80, then you need to exclude it from TPROXY. Suppose that your web server listens on 192.0.2.144; then: - FORMAT 2 -#MARK SOURCE DEST PROTO DEST SOURCE -# PORT(S) PORT(S) + #MARK SOURCE DEST PROTO DPORT SPORT DIVERT eth0 0.0.0.0/0 tcp - 80 TPROXY(3129) eth1 !192.0.2.144 tcp 80 - /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT loc $FW tcp 80 ACCEPT $FW net tcp 80 
diff --git a/docs/Shorewall_and_Aliased_Interfaces.xml b/docs/Shorewall_and_Aliased_Interfaces.xml index 432fbb9f1..5d063596b 100644 --- a/docs/Shorewall_and_Aliased_Interfaces.xml +++ b/docs/Shorewall_and_Aliased_Interfaces.xml @@ -166,7 +166,7 @@ iface eth0 inet static allow SSH from net to eth0:0 above - /etc/shorewall/rules#ACTION SOURCE DEST PROTO DEST PORT(S) + /etc/shorewall/rules#ACTION SOURCE DEST PROTO DPORT ACCEPT net $FW:206.124.146.178 tcp 22 @@ -179,15 +179,14 @@ ACCEPT net $FW:206.124.146.178 tcp 22 zone at 192.168.1.3. That is accomplished by a single rule in the /etc/shorewall/rules file: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL -# PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 If I wished to forward tcp port 10000 on that virtual interface to port 22 on local host 192.168.1.3, the rule would be: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL -# PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST +DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 DNAT net loc:192.168.1.3:22 tcp 10000 - 206.124.146.178 @@ -202,7 +201,7 @@ DNAT net loc:192.168.1.3:22 tcp 10000 - 20 eth0 192.168.1.0/24 206.124.146.178 Similarly, you want SMTP traffic from local system 192.168.1.22 to - have source IP 206.124.146.178:#INTERFACE SUBNET ADDRESS PROTO DEST PORT(S) + have source IP 206.124.146.178:#INTERFACE SUBNET ADDRESS PROTO DPORT eth0 192.168.1.22 206.124.146.178 tcp 25 Shorewall can create the alias (additional address) for you if you @@ -246,7 +245,7 @@ eth0:2 = 206.124.146.180 would have the following in /etc/shorewall/nat: - #EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL + #EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL 206.124.146.178 eth0 192.168.1.3 no no Shorewall can create the alias (additional address) for you if you 
@@ -263,7 +262,7 @@ eth0:2 = 206.124.146.180 setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE column as follows. - /etc/shorewall/nat#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL + /etc/shorewall/nat#EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL 206.124.146.178 eth0:0 192.168.1.3 no no In either case, to create rules in @@ -275,7 +274,7 @@ eth0:2 = 206.124.146.180 You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3. - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT net loc:192.168.1.3 tcp 22 @@ -305,8 +304,8 @@ loc ipv4 In /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS -loc eth1 - routeback + #ZONE INTERFACE OPTIONS +loc eth1 routeback In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that you want to permit. @@ -327,8 +326,8 @@ loc2 ipv4 In /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS -- eth1 - + #ZONE INTERFACE OPTIONS +- eth1 In /etc/shorewall/hosts: diff --git a/docs/Shorewall_and_Routing.xml b/docs/Shorewall_and_Routing.xml index d42da77e8..ee8de8021 100644 --- a/docs/Shorewall_and_Routing.xml +++ b/docs/Shorewall_and_Routing.xml @@ -68,7 +68,7 @@ The following diagram shows the relationship between routing decisions and Netfilter. - + The light blue boxes indicate where routing decisions are made. Upon exit from one of these boxes, if the packet is being sent to another @@ -208,8 +208,7 @@ /etc/shorewall/proxyarp: #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT -206.124.146.177 eth1 eth0 No -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +206.124.146.177 eth1 eth0 No The above entry will cause Shorewall to execute the following command: diff --git a/docs/SimpleBridge.xml b/docs/SimpleBridge.xml index 0087ef97e..a77d6f3da 100644 --- a/docs/SimpleBridge.xml +++ b/docs/SimpleBridge.xml 
@@ -86,7 +86,7 @@ The following diagram shows a firewall for two bridged LAN segments. - + This is fundamentally the Two-interface Firewall described in the Two-interface Quickstart Guide. The @@ -108,10 +108,11 @@ /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect ... -loc br0 10.0.1.255 routeback,... + ?FORMAT 2 +#ZONE INTERFACE OPTIONS +net eth0 ... +loc br0 routeback,bridge,... So the key points here are: @@ -128,8 +129,9 @@ loc br0 10.0.1.255 < - The routeback option is - specified for br0. + The routeback and bridge options is specified for br0. @@ -138,13 +140,6 @@ loc br0 10.0.1.255 < - Note to Shorewall-perl users: You - should also specify the bridge - option:#ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect ... -loc br0 10.0.1.255 routeback,bridge,... - Your entry in /etc/shorewall/masq should be unchanged: diff --git a/docs/UPnP.xml b/docs/UPnP.xml index 82597e581..430c78005 100644 --- a/docs/UPnP.xml +++ b/docs/UPnP.xml @@ -93,9 +93,8 @@ forward_chain_name = forwardUPnP Example: - #ZONE INTERFACE BROADCAST OPTIONS -net eth1 detect dhcp,routefilter,tcpflags,upnp + #ZONE INTERFACE OPTIONS +net eth1 dhcp,routefilter,tcpflags,upnp If your loc->fw policy is not ACCEPT then you need this rule: diff --git a/docs/Universal.xml b/docs/Universal.xml index 44a5daea1..a1842d2a2 100644 --- a/docs/Universal.xml +++ b/docs/Universal.xml @@ -202,7 +202,7 @@ /etc/shorewall/macro.*, the general format of a rule in /etc/shorewall/rules is: - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT <macro>(ACCEPT) net $FW @@ -214,7 +214,7 @@ You want to run a Web Server and a IMAP Server on your firewall system: - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT Web(ACCEPT) net $FW IMAP(ACCEPT)net $FW 
@@ -225,14 +225,14 @@ IMAP(ACCEPT)net $FW general format of a rule in /etc/shorewall/rules is:
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DPORT
 ACCEPT net $FW <protocol> <port> You want to run a Web Server and a IMAP Server on your firewall system:
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ #ACTION SOURCE DESTINATION PROTO DPORT
 ACCEPT net $FW tcp 80
 ACCEPT net $FW tcp 143
@@ -320,7 +320,7 @@ ACCEPT net $FW tcp 143 Then at a root prompt, type:
- /sbin/shorewall restart
+ /sbin/shorewall reload
@@ -345,7 +345,7 @@ ACCEPT net $FW tcp 143
Then at a root prompt, type:
- /sbin/shorewall restart
+ /sbin/shorewall reload
diff --git a/docs/VPN.xml b/docs/VPN.xml index e441bed86..5c87c9088 100644 --- a/docs/VPN.xml +++ b/docs/VPN.xml @@ -46,7 +46,7 @@ The two most common means for doing this are IPSEC and PPTP. The basic setup is shown in the following diagram: - + A system with an RFC 1918 address needs to access a remote network through a remote gateway. For this example, we will assume that the local @@ -87,15 +87,15 @@ SOURCE - DESTINATION + DEST - PROTOCOL + PROTO - PORT + DPORT - CLIENT PORT + SPORT - ORIGINAL DEST + ORIGDEST @@ -109,11 +109,11 @@ 50 - + - + - + @@ -127,9 +127,9 @@ 500 - + - + @@ -146,15 +146,15 @@ SOURCE - DESTINATION + DEST - PROTOCOL + PROTO - PORT + DPORT - CLIENT PORT + SPORT - ORIGINAL DEST + ORIGDEST @@ -170,9 +170,9 @@ 4500 - + - + @@ -186,9 +186,9 @@ 500 - + - + diff --git a/docs/VPNBasics.xml b/docs/VPNBasics.xml index 0e273f5b8..4a8e6f665 100644 --- a/docs/VPNBasics.xml +++ b/docs/VPNBasics.xml @@ -115,7 +115,7 @@ Incoming traffic is similar. - +
@@ -203,8 +203,8 @@ loc ipv4 /etc/shorewall/interfaces:
- #ZONE INTERFACE BROADCAST OPTION
-net eth0 - tcpflags,routefilter
+ #ZONE INTERFACE OPTION
+net eth0 tcpflags,routefilter
 loc eth1 -
 rem ppp0 -
@@ -216,7 +216,7 @@ loc eth1 - client(s) and the local zone. You can do that with a couple of policies:
- #SOURCE DESTINATION POLICY LEVEL BURST/LIMIT
+ #SOURCE DESTINATION POLICY LOGLEVEL BURST
 rem loc ACCEPT
 loc rem ACCEPT
@@ -259,8 +259,8 @@ rem2 ipv4 #Remote LAN 2 /etc/shorewall/interfaces:
- #ZONE INTERFACE BROADCAST OPTION
-net eth0 - tcpflags,routefilter
+ #ZONE INTERFACE OPTION
+net eth0 tcpflags,routefilter
 loc eth1 - - tun+ -
@@ -291,15 +291,14 @@ rem2 tun+:10.0.1.0/24 /etc/shorewall/tunnels:
- #TYPE ZONE GATEWAY GATEWAY ZONE
+ #TYPE ZONE GATEWAY GATEWAY_ZONE
 ipsec Z1 1.2.3.4 Z2
/etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST SOURCE
-# PORT PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT SPORT
 ACCEPT $FW Z1:1.2.3.4 udp 500
 ACCEPT Z1:1.2.3.4 $FW udp 500
 ACCEPT $FW Z1:1.2.3.4 50
@@ -322,15 +321,14 @@ ACCEPT Z2:1.2.3.4 $FW udp 500 /etc/shorewall/tunnels:
- #TYPE ZONE GATEWAY GATEWAY ZONE
+ #TYPE ZONE GATEWAY GATEWAY_ZONE
 pptpserver Z1 1.2.3.4
/etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST SOURCE
-# PORT PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT SPORT
 ACCEPT Z1:1.2.3.4 $FW tcp 1723
 ACCEPT $FW Z1:1.2.3.4 47
@@ -347,15 +345,14 @@ ACCEPT Z1:1.2.3.4 $FW 47 /etc/shorewall/tunnels:
- #TYPE ZONE GATEWAY GATEWAY ZONE
+ #TYPE ZONE GATEWAY GATEWAY_ZONE
 openvpn:port Z1 1.2.3.4
/etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST SOURCE
-# PORT PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT SPORT
 ACCEPT Z1:1.2.3.4 $FW udp port
 ACCEPT $FW Z1:1.2.3.4 udp port
@@ -364,15 +361,14 @@ ACCEPT $FW Z1:1.2.3.4 udp port/etc/shorewall/tunnels:
- #TYPE ZONE GATEWAY GATEWAY ZONE
+ #TYPE ZONE GATEWAY GATEWAY_ZONE
 openvpnclient:port Z1 1.2.3.4
/etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST SOURCE
-# PORT PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT SPORT
 ACCEPT Z1:1.2.3.4 $FW udp - port
 ACCEPT $FW Z1:1.2.3.4 udp port
@@ -381,15 +377,14 @@ ACCEPT $FW Z1:1.2.3.4 udp port/etc/shorewall/tunnels:
- #TYPE ZONE GATEWAY GATEWAY ZONE
+ #TYPE ZONE GATEWAY GATEWAY_ZONE
 openvpnserver:port Z1 1.2.3.4
/etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST SOURCE -# PORT PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT ACCEPT Z1:1.2.3.4 $FW udp port ACCEPT $FW Z1:1.2.3.4 udp - port diff --git a/docs/Vserver.xml b/docs/Vserver.xml index 09345bfca..0009529c0 100644 --- a/docs/Vserver.xml +++ b/docs/Vserver.xml @@ -122,7 +122,7 @@ gateway:~# This is a diagram of the network configuration here at Shorewall.net during the summer of 2010: - + I created a zone for the vservers as follows: @@ -138,8 +138,9 @@ vpn ipv4 #OpenVPN clients /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS -net eth1 detect routeback,dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp + ?FORMAT 2 +#ZONE INTERFACE OPTIONS +net eth1 routeback,dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp ... /etc/shorewall/hosts: @@ -164,8 +165,7 @@ drct eth4:dynamic /etc/shorewall6/zones - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall net ipv6 loc ipv6 @@ -175,8 +175,9 @@ vpn ipv6 /etc/shorewall6/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS -net sit1 detect tcpflags,forward=1,nosmurfs,routeback + ?FORMAT 2 +#ZONE INTERFACE OPTIONS +net sit1 tcpflags,forward=1,nosmurfs,routeback ... /etc/shorewall6/hosts: @@ -204,7 +205,7 @@ vpn ipv6 Proxy NDP support in Shorewall 4.4.16 and later. The new network diagram is as shown below: - + This change was accompanied by the following additions to /etc/shorewall6/proxyndp: diff --git a/docs/XenMyWay-Routed.xml b/docs/XenMyWay-Routed.xml index 745da652a..44ce5330e 100644 --- a/docs/XenMyWay-Routed.xml +++ b/docs/XenMyWay-Routed.xml @@ -105,7 +105,7 @@ Here is a high-level diagram of our network. - + As shown in this diagram, the Xen system has three physical network interfaces. These are: 
