diff --git a/STABLE/documentation/Accounting.html b/STABLE/documentation/Accounting.html
index 52e5e772a..f64d954a0 100755
--- a/STABLE/documentation/Accounting.html
+++ b/STABLE/documentation/Accounting.html
@@ -27,69 +27,62 @@ Shorewall Traffic Accounting support was added in Shorewall release
Shorewall accounting rules are described in the file
/etc/shorewall/accounting. By default, the accounting rules are placed
-in a chain called "accounting" and can
-thus be displayed using "shorewall show accounting". All traffic
-passing into, out of or through the firewall traverses the accounting
-chain including traffic that will later be rejected by interface options such as
-"tcpflags" and "maclist". If your kernel doesn't support the connection
-tracking match extension (Kernel 2.4.21) then some traffic rejected
-under 'norfc1918' will not traverse the accounting chain.
+in a chain called "accounting" and can thus be displayed using
+"shorewall show accounting". All traffic passing into, out of or
+through the firewall traverses the accounting chain including traffic
+that will later be rejected by interface
+options such as "tcpflags" and "maclist". If your kernel doesn't
+support the connection tracking match extension (Kernel 2.4.21) then
+some traffic rejected under 'norfc1918' will not traverse the
+accounting chain.
The columns in the accounting file are as follows:
- - ACTION - What to do when
-a match is found. Possible values are:
+ - ACTION - What to do when a
+match is found. Possible values are:
- - COUNT- Simply count the match and continue trying to
-match the packet with the following accounting rules
+ - COUNT- Simply count the match and continue trying to match the
+packet with the following accounting rules
- DONE- Count the match and don't attempt to match any following
accounting rules.
- <chain> - The
name of a chain to jump to. Shorewall will create the chain
-automatically. If the
-name of the chain is followed by ":COUNT" then a COUNT rule matching
-this rule will automatically be added to <chain>
- CHAIN - The name of the
-chain where the accounting rule is to be added. If empty or "-" then
-the "accounting" chain is assumed.
+chain where the accounting rule is to be added. If empty or "-" then the
+"accounting" chain is assumed.
- SOURCE - Packet Source.
-The name of an interface, an address
-(host or net) or an interface name followed by ":" and a host or net
-address.
+The name of an interface, an address (host or net) or an interface name
+followed by ":" and a host or net address.
- DESTINATION - Packet
-Destination Format the same as the SOURCE
-column.
- - PROTOCOL - A protocol
-name (from /etc/protocols) or a protocol
-number.
+Destination Format the same as the SOURCE column.
+ - PROTOCOL - A protocol name
+(from /etc/protocols) or a protocol number.
- DEST PORT - Destination
-Port number. Service name from
-/etc/services or port number. May only be specified if the protocol is
-TCP or UDP (6 or 17).
+Port number. Service name from /etc/services or port number. May only be
+specified if the protocol is TCP or UDP (6 or 17).
- SOURCE PORT- Source Port
-number. Service name from /etc/services
-or port number. May only be specified if the protocol is TCP or UDP (6
-or 17).
+number. Service name from /etc/services or port number. May only be
+specified if the protocol is TCP or UDP (6 or 17).
-In all columns except ACTION and CHAIN, the values "-","any" and
-"all" are treated as wild-cards.
-
+In all columns except ACTION and CHAIN, the values "-","any" and "all"
+are treated as wild-cards.
+
The accounting rules are evaluated in the Netfilter 'filter' table.
This is the same environment where the 'rules' file rules are evaluated
and in this environment, DNAT has already occurred in inbound packets
and SNAT has not yet occurred on outbound ones.
-
+
Accounting rules are not stateful -- each rule only handles traffic in
one direction. For example, if eth0 is your internet interface and you
-have a web
-server in your DMZ connected to eth1 then to count HTTP traffic in
-both directions requires two rules:
+have a web server in your DMZ connected to eth1 then to count HTTP
+traffic in both directions requires two rules:
#ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
DONE - eth0 eth1 tcp 80
DONE - eth1 eth0 tcp - 80
Associating a counter with a chain allows for nice reporting. For
example:
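Review bot: "(Kernel 2.4.21)" in the rewrapped paragraph is ambiguous: a reader cannot tell whether 2.4.21 is the first kernel that has the connection tracking match extension or an example of one that lacks it, and since these lines are being rewrapped anyway it is the moment to spell that out. In the two-direction HTTP example, the first rule "DONE - eth0 eth1 tcp 80" leaves the SOURCE PORT column empty while the second ("DONE - eth1 eth0 tcp - 80") uses "-" for DEST PORT; fill the trailing column with "-" in the first rule as well so both rows show the same column layout.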
@@ -103,8 +96,16 @@ Here's a slightly different example:
Now "shorewall show web" simply gives you a breakdown by input and
output:
-[root@gateway shorewall]# shorewall show accounting web
Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003
Counters reset Wed Aug 20 10:24:33 PDT 2003
Chain accounting (3 references)
pkts bytes target prot opt in out source destination
8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
Chain web (4 references)
pkts bytes target prot opt in out source destination
8767 727K all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#
-Last updated 8/20/2003 - [root@gateway shorewall]# shorewall show accounting web
Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003
Counters reset Wed Aug 20 10:24:33 PDT 2003
Chain accounting (3 references)
pkts bytes target prot opt in out source destination
8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
Chain web (4 references)
pkts bytes target prot opt in out source destination
8767 727K all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#
+Here's how the same example would be constructed on a server with only
+one interface (eth0):
+#ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web - eth0 - tcp 80
web - - eth0 tcp - 80
web - eth0 - tcp 443
web - - eth0 tcp - 443
COUNT web eth0 -
COUNT web - eth0
+Note that with only one interface, only the SOURCE (for input rules) or
+the DESTINATION (for output rules) is specified in each rule.
+
+Here's the output:
+[root@mail shorewall]# shorewall show accounting web
Shorewall-1.4.7 Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003
Counters reset Sat Oct 11 08:12:57 PDT 2003
Chain accounting (3 references)
pkts bytes target prot opt in out source destination
8767 727K web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
11506 13M web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
Chain web (4 references)
pkts bytes target prot opt in out source destination
8767 727K all -- eth0 * 0.0.0.0/0 0.0.0.0/0
11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0
[root@mail shorewall]#
+Last updated 10/12/2003 - Tom Eastep
Copyright
© 2003 Thomas M. Eastep.
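Review bot: the single-interface listing added after "Here's the output:" shows exactly the same counters (8767/727K, 0/0, 11506/13M) and the same time of day (10:27:21 PDT) as the two-interface gateway listing above it, so it reads as a hand-edited copy rather than a capture from mail.shorewall.net; either capture a real run or say the listing is illustrative. The new rules do agree with the output (SOURCE-only rules appear with in=eth0 out=*, DESTINATION-only rules with in=* out=eth0), and saying so in the "Note that with only one interface" sentence would let readers check their own "shorewall show accounting web" against it.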
diff --git a/STABLE/documentation/FAQ.htm b/STABLE/documentation/FAQ.htm
index 21f87bed1..c255db080 100644
--- a/STABLE/documentation/FAQ.htm
+++ b/STABLE/documentation/FAQ.htm
@@ -173,7 +173,15 @@ only from specific IP Addresses on the internet?
options in nmap on or behind the firewall, I get "operation not
permitted". How can I use nmap with Shorewall?"
-27. I am compiling a new kernel for my
+26a. When I try
+to use the "-O" option of nmap
+from the firewall system, I get "operation
+not permitted". How to I allow this option?
+
+27. I am compiling a new kernel
+for my
firewall. What should I look out for?
28. How do I use Shorewall as a Bridging
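Review bot: typo in the new TOC entry 26a: "How to I allow this option?" should read "How do I allow this option?" (the same wording is repeated in the answer body later in this file).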
@@ -1079,13 +1087,22 @@ Shorewall I am running?
At the shell prompt, type:
/sbin/shorewall
-version
+version
+
26. When I try to use any of the SYN
options in nmap on or behind the firewall, I get "operation not
permitted".
How can I use nmap with Shorewall?"
Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to
"NEWNOTSYN=Yes" then restart Shorewall.
+
+26a.
+When I try to use the "-O"
+option of nmap from the firewall system, I get "operation not permitted". How to I
+allow this option?
+Add this command to your /etc/shorewall/start file:
+run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP
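Review bot: the answer to 26a needs a caveat: "run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP" removes the INVALID-state drop for everything the firewall itself sends, not only nmap's probes, so the FAQ should tell the reader to take the line out of /etc/shorewall/start again and restart Shorewall once the scan is finished. Also fix "How to I allow" to "How do I allow" in the question heading.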
diff --git a/STABLE/documentation/News.htm b/STABLE/documentation/News.htm
index 2497af2f7..683de2cbe 100644
--- a/STABLE/documentation/News.htm
+++ b/STABLE/documentation/News.htm
@@ -19,6 +19,54 @@
+10/21/2003 - Shorewall 1.4.7a
+
+This is a bugfix rollup of the following problem corrections:
+
+
+ - Tuomo Soini has supplied a correction to a problem that occurs
+using some versions of 'ash'. The symptom is that "shorewall start"
+fails with:
+
+ local: --limit: bad variable name
+ iptables v1.2.8: Couldn't load match
+`-j':/lib/iptables/libipt_-j.so:
+ cannot open shared object file: No such file or directory
+ Try `iptables -h' or 'iptables --help' for more
+information.
+
+
+ - Andres Zhoglo has supplied a correction that avoids trying to use
+the multiport match iptables facility on ICMP rules.
+
+ Example of rule that previously caused "shorewall start"
+to fail:
+
+
+ACCEPT loc $FW
+icmp 0,8,11,12
+
+
+ - Previously, if the following error message was issued, Shorewall
+was left in an inconsistent state.
+
+ Error: Unable to determine the routes routes through
+interface xxx
+
+
+ - Handling of the LOGUNCLEAN option in shorewall.conf has been
+corrected.
+ - In Shorewall 1.4.2, an optimization was added. This optimization
+involved creating a chain named "<zone>_frwd" for most zones
+defined using the /etc/shorewall/hosts file. It has since been
+discovered that in many cases these new chains contain redundant rules
+and that the "optimization" turns out to be less than optimal. The
+implementation has now been corrected.
+ - When the MARK value in a tcrules entry is followed by ":F" or
+":P", the ":F" or ":P" was previously only applied to the first
+Netfilter rule generated by the entry. It is now applied to all entries.
+
+
10/06/2003 - Shorewall 1.4.7
Problems Corrected since version 1.4.6 (Those in bold font were
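Review bot: the quoted message "Error: Unable to determine the routes routes through interface xxx" doubles "routes"; the errata entry for 1.4.7 later in this patch quotes it as "Unable to determine the routes through interface xxx", so one of the two is wrong and both should match the text the firewall script actually prints. In the last bullet, "It is now applied to all entries" is ambiguous after a sentence about the Netfilter rules generated by one entry; "It is now applied to all of the rules generated by the entry" says what is meant. The multiport example "ACCEPT loc $FW icmp 0,8,11,12" is split across two lines and would be clearer on one line under the rules-file column headings.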
diff --git a/STABLE/documentation/PPTP.htm b/STABLE/documentation/PPTP.htm
index aac549f73..df77ffc70 100644
--- a/STABLE/documentation/PPTP.htm
+++ b/STABLE/documentation/PPTP.htm
@@ -263,9 +263,15 @@ status)
esac
Configuring Shorewall
-I consider hosts connected to my PPTP server to be just like local
-systems.
-My key Shorewall entries are:
+Often there will be situations where you want multiple connections
+from remote networks with these networks having different firewalling
+requirements.
+
+![](images/MultiPPTP.png)
+
+Here's how you configure this in Shorewall:
+
/etc/shorewall/zones:
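Review bot: the new image ![](images/MultiPPTP.png) has empty alt text; describe the topology (one firewall with three remote PPTP networks) for readers who cannot see the picture. Dropping "I consider hosts connected to my PPTP server to be just like local systems" also drops the simplest configuration (remote clients treated as part of loc); keep it as the basic case ahead of the multi-zone version, since readers with a single remote network no longer have an example.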
@@ -283,7 +289,31 @@ My key Shorewall entries are:
loc |
Local |
- My Local Network including remote PPTP clients |
+ Local Network
+ |
+
+
+ vpn1 |
+ Remote1
+ |
+ Remote Network 1
+ |
+
+
+ vpn2
+ |
+ Remote2
+ |
+ Remote Network 2
+ |
+
+
+ vpn3
+ |
+ Remote3
+ |
+ Remote Network 3
+ |
@@ -307,13 +337,13 @@ My key Shorewall entries are:
loc |
eth2 |
- 192.168.1.255 |
+ 192.168.10.255 |
|
- |
ppp+ |
- |
+ - |
|
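Review bot: changing the loc broadcast on eth2 from 192.168.1.255 to 192.168.10.255 moves the local LAN to 192.168.10.0/24, presumably because the new vpn1 zone below uses ppp+:192.168.1.0/24 and would otherwise overlap with it; say so in the text, and check that any other 192.168.1.x addresses on this page were updated to match.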
@@ -335,145 +365,32 @@ My key Shorewall entries are:
- loc |
+ vpn1
+ |
ppp+:192.168.1.0/24 |
|
-
-
-
-/etc/shorewall/policy:
-
-
-
- SOURCE |
- DEST |
- POLICY |
- LOG LEVEL |
-
-
- loc |
- loc |
- ACCEPT |
- |
-
-
-
-
-/etc/shorewall/rules (For Shorewall versions up to and including
-1.3.9b):
-
-
-
-
- ACTION |
- SOURCE |
- DEST |
- PROTO |
- DEST
-PORT(S) |
- SOURCE
-PORT(S) |
- ORIGINAL
-DEST |
-
-
- ACCEPT |
- net |
- fw |
- tcp |
- 1723 |
- |
- |
-
-
- ACCEPT |
- net |
- fw |
- 47 |
- - |
- |
- |
-
-
- ACCEPT |
- fw |
- net |
- 47 |
- - |
- |
- |
-
-
-
-
-/etc/shoreawll/tunnels (For Shorewall versions
-1.3.10 and
-later)
-
-
-
-
-
- TYPE
- |
- ZONE
- |
- GATEWAY
- |
- GATEWAY ZONE
- |
-
-
- pptpserver
+ | vpn2
|
- net
+ | ppp+:192.168.2.0/24
|
- 0.0.0.0/0
+ |
|
-
+ |
+
+ vpn3
+ |
+ ppp+:192.168.3.0/24
+ |
+
|
-
-Note: I have multiple ppp interfaces on my firewall. If you have a
-single
-ppp interface, you probably want:
-/etc/shorewall/interfaces:
-
-
-
-
- ZONE |
- INTERFACE |
- BROADCAST |
- OPTIONS |
-
-
- net |
- eth0 |
- 206.124.146.255 |
- norfc1918 |
-
-
- loc |
- eth2 |
- 192.168.1.255 |
- |
-
-
- loc |
- ppp0 |
- |
- |
-
-
-
-
-and no entries in /etc/shorewall/hosts.
+Your policies and rules can now be configured using separate zones
+(vpn1, vpn2, and vpn3) for the three remote network.
2. PPTP Server Running
Behind
your Firewall
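Review bot: the /etc/shorewall/tunnels entry (pptpserver, net, 0.0.0.0/0) is deleted here together with the pre-1.3.10 rules and the loc→loc policy, but nothing in the new text replaces it, so this section no longer shows how the PPTP control connection and GRE traffic are admitted to the firewall; keep the tunnels table, which applies regardless of zone layout. In the hosts table the vpn2 row's cell delimiters are shifted relative to the vpn1 and vpn3 rows (the "|" precedes "vpn2" and "ppp+:192.168.2.0/24" instead of following them), so check that vpn2 renders in the ZONE column. "for the three remote network" should be "networks". The deleted note for a single ppp interface (loc on ppp0, no hosts entries) served readers without several links; consider keeping it.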
@@ -968,7 +885,7 @@ as described in the QuickStart Guide corresponding to your setup.
That entry allows a PPTP tunnel to be established between your
Shorewall system and the PPTP server in the modem.
-Last modified 8/11/2003 - Tom
+Last modified 10/11/2003 - Tom
Eastep
Copyright © 2001, 2002, 2003 Thomas M. Eastep.
diff --git a/STABLE/documentation/Shorewall_Doesnt.html b/STABLE/documentation/Shorewall_Doesnt.html
index e96368499..ec6282d68 100644
--- a/STABLE/documentation/Shorewall_Doesnt.html
+++ b/STABLE/documentation/Shorewall_Doesnt.html
@@ -30,18 +30,28 @@ application.
Be used with an Operating System other than Linux (version >=
2.4.0)
- Do content filtering -- better to use Squid for that.
+ Do content filtering:
+
In addition:
- - Shorewall does not contain any support for Netfilter Patch-O-Matic features -- Shorewall
+
- Shorewall does not contain any support for Netfilter Patch-O-Matic features --
+Shorewall
only supports features from released kernels.
-Last updated 9/28/2003 - Tom
+Last updated 10/07/2003 - Tom
Eastep
Copyright © 2001, 2002, 2003 Thomas M. Eastep.
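Review bot: the new "Do content filtering:" item ends in a colon with nothing following it in this hunk, while the pointer to Squid was removed; make sure the list of alternatives the colon introduces actually made it into the file, otherwise the reader is left with a dangling item and no replacement for the Squid reference.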
diff --git a/STABLE/documentation/Shorewall_Squid_Usage.html b/STABLE/documentation/Shorewall_Squid_Usage.html
index 49b4ca3ea..0b23fb7ca 100644
--- a/STABLE/documentation/Shorewall_Squid_Usage.html
+++ b/STABLE/documentation/Shorewall_Squid_Usage.html
@@ -28,10 +28,14 @@
This page covers Shorewall configuration to use with Squid running as a Transparent
-Proxy. If you are running Shorewall 1.3, please see this documentation.
+ href="http://www.squid-cache.org/">Squid
running as a Transparent
+Proxy or as a Manual Proxy.
+If you are running Shorewall 1.3, please see this documentation.
+Squid as a Transparent Proxy
+
Please observe the
following general requirements:
@@ -71,7 +75,7 @@ running on the Firewall.
local network
Squid running in the DMZ
-Squid Running on the Firewall
+Squid (transparent) Running on the Firewall
You want to redirect all local www connection requests
EXCEPT those to your own http server (206.124.146.177) to a Squid
transparent proxy running on the firewall
@@ -123,15 +127,49 @@ DEST
There may be a requirement to exclude additional destination
hosts or networks from being redirected. For example, you might also
want
-requests destined for 130.252.100.0/24 to not be routed to Squid. In
-that
-case, you must add a manual rule in /etc/shorewall/start:
+requests destined for 130.252.100.0/24 to not be routed to Squid.
+
+If you are running Shorewall version 1.4.5 or later, you may just add
+the additional hosts/networks to the ORIGINAL DEST column in your
+REDIRECT rule:
+
+
+
+
+
+ ACTION |
+ SOURCE |
+ DEST |
+ PROTO |
+ DEST
+PORT(S) |
+ SOURCE
+PORT(S) |
+ ORIGINAL
+DEST |
+
+
+ REDIRECT |
+ loc |
+ 3128 |
+ tcp |
+ www |
+ -
+ |
+ !206.124.146.177,130.252.100.0/24 |
+
+
+
+
+
+If you are running a Shorewall version earlier than 1.4.5, you must add
+a manual rule in /etc/shorewall/start:
run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN
To exclude additional hosts or networks, just add additional
similar rules.
-Squid Running in the local network
+Squid (transparent) Running in the local network
You want to redirect all local www connection requests to a Squid
transparent proxy running in your local zone at 192.168.1.3 and
listening
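Review bot: the ORIGINAL DEST value "!206.124.146.177,130.252.100.0/24" should be explained: say explicitly that the leading "!" negates the whole comma-separated list (both the web server and 130.252.100.0/24 are excluded from redirection), because a reader can also parse it as excluding only the first address. It would also help to state that the /etc/shorewall/start rule given for versions before 1.4.5 is not needed once the exclusion list is used, so people upgrading do not keep both.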
@@ -273,7 +311,8 @@ command above:
color="#009900">
chkconfig --level 35 iptables on
-Squid Running in the DMZ (This is what I do)
+Squid (transparent) Running in the DMZ (This is
+what I do)
You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ
interface is eth1 and your local interface is eth2.
@@ -455,7 +494,133 @@ command above:
color="#009900">
chkconfig --level 35 iptables on
- Updated 8/9/2003 - Tom Eastep
+Squid as a Manual Proxy
+Assume that Squid is running in zone SZ and listening on port SP; all
+web sites that are to be accessed through Squid are in the 'net' zone.
+Then for each zone Z that needs access to the Squid server:
+
+
+
+
+
+ ACTION
+ |
+ SOURCE
+ |
+ DEST
+ |
+ PROTO
+ |
+ DEST
+PORT(S)
+ |
+ CLIENT
+PORT(2)
+ |
+ ORIGINAL
+DEST
+ |
+
+
+ ACCEPT
+ |
+ Z
+ |
+ SZ
+ |
+ tcp
+ |
+ SP
+ |
+
+ |
+
+ |
+
+
+ ACCEPT
+ |
+ SZ
+ |
+ net
+ |
+ tcp
+ |
+ 80
+ |
+
+ |
+
+ |
+
+
+
+
+
+Example:
+
+Squid on the firewall listening on port
+8080 with access from the 'loc' zone:
+
+
+
+
+ ACTION
+ |
+ SOURCE
+ |
+ DEST
+ |
+ PROTO
+ |
+ DEST
+PORT(S)
+ |
+ CLIENT
+PORT(2)
+ |
+ ORIGINAL
+DEST
+ |
+
+
+ ACCEPT
+ |
+ loc
+ |
+ $FW
+ |
+ tcp
+ |
+ 8080
+ |
+
+ |
+
+ |
+
+
+ ACCEPT
+ |
+ $FW
+ |
+ net
+ |
+ tcp
+ |
+ 80
+ |
+
+ |
+
+ |
+
+
+
+
+
+Updated 1017/2003 - Tom
+Eastep
Copyright © 2003 Thomas M. Eastep.
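Review bot: both new tables carry the header "CLIENT PORT(2)", which should be "SOURCE PORT(S)" to match the rules-file headings used in the REDIRECT table earlier on this page; "Updated 1017/2003" is missing its slash and should read 10/17/2003. The SZ→net rule only allows tcp 80, so this manual-proxy setup serves plain http only; either add 443 (Squid opens outbound connections on 443 when clients CONNECT to https sites) or say the example is http-only.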
diff --git a/STABLE/documentation/errata.htm b/STABLE/documentation/errata.htm
index 247361e6f..f0dee6e96 100644
--- a/STABLE/documentation/errata.htm
+++ b/STABLE/documentation/errata.htm
@@ -28,25 +28,25 @@ Issues
If you use a Windows system to download
a corrected script, be sure to run the script through dos2unix after you have moved
-it to your Linux system.
+ style="text-decoration: none;"> dos2unix after you have moved it
+to your Linux system.
If you are installing Shorewall for the first
-time and plan to use the .tgz and install.sh script, you can untar
-the archive, replace the 'firewall' script in the untarred directory
-with the one you downloaded below, and then run install.sh.
+time and plan to use the .tgz and install.sh script, you can untar the
+archive, replace the 'firewall' script in the untarred directory with
+the one you downloaded below, and then run install.sh.
When the instructions say to install a
-corrected firewall script in /usr/share/shorewall/firewall,
-you may rename the existing file before copying in the new file.
+corrected firewall script in /usr/share/shorewall/firewall, you may
+rename the existing file before copying in the new file.
DO NOT INSTALL CORRECTED
COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
-BELOW. For example, do NOT install the 1.3.9a firewall script
-if you are running 1.3.7c.
+BELOW. For example, do NOT install the 1.3.9a firewall script if you are
+running 1.3.7c.
@@ -61,8 +61,7 @@ Version 1.1
Problem with
iptables version 1.2.3 on RH7.2
Problems with kernels >= 2.4.18 and
-RedHat
-iptables
+RedHat iptables
Problems installing/upgrading RPM on SuSE
Problems with iptables version 1.2.7 and
MULTIPORT=Yes
@@ -75,12 +74,35 @@ REJECT (also applies to 2.4.21-RC1)
Problems in Version 1.4
+1.4.7
+
+ - Using some versions of 'ash' (such as from RH8) as the
+SHOREWALL_SHELL causes "shorewall [re]start" to fail with:
+
+ local: --limit: bad variable name
+ iptables v1.2.8: Couldn't load match
+`-j':/lib/iptables/libipt_-j.so:
+ cannot open shared object file: No such file or directory
+ Try `iptables -h' or 'iptables --help' for more information.
+ - When more than one ICMP type is listed in a rule and your kernel
+includes multiport match support, the firewall fails to start.
+ - Regardless of the setting of LOGUNCLEAN, the value
+LOGUNCLEAN=info was used.
+ - After the following error message, Shorewall was left in an
+inconsistent state:
+
+Error: Unable to determine the routes through interface xxx
+
+
+These problems have been corrected in this firewall
+script which may be installed in /var/share/shorewall/firewall as
+described above.
1.4.6
- If TC_ENABLED is set to yes in shorewall.conf then Shorewall
-would fail to start with the error "ERROR: Traffic Control
-requires Mangle";
-that problem has been corrected in this
firewall script which may be installed in
/var/share/shorewall/firewall as described above. This problem is also
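Review bot: the new 1.4.7 entry says the corrected script "may be installed in /var/share/shorewall/firewall", but this same page states that in 1.4.* the script lives in /usr/share/shorewall/firewall; the 1.4.6 context line has the same /var path, so the slip is pre-existing, but it should not be copied into the new entry.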
@@ -89,40 +111,34 @@ corrected in bugfix release 1.4.6a.
If a MAC address is used in the SOURCE column, an error occurs as
follows:
- iptables v1.2.8: Bad mac adress
+ iptables v1.2.8: Bad mac adress
`00:08:B5:35:52:E7-d`
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
in this
firewall script which may be installed in
-/var/share/shorewall/firewall
-as described above. For all other versions, you will have to edit your
-'firewall'
-script (in versions 1.4.*, it is located in
-/usr/share/shorewall/firewall).
-Locate the function add_tcrule_() and in that function, replace this
-line:
+/var/share/shorewall/firewall as described above. For all other
+versions, you will have to edit your 'firewall' script (in versions
+1.4.*, it is located in /usr/share/shorewall/firewall). Locate the
+function add_tcrule_() and in that function, replace this line:
- r=`mac_match
-$source`
+ r=`mac_match $source`
with
- r="`mac_match
-$source` "
+ r="`mac_match $source` "
Note that there must be a space before the ending quote!
1.4.4b
1.4.4
@@ -147,8 +162,7 @@ described above.
- If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a
-logging rule is too long. Upgrade to Version 1.4.4a to fix this
-problem..
+logging rule is too long. Upgrade to Version 1.4.4a to fix this problem..
1.4.3
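Review bot: the reflowed line keeps the doubled full stop in "to fix this problem.."; drop one period while touching this line.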
@@ -157,8 +171,8 @@ to allow integration of Shorewall with Fireparse
(http://www.firewparse.com). Unfortunately, LOGMARKER only solved part
of the integration problem. I have implimented a new LOGFORMAT variable
which will replace LOGMARKER which has completely solved this problem
-and is currently in production with fireparse here at shorewall.net.
-The updated files may be found at ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/.
See the 0README.txt file for details.
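Review bot: removing the two lines "and is currently in production with fireparse here at shorewall.net. The updated files may be found at ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/." leaves the preceding sentence ("which has completely solved this problem") without an ending and leaves "See the 0README.txt file for details" pointing at a location that is no longer named; if the URL moved into link markup not shown in the hunk, fine, otherwise restore it.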
@@ -170,9 +184,8 @@ See the 0README.txt file for details.
directory created in /tmp is not being removed. This problem may be
corrected by installing this firewall script in
-/usr/share/shorewall/firewall as
-described above.
+ target="_top">this firewall script in /usr/share/shorewall/firewall
+as described above.
1.4.1a, 1.4.1 and 1.4.0
@@ -190,8 +203,8 @@ in /etc/shorewall/common.def.
When a "shorewall check" command is executed, each "rule"
produces the harmless additional message:
- /usr/share/shorewall/firewall: line 2174: [: =:
-unary operator expected
+ /usr/share/shorewall/firewall: line 2174: [: =: unary operator
+expected
You may correct the problem by installing 1.4.0
- When running under certain shells Shorewall will attempt to
-create ECN rules even when /etc/shorewall/ecn is empty. You may
-either just remove /etc/shorewall/ecn or you can install this
correct script in /usr/share/shorewall/firewall as described above.
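Review bot: deleting the three lines of the ECN item ("When running under certain shells Shorewall will attempt to create ECN rules ...") but not the line after them leaves the fragment "correct script in /usr/share/shorewall/firewall as described above." dangling right after "You may correct the problem by installing 1.4.0"; remove that remaining line as well, or keep the whole item if the bug is still meant to be listed.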
@@ -218,36 +231,35 @@ with iptables version 1.2.3
There are a couple of serious bugs in iptables 1.2.3
that prevent it from working with Shorewall. Regrettably, RedHat
-released this buggy iptables in RedHat 7.2.
+released this buggy iptables in RedHat 7.2.
I have built a
-corrected 1.2.3 rpm which you can download here and I have
-also built an and I have also
+built an
-iptables-1.2.4 rpm which you can download here. If you are
-currently running RedHat 7.1, you can install either of these RPMs before
- you upgrade to RedHat 7.2.
+iptables-1.2.4 rpm which you can download here
. If you are currently
+running RedHat 7.1, you can install either of these RPMs before you
+upgrade to RedHat 7.2.
Update 11/9/2001: RedHat
-has released an iptables-1.2.4 RPM of their own which
-you can download from http://www.redhat.com/support/errata/RHSA-2001-144.html.
- I have installed this RPM on my firewall and
-it works fine.
+has released an iptables-1.2.4 RPM of their own which you can download
+from http://www.redhat.com/support/errata/RHSA-2001-144.html.I
+have installed this RPM on my firewall and it works fine.
If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This patch
which corrects a problem with parsing of the --log-level specification
while this patch
-corrects a problem in handling the TOS target.
+corrects a problem in handling the TOS target.
To install one of the above patches:
- cd iptables-1.2.3/extensions
- patch -p0 < the-patch-file
-Problems with kernels >= 2.4.18 and
-RedHat iptables
+Problems with kernels >= 2.4.18 and RedHat
+iptables
Users who use RedHat iptables RPMs and who upgrade to kernel
2.4.18/19 may experience the following:
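Review bot: the reflowed paragraph now reads "... which you can download here and I have also built an and I have also built an iptables-1.2.4 rpm ...", duplicating "and I have also built an"; keep one copy. In the 11/9/2001 update a space is missing after the URL: "RHSA-2001-144.html.I have installed" should be "RHSA-2001-144.html. I have installed".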
@@ -256,13 +268,11 @@ RedHat iptables
The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
-the Netfilter 'mangle' table. You can correct the problem by installing
-
-this iptables RPM. If you are already running a
-1.2.5 version of iptables, you will need to specify the
---oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
-iptables-1.2.5-1.i386.rpm").
+this iptables RPM. If you are already running a 1.2.5 version of
+iptables, you will need to specify the --oldpackage option to rpm
+(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").
Problems installing/upgrading RPM on SuSE
If you find that rpm complains about a conflict with kernel <=
@@ -274,8 +284,8 @@ option to rpm.
MULTIPORT=Yes
The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as a
-consequence, if you install iptables 1.2.7 you must be running
-Shorewall 1.3.7a or later or:
+consequence, if you install iptables 1.2.7 you must be running Shorewall
+1.3.7a or later or:
The Shoreline Firewall, more commonly known as "Shorewall", is
@@ -59,12 +58,13 @@ capabilities.
This program is free software; you can redistribute it and/or modify it
under the terms of Version
-2 of the GNU
-General Public License as published by the Free Software Foundation.
+2 of the GNU General Public License as published by the Free
+Software Foundation.
This program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-General Public License for more details.
+General
+Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
@@ -84,23 +84,73 @@ Shorewall. For older versions:
Getting Started with Shorewall
New to Shorewall? Start by selecting the QuickStart Guide that most
-closely match your environment
-and follow the step by step instructions.
+closely match your environment and follow the step by step instructions.
Looking for Information?
The Documentation
Index is a good place to start as is the Quick Search to your
right.
Running Shorewall on Mandrake with a two-interface setup?
-If so, the documentation on
-this site will not apply directly to your setup. If you want
-to use the documentation that you find here, you will want to consider
-uninstalling what you have and installing a setup that matches the
-documentation on this site. See the Two-interface
-QuickStart Guide for details.
+If so, the documentation on this site will not apply directly
+to
+your setup. If you want to use the documentation that you find here,
+you will want to consider uninstalling what you have and installing a
+setup that matches the documentation on this site. See the Two-interface QuickStart Guide for
+details.
News
- 10/06/2003 - Shorewall 1.4.7
10/21/2003 - Shorewall 1.4.7a ![(New)](images/new10.gif)
+ src="images/new10.gif" alt="(New)" title="">
+ This is a bugfix rollup of the following problem corrections:
+
+
+ - Tuomo Soini has supplied a correction to a problem that
+occurs
+using some versions of 'ash'. The symptom is that "shorewall start"
+fails with:
+
+ local: --limit: bad variable name
+ iptables v1.2.8: Couldn't load match
+`-j':/lib/iptables/libipt_-j.so:
+ cannot open shared object file: No such file or directory
+ Try `iptables -h' or 'iptables --help' for more
+information.
+
+
+ - Andres Zhoglo has supplied a correction that avoids trying
+to use the multiport match iptables facility on ICMP rules.
+
+ Example of rule that previously caused "shorewall start"
+to fail:
+
+
+ACCEPT loc $FW
+icmp 0,8,11,12
+
+
+ - Previously, if the following error message was issued,
+Shorewall was left in an inconsistent state.
+
+ Error: Unable to determine the routes routes through
+interface xxx
+
+
+ - Handling of the LOGUNCLEAN option in shorewall.conf has
+been corrected.
+ - In Shorewall 1.4.2, an optimization was added. This
+optimization
+involved creating a chain named "<zone>_frwd" for most zones
+defined using the /etc/shorewall/hosts file. It has since been
+discovered that in many cases these new chains contain redundant rules
+and that the "optimization" turns out to be less than optimal. The
+implementation has now been corrected.
+ - When the MARK value in a tcrules entry is followed by ":F"
+or
+":P", the ":F" or ":P" was previously only applied to the first
+Netfilter rule generated by the entry. It is now applied to all entries.
+
+
+ 10/06/2003 - Shorewall 1.4.7
Problems Corrected since version 1.4.6 (Those in bold font
were corrected since 1.4.7 RC2)
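Review bot: this 1.4.7a news item is a verbatim copy of the one added to News.htm earlier in this patch, including the doubled word in "Unable to determine the routes routes through interface xxx" and the ambiguous "It is now applied to all entries"; fix both copies together, or have the index page link to News.htm instead of carrying a second copy that will drift.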
@@ -119,62 +169,52 @@ were being added to a PPP interface; the addresses were successfully
added in spite of the messages.
The firewall script has been modified to eliminate the error messages
- Interface-specific dynamic blacklisting chains are
-now displayed by "shorewall monitor" on the "Dynamic Chains" page
+ Interface-specific dynamic blacklisting chains are now
+displayed by "shorewall monitor" on the "Dynamic Chains" page
(previously named "Dynamic Chain").
Thanks to Henry Yang, LOGRATE and LOGBURST now work again.
- The 'shorewall reject' and
-'shorewall drop' commands now delete any existing rules for the subject
-IP address before adding a new DROP or REJECT rule. Previously, there
-could be many rules for the same IP address in the dynamic chain so
-that multiple 'allow' commands were required to re-enable traffic
-to/from the address.
- When ADD_SNAT_ALIASES=Yes in
-shorewall.conf, the following entry in /etc/shorewall/masq resulted in
-a startup error:
+ The 'shorewall reject' and 'shorewall drop' commands now
+delete any existing rules for the subject IP address before adding a
+new DROP or REJECT rule. Previously, there could be many rules for the
+same IP address in the dynamic chain so that multiple 'allow' commands
+were required to re-enable traffic to/from the address.
+ When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following
+entry in /etc/shorewall/masq resulted in a startup error:
eth0 eth1
206.124.146.20-206.124.146.24
- Shorewall previously choked over
-IPV6 addresses configured on interfaces in contexts where Shorewall
-needed to detect something about the interface (such as when "detect"
-appears in the BROADCAST column of the /etc/shorewall/interfaces file).
- Shorewall will now load
-module files that are formed from the module name by appending ".o.gz".
- When Shorewall adds a route to a
-proxy ARP host and such a route already exists, two routes resulted
-previously. This has been corrected so that the existing route is
-replaced if it already exists.
- The rfc1918 file has been
-updated to reflect recent allocations.
- The documentation of the
-USER SET column in the rules file has been corrected.
- If there is no policy
-defined for
-the zones specified in a rule, the firewall script previously
-encountered a shell syntax error:
-
-
+ Shorewall previously choked over IPV6 addresses configured
+on interfaces in contexts where Shorewall needed to detect something
+about the interface (such as when "detect" appears in the BROADCAST
+column of the /etc/shorewall/interfaces file).
+ Shorewall will now load module files that are formed from
+the module name by appending ".o.gz".
+ When Shorewall adds a route to a proxy ARP host and such a
+route already exists, two routes resulted previously. This has been
+corrected so that the existing route is replaced if it already exists.
+ The rfc1918 file has been updated to reflect recent
+allocations.
+ The documentation of the USER SET column in the rules file
+has been corrected.
+ If there is no policy defined for the zones specified in a
+rule, the firewall script previously encountered a shell syntax error:
+
[: NONE: unexpected operator
-
-
+
Now, the absence of a policy generates an error message and the
firewall is stopped:
-
-
+
No policy defined from zone
<source> to zone <dest>
- Previously, if neither
-/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
-would fail to start and would not remove the lock file. Failure to
-remove the lock file resulted in the following during subsequent
-attempts to start:
-
-
+ Previously, if neither /etc/shorewall/common nor
+/etc/shorewall/common.def existed, Shorewall would fail to start and
+would not remove the lock file. Failure to remove the lock file
+resulted in the following during subsequent attempts to start:
+
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
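Review bot: every changed line in this hunk is a re-wrap of prose whose wording is unchanged, so the 1.4.7 "Problems Corrected" items are buried in whitespace churn; since these lines are being rewritten anyway, fix the casing in "Shorewall previously choked over IPV6 addresses configured" to "IPv6", and consider turning off the editor's automatic reflow for these HTML files so that future documentation diffs show only real changes.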
@@ -183,19 +223,17 @@ attempts to start:
Shorewall now reports a fatal error if neither of these two files exist
and correctly removes the lock fille.
- The order of processing
-the
-various options has been changed such that blacklist entries now take
-precedence over the 'dhcp' interface setting.
- The log message generated
-from the
-'logunclean' interface option has been changed to reflect a disposition
-of LOG rather than DROP.
+ The order of processing the various options has been
+changed such that blacklist entries now take precedence over the 'dhcp'
+interface setting.
+ The log message generated from the 'logunclean' interface
+option has been changed to reflect a disposition of LOG rather than
+DROP.
When a user name and/or a
-group
-name was specified in the USER SET column and the destination zone was
-qualified with a IP address, the user and/or group name was not being
-used to qualify the rule.
+group name was specified in the USER SET column and the destination
+zone
+was qualified with a IP address, the user and/or group name was not
+being used to qualify the rule.
Example:
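Review bot: the rewritten line "was qualified with a IP address, the user and/or group name was not" should read "an IP address", and the unchanged context lines just above it carry "lock fille" (lock file) and "neither of these two files exist" (exists). On substance, the USER SET item describes a rule that silently lost its user/group qualifier whenever the DEST zone carried an IP address, i.e. the rule that was installed was broader than the one written; a sentence telling administrators to re-check rules of that shape after upgrading would make the changelog entry actionable.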
@@ -225,8 +263,9 @@ command-specific help (e.g., shorewall help <command>).
A new option "ADMINISABSENTMINDED" has been added to
/etc/shorewall/shorewall.conf. This option has a default value of "No"
for existing users which causes Shorewall's 'stopped' state to
-continue as it has been; namely, in the stopped state only traffic
-to/from hosts listed in /etc/shorewall/routestopped is accepted.
+continue
+as it has been; namely, in the stopped state only traffic to/from hosts
+listed in /etc/shorewall/routestopped is accepted.
With ADMINISABSENTMINDED=Yes (the default for new installs), in
addition to traffic to/from the hosts listed in
@@ -234,7 +273,8 @@ addition to traffic to/from the hosts listed in
a) All traffic originating from the firewall itself; and
b) All traffic that is part of or related to an
-already-existing connection.
+already-existing
+connection.
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
entered through an ssh session will not kill the session.
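Review bot: item (b) as rewrapped here says the stopped firewall keeps accepting all traffic belonging to or related to existing connections, and the previous hunk says ADMINISABSENTMINDED=Yes is the default for new installs. The text should state plainly that on new installs "shorewall stop" therefore no longer cuts connections that are already passing through the firewall, and that anyone who wants the stricter stopped state described for existing users must set ADMINISABSENTMINDED=No in shorewall.conf explicitly.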
@@ -258,12 +298,9 @@ fw tcp 22
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
connection with local system 192.168.1.5. I then create a second SSH
-connection
-from that computer to the firewall and confidently type "shorewall
-stop".
-As part of its stop processing, Shorewall removes eth0:0 which kills my
-SSH
-connection to 192.168.1.5!!!
+connection from that computer to the firewall and confidently type
+"shorewall stop". As part of its stop processing, Shorewall removes
+eth0:0 which kills my SSH connection to 192.168.1.5!!!
Given the wide range of VPN software, I can never hope to
add specific support for all of it. I have therefore decided to add
"generic" tunnel support.
@@ -283,15 +320,17 @@ where:
<protocol> is the protocol
used by the tunnel
<port> if the protocol
-is 'udp' or 'tcp' then this is the destination port number used by the
-tunnel.
+is 'udp' or 'tcp' then this is the
+destination port number used by the tunnel.
<zone> is the zone of
the remote tunnel gateway
<ip address> is the IP
-address of the remote tunnel gateway.
+address of the remote tunnel
+gateway.
<gateway zone>
-Optional. A comma-separated list of zone names. If specified, the
-remote gateway is to be considered part of these zones.
+Optional. A comma-separated list of zone
+names. If specified, the remote gateway is to be considered part of
+these zones.
An 'arp_filter' option has been added to the
/etc/shorewall/interfaces file. This option causes
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
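Review bot: the rewritten "<port>" description says what the column holds when the protocol is 'udp' or 'tcp' but not what goes there for any other protocol (left empty, or a placeholder); since the line is being reworded, spell that out so readers of the generic tunnel syntax do not have to guess.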
@@ -301,7 +340,8 @@ facilitates testing of your firewall where multiple firewall interfaces
are connected to the same HUB/Switch (all interfaces connected to the
single HUB/Switch should have this option specified). Note that using
such a configuration in a production environment is strongly
-recommended against.
+recommended
+against.
The ADDRESS column in /etc/shorewall/masq may now include a
comma-separated list of addresses and/or address ranges. Netfilter will
use all listed addresses/ranges in round-robin fashion. \
@@ -320,8 +360,9 @@ separately.
Warning: When rate
limiting is specified on a rule with "all" in the SOURCE or DEST
-fields, the limit will apply to each pair of zones individually rather
-than as a single limit for all pairs of covered by the rule.
+fields,
+the limit will apply to each pair of zones individually rather than as
+a single limit for all pairs of covered by the rule.
To specify a rate limit,
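Review bot: the rewrapped line "a single limit for all pairs of covered by the rule." has a stray "of" and should read "all pairs covered by the rule". The warning is also worth one more sentence, because readers use rate limits as flood control: with "all" in SOURCE or DEST the limit is applied per zone pair, so the total rate the rule admits is the stated limit multiplied by the number of zone pairs the rule expands to.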
@@ -330,15 +371,14 @@ a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with
<
<rate>/<interval>[:<burst>] >
-
-where
+ where
<rate> is the sustained rate per
<interval>
<interval> is "sec" or "min"
<burst> is the largest burst
-accepted within an <interval>. If not given, the default of 5 is
-assumed.
+accepted within an
+<interval>. If not given, the default of 5 is assumed.
There may be no white space between the ACTION and "<" nor there may
be any white space within the burst specification. If you want to
@@ -364,59 +404,16 @@ After this, it will be 500ms (1 second divided by the rate
of 2) before a packet will be accepted from this rule, regardless of
how many packets reach it. Also, every 500ms which passes without
matching a packet, one of the bursts will be regained; if no packets
-hit the rule for 2 second, the burst will be fully recharged; back
-where we started.
+hit
+the rule for 2 second, the burst will be fully recharged; back where we
+started.
Multiple chains may now be displayed in one "shorewall
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).
Output rules (those with $FW as the SOURCE) may now be
limited to a set of local users and/or groups. See http://shorewall.net/UserSets.html
-for details.
-
-
-
- 8/27/2003 - Shorewall Mirror in Australia
- Thanks to Dave Kempe and Solutions First (http://www.solutionsfirst.com.au),
-there is now a Shorewall Mirror in Australia:
- http://www.shorewall.com.au
- ftp://ftp.shorewall.com.au
-
- 8/26/2003 - French Version of the Shorewall Setup
-Guide
-Thanks to Fabien Demassieux, there is now a French translation of the
-Shorewall Setup Guide. Merci Beacoup, Fabien!
-
- 8/5/2003 - Shorewall-1.4.6b
-
- Problems Corrected since version 1.4.6:
-
- - Previously, if TC_ENABLED is set to yes in shorewall.conf
-then Shorewall would fail to start with the error "ERROR: Traffic
-Control requires Mangle"; that problem has been corrected.
- - Corrected handling of MAC addresses in the SOURCE column of
-the
-tcrules file. Previously, these addresses resulted in an invalid
-iptables
-command.
- - The "shorewall stop" command is now disabled when
-/etc/shorewall/startup_disabled
-exists. This prevents people from shooting themselves in the foot prior
-to
-having configured Shorewall.
- - A change introduced in version 1.4.6 caused error messages
-during
-"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
-being
-added to a PPP interface; the addresses were successfully added in
-spite
-of the messages.
-
-The firewall script has been modified to eliminate the error messages.
+ href="UserSets.html">http://shorewall.net/UserSets.html for
+details.
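Review bot: the news entries for 8/27/2003 (Australian mirror), 8/26/2003 (French Setup Guide) and 8/5/2003 (Shorewall-1.4.6b) are deleted outright in this hunk; please confirm they were moved to the news archive, since the 1.4.6b "Problems Corrected" list is the only place recording, for example, that "shorewall stop" is disabled while /etc/shorewall/startup_disabled exists. Also, in the rewrapped rate-limit line, "the rule for 2 second, the burst will be fully recharged" should read "2 seconds".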
@@ -432,8 +429,8 @@ You can find their work at:
http://leaf.sourceforge.net/devel/jnilo
- Congratulations to Jacques
-and Eric on the recent release of Bering 1.2!!!
+ Congratulations to Jacques and Eric on the recent release of
+Bering 1.2!!!
Donations
@@ -479,7 +476,7 @@ Children's Foundation. Thanks!
- Updated 10/06/2003 - Tom Eastep
+ Updated 10/21/2003 - Tom Eastep
diff --git a/STABLE/documentation/shorewall_features.htm b/STABLE/documentation/shorewall_features.htm
index c043b43f7..9be0c68eb 100644
--- a/STABLE/documentation/shorewall_features.htm
+++ b/STABLE/documentation/shorewall_features.htm
@@ -1,119 +1,106 @@
-
-
-
-
Shorewall Features
-
-
+
-
-
-
+ |
+
+
Shorewall Features
- |
-
-
-
+
+
+
-
-
-Last updated 2/5/2003 - Tom Eastep
-
+Last updated 10/12/2003 - Tom
+Eastep
Copyright © 2001-2003 Thomas M. Eastep.
-
-
-
-
+
+
+
+
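Review bot: the "Last updated" line is bumped from 2/5/2003 to 10/12/2003, but every other line in this hunk is markup being removed or re-added with no visible change to the text. If the features list itself did not change, leave the date alone; if something substantive changed further down the file, this hunk does not show it and the commit message should say what it was.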
diff --git a/STABLE/documentation/shorewall_quickstart_guide.htm b/STABLE/documentation/shorewall_quickstart_guide.htm
index 34042e47d..71e93a3da 100644
--- a/STABLE/documentation/shorewall_quickstart_guide.htm
+++ b/STABLE/documentation/shorewall_quickstart_guide.htm
@@ -24,8 +24,7 @@ Guides (HOWTO's)
With thanks to Richard who reminded me once again
-that we
-must all first walk before we can run.
+that we must all first walk before we can run.
The French Translations of the single-IP guides are courtesy of Patrice
Vetsel
The French Translation of the Shorewall Setup Guide is courtesy of
@@ -50,16 +49,15 @@ acting as a firewall/router for a small local network and a DMZ. (The above guides are designed to get your first firewall up and
running quickly in the three most common Shorewall configurations. If
you want to learn more about Shorewall than is explained in the above
-simple guides, the Shorewall
-Setup Guide (See Index Below) is for you.
+simple guides, the Shorewall Setup
+Guide (See Index Below) is for you.
If you have more than one public
IP address:
The Shorewall Setup
Guide (See Index Below) outlines the steps necessary to set up a
-firewall where there are multiple public IP
-addresses involved or if you
+firewall where there are multiple public IP addresses involved or if you
want to learn more about Shorewall than is explained in the
single-address guides above (Version
Française).
@@ -79,15 +77,13 @@ Interfaces (e.g., eth0:0)
Blacklisting
- Static Blacklisting using /etc/shorewall/blacklist
- - Dynamic Blacklisting using
-/sbin/shorewall
+ - Dynamic Blacklisting using /sbin/shorewall
Commands
-(Description of
-all /sbin/shorewall commands)
+(Description of all /sbin/shorewall commands)
Common configuration file
-features
+features
- Comments in
configuration files
@@ -142,14 +138,13 @@ in Shorewall
- Extension
Scripts (How to extend Shorewall without modifying Shorewall
-code through the use of files in /etc/shorewall --
-/etc/shorewall/start, /etc/shorewall/stopped, etc.)
+code through the use of files in /etc/shorewall -- /etc/shorewall/start,
+/etc/shorewall/stopped, etc.)
- Fallback/Uninstall
- FAQs
- Features
- - Firewall Structure
- FTP and Shorewall
- Getting help or answers to questions
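Review bot: the index entry "- Firewall Structure" is removed with no replacement in this hunk. If the page it linked to still exists it is now unreachable from the index; if it was superseded (the following hunk adds a "Netfilter Overview" entry), the commit message should say so, and the old page should redirect or be removed in the same change.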
@@ -164,7 +159,8 @@ code through the use of files in /etc/shorewall --
- Logging
- MAC Verification
- - Mailing Lists
+ - Mailing Lists
+ - Netfilter Overview
- My Shorewall Configuration (How I
personally use Shorewall)
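Review bot: the "Mailing Lists" line is removed and re-added with identical visible text, so whatever actually changed (presumably the link target) cannot be reviewed here; please mention it in the commit message. The new "Netfilter Overview" entry is added without the parenthetical description that neighbouring entries carry (e.g. "Extension Scripts (How to extend Shorewall ...)"), so a short note on what the overview covers would keep the index consistent.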
@@ -178,8 +174,7 @@ personally use Shorewall)
- Ports used by Trojans
- Proxy
-ARP
+ Proxy ARP
Requirements
Samba
@@ -197,8 +192,7 @@ Subnets and Routing
-If you use one of these guides and have a suggestion for improvement
-please let me know.
-Last modified 9/23/2003 - Tom
+If you use one of these guides and have a suggestion for improvement please let me know.
+Last modified 10/11/2003 - Tom
Eastep
Copyright 2002, 2003 Thomas
M. Eastep
diff --git a/STABLE/documentation/sourceforge_index.htm b/STABLE/documentation/sourceforge_index.htm
index 05cb287ed..747c9718d 100644
--- a/STABLE/documentation/sourceforge_index.htm
+++ b/STABLE/documentation/sourceforge_index.htm
@@ -37,14 +37,12 @@ and control that facility. Netfilter can be used in ipchains
compatibility mode.
iptables - the utility program used to configure and
-control
-Netfilter. The term 'iptables' is often used to refer to the
-combination of iptables+Netfilter (with Netfilter not in
-ipchains compatibility mode).
+control Netfilter. The term 'iptables' is often used to refer to the
+combination of iptables+Netfilter (with Netfilter not in ipchains
+compatibility mode).
-The
-Shoreline Firewall, more commonly known as "Shorewall", is
+The Shoreline Firewall, more commonly known as "Shorewall", is
high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of configuration
files. Shorewall reads those configuration files and with the help of
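Review bot: the rewritten line "The Shoreline Firewall, more commonly known as "Shorewall", is" runs straight into the context line "high-level tool for configuring Netfilter" with no article; it should read "is a high-level tool".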
@@ -56,14 +54,14 @@ and can thus take advantage of Netfilter's connection state tracking
capabilities.
This program is free software; you can redistribute it and/or
modify it under the terms of Version 2 of the
-GNU General Public License as published by the Free Software
-Foundation.
+ href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
+General Public License as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-General Public License for more details.
+General
+Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
@@ -81,30 +79,80 @@ Shorewall. For older versions:
Getting Started with Shorewall
-New to Shorewall? Start by
-selecting the QuickStart Guide
-that most closely match your environment and
-follow the step by step instructions.
+New to Shorewall? Start by selecting the QuickStart Guide that most
+closely match your environment and follow the step by step instructions.
Looking for Information?
The Documentation
Index is a good place to start as is the Quick Search to your
right.
Running Shorewall on Mandrake with a two-interface setup?
If so, the documentation on this site will not apply directly
-to your setup. If you want to
-use the documentation that you find here, you will want to consider
-uninstalling what you have and installing a setup that matches the
-documentation on this site. See the Two-interface
-QuickStart Guide for
+to
+your setup. If you want to use the documentation that you find here,
+you will want to consider uninstalling what you have and installing a
+setup that matches the documentation on this site. See the Two-interface QuickStart Guide for
details.
News
+ 10/21/2003 - Shorewall 1.4.7a ![(New)](images/new10.gif)
+ This is a bugfix rollup of the following problem corrections:
+
+
+ - Tuomo Soini has supplied a correction to a problem that
+occurs
+using some versions of 'ash'. The symptom is that "shorewall start"
+fails with:
+
+ local: --limit: bad variable name
+ iptables v1.2.8: Couldn't load match
+`-j':/lib/iptables/libipt_-j.so:
+ cannot open shared object file: No such file or directory
+ Try `iptables -h' or 'iptables --help' for more
+information.
+
+
+ - Andres Zhoglo has supplied a correction that avoids trying
+to use the multiport match iptables facility on ICMP rules.
+
+ Example of rule that previously caused "shorewall start"
+to fail:
+
+
+ACCEPT loc $FW
+icmp 0,8,11,12
+
+
+ - Previously, if the following error message was issued,
+Shorewall was left in an inconsistent state.
+
+ Error: Unable to determine the routes routes through
+interface xxx
+
+
+ - Handling of the LOGUNCLEAN option in shorewall.conf has
+been corrected.
+ - In Shorewall 1.4.2, an optimization was added. This
+optimization
+involved creating a chain named "<zone>_frwd" for most zones
+defined using the /etc/shorewall/hosts file. It has since been
+discovered that in many cases these new chains contain redundant rules
+and that the "optimization" turns out to be less than optimal. The
+implementation has now been corrected.
+ - When the MARK value in a tcrules entry is followed by ":F"
+or
+":P", the ":F" or ":P" was previously only applied to the first
+Netfilter rule generated by the entry. It is now applied to all entries.
+
10/06/2003 - Shorewall 1.4.7 ![(New)](images/new10.gif)
-Problems Corrected since version 1.4.6 (Those in bold font
-were corrected since 1.4.7 RC2).
+Problems Corrected since version 1.4.6 (Those in bold font were
+corrected since 1.4.7 RC2).
- Corrected problem in 1.4.6 where the MANGLE_ENABLED
variable was being tested before it was set.
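Review bot: in the last 1.4.7a item, "It is now applied to all entries." contradicts the sentence before it, which is about the Netfilter rules generated by a single tcrules entry; it should read "It is now applied to all rules generated by the entry." Two more points in the new text: the quoted message "Error: Unable to determine the routes routes through interface xxx" doubles the word "routes"; if that is exactly what the script prints, keep it verbatim (administrators search for it) and fix the script separately, otherwise drop the repeat. And "the QuickStart Guide that most closely match your environment" should read "matches". Finally, the ash item says only that "shorewall start" fails; like the third item, which states that Shorewall was left in an inconsistent state, it should say what state the firewall is left in, since that is what an administrator deciding whether to apply the rollup needs to know.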
@@ -120,65 +168,53 @@ were being added to a PPP interface; the addresses were successfully
added in spite of the messages.
The firewall script has been modified to eliminate the error messages
- - Interface-specific dynamic blacklisting chains are
-now displayed by "shorewall monitor" on the "Dynamic Chains" page
+
- Interface-specific dynamic blacklisting chains are now
+displayed by "shorewall monitor" on the "Dynamic Chains" page
(previously named "Dynamic Chain").
- Thanks to Henry Yang, LOGRATE and LOGBURST now work again.
- - The 'shorewall reject'
-and
-'shorewall drop' commands now delete any existing rules for the subject
-IP address before adding a new DROP or REJECT rule. Previously, there
-could be many rules for the same IP address in the dynamic chain so
-that multiple 'allow' commands were required to re-enable traffic
-to/from the address.
- - When ADD_SNAT_ALIASES=Yes in
-shorewall.conf, the following entry in /etc/shorewall/masq resulted in
-a startup error:
+ - The 'shorewall reject' and 'shorewall drop'
+commands now delete any existing rules for the subject IP address
+before adding a new DROP or REJECT rule. Previously, there could be
+many rules for the same IP address in the dynamic chain so that
+multiple 'allow' commands were required to re-enable traffic to/from
+the address.
+ - When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following
+entry in /etc/shorewall/masq resulted in a startup error:
eth0 eth1
206.124.146.20-206.124.146.24
- - Shorewall previously choked over
-IPV6
-addresses configured on interfaces in contexts where Shorewall needed
-to detect something about the interface (such as when "detect" appears
-in the BROADCAST column of the /etc/shorewall/interfaces file).
- - Shorewall will now load
-module files that are formed from the module name by appending ".o.gz".
- - When Shorewall adds a route to a
-proxy
-ARP host and such a route already exists, two routes resulted
-previously. This has been corrected so that the existing route is
-replaced if it already exists.
- - The rfc1918 file has been
-updated to reflect recent allocations.
- - The documentation of the
-USER SET column in the rules file has been corrected.
- - If there is no policy
-defined for
-the zones specified in a rule, the firewall script previously
-encountered a shell syntax error:
-
-
+ - Shorewall previously choked over IPV6 addresses configured
+on interfaces in contexts where Shorewall needed to detect something
+about the interface (such as when "detect" appears in the BROADCAST
+column of the /etc/shorewall/interfaces file).
+ - Shorewall will now load module files that are formed from
+the module name by appending ".o.gz".
+ - When Shorewall adds a route to a proxy ARP host and such a
+route already exists, two routes resulted previously. This has been
+corrected so that the existing route is replaced if it already exists.
+ - The rfc1918 file has been updated to reflect recent
+allocations.
+ - The documentation of the USER SET column in the rules file
+has been corrected.
+ - If there is no policy defined for the zones specified in a
+rule, the firewall script previously encountered a shell syntax error:
+
[: NONE: unexpected operator
-
-
+
Now, the absence of a policy generates an error message and the
firewall is stopped:
-
-
+
No policy defined from zone
<source> to zone <dest>
- - Previously, if neither
-/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
-would fail to start and would not remove the lock file. Failure to
-remove the lock file resulted in the following during subsequent
-attempts to start:
-
-
+ - Previously, if neither /etc/shorewall/common nor
+/etc/shorewall/common.def existed, Shorewall would fail to start and
+would not remove the lock file. Failure to remove the lock file
+resulted in the following during subsequent attempts to start:
+
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
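Review bot: the blank "+" line inserted right after "The firewall script has been modified to eliminate the error messages" at the top of the hunk looks like an editor artifact rather than intended content, and the rewrapped "IPV6" line should say "IPv6". This hunk otherwise repeats the reflow already made to the same 1.4.7 notes in the first file of the patch; the two pages carry identical text, so any wording fix has to be applied to both.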
@@ -187,19 +223,17 @@ attempts to start:
Shorewall now reports a fatal error if neither of these two files exist
and correctly removes the lock fille.
- - The order of processing
-the
-various options has been changed such that blacklist entries now take
-precedence over the 'dhcp' interface setting.
- - The log message generated
-from the
-'logunclean' interface option has been changed to reflect a disposition
-of LOG rather than DROP.
+ - The order of processing the various options has been
+changed such that blacklist entries now take precedence over the 'dhcp'
+interface setting.
+ - The log message generated from the 'logunclean' interface
+option has been changed to reflect a disposition of LOG rather than
+DROP.
- When a user name and/or a
-group
-name was specified in the USER SET column and the destination zone was
-qualified with a IP address, the user and/or group name was not being
-used to qualify the rule.
+group name was specified in the USER SET column and the destination
+zone
+was qualified with a IP address, the user and/or group name was not
+being used to qualify the rule.
Example:
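Review bot: same fixes as the identical hunk in the first file: "a IP address" should be "an IP address" in the rewritten line, and the unchanged context lines above it still read "lock fille" and "neither of these two files exist".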
@@ -217,10 +251,9 @@ details.
- The Uset Set capability introduced in SnapShot 20030821 has
changed -- see the User Set page for
details.
- - The
-per-interface Dynamic Blacklisting facility introduced in the first
-post-1.4.6 Snapshot has been removed. The facility had too many
-idiosyncrasies for dial-up users to be a viable part of Shorewall.
+ - The per-interface Dynamic Blacklisting facility introduced
+in the first post-1.4.6 Snapshot has been removed. The facility had too
+many idiosyncrasies for dial-up users to be a viable part of Shorewall.
New Features:
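Review bot: the rewritten item states that the per-interface Dynamic Blacklisting facility was removed before 1.4.7, yet the "Problems Corrected" list earlier in this same file still carries the rewrapped item "Interface-specific dynamic blacklisting chains are now displayed by "shorewall monitor"", which describes that facility as present. One of the two needs a note so readers do not look for per-interface chains that no longer exist. Also fix "Uset Set capability" to "User Set capability" in the context line at the top of the hunk.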
@@ -239,8 +272,9 @@ command-specific help (e.g., shorewall help <command>).
A new option "ADMINISABSENTMINDED" has been added to
/etc/shorewall/shorewall.conf. This option has a default value of "No"
for existing users which causes Shorewall's 'stopped' state to
-continue as it has been; namely, in the stopped state only traffic
-to/from hosts listed in /etc/shorewall/routestopped is accepted.
+continue
+as it has been; namely, in the stopped state only traffic to/from hosts
+listed in /etc/shorewall/routestopped is accepted.
With ADMINISABSENTMINDED=Yes (the default for new installs), in
addition to traffic to/from the hosts listed in
@@ -248,7 +282,8 @@ addition to traffic to/from the hosts listed in
a) All traffic originating from the firewall itself; and
b) All traffic that is part of or related to an
-already-existing connection.
+already-existing
+connection.
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
entered through an ssh session will not kill the session.
@@ -272,12 +307,9 @@ fw tcp 22
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
connection with local system 192.168.1.5. I then create a second SSH
-connection
-from that computer to the firewall and confidently type "shorewall
-stop".
-As part of its stop processing, Shorewall removes eth0:0 which kills my
-SSH
-connection to 192.168.1.5!!!
+connection from that computer to the firewall and confidently type
+"shorewall stop". As part of its stop processing, Shorewall removes
+eth0:0 which kills my SSH connection to 192.168.1.5!!!
Given the wide range of VPN software, I can never hope to
add specific support for all of it. I have therefore decided to add
"generic" tunnel support.
@@ -297,15 +329,17 @@ where:
<protocol> is the protocol
used by the tunnel
<port> if the protocol
-is 'udp' or 'tcp' then this is the destination port number used by the
-tunnel.
+is 'udp' or 'tcp' then this is the
+destination port number used by the tunnel.
<zone> is the zone of
the remote tunnel gateway
<ip address> is the IP
-address of the remote tunnel gateway.
+address of the remote tunnel
+gateway.
<gateway zone>
-Optional. A comma-separated list of zone names. If specified, the
-remote gateway is to be considered part of these zones.
+Optional. A comma-separated list of zone
+names. If specified, the remote gateway is to be considered part of
+these zones.
An 'arp_filter' option has been added to the
/etc/shorewall/interfaces file. This option causes
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
@@ -315,7 +349,8 @@ facilitates testing of your firewall where multiple firewall interfaces
are connected to the same HUB/Switch (all interfaces connected to the
single HUB/Switch should have this option specified). Note that using
such a configuration in a production environment is strongly
-recommended against.
+recommended
+against.
The ADDRESS column in /etc/shorewall/masq may now include a
comma-separated list of addresses and/or address ranges. Netfilter will
use all listed addresses/ranges in round-robin fashion. \
@@ -334,8 +369,9 @@ separately.
Warning: When rate
limiting is specified on a rule with "all" in the SOURCE or DEST
-fields, the limit will apply to each pair of zones individually rather
-than as a single limit for all pairs of covered by the rule.
+fields,
+the limit will apply to each pair of zones individually rather than as
+a single limit for all pairs of covered by the rule.
To specify a rate limit,
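Review bot: as in the first file's copy of this warning, drop the stray "of" in the rewrapped line "a single limit for all pairs of covered by the rule."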
@@ -344,15 +380,14 @@ a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with
<
<rate>/<interval>[:<burst>] >
-
-where
+ where
<rate> is the sustained rate per
<interval>
<interval> is "sec" or "min"
<burst> is the largest burst
-accepted within an <interval>. If not given, the default of 5 is
-assumed.
+accepted within an
+<interval>. If not given, the default of 5 is assumed.
There may be no white space between the ACTION and "<" nor there may
be any white space within the burst specification. If you want to
@@ -378,8 +413,9 @@ After this, it will be 500ms (1 second divided by the rate
of 2) before a packet will be accepted from this rule, regardless of
how many packets reach it. Also, every 500ms which passes without
matching a packet, one of the bursts will be regained; if no packets
-hit the rule for 2 second, the burst will be fully recharged; back
-where we started.
+hit
+the rule for 2 second, the burst will be fully recharged; back where we
+started.
Multiple chains may now be displayed in one "shorewall
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).
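Review bot: the rewrapped line "the rule for 2 second, the burst will be fully recharged" should read "2 seconds"; the earlier copy of this paragraph in the patch has the same typo.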
@@ -387,50 +423,6 @@ show" command (e.g., shorewall show INPUT FORWARD OUTPUT).
limited to a set of local users and/or groups. See http://shorewall.net/UserSets.html for
details.
-
- 8/27/2003 - Shorewall Mirror in Australia
- Thanks to Dave Kempe and Solutions First (http://www.solutionsfirst.com.au),
-there is now a Shorewall Mirror in Australia:
-
- 8/26/2003 - French Version of the Shorewall Setup
-Guide
-Thanks to Fabien Demassieux, there is now a French translation of the
-Shorewall Setup Guide. Merci Beacoup, Fabien! 9/15/2003
-- Shorewall 1.4.7 Beta 2
- 8/5/2003 - Shorewall-1.4.6b
-
- Problems Corrected since version 1.4.6:
-
- - Previously, if TC_ENABLED is set to yes in shorewall.conf
-then Shorewall would fail to start with the error "ERROR: Traffic
-Control requires Mangle"; that problem has been corrected.
- - Corrected handling of MAC addresses in the SOURCE column of
-the
-tcrules file. Previously, these addresses resulted in an invalid
-iptables
-command.
- - The "shorewall stop" command is now disabled when
-/etc/shorewall/startup_disabled
-exists. This prevents people from shooting themselves in the foot prior
-to
-having configured Shorewall.
- - A change introduced in version 1.4.6 caused error messages
-during
-"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
-being
-added to a PPP interface; the addresses were successfully added in
-spite
-of the messages.
-
-The firewall script has been modified to eliminate the error messages.
More News
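Review bot: the deleted 8/27, 8/26 and 8/5/2003 news entries should be confirmed present on the "More News" page referenced in the context line immediately after the hunk; otherwise the 1.4.6b "Problems Corrected" list (TC_ENABLED mangle error, MAC addresses in tcrules, "shorewall stop" disabled while /etc/shorewall/startup_disabled exists, PPP alias messages) disappears from the site. Removing the fragment "9/15/2003 - Shorewall 1.4.7 Beta 2" that had been run into the French-translation item is correct, since it was a stray heading with no body.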
@@ -503,7 +495,7 @@ Children's Foundation. Thanks!
-Updated 10/06/2003 - Tom Eastep
+ Updated 10/21/2003 - Tom Eastep
diff --git a/STABLE/documentation/traffic_shaping.htm b/STABLE/documentation/traffic_shaping.htm
index 4b127c911..b4c30a56e 100644
--- a/STABLE/documentation/traffic_shaping.htm
+++ b/STABLE/documentation/traffic_shaping.htm
@@ -1,341 +1,315 @@
-
-
-
-
Traffic Shaping
-
-
+
-
-
-
+ |
+
+
Traffic Shaping/Control
- |
-
-
-
+
+
+
-
-Shorewall has limited support for traffic shaping/control.
- In order to use traffic shaping under Shorewall, it is essential that
- you get a copy of the Linux Advanced Routing
- and Shaping HOWTO, version 0.3.0 or later. It is also necessary
-to be running Linux Kernel 2.4.18 or later.
-
-Shorewall traffic shaping support consists of the following:
-
+Shorewall has limited support for traffic
+shaping/control. In order to use traffic shaping under Shorewall, it is
+essential that you get a copy of the Linux
+Advanced Routing and Shaping HOWTO, version 0.3.0 or later. It is
+also necessary to be running Linux Kernel 2.4.18 or later.
+Shorewall traffic shaping support consists of the
+following:
- - A new TC_ENABLED parameter in /etc/shorewall.conf.
- Traffic Shaping also requires that you enable packet mangling.
- - A new CLEAR_TC parameter in /etc/shorewall.conf (Added
- in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
- the setting of this variable determines whether Shorewall clears the traffic
- shaping configuration during Shorewall [re]start and Shorewall stop.
-
- - /etc/shorewall/tcrules - A file where you
-can specify firewall marking of packets. The firewall mark value
-may be used to classify packets for traffic shaping/control.
-
- - /etc/shorewall/tcstart - A user-supplied file
- that is sourced by Shorewall during "shorewall start" and which
- you can use to define your traffic shaping disciplines and classes.
- I have provided a sample that does
- table-driven CBQ shaping but if you read the traffic shaping sections
- of the HOWTO mentioned above, you can probably code your own faster
- than you can learn how to use my sample. I personally use
- HTB (see below).
- HTB support may eventually become an integral part of Shorewall
-since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
- HTB is a standard part of the kernel but iproute2 must be patched in
- order to use it.
-
- In tcstart, when you want to run the 'tc' utility,
-use the run_tc function supplied by shorewall if you want tc errors
- to stop the firewall.
-
- You can generally use off-the-shelf traffic shaping scripts by
-simply copying them to /etc/shorewall/tcstart. I use The Wonder Shaper (HTB version)
- that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
-and modified it according to the Wonder Shaper README). WARNING: If
- you use use Masquerading or SNAT (i.e., you only have one external IP address)
- then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
- script won't work. Traffic shaping occurs after SNAT has already been
-applied so when traffic shaping happens, all outbound traffic will have
-as a source address the IP addresss of your firewall's external interface.
-
- - /etc/shorewall/tcclear - A user-supplied file
- that is sourced by Shorewall when it is clearing traffic shaping.
- This file is normally not required as Shorewall's method of clearing
- qdisc and filter definitions is pretty general.
-
-
- Shorewall allows you to start traffic shaping when Shorewall itself
- starts or it allows you to bring up traffic shaping when you bring up your
- interfaces.
-
- To start traffic shaping when Shorewall starts:
-
-
- - Set TC_ENABLED=Yes and CLEAR_TC=Yes
- - Supply an /etc/shorewall/tcstart script to configure your traffic
- shaping rules.
- - Optionally supply an /etc/shorewall/tcclear script to stop
-traffic shaping. That is usually unnecessary.
- - If your tcstart script uses the 'fwmark' classifier, you can
-mark packets using entries in /etc/shorewall/tcrules.
-
-
- To start traffic shaping when you bring up your network interfaces,
- you will have to arrange for your traffic shaping configuration script
-to be run at that time. How you do that is distribution dependent and will
-not be covered here. You then should:
-
-
- - Set TC_ENABLED=Yes and CLEAR_TC=No
- - Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
- scripts.
- - If your tcstart script uses the 'fwmark' classifier,
- you can mark packets using entries in /etc/shorewall/tcrules.
-
-
-
-Kernel Configuration
-
-This screen shot show how I've configured QoS in my Kernel:
-
-
-
-
-/etc/shorewall/tcrules
-
-The fwmark classifier provides a convenient way to classify
- packets for traffic shaping. The /etc/shorewall/tcrules file provides
- a means for specifying these marks in a tabular fashion.
-
-
-Normally, packet marking occurs in the PREROUTING chain before
- any address rewriting takes place. This makes it impossible to mark inbound
- packets based on their destination address when SNAT or Masquerading
-are being used. Beginning with Shorewall 1.3.12, you can cause packet
-marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
-option in shorewall.conf.
-
-
-Columns in the file are as follows:
-
-
- - MARK - Specifies the mark value is to be assigned
-in case of a match. This is an integer in the range 1-255. Beginning
-with Shorewall version 1.3.14, this value may be optionally followed by
-":" and either 'F' or 'P' to designate that the marking will occur in the
-FORWARD or PREROUTING chains respectively. If this additional specification
-is omitted, the chain used to mark packets will be determined by the setting
-of the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
-
- Example - 5
-
- - SOURCE - The source of the packet. If the packet
-originates on the firewall, place "fw" in this column. Otherwise,
-this is a comma-separated list of interface names, IP addresses, MAC
-addresses in Shorewall Format and/or
-Subnets.
-
- Examples
- eth0
- 192.168.2.4,192.168.1.0/24
-
- - DEST -- Destination of the packet. Comma-separated
-list of IP addresses and/or subnets.
-
- - PROTO - Protocol - Must be the name of a protocol
-from /etc/protocol, a number or "all"
-
- - PORT(S) - Destination Ports. A comma-separated list
- of Port names (from /etc/services), port numbers or port ranges (e.g.,
- 21:22); if the protocol is "icmp", this column is interpreted as
- the destination icmp type(s).
-
- - CLIENT PORT(S) - (Optional) Port(s) used by the client.
- If omitted, any source port is acceptable. Specified as a comma-separate
- list of port names, port numbers or port ranges.
-
-
-
-Example 1 - All packets arriving on eth1 should be marked
- with 1. All packets arriving on eth2 and eth3 should be marked with
- 2. All packets originating on the firewall itself should be marked with
- 3.
-
-
-
-
- MARK |
- SOURCE |
- DEST |
- PROTO |
- PORT(S) |
- CLIENT PORT(S) |
-
-
- 1 |
- eth1 |
- 0.0.0.0/0 |
- all |
- |
- |
-
-
- 2 |
- eth2 |
- 0.0.0.0/0 |
- all |
- |
- |
-
-
- 2
- |
- eth3
- |
- 0.0.0.0/0
- |
- all
- |
-
- |
-
- |
-
-
- 3 |
- fw |
- 0.0.0.0/0 |
- all |
- |
- |
-
-
-
-
-
-Example 2 - All GRE (protocol 47) packets not originating
- on the firewall and destined for 155.186.235.151 should be marked
-with 12.
-
-
-
-
- MARK |
- SOURCE |
- DEST |
- PROTO |
- PORT(S) |
- CLIENT PORT(S) |
-
-
- 12 |
- 0.0.0.0/0 |
- 155.186.235.151 |
- 47 |
- |
- |
-
-
-
-
-
-Example 3 - All SSH packets originating in 192.168.1.0/24
- and destined for 155.186.235.151 should be marked with 22.
-
-
-
-
- MARK |
- SOURCE |
- DEST |
- PROTO |
- PORT(S) |
- CLIENT PORT(S) |
-
-
- 22 |
- 192.168.1.0/24 |
- 155.186.235.151 |
- tcp |
- 22 |
- |
-
-
-
-
-
-My Setup
-
-
-While I am currently using the HTB version of The Wonder Shaper (I just copied
- wshaper.htb to /etc/shorewall/tcstart and modified it as shown
- in the Wondershaper README), I have also run with the following set of
-hand-crafted rules in my /etc/shorewall/tcstart file:
-
-
-
- run_tc qdisc add dev eth0 root handle 1: htb default 30
run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k
echo " Added Top Level Class -- rate 384kbit"
-
- run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1 run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0 run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1
-
- echo " Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"
-
- run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5 run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10 run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5
-
- echo " Enabled PFIFO on Second Level Classes"
-
- run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10 run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20 run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30
-
- echo " Defined fwmark filters"
-
-
-My tcrules file that went with this tcstart file is shown in Example 1
- above. You can look at my configuration to
-see why I wanted shaping of this type.
-
-
-
- - I wanted to allow up to 140kbits/second for traffic outbound
- from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ
-traffic can use all available bandwidth if there is no traffic from the
-local systems or from my laptop or firewall).
- - My laptop and local systems could use up to 224kbits/second.
- - My firewall could use up to 20kbits/second.
-
-
- You see the rest of my Shorewall configuration
- to see how this fit in.
-
-Last Updated 3/19/2003 - Tom Eastep
-
-Copyright
- © 2001, 2002, 2003 Thomas M. Eastep.
-
-
-
+ A new TC_ENABLED parameter in /etc/shorewall.conf.
+Traffic Shaping also requires that you enable packet mangling.
+ A new CLEAR_TC parameter in /etc/shorewall.conf (Added
+in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
+the setting of this variable determines whether Shorewall clears the
+traffic shaping configuration during Shorewall [re]start and Shorewall
+stop.
+
+ /etc/shorewall/tcrules - A file where you
+can specify firewall marking of packets. The firewall mark value
+may be used to classify packets for traffic shaping/control.
+
+ /etc/shorewall/tcstart - A user-supplied file that is
+sourced by Shorewall during "shorewall start" and which you can use to
+define your traffic shaping disciplines and classes. I have provided a sample that does
+table-driven CBQ shaping but if you read the traffic shaping sections
+of the HOWTO mentioned above, you can probably code your own faster
+than you can learn how to use my sample. I personally use HTB (see below). HTB
+support may eventually become an integral part of Shorewall since HTB
+is a lot simpler and better-documented than CBQ. As of 2.4.20, HTB is a
+standard part of the kernel but iproute2 must be patched in order to
+use it.
-
-
-
+In tcstart, when you want to run the 'tc' utility,
+use the run_tc function supplied by shorewall if you want tc errors to
+stop the firewall.
+
+You can generally use off-the-shelf traffic shaping scripts by simply
+copying them to /etc/shorewall/tcstart. I use The Wonder Shaper (HTB
+version) that way (i.e., I just copied wshaper.htb to
+/etc/shorewall/tcstart
+and modified it according to the Wonder Shaper README). WARNING: If
+you use use Masquerading or SNAT (i.e., you only have one external IP
+address) then listing internal hosts in the NOPRIOHOSTSRC variable in
+the wshaper[.htb] script won't work. Traffic shaping occurs after SNAT
+has already been
+applied so when traffic shaping happens, all outbound traffic will have
+as a source address the IP addresss of your firewall's external
+interface.
+
+ /etc/shorewall/tcclear - A user-supplied file that is
+sourced by Shorewall when it is clearing traffic shaping. This file is
+normally not required as Shorewall's method of clearing qdisc and
+filter definitions is pretty general.
+
+Shorewall allows you to start traffic shaping when Shorewall itself
+starts or it allows you to bring up traffic shaping when you bring up
+your interfaces.
+
+To start traffic shaping when Shorewall starts:
+
+ - Set TC_ENABLED=Yes and CLEAR_TC=Yes
+ - Supply an /etc/shorewall/tcstart script to configure your traffic
+shaping rules.
+ - Optionally supply an /etc/shorewall/tcclear script to stop
+traffic shaping. That is usually unnecessary.
+ - If your tcstart script uses the 'fwmark' classifier, you can mark
+packets using entries in /etc/shorewall/tcrules.
+
+To start traffic shaping when you bring up your network interfaces, you
+will have to arrange for your traffic shaping configuration script to
+be run at that time. How you do that is distribution dependent and will
+not be covered here. You then should:
+
+ - Set TC_ENABLED=Yes and CLEAR_TC=No
+ - Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
+scripts.
+ - If your tcstart script uses the 'fwmark' classifier,
+you can mark packets using entries in /etc/shorewall/tcrules.
+
+Kernel Configuration
+This screen shot show how I've configured QoS in my
+Kernel:
+
+/etc/shorewall/tcrules
+The fwmark classifier provides a convenient way to
+classify packets for traffic shaping. The /etc/shorewall/tcrules file
+provides a means for specifying these marks in a tabular fashion.
+
+Normally, packet marking occurs in the PREROUTING chain
+before any address rewriting takes place. This makes it impossible to
+mark inbound packets based on their destination address when SNAT or
+Masquerading
+are being used. Beginning with Shorewall 1.3.12, you can cause packet
+marking to occur in the FORWARD chain by using the
+MARK_IN_FORWARD_CHAIN
+option in shorewall.conf.
+
+Columns in the file are as follows:
+
+ - MARK - Specifies the mark value is to be assigned in case of a
+match. This is an integer in the range 1-255. Beginning with Shorewall
+version 1.3.14, this value may be optionally followed by
+":" and either 'F' or 'P' to designate that the marking will occur in
+the
+FORWARD or PREROUTING chains respectively. If this additional
+specification
+is omitted, the chain used to mark packets will be determined by the
+setting
+of the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
+
+Example - 5
+
+ - SOURCE - The source of the packet. If the packet
+originates on the firewall, place "fw" in this column. Otherwise,
+this is a comma-separated list of interface names, IP addresses, MAC
+addresses in Shorewall Format
+and/or
+Subnets.
+
+Examples
+ eth0
+ 192.168.2.4,192.168.1.0/24
+
+ - DEST -- Destination of the packet. Comma-separated list of IP
+addresses and/or subnets.
+
+ - PROTO - Protocol - Must be the name of a protocol from
+/etc/protocol, a number or "all"
+
+ - PORT(S) - Destination Ports. A comma-separated list of Port names
+(from /etc/services), port numbers or port ranges (e.g., 21:22); if the
+protocol is "icmp", this column is interpreted as the destination icmp
+type(s).
+
+ - CLIENT PORT(S) - (Optional) Port(s) used by the client. If
+omitted, any source port is acceptable. Specified as a comma-separate
+list of port names, port numbers or port ranges.
+
+Example 1 - All packets arriving on eth1 should be
+marked with 1. All packets arriving on eth2 and eth3 should be marked
+with 2. All packets originating on the firewall itself should be marked
+with 3.
+
+
+
+ MARK |
+ SOURCE |
+ DEST |
+ PROTO |
+ PORT(S) |
+ CLIENT PORT(S) |
+
+
+ 1 |
+ eth1 |
+ 0.0.0.0/0 |
+ all |
+ |
+ |
+
+
+ 2 |
+ eth2 |
+ 0.0.0.0/0 |
+ all |
+ |
+ |
+
+
+ 2
+ |
+ eth3
+ |
+ 0.0.0.0/0
+ |
+ all
+ |
+
+ |
+
+ |
+
+
+ 3 |
+ fw |
+ 0.0.0.0/0 |
+ all |
+ |
+ |
+
+
+
+Example 2 - All GRE (protocol 47) packets not
+originating on the firewall and destined for 155.186.235.151 should be
+marked with 12.
+
+
+
+ MARK |
+ SOURCE |
+ DEST |
+ PROTO |
+ PORT(S) |
+ CLIENT PORT(S) |
+
+
+ 12 |
+ 0.0.0.0/0 |
+ 155.186.235.151 |
+ 47 |
+ |
+ |
+
+
+
+Example 3 - All SSH packets originating in
+192.168.1.0/24 and destined for 155.186.235.151 should be marked with
+22.
+
+
+
+ MARK |
+ SOURCE |
+ DEST |
+ PROTO |
+ PORT(S) |
+ CLIENT PORT(S) |
+
+
+ 22 |
+ 192.168.1.0/24 |
+ 155.186.235.151 |
+ tcp |
+ 22 |
+ |
+
+
+
+My Current Setup
+
+I am currently using the HTB version of The Wonder Shaper (I just
+copied wshaper.htb to /etc/shorewall/tcstart and modified it as
+shown in the Wondershaper README). WonderShaper
+DOES NOT USE THE
+/etc/shorewall/tcrules file. While I currently have entries in
+/etc/shorewall/tcrules, I do so for policy routing for Squid and not
+for Traffic Shaping.
+My Old Setup
+
+I have also run with the following set of hand-crafted rules in my /etc/shorewall/tcstart
+file.
+
+
+ run_tc qdisc add dev eth0 root handle 1: htb default 30
run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k
echo " Added Top Level Class -- rate 384kbit"
+ run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1 run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0 run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1
+ echo " Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"
+ run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5 run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10 run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5
+ echo " Enabled PFIFO on Second Level Classes"
+ run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10 run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20 run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30
+ echo " Defined fwmark filters"
+
+My tcrules file that went with this tcstart file is shown in Example
+1 above. When I was using these rules:
+
+
+ - I wanted to allow up to 140kbits/second for traffic outbound from
+my DMZ (eth1 -- note that the ceiling is set to 384kbit so outbound DMZ
+traffic can use all available bandwidth if there is no traffic from the
+local systems or from my laptop or firewall).
+ - My laptop (which at that time connected via eth3) and local
+systems (eth2) could use up to 224kbits/second.
+ - My firewall could use up to 20kbits/second.
+
+Once www.shorewall.net was moved off-site, I no longer needed these
+shaping rules and The Wonder Shaper does all that I now require.
+Last Updated 10/21/2003 - Tom
+Eastep
+Copyright
+© 2001, 2002, 2003 Thomas M. Eastep.
+
+
+
+
+
+
+
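Review bot: in the "My Old Setup" sample, three `run_tc` invocations are run together on single lines (the second-level class line, the pfifo qdisc line and the fw filter line), so when /etc/shorewall/tcstart is sourced the shell hands the text `run_tc class add dev eth0 parent 1:1 classid 1:20 ...` to the first tc invocation as extra arguments instead of executing three commands; split each of these at every `run_tc` so there is one invocation per line, as `run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k` already is. The reflow also dropped the blank lines that separated those groups in the removed version, which is what makes the joins easy to miss. Small wording fixes worth folding in while this text is being touched: "you use use Masquerading", "the IP addresss of your firewall's", "comma-separate list", "This screen shot show how", and "the mark value is to be assigned" (read "the mark value to be assigned"). Since the page recommends copying off-the-shelf scripts straight into /etc/shorewall/tcstart and that file is sourced into the firewall's own shell at "shorewall start", a sentence reminding readers to review such scripts before installing them and to keep the file root-owned and not writable by others would be useful documentation here.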
diff --git a/STABLE/fallback.sh b/STABLE/fallback.sh
index d008a31e1..a04468d5c 100755
--- a/STABLE/fallback.sh
+++ b/STABLE/fallback.sh
@@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
-VERSION=1.4.7
+VERSION=1.4.7a
usage() # $1 = exit status
{
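Review bot: VERSION=1.4.7a here has to agree with the same literal in install.sh and uninstall.sh and with `%define version 1.4.7a` in shorewall.spec, and this diff updates all four by hand; deriving the three scripts' VERSION from one place (the spec or a release VERSION file) at packaging time would stop one of them being missed on a future bump. Within this diff the four values do agree.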
diff --git a/STABLE/install.sh b/STABLE/install.sh
index 9a2c1145a..4edffed39 100755
--- a/STABLE/install.sh
+++ b/STABLE/install.sh
@@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
-VERSION=1.4.7
+VERSION=1.4.7a
usage() # $1 = exit status
{
diff --git a/STABLE/shorewall.spec b/STABLE/shorewall.spec
index 4d4cac0b4..a4e21f8d2 100644
--- a/STABLE/shorewall.spec
+++ b/STABLE/shorewall.spec
@@ -1,5 +1,5 @@
%define name shorewall
-%define version 1.4.7
+%define version 1.4.7a
%define release 1
%define prefix /usr
@@ -108,6 +108,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
+* Tue Oct 21 2003 Tom Eastep
+- Changed version to 1.4.7a-1
* Sat Oct 04 2003 Tom Eastep
- Changed version to 1.4.7-1
- Removed conflict with 2.2 Kernels
diff --git a/STABLE/uninstall.sh b/STABLE/uninstall.sh
index ca54b3929..6f896635e 100755
--- a/STABLE/uninstall.sh
+++ b/STABLE/uninstall.sh
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
-VERSION=1.4.7
+VERSION=1.4.7a
usage() # $1 = exit status
{