diff --git a/Shorewall-docs/Documentation.htm b/Shorewall-docs/Documentation.htm index b44a0319f..8964733a5 100644 --- a/Shorewall-docs/Documentation.htm +++ b/Shorewall-docs/Documentation.htm @@ -9,11 +9,17 @@ - + -

Shorewall 1.3 Reference

+ + + + +
+

Shorewall 1.3 Reference

+
@@ -120,26 +126,14 @@ Shorewall programs

Example:

-
- 
NET_IF=eth0
-NET_BCAST=130.252.100.255
-NET_OPTIONS=noping,norfc1918
-
- -


- Example (/etc/shorewall/interfaces record):

- -
- 
net $NET_IF $NET_BCAST $NET_OPTIONS
-
- -

The result will be the same as if the record had been written

- -
- 
net eth0 130.252.100.255 noping,norfc1918
-
- -

Variables may be used anywhere in the + 

 	NET_IF=eth0
+	NET_BCAST=130.252.100.255
+	NET_OPTIONS=noping,norfc1918
+

Example (/etc/shorewall/interfaces record):

+ 
	net $NET_IF $NET_BCAST $NET_OPTIONS
+

The result will be the same as if the record had been written

+ 
	net eth0 130.252.100.255 noping,norfc1918
+

Variables may be used anywhere in the other configuration files.

@@ -155,7 +149,9 @@ NET_OPTIONS=noping,norfc1918 length and consist of lower-case letters or numbers. Short names must begin with a letter and the name assigned to the firewall is reserved for use by Shorewall itself. Note that the output produced by iptables is much easier to read if you select short names that -are three characters or less in length. +are three characters or less in length. The name "all" may not be used as + a zone name nor may the zone name assigned to the firewall itself via the FW + variable in /etc/shorewall/shorewall.conf.
  • DISPLAY - The name of the zone as displayed during Shorewall startup.
  • @@ -1989,6 +1985,12 @@ a development snapshot as patching with version 1.9 results in kernel compilat

    This file is used to set the following firewall parameters:

      +
    • FORWARDPING - Added in Version 1.3.7
      + When set to "Yes" or "yes", ICMP echo-request (ping) packets from interfaces + that specify "filterping" are ACCEPTed by the firewall. When set to "No" or + "no", such ping requests are silently dropped unless they are handled by an + explicit entry in the rules file. If not specified, "No" + is assumed.
    • LOGNEWNOTSYN - Added in Version 1.3.6
      Beginning with version 1.3.6, Shorewall drops non-SYN TCP packets that are not part of an existing connection. If you would like to log these packets, @@ -2104,7 +2106,10 @@ starts, it will create the directory. Example: STATEDIR=/tmp/shorewall. + /etc/shorewall/rules ("related" given as the protocol). If you specify + ALLOWRELATED=No, you will need to include rules in + /etc/shorewall/icmpdef to + handle common ICMP packet types.
    • MODULESDIR
      This parameter specifies the directory where your kernel netfilter @@ -2689,7 +2694,7 @@ by Shorewall, you must have mangle support enabled - Updated 8/14/2002 - Tom + Updated 8/22/2002 - Tom Eastep

      diff --git a/Shorewall-docs/Documentation_Index.htm b/Shorewall-docs/Documentation_Index.htm index 6e2c831ae..60fcdafc8 100644 --- a/Shorewall-docs/Documentation_Index.htm +++ b/Shorewall-docs/Documentation_Index.htm @@ -6,7 +6,6 @@ The Documentation Index - diff --git a/Shorewall-docs/FAQ.htm b/Shorewall-docs/FAQ.htm index 951f9d91c..caaaa7527 100644 --- a/Shorewall-docs/FAQ.htm +++ b/Shorewall-docs/FAQ.htm @@ -6,79 +6,86 @@ Shorewall FAQ - + -

      Shorewall FAQs

      -

      About Shorewall

      -
      -

      Why do you call it "Shorewall"?

      -

      What distributions does it work with?

      -

      What features does it support?

      -

      Why isn't there a GUI?

      -
      -

      Filtering

      -
      -

      I'm connected via a cable modem and it has an -internel web server that allows me to configure/monitor it but as expected if I -enable rfc1918 blocking for my eth0 interface, it also blocks the cable modems -web server.

      -

      Even though it assigns public IP addresses, my -ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on my -external interface, my DHCP client cannot renew its lease.

      -

      I just used an online port scanner to check my -firewall and it shows some ports as 'closed' rather than 'blocked'. Why?

      -

      I just ran an nmap UDP scan of my firewall and -it showed 100s of ports as open!!!!

      -
      -

      Port Forwarding

      -
      -

      I want to forward UDP port 7777 to my my personal PC with IP -address 192.168.1.5. I've looked everywhere and can't find how to do it.

      -

      Ok -- I followed those instructions but it -doesn't work.

      -

      I port forward www requests to www.mydomain.com (IP -130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse -http://www.mydomain.com but internal clients can't.

      -

      I have a zone "Z" with an RFC1918 subnet and I -use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot -communicate with each other using their external (non-RFC1918 addresses) so they -can't access each other using their DNS names.

      -
      -

      Applications

      -
      -

      I want to use Netmeeting with Shorewall. What do I do?

      -
      -

      Connection Problems

      -
      -

      I've installed Shorewall and now I can't ping through the -firewall

      -

      My local systems can't see out to the net

      -
      -

      Logging

      -
      -

      Where are the log messages written and  -how do I change the destination?

      -

      Shorewall is writing log messages all over my -console making it unusable!

      -

      Are there any log parsers that work with -Shorewall?

      -
      -

      Starting and stopping the firewall

      -
      -

      When I stop Shorewall using 'shorewall stop', -I can't connect to anything. Why doesn't that command work?

      -

      When I try to start Shorewall on RedHat 7.x, I + + + + +
      +

      Shorewall FAQs

      +
      + +

      1.  I want to forward UDP +port 7777 to my my personal PC with IP address 192.168.1.5. I've looked +everywhere and can't find how to do it.

      +

      1a. Ok -- I followed those instructions +but it doesn't work.

      +

      2. I port forward www requests to www.mydomain.com (IP +130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse +http://www.mydomain.com but internal clients can't.

      +

      2a. I have a zone "Z" with an RFC1918 +subnet and I use static NAT to assign non-RFC1918 addresses to hosts in +Z. Hosts in Z cannot communicate with each other using their external +(non-RFC1918 addresses) so they can't access each other using their DNS +names.

      + +

      3. I want to use Netmeeting with +Shorewall. What do I do?

      +

      4. I just used an online port scanner to +check my firewall and it shows some ports as 'closed' rather than 'blocked'. +Why?

      +

      4a. I just ran an nmap UDP scan +of my firewall and it showed 100s of ports as open!!!!

      +

      5. I've installed Shorewall and now I +can't ping through the firewall

      + +

      6. Where are the log messages +written and  how do I change the destination?

      + +

      6a. Are there any log parsers +that work with Shorewall?

      + +

      7. When I stop Shorewall using +'shorewall stop', I can't connect to anything. Why doesn't that command +work?

      + +

      8. When I try to start Shorewall on RedHat 7.x, I get messages about insmod failing -- what's wrong?

      -

      Why can't Shorewall detect my interfaces -properly?

      -
      -

      Design

      -
      -

      Why does Shorewall only accept IP addresses as + +

      9. Why does Shorewall only accept IP addresses as opposed to FQDNs?

      + +

      10. What distributions does it +work with?

      + +

      11. What features does it +support?

      + +

      12. Why isn't there a GUI

      + +

      13. Why do you call it "Shorewall"?

      +

      14. I'm connected via a cable modem and it has an internel +web server that allows me to configure/monitor it but as expected if I enable +rfc1918 blocking for my eth0 interface, it also blocks the cable modems +web server.

