holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Changes for 1.3.11

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@341 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-11-24 20:12:22 +00:00
parent 884da5a325
commit 99c0b33000
37 changed files with 9147 additions and 8364 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
STABLE/changelog.txt
View File

@ -1,44 +1,17 @@
Changes since 1.3.9 Changes since 1.3.10
1. Fix dumb bug in 1.3.9 Tunnel Handling. 1. Added TCP flags checking.
2. First implementaiton of dynamic zones. 2. Accomodate bash clones like dash and ash
3. Corrections to Dynamic Zones. 3. Added some comments in the policy chain creation/population logic.
4. More fixes for Dynamic Zones. 4. Check for fw->fw rules.
5. Correct a typo in an error message. 5. Allow 'all' in rules.
6. Fix rule insertion algorithms for Dynamic Zones. 6. Add reverse GRE rules for PPTP server and clients.
7. Optimize dynamic zones code 7. Add warning to tcrules file.
8. Remove iptables 1.2.7 hacks.
9. Fix dumb typo in 1.3.9 (recalculate_interfacess)
10. Add PATH assignment to the install script
11. Correct 'functions' file handling in the install script.
12. Add ipsecnat tunnel type.
13. Correct typo in the shorewall.spec file.
14. Add support for PPTP client and server to the tunnels file.
15. Move the main firewall script to /usr/lib/shorewall
16. Allow SNAT using primary IP and ADD_SNAT_ALIASES=Yes
17. Add MAC verificaiton
18. Conserve space by removing comment decorations.
19. Improve comments in interfaces file re: use of aliases
20. Clear nat and mangle counters during 'shorewall reset'
21. Verify interface names in the SOURCE column of /etc/shorewall/tcrules
8. Add warning to policy file that fw->fw policies aren't allowed.

4437
STABLE/documentation/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

1512
STABLE/documentation/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

137
STABLE/documentation/MAC_Validation.html
View File

@ -2,105 +2,104 @@
<html> <html>
<head> <head>
<title>MAC Verification</title> <title>MAC Verification</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4" style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">MAC Verification</font><br> <h1 align="center"><font color="#ffffff">MAC Verification</font><br>
</h1> </h1>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
Beginning with Shorewall version 1.3.10, all traffic from an interface Beginning with Shorewall version 1.3.10, all traffic from an interface
or from a subnet on an interface can be verified to originate from a defined or from a subnet on an interface can be verified to originate from a defined
set of MAC addresses. Furthermore, each MAC address may be optionally associated set of MAC addresses. Furthermore, each MAC address may be optionally associated
with one or more IP addresses. There are four components to this facility.<br> with one or more IP addresses. There are four components to this facility.<br>
<ol> <ol>
<li>The <b>maclist</b> interface option in <a <li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
this option is specified, all traffic arriving on the interface is subjet option is specified, all traffic arriving on the interface is subjet to MAC
to MAC verification.</li> verification.</li>
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. <li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
When this option is specified for a subnet, all traffic from that subnet When this option is specified for a subnet, all traffic from that subnet
is subject to MAC verification.</li> is subject to MAC verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate MAC <li>The /etc/shorewall/maclist file. This file is used to associate
addresses with interfaces and to optionally associate IP addresses with MAC addresses with interfaces and to optionally associate IP addresses with
MAC addresses.</li> MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> The in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> The
MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines
the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL
variable gives the syslogd level at which connection requests that fail variable gives the syslogd level at which connection requests that fail verification
verification are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="") are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="")
then failing connection requests are not logged.<br> then failing connection requests are not logged.<br>
</li> </li>
</ol> </ol>
The columns in /etc/shorewall/maclist are:<br> The columns in /etc/shorewall/maclist are:<br>
<ul> <ul>
<li>INTERFACE - The name of an ethernet interface on the Shorewall system.</li> <li>INTERFACE - The name of an ethernet interface on the Shorewall system.</li>
<li>MAC - The MAC address of a device on the ethernet segment connected <li>MAC - The MAC address of a device on the ethernet segment connected
by INTERFACE. It is not necessary to use the Shorewall MAC format in this by INTERFACE. It is not necessary to use the Shorewall MAC format in this
column although you may use that format if you so choose.</li> column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses for <li>IP Address - An optional comma-separated list of IP addresses for
the device whose MAC is listed in the MAC column.</li> the device whose MAC is listed in the MAC column.</li>
</ul> </ul>
<h3>Example 1: Here are my files:</h3> <h3>Example 1: Here are my files:</h3>
<b>/etc/shorewall/shorewall.conf:<br> <b>/etc/shorewall/shorewall.conf:<br>
</b> </b>
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre> <pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
<b>/etc/shorewall/interfaces:</b><br> <b>/etc/shorewall/interfaces:</b><br>
<pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,filterping,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 192.168.2.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas 192.168.9.255 filterping<br> loc ppp+ - filterping<br></pre> <pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,filterping,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 192.168.2.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas 192.168.9.255 filterping<br> loc ppp+ - filterping<br></pre>
<b>/etc/shorewall/maclist:</b><br> <b>/etc/shorewall/maclist:</b><br>
<pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre> <pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre>
As shown above, I use MAC Verification on <a href="myfiles.htm">my local As shown above, I use MAC Verification on <a href="myfiles.htm">my local
zone</a>.<br> zone</a>.<br>
<h3>Example 2: Router in Local Zone</h3> <h3>Example 2: Router in Local Zone</h3>
Suppose now that I add a second ethernet segment to my local zone and gateway Suppose now that I add a second ethernet segment to my local zone and
that segment via a router with MAC address 00:06:43:45:C6:15 and IP address gateway that segment via a router with MAC address 00:06:43:45:C6:15 and
192.168.1.253. Hosts in the second segment have IP addresses in the subnet IP address 192.168.1.253. Hosts in the second segment have IP addresses
192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
file:<br> file:<br>
<pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre> <pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.1.253) and This entry accomodates traffic from the router itself (192.168.1.253)
from the second LAN segment (192.168.2.0/24). Remember that all traffic and from the second LAN segment (192.168.2.0/24). Remember that all traffic
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15) by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15)
and not that of the host sending the traffic. and not that of the host sending the traffic.
<p><font size="2"> Updated 10/23/2002 - <a <p><font size="2"> Updated 10/23/2002 - <a href="support.htm">Tom Eastep</a>
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a> </font></p>
</font></p>
<p><font face="Trebuchet MS"><a <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
href="file:///home/teastep/Shorewall-docs/copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br> <br>
<br>
<br> <br>
<br> <br>
</body> </body>

2348
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

64
STABLE/documentation/Shorewall_CVS_Access.html
View File

@ -2,51 +2,51 @@
<html> <html>
<head> <head>
<title>Shorewall CVS Access</title> <title>Shorewall CVS Access</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall CVS Access</font> <h1 align="center"><font color="#ffffff">Shorewall CVS Access</font>
</h1> </h1>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
Lots of people try to download the entire Shorewall website for off-line Lots of people try to download the entire Shorewall website for off-line
browsing, including the CVS portion. In addition to being an enormous volume browsing, including the CVS portion. In addition to being an enormous volume
of data (HTML versions of all versions of all Shorewall files), all of the of data (HTML versions of all versions of all Shorewall files), all of the
pages in Shorewall CVS access are cgi-generated which places a tremendous pages in Shorewall CVS access are cgi-generated which places a tremendous
load on my little server. I have therefore resorted to making CVS access load on my little server. I have therefore resorted to making CVS access
password controlled. When you are asked to log in, enter "Shorewall" (NOTE password controlled. When you are asked to log in, enter "Shorewall" (NOTE
THE CAPITALIZATION!!!!!) for both the user name and the password.<br> THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
<br> <br>
<div align="center"> <div align="center">
<h3><a href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi" <h3><a href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"
target="_top">CVS Login</a> &nbsp;<br> target="_top">CVS Login</a> &nbsp;<br>
</h3> </h3>
</div> </div>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/23/2002 <p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/23/2002
- <a href="file:///vfat/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a> - <a href="support.htm">Tom Eastep</a> </font>
</font> </p> </p>
<p><font face="Trebuchet MS"><a <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
href="file:///vfat/Shorewall/Shorewall-docs/copyright.htm"><font &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> <br>
<br> <br>
<br> <br>
<br> <br>

198
STABLE/documentation/Shorewall_index_frame.htm
View File

@ -1,121 +1,143 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base
target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" bgcolor="#ffffff"> <td width="100%" bgcolor="#ffffff">
<ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></li>
<li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" target="_top">Washington
State, USA</a><br>
</li>
</ul>
</li>
</ul>
<ul>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
<ul> </tbody>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides
(HOWTOs)</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
</ul>
</li>
</ul>
<ul>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</table> </table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330 GMT.<br> <b>Note: </b></strong>Search is unavailable Daily 0200-0330
<strong></strong> GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input type="text" <font face="Arial" size="-1"> <input
name="words" size="15"></font><font size="-1"> </font> <font type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input type="hidden" <font face="Arial"> <input type="hidden"
name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font> name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font>
</form> </form>
<p><b><a href="htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p> size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> <img border="1" <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0"> src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a><br> </a><br>
</p> <br>
</p>
<br>
<br>
<br>
</body> </body>
</html> </html>

462
STABLE/documentation/configuration_file_basics.htm
View File

@ -1,316 +1,318 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Configuration File Basics</title> <title>Configuration File Basics</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1> <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your <p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u> configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a> href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p> before you use them with Shorewall.</b></p>
<h2>Files</h2> <h2>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p> <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul> <ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall <li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li> parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables <li>/etc/shorewall/params - use this file to set shell variables
that you will expand in other files.</li> that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of <li>/etc/shorewall/zones - partition the firewall's view of
the world into <i>zones.</i></li> the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level <li>/etc/shorewall/policy - establishes firewall high-level
policy.</li> policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on <li>/etc/shorewall/interfaces - describes the interfaces on
the firewall system.</li> the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of <li>/etc/shorewall/hosts - allows defining zones in terms of
individual hosts and subnetworks.</li> individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use <li>/etc/shorewall/masq - directs the firewall where to use
many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading) many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading)
and Source Network Address Translation (SNAT).</li> and Source Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel <li>/etc/shorewall/modules - directs the firewall to load kernel
modules.</li> modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions <li>/etc/shorewall/rules - defines rules that are exceptions
to the overall policies established in /etc/shorewall/policy.</li> to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li> <li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li> <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later)
- defines hosts accessible when Shorewall is stopped.</li> - defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for <li>/etc/shorewall/tcrules - defines marking of packets for
later use by traffic control/shaping or policy routing.</li> later use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field <li>/etc/shorewall/tos - defines rules for setting the TOS
in packet headers.</li> field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels <li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels
with end-points on the firewall system.</li> with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li> addresses.</li>
</ul> </ul>
<h2>Comments</h2> <h2>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace <p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at the end character a pound sign ("#"). You may also place comments at the
of any line, again by delimiting the comment from the rest of the end of any line, again by delimiting the comment from the rest of
line with a pound sign.</p> the line with a pound sign.</p>
<p>Examples:</p> <p>Examples:</p>
<pre># This is a comment</pre> <pre># This is a comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre> <pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2>Line Continuation</h2> <h2>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash <p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p> ("\") followed immediately by a new line character.</p>
<p>Example:</p> <p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre> <pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="dnsnames"></a>Using DNS Names</h2> <h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names and
you are called out of bed at 2:00AM because Shorewall won't start as a
result of DNS problems then don't say that you were not forewarned. <br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified either as IP addresses or as DNS Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as they first appear.
When a DNS name appears in a rule, the iptables utility resolves the name
to one or more IP addresses and inserts those addresses into the rule.
So change in the DNS-&gt;IP address relationship that occur after the firewall
has started have absolutely no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names
and you are called out of bed at 2:00AM because Shorewall won't start as
a result of DNS problems then don't say that you were not forewarned. <br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified either as IP addresses or as DNS Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as they first appear.
When a DNS name appears in a rule, the iptables utility resolves the name
to one or more IP addresses and inserts those addresses into the rule.
So change in the DNS-&gt;IP address relationship that occur after the firewall
has started have absolutely no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul> <ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't <li>If your /etc/resolv.conf is wrong then your firewall won't
start.</li> start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't <li>If your /etc/nsswitch.conf is wrong then your firewall won't
start.</li> start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't <li>If your Name Server(s) is(are) down then your firewall won't
start.</li> start.</li>
<li>If your startup scripts try to start your firewall before starting <li>If your startup scripts try to start your firewall before starting
your DNS server then your firewall won't start.<br> your DNS server then your firewall won't start.<br>
</li> </li>
<li>Factors totally outside your control (your ISP's router is <li>Factors totally outside your control (your ISP's router is
down for example), can prevent your firewall from starting.</li> down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting your <li>You must bring up your network interfaces prior to starting your
firewall.<br> firewall.<br>
</li> </li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum </ul>
of two periods (although one may be trailing). This restriction is imposed
by Shorewall to insure backward compatibility with existing configuration <p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is imposed
by Shorewall to insure backward compatibility with existing configuration
files.<br> files.<br>
<br> <br>
Examples of valid DNS names:<br> Examples of valid DNS names:<br>
</p> </p>
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net.</li>
</ul>
Examples of invalid DNS names:<br>
<ul> <ul>
<li>mail (not fully qualified)</li> <li>mail.shorewall.net</li>
<li>shorewall.net (only one period)</li> <li>shorewall.net.</li>
</ul>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul> </ul>
These are iptables restrictions and are not simply imposed for your Examples of invalid DNS names:<br>
<ul>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
</ul>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These are iptables restrictions and are not simply imposed for your
inconvenience by Shorewall. <br> inconvenience by Shorewall. <br>
<br> <br>
<h2>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must
be no white space following the "!".</p>
<h2>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or there
would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li>
<h2>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must be
no white space following the "!".</p>
<h2>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or there
would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li>
</ul> </ul>
<h2>Port Numbers/Service Names</h2> <h2>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use <p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p> either an integer or a service name from /etc/services. </p>
<h2>Port Ranges</h2> <h2>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to local if you want to forward the range of tcp ports 4000 through 4100 to local
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br> host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p> </p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre> <pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
<h2>Using Shell Variables</h2> <h2>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables <p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p> that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font <p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p> within the Shorewall programs</p>
<p>Example:</p> <p>Example:</p>
<blockquote> <blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre> <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
</blockquote> </blockquote>
<p><br> <p><br>
Example (/etc/shorewall/interfaces record):</p> Example (/etc/shorewall/interfaces record):</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre> <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote> </blockquote>
</font> </font>
<p>The result will be the same as if the record had been written</p> <p>The result will be the same as if the record had been written</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre> <pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote> </blockquote>
</font> </font>
<p>Variables may be used anywhere in the other configuration <p>Variables may be used anywhere in the other configuration
files.</p> files.</p>
<h2>Using MAC Addresses</h2> <h2>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet <p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature, source in several of the configuration files. To use this feature,
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p> included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a <p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br> unique MAC address.<br>
<br> <br>
In GNU/Linux, MAC addresses are usually written as a series of In GNU/Linux, MAC addresses are usually written as a series of
6 hex numbers separated by colons. Example:<br> 6 hex numbers separated by colons. Example:<br>
<br> <br>
     [root@gateway root]# ifconfig eth0<br>      [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>      eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0<br>      inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0<br>      RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0<br>      TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0<br>
     collisions:30394 txqueuelen:100<br>      collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8      RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8
Mb)<br> Mb)<br>
     Interrupt:11 Base address:0x1800<br>      Interrupt:11 Base address:0x1800<br>
<br> <br>
Because Shorewall uses colons as a separator for address fields, Because Shorewall uses colons as a separator for address fields,
Shorewall requires MAC addresses to be written in another way. In Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde ("~") and consist of 6 Shorewall, MAC addresses begin with a tilde ("~") and consist of
hex numbers separated by hyphens. In Shorewall, the MAC address in 6 hex numbers separated by hyphens. In Shorewall, the MAC address
the example above would be written "~02-00-08-E3-FA-55".<br> in the example above would be written "~02-00-08-E3-FA-55".<br>
</p> </p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br> in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p> </p>
<h2>Shorewall Configurations</h2> <h2><a name="Configs"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall. <p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a> The <a href="starting_and_stopping_shorewall.htm">shorewall start and restart</a>
commands allow you to specify an alternate configuration directory and commands allow you to specify an alternate configuration directory
Shorewall will use the files in the alternate directory rather than the and Shorewall will use the files in the alternate directory rather than
corresponding files in /etc/shorewall. The alternate directory need not the corresponding files in /etc/shorewall. The alternate directory need
contain a complete configuration; those files not in the alternate directory not contain a complete configuration; those files not in the alternate directory
will be read from /etc/shorewall.</p> will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration <p> This facility permits you to easily create a test or temporary configuration
by:</p> by:</p>
<ol> <ol>
<li> copying the files that need modification from /etc/shorewall <li> copying the files that need modification from /etc/shorewall
to a separate directory;</li> to a separate directory;</li>
<li> modify those files in the separate directory; and</li> <li> modify those files in the separate directory; and</li>
<li> specifying the separate directory in a shorewall start <li> specifying the separate directory in a shorewall start
or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> ).</li> restart</b></i> ).</li>
</ol> </ol>
<p><font size="2"> Updated 10/24/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 11/21/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

