diff --git a/Shorewall-Website/seattlefirewall_index.htm b/Shorewall-Website/seattlefirewall_index.htm deleted file mode 100755 index 7f9388b7e..000000000 --- a/Shorewall-Website/seattlefirewall_index.htm +++ /dev/null @@ -1,365 +0,0 @@ - - - - - - Shoreline Firewall (Shorewall) 1.4 - - - -
- - - - - - - - - -
-

Introduction to Shorewall

-

This is the Shorewall 1.4 Web Site

-
Preparing for Shorewall 2.2 -- End of -support life for Shorewall 1.4 is Near!
-
-The information on this site -applies only to 1.4.x releases of -Shorewall. For older versions:
-
-
    -
      -
    • The 1.3 site is here.
    • -
    • The 1.2 site is here.
    • -
    -
-

Glossary

-
    -
  • Netfilter -- the -packet filter facility built into the 2.4 and later Linux kernels.
  • -
  • ipchains - the packet filter facility built into the 2.2 -Linux kernels. Also the name of the utility program used to configure -and control that facility. Netfilter can be used in ipchains -compatibility mode.
  • -
  • iptables - the utility program used to configure and -control Netfilter. The term 'iptables' is often used to refer to the -combination of iptables+Netfilter (with Netfilter not in ipchains -compatibility mode).
  • -
-

What is Shorewall?

-
The Shoreline Firewall, more -commonly known as "Shorewall", is -high-level tool for configuring Netfilter. You describe your -firewall/gateway requirements using entries in a set of configuration -files. Shorewall reads those configuration files and with the help of -the iptables utility, Shorewall configures Netfilter to match your -requirements. Shorewall can be used on a dedicated firewall system, a -multi-function gateway/router/server or on a standalone GNU/Linux -system. Shorewall does not use Netfilter's ipchains compatibility mode -and can thus take advantage of Netfilter's connection -state tracking -capabilities.
-
-Shorewall is not a -daemon. Once Shorewall has configured Netfilter, it's job is complete -although the /sbin/shorewall -program can be used at any time to monitor the Netfilter firewall.
-
-

Getting Started with Shorewall

-
New to Shorewall? Start by -selecting the QuickStart Guide -that most -closely match your environment and follow the step by step instructions.
-
-

Looking for Information?

-
The Documentation -Index is a good place to start as is the Quick Search in the frame -above.
-

Running Shorewall on Mandrake with a two-interface setup?

-
If so, the documentation on this -site will not apply directly -to your setup. If you want to use the documentation that you find here, -you will want to consider uninstalling what you have and installing a -setup that matches the documentation on this site. See the Two-interface QuickStart Guide for -details.
-

License

-
This program is free software; -you can redistribute it and/or modify it -under the terms of Version -2 of the GNU General Public License as published by the Free -Software Foundation.
-
-

This program is distributed in the -hope that it will be -useful, but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -General Public License for more detail.

-
-

You should have received a copy of -the GNU General Public -License along with this program; if not, write to the Free Software -Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

-
Permission is granted to copy, -distribute and/or modify this document -under the terms of the GNU Free Documentation License, Version 1.2 or -any later version published by the Free Software Foundation; with no -Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. -A copy of the license is included in the section entitled "GNU Free -Documentation License".
-

Copyright © 2001-2004 Thomas M. Eastep

-
-

News

-

3/16/2004 - Shorewall 1.4.10d (New)

-

Corrects one problem:
-

-
    -
  • Rules involving user-defined actions often resulted in a -warning that the rule was a POLICY.
    -
  • -
-

2/15/2004 - Shorewall 1.4.10c 

-

Corrects one problem:
-

-
    -
  • Entries in /etc/shorewall/tcrules with an empty USER/GROUP -column would cause a startup error.
    -
  • -
-

2/12/2004 - Shorewall 1.4.10b 

-

Corrects one problem:
-

-
    -
  • In the /etc/shorewall/masq entry “eth0:!10.1.1.150 -   0.0.0.0/0!10.1.0.0/16     10.1.2.16”, the -“!10.1.0.0/16” is ignored.
  • -
-

2/8/2004 - Shorewall 1.4.10a 

-

Corrects two problems:
-

-
    -
  • A problem which can cause [re]start to fail inexplicably -while processing /etc/shorewall/masq.
  • -
  • Interfaces using the Atheros WiFi card to use the 'maclist' -option.
    -
  • -
-

1/30/2004 - Shorewall 1.4.10

-

Problems Corrected since version 1.4.9

-
    -
  1. The column descriptions in the action.template file did not -match the column headings. That has been corrected.
  2. -
  3. The presence of IPV6 addresses on devices generated error -messages during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes -are specified in /etc/shorewall/shorewall.conf. These messages have -been eliminated.
  4. -
  5. The CONTINUE action in /etc/shorewall/rules now works -correctly. A couple of problems involving rate limiting have been -corrected. These bug fixes courtesy of Steven Jan Springl.
  6. -
  7. Shorewall now tried to avoid sending an ICMP response to -broadcasts and smurfs.
  8. -
  9. Specifying "-" or "all" in the PROTO column of an action no -longer causes a startup error.
    -
    -
  10. -
-Migragion Issues:
-
-    None.
-
-New Features:
-
    -
  1. The INTERFACE column in the /etc/shorewall/masq file may -now specify a destination list.
    -
    -Example:
    -
    -    #INTERFACE        -    SUBNET        ADDRESS
    -    eth0:192.0.2.3,192.0.2.16/28    eth1
    -
    -If the list begins with "!" then SNAT will occur only if the -destination IP address is NOT included in the list.
    -
    -
  2. -
  3. Output traffic control rules (those with the firewall as -the source) may now be qualified by the effective userid and/or -effective group id of the program generating the output. This feature -is courtesy of  Frédéric LESPEZ.
    -
    -A new USER column has been added to /etc/shorewall/tcrules. It may -contain :
    -
    -      [<user name or number>]:[<group -name or number>]
    -
    -The colon is optional when specifying only a user.
    -
    -       Examples : john: / john / :users / -john:users
    -
    -
  4. -
  5. A "detectnets" interface option has been added for entries -in /etc/shorewall/interfaces. This option automatically taylors the -definition of the zone named in the ZONE column to include just  -those hosts that have routes through the interface named in the -INTERFACE column. The named interface must be UP when Shorewall is -[re]started.
    -
    - WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!
    -
  6. -
-

1/17/2004 - FAQ Wiki Available 

-

It has been asserted that the use of CVS for maintaining the -Shorewall documentation has been a barrier to community participation. -To test this theory, Alex Martin has -created a Wiki and with the help of Mike Noyes has populated the -Wiki with the Shorewall FAQ.
-

-

1/13/2004 - Shorewall 1.4.9 

-

Problems Corrected since version 1.4.8:

-
    -
  1. There has been a low continuing level of confusion over the -terms "Source NAT" (SNAT) and "Static NAT". To avoid future confusion, -all instances of "Static NAT" have been replaced with "One-to-one NAT" -in the documentation and configuration files.
  2. -
  3. The description of NEWNOTSYN in shorewall.conf has been -reworded for clarity.
  4. -
  5. Wild-card rules (those involving "all" as SOURCE or DEST) -will no longer produce an error if they attempt to add a rule that -would override a NONE policy. The logic for expanding these wild-card -rules now simply skips those (SOURCE,DEST) pairs that have a NONE -policy.
  6. -
  7. DNAT rules that also specified SNAT now work reliably. -Previously, there were cases where the SNAT specification was -effectively ignored.
    -
  8. -
-

Migration Issues:

-

    None.
-
-New Features:

-
    -
  1. The documentation has been completely rebased to Docbook -XML. The documentation is now released as separate HTML and XML -packages.
    -
  2. -
  3. To cut down on the number of "Why are these ports closed -rather than stealthed?" questions, the SMB-related rules in -/etc/shorewall/common.def have been changed from 'reject' to 'DROP'.
  4. -
  5. For easier identification, packets logged under the -'norfc1918' interface option are now logged out of chains named -'rfc1918'. Previously, such packets were logged under chains named -'logdrop'.
  6. -
  7. Distributors and developers seem to be regularly inventing -new naming conventions for kernel modules. To avoid the need to change -Shorewall code for each new convention, the MODULE_SUFFIX option has -been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix -for module names in your particular distribution. If MODULE_SUFFIX is -not set in shorewall.conf, Shorewall will use the list "o gz ko o.gz".
    -
    -To see what suffix is used by your distribution:
    -
    -ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
    -
    -All of the files listed should have the same suffix (extension). Set -MODULE_SUFFIX to that suffix.
    -
    -Examples:
    -
    -     If all files end in ".kzo" then set -MODULE_SUFFIX="kzo"
    -     If all files end in ".kz.o" then set -MODULE_SUFFIX="kz.o"
  8. -
  9. Support for user defined rule ACTIONS has been implemented -through two new files:
    -
    -/etc/shorewall/actions - used to list the user-defined ACTIONS.
    -/etc/shorewall/action.template - For each user defined <action>, -copy this file to /etc/shorewall/action.<action> and add the -appropriate rules for that <action>. Once an <action> has -been defined, it may be used like any of the builtin ACTIONS (ACCEPT, -DROP, etc.) in /etc/shorewall/rules.
    -
    -Example: You want an action that logs a packet at the 'info' level and -accepts the connection.
    -
    -In /etc/shorewall/actions, you would add:
    -
    -     LogAndAccept
    -
    -You would then copy /etc/shorewall/action.template to -/etc/shorewall/action.LogAndAccept and in that file, you would add the -two -rules:
    -        LOG:info
    -        ACCEPT
    -
  10. -
  11. The default value for NEWNOTSYN in shorewall.conf is now -"Yes" (non-syn TCP packets that are not part of an existing connection -are filtered according to the rules and policies rather than being -dropped). I have made this change for two reasons:
    -
    -a) NEWNOTSYN=No tends to result in lots of "stuck" connections since -any timeout during TCP session tear down results in the firewall -dropping all of the retries.
    -
    -b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in -lots of confusing messages when a connection got "stuck". While I could -have changed the default value of LOGNEWNOTSYN to suppress logging, I -dislike defaults that silently throw away packets.
  12. -
  13. The common.def file now contains an entry that silently -drops ICMP packets with a null source address. Ad Koster reported a -case where these were occuring frequently as a result of a broken -system on his external network.
    -
    -
  14. -
-

More News

-
-

(Leaf Logo) Jacques Nilo and Eric Wolzak -have a LEAF -(router/firewall/gateway on a floppy, CD or compact flash) distribution -called Bering that features Shorewall-1.4.2 and Kernel-2.4.20. -You can find their work at: http://leaf.sourceforge.net/devel/jnilo
-

- Congratulations to Jacques and Eric on the recent release of -Bering 1.2!!!
-
-
-
-
-

Donations
-

-

(Alzheimer's Association Logo)Shorewall is free but -if you -try it and find it useful, -please consider making a donation to the Alzheimer's Association. Thanks!

-

-
-
-

Updated 04/03/2004 - Tom Eastep
-

- - diff --git a/Shorewall-Website/sourceforge_index.htm b/Shorewall-Website/sourceforge_index.htm deleted file mode 100644 index 601aa9ab5..000000000 --- a/Shorewall-Website/sourceforge_index.htm +++ /dev/null @@ -1,353 +0,0 @@ - - - - - - Shoreline Firewall (Shorewall) 1.4 - - - -
-
- - - - - - -
-

Introduction
-

-
    -
  • Netfilter - the -packet -filter facility built into the 2.4 and later Linux kernels.
  • -
  • ipchains - the packet filter facility built into the 2.2 -Linux -kernels. Also the name of the utility program used to configure and -control that facility. Netfilter can be used in ipchains -compatibility mode.
    -
  • -
  • iptables - the utility program used to configure and -control -Netfilter. The term 'iptables' is often used to refer to the -combination of iptables+Netfilter (with Netfilter not in ipchains -compatibility mode).
    -
  • -
-The Shoreline Firewall, more commonly known as "Shorewall", is -high-level tool for configuring Netfilter. You describe your -firewall/gateway requirements using entries in a set of -configuration files. Shorewall reads those configuration files and -with the help of the iptables utility, Shorewall configures -Netfilter to match your requirements. Shorewall can be used on a -dedicated firewall system, a multi-function gateway/router/server -or on a standalone GNU/Linux system. Shorewall does not use -Netfilter's ipchains compatibility mode and can thus take advantage -of Netfilter's connection -state tracking capabilities. -

This program is free software; you can redistribute it and/or -modify it under the terms of Version 2 of the GNU -General -Public License as published by the Free Software -Foundation.
-
-This program is distributed in the hope that it will be useful, but -WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -General Public License for more details.
-
-You should have received a copy of the GNU General Public License -along with this program; if not, write to the Free Software -Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

-

Permission is granted to copy, distribute and/or modify this -document under the terms of the GNU Free Documentation License, Version -1.2 or any later version published by the Free Software Foundation; -with no Invariant Sections, with no Front-Cover, and with no Back-Cover -Texts. A copy of the license is included in the section entitled "GNU -Free Documentation License".

-

Copyright © 2001-2004 Thomas M. Eastep

-

This is the Shorewall 1.4 Web Site

-The information on this site applies only to 1.4.x releases of -Shorewall. For older versions:
-
    -
  • The 1.3 site is here.
  • -
  • The 1.2 site is here.
    -
  • -
-

Read about

-You can prepare -for 2.0 while you are still running Shorewall 1.4.
-
-The Shorewall 2.0.0 -RC2 is available!
-
-Here's the Shorewall -2.0.0 Documentation.
-

Getting Started with Shorewall

-New to Shorewall? Start by selecting the QuickStart Guide that most -closely match your environment and follow the step by step -instructions.
-

Looking for Information?

-The Documentation -Index is a good place to start as is the Quick Search in the -frame above. -

Running Shorewall on Mandrake with a two-interface setup?

-If so, the documentation on this site will not apply -directly to your setup. If you want to use the documentation that -you find here, you will want to consider uninstalling what you have -and installing a setup that matches the documentation on this site. -See the Two-interface QuickStart -Guide for details. -

News

-

2/15/2004 - Shorewall 1.4.10c (New)

-

Corrects one problem:
-

-Entries in /etc/shorewall/tcrules with an empty USER/GROUP column would -cause a startup error. -

2/12/2004 - Shorewall 1.4.10b (New)

-

Corrects one problem:
-

-
    -
  • In the /etc/shorewall/masq entry “eth0:!10.1.1.150 -   0.0.0.0/0!10.1.0.0/16     10.1.2.16”, the -“!10.1.0.0/16” is ignored.
  • -
-

2/8/2004 - Shorewall 1.4.10a (New)

-

Corrects two problems:
-

-
    -
  • A problem which can cause [re]start to fail inexplicably -while processing /etc/shorewall/masq.
  • -
  • Interfaces using the Atheros WiFi card to use the 'maclist' -option.
    -
  • -
-

1/30/2004 - Shorewall 1.4.10

-

Problems Corrected since version 1.4.9

-
    -
  1. The column descriptions in the action.template file did not -match the column headings. That has been corrected.
  2. -
  3. The presence of IPV6 addresses on devices generated error -messages during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes -are specified in /etc/shorewall/shorewall.conf. These messages have -been eliminated.
  4. -
  5. The CONTINUE action in /etc/shorewall/rules now -works -correctly. A couple of problems involving rate limiting have been -corrected. These bug fixes courtesy of Steven Jan Springl.
  6. -
  7. Shorewall now tried to avoid sending an ICMP response to -broadcasts and smurfs.
  8. -
  9. Specifying "-" or "all" in the PROTO column of an action no -longer causes a startup error.
  10. -
-Migragion Issues:
-
-    None.
-
-New Features:
-
    -
  1. The INTERFACE column in the /etc/shorewall/masq file may -now specify a destination list.
    -
    -Example:
    -
    -    #INTERFACE        -    SUBNET        ADDRESS
    -    eth0:192.0.2.3,192.0.2.16/28    eth1
    -
    -If the list begins with "!" then SNAT will occur only if the -destination IP address is NOT included in the list.
    -
    -
  2. -
  3. Output traffic control rules (those with the firewall as -the -source) may now be qualified by the effective userid and/or effective -group id of the program generating the output. This feature is courtesy -of  Frédéric LESPEZ.
    -
    -A new USER column has been added to /etc/shorewall/tcrules. It may -contain :
    -
    -      [<user name or number>]:[<group -name or number>]
    -
    -The colon is optional when specifying only a user.
    -
    -       Examples : john: / john / :users / -john:users
    -
    -
  4. -
  5. A "detectnets" interface option has been added for entries -in -/etc/shorewall/interfaces. This option automatically taylors the -definition of the zone named in the ZONE column to include just  -those -hosts that have routes through the interface named in the INTERFACE -column. The named interface must be UP when Shorewall is [re]started.
    -
    - WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE! -  
  6. -
-

1/17/2004 - FAQ Wiki Available 

-It has been asserted that the use of CVS for maintaining the -Shorewall documentation has been a barrier to community participation. -To test this theory, Alex Martin has -created a Wiki and with the help of Mike Noyes has populated the -Wiki with the Shorewall FAQ. -

1/13/2004 - Shorewall 1.4.9
-

-

Problems Corrected since version 1.4.8:
-

-
    -
  1. There has been a low continuing level of confusion over the -terms "Source NAT" (SNAT) and "Static NAT". To avoid future -confusion, all instances of "Static NAT" have been replaced with -"One-to-one NAT" in the documentation and configuration files.
  2. -
  3. The description of NEWNOTSYN in shorewall.conf has been -reworded for clarity.
  4. -
  5. Wild-card rules (those involving "all" as SOURCE or DEST) -will -no longer produce an error if they attempt to add a rule that would -override a NONE policy. The logic for expanding these wild-card -rules now simply skips those (SOURCE,DEST) pairs that have a NONE -policy.
  6. -
  7. DNAT rules that also specified SNAT now work reliably. -Previously, -there were cases where the SNAT specification was effectively ignored.
  8. -
-

Migration Issues:
-
-    None.
-
-New Features:
-

-
    -
  1. The documentation has been completely rebased to Docbook -XML. The -documentation is now released as separate HTML and XML packages.
  2. -
  3. To cut down on the number of "Why are these ports closed -rather -than stealthed?" questions, the SMB-related rules in -/etc/shorewall/common.def have been changed from 'reject' to -'DROP'.
  4. -
  5. For easier identification, packets logged under the -'norfc1918' -interface option are now logged out of chains named 'rfc1918'. -Previously, such packets were logged under chains named -'logdrop'.
  6. -
  7. Distributors and developers seem to be regularly inventing -new -naming conventions for kernel modules. To avoid the need to change -Shorewall code for each new convention, the MODULE_SUFFIX option -has been added to shorewall.conf. MODULE_SUFFIX may be set to the -suffix for module names in your particular distribution. If -MODULE_SUFFIX is not set in shorewall.conf, Shorewall will use the -list "o gz ko o.gz".
    -
    -To see what suffix is used by your distribution:
    -
    -ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
    -
    -All of the files listed should have the same suffix (extension). -Set MODULE_SUFFIX to that suffix.
    -
    -Examples:
    -
    -     If all files end in ".kzo" then set -MODULE_SUFFIX="kzo"
    -     If all files end in ".kz.o" then set -MODULE_SUFFIX="kz.o"
  8. -
  9. Support for user defined rule ACTIONS has been implemented -through two new files:
    -
    -/etc/shorewall/actions - used to list the user-defined ACTIONS.
    -/etc/shorewall/action.template - For each user defined -<action>, copy this file to -/etc/shorewall/action.<action> and add the appropriate rules -for that <action>. Once an <action> has been defined, -it may be used like any of the builtin ACTIONS (ACCEPT, DROP, etc.) -in /etc/shorewall/rules.
    -
    -Example: You want an action that logs a packet at the 'info' level -and accepts the connection.
    -
    -In /etc/shorewall/actions, you would add:
    -
    -     LogAndAccept
    -
    -You would then copy /etc/shorewall/action.template to -/etc/shorewall/action.LogAndAccept and in that file, you would add the -two -rules:
    -        LOG:info
    -        ACCEPT
  10. -
  11. The default value for NEWNOTSYN in shorewall.conf is now -"Yes" (non-syn -TCP packets that are not part of an existing connection are filtered -according to the rules and policies rather than being dropped). I have -made this change for two reasons:
    -
    -a) NEWNOTSYN=No tends to result in lots of "stuck" connections since -any timeout during TCP session tear down results in the firewall -dropping all of the retries.
    -
    -b) The old default of NEWNOTSYN=No and LOGNEWNOTSYN=info resulted in -lots of confusing messages when a connection got "stuck". While I could -have changed the default value of LOGNEWNOTSYN to suppress logging, I -dislike defaults that silently throw away packets.
  12. -
  13. The common.def file now contains an entry that silently -drops ICMP -packets with a null source address. Ad Koster reported a case where -these were occuring frequently as a result of a broken system on his -external network.
  14. -
-

More News

-

(Leaf Logo) Jacques Nilo and Eric Wolzak have a LEAF -(router/firewall/gateway on a floppy, CD or compact flash) -distribution called Bering that features Shorewall-1.4.2 and -Kernel-2.4.20. You can find their work at: http://leaf.sourceforge.net/devel/jnilo

- Congratulations to Jacques and Eric on the recent release of -Bering 1.2!!!
-

SourceForge Logo

-

This site is hosted by the generous folks at SourceForge.net

-
-
-

Donations

- (Alzheimer's Association Logo)Shorewall -is free but -if you try it and find it useful, -please consider making a donation to the Alzheimer's Association. Thanks!
-
-
-
-
-

Updated 03/08/2004 - Tom -Eastep
-

- -
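Review bot: for the seattlefirewall_index.htm deletion, the removed page holds the only visible copy of the 1.4.9 and 1.4.10 release notes, including the NEWNOTSYN default changing to "Yes" (with the two-point rationale), the "DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!" warning for the detectnets interface option, and the MODULE_SUFFIX guidance with the `ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter` check. Before merging, confirm those notes exist in the Docbook-based documentation the 1.4.9 entry says the docs were rebased to, since a reader of the 1.4 docs otherwise loses the explanation of a default that decides whether non-SYN TCP packets are dropped or filtered. The diff also carries no visible commit message saying what replaces the two 1.4 index pages, and this file was tracked with mode 100755; the executable bit on an HTML page is not something to carry over to any replacement.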
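Review bot: for the sourceforge_index.htm deletion, the "Read about" block (prepare for 2.0 while running 1.4, the Shorewall 2.0.0 RC2 announcement, the 2.0.0 Documentation link) and the SourceForge hosting credit appear only in this file, so check that whatever replaces the 1.4 index keeps those links. Deleting both mirrors together is otherwise consistent: this copy repeats the seattlefirewall page almost line for line (glossary, license, news through 1.4.10c) but still marks 1.4.10c as "(New)" with an "Updated 03/08/2004" stamp, while the seattle copy already lists 1.4.10d and is dated 04/03/2004, so the two had drifted and keeping only one would have left the stale one as a candidate.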