| + |
Shorewall FAQs- |
-
1a. Ok -- I followed those instructions - but it doesn't work.
- + but it doesn't work. + - + to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local + network. External clients can browse http://www.mydomain.com but internal + clients can't. + - + subnet and I use static NAT to assign non-RFC1918 addresses to hosts + in Z. Hosts in Z cannot communicate with each other using their external + (non-RFC1918 addresses) so they can't access each other using their DNS + names. +3. I want to use Netmeeting/MSN -Messenger with Shorewall. What do I do?
- + Messenger with Shorewall. What do I do? + - + to check my firewall and it shows some ports as 'closed' rather than +'blocked'. Why? +4a. I just ran an nmap UDP scan - of my firewall and it showed 100s of ports as open!!!!
- + of my firewall and it showed 100s of ports as open!!!! +5. I've installed Shorewall and now -I can't ping through the firewall
- + I can't ping through the firewall +6. Where are the log messages - written and how do I change the destination?
- + written and how do I change the destination? +6a. Are there any log parsers - that work with Shorewall?
- + that work with Shorewall? + - + work? +8. When I try to start Shorewall -on RedHat 7.x, I get messages about insmod failing -- what's wrong?
- + on RedHat 7.x, I get messages about insmod failing -- what's wrong? +9. Why can't Shorewall detect -my interfaces properly?
- + my interfaces properly? +10. What distributions does -it work with?
- + it work with? +11. What features does it support?
- + - +13. Why do you call it "Shorewall"?
- - - - - -15. My local systems can't see -out to the net
- -16. Shorewall is writing log messages - all over my console making it unusable!
-15. My local systems can't see + out to the net
+ +16. Shorewall is writing log messages + all over my console making it unusable!
+ +Answer: The first example in the rules file documentation shows how to -do port forwarding under Shorewall. Assuming that you have a dynamic external -IP address, the format of a port-forwarding rule to a local system is as follows:
- -+ do port forwarding under Shorewall. Assuming that you have a dynamic external + IP address, the format of a port-forwarding rule to a local system is as +follows: + ++- +- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIG. DEST. -- - - + +DNAT -net -loc:<local IP address>[:<local port>] -<protocol> -<port #> -- - + +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ + +DNAT +net +loc:<local IP address>[:<local port>] +<protocol> +<port #> ++
++
+
So to forward UDP port 7777 to internal system 192.168.1.5, -the rule is:
- -+ the rule is: + +- -- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIG. DEST. -- - - + +DNAT -net -loc:192.168.1.5 -udp -7777 -- - + +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ + +DNAT +net +loc:192.168.1.5 +udp +7777 ++
++
++ + ++- +DNAT net loc:192.168.1.5 udp 7777-If you want to forward requests directed to a particular address ( <external IP> ) on your firewall to an internal system:
- -+ ++- +- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIG. DEST. -- - - + +DNAT -net -loc:<local IP address>[:<local port>] -<protocol> -<port #> -- -<external IP> -+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ + +DNAT +net +loc:<local IP address>[:<local port>] +<protocol> +<port #> +- +<external IP> +1a. Ok -- I followed those instructions -but it doesn't work
- + but it doesn't work +Answer: That is usually the result of one of two things:
- +-
- +- You are trying to test from inside your firewall (no, that won't -work -- see FAQ #2).
-- You have a more basic problem with your local system such as an -incorrect default gateway configured (it should be set to the IP address -of your firewall's internal interface).
- +- You are trying to test from inside your firewall (no, that won't + work -- see FAQ #2).
+- You have a more basic problem with your local system such as an + incorrect default gateway configured (it should be set to the IP address + of your firewall's internal interface).
+2. I port forward www requests to www.mydomain.com -(IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients -can browse http://www.mydomain.com but internal clients can't.
- + (IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients + can browse http://www.mydomain.com but internal clients can't. +Answer: I have two objections to this setup.
- +-
- +- Having an internet-accessible server in your local network is -like raising foxes in the corner of your hen house. If the server is compromised, -there's nothing between that server and your other internal systems. -For the cost of another NIC and a cross-over cable, you can put your -server in a DMZ such that it is isolated from your local systems - assuming -that the Server can be located near the Firewall, of course :-)
-- The accessibility problem is best solved using Having an internet-accessible server in your local network +is like raising foxes in the corner of your hen house. If the server is + compromised, there's nothing between that server and your other internal + systems. For the cost of another NIC and a cross-over cable, you can put + your server in a DMZ such that it is isolated from your local systems +- assuming that the Server can be located near the Firewall, of course +:-)
+- The accessibility problem is best solved using Bind Version 9 "views" (or using a separate DNS server for local clients) such that www.mydomain.com resolves to 130.141.100.69 externally and 192.168.1.5 internally. That's what I do here at shorewall.net for my local systems that use static NAT.