      +

      14a. Even though it assigns public IP +addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 +filtering on my external interface, my DHCP client cannot renew its lease.

      + +

      15. My local systems can't see out to +the net

      + +

      16. Shorewall is writing log messages +all over my console making it unusable!

      + +

      17. Why can't Shorewall detect my +interfaces properly?

      +
      +

       

      1. I want to forward UDP port 7777 to my my personal PC with IP @@ -556,11 +563,10 @@ over my console making it unusable!

      Answer: The above output is perfectly normal. The Net zone is defined as all hosts that are connected through eth0 and the local - zone is defined as all hosts connected through eth1. -

      + zone is defined as all hosts connected through eth1.

      Last updated -7/31/2002 - Tom +8/15/2002 - Tom Eastep

      Copyright diff --git a/Shorewall-docs/GnuCopyright.htm b/Shorewall-docs/GnuCopyright.htm index 7b70f73ff..9edd1c7ae 100644 --- a/Shorewall-docs/GnuCopyright.htm +++ b/Shorewall-docs/GnuCopyright.htm @@ -6,12 +6,17 @@ Copyright - -

      GNU Free Documentation License

      + + + + +
      +

      GNU Free Documentation License

      +

      Version 1.1, March 2000 

      Copyright (C) 2000  Free Software Foundation, Inc.
 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
diff --git a/Shorewall-docs/IPIP.htm b/Shorewall-docs/IPIP.htm
index f0c80a4f7..c8c0e7a75 100644
--- a/Shorewall-docs/IPIP.htm
+++ b/Shorewall-docs/IPIP.htm
@@ -5,11 +5,16 @@
 GRE/IPIP Tunnels
 
 
-
 
 
 
-
      GRE and IPIP Tunnels
      
+
+  
+    
+  
+
      
+    
      GRE and IPIP Tunnels
      
+    
      
 
      Warning: GRE and IPIP Tunnels are insecure when used
 over the internet; use them at your own risk
      
 
      GRE and IPIP tunneling with Shorewall requires iproute2 and can be used to bridge two masqueraded networks. GRE
diff --git a/Shorewall-docs/IPSEC.htm b/Shorewall-docs/IPSEC.htm
index 2c827b29c..fee400531 100644
--- a/Shorewall-docs/IPSEC.htm
+++ b/Shorewall-docs/IPSEC.htm
@@ -10,10 +10,15 @@
   
          
    
-  
-
+  
  
- 
      IPSEC Tunnels
      
+ 
+   
+     
+   
+ 
      
+     
      IPSEC Tunnels
      
+     
      
  
      Configuring FreeS/Wan
      
 There is an excellent guide to configuring IPSEC tunnels at
  http://jixen.tripod.com
@@ -113,8 +118,28 @@ on system B, we would have:
      +

      You need to define a zone for the remote subnet or include + it in your local zone. In this example, we'll assume that you have created a + zone called "vpn" to represent the remote subnet.

      + +
      + + + + + + + + + + + + +
      ZONEDISPLAYCOMMENTS
      vpnVPNRemote Subnet
      +
      +

      At both -systems, ipsec0 would be included in /etc/shorewall/interfaces as a "gw" +systems, ipsec0 would be included in /etc/shorewall/interfaces as a "vpn" interface:

      @@ -131,7 +156,7 @@ interface:

      OPTIONS - gw + vpn ipsec0     @@ -140,7 +165,7 @@ interface:

      -

      You will need to allow traffic between the "gw" zone and +

      You will need to allow traffic between the "vpn" zone and the "loc" zone -- if you simply want to admit all traffic in both directions, you can use the policy file:

      @@ -155,13 +180,13 @@ interface:

      loc - gw + vpn ACCEPT   - gw + vpn loc ACCEPT   @@ -188,6 +213,26 @@ be able to establish a secure connection back to your local network.

      +

      You need to define a zone for the laptop or include it in + your local zone. In this example, we'll assume that you have created a zone + called "vpn" to represent the remote host.

      + +
      + + + + + + + + + + + + +
      ZONEDISPLAYCOMMENTS
      vpnVPNRemote Subnet
      +
      +

      In this instance, the mobile system (B) has IP address 134.28.54.2 but that cannot be determined in advance. In the /etc/shorewall/tunnels file on system A, @@ -210,15 +255,14 @@ the following entry should be made:

      ipsec net 0.0.0.0/0 - gw + vpn

      Note that the GATEWAY -ZONE column contains the name of the zone corresponding to peer subnetworks -(gw in the default /etc/shorewall/zones). This indicates that the +ZONE column contains the name of the zone corresponding to peer subnetworks. This indicates that the gateway system itself comprises the peer subnetwork; in other words, the remote gateway is a standalone system.

      @@ -228,7 +272,7 @@ remote gateway is a standalone system.

      Last -updated 5/18/2002 - +updated 8/20/2002 - Tom Eastep

      diff --git a/Shorewall-docs/Install.htm b/Shorewall-docs/Install.htm index 321ae6156..468f4b2e7 100644 --- a/Shorewall-docs/Install.htm +++ b/Shorewall-docs/Install.htm @@ -5,10 +5,16 @@ Shorewall Installation - -

      Shorewall Installation

      + + + + + +
      +

      Shorewall Installation

      +

      Install using RPM
      Install diff --git a/Shorewall-docs/NAT.htm b/Shorewall-docs/NAT.htm index 6c7d6dadc..c72bf1388 100644 --- a/Shorewall-docs/NAT.htm +++ b/Shorewall-docs/NAT.htm @@ -5,13 +5,18 @@ Shorewall NAT -

      -

      Static NAT

      + + + + +
      +

      Static NAT

      +

      IMPORTANT: If all you want to do is forward ports to servers behind your firewall, you do NOT want to use static NAT. Port forwarding can be accomplished with simple entries in the diff --git a/Shorewall-docs/News.htm b/Shorewall-docs/News.htm index bd6842fa3..78ec4d63d 100644 --- a/Shorewall-docs/News.htm +++ b/Shorewall-docs/News.htm @@ -5,13 +5,42 @@ Shorewall News - -

      Shorewall News Archive

      + + + + +
      +

      Shorewall News Archive

      +
      +

      8/22/2002 - Shorewall 1.3.7 Released 8/13/2002

      + +

      Features in this release include:

      + +       + +

      I would like to thank John Distler for his valuable input regarding TCP SYN + and ICMP treatment in Shorewall. That input has led to marked improvement in + Shorewall in the last two releases.

      +

      8/13/2002 - Documentation in the CVS Repository

      The Shorewall-docs project now contains just the HTML and image files - the @@ -995,7 +1024,7 @@ version:

      additional "gw" (gateway) zone for tunnels and it supports IPSEC tunnels with end-points on the firewall. There is also a .lrp available now.

      -

      Updated 8/13/2002 - Tom +

      Updated 8/22/2002 - Tom Eastep

      diff --git a/Shorewall-docs/PPTP.htm b/Shorewall-docs/PPTP.htm index 0bcf7ba44..b8a61e6c4 100644 --- a/Shorewall-docs/PPTP.htm +++ b/Shorewall-docs/PPTP.htm @@ -6,12 +6,17 @@ Shorewall PPTP - -

      PPTP

      + + + + +
      +

      PPTP

      +

      Shorewall easily supports PPTP in a number of configurations:

        diff --git a/Shorewall-docs/ProxyARP.htm b/Shorewall-docs/ProxyARP.htm index d87c18d34..c42ae0a9d 100644 --- a/Shorewall-docs/ProxyARP.htm +++ b/Shorewall-docs/ProxyARP.htm @@ -5,27 +5,37 @@ Shorewall Proxy ARP - + -
        -

        Proxy ARP

        -

         

        + + + + +
        +

        Proxy ARP

        +

        Proxy ARP allows you to insert a firewall in front of a set of servers without changing their IP addresses and without having to re-subnet.

