diff --git a/docs/standalone.xml b/docs/standalone.xml index 56b32d0b3..956032785 100644 --- a/docs/standalone.xml +++ b/docs/standalone.xml @@ -119,19 +119,18 @@ Conventions Points at which configuration changes are recommended are flagged - with . + with . Configuration notes that are unique to Debian and it's derivatives are marked with . + format="GIF"/>.
PPTP/ADSL - + If you have an ADSL Modem and you use PPTP to communicate with a server in that modem, you @@ -144,7 +143,7 @@
Shorewall Concepts - + The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple @@ -177,7 +176,7 @@ - If + If you installed using a Shorewall 4.x .deb, the samples are in /usr/share/doc/shorewall/examples/one-interface.. @@ -352,7 +351,7 @@ root@lists:~# the external interface. - + The Shorewall one-interface sample configuration assumes that the external interface is eth0. If @@ -460,7 +459,7 @@ root@lists:~# - + If you are running a distribution that logs Netfilter messages to a log other than /var/log/messages, then modify the @@ -500,7 +499,7 @@ root@lists:~# /usr/share/shorewall/modules then copy the file to /etc/shorewall and modify the copy. - + Modify the setting of LOAD_HELPER_ONLY as necessary.
@@ -564,33 +563,16 @@ ACCEPT net $FW tcp 143
SSH(ACCEPT) net $FW - + At this point, edit /etc/shorewall/rules to add other connections as desired.
-
- Disabling your existing Firewall - - Before starting Shorewall for the first time, it's a good idea to - stop your existing firewall. On Redhat/CentOS/Fedora: - - service iptables stop - - If you are running SuSE, use Yast or Yast2 to stop - SuSEFirewall. - - Once you have Shorewall running to your satisfaction, you should - totally disable your existing firewall. On /Redhat/CentOS/Fedora: - - chkconfig --del iptables -
-
Starting and Stopping Your Firewall - + The installation procedure configures your system to start Shorewall at system boot but startup is @@ -598,7 +580,7 @@ SSH(ACCEPT) net $FW configuration is complete. Once you have completed configuration of your firewall, you must edit /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes. + fileref="images/openlogo-nd-25.png"/> Users of the .deb package must edit @@ -675,6 +657,44 @@ SSH(ACCEPT) net $FW
+
+ Disabling your existing Firewall + + Before starting Shorewall for the first time, it's a good idea to + stop your existing firewall. On older Redhat/CentOS/Fedora: + + service iptables stop + + On recent Fedora systems that run systemd, the command is: + + systemctl stop iptables.service + + If you are running SuSE, use Yast or Yast2 to stop + SuSEFirewall. + + On other systems that use a classic SysV init system: + + /etc/init.d/iptables stop + + Once you have Shorewall running to your satisfaction, you should + totally disable your existing firewall. On older + Redhat/CentOS/Fedora: + + chkconfig --del iptables + + On Debian systems: + + update-rc.d iptables disable + + On recent Fedora system running systemd: + + systemctl disable iptables.service + + + + At this point, disable your existing firewall service. +
+
Additional Recommended Reading diff --git a/docs/three-interface.xml b/docs/three-interface.xml index ae4f8ae0b..c891b2592 100644 --- a/docs/three-interface.xml +++ b/docs/three-interface.xml @@ -90,7 +90,7 @@ - + @@ -147,19 +147,18 @@ Conventions Points at which configuration changes are recommended are flagged - with . + with . Configuration notes that are unique to Debian and it's derivatives are marked with . + format="GIF"/>.
PPTP/ADSL - + If you have an ADSL Modem and you use PPTP to communicate with a server in that modem, you must make the /etc/shorewall -- for simple setups, you will only need to deal with a few of these as described in this guide. - + After you have installed Shorewall, locate the three-interface Sample configuration: @@ -210,7 +209,7 @@ - If + If you installed using a Shorewall 4.x .deb, the samples are in /usr/share/doc/shorewall/examples/three-interfaces. @@ -363,7 +362,7 @@ $FW loc ACCEPT net zone even though connections are not allowed from the loc zone to the firewall itself. - + At this point, edit your /etc/shorewall/policy file and make any changes that you wish. @@ -377,7 +376,7 @@ $FW loc ACCEPT - + @@ -421,7 +420,7 @@ root@lists:~# the external interface. - + If your external interface is ppp0 or exactly one default route via your ISP's Router. - + The Shorewall three-interface sample configuration assumes that the external interface is eth0, the @@ -528,7 +527,7 @@ root@lists:~# Example sub-network - + @@ -573,7 +572,7 @@ root@lists:~# directly. To communicate with systems outside of the subnetwork, systems send packets through a gateway (router). - + Your local computers (Local Computers 1 & 2) should be configured with their default gateway set to the IP address of the @@ -596,7 +595,7 @@ root@lists:~# - + The default gateway for the DMZ computers would be @@ -652,7 +651,7 @@ root@lists:~# class="directory">/etc/shorewall/masq file. - + If your external firewall interface is eth0 then you do not need to modify the file 
@@ -665,7 +664,7 @@ root@lists:~# modify the SOURCE column to list just your local interface (10.10.10.0/24 in the above example). - + If your external IP is static, you can enter it in the third column in the entry if you like although your firewall will work fine if you leave that column empty. Entering your static IP in column 3 makes processing outgoing packets a little more efficient. + fileref="images/openlogo-nd-25.png"/> If you are using the Debian package, please check your shorewall.conf file to ensure that the @@ -736,7 +735,7 @@ root@lists:~# - + If you are running a distribution that logs netfilter messages to a log other than /var/log/messages, then modify the @@ -776,7 +775,7 @@ root@lists:~# /usr/share/shorewall/modules then copy the file to /etc/shorewall and modify the copy. - + Modify the setting of LOAD_HELPER_ONLY as necessary.
@@ -886,7 +885,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP - + At this point, add the DNAT and ACCEPT rules for your servers. @@ -924,7 +923,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP + format="GIF"/> You can configure a Caching Name Server on your firewall or in your DMZ. Red Hat has @@ -1026,7 +1025,7 @@ ACCEPT net $FW udp 53 SSH(ACCEPT) net $FW - Bering + Bering users will want to add the following two rules to be compatible with Jacques's Shorewall configuration: #ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT loc $FW udp 53 @@ -1039,7 +1038,7 @@ ACCEPT net $FW tcp 80 Entry 2 allows the weblet to work. + format="GIF"/> Now modify /etc/shorewall/rules to add or remove other connections as required. @@ -1101,27 +1100,10 @@ ACCEPT net $FW tcp 80 -
- Disabling your existing Firewall - - Before starting Shorewall for the first time, it's a good idea to - stop your existing firewall. On Redhat/CentOS/Fedora: - - service iptables stop - - If you are running SuSE, use Yast or Yast2 to stop - SuSEFirewall. - - Once you have Shorewall running to your satisfaction, you should - totally disable your existing firewall. On /Redhat/CentOS/Fedora: - - chkconfig --del iptables -
-
Starting and Stopping Your Firewall - + The installation procedure configures your system to start Shorewall at system boot but startup is @@ -1130,7 +1112,7 @@ ACCEPT net $FW tcp 80 /etc/shorewall/shorewall.conf and setting STARTUP_ENABLED=Yes. + fileref="images/openlogo-nd-25.png"/> Users of the .deb package must edit /etc/default/shorewall and set startup=1. @@ -1151,7 +1133,7 @@ ACCEPT net $FW tcp 80 shorewall clear. - + The three-interface sample assumes that you want to enable routing to/from eth1 (your local network) @@ -1205,6 +1187,44 @@ ACCEPT net $FW tcp 80
+
+ Disabling your existing Firewall + + Before starting Shorewall for the first time, it's a good idea to + stop your existing firewall. On older Redhat/CentOS/Fedora: + + service iptables stop + + On recent Fedora systems that run systemd, the command is: + + systemctl stop iptables.service + + If you are running SuSE, use Yast or Yast2 to stop + SuSEFirewall. + + On other systems that use a classic SysV init system: + + /etc/init.d/iptables stop + + Once you have Shorewall running to your satisfaction, you should + totally disable your existing firewall. On older + Redhat/CentOS/Fedora: + + chkconfig --del iptables + + On Debian systems: + + update-rc.d iptables disable + + On recent Fedora system running systemd: + + systemctl disable iptables.service + + + + At this point, disable your existing firewall service. +
+
Additional Recommended Reading diff --git a/docs/two-interface.xml b/docs/two-interface.xml index 6236a4848..e5b29197d 100644 --- a/docs/two-interface.xml +++ b/docs/two-interface.xml @@ -74,7 +74,7 @@ - + @@ -121,19 +121,18 @@ Conventions Points at which configuration changes are recommended are flagged - with . + with . Configuration notes that are unique to Debian and it's derivatives are marked with . + format="GIF"/>.
PPTP/ADSL - + If you have an ADSL Modem and you use PPTP to communicate with a server in that modem, you @@ -146,7 +145,7 @@
Shorewall Concepts - + The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple @@ -154,7 +153,7 @@ this guide. + format="GIF"/> After you have installed Shorewall, locate the two-interfaces samples: @@ -190,7 +189,7 @@ If you installed using a + fileref="images/openlogo-nd-25.png"/>If you installed using a Shorewall 4.x .deb, the samples are in /usr/share/doc/shorewall-common/examples/two-interfaces. @@ -337,7 +336,7 @@ $FW net ACCEPT The above policy will: loc $FW ACCEPT $FW loc ACCEPT - + At this point, edit your /etc/shorewall/policy @@ -349,7 +348,7 @@ $FW loc ACCEPT - + @@ -393,7 +392,7 @@ root@lists:~# the external interface. - + If your external interface is ppp0 or internal interface. Your firewall should have exactly one default route via your ISP's Router. + format="GIF"/> The Shorewall two-interface sample configuration assumes that the external interface is eth0 and the @@ -533,7 +532,7 @@ root@lists:~# directly. To communicate with systems outside of the subnetwork, systems send packets through a gateway (router). - + Your local computers (computer 1 and computer 2 in the above diagram) should be configured with their default gateway to be the @@ -550,7 +549,7 @@ root@lists:~# The remainder of this guide will assume that you have configured your network as shown here: - + The default gateway for computer's 1 & 2 would be 10.10.10.254. @@ -607,7 +606,7 @@ root@lists:~# IP is dynamic and SNAT if the IP is static. - + If your external firewall interface is eth0, you do not need to modify the file @@ -616,7 +615,7 @@ root@lists:~# class="directory">/etc/shorewall/masq and change the first column to the name of your external interface. - + If your external IP is static, you can enter it in the third column in the column 3 (SNAT) makes the processing of outgoing packets a little more efficient. - + If you are using the Debian package, please check your shorewall.conf file to ensure that the 
@@ -689,7 +688,7 @@ root@lists:~# - + If you are running a distribution that logs netfilter messages to a log other than /var/log/messages, then modify the @@ -729,7 +728,7 @@ root@lists:~# /usr/share/shorewall/modules then copy the file to /etc/shorewall and modify the copy. - + Modify the setting of LOAD_HELPER_ONLY as necessary.
@@ -827,7 +826,7 @@ FTP(DNAT) net loc:10.10.10.1 For DNAT net loc:10.10.10.2:80 tcp 5000
+ format="GIF"/> At this point, modify /etc/shorewall/rules to @@ -875,7 +874,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000 - You can configure a + You can configure a Caching Name Server on your firewall. Red Hat has an RPM for a caching name server (the RPM also requires the @@ -954,11 +953,11 @@ Web(ACCEPT) loc $FW Those two rules would of #ACTION SOURCE DEST PROTO DEST PORT(S) SSH(ACCEPT) net $FW Bering users will want to add the following two rules to be + format="GIF"/>Bering users will want to add the following two rules to be compatible with Jacques's Shorewall configuration.#ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT loc $FW udp 53 #Allow DNS Cache to work ACCEPT loc $FW tcp 80 #Allow Weblet to work - + Now edit your /etc/shorewall/rules @@ -1021,27 +1020,10 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work
-
- Disabling your existing Firewall - - Before starting Shorewall for the first time, it's a good idea to - stop your existing firewall. On Redhat/CentOS/Fedora: - - service iptables stop - - If you are running SuSE, use Yast or Yast2 to stop - SuSEFirewall. - - Once you have Shorewall running to your satisfaction, you should - totally disable your existing firewall. On /Redhat/CentOS/Fedora: - - chkconfig --del iptables -
-
Starting and Stopping Your Firewall - + The installation procedure configures your system to start Shorewall at system boot but startup is @@ -1049,7 +1031,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work + fileref="images/openlogo-nd-25.png"/> Users of the .deb package must edit /etc/default/shorewall and set startup=1. @@ -1069,7 +1051,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to workshorewall clear. - + The two-interface sample assumes that you want to enable routing to/from eth1 (the local network) @@ -1122,6 +1104,44 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work
+
+ Disabling your existing Firewall + + Before starting Shorewall for the first time, it's a good idea to + stop your existing firewall. On older Redhat/CentOS/Fedora: + + service iptables stop + + On recent Fedora systems that run systemd, the command is: + + systemctl stop iptables.service + + If you are running SuSE, use Yast or Yast2 to stop + SuSEFirewall. + + On other systems that use a classic SysV init system: + + /etc/init.d/iptables stop + + Once you have Shorewall running to your satisfaction, you should + totally disable your existing firewall. On older + Redhat/CentOS/Fedora: + + chkconfig --del iptables + + On Debian systems: + + update-rc.d iptables disable + + On recent Fedora system running systemd: + + systemctl disable iptables.service + + + + At this point, disable your existing firewall service. +
+
Additional Recommended Reading @@ -1161,9 +1181,9 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work Your new network will look similar to what is shown in the following - figure. + figure. - + The first thing to note is that the computers in your wireless network will be in a different subnet from those on your wired local LAN. @@ -1176,7 +1196,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work - + There are only two changes that need to be made to the Shorewall configuration:
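Review bot: In the Conventions hunks (standalone.xml @@ -119,19 +119,18 @@, three-interface.xml @@ -147,19 +147,18 @@, two-interface.xml @@ -121,19 +121,18 @@) the Debian-logo image reference is switched from a GIF (`format="GIF"` dropped) to `fileref="images/openlogo-nd-25.png"`, so please confirm that `docs/images/openlogo-nd-25.png` is actually added to the tree and that no other image reference in these three files still points at the old GIF, otherwise the rendered guides show a broken image at every Debian note. While these lines are being touched, the context sentence "Configuration notes that are unique to Debian and it's derivatives" should read "its derivatives".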
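Review bot: The sample-location hunks (standalone.xml @@ -177,7 +176,7 @@, three-interface.xml @@ -210,7 +209,7 @@, two-interface.xml @@ -190,7 +189,7 @@) leave the three guides disagreeing about where the Shorewall 4.x .deb installs its samples: standalone and three-interface say `/usr/share/doc/shorewall/examples/...`, two-interface says `/usr/share/doc/shorewall-common/examples/two-interfaces`. Since the patch rewrites these sentences anyway, confirm which package directory is correct for 4.x and use it in all three; the standalone text also carries a stray double period in `one-interface..` that should be fixed in the same change.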
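Review bot: The relocated "Disabling your existing Firewall" section (standalone.xml @@ -675,6 +657,44 @@, and the identical hunks three-interface.xml @@ -1205,6 +1187,44 @@ and two-interface.xml @@ -1122,6 +1104,44 @@) tells the reader to run `chkconfig --del iptables`, `update-rc.d iptables disable` or `systemctl disable iptables.service`, but the "Starting and Stopping Your Firewall" section immediately above says Shorewall's own boot-time startup stays disabled until `STARTUP_ENABLED=Yes` (or `startup=1` in `/etc/default/shorewall` for the .deb) is set. A reader who disables the distribution firewall before doing that reboots into a host with no packet filter at all. Suggest one sentence before the disable commands along the lines of "Make sure that Shorewall is enabled to start at boot (STARTUP_ENABLED=Yes, or startup=1 on Debian) before you disable the old firewall service." Moving the section after the start/stop instructions also means the "Before starting Shorewall for the first time ... stop your existing firewall" advice now comes after the instructions for starting Shorewall; either keep the "stop" commands in the earlier position or add a short pointer to this section from the starting section.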
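Review bot: Still in the new "Disabling your existing Firewall" section (same three hunks), the "stop" list covers four cases (older Redhat/CentOS/Fedora, systemd Fedora, SuSE, and "other systems that use a classic SysV init system" via `/etc/init.d/iptables stop`) but the "disable" list covers only older Redhat/CentOS/Fedora, Debian and systemd Fedora, so SuSE and generic SysV users are told to stop the old firewall but never how to keep it from coming back at boot; add the matching disable step for those cases or say explicitly that it is distribution specific. Minor wording in the same text: "On recent Fedora system running systemd" should be "systems", and "Redhat" is spelled "Red Hat" elsewhere in these guides. Since the section is now pasted verbatim into three files, consider keeping a single copy and pulling it in with an XInclude so the next edit does not have to be made three times.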