- +If you insist on an IP solution to the accessibility problem - rather than a DNS solution, then assuming that your external interface is -eth0 and your internal interface is eth1 and that eth1 has IP address 192.168.1.254 -with subnet 192.168.1.0/24, do the following:
- + rather than a DNS solution, then assuming that your external interface is + eth0 and your internal interface is eth1 and that eth1 has IP address 192.168.1.254 + with subnet 192.168.1.0/24, do the following: +a) In /etc/shorewall/interfaces, specify "multi" as an option - for eth1.
- -+ for eth1. + ++- -b) In /etc/shorewall/rules, add:
--+ +++- --- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIG. DEST. -- - - + +DNAT -loc:192.168.1.0/24 -loc:192.168.1.5 -tcp -www -- -130.151.100.69:192.168.1.254 -+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ + +DNAT +loc:192.168.1.0/24 +loc:192.168.1.5 +tcp +www +- +130.151.100.69:192.168.1.254 +-- -DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254-+ ++ +++ +DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254+- -That rule only works of course if you have a static external -IP address. If you have a dynamic IP address and are running Shorewall 1.3.4 -or later then include this in /etc/shorewall/params:
-+ IP address. If you have a dynamic IP address and are running Shorewall +1.3.4 or later then include this in /etc/shorewall/params: ++ +- -ETH0_IP=`find_interface_address eth0`-++ +- -and make your DNAT rule:
--+ +++- --- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIG. DEST. -- - - + +DNAT -loc:192.168.1.0/24 -loc:192.168.1.5 -tcp -www -- -$ETH0_IP:192.168.1.254 -+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ + +DNAT +loc:192.168.1.0/24 +loc:192.168.1.5 +tcp +www +- +$ETH0_IP:192.168.1.254 ++ ++ +- + client to automatically restart Shorewall each time that you get a new IP + address. +Using this technique, you will want to configure your DHCP/PPPoE - client to automatically restart Shorewall each time that you get a new IP - address.
-2a. I have a zone "Z" with an RFC1918 -subnet and I use static NAT to assign non-RFC1918 addresses to hosts in Z. -Hosts in Z cannot communicate with each other using their external (non-RFC1918 -addresses) so they can't access each other using their DNS names.
- + subnet and I use static NAT to assign non-RFC1918 addresses to hosts in Z. + Hosts in Z cannot communicate with each other using their external (non-RFC1918 + addresses) so they can't access each other using their DNS names. +Answer: This is another problem that is best solved -using Bind Version 9 "views". It allows both external and internal clients -to access a NATed host using the host's DNS name.
- + using Bind Version 9 "views". It allows both external and internal clients + to access a NATed host using the host's DNS name. +Another good way to approach this problem is to switch from - static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses -and can be accessed externally and internally using the same address.
- + static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses + and can be accessed externally and internally using the same address. +If you don't like those solutions and prefer routing all Z->Z traffic through your firewall then:
- +a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces.
- + b) Set the Z->Z policy to ACCEPT.
- b) Set the Z->Z policy to ACCEPT.
- c) Masquerade Z to itself.
-
- Example:
+ c) Masquerade Z to itself.
+
+ Example: +Zone: dmz
- + Interface: eth2
- Interface: eth2
- Subnet: 192.168.2.0/24
+ Subnet: 192.168.2.0/24 +In /etc/shorewall/interfaces:
- -+ ++- +- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- - - + +dmz -eth2 -192.168.2.255 -multi -+ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ + +dmz +eth2 +192.168.2.255 +multi +In /etc/shorewall/policy:
- -+ ++ +- -- -
-- -SOURCE -DESTINATION -POLICY -LIMIT:BURST -- - - + +dmz -dmz -ACCEPT -- + +SOURCE +DESTINATION +POLICY +LIMIT:BURST ++ + +dmz +dmz +ACCEPT ++
+-- +dmz dmz ACCEPT-++dmz dmz ACCEPT+In /etc/shorewall/masq:
- -+ ++- +- -
-- -INTERFACE -SUBNET -ADDRESS -- - - + +eth2 -192.168.2.0/24 -- + +INTERFACE +SUBNET +ADDRESS ++ + +eth2 +192.168.2.0/24 ++
+3. I want to use Netmeeting/MSN Messenger -with Shorewall. What do I do?