528
STABLE/documentation/download.htm
View File

@ -1,308 +1,392 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title> <title>Download</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b></p> for the configuration that most closely matches your own.</b></p>
<p>Once you've done that, download <u> one</u> of the modules:</p> <p>Once you've done that, download <u> one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with a 2.4 Linux PPC</b> or <b> TurboLinux</b> distribution with a
kernel, you can use the RPM version (note: the RPM should 2.4 kernel, you can use the RPM version (note: the RPM should
also work with other distributions that store init scripts in also work with other distributions that store init scripts
/etc/init.d and that include chkconfig or insserv). If you find in /etc/init.d and that include chkconfig or insserv). If you
that it works in other cases, let <a find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation Instructions</a> I can mention them here. See the <a href="Install.htm">Installation Instructions</a>
if you have problems installing the RPM.</li> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also <li>If you are running LRP, download the .lrp file (you might
want to download the .tgz so you will have a copy of the documentation).</li> also want to download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
would like a .deb package, Shorewall is in both the <a and would like a .deb package, Shorewall is in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li> Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li> <li>Otherwise, download the <i>shorewall</i> module
(.tgz)</li>
</ul> </ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files <p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.</p> and there is an documentation .deb that also contains the documentation.</p>
<p>Please verify the version that you have downloaded -- during the <p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may point release of a new version of Shorewall, the links below may point
to a newer or an older version than is shown below.</p> to a newer or an older version than is shown below.</p>
<ul> <ul>
<li>RPM - "rpm -qip LATEST.rpm"</li> <li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will contain <li>TARBALL - "tar -ztf LATEST.tgz" (the directory name will
the version)</li> contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf &lt;downloaded <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf
.lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li> &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li>
</ul> </ul>
<p><font face="Arial">Once you have verified the version, check the <p><font face="Arial">Once you have verified the version, check the
</font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font </font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font
face="Arial"> to see if there are updates that apply to the version face="Arial"> to see if there are updates that apply to the version
that you have downloaded.</font></p> that you have downloaded.</font></p>
<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY <p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p> configuration of your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled.</b></font></p>
<p>Download Latest Version (<b>1.3.10</b>): <b>Remember that updates to the
mirrors occur 1-12 hours after an update to the primary site.</b></p> <p><b>Download Latest Version</b> (<b>1.3.10</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the primary site.</b></p>
<blockquote>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3" <table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;"> style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>Washington State, USA</td> <td valign="top">SourceForge<br>
<td>Shorewall.net</td> </td>
<td><a <td valign="top">sf.net<br>
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br> </td>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download <td valign="top"><a
.tgz</a> <br> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download </td>
.lrp</a></td> <td valign="top"><br>
<td><a </td>
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank"> </tr>
Download .rpm</a> <br> <tr>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" <td>Slovak Republic</td>
target="_blank">Download .tgz</a> <br> <td>Shorewall.net</td>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" <td><a
target="_blank">Download .lrp</a></td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br> href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a><br>
<td> <a target="_blank" <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a></td> .rpm</a><br>
</tr> <a
<tr> href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
<td>Texas, USA</td> Download.md5sums</a></td>
<td>Infohiiway.com</td> </tr>
<td><a <tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br> .rpm</a><br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a><br>
<td> <a target="_blank" <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
<td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a></td> .lrp</a><br>
</tr> <a
<tr> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
<td>Hamburg, Germany</td> Download.md5sums</a></td>
<td>Shorewall.net</td> </tr>
<td><a <tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br> .rpm</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br> .tgz</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a><br>
<td> <a target="_blank" <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a><br>
</tr> <a target="_blank"
<tr> href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
<td>Martinez (Zona Norte - GBA), Argentina</td> .md5sums</a></td>
<td>Correofuego.com.ar</td> </tr>
<td> <a target="_blank" <tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp"> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td> Download .lrp</a><br>
<td> <a target="_blank" <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp"> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td> Download .lrp</a><br>
</tr> <a target="_blank"
<tr> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
<td>Paris, France</td> .md5sums</a></td>
<td>Shorewall.net</td> </tr>
<td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download <tr>
.rpm</a><br> <td>Paris, France</td>
<a href="http://france.shorewall.net/pub/LATEST.tgz">Download <td>Shorewall.net</td>
.tgz</a> <br> <td><a href="http://france.shorewall.net/pub/LATEST.rpm">Download
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download .rpm</a><br>
.lrp</a></td> <a href="http://france.shorewall.net/pub/LATEST.tgz">Download
<td> <a target="_blank" .tgz</a> <br>
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a></td> .lrp</a><br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br>
</td>
<td valign="top"><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br>
<a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br>
</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p>Browse Download Sites:</p> <p align="left"><b>Documentation in PDF format:</b><br>
</p>
<blockquote>
<blockquote>
<p>Juraj Ontkanin has produced a Portable Document Format (PDF) file containing
the Shorewall 1.3.10 documenation (the documentation in HTML format is included
in the .rpm and in the .tgz). The .pdf may be downloaded from</p>
</blockquote>
<blockquote>
<blockquote><a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/"><br>
http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</blockquote>
</blockquote>
<p><b>Browse Download Sites:</b></p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>Washington State, USA</td> <td>SourceForge<br>
<td>Shorewall.net</td> </td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td> <td>sf.net</td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/" <td><a
target="_blank">Browse</a></td> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
</tr> <td>N/A</td>
<tr> </tr>
<td>Slovak Republic</td> <tr>
<td>Shorewall.net</td> <td>Slovak Republic</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td> <td>Shorewall.net</td>
<td> <a target="_blank" <td><a
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td> href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td> <td><a
<td><a target="_blank" href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td> href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Hamburg, Germany</td> <td>Hamburg, Germany</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td> <td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank" <td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td> href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>Martinez (Zona Norte - GBA), Argentina</td> <td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td> <td>Correofuego.com.ar</td>
<td><a <td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>France</td> <td>France</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td> href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td> href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr> </tr>
<tr> <tr>
<td>California, USA (Incomplete)</td> <td>Washington State, USA</td>
<td>Sourceforge.net</td> <td>Shorewall.net</td>
<td><a href="http://sourceforge.net/projects/shorewall">Browse</a></td> <td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td>N/A</td> <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
</tr> target="_blank">Browse</a></td>
</tr>
</tbody>
</tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left">CVS:</p> <p align="left"><b>CVS:</b></p>
<blockquote> <blockquote>
<p align="left">The <a target="_top" <p align="left">The <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
component. There's no guarantee that what you find there will work at component. There's no guarantee that what you find there will work at
all.</p> all.<br>
</blockquote> </p>
</blockquote>
<p align="left"><font size="2">Last Updated 11/9/2002 - <a
<p align="left"><b></b><font size="2">Last Updated 11/11/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

615
STABLE/documentation/errata.htm
View File

@ -1,152 +1,175 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title> <title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <b><u>IMPORTANT</u></b></p> <p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> <a a corrected script, be sure to run the script through <u>
href="http://www.megaloman.com/%7Ehany/software/hd2u/" <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the <p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>When the instructions say to install a corrected <p align="left"> <b>When the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts to the 'shorewall' file used by your system initialization scripts
to start Shorewall during boot. It is that file that must be overwritten to start Shorewall during boot. It is that file that must be overwritten
with the corrected script.</b></p> with the corrected script.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example,
do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems in
Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems
in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a
href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems with
kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7
and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
</li> </li>
<li>
</ul> <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
<hr> example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2> </p>
</li>
<h3>Version 1.3.9a</h3>
</ol>
<ul> <ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
the following message appears during "shorewall [re]start":</li> <li> <b><a href="#V1.3">Problems in
Version 1.3</a></b></li>
<li> <b><a href="errata_2.htm">Problems
in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <a
href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems
with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7
and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
</li>
</ul>
<hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.10</h3>
<ul>
<li>If you experience problems connecting to a PPTP server running on
your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases where
installing this script in /usr/lib/shorewall/firewall solved your connection
problems. Beginning with version 1.3.10, it is safe to save the old version
of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
is the real script now and not just a symbolic link to the real script.<br>
</li>
</ul> </ul>
<h3>Version 1.3.9a</h3>
<ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then
the following message appears during "shorewall [re]start":</li>
</ul>
<pre> recalculate_interfacess: command not found<br></pre> <pre> recalculate_interfacess: command not found<br></pre>
<blockquote> The updated firewall script at <a <blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described
above.<br> above.<br>
</blockquote> </blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br> to 'recalculate_interface'. <br>
</blockquote> </blockquote>
<ul> <ul>
<li>The installer (install.sh) issues a misleading message "Common functions <li>The installer (install.sh) issues a misleading message "Common functions
installed in /var/lib/shorewall/functions" whereas the file is installed installed in /var/lib/shorewall/functions" whereas the file is installed
in /usr/lib/shorewall/functions. The installer also performs incorrectly in /usr/lib/shorewall/functions. The installer also performs incorrectly
when updating old configurations that had the file /etc/shorewall/functions. when updating old configurations that had the file /etc/shorewall/functions.
<a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br> is an updated version that corrects these problems.<br>
</a></li> </a></li>
</ul> </ul>
<h3>Version 1.3.9</h3> <h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script
at <a at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br> -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br> <br>
Version 1.3.8 Version 1.3.8
<ul> <ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns of <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns
the policy file doesn't work.</li> of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses but with <li>A DNAT rule with the same original and new IP addresses but
different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
25 - 10.1.1.1")<br> tcp 25 - 10.1.1.1")<br>
</li> </li>
</ul> </ul>
Installing <a Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these problems. as described above corrects these problems.
<h3>Version 1.3.7b</h3> <h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW) <p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing result in an error message. Installing
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p> as described above corrects this problem.</p>
<h3>Version 1.3.7a</h3> <h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper <p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after rule for FORWARDPING=Yes. Consequently, after
"shorewall refresh", the firewall will not forward "shorewall refresh", the firewall will not forward
@ -154,344 +177,350 @@ at <a
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p> as described above corrects this problem.</p>
<h3>Version &lt;= 1.3.7a</h3> <h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as <p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918 options on a given interface then RFC 1918
checking is occurring before DHCP checking. This checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This reject the broadcast (usually logging it). This
has two problems:</p> has two problems:</p>
<ol> <ol>
<li>If the firewall is running a DHCP <li>If the firewall is running a
server, the client won't be able to obtain DHCP server, the client won't be able
an IP address lease from that server.</li> to obtain an IP address lease from that
<li>With this order of checking, the server.</li>
"dhcp" option cannot be used as a noise-reduction <li>With this order of checking,
measure where there are both dynamic the "dhcp" option cannot be used as a
and static clients on a LAN segment.</li> noise-reduction measure where there are
both dynamic and static clients on a LAN
segment.</li>
</ol> </ol>
<p> <a <p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a> This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed corrects the problem. It must be installed
in /var/lib/shorewall as described above.</p> in /var/lib/shorewall as described above.</p>
<h3>Version 1.3.7</h3> <h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use <p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against version 1.3.7a and check your version against
these md5sums -- if there's a difference, please these md5sums -- if there's a difference, please
download again.</p> download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre> <pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt; <p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
and compare the result with what you see above.</p> and compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the <p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
.7 version in each sequence from now on.</p> .7 version in each sequence from now on.</p>
<h3 align="left">Version 1.3.6</h3> <h3 align="left">Version 1.3.6</h3>
<ul> <ul>
<li> <li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, <p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to add an an error occurs when the firewall script attempts to add an
SNAT alias. </p> SNAT alias. </p>
</li> </li>
<li> <li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables cause errors during startup when Shorewall is run with iptables
1.2.7. </p> 1.2.7. </p>
</li> </li>
</ul> </ul>
<p align="left">These problems are fixed in <a <p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also /var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p> corrected in version 1.3.7.</p>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3> <h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="left">A line was inadvertently deleted from the "interfaces <p align="left">A line was inadvertently deleted from the "interfaces
file" -- this line should be added back in if the version that you file" -- this line should be added back in if the version that you
downloaded is missing it:</p> downloaded is missing it:</p>
<p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p> <p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
<p align="left">If you downloaded two-interfaces-a.tgz then the above <p align="left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p> line should already be in the file.</p>
<h3 align="left">Version 1.3.5-1.3.5b</h3> <h3 align="left">Version 1.3.5-1.3.5b</h3>
<p align="left">The new 'proxyarp' interface option doesn't work :-( <p align="left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in <a This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p> /var/lib/shorewall/ as described above.</p>
<h3 align="left">Versions 1.3.4-1.3.5a</h3> <h3 align="left">Versions 1.3.4-1.3.5a</h3>
<p align="left">Prior to version 1.3.4, host file entries such as the <p align="left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p> following were allowed:</p>
<div align="left"> <div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre> <pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only <p align="left">That capability was lost in version 1.3.4 so that it is only
possible to  include a single host specification on each line. This possible to  include a single host specification on each line. This
problem is corrected by <a problem is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</p> as instructed above.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</p> <p align="left">This problem is corrected in version 1.3.5b.</p>
</div> </div>
<h3 align="left">Version 1.3.5</h3> <h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install <p align="left">REDIRECT rules are broken in this version. Install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version 1.3.5a.</p> as instructed above. This problem is corrected in version
1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3> <h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands <p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy to not verify that the zones named in the /etc/shorewall/policy
file have been previously defined in the /etc/shorewall/zones file have been previously defined in the /etc/shorewall/zones
file. The "shorewall check" command does perform this verification file. The "shorewall check" command does perform this verification
so it's a good idea to run that command after you have made configuration so it's a good idea to run that command after you have made configuration
changes.</p> changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3> <h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after <p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match "Activating rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in /etc/shorewall/interfaces. that specifies an interface that you didn't include in /etc/shorewall/interfaces.
To correct this problem, you must add an entry to /etc/shorewall/interfaces. To correct this problem, you must add an entry to /etc/shorewall/interfaces.
Shorewall 1.3.3 and later versions produce a clearer error Shorewall 1.3.3 and later versions produce a clearer error
message in this case.</p> message in this case.</p>
<h3 align="left">Version 1.3.2</h3> <h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the <p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct file can be identified by its size (56284 bytes). The correct
version has a size of 38126 bytes.</p> version has a size of 38126 bytes.</p>
<ul> <ul>
<li>The code to detect a duplicate interface entry in <li>The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it from /etc/shorewall/interfaces contained a typo that prevented it
working correctly. </li> from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved just <li>"NAT_BEFORE_RULES=No" was broken; it behaved just
like "NAT_BEFORE_RULES=Yes".</li> like "NAT_BEFORE_RULES=Yes".</li>
</ul> </ul>
<p align="left">Both problems are corrected in <a <p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p> as described above.</p>
<ul> <ul>
<li> <li>
<p align="left">The IANA have just announced the allocation of subnet <p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a 221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p> updated rfc1918</a> file reflects that allocation.</p>
</li> </li>
</ul> </ul>
<h3 align="left">Version 1.3.1</h3> <h3 align="left">Version 1.3.1</h3>
<ul> <ul>
<li>TCP SYN packets may be double counted when <li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
packet is sent through the limit chain twice).</li> packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes <li>An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.</li> generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface <li>When an option is given for more than one interface
in /etc/shorewall/interfaces then depending on the option, in /etc/shorewall/interfaces then depending on the option,
Shorewall may ignore all but the first appearence of the option. Shorewall may ignore all but the first appearence of the
For example:<br> option. For example:<br>
<br> <br>
net    eth0    dhcp<br> net    eth0    dhcp<br>
loc    eth1    dhcp<br> loc    eth1    dhcp<br>
<br> <br>
Shorewall will ignore the 'dhcp' on eth1.</li> Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior <li>Update 17 June 2002 - The bug described in the prior
bullet affects the following options: dhcp, dropunclean, logunclean, bullet affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An norfc1918, routefilter, multi, filterping and noping. An
additional bug has been found that affects only the 'routestopped' additional bug has been found that affects only the 'routestopped'
option.<br> option.<br>
<br> <br>
Users who downloaded the corrected script prior to 1850 Users who downloaded the corrected script prior to 1850
GMT today should download and install the corrected script GMT today should download and install the corrected script
again to ensure that this second problem is corrected.</li> again to ensure that this second problem is corrected.</li>
</ul> </ul>
<p align="left">These problems are corrected in <a <p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p> as described above.</p>
<h3 align="left">Version 1.3.0</h3> <h3 align="left">Version 1.3.0</h3>
<ul> <ul>
<li>Folks who downloaded 1.3.0 from the links on the download <li>Folks who downloaded 1.3.0 from the links on the
page before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13 download page before 23:40 GMT, 29 May 2002 may have downloaded
rather than 1.3.0. The "shorewall version" command will tell 1.2.13 rather than 1.3.0. The "shorewall version" command
you which version that you have installed.</li> will tell you which version that you have installed.</li>
<li>The documentation NAT.htm file uses non-existent <li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The <a wallpaper and bullet graphic files. The <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li> corrected version is here</a>.</li>
</ul> </ul>
<hr> <hr>
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2> <h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a <p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p> href="upgrade_issues.htm">a separate page</a>.</p>
<hr> <hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with <h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3> iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat released prevent it from working with Shorewall. Regrettably, RedHat released
this buggy iptables in RedHat 7.2. </p> this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have also built corrected 1.2.3 rpm which you can download here</a>  and I have also
an <a built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u> running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download
<ul> from<font color="#ff6633"> <a
<li>cd iptables-1.2.3/extensions</li> href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
<li>patch -p0 &lt; <i>the-patch-file</i></li> </font>I have installed this RPM on my firewall and it works fine.</p>
</ul> <p align="left">If you would like to patch iptables 1.2.3 yourself,
</blockquote> the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3> and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p> may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing the Netfilter 'mangle' table. You can correct the problem by installing
<a <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g., iptables, you will need to specify the --oldpackage option to rpm (e.g.,
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict <p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to installed, simply use the "--nodeps" option to
rpm.</p> rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with <h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3> iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made <p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to an incompatible change to the syntax used to
specify multiport match rules; as a consequence, specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p> Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No in <li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li> /etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6 <li>if you are running Shorewall
you may install 1.3.6 you may install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
</ul> </ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will result in Shorewall /etc/shorewall/nat entries of the following form will result in Shorewall
being unable to start:<br> being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br> Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes
has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel
contains corrected support under a new kernel configuraiton option; see contains corrected support under a new kernel configuraiton option; see
<a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 10/9/2002 - <p><font size="2"> Last updated 11/24/2002 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