        The following figure represents a Proxy ARP environment.

        + +

        -

        +

        +
        +

        Proxy ARP can be used to make the systems with addresses 130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) subnet.  Assuming that the upper firewall interface is eth0 and the lower interface is eth1, this is accomplished using the following entries in /etc/shorewall/proxyarp:

        + +
        @@ -46,6 +56,8 @@
        ADDRESSno
        +
        +

        Be sure that the internal systems (130.242.100.18 and 130.252.100.19  in the above example) are not included in any specification in /etc/shorewall/masq or /etc/shorewall/nat.

        @@ -56,7 +68,7 @@ Firewall system's eth0 is configured.

        A word of warning is in order here. ISPs typically configure - there routers with a long ARP cache timeout. If you move a system from + their routers with a long ARP cache timeout. If you move a system from parallel to your firewall to behind your firewall with Proxy ARP, it will probably be HOURS before that system can communicate with the internet. You can call your ISP and ask them to purge the stale ARP cache entry but many @@ -86,9 +98,8 @@ was the MAC address of the system on the lower left. In other words, the gateway's ARP cache still associates 130.252.100.19 with the NIC in that system rather than with the firewall's eth0.

        -
        -

        Last updated 8/11/2002 - +

        Last updated 8/17/2002 - Tom Eastep

        Copyright diff --git a/Shorewall-docs/Shorewall_index_frame.htm b/Shorewall-docs/Shorewall_index_frame.htm index 8fefa6838..707727ca4 100644 --- a/Shorewall-docs/Shorewall_index_frame.htm +++ b/Shorewall-docs/Shorewall_index_frame.htm @@ -7,47 +7,70 @@ Shorewall Index - + - -
        +

        Shorewall
        - - - +
      • Slovak Republic
        • +
      • Texas, USA
        • +
      • Germany
        • +
      • Argentina
        • + + + + +
          -Home
        -Shorewall 1.2 Home
        -Features
        -Requirements
        -Download
        -QuickStart Guides
        -Installation/Upgrade
        - /Configuration
        -Documentation
        -Reference Manual
        -FAQs
        -Troubleshooting
        -Errata
        -Support
        -Mailing Lists
        +         		+
        diff --git a/Shorewall-docs/blacklisting_support.htm b/Shorewall-docs/blacklisting_support.htm index c27da0af8..d6f57f189 100644 --- a/Shorewall-docs/blacklisting_support.htm +++ b/Shorewall-docs/blacklisting_support.htm @@ -6,12 +6,17 @@ Blacklisting Support - -

        Blacklisting Support

        + + + + +
        +

        Blacklisting Support

        +

        Shorewall supports two different forms of blacklisting; static and dynamic.

        Static Blacklisting

        Shorewall diff --git a/Shorewall-docs/configuration_file_basics.htm b/Shorewall-docs/configuration_file_basics.htm index c08ba2dca..7071256c0 100644 --- a/Shorewall-docs/configuration_file_basics.htm +++ b/Shorewall-docs/configuration_file_basics.htm @@ -6,12 +6,17 @@ Configuration File Basics - -

        Configuration Files

        + + + + +
        +

        Configuration Files

        +

        Warning: If you copy or edit your configuration files on a system running Microsoft Windows, you must run them through diff --git a/Shorewall-docs/copyright.htm b/Shorewall-docs/copyright.htm index 2330511e6..b4af82bdd 100644 --- a/Shorewall-docs/copyright.htm +++ b/Shorewall-docs/copyright.htm @@ -6,12 +6,17 @@ Copyright - -

        Copyright

        + + + + +
        +

        Copyright

        +

        Copyright ©  2000, 2001 Thomas M Eastep
         

        diff --git a/Shorewall-docs/dhcp.htm b/Shorewall-docs/dhcp.htm index 4e68f8043..c66b6fe65 100644 --- a/Shorewall-docs/dhcp.htm +++ b/Shorewall-docs/dhcp.htm @@ -6,12 +6,17 @@ DHCP - -

        DHCP

        + + + + +
        +

        DHCP

        +

        DHCP Server on your firewall

        • diff --git a/Shorewall-docs/download.htm b/Shorewall-docs/download.htm index fd531673a..73418d31b 100644 --- a/Shorewall-docs/download.htm +++ b/Shorewall-docs/download.htm @@ -6,12 +6,17 @@ Download - -

          Shorewall Download

          + + + + +
          +

          Shorewall Download

          +

          I strongly urge you to read and print a copy of the Shorewall QuickStart Guide @@ -61,7 +66,7 @@ AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS REQUIRED FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.

          -

          Download Latest Version (1.3.6): Remember that updates to the mirrors +

          Download Latest Version (1.3.7): Remember that updates to the mirrors occur 1-12 hours after an update to the primary site.

          @@ -211,7 +216,7 @@ Shorewall component. There's no guarantee that what you find there will work at all.

          -

          Last Updated 8/05/2002 - Tom +

          Last Updated 8/22/2002 - Tom Eastep

          Copyright diff --git a/Shorewall-docs/errata.htm b/Shorewall-docs/errata.htm index a3905ae22..6adf735d5 100644 --- a/Shorewall-docs/errata.htm +++ b/Shorewall-docs/errata.htm @@ -10,15 +10,19 @@ - + -

          Shorewall Errata/Upgrade Issues

          +
          + + + +
          +

          Shorewall Errata/Upgrade Issues

          +

          - - - IMPORTANT

          + IMPORTANT

          1. @@ -86,6 +90,53 @@ dos2unix

            Upgrade Issues

            +

            Version >= 1.3.7

            + +

            Users specifying ALLOWRELATED=No in + /etc/shorewall.conf will need to include the + following rules in their /etc/shorewall/icmpdef + file (creating this file if necessary):

            + + 
            	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
+	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
+	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
+	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
+	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
            +

            Users having an /etc/shorewall/icmpdef file may remove the ". + /etc/shorewall/icmp.def" command from that file since the icmp.def file is now + empty.

            +

            Upgrading Bering to + Shorewall >= 1.3.3

            + +

            To properly upgrade with Shorewall version + 1.3.3 and later:

            + +
              +
            1. Be sure you have a backup -- you will need + to transcribe any Shorewall configuration + changes that you have made to the new + configuration.
              2. +
            2. Replace the shorwall.lrp package provided on + the Bering floppy with the later one. If you did + not obtain the later version from Jacques's + site, see additional instructions below.
              3. +
            3. Edit the /var/lib/lrpkg/root.exclude.list + file and remove the /var/lib/shorewall entry if + present. Then do not forget to backup root.lrp !
              4. +
            +

            The .lrp that I release isn't set up for a two-interface firewall like + Jacques's. You need to follow the instructions for + setting up a two-interface firewall plus you also need to add the following + two Bering-specific rules to /etc/shorewall/rules:

            +
            + 
            # Bering specific rules:
+# allow loc to fw udp/53 for dnscache to work
+# allow loc to fw tcp/80 for weblet to work
+#
+ACCEPT loc fw udp 53
+ACCEPT loc fw tcp 80
            +
            +

            Version >= 1.3.6

            If you have a pair of firewall systems configured for @@ -144,6 +195,38 @@ dos2unix

            Problems in Version 1.3

            +

            Version 1.3.6

            + +
              +
            • + +

              If ADD_SNAT_ALIASES=Yes is specified in + /etc/shorewall/shorewall.conf, an error occurs when the firewall + script attempts to add an SNAT alias.

