From 863bd01657821854d4455060e928a9edc23425be Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 4 Feb 2004 22:40:37 +0000
Subject: [PATCH] Misc doc changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1122 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
Shorewall-docs/Documentation_Index.xml | 11 +-
Shorewall-docs/FAQ.xml | 11 +
Shorewall-docs/Multiple_Zones.xml | 447 ++-----------
Shorewall-docs/myfiles2.xml | 622 ++++++++++++++++++
Shorewall-docs/releasenotes.xml | 122 ----
.../shorewall_extension_scripts.xml | 23 +-
Shorewall-docs/three-interface.xml | 2 +-
7 files changed, 698 insertions(+), 540 deletions(-)
create mode 100644 Shorewall-docs/myfiles2.xml
delete mode 100644 Shorewall-docs/releasenotes.xml
diff --git a/Shorewall-docs/Documentation_Index.xml b/Shorewall-docs/Documentation_Index.xml
index b32cfcdec..74ef42e67 100644
--- a/Shorewall-docs/Documentation_Index.xml
+++ b/Shorewall-docs/Documentation_Index.xml
@@ -15,7 +15,7 @@ - 2004-01-21 + 2004-02-04 2001-2003
@@ -23,7 +23,7 @@ Thomas M. Eastep - 1.4.9 + 1.4.10 Permission is granted to copy, distribute and/or modify this
@@ -221,7 +221,8 @@ My Shorewall Configuration (How I - personally use Shorewall) + personally use Shorewall) (Shorewall 2.0 + Configuration)
@@ -272,6 +273,10 @@ Requirements + + Routing on One Interface + + Samba
diff --git a/Shorewall-docs/FAQ.xml b/Shorewall-docs/FAQ.xml
index 5ee39a4a2..c38eff1f5 100644
--- a/Shorewall-docs/FAQ.xml
+++ b/Shorewall-docs/FAQ.xml
@@ -1367,6 +1367,17 @@ Creating input Chains... + +
+ Given that the Debian Stable Release includes Shorewall 1.2.12, + how can you not support that version? + + The first release of Shorewall was in March of 2001. Shorewall + 1.2.12 was released in May of 2002. It is now the year 2004 and soon + Shorewall 2.0 will be available. Shorewall 1.2.12 is poorly documented + and is missing many of the features that Shorewall users find essential + today. +
diff --git a/Shorewall-docs/Multiple_Zones.xml b/Shorewall-docs/Multiple_Zones.xml
index 5b1b17382..2cd165e7c 100644
--- a/Shorewall-docs/Multiple_Zones.xml
+++ b/Shorewall-docs/Multiple_Zones.xml
@@ -5,7 +5,7 @@ - Multiple Zones per Interface + Routing on One Interface
@@ -15,7 +15,7 @@ - 2003-11-21 + 2004-02-04 2003
@@ -181,149 +181,35 @@ loc1 to the internet doesn't match any rules for loc1->net then it will be checked against the loc->net rules. - - /etc/shorewall/zones + /etc/shorewall/zones - - - - ZONE - - DISPLAY - - COMMENTS - - - - - - loc1 - - Local2 - - Hosts access through internal router - - - - loc - - Local - - All hosts accessed via eth1 - - - -
+ #ZONE DISPLAY COMMENTS +loc1 Local1 Hosts accessed through internal router +loc Local All hosts accessed via eth1 the sub-zone (loc1) is defined first! - - /etc/shorewall/interfaces + /etc/shorewall/interfaces - - - - ZONE + #ZONE INTERFACE BROADCAST +loc eth1 192.168.1.255 - INTERFACE + /etc/shorewall/hosts - BROADCAST - - OPTIONS - - - - - - loc - - eth1 - - 192.168.1.255 - - ... - - - -
- - - /etc/shorewall/hosts - - - - - ZONE - - HOSTS - - OPTIONS - - - - - - loc1 - - eth1:192.168.2.0/24 - - - - - -
+ #ZONE HOSTS +loc1 eth1:192.168.2.0/24 If you don't need Shorewall to set up infrastructure to route traffic between loc and loc1, add - these two policies: + these two policies. - - /etc/shorewall/policy + /etc/shorewall/policy - - - - SOURCE - - DEST - - POLICY - - LOG LEVEL - - RATE:BURST - - - - - - loc - - loc1 - - NONE - - - - - - - - loc1 - - loc - - NONE - - - - - - - -
+ #SOURCE DEST POLICY +loc loc1 NONE +loc1 loc NONE
@@ -334,157 +220,34 @@ - - /etc/shorewall/zones + /etc/shorewall/zones - - - - ZONE - - DISPLAY - - COMMENTS - - - - - - loc1 - - Local1 - - Hosts accessed Directly from Firewall - - - - loc2 - - Local2 - - Hosts accessed via internal Router - - - -
