forked from extern/shorewall_code
Documentation Updages
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1492 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
e5d42a14a5
commit
7ae14b0e6a
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-07-16</pubdate>
|
||||
<pubdate>2004-07-20</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -243,8 +243,7 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="NAT.htm">One-to-one NAT</ulink> (Formerly referred to
|
||||
as Static NAT)</para>
|
||||
<para><ulink url="NAT.htm">One-to-one NAT</ulink> (Static NAT)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -344,6 +343,10 @@
|
||||
<para><ulink url="Shorewall_Squid_Usage.html">Squid with Shorewall</ulink></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="NAT.htm">Static (one-to-one) NAT</ulink></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="Accounting.html">Traffic Accounting</ulink></para>
|
||||
</listitem>
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-02-14</pubdate>
|
||||
<pubdate>2004-07-22</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -33,10 +33,45 @@
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<para>Proxy ARP allows you to insert a firewall in front of a set of servers
|
||||
without changing their IP addresses and without having to re-subnet. Before
|
||||
you try to use this technique, I strongly recommend that you read the <ulink
|
||||
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>.</para>
|
||||
<para>Proxy ARP (RFC 1027) is a way to make a machine physically located on
|
||||
one network appear to be logically part of a different physical network
|
||||
connected to the same router/firewall. Typically it allows us to hide a
|
||||
machine with a public IP address on a private network behind a router, and
|
||||
still have the machine appear to be on the public network "in front
|
||||
of" the router. The router "proxys" ARP requests and all network
|
||||
traffic to and from the hidden machine to make this fiction possible.</para>
|
||||
|
||||
<para>Consider a router with two interface cards, one connected to a public
|
||||
network PUBNET and one connected to a private network PRIVNET. We want to
|
||||
hide a server machine on the PRIVNET network but have it accessible from the
|
||||
PUBNET network. The IP address of the server machine lies in the PUBNET
|
||||
network, even though we are placing the machine on the PRIVNET network
|
||||
behind the router.</para>
|
||||
|
||||
<para>By enabling proxy ARP on the router, any machine on the PUBNET network
|
||||
that issues an ARP "who has" request for the server's MAC
|
||||
address will get a proxy ARP reply from the router containing the
|
||||
router's MAC address. This tells machines on the PUBNET network that
|
||||
they should be sending packets destined for the server via the router. The
|
||||
router forwards the packets from the machines on the PUBNET network to the
|
||||
server on the PRIVNET network.</para>
|
||||
|
||||
<para>Similarly, when the server on the PRIVNET network issues a "who
|
||||
has" request for any machines on the PUBNET network, the router provides
|
||||
its own MAC address via proxy ARP. This tells the server to send packets for
|
||||
machines on the PUBNET network via the router. The router forwards the
|
||||
packets from the server on the PRIVNET network to the machines on the PUBNET
|
||||
network.</para>
|
||||
|
||||
<para>The proxy ARP provided by the router allows the server on the
|
||||
PRIVNETnetwork to appear to be on the PUBNET network. It lets the router
|
||||
pass ARP requests and other network packets in both directions between the
|
||||
server machine and the PUBNET network, making the server machine appear to
|
||||
be connected to the PUBNET network even though it is on the PRIVNET network
|
||||
hidden behind the router. </para>
|
||||
|
||||
<para>Before you try to use this technique, I strongly recommend that you
|
||||
read the <ulink url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>.</para>
|
||||
|
||||
<section>
|
||||
<title>Example</title>
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-07-03</pubdate>
|
||||
<pubdate>2004-07-21</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2004</year>
|
||||
@ -54,12 +54,14 @@
|
||||
|
||||
<listitem>
|
||||
<para>Even numbered major releases (e.g., 1.4, 2.0, 2.2, ...) are
|
||||
<firstterm>Stable Releases</firstterm>. No new features are added to
|
||||
stable releases and new minor releases of a stable release will only
|
||||
contain bug fixes. Installing a new minor release for the major
|
||||
release that you are currently running involves no migration issues
|
||||
(for example, if you are running 1.4.10 and I release 1.4.11, your
|
||||
current configuration is 100% compatible with the new release).</para>
|
||||
<firstterm>Stable Releases</firstterm>. No major new features are
|
||||
added to stable releases and new minor releases of a stable release
|
||||
will only contain bug fixes and simple low-risk enhancements.
|
||||
Installing a new minor release for the major release that you are
|
||||
currently running involves no migration issues unless you want to take
|
||||
advantage of an enhancement (for example, if you are running 1.4.10
|
||||
and I release 1.4.11, your current configuration is 100% compatible
|
||||
with the new release).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -123,9 +125,9 @@
|
||||
<section>
|
||||
<title>Old Release Model</title>
|
||||
|
||||
<para>This release model described above was adopted on 2003-07-03. Prior
|
||||
to that time, a different release model was followed. Highlights of that
|
||||
model were:</para>
|
||||
<para>This release model described above was adopted on 2004-07-03 and
|
||||
modified 2004-07-21. Prior to 2004-07-03, a different release model was
|
||||
followed. Highlights of that model were:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
@ -134,9 +136,9 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>New functionality was added in minor releases of the current
|
||||
major release. There was no concept of Stable vs Development major
|
||||
releases.</para>
|
||||
<para>Major new functionality was added in minor releases of the
|
||||
current major release. There was no concept of Stable vs Development
|
||||
major releases.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -144,8 +146,8 @@
|
||||
of a major release and had identifications of the form
|
||||
<emphasis>x.y.zX</emphasis> (e.g., 2.0.3c) where <emphasis>X</emphasis>=1,b,c,...
