Documentation updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1699 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent db932e0b16
commit 67751bbedf
@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-07-20</pubdate>
<pubdate>2004-10-17</pubdate>
<copyright>
<year>2003-2004</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -43,6 +44,13 @@
<section>
<title>Squid as a Transparent Proxy</title>
<important>
<para>This section gives instructions for transparent proxying of HTTP.
HTTPS (normally TCP port 443) <emphasis role="bold">cannot</emphasis> be
proxied transparently (stop and think about it for a minute; if HTTPS
could be transparently proxied, then how secure would it be?).</para>
</important>
<caution>
<para>Please observe the following general requirements:</para>
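Review bot: the new `<important>` admonition leaves the reader to work out why HTTPS cannot be proxied transparently; state the reason directly so the claim is checkable. An interposed proxy would have to terminate the TLS session and present its own certificate, which the browser rejects because it neither matches the site's name nor chains to a trusted CA. One clause after "cannot be proxied transparently" would do, e.g. "(the proxy would have to present a certificate for the site, which the browser will not accept)".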
@ -55,8 +63,8 @@
<listitem>
<para>The following instructions mention the files
/etc/shorewall/start and /etc/shorewall/init -- if you don't
have those files, siimply create them.</para>
/etc/shorewall/start and /etc/shorewall/init -- if you don't have
those files, siimply create them.</para>
</listitem>
<listitem>
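Review bot: the typo "siimply" survives the reflow in both the removed and the added `<para>`; since the line is being rewritten anyway, change it to "simply".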
@ -84,8 +92,9 @@ MANGLE_ENABLED=Yes</programlisting>
<caution>
<para>In the instructions below, only TCP Port 80 is opened from the
system running Squid to the internet. If your users require browsing
sites that use a port other than 80 (e.g., http://www.domain.tld:<emphasis
role="bold">8080</emphasis>) then you must open those ports as well.</para>
sites that use a port other than 80 (e.g.,
http://www.domain.tld:<emphasis role="bold">8080</emphasis>) then you
must open those ports as well.</para>
</caution>
</section>
@ -151,17 +160,17 @@ REDIRECT loc 3128 tcp www - !206.124.146.
<listitem>
<para>* On your firewall system, issue the following command</para>
<programlisting><command>echo 202 www.out >> /etc/iproute2/rt_tables</command></programlisting>
<programlisting><command>echo 202 www.out >> /etc/iproute2/rt_tables</command></programlisting>
</listitem>
<listitem>
<para>In /etc/shorewall/init, put:</para>
<programlisting><command>if [ -z "`ip rule list | grep www.out`" ] ; then
<programlisting><command>if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark CA table www.out # Note 0xCA = 202
ip route add default via 192.168.1.3 dev eth1 table www.out
ip route flush cache
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
fi</command></programlisting>
</listitem>
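Review bot: `ip rule add fwmark CA table www.out # Note 0xCA = 202` depends on the installed iproute2 treating an unprefixed fwmark as hexadecimal; `fwmark 0xCA` is accepted both by versions that parse the value as hex and by versions that require an explicit prefix, so it is the safer form for text readers will paste. Two smaller points on the same block: the guard `grep www.out` treats the dot as a wildcard (`grep -F www.out` is tighter), and the `echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects` line deserves a word on why it is there, namely that the firewall would otherwise send ICMP redirects to the clients because port-80 traffic arrives on eth1 and is routed back out eth1 to the Squid box.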
@ -213,7 +222,7 @@ loc loc ACCEPT</programlisting>
execute the following commands after you have typed the iptables
command above:</para>
<programlisting><command>iptables-save > /etc/sysconfig/iptables
<programlisting><command>iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables on</command></programlisting>
</listitem>
</orderedlist>
@ -230,13 +239,13 @@ chkconfig --level 35 iptables on</command></programlisting>
<listitem>
<para>On your firewall system, issue the following command</para>
<programlisting><command>echo 202 www.out >> /etc/iproute2/rt_tables</command></programlisting>
<programlisting><command>echo 202 www.out >> /etc/iproute2/rt_tables</command></programlisting>
</listitem>
<listitem>
<para>In /etc/shorewall/init, put:</para>
<programlisting><command>if [ -z "`ip rule list | grep www.out`" ] ; then
<programlisting><command>if [ -z "`ip rule list | grep www.out`" ] ; then
ip rule add fwmark CA table www.out # Note 0xCA = 202
ip route add default via 192.0.2.177 dev eth1 table www.out
ip route flush cache
@ -244,7 +253,8 @@ fi</command></programlisting>
</listitem>
<listitem>
<para>Do <emphasis role="bold">one</emphasis> of the following:</para>
<para>Do <emphasis role="bold">one</emphasis> of the
following:</para>
<orderedlist numeration="loweralpha">
<listitem>
@ -254,8 +264,10 @@ fi</command></programlisting>
</listitem>
<listitem>
<para>Set MARK_IN_FORWARD_CHAIN=No in <filename>/etc/shorewall/shorewall.conf</filename>
and add the following entry in <filename>/etc/shorewall/tcrules</filename>:</para>
<para>Set MARK_IN_FORWARD_CHAIN=No in
<filename>/etc/shorewall/shorewall.conf</filename> and add the
following entry in
<filename>/etc/shorewall/tcrules</filename>:</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT
202 eth2 0.0.0.0/0 tcp 80</programlisting>
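Review bot: the reflowed paragraph tells the reader to set MARK_IN_FORWARD_CHAIN=No but not why; add that this makes Shorewall apply the mark in the mangle PREROUTING chain, which is necessary because the `ip rule add fwmark ... table www.out` lookup happens at routing time and a mark set in FORWARD comes too late to affect it. A half-sentence that the 202 in the MARK column, the 202 in rt_tables and the fwmark in the ip rule must all be the same number would also save readers a debugging round.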
@ -272,7 +284,8 @@ fi</command></programlisting>
</listitem>
<listitem>
<para>In <filename>/etc/shorewall/rules</filename>, you will need:</para>
<para>In <filename>/etc/shorewall/rules</filename>, you will
need:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc dmz tcp 80
@ -289,7 +302,7 @@ ACCEPT dmz net tcp 80</programlisting>
execute the following commands after you have typed the iptables
command above:</para>
<programlisting><command>iptables-save > /etc/sysconfig/iptables
<programlisting><command>iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables on</command></programlisting>
</listitem>
</orderedlist>
@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-10-14</pubdate>
<pubdate>2004-10-16</pubdate>
<copyright>
<year>2001-2004</year>
@ -48,7 +48,7 @@
<caution>
<para>The configuration shown here corresponds to Shorewall version
2.1.11. My configuration uses features not available in earlier
2.1.12. My configuration uses features not available in earlier
Shorewall releases.</para>
</caution>
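Review bot: the bump from 2.1.11 to 2.1.12 is consistent with the `mss=1400` ipsec option further down, which the text says was added in 2.1.12; the caution would be more useful if it named that option as the feature requiring 2.1.12, so readers on 2.1.11 know which line of the configuration will not work for them.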
@ -669,7 +669,7 @@ ACCEPT tx loc:192.168.1.5 all
</section>
<section>
<title>IPSEC Gateway (Ursa) Configuration</title>
<title>Wireless IPSEC Gateway (Ursa) Configuration</title>
<para>As mentioned above, Ursa acts as an IPSEC gateway for the wireless
network. It's view of the network is diagrammed in the following
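Review bot: the context line "It's view of the network" should read "Its view" (possessive, no apostrophe); this hunk already touches the section heading directly above, so the fix belongs here.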
@ -677,18 +677,7 @@ ACCEPT tx loc:192.168.1.5 all
<graphic align="center" fileref="images/network1.png" valign="middle" />
<para>I've included the files that I used to configure that system -- some
of them are SuSE-specific.</para>
<section>
<title>shorewall.conf</title>
<blockquote>
<para>Only the changes from the defaults are shown.</para>
<programlisting>CLAMPMSS=1400 # There is an MTU problem between Tipper and the IMAP server at work. This corrects the problem</programlisting>
</blockquote>
</section>
<para>I've included the files that I used to configure that system.</para>
<section>
<title>zones</title>
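Review bot: the removed shorewall.conf subsection carried the only explanation of the MTU problem with the IMAP server that motivates the MSS clamp, and the replacement sentence "I've included the files that I used to configure that system." no longer hints where that workaround went; add a short pointer to the ipsec file so the reader can find the `mss=1400` setting that now does the job. Dropping "some of them are SuSE-specific" also removes a caveat that still applies to the remaining files.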
@ -728,7 +717,6 @@ fw sec ACCEPT
fw WiFi ACCEPT
sec WiFi NONE
WiFi sec NONE
WiFi net ACCEPT
all all REJECT info
#LAST LINE -- DO NOT REMOVE</programlisting>
@ -753,9 +741,16 @@ WiFi eth1 192.168.3.255 nobogons,blacklist,maclist,routeback
<title>ipsec</title>
<blockquote>
<para>The mss=1400 in the OUT OPTIONS uses a feature added in 2.1.12
and sets the MSS field in forwarded TCP SYN packets from the 'sec'
zone to 1400. This works around a problem whereby ICMP
fragmentation-needed packets are being dropped somewhere between my
main firewall and the IMAP server at my work.</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
sec yes mode=tunnel tunnel-src=192.168.3.8 tunnel-dst=192.168.3.8
sec yes mode=tunnel - <emphasis
role="bold">mss=1400</emphasis>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</blockquote>
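Review bot: the replacement `sec` entry drops `tunnel-src=192.168.3.8 tunnel-dst=192.168.3.8` from the IN OPTIONS column and leaves `-`, so the 'sec' zone now matches any tunnel-mode IPSEC traffic instead of only traffic to and from the named endpoint; that is a loosening of the zone definition, not just the addition of `mss=1400`. If it is intended, say so in the blockquote, which currently explains only the MSS change; if not, keep the tunnel-src/tunnel-dst options and add `mss=1400` alongside them.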