holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Update for Shorewall 2.0.9

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1641 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-09-23 22:50:12 +00:00
parent 1e86648628
commit 58204f5bc0
18 changed files with 890 additions and 457 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Lrp2/etc/shorewall/actions
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.0 /etc/shorewall/actions
# Shorewall 2.1 /etc/shorewall/actions
#
# This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to
@ -8,10 +8,12 @@
#
# ACTION names should begin with an upper-case letter to
# distinguish them from Shorewall-generated chain names and
# they must need the requirements of a Netfilter chain
# name as well as the requirements for a Bourne Shell identifier
# (must begin with a letter and be composed of letters, digits
# and underscore characters).
# they must need the requirements of a Netfilter chain. If
# you intend to log from the action then the name must be
# no longer than 11 character in length. Names must also
# meet the requirements for a Bourne Shell identifier (must
# begin with a letter and be composed of letters, digits and
# underscore characters).
#
# If you follow the action name with ":DROP", ":REJECT" or
# :ACCEPT then the action will be taken before a DROP, REJECT or

7
Lrp2/etc/shorewall/masq
View File

@ -42,6 +42,13 @@
# will automatically add this address to the
# INTERFACE named in the first column.
#
# If you have set ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf then DO NOT
# PLACE YOUR EXTERNAL INTERFACE'S PRIMARY IP
# ADDRESS IN THIS COLUMN -- If you do so, you
# will loose your default route when Shorewall
# starts.
#
# You may also specify a range of up to 256
# IP addresses if you want the SNAT address to
# be assigned from that range in a round-robin

4
Lrp2/etc/shorewall/rules
View File

@ -195,8 +195,8 @@
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
# specify an ORIGINAL DEST in the next column, then place
# "-" in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in

9
Lrp2/usr/share/shorewall/bogons
View File

@ -14,7 +14,9 @@
#
# Columns are:
#
# SUBNET The subnet (host addresses also allowed)
# SUBNET The subnet (host addresses also allowed as are IP
# address ranges provided that your kernel and iptables
# include iprange match support).
# TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally
# DROP - silently drop the packet
@ -47,8 +49,9 @@
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved
71.0.0.0/8 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved
73.0.0.0/8 logdrop # Reserved
74.0.0.0/7 logdrop # Reserved
76.0.0.0/6 logdrop # Reserved
89.0.0.0/8 logdrop # Reserved
90.0.0.0/7 logdrop # Reserved
92.0.0.0/6 logdrop # Reserved

2
Lrp2/usr/share/shorewall/firewall
View File

@ -2075,6 +2075,8 @@ process_tc_rule()
fi
[ "x$dest" = "x-" ] || r="${r}-d $dest "
[ "x$proto" = "x-" ] && proto=all
[ "x$proto" = "x" ] && proto=all
[ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port "
[ "x$sport" = "x-" ] || r="${r}--sport $sport "

2
Lrp2/usr/share/shorewall/version
View File

@ -1 +1 @@
2.0.8
2.0.9

13
Shorewall-docs2/Documentation.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-08-10</pubdate>
<pubdate>2004-09-10</pubdate>
<copyright>
<year>2001-2004</year>
@ -1759,6 +1759,17 @@ DNAT loc:<emphasis role="bold">192.168.1.0/24</emphasis> loc:192.168.1.3 tcp
address), the original source address is used. If you want any
destination address to match the rule but want to specify SNAT,
simply use a colon followed by the SNAT address.</para>
<important>
<para>Shorewall does not take any steps to ensure that IP
addresses entered in this column are added to the appropriate
firewall interface. Unless traffic for this address is
automatically routed to the firewall by another router, it is your
responsibility to add the address using your distributions network
configuration facilities. See <ulink
url="Shorewall_and_Aliased_Interfaces.html">this article</ulink>
for additional information.</para>
</important>
</listitem>
</varlistentry>