+ #ZONE DISPLAY COMMENTS +loc1 Local1 Hosts accessed Directly from Firewall +loc2 Local2 Hosts accessed via the internal Router Here it doesn't matter which zone is defined first. - - /etc/shorewall/interfaces + /etc/shorewall/interfaces - - - - ZONE + #ZONE INTERFACE BROADCAST +- eth1 192.168.1.255 - INTERFACE + /etc/shorewall/hosts - BROADCAST + #ZONE HOSTS +loc1 eth1:192.168.1.0/24 +loc2 eth1:192.168.2.0/24 - OPTIONS - - - - - - - - - eth1 - - 192.168.1.255 - - ... - - - -
- - - /etc/shorewall/hosts - - - - - ZONE - - HOSTS - - OPTIONS - - - - - - loc1 - - eth1:192.168.1.0/24 - - - - - - loc2 - - eth1:192.168.2.0/24 - - - - - -
- - If you don't need Shorewall to set up infrastructure to - route traffic between loc and loc1, add + You don't need Shorewall to set up infrastructure to route + traffic between loc and loc1, so add these two policies: - - /etc/shorewall/policy - - - - - SOURCE - - DEST - - POLICY - - LOG LEVEL - - RATE:BURST - - - - - - loc - - loc1 - - NONE - - - - - - - - loc1 - - loc - - NONE - - - - - - - -
+ #SOURCE DEST POLICY +loc1 loc2 NONE +loc2 loc1 NONE
@@ -500,148 +263,32 @@ In this example, addresses 192.168.1.8 - 192.168.1.15 (192.168.1.8/29) are to be treated as their own zone (loc1). - - /etc/shorewall/zones + /etc/shorewall/zones - - - - ZONE - - DISPLAY - - COMMENTS - - - - - - loc1 - - Local2 - - 192.168.1.8 - 192.168.1.15 - - - - loc - - Local - - All hosts accessed via eth1 - - - -
+ #ZONE DISPLAY COMMENTS +loc1 Local1 192.168.1.8-192.168.1.15 +loc Local All hosts accessed via eth1 the sub-zone (loc1) is defined first! - - /etc/shorewall/interfaces + /etc/shorewall/interfaces - - - - ZONE + #ZONE INTERFACE BROADCAST +loc eth1 192.168.1.255 - INTERFACE - - BROADCAST - - OPTIONS - - - - - - loc - - eth1 - - 192.168.1.255 - - ... - - - -
- - - /etc/shorewall/hosts - - - - - ZONE - - HOSTS - - OPTIONS - - - - - - loc1 - - eth1:192.168.2.0/24 - - - - - -
+ /etc/shorewall/hosts#ZONE HOSTS +loc1 eth1:192.168.1.8/29 You probably don't want Shorewall to set up infrastructure to route traffic between loc and loc1 so you - should add these two policies: + should add these two policies. - - /etc/shorewall/policy + /etc/shorewall/policy - - - - SOURCE - - DEST - - POLICY - - LOG LEVEL - - RATE:BURST - - - - - - loc - - loc1 - - NONE - - - - - - - - loc1 - - loc - - NONE - - - - - - - -
+ #SOURCE DEST POLICY +loc loc1 NONE +loc1 loc NONE
\ No newline at end of file
diff --git a/Shorewall-docs/myfiles2.xml b/Shorewall-docs/myfiles2.xml
new file mode 100644
index 000000000..947dacbca
--- /dev/null
+++ b/Shorewall-docs/myfiles2.xml
@@ -0,0 +1,622 @@ + + +
+ + + + About My Network + + + + Tom + + Eastep + + + + 2004-02-04 + + + 2001-2004 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. + + + +
+ My Current Network + + + I use a combination of One-to-one NAT and Proxy ARP, neither of + which are relevant to a simple configuration with a single public IP + address. If you have just a single public IP address, most of what you + see here won't apply to your setup so beware of copying parts of + this configuration and expecting them to work for you. What you copy may + or may not work in your configuration. + + + + The configuration shown here corresponds to Shorewall version + 2.0.0-Alpha2. It may use features not available in earlier Shorewall + releases. + + + I have DSL service and have 5 static IP addresses + (206.124.146.176-180). My DSL modem (Fujitsu Speedport) is + connected to eth0. I have a local network connected to eth2 (subnet + 192.168.1.0/24), a DMZ connected to eth1 (192.168.2.0/24) and a Wireless + network connected to eth3 (192.168.3.0/24). + + I use: + + + + One-to-one NAT for Ursa (my personal system that dual-boots + Mandrake 9.2 and Windows XP) - Internal address 192.168.1.5 and + external address 206.124.146.178. + + + + One-to-one NAT for EastepLaptop (My work system -- Windows XP + SP2). Internal address 192.168.1.7 and external address + 206.124.146.180. + + + + SNAT through 206.124.146.179 for  my SuSE 9.0 Linux + system (Wookie), my Wife's Windows XP system (Tarry), and + our  Windows