@@ -365,7 +365,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen' With the three Xen domains up and running, the system looks as shown in the following diagram. - + The zones correspond to the Shorewall zones in the Dom0 configuration. @@ -440,7 +440,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen' a bridged OpenVPN server for the wireless network in our home. Here is the firewall's view of the network: - + The three laptops can be directly attached to the LAN as shown above or they can be attached wirelessly -- their IP addresses are the @@ -520,21 +520,17 @@ TCP_FLAGS_DISPOSITION=DROP /etc/shorewall/zones: - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall #The firewall itself. net ipv4 #Internet loc ipv4 #Local wired Zone dmz ipv4 #DMZ vpn ipv4 #Open VPN clients -wifi ipv4 #Local Wireless Zone -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE - +wifi ipv4 #Local Wireless Zone /etc/shorewall/policy: - #SOURCE DEST POLICY LOG LIMIT:BURST -# LEVEL + #SOURCE DEST POLICY LOGLEVEL LIMIT $FW $FW ACCEPT $FW net ACCEPT loc net ACCEPT @@ -549,8 +545,7 @@ net $FW DROP $LOG 1/sec:2 net loc DROP $LOG 2/sec:4 net dmz DROP $LOG 8/sec:30 net vpn DROP $LOG -all all REJECT $LOG -#LAST LINE -- DO NOT REMOVE +all all REJECT $LOG Note that the firewall<->local network interface is wide open so from a security point of view, the firewall system is @@ -572,9 +567,7 @@ EXT_IF=eth0 WIFI_IF=eth2 TEST_IF=eth4 -OMAK=<IP address at our second home> - -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE +OMAK=<IP address at our second home> /etc/shorewall/init: 
@@ -591,16 +584,14 @@ loc $TEST_IF detect optional loc $TEST1_IF detect optional wifi $WIFI_IF detect dhcp,maclist,mss=1400 vpn tun+ - -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + /etc/shorewall/nat: - #EXTERNAL INTERFACE INTERNAL ALL LOCAL -# INTERFACES + #EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL COMMENT One-to-one NAT 206.124.146.178 $EXT_IF:0 192.168.1.3 No No -206.124.146.180 $EXT_IF:2 192.168.1.6 No No -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +206.124.146.180 $EXT_IF:2 192.168.1.6 No No /etc/shorewall/masq (Note the cute trick here and in the following proxyarp file that allows me to @@ -609,7 +600,7 @@ COMMENT One-to-one NAT rule before the SNAT rules generated by entries in /etc/shorewall/nat above. - #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC + #INTERFACE SOURCE ADDRESS PROTO DPORT IPSEC COMMENT Handle DSL 'Modem' +$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254 
@@ -624,51 +615,36 @@ $EXT_IF:192.168.99.1 192.168.98.1 192.168.1.98 COMMENT Masquerade Local Network -$EXT_IF 192.168.1.0/24 206.124.146.179 -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +$EXT_IF 192.168.1.0/24 206.124.146.179 /etc/shorewall/proxyarp: #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT 192.168.1.1 $EXT_IF $INT_IF yes 206.124.146.177 $DMZ_IF $EXT_IF yes -192.168.1.7 $TEST_IF $INT_IF yes -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +192.168.1.7 $TEST_IF $INT_IF yes /etc/shorewall/tunnels: - #TYPE ZONE GATEWAY GATEWAY -# ZONE + #TYPE ZONE GATEWAY GATEWAY_ZONE openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access -openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - - /etc/shorewall/blacklist: - - #ADDRESS/SUBNET PROTOCOL PORT -- udp 1024:1033,1434 -- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898 -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE +openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server /etc/shorewall/actions: #ACTION -Mirrors # Accept traffic from Shorewall Mirrors -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE +Mirrors # Accept traffic from Shorewall Mirrors /etc/shorewall/action.Mirrors: - #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE -# PORT PORT(S) DEST LIMIT -ACCEPT $MIRRORS -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + #TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE +ACCEPT $MIRRORS /etc/shorewall/rules: SECTION NEW ############################################################################################################################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# PORT PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER 
############################################################################################################################################################################### REJECT:$LOG loc net tcp 25 REJECT:$LOG loc net udp 1025:1031 @@ -893,28 +869,24 @@ Ping(ACCEPT) fw dmz # Avoid logging Freenode.net probes # DROP net:82.96.96.3 all -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + - /etc/shorewall/tcdevices + etc/shorewall/tcdevices - #INTERFACE IN-BANDWITH OUT-BANDWIDTH + #INTERFACE IN_BANDWITH OUT_BANDWIDTH $EXT_IF 1300kbit 384kbit -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE /etc/shorewall/tcclasses#INTERFACE MARK RATE CEIL PRIORITY OPTIONS $EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay $EXT_IF 20 3*full/10 9*full/10 2 default -$EXT_IF 30 2*full/10 6*full/10 3 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +$EXT_IF 30 2*full/10 6*full/10 3 - /etc/shorewall/tcrules#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST -# PORT(S) -1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority - #over the server -1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the - #Shorewall Mirrors. -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + /etc/shorewall/mangle#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST +CLASSIFY(1:110) 192.168.0.0/22 $EXT_IF #Our internal nets get priority + #over the server +CLASSIFY(1:130) 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the + #Shorewall Mirrors.
The tap0 device used by diff --git a/docs/XenMyWay.xml b/docs/XenMyWay.xml index 06b07d505..428b240d0 100644 --- a/docs/XenMyWay.xml +++ b/docs/XenMyWay.xml @@ -72,7 +72,7 @@ class="devicefile">xenbr0) and a number of virtual interfaces as shown in the following diagram. - + I use the term Extended Dom0 to distinguish the bridge and virtual interfaces from Dom0 itself. That distinction is @@ -169,7 +169,7 @@ Here is a high-level diagram of our network. - + As shown in this diagram, the Xen system has three physical network interfaces. These are: @@ -330,7 +330,7 @@ disk = [ 'phy:hda3,hda3,w' ]
With all three Xen domains up and running, the system looks as shown in the following diagram. - + The zones correspond to the Shorewall zones in the firewall DomU configuration. @@ -430,39 +430,24 @@ done
/etc/shorewall/zones: - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall loc ipv4 -dmz ipv4 -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE - +dmz ipv4 /etc/shorewall/policy (Note the unusual use of an ACCEPT all->all policy): - #SOURCE DEST POLICY LOG LIMIT:BURST -# LEVEL + #SOURCE DEST POLICY LOGLEVEL LIMIT dmz all REJECT info all dmz REJECT info -all all ACCEPT -#LAST LINE -- DO NOT REMOVE +all all ACCEPT /etc/shorewall/interfaces: #ZONE INTERFACE BROADCAST OPTIONS loc xenbr0 192.168.1.255 dhcp,routeback -dmz xenbr1 - routeback -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - - /etc/shorewall/rules: - - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# PORT PORT(S) DEST LIMIT GROUP -#SECTION ESTABLISHED -#SECTION RELATED -SECTION NEW -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +dmz xenbr1 - routeback
@@ -478,7 +463,7 @@ SECTION NEW for our two laptops and a bridged OpenVPN server for the wireless network in our home. Here is the firewall's view of the network: - + The two laptops can be directly attached to the LAN as shown above or they can be attached wirelessly -- their IP addresses are the same in @@ -544,21 +529,17 @@ TCP_FLAGS_DISPOSITION=DROP /etc/shorewall/zones: - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall net ipv4 #Internet loc ipv4 #Local wired Zone dmz ipv4 #DMZ vpn ipv4 #Open VPN clients -wifi ipv4 #Local Wireless Zone -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE - +wifi ipv4 #Local Wireless Zone /etc/shorewall/policy: - #SOURCE DEST POLICY LOG LIMIT:BURST -# LEVEL + #SOURCE DEST POLICY LOGLEVEL LIMIT $FW $FW ACCEPT $FW net ACCEPT loc net ACCEPT @@ -573,8 +554,7 @@ net $FW DROP $LOG 1/sec:2 net loc DROP $LOG 2/sec:4 net dmz DROP $LOG 8/sec:30 net vpn DROP $LOG -all all REJECT $LOG -#LAST LINE -- DO NOT REMOVE +all all REJECT $LOG /etc/shorewall/params (edited): @@ -591,9 +571,7 @@ DMZ_IF=eth1 EXT_IF=eth3 WIFI_IF=eth4 -OMAK=<IP address at our second home> - -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE +OMAK=<IP address at our second home> /etc/shorewall/init: @@ -607,15 +585,14 @@ dmz $DMZ_IF 192.168.0.255 logmartians loc $INT_IF 192.168.1.255 dhcp,routeback,logmartians wifi $WIFI_IF 192.168.3.255 dhcp,maclist vpn tun+ - -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + /etc/shorewall/nat: - #EXTERNAL INTERFACE INTERNAL ALL LOCAL -# INTERFACES + #EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL 206.124.146.178 $EXT_IF 192.168.1.3 No No #Wookie 206.124.146.180 $EXT_IF 192.168.1.6 No No #Work LapTop -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + /etc/shorewall/masq (Note the cute trick here and in the following proxyarp file that allows me to 
