holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Allow comma-separated list in routestopped file entries; update documentation

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@452 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-02-18 01:51:36 +00:00
parent 5fe2bef29e
commit 5c4c7d8f41
4 changed files with 2026 additions and 1872 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
STABLE/documentation/Shorewall_Squid_Usage.html
View File

@ -42,17 +42,17 @@
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run
as a transparent proxy as described at <a
as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files /etc/shorewall/start
and /etc/shorewall/init -- if you don't have those files, siimply create
them.<br>
them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or in
the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
file entries. That is because the packets being routed to the Squid server
still have their original destination IP addresses.<br>
<br>
@ -62,11 +62,11 @@ the local zone, that zone must be defined ONLY by its interface -- no /etc/shor
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid
server.<br>
server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your /etc/shorewall/conf
file<br>
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your
/etc/shorewall/conf file<br>
<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
@ -74,8 +74,8 @@ server.<br>
Three different configurations are covered:<br>
<ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on the
Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on
the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
@ -147,10 +147,10 @@ local network</a></li>
<h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a Squid
transparent proxy
running in your local zone at 192.168.1.3 and listening on port 3128.
Your local interface is eth1. There may also be a web server running on 192.168.1.3.
It is assumed that web access is already enabled from the local zone to the
internet.<br>
running in your local zone at 192.168.1.3 and listening on port 3128.
Your local interface is eth1. There may also be a web server running on
192.168.1.3. It is assumed that web access is already enabled from the local
zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping
@ -315,18 +315,19 @@ internet.<br>
<ul>
<li>&nbsp;Do<b> one </b>of the following:<br>
<br>
A) In /etc/shorewall/start add<br>
A) In /etc/shorewall/start add<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900"> iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote>
</blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
@ -359,11 +360,13 @@ and add the following entry in /etc/shorewall/tcrules:<br>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
@ -401,7 +404,8 @@ C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/t
</table>
</blockquote>
<br>
</blockquote>
</blockquote>
<ul>
<li>In /etc/shorewall/rules, you will need:</li>
@ -473,8 +477,7 @@ C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/t
<blockquote> </blockquote>
<p><font size="-1"> Updated 1/23/2003 - <a
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a>
<p><font size="-1"> Updated 1/23/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
@ -486,5 +489,6 @@ C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/t
<br>
<br>
<br>
<br>
</body>
</html>

