diff --git a/STABLE/documentation/FAQ.htm b/STABLE/documentation/FAQ.htm index caaaa7527..ccbd6292c 100644 --- a/STABLE/documentation/FAQ.htm +++ b/STABLE/documentation/FAQ.htm @@ -533,7 +533,9 @@ problem are:

over my console making it unusable!

Answer: "man dmesg" -- add a suitable 'dmesg' command to your startup - scripts or place it in /etc/shorewall/start.

+ scripts or place it in /etc/shorewall/start. Under RedHat, the max log level + that is sent to the console is specified in /etc/sysconfig/init in the + LOGLEVEL variable.

17. Why can't Shorewall detect my interfaces properly?
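Review bot: the added RedHat sentence in this hunk should say explicitly that LOGLEVEL in /etc/sysconfig/init only limits what the kernel prints on the console, exactly as the 'dmesg' advice earlier in the same answer does; as written a reader could take it for a way to turn the firewall's logging down, when the point of the answer is to keep the log record and only get the console back. Suggest: "... in the LOGLEVEL variable; this affects only what is written to the console, not what is logged."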

@@ -566,7 +568,7 @@ over my console making it unusable! zone is defined as all hosts connected through eth1.

Last updated -8/15/2002 - Tom +8/24/2002 - Tom Eastep

Copyright diff --git a/STABLE/documentation/IPIP.htm b/STABLE/documentation/IPIP.htm index c8c0e7a75..a0a350ea7 100644 --- a/STABLE/documentation/IPIP.htm +++ b/STABLE/documentation/IPIP.htm @@ -42,7 +42,25 @@ parameter to the type of tunnel that you want to create.

tunnel_type=gre

-

On system A, the 10.0.0.0/8 will comprise the gw zone. In +

On each firewall, you will need to declare a zone to represent +the remote subnet. We'll assume that this zone is called 'vpn' and declare it in +/etc/shorewall/zones on both systems as follows.

+
+ + + + + + + + + + + + +
ZONEDISPLAYCOMMENTS
vpnVPNRemote Subnet
+
+

On system A, the 10.0.0.0/8 will comprise the vpn zone. In /etc/shorewall/interfaces:

@@ -53,7 +71,7 @@ parameter to the type of tunnel that you want to create.

- + @@ -88,7 +106,7 @@ encapsulation protocol (4) will be accepted to/from the remote gateway.

gateway=134.28.54.2
subnet=10.0.0.0/8

-

Similarly, On system B the 192.168.1.0/24 subnet will comprise the gw +

Similarly, On system B the 192.168.1.0/24 subnet will comprise the vpn zone. In /etc/shorewall/interfaces:

OPTIONS
gwvpn tosysb 10.255.255.255  
@@ -99,7 +117,7 @@ zone. In /etc/shorewall/interfaces:

- + @@ -135,7 +153,7 @@ zone. In /etc/shorewall/interfaces:

You can rename the modified tunnel scripts if you like; be sure that they are secured so that root can execute them.

-

You will need to allow traffic between the "gw" zone and +

You will need to allow traffic between the "vpn" zone and the "loc" zone on both systems -- if you simply want to admit all traffic in both directions, you can use the policy file:
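Review bot: the unchanged line just above this hunk, "be sure that they are secured so that root can execute them", is ambiguous as a security instruction: the tunnel scripts are run by root anyway, so the thing to protect is that nobody else can modify them before root runs them. Suggest "be sure that they are owned by root and writable only by root" so the reader knows which permissions to set.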

@@ -150,13 +168,13 @@ secured so that root can execute them.

- + - + @@ -168,7 +186,7 @@ secured so that root can execute them.

run the modified tunnel script with the "start" argument on each system. The systems in the two masqueraded subnetworks can now talk to each other

-

Updated 5/18/2002 - Tom +

Updated 8/22/2002 - Tom Eastep

Copyright © 2001, 2002 Thomas M. Eastep.

diff --git a/STABLE/documentation/News.htm b/STABLE/documentation/News.htm index 78ec4d63d..52875a9ad 100644 --- a/STABLE/documentation/News.htm +++ b/STABLE/documentation/News.htm @@ -17,6 +17,31 @@
OPTIONS
gwvpn tosysa 192.168.1.255  
locgwvpn ACCEPT  
gwvpn loc ACCEPT  
+

8/26/2002 - Shorewall 1.3.7b

+ +

This is a role up of the "shorewall refresh" bug fix and the change which + reverses the order of "dhcp" and "norfc1918" checking.

+ +

8/26/2002 - French FTP Mirror is Operational

+ +

+ ftp://france.shorewall.net/pub/mirrors/shorewall is now available.

+ +

8/25/2002 - Shorewall Mirror in France

+ +

Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored + at http://france.shorewall.net.

+ +

8/25/2002 - Shorewall 1.3.7a Debian Packages Available

+ +

Lorenzo Martignoni reports that the packages for version 1.3.7a are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

+ +

8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author -- Shorewall 1.3.7a + released

+ +

1.3.7a corrects problems occurring in rules file processing when starting Shorewall + 1.3.7.

+

8/22/2002 - Shorewall 1.3.7 Released 8/13/2002

Features in this release include:
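Review bot: "role up" in the 8/26/2002 entry should be "roll up". The entry also names the two fixes only by nickname (the "shorewall refresh" bug fix and the reversed "dhcp"/"norfc1918" order) without pointing at the errata entries in this same patch that describe their impact (refresh not forwarding icmp echo-request with FORWARDPING=Yes; DHCP clients broadcasting from RFC 1918 addresses being rejected); linking each to its errata section would let a reader judge whether the upgrade matters to them.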

@@ -1024,7 +1049,7 @@ version:

additional "gw" (gateway) zone for tunnels and it supports IPSEC tunnels with end-points on the firewall. There is also a .lrp available now.

-

Updated 8/22/2002 - Tom +

Updated 8/26/2002 - Tom Eastep

diff --git a/STABLE/documentation/Shorewall_index_frame.htm b/STABLE/documentation/Shorewall_index_frame.htm index 707727ca4..cc7d5e417 100644 --- a/STABLE/documentation/Shorewall_index_frame.htm +++ b/STABLE/documentation/Shorewall_index_frame.htm @@ -55,6 +55,7 @@

  • Texas, USA
  • Germany
  • Argentina
  • +
  • France
  • diff --git a/STABLE/documentation/download.htm b/STABLE/documentation/download.htm index 73418d31b..8880eddf5 100644 --- a/STABLE/documentation/download.htm +++ b/STABLE/documentation/download.htm @@ -66,7 +66,7 @@ AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS REQUIRED FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.

    -

    Download Latest Version (1.3.7): Remember that updates to the mirrors +

    Download Latest Version (1.3.7a): Remember that updates to the mirrors occur 1-12 hours after an update to the primary site.
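Review bot: the version in "Download Latest Version (1.3.7a)" does not match the rest of the patch, which sets VERSION=1.3.7b in install.sh, fallback.sh, uninstall.sh and shorewall.spec and announces 1.3.7b on the News page under the same 8/26/2002 date that this page's "Last Updated" line carries. Either this should read 1.3.7b, or the 1.3.7b announcement is premature; note too that the errata md5sums in this patch cover only the 1.3.7a packages, so a 1.3.7b release would need its own checksums.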

    @@ -118,8 +118,8 @@ occur 1-12 hours after an update to the primary site.

    Download .rpm  
    Download .tgz 
    - Download - .rpm + + Download .lrp @@ -154,6 +154,20 @@ occur 1-12 hours after an update to the primary site.

    Download .lrp + + + + + +
    Hamburg, Germany
    Paris, FranceShorewall.netDownload .rpm
    + Download + .tgz 
    + Download + .lrp
    + Download .rpm  
    + Download + .tgz 
    + Download .lrp

    Browse Download Sites:

    @@ -198,6 +212,13 @@ occur 1-12 hours after an update to the primary site.

    Browse + + France + Shorewall.net + Browse + + Browse + California, USA (Incomplete) Sourceforge.net @@ -216,7 +237,7 @@ Shorewall component. There's no guarantee that what you find there will work at all.

    -

    Last Updated 8/22/2002 - Tom +

    Last Updated 8/26/2002 - Tom Eastep

    Copyright diff --git a/STABLE/documentation/errata.htm b/STABLE/documentation/errata.htm index 6adf735d5..3bbc78fb2 100644 --- a/STABLE/documentation/errata.htm +++ b/STABLE/documentation/errata.htm @@ -65,15 +65,15 @@ dos2unix


    -

    Upgrade Issues

    +

    Problems in Version 1.3

    -

    Version >= 1.3.7

    +

    Version 1.3.7a

    -

    Users specifying ALLOWRELATED=No in - /etc/shorewall.conf will need to include the - following rules in their /etc/shorewall/icmpdef - file (creating this file if necessary):

    +

    "shorewall refresh" is not creating the proper + rule for FORWARDPING=Yes. Consequently, after + "shorewall refresh", the firewall will not forward + icmp echo-request (ping) packets. Installing + + this corrected firewall script in /var/lib/shorewall/firewall + as described above corrects this problem.

    -
    	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
    -	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
    -	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
    -	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
    -	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
    -

    Users having an /etc/shorewall/icmpdef file may remove the ". - /etc/shorewall/icmp.def" command from that file since the icmp.def file is now - empty.

    -

    Upgrading Bering to - Shorewall >= 1.3.3

    +

    Version <= 1.3.7a

    -

    To properly upgrade with Shorewall version - 1.3.3 and later:

    +

    If "norfc1918" and "dhcp" are both specified as + options on a given interface then RFC 1918 + checking is occurring before DHCP checking. This + means that if a DHCP client broadcasts using an + RFC 1918 source address, then the firewall will + reject the broadcast (usually logging it). This + has two problems:

      -
    1. Be sure you have a backup -- you will need - to transcribe any Shorewall configuration - changes that you have made to the new - configuration.
    2. -
    3. Replace the shorwall.lrp package provided on - the Bering floppy with the later one. If you did - not obtain the later version from Jacques's - site, see additional instructions below.
    4. -
    5. Edit the /var/lib/lrpkg/root.exclude.list - file and remove the /var/lib/shorewall entry if - present. Then do not forget to backup root.lrp !
    6. +
    7. If the firewall is running a DHCP server, + the client won't be able to obtain an IP address + lease from that server.
    8. +
    9. With this order of checking, the "dhcp" + option cannot be used as a noise-reduction + measure where there are both dynamic and static + clients on a LAN segment.
    -

    The .lrp that I release isn't set up for a two-interface firewall like - Jacques's. You need to follow the instructions for - setting up a two-interface firewall plus you also need to add the following - two Bering-specific rules to /etc/shorewall/rules:

    -
    -
    # Bering specific rules:
    -# allow loc to fw udp/53 for dnscache to work
    -# allow loc to fw tcp/80 for weblet to work
    -#
    -ACCEPT loc fw udp 53
    -ACCEPT loc fw tcp 80
    -
    -

    Version >= 1.3.6

    - -

    If you have a pair of firewall systems configured for - failover, you will need to modify your firewall setup slightly under - Shorewall versions >= 1.3.6.

    - -
      -
    1. - -

      Create the file /etc/shorewall/newnotsyn and in it add - the following rule
      -
      - run_iptables -A newnotsyn -j RETURN # So that the - connection tracking table can be rebuilt
      -                                    - # from non-SYN packets after takeover.

    2. -
    3. - -

      Create /etc/shorewall/common (if you don't already - have that file) and include the following:
      -
      - run_iptables -A common -p tcp --tcp-flags - ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection
      -                                                                    - #tracking table.
      - . /etc/shorewall/common.def

    4. -
    - -

    Versions >= 1.3.5

    - -

    Some forms of pre-1.3.0 rules file syntax are no - longer supported.

    - -

    Example 1:

    - -
    -
    	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all
    -
    - -

    Must be replaced with:

    - -
    -
    	DNAT	net	loc:192.168.1.12:22	tcp	11111
    -
    -
    -

    Example 2:

    -
    -
    	ACCEPT	loc	fw::3128	tcp	80	-	all
    -
    -
    -

    Must be replaced with:

    -
    -
    	REDIRECT	loc	3128	tcp	80
    -
    - -

    Problems in Version 1.3

    +

    + + This version of the 1.3.7a firewall script + corrects the problem. It must be installed in /var/lib/shorewall + as described above.

    + +

    Version 1.3.7

    + +

    Version 1.3.7 dead on arrival -- please use + version 1.3.7a and check your version against + these md5sums -- if there's a difference, please + download again.

    + +
    	d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz
    +	6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
    +	3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp
    +

    In other words, type "md5sum <whatever package you downloaded> and + compare the result with what you see above.

    +

    I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the .7 + version in each sequence from now on.

    Version 1.3.6
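Review bot: the first md5sum in the "Version 1.3.7" entry, d2fffb7fb99bcc6cb047ea34db1df10 for shorewall-1.3.7a.tgz, is 31 hex digits; an MD5 digest is 32, so the value is truncated and anyone following the instruction to compare will never get a match on the .tgz. Please re-run md5sum on that package and paste the full digest. Two smaller things in the same hunk: the sentence 'type "md5sum <whatever package you downloaded> and compare' is missing its closing quote, and "Problems in Version 1.3" appears both as an added heading near the top of the hunk and as an unchanged context line further down, so the rendered page may end up with that heading twice.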

    @@ -352,6 +298,120 @@ ACCEPT loc fw tcp 80 corrected version is here. +
    + +

    Upgrade Issues

    + +

    Version >= 1.3.7

    + +

    Users specifying ALLOWRELATED=No in + /etc/shorewall.conf will need to include the + following rules in their /etc/shorewall/icmpdef + file (creating this file if necessary):

    + +
    	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
    +	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
    +	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
    +	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
    +	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
    +

    Users having an /etc/shorewall/icmpdef file may remove the ". + /etc/shorewall/icmp.def" command from that file since the icmp.def file is now + empty.

    +

    Upgrading Bering to + Shorewall >= 1.3.3

    + +

    To properly upgrade with Shorewall version + 1.3.3 and later:

    + +
      +
    1. Be sure you have a backup -- you will need + to transcribe any Shorewall configuration + changes that you have made to the new + configuration.
    2. +
    3. Replace the shorwall.lrp package provided on + the Bering floppy with the later one. If you did + not obtain the later version from Jacques's + site, see additional instructions below.
    4. +
    5. Edit the /var/lib/lrpkg/root.exclude.list + file and remove the /var/lib/shorewall entry if + present. Then do not forget to backup root.lrp !
    6. +
    +

    The .lrp that I release isn't set up for a two-interface firewall like + Jacques's. You need to follow the instructions for + setting up a two-interface firewall plus you also need to add the following + two Bering-specific rules to /etc/shorewall/rules:

    +
    +
    # Bering specific rules:
    +# allow loc to fw udp/53 for dnscache to work
    +# allow loc to fw tcp/80 for weblet to work
    +#
    +ACCEPT loc fw udp 53
    +ACCEPT loc fw tcp 80
    +
    + +

    Version >= 1.3.6

    + +

    If you have a pair of firewall systems configured for + failover, you will need to modify your firewall setup slightly under + Shorewall versions >= 1.3.6.

    + +
      +
    1. + +

      Create the file /etc/shorewall/newnotsyn and in it add + the following rule
      +
      + run_iptables -A newnotsyn -j RETURN # So that the + connection tracking table can be rebuilt
      +                                    + # from non-SYN packets after takeover.

    2. +
    3. + +

      Create /etc/shorewall/common (if you don't already + have that file) and include the following:
      +
      + run_iptables -A common -p tcp --tcp-flags + ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection
      +                                                                    + #tracking table.
      + . /etc/shorewall/common.def

    4. +
    + +

    Versions >= 1.3.5

    + +

    Some forms of pre-1.3.0 rules file syntax are no + longer supported.

    + +

    Example 1:

    + +
    +
    	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all
    +
    + +

    Must be replaced with:

    + +
    +
    	DNAT	net	loc:192.168.1.12:22	tcp	11111
    +
    +
    +

    Example 2:

    +
    +
    	ACCEPT	loc	fw::3128	tcp	80	-	all
    +
    +
    +

    Must be replaced with:

    +
    +
    	REDIRECT	loc	3128	tcp	80
    +
    + +

    Version >= 1.3.2

    + +

    The functions and versions files together with the + 'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. + If you have applications that access these files, those applications + should be modified accordingly.

    +
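Review bot: the "Version >= 1.3.6" failover instructions moved in this hunk should state the trade-off they introduce: the RETURN added to /etc/shorewall/newnotsyn and the ACCEPT of ACK-only packets added to /etc/shorewall/common exist so the standby's connection-tracking table can be rebuilt after takeover, but they also mean that TCP packets without SYN that match no tracked connection are no longer dropped on that firewall. One sentence saying this is deliberate and intended only for failover pairs would stop readers copying it onto a single firewall. Minor: "Then do not forget to backup root.lrp !" reads better as "Then do not forget to back up root.lrp!".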

    @@ -435,9 +495,9 @@ Aborted (core dumped) installed, simply use the "--nodeps" option to rpm.

    -

    Installing: rpm -ivh <shorewall rpm>

    +

    Installing: rpm -ivh --nodeps <shorewall rpm>

    -

    Upgrading: rpm -Uvh <shorewall rpm>

    +

    Upgrading: rpm -Uvh --nodeps <shorewall rpm>

    Problems with iptables version 1.2.7 and MULTIPORT=Yes
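Review bot: the "Installing:" and "Upgrading:" lines now show --nodeps as if it were the normal rpm command, while the context line above ('... installed, simply use the "--nodeps" option to rpm') limits it to one specific situation. Suggest keeping the plain rpm -ivh / rpm -Uvh commands and showing the --nodeps form as the alternative for that case only, so readers do not get into the habit of skipping dependency checks by default.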

    @@ -445,7 +505,8 @@ Aborted (core dumped)

    The iptables 1.2.7 release of iptables has made an incompatible change to the syntax used to specify multiport match rules; as a consequence, - if you install iptables 1.2.7 you must

    + if you install iptables 1.2.7 you must be running + Shorewall 1.3.7a or later or:
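Review bot: "you must be running Shorewall 1.3.7a or later or:" stacks two "or"s; suggest "you must either be running Shorewall 1.3.7a or later, or:" so the bullet list that follows clearly reads as the alternative.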

    • set MULTIPORT=No in @@ -457,7 +518,7 @@ Aborted (core dumped) as described above.

    - Last updated 8/22/2002 - + Last updated 8/26/2002 - Tom Eastep

    Copyright diff --git a/STABLE/documentation/images/proxyarp.png b/STABLE/documentation/images/proxyarp.png index 88b0f1b42..495b7fd79 100644 Binary files a/STABLE/documentation/images/proxyarp.png and b/STABLE/documentation/images/proxyarp.png differ diff --git a/STABLE/documentation/mailing_list.htm b/STABLE/documentation/mailing_list.htm index 7a0d25340..831a5be39 100644 --- a/STABLE/documentation/mailing_list.htm +++ b/STABLE/documentation/mailing_list.htm @@ -6,16 +6,18 @@ Shorewall Mailing Lists - + - +

    Shorewall Mailing Lists

    +

    Powered by Postfix      +

    diff --git a/STABLE/documentation/mailing_list_problems.htm b/STABLE/documentation/mailing_list_problems.htm index 4c76f9a6d..7c7f80ba7 100644 --- a/STABLE/documentation/mailing_list_problems.htm +++ b/STABLE/documentation/mailing_list_problems.htm @@ -26,6 +26,7 @@ to at least one address in each of the following domains:

    2020ca - delivery to this domain has been disabled (cause unknown)
     excite.com - delivery to this domain has been disabled (cause unknown)
     epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)
    +familie-fleischhacker.de - (connection timed out)
     gmx.net - delivery to this domain has been disabled (cause unknown)
     hotmail.com - delivery to this domain has been disabled (Mailbox over quota)
     intercom.net - delivery to this domain has been disabled (cause unknown)
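Review bot: the new entry "familie-fleischhacker.de - (connection timed out)" omits the "delivery to this domain has been disabled" wording every other entry in this list uses, so it is unclear whether delivery to that domain has actually been disabled or merely timed out once; the same applies to littleblue.de in the next hunk. Suggest the phrasing already used for penquindevelopment.com: "delivery to this domain has been disabled (connection timed out)".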
    @@ -33,6 +34,7 @@ initialcs.com - delivery to this domain has been disabled (cause unknown)
     intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).
     khp-inc.com - delivery to this domain has been disabled (anti-virus problems)
     kieninger.de - delivery to this domain has been disabled (relaying to <xxxxx@kieninger.de> prohibited by administrator)
    +littleblue.de - (connection timed out)
     opermail.net - delivery to this domain has been disabled (cause unknown)
     penquindevelopment.com - delivery to this domain has been disabled (connection timed out)
     scip-online.de - delivery to this domain has been disabled (cause unknown)
    @@ -42,7 +44,7 @@ yahoo.com - delivery to this domain has been disabled (Mailbox over quota)
    -

    Last updated 7/26/2002 19:39 GMT - +

    Last updated 8/23/2002 17:16 GMT - Tom Eastep

    diff --git a/STABLE/documentation/seattlefirewall_index.htm b/STABLE/documentation/seattlefirewall_index.htm index 81e76436c..c0e323d3b 100644 --- a/STABLE/documentation/seattlefirewall_index.htm +++ b/STABLE/documentation/seattlefirewall_index.htm @@ -63,9 +63,38 @@

    News

    -

    8/22/2002 - Shorewall 1.3.7 Released 8/13/2002 +

    8/26/2002 - Shorewall 1.3.7b

    +

    This is a role up of the "shorewall refresh" bug fix and the change which + reverses the order of "dhcp" and "norfc1918" checking.

    + +

    8/26/2002 - French FTP Mirror is Operational +

    + +

    + ftp://france.shorewall.net/pub/mirrors/shorewall is now available.

    + +

    8/25/2002 - Shorewall Mirror in France +

    + +

    Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored + at http://france.shorewall.net.

    + +

    8/25/2002 - Shorewall 1.3.7a Debian Packages Available +

    + +

    Lorenzo Martignoni reports that the packages for version 1.3.7a are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    + +

    8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author + -- Shorewall 1.3.7a released +

    + +

    1.3.7a corrects problems occurring in rules file processing when starting Shorewall + 1.3.7.

    + +

    8/22/2002 - Shorewall 1.3.7 Released

    +

    Features in this release include:
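Review bot: "role up" should be "roll up" here as well. This hunk changes the 1.3.7 heading to "8/22/2002 - Shorewall 1.3.7 Released", but the same entry in News.htm earlier in this patch is left as "8/22/2002 - Shorewall 1.3.7 Released 8/13/2002"; the two pages should agree on whether the 8/13 date stays.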

      @@ -150,7 +179,7 @@

      Updated - 8/22/2002 - Tom Eastep + 8/26/2002 - Tom Eastep diff --git a/STABLE/documentation/shoreline.htm b/STABLE/documentation/shoreline.htm index 3e6239b7f..5bf26bd34 100644 --- a/STABLE/documentation/shoreline.htm +++ b/STABLE/documentation/shoreline.htm @@ -73,17 +73,20 @@ Washington

      • 1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 8GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system.
      • -
      • Celeron 1.4Gz, RH7.3, 256MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My - personal Linux System which runs Samba configured as a WINS server.
      • +
      • Celeron 1.4Gz, RH7.3, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My + personal Linux System which runs Samba configured as a WINS server. This + system also has VMware installed and + can run both Debian and + SuSE in virtual machines.
      • K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail (Postfix & Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server (Bind).
      • -
      • PII/233, RH7.3 with 2.4.19 kernel, 256MB MB RAM, 2GB SCSI HD - 3 +
      • PII/233, RH7.3 with 2.4.20-pre2 kernel, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.6 and a DHCP server.  Also runs PoPToP for road warrior access.
      • Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's personal system.
      • PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 and EEPRO100 -in expansion base - My main work system.
      • +in expansion base and LinkSys WAC11 - My main work system.

      For more about our network see my Shorewall Configuration.
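Review bot: the replaced PII/233 line keeps "256MB MB RAM" from the old line (drop the second "MB"), and the Celeron line's "1.4Gz" (and the "1.2Gz" above it) should be "GHz".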

      diff --git a/STABLE/documentation/shorewall_features.htm b/STABLE/documentation/shorewall_features.htm index e2dff314f..02ac60f3d 100644 --- a/STABLE/documentation/shorewall_features.htm +++ b/STABLE/documentation/shorewall_features.htm @@ -50,7 +50,7 @@
    • Blacklisting of individual IP addresses and subnetworks is supported.
    • -
    • Operational support: +
    • Operational support:
      • Commands to start, stop and clear the firewall
      • Supports status monitoring diff --git a/STABLE/documentation/shorewall_firewall_structure.htm b/STABLE/documentation/shorewall_firewall_structure.htm index ffdfd6b46..a82e5bfe0 100644 --- a/STABLE/documentation/shorewall_firewall_structure.htm +++ b/STABLE/documentation/shorewall_firewall_structure.htm @@ -43,7 +43,11 @@ from the internet and from the DMZ and in some cases, from each other.
      • While zones are normally disjoint (no two zones have a host in common), there are cases where nested or overlapping zone definitions are appropriate.

        -

        Packets entering the firewall first pass through the mangle table's +

        For a general picture of how packets traverse a Netfilter firewall, see + + http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html#TRAVERSINGOFTABLES.
        +
        + Packets entering the firewall first pass through the mangle table's PREROUTING chain (you can see the mangle table by typing "shorewall show mangle"). If the packet entered through an interface that has the norfc1918 option, then the packet is sent down the man1918  which will drop @@ -55,10 +59,25 @@ from the internet and from the DMZ and in some cases, from each other.

        Next, if the packet isn't part of an established connection, it passes through the nat table's PREROUTING chain (you can see the nat table by - typing "shorewall show nat").

        + typing "shorewall show nat"). If you are doing both static nat and + port forwarding, the order in which chains are traversed is dependent on the + setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is on then + packets will ender a chain called interface_in where interface is + the name of the interface on which the packet entered. Here it's destination IP + is compared to each of the EXTERNAL IP addresses from /etc/shorewall/nat + that correspond to this interface; if there is a match, DNAT is applied and the + packet header is modified to the IP in the INTERNAL column of the nat + file record. If the destination address doesn't match any of the rules in the + interface_in chain then the packet enters a chain called sourcezone_dnat + where sourcezone is the source zone of the packet. There it is compared + for a match against each of the DNAT records in the rules file that specify + sourcezone as the source zone. If a match is found, the destination IP + address (and possibly the destination port) is modified based on the rule + matched. If NAT_BEFORE_RULES is off, then the order of traversal of the + interface_in and sourcezone_dnat is reversed.

        - Traffic entering the - firewall is sent to an input chain. If the traffic is destined for the + Traffic is next sent to an input chain in the mail Netfilter table + (called 'filter'). If the traffic is destined for the firewall itself, the name of the input chain is formed by appending "_in" to the interface name. So traffic on eth0 destined for the firewall will enter a chain called eth0_in. The input chain for traffic that will be routed to @@ -151,6 +170,6 @@ its own separate connection from the firewall to zone B.

        zone and you are having problems connecting from a local client to an internet server, adding a rule won't help (see point 3 above).

        -

        Last modified 7/26/2002 - Tom +

        Last modified 8/22/2002 - Tom Eastep
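Review bot: in the nat PREROUTING hunk (@@ -55,10 +59,25 @@), "packets will ender a chain" should be "enter", "Here it's destination IP" should be "its", "the mail Netfilter table" should be "main", and "the order of traversal of the interface_in and sourcezone_dnat is reversed" needs "chains" after "sourcezone_dnat". More substantively, the hunk uses the name interface_in for the nat-table chain that applies the /etc/shorewall/nat DNAT and, in the following paragraph, the "_in" input chain of the filter table (eth0_in) for traffic to the firewall; saying plainly that these are two chains with the same name in different tables would stop readers who look at the output of "shorewall show nat" from confusing the two.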

        Copyright © 2001, 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/STABLE/documentation/shorewall_mirrors.htm b/STABLE/documentation/shorewall_mirrors.htm index a99d161ed..c57155bd6 100644 --- a/STABLE/documentation/shorewall_mirrors.htm +++ b/STABLE/documentation/shorewall_mirrors.htm @@ -36,6 +36,8 @@ It is mirrored at:

      • http://germany.shorewall.net (Hamburg, Germany)
      • http://shorewall.correofuego.com.ar (Martinez (Zona Norte - GBA), Argentina)
      • +
      • http://france.shorewall.net + (Paris, France)

      The main Shorewall FTP Site is ftp://ftp.shorewall.net/pub/shorewall/ and is located in Washington State, USA.  @@ -50,8 +52,11 @@ It is mirrored at:

      ftp://germany.shorewall.net/pub/shorewall (Hamburg, Germany)
    • ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall (Martinez (Zona Norte - GBA), Argentina)
    • +
    • + ftp://france.shorewall.net/pub/mirrors/shorewall + (Paris, France)
    -

    Last Updated 7/16/2002 - Tom +

    Last Updated 8/26/2002 - Tom Eastep

    diff --git a/STABLE/documentation/shorewall_prerequisites.htm b/STABLE/documentation/shorewall_prerequisites.htm index 56067978f..0790156da 100644 --- a/STABLE/documentation/shorewall_prerequisites.htm +++ b/STABLE/documentation/shorewall_prerequisites.htm @@ -18,7 +18,7 @@

    -

    Last updated 8/4/2002 - Tom +

    Last updated 8/24/2002 - Tom Eastep

    diff --git a/STABLE/documentation/support.htm b/STABLE/documentation/support.htm index 79ce8991f..c62005864 100644 --- a/STABLE/documentation/support.htm +++ b/STABLE/documentation/support.htm @@ -19,20 +19,22 @@ -

    Before Reporting a Problem

    -
    -

    -"It is easier to post a problem than to use your own brain" -- +"It is easier to post a problem than to use your own brain" +-- Weitse Venema (creator of Postfix)

    -
    + +

    "Any sane computer with tell you how it works -- you just +have to ask it the right questions" -- Tom Eastep

    + +

    Before Reporting a Problem

    There are a number of sources for problem solution information.

      +
    • The FAQ has solutions to common problems.
    • The Troubleshooting Information contains a number of tips to help you solve common problems.
    • The Errata has links to download updated components.
    • -
    • The FAQ has solutions to common problems.
    • The Mailing List Archives are a useful source of problem solving information.
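Review bot: in the quotation hunk, "Weitse Venema" should be "Wietse Venema", and "Any sane computer with tell you how it works" should be "will tell you".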
    @@ -116,7 +118,7 @@ to respond promptly to mailing list posts.   http://www.shorewall.net/mailman/listinfo/shorewall-users .

    -

    Last Updated 8/17/2002 - Tom +

    Last Updated 8/24`/2002 - Tom Eastep
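Review bot: the date line has a stray backtick: "Last Updated 8/24`/2002" should be "Last Updated 8/24/2002".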

    diff --git a/STABLE/documentation/traffic_shaping.htm b/STABLE/documentation/traffic_shaping.htm index 22092ef11..4593e1f70 100644 --- a/STABLE/documentation/traffic_shaping.htm +++ b/STABLE/documentation/traffic_shaping.htm @@ -55,6 +55,9 @@ utilities.

    normally not required as Shorewall's method of clearing qdisc and filter definitions is pretty general. +

    Kernel Configuration

    +

    This screen shot show how I've configured QoS in my Kernel:

    +

    /etc/shorewall/tcrules

    The fwmark classifier provides a convenient way to classify packets for traffic shaping. The /etc/shorewall/tcrules file provides a means @@ -200,7 +203,7 @@ use to others.

    configuration to get an idea of why I want these particular rules.

    -

    Last Updated 6/18/2002 - Tom +

    Last Updated 8/24/2002 - Tom Eastep
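Review bot: in the first traffic_shaping hunk, "This screen shot show how I've configured QoS in my Kernel" should be "shows", and since the new "Kernel Configuration" section relies on a screenshot alone, listing the selected QoS options as text beside the image would let readers compare them against their own kernel configuration without reading them off a picture.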

    Copyright diff --git a/STABLE/fallback.sh b/STABLE/fallback.sh index 71c0e9ba4..72f76ebae 100755 --- a/STABLE/fallback.sh +++ b/STABLE/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=1.3.7 +VERSION=1.3.7b usage() # $1 = exit status { diff --git a/STABLE/install.sh b/STABLE/install.sh index 1626089db..fef688774 100755 --- a/STABLE/install.sh +++ b/STABLE/install.sh @@ -54,7 +54,7 @@ # /etc/rc.d/rc.local file is modified to start the firewall. # -VERSION=1.3.7 +VERSION=1.3.7b usage() # $1 = exit status { diff --git a/STABLE/shorewall.spec b/STABLE/shorewall.spec index aedc4cc1f..66c9abc56 100644 --- a/STABLE/shorewall.spec +++ b/STABLE/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 1.3.7 +%define version 1.3.7b %define release 1 %define prefix /usr @@ -76,6 +76,10 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Mon Aug 26 2002 Tom Eastep +- Changed version to 1.3.7b +* Thu Aug 22 2002 Tom Eastep +- Changed version to 1.3.7a * Thu Aug 22 2002 Tom Eastep - Changed version to 1.3.7 * Sun Aug 04 2002 Tom Eastep diff --git a/STABLE/uninstall.sh b/STABLE/uninstall.sh index 8dfcbe0e3..1d7100bdc 100755 --- a/STABLE/uninstall.sh +++ b/STABLE/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=1.3.7 +VERSION=1.3.7b usage() # $1 = exit status {
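Review bot: the two new shorewall.spec %changelog entries say only "Changed version to 1.3.7a" / "Changed version to 1.3.7b"; an rpm changelog should name what the release changes (per this patch's News page, 1.3.7a fixes rules file processing at startup and 1.3.7b rolls up the "shorewall refresh" fix and the dhcp/norfc1918 ordering change), otherwise packagers have to read the web site to know whether an update matters.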