@@ -624,45 +601,39 @@ vpn tun+ - rule before the SNAT rules generated by entries in /etc/shorewall/nat above. - #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC + #INTERFACE SUBNET ADDRESS PROTO DPORT IPSEC +$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254 -$EXT_IF 192.168.0.0/22 206.124.146.179 -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +$EXT_IF 192.168.0.0/22 206.124.146.179 /etc/shorewall/proxyarp: #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT 192.168.1.1 $EXT_IF $INT_IF yes -206.124.146.177 $DMZ_IF $EXT_IF yes -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +206.124.146.177 $DMZ_IF $EXT_IF yes /etc/shorewall/tunnels: - #TYPE ZONE GATEWAY GATEWAY -# ZONE + #TYPE ZONE GATEWAY GATEWAY_ZONE openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + /etc/shorewall/actions: #ACTION Mirrors # Accept traffic from Shorewall Mirrors -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE + /etc/shorewall/action.Mirrors: - #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE -# PORT PORT(S) DEST LIMIT -ACCEPT $MIRRORS -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + #TARGET SOURCE DEST PROTO PORT SPORT ORIGDEST RATE +ACCEPT $MIRRORS /etc/shorewall/rules: - SECTION NEW + ?SECTION NEW ############################################################################################################################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# PORT PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ############################################################################################################################################################################### REJECT:$LOG loc net tcp 25 REJECT:$LOG loc net udp 1025:1031 
@@ -815,28 +786,24 @@ Ping(ACCEPT) fw dmz # Avoid logging Freenode.net probes # DROP net:82.96.96.3 all -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + /etc/shorewall/tcdevices - #INTERFACE IN-BANDWITH OUT-BANDWIDTH -$EXT_IF 1300kbit 384kbit -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - + #INTERFACE IN_BANDWITH OUT_BANDWIDTH +$EXT_IF 1300kbit 384kbit /etc/shorewall/tcclasses#INTERFACE MARK RATE CEIL PRIORITY OPTIONS $EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay $EXT_IF 20 3*full/10 9*full/10 2 default -$EXT_IF 30 2*full/10 6*full/10 3 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +$EXT_IF 30 2*full/10 6*full/10 3 - /etc/shorewall/tcrules#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST -# PORT(S) -1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority - #over the server -1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the - #Shorewall Mirrors. -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + /etc/shorewall/mangle#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST +CLASSIFY(1:110) 192.168.0.0/22 $EXT_IF #Our internal nets get priority + #over the server +CLASSIFY(1:130) 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the + #Shorewall Mirrors. +
The tap0 device used by the bridged OpenVPN server is bridged to diff --git a/docs/blacklisting_support.xml b/docs/blacklisting_support.xml index 9b0d1acf8..d611197be 100644 --- a/docs/blacklisting_support.xml +++ b/docs/blacklisting_support.xml @@ -85,14 +85,13 @@ url="manpages/shorewall-blrules.html">shorewall-blrules (5)). There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions, standard and custom macros as well as standard and custom actions. See - shorewall-rules (5) for - details. + shorewall-blrules (5) + for details. Example: - #ACTION SOURCE DEST PROTO DEST -# PORTS(S) -SECTION BLACKLIST + #ACTION SOURCE DEST PROTO DPORT + WHITELIST net:70.90.191.126 all DROP net all udp 1023:1033,1434,5948,23773 DROP all net udp 1023:1033 @@ -107,243 +106,74 @@ DROP net:200.55.14.18 all Beginning with Shorewall 4.4.26, the update command supports a option that causes your legacy blacklisting configuration to use the blrules file. - - - If you prefer to keep your blacklisting rules in your rules file - (shorewall-rules - (5)), you can place them in the BLACKLIST section of that file rather - than in blrules. -
- Legacy Blacklisting + Dynamic Blacklisting - Prior to 4.4.25, two forms of blacklisting were supported; static - and dynamic. The dynamic variety is still appropriate for - on-the-fly blacklisting; the static form is - deprecated. + Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by + setting DYNAMIC_BLACKLIST=Yes in shorewall.conf. + Prior to that release, the feature is always enabled. - - By default, only the source address is - checked against the blacklists. Blacklists only stop - blacklisted hosts from connecting to you — they do not stop you or your - users from connecting to blacklisted hosts . + Once enabled, dynamic blacklisting doesn't use any configuration + parameters but is rather controlled using /sbin/shorewall[-lite] commands. + Note that to and from may + only be specified when running Shorewall 4.4.12 or + later. - - - UPDATE + + + drop [to|from] <ip address list> - + causes packets from the listed IP addresses to be silently dropped by + the firewall. + - - Beginning with Shorewall 4.4.12, you can also blacklist by - destination address. See shorewall-blacklist - (5) and shorewall (8) - for details. - - - - + + reject [to|from]<ip address list> - + causes packets from the listed IP addresses to be rejected by the + firewall. + - - Dynamic Shorewall blacklisting is not - appropriate for blacklisting 1,000s of different addresses. Static - Blacklisting can handle large blacklists but only if you use - ipsets. Without ipsets, the blacklists will take forever to - load, and will have a very negative effect on firewall - performance. - + + allow [to|from] <ip address list> - + re-enables receipt of packets from hosts previously blacklisted by a + drop or reject + command. + -
- Static Blacklisting + + save - save the dynamic blacklisting configuration so that it + will be automatically restored the next time that the firewall is + restarted. - Shorewall static blacklisting support has the following - configuration parameters: + Update: Beginning with + Shorewall 4.4.10, the dynamic blacklist is automatically retained over + stop/start sequences and over + restart and reload. + - - - You specify whether you want packets from blacklisted hosts - dropped or rejected using the BLACKLIST_DISPOSITION setting in - shorewall.conf(5). - + + show dynamic - displays the dynamic blacklisting + configuration. + - - You specify whether you want packets from blacklisted hosts - logged and at what syslog level using the BLACKLIST_LOGLEVEL setting - in shorewall.conf(5). - + + logdrop [to|from] <ip address list> - + causes packets from the listed IP addresses to be dropped and logged + by the firewall. Logging will occur at the level specified by the + BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at + the 'info' level if no BLACKLIST_LOGLEVEL was given). + - - You list the IP addresses/subnets that you wish to blacklist - in shorewall-blacklist - (5). You may also specify PROTOCOL and Port numbers/Service names in - the blacklist file. - - - - You specify the interfaces whose incoming packets you want - checked against the blacklist using the blacklist - option in shorewall-interfaces(5) - (shorewall-zones(5) in - Shorewall 4.4.12 and later). - - - - Prior to Shorewall 4.4.20, only source-address static blacklisting - was supported. - - Users with a large static black list may want to set the - DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version - 2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new - connections before loading the blacklist rules. 
While this may allow - connections from blacklisted hosts to slip by during construction of the - blacklist, it can substantially reduce the time that all new connections - are disabled during "shorewall [re]start". - - Beginning with Shorewall 2.4.0, you can use ipsets to define your static blacklist. Here's - an example: - - #ADDRESS/SUBNET PROTOCOL PORT -+Blacklistports[dst] -+Blacklistnets[src,dst] -+Blacklist[src,dst] -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - - In this example, there is a portmap ipset - Blacklistports that blacklists all traffic with - destination ports included in the ipset. There are also - Blacklistnets (type nethash) - and Blacklist (type iphash) - ipsets that allow blacklisting networks and individual IP addresses. - Note that [src,dst] is specified so that individual entries in the sets - can be bound to other portmap ipsets to allow blacklisting - (source address, destination - port) combinations. For example: - - ipset -N SMTP portmap --from 1 --to 31 -ipset -A SMTP 25 -ipset -A Blacklist 206.124.146.177 -ipset -B Blacklist 206.124.146.177 -b SMTP - - This will blacklist SMTP traffic from host 206.124.146.177. -
- -
- Static Whitelisting - - Beginning with Shorewall 4.4.20, you can create - whitelist entries in the blacklist file. - Connections/packets matching a whitelist entry are not matched against - the entries in the blacklist file that follow. Whitelist entries are - created using the whitelist option - (OPTIONS column). See shorewall-blacklist - (5). -
- -
- Dynamic Blacklisting - - Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by - setting DYNAMIC_BLACKLIST=Yes in shorewall.conf. - Prior to that release, the feature is always enabled. - - Once enabled, dynamic blacklisting doesn't use any configuration - parameters but is rather controlled using /sbin/shorewall[-lite] - commands. Note that to and from may - only be specified when running Shorewall 4.4.12 or - later. - - - - drop [to|from] <ip address list> - - causes packets from the listed IP addresses to be silently dropped - by the firewall. - - - - reject [to|from]<ip address list> - - causes packets from the listed IP addresses to be rejected by the - firewall. - - - - allow [to|from] <ip address list> - - re-enables receipt of packets from hosts previously blacklisted by a - drop or reject - command. - - - - save - save the dynamic blacklisting configuration so that it - will be automatically restored the next time that the firewall is - restarted. - - Update: Beginning with - Shorewall 4.4.10, the dynamic blacklist is automatically retained - over stop/start sequences and over - restart. - - - - show dynamic - displays the dynamic blacklisting - configuration. - - - - logdrop [to|from] <ip address list> - - causes packets from the listed IP addresses to be dropped and - logged by the firewall. Logging will occur at the level specified by - the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will - be at the 'info' level if no BLACKLIST_LOGLEVEL was given). - - - - logreject [to|from}<ip address - list> - causes packets from the listed IP addresses to - be rejected and logged by the firewall. Logging will occur at the - level specified by the BLACKLIST_LOGLEVEL setting at the last - [re]start (logging will be at the 'info' level if no - BLACKLIST_LOGLEVEL was given). - - - - Dynamic blacklisting is not dependent on the - blacklist option in - /etc/shorewall/interfaces. 