- + with Shorewall. What do I do? +Answer: There is an H.323 connection -tracking/NAT module that may help. Also check the Netfilter mailing list -archives at http://netfilter.samba.org. -
- + tracking/NAT module that may help. Also check the Netfilter mailing list + archives at http://netfilter.samba.org. + +4. I just used an online port scanner -to check my firewall and it shows some ports as 'closed' rather than 'blocked'. - Why?
- + to check my firewall and it shows some ports as 'closed' rather than 'blocked'. + Why? +Answer: The common.def included with version 1.3.x -always rejects connection requests on TCP port 113 rather than dropping -them. This is necessary to prevent outgoing connection problems to services -that use the 'Auth' mechanism for identifying requesting users. Shorewall -also rejects TCP ports 135, 137 and 139 as well as UDP ports 137-139. These -are ports that are used by Windows (Windows can be configured to -use the DCE cell locator on port 135). Rejecting these connection requests -rather than dropping them cuts down slightly on the amount of Windows chatter -on LAN segments connected to the Firewall.
- + always rejects connection requests on TCP port 113 rather than dropping + them. This is necessary to prevent outgoing connection problems to services + that use the 'Auth' mechanism for identifying requesting users. Shorewall + also rejects TCP ports 135, 137 and 139 as well as UDP ports 137-139. +These are ports that are used by Windows (Windows can be configured +to use the DCE cell locator on port 135). Rejecting these connection requests + rather than dropping them cuts down slightly on the amount of Windows +chatter on LAN segments connected to the Firewall. +If you are seeing port 80 being 'closed', that's probably -your ISP preventing you from running a web server in violation of your -Service Agreement.
- + your ISP preventing you from running a web server in violation of your + Service Agreement. +4a. I just ran an nmap UDP scan of my - firewall and it showed 100s of ports as open!!!!
- + firewall and it showed 100s of ports as open!!!! +Answer: Take a deep breath and read the nmap man page -section about UDP scans. If nmap gets nothing back from your firewall -then it reports the port as open. If you want to see which UDP ports are -really open, temporarily change your net->all policy to REJECT, restart -Shorewall and do the nmap UDP scan again.
- + section about UDP scans. If nmap gets nothing back from your firewall + then it reports the port as open. If you want to see which UDP ports are + really open, temporarily change your net->all policy to REJECT, restart + Shorewall and do the nmap UDP scan again. +5. I've installed Shorewall and now I -can't ping through the firewall
- + can't ping through the firewall +Answer: If you want your firewall to be totally open -for "ping":
- + for "ping": +a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.
- -
- b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef
- c) Add the following to /etc/shorewall/icmpdef:+ b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef+
+ c) Add the following to /etc/shorewall/icmpdef: + +- + -j ACCEPT +run_iptables -A icmpdef -p ICMP --icmp-type echo-request --j ACCEPT
-6. Where are the log messages written - and how do I change the destination?
- + and how do I change the destination? +Answer: NetFilter uses the kernel's equivalent of syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility (see "man openlog") and you get to choose the log level (again, see "man syslog") in your policies and rules. The destination for messaged logged -by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). When -you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat + href="Documentation.htm#Rules">rules. The destination for messaged +logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). +When you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat system, "service syslog restart").
- +By default, older versions of Shorewall ratelimited log messages -through settings in /etc/shorewall/shorewall.conf --- If you want to log all messages, set:
- -+ through settings in /etc/shorewall/shorewall.conf + -- If you want to log all messages, set: + ++- +LOGLIMIT=""-
LOGBURST=""6a. Are there any log parsers that work - with Shorewall?
- + with Shorewall? +Answer: Here are several links that may be helpful: -
- -+ + ++- + http://www.fireparse.comhttp://www.shorewall.net/pub/shorewall/parsefw/
-
- http://www.fireparse.com
- http://cert.uni-stuttgart.de/projects/fwlogwatch
+ http://cert.uni-stuttgart.de/projects/fwlogwatch +7. When I stop Shorewall using 'shorewall - stop', I can't connect to anything. Why doesn't that command work?
