Shorewall 1.4.0

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@504 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-03-18 01:13:38 +00:00
parent 09aed118b3
commit 52629f9049
43 changed files with 4952 additions and 9553 deletions



@ -1,5 +1,5 @@
# #
# Shorewall 1.3 -- Blacklist File # Shorewall 1.4 -- Blacklist File
# #
# /etc/shorewall/blacklist # /etc/shorewall/blacklist
# #
@ -9,7 +9,7 @@
# #
# ADDRESS/SUBNET - Host address, subnetwork or MAC address # ADDRESS/SUBNET - Host address, subnetwork or MAC address
# #
# MAC addresses must be prefixed with "~" and use "-" # MAC addresses must be prefixed with "~" and use "-"
# as a separator. # as a separator.
# #
# Example: ~00-A0-C9-15-39-78 # Example: ~00-A0-C9-15-39-78
@ -27,7 +27,7 @@
# /etc/shorewall/shorewall.conf # /etc/shorewall/shorewall.conf
# #
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching # If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked. # the protocol (and one of the ports if PORTS supplied) are blocked.
# #
# Example: # Example:
# #


@ -1,7 +1,7 @@
############################################################################ ############################################################################
# Shorewall 1.3 -- /etc/shorewall/common.def # Shorewall 1.4 -- /etc/shorewall/common.def
# #
# This file defines the rules that are applied before a policy of # This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file, # DROP or REJECT is applied. In addition to the rules defined in this file,
# the firewall will also define a DROP rule for each subnet broadcast # the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect"). # address defined in /etc/shorewall/interfaces (including "detect").
@ -14,14 +14,12 @@
# #
run_iptables -A common -p icmp -j icmpdef run_iptables -A common -p icmp -j icmpdef
############################################################################ ############################################################################
# Drop invalid state TCP packets
#
run_iptables -A common -m state -p tcp --state INVALID -j DROP
############################################################################
# NETBIOS chatter # NETBIOS chatter
# #
run_iptables -A common -p udp --dport 137:139 -j REJECT run_iptables -A common -p udp --dport 137:139 -j REJECT
run_iptables -A common -p udp --dport 445 -j REJECT run_iptables -A common -p udp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 139 -j REJECT
run_iptables -A common -p tcp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 135 -j reject run_iptables -A common -p tcp --dport 135 -j reject
############################################################################ ############################################################################
# UPnP # UPnP
@ -36,5 +34,9 @@ run_iptables -A common -d 224.0.0.0/4 -j DROP
# AUTH -- Silently reject it so that connections don't get delayed. # AUTH -- Silently reject it so that connections don't get delayed.
# #
run_iptables -A common -p tcp --dport 113 -j reject run_iptables -A common -p tcp --dport 113 -j reject
############################################################################
# DNS -- Silenty drop late replies
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
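Review bot: The DNS rule added at the end of this hunk is written `-mstate` while the rest of the file (including the `--state INVALID` line earlier in this section) spells the match `-m state`; for consistency suggest `run_iptables -A common -p udp --sport 53 -m state --state NEW -j DROP`, and the comment above it misspells "Silently" (`# DNS -- Silently drop late replies`). In the NETBIOS block the `tcp --dport 139` and `tcp --dport 445` REJECT lines appear only once and the rendered page does not show whether they are removed or added; if they are removed, TCP NetBIOS/SMB probes no longer get a quiet reject in `common` and fall through to the zone policy, which with a logged DROP/REJECT policy will noticeably raise log volume. Worth confirming that is intentional and stating it in the file header, since the header still describes `common` as the place where such noise is handled. The same side ambiguity applies to the INVALID-state drop at the top of the section.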


@ -1,5 +1,5 @@
# #
# Shorewall 1.3 - /etc/shorewall/hosts # Shorewall 1.4 - /etc/shorewall/hosts
# #
# WARNING: 90% of Shorewall users don't need to add entries to this # WARNING: 90% of Shorewall users don't need to add entries to this
# file and 80% of those who try to add such entries get it # file and 80% of those who try to add such entries get it
@ -18,23 +18,18 @@
# a) The IP address of a host # a) The IP address of a host
# b) A subnetwork in the form # b) A subnetwork in the form
# <subnet-address>/<mask width> # <subnet-address>/<mask width>
# #
# The interface must be defined in the # The interface must be defined in the
# /etc/shorewall/interfaces file. # /etc/shorewall/interfaces file.
# #
# Examples: # Examples:
# #
# eth1:192.168.1.3 # eth1:192.168.1.3
# eth2:192.168.2.0/24 # eth2:192.168.2.0/24
# #
# OPTIONS - A comma-separated list of options. Currently-defined # OPTIONS - A comma-separated list of options. Currently-defined
# options are: # options are:
# #
# routestopped - (Deprecated -- use
# /etc/shorewall/routestopped)
# route messages to and from this
# member when the firewall is in the
# stopped state
# maclist - Connection requests from these hosts # maclist - Connection requests from these hosts
# are compared against the contents of # are compared against the contents of
# /etc/shorewall/maclist. If this option # /etc/shorewall/maclist. If this option
@ -43,5 +38,5 @@
# Shorewall is started. # Shorewall is started.
# #
# #
#ZONE HOST(S) OPTIONS #ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE


@ -1,5 +1,5 @@
############################################################################ ############################################################################
# Shorewall 1.3 -- /etc/shorewall/init # Shorewall 1.4 -- /etc/shorewall/init
# #
# Add commands below that you want to be executed at the beginning of # Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command. # a "shorewall start" or "shorewall restart" command.


@ -1,5 +1,5 @@
# #
# Shorewall 1.3 -- Interfaces File # Shorewall 1.4 -- Interfaces File
# #
# /etc/shorewall/interfaces # /etc/shorewall/interfaces
# #
@ -14,7 +14,7 @@
# If the interface serves multiple zones that will be # If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should # defined in the /etc/shorewall/hosts file, you should
# place "-" in this column. # place "-" in this column.
# #
# INTERFACE Name of interface. Each interface may be listed only # INTERFACE Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of # once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see # an alias (e.g., eth0:0) here; see
@ -27,14 +27,14 @@
# column is left black.If the interface has multiple # column is left black.If the interface has multiple
# addresses on multiple subnets then list the broadcast # addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list. # addresses as a comma-separated list.
# #
# If you use the special value "detect", the firewall # If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you # will detect the broadcast address for you. If you
# select this option, the interface must be up before # select this option, the interface must be up before
# the firewall is started, you must have iproute # the firewall is started, you must have iproute
# installed and the interface must only be associated # installed and the interface must only be associated
# with a single subnet. # with a single subnet.
# #
# If you don't want to give a value for this column but # If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter # you want to enter a value in the OPTIONS column, enter
# "-" in this column. # "-" in this column.
@ -46,11 +46,6 @@
# a DHCP server running on the firewall or # a DHCP server running on the firewall or
# you have a static IP but are on a LAN # you have a static IP but are on a LAN
# segment with lots of Laptop DHCP clients. # segment with lots of Laptop DHCP clients.
# routestopped - (Deprecated -- use
# /etc/shorewall/routestopped)
# When the firewall is stopped, allow
# and route traffic to and from this
# interface.
# norfc1918 - This interface should not receive # norfc1918 - This interface should not receive
# any packets whose source is in one # any packets whose source is in one
# of the ranges reserved by RFC 1918 # of the ranges reserved by RFC 1918
@ -59,9 +54,6 @@
# enabled in shorewall.conf, packets # enabled in shorewall.conf, packets
# whose destination addresses are # whose destination addresses are
# reserved by RFC 1918 are also rejected. # reserved by RFC 1918 are also rejected.
# multi - This interface has multiple IP
# addresses and you want to be able to
# route between them.
# routefilter - turn on kernel route filtering for this # routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This # interface (anti-spoofing measure). This
# option can also be enabled globally in # option can also be enabled globally in
@ -87,8 +79,8 @@
# TCP_FLAGS_DISPOSITION after having been # TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of # logged according to the setting of
# TCP_FLAGS_LOG_LEVEL. # TCP_FLAGS_LOG_LEVEL.
# proxyarp - # proxyarp -
# Sets # Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp. # /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are # Do NOT use this option if you are
# employing Proxy ARP through entries in # employing Proxy ARP through entries in
@ -96,7 +88,7 @@
# intended soley for use with Proxy ARP # intended soley for use with Proxy ARP
# sub-networking as described at: # sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
# #
# The order in which you list the options is not # The order in which you list the options is not
# significant but the list should have no embedded white # significant but the list should have no embedded white
# space. # space.
@ -106,27 +98,25 @@
# local subnet is 192.168.1.0/24. The interface gets # local subnet is 192.168.1.0/24. The interface gets
# it's IP address via DHCP from subnet # it's IP address via DHCP from subnet
# 206.191.149.192/27. You have a DMZ with subnet # 206.191.149.192/27. You have a DMZ with subnet
# 192.168.2.0/24 using eth2. You want to be able to # 192.168.2.0/24 using eth2.
# access the firewall from the local network when the
# firewall is stopped.
# #
# Your entries for this setup would look like: # Your entries for this setup would look like:
# #
# net eth0 206.191.149.223 dhcp # net eth0 206.191.149.223 dhcp
# local eth1 192.168.1.255 routestopped # local eth1 192.168.1.255
# dmz eth2 192.168.2.255 # dmz eth2 192.168.2.255
# #
# Example 2: The same configuration without specifying broadcast # Example 2: The same configuration without specifying broadcast
# addresses is: # addresses is:
# #
# net eth0 detect noping,dhcp # net eth0 detect dhcp
# loc eth1 detect routestopped # loc eth1 detect
# dmz eth2 detect # dmz eth2 detect
# #
# Example 3: You have a simple dial-in system with no ethernet # Example 3: You have a simple dial-in system with no ethernet
# connections and you want to ignore ping requests. # connections.
# #
# net ppp0 - noping # net ppp0 -
############################################################################## ##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS #ZONE INTERFACE BROADCAST OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,12 +1,12 @@
# #
# Shorewall 1.3 - MAC list file # Shorewall 1.4 - MAC list file
# #
# /etc/shorewall/maclist # /etc/shorewall/maclist
# #
# Columns are: # Columns are:
# #
# INTERFACE Network interface to a host # INTERFACE Network interface to a host
# #
# MAC MAC address of the host -- you do not need to use # MAC MAC address of the host -- you do not need to use
# the Shorewall format for MAC addresses here # the Shorewall format for MAC addresses here
# #


@ -1,5 +1,5 @@
# #
# Shorewall 1.3 - Masquerade file # Shorewall 1.4 - Masquerade file
# #
# /etc/shorewall/masq # /etc/shorewall/masq
# #
@ -13,8 +13,8 @@
# /etc/shorewall/shorewall.conf, you may add ":" and # /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with # a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to # that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR # be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER # THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION. # PLACE IN YOUR SHOREWALL CONFIGURATION.
# #
# This may be qualified by adding the character # This may be qualified by adding the character
@ -25,7 +25,7 @@
# a subnet or as an interface. If you give the name of an # a subnet or as an interface. If you give the name of an
# interface, you must have iproute installed and the interface # interface, you must have iproute installed and the interface
# must be up before you start the firewall. # must be up before you start the firewall.
# #
# In order to exclude a subset of the specified SUBNET, you # In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses # may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude. # and/or subnets that you wish to exclude.
@ -37,17 +37,17 @@
# #
# ADDRESS -- (Optional). If you specify an address here, SNAT will be # ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If # used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in # ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall # /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the # will automatically add this address to the
# INTERFACE named in the first column. # INTERFACE named in the first column.
# #
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if # WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
# the address given in this column is the primary # the address given in this column is the primary
# IP address for the interface in the INTERFACE # IP address for the interface in the INTERFACE
# column. # column.
# #
# This column may not contain a DNS Name. # This column may not contain a DNS Name.
# #
# Example 1: # Example 1:
# #
@ -83,7 +83,7 @@
# #
# You want all outgoing traffic from 192.168.1.0/24 through # You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the # eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to # primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0. # be added to eth0 with name eth0:0.
# #
# eth0:0 192.168.1.0/24 206.124.146.176 # eth0:0 192.168.1.0/24 206.124.146.176


@ -1,7 +1,12 @@
############################################################################## ##############################################################################
# Shorewall 1.3 /etc/shorewall/modules # Shorewall 1.4 /etc/shorewall/modules
# #
# This file loads the modules needed by the firewall. # This file loads the modules needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
#
loadmodule ip_tables loadmodule ip_tables
loadmodule iptable_filter loadmodule iptable_filter


@ -1,6 +1,6 @@
############################################################################## ##############################################################################
# #
# Shorewall 1.3 -- Network Address Translation Table # Shorewall 1.4 -- Network Address Translation Table
# #
# /etc/shorewall/nat # /etc/shorewall/nat
# #
@ -17,7 +17,7 @@
# column and must not be a DNS Name. # column and must not be a DNS Name.
# INTERFACE Interface that we want to EXTERNAL address to appear # INTERFACE Interface that we want to EXTERNAL address to appear
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may # on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
# follow the interface name with ":" and a digit to # follow the interface name with ":" and a digit to
# indicate that you want Shorewall to add the alias # indicate that you want Shorewall to add the alias
# with this name (e.g., "eth0:0"). That allows you to # with this name (e.g., "eth0:0"). That allows you to
# see the alias with ifconfig. THAT IS THE ONLY THING # see the alias with ifconfig. THAT IS THE ONLY THING


@ -1,5 +1,5 @@
# #
# Shorewall 1.3 /etc/shorewall/params # Shorewall 1.4 /etc/shorewall/params
# #
# Assign any variables that you need here. # Assign any variables that you need here.
# #
@ -11,7 +11,7 @@
# #
# NET_IF=eth0 # NET_IF=eth0
# NET_BCAST=130.252.100.255 # NET_BCAST=130.252.100.255
# NET_OPTIONS=noping,norfc1918 # NET_OPTIONS=routefilter,norfc1918
# #
# Example (/etc/shorewall/interfaces record): # Example (/etc/shorewall/interfaces record):
# #
@ -19,25 +19,7 @@
# #
# The result will be the same as if the record had been written # The result will be the same as if the record had been written
# #
# net eth0 130.252.100.255 noping,norfc1918 # net eth0 130.252.100.255 routefilter,norfc1918
# #
# Variables can be used in the following places in the other configuration
# files:
#
# /etc/shorewall/interfaces:
# /etc/shorewall/hosts
#
# All except the first column.
#
# /etc/shorewall/rules
#
# First column after ":".
# All remaining columns
#
# /etc/shorewall/tunnels
# /etc/shorewall/proxyarp
# /etc/shorewall/nat
#
# All columns
############################################################################## ##############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


@ -1,5 +1,5 @@
# #
# Shorewall 1.3 -- Policy File # Shorewall 1.4 -- Policy File
# #
# /etc/shorewall/policy # /etc/shorewall/policy
# #


@ -1,10 +1,10 @@
############################################################################## ##############################################################################
# #
# Shorewall 1.3 -- Proxy ARP # Shorewall 1.4 -- Proxy ARP
# #
# /etc/shorewall/proxyarp # /etc/shorewall/proxyarp
# #
# This file is used to define Proxy ARP. # This file is used to define Proxy ARP.
# #
# Columns must be separated by white space and are: # Columns must be separated by white space and are:
# #


@ -1,5 +1,5 @@
# #
# Shorewall 1.3 -- RFC1918 File # Shorewall 1.4 -- RFC1918 File
# #
# /etc/shorewall/rfc1918 # /etc/shorewall/rfc1918
# #
@ -25,7 +25,7 @@
192.0.2.0/24 logdrop # Example addresses 192.0.2.0/24 logdrop # Example addresses
192.168.0.0/16 logdrop # RFC 1918 192.168.0.0/16 logdrop # RFC 1918
# #
# The following are generated using the Python program found at: # The following are generated with the help of the Python program found at:
# #
# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/ # http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
# #
@ -43,6 +43,8 @@
39.0.0.0/8 logdrop # Reserved 39.0.0.0/8 logdrop # Reserved
41.0.0.0/8 logdrop # Reserved 41.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved 42.0.0.0/8 logdrop # Reserved
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved 58.0.0.0/7 logdrop # Reserved
60.0.0.0/8 logdrop # Reserved 60.0.0.0/8 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved 70.0.0.0/7 logdrop # Reserved
@ -53,7 +55,8 @@
96.0.0.0/3 logdrop # Reserved 96.0.0.0/3 logdrop # Reserved
127.0.0.0/8 logdrop # Loopback 127.0.0.0/8 logdrop # Loopback
197.0.0.0/8 logdrop # Reserved 197.0.0.0/8 logdrop # Reserved
222.0.0.0/7 logdrop # Reserved 198.18.0.0/15 logdrop # Reserved
201.0.0.0/8 logdrop # Reserved - Central & South America
240.0.0.0/4 logdrop # Reserved 240.0.0.0/4 logdrop # Reserved
# #
# End of generated entries # End of generated entries
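Review bot: The new generated entries (49.0.0.0/8, 50.0.0.0/8, 198.18.0.0/15, 201.0.0.0/8) and the replacement of 222.0.0.0/7 carry no generation date, yet the file's own comments ("Returned to IANA Mar 98") show these allocations move over time; a stale entry here silently logdrops legitimate traffic from a block once IANA allocates it. Suggest recording the date next to the generator reference, e.g. `# Generated <DATE> from the IANA reserved list -- regenerate when any of these blocks is allocated`, so administrators know when the list needs refreshing. The 198.18.0.0/15 line is labelled "Reserved" like the unallocated /8s, but that range is the RFC 2544 benchmarking block, and the comment could say so to avoid it being mistaken for free space that will later be allocated.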


@ -1,10 +1,10 @@
############################################################################## ##############################################################################
# #
# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped # Shorewall 1.4 -- Hosts Accessible when the Firewall is Stopped
# #
# /etc/shorewall/routestopped # /etc/shorewall/routestopped
# #
# This file is used to define the hosts that are accessible when the # This file is used to define the hosts that are accessible when the
# firewall is stopped # firewall is stopped
# #
# Columns must be separated by white space and are: # Columns must be separated by white space and are:
@ -12,7 +12,7 @@
# INTERFACE - Interface through which host(s) communicate with # INTERFACE - Interface through which host(s) communicate with
# the firewall # the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet # HOST(S) - (Optional) Comma-separated list of IP/subnet
# addresses. If left empty or supplied as "-", # If left empty or supplied as "-",
# 0.0.0.0/0 is assumed. # 0.0.0.0/0 is assumed.
# #
# Example: # Example:


@ -1,5 +1,5 @@
# #
# Shorewall version 1.3 - Rules File # Shorewall version 1.4 - Rules File
# #
# /etc/shorewall/rules # /etc/shorewall/rules
# #
@ -24,24 +24,31 @@
# DNAT -- Forward the request to another # DNAT -- Forward the request to another
# system (and optionally another # system (and optionally another
# port). # port).
# DNAT- -- Advanced users only. # DNAT- -- Advanced users only.
# Like DNAT but only generates the # Like DNAT but only generates the
# DNAT iptables rule and not # DNAT iptables rule and not
# the companion ACCEPT rule. # the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local # REDIRECT -- Redirect the request to a local
# port on the firewall. # port on the firewall.
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
# The source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# #
# May optionally be followed by ":" and a syslog log # May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be # level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level. # logged at the specified level.
# #
# Beginning with Shorewall version 1.3.12, you may # You may also specify ULOG (must be in upper case) as a
# also specify ULOG (must be in upper case) as a log level.\ # log level.This will log to the ULOG target for routing
# This will log to the ULOG target and sent to a separate log # to a separate log through use of ulogd
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd). # (http://www.gnumonks.org/projects/ulogd).
# #
#
# SOURCE Source hosts to which the rule applies. May be a zone # SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the # defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or # firewall itself, or "all" If the ACTION is DNAT or
@ -90,6 +97,8 @@
# 2. In DNAT rules, only IP addresses are # 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses # allowed; no FQDNs or subnet addresses
# are permitted. # are permitted.
# 3. You may not specify both an interface and
# an address.
# #
# The port that the server is listening on may be # The port that the server is listening on may be
# included and separated from the server's IP address by # included and separated from the server's IP address by
@ -106,10 +115,8 @@
# contain the port number on the firewall that the # contain the port number on the firewall that the
# request should be redirected to. # request should be redirected to.
# #
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all" or "related". If "related", the remainder of the # "all".
# entry must be omitted and connection requests that are
# related to existing requests will be accepted.
# #
# DEST PORT(S) Destination Ports. A comma-separated list of Port # DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port # names (from /etc/services), port numbers or port
@ -117,7 +124,7 @@
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
# #
# A port range is expressed as <low port>:<high port>. # A port range is expressed as <low port>:<high port>.
# #
# This column is ignored if PROTOCOL = all but must be # This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied. # entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain # In that case, it is suggested that this field contain
@ -148,7 +155,7 @@
# Otherwise, a separate rule will be generated for each # Otherwise, a separate rule will be generated for each
# port. # port.
# #
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or # ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
# REDIRECT) If included and different from the IP # REDIRECT) If included and different from the IP
# address given in the SERVER column, this is an address # address given in the SERVER column, this is an address
# on some interface on the firewall and connections to # on some interface on the firewall and connections to


@ -1,22 +1,17 @@
############################################################################## ##############################################################################
# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to # /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
# match your setup # match your setup
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
# This file should be placed in /etc/shorewall # This file should be placed in /etc/shorewall
# #
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
##############################################################################
# L O G G I N G
############################################################################## ##############################################################################
# #
# You should not have to change the variables in this section -- they are set # General note about log levels. Log levels are a method of describing
# by the packager of your Shorewall distribution
#
SHARED_DIR=/usr/lib/shorewall
#
##############################################################################
#
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters # to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value. # in this file have log levels as their value.
# #
@ -32,72 +27,32 @@ SHARED_DIR=/usr/lib/shorewall
# 0 emerg # 0 emerg
# #
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall # For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
# log messages are generated by NetFilter and are logged using facility # log messages are generated by NetFilter and are logged using facility
# 'kern' and the level that you specifify. If you are unsure of the level # 'kern' and the level that you specifify. If you are unsure of the level
# to choose, 6 (info) is a safe bet. You may specify levels by name or by # to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number. # number.
# #
# If you have build your kernel with ULOG target support, you may also # If you have build your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its # specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages # messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'. # via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be # ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
# configured to log all Shorewall message to their own log file # configured to log all Shorewall message to their own log file
################################################################################ ################################################################################
# #
# PATH - Change this if you want to change the order in which Shorewall # LOG FILE LOCATION
# searches directories for executable files.
# #
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin # This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/shorewall_logging.html
# LOGFILE=/var/log/messages
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
#
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
#
SUBSYSLOCK=/var/run/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/tmp/shorewall
#
# ALLOW RELATED CONNECTIONS
#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want
# to accept FTP data connections. If you say "no" here, then to accept
# these connections between particular zones or hosts, you must include
# explicit "related" rules in /etc/shorewall/rules.
#
ALLOWRELATED=yes
#
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=
# #
# LOG RATE LIMITING # LOG RATE LIMITING
@ -132,25 +87,122 @@ LOGBURST=
# packets are logged under the 'logunclean' interface option. If the variable # packets are logged under the 'logunclean' interface option. If the variable
# is empty, these packets will still be logged at the 'info' level. # is empty, these packets will still be logged at the 'info' level.
# #
# See the comment at the top of this file for a description of log levels # See the comment at the top of this section for a description of log levels
# #
LOGUNCLEAN=info LOGUNCLEAN=info
# #
# LOG FILE LOCATION # BLACKLIST LOG LEVEL
# #
# This variable tells the /sbin/shorewall program where to look for Shorewall # Set this variable to the syslogd level that you want blacklist packets logged
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then # (beware of DOS attacks resulting from such logging). If not set, no logging
# /var/log/messages is assumed. # of blacklist packets occurs.
# #
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to # See the comment at the top of this section for a description of log levels
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
# #
# http://www.shorewall.net/FAQ.htm#faq6 BLACKLIST_LOGLEVEL=
LOGFILE=/var/log/messages #
# LOGGING 'New not SYN' rejects
#
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# See the comment at the top of this section for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN=
#
# MAC List Log Level
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
# See the comment at the top of this section for a description of log levels
#
MACLIST_LOG_LEVEL=info
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
# See the comment at the top of this section for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=info
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this section for a description of log levels
#
RFC1918_LOG_LEVEL=info
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
#
SUBSYSLOCK=/var/run/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/tmp/shorewall
#
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=
################################################################################
# F I R E W A L L O P T I O N S
################################################################################
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
# #
# ENABLE NAT SUPPORT # ENABLE NAT SUPPORT
@ -214,24 +266,40 @@ ADD_SNAT_ALIASES=No
TC_ENABLED=No TC_ENABLED=No
# #
# BLACKLIST DISPOSITION # Clear Traffic Shapping/Control
# #
# Set this variable to the action that you want to perform on packets from # If this option is set to 'No' then Shorewall won't clear the current
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, # traffic control rules during [re]start. This setting is intended
# DROP is assumed. # for use by people that prefer to configure traffic shaping when
# the network interfaces come up rather than when the firewall
# is started. If that is what you want to do, set TC_ENABLED=Yes and
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
# way, your traffic shaping rules can still use the 'fwmark'
# classifier based on packet marking defined in /etc/shorewall/tcrules.
# #
BLACKLIST_DISPOSITION=DROP # If omitted, CLEAR_TC=Yes is assumed.
CLEAR_TC=Yes
# #
# BLACKLIST LOG LEVEL # Mark Packets in the forward chain
# #
# Set this variable to the syslogd level that you want blacklist packets logged # When processing the tcrules file, Shorewall normally marks packets in the
# (beward of DOS attacks resulting from such logging). If not set, no logging # PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# of blacklist packets occurs. # this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
# #
# See the comment at the top of this file for a description of log levels # Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
# #
BLACKLIST_LOGLEVEL= # Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
# #
# MSS CLAMPING # MSS CLAMPING
@ -311,63 +379,30 @@ MULTIPORT=No
# DNAT net loc:192.168.1.3 tcp 80 # DNAT net loc:192.168.1.3 tcp 80
# #
# it will forward TCP port 80 connections from the net to 192.168.1.3 # it will forward TCP port 80 connections from the net to 192.168.1.3
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is # REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
# convenient for two reasons: # convenient for two reasons:
# #
# a) If the the network interface has a dynamic IP address, the # a) If the the network interface has a dynamic IP address, the
# firewall configuration will work even when the address # firewall configuration will work even when the address
# changes. # changes.
# #
# b) It saves having to configure the IP address in the rule # b) It saves having to configure the IP address in the rule
# while still allowing the firewall to be started before the # while still allowing the firewall to be started before the
# internet interface is brought up. # internet interface is brought up.
# #
# This default behavior can also have a negative effect. If the # This default behavior can also have a negative effect. If the
# internet interface has more than one IP address then the above # internet interface has more than one IP address then the above
# rule will forward connection requests on all of these addresses; # rule will forward connection requests on all of these addresses;
# that may not be what is desired. # that may not be what is desired.
# #
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply # By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
# only if the original destination address is the primary IP address of # only if the original destination address is the primary IP address of
# one of the interfaces associated with the source zone. Note that this # one of the interfaces associated with the source zone. Note that this
# requires all interfaces to the source zone to be up when the firewall # requires all interfaces to the source zone to be up when the firewall
# is [re]started. # is [re]started.
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No
#
# MERGE HOSTS FILE
#
# The traditional behavior of the /etc/shorewall/hosts file has been that
# if that file has ANY entry for a zone then the zone must be defined
# entirely in the hosts file. This is counter-intuitive and has caused
# people some problems.
#
# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
# are added to the contents described in the /etc/shorewall/interfaces file.
#
# Example: Suppose that we have the following interfaces and hosts files:
#
# Interfaces:
#
# net eth0
# loc eth1
# - ppp+
#
# Hosts:
#
# loc ppp+:192.168.1.0/24
# wrk ppp+:!192.168.1.0/24
#
# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just
# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
# ppp+:192.168.1.0 and eth1:0.0.0.0/0
#
# If this variable is not set or is set to the empty value, "No" is assumed.
MERGE_HOSTS=Yes
# #
# MUTEX TIMEOUT # MUTEX TIMEOUT
# #
@ -383,36 +418,6 @@ MERGE_HOSTS=Yes
MUTEX_TIMEOUT=60 MUTEX_TIMEOUT=60
#
# LOGGING 'New not SYN' rejects
#
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# See the comment at the top of this file for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN=
#
# Old Ping Handling
#
# If this option is set to "Yes" then Shorewall will use its old ping handling
# facility including the FORWARDPING option in this file and the 'noping' and
# 'filterping' interface options. If this option is set to 'No' then ping
# is handled via policy and rules just like any other connection request.
#
# If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND
# DON'T DELETE IT!!!!!!
#
OLD_PING_HANDLING=No
# #
# NEWNOTSYN # NEWNOTSYN
# #
@ -427,9 +432,21 @@ OLD_PING_HANDLING=No
# Users with a High-availability setup with two firewall's and one acting # Users with a High-availability setup with two firewall's and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes. # also need to select NEWNOTSYN=Yes.
NEWNOTSYN=No NEWNOTSYN=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
#
# BLACKLIST DISPOSITION
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
# #
# MAC List Disposition # MAC List Disposition
# #
@ -441,86 +458,14 @@ NEWNOTSYN=No
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
#
# MAC List Log Level
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
MACLIST_LOG_LEVEL=info
# #
# TCP FLAGS Disposition # TCP FLAGS Disposition
# #
# This variable determins the disposition of packets having an invalid # This variable determins the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the # combination of TCP flags that are received on interfaces having the
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified # 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed. # or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=info
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this file for a description of log levels
#
RFC1918_LOG_LEVEL=info
#
# Mark Packets in the forward chain
#
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
#
# Clear Traffic Shapping/Control
#
# If this option is set to 'No' then Shorewall won't clear the current
# traffic control rules during [re]start. This setting is intended
# for use by people that prefer to configure traffic shaping when
# the network interfaces come up rather than when the firewall
# is started. If that is what you want to do, set TC_ENABLED=Yes and
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
# way, your traffic shaping rules can still use the 'fwmark'
# classifier based on packet marking defined in /etc/shorewall/tcrules.
#
# If omitted, CLEAR_TC=Yes is assumed.
CLEAR_TC=Yes
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE


@ -1,6 +1,6 @@
############################################################################ ############################################################################
# Shorewall 1.3 -- /etc/shorewall/start # Shorewall 1.4 -- /etc/shorewall/start
# #
# Add commands below that you want to be executed after shorewall has # Add commands below that you want to be executed after shorewall has
# been started or restarted. # been started or restarted.
# #


@ -1,5 +1,5 @@
############################################################################ ############################################################################
# Shorewall 1.3 -- /etc/shorewall/stop # Shorewall 1.4 -- /etc/shorewall/stop
# #
# Add commands below that you want to be executed at the beginning of a # Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command. # "shorewall stop" command.


@ -1,5 +1,5 @@
############################################################################ ############################################################################
# Shorewall 1.3 -- /etc/shorewall/stopped # Shorewall 1.4 -- /etc/shorewall/stopped
# #
# Add commands below that you want to be executed at the completion of a # Add commands below that you want to be executed at the completion of a
# "shorewall stop" command. # "shorewall stop" command.


@ -1,5 +1,5 @@
# #
# Shorewall version 1.3 - Traffic Control Rules File # Shorewall version 1.4 - Traffic Control Rules File
# #
# /etc/shorewall/tcrules # /etc/shorewall/tcrules
# #
@ -26,10 +26,10 @@
# /etc/shorewall/shorewall.conf. # /etc/shorewall/shorewall.conf.
# #
# SOURCE Source of the packet. A comma-separated list of # SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses # interface names, IP addresses, MAC addresses
# and/or subnets. Use $FW if the packet originates on # and/or subnets. Use $FW if the packet originates on
# the firewall in which case the MARK column may NOT # the firewall in which case the MARK column may NOT
# specify either ":P" or ":F" (marking always occurs # specify either ":P" or ":F" (marking always occurs
# in the OUTPUT chain). # in the OUTPUT chain).
# #
# MAC addresses must be prefixed with "~" and use # MAC addresses must be prefixed with "~" and use


@ -1,5 +1,5 @@
# #
# Shorewall 1.3 -- /etc/shorewall/tos # Shorewall 1.4 -- /etc/shorewall/tos
# #
# This file defines rules for setting Type Of Service (TOS) # This file defines rules for setting Type Of Service (TOS)
# #


@ -1,5 +1,5 @@
# #
# Shorewall 1.3 - /etc/shorewall/tunnels # Shorewall 1.4 - /etc/shorewall/tunnels
# #
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels. # This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
# #
@ -25,7 +25,7 @@
# remote getway has no fixed address (Road Warrior) # remote getway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0. # then specify the gateway as 0.0.0.0/0.
# #
# GATEWAY # GATEWAY
# ZONES -- Optional. If the gateway system specified in the third # ZONES -- Optional. If the gateway system specified in the third
# column is a standalone host then this column should # column is a standalone host then this column should
# contain a comma-separated list of the names of the # contain a comma-separated list of the names of the


@ -1,14 +1,14 @@
# #
# Shorewall 1.3 /etc/shorewall/zones # Shorewall 1.4 /etc/shorewall/zones
# #
# This file determines your network zones. Columns are: # This file determines your network zones. Columns are:
# #
# ZONE Short name of the zone # ZONE Short name of the zone
# DISPLAY Display name of the zone # DISPLAY Display name of the zone
# COMMENTS Comments about the zone # COMMENTS Comments about the zone
# #
#ZONE DISPLAY COMMENTS #ZONE DISPLAY COMMENTS
net Net Internet net Net Internet
loc Local Local networks loc Local Local networks
dmz DMZ Demilitarized zone dmz DMZ Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


@ -1,8 +1,8 @@
#!/bin/sh #!/bin/sh
# #
# Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002 # Shorewall Packet Filtering Firewall Control Program - V1.4 - 3/14/2003
# #
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
# #
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
# #
@ -12,7 +12,7 @@
# Shorewall documentation is available at http://shorewall.sourceforge.net # Shorewall documentation is available at http://shorewall.sourceforge.net
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License # it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation. # as published by the Free Software Foundation.
# #
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
@ -23,7 +23,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software # along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
# #
# If an error occurs while starting or restarting the firewall, the # If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped. # firewall is automatically stopped.
# #
@ -34,13 +34,13 @@
# #
# shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone # shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone
# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone # shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
# shorewall start Starts the firewall # shorewall start Starts the firewall
# shorewall restart Restarts the firewall # shorewall restart Restarts the firewall
# shorewall stop Stops the firewall # shorewall stop Stops the firewall
# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status # shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status
# plus the last 20 "interesting" # plus the last 20 "interesting"
# packets # packets
# shorewall status Displays firewall status # shorewall status Displays firewall status
# shorewall reset Resets iptables packet and # shorewall reset Resets iptables packet and
# byte counts # byte counts
# shorewall clear Open the floodgates by # shorewall clear Open the floodgates by
@ -75,7 +75,7 @@
# listed address(es) # listed address(es)
# shorewall reject <address> ... Temporarily reject all packets from the # shorewall reject <address> ... Temporarily reject all packets from the
# listed address(es) # listed address(es)
# shorewall allow <address> ... Reenable address(es) previously # shorewall allow <address> ... Reenable address(es) previously
# disabled with "drop" or "reject" # disabled with "drop" or "reject"
# shorewall save Save the list of "rejected" and # shorewall save Save the list of "rejected" and
# "dropped" addresses so that it will # "dropped" addresses so that it will
@ -84,6 +84,7 @@
# #
# Display a chain if it exists # Display a chain if it exists
# #
showfirstchain() # $1 = name of chain showfirstchain() # $1 = name of chain
{ {
awk \ awk \
@ -142,7 +143,7 @@ get_config() {
display_chains() display_chains()
{ {
trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9 trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
if [ "$haveawk" = "Yes" ]; then if [ "$haveawk" = "Yes" ]; then
# #
# Send the output to a temporary file since ash craps if we try to store # Send the output to a temporary file since ash craps if we try to store
@ -170,11 +171,11 @@ display_chains()
echo echo
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2` chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
for chain in $chains; do for chain in $chains; do
showchain $chain showchain $chain
done done
timed_read timed_read
for zone in $zones; do for zone in $zones; do
@ -242,7 +243,7 @@ display_chains()
# Delay $timeout seconds -- if we're running on a recent bash2 then allow # Delay $timeout seconds -- if we're running on a recent bash2 then allow
# <enter> to terminate the delay # <enter> to terminate the delay
# #
timed_read () timed_read ()
{ {
read -t $timeout foo 2> /dev/null read -t $timeout foo 2> /dev/null
@ -252,7 +253,7 @@ timed_read ()
# #
# Display the last $1 packets logged # Display the last $1 packets logged
# #
packet_log() # $1 = number of messages packet_log() # $1 = number of messages
{ {
local options local options
@ -334,7 +335,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
get_config get_config
host=`echo $HOSTNAME | sed 's/\..*$//'` host=`echo $HOSTNAME | sed 's/\..*$//'`
oldrejects=`iptables -L -v -n | grep 'LOG'` oldrejects=`iptables -L -v -n | grep 'LOG'`
if [ $1 -lt 0 ]; then if [ $1 -lt 0 ]; then
let "timeout=- $1" let "timeout=- $1"
pause="Yes" pause="Yes"
@ -347,7 +348,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
while true; do while true; do
display_chains display_chains
clear clear
echo "$banner `date`" echo "$banner `date`"
echo echo
@ -361,7 +362,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
if [ "$rejects" != "$oldrejects" ]; then if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects" oldrejects="$rejects"
$RING_BELL $RING_BELL
packet_log 20 packet_log 20
@ -435,7 +436,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
get_config get_config
host=`echo $HOSTNAME | sed 's/\..*$//'` host=`echo $HOSTNAME | sed 's/\..*$//'`
oldrejects=`iptables -L -v -n | grep 'LOG'` oldrejects=`iptables -L -v -n | grep 'LOG'`
if [ $1 -lt 0 ]; then if [ $1 -lt 0 ]; then
timeout=$((- $1)) timeout=$((- $1))
pause="Yes" pause="Yes"
@ -570,24 +571,11 @@ fi
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHARED_DIR=/usr/lib/shorewall
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
config=$SHOREWALL_DIR/shorewall.conf
else
config=/etc/shorewall/shorewall.conf
fi
if [ -f $config ]; then
. $config
else
echo "$config does not exist!" >&2
exit 2
fi
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
SHARED_DIR=/usr/share/shorewall
FIREWALL=$SHARED_DIR/firewall FIREWALL=$SHARED_DIR/firewall
FUNCTIONS=$SHARED_DIR/functions FUNCTIONS=$SHARED_DIR/functions
VERSION_FILE=$SHARED_DIR/version VERSION_FILE=$SHARED_DIR/version
@ -599,6 +587,15 @@ else
exit 2 exit 2
fi fi
config=`find_file shorewall.conf`
if [ -f $config ]; then
. $config
else
echo "$config does not exist!" >&2
exit 2
fi
if [ ! -f $FIREWALL ]; then if [ ! -f $FIREWALL ]; then
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
if [ -L $FIREWALL ]; then if [ -L $FIREWALL ]; then
@ -754,7 +751,7 @@ case "$1" in
echo "" echo ""
echo " HITS PORT SERVICE(S)" echo " HITS PORT SERVICE(S)"
echo " ---- ----- ----------" echo " ---- ----- ----------"
grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
while read count port ; do while read count port ; do
# List all services defined for the given port # List all services defined for the given port
@ -853,4 +850,4 @@ case "$1" in
*) *)
usage 1 usage 1
;; ;;
esac esac
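Review bot: The STATEDIR fallback `[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall` now executes before the relocated `. $config` block, so a shorewall.conf that sets STATEDIR to the empty string (the "empty means default" convention the new shorewall.conf comments describe for LOGFILE) leaves STATEDIR empty instead of falling back; the fallback line should be moved to just after the `fi` that closes the new config block. In that block `[ -f $config ]` and `. $config` are unquoted, and because `config` comes from `find_file` (defined outside this hunk) an empty result makes `[ -f ]` succeed and `.` fail with an unrelated error — `if [ -f "$config" ]; then . "$config"` is the safer form. It is also worth noting in a comment that the shipped shorewall.conf sets STATEDIR=/tmp/shorewall while this script falls back to /var/state/shorewall; root-owned firewall state under world-writable /tmp can be pre-created by any local user, so the two defaults should be aligned on a root-only directory. The surrounding startup code continues outside the hunk.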


@ -1,5 +1,5 @@
etc/init.d/shorewall etc/init.d/shorewall
etc/shorewall etc/shorewall
sbin/shorewall sbin/shorewall
usr/lib/shorewall usr/share/shorewall
var/lib/lrpkg/shorwall.* var/lib/lrpkg/shorwall.*


@ -1 +1 @@
1.3.14 1.4.0




@ -2,170 +2,162 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base <base
target="main"> target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" bgcolor="#ffffff"> <td width="100%"
bgcolor="#ffffff">
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference
Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful
Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li><a href="Forum.html">Support Forum</a> <img
src="images/new10.gif" alt="(New)" width="28" height="12">
<br>
</li>
<li> <a
href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
<li> <a
href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br>
</li>
</ul>
</li>
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
<li> <a
href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting
help or Answers to Questions</a><br>
</li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br>
</li>
</ul>
</li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News
<li> <a Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes <li> <a href="quotes.htm">Quotes
from Users</a></li> from Users</a></li>
<li> <a href="shoreline.htm">About <li> <a href="shoreline.htm">About
the Author</a></li> the Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable <b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br> Daily 0200-0330 GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input <font face="Arial"> <input
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a></p> size="2">2001-2003 Thomas M. Eastep.</font></a><a
href="http://www.shorewall.net" target="_top"> </a></p>
<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a><br>
</p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>


@ -2,165 +2,166 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base
target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td width="100%"
bgcolor="#ffffff"> bgcolor="#ffffff">
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li><a href="Forum.html">Support Forum</a> <img
src="images/new10.gif" alt="(New)" width="28" height="12">
<br>
</li>
<li> <a
href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
<li> <a
href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br>
</li>
</ul>
</li>
<ul>
<li> <a
href="sourceforge_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
<li> <a
href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting
Help or Answers to Questions</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br>
</li>
</ul>
</li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News
<li> <a Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes <li> <a href="quotes.htm">Quotes
from Users</a></li> from Users</a></li>
<li> <a href="shoreline.htm">About <li> <a href="shoreline.htm">About
the Author</a></li> the Author</a></li>
<li> <a <li> <a
href="sourceforge_index.htm#Donations">Donations</a></li> href="sourceforge_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody> </ul>
</td>
</tr>
</tbody>
</table> </table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable <b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br> Daily 0200-0330 GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1">
type="text" name="words" size="15"></font><font size="-1"> </font> <font <input type="text" name="words" size="15"></font><font size="-1"> </font>
face="Arial" size="-1"> <input type="hidden" name="format" <font face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input <font face="Arial"> <input
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a></p> size="2">2001-2003 Thomas M. Eastep.</font></a><br>
<br> </p>
<br>
<br>
<br>
</body> </body>
</html> </html>


@ -6,7 +6,8 @@
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
@ -15,25 +16,24 @@
<base
target="_self"> <base target="_self">
<meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
height="90"> height="90">
@ -43,14 +43,28 @@
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font </a></i></font><a
color="#ffffff">Shorewall 1.4 - <font size="4">"<i>iptables href="http://www.shorewall.net" target="_top"><img border="1"
made easy"</i></font></font></h1> src="images/shorewall.jpg" width="119" height="38" hspace="4"
alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1>
<small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small><big></big>
<div align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1>
</div>
<p><a href="http://www.shorewall.net" target="_top">
</a> </p>
@ -61,43 +75,42 @@
<div align="center"><a
href="http://shorewall.sf.net/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a><br>
</div>
<div align="center"><a href="http://1.3/index.htm" target="_top"><font
color="#ffffff">Shorewall 1.3 Site is here</font></a>                  
            <br>
<br> </div>
</td>
</td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
<div align="center"> <div align="center">
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -108,7 +121,7 @@
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
@ -121,11 +134,12 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall <p>The Shoreline Firewall, more commonly known as "Shorewall", is
that can be used on a dedicated firewall system, a multi-function a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
gateway/router/server or on a standalone GNU/Linux system.</p> firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
@ -137,29 +151,30 @@
<p>This program is free software; you can redistribute it and/or modify
it under the terms
of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
<p>This program is free software; you can redistribute it and/or modify
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
This program is distributed <br>
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
<br> This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
You should have received <br>
a copy of the GNU General Public License
along with this program; if not, write to You should have received
the Free Software Foundation, Inc., 675 Mass a copy of the GNU General Public License
Ave, Cambridge, MA 02139, USA</p> along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
@ -171,7 +186,8 @@
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -184,253 +200,338 @@
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and </a>Jacques Nilo
Eric Wolzak have a LEAF (router/firewall/gateway and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution called on a floppy, CD or compact flash) distribution
<i>Bering</i> that features Shorewall-1.3.14 called <i>Bering</i> that features
and Kernel-2.4.20. You can find their work at: Shorewall-1.3.14 and Kernel-2.4.20. You can find
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> their work at: <a
</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.1!!!</b><br>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!! </b><br>
</p> </p>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>News</h2>
<h2></h2>
<p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p></p> <h2>This is a mirror of the main Shorewall web site at SourceForge
Shorewall 1.4 represents the next step in the evolution of Shorewall. (<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
The main thrust of the initial release is simply to remove the cruft that
has accumulated in Shorewall over time.<br> <h2>News</h2>
 <br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package <p><b>3/17/2003 - Shorewall 1.4.0 </b><b> </b><b><img
('ip' utility).</b><br> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
<br> </b><b> </b></p>
Function from 1.3 that has been omitted from this version include:<br> Shorewall 1.4 represents
the next step in the evolution of Shorewall. The main thrust of the
initial release is simply to remove the cruft that has accumulated in
Shorewall over time. <br>
<br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
('ip' utility).</b><br>
<br>
Function from 1.3 that has been omitted from this version
include:<br>
<ol> <ol>
<li>The MERGE_HOSTS variable in shorewall.conf is <li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br> Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<br> <br>
</li> </li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; <li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate an error.<br> in /etc/shorewall/interfaces now generate an error.<br>
<br> <br>
</li> </li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. <li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup as will specification OLD_PING_HANDLING=Yes will generate an error at startup as will specification
of the 'noping' or 'filterping' interface options.<br> of the 'noping' or 'filterping' interface options.<br>
<br> <br>
</li> </li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces <li>The 'routestopped' option in the /etc/shorewall/interfaces
and /etc/shorewall/hosts files is no longer supported and will generate and /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.<br> an error at startup if specified.<br>
<br> <br>
</li> </li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
is no longer accepted.<br> longer accepted.<br>
<br> <br>
</li> </li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer <li>The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br> supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br> <br>
</li> </li>
<li>The icmp.def file has been removed.<br> <li>The icmp.def file has been removed.<br>
</li>
</ol>
Changes for 1.4 include:<br>
<ol>
<li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br>
<br>
</li>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>The firewall script, common functions file and version file
are now installed in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in the
common chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if
you want to 'ping' from the firewall, you will need the appropriate rule
or policy.<br>
<br>
</li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br>
<br>
</li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168)
may now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<br>
a) You must be running kernel 2.4.20<br>
b) You must have applied the patch in<br>
http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
c) You must have iptables 1.2.7a installed.<br>
<br> <br>
</li> </li>
<li value="8">The 'multi' interface option is no longer supported. <li>The /etc/shorewall/params file is now processed first so that
 Shorewall will generate rules for sending packets back out the same interface variables may be used in the /etc/shorewall/shorewall.conf file.<br>
that they arrived on in two cases:</li>
</ol>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to
or from the destination zone. An explicit policy names both zones and does
not use the 'all' reserved word.</li>
<li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.<br>
</li>
</ul>
<ol>
</ol>
Changes for 1.4 include:<br>
<ol>
<li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br>
<br>
</li>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>The firewall script and version file are now installed
in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in
the common chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
want to 'ping' from the firewall, you will need the appropriate rule or
policy.<br>
<br> <br>
</li> </li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br> <li value="10">Shorewall now gives a more helpful diagnostic when
the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
command is issued.<br>
<br> <br>
</li> </li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i> <li>The SHARED_DIR variable has been removed from shorewall.conf.
now support the 'maclist' option.<br> This variable was for use by package maintainers and was not documented
for general use.<br>
<br> <br>
</li> </li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168) may <li>Shorewall now ignores 'default' routes when detecting masq'd
now be turned off on a host or network basis using the new /etc/shorewall/ecn networks.<br>
file. To use this facility:<br> </li>
<br>
   a) You must be running kernel 2.4.20<br>
   b) You must have applied the patch in<br>
   http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
   c) You must have iptables 1.2.7a installed.<br>
<br>
</li>
<li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
</li>
</ol> </ol>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top"></a>
<p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>A roleup of the following bug fixes and other updates:</p>
<ul> <ul>
<li>There is an updated rfc1918 file that reflects the resent
allocation of 222.0.0.0/8 and 223.0.0.0/8.</li>
<li>The documentation for the routestopped file claimed that a
comma-separated list could appear in the second column while the code
only supported a single host or network address.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were
not rate-limited. 802.11b devices with names of the form <i>wlan</i>&lt;n&gt;
don't support the 'maclist' interface option.</li>
<li>Log messages generated by RFC 1918 filtering are not rate
limited.</li>
<li>The firewall fails to start in the case
where you have "eth0 eth1" in /etc/shorewall/masq and the default route
is through eth1.</li>
</ul> </ul>
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
<p>New features include</p>
<ol>
<li>An OLD_PING_HANDLING option has been added
to shorewall.conf. When set to Yes, Shorewall ping handling is
as it has always been (see http://www.shorewall.net/ping.html).<br>
<br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled
via rules and policies just like any other connection request.
The FORWARDPING=Yes option in shorewall.conf and the 'noping' and
'filterping' options in /etc/shorewall/interfaces will all generate
an error.<br>
<br>
</li>
<li>It is now possible to direct Shorewall to create
a "label" such as "eth0:0" for IP addresses that it creates under
ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
the label instead of just the interface name:<br>
<br>
a) In the INTERFACE column of /etc/shorewall/masq<br>
b) In the INTERFACE column of /etc/shorewall/nat<br>
</li>
<li>Support for OpenVPN Tunnels.<br>
<br>
</li>
<li>Support for VLAN devices with names of the
form $DEV.$VID (e.g., eth0.0)<br>
<br>
</li>
<li>In /etc/shorewall/tcrules, the MARK value may
be optionally followed by ":" and either 'F' or 'P' to designate that
the marking will occur in the FORWARD or PREROUTING chains respectively.
If this additional specification is omitted, the chain used to mark packets
will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
</li>
<li>When an interface name is entered in the SUBNET
column of the /etc/shorewall/masq file, Shorewall previously masqueraded
traffic from only the first subnet defined on that interface. It
did not masquerade traffic from:<br>
<br>
a) The subnets associated with other addresses
on the interface.<br>
b) Subnets accessed through local routers.<br>
<br>
Beginning with Shorewall 1.3.14, if you enter an interface
name in the SUBNET column, shorewall will use the firewall's routing
table to construct the masquerading/SNAT rules.<br>
<br>
Example 1 -- This is how it works in 1.3.14.<br>
<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<p><b></b><a href="News.htm">More News</a></p> <pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br></pre>
<pre> [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
<br>
When upgrading to Shorewall 1.3.14, if you have multiple
local subnets connected to an interface that is specified in the
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
file will need changing. In most cases, you will simply be able to remove
redundant entries. In some cases though, you might want to change from
using the interface name to listing specific subnetworks if the change
described above will cause masquerading to occur on subnetworks that you
don't wish to masquerade.<br>
<br>
Example 2 -- Suppose that your current config is as
follows:<br>
<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
<br>
In this case, the second entry in /etc/shorewall/masq
is no longer required.<br>
<br>
Example 3 -- What if your current configuration is
like this?<br>
<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
<br>
In this case, you would want to change the entry
in /etc/shorewall/masq to:<br>
<pre> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li>
</ol>
<br>
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
</b></p>
Webmin version 1.060 now has Shorewall support included
as standard. See <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>
</b>
<p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" <td width="88"
bgcolor="#4b017c" valign="top" align="center"> <a bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td> href="http://sourceforge.net">M</a></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
@ -440,12 +541,12 @@ variables may be used in the /etc/shorewall/shorewall.conf file.<br>
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
  </a></p> </a></p>
@ -457,33 +558,32 @@ variables may be used in the /etc/shorewall/shorewall.conf file.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but <p align="center"><font size="4" color="#ffffff">Shorewall is free
if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's href="http://www.starlight.org"><font color="#ffffff">Starlight
Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
</body> </body>
</html> </html>


@ -2,313 +2,320 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title> <title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br> (HOWTO's)<br>
Version 4.0</font></h1> Version 4.0</font></h1>
</td> </td>
</tr> </tr>
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br>
</p>
<h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul>
<li><a href="standalone.htm">Standalone</a> Linux
System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local network
(<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local network
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about
Shorewall than is explained in the single-address guides above.</b></p>
<ul>
<li><a
href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0
Shorewall Concepts</a></li>
<li><a
href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a
href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a
href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4
Address Resolution Protocol</a></li>
</ul>
<ul>
<li><a
href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0
Setting up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1
Routed</a></li>
</ul>
<ul>
<li><a
href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
DNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3
Rules</a></li>
<li><a
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li>
</ul>
<h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before trying
to use this documentation directly.</p>
<ul>
<li><a
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
(e.g., eth0:0)</a><br>
</li>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common
configuration file features</a>
<ul>
<li><a
href="configuration_file_basics.htm#Comments">Comments in configuration
files</a></li>
<li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
<li><a
href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
<li><a
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
<li><a
href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br>
</li>
<li><a
href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li>
<li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations
(making a test configuration)</a></li>
<li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File
Reference Manual</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall
Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel
Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br>
</li>
<li><a href="MAC_Validation.html">MAC Verification</a><br>
</li>
<li><a href="myfiles.htm">My Shorewall Configuration
(How I personally use Shorewall)</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br>
</p>
<h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul>
<li><a href="standalone.htm">Standalone</a> Linux
System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local network
(<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local network
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about
Shorewall than is explained in the single-address guides above.</b></p>
<ul>
<li><a
href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a
href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a
href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a
href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
<ul> <ul>
<li>Which applications use which ports</li> <li><a
<li>Ports used by Trojans</li> href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a
href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4
Address Resolution Protocol</a></li>
</ul> </ul>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br>
</li>
</ul>
<li><font color="#000099"><a href="NAT.htm">Static
NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
with Shorewall</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li>VPN
<ul> <ul>
<li><a href="IPSEC.htm">IPSEC</a></li> <li><a
<li><a href="IPIP.htm">GRE and IPIP</a></li> href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
<li><a href="OPENVPN.html">OpenVPN</a><br>
</li>
<li><a href="PPTP.htm">PPTP</a></li> </ul>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system </li>
<li><a href="shorewall_setup_guide.htm#Options">5.0
Setting up your Network</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a
href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3
Rules</a></li>
<li><a
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0
DNS</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li>
</ul>
<h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before
trying to use this documentation directly.</p>
<ul>
<li><a
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
(e.g., eth0:0)</a><br>
</li>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common
configuration file features</a>
<ul>
<li><a
href="configuration_file_basics.htm#Comments">Comments in configuration
files</a></li>
<li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
<li><a
href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
<li><a
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
<li><a
href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br>
</li>
<li><a
href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li>
<li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations (making
a test configuration)</a></li>
<li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File
Reference Manual</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How
to extend Shorewall without modifying Shorewall code through the use of
files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall
Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel
Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br>
</li>
<li><a href="MAC_Validation.html">MAC Verification</a><br>
</li>
<li><a href="myfiles.htm">My Shorewall Configuration
(How I personally use Shorewall)</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
</ul>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br>
</li>
</ul>
<li><font color="#000099"><a href="NAT.htm">Static
NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent
Proxy with Shorewall</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li>VPN
<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="OPENVPN.html">OpenVPN</a><br>
</li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system
behind your firewall to a remote network.</li> behind your firewall to a remote network.</li>
</ul> </ul>
</li> </li>
<li><a href="whitelisting_under_shorewall.htm">White <li><a href="whitelisting_under_shorewall.htm">White
List Creation</a></li> List Creation</a></li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 3/12/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M. <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br> Eastep</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>


@ -7,34 +7,33 @@
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self"> <base target="_self">
<meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
height="90"> height="90">
@ -44,15 +43,15 @@
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font </a></i></font><font
color="#ffffff">Shorewall 1.4 - <font size="4">"<i>iptables color="#ffffff">Shorewall 1.4 - <font
made easy"</i></font></font><a size="4">"<i>iptables made easy"</i></font></font><a
href="http://www.sf.net"> </a></h1> href="http://www.sf.net"> </a></h1>
@ -64,35 +63,37 @@
<div align="center"><a href="/1.3/index.html" target="_top"><font <div align="center"><a href="/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a></div> color="#ffffff">Shorewall 1.3 Site here</font></a></div>
</td> </td>
</tr> </tr>
</tbody>
</tbody>
</table> </table>
<div align="center"> <div align="center">
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -103,7 +104,8 @@
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
@ -117,12 +119,12 @@
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is <p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall system, based firewall that can be used on a dedicated firewall system,
a multi-function gateway/router/server or on a standalone a multi-function gateway/router/server or on a standalone
GNU/Linux system.</p> GNU/Linux system.</p>
@ -135,29 +137,29 @@ GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free 2 of the GNU General Public License</a> as published by the Free Software
Software Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed This program is distributed
in the hope that it will be useful, but in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br> for more details.<br>
<br> <br>
You should have received You should have received
a copy of the GNU General Public License a copy of the GNU General Public License
along with this program; if not, write along with this program; if not, write
to the Free Software Foundation, Inc., 675 to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p> Mass Ave, Cambridge, MA 02139, USA</p>
@ -170,7 +172,7 @@ to the Free Software Foundation, Inc., 675
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -184,25 +186,26 @@ to the Free Software Foundation, Inc., 675
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo </a>Jacques
and Eric Wolzak have a LEAF (router/firewall/gateway Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b> <b>Congratulations
</b> to Jacques and Eric on the recent release of Bering
1.1!!! <br>
</b>
<b>Congratulations to Jacques and
Eric on the recent release of Bering 1.1!!!</b><br>
<h2>News</h2> <h2>News</h2>
@ -218,128 +221,267 @@ Eric on the recent release of Bering 1.1!!!</b><br>
<p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img <p><b>3/17/2003 - Shorewall 1.4.0  </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>  </b><b> </b></p>
Shorewall 1.4 represents Shorewall 1.4 represents
the next step in the evolution of Shorewall. The main thrust of the initial the next step in the evolution of Shorewall. The main thrust of the
release is simply to remove the cruft that has accumulated in Shorewall initial release is simply to remove the cruft that has accumulated in
over time. <br> Shorewall over time. <br>
<br> <br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package <b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
('ip' utility).</b><br> ('ip' utility).</b><br>
<br> <br>
Function from 1.3 that has been omitted from this version include:<br> Function from 1.3 that has been omitted from this version
include:<br>
<ol> <ol>
<li>The MERGE_HOSTS variable in shorewall.conf is <li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br> Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<br> <br>
</li> </li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; <li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate an error.<br> in /etc/shorewall/interfaces now generate an error.<br>
<br> <br>
</li> </li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. <li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup as will specification OLD_PING_HANDLING=Yes will generate an error at startup as will specification
of the 'noping' or 'filterping' interface options.<br> of the 'noping' or 'filterping' interface options.<br>
<br> <br>
</li> </li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces <li>The 'routestopped' option in the /etc/shorewall/interfaces
and /etc/shorewall/hosts files is no longer supported and will generate and /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.<br> an error at startup if specified.<br>
<br> <br>
</li> </li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
no longer accepted.<br> longer accepted.<br>
<br> <br>
</li> </li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer <li>The ALLOWRELATED variable in shorewall.conf is no longer supported.
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br> Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br> <br>
</li> </li>
<li>The icmp.def file has been removed.<br> <li>The icmp.def file has been removed.<br>
<br> </li>
</li>
<li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same interface
that they arrived on in two cases:</li>
</ol> </ol>
Changes for 1.4 include:<br>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to
or from the destination zone. An explicit policy names both zones and does
not use the 'all' reserved word.</li>
<li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li>
</ul>
<ul>
</ul>
Changes for 1.4 include:<br>
<ol> <ol>
<li>The /etc/shorewall/shorewall.conf file has been completely <li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br> reorganized into logical sections.<br>
<br> <br>
</li> </li>
<li>LOG and CONTINUE are now a valid actions for a rule (/etc/shorewall/rules).<br> <li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br> <br>
</li> </li>
<li>The firewall script and version file are now installed <li>The firewall script, common functions file and version file
in /usr/share/shorewall.<br> are now installed in /usr/share/shorewall.<br>
<br> <br>
</li> </li>
<li>Late arriving DNS replies are now silently dropped in <li>Late arriving DNS replies are now silently dropped in the
the common chain by default.<br> common chain by default.<br>
<br> <br>
</li> </li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall <li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you want 1.4 no longer unconditionally accepts outbound ICMP packets. So if you
to 'ping' from the firewall, you will need the appropriate rule or policy.<br> want to 'ping' from the firewall, you will need the appropriate rule or
<br> policy.<br>
</li> <br>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br> </li>
<br> <li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
</li> <br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i> <li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br> now support the 'maclist' option.<br>
<br> <br>
</li> </li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168) may <li value="8">Explicit Congestion Notification (ECN - RFC 3168)
now be turned off on a host or network basis using the new /etc/shorewall/ecn may now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br> file. To use this facility:<br>
<br> <br>
   a) You must be running kernel 2.4.20<br>    a) You must be running kernel 2.4.20<br>
   b) You must have applied the patch in<br>    b) You must have applied the patch in<br>
   http://www.shorewall/net/pub/shorewall/ecn/patch.<br>    http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
   c) You must have iptables 1.2.7a installed.<br>    c) You must have iptables 1.2.7a installed.<br>
<br> <br>
</li> </li>
<li>The /etc/shorewall/params file is now processed first so that <li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.</li> variables may be used in the /etc/shorewall/shorewall.conf file.<br>
<br>
</li>
<li value="10">Shorewall now gives a more helpful diagnostic when
the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
command is issued.<br>
<br>
</li>
<li>The SHARED_DIR variable has been removed from shorewall.conf.
This variable was for use by package maintainers and was not documented
for general use.<br>
<br>
</li>
<li>Shorewall now ignores 'default' routes when detecting masq'd
networks.<br>
</li>
</ol> </ol>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top"></a>
<p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b> </b><b><img
<p></p> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
<b> </b>  </b></p>
<p>A roleup of the following bug fixes and other updates:</p>
<ul>
<li>There is an updated rfc1918 file that reflects the resent
allocation of 222.0.0.0/8 and 223.0.0.0/8. </li>
<li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a
single host or network address. </li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were
not rate-limited. </li>
<li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt;
don't support the 'maclist' interface option. </li>
<li>Log messages generated by RFC 1918 filtering are not rate limited. </li>
<li>The firewall fails to start in the case where you have "eth0
eth1" in /etc/shorewall/masq and the default route is through eth1
</li>
</ul>
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
<p>New features include</p>
<ol>
<li>An OLD_PING_HANDLING option has been added to shorewall.conf.
When set to Yes, Shorewall ping handling is as it has always been
(see http://www.shorewall.net/ping.html).<br>
<br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled
via rules and policies just like any other connection request. The
FORWARDPING=Yes option in shorewall.conf and the 'noping' and 'filterping'
options in /etc/shorewall/interfaces will all generate an error.<br>
<br>
</li>
<li>It is now possible to direct Shorewall to create
a "label" such as  "eth0:0" for IP addresses that it creates under
ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
the label instead of just the interface name:<br>
 <br>
   a) In the INTERFACE column of /etc/shorewall/masq<br>
   b) In the INTERFACE column of /etc/shorewall/nat<br>
 </li>
<li>Support for OpenVPN Tunnels.<br>
<br>
</li>
<li>Support for VLAN devices with names of the form
$DEV.$VID (e.g., eth0.0)<br>
<br>
</li>
<li>In /etc/shorewall/tcrules, the MARK value may be
optionally followed by ":" and either 'F' or 'P' to designate that the
marking will occur in the FORWARD or PREROUTING chains respectively.
If this additional specification is omitted, the chain used to mark packets
will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
</li>
<li>When an interface name is entered in the SUBNET
column of the /etc/shorewall/masq file, Shorewall previously masqueraded
traffic from only the first subnet defined on that interface. It
did not masquerade traffic from:<br>
 <br>
   a) The subnets associated with other addresses on the
interface.<br>
   b) Subnets accessed through local routers.<br>
 <br>
Beginning with Shorewall 1.3.14, if you enter an interface
name in the SUBNET column, shorewall will use the firewall's routing
table to construct the masquerading/SNAT rules.<br>
 <br>
Example 1 -- This is how it works in 1.3.14.<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>  [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
<pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
 <br>
When upgrading to Shorewall 1.3.14, if you have multiple
local subnets connected to an interface that is specified in the
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
file will need changing. In most cases, you will simply be able to remove
redundant entries. In some cases though, you might want to change from
using the interface name to listing specific subnetworks if the change described
above will cause masquerading to occur on subnetworks that you don't wish
to masquerade.<br>
 <br>
Example 2 -- Suppose that your current config is as follows:<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>
   In this case, the second entry in /etc/shorewall/masq
is no longer required.<br>
 <br>
Example 3 -- What if your current configuration is like
this?<br>
 <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>
   In this case, you would want to change the entry in 
/etc/shorewall/masq to:<br>
<pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li>
</ol>
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
</b></p>
Webmin version 1.060 now has Shorewall support included
as standard. See <a href="http://www.webmin.com">http://www.webmin.com</a>
<b> </b>
<ul> <ul>
@ -348,7 +490,8 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
</ul> </ul>
@ -357,8 +500,8 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
@ -372,7 +515,7 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
<h2> </h2> <h2> </h2>
@ -380,18 +523,18 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
<h1 align="center"><a href="http://www.sf.net"><img align="left" <h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1> </a></h1>
<h4> </h4> <h4> </h4>
@ -399,7 +542,7 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
<h2>This site is hosted by the generous folks at <a <h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2> href="http://www.sf.net">SourceForge.net</a> </h2>
@ -408,44 +551,45 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" <td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br> bgcolor="#4b017c" valign="top" align="center"> <br>
</td> </td>
</tr> </tr>
</tbody>
</tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
@ -455,12 +599,12 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
@ -472,32 +616,33 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</tr> </td>
</tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br> <br>
</body> </body>


@ -3,406 +3,337 @@
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Support Guide</title> <title>Shorewall Support Guide</title>
<meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions <h2>Before Reporting a Problem or Asking a Question<br>
emailed directly to me, I try to spend some time each day answering questions </h2>
on the Shorewall Users Mailing List and on the Support Forum.</font></big><span There are a number
style="font-weight: 400;"></span></big></b></p> of sources of Shorewall information. Please try these before you post.
<h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
<h1>Before Reporting a Problem</h1>
<i>"Well at least you tried to read the documentation, which is a lot
more than some people on this list appear to do.</i>"<br>
<br>
<div align="center">- Wietse Venema - On the Postfix mailing list<br>
</div>
<br>
There are a number of sources
for problem solution information. Please try these before you
post.
<h3> </h3>
<h3> </h3>
<ul> <ul>
<li>More than half of the questions posted on the <li>More than half of the questions posted
support list have answers directly accessible from the <a on the support list have answers directly accessible from the <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
<br> </li>
</li> <li> The <a
<li> The <a
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems. href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
</li> </li>
</ul> <li> The <a
<h3> </h3>
<ul>
<li> The <a
href="troubleshoot.htm">Troubleshooting</a> Information contains href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems. </li> a number of tips to help you solve common problems.
</li>
</ul>
<h3> </h3>
<ul>
<li> The <a
href="errata.htm"> Errata</a> has links to download updated
components. </li>
</ul>
<h3> </h3>
<ul>
<li> The Mailing
List Archives search facility can locate posts about similar
problems: </li>
</ul>
<h2> </h2>
<h2>Mailing List Archive Search</h2>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<li> The <a
<p> <font size="-1"> Match: href="errata.htm"> Errata</a> has links to download updated
components. </li>
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
<li> The Site and Mailing
<select name="format"> List Archives search facility can locate documents and posts
<option value="builtin-long">Long </option> about similar problems: </li>
<option value="builtin-short">Short </option>
</select>
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
<option value="title">Title </option>
<option value="revscore">Reverse Score </option>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font> <input type="hidden"
name="config" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br>
Search: <input type="text"
size="30" name="words" value=""> <input type="submit" value="Search">
</p>
</form>
<h2>Problem Reporting Guidelines </h2>
<i>"Let me see if I can translate your message into a
real-world example. It would be like saying that you have three
rooms at home, and when you walk into one of the rooms, you detect
this strange smell. Can anyone tell you what that strange smell is?<br>
<br>
Now, all of us could do some wonderful guessing as to
the smell and even what's causing it. You would be absolutely amazed
at the range and variety of smells we could come up with. Even more
amazing is that all of the explanations for the smells would be completely
plausible."<br>
</i><br>
<div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br>
</div>
<br>
<h3> </h3>
<ul>
<li>Please remember we only know what is posted in your message.
Do not leave out any information that appears to be correct, or was
mentioned in a previous post. There have been countless posts by people
who were sure that some part of their configuration was correct when
it actually contained a small error. We tend to be skeptics where detail
is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're asking for <strong>free</strong>
technical support. Any help we offer is an act of generosity, not
an obligation. Try to make it easy for us to help you. Follow good,
courteous practices in writing and formatting your e-mail. Provide
details that we need if you expect good answers. <em>Exact quoting </em>
of error messages, log entries, command output, and other output is better
than a paraphrase or summary.<br>
<br>
</li>
<li> Please don't describe
your environment and then ask us to send you custom
configuration files. We're here to answer your questions but
we can't do your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong> include
this information:</li>
</ul> </ul>
<h2>Site and Mailing List Archive Search</h2>
<blockquote>
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
<option value="title">Title </option>
<option value="revscore">Reverse Score </option>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font><input type="hidden" name="config" value="htdig"><input
type="hidden" name="restrict" value=""><font size="-1"> Include Mailing
List Archives:
<select size="1" name="exclude">
<option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select>
</font><br>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"><br>
</form>
</blockquote>
<h2>Problem Reporting Guidelines<br>
</h2>
<ul> <ul>
<li>Please remember we only know what is posted
in your message. Do not leave out any information that appears to
be correct, or was mentioned in a previous post. There have been
countless posts by people who were sure that some part of their
configuration was correct when it actually contained a small error.
We tend to be skeptics where detail is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're asking for
<strong>free</strong> technical support. Any help we offer
is an act of generosity, not an obligation. Try to make it easy
for us to help you. Follow good, courteous practices in writing
and formatting your e-mail. Provide details that we need if you expect
good answers. <em>Exact quoting </em> of error messages, log entries,
command output, and other output is better than a paraphrase or summary.<br>
<br>
</li>
<li> Please don't
describe your environment and then ask us to send you
custom configuration files. We're here to answer your
questions but we can't do your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong>
include this information:</li>
</ul>
<ul>
<ul> <ul>
<li>the exact version of Shorewall you are running.<br> <li>the exact version of Shorewall you are running.<br>
<br> <br>
<b><font color="#009900">shorewall version</font><br> <b><font color="#009900">shorewall version</font><br>
</b> <br> </b> <br>
</li> </li>
</ul> </ul>
<ul> <ul>
<li>the exact kernel version you are running<br> <li>the exact kernel version you are running<br>
<br> <br>
<font color="#009900"><b>uname -a<br> <font color="#009900"><b>uname -a<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip addr show<br> <font color="#009900"><b>ip addr show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip route show<br> <font color="#009900"><b>ip route show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>If your kernel is modularized, the exact output from<br> <li>If your kernel is modularized, the exact
<br> output from<br>
<font color="#009900"><b>lsmod</b></font><br> <br>
<br> <font color="#009900"><b>lsmod</b></font><br>
</li> <br>
<li>the exact wording of any <code </li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br> style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br> <br>
</li> </li>
<li>If you installed Shorewall using one of the QuickStart Guides, <li>If you installed Shorewall using one of the QuickStart
please indicate which one. <br> Guides, please indicate which one. <br>
<br> <br>
</li> </li>
<li><b>If you are running Shorewall under Mandrake using the Mandrake <li><b>If you are running Shorewall under Mandrake using
installation of Shorewall, please say so.</b><br> the Mandrake installation of Shorewall, please say so.</b><br>
<br> <br>
</li> </li>
</ul> </ul>
</ul> </ul>
<ul> <ul>
<li><b>NEVER </b>include the output of "<b><font <li><b>NEVER </b>include the output of "<b><font
color="#009900">iptables -L</font></b>". Instead,<font color="#009900">iptables -L</font></b>". Instead,<font
color="#ff0000"><u><i><big> <b>if you are having connection problems of color="#ff0000"><u><i><big> <b>if you are having connection problems of
any kind then:</b></big></i></u></font><br> any kind then:</b></big></i></u></font><br>
<br> <br>
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br> 1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
<br> <br>
2. Try the connection that is failing.<br> 2. Try the connection that is failing.<br>
<br> <br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br> 3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br> <br>
4. Post the /tmp/status.txt file as an attachment.<br> 4. Post the /tmp/status.txt file as an attachment.<br>
<br> <br>
</li> </li>
<li>As a general matter, please <strong>do not edit the diagnostic <li>As a general
information</strong> in an attempt to conceal your IP address, netmask, matter, please <strong>do not edit the diagnostic information</strong>
nameserver addresses, domain name, etc. These aren't secrets, and concealing in an attempt to conceal your IP address, netmask, nameserver addresses,
them often misleads us (and 80% of the time, a hacker could derive domain name, etc. These aren't secrets, and concealing them often
them anyway from information contained in the SMTP headers of your post).<strong></strong></li> misleads us (and 80% of the time, a hacker could derive them anyway
from information contained in the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If so, include
the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you
include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a
trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb so don't post GIFs
of your network layout, etc. to the Mailing
List -- your post will be rejected.</b></li>
</ul> </ul>
<ul>
</ul>
<h3> </h3>
<ul>
</ul>
<h3> </h3>
<ul>
<li> Do you see
any "Shorewall" messages ("<b><font color="#009900">/sbin/shorewall
show log</font></b>") when you exercise the function that
is giving you problems? If so, include the message(s) in your post
along with a copy of your /etc/shorewall/interfaces file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you
include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).
</li>
</ul>
<h3> </h3>
<ul>
</ul>
<h3> </h3>
<ul>
<li> If an error occurs
when you try to "<font color="#009900"><b>shorewall start</b></font>",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions). </li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc. to the Mailing List -- your
post will be rejected.</b></h3>
</li>
</ul>
The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
<h2>Please post in plain text</h2>
<blockquote> </blockquote>
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy to
allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the
list subscribers whose MTAs are bouncing all shorewall.net mail. As
one list subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to rid the planet
of HTML based e-mail". Nevertheless, to allow subscribers to receive list
posts as must as possible, I have now configured the list server at shorewall.net
to strip all HTML from outgoing posts.<br>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote> <blockquote>
The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote>
<h2>When using the mailing list, please post in plain text</h2>
<blockquote>
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy
to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian
way to control spam and that the ultimate losers here are not
the spammers but the list subscribers whose MTAs are bouncing
all shorewall.net mail. As one list subscriber wrote to me privately
"These e-mail admin's need to get a <i>(expletive deleted)</i> life
instead of trying to rid the planet of HTML based e-mail". Nevertheless,
to allow subscribers to receive list posts as must as possible, I have
now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote>
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
mailing list</a>.</span></h4> Users mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi Network <b>If you run Shorewall under MandrakeSoft Multi
Firewall (MNF) and you have not purchased an MNF license from MandrakeSoft Network Firewall (MNF) and you have not purchased an MNF license
then you can post non MNF-specific Shorewall questions to the </b><a from MandrakeSoft then you can post non MNF-specific Shorewall questions
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing to the </b><a href="mailto:shorewall-users@lists.shorewall.net">Shorewall
list</a> or to the <a users mailing list</a>. <b>Do not expect to get free MNF support
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support on the list or forum.</b><br>
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a list</a>.</p>
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support </blockquote>
Forum</a>.</p>
</blockquote>
<p>To Subscribe to the mailing list go to <a <p>To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p> .<br>
</p>
<p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
</p>
<p align="left"><font size="2">Last Updated 3/4/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 3/14/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
<br> <br>
</body> </body>
</html> </html>


@ -60,3 +60,7 @@ Changes since 1.3.14
27. Remove stale comments in the params file. 27. Remove stale comments in the params file.
28. Silently drop INVALID state packets 28. Silently drop INVALID state packets
29. Ignore the 'default' route when detecting masq'd networks.
30. REALLY process the params file first now (honest).


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.0-RC2 VERSION=1.4.0
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.0-RC2 VERSION=1.4.0
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -77,6 +77,18 @@ Changes for 1.4 include:
10) The /etc/shorewall/params file is now processed first so that 10) The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file. variables may be used in the /etc/shorewall/shorewall.conf file.
11) Packets with state INVALID are now silently dropped.
12) Shorewall now gives a more helpful diagnostic when the 'ipchains'
compatibility kernel module is loaded and a 'shorewall start'
command is issued.
13) The SHARED_DIR variable has been removed from shorewall.conf. This
variable was for use by package maintainers and was not documented
for general use.
14) Shorewall now ignores 'default' routes when detecting masq'd
networks.


@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 1.4.0 %define version 1.4.0
%define release 0RC2 %define release 1
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.0-1
* Fri Mar 07 2003 Tom Eastep <tom@shorewall.net> * Fri Mar 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.0-0RC2 - Changed version to 1.4.0-0RC2
* Wed Mar 05 2003 Tom Eastep <tom@shorewall.net> * Wed Mar 05 2003 Tom Eastep <tom@shorewall.net>


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.0-RC2 VERSION=1.4.0
usage() # $1 = exit status usage() # $1 = exit status
{ {