diff --git a/Shorewall-docs2/Actions.xml b/Shorewall-docs2/Actions.xml
index 520ea8aa5..fe3fd3c56 100644
--- a/Shorewall-docs2/Actions.xml
+++ b/Shorewall-docs2/Actions.xml
@@ -15,7 +15,7 @@
- 2005-01-19
+ 2005-05-13
2005
@@ -151,7 +151,7 @@ Reject:REJECT #Common Action for REJECT policy
- Defining your own Actions
+ Defining your own Actions
To define a new action:
@@ -477,6 +477,9 @@ acton:info:test fw net
$TAG="test"
+
+ For an example of how to use these variables, see this article.
@@ -499,5 +502,8 @@ acton:info:test fw net
/etc/shorewall/DropBcastsrun_iptables -A DropBcasts -m pkttype --pkttype broadcast -j DROP
+
+ For a richer example, see this
+ article.
\ No newline at end of file
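Review bot: the file still ends without a trailing newline after this hunk (the "\ No newline at end of file" marker follows the added lines), so the next edit to the end of Actions.xml will again show a spurious change to its last line; terminate the closing line with a newline. Separately, "see this article" in both added paragraphs gives the reader no idea which article is meant; put the article's name in the link text (presumably the Port Knocking article this same commit adds to the index, since it is the one that uses $TAG and $LEVEL).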
diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml
index 9b1720f5e..ed06eb47c 100644
--- a/Shorewall-docs2/Documentation_Index.xml
+++ b/Shorewall-docs2/Documentation_Index.xml
@@ -15,7 +15,7 @@
- 2005-05-09
+ 2005-05-12
2001-2005
@@ -439,6 +439,10 @@
+
+ Port Knocking
+
+
PPTP
diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml
index b12448286..52fff6014 100644
--- a/Shorewall-docs2/FAQ.xml
+++ b/Shorewall-docs2/FAQ.xml
@@ -17,7 +17,7 @@
- 2005-05-09
+ 2005-05-10
2001-2005
@@ -77,7 +77,7 @@
not modify those files.
-
+
(FAQ 44) I can't install/upgrade the RPM — I keep getting the
message "error: failed dependencies:iproute is needed..."
@@ -320,6 +320,14 @@ DNAT net fw:192.168.1.1:22 tcp 4104
url="http://ian.idallen.ca/dnat.txt">Paper about DNAT and
Linux.
+
+
+ (FAQ 48) How do I Set up Transparent Proxy with
+ Shorewall?
+
+ Answer: See Shorewall_Squid_Usage.html.
+
@@ -554,10 +562,9 @@ really dumb and does not deserve to exist at all. It was an excellent tool
to debug/develop the newnat interface.
- Look here
- for a solution for MSN IM but be aware that there are significant
- security risks involved with this solution. Also check the Netfilter
- mailing list archives at Look here for a solution for MSN IM
+ but be aware that there are significant security risks involved with
+ this solution. Also check the Netfilter mailing list archives at http://www.netfilter.org.
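Review bot: "significant security risks involved with this solution" is left unexplained in the rewritten MSN IM sentence; say what the risk is, or point to where the linked solution describes it, so a reader can judge whether to apply it. Also, http://www.netfilter.org is the site root, not the mailing list archives the sentence promises; link the archives page directly.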
@@ -757,6 +764,33 @@ SPT=33120 DPT=5000 LEN=22
# ZONE
generic:udp:5000 net 69.145.71.133
+
+
+ (FAQ 47) This Rule Doesn't Work as Documented
+
+ I want to allow access from the local zone to the net except for
+ two systems (192.168.100.101 and 192.168.100.115). I use the following
+ rule but find that 192.168.100.115 can still access the net. Is this a
+ bug?
+
+ #ACTION SOURCE DEST PROTO
+ACCEPT loc:!192.168.100.101,192.168.100.115 net
+
+ Answer: Shorewall is currently
+ inconsistent as to where it correctly supports the "!" before a list of
+ addresses. In some places, it works as you would expect and in other
+ cases such as this one it does not. You will need to take a different
+ approach to accomplish what you want. I recommend that you change your
+ loc->net policy to ACCEPT and then use this rule:
+
+ #ACTION SOURCE DEST PROTO
+REJECT loc:192.168.100.101,192.168.100.115 net
+
+ Author's Note: I have looked
+ several times at correcting this problem but it really isn't feasible
+ until I muster the energy to rewrite the Shorewall rules parser.
+ Sorry.
+
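Review bot: the FAQ 47 answer should tell the reader how to detect this case, because a "!" that is not honoured fails open: the rule was meant to exclude 192.168.100.115 and instead that host "can still access the net". Suggest adding that the reader inspect the generated iptables rules for loc->net traffic whenever a SOURCE or DEST list is negated, and, rather than saying only "inconsistent", state (or link to) which contexts do honour "!" so users know where the syntax is safe. The recommended fix (loc->net policy ACCEPT plus the REJECT rule) also assumes the reader knows that rules are consulted before the policy; one sentence saying so would prevent the obvious follow-up question.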
@@ -2183,9 +2217,14 @@ REJECT fw net:216.239.39.99 allGiven that
(FAQ 42) How can I tell which features my kernel and iptables
support?
- Answer: At a root prompt, enter the command shorewall
- check. There is a section near the top of the resulting output
- that gives you a synopsis of your kernel/iptables capabilities.
+ Answer: Users running Shorewall 2.2.4 or later can simply use the
+ shorewall show capabilities command at a root
+ prompt.
+
+ For those running older versions, at a root prompt, enter the
+ command shorewall check. There is a section near the
+ top of the resulting output that gives you a synopsis of your
+ kernel/iptables capabilities.
gateway:/etc/shorewall # shorewall check
Loading /usr/share/shorewall/functions...
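Review bot: the sample session that follows ("gateway:/etc/shorewall # shorewall check") now illustrates only the older-version path; label it as `shorewall check` output, or add a second transcript of `shorewall show capabilities` so 2.2.4-or-later users see what to expect. The new first paragraph could also say why `show capabilities` is preferable (if the reason is that it prints the synopsis without running the full configuration check, say so).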
@@ -2210,4 +2249,4 @@ Verifying Configuration...
...
-
\ No newline at end of file
+
diff --git a/Shorewall-docs2/IPSEC-2.6.xml b/Shorewall-docs2/IPSEC-2.6.xml
index 8dcad7a6e..66799910f 100644
--- a/Shorewall-docs2/IPSEC-2.6.xml
+++ b/Shorewall-docs2/IPSEC-2.6.xml
@@ -15,7 +15,7 @@
- 2005-05-02
+ 2005-05-11
2004
@@ -50,6 +50,48 @@
You must have BOTH the
Netfilter+ipsec patches and the policy match patch. One without the other will not work.
+
+ Here's a combination of components that I know works:
+
+
+
+ Kernel 2.6.11 from kernel.org. Patched with:
+
+
+
+ The five patches in http://shorewall.net/pub/shorewall/contrib/IPSEC/2.6.11
+
+
+
+ The "policy match" extension from the Patch-o-matic-ng CVS
+ snapshot from 2005-May-04 (be sure to NOT try to apply the
+ ipsec-NN patches from patch-o-matic-ng).
+
+
+
+
+
+ iptables 1.3.1 patched with the "policy match" extension from
+ the Patch-o-matic-ng CVS snapshot from 2005-May-04.
+
+
+
+ ipsec-tools 0.5.2 compiled from source. I've also had success
+ with:
+
+
+
+ ipsec-tools 0.5.2 and racoon 0.5.2 from Debian
+ Sarge/testing
+
+
+
+ The ipsec-tools 0.5 rpm from SuSE 9.3.
+
+
+
+
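Review bot: both "Patch-o-matic-ng CVS snapshot from 2005-May-04" references identify the policy match extension only by a date that later readers cannot reproduce; record the patch name that was applied, and, since FAQ 42 in this same commit introduces `shorewall show capabilities`, add that readers can confirm policy match is present with that command after building. "The five patches in http://shorewall.net/pub/shorewall/contrib/IPSEC/2.6.11" should likewise list the patch names and, if it matters, the order in which they apply.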
@@ -194,6 +236,13 @@
of) SA(s) used to encrypt and decrypt traffic to/from the zone and the
security policies that select which traffic to encrypt/decrypt.
+ This article assumes the use of ipsec-tools (http://ipsec-tools.sourceforge.net).
+ As of this writing, I recommend that you run at least version 0.5.2.
+ Debian users, please note that there are separate Debian packages for
+ ipsec-tools and racoon although the ipsec-tools project releases them as a
+ single package.
+
For more information on IPSEC, Kernel 2.6 and Shorewall see my presentation on the subject given at LinuxFest NW
2005.
@@ -773,7 +822,7 @@ all all REJECT info
url="http://www.ipsec-howto.org/">http://www.ipsec-howto.org/.
One piece of information that may not be so easy to find is "How
- to I generate a PKCS#12 certificate to import into Windows?". Here's the
+ do I generate a PKCS#12 certificate to import into Windows?". Here's the
openssl command that I used:
openssl pkcs12 -export -in eastepnc6000.pem -inkey eastepnc6000_key.pem -out eastepnc6000.pfx -name "IPSEC Cert for Home Wireless"
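Review bot: the `openssl pkcs12 -export` command bundles the laptop's private key (eastepnc6000_key.pem) into eastepnc6000.pfx, and the text should say that openssl prompts for an export password that protects that key, that the .pfx must be moved to the laptop over a trusted channel, and that it should be deleted once imported; a reader following the command as given ends up with a file whose loss exposes the private key. The typo fix in the question ("do I generate") is correct.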
@@ -785,18 +834,19 @@ all all REJECT info
- eastepnc6000.pem was the laptop's certificate in PEM
- format.
+ eastepnc6000.pem was the laptop's
+ certificate in PEM format.
- eastepnc6000_key.pem was the laptop's private key (actually,
- it's the original signing request which includes the private
- key).
+ eastepnc6000_key.pem was the laptop's
+ private key (actually, it's the original signing request which
+ includes the private key).
- eastepnc6000.pfx is the PKCS#12 output file.
+ eastepnc6000.pfx is the PKCS#12 output
+ file.
@@ -813,4 +863,13 @@ all all REJECT info
different dialog boxes on Windows XP!!!
+
+
+ Source of Additional Samples
+
+ Be sure to check out the src/racoon/samples subdirectory in the
+ ipsec-tools source tree. It has a wide variety of sample racoon
+ configuration files.
+
\ No newline at end of file
diff --git a/Shorewall-docs2/Install.xml b/Shorewall-docs2/Install.xml
index 1fcf956a7..416f15b4c 100644
--- a/Shorewall-docs2/Install.xml
+++ b/Shorewall-docs2/Install.xml
@@ -185,10 +185,13 @@ INIT="rc.firewall"
If you are running Slackware and are installing Shorewall 2.0.3
- Beta 1 or later, then type:
+ Beta 1 to Shorewall 2.2.3, then type:
DEST=/etc/rc.d INIT=rc.firewall ./install.sh
+ If you are running Slackware and are installing Shorewall 2.2.4 or later, then type:
+ ./install.sh
+
Otherwise, type:
./install.sh
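Review bot: after this change the Slackware 2.2.4-or-later instruction ("./install.sh") is identical to the "Otherwise, type: ./install.sh" case that follows, so the new paragraph adds a branch with no distinct action. Either fold 2.2.4+ into the general case, or say what changed (presumably install.sh now detects Slackware and sets DEST and INIT itself) so readers understand why the DEST=/etc/rc.d INIT=rc.firewall override is no longer needed.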
diff --git a/Shorewall-docs2/PortKnocking.xml b/Shorewall-docs2/PortKnocking.xml
new file mode 100644
index 000000000..c8a6987e2
--- /dev/null
+++ b/Shorewall-docs2/PortKnocking.xml
@@ -0,0 +1,129 @@
+
+
+
+
+
+
+ Port Knocking
+
+
+
+ Tom
+
+ Eastep
+
+
+
+ 2005-05-13
+
+
+ 2005
+
+ Thomas M. Eastep
+
+
+
+ Permission is granted to copy, distribute and/or modify this
+ document under the terms of the GNU Free Documentation License, Version
+ 1.2 or any later version published SHby the Free Software Foundation;
+ with no Invariant Sections, with no Front-Cover, and with no Back-Cover
+ Texts. A copy of the license is included in the section entitled
+ GNU Free Documentation
+ License
.
+
+
+
+
+ What is Port Knocking?
+
+ Port knocking is a technique whereby attempting to connect to port A
+ enables access to port B from that same host. For the example on which
+ this article is based, see http://www.soloport.com/iptables.html
+ which should be considered to be part of this documentation.
+
+
+
+ Implementing Port Knocking in Shorewall
+
+ In order to implement this solution, your iptables and kernel must
+ support the 'recent match' extension (see FAQ
+ 42). These instructions also assume Shorewall version 2.2.0 or
+ later.
+
+ In this example:
+
+
+
+ Attempting to connect to port 1600 enables SSH access.
+
+
+
+ Attempting to connect to port 1601 disables SSH access (note
+ that in the article linked above, attempting to connect to port 1599
+ also disables access. This is an port scan defence as explained in the
+ article).
+
+
+
+ To implement that approach:
+
+
+
+ Add an action named SSHKnock (see the Action documentation). Leave the
+ action.SSHKnock file empty.
+
+
+
+ Create /etc/shorewall/SSHKnock with the following
+ contents:
+
+ if [ -n "$LEVEL" ]; then
+ log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A -p tcp --dport 22 -m recent --rcheck --name SSH
+ log_rule_limit $LEVEL $CHAIN SSHKnock DROP "" "$TAG" -A -p tcp --dport ! 22
+fi
+run_iptables -A $CHAIN -p tcp --dport 22 -m recent --rcheck --name SSH -j ACCEPT
+run_iptables -A $CHAIN -p tcp --dport 1599 -m recent --name SSH --remove -j DROP
+run_iptables -A $CHAIN -p tcp --dport 1600 -m recent --name SSH --set -j DROP
+run_iptables -A $CHAIN -p tcp --dport 1601 -m recent --name SSH --remove -j DROP
+
+
+
+ Now if you want to protect SSH access to the firewall from the
+ Internet, add this rule in
+ /etc/shorewall/rules:
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+SSHKnock net fw tcp 22,1599,1600,1601
+
+ If you want to log the DROPs and ACCEPTs done by SSHKnock, you
+ can just add a log level as in:
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+SSHKnock:info net fw tcp 22,1599,1600,1601
+
+
+
+ If you wish to use SSHKnock with a forwarded connection, you
+ must be using Shorewall 2.3.1 or later for fullest protection. Assume
+ that you forward port 22 from external IP address 206.124.146.178 to
+ internal system 192.168.1.5 In /etc/shorewall/rules:
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
+# PORT(S) DEST
+DNAT- net loc:192.168.1.5 tcp 22 - 206.124.146.178
+SSHKnock net fw tcp 1599,1600,1601
+SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178
+
+
+ You can use SSHKnock with DNAT on earlier releases provided
+ that you omit the ORIGINAL DEST entry on the second SSHKnock rule.
+ This rule will be quite secure provided that you specify 'norfc1918'
+ on your external interface.
+
+
+
+
+
\ No newline at end of file
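Review bot: in the SSHKnock script, the port 22 ACCEPT rule uses `-m recent --rcheck --name SSH` with no --seconds argument, so once a host has knocked on 1600 its entry never expires until that address hits 1599 or 1601; the article should say so explicitly and show the --seconds variant for readers who want the opening to time out on its own. Two typos in the new file: "published SHby the Free Software Foundation" in the license text, and "This is an port scan defence" should read "a port scan defence". The file also ends without a trailing newline.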
diff --git a/Shorewall-docs2/shorewall_extension_scripts.xml b/Shorewall-docs2/shorewall_extension_scripts.xml
index 740694986..bc16d02e2 100644
--- a/Shorewall-docs2/shorewall_extension_scripts.xml
+++ b/Shorewall-docs2/shorewall_extension_scripts.xml
@@ -15,7 +15,7 @@
- 2005-04-06
+ 2005-05-13
2001-2005
@@ -131,6 +131,53 @@
/var/lib/shorewall/restore exists).
+
+ If you wish to generate a log message, use log_rule_limit. Parameters are:
+
+
+
+ Log Level
+
+
+
+ Chain to insert the rule into
+
+
+
+ Chain name to display in the message (this can be different
+ from the preceding argument — see the Port Knocking article for an example
+ of how to use this).
+
+
+
+ Disposition to report in the message (ACCEPT, DROP,
+ etc)
+
+
+
+ Rate Limit (if passed as "" then $LOGLIMIT is assumed — see
+ the LOGLIMIT option in /etc/shorewall/shorewall.conf)
+
+
+
+
+ Log Tag ("" if none)
+
+
+
+ Command (-A or -I for append or insert). This argument applies
+ to Shorewall 2.2.0 and later only.
+
+
+
+ The remaining arguments are passed "as is" to iptables
+
+
+
+
With Shorewall 2.0.2 Beta 1 and later versions, if you run
commands other than iptables that must be re-run in
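Review bot: the parameter list is positional but never shows the call shape on one line; add a synopsis above it such as `log_rule_limit level chain displayname disposition ratelimit tag command iptables-args...` so the SSHKnock example in the Port Knocking article (`log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A ...`) can be read against it. The "Command (-A or -I)" item says it applies to Shorewall 2.2.0 and later only but not what callers on earlier versions do (omit the argument, or is it ignored?); state it, since a script shared between versions would otherwise pass -A as the first iptables argument.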