- + stop', I can't connect to anything. Why doesn't that command work? +The 'stop' command is intended to place your firewall into -a safe state whereby only those interfaces/hosts having the 'routestopped' -option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. -If you want to totally open up your firewall, you must use the 'shorewall -clear' command.
- + a safe state whereby only those interfaces/hosts having the 'routestopped' + option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. + If you want to totally open up your firewall, you must use the 'shorewall + clear' command. +8. When I try to start Shorewall on RedHat - 7.x, I get messages about insmod failing -- what's wrong?
- + 7.x, I get messages about insmod failing -- what's wrong? +Answer: The output you will see looks something like -this:
- + this: +/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy- +
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.This is usually cured by the following sequence of commands: -
- -+ + ++ +- -service ipchains stop-
chkconfig --delete ipchains
rmmod ipchains++ +- -Also, be sure to check the errata -for problems concerning the version of iptables (v1.2.3) shipped with RH7.2.
-+ for problems concerning the version of iptables (v1.2.3) shipped with RH7.2. +
+
9. Why can't Shorewall detect my interfaces -properly?
- + properly? +I just installed Shorewall and when I issue the start command, - I see the following:
- -+ I see the following: + ++- -Processing /etc/shorewall/shorewall.conf ...-
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
Deleting user chains...
Creating input Chains...
...++ +- -Why can't Shorewall detect my interfaces properly?
-++ +- +Answer: The above output is perfectly normal. The Net zone is defined as all hosts that are connected through eth0 and the local zone is defined as all hosts connected through eth1
-10. What Distributions does it work with?
- +Shorewall works with any GNU/Linux distribution that includes - the proper prerequisites.
- + the proper prerequisites. +11. What Features does it have?
- +Answer: See the Shorewall -Feature List.
- + Feature List. +12. Why isn't there a GUI?
- +Answer: Every time I've started to work on one, I find myself doing other things. I guess I just don't care enough if Shorewall has a GUI to invest the effort to create one myself. There are several Shorewall GUI projects underway however and I will publish links to them when the authors feel that they are ready.
- +13. Why do you call it "Shorewall"?
- +Answer: Shorewall is a concatenation of "Shoreline" -(the city where I live) -and "Firewall".
- -14. I'm connected via a cable modem -and it has an internal web server that allows me to configure/monitor it -but as expected if I enable rfc1918 blocking for my eth0 interface (the internet -one), it also blocks the cable modems web server.
- + (the city where I live) + and "Firewall". + +14. I'm connected via a cable modem + and it has an internal web server that allows me to configure/monitor it + but as expected if I enable rfc1918 blocking for my eth0 interface (the +internet one), it also blocks the cable modems web server.
+Is there any way it can add a rule before the rfc1918 blocking -that will let all traffic to and from the 192.168.100.1 address of the modem -in/out but still block all other rfc1918 addresses.
- + that will let all traffic to and from the 192.168.100.1 address of the modem + in/out but still block all other rfc1918 addresses. +Answer: If you are running a version of Shorewall earlier than 1.3.1, create /etc/shorewall/start and in it, place the following:
- -+ ++- -run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT-++ +- -If you are running version 1.3.1 or later, simply add the - following to /etc/shorewall/rfc1918:
--+ ++ following to /etc/shorewall/rfc1918: +++ ++- + +
++ +SUBNET +TARGET ++ + + +192.168.100.1 +RETURN ++- -Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
+ +
+Note: If you add a second IP address to your external firewall +interface to correspond to the modem address, you must also make an entry +in /etc/shorewall/rfc1918 for that address. For example, if you configure +the address 192.168.100.2 on your firewall, then you would add two entries +to /etc/shorewall/rfc1918:
+ +
++-+
-- -SUBNET -TARGET -- - +192.168.100.1 -RETURN -SUBNET +
+TARGET + +
++ +192.168.100.1 +
+RETURN +
++ +192.168.100.2 +
+RETURN +
+-- -Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
-+ ++ +- -14a. Even though it assigns public IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on my external interface, my DHCP client cannot renew its lease.
-++ +- + the IP address of your ISPs DHCP server. +The solution is the same as FAQ 14 above. Simply substitute - the IP address of your ISPs DHCP server.
