Note that mss= in zones file should be accompanied by FASTACCEPT=No

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7165 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2007-08-17 14:59:07 +00:00 · 2007-08-17 14:59:07 +00:00 · 9afce0d59b
commit 9afce0d59b
parent e8657289fc
5 changed files with 72 additions and 41 deletions
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@ -55,7 +55,7 @@
      <tgroup align="left" cols="3">
        <tbody>
          <row>
-            <entry><ulink url="Accounting.html">Accounting</ulink></entry>
+            <entry></entry>

            <entry><ulink url="PortKnocking.html#Limit">Limiting per-IPaddress
            Connection Rate</ulink></entry>
@ -65,7 +65,7 @@
          </row>

          <row>
-            <entry><ulink url="Actions.html">Actions</ulink></entry>
+            <entry><ulink url="Accounting.html">Accounting</ulink></entry>

            <entry><ulink url="shorewall_logging.html">Logging</ulink></entry>

@ -74,8 +74,7 @@
          </row>

          <row>
-            <entry><ulink url="Shorewall_and_Aliased_Interfaces.html">Aliased
-            (virtual) Interfaces (e.g., eth0:0)</ulink></entry>
+            <entry><ulink url="Actions.html">Actions</ulink></entry>

            <entry><ulink url="Macros.html">Macros</ulink></entry>

@ -84,8 +83,8 @@
          </row>

          <row>
-            <entry><ulink url="Anatomy.html">Anatomy of Shorewall</ulink>
-            (<ulink url="Anatomy_ru.html">Russian</ulink>)</entry>
+            <entry><ulink url="Shorewall_and_Aliased_Interfaces.html">Aliased
+            (virtual) Interfaces (e.g., eth0:0)</ulink></entry>

            <entry><ulink url="MAC_Validation.html">MAC
            Verification</ulink></entry>
@ -95,8 +94,8 @@
          </row>

          <row>
-            <entry><ulink url="traffic_shaping.htm">Bandwidth Control</ulink>
-            (<ulink url="traffic_shaping_ru.html">Russian</ulink>)</entry>
+            <entry><ulink url="Anatomy.html">Anatomy of Shorewall</ulink>
+            (<ulink url="Anatomy_ru.html">Russian</ulink>)</entry>

            <entry><ulink url="Manpages.html">Man Pages</ulink></entry>

@ -104,6 +103,16 @@
            Guide</ulink></entry>
          </row>

+          <row>
+            <entry><ulink url="traffic_shaping.htm">Bandwidth Control</ulink>
+            (<ulink url="traffic_shaping_ru.html">Russian</ulink>)</entry>
+
+            <entry><ulink
+            url="two-interface.htm#SNAT">Masquerading</ulink></entry>
+
+            <entry><ulink url="samba.htm">SMB</ulink></entry>
+          </row>
+
          <row>
            <entry><ulink url="blacklisting_support.htm">Blacklisting</ulink>
            (<ulink
@ -113,7 +122,9 @@
            from a Single Firewall</ulink> (<ulink
            url="MultiISP_ru.html">Russian</ulink>)</entry>

-            <entry><ulink url="samba.htm">SMB</ulink></entry>
+            <entry><ulink url="two-interface.htm#SNAT">SNAT</ulink>
+            (<firstterm>Source Network Address
+            Translation</firstterm>)</entry>
          </row>

          <row>
@ -182,8 +193,9 @@
          </row>

          <row>
-            <entry><ulink url="two-interface.htm#DNAT">DNAT</ulink> (Port
-            Forwarding)</entry>
+            <entry><ulink url="two-interface.htm#DNAT">DNAT</ulink>
+            (<firstterm>Destination Network Address
+            Translation</firstterm>)</entry>

            <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
            Shorewall</ulink></entry>
@ -197,6 +209,9 @@

            <entry><ulink url="PacketMarking.html">Packet
            Marking</ulink></entry>
+
+            <entry><ulink url="upgrade_issues.htm">Upgrade
+            Issues</ulink></entry>
          </row>

          <row>
@ -206,8 +221,7 @@
            <entry><ulink url="PacketHandling.html">Packet Processing in a
            Shorewall-based Firewall</ulink></entry>

-            <entry><ulink url="upgrade_issues.htm">Upgrade
-            Issues</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
          </row>

          <row>
@ -216,7 +230,8 @@

            <entry><ulink url="ping.html">'Ping' Management</ulink></entry>

-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            Creation</ulink></entry>
          </row>

          <row>
@ -225,8 +240,8 @@
            <entry><ulink url="two-interface.htm#DNAT">Port
            Forwarding</ulink></entry>

-            <entry><ulink url="whitelisting_under_shorewall.htm">White List
-            Creation</ulink></entry>
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            DomU</ulink></entry>
          </row>

          <row>
@ -235,8 +250,8 @@

            <entry><ulink url="ports.htm">Port Information</ulink></entry>

-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            DomU</ulink></entry>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            Xen Dom0</ulink></entry>
          </row>

          <row>
@ -246,8 +261,7 @@
            <entry><ulink url="PortKnocking.html">Port Knocking and Other Uses
            of the 'Recent Match'</ulink></entry>

-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            Xen Dom0</ulink></entry>
+            <entry></entry>
          </row>

          <row>
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@ -460,6 +460,10 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
 #                                       OPTIONS                 OPTIONS
 sec     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis></programlisting>