              • +
            • + +

              The logunclean and dropunclean options + cause errors during startup when Shorewall is run with iptables 1.2.7.

              • +
            + +

            These problems are fixed in + + this correct firewall script which must be installed in + /var/lib/shorewall/ as described above. These problems are also + corrected in version 1.3.7.

            + +

            Two-interface Samples 1.3.6 (file two-interfaces.tgz)

            + +

            A line was inadvertently deleted from the "interfaces + file" -- this line should be added back in if the version that you + downloaded is missing it:

            + +

            net    eth0    detect    + routefilter,dhcp,norfc1918

            + +

            If you downloaded two-interfaces-a.tgz then the above + line should already be in the file.

            +

            Version 1.3.5-1.3.5b

            The new 'proxyarp' interface option doesn't work :-( @@ -289,8 +372,7 @@ you are currently running RedHat 7.1, you can install either of these RPMs

            Update 11/9/2001: RedHat has - released an iptables-1.2.4 RPM of their own which you can download from - + released an iptables-1.2.4 RPM of their own which you can download from http://www.redhat.com/support/errata/RHSA-2001-144.html. I have installed this RPM on my firewall and it works fine.

            @@ -357,21 +439,25 @@ Aborted (core dumped)

            Upgrading: rpm -Uvh <shorewall rpm>

            -

            Problems with - iptables version 1.2.7 and MULTIPORT=Yes

            +

            Problems with + iptables version 1.2.7 and MULTIPORT=Yes

            The iptables 1.2.7 release of iptables has made an incompatible change to the syntax used to specify multiport match rules; as a consequence, - users who install iptables 1.2.7 must set - MULTIPORT=No in /etc/shorewall/shorewall.conf or - install - - this firewall script in /var/lib/shorewall/firewall - as described above.

            + if you install iptables 1.2.7 you must

            -

            - Last updated 8/14/2002 - +

              +
            • set MULTIPORT=No in + /etc/shorewall/shorewall.conf; or
              • +
            • if you are running Shorewall 1.3.6 you may + install + + this firewall script in /var/lib/shorewall/firewall + as described above.
              • +
            +

            + Last updated 8/22/2002 - Tom Eastep

            Copyright diff --git a/Shorewall-docs/errata_1.htm b/Shorewall-docs/errata_1.htm index c6b5123a1..b64dc819a 100644 --- a/Shorewall-docs/errata_1.htm +++ b/Shorewall-docs/errata_1.htm @@ -6,12 +6,17 @@ Shorewall Errata for Version 1 - -

            Shorewall Errata for Version 1.1

            + + + + +
            +

            Shorewall Errata for Version 1.1

            +

            To those of you who downloaded the 1.1.13 updated firewall script prior to Sept 20, 2001:

            diff --git a/Shorewall-docs/errata_2.htm b/Shorewall-docs/errata_2.htm index 11355f3a7..29250ef7d 100644 --- a/Shorewall-docs/errata_2.htm +++ b/Shorewall-docs/errata_2.htm @@ -10,10 +10,15 @@ - - + -

            Shorewall 1.2 Errata

            + + + + +
            +

            Shorewall 1.2 Errata

            +

            diff --git a/Shorewall-docs/fallback.htm b/Shorewall-docs/fallback.htm index 843fa0682..b3219c5e1 100644 --- a/Shorewall-docs/fallback.htm +++ b/Shorewall-docs/fallback.htm @@ -5,12 +5,19 @@ Shorewall Fallback and Uninstall - -

            Fallback and Uninstall

            + + + + +
            + +

            Fallback and Uninstall

            + +

            Shorewall includes a fallback script diff --git a/Shorewall-docs/gnu_mailman.htm b/Shorewall-docs/gnu_mailman.htm index 94a1aa0bd..702ff74be 100644 --- a/Shorewall-docs/gnu_mailman.htm +++ b/Shorewall-docs/gnu_mailman.htm @@ -6,13 +6,20 @@ GNU Mailman - -

            GNU Mailman/Postfix
            -the Easy Way

            + + + + +
            +

            GNU Mailman/Postfix +the Easy Way

            +
            + +

             

            The following was posted on the Postfix mailing list on 5/4/2002 by Michael Tokarev as a suggested addition to the Postfix FAQ.