-15. My local systems can't see out to -the net
- + the net +Answer: Every time I read "systems can't see out to -the net", I wonder where the poster bought computers with eyes and what those -computers will "see" when things are working properly. That aside, the most -common causes of this problem are:
- + the net", I wonder where the poster bought computers with eyes and what +those computers will "see" when things are working properly. That aside, +the most common causes of this problem are: +-
- +- +
- -
The default gateway on each local system isn't set to -the IP address of the local firewall interface.
-- + the IP address of the local firewall interface. +
+- -
The entry for the local network in the /etc/shorewall/masq - file is wrong or missing.
-- + file is wrong or missing. +
+- - + user is running a DNS server on the firewall and hasn't enabled UDP and + TCP port 53 from the firewall to the internet. + +
The DNS settings on the local systems are wrong or the - user is running a DNS server on the firewall and hasn't enabled UDP and -TCP port 53 from the firewall to the internet.
-16. Shorewall is writing log messages -all over my console making it unusable!
- + all over my console making it unusable! +Answer: "man dmesg" -- add a suitable 'dmesg' command -to your startup scripts or place it in /etc/shorewall/start. Under RedHat, -the max log level that is sent to the console is specified in /etc/sysconfig/init -in the LOGLEVEL variable.
- -- -- -Last updated 9/23/2002 - + +
+ diff --git a/STABLE/documentation/Install.htm b/STABLE/documentation/Install.htm index 4e68cef62..9b5b55523 100644 --- a/STABLE/documentation/Install.htm +++ b/STABLE/documentation/Install.htm @@ -1,174 +1,207 @@ + - - -+ +Last updated 10/8/2002 - Tom Eastep
- +Copyright - © 2001, 2002 Thomas M. Eastep.
-
-
+ © 2001, 2002 Thomas M. Eastep.
+Shorewall Installation - - + + +Shorewall Installation + + + + - - --
- + + +- -Shorewall Installation and Upgrade
-+ +
- -+ + ++ +Shorewall Installation and +Upgrade
+Before upgrading, be sure to review the -Upgrade Issues
- + +Before upgrading, be sure to review the Upgrade Issues
+Install using RPM
+ Install using tarball
-Install -using tarball
-Upgrade using RPM
-Upgrade -using tarball
-Configuring Shorewall
-Uninstall/Fallback
+ Upgrade using RPM
+ Upgrade using tarball
+ Configuring Shorewall
+ Uninstall/Fallback +To install Shorewall using the RPM:
-If you have RedHat 7.2 and are running iptables version 1.2.3 (at a shell -prompt, type "/sbin/iptables --version"), you must upgrade to version 1.2.4 -either from the -RedHat update -site or from the Shorewall Errata page before -attempting to start Shorewall.
+ +If you have RedHat 7.2 and are running iptables version 1.2.3 (at a +shell prompt, type "/sbin/iptables --version"), you must upgrade to version +1.2.4 either from the RedHat update + site or from the Shorewall Errata page before + attempting to start Shorewall.
+-
-- Install the RPM (rpm -ivh <shorewall rpm>).
-
-
- Note: Some SuSE users have encountered a problem whereby rpm reports a - conflict with kernel <= 2.2 even though a 2.4 kernel is installed. If this - happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps <shorewall - rpm>).- Edit the configuration files to match your configuration. WARNING - YOU CAN NOT SIMPLY INSTALL THE RPM -AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE -FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO -START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, -ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.
-- Start the firewall by typing "shorewall start"
+- Install the RPM (rpm -ivh <shorewall rpm>).
+
+
+ Note: Some SuSE users have encountered a problem whereby rpm reports +a conflict with kernel <= 2.2 even though a 2.4 kernel is installed. +If this happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps +<shorewall rpm>).- Edit the configuration files to match +your configuration. WARNING - YOU CAN NOT +SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION +IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND +AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK +TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK +CONNECTIVITY.
+- Start the firewall by typing "shorewall start"
+To - install Shorewall using the tarball and install - script:
+ +To install Shorewall using the tarball +and install script:
+-
-- unpack the tarball (tar -zxf shorewall-x.y.z.tgz).
-- cd to the shorewall directory (the version is encoded in the - directory name as in "shorewall-1.1.10").
-- If you are using Caldera, RedHat, - Mandrake, Corel, - Slackware or - Debian - then type "./install.sh"
-- If you are using SuSe then type - "./install.sh /etc/init.d"
-- If your distribution has directory - /etc/rc.d/init.d or /etc/init.d then type - "./install.sh"
-- For other distributions, determine where your - distribution installs init scripts and type - "./install.sh <init script directory>
-- Edit the configuration files to match your configuration.