398
Shorewall-docs2/Documentation_Index.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-07-20</pubdate>
<pubdate>2004-09-23</pubdate>
<copyright>
<year>2001-2004</year>
@ -31,14 +31,21 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<note>
<para>The complete Shorewall Documentation is <ulink
url="http://www.shorewall.net/download.htm">available for download</ulink>
in both Docbook XML and HTML formats.</para>
</note>
<caution>
<para>Are you running Shorewall on <ulink
url="http://www.mandrakesoft.com"><trademark>Mandrake</trademark> Linux</ulink>
with a two-interface setup?</para>
url="http://www.mandrakesoft.com"><trademark>Mandrake</trademark>
Linux</ulink> with a two-interface setup?</para>
<para>If so and if you configured your system while running a Mandrake
release earlier than 10.0 final then this documentation will not apply
@ -51,7 +58,8 @@
<itemizedlist>
<listitem>
<para><ulink url="Introduction.html">Introduction to Shorewall</ulink></para>
<para><ulink url="Introduction.html">Introduction to
Shorewall</ulink></para>
</listitem>
<listitem>
@ -107,48 +115,167 @@
<listitem>
<para><ulink url="configuration_file_basics.htm">Common configuration
file features&#x00A0;</ulink><itemizedlist><listitem><para><ulink
url="configuration_file_basics.htm#Comments">Comments in configuration
files</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Continuation">Line Continuation</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Ports">Port Numbers/Service Names</ulink>configuration_file_basics.htm#Ports</para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Ranges">Port Ranges</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Variables">Using Shell Variables</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#dnsnames">Using DNS Names</ulink></para></listitem><listitem><para><ulink
file features&nbsp;</ulink><itemizedlist>
<listitem>
<para><ulink url="configuration_file_basics.htm#Comments">Comments
in configuration files</ulink></para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm#Continuation">Line
Continuation</ulink></para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm#INCLUDE">INCLUDE
Directive</ulink></para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm#Ports">Port
Numbers/Service
Names</ulink>configuration_file_basics.htm#Ports</para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm#Ranges">Port
Ranges</ulink></para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm#Variables">Using
Shell Variables</ulink></para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm#dnsnames">Using
DNS Names</ulink></para>
</listitem>
<listitem>
<para><ulink
url="configuration_file_basics.htm#Compliment">Complementing an IP
address or Subnet</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Levels">Shorewall Configurations
(making a test configuration)</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</ulink></para></listitem></itemizedlist></para>
address or Subnet</ulink></para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm#Levels">Shorewall
Configurations (making a test configuration)</ulink></para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm#MAC">Using MAC
Addresses in Shorewall</ulink></para>
</listitem>
</itemizedlist></para>
</listitem>
<listitem>
<para><ulink url="Documentation.htm">Configuration File Reference Manual
</ulink><itemizedlist><listitem><para><ulink
url="Documentation.htm#Variables">params</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Zones">zones</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Interfaces">interfaces</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Hosts">hosts</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Policy">policy</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Rules">rules</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Masq">masq</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#ProxyArp">proxyarp</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#NAT">nat</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Tunnels">tunnels</ulink></para></listitem><listitem><para><ulink
url="traffic_shaping.htm#tcrules">tcrules</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Conf">shorewall.conf</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#modules">modules</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#TOS">tos</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Blacklist">blacklist</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#rfc1918">rfc1918</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Routestopped">routestopped</ulink></para></listitem><listitem><para><ulink
url="Accounting.html">accounting</ulink></para></listitem><listitem><para><ulink
url="UserSets.html">usersets and users</ulink></para></listitem><listitem><para><ulink
url="MAC_Validation.html">maclist</ulink></para></listitem><listitem><para><ulink
url="User_defined_Actions.html">actions and action.template</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Bogons">bogons</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Netmap">netmap</ulink></para></listitem></itemizedlist></para>
</ulink><itemizedlist>
<listitem>
<para><ulink
url="Documentation.htm#Variables">params</ulink></para>
</listitem>
<listitem>
<para><ulink url="Documentation.htm#Zones">zones</ulink></para>
</listitem>
<listitem>
<para><ulink
url="Documentation.htm#Interfaces">interfaces</ulink></para>
</listitem>
<listitem>
<para><ulink url="Documentation.htm#Hosts">hosts</ulink></para>
</listitem>
<listitem>
<para><ulink url="Documentation.htm#Policy">policy</ulink></para>
</listitem>
<listitem>
<para><ulink url="Documentation.htm#Rules">rules</ulink></para>
</listitem>
<listitem>
<para><ulink url="Documentation.htm#Masq">masq</ulink></para>
</listitem>
<listitem>
<para><ulink
url="Documentation.htm#ProxyArp">proxyarp</ulink></para>
</listitem>
<listitem>
<para><ulink url="Documentation.htm#NAT">nat</ulink></para>
</listitem>
<listitem>
<para><ulink
url="Documentation.htm#Tunnels">tunnels</ulink></para>
</listitem>
<listitem>
<para><ulink
url="traffic_shaping.htm#tcrules">tcrules</ulink></para>
</listitem>
<listitem>
<para><ulink
url="Documentation.htm#Conf">shorewall.conf</ulink></para>
</listitem>
<listitem>
<para><ulink
url="Documentation.htm#modules">modules</ulink></para>
</listitem>
<listitem>
<para><ulink url="Documentation.htm#TOS">tos</ulink></para>
</listitem>
<listitem>
<para><ulink
url="Documentation.htm#Blacklist">blacklist</ulink></para>
</listitem>
<listitem>
<para><ulink
url="Documentation.htm#rfc1918">rfc1918</ulink></para>
</listitem>
<listitem>
<para><ulink
url="Documentation.htm#Routestopped">routestopped</ulink></para>
</listitem>
<listitem>
<para><ulink url="Accounting.html">accounting</ulink></para>
</listitem>
<listitem>
<para><ulink url="UserSets.html">usersets and users</ulink></para>
</listitem>
<listitem>
<para><ulink url="MAC_Validation.html">maclist</ulink></para>
</listitem>
<listitem>
<para><ulink url="User_defined_Actions.html">actions and
action.template</ulink></para>
</listitem>
<listitem>
<para><ulink url="Documentation.htm#Bogons">bogons</ulink></para>
</listitem>
<listitem>
<para><ulink url="Documentation.htm#Netmap">netmap</ulink></para>
</listitem>
</itemizedlist></para>
</listitem>
<listitem>
@ -161,7 +288,8 @@
</listitem>
<listitem>
<para><ulink url="ECN.html">ECN Disabling by host or subnet</ulink></para>
<para><ulink url="ECN.html">ECN Disabling by host or
subnet</ulink></para>
</listitem>
<listitem>
@ -169,9 +297,9 @@
</listitem>
<listitem>
<para><ulink url="shorewall_extension_scripts.htm">Extension Scripts</ulink>
(How to extend Shorewall without modifying Shorewall code through the
use of files in /etc/shorewall -- /etc/shorewall/start,
<para><ulink url="shorewall_extension_scripts.htm">Extension
Scripts</ulink> (How to extend Shorewall without modifying Shorewall
code through the use of files in /etc/shorewall -- /etc/shorewall/start,
/etc/shorewall/stopped, etc.)</para>
</listitem>
@ -197,7 +325,8 @@
</listitem>
<listitem>
<para><ulink url="support.htm">Getting help or answers to questions</ulink></para>
<para><ulink url="support.htm">Getting help or answers to
questions</ulink></para>
</listitem>
<listitem>
@ -209,7 +338,8 @@
</listitem>
<listitem>
<para><ulink url="Shorewall_and_Kazaa.html">Kazaa Filtering</ulink></para>
<para><ulink url="Shorewall_and_Kazaa.html">Kazaa
Filtering</ulink></para>
</listitem>
<listitem>
@ -235,7 +365,8 @@
</listitem>
<listitem>
<para><ulink url="NetfilterOverview.html">Netfilter Overview</ulink></para>
<para><ulink url="NetfilterOverview.html">Netfilter
Overview</ulink></para>
</listitem>
<listitem>
@ -261,7 +392,7 @@
</listitem>
<listitem>
<para><ulink url="ping.html">&#39;Ping&#39; Management</ulink></para>
<para><ulink url="ping.html">'Ping' Management</ulink></para>
</listitem>
<listitem>
@ -291,11 +422,13 @@
</listitem>
<listitem>
<para><ulink url="shorewall_prerequisites.htm">Requirements</ulink></para>
<para><ulink
url="shorewall_prerequisites.htm">Requirements</ulink></para>
</listitem>
<listitem>
<para><ulink url="Multiple_Zones.html">Routing on One Interface</ulink></para>
<para><ulink url="Multiple_Zones.html">Routing on One
Interface</ulink></para>
</listitem>
<listitem>
@ -303,29 +436,117 @@
</listitem>
<listitem>
<para><ulink url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#Introduction">Introduction</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Concepts">Shorewall Concepts</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Interfaces">Network Interfaces</ulink></para></listitem><listitem><para><ulink
<para><ulink url="shorewall_setup_guide.htm">Shorewall Setup
Guide</ulink><itemizedlist>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#Introduction">Introduction</ulink></para>
</listitem>
<listitem>
<para><ulink url="shorewall_setup_guide.htm#Concepts">Shorewall
Concepts</ulink></para>
</listitem>
<listitem>
<para><ulink url="shorewall_setup_guide.htm#Interfaces">Network
Interfaces</ulink></para>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#Addressing">Addressing, Subnets and
Routing</ulink></para><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#Addresses">IP Addresses</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Subnets">Subnets</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Routing">Routing</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#ARP">Address Resolution Protocol (ARP)</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#RFC1918">RFC 1918</ulink></para></listitem></itemizedlist></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Options">Setting up your Network</ulink></para><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#Routed">Routed</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#NonRouted">Non-routed</ulink></para><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#SNAT">SNAT</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#DNAT">DNAT</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#ProxyARP">Proxy ARP</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#NAT">One-to-one NAT</ulink></para></listitem></itemizedlist></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Rules">Rules</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#OddsAndEnds">Odds and Ends</ulink></para></listitem></itemizedlist></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#DNS">DNS</ulink></para></listitem><listitem><para><ulink
url="starting_and_stopping_shorewall.htm">Starting and Stopping the
Firewall</ulink></para></listitem></itemizedlist></para>
Routing</ulink></para>
<itemizedlist>
<listitem>
<para><ulink url="shorewall_setup_guide.htm#Addresses">IP
Addresses</ulink></para>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#Subnets">Subnets</ulink></para>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#Routing">Routing</ulink></para>
</listitem>
<listitem>
<para><ulink url="shorewall_setup_guide.htm#ARP">Address
Resolution Protocol (ARP)</ulink></para>
</listitem>
<listitem>
<para><ulink url="shorewall_setup_guide.htm#RFC1918">RFC
1918</ulink></para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><ulink url="shorewall_setup_guide.htm#Options">Setting up
your Network</ulink></para>
<itemizedlist>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#Routed">Routed</ulink></para>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#NonRouted">Non-routed</ulink></para>
<itemizedlist>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#SNAT">SNAT</ulink></para>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#DNAT">DNAT</ulink></para>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#ProxyARP">Proxy
ARP</ulink></para>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#NAT">One-to-one
NAT</ulink></para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#Rules">Rules</ulink></para>
</listitem>
<listitem>
<para><ulink url="shorewall_setup_guide.htm#OddsAndEnds">Odds
and Ends</ulink></para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><ulink
url="shorewall_setup_guide.htm#DNS">DNS</ulink></para>
</listitem>
<listitem>
<para><ulink url="starting_and_stopping_shorewall.htm">Starting
and Stopping the Firewall</ulink></para>
</listitem>
</itemizedlist></para>
</listitem>
<listitem>
@ -334,13 +555,20 @@
<listitem>
<para><ulink url="starting_and_stopping_shorewall.htm">Starting/stopping
the Firewall</ulink><itemizedlist><listitem><para>Description of all
/sbin/shorewall commands</para></listitem><listitem><para>How to safely
test a Shorewall configuration change</para></listitem></itemizedlist></para>
the Firewall</ulink><itemizedlist>
<listitem>
<para>Description of all /sbin/shorewall commands</para>
</listitem>
<listitem>
<para><ulink url="Shorewall_Squid_Usage.html">Squid with Shorewall</ulink></para>
<para>How to safely test a Shorewall configuration change</para>
</listitem>
</itemizedlist></para>
</listitem>
<listitem>
<para><ulink url="Shorewall_Squid_Usage.html">Squid with
Shorewall</ulink></para>
</listitem>
<listitem>
@ -352,16 +580,18 @@
</listitem>
<listitem>
<para><ulink url="traffic_shaping.htm">Traffic Shaping/QOS</ulink></para>
<para><ulink url="traffic_shaping.htm">Traffic
Shaping/QOS</ulink></para>
</listitem>
<listitem>
<para><ulink url="troubleshoot.htm">Troubleshooting</ulink> (Things to
try if it doesn&#39;t work)</para>
try if it doesn't work)</para>
</listitem>
<listitem>
<para><ulink url="User_defined_Actions.html">User-defined Actions</ulink></para>
<para><ulink url="User_defined_Actions.html">User-defined
Actions</ulink></para>
</listitem>
<listitem>
@ -402,13 +632,15 @@
</listitem>
<listitem>
<para><ulink url="GenericTunnels.html">Other VPN types</ulink></para>
<para><ulink url="GenericTunnels.html">Other VPN
types</ulink></para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><ulink url="whitelisting_under_shorewall.htm">White List Creation</ulink></para>
<para><ulink url="whitelisting_under_shorewall.htm">White List
Creation</ulink></para>
</listitem>
</orderedlist>
</article>

