Updates from Shorewall2 docs

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1127 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-02-08 18:31:31 +00:00
parent 7f46981a4c
commit 624ee225ef
13 changed files with 25327 additions and 459 deletions

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-02-04</pubdate>
<pubdate>2004-02-07</pubdate>
<copyright>
<year>2003</year>
@ -291,4 +291,40 @@ loc1 eth1:192.168.1.8/29</programlisting></para>
loc loc1 NONE
loc1 loc NONE</programlisting>
</section>
<section id="OneArmed">
<title>One-armed Router</title>
<para>Nested zones may also be used to configure a <quote>one-armed</quote>
router (I don&#39;t call it a <quote>firewall</quote> because it is very
insecure. For example, if you connect to the internet via cable modem,
your next door neighbor has full access to your local systems as does
everyone else connected to the same cable modem head-end controller). Here
eth0 is configured with both a public IP address and an RFC 1918 address
(More on that topic may be found <ulink
url="Shorewall_and_Aliased_Interfaces.html">here</ulink>). Hosts in the
<quote>loc</quote> zone are configured with their default gateway set to
the Shorewall router&#39;s RFC1918 address.<graphic
fileref="images/MultiZone3.png" /></para>
<para><filename>/etc/shorewall/zones</filename></para>
<programlisting>#ZONE DISPLAY COMMENTS
loc Local Local Zone
net Internet The big bad Internet</programlisting>
<note>
<para>the sub-zone (loc) is defined first!</para>
</note>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST
net eth0 detect</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para>
<programlisting>#ZONE HOSTS
loc eth0:192.168.1.0/24</programlisting>
</section>
</article>
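Review bot: the new <note> says the sub-zone (loc) must be defined first but gives no reason; the listing itself shows why it matters (192.168.1.0/24 on eth0 falls into loc through the hosts file and into net through the interfaces entry, so the zone listed first is the one that wins), and one sentence saying so would stop a reader from reordering the file. The example also shows zones, interfaces and hosts but no masq entry, and never says how the loc hosts, whose default gateway is the router's RFC 1918 address, get their traffic out to net; either add the entry or state that the linked Shorewall_and_Aliased_Interfaces page covers it.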

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-01-20</pubdate>
<pubdate>2004-02-04</pubdate>
<copyright>
<year>2003-2004</year>
@ -50,8 +50,8 @@
<itemizedlist>
<listitem>
<para>In all cases, Squid should be configured to run as a
transparent proxy as described at
<para>In all cases, Squid should be configured to run as a transrent
proxy as described at
http://tldp.org/HOWTO/mini/TransparentProxy.html.</para>
</listitem>
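Review bot: the rewrapped sentence introduces a typo, "transrent proxy" replaces the "transparent proxy" of the removed lines; restore the original spelling.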
@ -90,11 +90,11 @@ MANGLE_ENABLED=Yes</programlisting>
<para>Three different configurations are covered:</para>
<simplelist>
<member><xref linkend="Firewall" /></member>
<member>Squid (transparent) Running on the Firewall</member>
<member><xref linkend="Local" /></member>
<member>Squid (transparent) Running in the local Network</member>
<member><xref linkend="DMZ" /></member>
<member>Squid (transparent) Running in a DMZ</member>
</simplelist>
<section id="Firewall">
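Review bot: replacing the three <xref linkend="..."/> members with plain text drops the hyperlinks to the Firewall, Local and DMZ sections; if the intent was to control the link text, `<member><link linkend="Firewall">Squid (transparent) Running on the Firewall</link></member>` keeps both the wording and the link.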
@ -105,65 +105,12 @@ MANGLE_ENABLED=Yes</programlisting>
proxy running on the firewall and listening on port 3128. Squid will of
course require access to remote web servers.</para>
<para>In /etc/shorewall/rules:</para>
<para>In <filename>/etc/shorewall/rules</filename>:</para>
<table>
<title>/etc/shorewall/rules</title>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">PROTO</entry>
<entry align="center">DEST PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>REDIRECT</entry>
<entry>loc</entry>
<entry>3128</entry>
<entry>tcp</entry>
<entry>www</entry>
<entry>-</entry>
<entry>!206.124.146.177</entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>fw</entry>
<entry>net</entry>
<entry>tcp</entry>
<entry>www</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
REDIRECT loc 3228 tcp www - !206.124.146.177
ACCEPT fw net tcp www</programlisting>
<para>There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want
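Review bot: the new programlisting changes the REDIRECT destination port from 3128 (the value in the removed table and in the prose just above, "listening on port 3128") to 3228; with 3228 browsers are redirected to a port nothing listens on. Restore `REDIRECT loc 3128 tcp www - !206.124.146.177`.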
@ -171,54 +118,16 @@ MANGLE_ENABLED=Yes</programlisting>
<para>If you are running Shorewall version 1.4.5 or later, you may just
add the additional hosts/networks to the ORIGINAL DEST column in your
REDIRECT rule:</para>
REDIRECT rule.</para>
<table>
<title>/etc/shorewall/rules</title>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">PROTO</entry>
<entry align="center">DEST PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>REDIRECT</entry>
<entry>loc</entry>
<entry>3128</entry>
<entry>tcp</entry>
<entry>www</entry>
<entry>-</entry>
<entry>!206.124.146.177,130.252.100.0/24</entry>
</row>
</tbody>
</tgroup>
</table>
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
REDIRECT loc 3228 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
<para>If you are running a Shorewall version earlier than 1.4.5, you
must add a manual rule in /etc/shorewall/start:</para>
<programlisting>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN</programlisting>
<programlisting><command>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN</command></programlisting>
<para>To exclude additional hosts or networks, just add additional
similar rules.</para>
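Review bot: same port typo as in the previous hunk: the listing for Shorewall 1.4.5 and later redirects to 3228 instead of 3128, so the multi-exclusion example will not reach Squid either; change it to `REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24`.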
@ -237,18 +146,18 @@ MANGLE_ENABLED=Yes</programlisting>
<listitem>
<para>* On your firewall system, issue the following command</para>
<programlisting>echo 202 www.out &#62;&#62; /etc/iproute2/rt_tables</programlisting>
<programlisting><command>echo 202 www.out &#62;&#62; /etc/iproute2/rt_tables</command></programlisting>
</listitem>
<listitem>
<para>In /etc/shorewall/init, put:</para>
<programlisting>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
<programlisting><command>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
ip rule add fwmark 202 table www.out
ip route add default via 192.168.1.3 dev eth1 table www.out
ip route flush cache
echo 0 &#62; /proc/sys/net/ipv4/conf/eth1/send_redirects
fi</programlisting>
fi</command></programlisting>
</listitem>
<listitem>
@ -258,144 +167,49 @@ fi</programlisting>
</important>
<para>If you are running Shorewall 1.4.2 or later, then in
/etc/shorewall/interfaces:</para>
<filename>/etc/shorewall/interfaces</filename>:</para>
<table>
<title>/etc/shorewall/interfaces</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>eth1</entry>
<entry>detect</entry>
<entry><emphasis role="bold">routeback</emphasis></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 detect <emphasis role="bold">routeback</emphasis> </programlisting>
</listitem>
<listitem>
<para>In /etc/shorewall/rules:</para>
<table>
<title>/etc/shorewall/rules</title>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">PROTO</entry>
<entry align="center">DEST PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>loc</entry>
<entry>loc</entry>
<entry>tcp</entry>
<entry>www</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc loc tcp www</programlisting>
<orderedlist numeration="loweralpha">
<listitem>
<para>Alternativfely, if you are running Shorewall 1.4.0 you can
have the following policy in place of the above rule:</para>
have the following policy in place of the above rule.</para>
<table>
<title>/etc/shorewall/policy</title>
<para><filename>/etc/shorewall/policy</filename></para>
<tgroup cols="5">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
<entry align="center">BURST PARAMETERS</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#SOURCE DESTINATION POLICY
loc loc ACCEPT</programlisting>
</listitem>
</orderedlist>
</listitem>
<listitem>
<para>In /etc/shorewall/start add:</para>
<para>In <filename>/etc/shorewall/start</filename> add:</para>
<programlisting>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</programlisting>
<programlisting><command>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</command></programlisting>
</listitem>
<listitem>
<para>On 192.168.1.3, arrange for the following command to be
executed after networking has come up</para>
<programlisting>iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</programlisting>
<programlisting><command>iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</command></programlisting>
<para>If you are running RedHat on the server, you can simply
execute the following commands after you have typed the iptables
command above:</para>
<programlisting>iptables-save &#62; /etc/sysconfig/iptables
chkconfig --level 35 iptables on</programlisting>
<programlisting><command>iptables-save &#62; /etc/sysconfig/iptables
chkconfig --level 35 iptables on</command></programlisting>
</listitem>
</orderedlist>
</section>
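Review bot: while this hunk rewrites the neighbouring lines, the unchanged context "Alternativfely, if you are running Shorewall 1.4.0" still carries its typo ("Alternatively"); worth fixing in the same commit. The table-to-listing conversion itself preserves the content: the interfaces listing keeps the bold routeback option and the loc/loc rule and policy match the removed tables.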
@ -411,17 +225,17 @@ chkconfig --level 35 iptables on</programlisting>
<listitem>
<para>On your firewall system, issue the following command</para>
<programlisting>echo 202 www.out &#62;&#62; /etc/iproute2/rt_tables</programlisting>
<programlisting><command>echo 202 www.out &#62;&#62; /etc/iproute2/rt_tables</command></programlisting>
</listitem>
<listitem>
<para>In /etc/shorewall/init, put:</para>
<programlisting>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
<programlisting><command>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
ip rule add fwmark 202 table www.out
ip route add default via 192.0.2.177 dev eth1 table www.out
ip route flush cache
fi</programlisting>
fi</command></programlisting>
</listitem>
<listitem>
@ -429,174 +243,49 @@ fi</programlisting>
<orderedlist numeration="loweralpha">
<listitem>
<para>In /etc/shorewall/start add</para>
<para>In <filename>/etc/shorewall/start</filename> add</para>
<programlisting>iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</programlisting>
<programlisting><command>iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</command></programlisting>
</listitem>
<listitem>
<para>Set MARK_IN_FORWARD_CHAIN=No in
/etc/shorewall/shorewall.conf and add the following entry in
/etc/shorewall/tcrules:</para>
<para>Set MARK_IN_FORWARD_CHAIN=No in <filename>/etc/shorewall/shorewall.conf</filename>
and add the following entry in <filename>/etc/shorewall/tcrules</filename>:</para>
<table>
<title>/etc/shorewall/tcrules</title>
<tgroup cols="6">
<thead>
<row>
<entry align="center">MARK</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">CLIENT PORT</entry>
</row>
</thead>
<tbody>
<row>
<entry>202</entry>
<entry>eth2</entry>
<entry>0.0.0.0/0</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry>-</entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT
202 eth2 0.0.0.0 tcp 80</programlisting>
</listitem>
<listitem>
<para>Run Shorewall 1.3.14 or later and add the following entry
in /etc/shorewall/tcrules:</para>
in <filename>/etc/shorewall/tcrules</filename>:</para>
<table>
<title>/etc/shorewall/tcrules</title>
<tgroup cols="6">
<thead>
<row>
<entry align="center">MARK</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">CLIENT PORT</entry>
</row>
</thead>
<tbody>
<row>
<entry>202:P</entry>
<entry>eth2</entry>
<entry>0.0.0.0/0</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry>-</entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT
202:P eth2 0.0.0.0 tcp 80</programlisting>
</listitem>
</orderedlist>
</listitem>
<listitem>
<para>In /etc/shorewall/rules, you will need:</para>
<para>In <filename>/etc/shorewall/rules</filename>, you will need:</para>
<table>
<title>/etc/shorewall/rules</title>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">PROTO</entry>
<entry align="center">DEST PORT(S)</entry>
<entry align="center">CLIENT PORT(2)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>loc</entry>
<entry>dmz</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>dmz</entry>
<entry>net</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc dmz tcp 80
ACCEPT dmz net tcp 80</programlisting>
</listitem>
<listitem>
<para>On 192.0.2.177 (your Web/Squid server), arrange for the
following command to be executed after networking has come up</para>
<programlisting>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</programlisting>
<programlisting><command>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</command></programlisting>
<para>If you are running RedHat on the server, you can simply
execute the following commands after you have typed the iptables
command above:</para>
<programlisting>iptables-save &#62; /etc/sysconfig/iptables
chkconfig --level 35 iptables on</programlisting>
<programlisting><command>iptables-save &#62; /etc/sysconfig/iptables
chkconfig --level 35 iptables on</command></programlisting>
</listitem>
</orderedlist>
</section>
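Review bot: both new tcrules listings drop the /0 from the DESTINATION column (`202 eth2 0.0.0.0 tcp 80` and `202:P eth2 0.0.0.0 tcp 80`) where the removed tables had 0.0.0.0/0. A bare 0.0.0.0 is a single host address, not "any destination", so port-80 traffic from eth2 would never get mark 202, would not be routed through the www.out table, and would bypass the proxy; restore 0.0.0.0/0 in both lines.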
@ -608,75 +297,21 @@ chkconfig --level 35 iptables on</programlisting>
<para>Assume that Squid is running in zone SZ and listening on port SP;
all web sites that are to be accessed through Squid are in the
<quote>net</quote> zone. Then for each zone Z that needs access to the
Squid server:</para>
Squid server.</para>
<table>
<title>/etc/shorewall/rules</title>
<para><filename>/etc/shorewall/rules</filename>:</para>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">PROTO</entry>
<entry align="center">DEST PORT(S)</entry>
<entry align="center">CLIENT PORT(2)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>Z</entry>
<entry>SZ</entry>
<entry>tcp</entry>
<entry>SP</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>SZ</entry>
<entry>net</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT Z SZ tcp SP
ACCEPT SZ net tcp 80</programlisting>
<example>
<title>Squid on the firewall listening on port 8080 with access from the
<quote>loc</quote> zone:</title>
<para><table><title>/etc/shorewall/rules</title><tgroup cols="7"><thead><row><entry
align="center">ACTION</entry><entry align="center">SOURCE</entry><entry
align="center">DEST</entry><entry align="center">PROTO</entry><entry
align="center">DEST PORT(S)</entry><entry align="center">CLIENT PORT(2)</entry><entry
align="center">ORIGINAL DEST</entry></row></thead><tbody><row><entry>ACCEPT</entry><entry>loc</entry><entry>$FW</entry><entry>tcp</entry><entry>8080</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>$FW</entry><entry>net</entry><entry>tcp</entry><entry>80</entry><entry></entry><entry></entry></row></tbody></tgroup></table></para>
<para><filename>/etc/shorewall/rules:</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc fw tcp 8080
ACCEPT fw net tcp 80</programlisting></para>
</example>
</section>
</article>
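Review bot: in the example's new lead-in the colon sits inside the element (`<filename>/etc/shorewall/rules:</filename>`), while the listing introduced a few lines above puts it outside (`<filename>/etc/shorewall/rules</filename>:`); move it outside so the rendered filename is not "rules:". The two rules themselves carry over from the removed table unchanged apart from fw in place of $FW, which is the form used elsewhere in this file.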

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-01-19</pubdate>
<pubdate>2004-02-04</pubdate>
<copyright>
<year>2003-2004</year>
@ -45,7 +45,8 @@
your /etc/shorewall/rules file (before any ACCEPT rules whose source is the
<quote>loc</quote> zone).</para>
<programlisting> QUEUE loc net tcp
<programlisting> #ACTION SOURCE DEST PROTO
QUEUE loc net tcp
QUEUE loc net udp
QUEUE loc fw udp</programlisting>
@ -53,7 +54,8 @@
and restart Shorewall.</para>
<tip>
<para>There is an ftwall init script for use with <trademark>SuSE</trademark>
Linux at <ulink url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para>
<para>There are ftwall init scripts for use with <trademark>SuSE</trademark>
and <trademark>Debian</trademark> Linux at <ulink
url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para>
</tip>
</article>

View File

@ -13,7 +13,7 @@
</author>
</authorgroup>
<pubdate>2004-01-19</pubdate>
<pubdate>2004-02-04</pubdate>
<copyright>
<year>2001-2004</year>
@ -73,6 +73,22 @@
<section>
<title>Problems in Version 1.4</title>
<section>
<title>Shorewall 1.4.10</title>
<itemizedlist>
<listitem>
<para>Unexplained errors may occur during &#34;shorewall
[re]start&#34; when the /etc/shorewall/masq file is being processed.</para>
</listitem>
</itemizedlist>
<para>This problem has been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.10/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 1.4.9</title>
@ -94,10 +110,15 @@
or ADD_SNAT_ALIASES=Yes are specified in
/etc/shorewall/shorewall.conf.</para>
</listitem>
<listitem>
<para>Unexplained errors may occur during &#34;shorewall
[re]start&#34; when the /etc/shorewall/masq file is being processed.</para>
</listitem>
</itemizedlist>
<para>This problem has been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.8/firewall">this
<para>These problems have been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.9/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
@ -112,9 +133,14 @@
column), the SNAT specification is effectively ignored in some
cases.</para>
</listitem>
<listitem>
<para>Unexplained errors may occur during &#34;shorewall
[re]start&#34; when the /etc/shorewall/masq file is being processed.</para>
</listitem>
</itemizedlist>
<para>This problem has been corrected in <ulink
<para>These problems have been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.8/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
@ -155,6 +181,11 @@
column), the SNAT specification is effectively ignored in some
cases.</para>
</listitem>
<listitem>
<para>Unexplained errors may occur during &#34;shorewall
[re]start&#34; when the /etc/shorewall/masq file is being processed.</para>
</listitem>
</itemizedlist>
<para>These problems have been corrected in <ulink
@ -467,7 +498,8 @@ Aborted (core dumped)</programlisting>
<appendix>
<title>Revision History4</title>
<para><revhistory><revision><revnumber>1.4</revnumber><date>2004-01-19</date><authorinitials>TE</authorinitials><revremark>IPV6
<para><revhistory><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Startup
Problem</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-19</date><authorinitials>TE</authorinitials><revremark>IPV6
address problems. Make RFC1918 file section more prominent.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Confusing
template file in 1.4.9</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added
note about REJECT RedHat Kernal problem being corrected.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Updated
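Review bot: the appendix title in the unchanged context line reads "Revision History4"; the stray 4 should go while this block is being edited. The history also now lists two revisions numbered 1.3 (2004-01-14 and 2004-01-03); the new 1.5 entry is fine, but one of the two 1.3 entries needs renumbering.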

Binary file not shown.

13850
Shorewall-docs/images/MultiZone3.vdx Executable file

File diff suppressed because it is too large

BIN
Shorewall-docs/images/basics2.png Executable file

Binary file not shown.

11212
Shorewall-docs/images/basics2.vdx Executable file

File diff suppressed because it is too large

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-02-04</pubdate>
<pubdate>2004-02-08</pubdate>
<copyright>
<year>2001-2004</year>
@ -47,7 +47,7 @@
<caution>
<para>The configuration shown here corresponds to Shorewall version
2.0.0-Alpha2. It may use features not available in earlier Shorewall
2.0.0-Beta1. It may use features not available in earlier Shorewall
releases.</para>
</caution>
@ -341,16 +341,14 @@ gre net $TEXAS
</blockquote>
</section>
<section>
<section id="Actions">
<title>Actions File</title>
<blockquote>
<programlisting>#ACTION
DropBcast #Silently Drops Broadcast Traffic
DropSMB #Silently Drops Microsoft SMB Traffic
RejectSMB #Silently Reject Microsoft SMB Traffic
DropUPnP #Silently Drop UPnP Probes
DropNonSyn #Silently Drop Non-syn TCP packets
RejectAuth #Silently Reject Auth
DropPing #Silently Drop Ping
DropDNSrep #Silently Drop DNS Replies
@ -391,10 +389,10 @@ ACCEPT $MIRRORS
# PORT(S) PORT(S) LIMIT GROUP
RejectAuth
AllowPing
DropBcast
dropBcast
DropSMB
DropUPnP
DropNonSyn
dropNonSyn
DropDNSrep</programlisting>
</blockquote>
</section>
@ -411,11 +409,14 @@ DropDNSrep</programlisting>
# PORT(S) PORT(S) LIMIT GROUP
RejectAuth
AllowPing
DropBcast
dropBcast
RejectSMB
DropUPnP
DropNonSyn
DropDNSrep</programlisting>
dropNonSyn
DropDNSrep
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn&#39;t flood my log
#with NTP requests with a source address in 16.0.0.0/8 (address of
#its PPTP tunnel to HP).</programlisting>
</blockquote>
</section>
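Review bot: entries in this listing are applied in order, so the new `DROP loc:eth2:!192.168.1.0/24` line sits below RejectAuth and AllowPing, which carry no SOURCE restriction and will still match packets from the 16.0.0.0/8 source the comment describes. If the goal is only to keep those NTP requests out of the log before the policy's logging drop, the placement does that; if the goal is to discard everything arriving on eth2 from outside 192.168.1.0/24, move the DROP above the action invocations. A sentence in the surrounding prose saying which of the two is intended would help readers who copy the file.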

View File

@ -13,7 +13,7 @@
</author>
</authorgroup>
<pubdate>2004-01-26</pubdate>
<pubdate>2004-02-05</pubdate>
<copyright>
<year>2001-2002</year>
@ -220,12 +220,18 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<section>
<title>VNC</title>
<para>TCP port 5900 + &#60;display number&#62;.</para>
<para>Vncviewer -&#62; Vncserver is TCP port 5900 + &#60;display
number&#62;.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5901 #Display Number 1
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5902 #Display Number 2
...</programlisting>
<para>Vncserver to Vncviewer in listen mode is TCP port 5500.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5500</programlisting>
</section>
<section>
@ -249,7 +255,8 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.4</revnumber><date>2004-01-26</date><authorinitials>TE</authorinitials><revremark>Correct
<para><revhistory><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Added
information about VNC viewers in listen mode.</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-26</date><authorinitials>TE</authorinitials><revremark>Correct
ICQ.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Alphabetize</revremark></revision><revision><revnumber>1.2</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Add
rules file entries.</revremark></revision><revision><revnumber>1.1</revnumber><date>2002-07-30</date><authorinitials>TE</authorinitials><revremark>Initial
version converted to Docbook XML</revremark></revision></revhistory></para>

View File

@ -15,11 +15,13 @@
</author>
</authorgroup>
<pubdate>2002-10-22</pubdate>
<pubdate>2004-02-08</pubdate>
<copyright>
<year>2002</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -36,15 +38,25 @@
<para>If you wish to run Samba on your firewall and access shares between
the firewall and local hosts, you need the following rules:</para>
<para><emphasis role="bold">/etc/shorewall/rules:</emphasis><informaltable><tgroup
cols="7"><thead><row><entry>ACTION</entry><entry>SOURCE</entry><entry>DESTINATION</entry><entry>PROTOCOL</entry><entry>PORT(S)</entry><entry>SOURCE
PORT(S)</entry><entry>ORIGINAL DEST</entry></row></thead><tbody><row><entry>ACCEPT</entry><entry>fw</entry><entry>loc</entry><entry>udp</entry><entry>137:139</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>fw</entry><entry>loc</entry><entry>tcp</entry><entry>137,139,445</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>fw</entry><entry>loc</entry><entry>udp</entry><entry>1024:</entry><entry>137</entry><entry></entry></row><row><entry>ACCEPT</entry><entry>loc</entry><entry>fw</entry><entry>udp</entry><entry>137:139</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>loc</entry><entry>fw</entry><entry>tcp</entry><entry>137,139,445</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>loc</entry><entry>fw</entry><entry>udp</entry><entry>1024:</entry><entry>137</entry><entry></entry></row></tbody></tgroup></informaltable></para>
<para><emphasis role="bold">/etc/shorewall/rules:</emphasis><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
# PORT(S)
ACCEPT fw loc udp 137:139
ACCEPT fw loc tcp 137,139,445
ACCEPT fw loc udp 1024: 137
ACCEPT loc fw udp 137:139
ACCEPT loc fw tcp 137,139,445
ACCEPT loc fw udp 1024: 137</programlisting></para>
<para>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</para>
<para><emphasis role="bold">/etc/shorewall/rules:</emphasis><informaltable><tgroup
cols="7"><thead><row><entry>ACTION</entry><entry>SOURCE</entry><entry>DESTINATION</entry><entry>PROTOCOL</entry><entry>PORT(S)</entry><entry>SOURCE
PORT(S)</entry><entry>ORIGINAL DEST</entry></row></thead><tbody><row><entry>ACCEPT</entry><entry>Z1</entry><entry>Z2</entry><entry>udp</entry><entry>137:139</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>Z1</entry><entry>Z2</entry><entry>tcp</entry><entry>137,139,445</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>Z1</entry><entry>Z2</entry><entry>udp</entry><entry>1024:</entry><entry>137</entry><entry></entry></row><row><entry>ACCEPT</entry><entry>Z2</entry><entry>Z1</entry><entry>udp</entry><entry>137:139</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>Z2</entry><entry>Z1</entry><entry>tcp</entry><entry>137,139,445</entry><entry></entry><entry></entry></row><row><entry>ACCEPT</entry><entry>Z2</entry><entry>Z1</entry><entry>udp</entry><entry>1024:</entry><entry>137</entry><entry></entry></row></tbody></tgroup></informaltable></para>
<para><emphasis role="bold">/etc/shorewall/rules:</emphasis><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
# PORT(S)
ACCEPT Z1 Z2 udp 137:139
ACCEPT Z1 Z2 tcp 137,139,445
ACCEPT Z1 Z2 udp 1024: 137
ACCEPT Z2 Z1 udp 137:139
ACCEPT Z2 Z1 tcp 137,139,445
ACCEPT Z1 Z1 udp 1024: 137</programlisting></para>
<para>To make network browsing (<quote>Network Neighborhood</quote>) work
properly between Z1 and Z2 requires a Windows Domain Controller and/or a
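Review bot: the last line of the Z1/Z2 listing reads `ACCEPT Z1 Z1 udp 1024: 137`; the removed table had SOURCE Z2 and DEST Z1 for this row (the reply half of the udp 137 pair, mirroring the third line), so it should be `ACCEPT Z2 Z1 udp 1024: 137`. As written it is an intra-zone Z1 rule and the Z2-to-Z1 NetBIOS name-service replies are not covered. The context sentence "To pass traffic SMB/Samba traffic" also has a duplicated word.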

View File

@ -15,13 +15,15 @@
</author>
</authorgroup>
<pubdate>2003-11-15</pubdate>
<pubdate>2004-12-05</pubdate>
<copyright>
<year>2002</year>
<year>2003</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
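Review bot: the new pubdate is 2004-12-05, ten months after this commit (2004-02-08) and out of step with the 2004-02-04 and 2004-02-05 dates given to the other files here; this looks like a transposition of 2004-02-05.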
@ -649,8 +651,8 @@ ACCEPT dmz fw udp 53 </programlist
Run name server on DMZ computer 1: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc dmz:10.10.11.1 tcp 53
ACCEPT loc dmz:10.10.11.1 udp 53
ACCEPT dmz dmz:10.10.11.1 tcp 53
ACCEPT dmz dmz:10.10.11.1 udp 53 </programlisting></para>
ACCEPT fw dmz:10.10.11.1 tcp 53
ACCEPT fw dmz:10.10.11.1 udp 53 </programlisting></para>
</section>
<section>

View File

@ -12,7 +12,7 @@
<surname>Eastep</surname>
</author>
<pubdate>2003-01-26</pubdate>
<pubdate>2003-02-08</pubdate>
<copyright>
<year>2002</year>
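Review bot: the new pubdate 2003-02-08 is a year before this commit (2004-02-08) and looks like a typo for 2004-02-08. The copyright <year> in the context line still reads 2002 only; the samba and three-interface files in this commit add 2004, and this file should probably do the same.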
@ -604,4 +604,83 @@ ACCEPT loc fw tcp 80 #Allow Weblet to work</progra
page</ulink> -- it contains helpful tips about Shorewall features than
make administering your firewall easier.</para>
</section>
<section>
<title>Adding a Wireless Segment to your Two-Interface Firewall</title>
<para>Once you have the two-interface setup working, the next logical step
is to add a Wireless Network. The first step involves adding an additional
network card to your firewall, either a Wireless card or an ethernet card
that is connected to a Wireless Access Point.<caution><para>When you add a
network card, it won&#39;t necessarily be detected as the next highest
ethernet interface. For example, if you have two ethernet cards in your
system (<filename class="devicefile">eth0</filename> and <filename
class="devicefile">eth1</filename>) and you add a third card that uses the
same driver as one of the other two, that third card won&#39;t necessarily
be detected as <filename class="devicefile">eth2</filename>; it could
rather be detected as <filename class="devicefile">eth0</filename> or
<filename class="devicefile">eth1</filename>! You can either live with
that or you can shuffle the cards around in the slots until the new card
is detected as <filename class="devicefile">eth2</filename>.</para></caution></para>
<para>Your new network will look similar to what is shown in the following
figure.<graphic fileref="images/basics2.png" /></para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>The first thing to note is that the computers in your wireless
network will be in a different subnet from those on your wired local LAN.
In the above example, we have chosen to use the network 10.10.11.0/24.
Computers 3 and 4 would be configured with a default gateway IP address of
10.10.11.254.</para>
<para>Second, we have chosen to include the wireless network as part of
the local zone. Since Shorewall allows intra-zone traffic by default,
traffic may flow freely between the local wired network and the wireless
network.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>There are only two changes that need to be made to the Shorewall
configuration:</para>
<itemizedlist>
<listitem>
<para>An entry needs to be added to <filename>/etc/shorewall/interfaces</filename>
for the wireless network interface. If the wireless interface is
<filename class="devicefile">wlan0</filename>, the entry might look
like:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc wlan0 detect maclist</programlisting>
<para>As shown in the above entry, I recommend using the <ulink
url="MAC_Validation.html">maclist option</ulink> for the wireless
segment. By adding entries for computers 3 and 4 in
<filename>/etc/shorewall/maclist</filename>, you help ensure that your
neighbors aren&#39;t getting a free ride on your internet connection.
Start by omitting that option; when you have everything working, then
add the option and configure your <filename>/etc/shorewall/maclist</filename>
file.</para>
</listitem>
<listitem>
<para>You need to add an entry to the <filename>/etc/shorewall/masq</filename>
file to masquerade traffic from the wireless network to the internet.
If your internet interface is <filename class="devicefile">eth0</filename>
and your wireless interface is <filename class="devicefile">wlan0</filename>,
the entry would be:</para>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0 wlan0</programlisting>
</listitem>
</itemizedlist>
<para>One other thing to note. To get <trademark>Microsoft</trademark>
networking working between the wireless and wired networks, you will need
either a WINS server or a PDC. I personally use Samba configured as a WINS
server running on my firewall. Running a WINS server on your firewall
requires the rules listed in the <ulink url="samba.htm">Shorewall/Samba
documentation</ulink>. </para>
</section>
</article>
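Review bot: the new section says traffic flows freely between the wired and wireless networks because both are in loc, but does not spell out the consequence: anyone who gets onto the wireless segment has the same access to the wired LAN as a wired host, and the only control offered is maclist, which checks the client's source MAC address and nothing else. The text should say that maclist limits who uses the link, not that it makes the wireless segment trusted, and mention that a reader who does not trust that segment can put wlan0 in its own zone and write explicit rules instead. Two smaller points: the caution talks about the new card appearing as eth2 while the examples use wlan0, so say that the name depends on the card type; and the decorative inlinegraphic BD21298_.gif is inserted twice in the new section, before and after the subnet paragraph.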