-- Start the firewall by typing "shorewall - start"
-- If the install script was unable to configure Shorewall to be started automatically at boot, - see these - instructions.
+- unpack the tarball (tar -zxf shorewall-x.y.z.tgz).
+- cd to the shorewall directory (the version is encoded in the + directory name as in "shorewall-1.1.10").
+- If you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian then type "./install.sh"
+- If you are using SuSe then type + "./install.sh /etc/init.d"
+- If your distribution has directory /etc/rc.d/init.d or +/etc/init.d then type "./install.sh"
+- For other distributions, determine where your distribution +installs init scripts and type "./install.sh <init script +directory>
+- Edit the configuration files to match +your configuration.
+- Start the firewall by typing "shorewall start"
+- If the install script was unable to configure Shorewall to be started +automatically at boot, see these instructions.
+If you already have the Shorewall RPM installed and are upgrading to a new -version:
-If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you -have entries in the /etc/shorewall/hosts file then please check your -/etc/shorewall/interfaces file to be sure that it contains an entry for each -interface mentioned in the hosts file. Also, there are certain 1.2 rule forms -that are no longer supported under 1.3 (you must use the new 1.3 syntax). See -the upgrade issues for details. You can check your rules and -host file for 1.3 compatibility using the "shorewall check" command after -installing the latest version of 1.3.
+ +If you already have the Shorewall RPM installed +and are upgrading to a new version:
+ +If you are upgrading from a 1.2 version of Shorewall to a 1.3 version +and you have entries in the /etc/shorewall/hosts file then please check +your /etc/shorewall/interfaces file to be sure that it contains an entry +for each interface mentioned in the hosts file. Also, there are certain +1.2 rule forms that are no longer supported under 1.3 (you must use the +new 1.3 syntax). See the upgrade issues for +details. You can check your rules and host file for 1.3 compatibility using +the "shorewall check" command after installing the latest version of 1.3.
+-
-- Upgrade the RPM (rpm -Uvh <shorewall rpm file>) Note: If you - are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed, - you must use the "--oldpackage" option to rpm (e.g., "rpm - -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). -
-- Note: Some SuSE users have encountered a problem whereby rpm reports a - conflict with kernel <= 2.2 even though a 2.4 kernel is installed. If this - happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps <shorewall - rpm>).
-- See if there are any incompatibilities between your configuration and the - new Shorewall version (type "shorewall check") and correct as necessary.
-- Restart the firewall (shorewall restart).
+- Upgrade the RPM (rpm -Uvh <shorewall rpm file>) Note: If +you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs +installed, you must use the "--oldpackage" option to rpm (e.g., "rpm + -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). +
+Note: Some SuSE users have encountered a problem whereby +rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel +is installed. If this happens, simply use the --nodeps option to rpm (rpm +-Uvh --nodeps <shorewall rpm>).
+
+- See if there are any incompatibilities between your configuration and +the new Shorewall version (type "shorewall check") and correct as necessary.
+- Restart the firewall (shorewall restart).
+If you already have Shorewall installed and are upgrading to a new version -using the tarball:
-If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you -have entries in the /etc/shorewall/hosts file then please check your -/etc/shorewall/interfaces file to be sure that it contains an entry for each -interface mentioned in the hosts file. Also, there are certain 1.2 rule -forms that are no longer supported under 1.3 (you must use the new 1.3 syntax). -See the upgrade issues for details. You can check your rules -and host file for 1.3 compatibility using the "shorewall check" command after -installing the latest version of 1.3.
+ +If you already have Shorewall installed +and are upgrading to a new version using the tarball:
+ +If you are upgrading from a 1.2 version of Shorewall to a 1.3 version +and you have entries in the /etc/shorewall/hosts file then please check +your /etc/shorewall/interfaces file to be sure that it contains an entry +for each interface mentioned in the hosts file. Also, there are certain +1.2 rule forms that are no longer supported under 1.3 (you must use the +new 1.3 syntax). See the upgrade issues +for details. You can check your rules and host file for 1.3 compatibility +using the "shorewall check" command after installing the latest version +of 1.3.
+-
-- unpack the tarball (tar -zxf shorewall-x.y.z.tgz).
-- cd to the shorewall directory (the version is encoded in the - directory name as in "shorewall-3.0.1").