            Q: Mailman does not work with Postfix, complaining about GID mismatch
            diff --git a/Shorewall-docs/index.htm b/Shorewall-docs/index.htm index b140d6f58..6bf808fdb 100644 --- a/Shorewall-docs/index.htm +++ b/Shorewall-docs/index.htm @@ -5,10 +5,9 @@ Shoreline Firewall - - + diff --git a/Shorewall-docs/kernel.htm b/Shorewall-docs/kernel.htm index 9c3e2dab0..175527399 100644 --- a/Shorewall-docs/kernel.htm +++ b/Shorewall-docs/kernel.htm @@ -5,11 +5,16 @@ <title>Shorewall Kernel Configuration</title> <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> -<h1 align="center">Kernel Configuration</h1> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Kernel Configuration</font></h1> + </td> + </tr> +</table> <p>For information regarding configuring and building GNU/Linux kernels, see <a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p> <p>Here's a screen shot of my Network Options Configuration:</p> <blockquote> diff --git a/Shorewall-docs/mailing_list.htm b/Shorewall-docs/mailing_list.htm index b5faeb2e0..7a0d25340 100644 --- a/Shorewall-docs/mailing_list.htm +++ b/Shorewall-docs/mailing_list.htm @@ -11,12 +11,14 @@ <body> -<h1 align="center"><a href="http://www.gnu.org/software/mailman/mailman.html"> -<img border="0" src="images/logo-sm.jpg" align="left" width="110" height="35"></a>Shorewall Mailing Lists</h1> - -<p align="left">&nbsp;<a href="http://www.postfix.org/"><img src="images/small-picture.gif" align="left" width="115" height="45"></a> </p> - -<h2 align="left">&nbsp;</h2> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><a href="http://www.gnu.org/software/mailman/mailman.html"> +<img border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" height="35"></a><a href="http://www.postfix.org/"><img src="images/small-picture.gif" align="right" border="0" width="115" height="45"></a><font color="#FFFFFF">Shorewall Mailing Lists</font></h1> + </td> + </tr> +</table> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.</p> diff --git a/Shorewall-docs/mailing_list_problems.htm b/Shorewall-docs/mailing_list_problems.htm index 167b74a39..4c76f9a6d 100644 --- a/Shorewall-docs/mailing_list_problems.htm +++ b/Shorewall-docs/mailing_list_problems.htm @@ -6,12 +6,17 @@ <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> <title>Mailing List Problems</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> -<h1 align="center">Mailing List Problems</h1> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Mailing List Problems</font></h1> + </td> + </tr> +</table> <h2 align="left">Shorewall.net is currently experiencing mail delivery problems to at least one address in each of the following domains:</h2> diff --git a/Shorewall-docs/myfiles.htm b/Shorewall-docs/myfiles.htm index d85d5cf6a..d39dd4de6 100644 --- a/Shorewall-docs/myfiles.htm +++ b/Shorewall-docs/myfiles.htm @@ -10,10 +10,16 @@ <meta name="ProgId" content="FrontPage.Editor.Document"> - <meta name="Microsoft Theme" content="boldstri 011, default"> + <meta name="Microsoft Theme" content="none"> </head> <body> - <h1 align="center">About My Network</h1> + <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">About My Network</font></h1> + </td> + </tr> + </table> <blockquote> </blockquote> @@ -116,10 +122,10 @@ interfaces. </p> <h3>Routestopped File:</h3> - <pre> #INTERFACE HOST(S) + <pre><font face="Courier" size="2"> #INTERFACE HOST(S) eth1 206.124.146.177 eth2 - - eth3 206.124.146.180</pre> + eth3 206.124.146.180</font></pre> <h3>Common File: </h3> <pre><font size="2" face="Courier"> . /etc/shorewall/common.def run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP diff --git a/Shorewall-docs/ports.htm b/Shorewall-docs/ports.htm index 5a4d43b72..f205236fe 100644 --- a/Shorewall-docs/ports.htm +++ b/Shorewall-docs/ports.htm @@ -5,10 +5,16 @@ <title>Shorewall Port Information</title> <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> -<body><h1 align="center">Ports required for Various Services/Applications</h1> +<body> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Ports required for Various Services/Applications</font></h1> + </td> + </tr> +</table> <p>In addition to those applications described in <a href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here are some other @@ -95,6 +101,12 @@ services/applications that you may need to configure your firewall to accommodat <p>Traceroute</p> <blockquote> <p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p> +</blockquote> + <p>NFS</p> +<blockquote> + <p>There's some good information at&nbsp; + <a href="http://nfs.sourceforge.net/nfs-howto/security.html"> + http://nfs.sourceforge.net/nfs-howto/security.html</a></p> </blockquote> <p>Didn't find what you are looking for -- have you looked in your own /etc/services file? </p> @@ -103,7 +115,7 @@ services/applications that you may need to configure your firewall to accommodat <a href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p> -<p><font size="2">Last updated 7/30/2002 - </font><font size="2"> +<p><font size="2">Last updated 8/21/2002 - </font><font size="2"> <a href="support.htm">Tom Eastep</a></font> </p> <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> diff --git a/Shorewall-docs/quotes.htm b/Shorewall-docs/quotes.htm index bff768d67..9f3778db2 100644 --- a/Shorewall-docs/quotes.htm +++ b/Shorewall-docs/quotes.htm @@ -6,12 +6,17 @@ <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> <title>Quotes from Shorewall Users</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> -<h1 align="center">Quotes from Shorewall Users</h1> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Quotes from Shorewall Users</font></h1> + </td> + </tr> +</table> <p>&quot;I just installed Shorewall after weeks of messing with diff --git a/Shorewall-docs/samba.htm b/Shorewall-docs/samba.htm index 98d52d9a6..6656b21bf 100644 --- a/Shorewall-docs/samba.htm +++ b/Shorewall-docs/samba.htm @@ -6,12 +6,17 @@ <meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>Samba</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> -<h1 align="center">Samba</h1> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Samba</font></h1> + </td> + </tr> +</table> <p>If you wish to run Samba on your firewall and access shares between the firewall and local hosts, you need the following rules:</p> <h4>/etc/shorewall/rules:</h4> diff --git a/Shorewall-docs/seattlefirewall_index.htm b/Shorewall-docs/seattlefirewall_index.htm index 6db9b5750..81e76436c 100644 --- a/Shorewall-docs/seattlefirewall_index.htm +++ b/Shorewall-docs/seattlefirewall_index.htm @@ -11,7 +11,7 @@ <base target="_self"> - <meta name="Microsoft Theme" content="boldstri 011, default"> + <meta name="Microsoft Theme" content="none"> </head> <body> <table border="0" cellpadding="0" cellspacing="4" style="border-collapse: collapse" width="100%" id="AutoNumber3" bgcolor="#4B017C"> @@ -63,29 +63,53 @@ <h2>News</h2> + <p><b>8/22/2002 - Shorewall 1.3.7 Released 8/13/2002 + <img border="0" src="images/new10.gif" width="28" height="12"> </b></p> + + <p>Features in this release include:</p> + + <ul> + <li>The 'icmp.def' file is now empty! The rules in that file were + required in ipchains firewalls but are not required in Shorewall. Users + who have ALLOWRELATED=No in <a href="Documentation.htm#Conf"> + shorewall.conf</a> should see the <a href="errata.htm#Upgrade">Upgrade + Issues</a>.</li> + <li>A 'FORWARDPING' option has been added to + <a href="Documentation.htm#Conf">shorewall.conf</a>. The effect of + setting this variable to Yes is the same as the effect of adding an + ACCEPT rule for ICMP echo-request in + <a href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>. + Users who have such a rule in icmpdef are encouraged to switch to + FORWARDPING=Yes.</li> + <li>The loopback CLASS A Network (127.0.0.0/8) has been added to the + rfc1918 file.</li> + <li>Shorewall now works with iptables 1.2.7.</li> + <li>The documentation and Web site no longer use FrontPage themes.</li> + </ul> + + <p>I would like to thank John Distler for his valuable input regarding TCP SYN + and ICMP treatment in Shorewall. That input has led to marked improvement in + Shorewall in the last two releases.</p> + <p><b>8/13/2002 - Documentation in the <a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"> - CVS Repository</a> - <img border="0" src="images/new10.gif" width="28" height="12"></b></p> + CVS Repository</a></b></p> <p>The Shorewall-docs project now contains just the HTML and image files - the Frontpage files have been removed.</p> <p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"> - CVS Repository</a> - <img border="0" src="images/new10.gif" width="28" height="12"></b></p> + CVS Repository</a></b></p> <p>This branch will only be updated after I release a new version of Shorewall so you can always update from this branch to get the latest stable tree.</p> <p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section added - to the <a href="errata.htm">Errata Page</a> - <img border="0" src="images/new10.gif" width="28" height="12"></b></p> + to the <a href="errata.htm">Errata Page</a></b></p> <p>Now there is one place to go to look for issues involved with upgrading to recent versions of Shorewall.