forked from extern/shorewall_code
Shorewall 1.4.0
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@504 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
09aed118b3
commit
52629f9049
File diff suppressed because it is too large
Load Diff
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 1.3 -- Blacklist File
|
# Shorewall 1.4 -- Blacklist File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/blacklist
|
# /etc/shorewall/blacklist
|
||||||
#
|
#
|
||||||
@ -9,7 +9,7 @@
|
|||||||
#
|
#
|
||||||
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
|
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
|
||||||
#
|
#
|
||||||
# MAC addresses must be prefixed with "~" and use "-"
|
# MAC addresses must be prefixed with "~" and use "-"
|
||||||
# as a separator.
|
# as a separator.
|
||||||
#
|
#
|
||||||
# Example: ~00-A0-C9-15-39-78
|
# Example: ~00-A0-C9-15-39-78
|
||||||
@ -27,7 +27,7 @@
|
|||||||
# /etc/shorewall/shorewall.conf
|
# /etc/shorewall/shorewall.conf
|
||||||
#
|
#
|
||||||
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
|
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
|
||||||
# the protocol (and one of the ports if PORTS supplied) are blocked.
|
# the protocol (and one of the ports if PORTS supplied) are blocked.
|
||||||
#
|
#
|
||||||
# Example:
|
# Example:
|
||||||
#
|
#
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
############################################################################
|
############################################################################
|
||||||
# Shorewall 1.3 -- /etc/shorewall/common.def
|
# Shorewall 1.4 -- /etc/shorewall/common.def
|
||||||
#
|
#
|
||||||
# This file defines the rules that are applied before a policy of
|
# This file defines the rules that are applied before a policy of
|
||||||
# DROP or REJECT is applied. In addition to the rules defined in this file,
|
# DROP or REJECT is applied. In addition to the rules defined in this file,
|
||||||
# the firewall will also define a DROP rule for each subnet broadcast
|
# the firewall will also define a DROP rule for each subnet broadcast
|
||||||
# address defined in /etc/shorewall/interfaces (including "detect").
|
# address defined in /etc/shorewall/interfaces (including "detect").
|
||||||
@ -14,14 +14,12 @@
|
|||||||
#
|
#
|
||||||
run_iptables -A common -p icmp -j icmpdef
|
run_iptables -A common -p icmp -j icmpdef
|
||||||
############################################################################
|
############################################################################
|
||||||
# Drop invalid state TCP packets
|
|
||||||
#
|
|
||||||
run_iptables -A common -m state -p tcp --state INVALID -j DROP
|
|
||||||
############################################################################
|
|
||||||
# NETBIOS chatter
|
# NETBIOS chatter
|
||||||
#
|
#
|
||||||
run_iptables -A common -p udp --dport 137:139 -j REJECT
|
run_iptables -A common -p udp --dport 137:139 -j REJECT
|
||||||
run_iptables -A common -p udp --dport 445 -j REJECT
|
run_iptables -A common -p udp --dport 445 -j REJECT
|
||||||
|
run_iptables -A common -p tcp --dport 139 -j REJECT
|
||||||
|
run_iptables -A common -p tcp --dport 445 -j REJECT
|
||||||
run_iptables -A common -p tcp --dport 135 -j reject
|
run_iptables -A common -p tcp --dport 135 -j reject
|
||||||
############################################################################
|
############################################################################
|
||||||
# UPnP
|
# UPnP
|
||||||
@ -36,5 +34,9 @@ run_iptables -A common -d 224.0.0.0/4 -j DROP
|
|||||||
# AUTH -- Silently reject it so that connections don't get delayed.
|
# AUTH -- Silently reject it so that connections don't get delayed.
|
||||||
#
|
#
|
||||||
run_iptables -A common -p tcp --dport 113 -j reject
|
run_iptables -A common -p tcp --dport 113 -j reject
|
||||||
|
############################################################################
|
||||||
|
# DNS -- Silenty drop late replies
|
||||||
|
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 1.3 - /etc/shorewall/hosts
|
# Shorewall 1.4 - /etc/shorewall/hosts
|
||||||
#
|
#
|
||||||
# WARNING: 90% of Shorewall users don't need to add entries to this
|
# WARNING: 90% of Shorewall users don't need to add entries to this
|
||||||
# file and 80% of those who try to add such entries get it
|
# file and 80% of those who try to add such entries get it
|
||||||
@ -18,23 +18,18 @@
|
|||||||
# a) The IP address of a host
|
# a) The IP address of a host
|
||||||
# b) A subnetwork in the form
|
# b) A subnetwork in the form
|
||||||
# <subnet-address>/<mask width>
|
# <subnet-address>/<mask width>
|
||||||
#
|
#
|
||||||
# The interface must be defined in the
|
# The interface must be defined in the
|
||||||
# /etc/shorewall/interfaces file.
|
# /etc/shorewall/interfaces file.
|
||||||
#
|
#
|
||||||
# Examples:
|
# Examples:
|
||||||
#
|
#
|
||||||
# eth1:192.168.1.3
|
# eth1:192.168.1.3
|
||||||
# eth2:192.168.2.0/24
|
# eth2:192.168.2.0/24
|
||||||
#
|
#
|
||||||
# OPTIONS - A comma-separated list of options. Currently-defined
|
# OPTIONS - A comma-separated list of options. Currently-defined
|
||||||
# options are:
|
# options are:
|
||||||
#
|
#
|
||||||
# routestopped - (Deprecated -- use
|
|
||||||
# /etc/shorewall/routestopped)
|
|
||||||
# route messages to and from this
|
|
||||||
# member when the firewall is in the
|
|
||||||
# stopped state
|
|
||||||
# maclist - Connection requests from these hosts
|
# maclist - Connection requests from these hosts
|
||||||
# are compared against the contents of
|
# are compared against the contents of
|
||||||
# /etc/shorewall/maclist. If this option
|
# /etc/shorewall/maclist. If this option
|
||||||
@ -43,5 +38,5 @@
|
|||||||
# Shorewall is started.
|
# Shorewall is started.
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
#ZONE HOST(S) OPTIONS
|
#ZONE HOST(S) OPTIONS
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
############################################################################
|
############################################################################
|
||||||
# Shorewall 1.3 -- /etc/shorewall/init
|
# Shorewall 1.4 -- /etc/shorewall/init
|
||||||
#
|
#
|
||||||
# Add commands below that you want to be executed at the beginning of
|
# Add commands below that you want to be executed at the beginning of
|
||||||
# a "shorewall start" or "shorewall restart" command.
|
# a "shorewall start" or "shorewall restart" command.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 1.3 -- Interfaces File
|
# Shorewall 1.4 -- Interfaces File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/interfaces
|
# /etc/shorewall/interfaces
|
||||||
#
|
#
|
||||||
@ -14,7 +14,7 @@
|
|||||||
# If the interface serves multiple zones that will be
|
# If the interface serves multiple zones that will be
|
||||||
# defined in the /etc/shorewall/hosts file, you should
|
# defined in the /etc/shorewall/hosts file, you should
|
||||||
# place "-" in this column.
|
# place "-" in this column.
|
||||||
#
|
#
|
||||||
# INTERFACE Name of interface. Each interface may be listed only
|
# INTERFACE Name of interface. Each interface may be listed only
|
||||||
# once in this file. You may NOT specify the name of
|
# once in this file. You may NOT specify the name of
|
||||||
# an alias (e.g., eth0:0) here; see
|
# an alias (e.g., eth0:0) here; see
|
||||||
@ -27,14 +27,14 @@
|
|||||||
# column is left black.If the interface has multiple
|
# column is left black.If the interface has multiple
|
||||||
# addresses on multiple subnets then list the broadcast
|
# addresses on multiple subnets then list the broadcast
|
||||||
# addresses as a comma-separated list.
|
# addresses as a comma-separated list.
|
||||||
#
|
#
|
||||||
# If you use the special value "detect", the firewall
|
# If you use the special value "detect", the firewall
|
||||||
# will detect the broadcast address for you. If you
|
# will detect the broadcast address for you. If you
|
||||||
# select this option, the interface must be up before
|
# select this option, the interface must be up before
|
||||||
# the firewall is started, you must have iproute
|
# the firewall is started, you must have iproute
|
||||||
# installed and the interface must only be associated
|
# installed and the interface must only be associated
|
||||||
# with a single subnet.
|
# with a single subnet.
|
||||||
#
|
#
|
||||||
# If you don't want to give a value for this column but
|
# If you don't want to give a value for this column but
|
||||||
# you want to enter a value in the OPTIONS column, enter
|
# you want to enter a value in the OPTIONS column, enter
|
||||||
# "-" in this column.
|
# "-" in this column.
|
||||||
@ -46,11 +46,6 @@
|
|||||||
# a DHCP server running on the firewall or
|
# a DHCP server running on the firewall or
|
||||||
# you have a static IP but are on a LAN
|
# you have a static IP but are on a LAN
|
||||||
# segment with lots of Laptop DHCP clients.
|
# segment with lots of Laptop DHCP clients.
|
||||||
# routestopped - (Deprecated -- use
|
|
||||||
# /etc/shorewall/routestopped)
|
|
||||||
# When the firewall is stopped, allow
|
|
||||||
# and route traffic to and from this
|
|
||||||
# interface.
|
|
||||||
# norfc1918 - This interface should not receive
|
# norfc1918 - This interface should not receive
|
||||||
# any packets whose source is in one
|
# any packets whose source is in one
|
||||||
# of the ranges reserved by RFC 1918
|
# of the ranges reserved by RFC 1918
|
||||||
@ -59,9 +54,6 @@
|
|||||||
# enabled in shorewall.conf, packets
|
# enabled in shorewall.conf, packets
|
||||||
# whose destination addresses are
|
# whose destination addresses are
|
||||||
# reserved by RFC 1918 are also rejected.
|
# reserved by RFC 1918 are also rejected.
|
||||||
# multi - This interface has multiple IP
|
|
||||||
# addresses and you want to be able to
|
|
||||||
# route between them.
|
|
||||||
# routefilter - turn on kernel route filtering for this
|
# routefilter - turn on kernel route filtering for this
|
||||||
# interface (anti-spoofing measure). This
|
# interface (anti-spoofing measure). This
|
||||||
# option can also be enabled globally in
|
# option can also be enabled globally in
|
||||||
@ -87,8 +79,8 @@
|
|||||||
# TCP_FLAGS_DISPOSITION after having been
|
# TCP_FLAGS_DISPOSITION after having been
|
||||||
# logged according to the setting of
|
# logged according to the setting of
|
||||||
# TCP_FLAGS_LOG_LEVEL.
|
# TCP_FLAGS_LOG_LEVEL.
|
||||||
# proxyarp -
|
# proxyarp -
|
||||||
# Sets
|
# Sets
|
||||||
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
||||||
# Do NOT use this option if you are
|
# Do NOT use this option if you are
|
||||||
# employing Proxy ARP through entries in
|
# employing Proxy ARP through entries in
|
||||||
@ -96,7 +88,7 @@
|
|||||||
# intended soley for use with Proxy ARP
|
# intended soley for use with Proxy ARP
|
||||||
# sub-networking as described at:
|
# sub-networking as described at:
|
||||||
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
||||||
#
|
#
|
||||||
# The order in which you list the options is not
|
# The order in which you list the options is not
|
||||||
# significant but the list should have no embedded white
|
# significant but the list should have no embedded white
|
||||||
# space.
|
# space.
|
||||||
@ -106,27 +98,25 @@
|
|||||||
# local subnet is 192.168.1.0/24. The interface gets
|
# local subnet is 192.168.1.0/24. The interface gets
|
||||||
# it's IP address via DHCP from subnet
|
# it's IP address via DHCP from subnet
|
||||||
# 206.191.149.192/27. You have a DMZ with subnet
|
# 206.191.149.192/27. You have a DMZ with subnet
|
||||||
# 192.168.2.0/24 using eth2. You want to be able to
|
# 192.168.2.0/24 using eth2.
|
||||||
# access the firewall from the local network when the
|
|
||||||
# firewall is stopped.
|
|
||||||
#
|
#
|
||||||
# Your entries for this setup would look like:
|
# Your entries for this setup would look like:
|
||||||
#
|
#
|
||||||
# net eth0 206.191.149.223 dhcp
|
# net eth0 206.191.149.223 dhcp
|
||||||
# local eth1 192.168.1.255 routestopped
|
# local eth1 192.168.1.255
|
||||||
# dmz eth2 192.168.2.255
|
# dmz eth2 192.168.2.255
|
||||||
#
|
#
|
||||||
# Example 2: The same configuration without specifying broadcast
|
# Example 2: The same configuration without specifying broadcast
|
||||||
# addresses is:
|
# addresses is:
|
||||||
#
|
#
|
||||||
# net eth0 detect noping,dhcp
|
# net eth0 detect dhcp
|
||||||
# loc eth1 detect routestopped
|
# loc eth1 detect
|
||||||
# dmz eth2 detect
|
# dmz eth2 detect
|
||||||
#
|
#
|
||||||
# Example 3: You have a simple dial-in system with no ethernet
|
# Example 3: You have a simple dial-in system with no ethernet
|
||||||
# connections and you want to ignore ping requests.
|
# connections.
|
||||||
#
|
#
|
||||||
# net ppp0 - noping
|
# net ppp0 -
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#ZONE INTERFACE BROADCAST OPTIONS
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -1,12 +1,12 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 1.3 - MAC list file