- - - Ignore packets from a pair of systems - - shorewall[-lite] drop 192.0.2.124 192.0.2.125 - - Drops packets from hosts 192.0.2.124 and 192.0.2.125 - - - - Re-enable packets from a system - - shorewall[-lite] allow 192.0.2.125 - - Re-enables traffic from 192.0.2.125. - - - - Displaying the Dynamic Blacklist - - shorewall show dynamic - - Displays the 'dynamic' chain which contains rules for the - dynamic blacklist. The source column contains - the set of blacklisted addresses. - -
+ + logreject [to|from}<ip address list> + - causes packets from the listed IP addresses to be rejected and + logged by the firewall. Logging will occur at the level specified by + the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be + at the 'info' level if no BLACKLIST_LOGLEVEL was given). + +
diff --git a/docs/bridge-Shorewall-perl.xml b/docs/bridge-Shorewall-perl.xml index 386c6e6cb..903ea0174 100644 --- a/docs/bridge-Shorewall-perl.xml +++ b/docs/bridge-Shorewall-perl.xml @@ -134,7 +134,7 @@ the bridge would work exactly the same if public IP addresses were used (remember that the bridge doesn't deal with IP addresses). - + There are a several key differences in this setup and a normal Shorewall configuration: @@ -180,7 +180,7 @@ systems connected to that switch. All of the systems on the local side of the router would still be configured with IP addresses in 192.168.1.0/24 as shown below. + fileref="images/bridge3.png"/>
@@ -571,8 +571,7 @@ rc-update add bridge boot fw firewall world ipv4 net:world bport -loc:world bport -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE +loc:world bport The world zone can be used when defining rules whose source zone is the firewall itself (remember that fw-><BP @@ -581,11 +580,10 @@ loc:world bport A conventional two-zone policy file is appropriate here — /etc/shorewall/policy: - #SOURCE DEST POLICY LOG LIMIT:BURST + #SOURCE DEST POLICY LOGLEVEL LIMIT loc net ACCEPT net all DROP info -all all REJECT info -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE +all all REJECT info In /etc/shorewall/shorewall.conf: @@ -596,11 +594,10 @@ all all REJECT info is connected to eth0 and the switch to eth1: - #ZONE INTERFACE BROADCAST OPTIONS -world br0 detect bridge + #ZONE INTERFACE OPTIONS +world br0 bridge net br0:eth0 -loc br0:eth1 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +loc br0:eth1 The world zone is associated with the bridge itself which is defined with the bridge @@ -616,8 +613,7 @@ loc br0:eth1 /etc/shorewall/routestopped: #INTERFACE HOST(S) OPTIONS -br0 192.168.1.0/24 routeback -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +br0 192.168.1.0/24 routeback The /etc/shorewall/rules file from the two-interface sample is a good place to start for defining a set of @@ -645,9 +641,9 @@ br0 192.168.1.0/24 routeback /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS - world br0 - bridge - world br1 - bridge + #ZONE INTERFACE OPTIONS + world br0 bridge + world br1 bridge z1 br0:p+ z2 br1:p+ 
@@ -657,11 +653,11 @@ br0 192.168.1.0/24 routeback configuration may be defined using the following in /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS - world br0 - bridge - world br1 - bridge - z1 br0:x+ - physical=p+ - z2 br1:y+ - physical=p+ + #ZONE INTERFACE OPTIONS + world br0 bridge + world br1 bridge + z1 br0:x+ physical=p+ + z2 br1:y+ physical=p+ In this configuration, 'x+' is the logical name for ports p+ on bridge br0 while 'y+' is the logical name for ports p+ on bridge @@ -673,8 +669,7 @@ br0 192.168.1.0/24 routeback Example from /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST - # PORT(S) + #ACTION SOURCE DEST PROTO DPORT REJECT z1:x1023 z1:x1024 tcp 1234
@@ -683,7 +678,7 @@ br0 192.168.1.0/24 routeback A system running Shorewall doesn't have to be exclusively a bridge or a router -- it can act as both, which is also know as a brouter. Here's - an example: + an example: This is basically the same setup as shown in the Shorewall Setup Guide with the @@ -710,11 +705,11 @@ loc ipv4
The /etc/shorewall/interfaces file is as - follows:#ZONE INTERFACE BROADCAST OPTIONS -pub br0 detect routefilter,bridge + follows:#ZONE INTERFACE OPTIONS +pub br0 routefilter,bridge net br0:eth0 dmz br0:eth2 -loc eth1 detect +loc eth1
@@ -761,9 +756,7 @@ all all REJECT info
/etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST SOURCE -# - PORT(S) PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT ACCEPT all all icmp 8 ACCEPT loc $DMZ tcp 25,53,80,443,... ACCEPT loc $DMZ udp 53 @@ -784,7 +777,7 @@ ACCEPT $FW $DMZ tcp 53 This configuration is shown in the following diagram. - + In this configuration, veth0 is assigned the internal IP address; br0 does not have an IP address. @@ -872,8 +865,7 @@ iface veth0 inet static For this configuration, we need several additional zones as shown here: - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall net ipv4 zone1 bport @@ -943,22 +935,19 @@ all all REJECT:info Rules allowing traffic from the net to zone2 look like this: - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK -# PORT(S) PORT(S) DEST LIMIT GROUP + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK ACCEPT col zone2 tcp 22 - - - - net or more compactly: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT col zone2 tcp 22 ; mark=net Similarly, rules allowing traffic from the firewall to zone3: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT col zone3 tcp 22 ; mark=fw @@ -969,8 +958,7 @@ ACCEPT col zone3 tcp 22 Suppose that you want to forward tcp port 80 to 192.168.4.45 in zone3: - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK -# PORT(S) PORT(S) DEST LIMIT GROUP + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK DNAT- net loc:172.168.4.45 tcp 80 ACCEPT col zone3:172.168.4.45 tcp 80 - - - - net 
@@ -979,15 +967,13 @@ ACCEPT col zone3:172.168.4.45 tcp 80 - - role="bold">zonei zones to the net zone look like this: - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK -# PORT(S) PORT(S) DEST LIMIT GROUP + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK ACCEPT loc net tcp 21 - - - - zone1 And to the firewall: - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK -# PORT(S) PORT(S) DEST LIMIT GROUP + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK ACCEPT zone2 col tcp - - - - zone2 diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml index 5cb0d55d8..8d072bd18 100644 --- a/docs/configuration_file_basics.xml +++ b/docs/configuration_file_basics.xml @@ -464,8 +464,7 @@ smtp,www,pop3,imap #Services running on the firewall Example (/etc/shorewall/rules): - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT net:\ 206.124.146.177,\ 206.124.146.178,\ @@ -483,8 +482,7 @@ ACCEPT net:\ A trailing backslash is not ignored in a comment. So the continued rule above can be commented out with a single '#' as follows: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT #ACCEPT net:\ 206.124.146.177,\ 206.124.146.178,\ @@ -765,8 +763,7 @@ ACCEPT net:\ Example (rules file): - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT DNAT net loc:10.0.0.1 tcp 80 ; mark="88" Here's the same line in several equivalent formats: @@ -1133,8 +1130,7 @@ COMB_IF !70.90.191.120/29 70.90.191.123 
@@ -1166,14 +1162,14 @@ COMB_IF !70.90.191.120/29 70.90.191.123 - /etc/shorewall/rules:SECTION NEW + /etc/shorewall/rules:?SECTION NEW SHELL cat /etc/shorewall/rules.d/*.rules If you are the sort to put such an entry in your rules file even though /etc/shorewall/rules.d might not exist or might be empty, then you probably want: - SECTION NEW + ?SECTION NEW SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true Beginning with Shorewall 4.5.2, in files other than @@ -1306,7 +1302,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true - [?]COMMENT [ comment ] + ?COMMENT [ comment ] If comment is present, it will @@ -1363,8 +1359,7 @@ gateway:~ # /usr/share/shorewall/macro.SSH: - #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT(S) PORT(S) LIMIT GROUP + #ACTION SOURCE DEST PROTO DPORT SPORT RATE USER ?COMMENT SSH PARAM - - tcp 22 /etc/shorewall/rules:?COMMENT Allow SSH from home @@ -1771,7 +1766,7 @@ SSH(ACCEPT) net:$MYIP $FW - They may also appear in the ORIGINAL DEST column of: + They may also appear in the ORIGDEST column of: @@ -2318,8 +2313,7 @@ gmail-pop.l.google.com. 300 IN A 209.85.2 So this rule may work for five minutes then suddently stop working: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT POP(ACCEPT) loc net:pop.gmail.com If your firewall rules include DNS names then: @@ -2418,7 +2412,7 @@ POP(ACCEPT) loc net:pop.gmail.com - Must not have any embedded white space. Valid: routefilter,dhcp,arpfilter + Must not have any embedded white space.+ Valid: routefilter,dhcp,arpfilter Invalid: routefilter,     dhcp,     arpfilter @@ -2608,7 +2602,7 @@ redirect => 137 to forward the range of tcp ports 4000 through 4100 to local host 192.168.1.3, the entry in /etc/shorewall/rules is: - #ACTION SOURCE DESTINATION PROTO DEST PORTS(S) + #ACTION SOURCE DESTINATION PROTO DPORT DNAT net loc:192.168.1.3 tcp 4000:4100 If you omit the low port number, a value of zero is assumed; if you 
@@ -2790,8 +2784,7 @@ DNAT net loc:192.168.1.3 tcp 4000:4100< Forward port 80 to dmz host $BACKUP if switch 'primary_down' is on. - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH -# PORT(S) PORT(S) DEST LIMIT GROUP + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down
@@ -2822,17 +2815,16 @@ DNAT net dmz:$BACKUP tcp 80 - - Here is an example: - #ZONE INTERFACE BROADCAST OPTIONS -net COM_IF detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,#ZONE INTERFACE OPTIONS +net COM_IF dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,physical=eth0 -net EXT_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,EXT_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,physical=eth2 -loc INT_IF detect dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,INT_IF dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,physical=eth1 -dmz VPS_IF detect logmartians=1,routefilter=0,routeback,VPS_IF logmartians=1,routefilter=0,routeback,physical=venet0 -loc TUN_IF detect physical=tun+ +loc TUN_IF physical=tun+
In this example, COM_IF is a logical interface name that refers to Ethernet interface eth0, EXT_IF is diff --git a/docs/dhcp.xml b/docs/dhcp.xml index c4f06b760..9af0ea421 100644 --- a/docs/dhcp.xml +++ b/docs/dhcp.xml @@ -154,15 +154,13 @@ Allow UDP ports 67 and 68 ("67:68") between the client zone and the server zone: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT ZONEA ZONEB udp 67:68 ACCEPT ZONEB ZONEA udp 67:68 Alternatively, use the DHCPfwd macro: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT DHCPfwd(ACCEPT) ZONEA ZONEB diff --git a/docs/ipsets.xml b/docs/ipsets.xml index 468761d07..620f92113 100644 --- a/docs/ipsets.xml +++ b/docs/ipsets.xml @@ -107,13 +107,13 @@ Example 1: Blacklist all hosts in an ipset named "blacklist" - /etc/shorewall/blacklist#ADDRESS/SUBNET PROTOCOL PORT -+blacklist + /etc/shorewall/blrules#ACTION SOURCE DEST PROTO DPORT +DROP net:+blacklist Example 2: Allow SSH from all hosts in an ipset named "sshok: - /etc/shorewall/rules#ACTION SOURCE DEST PROTO DEST PORT(S) -ACCEPT net:+sshok $FW tcp 22 + /etc/shorewall/rules#ACTION SOURCE DEST PROTO DPORT +ACCEPT net:+sshok $FW tcp 22 The name of the ipset can be optionally followed by a comma-separated list of flags enclosed in square brackets ([...]). Each diff --git a/docs/netmap.xml b/docs/netmap.xml index 3b1dea834..b5efdd8e6 100644 --- a/docs/netmap.xml +++ b/docs/netmap.xml @@ -54,7 +54,7 @@ Shorewall NETMAP support is designed to supply a solution. The basic situation is as shown in the following diagram. + fileref="images/netmap.png"/> While the link between the two firewalls is shown here as a VPN, it could be any type of interconnection that allows routing of - DEST PORT(S) (Optional - Added in - Shorewall 4.4.23.2) - + DPORT (Optional - Added in Shorewall + 4.4.23.2) - port-number-or-name-list 
@@ -190,8 +190,8 @@ - DEST PORT(S) (Optional - Added in - Shorewall 4.4.23.2) - + SPORT (Optional - Added in Shorewall + 4.4.23.2) - port-number-or-name-list @@ -314,7 +314,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B192.168.1.27 - + @@ -350,7 +350,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B192.168.1.4 - + @@ -413,7 +413,7 @@ DNAT:T 10.10.10.0/24 vpn 192.168.1.0/24IPv6 Netmap has been verified at shorewall.net using the configuration shown below. - + IPv6 support is supplied from Hurricane Electric; the IPv6 address block is 2001:470:b:227::/64. diff --git a/docs/ping.xml b/docs/ping.xml index ab382dd94..9ab8d5cfb 100644 --- a/docs/ping.xml +++ b/docs/ping.xml @@ -55,7 +55,7 @@ policy for z1 to z2 is not ACCEPT, you need a rule in /etc/shorewall/rules of the form: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT Ping(ACCEPT) z1 z2 @@ -63,7 +63,7 @@ Ping(ACCEPT) z1 z2 To permit ping from the local zone to the firewall: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT Ping(ACCEPT) loc $FW @@ -79,7 +79,7 @@ Ping(ACCEPT) loc $FW With that rule in place, if you want to ignore ping from z1 to z2 then you need a rule of the form: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT Ping(DROP) z1 z2 @@ -88,7 +88,7 @@ Ping(DROP) z1 z2 To drop ping from the Internet, you would need this rule in /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT Ping(DROP) net $FW diff --git a/docs/ports.xml b/docs/ports.xml index 500d41f73..03890e9d7 100644 --- a/docs/ports.xml +++ b/docs/ports.xml @@ -61,7 +61,7 @@ from the dmz zone to the net zone: - #ACTION SOURCE DESTINATION + #ACTION SOURCE DEST DNS(ACCEPT) dmz net 
@@ -74,12 +74,12 @@ DNS(ACCEPT) dmz net Example: You want to port forward FTP from the net to your server at 192.168.1.4 in your DMZ. The FTP section below gives you: - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT FTP(ACCEPT) <source> <destination> You would code your rule as follows: - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT FTP(DNAT) net dmz:192.168.1.4 @@ -93,7 +93,7 @@ FTP(DNAT) net dmz:192.168.1.4 anymore. - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT Auth(ACCEPT) <source> <destination> @@ -110,14 +110,14 @@ Auth(ACCEPT) <source> <destination& port(s) - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT BitTorrent(ACCEPT)<source> <destination>
DNS - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT DNS(ACCEPT) <source> <destination> Note that if you are setting up a DNS server that supports recursive @@ -128,7 +128,7 @@ DNS(ACCEPT) <source> <destination& a public DNS server in your DMZ that supports recursive resolution for local clients then you would need: - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT DNS(ACCEPT) all dmz DNS(ACCEPT) dmz net @@ -174,7 +174,7 @@ DNS(ACCEPT) dmz net /etc/shorewall/rules: - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT Edonkey(DNAT) net loc:192.168.1.4 #if you wish to enable the Emule webserver, add this rule too. DNAT net loc:192.168.1.4 tcp 4711 @@ -183,7 +183,7 @@ DNAT net loc:192.168.1.4 tcp 4711
FTP - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT FTP(ACCEPT) <source> <destination> Look here for much more @@ -212,14 +212,14 @@ FTP(ACCEPT) <source> <destination> Your loc->net policy is ACCEPT - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT Gnutella(DNAT) net loc:192.168.1.4
ICQ/AIM - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT ICQ(ACCEPT) <source> net
@@ -236,7 +236,7 @@ ICQ(ACCEPT) <source> net
This information is valid only for Shorewall 3.2 or later. - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT IMAP(ACCEPT) <source> <destination> # Unsecure IMAP IMAPS(ACCEPT) <source> <destination> # IMAP over SSL.