XP laptop (Tipper) which connects through the + Wireless Access Point (wap) via a Wireless Bridge (bridge).While + the distance between the WAP and where I usually use the laptop + isn't very far (25 feet or so), using a WAC11 (CardBus wireless + card) has proved very unsatisfactory (lots of lost connections). By + replacing the WAC11 with the WET11 wireless bridge, I have virtually + eliminated these problems (Being an old radio tinkerer (K7JPV), I was + also able to eliminate the disconnects by hanging a piece of aluminum + foil on the family room wall. Needless to say, my wife Tarry rejected + that as a permanent solution :-). 
+ + + + The firewall runs on a 256MB PII/233 with Debian Sarge (Testing). + + Wookie, Ursa and the Firewall all run Samba and the Firewall acts as + a WINS server. + + The wireless network connects to eth3 via a LinkSys WAP11.  + In additional to using the rather weak WEP 40-bit encryption (64-bit with + the 24-bit preamble), I use MAC + verification. This is still a weak combination and if I lived near + a wireless hot spot, I would probably add IPSEC or + something similar to my WiFi->local connections. + + The single system in the DMZ (address 206.124.146.177) runs postfix, + Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP + server (Pure-ftpd) under RedHat 9.0. The system also runs fetchmail to + fetch our email from our old and current ISPs. That server is managed + through Proxy ARP. + + The firewall system itself runs a DHCP server that serves the local + network. + + All administration and publishing is done using ssh/scp. I have a + desktop environment installed on the firewall but I am not usually logged + in to it. X applications tunnel through SSH to Ursa. The server also has a + desktop environment installed and that desktop environment is available + via XDMCP from the local zone. For the most part though, X tunneled + through SSH is used for server administration and the server runs at run + level 3 (multi-user console mode on RedHat). + + I run an SNMP server on my firewall to serve MRTG running + in the DMZ.The + ethernet interface in the Server is configured with IP address + 206.124.146.177, netmask 255.255.255.0. The server's default gateway + is 206.124.146.254 (Router at my ISP. This is the same default gateway + used by the firewall itself). On the firewall, an entry in my + /etc/network/interfaces file (see below) adds a host route to + 206.124.146.177 through eth1 when that interface is brought up. + + Ursa (192.168.1.5 A.K.A. 206.124.146.178) runs a PPTP server for + Road Warrior access. + +
+ Shorewall.conf + +
+ LOGFILE=/var/log/messages +LOGRATE= +LOGBURST= +LOGUNCLEAN=$LOG +BLACKLIST_LOGLEVEL= +LOGNEWNOTSYN=$LOG +MACLIST_LOG_LEVEL=$LOG +TCP_FLAGS_LOG_LEVEL=$LOG +RFC1918_LOG_LEVEL=$LOG +SMURF_LOG_LEVEL= +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +SHOREWALL_SHELL=/bin/ash +SUBSYSLOCK= #I run Debian which doesn't use service locks +STATEDIR=/var/state/shorewall +MODULESDIR= +FW=fw +IP_FORWARDING=On +ADD_IP_ALIASES=Yes +ADD_SNAT_ALIASES=Yes +TC_ENABLED=Yes +CLEAR_TC=No +MARK_IN_FORWARD_CHAIN=No +CLAMPMSS=Yes +ROUTE_FILTER=No +DETECT_DNAT_IPADDRS=Yes +MUTEX_TIMEOUT=60 +NEWNOTSYN=Yes +BLACKLISTNEWONLY=Yes +BLACKLIST_DISPOSITION=DROP +MACLIST_DISPOSITION=REJECT +TCP_FLAGS_DISPOSITION=DROP + +
+
+ +
+ Params File (Edited) + +
+ MIRRORS=<list of shorewall mirror ip addresses> +NTPSERVERS=<list of the NTP servers I sync with> +TEXAS=<ip address of gateway in Dallas> +LOG=info +
+
+ +
+ Zones File + +
+ #ZONE DISPLAY COMMENTS +net Internet Internet +WiFi Wireless Wireless Network on eth3 +dmz DMZ Demilitarized zone +loc Local Local networks +tx Texas Peer Network in Dallas +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE +
+
+ +
+ Interfaces File + +