|
# Shorewall 1.4 - MAC list file
|
||||||
#
|
#
|
||||||
# /etc/shorewall/maclist
|
# /etc/shorewall/maclist
|
||||||
#
|
#
|
||||||
# Columns are:
|
# Columns are:
|
||||||
#
|
#
|
||||||
# INTERFACE Network interface to a host
|
# INTERFACE Network interface to a host
|
||||||
#
|
#
|
||||||
# MAC MAC address of the host -- you do not need to use
|
# MAC MAC address of the host -- you do not need to use
|
||||||
# the Shorewall format for MAC addresses here
|
# the Shorewall format for MAC addresses here
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 1.3 - Masquerade file
|
# Shorewall 1.4 - Masquerade file
|
||||||
#
|
#
|
||||||
# /etc/shorewall/masq
|
# /etc/shorewall/masq
|
||||||
#
|
#
|
||||||
@ -13,8 +13,8 @@
|
|||||||
# /etc/shorewall/shorewall.conf, you may add ":" and
|
# /etc/shorewall/shorewall.conf, you may add ":" and
|
||||||
# a digit to indicate that you want the alias added with
|
# a digit to indicate that you want the alias added with
|
||||||
# that name (e.g., eth0:0). This will allow the alias to
|
# that name (e.g., eth0:0). This will allow the alias to
|
||||||
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
|
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
|
||||||
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
|
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
|
||||||
# PLACE IN YOUR SHOREWALL CONFIGURATION.
|
# PLACE IN YOUR SHOREWALL CONFIGURATION.
|
||||||
#
|
#
|
||||||
# This may be qualified by adding the character
|
# This may be qualified by adding the character
|
||||||
@ -25,7 +25,7 @@
|
|||||||
# a subnet or as an interface. If you give the name of an
|
# a subnet or as an interface. If you give the name of an
|
||||||
# interface, you must have iproute installed and the interface
|
# interface, you must have iproute installed and the interface
|
||||||
# must be up before you start the firewall.
|
# must be up before you start the firewall.
|
||||||
#
|
#
|
||||||
# In order to exclude a subset of the specified SUBNET, you
|
# In order to exclude a subset of the specified SUBNET, you
|
||||||
# may append "!" and a comma-separated list of IP addresses
|
# may append "!" and a comma-separated list of IP addresses
|
||||||
# and/or subnets that you wish to exclude.
|
# and/or subnets that you wish to exclude.
|
||||||
@ -37,17 +37,17 @@
|
|||||||
#
|
#
|
||||||
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
|
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
|
||||||
# used and this will be the source address. If
|
# used and this will be the source address. If
|
||||||
# ADD_SNAT_ALIASES is set to Yes or yes in
|
# ADD_SNAT_ALIASES is set to Yes or yes in
|
||||||
# /etc/shorewall/shorewall.conf then Shorewall
|
# /etc/shorewall/shorewall.conf then Shorewall
|
||||||
# will automatically add this address to the
|
# will automatically add this address to the
|
||||||
# INTERFACE named in the first column.
|
# INTERFACE named in the first column.
|
||||||
#
|
#
|
||||||
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
|
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
|
||||||
# the address given in this column is the primary
|
# the address given in this column is the primary
|
||||||
# IP address for the interface in the INTERFACE
|
# IP address for the interface in the INTERFACE
|
||||||
# column.
|
# column.
|
||||||
#
|
#
|
||||||
# This column may not contain a DNS Name.
|
# This column may not contain a DNS Name.
|
||||||
#
|
#
|
||||||
# Example 1:
|
# Example 1:
|
||||||
#
|
#
|
||||||
@ -83,7 +83,7 @@
|
|||||||
#
|
#
|
||||||
# You want all outgoing traffic from 192.168.1.0/24 through
|
# You want all outgoing traffic from 192.168.1.0/24 through
|
||||||
# eth0 to use source address 206.124.146.176 which is NOT the
|
# eth0 to use source address 206.124.146.176 which is NOT the
|
||||||
# primary address of eth0. You want 206.124.146.176 added to
|
# primary address of eth0. You want 206.124.146.176 added to
|
||||||
# be added to eth0 with name eth0:0.
|
# be added to eth0 with name eth0:0.
|
||||||
#
|
#
|
||||||
# eth0:0 192.168.1.0/24 206.124.146.176
|
# eth0:0 192.168.1.0/24 206.124.146.176
|
||||||
|
@ -1,7 +1,12 @@
|
|||||||
##############################################################################
|
##############################################################################
|
||||||
# Shorewall 1.3 /etc/shorewall/modules
|
# Shorewall 1.4 /etc/shorewall/modules
|
||||||
#
|
#
|
||||||
# This file loads the modules needed by the firewall.
|
# This file loads the modules needed by the firewall.
|
||||||
|
#
|
||||||
|
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
|
||||||
|
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
|
||||||
|
# you load M2.
|
||||||
|
#
|
||||||
|
|
||||||
loadmodule ip_tables
|
loadmodule ip_tables
|
||||||
loadmodule iptable_filter
|
loadmodule iptable_filter
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
##############################################################################
|
##############################################################################
|
||||||
#
|
#
|
||||||
# Shorewall 1.3 -- Network Address Translation Table
|
# Shorewall 1.4 -- Network Address Translation Table
|
||||||
#
|
#
|
||||||
# /etc/shorewall/nat
|
# /etc/shorewall/nat
|
||||||
#
|
#
|
||||||
@ -17,7 +17,7 @@
|
|||||||
# column and must not be a DNS Name.
|
# column and must not be a DNS Name.
|
||||||
# INTERFACE Interface that we want to EXTERNAL address to appear
|
# INTERFACE Interface that we want to EXTERNAL address to appear
|
||||||
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
|
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
|
||||||
# follow the interface name with ":" and a digit to
|
# follow the interface name with ":" and a digit to
|
||||||
# indicate that you want Shorewall to add the alias
|
# indicate that you want Shorewall to add the alias
|
||||||
# with this name (e.g., "eth0:0"). That allows you to
|
# with this name (e.g., "eth0:0"). That allows you to
|
||||||
# see the alias with ifconfig. THAT IS THE ONLY THING
|
# see the alias with ifconfig. THAT IS THE ONLY THING
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 1.3 /etc/shorewall/params
|
# Shorewall 1.4 /etc/shorewall/params
|
||||||
#
|
#
|
||||||
# Assign any variables that you need here.
|
# Assign any variables that you need here.
|
||||||
#
|
#
|
||||||
@ -11,7 +11,7 @@
|
|||||||
#
|
#
|
||||||
# NET_IF=eth0
|
# NET_IF=eth0
|
||||||
# NET_BCAST=130.252.100.255
|
# NET_BCAST=130.252.100.255
|
||||||
# NET_OPTIONS=noping,norfc1918
|
# NET_OPTIONS=routefilter,norfc1918
|
||||||
#
|
#
|
||||||
# Example (/etc/shorewall/interfaces record):
|
# Example (/etc/shorewall/interfaces record):
|
||||||
#
|
#
|
||||||
@ -19,25 +19,7 @@
|
|||||||
#
|
#
|
||||||
# The result will be the same as if the record had been written
|
# The result will be the same as if the record had been written
|
||||||
#
|
#
|
||||||
# net eth0 130.252.100.255 noping,norfc1918
|
# net eth0 130.252.100.255 routefilter,norfc1918
|
||||||
#
|
#
|
||||||
# Variables can be used in the following places in the other configuration
|
|
||||||
# files:
|
|
||||||
#
|
|
||||||
# /etc/shorewall/interfaces:
|
|
||||||
# /etc/shorewall/hosts
|
|
||||||
#
|
|
||||||
# All except the first column.
|
|
||||||
#
|
|
||||||
# /etc/shorewall/rules
|
|
||||||
#
|
|
||||||
# First column after ":".
|
|
||||||
# All remaining columns
|
|
||||||
#
|
|
||||||
# /etc/shorewall/tunnels
|
|
||||||
# /etc/shorewall/proxyarp
|
|
||||||
# /etc/shorewall/nat
|
|
||||||
#
|
|
||||||
# All columns
|
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 1.3 -- Policy File
|
# Shorewall 1.4 -- Policy File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/policy
|
# /etc/shorewall/policy
|
||||||
#
|
#
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
##############################################################################
|
##############################################################################
|
||||||
#
|
#
|
||||||
# Shorewall 1.3 -- Proxy ARP
|
# Shorewall 1.4 -- Proxy ARP
|
||||||
#
|
#
|
||||||
# /etc/shorewall/proxyarp
|
# /etc/shorewall/proxyarp
|
||||||
#
|
#
|
||||||
# This file is used to define Proxy ARP.
|
# This file is used to define Proxy ARP.
|
||||||
#
|
#
|
||||||
# Columns must be separated by white space and are:
|
# Columns must be separated by white space and are:
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 1.3 -- RFC1918 File
|
# Shorewall 1.4 -- RFC1918 File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/rfc1918
|
# /etc/shorewall/rfc1918
|
||||||
#
|
#
|
||||||
@ -25,7 +25,7 @@
|
|||||||
192.0.2.0/24 logdrop # Example addresses
|
192.0.2.0/24 logdrop # Example addresses
|
||||||
192.168.0.0/16 logdrop # RFC 1918
|
192.168.0.0/16 logdrop # RFC 1918
|
||||||
#
|
#
|
||||||
# The following are generated using the Python program found at:
|
# The following are generated with the help of the Python program found at:
|
||||||
#
|
#
|
||||||
# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
|
# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
|
||||||
#
|
#
|
||||||
@ -43,6 +43,8 @@
|
|||||||
39.0.0.0/8 logdrop # Reserved
|
39.0.0.0/8 logdrop # Reserved
|
||||||
41.0.0.0/8 logdrop # Reserved
|
41.0.0.0/8 logdrop # Reserved
|
||||||
42.0.0.0/8 logdrop # Reserved
|
42.0.0.0/8 logdrop # Reserved
|
||||||
|
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||||
|
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
|
||||||
58.0.0.0/7 logdrop # Reserved
|
58.0.0.0/7 logdrop # Reserved
|
||||||
60.0.0.0/8 logdrop # Reserved
|
60.0.0.0/8 logdrop # Reserved
|
||||||
70.0.0.0/7 logdrop # Reserved
|
70.0.0.0/7 logdrop # Reserved
|
||||||
@ -53,7 +55,8 @@
|
|||||||
96.0.0.0/3 logdrop # Reserved
|
96.0.0.0/3 logdrop # Reserved
|
||||||
127.0.0.0/8 logdrop # Loopback
|
127.0.0.0/8 logdrop # Loopback
|
||||||
197.0.0.0/8 logdrop # Reserved
|
197.0.0.0/8 logdrop # Reserved
|
||||||
222.0.0.0/7 logdrop # Reserved
|
198.18.0.0/15 logdrop # Reserved
|
||||||
|
201.0.0.0/8 logdrop # Reserved - Central & South America
|
||||||
240.0.0.0/4 logdrop # Reserved
|
240.0.0.0/4 logdrop # Reserved
|
||||||
#
|
#
|
||||||
# End of generated entries
|
# End of generated entries
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
##############################################################################
|
##############################################################################
|
||||||
#
|
#
|
||||||
# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped
|
# Shorewall 1.4 -- Hosts Accessible when the Firewall is Stopped
|
||||||
#
|
#
|
||||||
# /etc/shorewall/routestopped
|
# /etc/shorewall/routestopped
|
||||||
#
|
#
|
||||||
# This file is used to define the hosts that are accessible when the
|
# This file is used to define the hosts that are accessible when the
|
||||||
# firewall is stopped
|
# firewall is stopped
|
||||||
#
|
#
|
||||||
# Columns must be separated by white space and are:
|
# Columns must be separated by white space and are:
|
||||||
@ -12,7 +12,7 @@
|
|||||||
# INTERFACE - Interface through which host(s) communicate with
|
# INTERFACE - Interface through which host(s) communicate with
|
||||||
# the firewall
|
# the firewall
|
||||||
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
||||||
# addresses. If left empty or supplied as "-",
|
# If left empty or supplied as "-",
|
||||||
# 0.0.0.0/0 is assumed.
|
# 0.0.0.0/0 is assumed.
|
||||||
#
|
#
|
||||||
# Example:
|
# Example:
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall version 1.3 - Rules File
|
# Shorewall version 1.4 - Rules File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/rules
|
# /etc/shorewall/rules
|
||||||
#
|
#
|
||||||
@ -24,24 +24,31 @@
|
|||||||
# DNAT -- Forward the request to another
|
# DNAT -- Forward the request to another
|
||||||
# system (and optionally another
|
# system (and optionally another
|
||||||
# port).
|
# port).
|
||||||
# DNAT- -- Advanced users only.
|
# DNAT- -- Advanced users only.
|
||||||
# Like DNAT but only generates the
|
# Like DNAT but only generates the
|
||||||
# DNAT iptables rule and not
|
# DNAT iptables rule and not
|
||||||
# the companion ACCEPT rule.
|
# the companion ACCEPT rule.
|
||||||
# REDIRECT -- Redirect the request to a local
|
# REDIRECT -- Redirect the request to a local
|
||||||
# port on the firewall.
|
# port on the firewall.
|
||||||
|
# CONTINUE -- (For experts only). Do not process
|
||||||
|
# any of the following rules for this
|
||||||
|
# (source zone,destination zone). If
|
||||||
|
# The source and/or destination IP
|
||||||
|
# address falls into a zone defined
|
||||||
|
# later in /etc/shorewall/zones, this
|
||||||
|
# connection request will be passed
|
||||||
|
# to the rules defined for that
|
||||||
|
# (those) zone(s).
|
||||||
#
|
#
|
||||||
# May optionally be followed by ":" and a syslog log
|
# May optionally be followed by ":" and a syslog log
|
||||||
# level (e.g, REJECT:info). This causes the packet to be
|
# level (e.g, REJECT:info). This causes the packet to be
|
||||||
# logged at the specified level.
|
# logged at the specified level.
|
||||||
#
|
#
|
||||||
# Beginning with Shorewall version 1.3.12, you may
|
# You may also specify ULOG (must be in upper case) as a
|
||||||
# also specify ULOG (must be in upper case) as a log level.\
|
# log level.This will log to the ULOG target for routing
|
||||||
# This will log to the ULOG target and sent to a separate log
|
# to a separate log through use of ulogd
|
||||||
# through use of ulogd
|
|
||||||
# (http://www.gnumonks.org/projects/ulogd).
|
# (http://www.gnumonks.org/projects/ulogd).
|
||||||
#
|
#
|
||||||
#
|
|
||||||
# SOURCE Source hosts to which the rule applies. May be a zone
|
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||||
# defined in /etc/shorewall/zones, $FW to indicate the
|
# defined in /etc/shorewall/zones, $FW to indicate the
|
||||||
# firewall itself, or "all" If the ACTION is DNAT or
|
# firewall itself, or "all" If the ACTION is DNAT or
|
||||||
@ -90,6 +97,8 @@
|
|||||||
# 2. In DNAT rules, only IP addresses are
|
# 2. In DNAT rules, only IP addresses are
|
||||||
# allowed; no FQDNs or subnet addresses
|
# allowed; no FQDNs or subnet addresses
|
||||||
# are permitted.
|
# are permitted.
|
||||||
|
# 3. You may not specify both an interface and
|
||||||
|
# an address.
|
||||||
#
|
#
|
||||||
# The port that the server is listening on may be
|
# The port that the server is listening on may be
|
||||||
# included and separated from the server's IP address by
|
# included and separated from the server's IP address by
|
||||||
@ -106,10 +115,8 @@
|
|||||||
# contain the port number on the firewall that the
|
# contain the port number on the firewall that the
|
||||||
# request should be redirected to.
|
# request should be redirected to.
|
||||||
#
|
#
|
||||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
|
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
||||||
# "all" or "related". If "related", the remainder of the
|
# "all".
|
||||||
# entry must be omitted and connection requests that are
|
|
||||||
# related to existing requests will be accepted.
|
|
||||||
#
|
#
|
||||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||||
# names (from /etc/services), port numbers or port
|
# names (from /etc/services), port numbers or port
|
||||||
@ -117,7 +124,7 @@
|
|||||||
# interpreted as the destination icmp-type(s).
|
# interpreted as the destination icmp-type(s).
|
||||||
#
|
#
|
||||||
# A port range is expressed as <low port>:<high port>.
|
# A port range is expressed as <low port>:<high port>.
|
||||||
#
|
#
|
||||||
# This column is ignored if PROTOCOL = all but must be
|
# This column is ignored if PROTOCOL = all but must be
|
||||||
# entered if any of the following ields are supplied.
|
# entered if any of the following ields are supplied.
|
||||||
# In that case, it is suggested that this field contain
|
# In that case, it is suggested that this field contain
|
||||||
@ -148,7 +155,7 @@
|
|||||||
# Otherwise, a separate rule will be generated for each
|
# Otherwise, a separate rule will be generated for each
|
||||||
# port.
|
# port.
|
||||||
#
|
#
|
||||||
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
|
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
|
||||||
# REDIRECT) If included and different from the IP
|
# REDIRECT) If included and different from the IP
|
||||||
# address given in the SERVER column, this is an address
|
# address given in the SERVER column, this is an address
|
||||||
# on some interface on the firewall and connections to
|
# on some interface on the firewall and connections to
|
||||||
|
@ -1,22 +1,17 @@
|
|||||||
##############################################################################
|
##############################################################################
|
||||||
# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
|
# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
|
||||||
# match your setup
|
# match your setup
|
||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||||
#
|
#
|
||||||
# This file should be placed in /etc/shorewall
|
# This file should be placed in /etc/shorewall
|
||||||
#
|
#
|
||||||
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||||
|
##############################################################################
|
||||||
|
# L O G G I N G
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#
|
#
|
||||||
# You should not have to change the variables in this section -- they are set
|
# General note about log levels. Log levels are a method of describing
|
||||||
# by the packager of your Shorewall distribution
|
|
||||||
#
|
|
||||||
SHARED_DIR=/usr/lib/shorewall
|
|
||||||
#
|
|
||||||
##############################################################################
|
|
||||||
#
|
|
||||||
# General note about log levels. Log levels are a method of describing
|
|
||||||
# to syslog (8) the importance of a message and a number of parameters
|
# to syslog (8) the importance of a message and a number of parameters
|
||||||
# in this file have log levels as their value.
|
# in this file have log levels as their value.
|
||||||
#
|
#
|
||||||
@ -32,72 +27,32 @@ SHARED_DIR=/usr/lib/shorewall
|
|||||||
# 0 emerg
|
# 0 emerg
|
||||||
#
|
#
|
||||||
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
|
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
|
||||||
# log messages are generated by NetFilter and are logged using facility
|
# log messages are generated by NetFilter and are logged using facility
|
||||||
# 'kern' and the level that you specifify. If you are unsure of the level
|
# 'kern' and the level that you specifify. If you are unsure of the level
|
||||||
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
|
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
|
||||||
# number.
|
# number.
|
||||||
#
|
#
|
||||||
# If you have build your kernel with ULOG target support, you may also
|
# If you have build your kernel with ULOG target support, you may also
|
||||||
# specify a log level of ULOG (must be all caps). Rather than log its
|
# specify a log level of ULOG (must be all caps). Rather than log its
|
||||||
# messages to syslogd, Shorewall will direct netfilter to log the messages
|
# messages to syslogd, Shorewall will direct netfilter to log the messages
|
||||||
# via the ULOG target which will send them to a process called 'ulogd'.
|
# via the ULOG target which will send them to a process called 'ulogd'.
|
||||||
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
|
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
|
||||||
# configured to log all Shorewall message to their own log file
|
# configured to log all Shorewall message to their own log file
|
||||||
################################################################################
|
################################################################################
|
||||||
#
|
#
|
||||||
# PATH - Change this if you want to change the order in which Shorewall
|
# LOG FILE LOCATION
|
||||||
# searches directories for executable files.
|
|
||||||
#
|
#
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
# This variable tells the /sbin/shorewall program where to look for Shorewall
|
||||||
|
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
|
||||||
|
# /var/log/messages is assumed.
|
||||||
|
#
|
||||||
|
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
|
||||||
|
# look for Shorewall messages.It does NOT control the destination for
|
||||||
|
# these messages. For information about how to do that, see
|
||||||
|
#
|
||||||
|
# http://www.shorewall.net/shorewall_logging.html
|
||||||
|
|
||||||
#
|
LOGFILE=/var/log/messages
|
||||||
# NAME OF THE FIREWALL ZONE
|
|
||||||
#
|
|
||||||
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
|
|
||||||
# is assumed.
|
|
||||||
#
|
|
||||||
FW=fw
|
|
||||||
|
|
||||||
#
|
|
||||||
# SUBSYSTEM LOCK FILE
|
|
||||||
#
|
|
||||||
# Set this to the name of the lock file expected by your init scripts. For
|
|
||||||
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
|
|
||||||
# should be /var/state/shorewall. If your init scripts don't use lock files,
|
|
||||||
# set this to "".
|
|
||||||
#
|
|
||||||
|
|
||||||
SUBSYSLOCK=/var/run/shorewall
|
|
||||||
|
|
||||||
#
|
|
||||||
# SHOREWALL TEMPORARY STATE DIRECTORY
|
|
||||||
#
|
|
||||||
# This is the directory where the firewall maintains state information while
|
|
||||||
# it is running
|
|
||||||
#
|
|
||||||
|
|
||||||
STATEDIR=/tmp/shorewall
|
|
||||||
|
|
||||||
#
|
|
||||||
# ALLOW RELATED CONNECTIONS
|
|
||||||
#
|
|
||||||
# Set this to "yes" or "Yes" if you want to accept all connection requests
|
|
||||||
# that are related to already established connections. For example, you want
|
|
||||||
# to accept FTP data connections. If you say "no" here, then to accept
|
|
||||||
# these connections between particular zones or hosts, you must include
|
|
||||||
# explicit "related" rules in /etc/shorewall/rules.
|
|
||||||
#
|
|
||||||
|
|
||||||
ALLOWRELATED=yes
|
|
||||||
|
|
||||||
#
|
|
||||||
# KERNEL MODULE DIRECTORY
|
|
||||||
#
|
|
||||||
# If your netfilter kernel modules are in a directory other than
|
|
||||||
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
|
|
||||||
# directory in this variable. Example: MODULESDIR=/etc/modules.
|
|
||||||
|
|
||||||
MODULESDIR=
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# LOG RATE LIMITING
|
# LOG RATE LIMITING
|
||||||
@ -132,25 +87,122 @@ LOGBURST=
|
|||||||
# packets are logged under the 'logunclean' interface option. If the variable
|
# packets are logged under the 'logunclean' interface option. If the variable
|
||||||
# is empty, these packets will still be logged at the 'info' level.
|
# is empty, these packets will still be logged at the 'info' level.
|
||||||
#
|
#
|
||||||
# See the comment at the top of this file for a description of log levels
|
# See the comment at the top of this section for a description of log levels
|
||||||
#
|
#
|
||||||
|
|
||||||
LOGUNCLEAN=info
|
LOGUNCLEAN=info
|
||||||
|
|
||||||
#
|
#
|
||||||
# LOG FILE LOCATION
|
# BLACKLIST LOG LEVEL
|
||||||
#
|
#
|
||||||
# This variable tells the /sbin/shorewall program where to look for Shorewall
|
# Set this variable to the syslogd level that you want blacklist packets logged
|
||||||
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
|
# (beware of DOS attacks resulting from such logging). If not set, no logging
|
||||||
# /var/log/messages is assumed.
|
# of blacklist packets occurs.
|
||||||
#
|
#
|
||||||
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
|
# See the comment at the top of this section for a description of log levels
|
||||||
# look for Shorewall messages.It does NOT control the destination for
|
|
||||||
# these messages. For information about how to do that, see
|
|
||||||
#
|
#
|
||||||
# http://www.shorewall.net/FAQ.htm#faq6
|
BLACKLIST_LOGLEVEL=
|
||||||
|
|
||||||
LOGFILE=/var/log/messages
|
#
|
||||||
|
# LOGGING 'New not SYN' rejects
|
||||||
|
#
|
||||||
|
# This variable only has an effect when NEWNOTSYN=No (see below).
|
||||||
|
#
|
||||||
|
# When a TCP packet that does not have the SYN flag set and the ACK and RST
|
||||||
|
# flags clear then unless the packet is part of an established connection,
|
||||||
|
# it will be rejected by the firewall. If you want these rejects logged,
|
||||||
|
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
|
||||||
|
#
|
||||||
|
# See the comment at the top of this section for a description of log levels
|
||||||
|
#
|
||||||
|
# Example: LOGNEWNOTSYN=debug
|
||||||
|
|
||||||
|
|
||||||
|
LOGNEWNOTSYN=
|
||||||
|
|
||||||
|
#
|
||||||
|
# MAC List Log Level
|
||||||
|
#
|
||||||
|
# Specifies the logging level for connection requests that fail MAC
|
||||||
|
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
|
||||||
|
# such connection requests will not be logged.
|
||||||
|
#
|
||||||
|
# See the comment at the top of this section for a description of log levels
|
||||||
|
#
|
||||||
|
|
||||||
|
MACLIST_LOG_LEVEL=info
|
||||||
|
|
||||||
|
#
|
||||||
|
# TCP FLAGS Log Level
|
||||||
|
#
|
||||||
|
# Specifies the logging level for packets that fail TCP Flags
|
||||||
|
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
|
||||||
|
# such packets will not be logged.
|
||||||
|
#
|
||||||
|
# See the comment at the top of this section for a description of log levels
|
||||||
|
#
|
||||||
|
|
||||||
|
TCP_FLAGS_LOG_LEVEL=info
|
||||||
|
|
||||||
|
#
|
||||||
|
# RFC1918 Log Level
|
||||||
|
#
|
||||||
|
# Specifies the logging level for packets that fail RFC 1918
|
||||||
|
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
|
||||||
|
# RFC1918_LOG_LEVEL=info is assumed.
|
||||||
|
#
|
||||||
|
# See the comment at the top of this section for a description of log levels
|
||||||
|
#
|
||||||
|
|
||||||
|
RFC1918_LOG_LEVEL=info
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||||
|
################################################################################
|
||||||
|
#
|
||||||
|
# PATH - Change this if you want to change the order in which Shorewall
|
||||||
|
# searches directories for executable files.
|
||||||
|
#
|
||||||
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
|
|
||||||
|
# SUBSYSTEM LOCK FILE
|
||||||
|
#
|
||||||
|
# Set this to the name of the lock file expected by your init scripts. For
|
||||||
|
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
|
||||||
|
# should be /var/state/shorewall. If your init scripts don't use lock files,
|
||||||
|
# set this to "".
|
||||||
|
#
|
||||||
|
|
||||||
|
SUBSYSLOCK=/var/run/shorewall
|
||||||
|
|
||||||
|
#
|
||||||
|
# SHOREWALL TEMPORARY STATE DIRECTORY
|
||||||
|
#
|
||||||
|
# This is the directory where the firewall maintains state information while
|
||||||
|
# it is running
|
||||||
|
#
|
||||||
|
|
||||||
|
STATEDIR=/tmp/shorewall
|
||||||
|
|
||||||
|
#
|
||||||
|
# KERNEL MODULE DIRECTORY
|
||||||
|
#
|
||||||
|
# If your netfilter kernel modules are in a directory other than
|
||||||
|
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
|
||||||
|
# directory in this variable. Example: MODULESDIR=/etc/modules.
|
||||||
|
|
||||||
|
MODULESDIR=
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# F I R E W A L L O P T I O N S
