Revise instructions for disabling iptables

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-07-17 16:48:15 -07:00
parent c0e4d4093c
commit 55519bd9ac
3 changed files with 178 additions and 118 deletions

View File

@ -119,19 +119,18 @@
<title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged
with <inlinegraphic fileref="images/BD21298_.gif"
format="GIF" />.</para>
with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
<para>Configuration notes that are unique to Debian and it's derivatives
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
format="GIF" />.</para>
format="GIF"/>.</para>
</section>
</section>
<section id="PPTP">
<title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you have an <acronym>ADSL</acronym> Modem and you use
<acronym>PPTP</acronym> to communicate with a server in that modem, you
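Review bot: the only change in this hunk is the self-closing tag serialization (`format="GIF" />` to `format="GIF"/>`), which is editor re-serialization and not part of "Revise instructions for disabling iptables"; the same cosmetic rewrite is repeated in nearly every hunk of all three files and buries the handful of hunks that actually move and extend the Disabling section. Commit the whitespace churn separately so the substantive change can be reviewed on its own. Since the file is being rewritten anyway, the unchanged context line `Configuration notes that are unique to Debian and it's derivatives` should also read `its`.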
@ -144,7 +143,7 @@
<section id="Concepts">
<title>Shorewall Concepts</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for simple
@ -177,7 +176,7 @@
</listitem>
<listitem>
<para><graphic align="left" fileref="images/openlogo-nd-25.png" />If
<para><graphic align="left" fileref="images/openlogo-nd-25.png"/>If
you installed using a Shorewall 4.x .deb, the samples are in <emphasis
role="bold"><filename
class="directory">/usr/share/doc/shorewall/examples/one-interface</filename>..</emphasis>
@ -352,7 +351,7 @@ root@lists:~# </programlisting>
the external interface.</para>
</caution>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The Shorewall one-interface sample configuration assumes that the
external interface is <filename class="devicefile">eth0</filename>. If
@ -460,7 +459,7 @@ root@lists:~# </programlisting>
</listitem>
</itemizedlist>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you are running a distribution that logs Netfilter messages to a
log other than <filename>/var/log/messages</filename>, then modify the
@ -500,7 +499,7 @@ root@lists:~# </programlisting>
<filename>/usr/share/shorewall/modules</filename> then copy the file to
<filename>/etc/shorewall</filename> and modify the copy.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
</section>
@ -564,33 +563,16 @@ ACCEPT net $FW tcp 143</programlisting></para>
SSH(ACCEPT) net $FW </programlisting>
</important>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>At this point, edit <filename>/etc/shorewall/rules</filename> to add
other connections as desired.</para>
</section>
<section>
<title>Disabling your existing Firewall</title>
<para>Before starting Shorewall for the first time, it's a good idea to
stop your existing firewall. On Redhat/CentOS/Fedora:</para>
<programlisting><command>service iptables stop</command></programlisting>
<para>If you are running SuSE, use Yast or Yast2 to stop
SuSEFirewall.</para>
<para>Once you have Shorewall running to your satisfaction, you should
totally disable your existing firewall. On /Redhat/CentOS/Fedora:</para>
<programlisting><command>chkconfig --del iptables</command></programlisting>
</section>
<section id="Starting">
<title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The <ulink url="Install.htm">installation procedure</ulink>
configures your system to start Shorewall at system boot but startup is
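Review bot: this hunk deletes the `Disabling your existing Firewall` section from its place immediately before `<section id="Starting">`, and the hunk at +657 below re-adds it after the Starting section, so the guide now tells the reader "Before starting Shorewall for the first time, it's a good idea to stop your existing firewall" only after it has walked them through starting it. Either keep the section ahead of `Starting and Stopping Your Firewall`, or split it: leave the stop instructions here and move only the "totally disable" half after the Starting section. The same move is made in the three-interface and two-interface files.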
@ -598,7 +580,7 @@ SSH(ACCEPT) net $FW </programlisting>
configuration is complete. Once you have completed configuration of your
firewall, you must edit /etc/shorewall/shorewall.conf and set
STARTUP_ENABLED=Yes.<graphic align="left"
fileref="images/openlogo-nd-25.png" /></para>
fileref="images/openlogo-nd-25.png"/></para>
<important>
<para>Users of the .deb package must edit
@ -675,6 +657,44 @@ SSH(ACCEPT) net $FW </programlisting>
</itemizedlist>
</section>
<section>
<title>Disabling your existing Firewall</title>
<para>Before starting Shorewall for the first time, it's a good idea to
stop your existing firewall. On older Redhat/CentOS/Fedora:</para>
<programlisting><command>service iptables stop</command></programlisting>
<para>On recent Fedora systems that run systemd, the command is:</para>
<programlisting><command>systemctl stop iptables.service</command></programlisting>
<para>If you are running SuSE, use Yast or Yast2 to stop
SuSEFirewall.</para>
<para>On other systems that use a classic SysV init system:</para>
<programlisting><command>/etc/init.d/iptables stop</command></programlisting>
<para>Once you have Shorewall running to your satisfaction, you should
totally disable your existing firewall. On older
Redhat/CentOS/Fedora:</para>
<programlisting><command>chkconfig --del iptables</command></programlisting>
<para>On Debian systems:</para>
<programlisting><command>update-rc.d iptables disable</command></programlisting>
<para>On recent Fedora system running systemd:</para>
<programlisting><command>systemctl disable iptables.service</command></programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>At this point, disable your existing firewall service.</para>
</section>
<section id="Other">
<title>Additional Recommended Reading</title>
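Review bot: the new section should call out the unprotected window it creates: from `service iptables stop` (or the `systemctl` / `/etc/init.d` equivalents) until `shorewall start` succeeds, the host has no packet filter, and a configuration error in Shorewall at that moment leaves it open. Suggest telling the reader to run `shorewall check` before stopping the old firewall and to start Shorewall immediately afterwards. Also, the flagged closing paragraph `At this point, disable your existing firewall service.` restates the `chkconfig --del` / `update-rc.d` / `systemctl disable` instructions given a few lines above; either drop it or make it the single flagged action point, and give its `<inlinegraphic fileref="images/BD21298_.gif"/>` the `format="GIF"` attribute that every other flag graphic in the file carries.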

View File

@ -90,7 +90,7 @@
<mediaobject>
<imageobject>
<imagedata align="center" fileref="images/dmz1.png" format="PNG" />
<imagedata align="center" fileref="images/dmz1.png" format="PNG"/>
</imageobject>
</mediaobject>
</figure>
@ -147,19 +147,18 @@
<title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged
with <inlinegraphic fileref="images/BD21298_.gif"
format="GIF" />.</para>
with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
<para>Configuration notes that are unique to Debian and it's derivatives
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
format="GIF" />.</para>
format="GIF"/>.</para>
</section>
</section>
<section id="PPTP">
<title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you have an ADSL Modem and you use PPTP to communicate with a
server in that modem, you must make the <ulink
@ -175,7 +174,7 @@
<filename>/etc/shorewall</filename> -- for simple setups, you will only
need to deal with a few of these as described in this guide.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>After you have installed Shorewall, locate the three-interface
Sample configuration:</para>
@ -210,7 +209,7 @@
</listitem>
<listitem>
<para><graphic align="left" fileref="images/openlogo-nd-25.png" />If
<para><graphic align="left" fileref="images/openlogo-nd-25.png"/>If
you installed using a Shorewall 4.x .deb, the samples are in <emphasis
role="bold"><filename
class="directory">/usr/share/doc/shorewall/examples/three-interfaces</filename></emphasis>.
@ -363,7 +362,7 @@ $FW loc ACCEPT</programlisting>
<emphasis>net</emphasis> zone even though connections are not allowed from
the <emphasis>loc</emphasis> zone to the firewall itself.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>At this point, edit your <filename>/etc/shorewall/policy</filename>
file and make any changes that you wish.</para>
@ -377,7 +376,7 @@ $FW loc ACCEPT</programlisting>
<mediaobject>
<imageobject>
<imagedata align="center" fileref="images/dmz1.png" format="PNG" />
<imagedata align="center" fileref="images/dmz1.png" format="PNG"/>
</imageobject>
</mediaobject>
</figure>
@ -421,7 +420,7 @@ root@lists:~# </programlisting>
the external interface.</para>
</caution>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>I<emphasis role="bold">f your external interface is <filename
class="devicefile">ppp0</filename> or <filename
@ -463,7 +462,7 @@ root@lists:~# </programlisting>
exactly one default route via your ISP's Router.</para>
</caution>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The Shorewall three-interface sample configuration assumes that the
external interface is <filename class="devicefile">eth0</filename>, the
@ -528,7 +527,7 @@ root@lists:~# </programlisting>
<title>Example sub-network</title>
<tgroup cols="2">
<colspec align="left" />
<colspec align="left"/>
<tbody>
<row>
@ -573,7 +572,7 @@ root@lists:~# </programlisting>
directly. To communicate with systems outside of the subnetwork, systems
send packets through a gateway (router).</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Your local computers (Local Computers 1 &amp; 2) should be
configured with their default gateway set to the IP address of the
@ -596,7 +595,7 @@ root@lists:~# </programlisting>
<mediaobject>
<imageobject>
<imagedata fileref="images/dmz2.png" />
<imagedata fileref="images/dmz2.png"/>
</imageobject>
<caption><para>The default gateway for the DMZ computers would be
@ -652,7 +651,7 @@ root@lists:~# </programlisting>
class="directory">/etc/shorewall/</filename><filename>masq</filename>
file.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If your external firewall interface is <filename
class="devicefile">eth0</filename> then you do not need to modify the file
@ -665,7 +664,7 @@ root@lists:~# </programlisting>
modify the SOURCE column to list just your local interface (10.10.10.0/24
in the above example).</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If your external IP is static, you can enter it in the third column
in the <filename
@ -673,7 +672,7 @@ root@lists:~# </programlisting>
entry if you like although your firewall will work fine if you leave that
column empty. Entering your static IP in column 3 makes processing
outgoing packets a little more efficient.<graphic align="left"
fileref="images/openlogo-nd-25.png" /></para>
fileref="images/openlogo-nd-25.png"/></para>
<para><emphasis role="bold">If you are using the Debian package, please
check your <filename>shorewall.conf</filename> file to ensure that the
@ -736,7 +735,7 @@ root@lists:~# </programlisting>
</listitem>
</itemizedlist>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you are running a distribution that logs netfilter messages to a
log other than <filename>/var/log/messages</filename>, then modify the
@ -776,7 +775,7 @@ root@lists:~# </programlisting>
<filename>/usr/share/shorewall/modules</filename> then copy the file to
<filename>/etc/shorewall</filename> and modify the copy.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
</section>
@ -886,7 +885,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
</itemizedlist></para>
</example>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>At this point, add the DNAT and ACCEPT rules for your
servers.</para>
@ -924,7 +923,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
<listitem>
<para><inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /></para>
format="GIF"/></para>
<para>You can configure a <emphasis>Caching Name Server</emphasis>
on your firewall or in your DMZ. <trademark>Red Hat</trademark> has
@ -1026,7 +1025,7 @@ ACCEPT net $FW udp 53 </programlisting>
SSH(ACCEPT) net $FW</programlisting></para>
</important>
<para><inlinegraphic fileref="images/leaflogo.gif" format="GIF" /> Bering
<para><inlinegraphic fileref="images/leaflogo.gif" format="GIF"/> Bering
users will want to add the following two rules to be compatible with
Jacques's Shorewall configuration: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc $FW udp 53
@ -1039,7 +1038,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
<para>Entry 2 allows the <quote>weblet</quote> to work.</para>
</listitem>
</itemizedlist><inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /></para>
format="GIF"/></para>
<para>Now modify <filename>/etc/shorewall/rules</filename> to add or
remove other connections as required.</para>
@ -1101,27 +1100,10 @@ ACCEPT net $FW tcp 80 </programlisting><it
</itemizedlist>
</section>
<section>
<title>Disabling your existing Firewall</title>
<para>Before starting Shorewall for the first time, it's a good idea to
stop your existing firewall. On Redhat/CentOS/Fedora:</para>
<programlisting><command>service iptables stop</command></programlisting>
<para>If you are running SuSE, use Yast or Yast2 to stop
SuSEFirewall.</para>
<para>Once you have Shorewall running to your satisfaction, you should
totally disable your existing firewall. On /Redhat/CentOS/Fedora:</para>
<programlisting><command>chkconfig --del iptables</command></programlisting>
</section>
<section id="Starting">
<title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The <ulink url="Install.htm">installation procedure</ulink>
configures your system to start Shorewall at system boot but startup is
@ -1130,7 +1112,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
firewall, you can enable Shorewall startup by editing
<filename>/etc/shorewall/shorewall.conf</filename> and setting
STARTUP_ENABLED=Yes.<graphic align="left"
fileref="images/openlogo-nd-25.png" /><important>
fileref="images/openlogo-nd-25.png"/><important>
<para>Users of the <filename>.deb</filename> package must edit
<filename>/etc/default/shorewall</filename> and set
<varname>startup=1</varname>.</para>
@ -1151,7 +1133,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
Shorewall from your Netfilter configuration, use <command>shorewall
clear</command>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The three-interface sample assumes that you want to enable routing
to/from <filename class="devicefile">eth1</filename> (your local network)
@ -1205,6 +1187,44 @@ ACCEPT net $FW tcp 80 </programlisting><it
</itemizedlist>
</section>
<section>
<title>Disabling your existing Firewall</title>
<para>Before starting Shorewall for the first time, it's a good idea to
stop your existing firewall. On older Redhat/CentOS/Fedora:</para>
<programlisting><command>service iptables stop</command></programlisting>
<para>On recent Fedora systems that run systemd, the command is:</para>
<programlisting><command>systemctl stop iptables.service</command></programlisting>
<para>If you are running SuSE, use Yast or Yast2 to stop
SuSEFirewall.</para>
<para>On other systems that use a classic SysV init system:</para>
<programlisting><command>/etc/init.d/iptables stop</command></programlisting>
<para>Once you have Shorewall running to your satisfaction, you should
totally disable your existing firewall. On older
Redhat/CentOS/Fedora:</para>
<programlisting><command>chkconfig --del iptables</command></programlisting>
<para>On Debian systems:</para>
<programlisting><command>update-rc.d iptables disable</command></programlisting>
<para>On recent Fedora system running systemd:</para>
<programlisting><command>systemctl disable iptables.service</command></programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>At this point, disable your existing firewall service.</para>
</section>
<section id="Reading">
<title>Additional Recommended Reading</title>
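Review bot: `update-rc.d iptables disable` in the Debian paragraph assumes an init script named `iptables` exists under `/etc/init.d`, but everywhere else in this section that name is tied to Redhat/CentOS/Fedora; `update-rc.d` fails when `/etc/init.d/iptables` is absent, and Debian's packaged rule loader uses a different script name (iptables-persistent, for example). Verify the name on a Debian system and document the actual script, and note that disabling it does not flush the running rules, so it must follow the `/etc/init.d/iptables stop` step given earlier. The SuSE paragraph also has no counterpart in the "totally disable" half of the section: say how SuSEFirewall is kept from starting at boot, not only how it is stopped.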

View File

@ -74,7 +74,7 @@
<mediaobject>
<imageobject>
<imagedata align="center" fileref="images/basics.png" format="PNG" />
<imagedata align="center" fileref="images/basics.png" format="PNG"/>
</imageobject>
</mediaobject>
</figure> <caution>
@ -121,19 +121,18 @@
<title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged
with <inlinegraphic fileref="images/BD21298_.gif"
format="GIF" />.</para>
with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
<para>Configuration notes that are unique to Debian and it's derivatives
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
format="GIF" />.</para>
format="GIF"/>.</para>
</section>
</section>
<section id="PPTP">
<title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you have an <acronym>ADSL</acronym> Modem and you use
<acronym>PPTP</acronym> to communicate with a server in that modem, you
@ -146,7 +145,7 @@
<section id="Concepts">
<title>Shorewall Concepts</title>
<para></para>
<para/>
<para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for simple
@ -154,7 +153,7 @@
this guide.</para>
<para><inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /><important>
format="GIF"/><important>
<para>After you have <ulink url="Install.htm">installed
Shorewall</ulink>, locate the two-interfaces samples:</para>
@ -190,7 +189,7 @@
<listitem>
<para><graphic align="left"
fileref="images/openlogo-nd-25.png" />If you installed using a
fileref="images/openlogo-nd-25.png"/>If you installed using a
Shorewall 4.x .deb, the samples are in <emphasis
role="bold"><filename
class="directory">/usr/share/doc/shorewall-common/examples/two-interfaces</filename>.</emphasis>
@ -337,7 +336,7 @@ $FW net ACCEPT</programlisting> The above policy will:
loc $FW ACCEPT
$FW loc ACCEPT</programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>At this point, edit your <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename>
@ -349,7 +348,7 @@ $FW loc ACCEPT</programlisting>
<mediaobject>
<imageobject>
<imagedata align="center" fileref="images/basics.png" format="PNG" />
<imagedata align="center" fileref="images/basics.png" format="PNG"/>
</imageobject>
</mediaobject>
@ -393,7 +392,7 @@ root@lists:~# </programlisting>
the external interface.</para>
</caution>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>I<emphasis role="bold">f your external interface is <filename
class="devicefile">ppp0</filename> or <filename
@ -421,7 +420,7 @@ root@lists:~# </programlisting>
internal interface.</emphasis> Your firewall should have exactly one
default route via your ISP's Router.</para>
</warning> <inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /></para>
format="GIF"/></para>
<para>The Shorewall two-interface sample configuration assumes that the
external interface is <filename class="devicefile">eth0</filename> and the
@ -533,7 +532,7 @@ root@lists:~# </programlisting>
directly. To communicate with systems outside of the subnetwork, systems
send packets through a gateway (router).</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Your local computers (computer 1 and computer 2 in the above
diagram) should be configured with their default gateway to be the
@ -550,7 +549,7 @@ root@lists:~# </programlisting>
<para id="Diagram">The remainder of this guide will assume that you have
configured your network as shown here: <mediaobject>
<imageobject>
<imagedata align="center" fileref="images/basics1.png" format="PNG" />
<imagedata align="center" fileref="images/basics1.png" format="PNG"/>
</imageobject>
</mediaobject> The default gateway for computer's 1 &amp; 2 would be
<systemitem class="ipaddress">10.10.10.254</systemitem>. <warning>
@ -607,7 +606,7 @@ root@lists:~# </programlisting>
<acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the
<acronym>IP</acronym> is static.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If your external firewall interface is <filename
class="devicefile">eth0</filename>, you do not need to modify the file
@ -616,7 +615,7 @@ root@lists:~# </programlisting>
class="directory">/etc/shorewall/</filename><filename>masq</filename> and
change the first column to the name of your external interface.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If your external <acronym>IP</acronym> is static, you can enter it
in the third column in the <filename
@ -626,7 +625,7 @@ root@lists:~# </programlisting>
column 3 (SNAT) makes the processing of outgoing packets a little more
efficient.</para>
<graphic align="left" fileref="images/openlogo-nd-25.png" />
<graphic align="left" fileref="images/openlogo-nd-25.png"/>
<para>I<emphasis role="bold">f you are using the Debian package, please
check your <filename>shorewall.conf</filename> file to ensure that the
@ -689,7 +688,7 @@ root@lists:~# </programlisting>
</listitem>
</itemizedlist>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>If you are running a distribution that logs netfilter messages to a
log other than <filename>/var/log/messages</filename>, then modify the
@ -729,7 +728,7 @@ root@lists:~# </programlisting>
<filename>/usr/share/shorewall/modules</filename> then copy the file to
<filename>/etc/shorewall</filename> and modify the copy.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
</section>
@ -827,7 +826,7 @@ FTP(DNAT) net loc:10.10.10.1</programlisting> For
DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
</listitem>
</itemizedlist> <inlinegraphic fileref="images/BD21298_.gif"
format="GIF" /></para>
format="GIF"/></para>
<para>At this point, modify <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename> to
@ -875,7 +874,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
</listitem>
<listitem>
<para><anchor id="cachingdns" /> You can configure a
<para><anchor id="cachingdns"/> You can configure a
<emphasis>Caching Name Server</emphasis> on your firewall.
<trademark>Red Hat</trademark> has an <acronym>RPM</acronym> for a
caching name server (the <acronym>RPM</acronym> also requires the
@ -954,11 +953,11 @@ Web(ACCEPT) loc $FW </programlisting>Those two rules would of
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH(ACCEPT) net $FW</programlisting>
</important> <inlinegraphic fileref="images/leaflogo.gif"
format="GIF" />Bering users will want to add the following two rules to be
format="GIF"/>Bering users will want to add the following two rules to be
compatible with Jacques's Shorewall configuration.<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc $FW udp 53 #Allow DNS Cache to work
ACCEPT loc $FW tcp 80 #Allow Weblet to work</programlisting>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>Now edit your <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>
@ -1021,27 +1020,10 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
</itemizedlist>
</section>
<section>
<title>Disabling your existing Firewall</title>
<para>Before starting Shorewall for the first time, it's a good idea to
stop your existing firewall. On Redhat/CentOS/Fedora:</para>
<programlisting><command>service iptables stop</command></programlisting>
<para>If you are running SuSE, use Yast or Yast2 to stop
SuSEFirewall.</para>
<para>Once you have Shorewall running to your satisfaction, you should
totally disable your existing firewall. On /Redhat/CentOS/Fedora:</para>
<programlisting><command>chkconfig --del iptables</command></programlisting>
</section>
<section id="Starting">
<title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The <ulink url="Install.htm">installation procedure</ulink>
configures your system to start Shorewall at system boot but startup is
@ -1049,7 +1031,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
configuration is complete. Once you have completed configuration of your
firewall, you must edit /etc/shorewall/shorewall.conf and set
STARTUP_ENABLED=Yes.<graphic align="left"
fileref="images/openlogo-nd-25.png" /><important>
fileref="images/openlogo-nd-25.png"/><important>
<para>Users of the .deb package must edit <filename
class="directory">/etc/default/</filename><filename>shorewall</filename>
and set <varname>startup=1</varname>.</para>
@ -1069,7 +1051,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
of Shorewall from your Netfilter configuration, use
<quote><command>shorewall clear</command></quote>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The two-interface sample assumes that you want to enable routing
to/from <filename class="devicefile">eth1</filename> (the local network)
@ -1122,6 +1104,44 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
</itemizedlist>
</section>
<section>
<title>Disabling your existing Firewall</title>
<para>Before starting Shorewall for the first time, it's a good idea to
stop your existing firewall. On older Redhat/CentOS/Fedora:</para>
<programlisting><command>service iptables stop</command></programlisting>
<para>On recent Fedora systems that run systemd, the command is:</para>
<programlisting><command>systemctl stop iptables.service</command></programlisting>
<para>If you are running SuSE, use Yast or Yast2 to stop
SuSEFirewall.</para>
<para>On other systems that use a classic SysV init system:</para>
<programlisting><command>/etc/init.d/iptables stop</command></programlisting>
<para>Once you have Shorewall running to your satisfaction, you should
totally disable your existing firewall. On older
Redhat/CentOS/Fedora:</para>
<programlisting><command>chkconfig --del iptables</command></programlisting>
<para>On Debian systems:</para>
<programlisting><command>update-rc.d iptables disable</command></programlisting>
<para>On recent Fedora system running systemd:</para>
<programlisting><command>systemctl disable iptables.service</command></programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
<para>At this point, disable your existing firewall service.</para>
</section>
<section id="Reading">
<title>Additional Recommended Reading</title>
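Review bot: `On recent Fedora system running systemd:` should read `systems`, matching the earlier `On recent Fedora systems that run systemd`. The systemd paragraphs also name only Fedora while the preceding `service` / `chkconfig` paragraphs say Redhat/CentOS/Fedora; any Redhat-family release running systemd needs the same `systemctl` commands, so phrase it as "systems running systemd" rather than tying it to one distribution. Finally, `chkconfig --del iptables` removes the service from chkconfig management entirely; `chkconfig iptables off` is the conventional way to disable a service and leaves it listed so a later `chkconfig iptables on` can restore it without re-adding the script.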
@ -1161,9 +1181,9 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
</caution></para>
<para>Your new network will look similar to what is shown in the following
figure.<graphic align="center" fileref="images/basics2.png" /></para>
figure.<graphic align="center" fileref="images/basics2.png"/></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>The first thing to note is that the computers in your wireless
network will be in a different subnet from those on your wired local LAN.
@ -1176,7 +1196,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
traffic may flow freely between the local wired network and the wireless
network.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
<para>There are only two changes that need to be made to the Shorewall
configuration:</para>