47
Shorewall-docs2/FAQ.xml
View File

@ -17,7 +17,7 @@
</author>
</authorgroup>
<pubdate>2004-08-31</pubdate>
<pubdate>2004-09-23</pubdate>
<copyright>
<year>2001-2004</year>
@ -617,6 +617,10 @@ to debug/develop the newnat interface.</programlisting></para>
<para>Answer: Add the <firstterm>routeback</firstterm> option to
<filename class="devicefile">br0</filename> in <ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.</para>
<para>For more information on this type of configuration, see the <ulink
url="SimpleBridge.html">Shorewall Simple Bridge
documentation</ulink>.</para>
</section>
</section>
@ -817,10 +821,11 @@ LOGBURST=""</programlisting>
</section>
<section id="faq17">
<title>(FAQ 17) What does this log message mean?</title>
<title>(FAQ 17) Why are these packets being Dropped/Rejected?</title>
<para><emphasis role="bold">Answer:</emphasis> Logging occurs out of a
number of chains (as indicated in the log message) in Shorewall:</para>
<para><emphasis role="bold">Answer:</emphasis> Logging of
dropped/rejected packets occurs out of a number of chains (as indicated
in the log message) in Shorewall:</para>
<variablelist>
<varlistentry>
@ -937,9 +942,14 @@ LOGBURST=""</programlisting>
<para>The packet has a source IP address that isn't in any of your
defined zones (<quote>shorewall check</quote> and look at the
printed zone definitions) or the chain is FORWARD and the
destination IP isn't in any of your defined zones. Also see <xref
linkend="faq2a" /> for another cause of packets being logged in
the FORWARD chain.</para>
destination IP isn't in any of your defined zones. If the chain is
FORWARD and the IN and OUT interfaces are the same, then you
probably need the <emphasis role="bold">routeback</emphasis>
option on that interface in <filename><ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink></filename>
or you need the <emphasis role="bold">routeback</emphasis> option
in the relevant entry in <filename><ulink
url="Documentation.htm#Hosts">/etc/shorewall/hosts</ulink></filename>.</para>
</listitem>
</varlistentry>
@ -976,7 +986,7 @@ LOGBURST=""</programlisting>
<para>This packet was REJECTed out of the <emphasis
role="bold">all2all</emphasis> chain -- the packet was rejected
under the <quote>all</quote>-&gt;<quote>all</quote> REJECT
policy (<xref linkend="all2all" /> above).</para>
policy (<link linkend="all2all">all2all</link> above).</para>
</listitem>
</varlistentry>
@ -1820,6 +1830,27 @@ iptables: Invalid argument
<title>Revision History</title>
<para><revhistory>
<revision>
<revnumber>1.32</revnumber>
<date>2004-09-23</date>
<authorinitials>TE</authorinitials>
<revremark>Add link to simple bridge documentation from FAQ
35.</revremark>
</revision>
<revision>
<revnumber>1.31</revnumber>
<date>2004-09-12</date>
<authorinitials>TE</authorinitials>
<revremark>Rename FAQ 17.</revremark>
</revision>
<revision>
<revnumber>1.30</revnumber>