|
||||||
|
################################################################################
|
||||||
|
|
||||||
|
# NAME OF THE FIREWALL ZONE
|
||||||
|
#
|
||||||
|
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
|
||||||
|
# is assumed.
|
||||||
|
#
|
||||||
|
FW=fw
|
||||||
|
|
||||||
#
|
#
|
||||||
# ENABLE NAT SUPPORT
|
# ENABLE NAT SUPPORT
|
||||||
@ -214,24 +266,40 @@ ADD_SNAT_ALIASES=No
|
|||||||
TC_ENABLED=No
|
TC_ENABLED=No
|
||||||
|
|
||||||
#
|
#
|
||||||
# BLACKLIST DISPOSITION
|
# Clear Traffic Shapping/Control
|
||||||
#
|
#
|
||||||
# Set this variable to the action that you want to perform on packets from
|
# If this option is set to 'No' then Shorewall won't clear the current
|
||||||
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
|
# traffic control rules during [re]start. This setting is intended
|
||||||
# DROP is assumed.
|
# for use by people that prefer to configure traffic shaping when
|
||||||
|
# the network interfaces come up rather than when the firewall
|
||||||
|
# is started. If that is what you want to do, set TC_ENABLED=Yes and
|
||||||
|
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
|
||||||
|
# way, your traffic shaping rules can still use the 'fwmark'
|
||||||
|
# classifier based on packet marking defined in /etc/shorewall/tcrules.
|
||||||
#
|
#
|
||||||
BLACKLIST_DISPOSITION=DROP
|
# If omitted, CLEAR_TC=Yes is assumed.
|
||||||
|
|
||||||
|
CLEAR_TC=Yes
|
||||||
|
|
||||||
#
|
#
|
||||||
# BLACKLIST LOG LEVEL
|
# Mark Packets in the forward chain
|
||||||
#
|
#
|
||||||
# Set this variable to the syslogd level that you want blacklist packets logged
|
# When processing the tcrules file, Shorewall normally marks packets in the
|
||||||
# (beward of DOS attacks resulting from such logging). If not set, no logging
|
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
|
||||||
# of blacklist packets occurs.
|
# this to "Yes". If not specified or if set to the empty value (e.g.,
|
||||||
|
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
|
||||||
#
|
#
|
||||||
# See the comment at the top of this file for a description of log levels
|
# Marking packets in the FORWARD chain has the advantage that inbound
|
||||||
|
# packets destined for Masqueraded/SNATed local hosts have had their destination
|
||||||
|
# address rewritten so they can be marked based on their destination. When
|
||||||
|
# packets are marked in the PREROUTING chain, packets destined for
|
||||||
|
# Masqueraded/SNATed local hosts still have a destination address corresponding
|
||||||
|
# to the firewall's external interface.
|
||||||
#
|
#
|
||||||
BLACKLIST_LOGLEVEL=
|
# Note: Older kernels do not support marking packets in the FORWARD chain and
|
||||||
|
# setting this variable to Yes may cause startup problems.
|
||||||
|
|
||||||
|
MARK_IN_FORWARD_CHAIN=No
|
||||||
|
|
||||||
#
|
#
|
||||||
# MSS CLAMPING
|
# MSS CLAMPING
|
||||||
@ -311,63 +379,30 @@ MULTIPORT=No
|
|||||||
# DNAT net loc:192.168.1.3 tcp 80
|
# DNAT net loc:192.168.1.3 tcp 80
|
||||||
#
|
#
|
||||||
# it will forward TCP port 80 connections from the net to 192.168.1.3
|
# it will forward TCP port 80 connections from the net to 192.168.1.3
|
||||||
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
|
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
|
||||||
# convenient for two reasons:
|
# convenient for two reasons:
|
||||||
#
|
#
|
||||||
# a) If the the network interface has a dynamic IP address, the
|
# a) If the the network interface has a dynamic IP address, the
|
||||||
# firewall configuration will work even when the address
|
# firewall configuration will work even when the address
|
||||||
# changes.
|
# changes.
|
||||||
#
|
#
|
||||||
# b) It saves having to configure the IP address in the rule
|
# b) It saves having to configure the IP address in the rule
|
||||||
# while still allowing the firewall to be started before the
|
# while still allowing the firewall to be started before the
|
||||||
# internet interface is brought up.
|
# internet interface is brought up.
|
||||||
#
|
#
|
||||||
# This default behavior can also have a negative effect. If the
|
# This default behavior can also have a negative effect. If the
|
||||||
# internet interface has more than one IP address then the above
|
# internet interface has more than one IP address then the above
|
||||||
# rule will forward connection requests on all of these addresses;
|
# rule will forward connection requests on all of these addresses;
|
||||||
# that may not be what is desired.
|
# that may not be what is desired.
|
||||||
#
|
#
|
||||||
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
|
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
|
||||||
# only if the original destination address is the primary IP address of
|
# only if the original destination address is the primary IP address of
|
||||||
# one of the interfaces associated with the source zone. Note that this
|
# one of the interfaces associated with the source zone. Note that this
|
||||||
# requires all interfaces to the source zone to be up when the firewall
|
# requires all interfaces to the source zone to be up when the firewall
|
||||||
# is [re]started.
|
# is [re]started.
|
||||||
|
|
||||||
DETECT_DNAT_IPADDRS=No
|
DETECT_DNAT_IPADDRS=No
|
||||||
|
|
||||||
#
|
|
||||||
# MERGE HOSTS FILE
|
|
||||||
#
|
|
||||||
# The traditional behavior of the /etc/shorewall/hosts file has been that
|
|
||||||
# if that file has ANY entry for a zone then the zone must be defined
|
|
||||||
# entirely in the hosts file. This is counter-intuitive and has caused
|
|
||||||
# people some problems.
|
|
||||||
#
|
|
||||||
# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
|
|
||||||
# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
|
|
||||||
# are added to the contents described in the /etc/shorewall/interfaces file.
|
|
||||||
#
|
|
||||||
# Example: Suppose that we have the following interfaces and hosts files:
|
|
||||||
#
|
|
||||||
# Interfaces:
|
|
||||||
#
|
|
||||||
# net eth0
|
|
||||||
# loc eth1
|
|
||||||
# - ppp+
|
|
||||||
#
|
|
||||||
# Hosts:
|
|
||||||
#
|
|
||||||
# loc ppp+:192.168.1.0/24
|
|
||||||
# wrk ppp+:!192.168.1.0/24
|
|
||||||
#
|
|
||||||
# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just
|
|
||||||
# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
|
|
||||||
# ppp+:192.168.1.0 and eth1:0.0.0.0/0
|
|
||||||
#
|
|
||||||
# If this variable is not set or is set to the empty value, "No" is assumed.
|
|
||||||
|
|
||||||
MERGE_HOSTS=Yes
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# MUTEX TIMEOUT
|
# MUTEX TIMEOUT
|
||||||
#
|
#
|
||||||
@ -383,36 +418,6 @@ MERGE_HOSTS=Yes
|
|||||||
|
|
||||||
MUTEX_TIMEOUT=60
|
MUTEX_TIMEOUT=60
|
||||||
|
|
||||||
#
|
|
||||||
# LOGGING 'New not SYN' rejects
|
|
||||||
#
|
|
||||||
# This variable only has an effect when NEWNOTSYN=No (see below).
|
|
||||||
#
|
|
||||||
# When a TCP packet that does not have the SYN flag set and the ACK and RST
|
|
||||||
# flags clear then unless the packet is part of an established connection,
|
|
||||||
# it will be rejected by the firewall. If you want these rejects logged,
|
|
||||||
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
|
|
||||||
#
|
|
||||||
# See the comment at the top of this file for a description of log levels
|
|
||||||
#
|
|
||||||
# Example: LOGNEWNOTSYN=debug
|
|
||||||
|
|
||||||
|
|
||||||
LOGNEWNOTSYN=
|
|
||||||
|
|
||||||
#
|
|
||||||
# Old Ping Handling
|
|
||||||
#
|
|
||||||
# If this option is set to "Yes" then Shorewall will use its old ping handling
|
|
||||||
# facility including the FORWARDPING option in this file and the 'noping' and
|
|
||||||
# 'filterping' interface options. If this option is set to 'No' then ping
|
|
||||||
# is handled via policy and rules just like any other connection request.
|
|
||||||
#
|
|
||||||
# If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND
|
|
||||||
# DON'T DELETE IT!!!!!!
|
|
||||||
#
|
|
||||||
OLD_PING_HANDLING=No
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# NEWNOTSYN
|
# NEWNOTSYN
|
||||||
#
|
#
|
||||||
@ -427,9 +432,21 @@ OLD_PING_HANDLING=No
|
|||||||
# Users with a High-availability setup with two firewall's and one acting
|
# Users with a High-availability setup with two firewall's and one acting
|
||||||
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
|
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
|
||||||
# also need to select NEWNOTSYN=Yes.
|
# also need to select NEWNOTSYN=Yes.
|
||||||
|
|
||||||
NEWNOTSYN=No
|
NEWNOTSYN=No
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# P A C K E T D I S P O S I T I O N
|
||||||
|
################################################################################
|
||||||
|
#
|
||||||
|
# BLACKLIST DISPOSITION
|
||||||
|
#
|
||||||
|
# Set this variable to the action that you want to perform on packets from
|
||||||
|
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
|
||||||
|
# DROP is assumed.
|
||||||
|
#
|
||||||
|
BLACKLIST_DISPOSITION=DROP
|
||||||
|
|
||||||
#
|
#
|
||||||
# MAC List Disposition
|
# MAC List Disposition
|
||||||
#
|
#
|
||||||
@ -441,86 +458,14 @@ NEWNOTSYN=No
|
|||||||
|
|
||||||
MACLIST_DISPOSITION=REJECT
|
MACLIST_DISPOSITION=REJECT
|
||||||
|
|
||||||
#
|
|
||||||
# MAC List Log Level
|
|
||||||
#
|
|
||||||
# Specifies the logging level for connection requests that fail MAC
|
|
||||||
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
|
|
||||||
# such connection requests will not be logged.
|
|
||||||
#
|
|
||||||
# See the comment at the top of this file for a description of log levels
|
|
||||||
#
|
|
||||||
|
|
||||||
MACLIST_LOG_LEVEL=info
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# TCP FLAGS Disposition
|
# TCP FLAGS Disposition
|
||||||
#
|
#
|
||||||
# This variable determins the disposition of packets having an invalid
|
# This variable determins the disposition of packets having an invalid
|
||||||
# combination of TCP flags that are received on interfaces having the
|
# combination of TCP flags that are received on interfaces having the
|
||||||
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
|
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
|
||||||
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
|
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
|
||||||
|
|
||||||
TCP_FLAGS_DISPOSITION=DROP
|
TCP_FLAGS_DISPOSITION=DROP
|
||||||
|
|
||||||
#
|
|
||||||
# TCP FLAGS Log Level
|
|
||||||
#
|
|
||||||
# Specifies the logging level for packets that fail TCP Flags
|
|
||||||
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
|
|
||||||
# such packets will not be logged.
|
|
||||||
#
|
|
||||||
# See the comment at the top of this file for a description of log levels
|
|
||||||
#
|
|
||||||
|
|
||||||
TCP_FLAGS_LOG_LEVEL=info
|
|
||||||
|
|
||||||
#
|
|
||||||
# RFC1918 Log Level
|
|
||||||
#
|
|
||||||
# Specifies the logging level for packets that fail RFC 1918
|
|
||||||
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
|
|
||||||
# RFC1918_LOG_LEVEL=info is assumed.
|
|
||||||
#
|
|
||||||
# See the comment at the top of this file for a description of log levels
|
|
||||||
#
|
|
||||||
|
|
||||||
RFC1918_LOG_LEVEL=info
|
|
||||||
|
|
||||||
#
|
|
||||||
# Mark Packets in the forward chain
|
|
||||||
#
|
|
||||||
# When processing the tcrules file, Shorewall normally marks packets in the
|
|
||||||
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
|
|
||||||
# this to "Yes". If not specified or if set to the empty value (e.g.,
|
|
||||||
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
|
|
||||||
#
|
|
||||||
# Marking packets in the FORWARD chain has the advantage that inbound
|
|
||||||
# packets destined for Masqueraded/SNATed local hosts have had their destination
|
|
||||||
# address rewritten so they can be marked based on their destination. When
|
|
||||||
# packets are marked in the PREROUTING chain, packets destined for
|
|
||||||
# Masqueraded/SNATed local hosts still have a destination address corresponding
|
|
||||||
# to the firewall's external interface.
|
|
||||||
#
|
|
||||||
# Note: Older kernels do not support marking packets in the FORWARD chain and
|
|
||||||
# setting this variable to Yes may cause startup problems.
|
|
||||||
|
|
||||||
MARK_IN_FORWARD_CHAIN=No
|
|
||||||
|
|
||||||
#
|
|
||||||
# Clear Traffic Shapping/Control
|
|
||||||
#
|
|
||||||
# If this option is set to 'No' then Shorewall won't clear the current
|
|
||||||
# traffic control rules during [re]start. This setting is intended
|
|
||||||
# for use by people that prefer to configure traffic shaping when
|
|
||||||
# the network interfaces come up rather than when the firewall
|
|
||||||
# is started. If that is what you want to do, set TC_ENABLED=Yes and
|
|
||||||
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
|
|
||||||
# way, your traffic shaping rules can still use the 'fwmark'
|
|
||||||
# classifier based on packet marking defined in /etc/shorewall/tcrules.
|
|
||||||
#
|
|
||||||
# If omitted, CLEAR_TC=Yes is assumed.
|
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
|
||||||
|
|
||||||
#LAST LINE -- DO NOT REMOVE
|
#LAST LINE -- DO NOT REMOVE
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
############################################################################
|
############################################################################
|
||||||
# Shorewall 1.3 -- /etc/shorewall/start
|
# Shorewall 1.4 -- /etc/shorewall/start
|
||||||
#
|
#
|
||||||
# Add commands below that you want to be executed after shorewall has
|
# Add commands below that you want to be executed after shorewall has
|
||||||
# been started or restarted.
|
# been started or restarted.
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
############################################################################
|
############################################################################
|
||||||
# Shorewall 1.3 -- /etc/shorewall/stop
|
# Shorewall 1.4 -- /etc/shorewall/stop
|
||||||
#
|
#
|
||||||
# Add commands below that you want to be executed at the beginning of a
|
# Add commands below that you want to be executed at the beginning of a
|
||||||
# "shorewall stop" command.
|
# "shorewall stop" command.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
############################################################################
|
############################################################################
|
||||||
# Shorewall 1.3 -- /etc/shorewall/stopped
|
# Shorewall 1.4 -- /etc/shorewall/stopped
|
||||||
#
|
#
|
||||||
# Add commands below that you want to be executed at the completion of a
|
# Add commands below that you want to be executed at the completion of a
|
||||||
# "shorewall stop" command.
|
# "shorewall stop" command.
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall version 1.3 - Traffic Control Rules File
|
# Shorewall version 1.4 - Traffic Control Rules File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/tcrules
|
# /etc/shorewall/tcrules
|
||||||
#
|
#
|
||||||
@ -26,10 +26,10 @@
|
|||||||
# /etc/shorewall/shorewall.conf.
|
# /etc/shorewall/shorewall.conf.
|
||||||
#
|
#
|
||||||
# SOURCE Source of the packet. A comma-separated list of
|
# SOURCE Source of the packet. A comma-separated list of
|
||||||
# interface names, IP addresses, MAC addresses
|
# interface names, IP addresses, MAC addresses
|
||||||
# and/or subnets. Use $FW if the packet originates on
|
# and/or subnets. Use $FW if the packet originates on
|
||||||
# the firewall in which case the MARK column may NOT
|
# the firewall in which case the MARK column may NOT
|
||||||
# specify either ":P" or ":F" (marking always occurs
|
# specify either ":P" or ":F" (marking always occurs
|
||||||
# in the OUTPUT chain).
|
# in the OUTPUT chain).
|
||||||
#
|
#
|
||||||
# MAC addresses must be prefixed with "~" and use
|
# MAC addresses must be prefixed with "~" and use
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 1.3 -- /etc/shorewall/tos
|
# Shorewall 1.4 -- /etc/shorewall/tos
|
||||||
#
|
#
|
||||||
# This file defines rules for setting Type Of Service (TOS)
|
# This file defines rules for setting Type Of Service (TOS)
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 1.3 - /etc/shorewall/tunnels
|
# Shorewall 1.4 - /etc/shorewall/tunnels
|
||||||
#
|
#
|
||||||
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
|
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
|
||||||
#
|
#
|
||||||
@ -25,7 +25,7 @@
|
|||||||
# remote getway has no fixed address (Road Warrior)
|
# remote getway has no fixed address (Road Warrior)
|
||||||
# then specify the gateway as 0.0.0.0/0.
|
# then specify the gateway as 0.0.0.0/0.
|
||||||
#
|
#
|
||||||
# GATEWAY
|
# GATEWAY
|
||||||
# ZONES -- Optional. If the gateway system specified in the third
|
# ZONES -- Optional. If the gateway system specified in the third
|
||||||
# column is a standalone host then this column should
|
# column is a standalone host then this column should
|
||||||
# contain a comma-separated list of the names of the
|
# contain a comma-separated list of the names of the
|
||||||
|
@ -1,14 +1,14 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 1.3 /etc/shorewall/zones
