diff --git a/Lrp2/etc/shorewall/actions b/Lrp2/etc/shorewall/actions
index 8fb669752..9f6bca91f 100644
--- a/Lrp2/etc/shorewall/actions
+++ b/Lrp2/etc/shorewall/actions
@@ -1,5 +1,5 @@
#
-# Shorewall 2.0 /etc/shorewall/actions
+# Shorewall 2.1 /etc/shorewall/actions
#
# This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to
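Review bot: The new header line `# Shorewall 2.1 /etc/shorewall/actions` disagrees with the version file in the same commit, which moves from 2.0.8 to 2.0.9 (the `Lrp2/usr/share/shorewall/version` hunk), so the shipped file will identify itself as belonging to a release this package is not at. If the comment was carried over from a newer branch, keep `# Shorewall 2.0 /etc/shorewall/actions` (or make it 2.0.9) so that a user diffing against a stock install sees the right lineage.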
@@ -8,10 +8,12 @@
#
# ACTION names should begin with an upper-case letter to
# distinguish them from Shorewall-generated chain names and
-# they must need the requirements of a Netfilter chain
-# name as well as the requirements for a Bourne Shell identifier
-# (must begin with a letter and be composed of letters, digits
-# and underscore characters).
+# they must need the requirements of a Netfilter chain. If
+# you intend to log from the action then the name must be
+# no longer than 11 character in length. Names must also
+# meet the requirements for a Bourne Shell identifier (must
+# begin with a letter and be composed of letters, digits and
+# underscore characters).
#
# If you follow the action name with ":DROP", ":REJECT" or
# :ACCEPT then the action will be taken before a DROP, REJECT or
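Review bot: The rewritten paragraph carries two wording slips: `no longer than 11 character in length` should read `no longer than 11 characters`, and the retained phrase `they must need the requirements of a Netfilter chain` should read `they must meet the requirements of a Netfilter chain name`. Since this comment is the only in-file statement of the naming rule a user hits when an action with a long name fails to log, it is worth getting the sentence exact.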
diff --git a/Lrp2/etc/shorewall/masq b/Lrp2/etc/shorewall/masq
index 0acffd87e..e00044725 100644
--- a/Lrp2/etc/shorewall/masq
+++ b/Lrp2/etc/shorewall/masq
@@ -42,6 +42,13 @@
# will automatically add this address to the
# INTERFACE named in the first column.
#
+# If you have set ADD_SNAT_ALIASES=Yes in
+# /etc/shorewall/shorewall.conf then DO NOT
+# PLACE YOUR EXTERNAL INTERFACE'S PRIMARY IP
+# ADDRESS IN THIS COLUMN -- If you do so, you
+# will loose your default route when Shorewall
+# starts.
+#
# You may also specify a range of up to 256
# IP addresses if you want the SNAT address to
# be assigned from that range in a round-robin
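Review bot: The added warning says `you will loose your default route`; the intended word is `lose`, so the line should read `# will lose your default route when Shorewall`. The warning itself is the right thing to add, since putting the interface's primary address in this column with ADD_SNAT_ALIASES=Yes is an easy mistake that takes the host off the network.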
diff --git a/Lrp2/etc/shorewall/rules b/Lrp2/etc/shorewall/rules
index 74a4c1ea0..ec70e947f 100644
--- a/Lrp2/etc/shorewall/rules
+++ b/Lrp2/etc/shorewall/rules
@@ -195,8 +195,8 @@
# ranges.
#
# If you don't want to restrict client ports but need to
-# specify an ADDRESS in the next column, then place "-"
-# in this column.
+# specify an ORIGINAL DEST in the next column, then place
+# "-" in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
diff --git a/Lrp2/usr/share/shorewall/bogons b/Lrp2/usr/share/shorewall/bogons
index 8043d0d02..7b96cefde 100644
--- a/Lrp2/usr/share/shorewall/bogons
+++ b/Lrp2/usr/share/shorewall/bogons
@@ -14,7 +14,9 @@
#
# Columns are:
#
-# SUBNET The subnet (host addresses also allowed)
+# SUBNET The subnet (host addresses also allowed as are IP
+# address ranges provided that your kernel and iptables
+# include iprange match support).
# TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally
# DROP - silently drop the packet
@@ -47,8 +49,9 @@
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved
-71.0.0.0/8 logdrop # Reserved
-72.0.0.0/5 logdrop # Reserved
+73.0.0.0/8 logdrop # Reserved
+74.0.0.0/7 logdrop # Reserved
+76.0.0.0/6 logdrop # Reserved
89.0.0.0/8 logdrop # Reserved
90.0.0.0/7 logdrop # Reserved
92.0.0.0/6 logdrop # Reserved
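Review bot: The replacement entries `73.0.0.0/8`, `74.0.0.0/7` and `76.0.0.0/6` together cover 73–79, so 72.0.0.0/8 is released from the `72.0.0.0/5` block, but `71.0.0.0/8` is also dropped without any replacement and the hunk gives no indication why. Presumably both /8s have been allocated since the list was written; a short comment naming the allocation (e.g. `# 71/8 and 72/8 allocated <date>` with the real date) would let the next person auditing this bogon list tell a deliberate removal from an accidental one. Bogon entries silently drop traffic, so an unexplained change in either direction is worth documenting in place.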
diff --git a/Lrp2/usr/share/shorewall/firewall b/Lrp2/usr/share/shorewall/firewall
index 28fd28713..8de9d460b 100755
--- a/Lrp2/usr/share/shorewall/firewall
+++ b/Lrp2/usr/share/shorewall/firewall
@@ -2075,6 +2075,8 @@ process_tc_rule()
fi
[ "x$dest" = "x-" ] || r="${r}-d $dest "
+ [ "x$proto" = "x-" ] && proto=all
+ [ "x$proto" = "x" ] && proto=all
[ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port "
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
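Review bot: The two added guards test `-` and the empty string separately; a single `case "$proto" in -|"") proto=all ;; esac` expresses the same normalization in one place and makes it obvious the two spellings are treated identically. Note also that once proto is `all` the next line omits `-p`, yet `--dport`/`--sport` are still appended when `$port`/`$sport` are given, and iptables rejects a port match without a protocol; the new lines make that path reachable for an explicit `-`, so rejecting an entry that has a port but no protocol through the script's usual error path may be warranted — hedged, since I cannot see how the caller validates these columns. process_tc_rule starts and ends outside the hunk.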
diff --git a/Lrp2/usr/share/shorewall/version b/Lrp2/usr/share/shorewall/version
index 815e68dd2..09843e3be 100644
--- a/Lrp2/usr/share/shorewall/version
+++ b/Lrp2/usr/share/shorewall/version
@@ -1 +1 @@
-2.0.8
+2.0.9
diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml
index b9b568290..39972f8be 100644
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@@ -15,7 +15,7 @@
- 2004-08-10
+ 2004-09-102001-2004
@@ -1759,6 +1759,17 @@ DNAT loc:192.168.1.0/24 loc:192.168.1.3 tcp
address), the original source address is used. If you want any
destination address to match the rule but want to specify SNAT,
simply use a colon followed by the SNAT address.
+
+
+ Shorewall does not take any steps to ensure that IP
+ addresses entered in this column are added to the appropriate
+ firewall interface. Unless traffic for this address is
+ automatically routed to the firewall by another router, it is your
+ responsibility to add the address using your distributions network
+ configuration facilities. See this article
+ for additional information.
+
@@ -3553,7 +3564,7 @@ eth1 -
No - Only traffic to/from some of the hosts in this zone
is encrypted. Those encrypted hosts are designated using the
ipsec option in /etc/shorewall/hosts.
+ linkend="Hosts">/etc/shorewall/hosts.
diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml
index 123d01137..752a24d15 100644
--- a/Shorewall-docs2/Documentation_Index.xml
+++ b/Shorewall-docs2/Documentation_Index.xml
@@ -15,7 +15,7 @@
- 2004-07-20
+ 2004-09-232001-2004
@@ -31,14 +31,21 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
- GNU Free Documentation License.
+ GNU Free Documentation
+ License.
+
+ The complete Shorewall Documentation is available for download
+ in both Docbook XML and HTML formats.
+
+
Are you running Shorewall on Mandrake Linux
- with a two-interface setup?
+ url="http://www.mandrakesoft.com">Mandrake
+ Linux with a two-interface setup?
If so and if you configured your system while running a Mandrake
release earlier than 10.0 final then this documentation will not apply
@@ -51,7 +58,8 @@
- Introduction to Shorewall
+ Introduction to
+ Shorewall
@@ -107,48 +115,167 @@
Common configuration
- file features Comments in configuration
- filesLine ContinuationINCLUDE DirectivePort Numbers/Service Namesconfiguration_file_basics.htm#PortsPort RangesUsing Shell VariablesUsing DNS NamesComplementing an IP
- address or SubnetShorewall Configurations
- (making a test configuration)Using MAC Addresses in Shorewall
+ file features
+
+ Comments
+ in configuration files
+
+
+
+ Line
+ Continuation
+
+
+
+ INCLUDE
+ Directive
+
+
+
+ Port
+ Numbers/Service
+ Namesconfiguration_file_basics.htm#Ports
+
+
+
+ Port
+ Ranges
+
+
+
+ Using
+ Shell Variables
+
+
+
+ Using
+ DNS Names
+
+
+
+ Complementing an IP
+ address or Subnet
+
+
+
+ Shorewall
+ Configurations (making a test configuration)
+
+
+
+ Using MAC
+ Addresses in Shorewall
+
+ Configuration File Reference Manual
- paramszonesinterfaceshostspolicyrulesmasqproxyarpnattunnelstcrulesshorewall.confmodulestosblacklistrfc1918routestoppedaccountingusersets and usersmaclistactions and action.templatebogonsnetmap
+
+
+ params
+
+
+
+ zones
+
+
+
+ interfaces
+
+
+
+ hosts
+
+
+
+ policy
+
+
+
+ rules
+
+
+
+ masq
+
+
+
+ proxyarp
+
+
+
+ nat
+
+
+
+ tunnels
+
+
+
+ tcrules
+
+
+
+ shorewall.conf
+
+
+
+ modules
+
+
+
+ tos
+
+
+
+ blacklist
+
+
+
+ rfc1918
+
+
+
+ routestopped
+
+
+
+ accounting
+
+
+
+ usersets and users
+
+
+
+ maclist
+
+
+
+ actions and
+ action.template
+
+
+
+ bogons
+
+
+
+ netmap
+
+
@@ -161,7 +288,8 @@
- ECN Disabling by host or subnet
+ ECN Disabling by host or
+ subnet
@@ -169,9 +297,9 @@
- Extension Scripts
- (How to extend Shorewall without modifying Shorewall code through the
- use of files in /etc/shorewall -- /etc/shorewall/start,
+ Extension
+ Scripts (How to extend Shorewall without modifying Shorewall
+ code through the use of files in /etc/shorewall -- /etc/shorewall/start,
/etc/shorewall/stopped, etc.)
@@ -197,7 +325,8 @@
- Getting help or answers to questions
+ Getting help or answers to
+ questions
@@ -209,7 +338,8 @@
- Kazaa Filtering
+ Kazaa
+ Filtering
@@ -235,7 +365,8 @@
- Netfilter Overview
+ Netfilter
+ Overview
@@ -261,7 +392,7 @@
- 'Ping' Management
+ 'Ping' Management
@@ -291,11 +422,13 @@
- Requirements
+ Requirements
- Routing on One Interface
+ Routing on One
+ Interface
@@ -303,29 +436,117 @@
- Shorewall Setup GuideIntroductionShorewall ConceptsNetwork InterfacesAddressing, Subnets and
- RoutingIP AddressesSubnetsRoutingAddress Resolution Protocol (ARP)RFC 1918Setting up your NetworkRoutedNon-routedSNATDNATProxy ARPOne-to-one NATRulesOdds and EndsDNSStarting and Stopping the
- Firewall
+ Shorewall Setup
+ Guide
+
+ Introduction
+
+
+
+ Shorewall
+ Concepts
+
+
+
+ Network
+ Interfaces
+
+
+
+ Addressing, Subnets and
+ Routing
+
+
+
+ IP
+ Addresses
+
+
+
+ Subnets
+
+
+
+ Routing
+
+
+
+ Address
+ Resolution Protocol (ARP)
+
+
+
+ RFC
+ 1918
+
+
+
+
+
+ Setting up
+ your Network
+
+
+
+ Routed
+
+
+
+ Non-routed
+
+
+
+ SNAT
+
+
+
+ DNAT
+
+
+
+ Proxy
+ ARP
+
+
+
+ One-to-one
+ NAT
+
+
+
+
+
+ Rules
+
+
+
+ Odds
+ and Ends
+
+
+
+
+
+ DNS
+
+
+
+ Starting
+ and Stopping the Firewall
+
+
@@ -334,13 +555,20 @@
Starting/stopping
- the FirewallDescription of all
- /sbin/shorewall commandsHow to safely
- test a Shorewall configuration change
+ the Firewall
+
+ Description of all /sbin/shorewall commands
+
+
+
+ How to safely test a Shorewall configuration change
+
+
- Squid with Shorewall
+ Squid with
+ Shorewall
@@ -352,16 +580,18 @@
- Traffic Shaping/QOS
+ Traffic
+ Shaping/QOSTroubleshooting (Things to
- try if it doesn't work)
+ try if it doesn't work)
- User-defined Actions
+ User-defined
+ Actions
@@ -402,13 +632,15 @@
- Other VPN types
+ Other VPN
+ types
- White List Creation
+ White List
+ Creation
\ No newline at end of file
diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml
index 4ab719827..1a53f46da 100644
--- a/Shorewall-docs2/FAQ.xml
+++ b/Shorewall-docs2/FAQ.xml
@@ -17,7 +17,7 @@
- 2004-08-31
+ 2004-09-232001-2004
@@ -617,6 +617,10 @@ to debug/develop the newnat interface.
Answer: Add the routeback option to
br0 in /etc/shorewall/interfaces.
+
+ For more information on this type of configuration, see the Shorewall Simple Bridge
+ documentation.
@@ -817,10 +821,11 @@ LOGBURST=""
- (FAQ 17) What does this log message mean?
+ (FAQ 17) Why are these packets being Dropped/Rejected?
- Answer: Logging occurs out of a
- number of chains (as indicated in the log message) in Shorewall:
+ Answer: Logging of
+ dropped/rejected packets occurs out of a number of chains (as indicated
+ in the log message) in Shorewall:
@@ -937,9 +942,14 @@ LOGBURST=""
The packet has a source IP address that isn't in any of your
defined zones (shorewall check and look at the
printed zone definitions) or the chain is FORWARD and the
- destination IP isn't in any of your defined zones. Also see for another cause of packets being logged in
- the FORWARD chain.
+ destination IP isn't in any of your defined zones. If the chain is
+ FORWARD and the IN and OUT interfaces are the same, then you
+ probably need the routeback
+ option on that interface in /etc/shorewall/interfaces
+ or you need the routeback option
+ in the relevant entry in /etc/shorewall/hosts.
@@ -976,7 +986,7 @@ LOGBURST=""
This packet was REJECTed out of the all2all chain -- the packet was rejected
under the all->all REJECT
- policy ( above).
+ policy (all2all above).
@@ -1820,6 +1830,27 @@ iptables: Invalid argument
Revision History
+
+ 1.32
+
+ 2004-09-23
+
+ TE
+
+ Add link to simple bridge documentation from FAQ
+ 35.
+
+
+
+ 1.31
+
+ 2004-09-12
+
+ TE
+
+ Rename FAQ 17.
+
+
1.30
diff --git a/Shorewall-docs2/OPENVPN.xml b/Shorewall-docs2/OPENVPN.xml
index a80c7660e..589afc31e 100644
--- a/Shorewall-docs2/OPENVPN.xml
+++ b/Shorewall-docs2/OPENVPN.xml
@@ -21,7 +21,7 @@
- 2003-02-04
+ 2004-09-142003
@@ -37,7 +37,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
- GNU Free Documentation License.
+ GNU Free Documentation
+ License.
@@ -45,8 +46,9 @@
Network) daemon which can be used to securely link two or more private
networks using an encrypted tunnel over the internet. OpenVPN is an Open
Source project and is licensed under the GPL.
- OpenVPN can be downloaded from http://openvpn.sourceforge.net/.
+ url="http://openvpn.sourceforge.net/license.html">licensed under the
+ GPL. OpenVPN can be downloaded from http://openvpn.sourceforge.net/.
OpenVPN support was added to Shorewall in version 1.3.14.
@@ -59,146 +61,73 @@
We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is
- accomplished through use of the /etc/shorewall/tunnels file and the
- /etc/shorewall/policy file and OpenVPN.
+ accomplished through use of the
+ /etc/shorewall/tunnels file and the
+ /etc/shorewall/policy file and OpenVPN.
While it was possible to use the Shorewall start and stop script to
start and stop OpenVPN, I decided to use the init script of OpenVPN to
start and stop it.On each firewall, you will need to declare a zone to represent the
- remote subnet. We'll assume that this zone is called vpn
- and declare it in /etc/shorewall/zones on both systems as follows.
+ remote subnet. We'll assume that this zone is called vpn
+ and declare it in /etc/shorewall/zones on both
+ systems as follows.
-
- /etc/shorewall/zones system A & B
+
+ /etc/shorewall/zones — Systems A &
+ B
-
-
-
- ZONE
+ #ZONE DISPLAY COMMENTS
+vpn VPN Remote subnet
+
- DISPLAY
+ On system A, the 10.0.0.0/8 will comprise the vpn zone.
- COMMENTS
-
-
+
+ In /etc/shorewall/interfaces on system
+ A:
-
-
- vpn
+ #ZONE INTERFACE BROADCAST OPTIONS
+vpn tun0
+
- VPN
+ In /etc/shorewall/tunnels on system A, we need
+ the following:
- Remote Subnet
-
-
-
-
+
+ #TYPE ZONE GATEWAY GATEWAY ZONE
+openvpn net 134.28.54.2
+
- On system A, the 10.0.0.0/8 will comprise the vpn
- zone. In /etc/shorewall/interfaces:
+
+ Some OpenVPN clients (notabley on Windows)
+ do not use the same source and destination ports which can cause
+ problems. If system B is a Windows system, then you will want the
+ following entry in /etc/shorewall/tunnels instead of the one
+ above:
-
- etc/shorewall/interfaces system A
+ #TYPE ZONE GATEWAY GATEWAY ZONE
+generic:udp:5000 net 134.28.54.2
+
-
-
-
- ZONE
+ This entry in /etc/shorewall/tunnels opens the
+ firewall so that OpenVPN traffic on the default port 5000/udp will be
+ accepted to/from the remote gateway. If you change the port used by
+ OpenVPN to 7777, you can define /etc/shorewall/tunnels like this:
- INTERFACE
+
+ /etc/shorewall/tunnels with port 7777:
- BROADCAST
-
- OPTIONS
-
-
-
-
-
- vpn
-
- tun0
-
-
-
-
-
-
-
-
-
- In /etc/shorewall/tunnels on system A, we need the following:
-
-
- /etc/shorewall/tunnels system A
-
-
-
-
- TYPE
-
- ZONE
-
- GATEWAY
-
- GATEWAY ZONE
-
-
-
-
-
- openvpn
-
- net
-
- 134.28.54.2
-
-
-
-
-
-
-
- This entry in /etc/shorewall/tunnels opens the firewall so that
- OpenVPN traffic on the default port 5000/udp will be accepted to/from the
- remote gateway. If you change the port used by OpenVPN to 7777, you can
- define /etc/shorewall/tunnels like this:
-
-
- /etc/shorewall/tunnels port 7777
-
-
-
-
- TYPE
-
- ZONE
-
- GATEWAY
-
- GATEWAY ZONE
-
-
-
-
-
- openvpn:7777
-
- net
-
- 134.28.54.2
-
-
-
-
-
-
+ #TYPE ZONE GATEWAY GATEWAY ZONE
+openvpn:77777 net 134.28.54.2
+
This is the OpenVPN config on system A:
- dev tun
+
+ dev tun
local 206.162.148.9
remote 134.28.54.2
ifconfig 192.168.99.1 192.168.99.2
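Review bot: The sample tunnels entry `openvpn:77777 net 134.28.54.2` does not match the paragraph above it, which says the port was changed to 7777, and 77777 is outside the valid port range, so a reader who copies the example gets a start-up failure rather than an open tunnel port; it should read `openvpn:7777 net 134.28.54.2`. In the same hunk, `notabley` should be `notably`.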
@@ -210,75 +139,31 @@ cert my-a.crt
key my-a.key
comp-lzo
verb 5
+
Similarly, On system B the 192.168.1.0/24 subnet will comprise the
- vpn zone. In /etc/shorewall/interfaces:
+ vpn zone
-
- /etc/shorewall/interfaces system B
+
+ In /etc/shorewall/interfaces on system
+ B:
-
-
-
- ZONE
+ #ZONE INTERFACE BROADCAST OPTIONS
+vpn tun0 192.168.1.255
+
- INTERFACE
+ In /etc/shorewall/tunnels on system B, we
+ have:
- BROADCAST
-
- OPTIONS
-
-
-
-
-
- vpn
-
- tun0
-
- 192.168.1.255
-
-
-
-
-
-
-
- In /etc/shorewall/tunnels on system B, we have:
-
-
- /etc/shorewall/tunnels system B
-
-
-
-
- TYPE
-
- ZONE
-
- GATEWAY
-
- GATEWAY ZONE
-
-
-
-
-
- openvpn
-
- net
-
- 206.191.148.9
-
-
-
-
-
-
+
+ #TYPE ZONE GATEWAY GATEWAY ZONE
+openvpn net 206.191.148.9
+
And in the OpenVPN config on system B:
- dev tun
+
+ dev tun
local 134.28.54.2
remote 206.162.148.9
ifconfig 192.168.99.2 192.168.99.1
@@ -289,50 +174,20 @@ cert my-b.crt
key my-b.key
comp-lzo
verb 5
+
You will need to allow traffic between the vpn zone
and the loc zone on both systems -- if you simply want to
admit all traffic in both directions, you can use the policy file:
-
- /etc/shorewall/policy system A & B
+
+ /etc/shorewall/policy on systems A &
+ B
-
-
-
- SOURCE
-
- DEST
-
- POLICY
-
- LOG LEVEL
-
-
-
-
-
- loc
-
- vpn
-
- ACCEPT
-
-
-
-
-
- vpn
-
- loc
-
- ACCEPT
-
-
-
-
-
-
+ #SOURCE DEST POLICY LOG LEVEL
+loc vpn ACCEPT
+vpn loc ACCEPT
+
On both systems, restart Shorewall and start OpenVPN. The systems in
the two masqueraded subnetworks can now talk to each other.
diff --git a/Shorewall-docs2/Shorewall_and_Kazaa.xml b/Shorewall-docs2/Shorewall_and_Kazaa.xml
index 7af47bdd0..1c715e2f9 100644
--- a/Shorewall-docs2/Shorewall_and_Kazaa.xml
+++ b/Shorewall-docs2/Shorewall_and_Kazaa.xml
@@ -15,7 +15,7 @@
- 2004-02-04
+ 2004-09-162003-2004
@@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
- GNU Free Documentation License.
+ GNU Free Documentation
+ License.
@@ -41,9 +42,8 @@
KazaaLite, iMash and Grokster.
To filter traffic from your loc zone with ftwall, you
- insert the following rules near the top of
- your /etc/shorewall/rules file (before any ACCEPT rules whose source is the
- loc zone).
+ insert the following rules in /etc/shorewall/rules file after any DROP or
+ REJECT rules whose source is the loc zone.
#ACTION SOURCE DEST PROTO
QUEUE loc net tcp
@@ -54,8 +54,9 @@
and restart Shorewall.
- There are ftwall init scripts for use with SuSE
- and Debian Linux at There are ftwall init scripts for use with
+ SuSE and Debian Linux at
+ http://shorewall.net/pub/shorewall/contrib/ftwall.
\ No newline at end of file
diff --git a/Shorewall-docs2/SimpleBridge.xml b/Shorewall-docs2/SimpleBridge.xml
new file mode 100644
index 000000000..27f5bad9c
--- /dev/null
+++ b/Shorewall-docs2/SimpleBridge.xml
@@ -0,0 +1,119 @@
+
+
+
+
+
+
+ Shorewall and a Simple Bridge
+
+
+
+ Tom
+
+ Eastep
+
+
+
+ 2004-09-23
+
+
+ 2004
+
+ Thomas M. Eastep
+
+
+
+ Permission is granted to copy, distribute and/or modify this
+ document under the terms of the GNU Free Documentation License, Version
+ 1.2 or any later version published by the Free Software Foundation; with
+ no Invariant Sections, with no Front-Cover, and with no Back-Cover
+ Texts. A copy of the license is included in the section entitled
+ GNU Free Documentation
+ License.
+
+
+
+
+ Background
+
+ Systems where Shorewall runs normally function as
+ routers. In the context of the Open System
+ Interconnect (OSI) reference model, a router operates at layer 3.
+ Shorewall may also be deployed on a GNU Linux System that acts as a
+ bridge. Bridges are layer-2 devices in the OSI
+ model (think of a bridge as an ethernet switch).
+
+ Some differences between routers and bridges are:
+
+
+
+ Routers determine packet destination based on the destination IP
+ address while bridges route traffic based on the destination MAC
+ address in the ethernet frame.
+
+
+
+ As a consequence of the first difference, routers can be
+ connected to more than one IP network while a bridge may be part of
+ only a single network.
+
+
+
+ A router cannot forward broadcast packets while a bridge
+ can.
+
+
+
+
+
+ Application
+
+ There are cases where you want to create a bridge to join two or
+ more LAN segments and you don't need to restrict the traffic between those
+ segments. This is the environment that is described in this article.
+
+
+ If you do need to restrict traffic through the bridge, please refer
+ to the Shorewall Bridge/Firewall
+ documentation. Also please refer to that documentation for
+ information about how to create a bridge.
+
+ The following diagram shows a firewall for two bridged LAN
+ segments.
+
+
+
+ This is fundimentally the Two-interface Firewall described in the
+ Two-interface Quickstart Guide. The
+ bridge-specific changes are restricted to the
+ /etc/shorewall/interfaces file.
+
+ /etc/shorewall/interfaces:
+
+ #ZONE INTERFACE BROADCAST OPTIONS
+net eth0 detect ...
+loc br0 10.0.1.255 routeback,...
+
+ So the key points here are:
+
+
+
+ The loc interface is br0.
+
+
+
+ Neither eth1 nor
+ eth2 have IP addresses and
+ neither are mentioned in the Shorewall configuration.
+
+
+
+ The routeback option is
+ specified for br0.
+
+
+
+
\ No newline at end of file
diff --git a/Shorewall-docs2/bridge.xml b/Shorewall-docs2/bridge.xml
index d18ce081e..e419c042a 100755
--- a/Shorewall-docs2/bridge.xml
+++ b/Shorewall-docs2/bridge.xml
@@ -15,7 +15,7 @@
- 2004-09-10
+ 2004-09-232004
@@ -70,7 +70,7 @@
Requirements
- In order to use Shorewall with a bridging firewall:
+ In order to use Shorewall as a bridging firewall:
@@ -103,6 +103,11 @@
You must be running Shorewall 2.0.1 Beta 1 or later.
+
+ Note that if you need a bridge but do not need to restrict the
+ traffic through the bridge then any version of Shorewall will work. See
+ the Simple Bridge documentation for
+ details.
diff --git a/Shorewall-docs2/images/SimpleBridge.dia b/Shorewall-docs2/images/SimpleBridge.dia
new file mode 100644
index 000000000..ee88bda57
Binary files /dev/null and b/Shorewall-docs2/images/SimpleBridge.dia differ
diff --git a/Shorewall-docs2/images/SimpleBridge.png b/Shorewall-docs2/images/SimpleBridge.png
new file mode 100644
index 000000000..d4d6efddc
Binary files /dev/null and b/Shorewall-docs2/images/SimpleBridge.png differ
diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml
index c38910324..8de85790f 100644
--- a/Shorewall-docs2/myfiles.xml
+++ b/Shorewall-docs2/myfiles.xml
@@ -15,7 +15,7 @@
- 2004-09-06
+ 2004-09-072001-2004
@@ -78,11 +78,11 @@
I use SNAT through 206.124.146.179 for my Wife's Windows XP
- system Tarry, and our dual-booting (Windows
- XP/SuSE 9.1) laptop Tipper which connects through the
- Wireless Access Point (wap) via a Wireless Bridge (wet).
+ system Tarry, and our dual-booting (SuSE
+ 9.1/Windows XP) laptop Tipper which connects through
+ the Wireless Access Point (wap) via a Wireless Bridge (wet).While the distance between the WAP and where I usually use
- the laptop isn't very far (25 feet or so), using a WAC11 (CardBus
+ the laptop isn't very far (50 feet or so), using a WAC11 (CardBus
wireless card) has proved very unsatisfactory (lots of lost
connections). By replacing the WAC11 with the WET11 wireless
bridge, I have virtually eliminated these problems (Being an old
@@ -148,7 +148,8 @@
Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
my work laptop and the Firewall is configured with IPSEC for tunnel mode
- road warrior access from Tipper.
+ access from our second home in Omak, Washington.
@@ -397,7 +398,7 @@ $EXT_IF:2 eth2 206.124.146.179
- Tunnels File (Shell variable TEXAS set in
+ Tunnels File (Shell variables TEXAS and OMAK set in
/etc/shorewall/params)
@@ -653,6 +654,10 @@ ACCEPT tx loc:192.168.1.5 all
zones
+ Because loc is a sub-zone of
+ net, loc must be defined first.
+
#ZONE DISPLAY COMMENTS
loc Local Local networks
net Internet The Big Bad Internet
@@ -688,7 +693,7 @@ all all REJECT info
#ZONE INTERFACE BROADCAST OPTIONS
-- br0 192.168.1.255 dhcp
+- br0 192.168.1.255 dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
This file is SuSE-specific and creates the bridge device
br0. A script for other
- disbributions would be similar.
+ distributions would be similar (see the Shorewall Bridge documentation for
+ examples).
#!/bin/sh
################################################################################
-# Script to create a bridge between eth0, eth1 and eth2
+# Script to create a bridge
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
@@ -766,6 +773,15 @@ br0:eth0 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
#
# Modify the following variables to match your configuration
#
+#### BEGIN INIT INFO
+# Provides: bridge
+# Required-Start: coldplug
+# Required-Stop:
+# Default-Start: 2 3 5
+# Default-Stop: 0 1 6
+# Description: starts and stops a bridge
+### END INIT INFO
+#
# chkconfig: 2345 05 89
# description: Layer 2 Bridge
#
@@ -773,21 +789,29 @@ br0:eth0 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
+INTERFACES="eth0 eth1"
+BRIDGE="br0"
+
do_stop() {
- echo "Stopping Bridge"
- brctl delbr br0
- ip link set eth0 down
- ip link set eth1 down
+ echo "Stopping Bridge $BRIDGE"
+ brctl delbr $BRIDGE
+ for interface in $INTERFACES; do
+ ip link set $interface down
+ done
}
do_start() {
- echo "Starting Bridge"
- ip link set eth0 up
- ip link set eth1 up
- brctl addbr br0
- brctl addif br0 eth0
- brctl addif br0 eth1
+ echo "Starting Bridge $BRIDGE"
+ for interface in $INTERFACES; do
+ ip link set $interface up
+ done
+
+ brctl addbr $BRIDGE
+
+ for interface in $INTERFACES; do
+ brctl addif $BRIDGE $interface
+ done
}
case "$1" in
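Review bot: In the rewritten do_stop, `brctl delbr $BRIDGE` is issued while the bridge may still be up, and brctl normally refuses to delete a bridge in that state; adding `ip link set $BRIDGE down` before the delbr line makes the stop path reliable. Likewise do_start never brings the bridge itself up after the addif loop, so `ip link set $BRIDGE up` should follow it for the bridge to pass traffic. Both issues were present in the eth0/eth1 version being replaced, but since the functions are rewritten here it is the natural place to fix them; the script's `case` dispatch continues outside the hunk.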
@@ -816,11 +840,7 @@ exit 0
This file is SuSE-specific
- BOOTPROTO='static'
-BROADCAST='192.168.1.255'
-IPADDR='192.168.1.5'
-NETWORK='192.168.1.0'
-NETMASK='255.255.255.0'
+ BOOTPROTO='dhcp'
REMOTE_IPADDR=''
STARTMODE='onboot'
UNIQUE='3hqH.MjuOqWfSZ+C'
@@ -835,8 +855,9 @@ MTU=''
This file is SuSE-specific
- 192.168.1.0 - 255.255.255.0 br0
-default 192.168.1.254 - -
+ 192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.5
+127.0.0.0/8 dev lo scope link
+default via 192.168.1.254 dev br0
diff --git a/Shorewall-docs2/ports.xml b/Shorewall-docs2/ports.xml
index f9d4a5c77..940307f99 100644
--- a/Shorewall-docs2/ports.xml
+++ b/Shorewall-docs2/ports.xml
@@ -13,7 +13,7 @@
- 2004-07-31
+ 2004-09-212001-2002
@@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
- GNU Free Documentation License.
+ GNU Free Documentation
+ License.
@@ -50,8 +51,8 @@
/usr/share/shorewall/actions.std file for a list of
the actions in your distribution. If you find what you need, you simply
use the action in a rule. For example, to allow DNS queries from the
- dmz zone to the net
- zone:
+ dmz zone to the net zone:
#ACTION SOURCE DESTINATION
AllowDNS dmz net
@@ -67,7 +68,7 @@ AllowDNS dmz net
at 192.168.1.4 in your DMZ. The FTP section below gives you:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> tcp 21
+ACCEPT <source><destination> tcp 21
You would code your rule as follows:
@@ -80,23 +81,23 @@ DNAT net dmz:192.168.1.4 tcp 21
Auth (identd)#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> tcp 113
+ACCEPT <source><destination> tcp 113
DNS#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> udp 53
-ACCEPT <source><destination> tcp 53
+ACCEPT <source><destination> udp 53
+ACCEPT <source><destination> tcp 53
Note that if you are setting up a DNS server that supports recursive
- resolution, the server is the <destination>
- for resolution requests (from clients) and is also the <source>
- of recursive resolution requests (usually to other servers in the
- 'net' zone). So for example, if you have a public DNS server in
- your DMZ that supports recursive resolution for local clients then you
- would need:
+ resolution, the server is the <destination> for
+ resolution requests (from clients) and is also the
+ <source> of recursive resolution requests
+ (usually to other servers in the 'net' zone). So for example, if you have
+ a public DNS server in your DMZ that supports recursive resolution for
+ local clients then you would need:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT all dmz udp 53
@@ -105,9 +106,9 @@ ACCEPT dmz net udp 53
ACCEPT dmz net tcp 53
- Recursive Resolution means that if the server itself can't
- resolve the name presented to it, the server will attempt to resolve the
- name with the help of other servers.
+ Recursive Resolution means that if the server itself can't resolve
+ the name presented to it, the server will attempt to resolve the name
+ with the help of other servers.
@@ -115,36 +116,37 @@ ACCEPT dmz net tcp 53
FTP#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> tcp 21
+ACCEPT <source><destination> tcp 21
- Look here for much more information.
+ Look here for much more
+ information.ICQ/AIM#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source> net tcp 5190
+ACCEPT <source> net tcp 5190
IMAP#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> tcp 143 #Unsecure IMAP
-ACCEPT <source><destination> tcp 993 #Secure IMAP
+ACCEPT <source><destination> tcp 143 #Unsecure IMAP
+ACCEPT <source><destination> tcp 993 #Secure IMAP
IPSEC#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source> <destination> 50
-ACCEPT <source> <destination> 51
-ACCEPT <source> <destination> udp 500
-ACCEPT <destination><source> 50
-ACCEPT <destination><source> 51
-ACCEPT <destination><source> udp 500
+ACCEPT <source> <destination> 50
+ACCEPT <source> <destination> 51
+ACCEPT <source> <destination> udp 500
+ACCEPT <destination><source> 50
+ACCEPT <destination><source> 51
+ACCEPT <destination><source> udp 500
Lots more information here and here.
@@ -154,23 +156,23 @@ ACCEPT <destination><source>
NFS#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <z1>:<list of client IPs> <z2>:a.b.c.d tcp 111
-ACCEPT <z1>:<list of client IPs> <z2>:a.b.c.d udp
+ACCEPT <z1>:<list of client IPs> <z2>:a.b.c.d tcp 111
+ACCEPT <z1>:<list of client IPs> <z2>:a.b.c.d udp
NTP (Network Time Protocol)#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> udp 123
+ACCEPT <source><destination> udp 123
PCAnywhere#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> udp 5632
-ACCEPT <source><destination> tcp 5631
+ACCEPT <source><destination> udp 5632
+ACCEPT <source><destination> tcp 5631
@@ -179,16 +181,16 @@ ACCEPT <source><destination>
TCP Port 110 (Secure Pop3 is TCP Port 995)#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> tcp 110 #Unsecure Pop3
-ACCEPT <source><destination> tcp 995 #Secure Pop3
+ACCEPT <source><destination> tcp 110 #Unsecure Pop3
+ACCEPT <source><destination> tcp 995 #Secure Pop3
PPTP#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> 47
-ACCEPT <source><destination> tcp 1723
+ACCEPT <source><destination> 47
+ACCEPT <source><destination> tcp 1723
Lots more information here and here.
@@ -198,24 +200,24 @@ ACCEPT <source><destination>
rdate#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> tcp 37
+ACCEPT <source><destination> tcp 37
SSH#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> tcp 22
+ACCEPT <source><destination> tcp 22
SMB/NMB (Samba/Windows Browsing/File Sharing)#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source> <destination> tcp 137,139,445
-ACCEPT <source> <destination> udp 137:139
-ACCEPT <destination><source> tcp 137,139,445
-ACCEPT <destination><source> udp 137:139
+ACCEPT <source> <destination> tcp 137,139,445
+ACCEPT <source> <destination> udp 137:139
+ACCEPT <destination><source> tcp 137,139,445
+ACCEPT <destination><source> udp 137:139
Also, see this page.
@@ -224,57 +226,67 @@ ACCEPT <destination><source>
SMTP#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> tcp 25 #Insecure SMTP
-ACCEPT <source><destination> tcp 465 #SMTP over SSL (TLS)
+ACCEPT <source><destination> tcp 25 #Insecure SMTP
+ACCEPT <source><destination> tcp 465 #SMTP over SSL (TLS)
SNMP#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> udp 161:162
-ACCEPT <source><destination> tcp 161
+ACCEPT <source><destination> udp 161:162
+ACCEPT <source><destination> tcp 161
Telnet#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> tcp 23
+ACCEPT <source><destination> tcp 23
TFTPYou must have TFTP connection tracking support in your kernel. If
- modularized, the modules are ip_conntrack_tftp
- (and ip_nat_tftp if any form of NAT is
- involved) These modules may be loaded using entries in
- /etc/shorewall/modules. The ip_conntrack_tftp
- module must be loaded first. Note that the /etc/shorewall/modules
- file released with recent Shorewall versions contains entries for these
- modules.
+ modularized, the modules are ip_conntrack_tftp (and ip_nat_tftp if any form of NAT is involved) These
+ modules may be loaded using entries in
+ /etc/shorewall/modules. The ip_conntrack_tftp module must be loaded first. Note
+ that the /etc/shorewall/modules file released with
+ recent Shorewall versions contains entries for these modules.
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> udp 69
+ACCEPT <source><destination> udp 69
Traceroute#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> udp 33434:33443 #Good for 10 hops
-ACCEPT <source><destination> icmp 8
+ACCEPT <source><destination> udp 33434:33443 #Good for 10 hops
+ACCEPT <source><destination> icmp 8
- UDP traceroute uses ports 33434 through 33434+<max number of
- hops>-1
+ UDP traceroute uses ports 33434 through 33434+<max number of
+ hops>-1. Note that for the firewall to respond with a TTL expired ICMP
+ reply, you will need to allow ICMP 11 outbound from the firewall. The
+ standard Shorewall sample configurations all set this up for you
+ automatically since those sample configurations enable all ICMP packet
+ types originating on the firewall itself.
+
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ACCEPT fw net icmp
+ACCEPT fw loc icmp
+ACCEPT fw ...Usenet (NNTP)#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> tcp 119
+ACCEPT <source><destination> tcp 119
TCP Port 119
@@ -282,43 +294,60 @@ ACCEPT <source><destination>
VNC
- Vncviewer to Vncserver -- TCP port 5900 + <display number>.
+ Vncviewer to Vncserver -- TCP port 5900 + <display
+ number>.
+
+ Vncviewer to Vncserver -- TCP port 5900 + <display
+ number>.#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> tcp 5901 #Display Number 1
-ACCEPT <source><destination> tcp 5902 #Display Number 2
+ACCEPT <source><destination> tcp 5901 #Display Number 1
+ACCEPT <source><destination> tcp 5902 #Display Number 2
...Vncserver to Vncviewer in listen mode -- TCP port 5500.#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> tcp 5500
+ACCEPT <source><destination> tcp 5500
+
+
+
+ Vonage
+
+ The standard Shorewall loc->net ACCEPT policy is all that is
+ required for Vonage IP phone service to work,
+ provided that you have loaded the tftp helper modules (add the following
+ entries to /etc/shorewall/modules if they are not there already):
+
+ loadmodule ip_conntrack_tftp
+ loadmodule ip_nat_tftpWeb Access#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <source><destination> tcp 80 #Insecure HTTP
-ACCEPT <source><destination> tcp 443 #Secure HTTP
+ACCEPT <source><destination> tcp 80 #Insecure HTTP
+ACCEPT <source><destination> tcp 443 #Secure HTTP
X/XDMCP
- Assume that the Choser and/or X Server are running at <chooser>
- and the Display Manager/X applications are running at <apps>.
+ Assume that the Choser and/or X Server are running at
+ <chooser> and the Display Manager/X
+ applications are running at <apps>.#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <chooser> <apps> udp 177 #XDMCP
-ACCEPT <apps> <chooser> tcp 6000:6009 #X Displays 0-9
+ACCEPT <chooser> <apps> udp 177 #XDMCP
+ACCEPT <apps> <chooser> tcp 6000:6009 #X Displays 0-9
Other Source of Port Information
- Didn't find what you are looking for -- have you looked in your
- own /etc/services file?
+ Didn't find what you are looking for -- have you looked in your own
+ /etc/services file?Still looking? Try http://www.networkice.com/advice/Exploits/Ports
@@ -327,16 +356,138 @@ ACCEPT <apps> <chooser
Revision History
- 1.112004-05-28TECorrected
- directory for actions.std and enhanced the DNS section.1.102004-05-09TEAdded
- TFTP.1.92004-04-24TERevised
- ICQ/AIM.1.82004-04-23TEAdded
- SNMP.1.72004-02-18TEMake
- NFS work for everyone.1.62004-02-14TEAdd
- PCAnywhere.1.52004-02-05TEAdded
- information about VNC viewers in listen mode.1.42004-01-26TECorrect
- ICQ.1.32004-01-04TEAlphabetize1.22004-01-03TEAdd
- rules file entries.1.12002-07-30TEInitial
- version converted to Docbook XML
+
+
+ 1.13
+
+ 2004-09-21
+
+ TE
+
+ Add note about ICMP type 11 to Traceroute.
+
+
+
+ 1.12
+
+ 2004-09-09
+
+ TE
+
+ Add note about Vonage.
+
+
+
+ 1.11
+
+ 2004-05-28
+
+ TE
+
+ Corrected directory for actions.std and enhanced the DNS
+ section.
+
+
+
+ 1.10
+
+ 2004-05-09
+
+ TE
+
+ Added TFTP.
+
+
+
+ 1.9
+
+ 2004-04-24
+
+ TE
+
+ Revised ICQ/AIM.
+
+
+
+ 1.8
+
+ 2004-04-23
+
+ TE
+
+ Added SNMP.
+
+
+
+ 1.7
+
+ 2004-02-18
+
+ TE
+
+ Make NFS work for everyone.
+
+
+
+ 1.6
+
+ 2004-02-14
+
+ TE
+
+ Add PCAnywhere.
+
+
+
+ 1.5
+
+ 2004-02-05
+
+ TE
+
+ Added information about VNC viewers in listen
+ mode.
+
+
+
+ 1.4
+
+ 2004-01-26
+
+ TE
+
+ Correct ICQ.
+
+
+
+ 1.3
+
+ 2004-01-04
+
+ TE
+
+ Alphabetize
+
+
+
+ 1.2
+
+ 2004-01-03
+
+ TE
+
+ Add rules file entries.
+
+
+
+ 1.1
+
+ 2002-07-30
+
+ TE
+
+ Initial version converted to Docbook XML
+
+
\ No newline at end of file
diff --git a/Shorewall-docs2/support.xml b/Shorewall-docs2/support.xml
index 43350149a..c1d3a0488 100644
--- a/Shorewall-docs2/support.xml
+++ b/Shorewall-docs2/support.xml
@@ -15,7 +15,7 @@
- 2004-09-04
+ 2004-09-072001-2004
@@ -175,14 +175,6 @@
other output is better than a paraphrase or summary.
-
- Please don't describe your problem as Computer A can't
- see Computer B. Of course it can't -- it hasn't any eyes! If
- ping from A to B fails, say so (and see below for information about
- reporting ping problems). If Computer B doesn't show up
- in Network Neighborhood then say so.
-
-
Please give details about what doesn't work. Reports that say
I followed the directions and it didn't work will
@@ -220,7 +212,8 @@
(/sbin/shorewall show log) when you
exercise the function that is giving you problems? If so, include the
message(s) in your post along with a copy of your
- /etc/shorewall/interfaces file.
+ /etc/shorewall/interfaces file (and /etc/shorewall/hosts file if you
+ have entries in that file).