266
STABLE/documentation/mailing_list.htm
View File

@ -1,83 +1,99 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title> <title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
bgcolor="#400169" height="90"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><a <h1 align="center"><a
href="http://www.gnu.org/software/mailman/mailman.html"> <img href="http://www.centralcommand.com/linux_products.html"><img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="35"> height="79" align="left">
</a><a href="http://www.postfix.org/"> <img </a><a href="http://www.gnu.org/software/mailman/mailman.html">
<img border="0" src="images/logo-sm.jpg" align="left" hspace="5"
width="110" height="35">
</a><a href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115" src="images/small-picture.gif" align="right" border="0" width="115"
height="45"> height="45">
</a><font color="#ffffff">Shorewall Mailing Lists</font></h1> </a><font color="#ffffff">Shorewall Mailing Lists</font></h1>
<p align="right"><font color="#ffffff"><b>Powered by Postfix      <p align="right"><font color="#ffffff"><b><br>
</b></font> </p> Powered by Postfix      </b></font> </p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.</p> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.</p>
<h2 align="left">Not getting List Mail? -- <a <h2 align="left">Not getting List Mail? -- <a
href="mailing_list_problems.htm">Check Here</a></h2> href="mailing_list_problems.htm">Check Here</a></h2>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p> let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep <p align="left">You can report such problems by sending mail to tom dot eastep
at hp dot com.</p> at hp dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0" <h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0"
src="images/but3.png" hspace="3" width="88" height="31"> src="images/but3.png" hspace="3" width="88" height="31">
 </a><a href="http://osirusoft.com/"> </a></h2>  </a><a href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy <p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks the sender of incoming mail against the open at shorewall.net checks incoming mail:<br>
relay databases at <a href="http://ordb.org">ordb.org.</a></p> </p>
<h2></h2>
<h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <ol>
<p> <font size="-1"> Match: <li>against the open relay databases at <a
href="http://ordb.org">ordb.org.</a></li>
<li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command is a valid
fully-qualified DNS name.<br>
</li>
</ol>
<h2></h2>
<h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -86,98 +102,120 @@ relay databases at <a href="http://ordb.org">ordb.org.</a></p>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" value="htdig"> <input </font> <input type="hidden" name="config" value="htdig"> <input
type="hidden" name="restrict" type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"> </p> type="submit" value="Search"> </p>
</form> </form>
<h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline Firewall
(such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then you can
either use unencrypted access when subscribing to Shorewall mailing lists
or you can use secure access (SSL) and accept the server's certificate when
prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2> <h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users <p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information of general to get answers to questions and to report problems. Information of general
interest to the Shorewall user community is also posted to this list.</p> interest to the Shorewall user community is also posted to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see <p align="left"><b>Before posting a problem report to this list, please see
the <a href="support.htm">problem reporting guidelines</a>.</b></p> the <a href="support.htm">problem reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list, go to <a <p align="left">To subscribe to the mailing list, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p> href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
SSL: <a
href="https://www.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-users</a></p>
<p align="left">To post to the list, post to <a <p align="left">To post to the list, post to <a
href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p> href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at <p align="left">Note that prior to 1/1/2002, the mailing list was hosted
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
may be found at <a list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe, go to <a Shorewall community. To subscribe, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>.</p> href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>
SSL: <a
<p align="left">The list archives are at <a href="https://www.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-announce.<br>
</a><br>
The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p> href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for <p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for coordinating ongoing the exchange of ideas about the future of Shorewall and for coordinating
Shorewall Development.</p> ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list, go to <a <p align="left">To subscribe to the mailing list, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>.</p> href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>
SSL: <a
<p align="left">To post to the list, post to <a href="https://www.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-devel.</a><br>
To post to the list, post to <a
href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p> href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p> href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2> the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing <p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists. To unsubscribe:</p> from Mailman-managed lists. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
"To change your subscription (set options like digest and delivery modes, "To change your subscription (set options like digest and delivery modes,
get a reminder of your password, <b>or unsubscribe</b> from &lt;name of list&gt;), get a reminder of your password, <b>or unsubscribe</b> from &lt;name
enter your subscription email address:". Enter your email address in the of list&gt;), enter your subscription email address:". Enter your email
box and click on the "Edit Options" button.</p> address in the box and click on the "Edit Options" button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, there is and click on "Unsubscribe"; if you have forgotten your password, there
another button that will cause your password to be emailed to you.</p> is another button that will cause your password to be emailed to you.</p>
</li> </li>
</ul> </ul>
<hr> <hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2> <h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 9/27/2002 - <a <p align="left"><font size="2">Last updated 11/22/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br> <br>
<br>
<br> <br>
</body> </body>
</html> </html>

54
STABLE/documentation/mailing_list_problems.htm
View File

@ -1,49 +1,53 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Mailing List Problems</title> <title>Mailing List Problems</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1> <h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2 align="left">Shorewall.net is currently experiencing mail delivery problems <h2 align="left">Shorewall.net is currently experiencing mail delivery problems
to at least one address in each of the following domains:</h2> to at least one address in each of the following domains:</h2>
<blockquote> <blockquote>
<div align="left"> <div align="left">
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>cuscominc.com - delivery to this domain has been disable (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>littleblue.de - (connection timed out)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre> <pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>ionsphere.org - (connection timed out)<br>initialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>littleblue.de - (connection timed out)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>opus.homeip.net - (SpamAssassin is missing the HiRes Time module)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
</div> </div>
</blockquote> </blockquote>
<p align="left"><font size="2">Last updated 11/3/2002 16:00 GMT - <a <p align="left"><font size="2">Last updated 11/24/2002 18:44 GMT - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font <p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p> size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
<p align="left"> </p> <p align="left"> </p>
<br>
<br>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

299
STABLE/documentation/ports.htm
View File

@ -1,192 +1,195 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall Port Information</title> <title>Shorewall Port Information</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Ports required for Various <h1 align="center"><font color="#ffffff">Ports required for Various
Services/Applications</font></h1> Services/Applications</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>In addition to those applications described in <a <p>In addition to those applications described in <a
href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
are some other services/applications that you may need to configure your firewall are some other services/applications that you may need to configure your
to accommodate.</p> firewall to accommodate.</p>
<p>NTP (Network Time Protocol)</p> <p>NTP (Network Time Protocol)</p>
<blockquote> <blockquote>
<p>UDP Port 123</p> <p>UDP Port 123</p>
</blockquote> </blockquote>
<p>rdate</p> <p>rdate</p>
<blockquote>
<p>TCP Port 37</p>
</blockquote>
<blockquote>
<p>TCP Port 37</p>
</blockquote>
<p>UseNet (NNTP)</p> <p>UseNet (NNTP)</p>
<blockquote> <blockquote>
<p>TCP Port 119</p> <p>TCP Port 119</p>
</blockquote> </blockquote>
<p>DNS</p> <p>DNS</p>
<blockquote> <blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably want <p>UDP Port 53. If you are configuring a DNS client, you will probably
to open TCP Port 53 as well.<br> want to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if you will return If you are configuring a server, only open TCP Port 53 if you will return
long replies to queries or if you need to enable ZONE transfers. In the long replies to queries or if you need to enable ZONE transfers. In the
latter case, be sure that your server is properly configured.</p> latter case, be sure that your server is properly configured.</p>
</blockquote> </blockquote>
<p>ICQ   </p> <p>ICQ   </p>
<blockquote> <blockquote>
<p>UDP Port 4000. You will also need to open a range of TCP ports which <p>UDP Port 4000. You will also need to open a range of TCP ports which
you can specify to your ICQ client. By default, clients use 4000-4100.</p> you can specify to your ICQ client. By default, clients use 4000-4100.</p>
</blockquote> </blockquote>
<p>PPTP</p> <p>PPTP</p>
<blockquote> <blockquote>
<p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a <p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a
href="PPTP.htm">Lots more information here</a>).</p> href="PPTP.htm">Lots more information here</a>).</p>
</blockquote> </blockquote>
<p>IPSEC</p>
<blockquote>
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
500. These should be opened in both directions.</p>
</blockquote>
<p>SMTP</p>
<blockquote>
<p> TCP Port 25.</p>
</blockquote>
<p>POP3</p>
<blockquote>
<p>TCP Port 110.</p>
</blockquote>
<p>TELNET</p>
<blockquote>
<p>TCP Port 23.</p>
</blockquote>
<p>SSH</p>
<blockquote>
<p>TCP Port 22.</p>
</blockquote>
<p>Auth (identd)</p>
<blockquote>
<p>TCP Port 113</p>
</blockquote>
<p>Web Access</p>
<blockquote>
<p>TCP Ports 80 and 443.</p>
</blockquote>
<p>IPSEC</p>
<blockquote>
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
500. These should be opened in both directions (Lots more information
<a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
</blockquote>
<p>SMTP</p>
<blockquote>
<p> TCP Port 25.</p>
</blockquote>
<p>POP3</p>
<blockquote>
<p>TCP Port 110.</p>
</blockquote>
<p>TELNET</p>
<blockquote>
<p>TCP Port 23.</p>
</blockquote>
<p>SSH</p>
<blockquote>
<p>TCP Port 22.</p>
</blockquote>
<p>Auth (identd)</p>
<blockquote>
<p>TCP Port 113</p>
</blockquote>
<p>Web Access</p>
<blockquote>
<p>TCP Ports 80 and 443.</p>
</blockquote>
<p>FTP</p> <p>FTP</p>
<blockquote> <blockquote>
<p>Server configuration is covered on in <a <p>Server configuration is covered on in <a
href="Documentation.htm#Rules">the /etc/shorewall/rules documentation</a>,</p> href="Documentation.htm#Rules">the /etc/shorewall/rules documentation</a>,</p>
<p>For a client, you must open outbound TCP port 21 and be sure that your <p>For a client, you must open outbound TCP port 21 and be sure that your
kernel is compiled to support FTP connection tracking. If you build this kernel is compiled to support FTP connection tracking. If you build this
support as a module, Shorewall will automatically load the module from support as a module, Shorewall will automatically load the module from
/var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br> /var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br>
</p> </p>
<p>If you run an FTP server on a nonstandard port or you need to access
such a server, then you must specify that port in /etc/shorewall/modules.
For example, if you run an FTP server that listens on port 49 then you would
have:<br>
</p>
<blockquote>
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
loadmodule ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before Shorewall
starts, then you should include the port list in /etc/modules.conf:<br>
</p>
<blockquote>
<p>options ip_conntrack_ftp ports=21,49<br>
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
</blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
<blockquote> </blockquote>
<blockquote> <p>If you run an FTP server on a nonstandard port or you need to access
such a server, then you must specify that port in /etc/shorewall/modules.
For example, if you run an FTP server that listens on port 49 then you would
have:<br>
</p>
<blockquote>
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
loadmodule ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before
Shorewall starts, then you should include the port list in /etc/modules.conf:<br>
</p>
<blockquote>
<p>options ip_conntrack_ftp ports=21,49<br>
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
</blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
<blockquote> </blockquote>
<blockquote>
<p>TCP Ports 137, 139 and 445.<br> <p>TCP Ports 137, 139 and 445.<br>
UDP Ports 137-139.<br> UDP Ports 137-139.<br>
<br> <br>
Also, <a href="samba.htm">see this page</a>.</p> Also, <a href="samba.htm">see this page</a>.</p>
</blockquote> </blockquote>
<p>Traceroute</p> <p>Traceroute</p>
<blockquote>
<p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p>
</blockquote>
<blockquote>
<p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p>
</blockquote>
<p>NFS</p> <p>NFS</p>
<blockquote> <blockquote>
<p>There's some good information at  <a <p>There's some good information at  <a
href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p> href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote> </blockquote>
<p>Didn't find what you are looking for -- have you looked in your own /etc/services <p>Didn't find what you are looking for -- have you looked in your own
file? </p> /etc/services file? </p>
<p>Still looking? Try <a <p>Still looking? Try <a
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p> href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 10/22/2002 - </font><font size="2"> <a <p><font size="2">Last updated 11/10/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br>
<br> <br>
</body> </body>
</html> </html>