|
# Shorewall 1.4 /etc/shorewall/zones
|
||||||
#
|
#
|
||||||
# This file determines your network zones. Columns are:
|
# This file determines your network zones. Columns are:
|
||||||
#
|
#
|
||||||
# ZONE Short name of the zone
|
# ZONE Short name of the zone
|
||||||
# DISPLAY Display name of the zone
|
# DISPLAY Display name of the zone
|
||||||
# COMMENTS Comments about the zone
|
# COMMENTS Comments about the zone
|
||||||
#
|
#
|
||||||
#ZONE DISPLAY COMMENTS
|
#ZONE DISPLAY COMMENTS
|
||||||
net Net Internet
|
net Net Internet
|
||||||
loc Local Local networks
|
loc Local Local networks
|
||||||
dmz DMZ Demilitarized zone
|
dmz DMZ Demilitarized zone
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
#
|
#
|
||||||
# Shorewall Packet Filtering Firewall Control Program - V1.3 - 6/14/2002
|
# Shorewall Packet Filtering Firewall Control Program - V1.4 - 3/14/2003
|
||||||
#
|
#
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||||
#
|
#
|
||||||
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||||
#
|
#
|
||||||
@ -12,7 +12,7 @@
|
|||||||
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
||||||
#
|
#
|
||||||
# This program is free software; you can redistribute it and/or modify
|
# This program is free software; you can redistribute it and/or modify
|
||||||
# it under the terms of Version 2 of the GNU General Public License
|
# it under the terms of Version 2 of the GNU General Public License
|
||||||
# as published by the Free Software Foundation.
|
# as published by the Free Software Foundation.
|
||||||
#
|
#
|
||||||
# This program is distributed in the hope that it will be useful,
|
# This program is distributed in the hope that it will be useful,
|
||||||
@ -23,7 +23,7 @@
|
|||||||
# You should have received a copy of the GNU General Public License
|
# You should have received a copy of the GNU General Public License
|
||||||
# along with this program; if not, write to the Free Software
|
# along with this program; if not, write to the Free Software
|
||||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
||||||
#
|
#
|
||||||
# If an error occurs while starting or restarting the firewall, the
|
# If an error occurs while starting or restarting the firewall, the
|
||||||
# firewall is automatically stopped.
|
# firewall is automatically stopped.
|
||||||
#
|
#
|
||||||
@ -34,13 +34,13 @@
|
|||||||
#
|
#
|
||||||
# shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone
|
# shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone
|
||||||
# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
|
# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
|
||||||
# shorewall start Starts the firewall
|
# shorewall start Starts the firewall
|
||||||
# shorewall restart Restarts the firewall
|
# shorewall restart Restarts the firewall
|
||||||
# shorewall stop Stops the firewall
|
# shorewall stop Stops the firewall
|
||||||
# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status
|
# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status
|
||||||
# plus the last 20 "interesting"
|
# plus the last 20 "interesting"
|
||||||
# packets
|
# packets
|
||||||
# shorewall status Displays firewall status
|
# shorewall status Displays firewall status
|
||||||
# shorewall reset Resets iptables packet and
|
# shorewall reset Resets iptables packet and
|
||||||
# byte counts
|
# byte counts
|
||||||
# shorewall clear Open the floodgates by
|
# shorewall clear Open the floodgates by
|
||||||
@ -75,7 +75,7 @@
|
|||||||
# listed address(es)
|
# listed address(es)
|
||||||
# shorewall reject <address> ... Temporarily reject all packets from the
|
# shorewall reject <address> ... Temporarily reject all packets from the
|
||||||
# listed address(es)
|
# listed address(es)
|
||||||
# shorewall allow <address> ... Reenable address(es) previously
|
# shorewall allow <address> ... Reenable address(es) previously
|
||||||
# disabled with "drop" or "reject"
|
# disabled with "drop" or "reject"
|
||||||
# shorewall save Save the list of "rejected" and
|
# shorewall save Save the list of "rejected" and
|
||||||
# "dropped" addresses so that it will
|
# "dropped" addresses so that it will
|
||||||
@ -84,6 +84,7 @@
|
|||||||
#
|
#
|
||||||
# Display a chain if it exists
|
# Display a chain if it exists
|
||||||
#
|
#
|
||||||
|
|
||||||
showfirstchain() # $1 = name of chain
|
showfirstchain() # $1 = name of chain
|
||||||
{
|
{
|
||||||
awk \
|
awk \
|
||||||
@ -142,7 +143,7 @@ get_config() {
|
|||||||
display_chains()
|
display_chains()
|
||||||
{
|
{
|
||||||
trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
|
trap "rm -f /tmp/chains-$$; exit 1" 1 2 3 4 5 6 9
|
||||||
|
|
||||||
if [ "$haveawk" = "Yes" ]; then
|
if [ "$haveawk" = "Yes" ]; then
|
||||||
#
|
#
|
||||||
# Send the output to a temporary file since ash craps if we try to store
|
# Send the output to a temporary file since ash craps if we try to store
|
||||||
@ -170,11 +171,11 @@ display_chains()
|
|||||||
echo
|
echo
|
||||||
|
|
||||||
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
|
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
|
||||||
|
|
||||||
for chain in $chains; do
|
for chain in $chains; do
|
||||||
showchain $chain
|
showchain $chain
|
||||||
done
|
done
|
||||||
|
|
||||||
timed_read
|
timed_read
|
||||||
|
|
||||||
for zone in $zones; do
|
for zone in $zones; do
|
||||||
@ -242,7 +243,7 @@ display_chains()
|
|||||||
# Delay $timeout seconds -- if we're running on a recent bash2 then allow
|
# Delay $timeout seconds -- if we're running on a recent bash2 then allow
|
||||||
# <enter> to terminate the delay
|
# <enter> to terminate the delay
|
||||||
#
|
#
|
||||||
timed_read ()
|
timed_read ()
|
||||||
{
|
{
|
||||||
read -t $timeout foo 2> /dev/null
|
read -t $timeout foo 2> /dev/null
|
||||||
|
|
||||||
@ -252,7 +253,7 @@ timed_read ()
|
|||||||
#
|
#
|
||||||
# Display the last $1 packets logged
|
# Display the last $1 packets logged
|
||||||
#
|
#
|
||||||
packet_log() # $1 = number of messages
|
packet_log() # $1 = number of messages
|
||||||
{
|
{
|
||||||
local options
|
local options
|
||||||
|
|
||||||
@ -334,7 +335,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
get_config
|
get_config
|
||||||
host=`echo $HOSTNAME | sed 's/\..*$//'`
|
host=`echo $HOSTNAME | sed 's/\..*$//'`
|
||||||
oldrejects=`iptables -L -v -n | grep 'LOG'`
|
oldrejects=`iptables -L -v -n | grep 'LOG'`
|
||||||
|
|
||||||
if [ $1 -lt 0 ]; then
|
if [ $1 -lt 0 ]; then
|
||||||
let "timeout=- $1"
|
let "timeout=- $1"
|
||||||
pause="Yes"
|
pause="Yes"
|
||||||
@ -347,7 +348,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
|
|
||||||
while true; do
|
while true; do
|
||||||
display_chains
|
display_chains
|
||||||
|
|
||||||
clear
|
clear
|
||||||
echo "$banner `date`"
|
echo "$banner `date`"
|
||||||
echo
|
echo
|
||||||
@ -361,7 +362,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
|||||||
|
|
||||||
if [ "$rejects" != "$oldrejects" ]; then
|
if [ "$rejects" != "$oldrejects" ]; then
|
||||||
oldrejects="$rejects"
|
oldrejects="$rejects"
|
||||||
|
|
||||||
$RING_BELL
|
$RING_BELL
|
||||||
|
|
||||||
packet_log 20
|
packet_log 20
|
||||||
@ -435,7 +436,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
|||||||
get_config
|
get_config
|
||||||
host=`echo $HOSTNAME | sed 's/\..*$//'`
|
host=`echo $HOSTNAME | sed 's/\..*$//'`
|
||||||
oldrejects=`iptables -L -v -n | grep 'LOG'`
|
oldrejects=`iptables -L -v -n | grep 'LOG'`
|
||||||
|
|
||||||
if [ $1 -lt 0 ]; then
|
if [ $1 -lt 0 ]; then
|
||||||
timeout=$((- $1))
|
timeout=$((- $1))
|
||||||
pause="Yes"
|
pause="Yes"
|
||||||
@ -570,24 +571,11 @@ fi
|
|||||||
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
|
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
|
||||||
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||||
SHARED_DIR=/usr/lib/shorewall
|
|
||||||
MUTEX_TIMEOUT=
|
MUTEX_TIMEOUT=
|
||||||
|
|
||||||
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
|
|
||||||
config=$SHOREWALL_DIR/shorewall.conf
|
|
||||||
else
|
|
||||||
config=/etc/shorewall/shorewall.conf
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -f $config ]; then
|
|
||||||
. $config
|
|
||||||
else
|
|
||||||
echo "$config does not exist!" >&2
|
|
||||||
exit 2
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||||
|
|
||||||
|
SHARED_DIR=/usr/share/shorewall
|
||||||
FIREWALL=$SHARED_DIR/firewall
|
FIREWALL=$SHARED_DIR/firewall
|
||||||
FUNCTIONS=$SHARED_DIR/functions
|
FUNCTIONS=$SHARED_DIR/functions
|
||||||
VERSION_FILE=$SHARED_DIR/version
|
VERSION_FILE=$SHARED_DIR/version
|
||||||
@ -599,6 +587,15 @@ else
|
|||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
config=`find_file shorewall.conf`
|
||||||
|
|
||||||
|
if [ -f $config ]; then
|
||||||
|
. $config
|
||||||
|
else
|
||||||
|
echo "$config does not exist!" >&2
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
|
||||||
if [ ! -f $FIREWALL ]; then
|
if [ ! -f $FIREWALL ]; then
|
||||||
echo "ERROR: Shorewall is not properly installed"
|
echo "ERROR: Shorewall is not properly installed"
|
||||||
if [ -L $FIREWALL ]; then
|
if [ -L $FIREWALL ]; then
|
||||||
@ -754,7 +751,7 @@ case "$1" in
|
|||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
echo " HITS PORT SERVICE(S)"
|
echo " HITS PORT SERVICE(S)"
|
||||||
echo " ---- ----- ----------"
|
echo " ---- ----- ----------"
|
||||||
grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
|
grep 'Shorewall:.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
|
||||||
while read count port ; do
|
while read count port ; do
|
||||||
# List all services defined for the given port
|
# List all services defined for the given port
|
||||||
@ -853,4 +850,4 @@ case "$1" in
|
|||||||
*)
|
*)
|
||||||
usage 1
|
usage 1
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
etc/init.d/shorewall
|
etc/init.d/shorewall
|
||||||
etc/shorewall
|
etc/shorewall
|
||||||
sbin/shorewall
|
sbin/shorewall
|
||||||
usr/lib/shorewall
|
usr/share/shorewall
|
||||||
var/lib/lrpkg/shorwall.*
|
var/lib/lrpkg/shorwall.*
|
||||||
|
@ -1 +1 @@
|
|||||||
1.3.14
|
1.4.0
|
||||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -2,170 +2,162 @@
|
|||||||
<html>
|
<html>
|
||||||
<head>
|
<head>
|
||||||
|
|
||||||
|
|
||||||
<meta http-equiv="Content-Language" content="en-us">
|
<meta http-equiv="Content-Language" content="en-us">
|
||||||
|
|
||||||
|
|
||||||
<meta http-equiv="Content-Type"
|
<meta http-equiv="Content-Type"
|
||||||
content="text/html; charset=windows-1252">
|
content="text/html; charset=windows-1252">
|
||||||
|
|
||||||
|
|
||||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||||
|
|
||||||
|
|
||||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||||
<title>Shorewall Index</title>
|
<title>Shorewall Index</title>
|
||||||
|
|
||||||
<base
|
<base
|
||||||
target="main">
|
target="main">
|
||||||
|
|
||||||
<meta name="Microsoft Theme" content="none">
|
<meta name="Microsoft Theme" content="none">
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
|
|
||||||
<table border="0" cellpadding="0" cellspacing="0"
|
<table border="0" cellpadding="0" cellspacing="0"
|
||||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||||
bgcolor="#4b017c" height="90">
|
bgcolor="#4b017c" height="90">
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td width="100%" height="90">
|
<td width="100%" height="90">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
|
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td width="100%" bgcolor="#ffffff">
|
<td width="100%"
|
||||||
|
bgcolor="#ffffff">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li> <a
|
|
||||||
href="seattlefirewall_index.htm">Home</a></li>
|
|
||||||
<li> <a
|
|
||||||
href="shorewall_features.htm">Features</a></li>
|
|
||||||
<li> <a
|
|
||||||
href="shorewall_prerequisites.htm">Requirements</a></li>
|
|
||||||
<li> <a href="download.htm">Download</a><br>
|
|
||||||
</li>
|
|
||||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
|
||||||
<a href="Install.htm">Configuration</a><br>
|
|
||||||
</li>
|
|
||||||
<li> <a
|
|
||||||
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
|
|
||||||
</li>
|
|
||||||
<li> <b><a
|
|
||||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
|
|
||||||
<li> <a href="Documentation.htm">Reference
|
|
||||||
Manual</a></li>
|
|
||||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
|
||||||
<li><a href="useful_links.html">Useful
|
|
||||||
Links</a><br>
|
|
||||||
</li>
|
|
||||||
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
|
|
||||||
<li> <a href="errata.htm">Errata</a></li>
|
|
||||||
<li> <a
|
|
||||||
href="upgrade_issues.htm">Upgrade Issues</a></li>
|
|
||||||
<li> <a href="support.htm">Support</a></li>
|
|
||||||
<li><a href="Forum.html">Support Forum</a> <img
|
|
||||||
src="images/new10.gif" alt="(New)" width="28" height="12">
|
|
||||||
<br>
|
|
||||||
</li>
|
|
||||||
<li> <a
|
|
||||||
href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
|
|
||||||
<li> <a
|
|
||||||
href="shorewall_mirrors.htm">Mirrors</a>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li><a target="_top"
|
|
||||||
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
|
|
||||||
<li><a target="_top"
|
|
||||||
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
|
|
||||||
<li><a target="_top"
|
|
||||||
href="http://germany.shorewall.net">Germany</a></li>
|
|
||||||
<li><a target="_top"
|
|
||||||
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
|
|
||||||
<li><a target="_top"
|
|
||||||
href="http://france.shorewall.net">France</a></li>
|
|
||||||
<li><a href="http://www.shorewall.net"
|
|
||||||
target="_top">Washington State, USA</a><br>
|
|
||||||
</li>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
</li>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li> <a
|
||||||
|
href="seattlefirewall_index.htm">Home</a></li>
|
||||||
|
<li> <a
|
||||||
|
href="shorewall_features.htm">Features</a></li>
|
||||||
|
<li> <a
|
||||||
|
href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||||
|
<li> <a href="download.htm">Download</a><br>
|
||||||
|
</li>
|
||||||
|
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||||
|
<a href="Install.htm">Configuration</a><br>
|
||||||
|
</li>
|
||||||
|
<li> <a
|
||||||
|
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
|
||||||
|
</li>
|
||||||
|
<li> <b><a
|
||||||
|
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
|
||||||
|
<li> <a
|
||||||
|
href="Documentation.htm">Reference Manual</a></li>
|
||||||
|
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||||
|
<li><a
|
||||||
|
href="useful_links.html">Useful Links</a><br>
|
||||||
|
</li>
|
||||||
|
<li> <a
|
||||||
|
href="troubleshoot.htm">Troubleshooting</a></li>
|
||||||
|
<li> <a href="errata.htm">Errata</a></li>
|
||||||
|
<li> <a
|
||||||
|
href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||||
|
<li> <a href="support.htm">Getting
|
||||||
|
help or Answers to Questions</a><br>
|
||||||
|
</li>
|
||||||
|
|
||||||
|
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li><a target="_top"
|
||||||
|
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
|
||||||
|
<li><a target="_top"
|
||||||
|
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
|
||||||
|
<li><a target="_top"
|
||||||
|
href="http://germany.shorewall.net">Germany</a></li>
|
||||||
|
<li><a target="_top"
|
||||||
|
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
|
||||||
|
<li><a target="_top"
|
||||||
|
href="http://france.shorewall.net">France</a></li>
|
||||||
|
<li><a href="http://www.shorewall.net"
|
||||||
|
target="_top">Washington State, USA</a><br>
|
||||||
|
</li>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li> <a href="News.htm">News Archive</a></li>
|
<li> <a href="News.htm">News
|
||||||
<li> <a
|
Archive</a></li>
|
||||||
|
<li> <a
|
||||||
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
|
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
|
||||||
<li> <a href="quotes.htm">Quotes
|
<li> <a href="quotes.htm">Quotes
|
||||||
from Users</a></li>
|
from Users</a></li>
|
||||||
<li> <a href="shoreline.htm">About
|
<li> <a href="shoreline.htm">About
|
||||||
the Author</a></li>
|
the Author</a></li>
|
||||||
<li> <a
|
<li> <a
|
||||||
href="seattlefirewall_index.htm#Donations">Donations</a></li>
|
href="seattlefirewall_index.htm#Donations">Donations</a></li>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
||||||
|
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
|
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
|
||||||
<strong><br>
|
<strong><br>
|
||||||
<b>Note: </b></strong>Search is unavailable
|
<b>Note: </b></strong>Search is unavailable
|
||||||
Daily 0200-0330 GMT.<br>
|
Daily 0200-0330 GMT.<br>
|
||||||
<strong></strong>
|
<strong></strong>
|
||||||
|
|
||||||
<p><strong>Quick Search</strong><br>
|
<p><strong>Quick Search</strong><br>
|
||||||
<font face="Arial" size="-1"> <input
|
<font face="Arial" size="-1"> <input
|
||||||
type="text" name="words" size="15"></font><font size="-1"> </font> <font
|
type="text" name="words" size="15"></font><font size="-1"> </font> <font
|
||||||
face="Arial" size="-1"> <input type="hidden" name="format"
|
face="Arial" size="-1"> <input type="hidden" name="format"
|
||||||
value="long"> <input type="hidden" name="method" value="and"> <input
|
value="long"> <input type="hidden" name="method" value="and"> <input
|
||||||
type="hidden" name="config" value="htdig"> <input type="submit"
|
type="hidden" name="config" value="htdig"> <input type="submit"
|
||||||
value="Search"></font> </p>
|
value="Search"></font> </p>
|
||||||
<font face="Arial"> <input
|
<font face="Arial"> <input
|
||||||
type="hidden" name="exclude"
|
type="hidden" name="exclude"
|
||||||
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
|
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
|
||||||
|
|
||||||
|
|
||||||
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
|
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
|
||||||
|
|
||||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||||
size="2">2001-2003 Thomas M. Eastep.</font></a></p>
|
size="2">2001-2003 Thomas M. Eastep.</font></a><a
|
||||||
|
href="http://www.shorewall.net" target="_top"> </a></p>
|
||||||
<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
|
|
||||||
src="images/shorewall.jpg" width="119" height="38" hspace="0">
|
|
||||||
</a><br>
|
|
||||||
</p>
|
|
||||||
<br>
|
|
||||||
<br>
|
|
||||||
<br>
|
|
||||||
<br>
|
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
@ -2,165 +2,166 @@
|
|||||||
<html>
|
<html>
|
||||||
<head>
|
<head>
|
||||||
|
|
||||||
|
|
||||||
<meta http-equiv="Content-Language" content="en-us">
|
<meta http-equiv="Content-Language" content="en-us">
|
||||||
|
|
||||||
|
|
||||||
<meta http-equiv="Content-Type"
|
<meta http-equiv="Content-Type"
|
||||||
content="text/html; charset=windows-1252">
|
content="text/html; charset=windows-1252">
|
||||||
|
|
||||||
|
|
||||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||||
|
|
||||||
|
|
||||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||||
<title>Shorewall Index</title>
|
<title>Shorewall Index</title>
|
||||||
|
|
||||||
<base
|
|
||||||
target="main">
|
<base target="main">
|
||||||
|
|
||||||
<meta name="Microsoft Theme" content="none">
|
<meta name="Microsoft Theme" content="none">
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
|
|
||||||
<table border="0" cellpadding="0" cellspacing="0"
|
<table border="0" cellpadding="0" cellspacing="0"
|
||||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||||
bgcolor="#4b017c" height="90">
|
bgcolor="#4b017c" height="90">
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td width="100%" height="90">
|
<td width="100%" height="90">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
|
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td width="100%"
|
<td width="100%"
|
||||||
bgcolor="#ffffff">
|
bgcolor="#ffffff">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li> <a
|
|
||||||
href="seattlefirewall_index.htm">Home</a></li>
|
|
||||||
<li> <a
|
|
||||||
href="shorewall_features.htm">Features</a></li>
|
|
||||||
<li> <a
|
|
||||||
href="shorewall_prerequisites.htm">Requirements</a></li>
|
|
||||||
<li> <a href="download.htm">Download</a><br>
|
|
||||||
</li>
|
|
||||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
|
||||||
<a href="Install.htm">Configuration</a><br>
|
|
||||||
</li>
|
|
||||||
<li> <a
|
|
||||||
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
|
|
||||||
</li>
|
|
||||||
<li> <b><a
|
|
||||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
|
|
||||||
<li> <a
|
|
||||||
href="Documentation.htm">Reference Manual</a></li>
|
|
||||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
|
||||||
<li><a
|
|
||||||
href="useful_links.html">Useful Links</a><br>
|
|
||||||
</li>
|
|
||||||
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
|
|
||||||
<li> <a href="errata.htm">Errata</a></li>
|
|
||||||
<li> <a
|
|
||||||
href="upgrade_issues.htm">Upgrade Issues</a></li>
|
|
||||||
<li> <a href="support.htm">Support</a></li>
|
|
||||||
<li><a href="Forum.html">Support Forum</a> <img
|
|
||||||
src="images/new10.gif" alt="(New)" width="28" height="12">
|
|
||||||
<br>
|
|
||||||
</li>
|
|
||||||
<li> <a
|
|
||||||
href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
|
|
||||||
<li> <a
|
|
||||||
href="shorewall_mirrors.htm">Mirrors</a>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li><a target="_top"
|
|
||||||
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
|
|
||||||
<li><a target="_top"
|
|
||||||
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
|
|
||||||
<li><a target="_top"
|
|
||||||
href="http://germany.shorewall.net">Germany</a></li>
|
|
||||||
<li><a target="_top"
|
|
||||||
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
|
|
||||||
<li><a target="_top"
|
|
||||||
href="http://france.shorewall.net">France</a></li>
|
|
||||||
<li><a href="http://www.shorewall.net"
|
|
||||||
target="_top">Washington State, USA</a><br>
|
|
||||||
</li>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
</li>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li> <a
|
||||||
|
href="sourceforge_index.htm">Home</a></li>
|
||||||
|
<li> <a
|
||||||
|
href="shorewall_features.htm">Features</a></li>
|
||||||
|
<li> <a
|
||||||
|
href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||||
|
<li> <a href="download.htm">Download</a><br>
|
||||||
|
</li>
|
||||||
|
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||||
|
<a href="Install.htm">Configuration</a><br>
|
||||||
|
</li>
|
||||||
|
<li> <a
|
||||||
|
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
|
||||||
|
</li>
|
||||||
|
<li> <b><a
|
||||||
|
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
|
||||||
|
<li> <a
|
||||||
|
href="Documentation.htm">Reference Manual</a></li>
|
||||||
|
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||||
|
<li><a
|
||||||
|
href="useful_links.html">Useful Links</a><br>
|
||||||
|
</li>
|
||||||
|
<li> <a
|
||||||
|
href="troubleshoot.htm">Troubleshooting</a></li>
|
||||||
|
<li> <a href="errata.htm">Errata</a></li>
|
||||||
|
<li> <a
|
||||||
|
href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||||
|
<li> <a href="support.htm">Getting
|
||||||
|
Help or Answers to Questions</a></li>
|
||||||
|
|
||||||
|
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li><a target="_top"
|
||||||
|
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
|
||||||
|
<li><a target="_top"
|
||||||
|
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
|
||||||
|
<li><a target="_top"
|
||||||
|
href="http://germany.shorewall.net">Germany</a></li>
|
||||||
|
<li><a target="_top"
|
||||||
|
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
|
||||||
|
<li><a target="_top"
|
||||||
|
href="http://france.shorewall.net">France</a></li>
|
||||||
|
<li><a href="http://www.shorewall.net"
|
||||||
|
target="_top">Washington State, USA</a><br>
|
||||||
|
</li>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li> <a href="News.htm">News Archive</a></li>
|
<li> <a href="News.htm">News
|
||||||
<li> <a
|
Archive</a></li>
|
||||||
|
<li> <a
|
||||||
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
|
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
|
||||||
<li> <a href="quotes.htm">Quotes
|
<li> <a href="quotes.htm">Quotes
|
||||||
from Users</a></li>
|
from Users</a></li>
|
||||||
<li> <a href="shoreline.htm">About
|
<li> <a href="shoreline.htm">About
|
||||||
the Author</a></li>
|
the Author</a></li>
|
||||||
<li> <a
|
<li> <a
|
||||||
href="sourceforge_index.htm#Donations">Donations</a></li>
|
href="sourceforge_index.htm#Donations">Donations</a></li>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
</td>
|
|
||||||
</tr>
|
|
||||||
|
|
||||||
|
|
||||||
</tbody>
|
</ul>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
|
||||||
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
|
||||||
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
|
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
|
||||||
<strong><br>
|
<strong><br>
|
||||||
<b>Note: </b></strong>Search is unavailable
|
<b>Note: </b></strong>Search is unavailable
|
||||||
Daily 0200-0330 GMT.<br>
|
Daily 0200-0330 GMT.<br>
|
||||||
<strong></strong>
|
<strong></strong>
|
||||||
|
|
||||||
<p><strong>Quick Search</strong><br>
|
<p><strong>Quick Search</strong><br>
|
||||||
<font face="Arial" size="-1"> <input
|
<font face="Arial" size="-1">
|
||||||
type="text" name="words" size="15"></font><font size="-1"> </font> <font
|
<input type="text" name="words" size="15"></font><font size="-1"> </font>
|
||||||
face="Arial" size="-1"> <input type="hidden" name="format"
|
<font face="Arial" size="-1"> <input type="hidden" name="format"
|
||||||
value="long"> <input type="hidden" name="method" value="and"> <input
|
value="long"> <input type="hidden" name="method" value="and"> <input
|
||||||
type="hidden" name="config" value="htdig"> <input type="submit"
|
type="hidden" name="config" value="htdig"> <input type="submit"
|
||||||
value="Search"></font> </p>
|
value="Search"></font> </p>
|
||||||
<font face="Arial"> <input
|
<font face="Arial"> <input
|
||||||
type="hidden" name="exclude"
|
type="hidden" name="exclude"
|
||||||
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
|
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
|
||||||
|
|
||||||
|
|
||||||
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
|
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
|
||||||
|
|
||||||
|
|
||||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||||
size="2">2001-2003 Thomas M. Eastep.</font></a></p>
|
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
|
||||||
<br>
|
</p>
|
||||||
<br>
|
|
||||||
<br>
|
|
||||||
<br>
|
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
File diff suppressed because it is too large
Load Diff
Binary file not shown.
