More 3.0 doc updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2629 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-09-03 23:03:06 +00:00
parent 87574c0fe3
commit 71c448e6c7
15 changed files with 288 additions and 1309 deletions

View File

@ -187,16 +187,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term><link linkend="Ipsec">ipsec</link></term>
<listitem>
<para>a parameter file installed in <filename
class="directory">/etc/shorewall</filename> and used to describe
ipsec policies associated with zones.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><link linkend="Maclist">maclist</link></term>
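Review bot: Removing the `ipsec` varlistentry here leaves any remaining `<link linkend="Ipsec">` in this file pointing at a section that this 3.0 clean-up presumably drops as well; grep the document for `linkend="Ipsec"` and either retarget those links to the zones/hosts description or delete them so the DocBook build does not fail on an unresolved id.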
@ -423,16 +413,22 @@ NET_OPTIONS=blacklist,norfc1918</programlisting>
</varlistentry>
<varlistentry>
<term>IPSEC</term>
<term>TYPE</term>
<listitem>
<simplelist>
<member>Yes - All traffic to/from this zone is encrypted.</member>
<member><emphasis role="bold">ipsec</emphasis> - All traffic
to/from this zone is encrypted.</member>
<member>No - By default, traffic to/from some of the hosts in this
zone is not encrypted. Any encrypted hosts are designated using
the <emphasis role="bold">ipsec</emphasis> option in <link
<member><emphasis role="bold">plain</emphasis> - By default,
traffic to/from some of the hosts in this zone is not encrypted.
Any encrypted hosts are designated using the <emphasis
role="bold">ipsec</emphasis> option in <link
linkend="Hosts">/etc/shorewall/hosts</link>.</member>
<member><emphasis role="bold">firewall</emphasis> - Designates the
firewall itself. You must have exactly one 'firewall' zone. No
options are permitted with a 'firewall' zone. </member>
</simplelist>
</listitem>
</varlistentry>
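Review bot: The description for `plain` still carries the old IPSEC-column wording "By default, traffic to/from some of the hosts in this zone is not encrypted", which is ambiguous now that it describes a zone type; suggest "Traffic to/from hosts in this zone is not encrypted unless those hosts are designated with the ipsec option in /etc/shorewall/hosts." The `firewall` member is the only one that states an option constraint ("No options are permitted"), so consider adding a sentence to `ipsec` and `plain` saying which of the OPTIONS, IN OPTIONS and OUT OPTIONS columns apply to them.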
@ -1337,10 +1333,11 @@ loc loc REJECT info</programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE DISPLAY COMMENTS
sam Sam Sam's system at home
net Internet The Internet
loc Local Local Network</programlisting>
<programlisting>#ZONE TYPE OPTION
fw firewall
sam plain
net plain
loc plain</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
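Review bot: The new zones listing header reads `#ZONE TYPE OPTION`, while every other zones listing in this commit uses `#ZONE TYPE OPTIONS` (and the IPSEC document uses `OPTIONS IN OPTIONS OUT OPTIONS`); change it to `OPTIONS` so the sample file matches the column names documented in the varlistentry above.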

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2003-08-09</pubdate>
<pubdate>2003-09-03</pubdate>
<copyright>
<year>2001</year>
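Review bot: The new pubdate `2003-09-03` looks like a typo: the commit is dated 2005-09-03, the same hunk in the other three documents sets `<pubdate>2005-09-03</pubdate>`, and the copyright block in the next hunk adds 2005; replace with `<pubdate>2005-09-03</pubdate>`.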
@ -24,6 +24,8 @@
<year>2003</year>
<year>2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -33,13 +35,15 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<para>Shorewall includes built-in support for a wide range of VPN solutions.
If you have need for a tunnel type that does not have explicit support, you
can generally describe the tunneling software using <quote>generic tunnels</quote>.</para>
can generally describe the tunneling software using <quote>generic
tunnels</quote>.</para>
<section>
<title>Bridging two Masqueraded Networks</title>
@ -50,7 +54,7 @@
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file, the
accomplished through use of the /etc/shorwall/tunnels file, the
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
included with Shorewall.</para>
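Review bot: The rewritten line introduces a misspelling, `/etc/shorwall/tunnels`, where the original had `/etc/shorewall/tunnels`; restore the correct path, since readers copy these paths verbatim.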
@ -73,217 +77,44 @@
</orderedlist>
<para>On each firewall, you will need to declare a zone to represent the
remote subnet. We&#39;ll assume that this zone is called <quote>vpn</quote>
remote subnet. We'll assume that this zone is called <quote>vpn</quote>
and declare it in /etc/shorewall/zones on both systems as follows.</para>
<informaltable>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<programlisting>#ZONE TYPE OPTIONS
vpn plain</programlisting>
<entry align="center">DISPLAY</entry>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis
role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis>
zone. In /etc/shorewall/interfaces:</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tun0</entry>
<entry>10.255.255.255</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
vpn tun0 10.255.255.255</programlisting>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>generic:tcp:1071</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
<row>
<entry>generic:47</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
generic:tcp:1071 net 134.28.54.2
generic:47 net 134.28.54.2</programlisting>
<para>These entries in /etc/shorewall/tunnels, opens the firewall so that
TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will
be accepted to/from the remote gateway.</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tun0</entry>
<entry>192.168.1.255</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
vpn tun0 192.168.1.255</programlisting>
<para>In /etc/shorewall/tunnels on system B, we have:</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>generic:tcp:1071</entry>
<entry>net</entry>
<entry>206.191.148.9</entry>
<entry></entry>
</row>
<row>
<entry>generic:47</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
generic:tcp:1071 net 206.191.148.9
generic:47 net 206.191.148.9</programlisting>
<para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone on both systems -- if you simply want to
admit all traffic in both directions, you can use the policy file:</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#SOURCE DEST POLICY LOG LEVEL
loc vpn ACCEPT
vpn loc ACCEPT</programlisting>
<para>On both systems, restart Shorewall and start your VPN software on
each system. The systems in the two masqueraded subnetworks can now talk
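Review bot: The interfaces listing `vpn tun0 192.168.1.255` that follows the "These entries in /etc/shorewall/tunnels, opens the firewall ..." paragraph has no introductory sentence, so the reader cannot tell it belongs to system B; add a lead-in such as "Similarly, on system B the 192.168.1.0/24 subnet will comprise the vpn zone. In /etc/shorewall/interfaces:" as the ipip document in this same commit does. Worth recording in the commit message: the new system B tunnels listing also corrects the old table, whose `generic:47` row wrongly pointed at 134.28.54.2 instead of 206.191.148.9. Finally, "These entries ..., opens the firewall" should read "These entries ... open the firewall" (no comma, plural verb).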

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-05-22</pubdate>
<pubdate>2005-09-03</pubdate>
<copyright>
<year>2001</year>
@ -26,6 +26,8 @@
<year>2004</year>
<year>2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -35,7 +37,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -48,11 +51,11 @@
masqueraded networks.</para>
<para>The simple scripts described in the <citetitle><ulink
url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</ulink></citetitle>
work fine with Shorewall. Shorewall also includes a tunnel script for
automating tunnel configuration. If you have installed the RPM, the tunnel
script may be found in the Shorewall documentation directory (usually
/usr/share/doc/shorewall-&#60;version&#62;/).</para>
url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping
HOWTO</ulink></citetitle> work fine with Shorewall. Shorewall also includes
a tunnel script for automating tunnel configuration. If you have installed
the RPM, the tunnel script may be found in the Shorewall documentation
directory (usually /usr/share/doc/shorewall-&lt;version&gt;/).</para>
<section>
<title>Bridging two Masqueraded Networks</title>
@ -71,10 +74,11 @@
by default -- If you install using the tarball, the script is included in
the tarball; if you install using the RPM, the file is in your Shorewall
documentation directory (normally
/usr/share/doc/shorewall-&#60;version&#62;).</para>
/usr/share/doc/shorewall-&lt;version&gt;).</para>
<para>In the /etc/shorewall/tunnel script, set the <quote>tunnel_type</quote>
parameter to the type of tunnel that you want to create.</para>
<para>In the /etc/shorewall/tunnel script, set the
<quote>tunnel_type</quote> parameter to the type of tunnel that you want
to create.</para>
<example>
<title>/etc/shorewall/tunnel</title>
@ -85,106 +89,31 @@
<warning>
<para>If you use the PPTP connection tracking modules from Netfilter
Patch-O-Matic (ip_conntrack_proto_gre ip_conntrack_pptp,
ip_nat_proto_gre and ip_nat_pptp) then you cannot use GRE tunnels.</para>
ip_nat_proto_gre and ip_nat_pptp) then you cannot use GRE
tunnels.</para>
</warning>
<para>On each firewall, you will need to declare a zone to represent the
remote subnet. We&#39;ll assume that this zone is called <quote>vpn</quote>
remote subnet. We'll assume that this zone is called <quote>vpn</quote>
and declare it in /etc/shorewall/zones on both systems as follows.</para>
<table>
<title>/etc/shorewall/zones system A &#38; B</title>
<programlisting>#ZONE TYPE OPTIONS
vpn plain</programlisting>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis
role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet</entry>
</row>
</tbody>
</tgroup>
</table>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis>
zone. In /etc/shorewall/interfaces:</para>
<table>
<title>/etc/shorewall/interfaces system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tosysb</entry>
<entry>10.255.255.255</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
vpn tosysb 10.255.255.255</programlisting>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<table>
<title>/etc/shorewall/tunnels system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipip</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipip net 134.28.54.2</programlisting>
<para>This entry in /etc/shorewall/tunnels, opens the firewall so that the
IP encapsulation protocol (4) will be accepted to/from the remote gateway.</para>
IP encapsulation protocol (4) will be accepted to/from the remote
gateway.</para>
<para>In the tunnel script on system A:</para>
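Review bot: The reflowed sentence keeps the stray comma in "This entry in /etc/shorewall/tunnels, opens the firewall so that the IP encapsulation protocol (4) will be accepted"; drop the comma while the line is being touched. The tables-to-programlisting conversion itself is consistent: `vpn tosysb 10.255.255.255` and `ipip net 134.28.54.2` match the rows of the tables they replace.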
@ -201,69 +130,16 @@ subnet=10.0.0.0/8
</example>
<para>Similarly, On system B the 192.168.1.0/24 subnet will comprise the
<emphasis role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
<emphasis role="bold">vpn</emphasis> zone. In
/etc/shorewall/interfaces:</para>
<table>
<title>/etc/shorewall/interfaces system B</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tosysa</entry>
<entry>192.168.1.255</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ZONE INTERFACE BROADCAST
vpn tosysa 192.168.1.255</programlisting>
<para>In /etc/shorewall/tunnels on system B, we have:</para>
<table>
<title>/etc/shorewall/tunnels system B</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipip</entry>
<entry>net</entry>
<entry>206.191.148.9</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipip net 206.191.148.9</programlisting>
<para>And in the tunnel script on system B:</para>
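Review bot: The system B interfaces listing header `#ZONE INTERFACE BROADCAST` is missing the `OPTIONS` column that the system A listing in the previous hunk (`#ZONE INTERFACE BROADCAST OPTIONS`) and the replaced table both carry; add it so the two examples document the same file layout.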
@ -285,45 +161,9 @@ subnet=192.168.1.0/24</programlisting>
and the <quote>loc</quote> zone on both systems -- if you simply want to
admit all traffic in both directions, you can use the policy file:</para>
<table>
<title>/etc/shorewall/policy system A &#38; B</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#SOURCE DEST POLICY LOG LEVEL
loc vpn ACCEPT
vpn loc ACCEPT</programlisting>
<para>On both systems, restart Shorewall and run the modified tunnel
script with the <quote>start</quote> argument on each system. The systems

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-06-02</pubdate>
<pubdate>2005-09-03</pubdate>
<copyright>
<year>2004</year>
@ -62,8 +62,9 @@
url="Accounting.html">/etc/shorewall/accounting</ulink></member>
<member><ulink
url="Shorewall_and_Routing.html">/etc/shorewall/routes</ulink> (2.3.2
and later)</member>
url="Shorewall_and_Routing.html">/etc/shorewall/rules</ulink> (Recommend
that you place the rules in the ESTABLISHED section of that
file).</member>
</simplelist>
<para>When the PROTO or PROTOCOL column contains "ipp2p" then the DEST
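Review bot: The list item now names `/etc/shorewall/rules` but keeps the old link target `url="Shorewall_and_Routing.html"`, which described the routes file; point the ulink at the rules documentation (or drop the ulink) so the link matches the text. The parenthetical "(Recommend that you place the rules in the ESTABLISHED section of that file)" is also a fragment; suggest "(It is recommended that you place these rules in the ESTABLISHED section of that file.)".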

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-08-30</pubdate>
<pubdate>2005-09-03</pubdate>
<copyright>
<year>2004</year>
@ -210,19 +210,19 @@
<para>Encrypted communication is used to/from all hosts in a
zone.</para>
<para>The value <emphasis role="bold">Yes</emphasis> is placed in the
IPSEC column of the <filename>/etc/shorewall/ipsec</filename> entry
<para>The value <emphasis role="bold">ipsec</emphasis> is placed in
the TYPE column of the <filename>/etc/shorewall/zones</filename> entry
for the zone.</para>
</listitem>
<listitem>
<para>Encrypted communication is used to/from only part of the hosts
in a zone.</para>
<para>By default, encrypted communication is not used to communicate
with the hosts in a zone.</para>
<para>The value <emphasis role="bold">No</emphasis> is placed in the
IPSEC column of the <filename>/etc/shorewall/ipsec</filename> entry
<para>The value <emphasis role="bold">plain</emphasis> is placed in
the TYPE column of the <filename>/etc/shorewall/zones</filename> entry
for the zone and the new <emphasis role="bold">ipsec</emphasis> option
is specified in <filename>/etc/shorewall/hosts</filename> for those
is specified in <filename>/etc/shorewall/hosts</filename> for any
hosts requiring secure communication.</para>
</listitem>
</orderedlist>
@ -233,15 +233,15 @@
</note>
<note>
<para>It is redundent to have <emphasis role="bold">Yes</emphasis> in
the IPSEC column of the <filename>/etc/shorewall/ipsec</filename> entry
<para>It is redundent to have <emphasis role="bold">ipsec</emphasis> in
the TYPE column of the <filename>/etc/shorewall/zones</filename> entry
for a zone and to also have the <emphasis role="bold">ipsec</emphasis>
option in <filename>/etc/shorewall/hosts</filename> entries for that
zone.</para>
</note>
<para>Finally, the OPTIONS, IN OPTIONS and OUT OPTIONS columns in
/etc/shorewall/ipsec can be used to match the zone to a particular (set
/etc/shorewall/zones can be used to match the zone to a particular (set
of) SA(s) used to encrypt and decrypt traffic to/from the zone and the
security policies that select which traffic to encrypt/decrypt.</para>
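Review bot: The rewritten note still misspells "redundent" (should be "redundant") in "It is redundent to have ipsec in the TYPE column"; fix it while the line is being changed. The following paragraph's switch from /etc/shorewall/ipsec to /etc/shorewall/zones for the OPTIONS, IN OPTIONS and OUT OPTIONS columns is consistent with the new zones listings later in this file.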
@ -319,10 +319,10 @@ ipsec net 206.162.148.9
<para><filename>/etc/shorewall/zones</filename> — Systems A and
B:</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
vpn No
net No
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
vpn plain
net plain
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
@ -472,9 +472,9 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
through an ESP tunnel then the following entry would be
appropriate:</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
sec yes mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting>
<para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename>
isn't effective with the 2.6 native IPSEC implementation because there
@ -503,11 +503,11 @@ sec yes mode=tunnel <emphasis role="bold">mss=1400</emphasis
<blockquote>
<para>/etc/shorewall/zones — System A</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
vpn Yes
net No
loc No
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
vpn ipsec
net plain
loc plain
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
@ -546,11 +546,11 @@ vpn eth0:0.0.0.0/0
<blockquote>
<para>/etc/shorewall/zones - System B:</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
vpn Yes
net No
loc No
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
vpn ipsec
net plain
loc plain
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para>/etc/shorewall/tunnels - System B:</para>
@ -759,10 +759,10 @@ ipsec:noah net 192.168.20.0/24 loc</programlisting>
<para>/etc/shorewall/zones:</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
loc Yes mode=transport
net</programlisting>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
loc ipsec mode=transport
net plain</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-08-20</pubdate>
<pubdate>2005-09-03</pubdate>
<copyright>
<year>2001-2005</year>
@ -34,6 +34,13 @@
</legalnotice>
</articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<important>
<para>The information in this article is only applicable if you plan to
have IPSEC end-points on the same system where Shorewall is used.</para>
@ -67,13 +74,6 @@
recommend that you consult that site for information about configuring
FreeS/Wan.</para>
<warning>
<para>IPSEC and Proxy ARP do not work unless you are running Shorewall
2.0.1 Beta 3 or later or unless you have installed the fix to Shorewall
2.0.0 available from the <ulink url="errata.htm">Errata
Page</ulink>.</para>
</warning>
<important>
<para>The documentation below assumes that you have disabled
opportunistic encryption feature in FreeS/Wan 2.0 using the following
@ -131,67 +131,13 @@ conn packetdefault
<para>In /etc/shorewall/tunnels on system A, we need the following</para>
<table>
<title>/etc/shorewall/tunnels - System A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 134.28.54.2</programlisting>
<para>In /etc/shorewall/tunnels on system B, we would have:</para>
<table>
<title>/etc/shorewall/tunnels - System B</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>206.161.148.9</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 206.161.148.9</programlisting>
<note>
<para>If either of the endpoints is behind a NAT gateway then the
@ -206,72 +152,19 @@ conn packetdefault
zone called <quote>vpn</quote> to represent the remote subnet. Note that
you should define the vpn zone before the net zone.</para>
<para><table>
<title>/etc/shorewall/zones - Systems A and B</title>
<para>/etc/shorewall/zones (both systems):</para>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet</entry>
</row>
<row>
<entry>net</entry>
<entry>Internet</entry>
<entry>The big bad internet</entry>
</row>
</tbody>
</tgroup>
</table></para>
<programlisting>#ZONE TYPE OPTIONS
vpn plain
net plain</programlisting>
<para><emphasis role="bold">If you are running kernel
2.4:</emphasis><blockquote>
<para>At both systems, ipsec0 would be included in
/etc/shorewall/interfaces as a <quote>vpn</quote> interface:</para>
<para><table>
<title>/etc/shorewall/interfaces - Systems A and B</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>ipsec0</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table></para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
vpn ipsec0</programlisting>
</blockquote></para>
<para><emphasis role="bold">If you are running kernel
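Review bot: The new caption `<para>/etc/shorewall/zones (both systems):</para>` uses a different labelling style from the captions added in the next hunks (`/etc/shorewall/hosts - System A`, `/etc/shorewall/masq - System B`); pick one form, e.g. "/etc/shorewall/zones - Systems A and B", so the replacements for the former table titles read uniformly. The retained sentence "you should define the vpn zone before the net zone" still applies to the new `#ZONE TYPE OPTIONS` listing and the listing does respect that order.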
@ -289,57 +182,15 @@ conn packetdefault
<para>You must define the vpn zone using the /etc/shorewall/hosts
file.</para>
<table>
<title>/etc/shorewall/hosts - System A</title>
<para>/etc/shorewall/hosts - System A</para>
<tgroup cols="3">
<thead>
<row>
<entry>ZONE</entry>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:10.0.0.0/8</programlisting>
<entry>HOSTS</entry>
<para>/etc/shorewall/hots - System B</para>
<entry>OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>eth0:10.0.0.0/8</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/hosts - System B</title>
<tgroup cols="3">
<thead>
<row>
<entry>ZONE</entry>
<entry>HOSTS</entry>
<entry>OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>eth0:192.168.1.0/24</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:192.168.1.0/24</programlisting>
<para>In addition, <emphasis role="bold">if you are using Masquerading
or SNAT</emphasis> on your firewalls, you need to elmiinate the remote
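Review bot: The new caption `<para>/etc/shorewall/hots - System B</para>` misspells the file name; it should be `/etc/shorewall/hosts - System B` to match the system A caption and the path used in the surrounding prose. The context line "you need to elmiinate the remote" also carries a pre-existing typo ("eliminate") that could be fixed in the same pass.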
@ -347,102 +198,26 @@ conn packetdefault
role="bold">replace</emphasis> your current masquerade/SNAT entries for
the local networks.</para>
<table>
<title>/etc/shorewall/masq - System A</title>
<para>/etc/shorewall/masq - System A</para>
<tgroup cols="3">
<thead>
<row>
<entry>INTERFACE</entry>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0:!10.0.0.0/8 192.168.1.0/24</programlisting>
<entry>SUBNET</entry>
<para>/etc/shorewall/masq - System B</para>
<entry>ADDRESS</entry>
</row>
</thead>
<tbody>
<row>
<entry>eth0:!10.0.0.0/8</entry>
<entry>192.168.1.0/24</entry>
<entry>...</entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/masq System B</title>
<tgroup cols="3">
<thead>
<row>
<entry>INTERFACE</entry>
<entry>SUBNET</entry>
<entry>ADDRESS</entry>
</row>
</thead>
<tbody>
<row>
<entry>eth0:!192.168.1.0/24</entry>
<entry>10.0.0.0/8</entry>
<entry>...</entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0:!192.168.1.0/24 10.0.0.0/8</programlisting>
</blockquote>
<para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone -- if you simply want to admit all traffic
in both directions, you can use the policy file:</para>
<para><table>
<title>/etc/shorewall/policy - Systems A and B</title>
<programlisting>#SOURCE DEST POLICY LOG LEVEL
loc vpn ACCEPT
vpn loc ACCEPT</programlisting>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table></para>
<para></para>
<para>Once you have these entries in place, restart Shorewall (type
shorewall restart); you are now ready to configure the tunnel in <ulink
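Review bot: The empty `<para></para>` left between the policy listing and the "Once you have these entries in place" paragraph renders as a blank paragraph and should be removed now that the table wrapper it separated is gone. The masq listings correctly leave the ADDRESS column blank where the old tables showed `...`, but the policy listing, unlike the hosts and masq listings in the preceding hunks, has no caption naming the file and the systems it applies to; add "/etc/shorewall/policy - Systems A and B" for consistency.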
@ -487,77 +262,14 @@ conn packetdefault
<para>In /etc/shorewall/tunnels on system A, we need the following</para>
<table>
<title>/etc/shorewall/tunnels system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>130.152.100.14</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 134.28.54.2
ipsec net 130.252.100.14</programlisting>
<para>In /etc/shorewall/tunnels on systems B and C, we would have:</para>
<table>
<title>/etc/shorewall/tunnels system B &amp; C</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>206.161.148.9</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 206.161.148.9</programlisting>
<note>
<para>If either of the endpoints is behind a NAT gateway then the
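Review bot: The second gateway in the new system A tunnels listing is `130.252.100.14`, while the table it replaces listed `130.152.100.14`; one of these is a transcription error, so confirm which address system C is meant to have and make sure the same value is used wherever system C appears in this document (the zones, hosts and tunnel examples that follow all refer to the same machine).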
@ -570,170 +282,33 @@ conn packetdefault
<para>On each system, we will create a zone to represent the remote
networks. On System A:</para>
<table>
<title>/etc/shorewall/zones system A</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn1</entry>
<entry>VPN1</entry>
<entry>Remote Subnet on system B</entry>
</row>
<row>
<entry>vpn2</entry>
<entry>VPN2</entry>
<entry>Remote Subnet on system C</entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ZONE TYPE OPTIONS
vpn1 plain
vp2 plain</programlisting>
<para>On systems B and C:</para>
<table>
<title>/etc/shorewall/zones system B &amp; C</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet on system A</entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ZONE TYPE OPTIONS
vpn plain</programlisting>
<para>At system A, ipsec0 represents two zones so we have the following in
/etc/shorewall/interfaces:</para>
<table>
<title>/etc/shorewall/interfaces system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>-</entry>
<entry>ipsec0</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
- ipsec0</programlisting>
<para>The /etc/shorewall/hosts file on system A defines the two VPN
zones:</para>
<table>
<title>/etc/shorewall/hosts system A</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">HOSTS</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn1</entry>
<entry>ipsec0:10.0.0.0/16</entry>
<entry></entry>
</row>
<row>
<entry>vpn2</entry>
<entry>ipsec0:10.1.0.0/16</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ZONE HOSTS OPTIONS
vpn1 ipsec0:10.0.0.0/16
vpn2 ipsec0:10.1.0.0/16</programlisting>
<para>At systems B and C, ipsec0 represents a single zone so we have the
following in /etc/shorewall/interfaces:</para>
<table>
<title>/etc/shorewall/interfaces system B &amp; C</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>ipsec0</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
vpn ipsec0</programlisting>
<para>On systems A, you will need to allow traffic between the
<quote>vpn1</quote> zone and the <quote>loc</quote> zone as well as
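Review bot: The system A zones listing declares `vp2 plain`, a typo for `vpn2`: the replaced table named the zone `vpn2`, and the hosts listing later in this hunk (`vpn2 ipsec0:10.1.0.0/16`) and the policy entries in the next hunk all use `vpn2`, so as written the example would fail with an undefined zone. Fix the listing to `vpn2 plain`.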
@ -741,110 +316,22 @@ conn packetdefault
simply want to admit all traffic in both directions, you can use the
following policy file entries on all three gateways:</para>
<table>
<title>/etc/shorewall/policy system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn1</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn1</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>loc</entry>
<entry>vpn2</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn2</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#SOURCE DEST POLICY LOG LEVEL
loc vpn1 ACCEPT
vpn1 loc ACCEPT
loc vpn2 ACCEPT
vpn2 loc ACCEPT</programlisting>
<para>On systems B and C, you will need to allow traffic between the
<quote>vpn</quote> zone and the <quote>loc</quote> zone -- if you simply
want to admit all traffic in both directions, you can use the following
policy file entries on all three gateways:</para>
<table>
<title>/etc/shorewall/policy system B &amp; C</title>
<para>/etc/shorewall/policy -- Systems B &amp; C</para>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#SOURCE DEST POLICY LOG LEVEL
loc vpn ACCEPT
vpn loc ACCEPT</programlisting>
<para>Once you have the Shorewall entries added, restart Shorewall on each
gateway (type shorewall restart); you are now ready to configure the
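Review bot: the unchanged paragraph "On systems B and C, you will need to allow traffic between the vpn zone and the loc zone -- if you simply want to admit all traffic in both directions, you can use the following policy file entries on all three gateways" contradicts itself, since the loc/vpn policy that follows applies only to B and C (system A uses vpn1/vpn2); it should end "on both gateways" or "on systems B and C". Dropping the stray `<para>/etc/shorewall/policy -- Systems B &amp; C</para>` that sat between `<title>` and `<tgroup>` inside the old `<table>` is a welcome side effect of this hunk, as that placement is not valid DocBook.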
@ -856,45 +343,9 @@ conn packetdefault
it is necessary to simply add two additional entries to the
/etc/shorewall/policy file on system A.</para>
<table>
<title>/etc/shorewall/policy system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn1</entry>
<entry>vpn2</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn2</entry>
<entry>vpn1</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#SOURCE DEST POLICY LOG LEVEL
vpn1 vpn2 ACCEPT
vpn2 vpn1 ACCEPT</programlisting>
</note>
<note>
@ -920,65 +371,17 @@ conn packetdefault
local zone. In this example, we'll assume that you have created a zone
called <quote>vpn</quote> to represent the remote host.</para>
<para><table>
<title>/etc/shorewall/zones local</title>
<para>/etc/shorewall/zones - System A</para>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet</entry>
</row>
</tbody>
</tgroup>
</table></para>
<programlisting>#ZONE TYPE OPTIONS
vpn plain</programlisting>
<para>In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the /etc/shorewall/tunnels
file on system A, the following entry should be made:</para>
<para><table>
<title>/etc/shorewall/tunnels system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>0.0.0.0/0</entry>
<entry>vpn</entry>
</row>
</tbody>
</tgroup>
</table></para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 0.0.0.0/0</programlisting>
<para><note>
<para>the GATEWAY ZONE column contains the name of the zone
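Review bot: the new tunnels programlisting `ipsec net 0.0.0.0/0` loses the GATEWAY ZONE value that the removed table carried in its fourth column (`vpn`), yet the `<note>` immediately below still explains what the GATEWAY ZONE column does, and the paragraph above says the remote zone is "vpn". The line should read `ipsec net 0.0.0.0/0 vpn`, matching the `ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3` form used in the next hunk of this file.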
@ -1004,79 +407,15 @@ conn packetdefault
<para>In /etc/shorewall/zones:</para>
<table>
<title>/etc/shorewall/zones</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn1</entry>
<entry>VPN-1</entry>
<entry>First VPN Zone</entry>
</row>
<row>
<entry>vpn2</entry>
<entry>VPN-2</entry>
<entry>Second VPN Zone</entry>
</row>
<row>
<entry>vpn3</entry>
<entry>VPN-3</entry>
<entry>Third VPN Zone</entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#ZONE TYPE OPTIONS
vpn1 plain
vpn2 plain
vpn3 plain</programlisting>
<para>In /etc/shorewall/tunnels:</para>
<table>
<title>/etc/shorewall/tunnels</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>0.0.0.0/0</entry>
<entry>vpn1,vpn2,vpn3</entry>
</row>
</tbody>
</tgroup>
</table>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3</programlisting>
<para>When Shorewall is started, the zones vpn[1-3] will all be empty and
Shorewall will issue warnings to that effect. These warnings may be safely
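Review bot: the replacement zones listing (`vpn1 plain` / `vpn2 plain` / `vpn3 plain`) drops the "First VPN Zone" / "Second VPN Zone" / "Third VPN Zone" comments along with the table, and the 3.0 file format shown here has no COMMENTS column to carry them; a trailing `#` comment on each line would keep that guidance for the reader without affecting the format.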
@ -1101,49 +440,12 @@ conn packetdefault
<para>If you include a dynamic zone in the exclude list of a DNAT rule,
the dynamically-added hosts are not excluded from the rule.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT z!dyn loc:192.168.1.3 tcp 80</programlisting>
<example>
<title>dyn=dynamic zone</title>
<para><informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">CLIENT PORT(S)</entry>
<entry align="center">ORIGINAL DESTINATION</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>z!dyn</entry>
<entry>loc:192.168.1.3</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable></para>
<para>Dynamic changes to the zone <emphasis role="bold">dyn</emphasis>
will have no effect on the above rule.</para>
</example>
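Review bot: the removed `<example>` carried two things the new `DNAT z!dyn loc:192.168.1.3 tcp 80` listing does not: its title "dyn=dynamic zone", which is the only place that told the reader `dyn` is the dynamic zone, and the closing sentence "Dynamic changes to the zone dyn will have no effect on the above rule". The paragraph above ("the dynamically-added hosts are not excluded from the rule") covers the second, but the first should survive, for instance as a `# dyn is a dynamic zone` comment line in the programlisting.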

View File

@ -122,6 +122,7 @@
example, the following zone names are used:</para>
<programlisting>#NAME DESCRIPTION
fw The firewall itself
net The Internet
loc Your Local Network
dmz Demilitarized Zone</programlisting>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-05-15</pubdate>
<pubdate>2005-09-03</pubdate>
<copyright>
<year>2003-2005</year>
@ -34,6 +34,13 @@
</legalnotice>
</articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<section>
<title>Introduction</title>
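Review bot: this same `<caution>` block ("This article applies to Shorewall 3.0 and later...") is pasted verbatim into six articles in this commit; an XML entity or shared include for the boilerplate would keep the wording and version number in sync when it next changes.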
@ -205,9 +212,9 @@
<para><filename>/etc/shorewall/zones</filename></para>
<programlisting>#ZONE DISPLAY COMMENTS
loc1 Local1 Hosts accessed through internal router
loc Local All hosts accessed via eth1</programlisting>
<programlisting>#ZONE TYPE OPTIONS
loc1 plain
loc plain</programlisting>
<note>
<para>the sub-zone (loc1) is defined first!</para>
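Review bot: with the COMMENTS column gone, nothing in the new listing (`loc1 plain` / `loc plain`) says which hosts loc1 covers; the removed line "Hosts accessed through internal router" was the only description. A `#` comment on each zone line would preserve it. The same applies to the three similar zones hunks that follow in this file.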
@ -244,9 +251,9 @@ loc1 loc NONE</programlisting>
<para><filename>/etc/shorewall/zones</filename></para>
<programlisting>#ZONE DISPLAY COMMENTS
loc1 Local1 Hosts accessed Directly from Firewall
loc2 Local2 Hosts accessed via the internal Router</programlisting>
<programlisting>#ZONE TYPE OPTIONS
loc1 plain
loc2 plain</programlisting>
<note>
<para>Here it doesn't matter which zone is defined first.</para>
@ -287,9 +294,9 @@ loc2 loc1 NONE</programlisting>
<para><filename>/etc/shorewall/zones</filename></para>
<programlisting>#ZONE DISPLAY COMMENTS
loc1 Local1 192.168.1.8-192.168.1.15
loc Local All hosts accessed via eth1</programlisting>
<programlisting>#ZONE TYPE OPTIONS
loc1 plain
loc plain</programlisting>
<note>
<para>the sub-zone (loc1) is defined first!</para>
@ -332,9 +339,9 @@ loc1 loc NONE</programlisting>
<para><filename>/etc/shorewall/zones</filename></para>
<programlisting>#ZONE DISPLAY COMMENTS
loc Local Local Zone
net Internet The big bad Internet</programlisting>
<programlisting>#ZONE TYPE OPTIONS
loc1 plain
net plain</programlisting>
<note>
<para>the sub-zone (loc) is defined first!</para>
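Review bot: the new listing names the first zone `loc1`, but the listing it replaces (`loc Local Local Zone` / `net Internet The big bad Internet`) and the unchanged note below ("the sub-zone (loc) is defined first!") both use `loc`; the line should be `loc plain`.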

View File

@ -21,7 +21,7 @@
</author>
</authorgroup>
<pubdate>2005-08-27</pubdate>
<pubdate>2005-08-30</pubdate>
<copyright>
<year>2003</year>
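Review bot: the pubdate here is bumped to 2005-08-30 while every other article touched by this commit is set to 2005-09-03; if the change is being published together, the dates should agree.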
@ -46,6 +46,13 @@
</legalnotice>
</articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<para>OpenVPN is a robust and highly configurable VPN (Virtual Private
Network) daemon which can be used to securely link two or more private
networks using an encrypted tunnel over the internet. OpenVPN is an Open
@ -97,8 +104,9 @@
<para><filename>/etc/shorewall/zones</filename> — Systems A &amp;
B</para>
<programlisting>#ZONE DISPLAY COMMENTS
vpn VPN Remote subnet</programlisting>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
vpn plain</programlisting>
</blockquote>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis
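Review bot: the new column header is split over two lines (`#ZONE TYPE OPTIONS IN OUT` followed by `# OPTIONS OPTIONS`), which differs from the single-line `#ZONE TYPE OPTIONS` used in the other zones listings of this commit and from the `#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS` form in the ipset article; one header style across the documentation would be easier to maintain. The same two-line header appears in the next two hunks of this file.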
@ -231,8 +239,9 @@ vpn loc ACCEPT</programlisting>
<blockquote>
<para><filename>/etc/shorewall/zones</filename> — System A:</para>
<programlisting>#ZONE DISPLAY COMMENTS
road Roadwarriors Remote clients</programlisting>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
road plain</programlisting>
</blockquote>
<para>On system A, the remote clients will comprise the <emphasis
@ -314,8 +323,9 @@ verb 3</programlisting>
<blockquote>
<para><filename>/etc/shorewall/zones</filename> — System B:</para>
<programlisting>#ZONE DISPLAY COMMENTS
home Home Home LAN</programlisting>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
home plain</programlisting>
</blockquote>
<para>On system A, the hosts accessible through the tunnel will comprise

View File

@ -5,7 +5,7 @@
<!--$Id$-->
<articleinfo>
<title>PPTP</title>
<title>PPTP - Unmaintained</title>
<authorgroup>
<author>
@ -92,6 +92,11 @@
</abstract>
</articleinfo>
<warning>
<para><emphasis role="bold">This document is no longer maintained. Any
volunteers?</emphasis></para>
</warning>
<section>
<title>Overview</title>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-03-17</pubdate>
<pubdate>2005-09-03</pubdate>
<copyright>
<year>2001-2005</year>
@ -34,6 +34,13 @@
</legalnotice>
</articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<section>
<title>Background</title>
@ -265,9 +272,8 @@ ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
<para>In <filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE DISPLAY DESCRIPTION
loc Local Local Zone
</programlisting>
<programlisting>#ZONE TYPE OPTIONS
loc plain</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
@ -285,13 +291,11 @@ loc eth1 192.168.1.255,192.168.20.255 <emphasis role="bold">rout
separate zones and control the access between them (the users of the
systems do not have administrative privileges).</title>
<para>This example applies to Shorewall 1.4.2 and later.</para>
<para>In <filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE DISPLAY DESCRIPTION
loc Local Local Zone 1
loc2 Local2 Local Zone 2</programlisting>
<programlisting>#ZONE TYPE OPTIONS
loc plain
loc2 plain</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-06-01</pubdate>
<pubdate>2005-09-03</pubdate>
<copyright>
<year>2003-2005</year>
@ -34,6 +34,13 @@
</legalnotice>
</articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<para>Beginning with Shorewall version 1.4.8, Shorewall can interface to
ftwall. <emphasis role="bold">ftwall</emphasis> is part of the <ulink
url="http://p2pwall.sourceforge.net">p2pwall project</ulink> and is a
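Review bot: the caution added here ("This article applies to Shorewall 3.0 and later") sits directly above the unchanged sentence "Beginning with Shorewall version 1.4.8, Shorewall can interface to ftwall", which now reads as a leftover; consider dropping the version qualifier from that sentence.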
@ -42,8 +49,9 @@
KazaaLite, iMash and Grokster.</para>
<para>To filter traffic from your <quote>loc</quote> zone with ftwall, you
insert the following rules in /etc/shorewall/rules file after any DROP or
REJECT rules whose source is the <quote>loc</quote> zone.</para>
insert the following rules in the ESTABLISHED section of
/etc/shorewall/rules file after any DROP or REJECT rules whose source is the
<quote>loc</quote> zone.</para>
<programlisting> #ACTION SOURCE DEST PROTO
QUEUE loc net tcp
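Review bot: the rewritten sentence "insert the following rules in the ESTABLISHED section of /etc/shorewall/rules file after any DROP or REJECT rules whose source is the loc zone" is missing "the" before "/etc/shorewall/rules file", and it combines a section placement with a relative ordering without saying whether the DROP or REJECT rules it refers to are themselves in the ESTABLISHED section; a reader following it literally may not know where the QUEUE rules go relative to rules in other sections. Spell out the intended position.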

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-02-22</pubdate>
<pubdate>2005-09-03</pubdate>
<copyright>
<year>2004</year>
@ -485,9 +485,10 @@ rc-update add bridge boot
defined -- one for the internet and one for the local LAN so in
<filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
<programlisting>#ZONE TYPE OPTIONS
fw firewall
net plain
loc plain
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para>A conventional two-zone policy file is appropriate here —
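Review bot: the unchanged sentence above still says "two zones defined -- one for the internet and one for the local LAN", but the new listing has three entries, `fw firewall` / `net plain` / `loc plain`; update the sentence to mention that the firewall zone must now be declared in this file as well.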

View File

@ -196,8 +196,8 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</command></programlisting>
<para>/etc/shorewall/zones:</para>
<programlisting>#ZONE IPSEC OPTIONS IN OPTIONS OUT OPTIONS
dyn No</programlisting>
<programlisting>#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
dyn plain</programlisting>
<para>/etc/shorewall/interfaces:</para>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-05-26</pubdate>
<pubdate>2005-09-03</pubdate>
<copyright>
<year>2001-2005</year>
@ -34,6 +34,13 @@
</legalnotice>
</articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<section id="Introduction">
<title>Introduction</title>
@ -123,63 +130,28 @@
instructions and some contain default entries.</para>
<para>Shorewall views the network where it is running as being composed of
a set of zones. In the default installation, the following zone names are
used:</para>
<table>
<title>Zones</title>
<tgroup cols="2">
<tbody>
<row>
<entry align="left"><emphasis role="bold">Name</emphasis></entry>
<entry align="left" role="underline"><emphasis
role="bold">Description</emphasis></entry>
</row>
<row>
<entry>net</entry>
<entry>The Internet</entry>
</row>
<row>
<entry>loc</entry>
<entry>Your Local Network</entry>
</row>
<row>
<entry>dmz</entry>
<entry>Demilitarized Zone</entry>
</row>
</tbody>
</tgroup>
</table>
a set of zones. </para>
<para>Zones are defined in the file <filename><ulink
url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink></filename>.</para>
<important>
<para>Beginning with Shorewall 2.2.0, the
<filename>/etc/shorewall/zones</filename> file included in the release
is empty. You can create the above set of zones by copying and pasting
the following into the file:</para>
<para>The <filename>/etc/shorewall/zones</filename> file included in the
release is empty. You can create a standard set of zones by copying and
pasting the following into the file:</para>
<programlisting>net Net Internet
loc Local Local networks
dmz DMZ Demilitarized zone</programlisting>
<programlisting>#ZONE TYPE OPTIONS
fw firewall
net plain
loc plain
dmz plain</programlisting>
</important>
<para>Shorewall also recognizes the firewall system as its own zone - by
default, the firewall itself is known as <emphasis
role="bold">fw</emphasis> but that may be changed in the <ulink
url="Documentation.htm#Config"><filename>/etc/shorewall/shorewall.conf</filename></ulink>
file. In this guide, the default name (<emphasis
role="bold">fw</emphasis>) will be used. With the exception of <emphasis
role="bold">fw</emphasis>, Shorewall attaches absolutely no meaning to
<para>Note that Shorewall recognizes the firewall system as its own zone -
The above example follows the usual convention of naming the Firewall zone
<emphasis role="bold">fw</emphasis>. In this guide, the name <emphasis
role="bold">fw</emphasis> will be used. With the exception of the name
assigned to the firewall zone, Shorewall attaches absolutely no meaning to
zone names. Zones are entirely what YOU make of them. That means that you
should not expect Shorewall to do something special <quote>because this is
the internet zone</quote> or <quote>because that is the
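Review bot: the new paragraph "Note that Shorewall recognizes the firewall system as its own zone - The above example follows the usual convention of naming the Firewall zone fw" runs two sentences together with a hyphen and a capitalised "The"; split it with a full stop and lower-case "firewall". The unchanged `<filename><ulink url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink></filename>` just above nests `<filename>` inside `<filename>`, and "a set of zones. </para>" carries a trailing space; both are worth cleaning while this region is being edited.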