565
STABLE/documentation/seattlefirewall_index.htm
View File

@ -3,328 +3,409 @@
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
<base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td
height="90"> width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font </a></i></font><font
color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables color="#ffffff">Shorewall 1.3 - <font size="4">"<i>iptables
made easy"</i></font></font></h1> made easy"</i></font></font></h1>
<div align="center"><a href="1.2" target="_top"><font
<div align="center"><a
href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br> color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div> </div>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<div align="center">
<center> <div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td
width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based <p>The Shoreline Firewall, more commonly known as "Shorewall", is a
firewall that can be used on a dedicated firewall system, a multi-function <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
gateway/router/server or on a standalone GNU/Linux system.</p> that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a <p>This program is free software; you can redistribute it and/or modify
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU it under the terms of <a
General Public License</a> as published by the Free Software Foundation.<br> href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
<br> Public License</a> as published by the Free Software Foundation.<br>
This program is distributed <br>
in the hope that it will be useful, but WITHOUT This program
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY is distributed in the hope that it will be useful,
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General but WITHOUT ANY WARRANTY; without even the implied warranty
Public License for more details.<br> of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
<br> See the GNU General Public License for more details.<br>
You should have received <br>
a copy of the GNU General Public License along with You should
this program; if not, write to the Free Software Foundation, have received a copy of the GNU General Public License
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and </a>Jacques
Eric Wolzak have a LEAF (router/firewall/gateway on a floppy, CD Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
or compact flash) distribution called <i>Bering</i> that on a floppy, CD or compact flash) distribution called
features Shorewall-1.3.9b and Kernel-2.4.18. You can find <i>Bering</i> that features Shorewall-1.3.10 and Kernel-2.4.18.
their work at: <a You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.0 Final!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>Thinking of Downloading this Site for Offline Browsing?</h2>
You might want to reconsider -- this site is <u><b>213 MB!!!</b></u>
and you will almost certainly be blacklisted before you download the whole
thing (my SDSL is only 384kbs so I'll have lots of time to catch you). Besides,
if you simply download the product and install it, you get the essential
parts of the site in a fraction of the time. And do you really want to download:<br>
<ul>
<li>Both text and HTML versions of every post ever made on three
different mailing lists (65 MB)?</li>
<li>Every .rpm, .tgz and .lrp ever released for both Shorewall
and Seawall (92MB and 10MB respectively)?</li>
<li>A 2.2.17-14 i586 RedHat Kernel RPM (6.9MB)?<br>
</li>
<li>Several ancient RPMs for courier-imap and maildrop (1.5MB).<br>
</li>
</ul>
You get all that and more if you do a blind recurive copy of this site.
Happy downloading!<br>
<h2>News</h2> <h2>News</h2>
<h2></h2> <h2></h2>
<p><b>11/09/2002 - Shorewall 1.3.10</b><b> </b><b><img border="0"
src="file:///home/teastep/Shorewall-docs/images/new10.gif" width="28" <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b><img border="0"
height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
<p>In this version:</p>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define the contents
of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily within
<a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> updown
scripts.</li>
<li>Shorewall can now do<a href="MAC_Validation.html"> MAC verification</a>
on ethernet segments. You can specify the set of allowed MAC addresses on
the segment and you can optionally tie each MAC address to one or more IP
addresses.</li>
<li>PPTP Servers and Clients running on the firewall system may
now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> file.</li>
<li>A new 'ipsecnat' tunnel type is supported for use when the
<a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as for Debian
and for Gentoo easier to manage since it is /etc/init.d/shorewall that tends
to have distribution-dependent code.</li>
</ul>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
1.3.10, you will need to use the '--force' option:<br>
<blockquote> <p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been added to entries in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or DEST column in
a <a href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">rule</a>.
When used, 'all' must appear by itself (in may not be qualified) and it does
not enable intra-zone traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible with
bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error. fw-&gt;fw rules
generate a warning and are ignored</li>
</ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/09/2002 - Shorewall is Back at SourceForge</b><b>
</b></p>
<p>The main Shorewall web site is now back at SourceForge at <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>.<br>
</p>
<p><b>11/09/2002 - Shorewall 1.3.10</b><b>
</b></p>
<p>In this version:</p>
<ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define the
contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li>
<li>Shorewall can now do<a
href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
You can specify the set of allowed MAC addresses on the segment and
you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall
system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li>
<li>A new 'ipsecnat' tunnel type is supported for use
when the <a href="IPSEC.htm">remote IPSEC endpoint is behind
a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as
for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li>
</ul>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre> <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm</pre>
</blockquote> </blockquote>
<p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a <p><b>10/24/2002 - Shorewall is now in Gentoo Linux</b><a
href="http://www.gentoo.org"><br> href="http://www.gentoo.org"><br>
</a></p> </a></p>
Alexandru Hartmann reports that his Shorewall package is now a part Alexandru Hartmann reports that his Shorewall package
of <a href="http://www.gentoo.org">the Gentoo Linux distribution</a>. is now a part of <a href="http://www.gentoo.org">the Gentoo
Thanks Alex!<br> Linux distribution</a>. Thanks Alex!<br>
<p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p> <p><b>10/23/2002 - Shorewall 1.3.10 Beta 1</b><b> </b></p>
In this version:<br> In this version:<br>
<ul> <ul>
<li>You may now <a href="IPSEC.htm#Dynamic">define the <li>You may now <a href="IPSEC.htm#Dynamic">define
contents of a zone dynamically</a> with the <a the contents of a zone dynamically</a> with the <a
href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall href="starting_and_stopping_shorewall.htm">"shorewall add" and "shorewall
delete" commands</a>. These commands are expected to be used primarily delete" commands</a>. These commands are expected to be used primarily
within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a> within <a href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan</a>
updown scripts.</li> updown scripts.</li>
<li>Shorewall can now do<a href="MAC_Validation.html"> <li>Shorewall can now do<a
MAC verification</a> on ethernet segments. You can specify the set of href="MAC_Validation.html"> MAC verification</a> on ethernet segments.
allowed MAC addresses on the segment and you can optionally tie each You can specify the set of allowed MAC addresses on the segment and
MAC address to one or more IP addresses.</li> you can optionally tie each MAC address to one or more IP addresses.</li>
<li>PPTP Servers and Clients running on the firewall system <li>PPTP Servers and Clients running on the
may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a> firewall system may now be defined in the<a href="PPTP.htm"> /etc/shorewall/tunnels</a>
file.</li> file.</li>
<li>A new 'ipsecnat' tunnel type is supported for use when <li>A new 'ipsecnat' tunnel type is supported
the <a href="IPSEC.htm">remote IPSEC endpoint is behind a NAT for use when the <a href="IPSEC.htm">remote IPSEC endpoint
gateway</a>.</li> is behind a NAT gateway</a>.</li>
<li>The PATH used by Shorewall may now be specified in <li>The PATH used by Shorewall may now be specified
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li> in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The main firewall script is now /usr/lib/shorewall/firewall. <li>The main firewall script is now /usr/lib/shorewall/firewall.
The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall
to do the real work. This change makes custom distributions such as to do the real work. This change makes custom distributions such
for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall
that tends to have distribution-dependent code.</li> that tends to have distribution-dependent code.</li>
</ul> </ul>
You may download the Beta from:<br> You may download the Beta from:<br>
<ul> <ul>
<li><a <li><a
href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li> href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a></li>
<li><a <li><a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br> href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</li> </li>
</ul> </ul>
<p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>
</b><br>
</p>
<p><b>10/10/2002 -  Debian 1.3.9b Packages Available </b><b>
</b><br>
</p>
<p>Apt-get sources listed at <a <p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p> href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0" <p><b>10/9/2002 - Shorewall 1.3.9b </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
This release rolls up fixes to the installer and to the This release rolls up fixes to the installer
firewall script.<br> and to the firewall script.<br>
<b><br> <b><br>
10/6/2002 - Shorewall.net now running on RH8.0 </b><b><img 10/6/2002 - Shorewall.net now running on RH8.0
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> </b><b><img border="0" src="images/new10.gif" width="28"
</b><br> height="12" alt="(New)">
<br> </b><br>
The firewall and server here at shorewall.net are now <br>
running RedHat release 8.0.<br> The firewall and server here at shorewall.net
are now running RedHat release 8.0.<br>
<p><b>9/30/2002 - Shorewall 1.3.9a</b><b>
</b></p> <p><b>9/30/2002 - Shorewall 1.3.9a</b><b>
Roles up the fix for broken tunnels.<br> </b></p>
Roles up the fix for broken tunnels.<br>
<p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
</b></p> <p><b>9/30/2002 - TUNNELS Broken in 1.3.9!!!</b><b>
<img src="images/j0233056.gif" </b></p>
<img src="images/j0233056.gif"
alt="Brown Paper Bag" width="50" height="86" align="left"> alt="Brown Paper Bag" width="50" height="86" align="left">
There is an updated firewall script at <a There is an updated firewall script at
<a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall.<br> -- copy that file to /usr/lib/shorewall/firewall.<br>
<p><b><br> <p><b><br>
</b></p> </b></p>
<p><b><br> <p><b><br>
</b></p> </b></p>
<p><b><br> <p><b><br>
9/28/2002 - Shorewall 1.3.9 </b><b> 9/28/2002 - Shorewall 1.3.9 </b><b>
</b></p> </b></p>
<p>In this version:<br> <p>In this version:<br>
</p> </p>
<ul> <ul>
<li><a <li><a
href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now href="configuration_file_basics.htm#dnsnames">DNS Names</a> are now
allowed in Shorewall config files (although I recommend against allowed in Shorewall config files (although I recommend against
using them).</li> using them).</li>
<li>The connection SOURCE may now be <li>The connection SOURCE
qualified by both interface and IP address in a <a may now be qualified by both interface and IP address in
href="Documentation.htm#Rules">Shorewall rule</a>.</li> a <a href="Documentation.htm#Rules">Shorewall rule</a>.</li>
<li>Shorewall startup is now disabled <li>Shorewall startup is
after initial installation until the file /etc/shorewall/startup_disabled now disabled after initial installation until the file
is removed. This avoids nasty surprises at reboot for users /etc/shorewall/startup_disabled is removed. This avoids nasty
who install Shorewall but don't configure it.</li> surprises at reboot for users who install Shorewall but don't
<li>The 'functions' and 'version' files configure it.</li>
and the 'firewall' symbolic link have been moved from /var/lib/shorewall <li>The 'functions' and 'version'
to /usr/lib/shorewall to appease the LFS police at Debian.<br> files and the 'firewall' symbolic link have been moved
</li> from /var/lib/shorewall to /usr/lib/shorewall to appease
the LFS police at Debian.<br>
</li>
</ul> </ul>
@ -332,66 +413,74 @@ who install Shorewall but don't configure it.</li>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" <td
bgcolor="#4b017c" valign="top" align="center"> <a width="88" bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td> href="http://sourceforge.net">M</a></td>
</tr> </tr>
</tbody>
</tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td
style="margin-top: 1px;"> width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
  </a></p>   </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation <p align="center"><font size="4" color="#ffffff">Shorewall is free but
to <a href="http://www.starlight.org"><font if you try it and find it useful, please consider making a donation
to <a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p> color="#ffffff">Starlight Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 11/9/2002 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 11/24/2002 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br>
<br>
</body> </body>
</html> </html>

136
STABLE/documentation/shorewall_mirrors.htm
View File

@ -1,67 +1,87 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type"
<title>Shorewall Mirrors</title> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mirrors</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<tr> id="AutoNumber1" bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">Shorewall Mirrors</font></h1> <tr>
</td> <td width="100%">
</tr> <h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<p align="left"><b>Remember that updates to the mirrors are often delayed for <p align="left"><b>Remember that updates to the mirrors are often delayed
6-12 hours after an update to the primary site.</b></p> for 6-12 hours after an update to the primary site.</b></p>
<p align="left">The main Shorewall Web Site is <a href="http://www.shorewall.net">http://www.shorewall.net</a> <p align="left">The main Shorewall Web Site is <a
and is located in Washington State, USA. href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
It is mirrored at:</p> and is located in California, USA. It is mirrored at:</p>
<ul> <ul>
<li><a target="_top" href="http://slovakia.shorewall.net"> <li><a target="_top" href="http://slovakia.shorewall.net"> http://slovakia.shorewall.net</a>
http://slovakia.shorewall.net</a> (Slovak Republic).</li>
(Slovak Republic).</li> <li> <a href="http://www.infohiiway.com/shorewall"
<li> target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li>
<a href="http://www.infohiiway.com/shorewall" target="_top"> <li><a target="_top" href="http://germany.shorewall.net"> http://germany.shorewall.net</a>
http://shorewall.infohiiway.com</a> (Hamburg, Germany)</li>
(Texas, USA).</li> <li><a target="_top" href="http://shorewall.correofuego.com.ar">http://shorewall.correofuego.com.ar</a>
<li><a target="_top" href="http://germany.shorewall.net"> (Martinez (Zona Norte - GBA), Argentina)</li>
http://germany.shorewall.net</a> (Hamburg, Germany)</li> <li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
<li><a target="_top" href="http://shorewall.correofuego.com.ar">http://shorewall.correofuego.com.ar</a> (Martinez (Zona Norte - GBA), Argentina)</li> (Paris, France)</li>
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a> <li><a href="http://shorewall.sf.net" target="_top">http://www.shorewall.net</a>
(Paris, France)</li> (Washington State, USA)<br>
</li>
</ul> </ul>
<p align="left">The main Shorewall FTP Site is <a href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">ftp://ftp.shorewall.net/pub/shorewall/</a>
and is located in Washington State, USA.&nbsp; <p align="left">The main Shorewall FTP Site is <a
It is mirrored at:</p> href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">ftp://ftp.shorewall.net/pub/shorewall/</a>
and is located in Washington State, USA.  It is mirrored at:</p>
<ul> <ul>
<li><a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a> <li><a target="_blank"
(Slovak Republic).</li> href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
<li> (Slovak Republic).</li>
<a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> <li> <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/"
(Texas, USA).</li> target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> (Texas, USA).</li>
<li><a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall"> <li><a target="_blank"
ftp://germany.shorewall.net/pub/shorewall</a> (Hamburg, Germany)</li> href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>
<li> (Hamburg, Germany)</li>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall</a> (Martinez (Zona Norte - GBA), Argentina)</li> <li> <a target="_blank"
<li> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall</a>
<a target="_blank" href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> (Martinez (Zona Norte - GBA), Argentina)</li>
(Paris, France)</li> <li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li>
</ul> </ul>
<p align="left"><font size="2">Last Updated 8/26/2002 - <a href="support.htm">Tom Search results and the mailing list archives are always fetched from the
Eastep</a></font></p> site in Washington State.<br>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <p align="left"><font size="2">Last Updated 11/09/2002 - <a
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
</body> </body>
</html>
</html>

75
STABLE/documentation/shorewall_prerequisites.htm
View File

@ -1,68 +1,69 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Prerequisites</title> <title>Shorewall Prerequisites</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br>
Shorewall Requires:<br>
<ul> <ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6. <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6.
<a href="kernel.htm"> Check here for kernel configuration information.</a> <a href="kernel.htm"> Check here for kernel configuration
If you are looking for a firewall for use with 2.2 kernels, <a information.</a> If you are looking for a firewall for use with 2.2
href="http://www.shorewall.net/seawall"> see the Seattle Firewall kernels, <a href="http://seawall.sf.net"> see the Seattle Firewall
site</a> .</li> site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a <li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4 upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
is available <a is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a> href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. If you are going and in the <a href="errata.htm">Shorewall Errata</a>. </li>
to be running kernel 2.4.18 or later, NO currently-available RedHat iptables <li>Some features require iproute ("ip" utility). The iproute package
RPM will work -- again, see the <a href="errata.htm">Shorewall Errata</a>. is included with most distributions but may not be installed by default.
</li> The official download site is <a
<li>Some features require iproute ("ip" utility). The iproute package
is included with most distributions but may not be installed by default.
The official download site is <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> <font href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> <font
face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>. face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
</li> </li>
<li>A Bourne shell or derivative such as bash or ash. Must have correct <li>A Bourne shell or derivative such as bash or ash. This shell must
support for variable expansion formats ${<i>variable</i>%<i>pattern</i> have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i> }, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.</li> } and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>The firewall monitoring display is greatly improved if you have awk <li>The firewall monitoring display is greatly improved if you have
(gawk) installed.</li> awk (gawk) installed.</li>
</ul> </ul>
<p align="left"><font size="2">Last updated 9/19/2002 - <a <p align="left"><font size="2">Last updated 11/10/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br> <br>
<br>
</body> </body>
</html> </html>

366
STABLE/documentation/shorewall_quickstart_guide.htm
View File

@ -1,221 +1,227 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title> <title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br> <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br>
Version 3.1</font></h1> Version 3.1</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that we <p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.</p> must all first walk before we can run.</p>
<h2>The Guides</h2> <h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System acting
as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System
acting as a firewall/router for a small local network and a DMZ.</li>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple public
IP addresses involved or if you want to learn more about Shorewall than
is explained in the single-address guides above.</b></p>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><br>
</li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
Protocol</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your
Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and
Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li>
</ul>
<h2><a name="Documentation"></a>Additional Documentation</h2>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above</b>. Please review the appropriate guide before trying to use this
documentation directly.</p>
<ul>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System
acting as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System
acting as a firewall/router for a small local network and a DMZ.</li>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple public
IP addresses involved or if you want to learn more about Shorewall than
is explained in the single-address guides above.</b></p>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<ul> <ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li> <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li>Dynamic Blacklisting using /sbin/shorewall</li> <li><br>
</li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution
Protocol</a></li>
</ul> </ul>
</li>
<li><a href="configuration_file_basics.htm">Common configuration
file features</a>
<ul> <ul>
<li>Comments in configuration files</li> <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
<li>Line Continuation</li>
<li>Port Numbers/Service Names</li>
<li>Port Ranges</li>
<li>Using Shell Variables</li>
<li>Using DNS Names<br>
</li>
<li>Complementing an IP address or Subnet</li>
<li>Shorewall Configurations (making a test configuration)</li>
<li>Using MAC Addresses in Shorewall</li>
</ul> </ul>
</li> </li>
<li><a href="Documentation.htm">Configuration File Reference Manual</a> <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up
your Network</a>
<ul> <ul>
<li> <a href="Documentation.htm#Variables">params</a></li> <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a </ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy
ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
Starting and Stopping the Firewall</a></li>
</ul>
<h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described
above</b>. Please review the appropriate guide before trying to use this
documentation directly.</p>
<ul>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common configuration
file features</a>
<ul>
<li>Comments in configuration files</li>
<li>Line Continuation</li>
<li>Port Numbers/Service Names</li>
<li>Port Ranges</li>
<li>Using Shell Variables</li>
<li>Using DNS Names<br>
</li>
<li>Complementing an IP address or Subnet</li>
<li>Shorewall Configurations (making a test configuration)</li>
<li>Using MAC Addresses in Shorewall</li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File Reference Manual</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li> href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li> <li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li> <li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li> <li><font color="#000099"><a
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li> href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li> <li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li> <li><font color="#000099"><a
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li> href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li> <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li> <li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li> <li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li> <li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li> <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul> </ul>
</li> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code)</li> (How to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li> <li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li> <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li> <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally <li><a href="myfiles.htm">My Configuration Files</a> (How I personally
use Shorewall)</li> use Shorewall)</li>
<li><a href="ports.htm">Port Information</a> <li><a href="ports.htm">Port Information</a>
<ul> <ul>
<li>Which applications use which ports</li> <li>Which applications use which ports</li>
<li>Ports used by Trojans</li> <li>Ports used by Trojans</li>
</ul> </ul>
</li> </li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li> <li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li> <li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li> href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li> <ul>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li> <li>Description of all /sbin/shorewall commands</li>
<li>VPN <li>How to safely test a Shorewall configuration change<br>
</li>
</ul>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
<li>VPN
<ul> <ul>
<li><a href="IPSEC.htm">IPSEC</a></li> <li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li> <li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li> <li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
firewall to a remote network.</li> firewall to a remote network.</li>
</ul> </ul>
</li> </li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li> <li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 11/3/2002 - <a <p><font size="2">Last modified 11/19/2002 - <a
href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p> href="file:///J:/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p> <p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br>
<br> </p>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