@ -6,7 +6,8 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<meta http-equiv="Content-Type"
|
<meta http-equiv="Content-Type"
|
||||||
content="text/html; charset=windows-1252">
|
content="text/html; charset=windows-1252">
|
||||||
<title>Shoreline Firewall (Shorewall) 1.4</title>
|
<title>Shoreline Firewall (Shorewall) 1.4</title>
|
||||||
@ -15,25 +16,24 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
<base
|
|
||||||
target="_self">
|
<base target="_self">
|
||||||
<meta name="author" content="Tom Eastep">
|
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<table border="0" cellpadding="0" cellspacing="4"
|
<table border="0" cellpadding="0" cellspacing="4"
|
||||||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||||||
bgcolor="#4b017c">
|
bgcolor="#4b017c">
|
||||||
|
|
||||||
<tbody>
|
<tbody>
|
||||||
|
|
||||||
<tr>
|
<tr>
|
||||||
|
|
||||||
<td width="100%"
|
<td width="100%"
|
||||||
height="90">
|
height="90">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -43,14 +43,28 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h1 align="center"> <font size="4"><i> <a
|
<h1 align="center"> <font size="4"><i> <a
|
||||||
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
|
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
|
||||||
alt="Shorwall Logo" height="70" width="85" align="left"
|
alt="Shorwall Logo" height="70" width="85" align="left"
|
||||||
src="images/washington.jpg" border="0">
|
src="images/washington.jpg" border="0">
|
||||||
|
|
||||||
</a></i></font><font
|
</a></i></font><a
|
||||||
color="#ffffff">Shorewall 1.4 - <font size="4">"<i>iptables
|
href="http://www.shorewall.net" target="_top"><img border="1"
|
||||||
made easy"</i></font></font></h1>
|
src="images/shorewall.jpg" width="119" height="38" hspace="4"
|
||||||
|
alt="(Shorewall Logo)" align="right" vspace="4">
|
||||||
|
</a></h1>
|
||||||
|
<small><small><small><small><a
|
||||||
|
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small><big></big>
|
||||||
|
|
||||||
|
<div align="center">
|
||||||
|
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
|
||||||
|
color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
|
||||||
|
<p><a href="http://www.shorewall.net" target="_top">
|
||||||
|
</a> </p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -61,43 +75,42 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<div align="center"><a
|
|
||||||
href="http://shorewall.sf.net/1.3/index.html" target="_top"><font
|
|
||||||
color="#ffffff">Shorewall 1.3 Site here</font></a><br>
|
|
||||||
|
|
||||||
</div>
|
|
||||||
|
|
||||||
|
<div align="center"><a href="http://1.3/index.htm" target="_top"><font
|
||||||
|
color="#ffffff">Shorewall 1.3 Site is here</font></a>
|
||||||
|
<br>
|
||||||
|
|
||||||
<br>
|
</div>
|
||||||
|
</td>
|
||||||
|
|
||||||
</td>
|
</tr>
|
||||||
|
|
||||||
</tr>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tbody>
|
</tbody>
|
||||||
|
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<div align="center">
|
<div align="center">
|
||||||
|
|
||||||
<center>
|
<center>
|
||||||
|
|
||||||
<table border="0" cellpadding="0" cellspacing="0"
|
<table border="0" cellpadding="0" cellspacing="0"
|
||||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||||||
|
|
||||||
<tbody>
|
<tbody>
|
||||||
|
|
||||||
<tr>
|
<tr>
|
||||||
|
|
||||||
<td width="90%">
|
<td width="90%">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -108,7 +121,7 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h2 align="left">What is it?</h2>
|
<h2 align="left">What is it?</h2>
|
||||||
|
|
||||||
|
|
||||||
@ -121,11 +134,12 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
|
|
||||||
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
|
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||||
that can be used on a dedicated firewall system, a multi-function
|
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
|
||||||
gateway/router/server or on a standalone GNU/Linux system.</p>
|
firewall that can be used on a dedicated firewall system, a multi-function
|
||||||
|
gateway/router/server or on a standalone GNU/Linux system.</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -137,29 +151,30 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p>This program is free software; you can redistribute it and/or modify
|
|
||||||
it under the terms
|
|
||||||
of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
|
||||||
2 of the GNU General Public License</a> as published by the Free Software
|
|
||||||
Foundation.<br>
|
|
||||||
|
|
||||||
<br>
|
|
||||||
|
<p>This program is free software; you can redistribute it and/or modify
|
||||||
|
it under the
|
||||||
|
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
||||||
|
2 of the GNU General Public License</a> as published by the Free
|
||||||
|
Software Foundation.<br>
|
||||||
|
|
||||||
This program is distributed
|
<br>
|
||||||
in the hope that it will be useful, but
|
|
||||||
WITHOUT ANY WARRANTY; without even the implied
|
|
||||||
warranty of MERCHANTABILITY or FITNESS FOR A
|
|
||||||
PARTICULAR PURPOSE. See the GNU General Public License
|
|
||||||
for more details.<br>
|
|
||||||
|
|
||||||
<br>
|
This program is distributed
|
||||||
|
in the hope that it will be useful, but
|
||||||
|
WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
warranty of MERCHANTABILITY or FITNESS FOR
|
||||||
|
A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
for more details.<br>
|
||||||
|
|
||||||
You should have received
|
<br>
|
||||||
a copy of the GNU General Public License
|
|
||||||
along with this program; if not, write to
|
You should have received
|
||||||
the Free Software Foundation, Inc., 675 Mass
|
a copy of the GNU General Public License
|
||||||
Ave, Cambridge, MA 02139, USA</p>
|
along with this program; if not, write
|
||||||
|
to the Free Software Foundation, Inc., 675
|
||||||
|
Mass Ave, Cambridge, MA 02139, USA</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -171,7 +186,8 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
|
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
|
||||||
|
|
||||||
|
|
||||||
@ -184,253 +200,338 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
||||||
border="0" src="images/leaflogo.gif" width="49" height="36">
|
border="0" src="images/leaflogo.gif" width="49" height="36">
|
||||||
|
|
||||||
</a>Jacques Nilo and
|
</a>Jacques Nilo
|
||||||
Eric Wolzak have a LEAF (router/firewall/gateway
|
and Eric Wolzak have a LEAF (router/firewall/gateway
|
||||||
on a floppy, CD or compact flash) distribution called
|
on a floppy, CD or compact flash) distribution
|
||||||
<i>Bering</i> that features Shorewall-1.3.14
|
called <i>Bering</i> that features
|
||||||
and Kernel-2.4.20. You can find their work at:
|
Shorewall-1.3.14 and Kernel-2.4.20. You can find
|
||||||
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
|
their work at: <a
|
||||||
</a></p>
|
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
|
||||||
|
</a></p>
|
||||||
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
|
|
||||||
1.1!!!</b><br>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<p><b>Congratulations to Jacques and Eric on the recent release of
|
||||||
|
Bering 1.1!!! </b><br>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
|
|
||||||
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h2>News</h2>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h2></h2>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img
|
|
||||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
|
||||||
</b></p>
|
|
||||||
|
|
||||||
|
|
||||||
<p></p>
|
<h2>This is a mirror of the main Shorewall web site at SourceForge
|
||||||
Shorewall 1.4 represents the next step in the evolution of Shorewall.
|
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
|
||||||
The main thrust of the initial release is simply to remove the cruft that
|
|
||||||
has accumulated in Shorewall over time.<br>
|
<h2>News</h2>
|
||||||
<br>
|
|
||||||
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
|
<p><b>3/17/2003 - Shorewall 1.4.0 </b><b> </b><b><img
|
||||||
('ip' utility).</b><br>
|
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||||
<br>
|
</b><b> </b></p>
|
||||||
Function from 1.3 that has been omitted from this version include:<br>
|
Shorewall 1.4 represents
|
||||||
|
the next step in the evolution of Shorewall. The main thrust of the
|
||||||
|
initial release is simply to remove the cruft that has accumulated in
|
||||||
|
Shorewall over time. <br>
|
||||||
|
<br>
|
||||||
|
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
|
||||||
|
('ip' utility).</b><br>
|
||||||
|
<br>
|
||||||
|
Function from 1.3 that has been omitted from this version
|
||||||
|
include:<br>
|
||||||
|
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>The MERGE_HOSTS variable in shorewall.conf is
|
<li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
|
||||||
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
|
Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Interface names of the form <device>:<integer>
|
<li>Interface names of the form <device>:<integer>
|
||||||
in /etc/shorewall/interfaces now generate an error.<br>
|
in /etc/shorewall/interfaces now generate an error.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
|
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
|
||||||
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
|
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
|
||||||
of the 'noping' or 'filterping' interface options.<br>
|
of the 'noping' or 'filterping' interface options.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>The 'routestopped' option in the /etc/shorewall/interfaces
|
<li>The 'routestopped' option in the /etc/shorewall/interfaces
|
||||||
and /etc/shorewall/hosts files is no longer supported and will generate
|
and /etc/shorewall/hosts files is no longer supported and will generate
|
||||||
an error at startup if specified.<br>
|
an error at startup if specified.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
|
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
|
||||||
is no longer accepted.<br>
|
longer accepted.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>The ALLOWRELATED variable in shorewall.conf is no longer
|
<li>The ALLOWRELATED variable in shorewall.conf is no longer
|
||||||
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
|
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>The icmp.def file has been removed.<br>
|
<li>The icmp.def file has been removed.<br>
|
||||||
|
</li>
|
||||||
|
|
||||||
|
</ol>
|
||||||
|
Changes for 1.4 include:<br>
|
||||||
|
|
||||||
|
|
||||||
|
<ol>
|
||||||
|
<li>The /etc/shorewall/shorewall.conf file has been completely
|
||||||
|
reorganized into logical sections.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>The firewall script, common functions file and version file
|
||||||
|
are now installed in /usr/share/shorewall.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Late arriving DNS replies are now silently dropped in the
|
||||||
|
common chain by default.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
|
||||||
|
1.4 no longer unconditionally accepts outbound ICMP packets. So if
|
||||||
|
you want to 'ping' from the firewall, you will need the appropriate rule
|
||||||
|
or policy.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>802.11b devices with names of the form wlan<i><n></i>
|
||||||
|
now support the 'maclist' option.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li value="8">Explicit Congestion Notification (ECN - RFC 3168)
|
||||||
|
may now be turned off on a host or network basis using the new /etc/shorewall/ecn
|
||||||
|
file. To use this facility:<br>
|
||||||
|
<br>
|
||||||
|
a) You must be running kernel 2.4.20<br>
|
||||||
|
b) You must have applied the patch in<br>
|
||||||
|
http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
|
||||||
|
c) You must have iptables 1.2.7a installed.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li value="8">The 'multi' interface option is no longer supported.
|
<li>The /etc/shorewall/params file is now processed first so that
|
||||||
Shorewall will generate rules for sending packets back out the same interface
|
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
|
||||||
that they arrived on in two cases:</li>
|
|
||||||
|
|
||||||
</ol>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li>There is an <u>explicit</u> policy for the source zone to
|
|
||||||
or from the destination zone. An explicit policy names both zones and does
|
|
||||||
not use the 'all' reserved word.</li>
|
|
||||||
<li>There are one or more rules for traffic for the source zone
|
|
||||||
to or from the destination zone including rules that use the 'all' reserved
|
|
||||||
word. Exception: if the source zone and destination zone are the same then
|
|
||||||
the rule must be explicit - it must name the zone in both the SOURCE and
|
|
||||||
DESTINATION columns.<br>
|
|
||||||
</li>
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
|
|
||||||
<ol>
|
|
||||||
|
|
||||||
</ol>
|
|
||||||
Changes for 1.4 include:<br>
|
|
||||||
|
|
||||||
<ol>
|
|
||||||
<li>The /etc/shorewall/shorewall.conf file has been completely
|
|
||||||
reorganized into logical sections.<br>
|
|
||||||
<br>
|
|
||||||
</li>
|
|
||||||
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
|
|
||||||
<br>
|
|
||||||
</li>
|
|
||||||
<li>The firewall script and version file are now installed
|
|
||||||
in /usr/share/shorewall.<br>
|
|
||||||
<br>
|
|
||||||
</li>
|
|
||||||
<li>Late arriving DNS replies are now silently dropped in
|
|
||||||
the common chain by default.<br>
|
|
||||||
<br>
|
|
||||||
</li>
|
|
||||||
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
|
|
||||||
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
|
|
||||||
want to 'ping' from the firewall, you will need the appropriate rule or
|
|
||||||
policy.<br>
|
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
|
<li value="10">Shorewall now gives a more helpful diagnostic when
|
||||||
|
the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
|
||||||
|
command is issued.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>802.11b devices with names of the form wlan<i><n></i>
|
<li>The SHARED_DIR variable has been removed from shorewall.conf.
|
||||||
now support the 'maclist' option.<br>
|
This variable was for use by package maintainers and was not documented
|
||||||
|
for general use.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li value="8">Explicit Congestion Notification (ECN - RFC 3168) may
|
<li>Shorewall now ignores 'default' routes when detecting masq'd
|
||||||
now be turned off on a host or network basis using the new /etc/shorewall/ecn
|
networks.<br>
|
||||||
file. To use this facility:<br>
|
</li>
|
||||||
<br>
|
|
||||||
a) You must be running kernel 2.4.20<br>
|
|
||||||
b) You must have applied the patch in<br>
|
|
||||||
http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
|
|
||||||
c) You must have iptables 1.2.7a installed.<br>
|
|
||||||
<br>
|
|
||||||
</li>
|
|
||||||
<li>The /etc/shorewall/params file is now processed first so that
|
|
||||||
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
|
|
||||||
</li>
|
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||||
|
target="_top"></a>
|
||||||
|
<p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b> </b><b><img
|
||||||
|
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||||
|
</b></p>
|
||||||
|
|
||||||
|
<p>A roleup of the following bug fixes and other updates:</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
|
<li>There is an updated rfc1918 file that reflects the resent
|
||||||
|
allocation of 222.0.0.0/8 and 223.0.0.0/8.</li>
|
||||||
|
<li>The documentation for the routestopped file claimed that a
|
||||||
|
comma-separated list could appear in the second column while the code
|
||||||
|
only supported a single host or network address.</li>
|
||||||
|
<li>Log messages produced by 'logunclean' and 'dropunclean' were
|
||||||
|
not rate-limited. 802.11b devices with names of the form <i>wlan</i><n>
|
||||||
|
don't support the 'maclist' interface option.</li>
|
||||||
|
<li>Log messages generated by RFC 1918 filtering are not rate
|
||||||
|
limited.</li>
|
||||||
|
<li>The firewall fails to start in the case
|
||||||
|
where you have "eth0 eth1" in /etc/shorewall/masq and the default route
|
||||||
|
is through eth1.</li>
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
|
|
||||||
|
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
|
||||||
|
|
||||||
|
|
||||||
|
<p>New features include</p>
|
||||||
|
|
||||||
|
|
||||||
|
<ol>
|
||||||
|
<li>An OLD_PING_HANDLING option has been added
|
||||||
|
to shorewall.conf. When set to Yes, Shorewall ping handling is
|
||||||
|
as it has always been (see http://www.shorewall.net/ping.html).<br>
|
||||||
|
<br>
|
||||||
|
When OLD_PING_HANDLING=No, icmp echo (ping) is handled
|
||||||
|
via rules and policies just like any other connection request.
|
||||||
|
The FORWARDPING=Yes option in shorewall.conf and the 'noping' and
|
||||||
|
'filterping' options in /etc/shorewall/interfaces will all generate
|
||||||
|
an error.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>It is now possible to direct Shorewall to create
|
||||||
|
a "label" such as "eth0:0" for IP addresses that it creates under
|
||||||
|
ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
|
||||||
|
the label instead of just the interface name:<br>
|
||||||
|
<br>
|
||||||
|
a) In the INTERFACE column of /etc/shorewall/masq<br>
|
||||||
|
b) In the INTERFACE column of /etc/shorewall/nat<br>
|
||||||
|
</li>
|
||||||
|
<li>Support for OpenVPN Tunnels.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Support for VLAN devices with names of the
|
||||||
|
form $DEV.$VID (e.g., eth0.0)<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>In /etc/shorewall/tcrules, the MARK value may
|
||||||
|
be optionally followed by ":" and either 'F' or 'P' to designate that
|
||||||
|
the marking will occur in the FORWARD or PREROUTING chains respectively.