293
Shorewall-docs2/OPENVPN.xml
View File

@ -21,7 +21,7 @@
</author>
</authorgroup>
<pubdate>2003-02-04</pubdate>
<pubdate>2004-09-14</pubdate>
<copyright>
<year>2003</year>
@ -37,7 +37,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -45,8 +46,9 @@
Network) daemon which can be used to securely link two or more private
networks using an encrypted tunnel over the internet. OpenVPN is an Open
Source project and is <ulink
url="http://openvpn.sourceforge.net/license.html">licensed under the GPL</ulink>.
OpenVPN can be downloaded from <ulink url="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</ulink>.</para>
url="http://openvpn.sourceforge.net/license.html">licensed under the
GPL</ulink>. OpenVPN can be downloaded from <ulink
url="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</ulink>.</para>
<para>OpenVPN support was added to Shorewall in version 1.3.14.</para>
@ -59,145 +61,72 @@
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file and the
/etc/shorewall/policy file and OpenVPN.</para>
accomplished through use of the
<filename>/etc/shorewall/tunnels</filename> file and the
<filename>/etc/shorewall/policy file</filename> and OpenVPN.</para>
<para>While it was possible to use the Shorewall start and stop script to
start and stop OpenVPN, I decided to use the init script of OpenVPN to
start and stop it.</para>
<para>On each firewall, you will need to declare a zone to represent the
remote subnet. We&#39;ll assume that this zone is called <quote>vpn</quote>
and declare it in /etc/shorewall/zones on both systems as follows.</para>
remote subnet. We'll assume that this zone is called <quote>vpn</quote>
and declare it in <filename>/etc/shorewall/zones</filename> on both
systems as follows.</para>
<table>
<title>/etc/shorewall/zones system A &#38; B</title>
<blockquote>
<para><filename>/etc/shorewall/zones</filename> — Systems A &amp;
B</para>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<programlisting>#ZONE DISPLAY COMMENTS
vpn VPN Remote subnet</programlisting>
</blockquote>
<entry align="center">DISPLAY</entry>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis
role="bold">vpn</emphasis> zone.</para>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<blockquote>
<para>In <filename>/etc/shorewall/interfaces</filename> on system
A:</para>
<tbody>
<row>
<entry>vpn</entry>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
vpn tun0</programlisting>
</blockquote>
<entry>VPN</entry>
<para>In <filename>/etc/shorewall/tunnels</filename> on system A, we need
the following:</para>
<entry>Remote Subnet</entry>
</row>
</tbody>
</tgroup>
</table>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
openvpn net 134.28.54.2</programlisting>
</blockquote>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis>
zone. In /etc/shorewall/interfaces:</para>
<note>
<para>Some OpenVPN clients (notabley on <trademark>Windows</trademark>)
do not use the same source and destination ports which can cause
problems. If system B is a Windows system, then you will want the
following entry in /etc/shorewall/tunnels instead of the one
above:</para>
<table>
<title>etc/shorewall/interfaces system A</title>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
generic:udp:5000 net 134.28.54.2</programlisting>
</note>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<para>This entry in <filename>/etc/shorewall/tunnels</filename> opens the
firewall so that OpenVPN traffic on the default port 5000/udp will be
accepted to/from the remote gateway. If you change the port used by
OpenVPN to 7777, you can define /etc/shorewall/tunnels like this:</para>
<entry align="center">INTERFACE</entry>
<blockquote>
<para> /etc/shorewall/tunnels with port 7777:</para>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tun0</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<table>
<title>/etc/shorewall/tunnels system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>openvpn</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>This entry in /etc/shorewall/tunnels opens the firewall so that
OpenVPN traffic on the default port 5000/udp will be accepted to/from the
remote gateway. If you change the port used by OpenVPN to 7777, you can
define /etc/shorewall/tunnels like this:</para>
<table>
<title>/etc/shorewall/tunnels port 7777</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>openvpn:7777</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
openvpn:77777 net 134.28.54.2</programlisting>
</blockquote>
<para>This is the OpenVPN config on system A:</para>
<blockquote>
<programlisting>dev tun
local 206.162.148.9
remote 134.28.54.2
@ -210,74 +139,30 @@ cert my-a.crt
key my-a.key
comp-lzo
verb 5</programlisting>
</blockquote>
<para>Similarly, On system B the 192.168.1.0/24 subnet will comprise the
<emphasis role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
<emphasis role="bold">vpn</emphasis> zone</para>
<table>
<title>/etc/shorewall/interfaces system B</title>
<blockquote>
<para>In <filename>/etc/shorewall/interfaces</filename> on system
B:</para>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
vpn tun0 192.168.1.255</programlisting>
</blockquote>
<entry align="center">INTERFACE</entry>
<para>In <filename>/etc/shorewall/tunnels</filename> on system B, we
have:</para>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tun0</entry>
<entry>192.168.1.255</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>In /etc/shorewall/tunnels on system B, we have:</para>
<table>
<title>/etc/shorewall/tunnels system B</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>openvpn</entry>
<entry>net</entry>
<entry>206.191.148.9</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
openvpn net 206.191.148.9</programlisting>
</blockquote>
<para>And in the OpenVPN config on system B:</para>
<blockquote>
<programlisting>dev tun
local 134.28.54.2
remote 206.162.148.9
@ -289,50 +174,20 @@ cert my-b.crt
key my-b.key
comp-lzo
verb 5</programlisting>
</blockquote>
<para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone on both systems -- if you simply want to
admit all traffic in both directions, you can use the policy file:</para>
<table>
<title>/etc/shorewall/policy system A &#38; B</title>
<blockquote>
<para><filename>/etc/shorewall/policy </filename>on systems A &amp;
B</para>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#SOURCE DEST POLICY LOG LEVEL
loc vpn ACCEPT
vpn loc ACCEPT</programlisting>
</blockquote>
<para>On both systems, restart Shorewall and start OpenVPN. The systems in
the two masqueraded subnetworks can now talk to each other.</para>