645
STABLE/documentation/standalone.htm
View File

@ -1,79 +1,79 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Standalone Firewall</title> <title>Standalone Firewall</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90"> id="AutoNumber6" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1> <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2 align="center">Version 2.0.1</h2> <h2 align="center">Version 2.0.1</h2>
<p align="left">Setting up Shorewall on a standalone Linux system is very <p align="left">Setting up Shorewall on a standalone Linux system is very
easy if you understand the basics and follow the documentation.</p> easy if you understand the basics and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of <p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall in Shorewall. It rather focuses on what is required to configure Shorewall
one of its most common configurations:</p> in one of its most common configurations:</p>
<ul> <ul>
<li>Linux system</li> <li>Linux system</li>
<li>Single external IP address</li> <li>Single external IP address</li>
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li> <li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
</ul> </ul>
<p>This guide assumes that you have the iproute/iproute2 package installed <p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for this firewall system. As root, you can use the 'which' command to check for
program:</p> this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you read through the guide first to familiarize yourself <p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13"> with <img border="0" src="images/BD21298_.gif" width="13" height="13">
.</p> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must     If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you copy run them through dos2unix before trying to use them. Similarly, if you copy
a configuration file from your Windows hard drive to a floppy disk, you a configuration file from your Windows hard drive to a floppy disk, you
must run dos2unix against the copy before using it with Shorewall.</p> must run dos2unix against the copy before using it with Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
of dos2unix</a></li> Version of dos2unix</a></li>
</ul> </ul>
<h2 align="left">Shorewall Concepts</h2> <h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory <p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few of /etc/shorewall -- for simple setups, you only need to deal with a few of
these as described in this guide. After you have <a href="Install.htm">installed these as described in this guide. After you have <a href="Install.htm">installed
@ -82,345 +82,348 @@ Shorewall</a>, download the <a
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
(they will replace files with the same names that were placed in /etc/shorewall (they will replace files with the same names that were placed in /etc/shorewall
during Shorewall installation).</p> during Shorewall installation).</p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions file on your system -- each file contains detailed configuration instructions
and default entries.</p> and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only one set of <i>zones.</i> In the one-interface sample configuration, only one
zone is defined:</p> zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
<tbody>
<tr>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</tbody>
</table>
<p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall also recognizes the firewall system as its own zone - by default,
the firewall itself is known as <b>fw</b>.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file matches
the connection request then the first policy in /etc/shorewall/policy that
matches the request is applied. If that policy is REJECT or DROP  the request
is first checked against the rules in /etc/shorewall/common (the samples
provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has
the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody> <tbody>
<tr> <tr>
<td><u><b>SOURCE ZONE</b></u></td> <td><u><b>Name</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td> <td><u><b>Description</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr> </tr>
<tr> <tr>
<td>fw</td> <td><b>net</b></td>
<td>net</td> <td><b>The Internet</b></td>
<td>ACCEPT</td>
<td> </td>
<td> </td>
</tr> </tr>
<tr>
<td>net</td> </tbody>
<td>net</td> </table>
<td>DROP</td>
<td>info</td> <p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<td> </td>
</tr> <p>Shorewall also recognizes the firewall system as its own zone - by default,
<tr> the firewall itself is known as <b>fw</b>.</p>
<td>all</td>
<td>all</td> <p>Rules about what traffic to allow and what traffic to deny are expressed
<td>REJECT</td> in terms of zones.</p>
<td>info</td>
<td> </td> <ul>
</tr> <li>You express your default policy for connections from one zone to
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</tbody> </a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file matches
the connection request then the first policy in /etc/shorewall/policy that
matches the request is applied. If that policy is REJECT or DROP  the
request is first checked against the rules in /etc/shorewall/common (the
samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has
the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
<tr>
<td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr>
<td>fw</td>
<td>net</td>
<td>ACCEPT</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>net</td>
<td>net</td>
<td>DROP</td>
<td>info</td>
<td> </td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td> </td>
</tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
<pre> fw net ACCEPT<br> net all DROP info<br> all all REJECT info</pre> <pre> fw net ACCEPT<br> net all DROP info<br> all all REJECT info</pre>
<p>The above policy will:</p> <p>The above policy will:</p>
<ol> <ol>
<li>allow all connection requests from the firewall to the internet</li> <li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your firewall</li> <li>drop (ignore) all connection requests from the internet to your
<li>reject all other connection requests (Shorewall requires this catchall firewall</li>
policy).</li> <li>reject all other connection requests (Shorewall requires this catchall
policy).</li>
</ol> </ol>
<p>At this point, edit your /etc/shorewall/policy and make any changes that <p>At this point, edit your /etc/shorewall/policy and make any changes that
you wish.</p> you wish.</p>
<h2 align="left">External Interface</h2> <h2 align="left">External Interface</h2>
<p align="left">The firewall has a single network interface. Where Internet <p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem"  will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
a <b>ppp0</b>. If you connect via a regular modem, your External Interface a <b>ppp0</b>. If you connect via a regular modem, your External Interface
will also be <b>ppp0</b>. If you connect using ISDN, your external interface will also be <b>ppp0</b>. If you connect using ISDN, your external interface
will be<b> ippp0.</b></p> will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    The Shorewall one-interface sample configuration assumes that the external     The Shorewall one-interface sample configuration assumes that the
interface is <b>eth0</b>. If your configuration is different, you will have external interface is <b>eth0</b>. If your configuration is different, you
to modify the sample /etc/shorewall/interfaces file accordingly. While you will have to modify the sample /etc/shorewall/interfaces file accordingly.
are there, you may wish to review the list of options that are specified While you are there, you may wish to review the list of options that are
for the interface. Some hints:</p> specified for the interface. Some hints:</p>
<ul> <ul>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p> you can replace the "detect" in the second column with "-". </p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the option or if you have a static IP address, you can remove "dhcp" from the option
list. </p> list. </p>
</li> </li>
</ul> </ul>
<div align="left"> <div align="left">
<h2 align="left">IP Addresses</h2> <h2 align="left">IP Addresses</h2>
</div> </div>
<div align="left">
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges
for use in private networks:</p>
<div align="left"> <div align="left">
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges
for use in private networks:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div> </div>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i> <p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though, ISPs destination address is reserved by RFC 1918. In some cases though, ISPs
are assigning these addresses then using <i>Network Address Translation are assigning these addresses then using <i>Network Address Translation
</i>to rewrite packet headers when forwarding to/from the internet.</p> </i>to rewrite packet headers when forwarding to/from the internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> width="13" height="13">
     Before starting Shorewall, you should look at the IP address of      Before starting Shorewall, you should look at the IP address of
your external interface and if it is one of the above ranges, you should your external interface and if it is one of the above ranges, you should
remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p> remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Enabling other Connections</h2> <h2 align="left">Enabling other Connections</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you wish to enable connections from the internet to your <p align="left">If you wish to enable connections from the internet to your
firewall, the general format is:</p> firewall, the general format is:</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td><u><b>ACTION</b></u></td> <td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td> <td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td> <td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td> <td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td> <td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td> <td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td><i>&lt;protocol&gt;</i></td> <td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td> <td><i>&lt;port&gt;</i></td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server on <p align="left">Example - You want to run a Web Server and a POP3 Server on
your firewall system:</p> your firewall system:</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber5"> id="AutoNumber5">
<tbody> <tbody>
<tr> <tr>
<td><u><b>ACTION</b></u></td> <td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td> <td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td> <td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td> <td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td> <td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td> <td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>80</td> <td>80</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>110</td> <td>110</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you don't know what port and protocol a particular application <p align="left">If you don't know what port and protocol a particular application
uses, see <a href="ports.htm">here</a>.</p> uses, see <a href="ports.htm">here</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want the internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use SSH:</p> shell access to your firewall from the internet, use SSH:</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td><u><b>ACTION</b></u></td> <td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td> <td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td> <td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td> <td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td> <td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td> <td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>22</td> <td>22</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<pre> ACCEPT net fw tcp 22</pre> <pre> ACCEPT net fw tcp 22</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    At this point, edit /etc/shorewall/rules to add other connections     At this point, edit /etc/shorewall/rules to add other connections
as desired.</p> as desired.</p>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Starting and Stopping Your Firewall</h2> <h2 align="left">Starting and Stopping Your Firewall</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" <p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow"> width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures     The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot but beginning with Shorewall your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br> of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
package must edit /etc/default/shorewall and set 'startup=1'.</font><br> package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
</p> </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">The firewall is started using the "shorewall start" command <p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing and stopped using "shorewall stop". When the firewall is stopped, routing
is enabled on those hosts that have an entry in <a is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command. running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter If you want to totally remove any trace of Shorewall from your Netfilter
configuration, use "shorewall clear".</p> configuration, use "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have added the internet, do not issue a "shorewall stop" command unless you have
an entry for the IP address that you are connected from to <a added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="Documentation.htm#Configs">alternate configuration</a></i> an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a href="Documentation.htm#Starting">"shorewall try" and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall
command</a>.</p> try" command</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 9/26/2002 - <a <p align="left"><font size="2">Last updated 11/21/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p> M. Eastep</font></a></p>
<br>
<br> <br>
<br>
<br> <br>
</body> </body>
</html> </html>

288
STABLE/documentation/starting_and_stopping_shorewall.htm
View File

@ -1,13 +1,13 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Starting and Stopping Shorewall</title> <title>Starting and Stopping Shorewall</title>
@ -15,37 +15,37 @@
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1> the Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p> If you have a permanent internet connection such as DSL or Cable, <p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once I recommend that you start the firewall automatically at boot. Once
you have installed "firewall" in your init.d directory, simply type you have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run levels "chkconfig --add firewall". This will start the firewall in run levels
2-5 and stop it in run levels 1 and 6. If you want to configure your 2-5 and stop it in run levels 1 and 6. If you want to configure your
firewall differently from this default, you can use the "--level" option firewall differently from this default, you can use the "--level" option
in chkconfig (see "man chkconfig") or using your favorite graphical in chkconfig (see "man chkconfig") or using your favorite graphical
run-level editor.</p> run-level editor.</p>
@ -53,188 +53,194 @@ run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br> <p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p> </p>
<ol>
<li>Shorewall startup is disabled by default. Once you have configured
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
Note: Users of the .deb package must edit /etc/default/shorewall and set
'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall in your
/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart"
in that script.</li>
</ol>
<p>
</p>
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program: </p>
<ul>
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's running)
and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters
in the firewall</li>
<li>shorewall clear - remove all rules and chains installed
by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast
addresses of firewall interfaces and the black and white lists.</li>
<ol>
<li>Shorewall startup is disabled by default. Once you have configured
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
Note: Users of the .deb package must edit /etc/default/shorewall and set
'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall in your
/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart"
in that script.</li>
</ol>
<p>
</p>
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program: </p>
<ul>
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's running)
and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters
in the firewall</li>
<li>shorewall clear - remove all rules and chains installed
by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast
addresses of firewall interfaces and the black and white lists.</li>
</ul> </ul>
<p> The "shorewall" program may also be used to monitor the firewall.</p> <p> The "shorewall" program may also be used to monitor the firewall.</p>
<ul> <ul>
<li>shorewall status - produce a verbose report about the firewall <li>shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)</li> (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report about <i>chain <li>shorewall show <i>chain</i> - produce a verbose report about <i>chain
</i>(iptables -L <i>chain</i> -n -v)</li> </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the nat table <li>shorewall show nat - produce a verbose report about the nat table
(iptables -t nat -L -n -v)</li> (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle <li>shorewall show tos - produce a verbose report about the mangle
table (iptables -t mangle -L -n -v)</li> table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li> <li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections currently <li>shorewall show connections - displays the IP connections currently
being tracked by the firewall.</li> being tracked by the firewall.</li>
<li>shorewall <li>shorewall
show show
tc - displays information tc - displays information
about the traffic control/shaping configuration.</li> about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall <li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.</li> changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall packet <li>shorewall hits - Produces several reports about the Shorewall
log messages in the current /var/log/messages file.</li> packet log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li> <li>shorewall version - Displays the installed version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of <li>shorewall check - Performs a <u>cursory</u> validation of
the zones, interfaces, hosts, rules and policy files. <font size="4" the zones, interfaces, hosts, rules and policy files. <font size="4"
color="#ff6666"><b>The "check" command does not parse and validate the color="#ff6666"><b>The "check" command does not parse and validate the
generated iptables commands so even though the "check" command completes generated iptables commands so even though the "check" command completes
successfully, the configuration may fail to start. See the recommended successfully, the configuration may fail to start. See the recommended
way to make configuration changes described below. </b></font> </li> way to make configuration changes described below. </b></font> </li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ] <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
- Restart shorewall using the specified configuration and if an error ] - Restart shorewall using the specified configuration and if an error
occurs or if the<i> timeout </i> option is given and the new configuration occurs or if the<i> timeout </i> option is given and the new configuration
has been up for that many seconds then shorewall is restarted using has been up for that many seconds then shorewall is restarted using the
the standard configuration.</li> standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and shorewall <li>shorewall deny, shorewall reject, shorewall accept and shorewall
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li> save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the <a <li>shorewall logwatch (added in version 1.3.2) - Monitors the
href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall <a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
messages are logged.</li> messages are logged.</li>
</ul> </ul>
Finally, the "shorewall" program may be used to dynamically alter the contents Finally, the "shorewall" program may be used to dynamically alter the contents
of a zone.<br> of a zone.<br>
<ul> <ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the
specified interface (and host if included) to the specified zone.</li> specified interface (and host if included) to the specified zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes
the specified interface (and host if included) from the specified zone.</li> the specified interface (and host if included) from the specified zone.</li>
</ul> </ul>
<blockquote>Examples:<br> <blockquote>Examples:<br>
<blockquote>shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
from interface ipsec0 to the zone vpn1<br>
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24
from interface ipsec0 from zone vpn1<br>
</blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
<b>shorewall try </b>commands allow you to specify which <a
href="#Configs"> Shorewall configuration</a> to use:</p>
<blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p>
</blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
. If the file is present in the <i>configuration-directory</i>, that file
will be used; otherwise, the file in /etc/shorewall will be used.</p>
<p> When changing the configuration of a production firewall, I recommend <blockquote>shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
from interface ipsec0 to the zone vpn1<br>
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24
from interface ipsec0 from zone vpn1<br>
</blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
<b>shorewall try </b>commands allow you to specify which <a
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
to use:</p>
<blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p>
</blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
. If the file is present in the <i>configuration-directory</i>, that
file will be used; otherwise, the file in /etc/shorewall will be used.</p>
<p> When changing the configuration of a production firewall, I recommend
the following:</p> the following:</p>
<ul> <ul>
<li>mkdir /etc/test</li> <li>mkdir /etc/test</li>
<li>cd /etc/test</li> <li>cd /etc/test</li>
<li>&lt;copy any files that you need to change from /etc/shorewall <li>&lt;copy any files that you need to change from /etc/shorewall
to . and change them here&gt;</li> to . and change them here&gt;</li>
<li>shorewall -c . check</li> <li>shorewall -c . check</li>
<li>&lt;correct any errors found by check and check again&gt;</li> <li>&lt;correct any errors found by check and check again&gt;</li>
<li>/sbin/shorewall try .</li> <li>/sbin/shorewall try .</li>
</ul> </ul>
<p> If the configuration starts but doesn't work, just "shorewall restart" <p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to start, to restore the old configuration. If the new configuration fails to start,
the "try" command will automatically start the old one for you.</p> the "try" command will automatically start the old one for you.</p>
<p> When the new configuration works then just </p> <p> When the new configuration works then just </p>
<ul> <ul>
<li>cp * /etc/shorewall</li> <li>cp * /etc/shorewall</li>
<li>cd</li> <li>cd</li>
<li>rm -rf /etc/test</li> <li>rm -rf /etc/test</li>
</ul> </ul>
<p><font size="2"> Updated 10/23/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 11/21/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
<br> <br>
<br> <br>
</body> </body>

203
STABLE/documentation/support.htm
View File

@ -1,78 +1,85 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Support</title> <title>Support</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Support</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It <h3 align="left"> <span style="font-weight: 400;"><i> "<font size="3">It is
is easier to post a problem than to use your own brain" </font>-- </i> <font easier to post a problem than to use your own brain" </font>-- </i> <font
size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3> size="2">Wietse Venema (creator of <a href="http://www.postfix.org">Postfix</a>)</font></span></h3>
<p align="left"> <i>"Any sane computer will tell you how it works -- you <p align="left"> <i>"Any sane computer will tell you how it works -- you just
just have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p> have to ask it the right questions" </i>-- <font size="2">Tom Eastep</font></p>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><span style="font-weight: 400;"><i>"It irks me when people believe that <p><span style="font-weight: 400;"><i>"It irks me when people believe that
free software comes at no cost. The cost is incredibly high."</i> free software comes at no cost. The cost is incredibly high."</i>
- <font size="2"> Wietse Venema</font></span></p> - <font size="2"> Wietse Venem<br>
</font></span></p>
<h3 align="left">Before Reporting a Problem</h3> <h3 align="left">Before Reporting a Problem</h3>
<b><i>"Reading the documentation fully is a prerequisite to getting help
<p>There are a number of sources for problem solution information.</p> for your particular situation. I know it's harsh but you will have to get
so far on your own before you can get reasonable help from a list full of
busy people. A mailing list is not a tool to speed up your day by being spoon
fed</i></b><i><b>".</b> </i>-- Simon White<br>
<p>There are also a number of sources for problem solution information.</p>
<ul> <ul>
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li> <li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information <li>The <a href="troubleshoot.htm">Troubleshooting</a> Information
contains a number of tips to help you solve common problems.</li> contains a number of tips to help you solve common problems.</li>
<li>The <a href="errata.htm"> Errata</a> has links to download updated <li>The <a href="errata.htm"> Errata</a> has links to download
components.</li> updated components.</li>
<li>The Mailing List Archives search facility can locate posts about <li>The Mailing List Archives search facility can locate posts
similar problems:</li> about similar problems:</li>
</ul> </ul>
<h4>Mailing List Archive Search</h4> <h4>Mailing List Archive Search</h4>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match: <p> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -81,68 +88,76 @@ contains a number of tips to help you solve common problems.</li>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" value="htdig"> <input </font> <input type="hidden" name="config" value="htdig"> <input
type="hidden" name="restrict" type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"> </p> type="submit" value="Search"> </p>
</form> </form>
<h3 align="left">Problem Reporting Guidelines</h3> <h3 align="left">Problem Reporting Guideline</h3>
<ul> <ul>
<li>When reporting a problem, give as much information as you can. <li>When reporting a problem, give as much information as you can.
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</li> Reports that say "I tried XYZ and it didn't work" are not at all helpful.</li>
<li>Please don't describe your environment and then ask us to send <li>Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your questions you custom configuration files. We're here to answer your questions
but we can't do your job for you.</li> but we can't do your job for you.</li>
<li>Do you see any "Shorewall" messages in /var/log/messages when <li>Do you see any "Shorewall" messages in /var/log/messages
you exercise the function that is giving you problems?</li> when you exercise the function that is giving you problems?</li>
<li>Have you looked at the packet flow with a tool like tcpdump <li>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</li> to try to understand what is going on?</li>
<li>Have you tried using the diagnostic capabilities of the application <li>Have you tried using the diagnostic capabilities of the
that isn't working? For example, if "ssh" isn't able to connect, using application that isn't working? For example, if "ssh" isn't able
the "-v" option gives you a lot of valuable diagnostic information.</li> to connect, using the "-v" option gives you a lot of valuable diagnostic
<li>Please include any of the Shorewall configuration files (especially information.</li>
the /etc/shorewall/hosts file if you have modified that file) that you <li>Please include any of the Shorewall configuration files (especially
think are relevant. If an error occurs when you try to "shorewall start", the /etc/shorewall/hosts file if you have modified that file) that you
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a> think are relevant. If an error occurs when you try to "shorewall start",
section for instructions).</li> include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
<li>The list server limits posts to 120kb so don't post GIFs of your section for instructions).</li>
network layout, etc to the Mailing List -- your post will be rejected.</li> <li>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc to the Mailing List -- your post will
be rejected.</li>
</ul> </ul>
<h3>Where to Send your Problem Report or to Ask for Help</h3> <h3>Where to Send your Problem Report or to Ask for Help</h3>
<b></b> <b>If you run Shorewall on Mandrake 9.0 </b>-- send your problem
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please reports and questions to MandrakeSoft. I ordered a Mandrake 9.0 boxed set
post your question or problem to the <a on October 3, 2002; MandrakeSoft issued a charge against my credit card
on October 4, 2002 (they are really effecient at that part of the order
process) and I haven't heard a word from them since (although their news
letters boast that 9.0 boxed sets have been shipping for the last two weeks).
If they can't fill my 9.0 order within <u>6 weeks after they have billed
my credit card</u> then I refuse to spend my free time supporting of their
product for them.<br>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400;">please
post your question or problem to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4> href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>; href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
there are lots of folks there who are willing to help you. Your question/problem there are lots of folks there who are willing to help you. Your question/problem
description and their responses will be placed in the mailing list archives description and their responses will be placed in the mailing list archives
to help people who have a similar question or problem in the future.</p> to help people who have a similar question or problem in the future.</p>
<p>I don't look at problems sent to me directly but I try to spend some amount <p>I don't look at problems sent to me directly but I try to spend some amount
of time each day responding to problems posted on the mailing list.</p> of time each day responding to problems posted on the mailing list.</p>
<p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p> <p align="center"><a href="mailto:teastep@shorewall.net">-Tom</a></p>
<p>To Subscribe to the mailing list go to <a <p>To Subscribe to the mailing list go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p> .</p>
<p align="left"><font size="2">Last Updated 10/13/2002 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 11/19//2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br> </p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