</p> - <p><b>8/7/2002 - Shorewall 1.3.6 - <img border="0" src="images/new10.gif" width="28" height="12"></b></p> + <p><b>8/7/2002 - Shorewall 1.3.6</b></p> <p>This is primarily a bug-fix rollup with a couple of new features:</p> @@ -126,7 +150,7 @@ </table> <p><font size="2">Updated - 8/13/2002 - <a href="support.htm">Tom Eastep</a> + 8/22/2002 - <a href="support.htm">Tom Eastep</a> </font> diff --git a/Shorewall-docs/shoreline.htm b/Shorewall-docs/shoreline.htm index 039c60ba3..3e6239b7f 100644 --- a/Shorewall-docs/shoreline.htm +++ b/Shorewall-docs/shoreline.htm @@ -10,13 +10,19 @@ <meta name="ProgId" content="FrontPage.Editor.Document"> - <meta name="Microsoft Theme" content="boldstri 011"> + <meta name="Microsoft Theme" content="none"> </head> <body> - <h1 align="Center">Tom Eastep</h1> + <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Tom Eastep</font></h1> + </td> + </tr> + </table> @@ -65,16 +71,15 @@ Washington</a> <p>Our current home network consists of: </p> <ul> - <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs - and LNE100TX (Tulip) NIC - My personal Windows system. This system also has - RH7.3 installed.</li> - <li>PII/266, RH7.3, 320MB RAM, 20GB HD, LNE100TX(Tulip) NIC - My personal - GNU/Linux System which runs Samba configured as a WINS server.</li> - <li>K6-2/350, RH7.3, 256MB RAM, 8GB IDE HD, EEPRO100 NIC  + <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs and LNE100TX + (Tulip) NIC - My personal Windows system.</li> + <li>Celeron 1.4Gz, RH7.3, 256MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My + personal Linux System which runs Samba configured as a WINS server.</li> + <li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server (Bind).</li> - <li>PII/233, RH7.3 with 2.4.19 kernel, 128MB MB RAM, 2GB SCSI HD - 3 - LNE100TX&nbsp; (Tulip) and 1 TLAN NICs&nbsp; - Firewall running Shorewall 1.3.4 and a DHCP + <li>PII/233, RH7.3 with 2.4.19 kernel, 256MB MB RAM, 2GB SCSI HD - 3 + LNE100TX&nbsp; (Tulip) and 1 TLAN NICs&nbsp; - Firewall running Shorewall 1.3.6 and a DHCP server.  Also runs PoPToP for road warrior access.</li> <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's personal system.</li> <li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 and EEPRO100 @@ -83,7 +88,7 @@ in expansion base - My main work system.</li> <p>For more about our network see <a href="myfiles.htm">my Shorewall Configuration</a>.</p> - <p>The PII/266 is made by <a href="http://www.dell.com">Dell</a>. All of our + <p>All of our other systems are made by <a href="http://www.compaq.com">Compaq</a> (part of the new <a href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a href="http://www.netgear.com">Netgear</a> FA310TXs.</p> @@ -93,7 +98,7 @@ in expansion base - My main work system.</li> </font></p> - <p><font size="2">Last updated 8/10/2002 - </font><font size="2"> + <p><font size="2">Last updated 8/16/2002 - </font><font size="2"> <a href="support.htm">Tom Eastep</a></font> </p> <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> diff --git a/Shorewall-docs/shorewall_ca_certificate.htm b/Shorewall-docs/shorewall_ca_certificate.htm index 1241ebdc7..3768f568c 100644 --- a/Shorewall-docs/shorewall_ca_certificate.htm +++ b/Shorewall-docs/shorewall_ca_certificate.htm @@ -6,7 +6,6 @@ <meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>Shorewall CA Certificate</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> diff --git a/Shorewall-docs/shorewall_extension_scripts.htm b/Shorewall-docs/shorewall_extension_scripts.htm index bb81ef009..c8689cdbe 100644 --- a/Shorewall-docs/shorewall_extension_scripts.htm +++ b/Shorewall-docs/shorewall_extension_scripts.htm @@ -6,12 +6,17 @@ <meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>Shorewall Extension Scripts</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> - <h1 align="center">Extension Scripts</h1> + <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Extension Scripts</font></h1> + </td> + </tr> + </table> <p> Extension scripts are user-provided @@ -41,20 +46,10 @@ been processed.</p> - <p>The following two files receive -special treatment:</p> - - <ul> - <li>/etc/shorewall/common -- If this file is present, the rules that it + <p>The /etc/shorewall/common file receives special treatment. If this file is present, the rules that it defines will totally replace the default rules in the common chain. These default rules are contained in the file /etc/shorewall/common.def which - may be used as a starting point for making your own customized file.</li> - <li>/etc/shorewall/icmpdef -- If this file is present, the rules that it - defines will totally replace the default rules in the icmpdef chain. -These default rules are contained in the file /etc/shorewall/icmp.def -which may be used as a starting point for making your own customized -file.</li> -</ul> + may be used as a starting point for making your own customized file.</p> @@ -68,9 +63,8 @@ processing of the command.</p> <p> - If you decide to create /etc/shorewall/common or /etc/shorewall/icmp.def, it - is a good idea to use the following technique (common file shown but the same - technique applies to icmpdef).</p> + If you decide to create /etc/shorewall/common it is a good idea to use the + following technique</p> @@ -80,25 +74,36 @@ processing of the command.</p> <blockquote> - <pre>source /etc/shorewall/common.def + <pre>. /etc/shorewall/common.def &lt;add your rules here&gt;</pre> </blockquote> <p>If you need to supercede a rule in the released common.def file, you can add - the superceding rule before the 'source' command. Using this technique allows + the superceding rule before the '.' command. Using this technique allows you to add new rules while still getting the benefit of the latest common.def file.</p> - <p>Remember that /etc/shorewall/common and /etc/shorewall/icmpdef define rules + <p>Remember that /etc/shorewall/common defines rules that are only applied if the applicable policy is DROP or REJECT. These rules - are NOT applied if the policy is ACCEPT or CONTINUE.<br> -</p> + are NOT applied if the policy is ACCEPT or CONTINUE.</p> -<p align="left"><font size="2">Last updated -8/5/2002 - <a href="support.htm">Tom + <p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will be + rejected by the firewall. It is recommended with this setting that you create + the file /etc/shorewall/icmpdef and in it place the following commands:</p> + + + + <pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT + run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT + run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT + run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT + run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT +</pre> + <p align="left"><font size="2">Last updated +8/22/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p> diff --git a/Shorewall-docs/shorewall_features.htm b/Shorewall-docs/shorewall_features.htm index afd814396..e2dff314f 100644 --- a/Shorewall-docs/shorewall_features.htm +++ b/Shorewall-docs/shorewall_features.htm @@ -6,12 +6,17 @@ <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> <title>Shorewall Features</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> -<h1 align="center">Shorewall Features</h1> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Shorewall Features</font></h1> + </td> + </tr> +</table> <ul> <li>Uses Netfilter's connection tracking facilities for stateful packet filtering.</li> diff --git a/Shorewall-docs/shorewall_firewall_structure.htm b/Shorewall-docs/shorewall_firewall_structure.htm index 89dcfd7b1..ffdfd6b46 100644 --- a/Shorewall-docs/shorewall_firewall_structure.htm +++ b/Shorewall-docs/shorewall_firewall_structure.htm @@ -6,14 +6,19 @@ <meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>Shorewall Firewall Structure</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> - <h1 align="center">Firewall Structure</h1> + <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Firewall Structure</font></h1> + </td> + </tr> + </table> <p> - Shorewall views the network in which it is running as a set of disjoint + Shorewall views the network in which it is running as a set of <i> zones. </i>Shorewall itself defines exactly one zone called "fw" which refers to the firewall system itself . The /etc/shorewall/zones file is used to define additional zones and the example file provided with Shorewall @@ -36,6 +41,21 @@ from the internet and from the DMZ and in some cases, from each other.</li with the exception of the firewall zone, Shorewall itself attaches no meaning to zone names. Zone names are simply labels used to refer to a collection of network hosts.</p> + <p>While zones are normally disjoint (no two zones have a host in common), + there are cases where nested or overlapping zone definitions are appropriate.</p> + <p>Packets entering the firewall first pass through the <i>mangle </i>table's + PREROUTING chain (you can see the mangle table by typing &quot;shorewall show + mangle&quot;). If the packet entered through an interface that has the <b>norfc1918</b> + option, then the packet is sent down the <b>man1918</b>&nbsp; which will drop + the packet if its destination IP address is reserved (as specified in the + /etc/shorewall/rfc1918 file). Next the packet passes through the<b> pretos</b> + chain to set its TOS field as specified in the /etc/shorewall/tos file. + Finally, if traffic control/shaping is being used, the packet is sent through + the<b> tcpre</b> chain to be marked for later use in policy routing or traffic + control.