diff --git a/docs/FAQ.xml b/docs/FAQ.xml index 4378dfc53..fde5e51eb 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -20,7 +20,7 @@ - 2001-2010 + 2001-2011 Thomas M. Eastep @@ -902,6 +902,13 @@ DNAT loc dmz:192.168.2.4 tcp 80 - from that address are disallowed; traffic from that address that is part of an established connection (such as ping replies) is allowed. + + + Beginning with Shorewall 4.4.13, you can use the + option in /etc/shorewall/interfaces + to implement blacklisting by destination IP address. +
@@ -912,8 +919,8 @@ DNAT loc dmz:192.168.2.4 tcp 80 - Answer: You probably forgot to specify the blacklist option for your - external interface(s) in - /etc/shorewall/interfaces. + external interface(s) in /etc/shorewall/interfaces.
@@ -926,23 +933,8 @@ DNAT loc dmz:192.168.2.4 tcp 80 - Answer: There is an H.323 - connection tracking/NAT module that helps with Netmeeting. Note - however that one of the Netfilter developers recently posted the - following: - -
- > I know PoM -ng is going to address this issue, but till it is ready, and -> all the extras are ported to it, is there any way to use the h.323 -> conntrack module kernel patch with a 2.6 kernel? -> Running 2.6.1 - no 2.4 kernel stuff on the system, so downgrade is not -> an option... The module is not ported yet to 2.6, sorry. -> Do I have any options besides a gatekeeper app (does not work in my -> network) or a proxy (would prefer to avoid them)? - -I suggest everyone to setup a proxy (gatekeeper) instead: the module is -really dumb and does not deserve to exist at all. It was an excellent tool -to debug/develop the newnat interface. -
+ connection tracking/NAT module that helps with Netmeeting. + Look here for a solution for MSN IM but be aware that there are significant security risks involved with @@ -1036,7 +1028,7 @@ to debug/develop the newnat interface. If you are running Shorewall 4.4.21 or later, in shorewall.conf, set DROP_DEFAULT=Drop(-,DROP). See the Action HOWTO to learn why that magic + url="Actions.html">Action HOWTO to learn how that magic works. @@ -1046,11 +1038,11 @@ to debug/develop the newnat interface. showed 100s of ports as open!!!! Answer: Take a deep breath and - read the nmap man page section about UDP scans. If nmap gets nothing back from your firewall then it reports the port as open. If you want to see which UDP ports are really open, temporarily change your net->all policy to REJECT, restart - Shorewall and do the nmap UDP scan again. + Shorewall and run the nmap UDP scan again.
@@ -1104,7 +1096,7 @@ to debug/develop the newnat interface. Answer: Every time I read systems can't see out to the net, I wonder where the poster bought computers with eyes and what those computers will - see when things are working properly. That aside, the + see when things are working properly :-). That aside, the most common causes of this problem are: @@ -1166,7 +1158,7 @@ to debug/develop the newnat interface. Shorewall to allow traffic through the bridge? Answer: Add the - routeback option to routeback option to br0 in /etc/shorewall/interfaces. @@ -1176,7 +1168,7 @@ to debug/develop the newnat interface.
- (FAQ 64) I just upgraded my kernel to 2.6.20 and my + <title>(FAQ 64) I just upgraded my kernel to 2.6.20 (or later) and my bridge/firewall stopped working. What is wrong? Answer: In kernel 2.6.20, the @@ -1251,14 +1243,6 @@ to debug/develop the newnat interface. /etc/syslog.conf, be sure to restart syslogd (on a RedHat system, service syslog restart). - By default, older versions of Shorewall rate-limited log messages - through settings in - /etc/shorewall/shorewall.conf -- If you want to log - all messages, set: - - LOGLIMIT="" -LOGBURST="" - It is also possible to set up Shorewall to log all of Netfilter's messages to a separate file. @@ -1329,17 +1313,6 @@ DROP net fw udp 10619 - udp 10619
-
- (FAQ 6c) cat /proc/sys/kernel/prink returns '4 4 1 7' and still - I get dmesg filled up - - Answer: While we would argue - that 'dmesg filled up' is not necessarily a problem, the only way to - eliminate that is to set up - Shorewall to log all of Netfilter's messages to a separate - file. -
-
(FAQ 6d) Why is the MAC address in Shorewall log messages so long? I thought MAC addresses were only 6 bytes in length. @@ -1392,7 +1365,7 @@ DROP net fw udp 10619 Just to be clear, it is not Shorewall that is writing all over your console. Shorewall issues a single log message during each start, restart, - stop, etc. It is rather the klogd daemon that is + stop, etc. It is rather your logging daemon that is writing messages to your console. Shorewall itself has no control over where a particular class of messages are written. See the Shorewall logging @@ -1424,7 +1397,18 @@ teastep@ursa:~$ The first number determines the maximum log thensysctl -p /etc/sysctl.conf
- (FAQ 16a) Why can't I see any Shorewall messages in + <title>(FAQ 16a) cat /proc/sys/kernel/prink returns '4 4 1 7' and + still I get dmesg filled up + + Answer: While we would argue + that 'dmesg filled up' is not necessarily a problem, the only way to + eliminate that is to set up + Shorewall to log all of Netfilter's messages to a separate + file. +
+ +
+ (FAQ 16b) Why can't I see any Shorewall messages in /var/log/messages? Some people who ask this question report that the only Shorewall @@ -1454,20 +1438,20 @@ teastep@ursa:~$ The first number determines the maximum log logging documentation for further information.
-
- (FAQ 16b) Shorewall messages are flooding the output of + <section id="faq16c"> + <title>(FAQ 16c) Shorewall messages are flooding the output of 'dmesg'; how to I stop that? Answer: Switch to using ulogd.
-
- (FAQ 16c) I set LOGFILE=/var/log/shorewall but log messages are + <section id="faq16d"> + <title>(FAQ 16d) I set LOGFILE=/var/log/shorewall but log messages are still going to /var/log/messages. Answer: See the answer to FAQ 16a above. + linkend="faq16b">FAQ 16b above.
@@ -1794,9 +1778,8 @@ teastep@ursa:~$ The first number determines the maximum log (FAQ 81) logdrop and logreject don't log. I love the ability to type 'shorewall logdrop ww.xx.yy.zz' and - >> completely block a particular IP address. However, the log part - doesn't happen. When I look in the logdrop chain, there is no LOG - prefix. + completely block a particular IP address. However, the log part doesn't + happen. When I look in the logdrop chain, there is no LOG prefix. Answer: You haven't set a value for BLACKLIST_LOGLEVEL in Answer: The Webmin 'bandwidth' module adds commands to /etc/shorewall/start that - creates rules to log every packet to/from/through the firewall. DON'T - START THE BANDWIDTH SERVICE IN WEBMIN!!!!! + creates rules to log every packet to/from/through the firewall. + DON'T START THE BANDWIDTH SERVICE IN + WEBMIN! To correct this situation once it occurs, edit /etc/shorewall/start and insert 'return 0' prior to @@ -1886,7 +1870,7 @@ Dec 15 16:47:30 heath-desktop last message repeated 2 times Answer: The stop command is intended to place your firewall into a safe state whereby only those hosts listed in - /etc/shorewall/routestopped are activated. If you + /etc/shorewall/routestopped are allowed. If you want to totally open up your firewall, you must use the shorewall[-lite] clear command. @@ -1957,42 +1941,6 @@ Creating input Chains... the default run-levels of your firewall system. -
- (FAQ 45) Why does "shorewall[-lite] start" fail when trying to - set up SNAT/Masquerading? - - shorewall start produces the following - output: - - … -Processing /etc/shorewall/policy... - Policy ACCEPT for fw to net using chain fw2net - Policy ACCEPT for loc0 to net using chain loc02net - Policy ACCEPT for loc1 to net using chain loc12net - Policy ACCEPT for wlan to net using chain wlan2net -Masqueraded Networks and Hosts: -iptables: Invalid argument - ERROR: Command "/sbin/iptables -t nat -A …" Failed - - Answer: 99.999% of the time, this - error is caused by a mismatch between your iptables and kernel. - - - - Your iptables must be compiled against a kernel source tree - that is Netfilter-compatible with the kernel that you are - running. - - - - If you rebuild iptables using the defaults and install it, it - will be installed in /usr/local/sbin/iptables. As shown above, you - have the IPTABLES variable in shorewall.conf set to - "/sbin/iptables". - - -
-
(FAQ 59) After I start Shorewall, there are lots of unused Netfilter modules loaded. How do I avoid that? @@ -2126,8 +2074,7 @@ Shorewall-4.4.11 Status at gateway - Wed Jul 21 13:21:41 PDT 2010 Shorewall is stopped State:Started (Tue Jul 20 16:01:49 PDT 2010) -gateway:~# - +gateway:~# then it means that something outside of Shorewall has deleted the @@ -2629,34 +2576,6 @@ else NAT of local connections (READ HELP) on the Netfilter Configuration menu. Otherwise, DNAT rules with your firewall as the source zone won't work with your new kernel. - -
- (FAQ 27a) I just built (or downloaded or otherwise acquired) - and installed a new kernel and now Shorewall won't start. I know that - my kernel options are correct. - - The last few lines of a startup - trace are these: - - + run_iptables2 -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j -MASQUERADE -+ '[' 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j -MASQUERADE' = 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0. -0/0 -j MASQUERADE' ']' -+ run_iptables -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j -MASQUERADE -+ iptables -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j -MASQUERADE -iptables: Invalid argument -+ '[' -z '' ']' -+ stop_firewall -+ set +x - - Answer: Your new kernel - contains headers that are incompatible with the ones used to compile - your iptables utility. You need to rebuild - iptables using your new kernel source. -
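Review bot: the new paragraph in the @@ -902 hunk ("Beginning with Shorewall 4.4.13, you can use the option in /etc/shorewall/interfaces to implement blacklisting by destination IP address") never names the option: as it reads, "use the option" has no option. The sentence should state which interfaces option to set, so the reader is not left to guess.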
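Review bot: in the @@ -926 hunk, deleting the quoted Netfilter developer post also deletes the only caveat this answer carried, namely that the H.323 conntrack/NAT module was regarded by its author as a debugging aid and that a gatekeeper or proxy was recommended instead. After the change the answer only says the module "helps with Netmeeting". Suggest keeping a one-line note to that effect so the module is not presented as the recommended path.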
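Review bot: the @@ -1251 hunk removes the paragraph that told readers how to disable log rate limiting (LOGLIMIT="" and LOGBURST="" in /etc/shorewall/shorewall.conf) without putting anything in its place. If current releases still rate-limit log messages, the "log all messages" instruction needs a replacement naming the current setting; if the settings are obsolete, the commit message should say so.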
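Review bot: the @@ -1329 hunk removes FAQ 6c outright and the @@ -1424 hunk re-adds it as FAQ 16a, which shifts every following 16x id (the old 16b now carries id="faq16c", the old 16c id="faq16d"). Any link elsewhere in the docs or on the web that targets #faq6c, #faq16a, #faq16b or #faq16c will now land on a different question; only the single linkend in the new 16d is updated here (to faq16b). Suggest grepping the rest of the documentation for those ids and either updating the references or keeping the old ids as anchors.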
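Review bot: the moved title in the @@ -1424 hunk, "(FAQ 16a) cat /proc/sys/kernel/prink returns '4 4 1 7'", still carries the misspelling from the old 6c title; the sysctl is /proc/sys/kernel/printk. Since the title line is being rewritten anyway, this is the place to fix it.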
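Review bot: the retitled "(FAQ 16c) Shorewall messages are flooding the output of 'dmesg'; how to I stop that?" in the @@ -1454 hunk keeps the typo "how to I"; it should read "how do I stop that?". The linkend update in 16d (faq16a to faq16b) is correct given the renumbering.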
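Review bot: the @@ -1957 hunk deletes FAQ 45 and the @@ -2629 hunk deletes FAQ 27a, which were the two entries explaining "iptables: Invalid argument" as a mismatch between the iptables binary and the running kernel (including the IPTABLES=/sbin/iptables vs /usr/local/sbin/iptables pitfall). After this patch the FAQ has no entry for that error; if the advice is obsolete the commit should say why, otherwise one of the two entries should be kept, and any cross-references to faq45 or faq27a elsewhere in the docs need to be checked.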