@@ -244,7 +244,7 @@ IMAPS(ACCEPT) <source> <destination> # IMAP over SSL. IPSEC - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT ACCEPT <source> <destination> 50 ACCEPT <source> <destination> 51 ACCEPT <source> <destination> udp 500
@@ -263,9 +263,9 @@ ACCEPT <destination> <source>This information is valid only for Shorewall 3.2 or later. - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT LDAP(ACCEPT) <source> <destination> #Insecure LDAP
-LDAPS(ACCEPT) <source> <destination> # LDAP over SSL
+LDAPS(ACCEPT) <source> <destination> # LDAP over SSL
@@ -284,14 +284,14 @@ LDAPS(ACCEPT) <source> & how to deal with the consequences, you have been warned. - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT MySQL(ACCEPT) <source> <destination>
NFS - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT ACCEPT <z1>:<list of client IPs> <z2>:a.b.c.d tcp 111 ACCEPT <z1>:<list of client IPs> <z2>:a.b.c.d udp @@ -302,14 +302,14 @@ ACCEPT <z1>:<list of client IPs> NTP (Network Time Protocol) - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT NTP(ACCEPT) <source> <destination>
<trademark>PCAnywhere</trademark> - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT PCA(ACCEPT) <source> <destination>
@@ -325,7 +325,7 @@ PCA(ACCEPT) <source> <destination> This information is valid only for Shorewall 3.2 or later - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT POP3(ACCEPT) <source> <destination> # Secure POP3S(ACCEPT) <source> <destination> #Unsecure Pop3 @@ -333,7 +333,7 @@ POP3S(ACCEPT) <source> <destination> #Unsecure Pop3 PPTP - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT ACCEPT <source> <destination> 47 ACCEPT <source> <destination> tcp 1723 @@ -344,14 +344,14 @@ ACCEPT <source> <destination> rdate - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT Rdate(ACCEPT) <source> <destination>
rsync - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT Rsync(ACCEPT) <source> <destination>
@@ -363,16 +363,16 @@ Rsync(ACCEPT) <source> <destination& firewall and is using the default ports. - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT REDIRECT loc 5060 udp 5060 ACCEPT net fw udp 5060
-ACCEPT net fw udp 7070:7089
+ACCEPT net fw udp 7070:7089
SSH/SFTP - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT SSH(ACCEPT)<source> <destination>
@@ -380,7 +380,7 @@ SSH(ACCEPT)<source> <destination>SMB/NMB (Samba/Windows Browsing/File Sharing) - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT SMB(ACCEPT) <source> <destination> SMB(ACCEPT) <destination> <source> @@ -394,7 +394,7 @@ SMB(ACCEPT) <destination> <source> This information is valid only for Shorewall 3.2 or later. - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT SMTP(ACCEPT) <source> <destination> #Insecure SMTP SMTPS(ACCEPT) <source> <destination> #SMTP over SSL (TLS) @@ -402,7 +402,7 @@ SMTPS(ACCEPT) <source> <destination&
SNMP - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT SNMP(ACCEPT) <source> <destination>
@@ -418,7 +418,7 @@ SNMP(ACCEPT) <source> <destination&g role="bold">svnserve mode only. - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT SVN(ACCEPT) <source> <destination> @@ -430,7 +430,7 @@ SVN(ACCEPT) <source> <destination> insecure, don't use it.
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT Telnet(ACCEPT) <source> <destination> @@ -447,14 +447,14 @@ Telnet(ACCEPT) <source> <destination that the /etc/shorewall/modules file released with recent Shorewall versions contains entries for these modules. - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT ACCEPT <source> <destination> udp 69
Traceroute - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT Trcrt(ACCEPT) <source> <destination> #Good for 10 hops UDP traceroute uses ports 33434 through 33434+<max number of @@ -464,7 +464,7 @@ Trcrt(ACCEPT) <source> <destination& automatically since those sample configurations enable all ICMP packet types originating on the firewall itself. - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT ACCEPT fw net icmp ACCEPT fw loc icmp ACCEPT fw ... @@ -473,7 +473,7 @@ ACCEPT fw ...
Usenet (NNTP) - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT NNTP(ACCEPT) <source> <destination> NNTPS(ACCEPT) <source> <destination> # secure NNTP @@ -493,13 +493,13 @@ NNTPS(ACCEPT) <source> <destination> # secure NNTPthe following rule handles VNC traffic for VNC displays 0 - 9. - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT VNC(ACCEPT) <source> <destination> Vncserver to Vncviewer in listen mode -- TCP port 5500. - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT VNCL(ACCEPT) <source> <destination>
@@ -519,7 +519,7 @@ VNCL(ACCEPT) <source> <destination&g This information is valid for Shorewall 3.2 or later. - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT HTTP(ACCEPT) <source> <destination> #Insecure HTTP HTTPS(ACCEPT) <source> <destination> #Secure HTTP
@@ -527,7 +527,7 @@ HTTPS(ACCEPT) <source> <destination> #Secure HTTP Webmin - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT Webmin(ACCEPT) <source> <destination> Webmin use TCP port 10000. @@ -535,7 +535,7 @@ Webmin(ACCEPT) <source> <destination
Whois - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT Whois(ACCEPT) <source> <destination>
@@ -546,7 +546,7 @@ Whois(ACCEPT) <source> <destination& <chooser> and the Display Manager/X applications are running at <apps>.
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT ACCEPT <chooser> <apps> udp 177 #XDMCP ACCEPT <apps> <chooser> tcp 6000:6009 #X Displays 0-9 diff --git a/docs/samba.xml b/docs/samba.xml index 97549e92e..e60dbe3d0 100644 --- a/docs/samba.xml +++ b/docs/samba.xml @@ -44,15 +44,13 @@ If you wish to run Samba on your firewall and access shares between the firewall and local hosts, you need the following rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT SMB(ACCEPT) $FW loc SMB(ACCEPT) loc $FW To pass traffic SMB/Samba traffic between zones Z1 and Z2: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT SMB(ACCEPT) Z1 Z2 SMB(ACCEPT) Z2 Z1 diff --git a/docs/shorewall_features.xml b/docs/shorewall_features.xml index 7441d390e..fa038b632 100644 --- a/docs/shorewall_features.xml +++ b/docs/shorewall_features.xml @@ -5,7 +5,7 @@ - Shorewall 4.4/4.5/4.6 Features + Shorewall 5.0 Features Tom @@ -16,7 +16,7 @@ - 2001-2014 + 2001-2016 Thomas M Eastep @@ -32,13 +32,6 @@ - - This article applies to Shorewall 4.3 and - later. If you are running a version of Shorewall earlier than Shorewall - 4.3.5 then please see the documentation for that - release. - -
Features
@@ -278,6 +271,10 @@ LXC + + + Docker (Shorewall 5.0.6 and later) +
diff --git a/docs/shorewall_logging.xml b/docs/shorewall_logging.xml
index 9b989c208..d84fe2139 100644
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -314,14 +314,34 @@ gateway:/etc/shorewall# /etc/shorewall/shorewall.conf: MACLIST_LOG_LEVEL=NFLOG(1,0,1) - /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST -# PORT(S) + /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DPORT ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 Shorewall considers ULOG(...) and NFLOG(...) to be log levels, just like info, debug, etc. even though they are not defined by syslog. + + Here is a copy of a ulogd.conf file that logs to + /var/log/firewall. It was contributed by a Shorewall user on IRC: +
+ [global]
+user="ulogd"
+logfile="/var/log/ulogd/ulogd.log"
+loglevel=7
+
+plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
+plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
+plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
+plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
+plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
+plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"
+
+stack=log:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU
+
+[firewall]
+file="/var/log/firewall"
+sync=1
diff --git a/docs/shorewall_setup_guide.xml b/docs/shorewall_setup_guide.xml
index de44d7869..0f3e8906b 100644
--- a/docs/shorewall_setup_guide.xml
+++ b/docs/shorewall_setup_guide.xml
@@ -106,19 +106,13 @@ Note to Debian Users If you install using the .deb, you will find that your /etc/shorewall directory is empty. This - is intentional. The released configuration file skeletons may be found - on your system in the directory /usr/share/doc/shorewall-common/default-config. + class="directory">/etc/shorewall directory is almost empty. + This is intentional. The released configuration file skeletons may be + found on your system in the directory /usr/share/doc/shorewall/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies. - - Note that you must copy /usr/share/doc/shorewall-common/default-config/shorewall.conf - and /usr/share/doc/shorewall-common/default-config/modules to - /etc/shorewall even if you do - not modify those files. As each file is introduced, I suggest that you look through the
@@ -269,8 +263,7 @@ dmz ipv4
/etc/shorewall/policy file had the following policies: - #SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT:BURST -# LEVEL + #SOURCE DEST POLICY LOGLEVEL LIMIT loc net ACCEPT net all DROP info all all REJECT info
@@ -416,10 +409,11 @@ all all REJECT info url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces file, that file would might contain: - #ZONE INTERFACE BROADCAST OPTIONS
-net eth0 detect
-loc eth1 detect
-dmz eth2 detect
+ ?FORMAT 2
+#ZONE INTERFACE OPTIONS
+net eth0
+loc eth1
+dmz eth2 Note that the $FW zone has no entry in the /etc/shorewall/interfaces file.