165
STABLE/documentation/errata.htm
View File

@ -8,6 +8,7 @@
<title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
@ -47,9 +48,9 @@
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
@ -57,15 +58,14 @@ untar the archive, replace the 'firewall' script in the untarred director
<p align="left"> <b>If you are running a Shorewall version earlier
than 1.3.11, when the instructions say to install a corrected firewall
script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
/etc/shorewall/firewall or /var/lib/shorewall/firewall before
you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall
are symbolic links that point to the 'shorewall' file used by
your system initialization scripts to start Shorewall during
boot. It is that file that must be overwritten with the corrected
script. Beginning with Shorewall 1.3.11, you may rename the existing file
before copying in the new file.</b></p>
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts
to start Shorewall during boot. It is that file that must be
overwritten with the corrected script. Beginning with Shorewall
1.3.11, you may rename the existing file before copying in the new file.</b></p>
</li>
<li>
@ -80,8 +80,8 @@ For example, do NOT install the 1.3.9a firewall script if you are running
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems
in Version 1.3</a></b></li>
<li> <b><a
href="#V1.3">Problems in Version 1.3</a></b></li>
<li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font
@ -90,14 +90,14 @@ For example, do NOT install the 1.3.9a firewall script if you are running
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat iptables</a></b></li>
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables
version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and
NAT</a></b><br>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
and NAT</a></b><br>
</li>
</ul>
@ -106,6 +106,19 @@ version 1.2.7 and MULTIPORT=Yes</a></b></li>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.14</h3>
<ul>
<li>There is an <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated
rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and 223.0.0.0/8.</li>
<li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a single
host or network address. This has been corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br>
</li>
</ul>
<h3>Version 1.3.13</h3>
<ul>
@ -124,8 +137,8 @@ too big".<br>
<ul>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1)
are not supported in this version or in 1.3.12. If you need such support,
post on the users list and I can provide you with a patched version.<br>
are not supported in this version or in 1.3.12. If you need such support,
post on the users list and I can provide you with a patched version.<br>
</li>
</ul>
@ -133,8 +146,8 @@ post on the users list and I can provide you with a patched version.<br>
<h3>Version 1.3.12</h3>
<ul>
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is
the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect
is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
@ -149,8 +162,9 @@ is corrected by <a
<h3>Version 1.3.12 LRP</h3>
<ul>
<li>The .lrp was missing the /etc/shorewall/routestopped file -- a
new lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
<li>The .lrp was missing the /etc/shorewall/routestopped file --
a new lrp (shorwall-1.3.12a.lrp) has been released which corrects this
problem.<br>
</li>
</ul>
@ -194,16 +208,16 @@ the following warnings:<br>
<h3>Version 1.3.10</h3>
<ul>
<li>If you experience problems connecting to a PPTP server running
on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<li>If you experience problems connecting to a PPTP server
running on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases
where installing this script in /usr/lib/shorewall/firewall solved your
connection problems. Beginning with version 1.3.10, it is safe to save
the old version of /usr/lib/shorewall/firewall before copying in the
new one since /usr/lib/shorewall/firewall is the real script now and
not just a symbolic link to the real script.<br>
the old version of /usr/lib/shorewall/firewall before copying in the new
one since /usr/lib/shorewall/firewall is the real script now and not
just a symbolic link to the real script.<br>
</li>
</ul>
@ -233,9 +247,9 @@ not just a symbolic link to the real script.<br>
<ul>
<li>The installer (install.sh) issues a misleading message
"Common functions installed in /var/lib/shorewall/functions" whereas
the file is installed in /usr/lib/shorewall/functions. The installer
also performs incorrectly when updating old configurations that had the
file /etc/shorewall/functions. <a
the file is installed in /usr/lib/shorewall/functions. The installer also
performs incorrectly when updating old configurations that had the file
/etc/shorewall/functions. <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br>
</a></li>
@ -271,8 +285,7 @@ problems.
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this
problem.</p>
as described above corrects this problem.</p>
<h3>Version 1.3.7a</h3>
@ -283,8 +296,7 @@ problem.</p>
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this
problem.</p>
as described above corrects this problem.</p>
<h3>Version &lt;= 1.3.7a</h3>
@ -298,13 +310,13 @@ problem.</p>
<ol>
<li>If the firewall is
running a DHCP server, the client
won't be able to obtain an IP address
running a DHCP server, the client
won't be able to obtain an IP address
lease from that server.</li>
<li>With this order of
checking, the "dhcp" option cannot
be used as a noise-reduction measure
where there are both dynamic and static
checking, the "dhcp" option cannot
be used as a noise-reduction measure
where there are both dynamic and static
clients on a LAN segment.</li>
</ol>
@ -313,9 +325,9 @@ where there are both dynamic and static
<p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed
in /var/lib/shorewall as described
above.</p>
corrects the problem. It must be
installed in /var/lib/shorewall as
described above.</p>
<h3>Version 1.3.7</h3>
@ -339,11 +351,12 @@ where there are both dynamic and static
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to
add an SNAT alias. </p>
an error occurs when the firewall script attempts to add
an SNAT alias. </p>
</li>
<li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables
1.2.7. </p>
@ -410,10 +423,10 @@ add an SNAT alias. </p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy
file have been previously defined in the /etc/shorewall/zones
file. The "shorewall check" command does perform this verification
so it's a good idea to run that command after you have made configuration
to not verify that the zones named in the /etc/shorewall/policy file
have been previously defined in the /etc/shorewall/zones file.
The "shorewall check" command does perform this verification so
it's a good idea to run that command after you have made configuration
changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3>
@ -423,23 +436,22 @@ so it's a good idea to run that command after you have made configura
by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in
/etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3
and later versions produce a clearer error message in this
case.</p>
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and
later versions produce a clearer error message in this case.</p>
<h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct
version has a size of 38126 bytes.</p>
file can be identified by its size (56284 bytes). The correct version
has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface
entry in /etc/shorewall/interfaces contained a typo that prevented
it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved
just like "NAT_BEFORE_RULES=Yes".</li>
entry in /etc/shorewall/interfaces contained a typo that
prevented it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it
behaved just like "NAT_BEFORE_RULES=Yes".</li>
</ul>
@ -484,9 +496,9 @@ appearence of the option. For example:<br>
that affects only the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script
prior to 1850 GMT today should download and install
the corrected script again to ensure that this second
problem is corrected.</li>
prior to 1850 GMT today should download and install the
corrected script again to ensure that this second problem
is corrected.</li>
</ul>
@ -530,19 +542,19 @@ problem is corrected.</li>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a
also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a
has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works
fine.</p>
fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
@ -586,8 +598,8 @@ fine.</p>
installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option to
rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
of iptables, you will need to specify the --oldpackage option
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
@ -613,10 +625,10 @@ installing <a
Shorewall 1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li>
<li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running
Shorewall 1.3.6 you may install
Shorewall 1.3.6 you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
@ -635,11 +647,11 @@ Shorewall 1.3.6 you may install
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support
for LOCAL=yes has never worked properly and 2.4.18-10 has disabled it.
The 2.4.19 kernel contains corrected support under a new kernel configuraiton
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
for LOCAL=yes has never worked properly and 2.4.18-10 has disabled
it. The 2.4.19 kernel contains corrected support under a new kernel
configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 2/8/2003 -
<p><font size="2"> Last updated 2/17/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
@ -654,5 +666,6 @@ Shorewall 1.3.6 you may install
<br>
<br>
<br>
<br>
</body>
</html>

977
STABLE/documentation/three-interface_fr.html
View File

File diff suppressed because it is too large Load Diff

6
STABLE/firewall
View File

@ -1281,8 +1281,10 @@ stop_firewall() {
while read interface host; do
expandv interface host
[ "x$host" = "x-" ] && host=
hosts="$hosts $interface:${host:-0.0.0.0/0}"
[ "x$host" = "x-" ] && host=0.0.0.0/0
for h in `separate_list $host`; do
hosts="$hosts $interface:$h"
done
done < $TMP_DIR/routestopped
for host in $hosts; do