+ This is set up so that I can start the firewall before bringing + up my Ethernet interfaces. + + #ZONE INERFACE BROADCAST OPTIONS +net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs +loc eth2 192.168.1.255 dhcp,detectnets +dmz eth1 192.168.2.255 +WiFi eth3 192.168.3.255 dhcp,maclist,detectnets +- texas 192.168.9.255 +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE +
+
+ +
+ Hosts File + +
+ #ZONE HOST(S) OPTIONS +tx              texas:192.168.8.0/22 +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE +
+
+ +
+ Routestopped File + +
+ #INTERFACE HOST(S) +eth1 206.124.146.177 +eth2 - +eth3 192.168.3.0/24 +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE +
+
+ +
+ RFC1918 File + +
+ I use a stripped-down file which doesn't have to be updated + when the IANA allocates a block of IP addresses. +
+ +
+ #SUBNET TARGET +169.254.0.0/16 DROP # DHCP autoconfig +172.16.0.0/12 logdrop # RFC 1918 +192.0.2.0/24 logdrop # Example addresses +192.168.0.0/16 logdrop # RFC 1918 +10.24.60.56 DROP # Some idiot in my broadcast domain + # has a box configured with this + # address. +10.0.0.0/8 logdrop # Reserved (RFC 1918) +
+
+ +
+ Blacklist File (Partial) + +
+ #ADDRESS/SUBNET PROTOCOL PORT +0.0.0.0/0 udp 1434 +0.0.0.0/0 tcp 1433 +0.0.0.0/0 tcp 8081 +0.0.0.0/0 tcp 57 +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE +
+
+ +
+ Policy File + +
+ #SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT +fw fw ACCEPT # For testing fw->fw rules +loc net ACCEPT # Allow all net traffic from local net +$FW loc ACCEPT # Allow local access from the firewall +$FW tx ACCEPT # Allow firewall access to texas +loc tx ACCEPT # Allow local net access to texas +loc fw REJECT $LOG # Reject loc->fw and log +WiFi net ACCEPT # Allow internet access from wirless +net all DROP $LOG 10/sec:40 # Rate limit and + # DROP net->all +all all REJECT $LOG # Reject and log the rest +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE +
+
+ +
+ Masq File + +
+ Although most of our internal systems use one-to-one NAT, my + wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) + as does my SuSE system (192.168.1.3), our laptop (192.168.3.8) and + visitors with laptops. + + #INTERFACE SUBNET ADDRESS +eth0:2 eth2 206.124.146.179 +eth0 eth3 206.124.146.179 +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + +
+
+ +
+ NAT File + +
+ #EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL +206.124.146.178 eth0:0 192.168.1.5 No No +206.124.146.180 eth0:1 192.168.1.7 No No +# +# The following entry allows the server to be accessed through an address in +# the local network. This is convenient when I'm on the road and connected +# to the PPTP server. By doing this, I don't need to set my client's default +# gateway to route through the tunnel. +# +192.168.1.193 eth2:0 206.124.146.177 No No +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +
+
+ +
+ Proxy ARP File + +
+ #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT +206.124.146.177 eth1 eth0 Yes +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +
+
+ +
+ Tunnels File (Shell variable TEXAS set in /etc/shorewall/params) + +
+ #TYPE ZONE GATEWAY GATEWAY ZONE PORT +gre net $TEXAS +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +
+
+ +
+ Actions File + +
+ #ACTION +DropBcast #Silently Drops Broadcast Traffic +DropSMB #Silently Drops Microsoft SMB Traffic +RejectSMB #Silently Reject Microsoft SMB Traffic +DropUPnP #Silently Drop UPnP Probes +DropNonSyn #Silently Drop Non-syn TCP packets +RejectAuth #Silently Reject Auth +DropPing #Silently Drop Ping +DropDNSrep #Silently Drop DNS Replies +AllowPing #Accept Ping + +Mirrors #Accept traffic from the Shorewall Mirror sites + +MyDrop:DROP #My DROP common action +MyReject:REJECT #My REJECT common action +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE +
+
+ +
+ action.Mirrors File + +
+ The $MIRRORS variable expands to a list of approximately 10 IP + addresses. So moving these checks into a separate chain reduces the + number of rules that most net->dmz traffic needs to traverse. + + #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE +# PORT PORT(S) DEST LIMIT +ACCEPT $MIRRORS +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +
+
+ +
+ action.MyDrop + +
+ This is my common action for the DROP policy. It is like the + standard Reject action except that it + allows Ping. + + #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT(S) PORT(S) LIMIT GROUP +RejectAuth +AllowPing +DropBcast +DropSMB +DropUPnP +DropNonSyn +DropDNSrep +
+
+ +
+ action.MyReject + +
+ This is my common action for the REJECT policy. It is like the + standard Drop action except that it + allows Ping. + + #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ +# PORT(S) PORT(S) LIMIT GROUP +RejectAuth +AllowPing +DropBcast +RejectSMB +DropUPnP +DropNonSyn +DropDNSrep +
+
+ +
+ Rules File (The shell variables are set in /etc/shorewall/params) + +
+ ############################################################################################################################################################################### +#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL RATE USER +# PORT(S) DEST:SNAT SET +############################################################################################################################################################################### +# Local Network to Internet - Reject attempts by Trojans to call home +# +REJECT:$LOG loc net tcp 6667 +# +# Stop NETBIOS crap since our policy is ACCEPT +# +REJECT loc net tcp 137,445 +REJECT loc net udp 137:139 +# +DROP loc:!192.168.1.0/24 net + +QUEUE loc net udp +QUEUE loc fw udp +QUEUE loc net tcp +############################################################################################################################################################################### +# Local Network to Firewall +# +DROP loc:!192.168.1.0/24 fw +ACCEPT loc fw tcp ssh,time,10000,swat,137,139,445 +ACCEPT loc fw udp snmp,ntp,445 +ACCEPT loc fw udp 137:139 +ACCEPT loc fw udp 1024: 137 +############################################################################################################################################################################### +# Local Network to DMZ +# +DROP loc:!192.168.1.0/24 dmz +REJECT loc dmz tcp 465 +ACCEPT loc dmz udp domain,xdmcp +ACCEPT loc dmz tcp www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,10027,pop3 - +############################################################################################################################################################################### +# Internet to DMZ +# +DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179,206.124.146.178 +ACCEPT net dmz tcp smtp,www,ftp,imaps,domain,cvspserver,https - +ACCEPT net dmz udp domain +ACCEPT net dmz udp 33434:33436 +Mirrors net dmz tcp rsync +#ACCEPT:$LOG net dmz tcp 32768:61000 20 
+############################################################################################################################################################################### +# +# Net to Local +# +# When I'm "on the road", the following two rules allow me VPN access back home. +# +ACCEPT net loc:192.168.1.5 tcp 1723 +ACCEPT net loc:192.168.1.5 gre +# +# ICQ +# +ACCEPT net loc:192.168.1.5 tcp 4000:4100 +# +# Real Audio +# +ACCEPT net loc:192.168.1.5 udp 6970:7170 +# +# Overnet +# +#ACCEPT net loc:192.168.1.5 tcp 4662 +#ACCEPT net loc:192.168.1.5 udp 12112 +############################################################################################################################################################################### +# DMZ to Internet +# +ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080 +ACCEPT dmz net udp domain +ACCEPT dmz net:$POPSERVERS tcp pop3 +#ACCEPT dmz net:206.191.151.2 tcp pop3 +#ACCEPT dmz net:66.216.26.115 tcp pop3 +# +# Something is wrong with the FTP connection tracking code or there is some client out there +# that is sending a PORT command which that code doesn't understand. Either way, +# the following works around the problem. 