15
Shorewall-docs2/Shorewall_and_Kazaa.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-02-04</pubdate>
<pubdate>2004-09-16</pubdate>
<copyright>
<year>2003-2004</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -41,9 +42,8 @@
KazaaLite, iMash and Grokster.</para>
<para>To filter traffic from your <quote>loc</quote> zone with ftwall, you
insert the following rules <emphasis role="bold">near the top</emphasis> of
your /etc/shorewall/rules file (before any ACCEPT rules whose source is the
<quote>loc</quote> zone).</para>
insert the following rules in /etc/shorewall/rules file after any DROP or
REJECT rules whose source is the <quote>loc</quote> zone.</para>
<programlisting> #ACTION SOURCE DEST PROTO
QUEUE loc net tcp
@ -54,8 +54,9 @@
and restart Shorewall.</para>
<tip>
<para>There are ftwall init scripts for use with <trademark>SuSE</trademark>
and <trademark>Debian</trademark> Linux at <ulink
<para>There are ftwall init scripts for use with
<trademark>SuSE</trademark> and <trademark>Debian</trademark> Linux at
<ulink
url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para>
</tip>
</article>

119
Shorewall-docs2/SimpleBridge.xml Normal file
View File

@ -0,0 +1,119 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Shorewall and a Simple Bridge</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-09-23</pubdate>
<copyright>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Background</title>
<para>Systems where Shorewall runs normally function as
<firstterm>routers</firstterm>. In the context of the Open System
Interconnect (OSI) reference model, a router operates at layer 3.
Shorewall may also be deployed on a GNU Linux System that acts as a
<firstterm>bridge</firstterm>. Bridges are layer-2 devices in the OSI
model (think of a bridge as an ethernet switch).</para>
<para>Some differences between routers and bridges are:</para>
<orderedlist>
<listitem>
<para>Routers determine packet destination based on the destination IP
address while bridges route traffic based on the destination MAC
address in the ethernet frame.</para>
</listitem>
<listitem>
<para>As a consequence of the first difference, routers can be
connected to more than one IP network while a bridge may be part of
only a single network.</para>
</listitem>
<listitem>
<para>A router cannot forward broadcast packets while a bridge
can.</para>
</listitem>
</orderedlist>
</section>
<section>
<title>Application</title>
<para>There are cases where you want to create a bridge to join two or
more LAN segments and you don't need to restrict the traffic between those
segments. This is the environment that is described in this article.
</para>
<para>If you do need to restrict traffic through the bridge, please refer
to the <ulink url="bridge.html">Shorewall Bridge/Firewall
documentation</ulink>. Also please refer to that documentation for
information about how to create a bridge.</para>
<para>The following diagram shows a firewall for two bridged LAN
segments.</para>
<graphic align="center" fileref="images/SimpleBridge.png" valign="middle" />
<para>This is fundimentally the Two-interface Firewall described in the
<ulink url="two-interface.htm">Two-interface Quickstart Guide</ulink>. The
bridge-specific changes are restricted to the
<filename>/etc/shorewall/interfaces</filename> file.</para>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect ...
loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <emphasis
role="bold">routeback</emphasis>,...</programlisting>
<para>So the key points here are:</para>
<itemizedlist>
<listitem>
<para>The <emphasis role="bold">loc</emphasis> interface is <filename
class="devicefile">br0</filename>.</para>
</listitem>
<listitem>
<para>Neither <filename class="devicefile">eth1</filename> nor
<filename class="devicefile">eth2</filename> have IP addresses and
neither are mentioned in the Shorewall configuration.</para>
</listitem>
<listitem>
<para>The <emphasis role="bold">routeback</emphasis> option is
specified for <filename class="devicefile">br0</filename>.</para>
</listitem>
</itemizedlist>
</section>
</article>

9
Shorewall-docs2/bridge.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-09-10</pubdate>
<pubdate>2004-09-23</pubdate>
<copyright>
<year>2004</year>
@ -70,7 +70,7 @@
<section>
<title>Requirements</title>
<para>In order to use Shorewall with a bridging firewall:</para>
<para>In order to use Shorewall as a bridging firewall:</para>
<itemizedlist>
<listitem>
@ -103,6 +103,11 @@
<para>You must be running Shorewall 2.0.1 Beta 1 or later.</para>
</listitem>
</itemizedlist>
<para>Note that if you need a bridge but do not need to restrict the
traffic through the bridge then any version of Shorewall will work. See
the <ulink url="SimpleBridge.html">Simple Bridge documentation</ulink> for
details.</para>
</section>
<section>

BIN
Shorewall-docs2/images/SimpleBridge.dia Normal file
View File

Binary file not shown.

BIN
Shorewall-docs2/images/SimpleBridge.png Normal file
View File

Binary file not shown.