@@ -435,10 +429,11 @@ dmz eth2 detect
Multiple Interfaces to a Zone - #ZONE INTERFACE BROADCAST OPTIONS
-net eth0 detect
-loc eth1 detect
-loc eth2 detect
+ ?FORMAT 2
+#ZONE INTERFACE BROADCAST OPTIONS
+net eth0
+loc eth1
+loc eth2
@@ -1409,8 +1404,7 @@ eth0 192.168.201.0/29 192.0.2.176
/etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# PORT(S) PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT net loc:192.168.201.4 tcp www If one of your daughter's friends at address This example used the firewall's external IP address for DNAT. You can use another of your public IP addresses (place it in the - ORIGINAL DEST column in the rule above) but Shorewall will not add - that address to the firewall's external interface for you. + ORIGDEST column in the rule above) but Shorewall will not add that + address to the firewall's external interface for you. When testing DNAT rules like those shown above, you must test @@ -1489,7 +1483,7 @@ DNAT net loc:192.168.201.4 tcp www url="ProxyARP.htm">/etc/shorewall/proxyarp file. - #ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTENT + #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT 192.0.2.177 eth2 eth0 No 192.0.2.178 eth2 eth0 No @@ -1608,7 +1602,7 @@ eth0 192.168.201.0/29 192.0.2.176 You would do that by adding an entry in /etc/shorewall/nat. - #EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL + #EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL 192.0.2.179 eth0 192.168.201.4 No No With this entry in place, you daughter has her own IP address @@ -1622,8 +1616,7 @@ eth0 192.168.201.0/29 192.0.2.176 to use a DNAT rule for you daughter's web server -- you would rather just use an ACCEPT rule: - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# PORT(S) PORT(S) DEST + #ACTION SOURCE DEST PROTO DEST SPORT ORIGDEST ACCEPT net loc:192.168.201.4 tcp www A word of warning is in order here. ISPs typically configure 
@@ -1719,14 +1712,13 @@ ACCEPT net loc:192.168.201.4 tcp www rules. - Since the SOURCE PORT(S) and ORIG. DEST. Columns aren't used in - this section, they won't be shown + Since the SPORT and ORIGDEST. Columns aren't used in this + section, they won't be shown You probably want to allow ping between your zones: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT net dmz icmp echo-request ACCEPT net loc icmp echo-request ACCEPT dmz loc icmp echo-request @@ -1735,8 +1727,7 @@ ACCEPT loc dmz icmp echo-request Let's suppose that you run mail and pop3 servers on DMZ 2 and a Web Server on DMZ 1. The rules that you would need are: - #ACTION SOURCE DEST PROTO DEST COMMENTS -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT net dmz:192.0.2.178 tcp smtp #Mail from #Internet ACCEPT net dmz:192.0.2.178 tcp pop3 #Pop3 from @@ -1760,8 +1751,7 @@ ACCEPT loc dmz:192.0.2.177 tcp https #Secure WWW If you run a public DNS server on 192.0.2.177, you would need to add the following rules: - #ACTION SOURCE DEST PROTO DEST COMMENTS -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT net dmz:192.0.2.177 udp domain #UDP DNS from #Internet ACCEPT net dmz:192.0.2.177 tcp domain #TCP DNS from @@ -1784,8 +1774,7 @@ ACCEPT dmz:192.0.2.177 net tcp domain #TCPP DNS to scp utility can also do publishing and software update distribution. - #ACTION SOURCE DEST PROTO DEST COMMENTS -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT loc dmz tcp ssh #SSH to the DMZ ACCEPT net $FW tcp ssh #SSH to the #Firewall 
@@ -1816,22 +1805,11 @@ ACCEPT net $FW tcp ssh #SSH to the /etc/shorewall/interfaces (The options will be very site-specific). - #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect routefilter -loc eth1 detect -dmz eth2 detect - - The setup described here requires that your network interfaces be - brought up before Shorewall can start. This opens a short window during - which you have no firewall protection. If you replace - detect with the actual broadcast addresses in the entries - above, you can bring up Shorewall before you bring up your network - interfaces. - - #ZONE INTERFACE BROADCAST OPTIONS -net eth0 192.0.2.255 -loc eth1 192.168.201.7 -dmz eth2 192.168.202.7 + ?FORMAT 2 +#ZONE INTERFACE OPTIONS +net eth0 routefilter +loc eth1 +dmz eth2 /etc/shorewall/masq - Local Subnet @@ -1851,8 +1829,7 @@ eth0 192.168.201.0/29 192.0.2.176 /etc/shorewall/rules - #ACTION SOURCE DEST PROTO DEST COMMENTS -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT net dmz icmp echo-request ACCEPT net loc icmp echo-request ACCEPT dmz loc icmp echo-request diff --git a/docs/simple_traffic_shaping.xml b/docs/simple_traffic_shaping.xml index e2d2488fa..81e187999 100644 --- a/docs/simple_traffic_shaping.xml +++ b/docs/simple_traffic_shaping.xml @@ -194,7 +194,7 @@ eth0 External band 2. - When an INTERFACE is specified, the PROTO, PORT(S) and ADDRESS + When an INTERFACE is specified, the PROTO, DPORT and ADDRESS column must contain '-'. @@ -203,14 +203,14 @@ eth0 External Assign traffic from a particular IP address to a specific priority band: - #BAND PROTO PORT(S) ADDRESS INTERFACE HELPER + #BAND PROTO DPORT ADDRESS INTERFACE HELPER 1 - - 192.168.1.44 In this example, traffic from 192.168.1.44 will be assigned to priority band 1. - When an ADDRESS is specified, the PROTO, PORT(S) and INTERFACE + When an ADDRESS is specified, the PROTO, DPORT and INTERFACE columns must be empty. 
@@ -219,7 +219,7 @@ eth0 External Assign traffic to/from a particular application to a specific priority band: - #BAND PROTO PORT(S) ADDRESS INTERFACE HELPER + #BAND PROTO DPORT ADDRESS INTERFACE HELPER 1 udp 1194 In that example, OpenVPN traffic is assigned to priority band @@ -230,7 +230,7 @@ eth0 External Assign traffic that uses a particular Netfilter helper to a particular priority band: - #BAND PROTO PORT(S) ADDRESS INTERFACE HELPER + #BAND PROTO DPORT ADDRESS INTERFACE HELPER 1 - - - - sip In this example, SIP and associated RTP traffic will be assigned @@ -318,11 +318,11 @@ tun0 Internal Example: - /etc/shorewall/tcinterfaces#INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH + /etc/shorewall/tcinterfaces#INTERFACE TYPE IN_BANDWIDTH OUT_BANDWIDTH eth0 External 50mbit:200kb 6.0mbit:100kb:200ms:100mbit:1516 etc/shorewall/tcpri: - #BAND PROTO PORT(S) ADDRESS INTERFACE HELPER + #BAND PROTO DPORT ADDRESS INTERFACE HELPER COMMENT All DMZ traffic in band 3 by default 3 - - 70.90.191.124/31 COMMENT Bit Torrent is in band 3 @@ -335,7 +335,7 @@ COMMENT And place echo requests in band 1 to avoid false line-down reports etc/shorewall6/tcpri: - #BAND PROTO PORT(S) ADDRESS INTERFACE HELPER + #BAND PROTO DPORT ADDRESS INTERFACE HELPER COMMENT All DMZ traffic in band 3 by default 3 - - 2001:470:b:227::40/124 COMMENT But give a boost to DNS queries diff --git a/docs/standalone.xml b/docs/standalone.xml index d47e46754..521925f4a 100644 --- a/docs/standalone.xml +++ b/docs/standalone.xml @@ -277,7 +277,7 @@ net ipv4 The /etc/shorewall/policy file included with the one-interface sample has the following policies: - #SOURCE ZONE DESTINATION ZONE POLICY LOG LEVEL LIMIT:BURST + #SOURCE DEST POLICY LOGLEVEL LIMIT $FW net ACCEPT net all DROP info all all REJECT info 
@@ -517,20 +517,19 @@ root@lists:~# /usr/share/shorewall/macro.*, the general format of a rule in /etc/shorewall/rules is: - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT <macro>(ACCEPT) net $FW Be sure to add your rules after the line that reads SECTION NEW (?SECTION NEW in Shorewall 4.6.0 and - later). + role="bold">?SECTION NEW
. You want to run a Web Server and a IMAP Server on your firewall system: - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT Web(ACCEPT) net $FW IMAP(ACCEPT)net $FW @@ -546,14 +545,14 @@ IMAP(ACCEPT)net $FW
a pre-defined macro that meets your requirements. In that case the general format of a rule in /etc/shorewall/rules is: - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT net $FW <protocol> <port> You want to run a Web Server and a IMAP Server on your firewall system: - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT net $FW tcp 80 ACCEPT net $FW tcp 143 @@ -566,7 +565,7 @@ ACCEPT net $FW tcp 143 uses clear text (even for login!). If you want shell access to your firewall from the Internet, use SSH: - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DPORT SSH(ACCEPT) net $FW @@ -615,7 +614,7 @@ SSH(ACCEPT) net $FW (/etc/shorewall/routestopped in Shorewall 4.5.7 and earlier). A running firewall may be restarted using - the shorewall restart command. If you + the shorewall reload command. If you want to totally remove any trace of Shorewall from your Netfilter configuration, use shorewall clear. @@ -639,7 +638,7 @@ SSH(ACCEPT) net $FW
Also, I don't recommend using shorewall - restart; it is better to create an ; it is better to create an alternate configuration and test it using the shorewall diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml index dc514a74e..b6ed1b60c 100644 --- a/docs/starting_and_stopping_shorewall.xml +++ b/docs/starting_and_stopping_shorewall.xml @@ -165,7 +165,7 @@ If you change your configuration and want to install the - changes, use the shorewall restart command. + changes, use the shorewall reload command. @@ -616,7 +616,7 @@ /sbin/shorewall Command - Resulting /usr/share/shorewall/firewall + Resulting /var/lib/shorewall/firewall Command Effect if the Command Succeeds @@ -646,6 +646,15 @@ firewall are accepted. + + shorewall reload + + firewall reload + + Very similar to start, replacing the existing ruleset with + one that reflects the current configuration file contents. + + shorewall restart @@ -721,15 +730,15 @@ transition while the compiler is running. If compilation fails, the state remains unchanged. - Also, shorewall start and shorewall - restart involve compilation followed by execution of the - compiled script. So it is the compiled script that performs the state - transition in these commands rather than - /usr/share/shorewall/firewall. + Also, shorewall start, shorewall + reload and shorewall restart involve + compilation followed by execution of the compiled script. So it is the + compiled script that performs the state transition in these commands + rather than /usr/share/shorewall/firewall. The compiled script is placed in /var/lib/shorewall and is named either - .start or .restart depending on - the command. + .start, .reload or .restart + depending on the command. diff --git a/docs/three-interface.xml b/docs/three-interface.xml index 64303f913..e8e673ff5 100644 --- a/docs/three-interface.xml +++ b/docs/three-interface.xml @@ -90,7 +90,7 @@ - + 
@@ -148,19 +148,18 @@ Conventions Points at which configuration changes are recommended are flagged - with . + with . Configuration notes that are unique to Debian and it's derivatives are marked with . + format="GIF"/>.
PPTP/ADSL - + If you have an ADSL Modem and you use PPTP to communicate with a server in that modem, you must make the /etc/shorewall -- for simple setups, you will only need to deal with a few of these as described in this guide. - + After you have installed Shorewall, locate the three-interface Sample configuration: @@ -210,7 +209,7 @@ - If + If you installed using a Shorewall 4.x .deb, the samples are in /usr/share/doc/shorewall/examples/three-interfaces. @@ -248,8 +247,7 @@ a set of zones. In the three-interface sample configuration, the following zone names are used: - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall net ipv4 loc ipv4 @@ -305,7 +303,7 @@ dmz ipv4Zone names are defined in The /etc/shorewall/policy file included with the three-interface sample has the following policies: - #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST + #SOURCE DEST POLICY LOGLEVEL LIMIT loc net ACCEPT net all DROP info all all REJECT info @@ -315,7 +313,7 @@ all all REJECT info commented out. If you want your firewall system to have full access to servers on the Internet, uncomment that line. - #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST + #SOURCE DEST POLICY LOGLEVEL LIMIT $FW net ACCEPT @@ -351,7 +349,7 @@ $FW net ACCEPT local network from a security perspective. If you want to do this, add these two policies: - #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST + #SOURCE DEST POLICY LOGLEVEL LIMIT loc $FW ACCEPT $FW loc ACCEPT @@ -363,7 +361,7 @@ $FW loc ACCEPT net zone even though connections are not allowed from the loc zone to the firewall itself. - + At this point, edit your /etc/shorewall/policy file and make any changes that you wish. @@ -377,7 +375,7 @@ $FW loc ACCEPT - + @@ -421,7 +419,7 @@ root@lists:~# the external interface. - + If your external interface is ppp0 or exactly one default route via your ISP's Router. - + The Shorewall three-interface sample configuration assumes that the external interface is eth0, the 
@@ -528,7 +526,7 @@ root@lists:~# Example sub-network - + @@ -573,7 +571,7 @@ root@lists:~# directly. To communicate with systems outside of the subnetwork, systems send packets through a gateway (router). - + Your local computers (Local Computers 1 & 2) should be configured with their default gateway set to the IP address of the @@ -596,7 +594,7 @@ root@lists:~# - + The default gateway for the DMZ computers would be @@ -652,7 +650,7 @@ root@lists:~# class="directory">/etc/shorewall/masq file. - + If your external firewall interface is eth0 then you do not need to modify the file @@ -665,7 +663,7 @@ root@lists:~# modify the SOURCE column to list just your local interface (10.10.10.0/24 in the above example). - + If your external IP is static, you can enter it in the third column in the entry if you like although your firewall will work fine if you leave that column empty. Entering your static IP in column 3 makes processing outgoing packets a little more efficient. + fileref="images/openlogo-nd-25.png"/> If you are using the Debian package, please check your shorewall.conf file to ensure that the @@ -736,7 +734,7 @@ root@lists:~# - + If you are running a distribution that logs netfilter messages to a log other than /var/log/messages, then modify the @@ -776,7 +774,7 @@ root@lists:~# /usr/share/shorewall/modules then copy the file to /etc/shorewall and modify the copy. - + Modify the setting of LOAD_HELPER_ONLY as necessary.