+# +ACCEPT:$LOG dmz net tcp 1024: 20 +############################################################################################################################################################################### +# DMZ to Firewall -- ntp & snmp, Silently reject Auth +# +ACCEPT dmz fw udp ntp ntp +ACCEPT dmz fw tcp snmp,ssh +ACCEPT dmz fw udp snmp +REJECT dmz fw tcp auth +############################################################################################################################################################################### +# DMZ to Internet +# +ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080 +ACCEPT dmz net udp domain +ACCEPT dmz net:$POPSERVERS tcp pop3 +#ACCEPT dmz net:206.191.151.2 tcp pop3 +#ACCEPT dmz net:66.216.26.115 tcp pop3 +# +# Something is wrong with the FTP connection tracking code or there is some client out there +# that is sending a PORT command which that code doesn't understand. Either way, +# the following works around the problem. 
+# +ACCEPT:$LOG dmz net tcp 1024: 20 +############################################################################################################################################################################### +# DMZ to Firewall -- ntp & snmp, Silently reject Auth +# +ACCEPT dmz fw udp ntp ntp +ACCEPT dmz fw tcp snmp,ssh +ACCEPT dmz fw udp snmp +REJECT dmz fw tcp auth +############################################################################################################################################################################### +# +# DMZ to Local Network +# +ACCEPT dmz loc tcp smtp,6001:6010 +ACCEPT dmz loc tcp 111 +ACCEPT dmz loc udp +############################################################################################################################################################################### +# Internet to Firewall +# +REJECT net fw tcp www +ACCEPT net dmz udp 33434:33435 +############################################################################################################################################################################### +# WIFI to Firewall +# +ACCEPT WiFi fw tcp ssh,137,139,445 +ACCEPT WiFi fw udp 137:139,445 +ACCEPT WiFi fw udp 1024: 137 +ACCEPT WiFi fw udp ntp ntp +############################################################################################################################################################################### +# Firewall to WIFI +# +ACCEPT fw WiFi tcp 137,139,445 +ACCEPT fw WiFi udp 137:139,445 +ACCEPT fw WiFi udp 1024: 137 +ACCEPT fw WiFi udp ntp ntp +############################################################################################################################################################################## +# WIFI to DMZ +# +DNAT- WiFi dmz:206.124.146.177 all - - 192.168.1.193 +ACCEPT WiFi dmz tcp smtp,www,ftp,imaps,domain,https,ssh,8080 - +ACCEPT WiFi dmz udp domain 
+############################################################################################################################################################################## +# WIFI to loc +# +ACCEPT WiFi loc udp 137:139 +ACCEPT WiFi loc tcp 22,80,137,139,445,901,3389 +ACCEPT WiFi loc udp 1024: 137 +ACCEPT WiFi loc udp 177 +############################################################################################################################################################################## +# loc to WiFi +# +ACCEPT loc WiFi udp 137:139 +ACCEPT loc WiFi tcp 137,139,445 +ACCEPT loc WiFi udp 1024: 137 +ACCEPT loc WiFi tcp 6000:6010 +############################################################################################################################################################################### +# Firewall to Internet +# +ACCEPT fw net:$NTPSERVERS udp ntp ntp +#ACCEPT fw net:$POPSERVERS tcp pop3 +ACCEPT fw net udp domain +ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7 +ACCEPT fw net udp 33435:33535 +ACCEPT fw net icmp +############################################################################################################################################################################### +# Firewall to DMZ +# +ACCEPT fw dmz tcp www,ftp,ssh,smtp +ACCEPT fw dmz udp domain +REJECT fw dmz udp 137:139 +############################################################################################################################################################################### +# Ping +# +ACCEPT all all icmp 8 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +
+
+ +
+ /etc/network/interfaces + +
+ This file is Debian specific. My additional entry (which is + displayed in bold type) adds a route + to my DMZ server when eth1 is brought up. It allows me to enter + Yes in the HAVEROUTE column of my + Proxy ARP file. + + ... +auto eth1 +iface eth1 inet static + address 192.168.2.1 + netmask 255.255.255.0 + network 192.168.2.0 + broadcast 192.168.2.255 + up ip route add 206.124.146.177 dev eth1 +... +