1909
STABLE/documentation/three-interface.htm
View File

File diff suppressed because it is too large Load Diff

276
STABLE/documentation/troubleshoot.htm
View File

@ -1,199 +1,205 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall Troubleshooting</title> <title>Shorewall Troubleshooting</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h3 align="left">Check the Errata</h3> <h3 align="left">Check the Errata</h3>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be <p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
sure that there isn't an update that you are missing for your version of sure that there isn't an update that you are missing for your version
the firewall.</p> of the firewall.</p>
<h3 align="left">Check the FAQs</h3> <h3 align="left">Check the FAQs</h3>
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common <p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
problems.</p> problems.</p>
<h3 align="left">If the firewall fails to start</h3> <h3 align="left">If the firewall fails to start</h3>
If you receive an error message when starting or restarting the firewall If you receive an error message when starting or restarting the firewall
and you can't determine the cause, then do the following: and you can't determine the cause, then do the following:
<ul> <ul>
<li>shorewall debug start 2&gt; /tmp/trace</li> <li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you determine <li>Look at the /tmp/trace file and see if that helps you determine
what the problem is.</li> what the problem is.</li>
<li>If you still can't determine what's wrong then see the <a <li>If you still can't determine what's wrong then see the <a
href="support.htm">support page</a>.</li> href="support.htm">support page</a>.</li>
</ul> </ul>
<h3>Your test environment</h3> <h3>Your network environment</h3>
<p>Many times when people have problems with Shorewall, the problem is <p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived test setup. Here are several popular snafus: </p> actually an ill-conceived network setup. Here are several popular snafus:
</p>
<ul> <ul>
<li>Port Forwarding where client and server are in the same <li>Port Forwarding where client and server are in the same
subnet. See <a href="FAQ.htm">FAQ 2.</a></li> subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the external <li>Changing the IP address of a local system to be in the external
subnet, thinking that Shorewall will suddenly believe that the system subnet, thinking that Shorewall will suddenly believe that the system
is in the 'net' zone.</li> is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given the <li>Multiple interfaces connected to the same HUB or Switch. Given
way that the Linux kernel respond to ARP "who-has" requests, this type the way that the Linux kernel respond to ARP "who-has" requests, this
of setup does NOT work the way that you expect it to.</li> type of setup does NOT work the way that you expect it to.</li>
</ul> </ul>
<h3 align="left">If you are having connection problems:</h3> <h3 align="left">If you are having connection problems:</h3>
<p align="left">If the appropriate policy for the connection that you are <p align="left">If the appropriate policy for the connection that you are
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add clutter TO MAKE IT WORK. Such additional rules will NEVER make it work, they add
to your rule set and they represent a big security hole in the event that clutter to your rule set and they represent a big security hole in the event
you forget to remove them later.</p> that you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies to <p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of ACCEPT in an effort to make something work. That robs you of one of
your best diagnostic tools - the "Shorewall" messages that Netfilter your best diagnostic tools - the "Shorewall" messages that Netfilter
will generate when you try to connect in a way that isn't permitted will generate when you try to connect in a way that isn't permitted
by your rule set.</p> by your rule set.</p>
<p align="left">Check your log. If you don't see Shorewall messages, then <p align="left">Check your log. If you don't see Shorewall messages, then
your problem is probably NOT a Shorewall problem. If you DO see packet messages, your problem is probably NOT a Shorewall problem. If you DO see packet messages,
it may be an indication that you are missing one or more rules -- see <a it may be an indication that you are missing one or more rules -- see <a
href="FAQ.htm#faq17">FAQ 17</a>.</p> href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear <p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p> two variables in /etc/shorewall/shorewall.conf:</p>
<p align="left">LOGRATE=""<br> <p align="left">LOGRATE=""<br>
LOGBURST=""</p> LOGBURST=""</p>
<p align="left">This way, you will see all of the log messages being <p align="left">This way, you will see all of the log messages being
generated (be sure to restart shorewall after clearing these variables).</p> generated (be sure to restart shorewall after clearing these variables).</p>
<p align="left">Example:</p> <p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel: <p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p> LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
</font> </font>
<p align="left">Let's look at the important parts of this message:</p> <p align="left">Let's look at the important parts of this message:</p>
<ul> <ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all chain <li>all2all:REJECT - This packet was REJECTed out of the all2all chain
-- the packet was rejected under the "all"-&gt;"all" REJECT policy (see -- the packet was rejected under the "all"-&gt;"all" REJECT policy (see
<a href="FAQ.htm#faq17">FAQ 17).</a></li> <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li> <li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li> <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li> <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li> <li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li> <li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li> <li>DPT=53 - DNS</li>
</ul> </ul>
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3 <p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
is in the "loc" zone. I was missing the rule:</p> is in the "loc" zone. I was missing the rule:</p>
<p align="left">ACCEPT    dmz    loc    udp    53</p> <p align="left">ACCEPT    dmz    loc    udp    53<br>
</p>
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
about how to interpret the chain name appearing in a Shorewall log message.<br>
</p>
<h3 align="left">Other Gotchas</h3> <h3 align="left">Other Gotchas</h3>
<ul> <ul>
<li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD <li>Seeing rejected/dropped packets logged out of the INPUT or FORWARD
chains? This means that: chains? This means that:
<ol> <ol>
<li>your zone definitions are screwed up and the host that is sending <li>your zone definitions are screwed up and the host that is sending
the packets or the destination host isn't in any zone (using an the packets or the destination host isn't in any zone (using an
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are you?); <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file are
or</li> you?); or</li>
<li>the source and destination hosts are both connected to the same <li>the source and destination hosts are both connected to the same
interface and that interface doesn't have the 'multi' option specified interface and that interface doesn't have the 'multi' option specified
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
</ol> </ol>
</li> </li>
<li>Remember that Shorewall doesn't automatically allow ICMP type <li>Remember that Shorewall doesn't automatically allow ICMP type
8 ("ping") requests to be sent between zones. If you want pings to be 8 ("ping") requests to be sent between zones. If you want pings to be
allowed between zones, you need a rule of the form:<br> allowed between zones, you need a rule of the form:<br>
<br> <br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;        ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br> icmp    echo-request<br>
<br> <br>
The ramifications of this can be subtle. For example, if you have the The ramifications of this can be subtle. For example, if you have
following in /etc/shorewall/nat:<br> the following in /etc/shorewall/nat:<br>
<br> <br>
    10.1.1.2    eth0    130.252.100.18<br>     10.1.1.2    eth0    130.252.100.18<br>
<br> <br>
and you ping 130.252.100.18, unless you have allowed icmp type 8 between and you ping 130.252.100.18, unless you have allowed icmp type 8
the zone containing the system you are pinging from and the zone containing between the zone containing the system you are pinging from and the
10.1.1.2, the ping requests will be dropped. This is true even if you zone containing 10.1.1.2, the ping requests will be dropped. This is
have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li> true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
<li>If you specify "routefilter" for an interface, that interface <li>If you specify "routefilter" for an interface, that interface
must be up prior to starting the firewall.</li> must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually need <li>Is your routing correct? For example, internal systems usually
to be configured with their default gateway set to the IP address of need to be configured with their default gateway set to the IP address
their nearest firewall interface. One often overlooked aspect of routing of their nearest firewall interface. One often overlooked aspect of routing
is that in order for two hosts to communicate, the routing between them is that in order for two hosts to communicate, the routing between them
must be set up <u>in both directions.</u> So when setting up routing must be set up <u>in both directions.</u> So when setting up routing
between <b>A</b> and<b> B</b>, be sure to verify that the route from between <b>A</b> and<b> B</b>, be sure to verify that the route from
<b>B</b> back to <b>A</b> is defined.</li> <b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a shell <li>Some versions of LRP (EigerStein2Beta for example) have a
with broken variable expansion. <a shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li> shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a <li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li> href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program is generally <li>Some features require the "ip" program. That program is generally
included in the "iproute" package which should be included with your included in the "iproute" package which should be included with your
distribution (though many distributions don't install iproute by distribution (though many distributions don't install iproute by
default). You may also download the latest source tarball from <a default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li> .</li>
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts <li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
then the zone must be entirely defined in /etc/shorewall/hosts unless you then the zone must be entirely defined in /etc/shorewall/hosts unless
have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
For example, if a zone has two interfaces but only one interface has an For example, if a zone has two interfaces but only one interface has an
entry in /etc/shorewall/hosts then hosts attached to the other interface entry in /etc/shorewall/hosts then hosts attached to the other interface
will <u>not</u> be considered part of the zone.</li> will <u>not</u> be considered part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all external <li>Problems with NAT? Be sure that you let Shorewall add all
addresses to be use with NAT unless you have set <a external addresses to be use with NAT unless you have set <a
href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li> href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li>
</ul> </ul>
<h3>Still Having Problems?</h3> <h3>Still Having Problems?</h3>
<p>See the<a href="support.htm"> support page.</a></p> <p>See the<a href="support.htm"> support page.</a></p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote> <blockquote> </blockquote>
</font> </font>
<p><font size="2">Last updated 10/17/2002 - Tom Eastep</font> </p> <p><font size="2">Last updated 11/21/2002 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br> </p>
</body> </body>
</html> </html>

1469
STABLE/documentation/two-interface.htm
View File

File diff suppressed because it is too large Load Diff

8
STABLE/documentation/upgrade_issues.htm
View File

@ -170,11 +170,7 @@ So that the connection tracking table can be rebuilt<br>
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
<br> </p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

61
STABLE/documentation/useful_links.html
View File

@ -2,63 +2,62 @@
<html> <html>
<head> <head>
<title>Useful Links</title> <title>Useful Links</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4" style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Useful Links</font><br> <h1 align="center"><font color="#ffffff">Useful Links</font><br>
</h1> </h1>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
&nbsp;&nbsp; &nbsp;<br> &nbsp;&nbsp; &nbsp;<br>
<h3>NetFilter Site: <a href="http://www.netfilter.org">http://www.netfilter.org<img <h3>NetFilter Site: <a href="http://www.netfilter.org">http://www.netfilter.org<img
src="images/netfilterlogo.png" alt="Netfilter Logo" width="94" src="images/netfilterlogo.png" alt="Netfilter Logo" width="94"
height="33" hspace="4" align="middle" border="0"> height="33" hspace="4" align="middle" border="0">
</a></h3> </a></h3>
<h3>Linux Advanced Routing and Traffic Control Howto: <a <h3>Linux Advanced Routing and Traffic Control Howto: <a
href="http://ds9a.nl/lartc">http://ds9a.nl/lartc</a></h3> href="http://ds9a.nl/lartc">http://ds9a.nl/lartc</a></h3>
<h3>Iproute Downloads: <a href="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</a></h3> <h3>Iproute Downloads: <a href="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</a></h3>
<h3>LEAF Site: <a href="http://leaf-project.org">http://leaf-project.org<img <h3>LEAF Site: <a href="http://leaf-project.org">http://leaf-project.org<img
src="images/leaflogo.jpg" alt="Leaf Logo" width="64" height="48" src="images/leaflogo.jpg" alt="Leaf Logo" width="64" height="48"
align="middle" hspace="4" border="0"> align="middle" hspace="4" border="0">
</a></h3> </a></h3>
<h3>Bering LEAF Distribution: <a <h3>Bering LEAF Distribution: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></h3> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></h3>
<h3>Debian apt-get sources for Shorewall: <a <h3>Debian apt-get sources for Shorewall: <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html<img href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html<img
src="images/openlogo-nd-50.png" alt="Open Logo" width="25" height="30" src="images/openlogo-nd-50.png" alt="Open Logo" width="25" height="30"
align="middle" hspace="4" border="0"> align="middle" hspace="4" border="0">
<img src="images/debian.jpg" alt="Debian Logo" width="88" height="30" <img src="images/debian.jpg" alt="Debian Logo" width="88" height="30"
align="middle" border="0"> align="middle" border="0">
</a><br> </a><br>
</h3> </h3>
<br> <br>
<font size="2">Last updated 9/16/2002 - <a <font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font>
href="file:///vfat/Shorewall/Shorewall-docs/support.htm">Tom Eastep</a></font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<p><font face="Trebuchet MS"><a &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
href="file:///vfat/Shorewall/Shorewall-docs/copyright.htm"><font <br>
size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br> <br>
<br> <br>

2
STABLE/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.3.10 VERSION=1.3.11
usage() # $1 = exit status usage() # $1 = exit status
{ {