|
||||
. Consequently, if a user required a bug fix but was not running the
|
||||
last minor release of the associated major release then it was
|
||||
necessary to accept new functionailty along with the bug fix.</para>
|
||||
last minor release of the associated major release then it might be
|
||||
necessary to accept major new functionailty along with the bug fix.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-07-16</pubdate>
|
||||
<pubdate>2004-07-20</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003-2004</year>
|
||||
@ -80,6 +80,13 @@ MANGLE_ENABLED=Yes</programlisting>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</caution>
|
||||
|
||||
<caution>
|
||||
<para>In the instructions below, only TCP Port 80 is opened from the
|
||||
system running Squid to the internet. If your users require browsing
|
||||
sites that use a port other than 80 (e.g., http://www.domain.tld:<emphasis
|
||||
role="bold">8080</emphasis>) then you must open those ports as well.</para>
|
||||
</caution>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@ -301,7 +308,7 @@ chkconfig --level 35 iptables on</command></programlisting>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT Z SZ tcp SP
|
||||
ACCEPT SZ net tcp 80</programlisting>
|
||||
ACCEPT SZ net tcp 80,443</programlisting>
|
||||
|
||||
<example>
|
||||
<title>Squid on the firewall listening on port 8080 with access from the
|
||||
@ -309,7 +316,7 @@ ACCEPT SZ net tcp 80</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/rules:</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT loc fw tcp 8080
|
||||
ACCEPT fw net tcp 80</programlisting></para>
|
||||
ACCEPT fw net tcp 80,443</programlisting></para>
|
||||
</example>
|
||||
</section>
|
||||
</article>
|
Binary file not shown.
File diff suppressed because it is too large
Load Diff
Binary file not shown.
File diff suppressed because it is too large
Load Diff
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-07-15</pubdate>
|
||||
<pubdate>2004-07-22</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -1365,18 +1365,23 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>The firewall responds to ARP <quote>who has</quote> requests
|
||||
for <emphasis role="bold">A</emphasis>.</para>
|
||||
for <emphasis role="bold">A</emphasis> from machines outside of
|
||||
the firewall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>When <emphasis role="bold">H</emphasis> <emphasis
|
||||
role="bold">A </emphasis>andissues an ARP <quote>who has</quote>
|
||||
request for an address in the subnetwork defined by <emphasis
|
||||
role="bold">M</emphasis>, the firewall will respond (with the MAC
|
||||
if the firewall interface) to <emphasis role="bold">H</emphasis>.</para>
|
||||
<para>When <emphasis role="bold">H</emphasis> issues an ARP
|
||||
<quote>who has</quote> request for a machine with an address in
|
||||
the network defined by <emphasis role="bold">M</emphasis> where
|
||||
the target machine is outside of the firewall, the firewall will
|
||||
respond to <emphasis role="bold">H</emphasis> (with the MAC of the
|
||||
firewall interface).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>For a more complete description of how Proxy ARP works, please
|
||||
see the <ulink url="ProxyARP.htm">Shorewall Proxy Documentation</ulink>.</para>
|
||||
|
||||
<para>Let us suppose that we decide to use Proxy ARP on the DMZ in our
|
||||
example network.</para>
|
||||
|
||||
|
@ -410,9 +410,9 @@ DROP net fw icmp echo-request</programlist
|
||||
<appendix>
|
||||
<title>Revision History</title>
|
||||
|
||||
<para><revhistory><revision><revnumber>1.8</revnumber><date>2005-04-03</date><authorinitials>TE</authorinitials><revremark>Point
|
||||
out that firewall addresses are in the $FW zone.</revremark></revision><revision><revnumber>1.7</revnumber><date>2005-02-02</date><authorinitials>TE</authorinitials><revremark>Add
|
||||
hint about testing from inside the firewall.</revremark></revision><revision><revnumber>1.6</revnumber><date>2005-01-06</date><authorinitials>TE</authorinitials><revremark>Add
|
||||
<para><revhistory><revision><revnumber>1.8</revnumber><date>2004-04-03</date><authorinitials>TE</authorinitials><revremark>Point
|
||||
out that firewall addresses are in the $FW zone.</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-02-02</date><authorinitials>TE</authorinitials><revremark>Add
|
||||
hint about testing from inside the firewall.</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-01-06</date><authorinitials>TE</authorinitials><revremark>Add
|
||||
pointer to Site and Mailing List Archives Searches.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-01</date><authorinitials>TE</authorinitials><revremark>Added
|
||||
information about eliminating ping-generated log messages.</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-12-22</date><authorinitials>TE</authorinitials><revremark>Initial
|
||||
Docbook Conversion</revremark></revision></revhistory></para>
|
||||
|
Loading…
Reference in New Issue
Block a user