+
+
+
\ No newline at end of file
diff --git a/Shorewall-docs/releasenotes.xml b/Shorewall-docs/releasenotes.xml
deleted file mode 100644
index 9998e15b2..000000000
--- a/Shorewall-docs/releasenotes.xml
+++ /dev/null
@@ -1,122 +0,0 @@ - - -
- - - Shorewall 1.4.9 - -
- Problems Corrected - - These are the problems corrected since Shorewall 1.4.8 - - - - There has been a low continuing level of confusion over the - terms Source NAT (SNAT) and Static NAT. - To avoid future confusion, all instances of Static NAT - have been replaced with One-to-one NAT in the - documentation and configuration files. - - - - The description of NEWNOTSYN in shorewall.conf has been reworded - for clarity. - - - - Wild-card rules (those involving all as SOURCE or - DEST) will no longer produce an error if they attempt to add a rule - that would override a NONE policy. The logic for expanding these - wild-card rules now simply skips those (SOURCE,DEST) pairs that have a - NONE policy. - - -
- -
- Migration Considerations - - None. -
- -
- New Features - - These are the new features added since Shorewall 1.4.8 - - - - To cut down on the number of Why are these ports closed - rather than stealthed? questions, the SMB-related rules in - /etc/shorewall/common.def have been changed from reject - to DROP. - - - - For easier identification, packets logged under the - norfc1918 interface option are now logged out of chains - named rfc1918. Previously, such packets were logged - under chains named logdrop. - - - - Distributors and developers seem to be regularly inventing new - naming conventions for kernel modules. To avoid the need to change - Shorewall code for each new convention, the MODULE_SUFFIX option has - been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix - for module names in your particular distribution. If MODULE_SUFFIX is - not set in shorewall.conf, Shorewall will use the list o gz ko - o.gz. To see what suffix is used by your distribution: - - ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter - - All of the files listed should have the same suffix (extension). - Set MODULE_SUFFIX to that suffix. Examples: - - - - If all files end in .kzo then set - MODULE_SUFFIX="kzo" - - - - If all files end in .kz.o then set - MODULE_SUFFIX="kz.o" - - - - - - Support for user defined rule ACTIONS has been implemented - through two new files: /etc/shorewall/actions - - used to list the user-defined ACTIONS./etc/shorewall/action.template - - For each user defined <action>:copy - this file to /etc/shorewall/action.<action>Add - the appropriate rules in that file for the <action>.Once - an <action> has been defined, it may be used like any of the - builtin ACTIONS (ACCEPT, DROP, etc.) in /etc/shorewall/rules. - - Example: You want an action that logs a packet at the - info level and accepts the connection. 
- - In /etc/shorewall/actions, you would add: - - - LogAndAccept - - - You would then copy /etc/shorewall/action.template to - /etc/shorewall/action.LogAndAccept and in that file, you would add the - two rules: - - - LOG:info - - ACCEPT - - - -
-
\ No newline at end of file
diff --git a/Shorewall-docs/shorewall_extension_scripts.xml b/Shorewall-docs/shorewall_extension_scripts.xml
index b3c6949cb..6e057be14 100755
--- a/Shorewall-docs/shorewall_extension_scripts.xml
+++ b/Shorewall-docs/shorewall_extension_scripts.xml
@@ -15,14 +15,10 @@ - 2003-06-30 + 2004-02-01 - 2001 - - 2002 - - 2003 + 2001-2004 Thomas M. Eastep
@@ -115,13 +111,12 @@ /etc/shorewall/common: - . /etc/shorewall/common.def - <add your rules here> + <add your rules here> + . /etc/shorewall/common.def - If you need to supercede a rule in the released common.def file, you - can add the superceding rule before the . command. Using this - technique allows you to add new rules while still getting the benefit of the - latest common.def file. Remember that /etc/shorewall/common defines rules - that are only applied if the applicable policy is DROP or REJECT. These - rules are NOT applied if the policy is ACCEPT or CONTINUE + Using this technique allows you to add new rules while still getting + the benefit of the latest common.def file. Remember that + /etc/shorewall/common defines rules that are only applied if the applicable + policy is DROP or REJECT. These rules are NOT applied if the policy is + ACCEPT or CONTINUE
\ No newline at end of file
diff --git a/Shorewall-docs/three-interface.xml b/Shorewall-docs/three-interface.xml
index 65ef64fc8..45f2e24b3 100644
--- a/Shorewall-docs/three-interface.xml
+++ b/Shorewall-docs/three-interface.xml
@@ -743,7 +743,7 @@ ACCEPT net fw tcp 80 /etc/shorewall/routestopped. Also, I don't recommend using shorewall restart; it - is better to create an alternate + is better to create an alternate configuration and test it using the shorewall try command.