|
||||||
|
If this additional specification is omitted, the chain used to mark packets
|
||||||
|
will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
|
||||||
|
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>When an interface name is entered in the SUBNET
|
||||||
|
column of the /etc/shorewall/masq file, Shorewall previously masqueraded
|
||||||
|
traffic from only the first subnet defined on that interface. It
|
||||||
|
did not masquerade traffic from:<br>
|
||||||
|
<br>
|
||||||
|
a) The subnets associated with other addresses
|
||||||
|
on the interface.<br>
|
||||||
|
b) Subnets accessed through local routers.<br>
|
||||||
|
<br>
|
||||||
|
Beginning with Shorewall 1.3.14, if you enter an interface
|
||||||
|
name in the SUBNET column, shorewall will use the firewall's routing
|
||||||
|
table to construct the masquerading/SNAT rules.<br>
|
||||||
|
<br>
|
||||||
|
Example 1 -- This is how it works in 1.3.14.<br>
|
||||||
|
<br>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p><b></b><a href="News.htm">More News</a></p>
|
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br></pre>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<pre> [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
|
||||||
|
<br>
|
||||||
|
When upgrading to Shorewall 1.3.14, if you have multiple
|
||||||
|
local subnets connected to an interface that is specified in the
|
||||||
|
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
|
||||||
|
file will need changing. In most cases, you will simply be able to remove
|
||||||
|
redundant entries. In some cases though, you might want to change from
|
||||||
|
using the interface name to listing specific subnetworks if the change
|
||||||
|
described above will cause masquerading to occur on subnetworks that you
|
||||||
|
don't wish to masquerade.<br>
|
||||||
|
<br>
|
||||||
|
Example 2 -- Suppose that your current config is as
|
||||||
|
follows:<br>
|
||||||
|
<br>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||||
|
<br>
|
||||||
|
In this case, the second entry in /etc/shorewall/masq
|
||||||
|
is no longer required.<br>
|
||||||
|
<br>
|
||||||
|
Example 3 -- What if your current configuration is
|
||||||
|
like this?<br>
|
||||||
|
<br>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||||
|
<br>
|
||||||
|
In this case, you would want to change the entry
|
||||||
|
in /etc/shorewall/masq to:<br>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<pre> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||||
|
</li>
|
||||||
|
|
||||||
|
|
||||||
|
</ol>
|
||||||
|
<br>
|
||||||
|
|
||||||
|
|
||||||
|
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
|
||||||
|
</b></p>
|
||||||
|
Webmin version 1.060 now has Shorewall support included
|
||||||
|
as standard. See <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>
|
||||||
|
</b>
|
||||||
|
|
||||||
|
<p><a href="News.htm">More News</a></p>
|
||||||
|
|
||||||
<h2><a name="Donations"></a>Donations</h2>
|
<h2><a name="Donations"></a>Donations</h2>
|
||||||
|
|
||||||
|
|
||||||
</td>
|
</td>
|
||||||
|
|
||||||
<td width="88"
|
<td width="88"
|
||||||
bgcolor="#4b017c" valign="top" align="center"> <a
|
bgcolor="#4b017c" valign="top" align="center"> <a
|
||||||
href="http://sourceforge.net">M</a></td>
|
href="http://sourceforge.net">M</a></td>
|
||||||
|
|
||||||
</tr>
|
</tr>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tbody>
|
</tbody>
|
||||||
|
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
</center>
|
</center>
|
||||||
|
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<table border="0" cellpadding="5" cellspacing="0"
|
<table border="0" cellpadding="5" cellspacing="0"
|
||||||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||||||
bgcolor="#4b017c">
|
bgcolor="#4b017c">
|
||||||
|
|
||||||
<tbody>
|
<tbody>
|
||||||
|
|
||||||
<tr>
|
<tr>
|
||||||
|
|
||||||
<td width="100%"
|
<td width="100%"
|
||||||
style="margin-top: 1px;">
|
style="margin-top: 1px;">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -440,12 +541,12 @@ variables may be used in the /etc/shorewall/shorewall.conf file.<br>
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p align="center"><a href="http://www.starlight.org"> <img
|
<p align="center"><a href="http://www.starlight.org"> <img
|
||||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||||
hspace="10">
|
hspace="10">
|
||||||
|
|
||||||
</a></p>
|
</a></p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -457,33 +558,32 @@ variables may be used in the /etc/shorewall/shorewall.conf file.<br>
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
|
<p align="center"><font size="4" color="#ffffff">Shorewall is free
|
||||||
if you try it and find it useful, please consider making a donation
|
but if you try it and find it useful, please consider making a donation
|
||||||
to <a
|
to <a
|
||||||
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
|
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||||
Foundation.</font></a> Thanks!</font></p>
|
Children's Foundation.</font></a> Thanks!</font></p>
|
||||||
|
|
||||||
</td>
|
</td>
|
||||||
|
|
||||||
</tr>
|
</tr>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tbody>
|
</tbody>
|
||||||
|
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font>
|
<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
</p>
|
</p>
|
||||||
<br>
|
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
@ -2,313 +2,320 @@
|
|||||||
<html>
|
<html>
|
||||||
<head>
|
<head>
|
||||||
|
|
||||||
|
|
||||||
<meta http-equiv="Content-Language" content="en-us">
|
<meta http-equiv="Content-Language" content="en-us">
|
||||||
|
|
||||||
|
|
||||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||||
|
|
||||||
|
|
||||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||||
|
|
||||||
|
|
||||||
<meta http-equiv="Content-Type"
|
<meta http-equiv="Content-Type"
|
||||||
content="text/html; charset=windows-1252">
|
content="text/html; charset=windows-1252">
|
||||||
<title>Shorewall QuickStart Guide</title>
|
<title>Shorewall QuickStart Guide</title>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<meta name="Microsoft Theme" content="none">
|
<meta name="Microsoft Theme" content="none">
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
|
|
||||||
<table border="0" cellpadding="0" cellspacing="0"
|
<table border="0" cellpadding="0" cellspacing="0"
|
||||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||||
bgcolor="#400169" height="90">
|
bgcolor="#400169" height="90">
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td width="100%">
|
<td width="100%">
|
||||||
|
|
||||||
|
|
||||||
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
|
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
|
||||||
(HOWTO's)<br>
|
(HOWTO's)<br>
|
||||||
Version 4.0</font></h1>
|
Version 4.0</font></h1>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
||||||
|
|
||||||
</tbody>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<p align="center">With thanks to Richard who reminded me once again that we
|
|
||||||
must all first walk before we can run.<br>
|
|
||||||
The French Translations are courtesy of Patrice Vetsel<br>
|
|
||||||
</p>
|
|
||||||
|
|
||||||
<h2>The Guides</h2>
|
|
||||||
|
|
||||||
<p>These guides provide step-by-step instructions for configuring Shorewall
|
|
||||||
in common firewall setups.</p>
|
|
||||||
|
|
||||||
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li><a href="standalone.htm">Standalone</a> Linux
|
|
||||||
System (<a href="standalone_fr.html">Version Française</a>)</li>
|
|
||||||
<li><a href="two-interface.htm">Two-interface</a>
|
|
||||||
Linux System acting as a firewall/router for a small local network
|
|
||||||
(<a href="two-interface_fr.html">Version Française</a>)</li>
|
|
||||||
<li><a href="three-interface.htm">Three-interface</a>
|
|
||||||
Linux System acting as a firewall/router for a small local network
|
|
||||||
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
|
|
||||||
<p>The above guides are designed to get your first firewall up and running
|
|
||||||
quickly in the three most common Shorewall configurations.</p>
|
|
||||||
|
|
||||||
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
|
|
||||||
the steps necessary to set up a firewall where <b>there are multiple
|
|
||||||
public IP addresses involved or if you want to learn more about
|
|
||||||
Shorewall than is explained in the single-address guides above.</b></p>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li><a
|
|
||||||
href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
|
|
||||||
<li><a href="shorewall_setup_guide.htm#Concepts">2.0
|
|
||||||
Shorewall Concepts</a></li>
|
|
||||||
<li><a
|
|
||||||
href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
|
|
||||||
<li><a
|
|
||||||
href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
|
|
||||||
and Routing</a>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li><a
|
|
||||||
href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
|
|
||||||
<li><a
|
|
||||||
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
|
|
||||||
<li><a
|
|
||||||
href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
|
|
||||||
<li><a href="shorewall_setup_guide.htm#ARP">4.4
|
|
||||||
Address Resolution Protocol</a></li>
|
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li><a
|
|
||||||
href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
|
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
</li>
|
|
||||||
<li><a href="shorewall_setup_guide.htm#Options">5.0
|
|
||||||
Setting up your Network</a>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li><a href="shorewall_setup_guide.htm#Routed">5.1
|
|
||||||
Routed</a></li>
|
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li><a
|
|
||||||
href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
|
|
||||||
SNAT</a></li>
|
|
||||||
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
|
|
||||||
DNAT</a></li>
|
|
||||||
<li><a
|
|
||||||
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
|
|
||||||
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
|
|
||||||
Static NAT</a></li>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
</li>
|
|
||||||
<li><a href="shorewall_setup_guide.htm#Rules">5.3
|
|
||||||
Rules</a></li>
|
|
||||||
<li><a
|
|
||||||
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
|
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
</li>
|
|
||||||
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
|
|
||||||
<li><a
|
|
||||||
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
|
|
||||||
Stopping the Firewall</a></li>
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
|
|
||||||
<h2><a name="Documentation"></a>Documentation Index</h2>
|
|
||||||
|
|
||||||
<p>The following documentation covers a variety of topics and <b>supplements
|
|
||||||
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
|
|
||||||
described above</b>. Please review the appropriate guide before trying
|
|
||||||
to use this documentation directly.</p>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li><a
|
|
||||||
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
|
|
||||||
(e.g., eth0:0)</a><br>
|
|
||||||
</li>
|
|
||||||
<li><a href="blacklisting_support.htm">Blacklisting</a>
|
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
|
|
||||||
<li>Dynamic Blacklisting using /sbin/shorewall</li>
|
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
</li>
|
|
||||||
<li><a href="configuration_file_basics.htm">Common
|
|
||||||
configuration file features</a>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li><a
|
|
||||||
href="configuration_file_basics.htm#Comments">Comments in configuration
|
|
||||||
files</a></li>
|
|
||||||
<li><a
|
|
||||||
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
|
|
||||||
<li><a
|
|
||||||
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
|
|
||||||
<li><a
|
|
||||||
href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
|
|
||||||
<li><a
|
|
||||||
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
|
|
||||||
<li><a
|
|
||||||
href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br>
|
|
||||||
</li>
|
|
||||||
<li><a
|
|
||||||
href="configuration_file_basics.htm#Compliment">Complementing an IP address
|
|
||||||
or Subnet</a></li>
|
|
||||||
<li><a
|
|
||||||
href="configuration_file_basics.htm#Configs">Shorewall Configurations
|
|
||||||
(making a test configuration)</a></li>
|
|
||||||
<li><a
|
|
||||||
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
|
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
</li>
|
|
||||||
<li><a href="Documentation.htm">Configuration File
|
|
||||||
Reference Manual</a>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li> <a href="Documentation.htm#Variables">params</a></li>
|
|
||||||
<li><font color="#000099"><a
|
|
||||||
href="Documentation.htm#Zones">zones</a></font></li>
|
|
||||||
<li><font color="#000099"><a
|
|
||||||
href="Documentation.htm#Interfaces">interfaces</a></font></li>
|
|
||||||
<li><font color="#000099"><a
|
|
||||||
href="Documentation.htm#Hosts">hosts</a></font></li>
|
|
||||||
<li><font color="#000099"><a
|
|
||||||
href="Documentation.htm#Policy">policy</a></font></li>
|
|
||||||
<li><font color="#000099"><a
|
|
||||||
href="Documentation.htm#Rules">rules</a></font></li>
|
|
||||||
<li><a href="Documentation.htm#Common">common</a></li>
|
|
||||||
<li><font color="#000099"><a
|
|
||||||
href="Documentation.htm#Masq">masq</a></font></li>
|
|
||||||
<li><font color="#000099"><a
|
|
||||||
href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
|
|
||||||
<li><font color="#000099"><a
|
|
||||||
href="Documentation.htm#NAT">nat</a></font></li>
|
|
||||||
<li><font color="#000099"><a
|
|
||||||
href="Documentation.htm#Tunnels">tunnels</a></font></li>
|
|
||||||
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
|
|
||||||
<li><font color="#000099"><a
|
|
||||||
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
|
|
||||||
<li><a href="Documentation.htm#modules">modules</a></li>
|
|
||||||
<li><a href="Documentation.htm#TOS">tos</a> </li>
|
|
||||||
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
|
|
||||||
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
|
|
||||||
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
|
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
</li>
|
|
||||||
<li><a href="dhcp.htm">DHCP</a></li>
|
|
||||||
<li><font color="#000099"><a
|
|
||||||
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
|
|
||||||
(How to extend Shorewall without modifying Shorewall code)</li>
|
|
||||||
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
|
|
||||||
<li><a href="shorewall_firewall_structure.htm">Firewall
|
|
||||||
Structure</a></li>
|
|
||||||
<li><font color="#000099"><a href="kernel.htm">Kernel
|
|
||||||
Configuration</a></font></li>
|
|
||||||
<li><a href="shorewall_logging.html">Logging</a><br>
|
|
||||||
</li>
|
|
||||||
<li><a href="MAC_Validation.html">MAC Verification</a><br>
|
|
||||||
</li>
|
|
||||||
<li><a href="myfiles.htm">My Shorewall Configuration
|
|
||||||
(How I personally use Shorewall)</a><br>
|
|
||||||
</li>
|
|
||||||
<li><a href="ping.html">'Ping' Management</a><br>
|
|
||||||
</li>
|
|
||||||
<li><a href="ports.htm">Port Information</a>
|
|
||||||
|
|
||||||
|
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
<p align="center">With thanks to Richard who reminded me once again that
|
||||||
|
we must all first walk before we can run.<br>
|
||||||
|
The French Translations are courtesy of Patrice Vetsel<br>
|
||||||
|
</p>
|
||||||
|
|
||||||
|
<h2>The Guides</h2>
|
||||||
|
|
||||||
|
<p>These guides provide step-by-step instructions for configuring Shorewall
|
||||||
|
in common firewall setups.</p>
|
||||||
|
|
||||||
|
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li><a href="standalone.htm">Standalone</a> Linux
|
||||||
|
System (<a href="standalone_fr.html">Version Française</a>)</li>
|
||||||
|
<li><a href="two-interface.htm">Two-interface</a>
|
||||||
|
Linux System acting as a firewall/router for a small local network
|
||||||
|
(<a href="two-interface_fr.html">Version Française</a>)</li>
|
||||||
|
<li><a href="three-interface.htm">Three-interface</a>
|
||||||
|
Linux System acting as a firewall/router for a small local network
|
||||||
|
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
|
||||||
|
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<p>The above guides are designed to get your first firewall up and running
|
||||||
|
quickly in the three most common Shorewall configurations.</p>
|
||||||
|
|
||||||
|
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
|
||||||
|
the steps necessary to set up a firewall where <b>there are multiple
|
||||||
|
public IP addresses involved or if you want to learn more about
|
||||||
|
Shorewall than is explained in the single-address guides above.</b></p>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li><a
|
||||||
|
href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
|
||||||
|
<li><a
|
||||||
|
href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
|
||||||
|
<li><a
|
||||||
|
href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
|
||||||
|
<li><a
|
||||||
|
href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
|
||||||
|
and Routing</a>
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>Which applications use which ports</li>
|
<li><a
|
||||||
<li>Ports used by Trojans</li>
|
href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
|
||||||
|
<li><a
|
||||||
|
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
|
||||||
|
<li><a
|
||||||
|
href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
|
||||||
|
<li><a href="shorewall_setup_guide.htm#ARP">4.4
|
||||||
|
Address Resolution Protocol</a></li>
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
|
||||||
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
|
|
||||||
<li><a href="samba.htm">Samba</a></li>
|
|
||||||
<li><font color="#000099"><a
|
|
||||||
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li>Description of all /sbin/shorewall commands</li>
|
|
||||||
<li>How to safely test a Shorewall configuration change<br>
|
|
||||||
</li>
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
<li><font color="#000099"><a href="NAT.htm">Static
|
|
||||||
NAT</a></font></li>
|
|
||||||
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
|
|
||||||
with Shorewall</a><br>
|
|
||||||
</li>
|
|
||||||
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
|
|
||||||
<li>VPN
|
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li><a href="IPSEC.htm">IPSEC</a></li>
|
<li><a
|
||||||
<li><a href="IPIP.htm">GRE and IPIP</a></li>
|
href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
|
||||||
<li><a href="OPENVPN.html">OpenVPN</a><br>
|
|
||||||
</li>
|
|
||||||
<li><a href="PPTP.htm">PPTP</a></li>
|
</ul>
|
||||||
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system
|
</li>
|
||||||
|
<li><a href="shorewall_setup_guide.htm#Options">5.0
|
||||||
|
Setting up your Network</a>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li><a
|
||||||
|
href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
|
||||||
|
|
||||||
|
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li><a
|
||||||
|
href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li><a
|
||||||
|
href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
|
||||||
|
<li><a
|
||||||
|
href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
|
||||||
|
<li><a
|
||||||
|
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
|
||||||
|
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
|
||||||
|
Static NAT</a></li>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="shorewall_setup_guide.htm#Rules">5.3
|
||||||
|
Rules</a></li>
|
||||||
|
<li><a
|
||||||
|
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
|
||||||
|
|
||||||
|
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="shorewall_setup_guide.htm#DNS">6.0
|
||||||
|
DNS</a></li>
|
||||||
|
<li><a
|
||||||
|
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
|
||||||
|
Stopping the Firewall</a></li>
|
||||||
|
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<h2><a name="Documentation"></a>Documentation Index</h2>
|
||||||
|
|
||||||
|
<p>The following documentation covers a variety of topics and <b>supplements
|
||||||
|
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
|
||||||
|
described above</b>. Please review the appropriate guide before
|
||||||
|
trying to use this documentation directly.</p>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li><a
|
||||||
|
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
|
||||||
|
(e.g., eth0:0)</a><br>
|
||||||
|
</li>
|
||||||
|
<li><a href="blacklisting_support.htm">Blacklisting</a>
|
||||||
|
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
|
||||||
|
<li>Dynamic Blacklisting using /sbin/shorewall</li>
|
||||||
|
|
||||||
|
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="configuration_file_basics.htm">Common
|
||||||
|
configuration file features</a>
|
||||||
|
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li><a
|
||||||
|
href="configuration_file_basics.htm#Comments">Comments in configuration
|
||||||
|
files</a></li>
|
||||||
|
<li><a
|
||||||
|
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
|
||||||
|
<li><a
|
||||||
|
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
|
||||||
|
<li><a
|
||||||
|
href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
|
||||||
|
<li><a
|
||||||
|
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
|
||||||
|
<li><a
|
||||||
|
href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br>
|
||||||
|
</li>
|
||||||
|
<li><a
|
||||||
|
href="configuration_file_basics.htm#Compliment">Complementing an IP address
|
||||||
|
or Subnet</a></li>
|
||||||
|
<li><a
|
||||||
|
href="configuration_file_basics.htm#Configs">Shorewall Configurations (making
|
||||||
|
a test configuration)</a></li>
|
||||||
|
<li><a
|
||||||
|
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="Documentation.htm">Configuration File
|
||||||
|
Reference Manual</a>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li> <a href="Documentation.htm#Variables">params</a></li>
|
||||||
|
<li><font color="#000099"><a
|
||||||
|
href="Documentation.htm#Zones">zones</a></font></li>
|
||||||
|
<li><font color="#000099"><a
|
||||||
|
href="Documentation.htm#Interfaces">interfaces</a></font></li>
|
||||||
|
<li><font color="#000099"><a
|
||||||
|
href="Documentation.htm#Hosts">hosts</a></font></li>
|
||||||
|
<li><font color="#000099"><a
|
||||||
|
href="Documentation.htm#Policy">policy</a></font></li>
|
||||||
|
<li><font color="#000099"><a
|
||||||
|
href="Documentation.htm#Rules">rules</a></font></li>
|
||||||
|
<li><a href="Documentation.htm#Common">common</a></li>
|
||||||
|
<li><font color="#000099"><a
|
||||||
|
href="Documentation.htm#Masq">masq</a></font></li>
|
||||||
|
<li><font color="#000099"><a
|
||||||
|
href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
|
||||||
|
<li><font color="#000099"><a
|
||||||
|
href="Documentation.htm#NAT">nat</a></font></li>
|
||||||
|
<li><font color="#000099"><a
|
||||||
|
href="Documentation.htm#Tunnels">tunnels</a></font></li>
|
||||||
|
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
|
||||||
|
<li><font color="#000099"><a
|
||||||
|
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
|
||||||
|
<li><a href="Documentation.htm#modules">modules</a></li>
|
||||||
|
<li><a href="Documentation.htm#TOS">tos</a> </li>
|
||||||
|
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
|
||||||
|
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
|
||||||
|
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
|
||||||
|
|
||||||
|
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="dhcp.htm">DHCP</a></li>
|
||||||
|
<li><font color="#000099"><a
|
||||||
|
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How
|
||||||
|
to extend Shorewall without modifying Shorewall code through the use of
|
||||||
|
files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
|
||||||
|
etc.)</li>
|
||||||
|
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
|
||||||
|
<li><a href="shorewall_firewall_structure.htm">Firewall
|
||||||
|
Structure</a></li>
|
||||||
|
<li><font color="#000099"><a href="kernel.htm">Kernel
|
||||||
|
Configuration</a></font></li>
|
||||||
|
<li><a href="shorewall_logging.html">Logging</a><br>
|
||||||
|
</li>
|
||||||
|
<li><a href="MAC_Validation.html">MAC Verification</a><br>
|
||||||
|
</li>
|
||||||
|
<li><a href="myfiles.htm">My Shorewall Configuration
|
||||||
|
(How I personally use Shorewall)</a><br>
|
||||||
|
</li>
|
||||||
|
<li><a href="ping.html">'Ping' Management</a><br>
|
||||||
|
</li>
|
||||||
|
<li><a href="ports.htm">Port Information</a>
|
||||||
|
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li>Which applications use which ports</li>
|
||||||
|
<li>Ports used by Trojans</li>
|
||||||
|
|
||||||
|
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
|
||||||
|
<li><a href="samba.htm">Samba</a></li>
|
||||||
|
<li><font color="#000099"><a
|
||||||
|
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li>Description of all /sbin/shorewall commands</li>
|
||||||
|
<li>How to safely test a Shorewall configuration change<br>
|
||||||
|
</li>
|
||||||
|
|
||||||
|
</ul>
|
||||||
|
<li><font color="#000099"><a href="NAT.htm">Static
|
||||||
|
NAT</a></font></li>
|
||||||
|
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent
|
||||||
|
Proxy with Shorewall</a><br>
|
||||||
|
</li>
|
||||||
|
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
|
||||||
|
<li>VPN
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li><a href="IPSEC.htm">IPSEC</a></li>
|
||||||
|
<li><a href="IPIP.htm">GRE and IPIP</a></li>
|
||||||
|
<li><a href="OPENVPN.html">OpenVPN</a><br>
|
||||||
|
</li>
|
||||||
|
<li><a href="PPTP.htm">PPTP</a></li>
|
||||||
|
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system
|
||||||
behind your firewall to a remote network.</li>
|
behind your firewall to a remote network.</li>
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li><a href="whitelisting_under_shorewall.htm">White
|
<li><a href="whitelisting_under_shorewall.htm">White
|
||||||
List Creation</a></li>
|
List Creation</a></li>
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
<p>If you use one of these guides and have a suggestion for improvement <a
|
<p>If you use one of these guides and have a suggestion for improvement <a
|
||||||
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
|
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
|
||||||
|
|
||||||
<p><font size="2">Last modified 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
<p><font size="2">Last modified 3/12/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||||
|
|
||||||
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
|
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
|
||||||
Eastep</font></a><br>
|
Eastep</font></a><br>
|
||||||
</p>
|
</p>
|
||||||
|
<br>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
@ -7,34 +7,33 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<meta http-equiv="Content-Type"
|
<meta http-equiv="Content-Type"
|
||||||
content="text/html; charset=windows-1252">
|
content="text/html; charset=windows-1252">
|
||||||
<title>Shoreline Firewall (Shorewall) 1.4</title>
|
<title>Shoreline Firewall (Shorewall) 1.3</title>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<base target="_self">
|
<base target="_self">
|
||||||
<meta name="author" content="Tom Eastep">
|
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<table border="0" cellpadding="0" cellspacing="4"
|
<table border="0" cellpadding="0" cellspacing="4"
|
||||||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||||||
bgcolor="#4b017c">
|
bgcolor="#4b017c">
|
||||||
|
|
||||||
<tbody>
|
<tbody>
|
||||||
|
|
||||||
<tr>
|
<tr>
|
||||||
|
|
||||||
<td width="100%"
|
<td width="100%"
|
||||||
height="90">
|
height="90">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -44,15 +43,15 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h1 align="center"> <font size="4"><i> <a
|
<h1 align="center"> <font size="4"><i> <a
|
||||||
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
|
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
|
||||||
alt="Shorwall Logo" height="70" width="85" align="left"
|
alt="Shorwall Logo" height="70" width="85" align="left"
|
||||||
src="images/washington.jpg" border="0">
|
src="images/washington.jpg" border="0">
|
||||||
|
|
||||||
</a></i></font><font
|
</a></i></font><font
|
||||||
color="#ffffff">Shorewall 1.4 - <font size="4">"<i>iptables
|
color="#ffffff">Shorewall 1.4 - <font
|
||||||
made easy"</i></font></font><a
|
size="4">"<i>iptables made easy"</i></font></font><a
|
||||||
href="http://www.sf.net"> </a></h1>
|
href="http://www.sf.net"> </a></h1>
|
||||||
|
|
||||||
|
|
||||||
@ -64,35 +63,37 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<div align="center"><a href="/1.3/index.html" target="_top"><font
|
<div align="center"><a href="/1.3/index.html" target="_top"><font
|
||||||
color="#ffffff">Shorewall 1.3 Site here</font></a></div>
|
color="#ffffff">Shorewall 1.3 Site here</font></a></div>
|
||||||
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tbody>
|
|
||||||
|
</tbody>
|
||||||
|
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<div align="center">
|
<div align="center">
|
||||||
|
|
||||||
<center>
|
<center>
|
||||||
|
|
||||||
<table border="0" cellpadding="0" cellspacing="0"
|
<table border="0" cellpadding="0" cellspacing="0"
|
||||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||||||
|
|
||||||
<tbody>
|
<tbody>
|
||||||
|
|
||||||
<tr>
|
<tr>
|
||||||
|
|
||||||
<td width="90%">
|
<td width="90%">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -103,7 +104,8 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h2 align="left">What is it?</h2>
|
<h2 align="left">What is it?</h2>
|
||||||
|
|
||||||
|
|
||||||
@ -117,12 +119,12 @@
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||||
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
|
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
|
||||||
based firewall that can be used on a dedicated firewall system,
|
based firewall that can be used on a dedicated firewall system,
|
||||||
a multi-function gateway/router/server or on a standalone
|
a multi-function gateway/router/server or on a standalone
|
||||||
GNU/Linux system.</p>
|
GNU/Linux system.</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -135,29 +137,29 @@ GNU/Linux system.</p>
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p>This program is free software; you can redistribute it and/or modify
|
<p>This program is free software; you can redistribute it and/or modify
|
||||||
it under the
|
it under the
|
||||||
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
||||||
2 of the GNU General Public License</a> as published by the Free
|
2 of the GNU General Public License</a> as published by the Free Software
|
||||||
Software Foundation.<br>
|
Foundation.<br>
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
This program is distributed
|
This program is distributed
|
||||||
in the hope that it will be useful, but
|
in the hope that it will be useful, but
|
||||||
WITHOUT ANY WARRANTY; without even the implied
|
WITHOUT ANY WARRANTY; without even the implied
|
||||||
warranty of MERCHANTABILITY or FITNESS FOR
|
warranty of MERCHANTABILITY or FITNESS FOR
|
||||||
A PARTICULAR PURPOSE. See the GNU General Public License
|
A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
for more details.<br>
|
for more details.<br>
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
You should have received
|
You should have received
|
||||||
a copy of the GNU General Public License
|
a copy of the GNU General Public License
|
||||||
along with this program; if not, write
|
along with this program; if not, write
|
||||||
to the Free Software Foundation, Inc., 675
|
to the Free Software Foundation, Inc., 675
|
||||||
Mass Ave, Cambridge, MA 02139, USA</p>
|
Mass Ave, Cambridge, MA 02139, USA</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -170,7 +172,7 @@ to the Free Software Foundation, Inc., 675
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
|
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
|
||||||
|
|
||||||
|
|
||||||
@ -184,25 +186,26 @@ to the Free Software Foundation, Inc., 675
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
||||||
border="0" src="images/leaflogo.gif" width="49" height="36">
|
border="0" src="images/leaflogo.gif" width="49" height="36">
|
||||||
|
|
||||||
</a>Jacques Nilo
|
</a>Jacques
|
||||||
and Eric Wolzak have a LEAF (router/firewall/gateway
|
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
|
||||||
on a floppy, CD or compact flash) distribution
|
on a floppy, CD or compact flash) distribution
|
||||||
called <i>Bering</i> that features
|
called <i>Bering</i> that features
|
||||||
Shorewall-1.3.14 and Kernel-2.4.20. You can find
|
Shorewall-1.3.14 and Kernel-2.4.20. You can find
|
||||||
their work at: <a
|
their work at: <a
|
||||||
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
|
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
|
||||||
<b>
|
<b>Congratulations
|
||||||
</b>
|
to Jacques and Eric on the recent release of Bering
|
||||||
|
1.1!!! <br>
|
||||||
|
</b>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<b>Congratulations to Jacques and
|
|
||||||
Eric on the recent release of Bering 1.1!!!</b><br>
|
|
||||||
|
|
||||||
<h2>News</h2>
|
<h2>News</h2>
|
||||||
|
|
||||||
|
|
||||||
@ -218,128 +221,267 @@ Eric on the recent release of Bering 1.1!!!</b><br>
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img
|
<p><b>3/17/2003 - Shorewall 1.4.0 </b><b> </b><b><img
|
||||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||||
</b></p>
|
</b><b> </b></p>
|
||||||
Shorewall 1.4 represents
|
Shorewall 1.4 represents
|
||||||
the next step in the evolution of Shorewall. The main thrust of the initial
|
the next step in the evolution of Shorewall. The main thrust of the
|
||||||
release is simply to remove the cruft that has accumulated in Shorewall
|
initial release is simply to remove the cruft that has accumulated in
|
||||||
over time. <br>
|
Shorewall over time. <br>
|
||||||
<br>
|
<br>
|
||||||
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
|
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
|
||||||
('ip' utility).</b><br>
|
('ip' utility).</b><br>
|
||||||
<br>
|
<br>
|
||||||
Function from 1.3 that has been omitted from this version include:<br>
|
Function from 1.3 that has been omitted from this version
|
||||||
|
include:<br>
|
||||||
|
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>The MERGE_HOSTS variable in shorewall.conf is
|
<li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
|
||||||
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
|
Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Interface names of the form <device>:<integer>
|
<li>Interface names of the form <device>:<integer>
|
||||||
in /etc/shorewall/interfaces now generate an error.<br>
|
in /etc/shorewall/interfaces now generate an error.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
|
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
|
||||||
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
|
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
|
||||||
of the 'noping' or 'filterping' interface options.<br>
|
of the 'noping' or 'filterping' interface options.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>The 'routestopped' option in the /etc/shorewall/interfaces
|
<li>The 'routestopped' option in the /etc/shorewall/interfaces
|
||||||
and /etc/shorewall/hosts files is no longer supported and will generate
|
and /etc/shorewall/hosts files is no longer supported and will generate
|
||||||
an error at startup if specified.<br>
|
an error at startup if specified.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
|
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
|
||||||
no longer accepted.<br>
|
longer accepted.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>The ALLOWRELATED variable in shorewall.conf is no longer
|
<li>The ALLOWRELATED variable in shorewall.conf is no longer supported.