73
Shorewall-docs2/myfiles.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-09-06</pubdate>
<pubdate>2004-09-07</pubdate>
<copyright>
<year>2001-2004</year>
@ -78,11 +78,11 @@
<listitem>
<para>I use SNAT through 206.124.146.179 for&nbsp;my Wife's Windows XP
system <quote>Tarry</quote>, and our&nbsp; dual-booting (Windows
XP/SuSE 9.1) laptop <quote>Tipper</quote> which connects through the
Wireless Access Point (wap) via a Wireless Bridge (wet).<note>
system <quote>Tarry</quote>, and our&nbsp; dual-booting (SuSE
9.1/Windows XP) laptop <quote>Tipper</quote> which connects through
the Wireless Access Point (wap) via a Wireless Bridge (wet).<note>
<para>While the distance between the WAP and where I usually use
the laptop isn't very far (25 feet or so), using a WAC11 (CardBus
the laptop isn't very far (50 feet or so), using a WAC11 (CardBus
wireless card) has proved very unsatisfactory (lots of lost
connections). By replacing the WAC11 with the WET11 wireless
bridge, I have virtually eliminated these problems (Being an old
@ -148,7 +148,8 @@
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
my work laptop and the Firewall is configured with IPSEC for tunnel mode
road warrior access from Tipper.</para>
access from our second home in <ulink
url="http://www.omakchamber.com/">Omak, Washington</ulink>.</para>
<para><graphic align="center" fileref="images/network.png" /></para>
</section>
@ -397,7 +398,7 @@ $EXT_IF:2 eth2 206.124.146.179
</section>
<section>
<title>Tunnels File (Shell variable TEXAS set in
<title>Tunnels File (Shell variables TEXAS and OMAK set in
/etc/shorewall/params)</title>
<blockquote>
@ -653,6 +654,10 @@ ACCEPT tx loc:192.168.1.5 all
<title>zones</title>
<blockquote>
<para>Because <emphasis role="bold">loc</emphasis> is a sub-zone of
<emphasis role="bold">net</emphasis>, <emphasis
role="bold">loc</emphasis> must be defined first.</para>
<programlisting>#ZONE DISPLAY COMMENTS
loc Local Local networks
net Internet The Big Bad Internet
@ -754,11 +759,13 @@ br0:eth0 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
<blockquote>
<para>This file is SuSE-specific and creates the bridge device
<filename class="devicefile">br0</filename>. A script for other
disbributions would be similar.</para>
distributions would be similar (see the <ulink
url="bridge.html">Shorewall Bridge documentation</ulink> for
examples).</para>
<programlisting>#!/bin/sh
################################################################################
# Script to create a bridge between eth0, eth1 and eth2
# Script to create a bridge
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
@ -766,6 +773,15 @@ br0:eth0 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
#
# Modify the following variables to match your configuration
#
#### BEGIN INIT INFO
# Provides: bridge
# Required-Start: coldplug
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: starts and stops a bridge
### END INIT INFO
#
# chkconfig: 2345 05 89
# description: Layer 2 Bridge
#
@ -773,21 +789,29 @@ br0:eth0 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
INTERFACES="eth0 eth1"
BRIDGE="br0"
do_stop() {
echo "Stopping Bridge"
brctl delbr br0
ip link set eth0 down
ip link set eth1 down
echo "Stopping Bridge $BRIDGE"
brctl delbr $BRIDGE
for interface in $INTERFACES; do
ip link set $interface down
done
}
do_start() {
echo "Starting Bridge"
ip link set eth0 up
ip link set eth1 up
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
echo "Starting Bridge $BRIDGE"
for interface in $INTERFACES; do
ip link set $interface up
done
brctl addbr $BRIDGE
for interface in $INTERFACES; do
brctl addif $BRIDGE $interface
done
}
case "$1" in
@ -816,11 +840,7 @@ exit 0</programlisting>
<blockquote>
<para>This file is SuSE-specific</para>
<programlisting>BOOTPROTO='static'
BROADCAST='192.168.1.255'
IPADDR='192.168.1.5'
NETWORK='192.168.1.0'
NETMASK='255.255.255.0'
<programlisting>BOOTPROTO='dhcp'
REMOTE_IPADDR=''
STARTMODE='onboot'
UNIQUE='3hqH.MjuOqWfSZ+C'
@ -835,8 +855,9 @@ MTU=''</programlisting>
<blockquote>
<para>This file is SuSE-specific</para>
<programlisting>192.168.1.0 - 255.255.255.0 br0
default 192.168.1.254 - -</programlisting>
<programlisting>192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.5
127.0.0.0/8 dev lo scope link
default via 192.168.1.254 dev br0</programlisting>
</blockquote>
</section>
</section>