</p> + <p>Next, if the packet isn't part of an established connection, it passes + through the<i> nat</i> table's PREROUTING chain (you can see the nat table by + typing &quot;shorewall show nat&quot;). </p> <p> Traffic entering the firewall is sent to an<i> input </i>chain. If the traffic is destined for the diff --git a/Shorewall-docs/shorewall_index.htm b/Shorewall-docs/shorewall_index.htm index 0624df8b4..bede1c576 100644 --- a/Shorewall-docs/shorewall_index.htm +++ b/Shorewall-docs/shorewall_index.htm @@ -5,7 +5,6 @@ <title>Shoreline Firewall</title> <meta name="GENERATOR" content="Microsoft FrontPage 4.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> -<meta name="Microsoft Theme" content="boldstri 011, default"> <meta name="Microsoft Border" content="none, default"> </head> diff --git a/Shorewall-docs/shorewall_mailing_list_migration.htm b/Shorewall-docs/shorewall_mailing_list_migration.htm index 054eb4a46..d39573fe8 100644 --- a/Shorewall-docs/shorewall_mailing_list_migration.htm +++ b/Shorewall-docs/shorewall_mailing_list_migration.htm @@ -6,12 +6,17 @@ <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> <title>Shorewall Mailing List Migration</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> -<h1 align="center">Shorewall Mailing List Migration</h1> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Shorewall Mailing List Migration</font></h1> + </td> + </tr> +</table> <p align="left">If you are a current subscriber to the Shorewall mailing list at <a href="http://sourceforge.net">Sourceforge</a>, please do the following:</p> <ol> diff --git a/Shorewall-docs/shorewall_mirrors.htm b/Shorewall-docs/shorewall_mirrors.htm index 01bf4e6ff..a99d161ed 100644 --- a/Shorewall-docs/shorewall_mirrors.htm +++ b/Shorewall-docs/shorewall_mirrors.htm @@ -6,12 +6,17 @@ <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> <title>Shorewall Mirrors</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> -<h1 align="center">Shorewall Mirrors</h1> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Shorewall Mirrors</font></h1> + </td> + </tr> +</table> <p align="left"><b>Remember that updates to the mirrors are often delayed for 6-12 hours after an update to the primary site.</b></p> diff --git a/Shorewall-docs/shorewall_prerequisites.htm b/Shorewall-docs/shorewall_prerequisites.htm index 2a3eb83d4..56067978f 100644 --- a/Shorewall-docs/shorewall_prerequisites.htm +++ b/Shorewall-docs/shorewall_prerequisites.htm @@ -6,13 +6,17 @@ <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> <title>Shorewall Prerequisites</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> -<h1 align="center">Shorewall Requirements</h1> -<p align="center">&nbsp;</p> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Shorewall Requirements</font></h1> + </td> + </tr> +</table> <ul> <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.19. <a href="kernel.htm"> Check here for kernel configuration information.</a> diff --git a/Shorewall-docs/shorewall_quickstart_guide.htm b/Shorewall-docs/shorewall_quickstart_guide.htm index 5c3d47df5..bcd097d68 100644 --- a/Shorewall-docs/shorewall_quickstart_guide.htm +++ b/Shorewall-docs/shorewall_quickstart_guide.htm @@ -6,13 +6,19 @@ <meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>Shorewall QuickStart Guide</title> -<meta name="Microsoft Theme" content="boldstri 011"> +<meta name="Microsoft Theme" content="none"> </head> <body> -<h1 align="center">Shorewall QuickStart Guides<br> -Version 3.0</h1> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Shorewall QuickStart Guides<br> +Version 3.0</font></h1> + </td> + </tr> +</table> <p align="center">With thanks to Richard who reminded me once again that we must all first walk before we can run.</p> @@ -69,7 +75,7 @@ explained in the single-address guides above.</p> </ul> <h2><a name="Documentation"></a>Additional Documentation</h2> <p>The following documentation covers a variety of topics and supplements the -QuickStart Guides described above.</p> +<a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described above.</p> <ul> <li><a href="blacklisting_support.htm">Blacklisting</a><ul> <li>Static Blacklisting using /etc/shorewall/blacklist</li> @@ -126,6 +132,7 @@ QuickStart Guides described above.</p> <li><a href="samba.htm">Samba</a></li> <li><font color="#000099"><a href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li> <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li> + <li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li> <li>Tunnels<ul> <li><a href="IPSEC.htm">IPSEC</a></li> <li><a href="IPIP.htm">GRE and IPIP</a></li> diff --git a/Shorewall-docs/shorewall_setup_guide.htm b/Shorewall-docs/shorewall_setup_guide.htm index e99e5abfe..fefe0e2ab 100644 --- a/Shorewall-docs/shorewall_setup_guide.htm +++ b/Shorewall-docs/shorewall_setup_guide.htm @@ -6,7 +6,7 @@ <meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>Shorewall Setup Guide</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> +<meta name="Microsoft Theme" content="none"> </head> <body> @@ -46,6 +46,10 @@ know more about Shorewall than is contained in the guides</a>. Because the range of possible applications is so broad, the Guide will give you general guidelines and will point you to other resources as necessary.</p> +<p><img border="0" src="images/j0213519.gif" width="60" height="60">&nbsp;&nbsp;&nbsp; +If you run LEAF Bering, your Shorewall configuration is NOT what I release -- I +suggest that you consider installing a stock Shorewall lrp from the +shorewall.net site before you proceed.</p> <p>This guide assumes that you have the iproute/iproute2 package installed (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if this package is installed by the presence of an <b>ip</b> program on your firewall @@ -730,6 +734,13 @@ table but if we logically and that address with 255.255.255.0, the result is <pre>192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2</pre> </blockquote> <p>So to route a packet to 192.168.1.5, the packet is sent directly over eth2.</div> +<p align="left">One more thing needs to be emphasized -- all outgoing packet are +sent using the routing table and reply packets are not a special case. There +seems to be a common mis-conception whereby people think that request packets +are like salmon and contain a genetic code that is magically transferred to +reply packets so that the replies follow the reverse route taken by the request. +That isn't the case; the replies may take a totally different route back to the +client than was taken by the requests -- they are totally independent.</p> <h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol</h3> <p align="left">When sending packets over Ethernet, IP addresses aren't used. Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC) @@ -1123,7 +1134,7 @@ Destination Gateway Genmask Flags MSS Window irtt Iface host routes thru eth2 to 192.0.2.177 and 192.0.2.178.</div> <div align="left"> <p align="left">A word of warning is in order here. ISPs typically configure - there routers with a long ARP cache timeout. If you move a system from + their routers with a long ARP cache timeout. If you move a system from parallel to your firewall to behind your firewall with Proxy ARP, it will probably be HOURS before that system can communicate with the internet. You can call your ISP and ask them to purge the stale ARP cache entry but many @@ -2347,11 +2358,11 @@ foobar.net. 86400 IN A 192.0.2.177 test it using the <a href="Documentation.htm#Starting">&quot;shorewall try&quot; command</a>.</div> <p align="left"><font size="2">Last updated -8/10/2002 - <a href="support.htm">Tom +8/18/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p> </body> -</html> +</html> \ No newline at end of file diff --git a/Shorewall-docs/spam_filters.htm b/Shorewall-docs/spam_filters.htm index e78e581f0..b230cdda6 100644 --- a/Shorewall-docs/spam_filters.htm +++ b/Shorewall-docs/spam_filters.htm @@ -6,12 +6,19 @@ <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> <title>SPAM Filters</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> -<h1 align="center">SPAM Filters<br> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">SPAM Filters</font></h1> + </td> + </tr> +</table> + +<h1 align="center"><br> <a href="http://ordb.org"> <img border="0" src="images/but3.png" hspace="3" width="88" height="31"></a></h1> <p>Like all of you, I'm concerned about the increasing volume of Unsolicited diff --git a/Shorewall-docs/standalone.htm b/Shorewall-docs/standalone.htm index b14242d05..c09af0eda 100644 --- a/Shorewall-docs/standalone.htm +++ b/Shorewall-docs/standalone.htm @@ -6,12 +6,19 @@ <meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>Standalone Firewall</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> -<h1 align="center">Standalone Firewall</h1> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber6" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + +<h1 align="center"><font color="#FFFFFF">Standalone Firewall</font></h1> + + </td> + </tr> +</table> <h2 align="center">Version 2.0.1</h2> <p align="left">Setting up Shorewall on a standalone Linux system is very easy if you understand the basics and follow the @@ -93,7 +100,7 @@ file for you).