@@ -801,7 +799,7 @@ root@lists:~#
The general form of a simple port forwarding rule in /etc/shorewall/rules is: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT DNAT net dmz:<server local IP address>[:<server port>] <protocol> <port> If you don't specify the <server port>, it is assumed to be the same as @@ -816,7 +814,7 @@ DNAT net dmz:<server local IP address>[:You run a Web Server on DMZ Computer 2 and you want to forward incoming TCP port 80 to that system - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT Web(DNAT) net dmz:10.10.11.2 Web(ACCEPT) loc dmz:10.10.11.2 @@ -833,8 +831,7 @@ Web(ACCEPT) loc dmz:10.10.11.2 (10.10.11.2) or you must use DNAT from the loc zone as well (see below). - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# PORT(S) PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST Web(DNAT) loc dmz:10.10.11.2 - - - external-ip-address where external-ip-address is the @@ -846,8 +843,7 @@ Web(DNAT) loc dmz:10.10.11.2 - - - you have problems connecting to your web server, try the following rule and try connecting to port 5000 (e.g., connect to http://w.x.y.z:5000 where w.x.y.z is your - external IP).#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE -# PORT(S) + external IP).#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT net dmz:10.10.11.2:80 tcp 5000 @@ -855,8 +851,7 @@ DNAT net dmz:10.10.11.2:80 tcp 5000 If you want to be able to access your server from the local network using your external address, then if you have a static external IP you can replace the loc->dmz rule above - with:#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL -# PORT(S) DEST + with:#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT loc dmz:10.10.11.2 tcp 80 - <external IP>If you have a dynamic IP then you must ensure that your external interface is up before starting Shorewall and you must take steps 
@@ -871,8 +866,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - < Make your loc->dmz rule: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL -# PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP @@ -886,7 +880,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP - + At this point, add the DNAT and ACCEPT rules for your servers. @@ -924,7 +918,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP + format="GIF"/> You can configure a Caching Name Server on your firewall or in your DMZ. Red Hat has @@ -942,10 +936,10 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP/etc/shorewall/rules. If you run the name server on the firewall: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT DNS(ACCEPT) loc $FW DNS(ACCEPT) dmz $FW Run name server on DMZ - computer 1: #ACTION SOURCE DEST PROTO DEST PORT(S) + computer 1: #ACTION SOURCE DEST PROTO DPORT DNS(ACCEPT) loc dmz:10.10.11.1 DNS(ACCEPT) $FW dmz:10.10.11.1 @@ -960,7 +954,7 @@ DNS(ACCEPT) $FW dmz:10.10.11.1 /etc/shorewall/rules. The first example above (name server on the firewall) could also have been coded as follows: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT loc $FW tcp 53 ACCEPT loc $FW udp 53 ACCEPT dmz $FW tcp 53 
@@ -983,24 +977,24 @@ ACCEPT dmz $FW udp 53 Other Connections The three-interface sample includes the following rule: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT DNS(ACCEPT) $FW net That rule allow DNS access from your firewall and may be removed if you commented out the line in /etc/shorewall/policy allowing all connections from the firewall to the Internet. - The sample also includes: #ACTION SOURCE DEST PROTO DEST PORT(S) + The sample also includes: #ACTION SOURCE DEST PROTO DPORT SSH(ACCEPT) loc $FW SSH(ACCEPT) loc dmz Those rules allow you to run an SSH server on your firewall and in each of your DMZ systems and to connect to those servers from your local systems. If you wish to enable other connections between your systems, the - general format for using a defined macro is: #ACTION SOURCE DEST PROTO DEST PORT(S) + general format for using a defined macro is: #ACTION SOURCE DEST PROTO DPORT <macro>(ACCEPT) <source zone> <destination zone> The general format when not using a defined macro - is:#ACTION SOURCE DEST PROTO DEST PORT(S) + is:#ACTION SOURCE DEST PROTO DPORT ACCEPT <source zone> <destination zone> <protocol> <port> @@ -1009,12 +1003,12 @@ ACCEPT <source zone> <destination zone> <protocol&g Using defined macros: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT DNS(ACCEPT) net $FW Not using defined macros: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT net $FW tcp 53 ACCEPT net $FW udp 53 
@@ -1028,13 +1022,13 @@ ACCEPT net $FW udp 53 I don't recommend enabling telnet to/from the Internet because it uses clear text (even for login!). If you want shell access to your - firewall from the Internet, use SSH: #ACTION SOURCE DEST PROTO DEST PORT(S) + firewall from the Internet, use SSH: #ACTION SOURCE DEST PROTO DPORT SSH(ACCEPT) net $FW - Bering + Bering users will want to add the following two rules to be compatible with - Jacques's Shorewall configuration: #ACTION SOURCE DEST PROTO DEST PORT(S) + Jacques's Shorewall configuration: #ACTION SOURCE DEST PROTO DPORT ACCEPT loc $FW udp 53 ACCEPT net $FW tcp 80 @@ -1045,7 +1039,7 @@ ACCEPT net $FW tcp 80 Entry 2 allows the weblet to work. + format="GIF"/> Now modify /etc/shorewall/rules to add or remove other connections as required. @@ -1110,7 +1104,7 @@ ACCEPT net $FW tcp 80 Starting and Stopping Your Firewall - + The installation procedure configures your system to start Shorewall at system boot but startup is @@ -1119,7 +1113,7 @@ ACCEPT net $FW tcp 80 /etc/shorewall/shorewall.conf and setting STARTUP_ENABLED=Yes. + fileref="images/openlogo-nd-25.png"/> Users of the .deb package must edit /etc/default/shorewall and set startup=1. @@ -1138,11 +1132,11 @@ ACCEPT net $FW tcp 80 /etc/shorewall/routestopped on Shorewall 4.5.7 and earlier). A running firewall may be restarted using - the shorewall restart command. If you want to totally + the shorewall reload command. If you want to totally remove any trace of Shorewall from your Netfilter configuration, use shorewall clear. - + The three-interface sample assumes that you want to enable routing to/from eth1 (your local network) @@ -1168,7 +1162,7 @@ ACCEPT net $FW tcp 80
Also, I don't recommend using shorewall - restart; it is better to create an alternate + reload; it is better to create an alternate configuration and test it using the shorewall try command. @@ -1239,7 +1233,7 @@ ACCEPT net $FW tcp 80
systemctl disable iptables.service
- + At this point, disable your existing firewall service.
diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml
index 0012fb676..bb61a405f 100644
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -922,7 +922,7 @@ ppp0 6000kbit 500kbit
packets arriving on eth2 and eth3 should be marked with 2. All packets originating on the firewall itself should be marked with 3. - #ACTION SOURCE DESTINATION PROTOCOL PORT(S) + #ACTION SOURCE DEST PROTO DPORT MARK(1) eth1 0.0.0.0/0 all MARK(2) eth2 0.0.0.0/0 all MARK(2) eth3 0.0.0.0/0 all @@ -935,7 +935,7 @@ MARK(3) $FW 0.0.0.0/0 all All GRE (protocol 47) packets destined for 155.186.235.151 should be marked with 12. - #ACTION SOURCE DESTINATION PROTOCOL PORT(S) + #ACTION SOURCE DEST PROTO DPORT MARK(12):T 0.0.0.0/0 155.182.235.151 47 @@ -945,7 +945,7 @@ MARK(12):T 0.0.0.0/0 155.182.235.151 47 All SSH request packets originating in 192.168.1.0/24 and destined for 155.186.235.151 should be marked with 22. - #ACTION SOURCE DESTINATION PROTOCOL PORT(S) + #ACTION SOURCE DEST PROTO DPORT MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22 @@ -956,8 +956,7 @@ MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22 /etc/shorewall/tcdevices should be assigned to the class with mark value 10. - #ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp 22 CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22 @@ -975,8 +974,7 @@ CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22 - #ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST -# PORT(S) GROUP + #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply @@ -1002,8 +1000,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - ensure that all VOIP packets also receive that mark (assumes that nf_conntrack_sip is loaded). - #ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST CONNBYTES TOS HELPER -# PORT(S) GROUP + #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST CONNBYTES TOS HELPER RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 1 0.0.0.0/0 0.0.0.0/0 all - - - - - - sip 
@@ -1235,7 +1232,7 @@ Source IP address is 192.168.4.3 = 0xc0a80403 /etc/shorewall/tcdevices: - #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH + #INTERFACE IN_BANDWIDTH OUT_BANDWIDTH eth0 100mbit 100mbit /etc/shorewall/tcclasses: @@ -1293,7 +1290,7 @@ IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0
tcdevices file - #INTERFACE IN-BANDWITH OUT-BANDWIDTH + #INTERFACE IN_BANDWITH OUT_BANDWIDTH ppp0 5000kbit 500kbit
@@ -1309,8 +1306,7 @@ ppp0 3 2*full/10 8*full/10 2
mangle file - #ACTION SOURCE DEST PROTO PORT(S) CLIENT USER -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT USER MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply # mark traffic which should have a lower priority with a 3: @@ -1347,23 +1343,14 @@ NOPRIOPORTDST="6662 6663" This would result in the following additional settings to the mangle file: - MARK(3) 192.168.1.128/25 0.0.0.0/0 all + #ACTION SOURCE DEST PROTO DPORT SPORT USER +MARK(3) 192.168.1.128/25 0.0.0.0/0 all MARK(3) 192.168.3.28 0.0.0.0/0 all MARK(3) 0.0.0.0/0 60.0.0.0/24 all MARK(3) 0.0.0.0/0 0.0.0.0/0 udp 6662,6663 MARK(3) 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663 MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663 MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663 - - Corresponding tcrules file entries are: - - 3 192.168.1.128/25 0.0.0.0/0 all -3 192.168.3.28 0.0.0.0/0 all -3 0.0.0.0/0 60.0.0.0/24 all -3 0.0.0.0/0 0.0.0.0/0 udp 6662,6663 -3 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663 -3 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663 -3 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663
@@ -1378,7 +1365,7 @@ MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp - 6662,666
tcdevices file - #INTERFACE IN-BANDWITH OUT-BANDWIDTH + #INTERFACE IN_BANDWITH OUT_BANDWIDTH ppp0 6000kbit 700kbit We have 6mbit down and 700kbit upstream. @@ -1403,8 +1390,7 @@ ppp0 4 90kbit 200kbit 3 default mangle file - #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT USER MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply MARK(2):F 192.168.2.23 0.0.0.0/0 all @@ -1412,8 +1398,7 @@ MARK(3):F 192.168.2.42 0.0.0.0/0 all Corresponding tcrules file: - #ACTION SOURCE DEST PROTO PORT(S) CLIENT USER -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT USER 1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request 1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply 2:F 192.168.2.23 0.0.0.0/0 all @@ -1472,13 +1457,12 @@ MARK(3):F 192.168.2.42 0.0.0.0/0 all /etc/shorewall/tcdevices: - #INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS + #INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS eth0 - 1000kbit hfsc /etc/shorewall/tcclasses: - #INTERFACE:CLASS MARK RATE: CEIL PRIORITY OPTIONS -# DMAX:UMAX + #INTERFACE MARK RATE CEIL PRIORITY OPTIONS 1:10 1 500kbit full 1 1:20 2 500kbit full 1 1:10:11 3 400kbit:53ms:1500b full 2 @@ -1649,8 +1633,7 @@ ip link set ifb0 up Example: /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# PORT(S) PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT net dmz:192.168.4.5 tcp 80 - 206.124.146.177 Requests redirected by this rule will have destination IP @@ -1721,7 +1704,7 @@ eth0 192.168.1.0/24 206.124.146.179 - DEST PORT(S) + DPORT Comma-separated list of destination port names or numbers. @@ -1731,7 +1714,7 @@ eth0 192.168.1.0/24 206.124.146.179 - SOURCE PORT + SPORT Comma-separated list of source port names or numbers. May 
@@ -1810,8 +1793,7 @@ qt ip link set dev ifb0 up /etc/shorewall/tcdevices: -#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED -# INTERFACES +#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT 1:eth0 - 384kbit classify 2:ifb0 - 1300kbit - eth0 /etc/shorewall/tcclasses:#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
@@ -1820,8 +1802,7 @@ qt ip link set dev ifb0 up 1:130 - 2*full/10 6*full/10 3 2:110 - 5*full/10 full 1 tcp-ack,tos-minimize-delay 2:120 - 2*full/10 6*full/10 2 default -2:130 - 2*full/10 6*full/10 3/etc/shorewall/tcfilters:#INTERFACE: SOURCE DEST PROTO DEST SOURCE -#CLASS PORT(S) PORT(S) +2:130 - 2*full/10 6*full/10 3/etc/shorewall/tcfilters:#INTERFACE: SOURCE DEST PROTO DPORT SPORT # # OUTGOING TRAFFIC #
diff --git a/docs/two-interface.xml b/docs/two-interface.xml
index 23e46da41..1f40b8a44 100644
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@@ -74,7 +74,7 @@ - +
@@ -121,19 +121,18 @@ Conventions Points at which configuration changes are recommended are flagged - with . + with . Configuration notes that are unique to Debian and it's derivatives are marked with . + format="GIF"/>.