201
STABLE/firewall
View File

@ -187,8 +187,6 @@ run_tc() {
# #
createchain() # $1 = chain name, $2 = If non-null, don't create default rules createchain() # $1 = chain name, $2 = If non-null, don't create default rules
{ {
local target
run_iptables -N $1 run_iptables -N $1
if [ $# -eq 1 ]; then if [ $# -eq 1 ]; then
@ -281,6 +279,14 @@ deletechain() # $1 = name of chain
qt iptables -L $1 -n && qt iptables -F $1 && qt iptables -X $1 qt iptables -L $1 -n && qt iptables -F $1 && qt iptables -X $1
} }
#
# Determine if a chain is a policy chain
#
is_policy_chain() # $1 = name of chain
{
eval test \"\$${1}_is_policy\" = Yes
}
# #
# Set a standard chain's policy # Set a standard chain's policy
# #
@ -529,7 +535,7 @@ validate_interfaces_file() {
for option in `separate_list $options`; do for option in `separate_list $options`; do
case $option in case $option in
dhcp|noping|filterping|routestopped|norfc1918|multi) dhcp|noping|filterping|routestopped|norfc1918|multi|tcpflags)
;; ;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-) routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
;; ;;
@ -803,7 +809,7 @@ validate_rule() {
# Validate the Source Zone # Validate the Source Zone
# #
if ! validate_zone $clientzone; then if ! validate_zone $clientzone; then
startup_error "Error: Undefined Client Zone in rule \"$rule\"" [ "x$clientzone" = xall ] || startup_error "Error: Undefined Client Zone in rule \"$rule\""
fi fi
source=$clientzone source=$clientzone
@ -835,10 +841,18 @@ validate_rule() {
# Validate the destination zone # Validate the destination zone
# #
if ! validate_zone $serverzone; then if ! validate_zone $serverzone; then
startup_error "Error: Undefined Server Zone in rule \"$rule\"" [ "x$serverzone" = xall ] || startup_error "Error: Undefined Server Zone in rule \"$rule\""
fi fi
dest=$serverzone dest=$serverzone
chain=${source}2${dest}
if [ "x$chain" = x${FW}2${FW} ]; then
error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored"
return
fi
# #
# Check length of port lists if MULTIPORT set # Check length of port lists if MULTIPORT set
# #
@ -923,6 +937,17 @@ validate_policy()
;; ;;
esac esac
chain=${client}2${server}
[ "x$chain" = "x${FW}2${FW}" ] && \
startup_error "Error: fw->fw policy not allowed: $policy"
if is_policy_chain $chain ; then
startup_error "Error: Duplicate policy $policy"
fi
eval ${client}2${server}_is_policy=Yes
done < $TMP_DIR/policy done < $TMP_DIR/policy
} }
@ -1211,7 +1236,7 @@ setup_tunnels() # $1 = name of tunnels file
setup_pptp_client() # $1 = gateway setup_pptp_client() # $1 = gateway
{ {
addrule $outchain -p 47 -d $1 -j ACCEPT addrule $outchain -p 47 -d $1 -j ACCEPT
addrule $inchain -p 47 -s $1 -j ACCEPT addrule $inchain -p 47 -j ACCEPT
addrule $outchain -p tcp --dport 1723 -d $1 -j ACCEPT addrule $outchain -p tcp --dport 1723 -d $1 -j ACCEPT
echo " PPTP tunnel to $1 defined." echo " PPTP tunnel to $1 defined."
@ -1970,21 +1995,26 @@ add_a_rule()
# #
# Process a record from the rules file # Process a record from the rules file
# #
# The caller has loaded the column contents from the record into the following process_rule() # $1 = target
# variables: # $2 = clients
# # $3 = servers
# target clients servers protocol ports cports address # $4 = protocol
# # $5 = ports
# and has loaded a space-separated list of their values in "rule". # $6 = cports
# # $7 = address
# The 'multioption' variable has also been loaded appropriately to reflect {
# the setting of the MULTIPORT option in /etc/shorewall/shorewall.conf local target="$1"
# local clients="$2"
process_rule() { local servers="$3"
local protocol="$4"
local ports="$5"
local cports="$6"
local address="$7"
local rule="`echo $target $clients $servers $protocol $ports $cports $address`"
# Function Body -- isolate log level # Function Body -- isolate log level
if [ "$target" = "${target%:*}" ]; then if [ "$target" = "${target%:*}" ]; then
loglevel= loglevel=
else else
loglevel="${target#*:}" loglevel="${target#*:}"
@ -2072,6 +2102,12 @@ process_rule() {
# Create canonical chain if necessary # Create canonical chain if necessary
chain=${source}2${dest} chain=${source}2${dest}
if [ "x$chain" = x${FW}2${FW} ]; then
error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored"
return
fi
ensurechain $chain ensurechain $chain
# Generate Netfilter rule(s) # Generate Netfilter rule(s)
@ -2111,20 +2147,49 @@ process_rule() {
# #
process_rules() # $1 = name of rules file process_rules() # $1 = name of rules file
{ {
strip_file rules #
# Process a rule where the source or destination is "all"
#
process_wildcard_rule() {
for yclients in $xclients; do
for yservers in $xservers; do
if [ "${yclients}" != "${yservers}" ] ; then
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress
fi
done
done
}
while read target clients servers protocol ports cports address; do strip_file rules $1
case "$target" in
ACCEPT*|DROP*|REJECT*|DNAT*|REDIRECT*) while read xtarget xclients xservers xprotocol xports xcports xaddress; do
expandv clients servers protocol ports cports address case "$xtarget" in
rule="`echo $target $clients $servers $protocol $ports $cports $address`"
process_rule ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT:*|REDIRECT|REDIRECT:*)
;; expandv xclients xservers xprotocol xports xcports xaddress
*)
rule="`echo $target $clients $servers $protocol $ports $cports $address`" if [ "x$xclients" = xall ]; then
fatal_error "Error: Invalid Target in rule \"$rule\"" xclients="$zones $FW"
;; if [ "x$xservers" = xall ]; then
xservers="$zones $FW"
fi
process_wildcard_rule
continue
fi
if [ "x$xservers" = xall ]; then
xservers="$zones $FW"
process_wildcard_rule
continue
fi
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress
;;
*)
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`"
fatal_error "Error: Invalid Target in rule \"$rule\""
;;
esac esac
done < $TMP_DIR/rules done < $TMP_DIR/rules
} }
@ -3213,6 +3278,47 @@ add_common_rules() {
done done
fi fi
interfaces=`find_interfaces_by_option tcpflags`
if [ -n "$interfaces" ]; then
echo "Setting up TCP Flags checking..."
createchain tcpflags no
if [ -n "$TCP_FLAGS_LOG_LEVEL" ]; then
createchain logflags no
run_iptables -A logflags -j LOG $LOGPARMS \
--log-level $TCP_FLAGS_LOG_LEVEL \
--log-prefix "Shorewall:logflags:$TCP_FLAGS_DISPOSITION:" \
--log-tcp-options --log-ip-options
case $TCP_FLAGS_DISPOSITION in
REJECT)
run_iptables -A logflags -j REJECT --reject-with tcp-reset
;;
*)
run_iptables -A logflags -j $TCP_FLAGS_DISPOSITION
;;
esac
disposition="-j logflags"
else
disposition="-j $TCP_FLAGS_DISPOSITION"
fi
run_iptables -A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH $disposition
run_iptables -A tcpflags -p tcp --tcp-flags ALL NONE $disposition
run_iptables -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST $disposition
run_iptables -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN $disposition
for interface in $interfaces; do
for chain in `first_chains $interface`; do
run_iptables -A $chain -p tcp -j tcpflags
done
done
fi
# #
# Process Black List # Process Black List
# #
@ -3291,7 +3397,7 @@ apply_policy_rules() {
run_iptables -I $chain 2 -p tcp --syn -j @$chain run_iptables -I $chain 2 -p tcp --syn -j @$chain
else else
# #
# A wild-card rule. Create the chain and add policy # The chain doesn't exist. Create the chain and add policy
# rules # rules
# #
# We must include the ESTABLISHED and RELATED state # We must include the ESTABLISHED and RELATED state
@ -3301,6 +3407,13 @@ apply_policy_rules() {
# #
createchain $chain createchain $chain
#
# If either client or server is 'all' then this MUST be
# a policy chain and we must apply the appropriate policy rules
#
# Otherwise, this is a canonical chain which will be handled in
# the for loop below
#
[ "$client" = "all" -o "$server" = "all" ] && \ [ "$client" = "all" -o "$server" = "all" ] && \
policy_rules $chain $policy $loglevel policy_rules $chain $policy $loglevel
@ -3725,6 +3838,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
blacklist_interfaces=`find_interfaces_by_option blacklist` blacklist_interfaces=`find_interfaces_by_option blacklist`
filterping_interfaces=`find_interfaces_by_option filterping` filterping_interfaces=`find_interfaces_by_option filterping`
maclist_interfaces=`find_interfaces_by_maclist` maclist_interfaces=`find_interfaces_by_maclist`
tcpflags_interfaces=`find_interfaces_by_option tcpflags`
# #
# Normalize the first argument to this function # Normalize the first argument to this function
# #
@ -3788,6 +3902,10 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
rulenum=$(($rulenum + 1)) rulenum=$(($rulenum + 1))
fi fi
if ! list_search $interface $tcpflags_interfaces; then
rulenum=$(($rulenum + 1))
fi
do_iptables -I `input_chain $interface` $rulenum -s $host -j $chain do_iptables -I `input_chain $interface` $rulenum -s $host -j $chain
else else
# #
@ -3812,6 +3930,10 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
if ! list_search $interface $maclist_interfaces; then if ! list_search $interface $maclist_interfaces; then
rulenum=$(($rulenum + 1)) rulenum=$(($rulenum + 1))
fi fi
if ! list_search $interface $tcpflags_interfaces; then
rulenum=$(($rulenum + 1))
fi
fi fi
for h in $dest_hosts; do for h in $dest_hosts; do
@ -4078,6 +4200,8 @@ do_initialize() {
FORWARDPING= FORWARDPING=
MACLIST_DISPOSITION= MACLIST_DISPOSITION=
MACLIST_LOG_LEVEL= MACLIST_LOG_LEVEL=
TCP_FLAGS_DISPOSITION=
TCP_FLAGS_LOG_LEVEL=
stopping= stopping=
have_mutex= have_mutex=
masq_seq=1 masq_seq=1
@ -4175,6 +4299,18 @@ do_initialize() {
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
fi fi
if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
case $TCP_FLAGS_DISPOSITION in
REJECT|ACCEPT|DROP)
;;
*)
startup_error "Invalid value ($TCP_FLAGS_DISPOSITION) for TCP_FLAGS_DISPOSITION"
;;
esac
else
TCP_FLAGS_DISPOSITION=DROP
fi
} }
# #
@ -4246,7 +4382,8 @@ case "$command" in
status) status)
[ $# -ne 1 ] && usage [ $# -ne 1 ] && usage
echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n" echo "Shorewall-$version Status at $HOSTNAME - `date`"
echo
iptables -L -n -v iptables -L -n -v
;; ;;

94
STABLE/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.3.10 VERSION=1.3.11
usage() # $1 = exit status usage() # $1 = exit status
{ {
@ -68,15 +68,17 @@ usage() # $1 = exit status
run_install() run_install()
{ {
if ! install $*; then if ! install $*; then
echo -e "\nERROR: Failed to install $*" echo
echo "ERROR: Failed to install $*"
exit 1 exit 1
fi fi
} }
cant_autostart() cant_autostart()
{ {
echo -e "\nWARNING: Unable to configure Shorewall to start" echo
echo " automatically at boot" echo "WARNING: Unable to configure Shorewall to start"
echo " automatically at boot"
} }
backup_file() # $1 = file to backup backup_file() # $1 = file to backup
@ -224,7 +226,8 @@ fi
install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0544 install_file_with_backup shorewall ${PREFIX}/sbin/shorewall 0544
echo -e "\nShorewall control program installed in ${PREFIX}/sbin/shorewall" echo
echo "Shorewall control program installed in ${PREFIX}/sbin/shorewall"
# #
# Install the Firewall Script # Install the Firewall Script
@ -240,7 +243,8 @@ if [ -n "$RUNLEVELS" ]; then
awk -f awk.temp init.sh > init.temp awk -f awk.temp init.sh > init.temp
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo -e "\nERROR: Error running awk." echo
echo "ERROR: Error running awk."
echo " You must run `basename $0` without the "-r" option then edit" echo " You must run `basename $0` without the "-r" option then edit"
echo " $DEST/$FIREWALL manually (line beginning '# chkconfig:')" echo " $DEST/$FIREWALL manually (line beginning '# chkconfig:')"
exit 1 exit 1
@ -253,7 +257,8 @@ else
install_file_with_backup init.sh ${PREFIX}${DEST}/$FIREWALL 0544 install_file_with_backup init.sh ${PREFIX}${DEST}/$FIREWALL 0544
fi fi
echo -e "\nShorewall script installed in ${PREFIX}${DEST}/$FIREWALL" echo
echo "Shorewall script installed in ${PREFIX}${DEST}/$FIREWALL"
# #
# Create /etc/shorewall, /usr/lib/shorewall and /var/shorewall if needed # Create /etc/shorewall, /usr/lib/shorewall and /var/shorewall if needed
@ -268,7 +273,8 @@ if [ -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
backup_file /etc/shorewall/shorewall.conf backup_file /etc/shorewall/shorewall.conf
else else
run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf run_install -o $OWNER -g $GROUP -m 0744 shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
echo -e "\nConfig file installed as ${PREFIX}/etc/shorewall/shorewall.conf" echo
echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"
fi fi
# #
# Install the zones file # Install the zones file
@ -277,7 +283,8 @@ if [ -f ${PREFIX}/etc/shorewall/zones ]; then
backup_file /etc/shorewall/zones backup_file /etc/shorewall/zones
else else
run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones run_install -o $OWNER -g $GROUP -m 0744 zones ${PREFIX}/etc/shorewall/zones
echo -e "\nZones file installed as ${PREFIX}/etc/shorewall/zones" echo
echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
fi fi
# #
@ -295,19 +302,22 @@ fi
install_file_with_backup functions ${PREFIX}/usr/lib/shorewall/functions 0444 install_file_with_backup functions ${PREFIX}/usr/lib/shorewall/functions 0444
echo -e "\nCommon functions installed in ${PREFIX}/usr/lib/shorewall/functions" echo
echo "Common functions installed in ${PREFIX}/usr/lib/shorewall/functions"
# #
# Install the common.def file # Install the common.def file
# #
install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444 install_file_with_backup common.def ${PREFIX}/etc/shorewall/common.def 0444
echo -e "\nCommon rules installed in ${PREFIX}/etc/shorewall/common.def" echo
echo "Common rules installed in ${PREFIX}/etc/shorewall/common.def"
# #
# Install the icmp.def file # Install the icmp.def file
# #
install_file_with_backup icmp.def ${PREFIX}/etc/shorewall/icmp.def 0444 install_file_with_backup icmp.def ${PREFIX}/etc/shorewall/icmp.def 0444
echo -e "\nCommon ICMP rules installed in ${PREFIX}/etc/shorewall/icmp.def" echo
echo "Common ICMP rules installed in ${PREFIX}/etc/shorewall/icmp.def"
# #
# Install the policy file # Install the policy file
@ -316,7 +326,8 @@ if [ -f ${PREFIX}/etc/shorewall/policy ]; then
backup_file /etc/shorewall/policy backup_file /etc/shorewall/policy
else else
run_install -o $OWNER -g $GROUP -m 0600 policy ${PREFIX}/etc/shorewall/policy run_install -o $OWNER -g $GROUP -m 0600 policy ${PREFIX}/etc/shorewall/policy
echo -e "\nPolicy file installed as ${PREFIX}/etc/shorewall/policy" echo
echo "Policy file installed as ${PREFIX}/etc/shorewall/policy"
fi fi
# #
# Install the interfaces file # Install the interfaces file
@ -325,7 +336,8 @@ if [ -f ${PREFIX}/etc/shorewall/interfaces ]; then
backup_file /etc/shorewall/interfaces backup_file /etc/shorewall/interfaces
else else
run_install -o $OWNER -g $GROUP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces run_install -o $OWNER -g $GROUP -m 0600 interfaces ${PREFIX}/etc/shorewall/interfaces
echo -e "\nInterfaces file installed as ${PREFIX}/etc/shorewall/interfaces" echo
echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
fi fi
# #
# Install the hosts file # Install the hosts file
@ -334,7 +346,8 @@ if [ -f ${PREFIX}/etc/shorewall/hosts ]; then
backup_file /etc/shorewall/hosts backup_file /etc/shorewall/hosts
else else
run_install -o $OWNER -g $GROUP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts run_install -o $OWNER -g $GROUP -m 0600 hosts ${PREFIX}/etc/shorewall/hosts
echo -e "\nHosts file installed as ${PREFIX}/etc/shorewall/hosts" echo
echo "Hosts file installed as ${PREFIX}/etc/shorewall/hosts"
fi fi
# #
# Install the rules file # Install the rules file
@ -343,7 +356,8 @@ if [ -f ${PREFIX}/etc/shorewall/rules ]; then
backup_file /etc/shorewall/rules backup_file /etc/shorewall/rules
else else
run_install -o $OWNER -g $GROUP -m 0600 rules ${PREFIX}/etc/shorewall/rules run_install -o $OWNER -g $GROUP -m 0600 rules ${PREFIX}/etc/shorewall/rules
echo -e "\nRules file installed as ${PREFIX}/etc/shorewall/rules" echo
echo "Rules file installed as ${PREFIX}/etc/shorewall/rules"
fi fi
# #
# Install the NAT file # Install the NAT file
@ -352,7 +366,8 @@ if [ -f ${PREFIX}/etc/shorewall/nat ]; then
backup_file /etc/shorewall/nat backup_file /etc/shorewall/nat
else else
run_install -o $OWNER -g $GROUP -m 0600 nat ${PREFIX}/etc/shorewall/nat run_install -o $OWNER -g $GROUP -m 0600 nat ${PREFIX}/etc/shorewall/nat
echo -e "\nNAT file installed as ${PREFIX}/etc/shorewall/nat" echo
echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
fi fi
# #
# Install the Parameters file # Install the Parameters file
@ -361,7 +376,8 @@ if [ -f ${PREFIX}/etc/shorewall/params ]; then
backup_file /etc/shorewall/params backup_file /etc/shorewall/params
else else
run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params run_install -o $OWNER -g $GROUP -m 0600 params ${PREFIX}/etc/shorewall/params
echo -e "\nParameter file installed as ${PREFIX}/etc/shorewall/params" echo
echo "Parameter file installed as ${PREFIX}/etc/shorewall/params"
fi fi
# #
# Install the proxy ARP file # Install the proxy ARP file
@ -370,7 +386,8 @@ if [ -f ${PREFIX}/etc/shorewall/proxyarp ]; then
backup_file /etc/shorewall/proxyarp backup_file /etc/shorewall/proxyarp
else else
run_install -o $OWNER -g $GROUP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp run_install -o $OWNER -g $GROUP -m 0600 proxyarp ${PREFIX}/etc/shorewall/proxyarp
echo -e "\nProxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp" echo
echo "Proxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp"
fi fi
# #
# Install the Stopped Routing file # Install the Stopped Routing file
@ -379,7 +396,8 @@ if [ -f ${PREFIX}/etc/shorewall/routestopped ]; then
backup_file /etc/shorewall/routestopped backup_file /etc/shorewall/routestopped
else else
run_install -o $OWNER -g $GROUP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped run_install -o $OWNER -g $GROUP -m 0600 routestopped ${PREFIX}/etc/shorewall/routestopped
echo -e "\nStopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped" echo
echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
fi fi
# #
# Install the Mac List file # Install the Mac List file
@ -388,7 +406,8 @@ if [ -f ${PREFIX}/etc/shorewall/maclist ]; then
backup_file /etc/shorewall/maclist backup_file /etc/shorewall/maclist
else else
run_install -o $OWNER -g $GROUP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist run_install -o $OWNER -g $GROUP -m 0600 maclist ${PREFIX}/etc/shorewall/maclist
echo -e "\nMAC list file installed as ${PREFIX}/etc/shorewall/maclist" echo
echo "MAC list file installed as ${PREFIX}/etc/shorewall/maclist"
fi fi
# #
# Install the Masq file # Install the Masq file
@ -397,7 +416,8 @@ if [ -f ${PREFIX}/etc/shorewall/masq ]; then
backup_file /etc/shorewall/masq backup_file /etc/shorewall/masq
else else
run_install -o $OWNER -g $GROUP -m 0600 masq ${PREFIX}/etc/shorewall/masq run_install -o $OWNER -g $GROUP -m 0600 masq ${PREFIX}/etc/shorewall/masq
echo -e "\nMasquerade file installed as ${PREFIX}/etc/shorewall/masq" echo
echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
fi fi
# #
# Install the Modules file # Install the Modules file
@ -406,7 +426,8 @@ if [ -f ${PREFIX}/etc/shorewall/modules ]; then
backup_file /etc/shorewall/modules backup_file /etc/shorewall/modules
else else
run_install -o $OWNER -g $GROUP -m 0600 modules ${PREFIX}/etc/shorewall/modules run_install -o $OWNER -g $GROUP -m 0600 modules ${PREFIX}/etc/shorewall/modules
echo -e "\nModules file installed as ${PREFIX}/etc/shorewall/modules" echo
echo "Modules file installed as ${PREFIX}/etc/shorewall/modules"
fi fi
# #
# Install the TC Rules file # Install the TC Rules file
@ -415,7 +436,8 @@ if [ -f ${PREFIX}/etc/shorewall/tcrules ]; then
backup_file /etc/shorewall/tcrules backup_file /etc/shorewall/tcrules
else else
run_install -o $OWNER -g $GROUP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules run_install -o $OWNER -g $GROUP -m 0600 tcrules ${PREFIX}/etc/shorewall/tcrules
echo -e "\nTC Rules file installed as ${PREFIX}/etc/shorewall/tcrules" echo
echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
fi fi
# #
@ -425,7 +447,8 @@ if [ -f ${PREFIX}/etc/shorewall/tos ]; then
backup_file /etc/shorewall/tos backup_file /etc/shorewall/tos
else else
run_install -o $OWNER -g $GROUP -m 0600 tos ${PREFIX}/etc/shorewall/tos run_install -o $OWNER -g $GROUP -m 0600 tos ${PREFIX}/etc/shorewall/tos
echo -e "\nTOS file installed as ${PREFIX}/etc/shorewall/tos" echo
echo "TOS file installed as ${PREFIX}/etc/shorewall/tos"
fi fi
# #
# Install the Tunnels file # Install the Tunnels file
@ -434,7 +457,8 @@ if [ -f ${PREFIX}/etc/shorewall/tunnels ]; then
backup_file /etc/shorewall/tunnels backup_file /etc/shorewall/tunnels
else else
run_install -o $OWNER -g $GROUP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels run_install -o $OWNER -g $GROUP -m 0600 tunnels ${PREFIX}/etc/shorewall/tunnels
echo -e "\nTunnels file installed as ${PREFIX}/etc/shorewall/tunnels" echo
echo "Tunnels file installed as ${PREFIX}/etc/shorewall/tunnels"
fi fi
# #
# Install the blacklist file # Install the blacklist file
@ -443,7 +467,8 @@ if [ -f ${PREFIX}/etc/shorewall/blacklist ]; then
backup_file /etc/shorewall/blacklist backup_file /etc/shorewall/blacklist
else else
run_install -o $OWNER -g $GROUP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist run_install -o $OWNER -g $GROUP -m 0600 blacklist ${PREFIX}/etc/shorewall/blacklist
echo -e "\nBlacklist file installed as ${PREFIX}/etc/shorewall/blacklist" echo
echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
fi fi
# #
# Backup and remove the whitelist file # Backup and remove the whitelist file
@ -459,7 +484,8 @@ if [ -f ${PREFIX}/etc/shorewall/rfc1918 ]; then
backup_file /etc/shorewall/rfc1918 backup_file /etc/shorewall/rfc1918
else else
run_install -o $OWNER -g $GROUP -m 0600 rfc1918 ${PREFIX}/etc/shorewall/rfc1918 run_install -o $OWNER -g $GROUP -m 0600 rfc1918 ${PREFIX}/etc/shorewall/rfc1918
echo -e "\nRFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918" echo
echo "RFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918"
fi fi
# #
# Backup the version file # Backup the version file
@ -498,20 +524,23 @@ install_file_with_backup firewall ${PREFIX}/usr/lib/shorewall/firewall 0544
if [ -z "$PREFIX" -a -n "$first_install" ]; then if [ -z "$PREFIX" -a -n "$first_install" ]; then
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
if insserv /etc/init.d/shorewall ; then if insserv /etc/init.d/shorewall ; then
echo -e "\nFirewall will start automatically at boot" echo
echo "Firewall will start automatically at boot"
else else
cant_autostart cant_autostart
fi fi
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
if chkconfig --add $FIREWALL ; then if chkconfig --add $FIREWALL ; then
echo -e "\nFirewall will start automatically in run levels as follows:" echo
echo "Firewall will start automatically in run levels as follows:"
chkconfig --list $FIREWALL chkconfig --list $FIREWALL
else else
cant_autostart cant_autostart
fi fi
elif [ -x /sbin/rc-update ]; then elif [ -x /sbin/rc-update ]; then
if rc-update add shorewall default; then if rc-update add shorewall default; then
echo -e "\nFirewall will start automatically at boot" echo
echo "Firewall will start automatically at boot"
else else
cant_autostart cant_autostart
fi fi
@ -528,4 +557,5 @@ fi
# #
# Report Success # Report Success
# #
echo -e "\nShorewall Version $VERSION Installed" echo
echo "Shorewall Version $VERSION Installed"