319
Shorewall-docs2/ports.xml
View File

@ -13,7 +13,7 @@
</author>
</authorgroup>
<pubdate>2004-07-31</pubdate>
<pubdate>2004-09-21</pubdate>
<copyright>
<year>2001-2002</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
<abstract>
@ -50,8 +51,8 @@
<filename>/usr/share/shorewall/actions.std</filename> file for a list of
the actions in your distribution. If you find what you need, you simply
use the action in a rule. For example, to allow DNS queries from the
<emphasis role="bold">dmz</emphasis> zone to the <emphasis role="bold">net</emphasis>
zone:</para>
<emphasis role="bold">dmz</emphasis> zone to the <emphasis
role="bold">net</emphasis> zone:</para>
<programlisting>#ACTION SOURCE DESTINATION
AllowDNS dmz net</programlisting>
@ -67,7 +68,7 @@ AllowDNS dmz net</programlisting>
at 192.168.1.4 in your DMZ. The FTP section below gives you:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 21</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 21</programlisting>
<para>You would code your rule as follows:</para>
@ -80,23 +81,23 @@ DNAT net dmz:192.168.1.4 tcp 21</programlisting>
<title>Auth (identd)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 113</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 113</programlisting>
</section>
<section>
<title>DNS</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 53
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 53</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 53
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 53</programlisting>
<para>Note that if you are setting up a DNS server that supports recursive
resolution, the server is the &#60;<emphasis>destination</emphasis>&#62;
for resolution requests (from clients) and is also the &#60;<emphasis>source</emphasis>&#62;
of recursive resolution requests (usually to other servers in the
&#39;net&#39; zone). So for example, if you have a public DNS server in
your DMZ that supports recursive resolution for local clients then you
would need:</para>
resolution, the server is the &lt;<emphasis>destination</emphasis>&gt; for
resolution requests (from clients) and is also the
&lt;<emphasis>source</emphasis>&gt; of recursive resolution requests
(usually to other servers in the 'net' zone). So for example, if you have
a public DNS server in your DMZ that supports recursive resolution for
local clients then you would need:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT all dmz udp 53
@ -105,9 +106,9 @@ ACCEPT dmz net udp 53
ACCEPT dmz net tcp 53</programlisting>
<note>
<para>Recursive Resolution means that if the server itself can&#39;t
resolve the name presented to it, the server will attempt to resolve the
name with the help of other servers.</para>
<para>Recursive Resolution means that if the server itself can't resolve
the name presented to it, the server will attempt to resolve the name
with the help of other servers.</para>
</note>
</section>
@ -115,36 +116,37 @@ ACCEPT dmz net tcp 53</programlisting>
<title>FTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 21</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 21</programlisting>
<para>Look <ulink url="FTP.html">here</ulink> for much more information.</para>
<para>Look <ulink url="FTP.html">here</ulink> for much more
information.</para>
</section>
<section>
<title>ICQ/AIM</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> net tcp 5190</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> net tcp 5190</programlisting>
</section>
<section>
<title>IMAP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 143 #Unsecure IMAP
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 993 #Secure IMAP</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 143 #Unsecure IMAP
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 993 #Secure IMAP</programlisting>
</section>
<section>
<title>IPSEC</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis> &#60;destination&#62;</emphasis> 50
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis> &#60;destination&#62;</emphasis> 51
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis> &#60;destination&#62;</emphasis> udp 500
ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62;</emphasis> 50
ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62;</emphasis> 51
ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62;</emphasis> udp 500</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> 50
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> 51
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> udp 500
ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis> 50
ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis> 51
ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis> udp 500</programlisting>
<para>Lots more information <ulink url="IPSEC.htm">here</ulink> and <ulink
url="VPN.htm">here</ulink>.</para>
@ -154,23 +156,23 @@ ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62
<title>NFS</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;z1&#62;</emphasis>:&#60;list of client IPs&#62; <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d tcp 111
ACCEPT <emphasis>&#60;z1&#62;</emphasis>:&#60;list of client IPs&#62; <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d udp</programlisting>
ACCEPT <emphasis>&lt;z1&gt;</emphasis>:&lt;list of client IPs&gt; <emphasis> &lt;z2&gt;</emphasis>:a.b.c.d tcp 111
ACCEPT <emphasis>&lt;z1&gt;</emphasis>:&lt;list of client IPs&gt; <emphasis> &lt;z2&gt;</emphasis>:a.b.c.d udp</programlisting>
</section>
<section>
<title>NTP (Network Time Protocol)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 123</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 123</programlisting>
</section>
<section>
<title><trademark>PCAnywhere</trademark></title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 5632
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5631</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 5632
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 5631</programlisting>
</section>
<section>
@ -179,16 +181,16 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<para>TCP Port 110 (Secure Pop3 is TCP Port 995)</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 110 #Unsecure Pop3
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 995 #Secure Pop3</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 110 #Unsecure Pop3
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 995 #Secure Pop3</programlisting>
</section>
<section>
<title>PPTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> 47
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 1723</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> 47
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 1723</programlisting>
<para>Lots more information <ulink url="PPTP.htm">here</ulink> and <ulink
url="VPN.htm">here</ulink>.</para>
@ -198,24 +200,24 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<title>rdate</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 37</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 37</programlisting>
</section>
<section>
<title>SSH</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 22</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 22</programlisting>
</section>
<section>
<title>SMB/NMB (Samba/Windows Browsing/File Sharing)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis> &#60;destination&#62;</emphasis> tcp 137,139,445
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis> &#60;destination&#62;</emphasis> udp 137:139
ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62;</emphasis> tcp 137,139,445
ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62;</emphasis> udp 137:139</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> tcp 137,139,445
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> udp 137:139
ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis> tcp 137,139,445
ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis> udp 137:139</programlisting>
<para>Also, see <ulink url="samba.htm">this page</ulink>.</para>
</section>
@ -224,57 +226,67 @@ ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62
<title>SMTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 25 #Insecure SMTP
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 465 #SMTP over SSL (TLS)</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 25 #Insecure SMTP
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 465 #SMTP over SSL (TLS)</programlisting>
</section>
<section>
<title>SNMP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 161:162
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 161</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 161:162
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 161</programlisting>
</section>
<section>
<title>Telnet</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 23</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 23</programlisting>
</section>
<section>
<title>TFTP</title>
<para>You must have TFTP connection tracking support in your kernel. If
modularized, the modules are <emphasis role="bold">ip_conntrack_tftp</emphasis>
(and <emphasis role="bold">ip_nat_tftp</emphasis> if any form of NAT is
involved) These modules may be loaded using entries in
<filename>/etc/shorewall/modules</filename>. The <emphasis role="bold">ip_conntrack_tftp</emphasis>
module must be loaded first. Note that the <filename>/etc/shorewall/modules</filename>
file released with recent Shorewall versions contains entries for these
modules.</para>
modularized, the modules are <emphasis
role="bold">ip_conntrack_tftp</emphasis> (and <emphasis
