diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml
index 69e8a0a1c..2c3605e0c 100644
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -55,7 +55,7 @@ - Accounting + Limiting per-IPaddress Connection Rate
@@ -65,7 +65,7 @@ - Actions + Accounting Logging
@@ -74,8 +74,7 @@ - Aliased - (virtual) Interfaces (e.g., eth0:0) + Actions Macros
@@ -84,8 +83,8 @@ - Anatomy of Shorewall - (Russian) + Aliased + (virtual) Interfaces (e.g., eth0:0) MAC Verification
@@ -95,8 +94,8 @@ - Bandwidth Control - (Russian) + Anatomy of Shorewall + (Russian) Man Pages
@@ -104,6 +103,16 @@ Guide + + Bandwidth Control + (Russian) + + Masquerading + + SMB + + Blacklisting ( (Russian) - SMB + SNAT + (Source Network Address + Translation)
@@ -182,8 +193,9 @@ - DNAT (Port - Forwarding) + DNAT + (Destination Network Address + Translation) Operating Shorewall
@@ -197,6 +209,9 @@ Packet Marking + + Upgrade + Issues
@@ -206,8 +221,7 @@ Packet Processing in a Shorewall-based Firewall - Upgrade - Issues + VPN
@@ -216,7 +230,8 @@ 'Ping' Management - VPN + White List + Creation
@@ -225,8 +240,8 @@ Port Forwarding - White List - Creation + Xen - Shorewall in a Bridged Xen + DomU
@@ -235,8 +250,8 @@ Port Information - Xen - Shorewall in a Bridged Xen - DomU + Xen - Shorewall in Routed + Xen Dom0
@@ -246,8 +261,7 @@ Port Knocking and Other Uses of the 'Recent Match' - Xen - Shorewall in Routed - Xen Dom0 +
diff --git a/docs/IPSEC-2.6.xml b/docs/IPSEC-2.6.xml
index 6012b66f1..6edd106af 100644
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -460,6 +460,10 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any # OPTIONS OPTIONS sec ipsec mode=tunnel mss=1400 + You should also set FASTACCEPT=No in shorewall.conf to ensure + that both the SYN and SYN,ACK packets have their MSS field + adjusted. + Note that CLAMPMSS=Yes in shorewall.conf isn't effective with the 2.6 native IPSEC implementation because there is no separate ipsec device with a lower mtu as there was under the
diff --git a/docs/Introduction.xml b/docs/Introduction.xml
index 1b74145d9..84ee88692 100644
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -16,7 +16,7 @@ - 2003-2006 + 2003-2007 Thomas M. Eastep
@@ -108,6 +108,11 @@ http://www.fs-security.com/ + + + http://www.fs-security.com/ + If you are looking for a Linux firewall solution that can handle
diff --git a/docs/two-interface.xml b/docs/two-interface.xml
index c5488c10e..53dd143a8 100644
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@@ -578,20 +578,22 @@ root@lists:~# IP Masquerading (SNAT) The addresses reserved by RFC 1918 are sometimes referred to as - non-routable because the Internet backbone routers don't forward packets - which have an RFC-1918 destination address. When one of your local systems - (let's assume computer 1) sends a connection request to an internet host, - the firewall must perform Network Address Translation - (NAT). The firewall rewrites the source address in the - packet to be the address of the firewall's external interface; in other - words, the firewall makes it look as if the firewall itself is initiating - the connection. This is necessary so that the destination host will be - able to route return packets back to the firewall (remember that packets - whose destination address is reserved by RFC 1918 can't be routed across - the internet so the remote host can't address its response to computer 1). - When the firewall receives a return packet, it rewrites the destination - address back to 10.10.10.1 and - forwards the packet on to computer 1. + non-routable because the Internet backbone routers + don't forward packets which have an RFC-1918 destination address. When one + of your local systems (let's assume computer 1 in the above diagram) sends a connection request to an + internet host, the firewall must perform Network Address + Translation (NAT). The firewall rewrites the + source address in the packet to be the address of the firewall's external + interface; in other words, the firewall makes it appear to the destination + internet host as if the firewall itself is initiating the connection. This + is necessary so that the destination host will be able to route return + packets back to the firewall (remember that packets whose destination + address is reserved by RFC 1918 can't be routed across the internet so the + remote host can't address its response to computer 1). 
When the firewall + receives a return packet, it rewrites the destination address back to + 10.10.10.1 and forwards the + packet on to computer 1. On Linux systems, the above process is often referred to as IP Masquerading but you will also see the term
@@ -611,8 +613,8 @@ root@lists:~# In Shorewall, both Masquerading and SNAT are configured with entries - in the /etc/shorewall/masq + in the /etc/shorewall/masq file. You will normally use Masquerading if your external IP is dynamic and SNAT if the IP is static.
@@ -621,7 +623,8 @@ root@lists:~# If your external firewall interface is eth0, you do not need to modify the file - provided with the sample. Otherwise, edit the sample. Otherwise, edit + /etc/shorewall/masq and change the first column to the name of your external interface and the second column to the name of your internal interface.
@@ -632,8 +635,9 @@ root@lists:~# in the third column in the /etc/shorewall/masq entry if you like although your firewall will work fine if you leave that - column empty. Entering your static IP in column 3 makes - processing outgoing packets a little more efficient. + column empty (Masquerade). Entering your static IP in + column 3 (SNAT) makes the processing of outgoing packets a little more + efficient.
diff --git a/manpages/shorewall-zones.xml b/manpages/shorewall-zones.xml
index 1f3370c2d..b7757cf42 100644
--- a/manpages/shorewall-zones.xml
+++ b/manpages/shorewall-zones.xml
@@ -167,7 +167,11 @@ c:a,b ipv4 role="bold">mss=number - sets the MSS field in TCP packets + sets the MSS field in TCP packets. If you supply this + option, you should also set FASTACCEPT=No in shorewall.conf(8) to insure + that both the SYN and SYN,ACK packets have their MSS field + adjusted.