</p> <p>The /etc/shorewall/policy file included with the one-interface sample has the following policies:</p> <blockquote> - <table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber3"> + <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3"> <tr> <td><u><b>SOURCE ZONE</b></u></td> <td><u><b>DESTINATION ZONE</b></u></td> @@ -185,7 +192,7 @@ use in private networks:</p> <p align="left">If you wish to enable connections from the internet to your firewall, the general format is:</div> <div align="left"> <blockquote> - <table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber4"> + <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4"> <tr> <td><u><b>ACTION</b></u></td> <td><u><b>SOURCE</b></u></td> @@ -212,7 +219,7 @@ use in private networks:</p> system:</div> <div align="left"> <blockquote> - <table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber5"> + <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber5"> <tr> <td><u><b>ACTION</b></u></td> <td><u><b>SOURCE</b></u></td> @@ -252,7 +259,7 @@ use in private networks:</p> access to your firewall from the internet, use SSH:</div> <div align="left"> <blockquote> - <table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber4"> + <table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4"> <tr> <td><u><b>ACTION</b></u></td> <td><u><b>SOURCE</b></u></td> diff --git a/Shorewall-docs/starting_and_stopping_shorewall.htm b/Shorewall-docs/starting_and_stopping_shorewall.htm index 89bf70f77..67cc82150 100644 --- a/Shorewall-docs/starting_and_stopping_shorewall.htm +++ b/Shorewall-docs/starting_and_stopping_shorewall.htm @@ -6,14 +6,19 @@ <meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>Starting and Stopping Shorewall</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> - <h1 align="center">Starting/Stopping and Monitoring the Firewall</h1> + <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Starting/Stopping and Monitoring the Firewall</font></h1> + </td> + </tr> + </table> diff --git a/Shorewall-docs/subnet_masks.htm b/Shorewall-docs/subnet_masks.htm index 5eb644ecc..d3d0b3159 100644 --- a/Shorewall-docs/subnet_masks.htm +++ b/Shorewall-docs/subnet_masks.htm @@ -6,12 +6,17 @@ <meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>Subnet Masks</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> -<h1 align="center">Subnet Masks/VLSM Notation</h1> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Subnet Masks/VLSM Notation</font></h1> + </td> + </tr> +</table> <p align="left">IP addresses and subnet masks are 32-bit numbers. The notation w.x.y.z refers to an address where the high-order byte has value &quot;w&quot;, the next byte has value &quot;x&quot;, etc. If we take 255.255.255.0 and express it in diff --git a/Shorewall-docs/support.htm b/Shorewall-docs/support.htm index befd8a1cb..79ce8991f 100644 --- a/Shorewall-docs/support.htm +++ b/Shorewall-docs/support.htm @@ -6,12 +6,18 @@ <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> <title>Support</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> +<meta name="Microsoft Theme" content="none"> </head> <body> -<h1 align="center">Shorewall Support</h1> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Shorewall Support</font></h1> + </td> + </tr> +</table> <h3 align="left">Before Reporting a Problem</h3> <blockquote> @@ -92,7 +98,10 @@ isn't working? For example, if "ssh" isn't able to connect, using the </ul> <h3>Where to Send your Problem Report or to Ask for Help</h3> -<p>Please post your question or problem to the +<h4>If you run Shorewall under Bering -- <span style="font-weight: 400">please +post your question or problem to the +<a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4> +<p>Otherwise, please post your question or problem to the <a href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>; there are lots of folks there who are willing to help you. Your question/problem description and their responses will be placed in the mailing list archives to @@ -107,7 +116,7 @@ to respond promptly to mailing list posts.&nbsp;&nbsp; <a href="mailto:teastep@s <p>To Subscribe to the mailing list go to <a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a> .</p> -<p align="left"><font size="2">Last Updated 8/5/2002 - Tom +<p align="left"><font size="2">Last Updated 8/17/2002 - Tom Eastep</font></p> <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> diff --git a/Shorewall-docs/three-interface.htm b/Shorewall-docs/three-interface.htm index ea100a5b6..ad554638d 100644 --- a/Shorewall-docs/three-interface.htm +++ b/Shorewall-docs/three-interface.htm @@ -6,12 +6,17 @@ <meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>Three-Interface Firewall</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> -<h1 align="center">Three-Interface Firewall</h1> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber5" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Three-Interface Firewall</font></h1> + </td> + </tr> +</table> <h2 align="center">Version 2.0.1</h2> <p align="left">Setting up a Linux system as a firewall for a small network with diff --git a/Shorewall-docs/traffic_shaping.htm b/Shorewall-docs/traffic_shaping.htm index 12e2fc37b..22092ef11 100644 --- a/Shorewall-docs/traffic_shaping.htm +++ b/Shorewall-docs/traffic_shaping.htm @@ -6,12 +6,17 @@ <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> <title>Traffic Shaping</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> -<h1 align="center">Traffic Shaping/Control</h1> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Traffic Shaping/Control</font></h1> + </td> + </tr> +</table> <p align="left">Beginning with version 1.2.0, Shorewall has limited support for traffic shaping/control. In order to use traffic shaping under Shorewall, it is essential that you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing diff --git a/Shorewall-docs/troubleshoot.htm b/Shorewall-docs/troubleshoot.htm index c184d0703..43ae1333e 100644 --- a/Shorewall-docs/troubleshoot.htm +++ b/Shorewall-docs/troubleshoot.htm @@ -10,13 +10,18 @@ <meta name="ProgId" content="FrontPage.Editor.Document"> - <meta name="Microsoft Theme" content="boldstri 011, default"> -</head> + </head> <body> - <h1 align="center">Shorewall Troubleshooting</h1> + <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Shorewall Troubleshooting</font></h1> + </td> + </tr> + </table> diff --git a/Shorewall-docs/two-interface.htm b/Shorewall-docs/two-interface.htm index 3ed7f1775..b8867ba10 100644 --- a/Shorewall-docs/two-interface.htm +++ b/Shorewall-docs/two-interface.htm @@ -6,12 +6,18 @@ <meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>Two-Interface Firewall</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> +<meta name="Microsoft Theme" content="none"> </head> <body> -<h1 align="center">Basic Two-Interface Firewall</h1> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber5" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Basic Two-Interface Firewall</font></h1> + </td> + </tr> +</table> <p align="left">Setting up a Linux system as a firewall for a small network is a fairly straight-forward task if you understand the basics and follow the documentation.</p> @@ -53,8 +59,7 @@ copy before using it with Shorewall.</p> <p>The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple setups, you will only need to deal with a few of these as described in this guide. After you have <a href="Install.htm">installed Shorewall</a>, -download the <a href="/pub/shorewall/LATEST.samples/two-interfaces.tgz"> -two-interface sample</a>, un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall +download the <a href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>, un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall (these files will replace files with the same name).</p> <p>As each file is introduced, I suggest that you look through the actual file on your system -- each file contains detailed diff --git a/Shorewall-docs/whitelisting_under_shorewall.htm b/Shorewall-docs/whitelisting_under_shorewall.htm index d8b9776e6..c0a706c56 100644 --- a/Shorewall-docs/whitelisting_under_shorewall.htm +++ b/Shorewall-docs/whitelisting_under_shorewall.htm @@ -6,12 +6,17 @@ <meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>Whitelisting under Shorewall</title> -<meta name="Microsoft Theme" content="boldstri 011, default"> </head> <body> -<h1 align="center">Whitelisting under Shorewall</h1> +<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> + <tr> + <td width="100%"> + <h1 align="center"><font color="#FFFFFF">Whitelisting under Shorewall</font></h1> + </td> + </tr> +</table> <p align="left">For a brief time, the 1.2 version of Shorewall supported an /etc/shorewall/whitelist file. This file was intended to contain a list of IP addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist file was