Version 1.3.9b

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@290 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-10-09 15:47:48 +00:00
parent ad21569d2a
commit 53d582d396
16 changed files with 3710 additions and 3479 deletions

View File

@ -29,7 +29,7 @@
</tbody>
</table>
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've looked
everywhere and can't find <b>how to do it</b>.</a></p>
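Review bot: the doubled "my my personal PC" in the FAQ 1 index entry (the `port</b> 7777 to my my personal PC` line) survives the rewrap unchanged; since the line is being touched anyway, drop the extra "my" here and in the FAQ 1 heading further down, which repeats the same sentence with the same typo.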
@ -37,31 +37,31 @@
but it doesn't work.</a></p>
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local
network. <b>External clients can browse</b> http://www.mydomain.com but <b>internal
clients can't</b>.</a></p>
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local
network. <b>External clients can browse</b> http://www.mydomain.com but <b>internal
clients can't</b>.</a></p>
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses to hosts
in Z. Hosts in Z cannot communicate with each other using their external
in Z. Hosts in Z cannot communicate with each other using their external
(non-RFC1918 addresses) so they <b>can't access each other using their DNS
names.</b></a></p>
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN
Messenger </b>with Shorewall. What do I do?</a></p>
Messenger </b>with Shorewall. What do I do?</a></p>
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
to check my firewall and it shows <b>some ports as 'closed' rather than 'blocked'.</b>
Why?</a></p>
to check my firewall and it shows <b>some ports as 'closed' rather than
'blocked'.</b> Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
of my firewall and it showed 100s of ports as open!!!!</a></p>
<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now
I <b> can't ping</b> through the firewall</a></p>
I <b> can't ping</b> through the firewall</a></p>
<p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b>
written and  how do I <b>change the destination</b>?</a></p>
written and how do I <b>change the destination</b>?</a></p>
<p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b>
that work with Shorewall?</a></p>
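Review bot: the index entry for FAQ 2a links to href="#faq3", which is the anchor of FAQ 3 (Netmeeting/MSN Messenger), not of the question it describes; the 2a heading later in the file is `<a name="faq2a">`, so the link should be href="#faq2a". The wrong target is also in the removed line, so it is pre-existing, but this hunk rewraps the entry and is the natural place to fix it.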
@ -71,13 +71,13 @@ I <b> can't ping</b> through the firewall</a></p>
work?</a></p>
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
on RedHat 7.x</b>, I get messages about insmod failing -- what's wrong?</a></p>
on RedHat 7.x</b>, I get messages about insmod failing -- what's wrong?</a></p>
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
my interfaces </b>properly?</a></p>
my interfaces </b>properly?</a></p>
<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does
it work with?</a></p>
it work with?</a></p>
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
support?</a></p>
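Review bot: the FAQ 9 index entry uses href="FAQ.htm#faq9" while every other entry in the list uses a bare fragment (href="#faq8", href="#faq10"); make it href="#faq9" for consistency. In the same hunk, the FAQ 11 entry targets href="#faq18", and the FAQ 11 heading later in this diff defines no anchor at all, so that link currently goes nowhere.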
@ -87,31 +87,32 @@ support?</a></p>
<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows me to configure/monitor it
but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface,
it also blocks the <b>cable modems web server</b></a>.</p>
and it has an internel web server that allows me to configure/monitor it
but as expected if I enable <b> rfc1918 blocking</b> for my eth0 interface,
it also blocks the <b>cable modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
1918 filtering on my external interface, <b>my DHCP client cannot renew its
lease</b>.</a></p>
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
RFC 1918 filtering on my external interface, <b>my DHCP client cannot renew
its lease</b>.</a></p>
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
out to the net</b></a></p>
out to the net</b></a></p>
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
all over my console</b> making it unusable!</a></p>
<hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
my my personal PC with IP address 192.168.1.5. I've looked everywhere and
can't find how to do it.</h4>
my my personal PC with IP address 192.168.1.5. I've looked everywhere and
can't find how to do it.</h4>
<p align="left"><b>Answer: </b>The <a
href="Documentation.htm#PortForward"> first example</a> in the <a
href="Documentation.htm#Rules">rules file documentation</a> shows how to
do port forwarding under Shorewall. Assuming that you have a dynamic external
IP address, the format of a port-forwarding rule to a local system is as follows:</p>
do port forwarding under Shorewall. Assuming that you have a dynamic external
IP address, the format of a port-forwarding rule to a local system is as
follows:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
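Review bot: "internel web server" in the FAQ 14 index entry is a typo for "internal" (the FAQ 14 heading further down already spells it correctly), and "cable modems web server" wants an apostrophe ("cable modem's"); both lines are rewrapped in this hunk, so fix the wording in the same change rather than carrying the typos forward.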
@ -132,8 +133,10 @@ IP address, the format of a port-forwarding rule to a local system is as follows
<td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td>
<td> </td>
<td> </td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
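Review bot: the empty cells in this rule-table hunk change from `<td> </td>` to `<td> <br></td>`, which is editor noise from the reflow rather than an intended edit; it is harmless when rendered, but the same pattern is repeated in every table below, so the real content changes in this commit (for example the new rfc1918 note in FAQ 14) are buried among whitespace-only hunks. Consider stripping the inserted `<br>` tags, or at least landing the reformat and the content edits as separate commits.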
@ -141,7 +144,7 @@ IP address, the format of a port-forwarding rule to a local system is as follows
</blockquote>
<p align="left">So to forward UDP port 7777 to internal system 192.168.1.5,
the rule is:</p>
the rule is:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -162,8 +165,10 @@ the rule is:</p>
<td>loc:192.168.1.5</td>
<td>udp</td>
<td>7777</td>
<td> </td>
<td> </td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
@ -205,32 +210,33 @@ address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</
</blockquote>
<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions
but it doesn't work</h4>
but it doesn't work</h4>
<p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
<ul>
<li>You are trying to test from inside your firewall (no, that won't
work -- see <a href="#faq2">FAQ #2</a>).</li>
work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic problem with your local system such as an
incorrect default gateway configured (it should be set to the IP address
of your firewall's internal interface).</li>
incorrect default gateway configured (it should be set to the IP address
of your firewall's internal interface).</li>
</ul>
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com
(IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients
can browse http://www.mydomain.com but internal clients can't.</h4>
(IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients
can browse http://www.mydomain.com but internal clients can't.</h4>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
<ul>
<li>Having an internet-accessible server in your local network is
like raising foxes in the corner of your hen house. If the server is compromised,
there's nothing between that server and your other internal systems.
For the cost of another NIC and a cross-over cable, you can put your
server in a DMZ such that it is isolated from your local systems - assuming
that the Server can be located near the Firewall, of course :-)</li>
<li>Having an internet-accessible server in your local network
is like raising foxes in the corner of your hen house. If the server is
compromised, there's nothing between that server and your other internal
systems. For the cost of another NIC and a cross-over cable, you can put
your server in a DMZ such that it is isolated from your local systems
- assuming that the Server can be located near the Firewall, of course
:-)</li>
<li>The accessibility problem is best solved using <a
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a> (or using
a separate DNS server for local clients) such that www.mydomain.com resolves
@ -241,8 +247,8 @@ I do here at shorewall.net for my local systems that use static NAT.</li>
<p align="left">If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your external interface is
eth0 and your internal interface is eth1 and that eth1 has IP address 192.168.1.254
with subnet 192.168.1.0/24, do the following:</p>
eth0 and your internal interface is eth1 and that eth1 has IP address 192.168.1.254
with subnet 192.168.1.0/24, do the following:</p>
<p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
for eth1.</p>
@ -281,13 +287,13 @@ with subnet 192.168.1.0/24, do the following:</p>
</div>
<div align="left">
<pre align="left"> <font face="Courier">DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254</font></pre>
<pre align="left"> <font face="Courier">DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254</font></pre>
</div>
<div align="left">
<p align="left">That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and are running Shorewall 1.3.4
or later then include this in /etc/shorewall/params:</p>
IP address. If you have a dynamic IP address and are running Shorewall
1.3.4 or later then include this in /etc/shorewall/params:</p>
</div>
<div align="left">
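Review bot: the DNAT rule line sits inside a `<pre>` block, where whitespace is significant, and the reflow collapses the column-aligning runs of spaces in `DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254` into single spaces, so the example now renders as one run-together line instead of the aligned columns of the rules file. Restore the original spacing, or present the rule as a table like the other examples on the page. The same collapse happens to the `dmz    dmz    ACCEPT` policy line in the FAQ 2a hunk below.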
@ -334,17 +340,17 @@ or later then include this in /etc/shorewall/params:</p>
</div>
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
subnet and I use static NAT to assign non-RFC1918 addresses to hosts in Z.
Hosts in Z cannot communicate with each other using their external (non-RFC1918
addresses) so they can't access each other using their DNS names.</h4>
subnet and I use static NAT to assign non-RFC1918 addresses to hosts in Z.
Hosts in Z cannot communicate with each other using their external (non-RFC1918
addresses) so they can't access each other using their DNS names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both external and internal clients
to access a NATed host using the host's DNS name.</p>
using Bind Version 9 "views". It allows both external and internal clients
to access a NATed host using the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses
and can be accessed externally and internally using the same address. </p>
and can be accessed externally and internally using the same address. </p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
traffic through your firewall then:</p>
@ -398,7 +404,8 @@ traffic through your firewall then:</p>
<td>dmz</td>
<td>dmz</td>
<td>ACCEPT</td>
<td> </td>
<td> <br>
</td>
</tr>
</tbody>
@ -406,7 +413,7 @@ traffic through your firewall then:</p>
</blockquote>
<div align="left">
<pre align="left"> dmz    dmz    ACCEPT</pre>
<pre align="left"> dmz dmz ACCEPT</pre>
</div>
<p align="left">In /etc/shorewall/masq:</p>
@ -423,7 +430,8 @@ traffic through your firewall then:</p>
<tr>
<td width="93">eth2</td>
<td width="31">192.168.2.0/24</td>
<td width="120"> </td>
<td width="120"> <br>
</td>
</tr>
</tbody>
@ -431,46 +439,46 @@ traffic through your firewall then:</p>
</blockquote>
<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting/MSN Messenger
with Shorewall. What do I do?</h4>
with Shorewall. What do I do?</h4>
<p align="left"><b>Answer: </b>There is an <a
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
tracking/NAT module</a> that may help. Also check the Netfilter mailing list
archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
</p>
tracking/NAT module</a> that may help. Also check the Netfilter mailing list
archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>.
</p>
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
to check my firewall and it shows some ports as 'closed' rather than 'blocked'.
to check my firewall and it shows some ports as 'closed' rather than 'blocked'.
Why?</h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
always rejects connection requests on TCP port 113 rather than dropping
them. This is necessary to prevent outgoing connection problems to services
that use the 'Auth' mechanism for identifying requesting users. Shorewall
also rejects TCP ports 135, 137 and 139 as well as UDP ports 137-139. These
are ports that are used by Windows (Windows <u>can</u> be configured to
use the DCE cell locator on port 135). Rejecting these connection requests
rather than dropping them cuts down slightly on the amount of Windows chatter
on LAN segments connected to the Firewall. </p>
always rejects connection requests on TCP port 113 rather than dropping
them. This is necessary to prevent outgoing connection problems to services
that use the 'Auth' mechanism for identifying requesting users. Shorewall
also rejects TCP ports 135, 137 and 139 as well as UDP ports 137-139.
These are ports that are used by Windows (Windows <u>can</u> be configured
to use the DCE cell locator on port 135). Rejecting these connection requests
rather than dropping them cuts down slightly on the amount of Windows
chatter on LAN segments connected to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably
your ISP preventing you from running a web server in violation of your
Service Agreement.</p>
your ISP preventing you from running a web server in violation of your
Service Agreement.</p>
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
firewall and it showed 100s of ports as open!!!!</h4>
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
section about UDP scans. If nmap gets <b>nothing</b> back from your firewall
then it reports the port as open. If you want to see which UDP ports are
really open, temporarily change your net-&gt;all policy to REJECT, restart
Shorewall and do the nmap UDP scan again.</p>
section about UDP scans. If nmap gets <b>nothing</b> back from your firewall
then it reports the port as open. If you want to see which UDP ports are
really open, temporarily change your net-&gt;all policy to REJECT, restart
Shorewall and do the nmap UDP scan again.</p>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
can't ping through the firewall</h4>
can't ping through the firewall</h4>
<p align="left"><b>Answer: </b>If you want your firewall to be totally open
for "ping": </p>
for "ping": </p>
<p align="left">a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.<br>
b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
@ -478,24 +486,24 @@ for "ping": </p>
<blockquote>
<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request
-j ACCEPT </p>
-j ACCEPT </p>
</blockquote>
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
and  how do I change the destination?</h4>
and how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
(see "man openlog") and you get to choose the log level (again, see "man
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
href="Documentation.htm#Rules">rules</a>. The destination for messaged logged
by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). When
you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat
href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat
system, "service syslog restart"). </p>
<p align="left">By default, older versions of Shorewall ratelimited log messages
through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf
-- If you want to log all messages, set: </p>
through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewall.conf
-- If you want to log all messages, set: </p>
<div align="left">
<pre align="left"> LOGLIMIT=""<br> LOGBURST=""</pre>
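Review bot: "The destination for messaged logged by syslog" in the FAQ 6 answer should read "messages logged"; the typo is carried through the rewrap unchanged. Also, the `LOGLIMIT=""` / `LOGBURST=""` setting the answer recommends disables the rate limiting that the text says older versions applied by default, so one clause on the trade-off (every dropped packet then produces its own log line) would help a reader decide whether they really want all messages.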
@ -505,7 +513,7 @@ through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewal
with Shorewall?</h4>
<p align="left"><b>Answer: </b>Here are several links that may be helpful:
</p>
</p>
<blockquote>
<p align="left"><a
@ -518,21 +526,21 @@ through <a href="Documentation.htm#Conf">settings</a> in /etc/shorewall/shorewal
stop', I can't connect to anything. Why doesn't that command work?</h4>
<p align="left">The 'stop' command is intended to place your firewall into
a safe state whereby only those interfaces/hosts having the 'routestopped'
option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated.
If you want to totally open up your firewall, you must use the 'shorewall
clear' command. </p>
a safe state whereby only those interfaces/hosts having the 'routestopped'
option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated.
If you want to totally open up your firewall, you must use the 'shorewall
clear' command. </p>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat
7.x, I get messages about insmod failing -- what's wrong?</h4>
<p align="left"><b>Answer: </b>The output you will see looks something like
this:</p>
this:</p>
<pre> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy<br> Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters<br> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod<br> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed<br> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed<br> iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)<br> Perhaps iptables or your kernel needs to be upgraded.</pre>
<p align="left">This is usually cured by the following sequence of commands:
</p>
</p>
<div align="left">
<pre align="left"> service ipchains stop<br> chkconfig --delete ipchains<br> rmmod ipchains</pre>
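Review bot: the FAQ 7 answer paragraph ("The 'stop' command is intended to place your firewall into a safe state...") is the only answer in the file that lacks the `<b>Answer: </b>` lead used by every other FAQ; add it while the paragraph is being rewrapped here.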
@ -540,13 +548,14 @@ this:</p>
<div align="left">
<p align="left">Also, be sure to check the <a href="errata.htm">errata</a>
for problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</p>
for problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</p>
</div>
<h4 align="left">
<h4 align="left"> </h4>
<h4 align="left"><a name="faq9"></a>9. Why can't Shorewall detect my interfaces
properly?</h4>
</h4>
properly?</h4>
<p align="left">I just installed Shorewall and when I issue the start command,
I see the following:</p>
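Review bot: the old unbalanced `<h4 align="left">` / stray `</h4>` around the FAQ 9 heading is repaired, but the replacement `<h4 align="left"> </h4>` is an empty heading that only adds vertical space; delete it so the faq9 heading follows the errata paragraph directly.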
@ -573,7 +582,7 @@ properly?</h4>
<h4 align="left">11. What Features does it have?</h4>
<p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall
Feature List</a>.</p>
Feature List</a>.</p>
<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
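Review bot: the FAQ 11 heading `<h4 align="left">11. What Features does it have?</h4>` defines no `<a name>` anchor, while the index entry links to href="#faq18" and reads "What features does it support?"; add an anchor (the faq11 naming the other headings follow), point the index entry at it, and make the two wordings agree.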
@ -586,17 +595,17 @@ them when the authors feel that they are ready. </p>
<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
(<a href="http://www.cityofshoreline.com">the city where I live</a>)
and "Fire<u>wall</u>".</p>
(<a href="http://www.cityofshoreline.com">the city where I live</a>)
and "Fire<u>wall</u>".</p>
<h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem
and it has an internal web server that allows me to configure/monitor it
but as expected if I enable rfc1918 blocking for my eth0 interface (the internet
one), it also blocks the cable modems web server.</h4>
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
and it has an internal web server that allows me to configure/monitor it
but as expected if I enable rfc1918 blocking for my eth0 interface (the
internet one), it also blocks the cable modems web server.</h4>
<p align="left">Is there any way it can add a rule before the rfc1918 blocking
that will let all traffic to and from the 192.168.100.1 address of the modem
in/out but still block all other rfc1918 addresses.</p>
that will let all traffic to and from the 192.168.100.1 address of the modem
in/out but still block all other rfc1918 addresses.</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
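Review bot: the follow-up paragraph in FAQ 14 ("Is there any way it can add a rule before the rfc1918 blocking ... but still block all other rfc1918 addresses.") is a question and should end with "?"; and "cable modems web server" in the rewrapped heading wants an apostrophe, as it does in the index entry.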
@ -630,7 +639,41 @@ than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
</div>
<div align="left">
<p align="left">Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.</p>
<p align="left">Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.<br>
</p>
<p align="left">Note: If you add a second IP address to your external firewall
interface to correspond to the modem address, you must also make an entry
in /etc/shorewall/rfc1918 for that address. For example, if you configure
the address 192.168.100.2 on your firewall, then you would add two entries
to /etc/shorewall/rfc1918: <br>
</p>
<blockquote>
<table cellpadding="2" border="1" style="border-collapse: collapse;">
<tbody>
<tr>
<td valign="top"><u><b>SUBNET</b></u><br>
</td>
<td valign="top"><u><b>TARGET</b></u><br>
</td>
</tr>
<tr>
<td valign="top">192.168.100.1<br>
</td>
<td valign="top">RETURN<br>
</td>
</tr>
<tr>
<td valign="top">192.168.100.2<br>
</td>
<td valign="top">RETURN<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
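Review bot: the new note about adding a second address to the external interface gives a two-row rfc1918 example (192.168.100.1 RETURN, 192.168.100.2 RETURN) but does not restate that both rows must precede the 192.168.0.0/16 entry, which the sentence just above it ("Be sure that you add the entry ABOVE the entry for 192.168.0.0/16") makes a hard requirement; a reader who copies the table as shown and appends it after that entry gets RETURN rows that are never reached. Suggest either showing the 192.168.0.0/16 row as the last row of the example or ending the note with "both entries must be placed above the entry for 192.168.0.0/16". The `<br>` inserted at the end of the "Be sure that you add the entry ABOVE..." paragraph is editor noise and can be dropped.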
@ -646,17 +689,17 @@ lease.</h4>
</div>
<h4 align="left"><a name="faq15"></a>15. My local systems can't see out to
the net</h4>
the net</h4>
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
the net", I wonder where the poster bought computers with eyes and what those
computers will "see" when things are working properly. That aside, the most
common causes of this problem are:</p>
the net", I wonder where the poster bought computers with eyes and what
those computers will "see" when things are working properly. That aside,
the most common causes of this problem are:</p>
<ol>
<li>
<p align="left">The default gateway on each local system isn't set to
the IP address of the local firewall interface.</p>
the IP address of the local firewall interface.</p>
</li>
<li>
<p align="left">The entry for the local network in the /etc/shorewall/masq
@ -665,29 +708,27 @@ the IP address of the local firewall interface.</p>
<li>
<p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall and hasn't enabled UDP and
TCP port 53 from the firewall to the internet.</p>
TCP port 53 from the firewall to the internet.</p>
</li>
</ol>
<h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages
all over my console making it unusable!</h4>
all over my console making it unusable!</h4>
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
to your startup scripts or place it in /etc/shorewall/start. Under RedHat,
the max log level that is sent to the console is specified in /etc/sysconfig/init
in the LOGLEVEL variable.</p>
to your startup scripts or place it in /etc/shorewall/start. Under RedHat,
the max log level that is sent to the console is specified in /etc/sysconfig/init
in the LOGLEVEL variable.</p>
<div align="left">
<p align="left"></p>
</div>
<div align="left"> </div>
<p align="left"><font size="2">Last updated 9/23/2002 - <a
<p align="left"><font size="2">Last updated 10/8/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
</body>
</html>
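Review bot: the "Last updated" footer is bumped to 10/8/2002, but nothing in the commit message ("Version 1.3.9b") says what changed in this page; since the footer date is the only visible changelog the FAQ has, a one-line summary in the commit message (the new second-address rfc1918 note in FAQ 14, plus the whitespace reflow) would make this diff reviewable without reading every hunk.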

View File

@ -1,147 +1,176 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Installation and Upgrade</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"><b>Before upgrading, be sure to review the
<a href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p align="center"><b>Before upgrading, be sure to review the <a
href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install
using tarball</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade
using tarball</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<a href="#Install_Tarball">Install using tarball</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a shell
prompt, type &quot;/sbin/iptables --version&quot;), you must upgrade to version 1.2.4
either from the
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to version
1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a
conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this
happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps &lt;shorewall
rpm&gt;).</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration. <font color="#FF0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL THE RPM
AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE
FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing &quot;shorewall start&quot;</li>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports
a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed.
If this happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps
&lt;shorewall rpm&gt;).</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK
TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK
CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
</ul>
<p><a name="Install_Tarball"></a>To
install Shorewall using the tarball and install
script: </p>
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
and install script: </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-1.1.10&quot;).</li>
directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
<a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
<a href="http://www.slackware.com/">Slackware</a> or
<a href="http://www.debian.org">Debian</a>
then type &quot;./install.sh&quot;</li>
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;</li>
<li>If your distribution has directory
/etc/rc.d/init.d or /etc/init.d then type
&quot;./install.sh&quot;</li>
<li>For other distributions, determine where your
distribution installs init scripts and type
&quot;./install.sh &lt;init script directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration.</li>
<li>Start the firewall by typing &quot;shorewall
start&quot;</li>
<li>If the install script was unable to configure Shorewall to be started automatically at boot,
see <a href="Documentation.htm#Starting">these
instructions</a>.</li>
"./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d or
/etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be started
automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed and are upgrading to a new
version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you
have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for each
interface mentioned in the hosts file. Also, there are certain 1.2 rule forms
that are no longer supported under 1.3 (you must use the new 1.3 syntax). See
<a href="errata.htm#Upgrade">the upgrade issues </a>for details. You can check your rules and
host file for 1.3 compatibility using the &quot;shorewall check&quot; command after
installing the latest version of 1.3.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.3 (you must use the
new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
details. You can check your rules and host file for 1.3 compatibility using
the "shorewall check" command after installing the latest version of 1.3.</p>
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If you
are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
you must use the &quot;--oldpackage&quot; option to rpm (e.g., &quot;rpm
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm&quot;).
<p>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a
conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this
happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps &lt;shorewall
rpm&gt;).<br>
&nbsp;</li>
<li>See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
installed, you must use the "--oldpackage" option to rpm (e.g., "rpm
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br>
  </p>
</li>
<li>See if there are any incompatibilities between your configuration and
the new Shorewall version (type "shorewall check") and correct as necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and are upgrading to a new version
using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you
have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for each
interface mentioned in the hosts file.&nbsp; Also, there are certain 1.2 rule
forms that are no longer supported under 1.3 (you must use the new 1.3 syntax).
See <a href="errata.htm#Upgrade">the upgrade issues</a> for details. You can check your rules
and host file for 1.3 compatibility using the &quot;shorewall check&quot; command after
installing the latest version of 1.3.</p>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
and are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file.  Also, there are certain
1.2 rule forms that are no longer supported under 1.3 (you must use the
new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
for details. You can check your rules and host file for 1.3 compatibility
using the "shorewall check" command after installing the latest version
of 1.3.</p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-3.0.1&quot;).</li>
directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
<a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
<a href="http://www.slackware.com/">Slackware</a> or
<a href="http://www.debian.org">Debian</a>
then type &quot;./install.sh&quot;</li>
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;</li>
<li>If your distribution has directory
/etc/rc.d/init.d or /etc/init.d then type
&quot;./install.sh&quot;</li>
<li>For other distributions, determine where your
distribution installs init scripts and type
&quot;./install.sh &lt;init script directory&gt;</li>
<li>See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
<li>Restart the firewall by typing &quot;shorewall restart&quot;</li>
"./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d or
/etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
directory&gt;</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li>
</ul>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of these configuration files to match your
setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of these configuration files to match
your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that you will
expand in other files.</li>
<li>/etc/shorewall/params - use this file to set shell variables that
you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
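Review bot: the closing quote is missing on the "other distributions" install line in both the fresh-install list and the tarball-upgrade list (`"./install.sh &lt;init script directory&gt;</li>`); it should read `"./install.sh &lt;init script directory&gt;"` so the command is delimited like the ones above it. Two stale details are also carried over unchanged by the reflow: the tarball upgrade example names the unpacked directory "shorewall-3.0.1", which does not match the 1.3.x release this page documents, and the RPM note about 1.2.0 Beta packages and `--oldpackage` no longer applies to a 1.3.9b upgrade. The SuSE `--nodeps` advice would benefit from one sentence saying it only bypasses the spurious kernel &lt;= 2.2 conflict and that rpm then skips every dependency check, so an administrator should confirm iptables is actually installed rather than rely on rpm to catch it.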
@ -156,19 +185,23 @@ QuickStart Guides</a> contain all of the information you need.</p>
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use by
traffic control/shaping.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use
by traffic control/shaping.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
</ul>
<p><font size="2">Updated 9/13/2002 - <a href="support.htm">Tom
Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body></html>
</ul>
<p><font size="2">Updated 10/9/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>

View File

@ -6,6 +6,7 @@
content="text/html; charset=windows-1252">
<title>Shorewall News</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
@ -26,13 +27,21 @@
</tbody>
</table>
<p><b>9/30/2002 - Shorewall 1.3.9a</b></p>
Roles up the fix for broken tunnels.<br>
<p><b>10/9/2002 - Shorewall 1.3.9b</b></p>
This release rolls up fixes to the installer and to the firewall script.<br>
<p><b>10/6/2002 - Shorewall.net now running on RH8.0<br>
</b><br>
The firewall and server here at shorewall.net are now running RedHat release
8.0.<br>
<b><br>
9/30/2002 - Shorewall 1.3.9a</b></p>
Roles up the fix for broken tunnels.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b></p>
There is an updated firewall script at <a
There is an updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
-- copy that file to /usr/lib/shorewall/firewall.<br>
<p><b>9/28/2002 - Shorewall 1.3.9</b></p>
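Review bot: the typo "Roles up the fix for broken tunnels" is moved but not fixed in the 9/30/2002 entry; it should read "Rolls up". The new 1.3.9b entry also does not say that the tunnel fix is included, so a reader who continues to the "TUNNELS Broken in 1.3.9!!!" item still sees instructions to fetch an unversioned `firewall` script over plain FTP and copy it over /usr/lib/shorewall/firewall; since that file is the firewall's own control script, the errata text should state that 1.3.9a and later already contain the fix and, if the download link is kept, publish a checksum so an administrator can verify the file before installing it. Structurally, the 9/30 heading now sits inside the 10/6 paragraph (`<b><br>9/30/2002 - Shorewall 1.3.9a</b></p>`); give it its own `<p><b>...</b></p>` like every other entry.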
@ -41,15 +50,16 @@ There is an updated firewall script at <a
<ul>
<li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a>
are now allowed in Shorewall config files (although I recommend against
using them).</li>
<li>The connection SOURCE may now be qualified by both interface and
IP address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is now disabled after initial installation until
the file /etc/shorewall/startup_disabled is removed. This avoids nasty surprises
during reboot for users who install Shorewall but don't configure it.</li>
<li>The 'functions' and 'version' files and the 'firewall' symbolic link
have been moved from /var/lib/shorewall to /usr/lib/shorewall to appease
are now allowed in Shorewall config files (although I recommend against
using them).</li>
<li>The connection SOURCE may now be qualified by both interface
and IP address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is now disabled after initial installation
until the file /etc/shorewall/startup_disabled is removed. This avoids
nasty surprises during reboot for users who install Shorewall but don't configure
it.</li>
<li>The 'functions' and 'version' files and the 'firewall' symbolic
link have been moved from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br>
</li>
@ -75,8 +85,8 @@ using them).</li>
<p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
Restored<br>
</b></p>
A couple of recent configuration changes at www.shorewall.net had the
negative effect of breaking the Search facility:<br>
A couple of recent configuration changes at www.shorewall.net had
the negative effect of breaking the Search facility:<br>
<ol>
<li>Mailing List Archive Search was not available.</li>
@ -98,13 +108,13 @@ using them).</li>
</p>
<ul>
<li>A <a href="Documentation.htm#Conf">NEWNOTSYN</a> option has
been added to shorewall.conf. This option determines whether Shorewall
accepts TCP packets which are not part of an established connection and
that are not 'SYN' packets (SYN flag on and ACK flag off).</li>
<li>A <a href="Documentation.htm#Conf">NEWNOTSYN</a> option
has been added to shorewall.conf. This option determines whether Shorewall
accepts TCP packets which are not part of an established connection
and that are not 'SYN' packets (SYN flag on and ACK flag off).</li>
<li>The need for the 'multi' option to communicate between zones
za and zb on the same interface is removed in the case where the chain
'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:</li>
'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:</li>
<ul>
<li> There is a policy for za to zb; or </li>
@ -117,8 +127,8 @@ using them).</li>
<ul>
<li>The /etc/shorewall/blacklist file now contains three columns.
In addition to the SUBNET/ADDRESS column, there are optional PROTOCOL
and PORT columns to block only certain applications from the blacklisted
addresses.<br>
and PORT columns to block only certain applications from the blacklisted
addresses.<br>
</li>
</ul>
@ -175,7 +185,7 @@ addresses.<br>
<ul>
<li>The 'icmp.def' file is now empty! The rules in that file
were required in ipchains firewalls but are not required in Shorewall.
were required in ipchains firewalls but are not required in Shorewall.
Users who have ALLOWRELATED=No in <a
href="Documentation.htm#Conf">shorewall.conf</a> should see the <a
href="errata.htm#Upgrade">Upgrade Issues</a>.</li>
@ -189,7 +199,7 @@ were required in ipchains firewalls but are not required in Shorewall.
to the rfc1918 file.</li>
<li>Shorewall now works with iptables 1.2.7</li>
<li>The documentation and web site no longer uses FrontPage
themes.</li>
themes.</li>
</ul>
@ -207,7 +217,8 @@ the Frontpage files have been removed.</p>
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></b></p>
<p>This branch will only be updated after I release a new version of Shorewall
so you can always update from this branch to get the latest stable tree.</p>
so you can always update from this branch to get the latest stable
tree.</p>
<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section added
to the <a href="errata.htm">Errata Page</a></b></p>
@ -221,15 +232,15 @@ the Frontpage files have been removed.</p>
<ul>
<li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart
Guides </a> including the <a href="shorewall_setup_guide.htm">Shorewall
Setup Guide.</a></li>
<li>Shorewall will now DROP TCP packets that are not part of
or related to an existing connection and that are not SYN packets. These
"New not SYN" packets may be optionally logged by setting the LOGNEWNOTSYN
option in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
Guides </a> including the <a
href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></li>
<li>Shorewall will now DROP TCP packets that are not part
of or related to an existing connection and that are not SYN packets.
These "New not SYN" packets may be optionally logged by setting the
LOGNEWNOTSYN option in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li>The processing of "New not SYN" packets may be extended
by commands in the new <a href="shorewall_extension_scripts.htm">newnotsyn
extension script</a>.</li>
by commands in the new <a
href="shorewall_extension_scripts.htm">newnotsyn extension script</a>.</li>
</ul>
@ -238,10 +249,10 @@ by commands in the new <a href="shorewall_extension_scripts.htm">newnots
<p>This interim release:</p>
<ul>
<li>Causes the firewall script to remove the lock file if it
is killed.</li>
<li>Once again allows lists in the second column of the <a
href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file.</li>
<li>Causes the firewall script to remove the lock file if
it is killed.</li>
<li>Once again allows lists in the second column of the
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file.</li>
<li>Includes the latest <a
href="shorewall_quickstart_guide.htm">QuickStart Guides</a>.</li>
@ -254,7 +265,7 @@ is killed.</li>
The guide is intended for use by people who are setting up Shorewall
to manage multiple public IP addresses and by people who want to learn
more about Shorewall than is described in the single-address guides.
Feedback on the new guide is welcome.</p>
Feedback on the new guide is welcome.</p>
<p><b>7/28/2002 - Shorewall 1.3.5 Debian Package Available</b></p>
@ -275,7 +286,7 @@ Feedback on the new guide is welcome.</p>
<ul>
<li>Empty and invalid source and destination qualifiers are
now detected in the rules file. It is a good idea to use the 'shorewall
now detected in the rules file. It is a good idea to use the 'shorewall
check' command before you issue a 'shorewall restart' command be
be sure that you don't have any configuration problems that will
prevent a successful restart.</li>
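Review bot: "before you issue a 'shorewall restart' command be be sure" has a duplicated word that the reflow preserves; change it to "to be sure".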
@ -289,8 +300,8 @@ prevent a successful restart.</li>
This option facilitates Proxy ARP sub-netting as described in the Proxy
ARP subnetting mini-HOWTO (<a
href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>).
Specifying the proxyarp option for an interface causes Shorewall to
set /proc/sys/net/ipv4/conf/&lt;interface&gt;/proxy_arp.</li>
Specifying the proxyarp option for an interface causes Shorewall
to set /proc/sys/net/ipv4/conf/&lt;interface&gt;/proxy_arp.</li>
<li>The Samples have been updated to reflect the new capabilities
in this release. </li>
@ -307,21 +318,21 @@ prevent a successful restart.</li>
<ul>
<li>A new <a href="Documentation.htm#Routestopped"> /etc/shorewall/routestopped</a>
file has been added. This file is intended to eventually replace the
<b>routestopped</b> option in the /etc/shorewall/interface and
/etc/shorewall/hosts files. This new file makes remote firewall administration
easier by allowing any IP or subnet to be enabled while Shorewall is
stopped.</li>
file has been added. This file is intended to eventually replace
the <b>routestopped</b> option in the /etc/shorewall/interface
and /etc/shorewall/hosts files. This new file makes remote firewall
administration easier by allowing any IP or subnet to be enabled while
Shorewall is stopped.</li>
<li>An /etc/shorewall/stopped <a
href="Documentation.htm#Scripts">extension script</a> has been added.
This script is invoked after Shorewall has stopped.</li>
<li>A <b>DETECT_DNAT_ADDRS </b>option has been added to <a
href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf</a>. When this
option is selected, DNAT rules only apply when the destination address
is the external interface's primary IP address.</li>
<li>A <b>DETECT_DNAT_ADDRS </b>option has been added to
<a href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf</a>. When
this option is selected, DNAT rules only apply when the destination
address is the external interface's primary IP address.</li>
<li>The <a href="shorewall_quickstart_guide.htm">QuickStart
Guide</a> has been broken into three guides and has been almost entirely
rewritten.</li>
Guide</a> has been broken into three guides and has been almost
entirely rewritten.</li>
<li>The Samples have been updated to reflect the new capabilities
in this release. </li>
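Review bot: two path typos survive the reflow in this hunk: `/etc/shoreall/shorewall.conf` in the DETECT_DNAT_ADDRS item should be `/etc/shorewall/shorewall.conf`, and "/etc/shorewall/interface" in the routestopped item should be "/etc/shorewall/interfaces", the file name used elsewhere on the page.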
@ -340,15 +351,15 @@ rewritten.</li>
<li>Entries in /etc/shorewall/interface that use the wildcard
character ("+") now have the "multi" option assumed.</li>
<li>The 'rfc1918' chain in the mangle table has been renamed
'man1918' to make log messages generated from that chain distinguishable
from those generated by the 'rfc1918' chain in the filter table.</li>
'man1918' to make log messages generated from that chain distinguishable
from those generated by the 'rfc1918' chain in the filter table.</li>
<li>Interface names appearing in the hosts file are now validated
against the interfaces file.</li>
<li>The TARGET column in the rfc1918 file is now checked for
correctness.</li>
<li>The chain structure in the nat table has been changed to
reduce the number of rules that a packet must traverse and to correct
problems with NAT_BEFORE_RULES=No</li>
correctness.</li>
<li>The chain structure in the nat table has been changed
to reduce the number of rules that a packet must traverse and to
correct problems with NAT_BEFORE_RULES=No</li>
<li>The "hits" command has been enhanced.</li>
</ul>
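Review bot: the unchanged context line "Entries in /etc/shorewall/interface that use the wildcard character" has the same file-name slip; it should be "/etc/shorewall/interfaces".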
@ -376,12 +387,12 @@ problems with NAT_BEFORE_RULES=No</li>
<ul>
<li>A <a href="Documentation.htm#Starting">logwatch command</a>
has been added to /sbin/shorewall.</li>
<li>A <a href="blacklisting_support.htm">dynamic blacklist facility</a>
has been added.</li>
<li>A <a href="blacklisting_support.htm">dynamic blacklist
facility</a> has been added.</li>
<li>Support for the <a href="Documentation.htm#Conf">Netfilter
multiport match function</a> has been added.</li>
<li>The files <b>firewall, functions </b>and <b>version</b>
have been moved from /etc/shorewall to /var/lib/shorewall.</li>
have been moved from /etc/shorewall to /var/lib/shorewall.</li>
</ul>
@ -402,8 +413,8 @@ copying tools like HTTrack and WebStripper. These mindless tools:</p>
<p>These tools/weapons are particularly damaging when combined with CVS Web
because they doggedly follow every link in the cgi-generated HTML resulting
in 1000s of executions of the cvsweb.cgi script. Yesterday, I spend
several hours implementing measures to block these tools but unfortunately,
these measures resulted in my server OOM-ing under even moderate load.</p>
several hours implementing measures to block these tools but unfortunately,
these measures resulted in my server OOM-ing under even moderate load.</p>
<p>Until I have the time to understand the cause of the OOM (or until I buy
more RAM if that is what is required), CVS Web access will remain Password
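Review bot: "Yesterday, I spend several hours" should be "spent"; the reflow leaves the tense error in place.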
@ -426,9 +437,9 @@ these measures resulted in my server OOM-ing under even moderate load.</p>
<ul>
<li>Corrects a serious problem with "all <i>&lt;zone&gt;</i>
CONTINUE" policies. This problem is present in all versions of Shorewall
that support the CONTINUE policy. These previous versions optimized
away the "all2<i>&lt;zone&gt;</i>" chain and replaced it with the "all2all"
CONTINUE" policies. This problem is present in all versions of Shorewall
that support the CONTINUE policy. These previous versions optimized
away the "all2<i>&lt;zone&gt;</i>" chain and replaced it with the "all2all"
chain with the usual result that a policy of REJECT was enforced rather
than the intended CONTINUE policy.</li>
<li>Adds an <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</a>
@ -455,8 +466,8 @@ away the "all2<i>&lt;zone&gt;</i>" chain and replaced it with the "all2all
incorporates the following:</p>
<ul>
<li>Support for the /etc/shorewall/whitelist file has been withdrawn.
If you need whitelisting, see <a
<li>Support for the /etc/shorewall/whitelist file has been
withdrawn. If you need whitelisting, see <a
href="/1.3/whitelisting_under_shorewall.htm">these instructions</a>.</li>
</ul>
@ -468,11 +479,11 @@ away the "all2<i>&lt;zone&gt;</i>" chain and replaced it with the "all2all
<ul>
<li>The structure of the firewall is changed markedly. There
is now an INPUT and a FORWARD chain for each interface; this reduces
is now an INPUT and a FORWARD chain for each interface; this reduces
the number of rules that a packet must traverse, especially in complicated
setups.</li>
<li><a href="Documentation.htm#Exclude">Sub-zones may now be
excluded from DNAT and REDIRECT rules.</a></li>
<li><a href="Documentation.htm#Exclude">Sub-zones may now
be excluded from DNAT and REDIRECT rules.</a></li>
<li>The names of the columns in a number of the configuration
files have been changed to be more consistent and self-explanatory
and the documentation has been updated accordingly.</li>
@ -486,15 +497,15 @@ excluded from DNAT and REDIRECT rules.</a></li>
features:</p>
<ul>
<li>Simplified rule syntax which makes the intent of each rule
clearer and hopefully makes Shorewall easier to learn.</li>
<li>Upward compatibility with 1.2 configuration files has been
maintained so that current users can migrate to the new syntax at
their convenience.</li>
<li><b><font color="#cc6666">WARNING:  Compatibility with the
old parameterized sample configurations has NOT been maintained. Users
still running those configurations should migrate to the new sample
configurations before upgrading to 1.3 Beta 1.</font></b></li>
<li>Simplified rule syntax which makes the intent of each
rule clearer and hopefully makes Shorewall easier to learn.</li>
<li>Upward compatibility with 1.2 configuration files has
been maintained so that current users can migrate to the new syntax
at their convenience.</li>
<li><b><font color="#cc6666">WARNING:  Compatibility with
the old parameterized sample configurations has NOT been maintained.
Users still running those configurations should migrate to the new
sample configurations before upgrading to 1.3 Beta 1.</font></b></li>
</ul>
@ -504,16 +515,16 @@ their convenience.</li>
<ul>
<li><a href="Documentation.htm#Whitelist">White-listing</a>
is supported.</li>
is supported.</li>
<li><a href="Documentation.htm#Policy">SYN-flood protection
</a>is added.</li>
<li>IP addresses added under <a
href="Documentation.htm#Conf">ADD_IP_ALIASES and ADD_SNAT_ALIASES</a>
now inherit the VLSM and Broadcast Address of the interface's primary
IP address.</li>
now inherit the VLSM and Broadcast Address of the interface's primary
IP address.</li>
<li>The order in which port forwarding DNAT and Static DNAT
<a href="Documentation.htm#Conf">can now be reversed</a> so that port
forwarding rules can override the contents of <a
<a href="Documentation.htm#Conf">can now be reversed</a> so that
port forwarding rules can override the contents of <a
href="Documentation.htm#NAT"> /etc/shorewall/nat</a>. </li>
</ul>
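Review bot: "The order in which port forwarding DNAT and Static DNAT can now be reversed" is missing its verb; "The order in which port forwarding DNAT and Static DNAT are applied can now be reversed" reads correctly.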
@ -562,17 +573,17 @@ Unstable Branch</a></li>
<p>In this version:</p>
<ul>
<li>The 'try' command now accepts an optional timeout. If the
timeout is given in the command, the standard configuration will
automatically be restarted after the new configuration has been running
for that length of time. This prevents a remote admin from being locked
out of the firewall in the case where the new configuration starts
but prevents access.</li>
<li>The 'try' command now accepts an optional timeout. If
the timeout is given in the command, the standard configuration
will automatically be restarted after the new configuration has been
running for that length of time. This prevents a remote admin from
being locked out of the firewall in the case where the new configuration
starts but prevents access.</li>
<li>Kernel route filtering may now be enabled globally using
the new ROUTE_FILTER parameter in <a
the new ROUTE_FILTER parameter in <a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Individual IP source addresses and/or subnets may now be
excluded from masquerading/SNAT.</li>
<li>Individual IP source addresses and/or subnets may now
be excluded from masquerading/SNAT.</li>
<li>Simple "Yes/No" and "On/Off" values are now case-insensitive
in /etc/shorewall/shorewall.conf.</li>
@ -600,9 +611,9 @@ excluded from masquerading/SNAT.</li>
<p><b>4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available</b></p>
<p><a href="shorewall_quickstart_guide.htm">Version 1.0 of the QuickStart
Guide</a> is now available. This Guide and its accompanying sample configurations
are expected to provide a replacement for the recently withdrawn parameterized
samples. </p>
Guide</a> is now available. This Guide and its accompanying sample
configurations are expected to provide a replacement for the recently
withdrawn parameterized samples. </p>
<p><b>4/8/2002 - Parameterized Samples Withdrawn </b></p>
@ -652,12 +663,12 @@ Unstable Distribution</a>.</li>
<li>A "shorewall try" command has been added (syntax: shorewall
try <i> &lt;configuration directory&gt;</i>). This command attempts
"shorewall -c <i> &lt;configuration directory&gt;</i> start" and if
that results in the firewall being stopped due to an error, a "shorewall
start" command is executed. The 'try' command allows you to create
that results in the firewall being stopped due to an error, a "shorewall
start" command is executed. The 'try' command allows you to create
a new <a href="Documentation.htm#Configs"> configuration</a> and attempt
to start it; if there is an error that leaves your firewall in the
stopped state, it will automatically be restarted using the default
configuration (in /etc/shorewall).</li>
to start it; if there is an error that leaves your firewall in the
stopped state, it will automatically be restarted using the default
configuration (in /etc/shorewall).</li>
<li>A new variable ADD_SNAT_ALIASES has been added to <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>. If this
variable is set to "Yes", Shorewall will automatically add IP addresses
@ -714,12 +725,13 @@ configuration (in /etc/shorewall).</li>
<ul>
<li>UPnP probes (UDP destination port 1900) are now silently
dropped in the <i>common</i> chain</li>
dropped in the <i>common</i> chain</li>
<li>RFC 1918 checking in the mangle table has been streamlined
to no longer require packet marking. RFC 1918 checking in the filter
table has been changed to require half as many rules as previously.</li>
<li>A 'shorewall check' command has been added that does a cursory
validation of the zones, interfaces, hosts, rules and policy files.</li>
<li>A 'shorewall check' command has been added that does a
cursory validation of the zones, interfaces, hosts, rules and policy
files.</li>
</ul>
@ -734,14 +746,14 @@ dropped in the <i>common</i> chain</li>
<ul>
<li>$-variables may now be used anywhere in the configuration
files except /etc/shorewall/zones.</li>
<li>The interfaces and hosts files now have their contents validated
before any changes are made to the existing Netfilter configuration.
<li>The interfaces and hosts files now have their contents
validated before any changes are made to the existing Netfilter configuration.
The appearance of a zone name that isn't defined in /etc/shorewall/zones
causes "shorewall start" and "shorewall restart" to abort without changing
the Shorewall state. Unknown options in either file cause a warning
to be issued.</li>
causes "shorewall start" and "shorewall restart" to abort without
changing the Shorewall state. Unknown options in either file cause
a warning to be issued.</li>
<li>A problem occurring when BLACKLIST_LOGLEVEL was not set
has been corrected.</li>
has been corrected.</li>
</ul>
@ -762,17 +774,17 @@ has been corrected.</li>
<li>A "shorewall version" command has been added</li>
<li>The default value of the STATEDIR variable in /etc/shorewall/shorewall.conf
has been changed to /var/lib/shorewall in order to conform to the
GNU/Linux File Hierarchy Standard, Version 2.2.</li>
GNU/Linux File Hierarchy Standard, Version 2.2.</li>
</ul>
<p><b>1/28/2002 - Shorewall 1.2.4 Released</b></p>
<ul>
<li>The "fw" zone <a href="Documentation.htm#FW">may now be given
a different name</a>.</li>
<li>The "fw" zone <a href="Documentation.htm#FW">may now be
given a different name</a>.</li>
<li>You may now place end-of-line comments (preceded by '#')
in any of the configuration files</li>
in any of the configuration files</li>
<li>There is now protection against against two state changing
operations occuring concurrently. This is implemented using the
'lockfile' utility if it is available (lockfile is part of procmail);
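Review bot: the unchanged context line "protection against against two state changing operations occuring concurrently" carries a duplicated "against" and the misspelling "occuring" (should be "occurring"); worth correcting while this list is being reflowed.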
@ -810,7 +822,7 @@ name "lock".</li>
<ul>
<li>The "shorewall status" command no longer hangs.</li>
<li>The "shorewall monitor" command now displays the icmpdef
chain</li>
chain</li>
<li>The CLIENT PORT(S) column in tcrules is no longer ignored</li>
</ul>
@ -840,20 +852,20 @@ chain</li>
<li>Support for IP blacklisting has been added
<ul>
<li>You specify whether you want packets from blacklisted hosts
dropped or rejected using the <a
<li>You specify whether you want packets from blacklisted
hosts dropped or rejected using the <a
href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION </a>setting
in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the <a
<li>You specify whether you want packets from blacklisted
hosts logged and at what syslog level using the <a
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting
in /etc/shorewall/shorewall.conf</li>
<li>You list the IP addresses/subnets that you wish to blacklist
in <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a></li>
<li>You specify the interfaces you want checked against the
blacklist using the new "<a
blacklist using the new "<a
href="Documentation.htm#BLInterface">blacklist</a>" option in
/etc/shorewall/interfaces.</li>
/etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist
by the "shorewall refresh" command.</li>
@ -862,16 +874,17 @@ blacklist using the new "<a
<li>Use of TCP RST replies has been expanded 
<ul>
<li>TCP connection requests rejected because of a REJECT policy
are now replied with a TCP RST packet.</li>
<li>TCP connection requests rejected because of a REJECT
policy are now replied with a TCP RST packet.</li>
<li>TCP connection requests rejected because of a protocol=all
rule in /etc/shorewall/rules are now replied with a TCP RST packet.</li>
rule in /etc/shorewall/rules are now replied with a TCP RST
packet.</li>
</ul>
</li>
<li>A <a href="Documentation.htm#Logfile">LOGFILE</a> specification
has been added to /etc/shorewall/shorewall.conf. LOGFILE is used to
tell the /sbin/shorewall program where to look for Shorewall messages.</li>
has been added to /etc/shorewall/shorewall.conf. LOGFILE is used
to tell the /sbin/shorewall program where to look for Shorewall messages.</li>
</ul>
@ -882,8 +895,8 @@ blacklist using the new "<a
<ul>
<li>Unless you have explicitly enabled Auth connections (tcp
port 113) to your firewall, these connections will be REJECTED rather
than DROPPED. This speeds up connection establishment to some servers.</li>
port 113) to your firewall, these connections will be REJECTED rather
than DROPPED. This speeds up connection establishment to some servers.</li>
<li>Orphan DNS replies are now silently dropped.</li>
</ul>
@ -904,8 +917,8 @@ than DROPPED. This speeds up connection establishment to some servers.</
<p>In version 1.2.1:</p>
<ul>
<li><a href="Documentation.htm#LogUncleanOption">Logging of Mangled/Invalid
Packets</a> is added. </li>
<li><a href="Documentation.htm#LogUncleanOption">Logging of
Mangled/Invalid Packets</a> is added. </li>
<li>The <a href="IPIP.htm">tunnel script</a> has been corrected.</li>
<li>'shorewall show tc' now correctly handles tunnels.</li>
@ -919,14 +932,14 @@ than DROPPED. This speeds up connection establishment to some servers.</
<ul>
<li>Support for <a href="traffic_shaping.htm">Traffic Control/Shaping</a></li>
<li>Support for <a href="Documentation.htm#Unclean">Filtering
of Mangled/Invalid Packets</a></li>
of Mangled/Invalid Packets</a></li>
<li>Support for <a href="IPIP.htm">GRE Tunnels</a></li>
</ul>
<p>For the next month or so, I will continue to provide corrections to version
1.1.18 as necessary so that current version 1.1.x users will not be
forced into a quick upgrade to 1.2.0 just to have access to bug fixes.</p>
forced into a quick upgrade to 1.2.0 just to have access to bug fixes.</p>
<p>For those of you who have installed one of the Beta RPMS, you will need
to use the "--oldpackage" option when upgrading to 1.2.0:</p>
@ -936,8 +949,8 @@ forced into a quick upgrade to 1.2.0 just to have access to bug fixes.</p>
</blockquote>
<p><b>12/19/2001 - Thanks to <a href="mailto:scowles@infohiiway.com">Steve
Cowles</a>, there is now a Shorewall mirror in Texas. </b>This web site
is mirrored at <a href="http://www.infohiiway.com/shorewall"
Cowles</a>, there is now a Shorewall mirror in Texas. </b>This web
site is mirrored at <a href="http://www.infohiiway.com/shorewall"
target="_top">http://www.infohiiway.com/shorewall</a> and the ftp site
is at <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall">ftp://ftp.infohiiway.com/pub/mirrors/shorewall</a>.<b> </b></p>
@ -948,7 +961,7 @@ Configurations</a> has been released</b>. In this version:</p>
<ul>
<li>Ping is now allowed between the zones.</li>
<li>In the three-interface configuration, it is now possible
to configure the internet services that are to be available to servers
to configure the internet services that are to be available to servers
in the DMZ. </li>
</ul>
@ -959,11 +972,11 @@ to configure the internet services that are to be available to servers
<ul>
<li>The spelling of ADD_IP_ALIASES has been corrected in the
shorewall.conf file</li>
shorewall.conf file</li>
<li>The logic for deleting user-defined chains has been simplified
so that it avoids a bug in the LRP version of the 'cut' utility.</li>
<li>The /var/lib/lrpkg/shorwall.conf file has been corrected
to properly display the NAT entry in that file.</li>
to properly display the NAT entry in that file.</li>
</ul>
@ -1006,13 +1019,13 @@ to properly display the NAT entry in that file.</li>
<li>A new "shorewall show connections" command has been added.</li>
<li>In the "shorewall monitor" output, the currently tracked
connections are now shown on a separate page.</li>
<li>Prior to this release, Shorewall unconditionally added the
external IP adddress(es) specified in /etc/shorewall/nat. Beginning
<li>Prior to this release, Shorewall unconditionally added
the external IP adddress(es) specified in /etc/shorewall/nat. Beginning
with version 1.1.16, a new parameter (<a
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>) may be set
to "no" (or "No") to inhibit this behavior. This allows IP aliases
created using your distribution's network configuration tools to
be used in static NAT. </li>
created using your distribution's network configuration tools
to be used in static NAT. </li>
</ul>
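Review bot: the rewrapped ADD_IP_ALIASES bullet keeps the typo "external IP adddress(es)"; change it to "address(es)" while the line is being touched.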
@ -1034,21 +1047,21 @@ to properly display the NAT entry in that file.</li>
<li>Shorewall now supports alternate configuration directories.
When an alternate directory is specified when starting or restarting
Shorewall (e.g., "shorewall -c /etc/testconf restart"), Shorewall
will first look for configuration files in the alternate directory then
in /etc/shorewall. To create an alternate configuration simply:<br>
will first look for configuration files in the alternate directory then
in /etc/shorewall. To create an alternate configuration simply:<br>
1. Create a New Directory<br>
2. Copy to that directory any of your configuration files that
you want to change.<br>
2. Copy to that directory any of your configuration files
that you want to change.<br>
3. Modify the copied files as needed.<br>
4. Restart Shorewall specifying the new directory.</li>
<li>The rules for allowing/disallowing icmp echo-requests (pings)
are now moved after rules created when processing the rules file.
This allows you to add rules that selectively allow/deny ping based
on source or destination address.</li>
This allows you to add rules that selectively allow/deny ping based
on source or destination address.</li>
<li>Rules that specify multiple client ip addresses or subnets
no longer cause startup failures.</li>
<li>Zone names in the policy file are now validated against the
zones file.</li>
<li>Zone names in the policy file are now validated against
the zones file.</li>
<li>If you have <a href="Documentation.htm#MangleEnabled">packet
mangling</a> support enabled, the "<a
href="Documentation.htm#Interfaces">norfc1918</a>" interface option
@ -1062,15 +1075,15 @@ on source or destination address.</li>
<ul>
<li>Shell variables can now be used to parameterize Shorewall
rules.</li>
rules.</li>
<li>The second column in the hosts file may now contain a comma-separated
list.<br>
<br>
Example:<br>
    sea    eth0:130.252.100.0/24,206.191.149.0/24</li>
<li>Handling of multi-zone interfaces has been improved. See
the <a href="Documentation.htm#Interfaces">documentation for the
/etc/shorewall/interfaces file</a>.</li>
the <a href="Documentation.htm#Interfaces">documentation for the
/etc/shorewall/interfaces file</a>.</li>
</ul>
@ -1093,13 +1106,15 @@ the <a href="Documentation.htm#Interfaces">documentation for the
<li>A "shorewall refresh" command has been added to allow for
refreshing the rules associated with the broadcast address on a dynamic
interface. This command should be used in place of "shorewall
restart" when the internet interface's IP address changes.</li>
<li>The /etc/shorewall/start file (if any) is now processed after
all temporary rules have been deleted. This change prevents the accidental
removal of rules added during the processing of that file.</li>
restart" when the internet interface's IP address changes.</li>
<li>The /etc/shorewall/start file (if any) is now processed
after all temporary rules have been deleted. This change prevents
the accidental removal of rules added during the processing of that
file.</li>
<li>The "dhcp" interface option is now applicable to firewall
interfaces used by a DHCP server running on the firewall.</li>
<li>The RPM can now be built from the .tgz file using "rpm -tb" </li>
<li>The RPM can now be built from the .tgz file using "rpm
-tb" </li>
</ul>
@ -1107,14 +1122,14 @@ restart" when the internet interface's IP address changes.</li>
<ul>
<li>Shorewall now enables Ipv4 Packet Forwarding by default.
Packet forwarding may be disabled by specifying IP_FORWARD=Off in
Packet forwarding may be disabled by specifying IP_FORWARD=Off in
/etc/shorewall/shorewall.conf. If you don't want Shorewall to enable
or disable packet forwarding, add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf
file.</li>
<li>The "shorewall hits" command no longer lists extraneous service
names in its last report.</li>
or disable packet forwarding, add IP_FORWARDING=Keep to your
/etc/shorewall/shorewall.conf file.</li>
<li>The "shorewall hits" command no longer lists extraneous
service names in its last report.</li>
<li>Erroneous instructions in the comments at the head of the
firewall script have been corrected.</li>
firewall script have been corrected.</li>
</ul>
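Review bot: the IP forwarding bullet names the same shorewall.conf setting two different ways, "IP_FORWARD=Off" and "IP_FORWARDING=Keep". A reader who copies the first spelling into /etc/shorewall/shorewall.conf gets an unrecognised option, and the first hunk of this file says unknown options only produce a warning, so forwarding would stay enabled without any obvious failure. Use the single name that the shipped shorewall.conf actually uses in both places.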
@ -1123,18 +1138,18 @@ firewall script have been corrected.</li>
<ul>
<li>The "tunnels" file <u>really</u> is in the RPM now.</li>
<li>SNAT can now be applied to port-forwarded connections.</li>
<li>A bug which would cause firewall start failures in some dhcp
configurations has been fixed.</li>
<li>A bug which would cause firewall start failures in some
dhcp configurations has been fixed.</li>
<li>The firewall script now issues a message if you have the
name of an interface in the second column in an entry in /etc/shorewall/masq
name of an interface in the second column in an entry in /etc/shorewall/masq
and that interface is not up.</li>
<li>You can now configure Shorewall so that it<a
href="Documentation.htm#NatEnabled"> doesn't require the NAT and/or mangle
netfilter modules</a>.</li>
<li>Thanks to Alex  Polishchuk, the "hits" command from seawall
is now in shorewall.</li>
<li>Thanks to Alex  Polishchuk, the "hits" command from
seawall is now in shorewall.</li>
<li>Support for <a href="IPIP.htm">IPIP tunnels</a> has been
added.</li>
added.</li>
</ul>
@ -1155,11 +1170,11 @@ added.</li>
<ul>
<li>The TOS rules are now deleted when the firewall is stopped.</li>
<li>The .rpm will now install regardless of which version of
iptables is installed.</li>
iptables is installed.</li>
<li>The .rpm will now install without iproute2 being installed.</li>
<li>The documentation has been cleaned up.</li>
<li>The sample configuration files included in Shorewall have
been formatted to 80 columns for ease of editing on a VGA console.</li>
been formatted to 80 columns for ease of editing on a VGA console.</li>
</ul>
@ -1168,22 +1183,22 @@ been formatted to 80 columns for ease of editing on a VGA console.</li
<ul>
<li><a href="Documentation.htm#lograte">You may now rate-limit
the packet log.</a></li>
<li><font face="Century Gothic, Arial, Helvetica"> Previous versions
of Shorewall have an implementation of Static NAT which violates
the principle of least surprise.  NAT only occurs for packets arriving
at (DNAT) or send from (SNAT) the interface named in the INTERFACE
column of /etc/shorewall/nat. Beginning with version 1.1.6, NAT effective
regardless of which interface packets come from or are destined to.
To get compatibility with prior versions, I have added a new "ALL <a
href="NAT.htm#AllInterFaces">"ALL INTERFACES"  column to /etc/shorewall/nat</a>.
<li><font face="Century Gothic, Arial, Helvetica"> Previous
versions of Shorewall have an implementation of Static NAT which
violates the principle of least surprise.  NAT only occurs for packets
arriving at (DNAT) or send from (SNAT) the interface named in the
INTERFACE column of /etc/shorewall/nat. Beginning with version 1.1.6,
NAT effective regardless of which interface packets come from or are
destined to. To get compatibility with prior versions, I have added a
new "ALL <a href="NAT.htm#AllInterFaces">"ALL INTERFACES"  column to /etc/shorewall/nat</a>.
By placing "no" or "No" in the new column, the NAT behavior of
prior versions may be retained. </font></li>
<li>The treatment of <a href="IPSEC.htm#RoadWarrior">IPSEC Tunnels
where the remote gateway is a standalone system has been improved</a>.
Previously, it was necessary to include an additional rule allowing
UDP port 500 traffic to pass through the tunnel. Shorewall will now
create this rule automatically when you place the name of the remote
peer's zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels. </li>
<li>The treatment of <a href="IPSEC.htm#RoadWarrior">IPSEC
Tunnels where the remote gateway is a standalone system has been
improved</a>. Previously, it was necessary to include an additional
rule allowing UDP port 500 traffic to pass through the tunnel. Shorewall
will now create this rule automatically when you place the name of
the remote peer's zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels. </li>
</ul>
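Review bot: the rewrapped Static NAT bullet carries over three slips worth fixing while the text is being reflowed: "send from (SNAT)" should be "sent from (SNAT)", "NAT effective regardless" is missing "is", and the stray `"ALL ` before the link duplicates the column name so the rendered text reads "ALL "ALL INTERFACES" column". The `<font face="Century Gothic, Arial, Helvetica">` wrapper on this one bullet is also inconsistent with the rest of the list and can be dropped.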
@ -1192,11 +1207,11 @@ peer's zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels.
<ul>
<li><a href="Documentation.htm#modules">You may now pass parameters
when loading netfilter modules and you can specify the modules to
load.</a></li>
load.</a></li>
<li>Compressed modules are now loaded. This requires that you
modutils support loading compressed modules.</li>
modutils support loading compressed modules.</li>
<li><a href="Documentation.htm#TOS">You may now set the Type
of Service (TOS) field in packets.</a></li>
of Service (TOS) field in packets.</a></li>
<li>Corrected rules generated for port redirection (again).</li>
</ul>
@ -1211,7 +1226,7 @@ of Service (TOS) field in packets.</a></li>
error messages were reported.</li>
<li>Corrected rules generated for port redirection.</li>
<li>The order in which iptables kernel modules are loaded has
been corrected (Thanks to Mark Pavlidis). </li>
been corrected (Thanks to Mark Pavlidis). </li>
</ul>
@ -1223,21 +1238,21 @@ been corrected (Thanks to Mark Pavlidis).
<li>/tmp/shorewallpolicy-$$ is now removed if there is an error
while starting the firewall.</li>
<li>/etc/shorewall/icmp.def and /etc/shorewall/common.def are
now used to define the icmpdef and common chains unless overridden by
the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.</li>
<li>In the .lrp, the file /var/lib/lrpkg/shorwall.conf has been
corrected. An extra space after "/etc/shorwall/policy" has been removed
and "/etc/shorwall/rules" has been added.</li>
now used to define the icmpdef and common chains unless overridden
by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.</li>
<li>In the .lrp, the file /var/lib/lrpkg/shorwall.conf has
been corrected. An extra space after "/etc/shorwall/policy" has been
removed and "/etc/shorwall/rules" has been added.</li>
<li>When a sub-shell encounters a fatal error and has stopped
the firewall, it now kills the main shell so that the main shell will
the firewall, it now kills the main shell so that the main shell will
not continue.</li>
<li>A problem has been corrected where a sub-shell stopped the
firewall and main shell continued resulting in a perplexing error message
referring to "common.so" resulted.</li>
<li>A problem has been corrected where a sub-shell stopped
the firewall and main shell continued resulting in a perplexing error
message referring to "common.so" resulted.</li>
<li>Previously, placing "-" in the PORT(S) column in /etc/shorewall/rules
resulted in an error message during start. This has been corrected.</li>
<li>The first line of "install.sh" has been corrected -- I had
inadvertently deleted the initial "#".</li>
<li>The first line of "install.sh" has been corrected -- I
had inadvertently deleted the initial "#".</li>
</ul>
@ -1247,9 +1262,9 @@ the firewall, it now kills the main shell so that the main shell will
<li>Port redirection now works again.</li>
<li>The icmpdef and common chains <a
href="Documentation.htm#Icmpdef">may now be user-defined</a>.</li>
<li>The firewall no longer fails to start if "routefilter" is
specified for an interface that isn't started. A warning message is
now issued in this case.</li>
<li>The firewall no longer fails to start if "routefilter"
is specified for an interface that isn't started. A warning message
is now issued in this case.</li>
<li>The LRP Version is renamed "shorwall" for 8,3 MSDOS file
system compatibility.</li>
<li>A couple of LRP-specific problems were corrected.</li>
@ -1268,9 +1283,9 @@ the firewall, it now kills the main shell so that the main shell will
<li>The common chain is traversed from INPUT, OUTPUT and FORWARD
before logging occurs</li>
<li>The source has been cleaned up dramatically</li>
<li>DHCP DISCOVER packets with RFC1918 source addresses no longer
generate log messages. Linux DHCP clients generate such packets and
it's annoying to see them logged. </li>
<li>DHCP DISCOVER packets with RFC1918 source addresses no
longer generate log messages. Linux DHCP clients generate such packets
and it's annoying to see them logged. </li>
</ul>
@ -1279,19 +1294,19 @@ the firewall, it now kills the main shell so that the main shell will
<ul>
<li>Log messages now indicate the packet disposition.</li>
<li>Error messages have been improved.</li>
<li>The ability to define zones consisting of an enumerated set
of hosts and/or subnetworks has been added.</li>
<li>The ability to define zones consisting of an enumerated
set of hosts and/or subnetworks has been added.</li>
<li>The zone-to-zone chain matrix is now sparse so that only
those chains that contain meaningful rules are defined.</li>
those chains that contain meaningful rules are defined.</li>
<li>240.0.0.0/4 and 169.254.0.0/16 have been added to the source
subnetworks whose packets are dropped under the <i>norfc1918</i>
interface option.</li>
<li>Exits are now provided for executing an user-defined script
when a chain is defined, when the firewall is initialized, when
the firewall is started, when the firewall is stopped and when the
firewall is cleared.</li>
<li>The Linux kernel's route filtering facility can now be specified
selectively on network interfaces.</li>
the firewall is started, when the firewall is stopped and when the
firewall is cleared.</li>
<li>The Linux kernel's route filtering facility can now be
specified selectively on network interfaces.</li>
</ul>
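Review bot: "executing an user-defined script" in the rewrapped exits bullet should read "a user-defined script".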
@ -1306,7 +1321,7 @@ firewall is cleared.</li>
<li>Adds the ability to specify logging in entries in the
/etc/shorewall/rules file.</li>
<li>Correct handling of the icmp-def chain so that only ICMP
packets are sent through the chain.</li>
packets are sent through the chain.</li>
<li>Compresses the output of "shorewall monitor" if awk is
installed. Allows the command to work if awk isn't installed (although
it's not pretty).</li>
@ -1319,8 +1334,8 @@ packets are sent through the chain.</li>
<ul>
<li>The PATH variable in the firewall script now includes /usr/local/bin
and /usr/local/sbin.</li>
<li>DMZ-related chains are now correctly deleted if the DMZ is
deleted.</li>
<li>DMZ-related chains are now correctly deleted if the DMZ
is deleted.</li>
<li>The interface OPTIONS for "gw" interfaces are no longer
ignored.</li>
@ -1329,9 +1344,9 @@ packets are sent through the chain.</li>
<p><b>3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
additional "gw" (gateway) zone for tunnels and it supports IPSEC
tunnels with end-points on the firewall. There is also a .lrp available
now.</b></p>
now.</b></p>
<p><font size="2">Updated 9/23/2002 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated 10/9/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2"> Copyright</font>
@ -1346,5 +1361,7 @@ now.</b></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -37,7 +37,8 @@
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a></li>
<li> <a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<li> <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
@ -50,8 +51,8 @@
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top" href="http://slovakia.shorewall.net">Slovak
Republic</a></li>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
@ -59,6 +60,7 @@
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" href="http://france.shorewall.net">France</a></li>
</ul>
</li>
@ -80,7 +82,7 @@
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable Daily 0100-0200 GMT.<br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input type="text"
@ -106,5 +108,7 @@
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -31,8 +31,7 @@
<h2>Static Blacklisting</h2>
<p>Shorewall static blacklisting support has the following configuration
parameters:</p>
<p>Shorewall static blacklisting support has the following configuration parameters:</p>
<ul>
<li>You specify whether you want packets from blacklisted hosts dropped
@ -50,8 +49,8 @@ names in the blacklist file.<br>
<li>You specify the interfaces whose incoming packets you want checked
against the blacklist using the "<a
href="Documentation.htm#Interfaces">blacklist</a>" option in /etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the
"<a href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
</ul>
@ -59,10 +58,10 @@ against the blacklist using the "<a
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
doesn't use any configuration parameters but is rather controlled using
/sbin/shorewall commands:</p>
/sbin/shorewall commands:</p>
<ul>
<li>deny <i>&lt;ip address list&gt; </i>- causes packets from the listed
<li>drop <i>&lt;ip address list&gt; </i>- causes packets from the listed
IP addresses to be silently dropped by the firewall.</li>
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed
IP addresses to be rejected by the firewall.</li>
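Review bot: the command list renames `deny` to `drop`, but nothing in the hunk tells a reader whether `shorewall deny` still works; anyone with scripts or notes built around the 1.3.2 command name needs to know whether the old spelling is kept as an alias or removed. Add a sentence next to the `drop` entry stating which it is, and check that the other commands in this list and the usage text of /sbin/shorewall agree with the documented names.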
@ -76,7 +75,7 @@ be automatically restored the next time that the firewall is restarted.</li>
<p>Example 1:</p>
<pre> shorewall deny 192.0.2.124 192.0.2.125</pre>
<pre> shorewall drop 192.0.2.124 192.0.2.125</pre>
<p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
@ -86,10 +85,11 @@ be automatically restored the next time that the firewall is restarted.</li>
<p>    Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last updated 10/7/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

View File

@ -20,6 +20,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
@ -38,59 +39,95 @@
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts to
start Shorewall during boot. It is that file that must be overwritten
with the corrected script. </b></p>
to the 'shorewall' file used by your system initialization scripts
to start Shorewall during boot. It is that file that must be overwritten
with the corrected script.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example,
do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems in Version
1.3</a></b></li>
<li> <b><a href="#V1.3">Problems in
Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems
in Version 1.2</a></b></li>
in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a
href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems with
kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
MULTIPORT=Yes</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7
and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
</li>
</ul>
<hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script at
<a href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall
</a>-- copy that file to /usr/lib/shorewall/firewall as descripbed above.<br>
<br>
Version 1.3.8
<h3>Version 1.3.9a</h3>
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of the
policy file doesn't work.</li>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
the following message appears during "shorewall [re]start":</li>
</ul>
<pre> recalculate_interfacess: command not found<br></pre>
<blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
above.<br>
</blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br>
</blockquote>
<ul>
<li>The installer (install.sh) issues a misleading message "Common functions
installed in /var/lib/shorewall/functions" whereas the file is installed
in /usr/lib/shorewall/functions. The installer also performs incorrectly
when updating old configurations that had the file /etc/shorewall/functions.
<a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br>
</a></li>
</ul>
<h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script
at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br>
Version 1.3.8
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of
the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but with
different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp
25 - 10.1.1.1")<br>
different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp
25 - 10.1.1.1")<br>
</li>
</ul>
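Review bot: the manual workaround in the new Version 1.3.9a section does not match the symptom it claims to fix: the quoted error is `recalculate_interfacess: command not found`, but the blockquote tells readers to change the single occurrence of 'recalculate_interefacess' (a different spelling) to 'recalculate_interface', and it points them at /usr/lob/shorewall/firewall rather than /usr/lib/shorewall/firewall. Someone searching the script for the identifier as written here will not find it. Quote the misspelt name exactly as it appears in the script and the exact corrected name, fix the path, and while there fix "occurence" and the missing space in "problem.Copy". Structurally, the `<pre>` and the two `<blockquote>`s sit between two separate `<ul>`s, so the installer bullet renders as a second list; nesting the message and its fix inside the MERGE_HOSTS `<li>` keeps the 1.3.9a problems as one list.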
@ -131,12 +168,12 @@ different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp
<ol>
<li>If the firewall is running a DHCP
server, the client won't be able to obtain
an IP address lease from that server.</li>
server, the client won't be able to obtain
an IP address lease from that server.</li>
<li>With this order of checking, the
"dhcp" option cannot be used as a noise-reduction
measure where there are both dynamic and
static clients on a LAN segment.</li>
"dhcp" option cannot be used as a noise-reduction
measure where there are both dynamic
and static clients on a LAN segment.</li>
</ol>
@ -165,9 +202,10 @@ an IP address lease from that server.</li>
<ul>
<li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to add an SNAT
alias. </p>
an error occurs when the firewall script attempts to add an
SNAT alias. </p>
</li>
<li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
@ -235,10 +273,10 @@ an IP address lease from that server.</li>
<h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy file
have been previously defined in the /etc/shorewall/zones file.
The "shorewall check" command does perform this verification so
it's a good idea to run that command after you have made configuration
to not verify that the zones named in the /etc/shorewall/policy
file have been previously defined in the /etc/shorewall/zones
file. The "shorewall check" command does perform this verification
so it's a good idea to run that command after you have made configuration
changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3>
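Review bot: the rewrapped "Version 1.3.n, n < 4" paragraph keeps "commands to not verify"; it should read "do not verify".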
@ -248,22 +286,22 @@ it's a good idea to run that command after you have made configuratio
by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in /etc/shorewall/interfaces.
To correct this problem, you must add an entry to /etc/shorewall/interfaces.
Shorewall 1.3.3 and later versions produce a clearer error message
in this case.</p>
Shorewall 1.3.3 and later versions produce a clearer error
message in this case.</p>
<h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct version
has a size of 38126 bytes.</p>
file can be identified by its size (56284 bytes). The correct
version has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it from
working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just like
"NAT_BEFORE_RULES=Yes".</li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just
like "NAT_BEFORE_RULES=Yes".</li>
</ul>
@ -274,6 +312,7 @@ it's a good idea to run that command after you have made configuratio
<ul>
<li>
<p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
@ -290,22 +329,24 @@ it's a good idea to run that command after you have made configuratio
packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface in
/etc/shorewall/interfaces then depending on the option, Shorewall
may ignore all but the first appearence of the option. For example:<br>
<li>When an option is given for more than one interface
in /etc/shorewall/interfaces then depending on the option,
Shorewall may ignore all but the first appearence of the option.
For example:<br>
<br>
net    eth0    dhcp<br>
loc    eth1    dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior
bullet affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An additional
bug has been found that affects only the 'routestopped' option.<br>
bullet affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An
additional bug has been found that affects only the 'routestopped'
option.<br>
<br>
Users who downloaded the corrected script prior to 1850 GMT
today should download and install the corrected script again
to ensure that this second problem is corrected.</li>
Users who downloaded the corrected script prior to 1850
GMT today should download and install the corrected script
again to ensure that this second problem is corrected.</li>
</ul>
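Review bot: "appearence" in the rewrapped interface-options bullet ("may ignore all but the first appearence of the option") should be "appearance"; the rewrap is the natural place to fix it. The remaining changes in this hunk are line-wrapping only.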
@ -348,13 +389,13 @@ bullet affects the following options: dhcp, dropunclean, logunclea
corrected 1.2.3 rpm which you can download here</a>  and I have also built
an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a
from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works fine.</p>
@ -396,6 +437,7 @@ from<font color="#ff6633"> <a
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
@ -429,7 +471,22 @@ from<font color="#ff6633"> <a
</ul>
<p><font size="2"> Last updated 9/28/2002 -
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will result in Shorewall
being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes
has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel
contains corrected support under a new kernel configuraiton option; see
<a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 10/9/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
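Review bot: "configuraiton" in the new "Problems with RH Kernel 2.4.18-10 and NAT" section should be "configuration". Two smaller points in the same block: the heading carries a stray `<br>` inside the `<h3>`, and the explanatory text after it is not wrapped in `<p>` but relies on bare `<br>` tags, unlike the other errata entries on the page. The link text reads http://www.shorewall.net/Documentation.htm#NAT while the href is the relative Documentation.htm#NAT; make the two agree so readers who copy the visible URL land on the same page. The recommendation itself (LOCAL=no, since the kernel has disabled LOCAL=yes) is clear.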
@ -438,5 +495,8 @@ from<font color="#ff6633"> <a
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -1,59 +1,49 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Mailing List Problems</title>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Mailing List Problems</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Mailing List Problems</font></h1>
<h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1>
</td>
</tr>
</tbody>
</table>
<h2 align="left">Shorewall.net is currently experiencing mail delivery problems
to at least one address in each of the following domains:</h2>
to at least one address in each of the following domains:</h2>
<blockquote>
<div align="left">
<pre>2020ca - delivery to this domain has been disabled (cause unknown)
excite.com - delivery to this domain has been disabled (cause unknown)
epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)
familie-fleischhacker.de - (connection timed out)
gmx.net - delivery to this domain has been disabled (cause unknown)
hotmail.com - delivery to this domain has been disabled (Mailbox over quota)
intercom.net - delivery to this domain has been disabled (cause unknown)
initialcs.com - delivery to this domain has been disabled (cause unknown)
intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).
khp-inc.com - delivery to this domain has been disabled (anti-virus problems)
kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)
littleblue.de - (connection timed out)
opermail.net - delivery to this domain has been disabled (cause unknown)
penquindevelopment.com - delivery to this domain has been disabled (connection timed out)
scip-online.de - delivery to this domain has been disabled (cause unknown)
spctnet.com - connection timed out - delivery to this domain has been disabled
telusplanet.net - delivery to this domain has been disabled (cause unknown)
yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>familie-fleischhacker.de - (connection timed out)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>littleblue.de - (connection timed out)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
</div>
</blockquote>
</blockquote>
<p align="left"><font size="2">Last updated 8/23/2002 17:16 GMT -
<a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font size="2">Last updated 10/6/2002 20:30 GMT - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm">
<font face="Trebuchet MS">
<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
<p align="left">&nbsp;</p>
<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
<p align="left"> </p>
<br>
<br>
</body>
</html>
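Review bot: the rewritten `<pre>` in the domain list collapses the whole list onto one source line joined by `<br>` tags; inside `<pre>` the original literal newlines already render as line breaks, so keeping one domain per source line would make future additions (here arundel.homelinux.org, ionsphere.org and navair.navy.mil) show up as clean one-line diffs instead of a rewrite of the entire block. The `&nbsp;` in the trailing `<p align="left">` has also become a literal character, which is harmless under windows-1252 but invisible in the source.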

View File

@ -34,7 +34,7 @@
<blockquote>
<p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24)
is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24)
and a DMZ connected to eth1 (192.168.2.0/24). </p>
<p> I use:<br>
@ -42,9 +42,9 @@ is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1
<ul>
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
and external address 206.124.146.178.</li>
<li>Proxy ARP for wookie (my Linux System). This system has two IP addresses:
192.168.1.3/24 and 206.124.146.179/24.</li>
and external address 206.124.146.178.</li>
<li>Proxy ARP for wookie (my Linux System). This system has two IP
addresses: 192.168.1.3/24 and 206.124.146.179/24.</li>
<li>SNAT through the primary gateway address (206.124.146.176) for 
my Wife's system (tarry) and the Wireless Access Point (wap)</li>
@ -53,15 +53,15 @@ my Wife's system (tarry) and the Wireless Access Point (wap)</li>
<p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p>
<p> Wookie runs Samba and acts as the a WINS server.  Wookie is in its
own 'whitelist' zone called 'me'.</p>
own 'whitelist' zone called 'me'.</p>
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
and is managed by Proxy ARP. It connects to the local network through the
PopTop server running on my firewall. </p>
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
and is managed by Proxy ARP. It connects to the local network through the
PopTop server running on my firewall. </p>
<p> The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
(Pure-ftpd). The system also runs fetchmail to fetch our email from our
old and current ISPs. That server is managed through Proxy ARP.</p>
@ -72,7 +72,7 @@ Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
<p> I run an SNMP server on my firewall to serve <a
href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
in the DMZ.</p>
in the DMZ.</p>
<p align="center"> <img border="0"
src="images/network.png" width="764" height="846">
@ -87,14 +87,14 @@ in the DMZ.</p>
default gateway used by the firewall itself). On the firewall,
Shorewall automatically adds a host route to
206.124.146.177 through eth1 (192.168.2.1) because
of the entry in /etc/shorewall/proxyarp (see below).</p>
of the entry in /etc/shorewall/proxyarp (see below).</p>
<p>A similar setup is used on eth3 (192.168.3.1) which
interfaces to my laptop (206.124.146.180).</p>
<p><font color="#ff0000" size="5"> Note: My files
use features not available before Shorewall version
1.3.4.</font></p>
use features not available before Shorewall
version 1.3.4.</font></p>
</blockquote>
<h3>Shorewall.conf</h3>
@ -108,8 +108,8 @@ of the entry in /etc/shorewall/proxyarp (see below).</
<h3>Interfaces File: </h3>
<blockquote>
<p> This is set up so that I can start the firewall before bringing up my
Ethernet interfaces. </p>
<p> This is set up so that I can start the firewall before bringing up
my Ethernet interfaces. </p>
</blockquote>
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp<br> dmz eth1 206.124.146.255 -<br> net eth3 206.124.146.255 norfc1918<br> - texas -<br> loc ppp+<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
@ -140,10 +140,11 @@ Ethernet interfaces. </p>
<blockquote>
<p> Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.</p>
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
</blockquote>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> texas 206.124.146.179 192.168.1.254<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>NAT File: </h3>
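Review bot: the new masq entry `texas 206.124.146.179 192.168.1.254` introduces the address 192.168.1.254, which appears nowhere else on the page; the updated paragraph ("I masquerade wookie to the peer subnet in Texas") should say which interface holds that address so readers can tell that the ADDRESS column is the local end of the texas link. Note also that the SUBNET column here holds a single host address (wookie's Proxy ARP address 206.124.146.179) rather than a subnet; a comment in the file saying that is intentional would help anyone copying this configuration.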
@ -151,18 +152,21 @@ Ethernet interfaces. </p>
<h3>Proxy ARP File:</h3>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROUTE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROU</font><font
face="Courier" size="2">TE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br> 206.124.146.179 eth2 eth0 No<br></font><font
face="Courier" size="2"> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3>
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw 
udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> ACCEPT net fw tcp 1723<br> ACCEPT net fw gre<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<p><font size="2"> Last updated 9/19/2002 - </font><font size="2">
<p><font size="2"> Last updated 10/1/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
</body>
</html>
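Review bot: in the Proxy ARP File `<pre>`, the editor has split the column header across two `<font>` spans mid-word (`HAVEROU</font><font ...>TE`) and added a third span for the last line; merge them back into the single `<font face="Courier" size="2">` span the other `<pre>` blocks on this page use, otherwise the header is fragile to further edits and copies inconsistently. The added line `206.124.146.179 eth2 eth0 No` matches the description of wookie (Proxy ARP, 206.124.146.179) earlier in the file.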

View File

@ -29,17 +29,19 @@
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables
and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
</p>
"My case was almost like [the one above]. Well. instead of 'weeks' it was
</p>
"My case was almost like [the one above]. Well. instead of 'weeks' it was
'months' for me, and I think I needed two minutes more:<br>
<ul>
<li>One to see that I had no Internet access from the firewall itself.</li>
<li>Other to see that this was the default configuration, and it was enough
to uncomment a line in /etc/shorewall/policy.<br>
</li>
</ul>
Minutes instead of months! Congratulations and thanks for such a simple and
well documented thing for something as huge as iptables." -- JV, Spain.
Minutes instead of months! Congratulations and thanks for such a simple
and well documented thing for something as huge as iptables." -- JV, Spain.
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate your
@ -51,25 +53,25 @@ scripts but this one is till now the best." -- B.R, Netherlands
</p>
<p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, save and useful
so relentless in developing a secure, state of the art, safe and useful
product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kericki, Toronto </p>
involved." -- Mario Kerecki, Toronto </p>
<p>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
have 7 machines up and running with shorewall on several versions -
starting with 1.2.2 up to the new 1.2.9 and I never have encountered
any problems!" -- SM, Germany</p>
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now have
7 machines up and running with shorewall on several versions - starting
with 1.2.2 up to the new 1.2.9 and I never have encountered any problems!"
-- SM, Germany</p>
<p>"You have the best support of any other package I've ever used."
-- SE, US </p>
<p>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld
by request, Europe</p>
by checkpoint, some of them are running....Shorewall." -- Name withheld by
request, Europe</p>
<p>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of
@ -90,12 +92,13 @@ people recommending it. :-)<br>
<br>
 </p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/24/2002
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 10/9/2002
- <a href="support.htm">Tom Eastep</a> </font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

View File

@ -20,12 +20,13 @@
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.3
- <font size="4">"<i>iptables made easy"</i></font></font></h1>
</a></i></font><font color="#ffffff">Shorewall
1.3 - <font size="4">"<i>iptables made easy"</i></font></font></h1>
<div align="center"><a href="1.2" target="_top"><font
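Review bot: the alt text `alt="Shorwall Logo"` in the rewrapped header block is misspelled; change it to "Shorewall Logo" while the block is being touched. The rest of the hunk is line-wrapping only.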
@ -49,31 +50,36 @@
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software Foundation.<br>
<br>
This program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more details.<br>
This program is distributed in the hope
that it will be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License for
more details.<br>
<br>
You should have received a copy of the GNU General
Public License along with this program; if not, write to the
Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA
02139, USA</p>
You should have received a copy of the
GNU General Public License along with this program; if
not, write to the Free Software Foundation, Inc., 675 Mass
Ave, Cambridge, MA 02139, USA</p>
@ -81,12 +87,14 @@ it will be useful, but WITHOUT ANY WARRANTY; without even the
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak have a LEAF
distribution called <i>Bering</i> that features Shorewall-1.3.3
and Kernel-2.4.18. You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
</a>Jacques Nilo and Eric Wolzak have
a LEAF distribution called <i>Bering</i> that features
Shorewall-1.3.3 and Kernel-2.4.18. You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
@ -94,51 +102,79 @@ it will be useful, but WITHOUT ANY WARRANTY; without even the
<p><b>9/30/2002 - Shorewall 1.3.9a </b><b><img border="0"
<h2></h2>
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
This release rolls up fixes to the installer and to the firewall script.<br>
<b><br>
10/6/2002 - Shorewall.net now running on RH8.0 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
<br>
The firewall and server here at shorewall.net are now running RedHat release
8.0.<br>
<p><b>9/30/2002 - Shorewall 1.3.9a</b><b>
</b></p>
Roles up the fix for broken tunnels.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!! </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
</b></p>
There is an updated firewall script at <a
<img src="images/j0233056.gif" alt="Brown Paper Bag"
width="50" height="86" align="left">
There is an updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br>
<p><b>9/28/2002 - Shorewall 1.3.9 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
-- copy that file to /usr/lib/shorewall/firewall.<br>
<p><b><br>
</b></p>
<p><b><br>
</b></p>
<p><b><br>
9/28/2002 - Shorewall 1.3.9 </b><b> </b></p>
<p>In this version:<br>
</p>
<ul>
<li><a href="configuration_file_basics.htm#dnsnames">DNS Names</a>
are now allowed in Shorewall config files (although I recommend against
using them).</li>
<li>The connection SOURCE may now be qualified by both interface
and IP address in a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li><a href="configuration_file_basics.htm#dnsnames">DNS
Names</a> are now allowed in Shorewall config files (although I recommend
against using them).</li>
<li>The connection SOURCE may now be qualified by both
interface and IP address in a <a href="Documentation.htm#Rules">Shorewall
rule</a>.</li>
<li>Shorewall startup is now disabled after initial installation
until the file /etc/shorewall/startup_disabled is removed. This avoids nasty
surprises at reboot for users who install Shorewall but don't configure
it.</li>
<li>The 'functions' and 'version' files and the 'firewall' symbolic
link have been moved from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br>
until the file /etc/shorewall/startup_disabled is removed. This avoids
nasty surprises at reboot for users who install Shorewall but don't
configure it.</li>
<li>The 'functions' and 'version' files and the 'firewall'
symbolic link have been moved from /var/lib/shorewall to /usr/lib/shorewall
to appease the LFS police at Debian.<br>
</li>
</ul>
<p><b>9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
Restored</b><b> </b><br>
</p>
<img src="images/j0233056.gif" alt="Brown Paper Bag"
width="50" height="86" align="left">
A couple of recent configuration changes at www.shorewall.net broke
the Search facility:<br>
A couple of recent configuration changes at www.shorewall.net
broke the Search facility:<br>
<blockquote>
<ol>
<li>Mailing List Archive Search was not available.</li>
<li>The Site Search index was incomplete</li>
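Review bot: "Roles up the fix for broken tunnels" under the 9/30/2002 1.3.9a entry should be "Rolls up". The hunk also adds an empty `<h2></h2>` before the 10/9/2002 entry and three `<p><b><br></b></p>` blocks before the 9/28/2002 heading that serve only as vertical spacing around the left-floated Brown Paper Bag image; a single `<br clear="left">` after the TUNNELS paragraph would give the same layout without empty headings and paragraphs. Moving the image from the search entry to the TUNNELS entry is otherwise sensible, and the 1.3.9b and RH8.0 announcements read clearly.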
@ -149,38 +185,45 @@ it.</li>
</blockquote>
Hopefully these problems are now corrected.
<p><b>9/18/2002 - Debian 1.3.8 Packages Available </b><b>
</b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
<b> </b>
<p><b>9/16/2002 - Shorewall 1.3.8</b><b> </b></p>
<p>In this version:<br>
</p>
<ul>
<li>A NEWNOTSYN option has been added to shorewall.conf.
This option determines whether Shorewall accepts TCP packets which
are not part of an established connection and that are not 'SYN' packets
(SYN flag on and ACK flag off).</li>
<li>A NEWNOTSYN option has been added to
shorewall.conf. This option determines whether Shorewall accepts
TCP packets which are not part of an established connection and
that are not 'SYN' packets (SYN flag on and ACK flag off).</li>
<li>The need for the 'multi' option to communicate
between zones za and zb on the same interface is removed in the
case where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist
if:
case where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will
exist if:
<ul>
<li>There is a policy for za to zb; or</li>
<li>There is at least one rule for za to zb.
</li>
<li>There is at least one rule for za
to zb. </li>
@ -188,72 +231,88 @@ if:
</li>
</ul>
<ul>
<li>The /etc/shorewall/blacklist file now contains
three columns. In addition to the SUBNET/ADDRESS column, there are
optional PROTOCOL and PORT columns to block only certain applications
from the blacklisted addresses.<br>
<li>The /etc/shorewall/blacklist file now
contains three columns. In addition to the SUBNET/ADDRESS column,
there are optional PROTOCOL and PORT columns to block only certain
applications from the blacklisted addresses.<br>
</li>
</ul>
<p><b>9/11/2002 - Debian 1.3.7c Packages Available </b></p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>9/2/2002 - Shorewall 1.3.7c</b></p>
<p>This is a role up of a fix for "DNAT" rules where the source zone
is $FW (fw).</p>
<p><b>8/26/2002 - Shorewall 1.3.7b</b></p>
<p>This is a role up of the "shorewall refresh" bug fix and the change
which reverses the order of "dhcp" and "norfc1918" checking.</p>
<p><b>8/26/2002 - French FTP Mirror is Operational</b></p>
<p><a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
is now available.</p>
<p><b>8/25/2002 - Shorewall Mirror in France </b></p>
<p>Thanks to a Shorewall user in Paris, the Shorewall web site is now
mirrored at <a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a>.</p>
<p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#4b017c"
valign="top" align="center"> <a
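Review bot: "This is a role up of a fix" (9/2/2002) and "This is a role up of the ... bug fix" (8/26/2002) in the unchanged context of this hunk should read "roll-up"; since these paragraphs are being rewrapped, fixing the spelling here keeps the News entries consistent.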
@ -266,6 +325,7 @@ if:
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
@ -274,6 +334,7 @@ if:
<td width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
@ -281,8 +342,8 @@ if:
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
</td>
@ -292,9 +353,11 @@ but if you try it and find it useful, please consider making a donation
</tbody>
</table>
<p><font size="2">Updated 9/30/2002 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 10/9/2002 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</p>
<br>
</body>
</html>

View File

@ -29,7 +29,7 @@
<p align="center"> <img border="3" src="images/Hiking1.jpg"
alt="Tom on the PCT - 1991" width="374" height="365">
</p>
</p>
<p align="center">Tom on the Pacific Crest Trail north of Stevens Pass,
Washington  -- Sept 1991.<br>
@ -41,9 +41,9 @@
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington State
University</a> 1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li>
of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
) 1969 - 1980</li>
) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li>
@ -54,10 +54,10 @@ of Washington</a> 1969</li>
operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated ipchains
and developed the scripts which are now collectively known as <a
in 1999 and had DSL service installed in our home. I investigated ipchains
and developed the scripts which are now collectively known as <a
href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and wrote
on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p>
<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
@ -67,22 +67,23 @@ Shorewall. </p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs
and LNE100TX (Tulip) NIC - My personal Windows system.</li>
<li>Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC -
My personal Linux System which runs Samba configured as a WINS server.
This system also has <a href="http://www.vmware.com/">VMware</a> installed
and can run both <a href="http://www.debian.org">Debian</a> and
and LNE100TX (Tulip) NIC - My personal Windows system. Also has SuSE
8.0 installed.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC
- My personal Linux System which runs Samba configured as a WINS server.
This system also has <a href="http://www.vmware.com/">VMware</a> installed
and can run both <a href="http://www.debian.org">Debian</a> and
<a href="http://www.suse.com">SuSE</a> in virtual machines.</li>
<li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail (Postfix
&amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server (Bind).</li>
<li>PII/233, RH7.3 with 2.4.20-pre6 kernel, 256MB MB RAM, 2GB SCSI HD
- 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.3.9 (Yep -- I run them before I release them) and a DHCP server.  Also
runs PoPToP for road warrior access.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail
(Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
(Bind).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX 
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.9a  and a DHCP
server.  Also runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's
personal system.</li>
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
</ul>
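Review bot: the firewall entry now reads "Firewall running Shorewall 1.3.9a" while this same commit bumps install.sh and uninstall.sh to VERSION=1.3.9b, so the About page is already one point release behind the code it ships with. Since the "(Yep -- I run them before I release them)" aside was dropped in this edit anyway, either keep the number in step with the release being cut or drop it so the page does not go stale every time a letter release goes out. The "with 2.4.20-pre6 kernel" note for that machine was also removed; if readers use this list to check what kernel the author runs Shorewall on, that detail is worth keeping.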
@ -95,17 +96,20 @@ and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.</li>
<p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0"
</a><a href="http://www.compaq.com"><img border="0"
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0"
</a><a href="http://www.pureftpd.org"><img border="0"
src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img border="0"
</a><font size="4"><a href="http://www.apache.org"><img border="0"
src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a> </font></p>
</a> </font></p>
<p><font size="2">Last updated 9/19/2002 - </font><font size="2"> <a
<p><font size="2">Last updated 10/6/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
</body>
</html>

View File

@ -30,22 +30,22 @@
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.</p>
<p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.</p>
<h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p>
in common firewall setups.</p>
<p>The following guides are for users who have a single public IP address:</p>
<ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System acting
as a firewall/router for a small local network</li>
as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System acting
as a firewall/router for a small local network and a DMZ.</li>
as a firewall/router for a small local network and a DMZ.</li>
</ul>
@ -54,15 +54,15 @@ as a firewall/router for a small local network and a DMZ.</li>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where there are multiple public
IP addresses involved or if you want to learn more about Shorewall than is
explained in the single-address guides above.</p>
IP addresses involved or if you want to learn more about Shorewall than
is explained in the single-address guides above.</p>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
@ -77,8 +77,8 @@ Protocol</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your
Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
@ -102,15 +102,16 @@ Protocol</a></li>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li>
and Stopping the Firewall</a></li>
</ul>
<h2><a name="Documentation"></a>Additional Documentation</h2>
<p>The following documentation covers a variety of topics and supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above.</p>
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above. Please review the appropriate guide before trying to use this documentation
directly.</p>
<ul>
<li><a href="blacklisting_support.htm">Blacklisting</a>
@ -121,7 +122,7 @@ above.</p>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common configuration file
features</a>
features</a>
<ul>
<li>Comments in configuration files</li>
<li>Line Continuation</li>
@ -162,13 +163,13 @@ features</a>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
Scripts</a></font> (How to extend Shorewall without modifying Shorewall
code)</li>
Scripts</a></font> (How to extend Shorewall without modifying Shorewall
code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
use Shorewall)</li>
use Shorewall)</li>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which ports</li>
@ -188,7 +189,7 @@ use Shorewall)</li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your firewall
to a remote network.</li>
to a remote network.</li>
</ul>
</li>
@ -199,11 +200,12 @@ to a remote network.</li>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 9/16/2002 - <a
<p><font size="2">Last modified 10/5/2002 - <a
href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
</body>
</html>
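Review bot: the "Tom Eastep" link in the "Last modified" line still points to file:///J:/Shorewall/Shorewall-docs/support.htm, a path on the author's local Windows drive that is dead for every reader of the published page; the equivalent link in the other files touched by this commit is href="support.htm", so change it to that while the date line is being edited.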

View File

@ -35,7 +35,7 @@
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall
in its most common configuration:</p>
in its most common configuration:</p>
<ul>
<li>Linux system used as a firewall/router for a small local network.</li>
@ -52,10 +52,10 @@ in its most common configuration:</p>
</p>
<p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for
this program:</p>
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -69,23 +69,23 @@ this program:</p>
    If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you copy
a configuration file from your Windows hard drive to a floppy disk, you
must run dos2unix against the copy before using it with Shorewall.</p>
a configuration file from your Windows hard drive to a floppy disk, you must
run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
Version of dos2unix</a></li>
</ul>
<h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a few
of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, download the <a
<p>The configuration files for Shorewall are contained in the directory /etc/shorewall
-- for simple setups, you will only need to deal with a few of these as
described in this guide. After you have <a href="Install.htm">installed
Shorewall</a>, download the <a
href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
(these files will replace files with the same name).</p>
@ -127,8 +127,8 @@ of these as described in this guide. After you have <a
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
<li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -136,14 +136,14 @@ of these as described in this guide. After you have <a
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file matches
the connection request then the first policy in /etc/shorewall/policy that
matches the request is applied. If that policy is REJECT or DROP  the
request is first checked against the rules in /etc/shorewall/common (the
samples provide that file for you).</p>
checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has
the following policies:</p>
<p>The /etc/shorewall/policy file included with the two-interface sample
has the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -185,7 +185,7 @@ the following policies:</p>
<blockquote>
<p>In the two-interface sample, the line below is included but commented
out. If you want your firewall system to have full access to servers on
the internet, uncomment that line.</p>
the internet, uncomment that line.</p>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
@ -214,7 +214,7 @@ the internet, uncomment that line.</p>
<ol>
<li>allow all connection requests from your local network to the internet</li>
<li>drop (ignore) all connection requests from the internet to your
firewall or local network</li>
firewall or local network</li>
<li>optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
@ -231,9 +231,9 @@ the internet (if you uncomment the additional policy)</li>
height="635">
</p>
<p align="left">The firewall has two network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<p align="left">The firewall has two network interfaces. Where Internet connectivity
is through a cable or DSL "Modem", the <i>External Interface</i> will be
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
@ -243,14 +243,15 @@ your external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    If your external interface is <b>ppp0</b> or<b> ippp0</b>  then you
will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
    If your external interface is <b>ppp0</b> or<b> ippp0</b>  then
you will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other computers
will be connected to the same hub/switch (note: If you have only a single
internal system, you can connect the firewall directly to the computer using
a <i>cross-over </i> cable).</p>
internal system, you can connect the firewall directly to the computer
using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
@ -262,11 +263,11 @@ your external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
    The Shorewall two-interface sample configuration assumes that the
external interface is <b>eth0</b> and the internal interface is <b>eth1</b>.
external interface is <b>eth0</b> and the internal interface is <b>eth1</b>.
If your configuration is different, you will have to modify the sample
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
accordingly. While you are there, you may wish to review the list of options
that are specified for the interfaces. Some hints:</p>
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
accordingly. While you are there, you may wish to review the list of options
that are specified for the interfaces. Some hints:</p>
<ul>
<li>
@ -286,15 +287,15 @@ that are specified for the interfaces. Some hints:</p>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single
<i> Public</i> IP address. This address may be assigned via the<i> Dynamic
Host Configuration Protocol</i> (DHCP) or as part of establishing your connection
when you dial in (standard modem) or establish your PPP connection. In
rare cases, your ISP may assign you a<i> static</i> IP address; that means
that you configure your firewall's external interface to use that address
permanently.<i> </i>However your external address is assigned, it will be
shared by all of your systems when you access the Internet. You will have
to assign your own addresses in your internal network (the Internal Interface
on your firewall plus your other computers). RFC 1918 reserves several
<i>Private </i>IP address ranges for this purpose:</p>
Host Configuration Protocol</i> (DHCP) or as part of establishing your
connection when you dial in (standard modem) or establish your PPP connection.
In rare cases, your ISP may assign you a<i> static</i> IP address; that
means that you configure your firewall's external interface to use that
address permanently.<i> </i>However your external address is assigned, it
will be shared by all of your systems when you access the Internet. You
will have to assign your own addresses in your internal network (the Internal
Interface on your firewall plus your other computers). RFC 1918 reserves
several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -304,8 +305,8 @@ on your firewall plus your other computers). RFC 1918 reserves several
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Before starting Shorewall, you should look at the IP address of
your external interface and if it is one of the above ranges, you should
remove the 'norfc1918' option from the external interface's entry in
your external interface and if it is one of the above ranges, you should
remove the 'norfc1918' option from the external interface's entry in
/etc/shorewall/interfaces.</p>
</div>
@ -313,13 +314,13 @@ remove the 'norfc1918' option from the external interface's entry in
<p align="left">You will want to assign your addresses from the same <i>
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet
will have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is
reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved as the
<i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described
using <a href="subnet_masks.htm"><i>Classless InterDomain Routing </i>(CIDR)
notation</a> with consists of the subnet address followed by "/24". The
"24" refers to the number of consecutive leading "1" bits from the left
of the subnet mask. </p>
will have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0
is reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved as
the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is
described using <a href="subnet_masks.htm"><i>Classless InterDomain Routing
</i>(CIDR) notation</a> with consists of the subnet address followed
by "/24". The "24" refers to the number of consecutive leading "1" bits
from the left of the subnet mask. </p>
</div>
<div align="left">
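Review bot: two grammar slips survive the rewrap of this paragraph: "we can consider a subnet to consists of a range" should be "to consist of", and "notation</a> with consists of the subnet address" should be "which consists of". The lines are being rewritten anyway, so fixing them here avoids touching the file again.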
@ -362,23 +363,23 @@ remove the 'norfc1918' option from the external interface's entry in
<div align="left">
<p align="left">One of the purposes of subnetting is to allow all computers
in the subnet to understand which other computers can be communicated
with directly. To communicate with systems outside of the subnetwork, systems
send packets through a<i>  gateway</i>  (router).</p>
with directly. To communicate with systems outside of the subnetwork,
systems send packets through a<i>  gateway</i>  (router).</p>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (computer 1 and computer 2 in the above diagram)
should be configured with their<i> default gateway</i> to be the IP address
of the firewall's internal interface.<i>      </i> </p>
should be configured with their<i> default gateway</i> to be the IP
address of the firewall's internal interface.<i>      </i> </p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning more
about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p>
@ -398,18 +399,18 @@ A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
host, the firewall must perform <i>Network Address Translation </i>(NAT).
The firewall rewrites the source address in the packet to be the address
of the firewall's external interface; in other words, the firewall makes
it look as if the firewall itself is initiating the connection.  This is
necessary so that the destination host will be able to route return packets
back to the firewall (remember that packets whose destination address is
reserved by RFC 1918 can't be routed across the internet so the remote host
can't address its response to computer 1). When the firewall receives a
return packet, it rewrites the destination address back to 10.10.10.1 and
forwards the packet on to computer 1. </p>
it look as if the firewall itself is initiating the connection.  This
is necessary so that the destination host will be able to route return
packets back to the firewall (remember that packets whose destination
address is reserved by RFC 1918 can't be routed across the internet so
the remote host can't address its response to computer 1). When the firewall
receives a return packet, it rewrites the destination address back to 10.10.10.1
and forwards the packet on to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> but you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> but you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<ul>
<li>
@ -433,8 +434,8 @@ return packet, it rewrites the destination address back to 10.10.10.1 and
height="13">
    If your external firewall interface is <b>eth0</b>, you do not need
to modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq
and change the first column to the name of your external interface and the
second column to the name of your internal interface.</p>
and change the first column to the name of your external interface and
the second column to the name of your internal interface.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
@ -447,16 +448,16 @@ return packet, it rewrites the destination address back to 10.10.10.1 and
<p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses, it is
not possible for clients on the internet to connect directly to them. It
is rather necessary for those clients to address their connection requests
to the firewall who rewrites the destination address to the address of your
server and forwards the packet to that server. When your server responds,
the firewall automatically performs SNAT to rewrite the source address in
the response.</p>
not possible for clients on the internet to connect directly to them. It
is rather necessary for those clients to address their connection requests
to the firewall who rewrites the destination address to the address of
your server and forwards the packet to that server. When your server responds,
the firewall automatically performs SNAT to rewrite the source address
in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure port
forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<p>The general form of a simple port forwarding rule in /etc/shorewall/rules
is:</p>
@ -523,13 +524,13 @@ port&gt;</i>]</td>
<ul>
<li>You must test the above rule from a client outside of your local
network (i.e., don't test from a browser running on computers 1 or 2
or on the firewall). If you want to be able to access your web server
using the IP address of your external interface, see <a
network (i.e., don't test from a browser running on computers 1 or 2 or
on the firewall). If you want to be able to access your web server using
the IP address of your external interface, see <a
href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port 80. If you
have problems connecting to your web server, try the following rule and
try connecting to port 5000.</li>
have problems connecting to your web server, try the following rule
and try connecting to port 5000.</li>
</ul>
@ -568,35 +569,35 @@ that you require.</p>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will be
written). Alternatively, your ISP may have given you the IP address of a
pair of DNS <i> name servers</i> for you to manually configure as your primary
and secondary name servers. Regardless of how DNS gets configured on your
firewall, it is <u>your</u> responsibility to configure the resolver in your
internal systems. You can take one of two approaches:</p>
will be automatically configured (e.g., the /etc/resolv.conf file will
be written). Alternatively, your ISP may have given you the IP address
of a pair of DNS <i> name servers</i> for you to manually configure as your
primary and secondary name servers. Regardless of how DNS gets configured
on your firewall, it is <u>your</u> responsibility to configure the resolver
in your internal systems. You can take one of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers or if
those addresses are available on their web site, you can configure your
internal systems to use those addresses. If that information isn't available,
look in /etc/resolv.conf on your firewall system -- the name servers are
given in "nameserver" records in that file. </p>
name servers. If you ISP gave you the addresses of their servers or
if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information isn't
available, look in /etc/resolv.conf on your firewall system -- the name
servers are given in "nameserver" records in that file. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    You can configure a<i> Caching Name Server </i>on your firewall.<i>
</i>Red Hat has an RPM for a caching name server (the RPM also requires
the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you take
this approach, you configure your internal systems to use the firewall
the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you
take this approach, you configure your internal systems to use the firewall
itself as their primary (and only) name server. You use the internal IP
address of the firewall (10.10.10.254 in the example above) for the name
server address. To allow your local systems to talk to your caching name
server, you must open port 53 (both UDP and TCP) from the local network
to the firewall; you do that by adding the following rules in /etc/shorewall/rules.
</p>
server address. To allow your local systems to talk to your caching
name server, you must open port 53 (both UDP and TCP) from the local
network to the firewall; you do that by adding the following rules in
/etc/shorewall/rules. </p>
</li>
</ul>
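Review bot: "If you ISP gave you the addresses of their servers" (now the first rewrapped line of the new text) should read "If your ISP gave you"; since that line is already being rewritten in this hunk it is worth correcting in the same commit.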
@ -685,7 +686,7 @@ firewall, it is <u>your</u> responsibility to configure the resolver in your
<div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be
removed if you commented out the line in /etc/shorewall/policy allowing
removed if you uncommented the line in /etc/shorewall/policy allowing
all connections from the firewall to the internet.</p>
</div>
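Review bot: the change from "commented out" to "uncommented" is the right fix and worth calling out as more than a reflow: the sample policy file ships the line granting the firewall full access to the internet commented out, and the DNS rules from the firewall zone become redundant only once that line has been uncommented, so the old wording told readers the opposite of what was intended. Consider noting it in the change log, because anyone who removed those DNS rules on the strength of the old text while leaving the policy line commented out will have blocked name resolution from the firewall itself.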
@ -806,12 +807,13 @@ firewall, it is <u>your</u> responsibility to configure the resolver in your
<div align="left">
<p align="left">Those two rules would of course be in addition to the rules
listed above under "You can configure a Caching Name Server on your firewall"</p>
listed above under "You can configure a Caching Name Server on your
firewall"</p>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular application
uses, look <a href="ports.htm">here</a>.</p>
<p align="left">If you don't know what port and protocol a particular
application uses, look <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
@ -865,9 +867,9 @@ connections as required.</p>
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot  but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
version 1.3.9 startup is disabled so that your system won't try to start Shorewall
before configuration is complete. Once you have completed configuration of
your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -891,22 +893,22 @@ and set 'startup=1'.</font><br>
height="13">
    The two-interface sample assumes that you want to enable routing
to/from <b>eth1 </b>(the local network) when Shorewall is stopped. If
your local network isn't connected to <b>eth1</b> or if you wish to enable
your local network isn't connected to <b>eth1</b> or if you wish to enable
access to/from other hosts, change /etc/shorewall/routestopped accordingly.</p>
</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a
added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
and test it using the <a href="Documentation.htm#Starting">"shorewall
try" command</a>.</p>
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 9/26/2002 - <a
<p align="left"><font size="2">Last updated 10/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
@ -915,5 +917,6 @@ try" command</a>.</p>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.3.9a
VERSION=1.3.9b
usage() # $1 = exit status
{

View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.3.9a
VERSION=1.3.9b
usage() # $1 = exit status
{
@ -167,6 +167,8 @@ while [ $# -gt 0 ] ; do
ARGS="yes"
done
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# Determine where to install the firewall script
#
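Review bot: the new `PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin` assignment is placed after the option-parsing `while` loop, so everything the script ran before this point (including `usage` when invoked from that loop) still used the caller's PATH; pinning PATH is the right defensive move for an installer that runs as root, but it belongs at the top of the script next to `VERSION=1.3.9b` so that no command is resolved through an untrusted search path. Also add a comment above the line saying why the PATH is fixed (reproducible tool lookup, no current directory or user-writable entries), matching the commented style of the surrounding `# Determine where to install the firewall script` block.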
@ -282,13 +284,18 @@ fi
# Install the functions file
#
if [ -f ${PREFIX}/etc/shorewall/functions ]; then
backup_file ${PREFIX}/etc/shorewall/functions
rm -f ${PREFIX}/etc/shorewall/functions
fi
if [ -f ${PREFIX}/var/lib/shorewall/functions ]; then
backup_file ${PREFIX}/var/lib/shorewall/functions
rm -f ${PREFIX}/var/lib/shorewall/functions
fi
install_file_with_backup functions ${PREFIX}/usr/lib/shorewall/functions 0444
echo -e "\nCommon functions installed in ${PREFIX}/var/lib/shorewall/functions"
echo -e "\nCommon functions installed in ${PREFIX}/usr/lib/shorewall/functions"
#
# Install the common.def file
#
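Review bot: `install_file_with_backup functions ${PREFIX}/usr/lib/shorewall/functions 0444` writes into a directory that nothing in this hunk creates; confirm that a `mkdir -p ${PREFIX}/usr/lib/shorewall` (or equivalent) precedes this block, otherwise a fresh install into an empty `${PREFIX}` fails after the old copies have already been removed by `rm -f ${PREFIX}/etc/shorewall/functions` and `rm -f ${PREFIX}/var/lib/shorewall/functions`. Ordering the new install before the removal of the two legacy copies would leave a usable functions file in place if the install step fails. The corrected message `Common functions installed in ${PREFIX}/usr/lib/shorewall/functions` now matches the actual destination, which fixes the misleading `/var/lib` path in the old line; the remaining question is whether every script that sources `functions` has been updated to the `/usr/lib/shorewall` location in this same release, since the legacy copies are deleted here rather than left as a fallback.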

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.9a
VERSION=1.3.9b
usage() # $1 = exit status
{