PPTP/ADSL - + If you have an ADSL Modem and you use PPTP to communicate with a server in that modem, you @@ -146,7 +145,7 @@
Shorewall Concepts - + The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple @@ -154,7 +153,7 @@ this guide. + format="GIF"/> After you have installed Shorewall, locate the two-interfaces samples: @@ -189,10 +188,10 @@ If you installed using a + fileref="images/openlogo-nd-25.png"/>If you installed using a Shorewall 4.x .deb, the samples are in /usr/share/doc/shorewall-common/examples/two-interfaces. + class="directory">/usr/share/doc/shorewall/examples/two-interfaces. You do not need the shorewall-doc package to have access to the samples. @@ -230,8 +229,7 @@ a set of zones. In the two-interface sample configuration, the following zone names are used: - #ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS + #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall net ipv4 loc ipv4Zones are defined in the Zones are defined in the The /etc/shorewall/policy file included with the two-interface sample has the following policies: - #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST + #SOURCE DEST POLICY LOGLEVEL LIMIT loc net ACCEPT net all DROP info all all REJECT infoIn the two-interface sample, the line below is included but commented out. If you want your firewall system to have full access to servers on the Internet, uncomment - that line. #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST + that line. #SOURCE DEST POLICY LOGLEVEL LIMIT $FW net ACCEPT The above policy will: @@ -333,11 +331,11 @@ $FW net ACCEPT The above policy will: local network from a security perspective. If you want to do this, add these two policies: - #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST + #SOURCE DEST POLICY LOGLEVEL LIMIT loc $FW ACCEPT $FW loc ACCEPT - + At this point, edit your /etc/shorewall/policy @@ -349,7 +347,7 @@ $FW loc ACCEPT - + 
@@ -393,7 +391,7 @@ root@lists:~# the external interface. - + If your external interface is ppp0 or internal interface. Your firewall should have exactly one default route via your ISP's Router. + format="GIF"/> The Shorewall two-interface sample configuration assumes that the external interface is eth0 and the @@ -533,7 +531,7 @@ root@lists:~# directly. To communicate with systems outside of the subnetwork, systems send packets through a gateway (router). - + Your local computers (computer 1 and computer 2 in the above diagram) should be configured with their default gateway to be the @@ -550,7 +548,7 @@ root@lists:~# The remainder of this guide will assume that you have configured your network as shown here: - + The default gateway for computer's 1 & 2 would be 10.10.10.254. @@ -607,7 +605,7 @@ root@lists:~# IP is dynamic and SNAT if the IP is static. - + If your external firewall interface is eth0, you do not need to modify the file @@ -616,7 +614,7 @@ root@lists:~# class="directory">/etc/shorewall/masq and change the first column to the name of your external interface. - + If your external IP is static, you can enter it in the third column in the column 3 (SNAT) makes the processing of outgoing packets a little more efficient. - + If you are using the Debian package, please check your shorewall.conf file to ensure that the @@ -689,7 +687,7 @@ root@lists:~# - + If you are running a distribution that logs netfilter messages to a log other than /var/log/messages, then modify the @@ -729,7 +727,7 @@ root@lists:~# /usr/share/shorewall/modules then copy the file to /etc/shorewall and modify the copy. - + Modify the setting of LOAD_HELPER_ONLY as necessary.
@@ -758,7 +756,7 @@ root@lists:~# a server in the loc zone, the general form of a simple port forwarding rule in /etc/shorewall/rules is: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT DNAT net loc:<server local ip address>[:<server port>] <protocol> <port> If you want to forward traffic from the loc zone to a server in the @@ -784,14 +782,14 @@ DNAT net loc:<server local ip address>[:You run a Web Server on computer 2 in the above diagram and you want to forward incoming TCP port 80 to that system: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT Web(DNAT) net loc:10.10.10.2 FTP Server You run an FTP Server on computer 1 so you want to forward incoming - TCP port 21 to that system: #ACTION SOURCE DEST PROTO DEST PORT(S) + TCP port 21 to that system: #ACTION SOURCE DEST PROTO DPORT FTP(DNAT) net loc:10.10.10.1 For FTP, you will also need to have FTP connection tracking and NAT @@ -829,11 +827,11 @@ FTP(DNAT) net loc:10.10.10.1 For server, try the following rule and try connecting to port 5000. - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT DNAT net loc:10.10.10.2:80 tcp 5000
+ format="GIF"/> At this point, modify /etc/shorewall/rules to @@ -881,7 +879,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000 - You can configure a + You can configure a Caching Name Server on your firewall. Red Hat has an RPM for a caching name server (the RPM also requires the @@ -897,7 +895,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000 network to the firewall; you do that by adding the following rules in /etc/shorewall/rules. - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT DNS(ACCEPT)loc $FW @@ -907,7 +905,7 @@ DNS(ACCEPT)loc $FW Other Connections The two-interface sample includes the following rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT DNS(ACCEPT) $FW netThis rule allows DNS access from your firewall and may be removed if you uncommented the line in This rule allows You don't have to use defined macros when coding a rule in /etc/shorewall/rules; Shorewall will start slightly faster if you code your rules directly rather than using macros. The the - rule shown above could also have been coded as follows:#ACTION SOURCE DEST PROTO DEST PORT(S) + rule shown above could also have been coded as follows:#ACTION SOURCE DEST PROTO DPORT ACCEPT $FW net udp 53 ACCEPT $FW net tcp 53 
@@ -930,21 +928,21 @@ ACCEPT $FW net tcp 53 your needs, you can either define the macro yourself or you can simply code the appropriate rules directly. - The sample also includes: #ACTION SOURCE DEST PROTO DEST PORT(S) + The sample also includes: #ACTION SOURCE DEST PROTO DPORT SSH(ACCEPT) loc $FW That rule allows you to run an SSH server on your firewall and connect to that server from your local systems. If you wish to enable other connections from your firewall to other - systems, the general format using a macro is: #ACTION SOURCE DEST PROTO DEST PORT(S) + systems, the general format using a macro is: #ACTION SOURCE DEST PROTO DPORT <macro>(ACCEPT) $FW <destination zone>The - general format when not using defined macros is:#ACTION SOURCE DEST PROTO DEST PORT(S) + general format when not using defined macros is:#ACTION SOURCE DEST PROTO DPORT ACCEPT $FW <destination zone> <protocol> <port> Web Server on Firewall You want to run a Web Server on your firewall system: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT Web(ACCEPT) net $FW Web(ACCEPT) loc $FW Those two rules would of course be in addition to the rules listed above under Those two rules would of shell access to your firewall from the Internet, use SSH: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT SSH(ACCEPT) net $FW Bering users will want to add the following two rules to be - compatible with Jacques's Shorewall configuration.#ACTION SOURCE DEST PROTO DEST PORT(S) + format="GIF"/>Bering users will want to add the following two rules to be + compatible with Jacques's Shorewall configuration.#ACTION SOURCE DEST PROTO DPORT ACCEPT loc $FW udp 53 #Allow DNS Cache to work ACCEPT loc $FW tcp 80 #Allow Weblet to work - + Now edit your /etc/shorewall/rules 
@@ -1030,7 +1028,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work Starting and Stopping Your Firewall - + The installation procedure configures your system to start Shorewall at system boot but startup is @@ -1038,7 +1036,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work + fileref="images/openlogo-nd-25.png"/> Users of the .deb package must edit /etc/default/shorewall and set startup=1. @@ -1056,11 +1054,11 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work /etc/shorewall/stoppedrules. A running firewall may be restarted using the shorewall - restart command. If you want to totally remove any trace + reload command. If you want to totally remove any trace of Shorewall from your Netfilter configuration, use shorewall clear. - + The two-interface sample assumes that you want to enable routing to/from eth1 (the local network) @@ -1087,7 +1085,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work Also, I don't recommend using shorewall - restart; it is better to create an alternate + reload; it is better to create an alternate configuration and test it using the shorewall try command. @@ -1158,7 +1156,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to worksystemctl disable iptables.service - + At this point, disable your existing firewall service.
@@ -1202,9 +1200,9 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work Your new network will look similar to what is shown in the following - figure. + figure. - + The first thing to note is that the computers in your wireless network will be in a different subnet from those on your wired local LAN. @@ -1217,7 +1215,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work - + There are only two changes that need to be made to the Shorewall configuration: @@ -1229,8 +1227,8 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to workwlan0, the entry might look like: - #ZONE INTERFACE BROADCAST OPTIONS -loc wlan0 detect maclist + #ZONE INTERFACE OPTIONS +loc wlan0 maclist As shown in the above entry, I recommend using the maclist option for the wireless @@ -1248,7 +1246,7 @@ loc wlan0 detect maclist
from the wireless network to the Internet. If you file looks like this: - #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK + #INTERFACE SOURCE ADDRESS PROTO DPORT IPSEC MARK eth0 10.0.0.0/8,\ 169.254.0.0/16,\ 172.16.0.0/12,\
diff --git a/docs/whitelisting_under_shorewall.xml b/docs/whitelisting_under_shorewall.xml
index f1f5445cb..2cbed2726 100644
--- a/docs/whitelisting_under_shorewall.xml
+++ b/docs/whitelisting_under_shorewall.xml
@@ -120,7 +120,7 @@ loc eth2:0.0.0.0/0 Policy File - #SOURCE DEST POLICY LOG LEVEL + #SOURCE DEST POLICY LOGLEVEL ops all ACCEPT all ops CONTINUE loc net ACCEPT
@@ -134,7 +134,7 @@ all all REJECT info Rules File - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORTS(S) ORIGINAL DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST REDIRECT loc!ops 3128 tcp http This is the rule that transparently redirects web traffic to the