|
||||||
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
|
Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>The icmp.def file has been removed.<br>
|
<li>The icmp.def file has been removed.<br>
|
||||||
<br>
|
</li>
|
||||||
</li>
|
|
||||||
<li value="8">The 'multi' interface option is no longer supported.
|
|
||||||
Shorewall will generate rules for sending packets back out the same interface
|
|
||||||
that they arrived on in two cases:</li>
|
|
||||||
|
|
||||||
</ol>
|
</ol>
|
||||||
|
Changes for 1.4 include:<br>
|
||||||
<ul>
|
|
||||||
<li>There is an <u>explicit</u> policy for the source zone to
|
|
||||||
or from the destination zone. An explicit policy names both zones and does
|
|
||||||
not use the 'all' reserved word.</li>
|
|
||||||
<li>There are one or more rules for traffic for the source zone
|
|
||||||
to or from the destination zone including rules that use the 'all' reserved
|
|
||||||
word. Exception: if the source zone and destination zone are the same then
|
|
||||||
the rule must be explicit - it must name the zone in both the SOURCE and
|
|
||||||
DESTINATION columns.</li>
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
Changes for 1.4 include:<br>
|
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>The /etc/shorewall/shorewall.conf file has been completely
|
<li>The /etc/shorewall/shorewall.conf file has been completely
|
||||||
reorganized into logical sections.<br>
|
reorganized into logical sections.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>LOG and CONTINUE are now a valid actions for a rule (/etc/shorewall/rules).<br>
|
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>The firewall script and version file are now installed
|
<li>The firewall script, common functions file and version file
|
||||||
in /usr/share/shorewall.<br>
|
are now installed in /usr/share/shorewall.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>Late arriving DNS replies are now silently dropped in
|
<li>Late arriving DNS replies are now silently dropped in the
|
||||||
the common chain by default.<br>
|
common chain by default.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
|
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
|
||||||
1.4 no longer unconditionally accepts outbound ICMP packets. So if you want
|
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
|
||||||
to 'ping' from the firewall, you will need the appropriate rule or policy.<br>
|
want to 'ping' from the firewall, you will need the appropriate rule or
|
||||||
<br>
|
policy.<br>
|
||||||
</li>
|
<br>
|
||||||
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
|
</li>
|
||||||
<br>
|
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
|
||||||
</li>
|
<br>
|
||||||
|
</li>
|
||||||
<li>802.11b devices with names of the form wlan<i><n></i>
|
<li>802.11b devices with names of the form wlan<i><n></i>
|
||||||
now support the 'maclist' option.<br>
|
now support the 'maclist' option.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li value="8">Explicit Congestion Notification (ECN - RFC 3168) may
|
<li value="8">Explicit Congestion Notification (ECN - RFC 3168)
|
||||||
now be turned off on a host or network basis using the new /etc/shorewall/ecn
|
may now be turned off on a host or network basis using the new /etc/shorewall/ecn
|
||||||
file. To use this facility:<br>
|
file. To use this facility:<br>
|
||||||
<br>
|
<br>
|
||||||
a) You must be running kernel 2.4.20<br>
|
a) You must be running kernel 2.4.20<br>
|
||||||
b) You must have applied the patch in<br>
|
b) You must have applied the patch in<br>
|
||||||
http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
|
http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
|
||||||
c) You must have iptables 1.2.7a installed.<br>
|
c) You must have iptables 1.2.7a installed.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>The /etc/shorewall/params file is now processed first so that
|
<li>The /etc/shorewall/params file is now processed first so that
|
||||||
variables may be used in the /etc/shorewall/shorewall.conf file.</li>
|
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li value="10">Shorewall now gives a more helpful diagnostic when
|
||||||
|
the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
|
||||||
|
command is issued.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>The SHARED_DIR variable has been removed from shorewall.conf.
|
||||||
|
This variable was for use by package maintainers and was not documented
|
||||||
|
for general use.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Shorewall now ignores 'default' routes when detecting masq'd
|
||||||
|
networks.<br>
|
||||||
|
</li>
|
||||||
</ol>
|
</ol>
|
||||||
|
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top"></a>
|
||||||
|
<p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b> </b><b><img
|
||||||
<p></p>
|
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||||
<b> </b>
|
</b></p>
|
||||||
|
|
||||||
|
<p>A roleup of the following bug fixes and other updates:</p>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li>There is an updated rfc1918 file that reflects the resent
|
||||||
|
allocation of 222.0.0.0/8 and 223.0.0.0/8. </li>
|
||||||
|
<li>The documentation for the routestopped file claimed that a comma-separated
|
||||||
|
list could appear in the second column while the code only supported a
|
||||||
|
single host or network address. </li>
|
||||||
|
<li>Log messages produced by 'logunclean' and 'dropunclean' were
|
||||||
|
not rate-limited. </li>
|
||||||
|
<li>802.11b devices with names of the form <i>wlan</i><n>
|
||||||
|
don't support the 'maclist' interface option. </li>
|
||||||
|
<li>Log messages generated by RFC 1918 filtering are not rate limited. </li>
|
||||||
|
<li>The firewall fails to start in the case where you have "eth0
|
||||||
|
eth1" in /etc/shorewall/masq and the default route is through eth1
|
||||||
|
</li>
|
||||||
|
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
|
||||||
|
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
|
||||||
|
|
||||||
|
|
||||||
|
<p>New features include</p>
|
||||||
|
|
||||||
|
|
||||||
|
<ol>
|
||||||
|
<li>An OLD_PING_HANDLING option has been added to shorewall.conf.
|
||||||
|
When set to Yes, Shorewall ping handling is as it has always been
|
||||||
|
(see http://www.shorewall.net/ping.html).<br>
|
||||||
|
<br>
|
||||||
|
When OLD_PING_HANDLING=No, icmp echo (ping) is handled
|
||||||
|
via rules and policies just like any other connection request. The
|
||||||
|
FORWARDPING=Yes option in shorewall.conf and the 'noping' and 'filterping'
|
||||||
|
options in /etc/shorewall/interfaces will all generate an error.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>It is now possible to direct Shorewall to create
|
||||||
|
a "label" such as "eth0:0" for IP addresses that it creates under
|
||||||
|
ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
|
||||||
|
the label instead of just the interface name:<br>
|
||||||
|
<br>
|
||||||
|
a) In the INTERFACE column of /etc/shorewall/masq<br>
|
||||||
|
b) In the INTERFACE column of /etc/shorewall/nat<br>
|
||||||
|
</li>
|
||||||
|
<li>Support for OpenVPN Tunnels.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Support for VLAN devices with names of the form
|
||||||
|
$DEV.$VID (e.g., eth0.0)<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>In /etc/shorewall/tcrules, the MARK value may be
|
||||||
|
optionally followed by ":" and either 'F' or 'P' to designate that the
|
||||||
|
marking will occur in the FORWARD or PREROUTING chains respectively.
|
||||||
|
If this additional specification is omitted, the chain used to mark packets
|
||||||
|
will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
|
||||||
|
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>When an interface name is entered in the SUBNET
|
||||||
|
column of the /etc/shorewall/masq file, Shorewall previously masqueraded
|
||||||
|
traffic from only the first subnet defined on that interface. It
|
||||||
|
did not masquerade traffic from:<br>
|
||||||
|
<br>
|
||||||
|
a) The subnets associated with other addresses on the
|
||||||
|
interface.<br>
|
||||||
|
b) Subnets accessed through local routers.<br>
|
||||||
|
<br>
|
||||||
|
Beginning with Shorewall 1.3.14, if you enter an interface
|
||||||
|
name in the SUBNET column, shorewall will use the firewall's routing
|
||||||
|
table to construct the masquerading/SNAT rules.<br>
|
||||||
|
<br>
|
||||||
|
Example 1 -- This is how it works in 1.3.14.<br>
|
||||||
|
<br>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br></pre>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<pre> [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
|
||||||
|
<br>
|
||||||
|
When upgrading to Shorewall 1.3.14, if you have multiple
|
||||||
|
local subnets connected to an interface that is specified in the
|
||||||
|
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
|
||||||
|
file will need changing. In most cases, you will simply be able to remove
|
||||||
|
redundant entries. In some cases though, you might want to change from
|
||||||
|
using the interface name to listing specific subnetworks if the change described
|
||||||
|
above will cause masquerading to occur on subnetworks that you don't wish
|
||||||
|
to masquerade.<br>
|
||||||
|
<br>
|
||||||
|
Example 2 -- Suppose that your current config is as follows:<br>
|
||||||
|
<br>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||||
|
<br>
|
||||||
|
In this case, the second entry in /etc/shorewall/masq
|
||||||
|
is no longer required.<br>
|
||||||
|
<br>
|
||||||
|
Example 3 -- What if your current configuration is like
|
||||||
|
this?<br>
|
||||||
|
<br>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||||
|
<br>
|
||||||
|
In this case, you would want to change the entry in
|
||||||
|
/etc/shorewall/masq to:<br>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<pre> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||||
|
</li>
|
||||||
|
|
||||||
|
|
||||||
|
</ol>
|
||||||
|
|
||||||
|
|
||||||
|
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
|
||||||
|
</b></p>
|
||||||
|
Webmin version 1.060 now has Shorewall support included
|
||||||
|
as standard. See <a href="http://www.webmin.com">http://www.webmin.com</a>
|
||||||
|
<b> </b>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
|
|
||||||
|
|
||||||
@ -348,7 +490,8 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
|
|
||||||
@ -357,8 +500,8 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p><a href="News.htm">More News</a></p>
|
<p><a href="News.htm">More News</a></p>
|
||||||
|
|
||||||
|
|
||||||
@ -372,7 +515,7 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h2> </h2>
|
<h2> </h2>
|
||||||
|
|
||||||
|
|
||||||
@ -380,18 +523,18 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h1 align="center"><a href="http://www.sf.net"><img align="left"
|
<h1 align="center"><a href="http://www.sf.net"><img align="left"
|
||||||
alt="SourceForge Logo"
|
alt="SourceForge Logo"
|
||||||
src="http://sourceforge.net/sflogo.php?group_id=22587&type=3">
|
src="http://sourceforge.net/sflogo.php?group_id=22587&type=3">
|
||||||
</a></h1>
|
</a></h1>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h4> </h4>
|
<h4> </h4>
|
||||||
|
|
||||||
|
|
||||||
@ -399,7 +542,7 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h2>This site is hosted by the generous folks at <a
|
<h2>This site is hosted by the generous folks at <a
|
||||||
href="http://www.sf.net">SourceForge.net</a> </h2>
|
href="http://www.sf.net">SourceForge.net</a> </h2>
|
||||||
|
|
||||||
@ -408,44 +551,45 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h2><a name="Donations"></a>Donations</h2>
|
<h2><a name="Donations"></a>Donations</h2>
|
||||||
|
|
||||||
|
|
||||||
</td>
|
</td>
|
||||||
|
|
||||||
<td width="88"
|
<td width="88"
|
||||||
bgcolor="#4b017c" valign="top" align="center"> <br>
|
bgcolor="#4b017c" valign="top" align="center"> <br>
|
||||||
</td>
|
</td>
|
||||||
|
|
||||||
</tr>
|
</tr>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tbody>
|
|
||||||
|
</tbody>
|
||||||
|
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
</center>
|
</center>
|
||||||
|
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<table border="0" cellpadding="5" cellspacing="0"
|
<table border="0" cellpadding="5" cellspacing="0"
|
||||||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||||||
bgcolor="#4b017c">
|
bgcolor="#4b017c">
|
||||||
|
|
||||||
<tbody>
|
<tbody>
|
||||||
|
|
||||||
<tr>
|
<tr>
|
||||||
|
|
||||||
<td width="100%"
|
<td width="100%"
|
||||||
style="margin-top: 1px;">
|
style="margin-top: 1px;">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -455,12 +599,12 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p align="center"><a href="http://www.starlight.org"> <img
|
<p align="center"><a href="http://www.starlight.org"> <img
|
||||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||||
hspace="10">
|
hspace="10">
|
||||||
|
|
||||||
</a></p>
|
</a></p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -472,32 +616,33 @@ variables may be used in the /etc/shorewall/shorewall.conf file.</li>
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free
|
|
||||||
but if you try it and find it useful, please consider making a donation
|
|
||||||
to <a
|
|
||||||
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
|
||||||
Children's Foundation.</font></a> Thanks!</font></p>
|
|
||||||
|
|
||||||
</td>
|
|
||||||
|
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
|
||||||
|
if you try it and find it useful, please consider making a donation
|
||||||
|
to <a
|
||||||
|
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
|
||||||
|
Foundation.</font></a> Thanks!</font></p>
|
||||||
|
|
||||||
</tr>
|
</td>
|
||||||
|
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tbody>
|
</tbody>
|
||||||
|
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font>
|
<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
</p>
|
</p>
|
||||||
<br>
|
<br>
|
||||||
</body>
|
</body>
|
||||||
|
@ -3,406 +3,337 @@
|
|||||||
<head>
|
<head>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<meta http-equiv="Content-Language" content="en-us">
|
<meta http-equiv="Content-Language" content="en-us">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<meta http-equiv="Content-Type"
|
<meta http-equiv="Content-Type"
|
||||||
content="text/html; charset=windows-1252">
|
content="text/html; charset=windows-1252">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
|
||||||
<title>Shorewall Support Guide</title>
|
<title>Shorewall Support Guide</title>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<meta name="Microsoft Theme" content="none">
|
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
|
|
||||||
|
|
||||||
<table border="0" cellpadding="0" cellspacing="0"
|
<table border="0" cellpadding="0" cellspacing="0"
|
||||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||||
bgcolor="#400169" height="90">
|
bgcolor="#400169" height="90">
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td width="100%">
|
<td width="100%">
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
|
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
|
||||||
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
|
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
|
||||||
</font></h1>
|
</font></h1>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
|
|
||||||
<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall questions
|
<h2>Before Reporting a Problem or Asking a Question<br>
|
||||||
emailed directly to me, I try to spend some time each day answering questions
|
</h2>
|
||||||
on the Shorewall Users Mailing List and on the Support Forum.</font></big><span
|
There are a number
|
||||||
style="font-weight: 400;"></span></big></b></p>
|
of sources of Shorewall information. Please try these before you post.
|
||||||
|
|
||||||
<h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
|
|
||||||
|
|
||||||
<h1>Before Reporting a Problem</h1>
|
|
||||||
<i>"Well at least you tried to read the documentation, which is a lot
|
|
||||||
more than some people on this list appear to do.</i>"<br>
|
|
||||||
<br>
|
|
||||||
|
|
||||||
<div align="center">- Wietse Venema - On the Postfix mailing list<br>
|
|
||||||
</div>
|
|
||||||
<br>
|
|
||||||
There are a number of sources
|
|
||||||
for problem solution information. Please try these before you
|
|
||||||
post.
|
|
||||||
<h3> </h3>
|
|
||||||
|
|
||||||
<h3> </h3>
|
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>More than half of the questions posted on the
|
<li>More than half of the questions posted
|
||||||
support list have answers directly accessible from the <a
|
on the support list have answers directly accessible from the <a
|
||||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
|
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
|
||||||
<br>
|
</li>
|
||||||
</li>
|
<li> The <a
|
||||||
<li> The <a
|
|
||||||
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
|
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
</ul>
|
<li> The <a
|
||||||
|
|
||||||
<h3> </h3>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li> The <a
|
|
||||||
href="troubleshoot.htm">Troubleshooting</a> Information contains
|
href="troubleshoot.htm">Troubleshooting</a> Information contains
|
||||||
a number of tips to help you solve common problems. </li>
|
a number of tips to help you solve common problems.