-- If you are using Caldera, RedHat, - Mandrake, Corel, - Slackware or - Debian - then type "./install.sh"
-- If you are using SuSe then type - "./install.sh /etc/init.d"
-- If your distribution has directory - /etc/rc.d/init.d or /etc/init.d then type - "./install.sh"
-- For other distributions, determine where your - distribution installs init scripts and type - "./install.sh <init script directory>
-- See if there are any incompatibilities between your configuration and the - new Shorewall version (type "shorewall check") and correct as necessary.
-- Restart the firewall by typing "shorewall restart"
+- unpack the tarball (tar -zxf shorewall-x.y.z.tgz).
+- cd to the shorewall directory (the version is encoded in the + directory name as in "shorewall-3.0.1").
+- If you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian then type "./install.sh"
+- If you are using SuSe then type + "./install.sh /etc/init.d"
+- If your distribution has directory /etc/rc.d/init.d or +/etc/init.d then type "./install.sh"
+- For other distributions, determine where your distribution +installs init scripts and type "./install.sh <init script +directory>
+- See if there are any incompatibilities between your configuration +and the new Shorewall version (type "shorewall check") and correct as +necessary.
+- Restart the firewall by typing "shorewall restart"
+Configuring Shorewall
-You will need to edit some or all of these configuration files to match your -setup. In most cases, the Shorewall -QuickStart Guides contain all of the information you need.
+ +Configuring Shorewall
+ +You will need to edit some or all of these configuration files to match +your setup. In most cases, the Shorewall + QuickStart Guides contain all of the information you need.
+-
-- /etc/shorewall/shorewall.conf - used to set several firewall - parameters.
-- /etc/shorewall/params - use this file to set shell variables that you will - expand in other files.
-- /etc/shorewall/zones - partition the firewall's view of the world - into zones.
-- /etc/shorewall/policy - establishes firewall high-level policy.
-- /etc/shorewall/interfaces - describes the interfaces on the - firewall system.
-- /etc/shorewall/hosts - allows defining zones in terms of individual +
- /etc/shorewall/shorewall.conf - used to set several firewall + parameters.
+- /etc/shorewall/params - use this file to set shell variables that +you will expand in other files.
+- /etc/shorewall/zones - partition the firewall's view of the world + into zones.
+- /etc/shorewall/policy - establishes firewall high-level policy.
+- /etc/shorewall/interfaces - describes the interfaces on the + firewall system.
+- /etc/shorewall/hosts - allows defining zones in terms of individual hosts and subnetworks.
-- /etc/shorewall/masq - directs the firewall where to use many-to-one +
- /etc/shorewall/masq - directs the firewall where to use many-to-one (dynamic) NAT a.k.a. Masquerading.
-- /etc/shorewall/modules - directs the firewall to load kernel modules.
-- /etc/shorewall/rules - defines rules that are exceptions to the - overall policies established in /etc/shorewall/policy.
-- /etc/shorewall/nat - defines static NAT rules.
-- /etc/shorewall/proxyarp - defines use of Proxy ARP.
-- /etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts - accessible when Shorewall is stopped.
-- /etc/shorewall/tcrules - defines marking of packets for later use by - traffic control/shaping.
-- /etc/shorewall/tos - defines rules for setting the TOS field in packet +
- /etc/shorewall/modules - directs the firewall to load kernel modules.
+- /etc/shorewall/rules - defines rules that are exceptions to the + overall policies established in /etc/shorewall/policy.
+- /etc/shorewall/nat - defines static NAT rules.
+- /etc/shorewall/proxyarp - defines use of Proxy ARP.
+- /etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines +hosts accessible when Shorewall is stopped.
+- /etc/shorewall/tcrules - defines marking of packets for later use +by traffic control/shaping.
+- /etc/shorewall/tos - defines rules for setting the TOS field in packet headers.
-- /etc/shorewall/tunnels - defines IPSEC tunnels with end-points on - the firewall system.
-- /etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.
+- /etc/shorewall/tunnels - defines IPSEC tunnels with end-points on + the firewall system.
+- /etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.
+Updated 9/13/2002 - Tom -Eastep
-Copyright -© 2001, 2002 Thomas M. Eastep.
- - \ No newline at end of file + +Updated 10/9/2002 - Tom Eastep +
+ +Copyright + © 2001, 2002 Thomas M. Eastep.
+
+ +