10
STABLE/interfaces
View File

@ -20,6 +20,8 @@
# an alias (e.g., eth0:0) here; see # an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18 # http://www.shorewall.net/FAQ.htm#faq18
# #
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
#
# BROADCAST The broadcast address for the subnetwork to which the # BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this # interface belongs. For P-T-P interfaces, this
# column is left black.If the interface has multiple # column is left black.If the interface has multiple
@ -89,6 +91,14 @@
# is specified, the interface must be # is specified, the interface must be
# an ethernet NIC and must be up before # an ethernet NIC and must be up before
# Shorewall is started. # Shorewall is started.
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
# proxyarp - # proxyarp -
# Sets # Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp. # /proc/sys/net/ipv4/conf/<interface>/proxy_arp.

4
STABLE/policy
View File

@ -17,6 +17,10 @@
# DEST Destination zone. Must be the name of a zone defined # DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all" # in /etc/shorewall/zones, $FW or "all"
# #
# WARNING: Firewall->Firewall policies are not allowed; if
# you have a policy where both SOURCE and DEST are $FW,
# Shorewall will not start!
#
# POLICY Policy if no match from the rules file is found. Must # POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT" or "CONTINUE" # be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
# #

42
STABLE/releasenotes.txt
View File

@ -1,27 +1,23 @@
This is a minor release of Shorewall that has a number of new features.. This is a minor release of Shorewall that has a couple of new features.
New features include: New features include:
1) You may now define the contents of a zone dynamically with the 1) A 'tcpflags' option has been added to entries in
"shorewall add" and "shorewall delete" commands. These commands /etc/shorewall/interfaces. This option causes Shorewall to make a
are expected to be used primarily within FreeS/Wan updown scripts. set of sanity check on TCP packet header flags.
2) Shorewall can now do MAC verification on ethernet segments. You can 2) It is now allowed to use 'all' in the SOURCE or DEST column in a
specify the set of allowed MAC addresses on the segment and you can rule. When used, 'all' must appear by itself (in may not be
optionally tie each MAC address to an IP address. qualified) and it does not enable intra-zone traffic (e.g., the rule
"ACCEPT loc all tcp 80" does not enable http traffic from
3) PPTP Servers and Clients running on the firewall system may now be 'loc' to 'loc').
defined in the /etc/shorewall/tunnels file.
3) Shorewall's use of the 'echo' command is now compatible with bash
clones such as ash and dash.
4) fw->fw policies now generate a startup error. fw->fw rules generate
a warning and are ignored.
4) A new 'ipsecnat' tunnel type is supported for use when the remote
IPSEC endpoint is behind a NAT gateway.
5) The PATH used by Shorewall may now be specified in
/etc/shorewall/shorewall.conf.
6) The main firewall script is now /usr/lib/shorewall/firewall. The
script in /etc/init.d/shorewall is very small and uses
/sbin/shorewall to do the real work. This change makes custom
distributions such as for Debian and for Gentoo easier to manage
since it is /etc/init.d/shorewall that tends to have
distribution-dependent code.

32
STABLE/rules
View File

@ -32,17 +32,18 @@
# logged at the specified level. # logged at the specified level.
# #
# SOURCE Source hosts to which the rule applies. May be a zone # SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones or $FW to indicate the # defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself. If the ACTION is DNAT or REDIRECT, # firewall itself, or "all" If the ACTION is DNAT or
# sub-zones of the specified zone may be excluded from # REDIRECT, sub-zones of the specified zone may be
# the rule by following the zone name with "!' and a # excluded from the rule by following the zone name with
# comma-separated list of sub-zone names. # "!' and a comma-separated list of sub-zone names.
# #
# Clients may be further restricted to a list of subnets # Except when "all" is specified, clients may be further
# and/or hosts by appending ":" and a comma-separated # restricted to a list of subnets and/or hosts by
# list of subnets and/or hosts. Hosts may be specified # appending ":" and a comma-separated list of subnets
# by IP or MAC address; mac addresses must begin with # and/or hosts. Hosts may be specified by IP or MAC
# "~" and must use "-" as a separator. # address; mac addresses must begin with "~" and must use
# "-" as a separator.
# #
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
# #
@ -64,12 +65,13 @@
# as described above (e.g., loc:eth1:192.168.1.5). # as described above (e.g., loc:eth1:192.168.1.5).
# #
# DEST Location of Server. May be a zone defined in # DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones or $FW to indicate the firewall # /etc/shorewall/zones, $FW to indicate the firewall
# itself. # itself or "all"
# #
# The server may be further restricted to a particular # Except when "all" is specified, the server may be
# subnet, host or interface by appending ":" and the # further restricted to a particular subnet, host or
# subnet, host or interface. See above. # interface by appending ":" and the subnet, host or
# interface. See above.
# #
# Restrictions: # Restrictions:
# #

129
STABLE/shorewall
View File

@ -150,8 +150,10 @@ display_chains()
iptables -L -n -v > /tmp/chains-$$ iptables -L -n -v > /tmp/chains-$$
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo -e "Standard Chains\\n" echo
echo "Standard Chains"
echo
firstchain="Yes" firstchain="Yes"
showchain INPUT showchain INPUT
showchain OUTPUT showchain OUTPUT
@ -160,9 +162,11 @@ display_chains()
timed_read timed_read
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo
firstchain=Yes firstchain=Yes
echo -e "Input Chains\\n" echo "Input Chains"
echo
chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2` chains=`grep '^Chain.*_[in|fwd]' /tmp/chains-$$ | cut -d' ' -f 2`
@ -176,10 +180,12 @@ display_chains()
if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then if [ -n "`grep "^Chain \.*${zone}" /tmp/chains-$$`" ] ; then
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo
firstchain=Yes firstchain=Yes
eval display=\$${zone}_display eval display=\$${zone}_display
echo -e "$display Chains\\n" echo "$display Chains"
echo
for zone1 in $FW $zones; do for zone1 in $FW $zones; do
showchain ${zone}2$zone1 showchain ${zone}2$zone1
showchain @${zone}2$zone1 showchain @${zone}2$zone1
@ -193,9 +199,11 @@ display_chains()
done done
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo
firstchain=Yes firstchain=Yes
echo -e "Policy Chains\\n" echo "Policy Chains"
echo
showchain common showchain common
showchain badpkt showchain badpkt
showchain icmpdef showchain icmpdef
@ -212,9 +220,11 @@ display_chains()
timed_read timed_read
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo
firstchain=Yes firstchain=Yes
echo -e "Dynamic Chain\\n" echo "Dynamic Chain"
echo
showchain dynamic showchain dynamic
timed_read timed_read
@ -309,9 +319,11 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
display_chains display_chains
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo
echo -e "Dropped/Rejected Packet Log\\n" echo "Dropped/Rejected Packet Log"
echo
show_reset show_reset
@ -319,11 +331,14 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
if [ "$rejects" != "$oldrejects" ]; then if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects" oldrejects="$rejects"
echo -e '\a'
$RING_BELL
packet_log 20 packet_log 20
if [ "$pause" = "Yes" ]; then if [ "$pause" = "Yes" ]; then
echo -en '\nEnter any character to continue: ' echo
echo $ECHO_N 'Enter any character to continue: '
read foo read foo
else else
timed_read timed_read
@ -335,26 +350,37 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
fi fi
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo -e "NAT Status\\n" echo
echo "NAT Status"
echo
iptables -t nat -L -n -v iptables -t nat -L -n -v
timed_read timed_read
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo -e "\\nTOS/MARK Status\\n" echo
echo
echo "TOS/MARK Status"
echo
iptables -t mangle -L -n -v iptables -t mangle -L -n -v
timed_read timed_read
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo -e "\\nTracked Connections\\n" echo
echo
echo "Tracked Connections"
echo
cat /proc/net/ip_conntrack cat /proc/net/ip_conntrack
timed_read timed_read
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo -e "\\nTraffic Shaping/Control\\n" echo
echo
echo "Traffic Shaping/Control"
echo
show_tc show_tc
timed_read timed_read
done done
@ -383,9 +409,11 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
while true; do while true; do
clear clear
echo -e "$banner `date`\\n" echo "$banner `date`"
echo
echo -e "Dropped/Rejected Packet Log\\n" echo "Dropped/Rejected Packet Log"
echo
show_reset show_reset
@ -393,11 +421,14 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
if [ "$rejects" != "$oldrejects" ]; then if [ "$rejects" != "$oldrejects" ]; then
oldrejects="$rejects" oldrejects="$rejects"
echo -e '\a'
$RING_BELL
packet_log 40 packet_log 40
if [ "$pause" = "Yes" ]; then if [ "$pause" = "Yes" ]; then
echo -en '\nEnter any character to continue: ' echo
echo $ECHO_N 'Enter any character to continue: '
read foo read foo
else else
timed_read timed_read
@ -445,7 +476,8 @@ usage() # $1 = exit status
# #
show_reset() { show_reset() {
[ -f $STATEDIR/restarted ] && \ [ -f $STATEDIR/restarted ] && \
echo -e "Counters reset `cat $STATEDIR/restarted`\\n" echo "Counters reset `cat $STATEDIR/restarted`" && \
echo
} }
# #
@ -537,6 +569,24 @@ banner="Shorewall-$version Status at $HOSTNAME -"
get_statedir get_statedir
case `echo -e` in
-e*)
RING_BELL="echo \'\a\'"
;;
*)
RING_BELL="echo -e \'\a\'"
;;
esac
case `echo -n "Testing"` in
-n*)
ECHO_N=
;;
*)
ECHO_N=-n
;;
esac
case "$1" in case "$1" in
start|stop|restart|reset|clear|refresh|check) start|stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
@ -550,32 +600,38 @@ case "$1" in
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
case "$2" in case "$2" in
connections) connections)
echo -e "Shorewall-$version Connections at $HOSTNAME - `date`\\n" echo "Shorewall-$version Connections at $HOSTNAME - `date`"
echo
cat /proc/net/ip_conntrack cat /proc/net/ip_conntrack
;; ;;
nat) nat)
echo -e "Shorewall-$version NAT at $HOSTNAME - `date`\\n" echo "Shorewall-$version NAT at $HOSTNAME - `date`"
echo
show_reset show_reset
iptables -t nat -L -n -v iptables -t nat -L -n -v
;; ;;
tos|mangle) tos|mangle)
echo -e "Shorewall-$version TOS at $HOSTNAME - `date`\\n" echo "Shorewall-$version TOS at $HOSTNAME - `date`"
echo
show_reset show_reset
iptables -t mangle -L -n -v iptables -t mangle -L -n -v
;; ;;
log) log)
get_config get_config
echo -e "Shorewall-$version Log at $HOSTNAME - `date`\\n" echo "Shorewall-$version Log at $HOSTNAME - `date`"
echo
show_reset show_reset
host=`echo $HOSTNAME | sed 's/\..*$//'` host=`echo $HOSTNAME | sed 's/\..*$//'`
packet_log 20 packet_log 20
;; ;;
tc) tc)
echo -e "Shorewall-$version Traffic Control at $HOSTNAME - `date`\\n" echo "Shorewall-$version Traffic Control at $HOSTNAME - `date`"
echo
show_tc show_tc
;; ;;
*) *)
echo -e "Shorewall-$version Chain $2 at $HOSTNAME - `date`\\n" echo "Shorewall-$version Chain $2 at $HOSTNAME - `date`"
echo
show_reset show_reset
iptables -L $2 -n -v iptables -L $2 -n -v
;; ;;
@ -594,7 +650,8 @@ case "$1" in
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
get_config get_config
clear clear
echo -e "Shorewall-$version Status at $HOSTNAME - `date`\\n" echo "Shorewall-$version Status at $HOSTNAME - `date`"
echo
show_reset show_reset
host=`echo $HOSTNAME | sed 's/\..*$//'` host=`echo $HOSTNAME | sed 's/\..*$//'`
iptables -L -n -v iptables -L -n -v
@ -611,7 +668,9 @@ case "$1" in
[ $# -eq 1 ] || usage 1 [ $# -eq 1 ] || usage 1
get_config get_config
clear clear
echo -e "Shorewall-$version Hits at $HOSTNAME - `date`\\n" echo "Shorewall-$version Hits at $HOSTNAME - `date`"
echo
timeout=30 timeout=30
if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then if [ `grep -c "Shorewall:" $LOGFILE ` -gt 0 ] ; then

20
STABLE/shorewall.conf
View File

@ -404,4 +404,24 @@ MACLIST_DISPOSITION=REJECT
MACLIST_LOG_LEVEL=info MACLIST_LOG_LEVEL=info
#
# TCP FLAGS Disposition
#
# This variable determins the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
TCP_FLAGS_DISPOSITION=DROP
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
TCP_FLAGS_LOG_LEVEL=info
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE

4
STABLE/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.3.10 %define version 1.3.11
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -101,6 +101,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Sun Nov 24 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.11
* Sat Nov 09 2002 Tom Eastep <tom@shorewall.net> * Sat Nov 09 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.10 - Changes version to 1.3.10
* Wed Oct 23 2002 Tom Eastep <tom@shorewall.net> * Wed Oct 23 2002 Tom Eastep <tom@shorewall.net>

5
STABLE/tcrules
View File

@ -6,6 +6,11 @@
# Entries in this file cause packets to be marked as a means of # Entries in this file cause packets to be marked as a means of
# classifying them for traffic control or policy routing. # classifying them for traffic control or policy routing.
# #
# I M P O R T A N T ! ! ! !
#
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
#
# Columns are: # Columns are:
# #
# #

2
STABLE/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.10 VERSION=1.3.11
usage() # $1 = exit status usage() # $1 = exit status
{ {