role="bold">ip_nat_tftp</emphasis> if any form of NAT is involved) These
modules may be loaded using entries in
<filename>/etc/shorewall/modules</filename>. The <emphasis
role="bold">ip_conntrack_tftp</emphasis> module must be loaded first. Note
that the <filename>/etc/shorewall/modules</filename> file released with
recent Shorewall versions contains entries for these modules.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 69</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 69</programlisting>
</section>
<section>
<title>Traceroute</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 33434:33443 #Good for 10 hops
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> icmp 8</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 33434:33443 #Good for 10 hops
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> icmp 8</programlisting>
<para>UDP traceroute uses ports 33434 through 33434+&#60;max number of
hops&#62;-1</para>
<para>UDP traceroute uses ports 33434 through 33434+&lt;max number of
hops&gt;-1. Note that for the firewall to respond with a TTL expired ICMP
reply, you will need to allow ICMP 11 outbound from the firewall. The
standard Shorewall sample configurations all set this up for you
automatically since those sample configurations enable all ICMP packet
types originating on the firewall itself.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT fw net icmp
ACCEPT fw loc icmp
ACCEPT fw ...</programlisting>
</section>
<section>
<title>Usenet (NNTP)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 119</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 119</programlisting>
<para>TCP Port 119</para>
</section>
@ -282,43 +294,60 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<section>
<title>VNC</title>
<para>Vncviewer to Vncserver -- TCP port 5900 + &#60;display number&#62;.</para>
<para>Vncviewer to Vncserver -- TCP port 5900 + &lt;display
number&gt;.</para>
<para>Vncviewer to Vncserver -- TCP port 5900 + &lt;display
number&gt;.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5901 #Display Number 1
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5902 #Display Number 2
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 5901 #Display Number 1
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 5902 #Display Number 2
...</programlisting>
<para>Vncserver to Vncviewer in listen mode -- TCP port 5500.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5500</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 5500</programlisting>
</section>
<section>
<title><trademark>Vonage</trademark></title>
<para>The standard Shorewall loc-&gt;net ACCEPT policy is all that is
required for <trademark>Vonage</trademark> IP phone service to work,
provided that you have loaded the tftp helper modules (add the following
entries to /etc/shorewall/modules if they are not there already):</para>
<programlisting> loadmodule ip_conntrack_tftp
loadmodule ip_nat_tftp</programlisting>
</section>
<section>
<title>Web Access</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 80 #Insecure HTTP
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 443 #Secure HTTP</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 80 #Insecure HTTP
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 443 #Secure HTTP</programlisting>
</section>
<section>
<title>X/XDMCP</title>
<para>Assume that the Choser and/or X Server are running at &#60;<emphasis>chooser</emphasis>&#62;
and the Display Manager/X applications are running at &#60;<emphasis>apps</emphasis>&#62;.</para>
<para>Assume that the Choser and/or X Server are running at
&lt;<emphasis>chooser</emphasis>&gt; and the Display Manager/X
applications are running at &lt;<emphasis>apps</emphasis>&gt;.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT &#60;<emphasis>chooser</emphasis>&#62; &#60;<emphasis>apps</emphasis>&#62; udp 177 #XDMCP
ACCEPT &#60;<emphasis>apps</emphasis>&#62; &#60;<emphasis>chooser</emphasis>&#62; tcp 6000:6009 #X Displays 0-9</programlisting>
ACCEPT &lt;<emphasis>chooser</emphasis>&gt; &lt;<emphasis>apps</emphasis>&gt; udp 177 #XDMCP
ACCEPT &lt;<emphasis>apps</emphasis>&gt; &lt;<emphasis>chooser</emphasis>&gt; tcp 6000:6009 #X Displays 0-9</programlisting>
</section>
<section>
<title>Other Source of Port Information</title>
<para>Didn&#39;t find what you are looking for -- have you looked in your
own /etc/services file?</para>
<para>Didn't find what you are looking for -- have you looked in your own
/etc/services file?</para>
<para>Still looking? Try <ulink
url="http://www.networkice.com/advice/Exploits/Ports">http://www.networkice.com/advice/Exploits/Ports</ulink></para>
@ -327,16 +356,138 @@ ACCEPT &#60;<emphasis>apps</emphasis>&#62; &#60;<emphasis>chooser</emphas
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.11</revnumber><date>2004-05-28</date><authorinitials>TE</authorinitials><revremark>Corrected
directory for actions.std and enhanced the DNS section.</revremark></revision><revision><revnumber>1.10</revnumber><date>2004-05-09</date><authorinitials>TE</authorinitials><revremark>Added
TFTP.</revremark></revision><revision><revnumber>1.9</revnumber><date>2004-04-24</date><authorinitials>TE</authorinitials><revremark>Revised
ICQ/AIM.</revremark></revision><revision><revnumber>1.8</revnumber><date>2004-04-23</date><authorinitials>TE</authorinitials><revremark>Added
SNMP.</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-02-18</date><authorinitials>TE</authorinitials><revremark>Make
NFS work for everyone.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-14</date><authorinitials>TE</authorinitials><revremark>Add
PCAnywhere.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Added
information about VNC viewers in listen mode.</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-26</date><authorinitials>TE</authorinitials><revremark>Correct
ICQ.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Alphabetize</revremark></revision><revision><revnumber>1.2</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Add
rules file entries.</revremark></revision><revision><revnumber>1.1</revnumber><date>2002-07-30</date><authorinitials>TE</authorinitials><revremark>Initial
version converted to Docbook XML</revremark></revision></revhistory></para>
<para><revhistory>
<revision>
<revnumber>1.13</revnumber>
<date>2004-09-21</date>
<authorinitials>TE</authorinitials>
<revremark>Add note about ICMP type 11 to Traceroute.</revremark>
</revision>
<revision>
<revnumber>1.12</revnumber>
<date>2004-09-09</date>
<authorinitials>TE</authorinitials>
<revremark>Add note about <trademark>Vonage</trademark>.</revremark>
</revision>
<revision>
<revnumber>1.11</revnumber>
<date>2004-05-28</date>
<authorinitials>TE</authorinitials>
<revremark>Corrected directory for actions.std and enhanced the DNS
section.</revremark>
</revision>
<revision>
<revnumber>1.10</revnumber>
<date>2004-05-09</date>
<authorinitials>TE</authorinitials>
<revremark>Added TFTP.</revremark>
</revision>
<revision>
<revnumber>1.9</revnumber>
<date>2004-04-24</date>
<authorinitials>TE</authorinitials>
<revremark>Revised ICQ/AIM.</revremark>
</revision>
<revision>
<revnumber>1.8</revnumber>
<date>2004-04-23</date>
<authorinitials>TE</authorinitials>
<revremark>Added SNMP.</revremark>
</revision>
<revision>
<revnumber>1.7</revnumber>
<date>2004-02-18</date>
<authorinitials>TE</authorinitials>
<revremark>Make NFS work for everyone.</revremark>
</revision>
<revision>
<revnumber>1.6</revnumber>
<date>2004-02-14</date>
<authorinitials>TE</authorinitials>
<revremark>Add PCAnywhere.</revremark>
</revision>
<revision>
<revnumber>1.5</revnumber>
<date>2004-02-05</date>
<authorinitials>TE</authorinitials>
<revremark>Added information about VNC viewers in listen
mode.</revremark>
</revision>
<revision>
<revnumber>1.4</revnumber>
<date>2004-01-26</date>
<authorinitials>TE</authorinitials>
<revremark>Correct ICQ.</revremark>
</revision>
<revision>
<revnumber>1.3</revnumber>
<date>2004-01-04</date>
<authorinitials>TE</authorinitials>
<revremark>Alphabetize</revremark>
</revision>
<revision>
<revnumber>1.2</revnumber>
<date>2004-01-03</date>
<authorinitials>TE</authorinitials>
<revremark>Add rules file entries.</revremark>
</revision>
<revision>
<revnumber>1.1</revnumber>
<date>2002-07-30</date>
<authorinitials>TE</authorinitials>
<revremark>Initial version converted to Docbook XML</revremark>
</revision>
</revhistory></para>
</appendix>
</article>

13
Shorewall-docs2/support.xml
View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-09-04</pubdate>
<pubdate>2004-09-07</pubdate>
<copyright>
<year>2001-2004</year>
@ -175,14 +175,6 @@
other output is better than a paraphrase or summary.</para>
</listitem>
<listitem>
<para>Please don't describe your problem as <quote>Computer A can't
see Computer B</quote>. Of course it can't -- it hasn't any eyes! If
ping from A to B fails, say so (and see below for information about
reporting <quote>ping</quote> problems). If Computer B doesn't show up
in <quote>Network Neighborhood</quote> then say so.</para>
</listitem>
<listitem>
<para>Please give details about what doesn't work. Reports that say
<quote>I followed the directions and it didn't work</quote> will
@ -220,7 +212,8 @@
(<quote><command>/sbin/shorewall show log</command></quote>) when you
exercise the function that is giving you problems? If so, include the
message(s) in your post along with a copy of your
/etc/shorewall/interfaces file.</para>
/etc/shorewall/interfaces file (and /etc/shorewall/hosts file if you
have entries in that file).</para>
</listitem>
<listitem>