diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml index 39972f8be..6586651cd 100644 --- a/Shorewall-docs2/Documentation.xml +++ b/Shorewall-docs2/Documentation.xml @@ -2027,6 +2027,28 @@ ACCEPT fw net tcp www THAT IS THE ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION. + + Normally MASQUERADE/SNAT rules are evaluated after one-to-one + NAT rules defined in the /etc/shorewall/nat file. + Beginning with Shorewall 2.1.1, if you preceed the interface name + with a plus sign ("+") then the rule will be evaluated before + one-to-one NAT. + + Examples: + + +eth0 ++eth1:192.0.2.32/27 + + Also new in the Shorewall 2.1 series, the effect of + ADD_SNAT_ALIASES=Yes can be negated for an entry by following the + interface name by ":" but no digit. + + Examples: + + eth0: +eth1::192.0.2.32/27 ++eth3 @@ -2382,6 +2404,14 @@ eth0 eth1 206.124.146.176 the ipconfig utility. THAT IS THE ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION. + + Beginning with Shorewall 2.1.1, the effect of + ADD_IP_ALIASES=Yes can be negated for an entry by following the + interface name by ":" but no digit. + + Example: + + eth0: @@ -3627,6 +3657,16 @@ eth1 - Revision History + + 1.19 + + 2004-09012 + + TE + + Changes for Shorewall 2.1. + + 1.18 diff --git a/Shorewall-docs2/Install.xml b/Shorewall-docs2/Install.xml index 647d1a857..f06e26fbf 100644 --- a/Shorewall-docs2/Install.xml +++ b/Shorewall-docs2/Install.xml @@ -15,7 +15,7 @@ - 2004-06-25 + 2004-09-12 2001 @@ -35,7 +35,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. 
@@ -45,11 +46,13 @@ If you install using the .deb, you will find that your /etc/shorewall directory is empty. This is intentional. The released configuration file skeletons may be found on - your system in the directory /usr/share/doc/shorewall/default-config. + your system in the directory /usr/share/doc/shorewall/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies. - Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf + Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall even if you do not modify those files. @@ -60,9 +63,9 @@ Before attempting installation, I strongly urge you to read and - print a copy of the Shorewall - QuickStart Guide for the configuration that most closely matches - your own. + print a copy of the Shorewall QuickStart Guide + for the configuration that most closely matches your own. To install Shorewall using the RPM: @@ -71,14 +74,15 @@ Install the RPM - rpm -ivh <shorewall rpm> + rpm -ivh <shorewall rpm> Some SuSE users have encountered a problem whereby rpm reports - a conflict with kernel <= 2.2 even though a 2.4 kernel is - installed. If this happens, simply use the --nodeps option to rpm. + a conflict with kernel <= 2.2 even though a 2.4 kernel is + installed. If this happens, simply use the --nodeps option to + rpm. - rpm -ivh --nodeps <shorewall rpm> + rpm -ivh --nodeps <shorewall rpm> @@ -89,9 +93,10 @@ error: failed dependencies:iproute is needed by shorewall-1.4.x-1 - This may be worked around by using the --nodeps option of rpm. + This may be worked around by using the --nodeps option of + rpm. - rpm -ivh --nodeps <shorewall rpm> + rpm -ivh --nodeps <shorewall rpm> 
@@ -110,6 +115,14 @@ + + Enable startup by removing + /etc/shorewall/startup_disabled (If you are + running Shorewall 2.1.3 or later, edit + /etc/shorewall/shorewall.conf and set + STARTUP_ENABLED to Yes). + + Start the firewall by typing @@ -123,9 +136,9 @@ Before attempting installation, I strongly urge you to read and - print a copy of the Shorewall - QuickStart Guide for the configuration that most closely matches - your own. + print a copy of the Shorewall QuickStart Guide + for the configuration that most closely matches your own. To install Shorewall using the tarball and install script: @@ -141,18 +154,19 @@ - If you are running Slackware, - you need Shorewall 2.0.2 RC1 or later. If you are installing a - Shorewall version earlier than 2.0.3 Beta 1 then you must also edit - the install.sh file and change the lines + If you are running Slackware, you need Shorewall + 2.0.2 RC1 or later. If you are installing a Shorewall version earlier + than 2.0.3 Beta 1 then you must also edit the install.sh file and + change the lines - DEST="/etc/init.d" -INIT="shorewall" + DEST="/etc/init.d" +INIT="shorewall" to - DEST="/etc/rc.d" -INIT="rc.firewall" + DEST="/etc/rc.d" +INIT="rc.firewall" @@ -172,9 +186,26 @@ INIT="rc.firewall" - Enable Startup by removing /etc/shorewall/startup_disabled - (Debian users will edit /etc/default/shorewall - and set startup=1). + Enable Startup: + + + + Users running Shorewall 2.1.3 or later, edit + /etc/shorewall/shorewall.conf and set + STARTUP_ENABLED=Yes. + + + + Users running Shorewall 2.1.2 or earlier and using the .deb + should edit /etc/default/shorewall and set + startup=1. + + + + All other users, remove the file + /etc/shorewall/startup_disabled + + @@ -186,7 +217,8 @@ INIT="rc.firewall" If the install script was unable to configure Shorewall to be started automatically at boot, see these instructions. + url="starting_and_stopping_shorewall.htm">these + instructions. 
@@ -196,15 +228,16 @@ INIT="rc.firewall" Before attempting installation, I strongly urge you to read and - print a copy of the Shorewall - QuickStart Guide for the configuration that most closely matches - your own. + print a copy of the Shorewall QuickStart Guide + for the configuration that most closely matches your own. To install my version of Shorewall on a fresh Bering disk, simply replace the shorwall.lrp file on the image with the file that you downloaded. See the two-interface - QuickStart Guide for information about further steps required. + QuickStart Guide for information about further steps + required.
@@ -224,22 +257,23 @@ INIT="rc.firewall" please check your /etc/shorewall/interfaces file to be sure that it contains an entry for each interface mentioned in the hosts file. Also, there are certain 1.2 rule forms that are no longer supported under 1.4 - (you must use the new 1.4 syntax). See the - upgrade issues for details. + (you must use the new 1.4 syntax). See the upgrade issues for details. Upgrade the RPM - rpm -Uvh <shorewall rpm file> + rpm -Uvh <shorewall rpm file> Some SuSE users have encountered a problem whereby rpm reports - a conflict with kernel <= 2.2 even though a 2.4 kernel is - installed. If this happens, simply use the --nodeps option to rpm. + a conflict with kernel <= 2.2 even though a 2.4 kernel is + installed. If this happens, simply use the --nodeps option to + rpm. - rpm -Uvh --nodeps <shorewall rpm> + rpm -Uvh --nodeps <shorewall rpm> @@ -250,15 +284,17 @@ INIT="rc.firewall" error: failed dependencies:iproute is needed by shorewall-1.4.0-1 - This may be worked around by using the --nodeps option of rpm. + This may be worked around by using the --nodeps option of + rpm. - rpm -Uvh --nodeps <shorewall rpm> + rpm -Uvh --nodeps <shorewall rpm> See if there are any incompatibilities between your - configuration and the new Shorewall version and correct as necessary. + configuration and the new Shorewall version and correct as + necessary. shorewall check @@ -288,8 +324,8 @@ INIT="rc.firewall" please check your /etc/shorewall/interfaces file to be sure that it contains an entry for each interface mentioned in the hosts file. Also, there are certain 1.2 rule forms that are no longer supported under 1.4 - (you must use the new 1.4 syntax). See the - upgrade issues for details. + (you must use the new 1.4 syntax). See the upgrade issues for details. 
@@ -305,18 +341,19 @@ INIT="rc.firewall" - If you are running Slackware, - you should use Shorewall 2.0.2 RC1 or later. If you are installing a - Shorewall version earlier than 2.0.3 Beta 1 then you must also edit - the install.sh file and change the lines + If you are running Slackware, you should use + Shorewall 2.0.2 RC1 or later. If you are installing a Shorewall + version earlier than 2.0.3 Beta 1 then you must also edit the + install.sh file and change the lines - DEST="/etc/init.d" -INIT="shorewall" + DEST="/etc/init.d" +INIT="shorewall" to - DEST="/etc/rc.d" -INIT="rc.firewall" + DEST="/etc/rc.d" +INIT="rc.firewall" @@ -332,7 +369,8 @@ INIT="rc.firewall" See if there are any incompatibilities between your - configuration and the new Shorewall version and correct as necessary. + configuration and the new Shorewall version and correct as + necessary. shorewall check @@ -346,7 +384,8 @@ INIT="rc.firewall" If the install script was unable to configure Shorewall to be started automatically at boot, see these instructions. + url="starting_and_stopping_shorewall.htm">these + instructions.
@@ -375,6 +414,7 @@ INIT="rc.firewall"
Uninstall/Fallback - See Fallback and Uninstall. + See Fallback and + Uninstall.
\ No newline at end of file diff --git a/Shorewall-docs2/User_defined_Actions.xml b/Shorewall-docs2/User_defined_Actions.xml index 534a9b58a..50db5e0d7 100755 --- a/Shorewall-docs2/User_defined_Actions.xml +++ b/Shorewall-docs2/User_defined_Actions.xml @@ -15,7 +15,7 @@ - 2004-03-25 + 2004-09-17 2003 @@ -31,28 +31,33 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License.
Creating a New Action - Prior to Shorewall version 1.4.9, rules in /etc/shorewall/rules - were limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.). - Beginning with Shorewall version 1.4.9, users may use sequences of these - elementary operations to define more complex actions. + Prior to Shorewall version 1.4.9, rules in + /etc/shorewall/rules were limited to those defined by + Netfilter (ACCEPT, DROP, REJECT, etc.). Beginning with Shorewall version + 1.4.9, users may use sequences of these elementary operations to define + more complex actions. To define a new action: - Add a line to /etc/shorewall/actions - that names your new action. Action names must be valid shell variable - names as well as valid Netfilter chain names. It is recommended that - the name you select for a new action begins with with a capital - letter; that way, the name won't conflict with a Shorewall-defined - chain name. + Add a line to + /etc/shorewall/actions that + names your new action. Action names must be valid shell variable names + ((must begin with a letter and be composed of letters, digits and + underscore characters) as well as valid Netfilter chain names. If you + intend to log from the action, the name must have a maximum of 11 + characters. It is recommended that the name you select for a new + action begins with with a capital letter; that way, the name won't + conflict with a Shorewall-defined chain name. Beginning with Shorewall-2.0.0-Beta1, the name of the action may be optionally followed by a colon (:) and ACCEPT, DROP @@ -71,8 +76,9 @@ Once you have defined your new action name (ActionName), then - copy /usr/share/shorewall/action.template to /etc/shorewall/action.ActionName - (for example, if your new action name is Foo then copy + copy /usr/share/shorewall/action.template to + /etc/shorewall/action.ActionName (for example, if + your new action name is Foo then copy /usr/share/shorewall/action.template to /etc/shorewall/action.Foo). 
@@ -87,10 +93,11 @@ TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or - <action> where <action> - is a previously-defined action (that is, it must precede the action - being defined in this file in your /etc/shorewall/actions - file). These actions have the same meaning as they do in the + <action> where + <action> is a previously-defined action + (that is, it must precede the action being defined in this file in + your /etc/shorewall/actions file). These actions + have the same meaning as they do in the /etc/shorewall/rules file (CONTINUE terminates processing of the current action and returns to the point where that action was invoked). The TARGET may optionally be followed by a colon @@ -120,13 +127,14 @@ MAC addresses are not allowed. Unlike in the SOURCE column, you may specify a range of up to - 256 IP addresses using the syntax <first ip>-<last - ip>. + 256 IP addresses using the syntax <first + ip>-<last ip>. - PROTO - Protocol - Must be tcp, udp, - icmp, a number, or all. + PROTO - Protocol - Must be tcp, + udp, icmp, a number, or + all. @@ -135,8 +143,8 @@ ranges; if the protocol is icmp, this column is interpreted as the destination icmp-type(s). - A port range is expressed as <low port>:<high - port>. + A port range is expressed as <low + port>:<high port>. This column is ignored if PROTOCOL = all but must be entered if any of the following ields are supplied. In that case, it is suggested @@ -156,7 +164,8 @@ - Otherwise, a separate rule will be generated for each port. + Otherwise, a separate rule will be generated for each + port. 
@@ -164,9 +173,8 @@ source port is acceptable. Specified as a comma-separated list of port names, port numbers or port ranges. - If you don't want to restrict client ports but need to - specify an ADDRESS in the next column, then place "-" in this - column. + If you don't want to restrict client ports but need to specify + an ADDRESS in the next column, then place "-" in this column. If your kernel contains multi-port match support, then only a single Netfilter rule will be generated if in this list and in the @@ -182,18 +190,19 @@ - Otherwise, a separate rule will be generated for each port. + Otherwise, a separate rule will be generated for each + port. RATE LIMIT - You may rate-limit the rule by placing a value in this column: - <rate>/<interval>[:<burst>]where - <rate> is the number of connections per - <interval> (sec or - min) and <burst> is the - largest burst permitted. If no <burst> is + <rate>/<interval>[:<burst>]where + <rate> is the number of connections per + <interval> (sec or + min) and <burst> is the + largest burst permitted. If no <burst> is given, a value of 5 is assumed. There may be no whitespace embedded in the specification. @@ -207,30 +216,33 @@ any of the following: - [!]<user number>[:] + [!]<user number>[:] - [!]<user name>[:] + [!]<user name>[:] - [!]:<group number> + [!]:<group number> - [!]:<group name> + [!]:<group name> - [!]<user number>:<group - number> + [!]<user + number>:<group + number> - [!]<user name>:<group - number> + [!]<user + name>:<group + number> - [!]<user inumber>:<group - name> + [!]<user + inumber>:<group + name> - [!]<user name>:<group - name> + [!]<user + name>:<group name> - Omitted column entries should be entered using a dash ("-:). + Omitted column entries should be entered using a dash ("-:). Example: 
@@ -244,13 +256,123 @@ #ACTION SOURCE DEST PROTO DEST PORT(S) LogAndAccept loc fw tcp 22 + + Prior to Shorewall 2.1.2, specifying a log level (and optionally a + log tag) on a rule that specified a user-defined (or Shorewall-defined) + action would log all traffic passed to the action. Beginning with + Shorewall 2.1.2, specifying a log level in a rule that specifies a user- + or Shorewall-defined action will cause each rule in the action to be + logged with the specified level (and tag). + + The extent to which logging of action rules occur is goverend by the + following: + + + + When you invoke an action and specify a log level, only those + rules in the action that have no log level will be changed to log at + the level specified at the action invocation. + + Example: + + /etc/shorewall/action.foo + + #TARGET SOURCE DEST PROTO DEST PORT(S) +ACCEPT - - tcp 22 +bar:info + + /etc/shorewall/rules: + + #ACTION SOURCE DEST PROTO DEST PORT(S) +foo:debug fw net + + Logging in the invoke 'foo' action will be as if foo had been + defined as: + + #TARGET SOURCE DEST PROTO DEST PORT(S) +ACCEPT:debug - - tcp 22 +bar:info + + + + If you follow the log level with "!" then logging will be at + that level for all rules recursively invoked by the action. + + Example: + + /etc/shorewall/action.foo + + #TARGET SOURCE DEST PROTO DEST PORT(S) +ACCEPT - - tcp 22 +bar:info + + /etc/shorewall/rules: + + #ACTION SOURCE DEST PROTO DEST PORT(S) +foo:debug! fw net + + Logging in the invoke 'foo' action will be as if foo had been + defined as: + + #TARGET SOURCE DEST PROTO DEST PORT(S) +ACCEPT:debug - - tcp 22 +bar:debug + + + + The change in Shorewall 2.1.2 has an effect on extension scripts + used with user-defined actions. If you define an action 'acton' and you + have an /etc/shorewall/acton script then when that + script is invoked, the following three variables will be set for use by + the script: + + + + $CHAIN = the name of the chain where your rules are to be + placed. 
When logging is used on an action invocation, Shorewall + creates a chain with a slightly different name from the action + itself. + + + + $LEVEL = Log level. If empty, no logging was specified. + + + + $TAG = Log Tag. + + + + Example: + + /etc/shorewall/rules: + + #ACTION SOURCE DEST +acton:info:test fw net + + Your /etc/shorewall/acton file will be run with: + + + + $CHAIN="%acton1" + + + + $LEVEL="info" + + + + $TAG="test" + +
Standard Actions In Shorewall 2.0 Beginning with Shorewall 2.0.0-Beta1, Shorewall includes a number of - defined actions. These defined actions are listed in /usr/share/shorewall/actions.std. + defined actions. These defined actions are listed in + /usr/share/shorewall/actions.std. The /usr/share/shorewall/actions.std file includes the common actions Drop for DROP policies and @@ -268,27 +390,32 @@ AllowFTP loc fw /usr/share/shorewall/actions.std is processed before /etc/shorewall/actions and if you have any - actions defined with the same name as one in /usr/share/shorewall/actions.std, - your version in /etc/shorewall will - be the one used. So if you wish to modify a standard action, simply copy - the associated action file from /usr/share/shorewall - to /etc/shorewall and modify - it to suit your needs. The next shorewall restart will - cause your action to be installed in place of the standard one. In - particular, if you want to modify the common actions Drop - or Reject, simply copy action.Drop or - Action.Reject to /etc/shorewall - and modify that copy as desired. + actions defined with the same name as one in + /usr/share/shorewall/actions.std, your version in + /etc/shorewall will be the one + used. So if you wish to modify a standard action, simply copy the + associated action file from /usr/share/shorewall to /etc/shorewall and modify it to suit your + needs. The next shorewall restart will cause your + action to be installed in place of the standard one. In particular, if you + want to modify the common actions Drop or + Reject, simply copy action.Drop or + Action.Reject to /etc/shorewall and modify that copy as + desired.
Creating an Action using an Extension Script There may be cases where you wish to create a chain with rules that - can't be constructed using the tools defined in the action.template. - In that case, you can use an extension script.If you actually - need an action to drop broadcast packets, use the dropBcast - standard action rather than create one like this. + can't be constructed using the tools defined in the action.template. In + that case, you can use an extension script. + If you actually need an action to drop broadcast packets, use + the dropBcast standard action rather than create + one like this. + An action to drop all broadcast packets diff --git a/Shorewall-docs2/bridge.xml b/Shorewall-docs2/bridge.xml index e419c042a..aa22366c8 100755 --- a/Shorewall-docs2/bridge.xml +++ b/Shorewall-docs2/bridge.xml @@ -15,7 +15,7 @@ - 2004-09-23 + 2004-10-04 2004 @@ -433,6 +433,12 @@ loc eth1 detect net br0:eth0 dmz br0:eth2 + + + The DMZ systems need a route to the 192.168.201.0/24 network via + 192.0.2.176 to enable them to communicate with the local + network. +
@@ -456,4 +462,4 @@ dmz br0:eth2
- \ No newline at end of file + diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml index 8de85790f..c7732c6b9 100644 --- a/Shorewall-docs2/myfiles.xml +++ b/Shorewall-docs2/myfiles.xml @@ -15,7 +15,7 @@ - 2004-09-07 + 2004-10-02 2001-2004 @@ -213,8 +213,7 @@ OMAK=<ip address of tipper while we are at our second home> LOG=info EXT_IF=eth1 INT_IF=eth0 -DMZ_IF=eth2 - +DMZ_IF=eth2 @@ -223,10 +222,10 @@ DMZ_IF=eth2
#ZONE DISPLAY COMMENTS +omak Omak Our Laptop at our second home net Internet Internet dmz DMZ Demilitarized zone loc Local Local networks -omak Omak Our Laptop at our second home tx Texas Peer Network in Dallas #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE @@ -242,7 +241,7 @@ tx Texas Peer Network in Dallas #ZONE INTERFACE BROADCAST OPTIONS net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs -loc $INT_IF detect dhcp +loc $INT_IF 192.168.1.255 dhcp dmz $DMZ_IF - - texas - #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE @@ -351,9 +350,8 @@ all all REJECT $LOG
Although most of our internal systems use one-to-one NAT, my - wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do - my SuSE system (192.168.1.3), our laptop (192.168.3.8) and visitors - with laptops. + wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as + does our laptop (192.168.3.8) and visitors with laptops. The first entry allows access to the DSL modem and uses features introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the @@ -861,4 +859,4 @@ default via 192.168.1.254 dev br0
- \ No newline at end of file + diff --git a/Shorewall-docs2/standalone.xml b/Shorewall-docs2/standalone.xml index 249ac458f..52ab7c493 100644 --- a/Shorewall-docs2/standalone.xml +++ b/Shorewall-docs2/standalone.xml @@ -15,7 +15,7 @@ - 2004-07-14 + 2004-09-12 2002-2004 @@ -29,7 +29,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. @@ -39,9 +40,9 @@ Setting up Shorewall on a standalone Linux system is very easy if you understand the basics and follow the documentation. - This guide doesn't attempt to acquaint you with all of the - features of Shorewall. It rather focuses on what is required to configure - Shorewall in one of its most common configurations: + This guide doesn't attempt to acquaint you with all of the features + of Shorewall. It rather focuses on what is required to configure Shorewall + in one of its most common configurations: @@ -62,11 +63,11 @@ Requirements Shorewall requires that you have the iproute/iproute2 package - installed (on RedHat, the package is called iproute). - You can tell if this package is installed by the presence of an - ip program on your firewall system. As - root, you can use the which command to check for this - program: + installed (on RedHat, the package is called + iproute). You can tell if this package is installed + by the presence of an ip program on + your firewall system. As root, you can use the which + command to check for this program: [root@gateway root]# which ip /sbin/ip 
@@ -77,8 +78,8 @@ Before you start I recommend that you read through the guide first to familiarize - yourself with what's involved then go back through it again making - your configuration changes. + yourself with what's involved then go back through it again making your + configuration changes. If you edit your configuration files on a Windows system, you @@ -92,8 +93,9 @@ Windows Version of dos2unix - Linux - Version of dos2unix + Linux Version of + dos2unix @@ -102,7 +104,8 @@ Conventions Points at which configuration changes are recommended are flagged - with . + with . @@ -112,10 +115,11 @@ If you have an ADSL Modem and you use PPTP to communicate with a - server in that modem, you must make the changes - recommended here in addition to those - described in the steps below. ADSL with PPTP is most commonly - found in Europe, notably in Austria. + server in that modem, you must make the changes recommended here in addition to those described in the steps + below. ADSL with PPTP is most commonly found in Europe, notably + in Austria.
@@ -126,12 +130,13 @@ The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple setups, you only need to deal with a few of these as described in this - guide. After you have installed Shorewall, - download the installed + Shorewall, download the one-interface sample, un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall (they will replace files with the same names that - were placed in /etc/shorewall during Shorewall installation). + were placed in /etc/shorewall during Shorewall + installation). Note to Debian Users @@ -139,11 +144,14 @@ If you install using the .deb, you will find that your /etc/shorewall directory is empty. This is intentional. The released configuration file skeletons may be found on - your system in the directory /usr/share/doc/shorewall/default-config. + your system in the directory /usr/share/doc/shorewall/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies. + class="directory">/etc/shorewall and modify the + copies. - Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf + Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall even if you do not modify those files. @@ -177,10 +185,12 @@ - Shorewall zones are defined in /etc/shorewall/zones. + Shorewall zones are defined in /etc/shorewall/zones. Shorewall also recognizes the firewall system as its own zone - by - default, the firewall itself is known as fw. + default, the firewall itself is known as fw. Rules about what traffic to allow and what traffic to deny are expressed in terms of zones. @@ -188,7 +198,8 @@ You express your default policy for connections from one zone to - another zone in the /etc/shorewall/policy + another zone in the /etc/shorewall/policy file. 
@@ -200,12 +211,13 @@ For each connection request entering the firewall, the request is - first checked against the /etc/shorewall/rules - file. If no rule in that file matches the connection request then the - first policy in /etc/shorewall/policy that matches - the request is applied. If there is a comon action defined for the - policy in /etc/shorewall/actions or + first checked against the + /etc/shorewall/rules file. If no + rule in that file matches the connection request then the first policy in + /etc/shorewall/policy that matches the request is + applied. If there is a comon + action defined for the policy in + /etc/shorewall/actions or /usr/share/shorewall/actions.std then that action is peformed before the action is applied. @@ -221,7 +233,8 @@ all all REJECT info - allow all connection requests from the firewall to the internet + allow all connection requests from the firewall to the + internet @@ -244,15 +257,16 @@ all all REJECT info The firewall has a single network interface. Where Internet connectivity is through a cable or DSL Modem, the - External Interface will be the ethernet adapter (eth0) that is connected to that Modem - unless you connect via - Point-to-Point Protocol over Ethernet (PPPoE) or - Point-to-Point Tunneling Protocol (PPTP) in which - case the External Interface will be a ppp0. - If you connect via a regular modem, your External Interface will also be - ppp0. If you connect using ISDN, your - external interface will be ippp0. + External Interface will be the ethernet adapter + (eth0) that is connected to that + Modem unless you + connect via Point-to-Point Protocol over Ethernet + (PPPoE) or Point-to-Point Tunneling Protocol (PPTP) + in which case the External Interface will be a ppp0. If you connect via a regular modem, your + External Interface will also be ppp0. If + you connect using ISDN, your external interface will be ippp0. 
@@ -264,25 +278,28 @@ all all REJECT info Some hints: - If your external interface is ppp0 - or ippp0, you can replace the - detect in the second column with -. + If your external interface is ppp0 or ippp0, + you can replace the detect in the second column with + -. - If your external interface is ppp0 - or ippp0 or if you have a static IP - address, you can remove dhcp from the option list. + If your external interface is ppp0 or ippp0 or + if you have a static IP address, you can remove dhcp from + the option list. If you specify norfc1918 for your external interface, you will want to check the Shorewall - Errata periodically for updates to the /usr/share/shorewall/rfc1918 - file. Alternatively, you can copy /usr/share/shorewall/rfc1918 - to /etc/shorewall/rfc1918 then strip down your /etc/shorewall/rfc1918 - file as I do. + Errata periodically for updates to the + /usr/share/shorewall/rfc1918 file. Alternatively, + you can copy /usr/share/shorewall/rfc1918 to + /etc/shorewall/rfc1918 then strip down your + /etc/shorewall/rfc1918 file as I do.
@@ -296,12 +313,12 @@ all all REJECT info
172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 - These addresses are sometimes referred to as non-routable - because the Internet backbone routers will not forward a packet whose - destination address is reserved by RFC 1918. In some cases though, ISPs - are assigning these addresses then using Network Address - Translation to rewrite packet headers when forwarding to/from - the internet. + These addresses are sometimes referred to as + non-routable because the Internet backbone routers + will not forward a packet whose destination address is reserved by RFC + 1918. In some cases though, ISPs are assigning these addresses then using + Network Address Translation to rewrite packet headers + when forwarding to/from the internet. @@ -319,7 +336,8 @@ all all REJECT info actions included in your version of Shorewall in the file /usr/share/shorewall/actions.std. - Those actions that allow a connection begin with Allow. + Those actions that allow a connection begin with + Allow. If you wish to enable connections from the internet to your firewall and you find an appropriate Allow action in @@ -327,7 +345,7 @@ all all REJECT info rule in /etc/shorewall/rules is: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -<action> net fw +<action> net fw You want to run a Web Server and a POP3 Server on your firewall 
@@ -341,10 +359,11 @@ AllowPOP3 net fw</programlisting> <para>You may also choose to code your rules directly without using the pre-defined actions. This will be necessary in the event that there is not a pre-defined action that meets your requirements. In that case the - general format of a rule in <filename>/etc/shorewall/rules</filename> is:</para> + general format of a rule in <filename>/etc/shorewall/rules</filename> + is:</para> <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) -ACCEPT net fw <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting> +ACCEPT net fw <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting> <example> <title>You want to run a Web Server and a POP3 Server on your firewall @@ -355,12 +374,12 @@ ACCEPT net fw tcp 80 ACCEPT net fw tcp 110</programlisting></para> </example> - <para>If you don't know what port and protocol a particular - application uses, see <ulink url="ports.htm">here</ulink>.</para> + <para>If you don't know what port and protocol a particular application + uses, see <ulink url="ports.htm">here</ulink>.</para> <important> - <para>I don't recommend enabling telnet to/from the internet because - it uses clear text (even for login!). If you want shell access to your + <para>I don't recommend enabling telnet to/from the internet because it + uses clear text (even for login!). If you want shell access to your firewall from the internet, use SSH:</para> <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) 
@@ -380,34 +399,46 @@ AllowSSH net fw </programlisting> <para>The <ulink url="Install.htm">installation procedure</ulink> configures your system to start Shorewall at system boot but beginning - with Shorewall version 1.3.9 startup is disabled so that your system - won't try to start Shorewall before configuration is complete. Once - you have completed configuration of your firewall, you can enable - Shorewall startup by removing the file <filename>/etc/shorewall/startup_disabled</filename>.</para> + with Shorewall version 1.3.9 startup is disabled so that your system won't + try to start Shorewall before configuration is complete. Once you have + completed configuration of your firewall, you can enable Shorewall startup + by removing the file + <filename>/etc/shorewall/startup_disabled</filename>.</para> <important> <para><emphasis role="bold">Users of the .deb package must edit - <filename>/etc/default/shorewall</filename> and set <quote>startup=1</quote>.</emphasis></para> + <filename>/etc/default/shorewall</filename> and set + <quote>startup=1</quote>.</emphasis></para> </important> - <para>The firewall is started using the <quote><command>shorewall start</command></quote> - command and stopped using <quote><command>shorewall stop</command></quote>. - When the firewall is stopped, routing is enabled on those hosts that have - an entry in <filename><ulink url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink></filename>. + <important> + <para><emphasis role="bold">If you are running Shorewall 2.1.3 or later, + you must enable startup by editing /etc/shorewall/shorewall.conf and + setting STARTUP_ENABLED=Yes.</emphasis></para> + </important> + + <para>The firewall is started using the <quote><command>shorewall + start</command></quote> command and stopped using + <quote><command>shorewall stop</command></quote>. 
When the firewall is + stopped, routing is enabled on those hosts that have an entry in + <filename><ulink + url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink></filename>. A running firewall may be restarted using the <quote><command>shorewall restart</command></quote> command. If you want to totally remove any trace - of Shorewall from your Netfilter configuration, use <quote><command>shorewall - clear</command></quote>.</para> + of Shorewall from your Netfilter configuration, use + <quote><command>shorewall clear</command></quote>.</para> <warning> <para>If you are connected to your firewall from the internet, do not issue a <quote><command>shorewall stop</command></quote> command unless you have added an entry for the IP address that you are connected from - to <ulink url="Documentation.htm#Routestopped"><filename>/etc/shorewall/routestopped</filename></ulink>. - Also, I don't recommend using <quote><command>shorewall restart</command></quote>; - it is better to create an <emphasis><ulink - url="configuration_file_basics.htm#Configs">alternate configuration</ulink></emphasis> - and test it using the <ulink url="starting_and_stopping_shorewall.htm"><quote><command>shorewall + to <ulink + url="Documentation.htm#Routestopped"><filename>/etc/shorewall/routestopped</filename></ulink>. + Also, I don't recommend using <quote><command>shorewall + restart</command></quote>; it is better to create an <emphasis><ulink + url="configuration_file_basics.htm#Configs">alternate + configuration</ulink></emphasis> and test it using the <ulink + url="starting_and_stopping_shorewall.htm"><quote><command>shorewall try</command></quote> command</ulink>.</para> </warning> </section> 
@@ -424,11 +455,57 @@ AllowSSH net fw </programlisting> <appendix> <title>Revision History - 1.72004-02-16TEMove - /etc/shorewall/rfc1918 to /usr/share/shorewall.1.62004-02-05TEUpdate - for Shorewall 2.01.52004-01-05TEStandards - Changes1.42003-12-30TEAdd - tip about /etc/shorewall/rfc1918 updates.1.32003-11-15TEInitial - Docbook Conversion + + + 1.7 + + 2004-02-16 + + TE + + Move /etc/shorewall/rfc1918 to + /usr/share/shorewall. + + + + 1.6 + + 2004-02-05 + + TE + + Update for Shorewall 2.0 + + + + 1.5 + + 2004-01-05 + + TE + + Standards Changes + + + + 1.4 + + 2003-12-30 + + TE + + Add tip about /etc/shorewall/rfc1918 updates. + + + + 1.3 + + 2003-11-15 + + TE + + Initial Docbook Conversion + + \ No newline at end of file diff --git a/Shorewall-docs2/starting_and_stopping_shorewall.xml b/Shorewall-docs2/starting_and_stopping_shorewall.xml index a60612676..410a5e5a9 100644 --- a/Shorewall-docs2/starting_and_stopping_shorewall.xml +++ b/Shorewall-docs2/starting_and_stopping_shorewall.xml @@ -15,7 +15,7 @@ - 2004-08-10 + 2004-09-12 2004 @@ -176,7 +176,10 @@ file /etc/shorewall/startup_disabled. Note: Users of the .deb package must edit /etc/default/shorewall and set - startup=1. + startup=1 while users who are running Shorewall + 2.1.3 or later must edit + /etc/shorewall/shorewall.conf and set + STARTUP_ENABLED=Yes.
diff --git a/Shorewall-docs2/support.xml b/Shorewall-docs2/support.xml index c1d3a0488..e929dc54a 100644 --- a/Shorewall-docs2/support.xml +++ b/Shorewall-docs2/support.xml @@ -15,7 +15,7 @@ - 2004-09-07 + 2004-09-21 2001-2004 @@ -269,7 +269,8 @@
Where to Send your Problem Report or to Ask for Help - If you run the current development + If you run the current development release and + your question involves a feature that is only available in the development release (see the Shorewall Release Model page) -- please post your question or problem to the Shorewall @@ -303,72 +304,4 @@ url="http://lists.shorewall.net">http://lists.shorewall.net .
- - - Revision History - - - - 1.6 - - 2003-07-03 - - TE - - New Release Model - - - - 1.5 - - 2003-05-16 - - TE - - Add link to the troubleshooting section - - - - 1.4 - - 2003-03-15 - - TE - - Remove Newbies Mailing List. - - - - 1.3 - - 2003-02-19 - - TE - - Admonish against including "iptables -L" - output. - - - - 1.2 - - 2003-01-01 - - TE - - Removed .GIF and moved note about unsupported releases. - Move Revision History to this Appendix. - - - - 1.1 - - 2003-12-19 - - TE - - Corrected URL for Newbies List - - - - \ No newline at end of file + diff --git a/Shorewall-docs2/template.xml b/Shorewall-docs2/template.xml index cb9f18754..6895743dc 100644 --- a/Shorewall-docs2/template.xml +++ b/Shorewall-docs2/template.xml @@ -5,7 +5,7 @@ - Operating Shorewall + @@ -29,7 +29,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. diff --git a/Shorewall-docs2/three-interface.xml b/Shorewall-docs2/three-interface.xml index 65fff79b2..c63c57e7e 100755 --- a/Shorewall-docs2/three-interface.xml +++ b/Shorewall-docs2/three-interface.xml @@ -15,7 +15,7 @@ - 2004-09-06 + 2004-09-12 2002-2004 @@ -931,6 +931,10 @@ ACCEPT net fw tcp 80 Users of the .deb package must edit /etc/default/shorewall and set startup=1. + + Users running Shorewall 2.1.3 or later should edit + /etc/shorewall/shorewall.conf and set + STARTUP_ENABLED=Yes. The firewall is started using the shorewall start command and stopped using shorewall stop. When the firewall is stopped, routing is enabled on those diff --git a/Shorewall-docs2/two-interface.xml b/Shorewall-docs2/two-interface.xml index 84e7e7915..61496c2b5 100644 --- a/Shorewall-docs2/two-interface.xml +++ b/Shorewall-docs2/two-interface.xml 
@@ -859,6 +859,9 @@ ACCEPT loc fw tcp 80 #Allow Weblet to workUsers of the .deb package must edit /etc/default/shorewall and set startup=1. + + Users running Shorewall 2.1.3 or later must edit + /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes. The firewall is started using the shorewall start command and stopped using shorewall stop. When the firewall is
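Review bot: In the "Starting and Stopping" hunk (the one adding the second `<important>` block), the new instruction for Shorewall 2.1.3 or later ("you must enable startup by editing /etc/shorewall/shorewall.conf and setting STARTUP_ENABLED=Yes") sits directly under a paragraph that still tells every reader to enable startup "by removing the file /etc/shorewall/startup_disabled", so a 2.1.3 reader gets two contradictory procedures. Qualify the earlier paragraph by version, e.g. "with Shorewall versions 1.3.9 through 2.1.2 startup is disabled ... by removing the file /etc/shorewall/startup_disabled", so each reader knows which mechanism applies to the release they are running.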
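Review bot: In the Revision History hunk of the same file (the one expanding entries 1.7 through 1.3 into separate rows), no entry records the STARTUP_ENABLED change made to this file in this same change, so the history will be stale as soon as it is committed. Add a 1.8 row dated 2004-09-12 (the date the other files in this change are bumped to) with a note such as "Add STARTUP_ENABLED note for Shorewall 2.1.3", and bump this file's pubdate to match.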
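Review bot: In the starting_and_stopping_shorewall.xml hunk, the sentence "Users of the .deb package must edit /etc/default/shorewall and set startup=1 while users who are running Shorewall 2.1.3 or later must edit /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes" leaves a .deb user on 2.1.3 or later unsure whether both settings are required or only the second. State it explicitly, for example by splitting into two sentences and saying whether the .deb startup=1 requirement still applies on 2.1.3 and later.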
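Review bot: In the three-interface.xml hunk the new note says users running 2.1.3 or later "should edit" shorewall.conf, whereas the two-interface.xml hunk and the starting_and_stopping_shorewall.xml hunk say "must edit" for the same setting. Since startup stays disabled until STARTUP_ENABLED=Yes is set, use "must" in three-interface.xml as well so the three guides do not suggest different levels of obligation for the same step.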
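Review bot: In the support.xml hunks, the pubdate is bumped to 2004-09-21 while every other file in this change is bumped to 2004-09-12; if the later date is intentional that is fine, but it looks like a stray edit and is worth a second look. The same file drops its entire Revision History appendix without a replacement, so the removed entries (1.1 through 1.6, including "New Release Model" and "Admonish against including \"iptables -L\" output") are no longer recorded anywhere; if the history is being retired on purpose, say so in the commit message.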
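Review bot: In the template.xml hunk the "Operating Shorewall" title is replaced with an empty `<title>` element, which yields an untitled document whenever someone copies the template and forgets to fill it in. A visible placeholder such as "Document Title Here" makes the omission obvious in rendered output rather than silent.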