|
||||||
|
</li>
|
||||||
</ul>
|
|
||||||
|
|
||||||
<h3> </h3>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li> The <a
|
|
||||||
href="errata.htm"> Errata</a> has links to download updated
|
|
||||||
components. </li>
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
|
|
||||||
<h3> </h3>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li> The Mailing
|
|
||||||
List Archives search facility can locate posts about similar
|
|
||||||
problems: </li>
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
|
|
||||||
<h2> </h2>
|
|
||||||
|
|
||||||
<h2>Mailing List Archive Search</h2>
|
|
||||||
|
|
||||||
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
|
|
||||||
|
|
||||||
|
<li> The <a
|
||||||
<p> <font size="-1"> Match:
|
href="errata.htm"> Errata</a> has links to download updated
|
||||||
|
components. </li>
|
||||||
<select name="method">
|
|
||||||
<option value="and">All </option>
|
|
||||||
<option value="or">Any </option>
|
|
||||||
<option value="boolean">Boolean </option>
|
|
||||||
</select>
|
|
||||||
Format:
|
|
||||||
|
|
||||||
|
<li> The Site and Mailing
|
||||||
<select name="format">
|
List Archives search facility can locate documents and posts
|
||||||
<option value="builtin-long">Long </option>
|
about similar problems: </li>
|
||||||
<option value="builtin-short">Short </option>
|
|
||||||
</select>
|
|
||||||
Sort by:
|
|
||||||
|
|
||||||
|
|
||||||
<select name="sort">
|
|
||||||
<option value="score">Score </option>
|
|
||||||
<option value="time">Time </option>
|
|
||||||
<option value="title">Title </option>
|
|
||||||
<option value="revscore">Reverse Score </option>
|
|
||||||
<option value="revtime">Reverse Time </option>
|
|
||||||
<option value="revtitle">Reverse Title </option>
|
|
||||||
</select>
|
|
||||||
</font> <input type="hidden"
|
|
||||||
name="config" value="htdig"> <input type="hidden" name="restrict"
|
|
||||||
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
|
|
||||||
name="exclude" value=""> <br>
|
|
||||||
Search: <input type="text"
|
|
||||||
size="30" name="words" value=""> <input type="submit" value="Search">
|
|
||||||
</p>
|
|
||||||
</form>
|
|
||||||
|
|
||||||
<h2>Problem Reporting Guidelines </h2>
|
|
||||||
<i>"Let me see if I can translate your message into a
|
|
||||||
real-world example. It would be like saying that you have three
|
|
||||||
rooms at home, and when you walk into one of the rooms, you detect
|
|
||||||
this strange smell. Can anyone tell you what that strange smell is?<br>
|
|
||||||
<br>
|
|
||||||
Now, all of us could do some wonderful guessing as to
|
|
||||||
the smell and even what's causing it. You would be absolutely amazed
|
|
||||||
at the range and variety of smells we could come up with. Even more
|
|
||||||
amazing is that all of the explanations for the smells would be completely
|
|
||||||
plausible."<br>
|
|
||||||
</i><br>
|
|
||||||
|
|
||||||
<div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br>
|
|
||||||
</div>
|
|
||||||
<br>
|
|
||||||
|
|
||||||
|
|
||||||
<h3> </h3>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li>Please remember we only know what is posted in your message.
|
|
||||||
Do not leave out any information that appears to be correct, or was
|
|
||||||
mentioned in a previous post. There have been countless posts by people
|
|
||||||
who were sure that some part of their configuration was correct when
|
|
||||||
it actually contained a small error. We tend to be skeptics where detail
|
|
||||||
is lacking.<br>
|
|
||||||
<br>
|
|
||||||
</li>
|
|
||||||
<li>Please keep in mind that you're asking for <strong>free</strong>
|
|
||||||
technical support. Any help we offer is an act of generosity, not
|
|
||||||
an obligation. Try to make it easy for us to help you. Follow good,
|
|
||||||
courteous practices in writing and formatting your e-mail. Provide
|
|
||||||
details that we need if you expect good answers. <em>Exact quoting </em>
|
|
||||||
of error messages, log entries, command output, and other output is better
|
|
||||||
than a paraphrase or summary.<br>
|
|
||||||
<br>
|
|
||||||
</li>
|
|
||||||
<li> Please don't describe
|
|
||||||
your environment and then ask us to send you custom
|
|
||||||
configuration files. We're here to answer your questions but
|
|
||||||
we can't do your job for you.<br>
|
|
||||||
<br>
|
|
||||||
</li>
|
|
||||||
<li>When reporting a problem, <strong>ALWAYS</strong> include
|
|
||||||
this information:</li>
|
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
|
|
||||||
|
<h2>Site and Mailing List Archive Search</h2>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<form method="post"
|
||||||
|
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match:
|
||||||
|
|
||||||
|
<select name="method">
|
||||||
|
<option value="and">All </option>
|
||||||
|
<option value="or">Any </option>
|
||||||
|
<option value="boolean">Boolean </option>
|
||||||
|
</select>
|
||||||
|
Format:
|
||||||
|
<select name="format">
|
||||||
|
<option value="builtin-long">Long </option>
|
||||||
|
<option value="builtin-short">Short </option>
|
||||||
|
</select>
|
||||||
|
Sort by:
|
||||||
|
<select name="sort">
|
||||||
|
<option value="score">Score </option>
|
||||||
|
<option value="time">Time </option>
|
||||||
|
<option value="title">Title </option>
|
||||||
|
<option value="revscore">Reverse Score </option>
|
||||||
|
<option value="revtime">Reverse Time </option>
|
||||||
|
<option value="revtitle">Reverse Title </option>
|
||||||
|
</select>
|
||||||
|
</font><input type="hidden" name="config" value="htdig"><input
|
||||||
|
type="hidden" name="restrict" value=""><font size="-1"> Include Mailing
|
||||||
|
List Archives:
|
||||||
|
<select size="1" name="exclude">
|
||||||
|
<option value="">Yes</option>
|
||||||
|
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
|
||||||
|
</select>
|
||||||
|
</font><br>
|
||||||
|
Search: <input type="text" size="30" name="words" value=""> <input
|
||||||
|
type="submit" value="Search"><br>
|
||||||
|
</form>
|
||||||
|
</blockquote>
|
||||||
|
|
||||||
|
<h2>Problem Reporting Guidelines<br>
|
||||||
|
</h2>
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
|
<li>Please remember we only know what is posted
|
||||||
|
in your message. Do not leave out any information that appears to
|
||||||
|
be correct, or was mentioned in a previous post. There have been
|
||||||
|
countless posts by people who were sure that some part of their
|
||||||
|
configuration was correct when it actually contained a small error.
|
||||||
|
We tend to be skeptics where detail is lacking.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Please keep in mind that you're asking for
|
||||||
|
<strong>free</strong> technical support. Any help we offer
|
||||||
|
is an act of generosity, not an obligation. Try to make it easy
|
||||||
|
for us to help you. Follow good, courteous practices in writing
|
||||||
|
and formatting your e-mail. Provide details that we need if you expect
|
||||||
|
good answers. <em>Exact quoting </em> of error messages, log entries,
|
||||||
|
command output, and other output is better than a paraphrase or summary.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li> Please don't
|
||||||
|
describe your environment and then ask us to send you
|
||||||
|
custom configuration files. We're here to answer your
|
||||||
|
questions but we can't do your job for you.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>When reporting a problem, <strong>ALWAYS</strong>
|
||||||
|
include this information:</li>
|
||||||
|
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>the exact version of Shorewall you are running.<br>
|
<li>the exact version of Shorewall you are running.<br>
|
||||||
<br>
|
<br>
|
||||||
<b><font color="#009900">shorewall version</font><br>
|
<b><font color="#009900">shorewall version</font><br>
|
||||||
</b> <br>
|
</b> <br>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>the exact kernel version you are running<br>
|
<li>the exact kernel version you are running<br>
|
||||||
<br>
|
<br>
|
||||||
<font color="#009900"><b>uname -a<br>
|
<font color="#009900"><b>uname -a<br>
|
||||||
<br>
|
<br>
|
||||||
</b></font></li>
|
</b></font></li>
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>the complete, exact output of<br>
|
<li>the complete, exact output of<br>
|
||||||
<br>
|
<br>
|
||||||
<font color="#009900"><b>ip addr show<br>
|
<font color="#009900"><b>ip addr show<br>
|
||||||
<br>
|
<br>
|
||||||
</b></font></li>
|
</b></font></li>
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>the complete, exact output of<br>
|
<li>the complete, exact output of<br>
|
||||||
<br>
|
<br>
|
||||||
<font color="#009900"><b>ip route show<br>
|
<font color="#009900"><b>ip route show<br>
|
||||||
<br>
|
<br>
|
||||||
</b></font></li>
|
</b></font></li>
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li>If your kernel is modularized, the exact output from<br>
|
<li>If your kernel is modularized, the exact
|
||||||
<br>
|
output from<br>
|
||||||
<font color="#009900"><b>lsmod</b></font><br>
|
<br>
|
||||||
<br>
|
<font color="#009900"><b>lsmod</b></font><br>
|
||||||
</li>
|
<br>
|
||||||
<li>the exact wording of any <code
|
</li>
|
||||||
|
<li>the exact wording of any <code
|
||||||
style="color: green; font-weight: bold;">ping</code> failure responses<br>
|
style="color: green; font-weight: bold;">ping</code> failure responses<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>If you installed Shorewall using one of the QuickStart Guides,
|
<li>If you installed Shorewall using one of the QuickStart
|
||||||
please indicate which one. <br>
|
Guides, please indicate which one. <br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li><b>If you are running Shorewall under Mandrake using the Mandrake
|
<li><b>If you are running Shorewall under Mandrake using
|
||||||
installation of Shorewall, please say so.</b><br>
|
the Mandrake installation of Shorewall, please say so.</b><br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li><b>NEVER </b>include the output of "<b><font
|
<li><b>NEVER </b>include the output of "<b><font
|
||||||
color="#009900">iptables -L</font></b>". Instead,<font
|
color="#009900">iptables -L</font></b>". Instead,<font
|
||||||
color="#ff0000"><u><i><big> <b>if you are having connection problems of
|
color="#ff0000"><u><i><big> <b>if you are having connection problems of
|
||||||
any kind then:</b></big></i></u></font><br>
|
any kind then:</b></big></i></u></font><br>
|
||||||
<br>
|
<br>
|
||||||
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
|
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
|
||||||
<br>
|
<br>
|
||||||
2. Try the connection that is failing.<br>
|
2. Try the connection that is failing.<br>
|
||||||
<br>
|
<br>
|
||||||
3.<b><font color="#009900"> /sbin/shorewall status > /tmp/status.txt</font></b><br>
|
3.<b><font color="#009900"> /sbin/shorewall status > /tmp/status.txt</font></b><br>
|
||||||
<br>
|
<br>
|
||||||
4. Post the /tmp/status.txt file as an attachment.<br>
|
4. Post the /tmp/status.txt file as an attachment.<br>
|
||||||
<br>
|
<br>
|
||||||
</li>
|
</li>
|
||||||
<li>As a general matter, please <strong>do not edit the diagnostic
|
<li>As a general
|
||||||
information</strong> in an attempt to conceal your IP address, netmask,
|
matter, please <strong>do not edit the diagnostic information</strong>
|
||||||
nameserver addresses, domain name, etc. These aren't secrets, and concealing
|
in an attempt to conceal your IP address, netmask, nameserver addresses,
|
||||||
them often misleads us (and 80% of the time, a hacker could derive
|
domain name, etc. These aren't secrets, and concealing them often
|
||||||
them anyway from information contained in the SMTP headers of your post).<strong></strong></li>
|
misleads us (and 80% of the time, a hacker could derive them anyway
|
||||||
|
from information contained in the SMTP headers of your post).<br>
|
||||||
|
<br>
|
||||||
|
<strong></strong></li>
|
||||||
|
<li>Do you see any "Shorewall" messages ("<b><font
|
||||||
|
color="#009900">/sbin/shorewall show log</font></b>") when
|
||||||
|
you exercise the function that is giving you problems? If so, include
|
||||||
|
the message(s) in your post along with a copy of your /etc/shorewall/interfaces
|
||||||
|
file.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Please include any of the Shorewall configuration files
|
||||||
|
(especially the /etc/shorewall/hosts file if you have
|
||||||
|
modified that file) that you think are relevant. If you
|
||||||
|
include /etc/shorewall/rules, please include /etc/shorewall/policy
|
||||||
|
as well (rules are meaningless unless one also knows the policies).<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>If an error occurs when you try to "<font
|
||||||
|
color="#009900"><b>shorewall start</b></font>", include a
|
||||||
|
trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
|
||||||
|
section for instructions).<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li><b>The list server limits posts to 120kb so don't post GIFs
|
||||||
|
of your network layout, etc. to the Mailing
|
||||||
|
List -- your post will be rejected.</b></li>
|
||||||
|
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
<ul>
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
|
|
||||||
<h3> </h3>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
|
|
||||||
<h3> </h3>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li> Do you see
|
|
||||||
any "Shorewall" messages ("<b><font color="#009900">/sbin/shorewall
|
|
||||||
show log</font></b>") when you exercise the function that
|
|
||||||
is giving you problems? If so, include the message(s) in your post
|
|
||||||
along with a copy of your /etc/shorewall/interfaces file.<br>
|
|
||||||
<br>
|
|
||||||
</li>
|
|
||||||
<li>Please include any of the Shorewall configuration files
|
|
||||||
(especially the /etc/shorewall/hosts file if you have
|
|
||||||
modified that file) that you think are relevant. If you
|
|
||||||
include /etc/shorewall/rules, please include /etc/shorewall/policy
|
|
||||||
as well (rules are meaningless unless one also knows the policies).
|
|
||||||
</li>
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
|
|
||||||
<h3> </h3>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
|
|
||||||
<h3> </h3>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li> If an error occurs
|
|
||||||
when you try to "<font color="#009900"><b>shorewall start</b></font>",
|
|
||||||
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
|
|
||||||
section for instructions). </li>
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
|
|
||||||
<h3> </h3>
|
|
||||||
|
|
||||||
<ul>
|
|
||||||
<li>
|
|
||||||
|
|
||||||
<h3><b>The list server limits posts to 120kb so don't post GIFs of
|
|
||||||
your network layout, etc. to the Mailing List -- your
|
|
||||||
post will be rejected.</b></h3>
|
|
||||||
</li>
|
|
||||||
|
|
||||||
</ul>
|
|
||||||
The author gratefully acknowleges that the above list was heavily
|
|
||||||
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
|
|
||||||
found at <a
|
|
||||||
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
|
|
||||||
|
|
||||||
<h2>Please post in plain text</h2>
|
|
||||||
|
|
||||||
<blockquote> </blockquote>
|
|
||||||
A growing number of MTAs serving list subscribers are rejecting
|
|
||||||
all HTML traffic. At least one MTA has gone so far as to blacklist
|
|
||||||
shorewall.net "for continuous abuse" because it has been my policy to
|
|
||||||
allow HTML in list posts!!<br>
|
|
||||||
<br>
|
|
||||||
I think that blocking all HTML is a Draconian way to control
|
|
||||||
spam and that the ultimate losers here are not the spammers but the
|
|
||||||
list subscribers whose MTAs are bouncing all shorewall.net mail. As
|
|
||||||
one list subscriber wrote to me privately "These e-mail admin's need
|
|
||||||
to get a <i>(expletive deleted)</i> life instead of trying to rid the planet
|
|
||||||
of HTML based e-mail". Nevertheless, to allow subscribers to receive list
|
|
||||||
posts as must as possible, I have now configured the list server at shorewall.net
|
|
||||||
to strip all HTML from outgoing posts.<br>
|
|
||||||
|
|
||||||
<h2>Where to Send your Problem Report or to Ask for Help</h2>
|
|
||||||
|
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
The author gratefully acknowleges that the above list was heavily
|
||||||
|
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
|
||||||
|
found at <a
|
||||||
|
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
|
||||||
|
</blockquote>
|
||||||
|
|
||||||
|
<h2>When using the mailing list, please post in plain text</h2>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
A growing number of MTAs serving list subscribers are rejecting
|
||||||
|
all HTML traffic. At least one MTA has gone so far as to blacklist
|
||||||
|
shorewall.net "for continuous abuse" because it has been my policy
|
||||||
|
to allow HTML in list posts!!<br>
|
||||||
|
<br>
|
||||||
|
I think that blocking all HTML is a Draconian
|
||||||
|
way to control spam and that the ultimate losers here are not
|
||||||
|
the spammers but the list subscribers whose MTAs are bouncing
|
||||||
|
all shorewall.net mail. As one list subscriber wrote to me privately
|
||||||
|
"These e-mail admin's need to get a <i>(expletive deleted)</i> life
|
||||||
|
instead of trying to rid the planet of HTML based e-mail". Nevertheless,
|
||||||
|
to allow subscribers to receive list posts as must as possible, I have
|
||||||
|
now configured the list server at shorewall.net to strip all HTML
|
||||||
|
from outgoing posts.<br>
|
||||||
|
</blockquote>
|
||||||
|
|
||||||
|
|
||||||
|
<h2>Where to Send your Problem Report or to Ask for Help</h2>
|
||||||
|
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
|
||||||
<h4>If you run Shorewall under Bering -- <span
|
<h4>If you run Shorewall under Bering -- <span
|
||||||
style="font-weight: 400;">please post your question or problem
|
style="font-weight: 400;">please post your question or problem
|
||||||
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users
|
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
|
||||||
mailing list</a>.</span></h4>
|
Users mailing list</a>.</span></h4>
|
||||||
<b>If you run Shorewall under MandrakeSoft Multi Network
|
<b>If you run Shorewall under MandrakeSoft Multi
|
||||||
Firewall (MNF) and you have not purchased an MNF license from MandrakeSoft
|
Network Firewall (MNF) and you have not purchased an MNF license
|
||||||
then you can post non MNF-specific Shorewall questions to the </b><a
|
from MandrakeSoft then you can post non MNF-specific Shorewall questions
|
||||||
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
|
to the </b><a href="mailto:shorewall-users@lists.shorewall.net">Shorewall
|
||||||
list</a> or to the <a
|
users mailing list</a>. <b>Do not expect to get free MNF support
|
||||||
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
|
on the list or forum.</b><br>
|
||||||
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
|
|
||||||
|
|
||||||
|
|
||||||
<p>Otherwise, please post your question or problem to the <a
|
<p>Otherwise, please post your question or problem to the <a
|
||||||
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
|
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
|
||||||
list</a> or to the <a
|
list</a>.</p>
|
||||||
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
|
</blockquote>
|
||||||
Forum</a>.</p>
|
|
||||||
</blockquote>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<p>To Subscribe to the mailing list go to <a
|
<p>To Subscribe to the mailing list go to <a
|
||||||
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
|
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
|
||||||
.</p>
|
.<br>
|
||||||
|
</p>
|
||||||
|
|
||||||
|
<p>For information on other Shorewall mailing lists, go to <a
|
||||||
|
href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
|
||||||
|
</p>
|
||||||
|
|
||||||
|
|
||||||
<p align="left"><font size="2">Last Updated 3/4/2003 - Tom Eastep</font></p>
|
<p align="left"><font size="2">Last Updated 3/14/2003 - Tom Eastep</font></p>
|
||||||
|
|
||||||
|
|
||||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||||
</p>
|
</p>
|
||||||
<br>
|
<br>
|
||||||
<br>
|
<br>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
@ -60,3 +60,7 @@ Changes since 1.3.14
|
|||||||
27. Remove stale comments in the params file.
|
27. Remove stale comments in the params file.
|
||||||
|
|
||||||
28. Silently drop INVALID state packets
|
28. Silently drop INVALID state packets
|
||||||
|
|
||||||
|
29. Ignore the 'default' route when detecting masq'd networks.
|
||||||
|
|
||||||
|
30. REALLY process the params file first now (honest).
|
||||||
|
@ -28,7 +28,7 @@
|
|||||||
# shown below. Simply run this script to revert to your prior version of
|
# shown below. Simply run this script to revert to your prior version of
|
||||||
# Shoreline Firewall.
|
# Shoreline Firewall.
|
||||||
|
|
||||||
VERSION=1.4.0-RC2
|
VERSION=1.4.0
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -54,7 +54,7 @@
|
|||||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||||
#
|
#
|
||||||
|
|
||||||
VERSION=1.4.0-RC2
|
VERSION=1.4.0
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
@ -77,6 +77,18 @@ Changes for 1.4 include:
|
|||||||
10) The /etc/shorewall/params file is now processed first so that
|
10) The /etc/shorewall/params file is now processed first so that
|
||||||
variables may be used in the /etc/shorewall/shorewall.conf file.
|
variables may be used in the /etc/shorewall/shorewall.conf file.
|
||||||
|
|
||||||
|
11) Packets with state INVALID are now silently dropped.
|
||||||
|
|
||||||
|
12) Shorewall now gives a more helpful diagnostic when the 'ipchains'
|
||||||
|
compatibility kernel module is loaded and a 'shorewall start'
|
||||||
|
command is issued.
|
||||||
|
|
||||||
|
13) The SHARED_DIR variable has been removed from shorewall.conf. This
|
||||||
|
variable was for use by package maintainers and was not documented
|
||||||
|
for general use.
|
||||||
|
|
||||||
|
14) Shorewall now ignores 'default' routes when detecting masq'd
|
||||||
|
networks.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
%define name shorewall
|
%define name shorewall
|
||||||
%define version 1.4.0
|
%define version 1.4.0
|
||||||
%define release 0RC2
|
%define release 1
|
||||||
%define prefix /usr
|
%define prefix /usr
|
||||||
|
|
||||||
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
|
||||||
@ -105,6 +105,8 @@ fi
|
|||||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>
|
||||||
|
- Changed version to 1.4.0-1
|
||||||
* Fri Mar 07 2003 Tom Eastep <tom@shorewall.net>
|
* Fri Mar 07 2003 Tom Eastep <tom@shorewall.net>
|
||||||
- Changed version to 1.4.0-0RC2
|
- Changed version to 1.4.0-0RC2
|
||||||
* Wed Mar 05 2003 Tom Eastep <tom@shorewall.net>
|
* Wed Mar 05 2003 Tom Eastep <tom@shorewall.net>
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
# You may only use this script to uninstall the version
|
# You may only use this script to uninstall the version
|
||||||
# shown below. Simply run this script to remove Seattle Firewall
|
# shown below. Simply run this script to remove Seattle Firewall
|
||||||
|
|
||||||
VERSION=1.4.0-RC2
|
VERSION=1.4.0
|
||||||
|
|
||||||
usage() # $1 = exit status
|
usage() # $1 = exit status
|
||||||
{
|
{
|
||||||
|
Loading…
Reference in New Issue
Block a user