+        <para>You should also set FASTACCEPT=No in shorewall.conf to ensure
+        that both the SYN and SYN,ACK packets have their MSS field
+        adjusted.</para>
+
        <para>Note that CLAMPMSS=Yes in <filename>shorewall.conf</filename>
        isn't effective with the 2.6 native IPSEC implementation because there
        is no separate ipsec device with a lower mtu as there was under the
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@ -16,7 +16,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2003-2006</year>
+      <year>2003-2007</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -108,6 +108,11 @@
          <para><ulink
          url="http://www.fs-security.com/">http://www.fs-security.com/</ulink></para>
        </listitem>
+
+        <listitem>
+          <para><ulink
+          url="http://www.fs-security.com/">http://www.fs-security.com/</ulink></para>
+        </listitem>
      </itemizedlist>

      <para>If you are looking for a Linux firewall solution that can handle
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@ -578,20 +578,22 @@ root@lists:~# </programlisting>
    <title>IP Masquerading (SNAT)</title>

    <para>The addresses reserved by RFC 1918 are sometimes referred to as
-    non-routable because the Internet backbone routers don't forward packets
-    which have an RFC-1918 destination address. When one of your local systems
-    (let's assume computer 1) sends a connection request to an internet host,
-    the firewall must perform <emphasis>Network Address Translation</emphasis>
-    (<acronym>NAT</acronym>). The firewall rewrites the source address in the
-    packet to be the address of the firewall's external interface; in other
-    words, the firewall makes it look as if the firewall itself is initiating
-    the connection. This is necessary so that the destination host will be
-    able to route return packets back to the firewall (remember that packets
-    whose destination address is reserved by RFC 1918 can't be routed across
-    the internet so the remote host can't address its response to computer 1).
-    When the firewall receives a return packet, it rewrites the destination
-    address back to <systemitem class="ipaddress">10.10.10.1</systemitem> and
-    forwards the packet on to computer 1.</para>
+    <firstterm>non-routable</firstterm> because the Internet backbone routers
+    don't forward packets which have an RFC-1918 destination address. When one
+    of your local systems (let's assume computer 1 in the <link
+    linkend="Diagram">above diagram</link>) sends a connection request to an
+    internet host, the firewall must perform <emphasis>Network Address
+    Translation</emphasis> (<acronym>NAT</acronym>). The firewall rewrites the
+    source address in the packet to be the address of the firewall's external
+    interface; in other words, the firewall makes it appear to the destination
+    internet host as if the firewall itself is initiating the connection. This
+    is necessary so that the destination host will be able to route return
+    packets back to the firewall (remember that packets whose destination
+    address is reserved by RFC 1918 can't be routed across the internet so the
+    remote host can't address its response to computer 1). When the firewall
+    receives a return packet, it rewrites the destination address back to
+    <systemitem class="ipaddress">10.10.10.1</systemitem> and forwards the
+    packet on to computer 1.</para>

    <para>On Linux systems, the above process is often referred to as
    <emphasis>IP Masquerading</emphasis> but you will also see the term
@ -611,8 +613,8 @@ root@lists:~# </programlisting>
        </listitem>
      </itemizedlist> In Shorewall, both <emphasis>Masquerading</emphasis> and
    <emphasis><acronym>SNAT</acronym></emphasis> are configured with entries
-    in the <filename
-    class="directory">/etc/shorewall/</filename><filename>masq</filename>
+    in the <ulink url="manpages/shorewall-masq.html"><filename
+    class="directory">/etc/shorewall/</filename><filename>masq</filename></ulink>
    file. You will normally use Masquerading if your external
    <acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the
    <acronym>IP</acronym> is static.</para>
@ -621,7 +623,8 @@ root@lists:~# </programlisting>

    <para>If your external firewall interface is <filename
    class="devicefile">eth0</filename>, you do not need to modify the file
-    provided with the sample. Otherwise, edit <filename
+    provided with <link linkend="Concepts">the sample</link>. Otherwise, edit
+    <filename
    class="directory">/etc/shorewall/</filename><filename>masq</filename> and
    change the first column to the name of your external interface and the
    second column to the name of your internal interface.</para>
@ -632,8 +635,9 @@ root@lists:~# </programlisting>
    in the third column in the <filename
    class="directory">/etc/shorewall/</filename><filename>masq</filename>
    entry if you like although your firewall will work fine if you leave that
-    column empty. Entering your static <acronym>IP</acronym> in column 3 makes
-    processing outgoing packets a little more efficient.</para>
+    column empty (Masquerade). Entering your static <acronym>IP</acronym> in
+    column 3 (SNAT) makes the processing of outgoing packets a little more
+    efficient.</para>

    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

--- a/manpages/shorewall-zones.xml
+++ b/manpages/shorewall-zones.xml
@ -167,7 +167,11 @@ c:a,b     ipv4</programlisting>
              role="bold">mss=</emphasis><emphasis>number</emphasis></term>

              <listitem>
-                <para>sets the MSS field in TCP packets</para>
+                <para>sets the MSS field in TCP packets. If you supply this
+                option, you should also set FASTACCEPT=No in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(8) to insure
+                that both the SYN and SYN,ACK packets have their MSS field
+                adjusted.</para>
              </listitem>
            </varlistentry>