Initial revision

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1439 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-07-03 15:51:55 +00:00
parent fa8b6fa111
commit 9fd5780f36
226 changed files with 555178 additions and 0 deletions

Shorewall-docsN/6to4.xml Normal file

@ -0,0 +1,111 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>6to4 Tunnels</title>
<authorgroup>
<author>
<firstname>Eric</firstname>
<surname>de Thouars</surname>
</author>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-01-05</pubdate>
<copyright>
<year>2003-2004</year>
<holder>Eric de Thoars and Tom Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<warning>
<para>The 6to4 tunnel feature of Shorewall only facilitates IPv6 over IPv4
tunneling. It does not provide any IPv6 security measures.</para>
</warning>
<para>6to4 tunneling with Shorewall can be used to connect your IPv6 network
to another IPv6 network over an IPv4 infrastructure.</para>
<para>More information on Linux and IPv6 can be found in the <ulink
url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</ulink>.
Details on how to setup a 6to4 tunnels are described in the section <ulink
url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
of 6to4 tunnels</ulink>.</para>
<section>
<title>Connecting two IPv6 Networks</title>
<para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoIPv6Nets1.png" />
<para>We want systems in the 2002:100:333::/64 subnetwork to be able to
communicate with the systems in the 2002:488:999::/64 network. This is
accomplished through use of the <filename><filename>/etc/shorewall/tunnels</filename></filename>
file and the <quote>ip</quote> utility for network interface and routing
configuration.</para>
<para>Unlike GRE and IPIP tunneling, the <filename>/etc/shorewall/policy</filename>,
<filename>/etc/shorewall/interfaces</filename> and <filename>/etc/shorewall/zones</filename>
files are not used. There is no need to declare a zone to represent the
remote IPv6 network. This remote network is not visible on IPv4 interfaces
and to iptables. All that is visible on the IPv4 level is an IPv4 stream
which contains IPv6 traffic. Separate IPv6 interfaces and ip6tables rules
need to be defined to handle this traffic.</para>
<para>In <filename>/etc/shorewall/tunnels </filename>on system A, we need
the following:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
6to4 net 134.28.54.2</programlisting>
<para>This entry in <filename>/etc/shorewall/tunnels</filename>, opens the
firewall so that the IPv6 encapsulation protocol (41) will be accepted
to/from the remote gateway.</para>
<para>Use the following commands to setup system A:</para>
<programlisting>&#62;<command>ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2</command>
&#62;<command>ip link set dev tun6to4 up</command>
&#62;<command>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4</command>
&#62;<command>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</command></programlisting>
<para>Similarly, in <filename>/etc/shorewall/tunnels</filename> on system
B we have:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
6to4 net 206.191.148.9</programlisting>
<para>And use the following commands to setup system B:</para>
<programlisting>&#62;<command>ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9</command>
&#62;<command>ip link set dev tun6to4 up</command>
&#62;<command>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4</command>
&#62;<command>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</command></programlisting>
<para>On both systems, restart Shorewall and issue the configuration
commands as listed above. The systems in both IPv6 subnetworks can now
talk to each other using IPv6.</para>
</section>
</article>
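Review bot: the `<filename>` element is nested inside itself in the second paragraph of "Connecting two IPv6 Networks" (`<filename><filename>/etc/shorewall/tunnels</filename></filename>`); drop the inner pair so the path is marked up once. Three smaller points in the same file: the copyright holder is spelled "Eric de Thoars" while the author element says "de Thouars"; `<filename>/etc/shorewall/tunnels </filename>on system A` has the separating space inside the element, so it is styled as part of the path and should move outside the closing tag; and "Details on how to setup a 6to4 tunnels are described" should read "how to set up a 6to4 tunnel is described".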


@ -0,0 +1,238 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Shorewall Traffic Accounting</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-04-19</pubdate>
<copyright>
<year>2003-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<para>Shorewall Traffic Accounting support was added in Shorewall release
1.4.7.</para>
<para>Shorewall accounting rules are described in the file
/etc/shorewall/accounting. By default, the accounting rules are placed in a
chain called <quote>accounting</quote> and can thus be displayed using
<quote>shorewall show accounting</quote>. All traffic passing into, out of
or through the firewall traverses the accounting chain including traffic
that will later be rejected by interface options such as <quote>tcpflags</quote>
and <quote>maclist</quote>. If your kernel doesn&#39;t support the
connection tracking match extension (Kernel 2.4.21) then some traffic
rejected under <quote>norfc1918</quote> will not traverse the accounting
chain.</para>
<para>The columns in the accounting file are as follows:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">ACTION </emphasis>- What to do when a match
is found. Possible values are:</para>
<itemizedlist>
<listitem>
<para>COUNT- Simply count the match and continue trying to match the
packet with the following accounting rules</para>
</listitem>
<listitem>
<para>DONE- Count the match and don&#39;t attempt to match any
following accounting rules.</para>
</listitem>
<listitem>
<para><emphasis>&#60;chain&#62;</emphasis> - The name of a chain to
jump to. Shorewall will create the chain automatically. If the name
of the chain is followed by <quote>:COUNT</quote> then a COUNT rule
matching this rule will automatically be added to &#60;chain&#62;.
Chain names must start with a letter, must be composed of letters
and digits, and may contain underscores (<quote>_</quote>) and
periods (<quote>.</quote>). Beginning with Shorewall version 1.4.8,
chain names man also contain embedded dashes (<quote>-</quote>) and
are not required to start with a letter.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><emphasis role="bold">CHAIN</emphasis> - The name of the chain
where the accounting rule is to be added. If empty or <quote>-</quote>
then the <quote>accounting</quote> chain is assumed.</para>
</listitem>
<listitem>
<para><emphasis role="bold">SOURCE</emphasis> - Packet Source. The name
of an interface, an address (host or net) or an interface name followed
by <quote>:</quote> and a host or net address.</para>
</listitem>
<listitem>
<para><emphasis role="bold">DESTINATION</emphasis> - Packet Destination
Format the same as the SOURCE column.</para>
</listitem>
<listitem>
<para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name (from
<filename>/etc/protocols</filename>) or a protocol number.</para>
</listitem>
<listitem>
<para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
number. Service name from <filename>/etc/services</filename> or port
number. May only be specified if the protocol is TCP or UDP (6 or 17).</para>
</listitem>
<listitem>
<para><emphasis role="bold">SOURCE PORT</emphasis>- Source Port number.
Service name from /etc/services or port number. May only be specified if
the protocol is TCP or UDP (6 or 17).</para>
</listitem>
</itemizedlist>
<para>In all columns except ACTION and CHAIN, the values <quote>-</quote>,<quote>any</quote>
and <quote>all</quote> are treated as wild-cards.</para>
<para>The accounting rules are evaluated in the Netfilter <quote>filter</quote>
table. This is the same environment where the <quote>rules</quote> file
rules are evaluated and in this environment, DNAT has already occurred in
inbound packets and SNAT has not yet occurred on outbound ones.</para>
<para>Accounting rules are not stateful -- each rule only handles traffic in
one direction. For example, if eth0 is your internet interface and you have
a web server in your DMZ connected to eth1 then to count HTTP traffic in
both directions requires two rules:</para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
DONE - eth0 eth1 tcp 80
DONE - eth1 eth0 tcp - 80</programlisting>
<para>Associating a counter with a chain allows for nice reporting. For
example:</para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web:COUNT - eth0 eth1 tcp 80
web:COUNT - eth1 eth0 tcp - 80
web:COUNT - eth0 eth1 tcp 443
web:COUNT - eth1 eth0 tcp - 443
DONE web</programlisting>
<para>Now <quote>shorewall show web</quote> will give you a breakdown of
your web traffic:</para>
<programlisting> [root@gateway shorewall]# shorewall show web
Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003
Counters reset Wed Aug 20 09:48:00 PDT 2003
Chain web (4 references)
pkts bytes target prot opt in out source destination
11 1335 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
18 1962 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
29 3297 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#</programlisting>
<para>Here is a slightly different example:</para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web - eth0 eth1 tcp 80
web - eth1 eth0 tcp - 80
web - eth0 eth1 tcp 443
web - eth1 eth0 tcp - 443
COUNT web eth0 eth1
COUNT web eth1 eth0</programlisting>
<para>Now <quote>shorewall show web</quote> simply gives you a breakdown by
input and output:</para>
<programlisting> [root@gateway shorewall]# shorewall show accounting web
Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003
Counters reset Wed Aug 20 10:24:33 PDT 2003
Chain accounting (3 references)
pkts bytes target prot opt in out source destination
8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
Chain web (4 references)
pkts bytes target prot opt in out source destination
8767 727K all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#</programlisting>
<para>Here&#39;s how the same example would be constructed on an HTTP server
with only one interface (eth0).</para>
<caution>
<para>READ THE ABOVE CAREFULLY -- IT SAYS <emphasis role="bold">SERVER</emphasis>.
If you want to account for web browsing, you have to reverse the rules
below.</para>
</caution>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web - eth0 - tcp 80
web - - eth0 tcp - 80
web - eth0 - tcp 443
web - - eth0 tcp - 443
COUNT web eth0
COUNT web - eth0</programlisting>
<para>Note that with only one interface, only the SOURCE (for input rules)
or the DESTINATION (for output rules) is specified in each rule.</para>
<para>Here&#39;s the output:</para>
<programlisting> [root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7
Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003
Counters reset Sat Oct 11 08:12:57 PDT 2003
Chain accounting (3 references)
pkts bytes target prot opt in out source destination
8767 727K web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
11506 13M web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
Chain web (4 references)
pkts bytes target prot opt in out source destination
8767 727K all -- eth0 * 0.0.0.0/0 0.0.0.0/0
11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0
[root@mail shorewall]#</programlisting>
<para>For an example of integrating Shorewall Accounting with MRTG, see
<ulink url="http://www.nightbrawler.com/code/shorewall-stats/">http://www.nightbrawler.com/code/shorewall-stats/</ulink>.</para>
</article>
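Review bot: in the final `shorewall show accounting web` listing the version string has been wrapped onto the command line (`[root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7` followed by `Chains accounting web at mail.shorewall.net - Sun Oct 12 ...`); the earlier listing shows the real shape, `Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - ...` as one output line, so `Shorewall-1.4.7` belongs at the start of the second line. Also in this file: "chain names man also contain embedded dashes" should be "may"; "Packet Destination Format the same as the SOURCE column" needs a period after "Destination"; `<quote>-</quote>,<quote>any</quote>` needs a space after the comma; `/etc/shorewall/accounting` and the second `/etc/services` are plain text while the other paths in the file use `<filename>`; and the parenthetical "(Kernel 2.4.21)" after "doesn't support the connection tracking match extension" does not say whether 2.4.21 is a kernel that lacks the match or the first one that has it, which matters because the sentence tells the reader which traffic will be missing from the accounting counters.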


@ -0,0 +1,542 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Corporate Network</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
<author>
<firstname>Graeme</firstname>
<surname>Boyle</surname>
</author>
</authorgroup>
<pubdate>2003-11-13</pubdate>
<copyright>
<year>2003 Thomas M. Eastep and Graeme Boyle</year>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>The Network</title>
<note>
<itemizedlist>
<listitem>
<para>This configuration is used on a corporate network that has a
Linux (RedHat 8.0) server with three interfaces, running Shorewall
1.4.5 release,</para>
</listitem>
<listitem>
<para>Make sure you know what public IP addresses are currently
being used and verify these <emphasis>before</emphasis> starting.</para>
</listitem>
<listitem>
<para>Verify your DNS settings <emphasis>before</emphasis> starting
any Shorewall configuration especially if you have split DNS.</para>
</listitem>
<listitem>
<para>System names and Internet IP addresses have been changed to
protect the innocent.</para>
</listitem>
</itemizedlist>
</note>
<warning>
<para>This configuration uses a combination of One-to-one NAT and Proxy
ARP. This is generally not relevant to a simple configuration with a
single public IP address. If you have just a single public IP address,
most of what you see here won&#39;t apply to your setup so beware of
copying parts of this configuration and expecting them to work for you.
What you copy may or may not work in your configuration.</para>
</warning>
<para>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
internet is connected to eth0. The local network is connected via eth1
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have
an IPSec tunnel connecting our offices in Germany to our offices in the
US. I host two Microsoft Exchange servers for two different companies
behind the firewall hence, the two Exchange servers in the diagram below.</para>
<section>
<title>Summary</title>
<itemizedlist>
<listitem>
<para>SNAT for all systems connected to the LAN - Internal addresses
10.10.x.x to external address 192.0.18.127.</para>
</listitem>
<listitem>
<para>One-to-one NAT for <emphasis>Polaris</emphasis> (Exchange
Server #2). Internal address 10.10.1.8 and external address
192.0.18.70.</para>
</listitem>
<listitem>
<para>One-to-one NAT for <emphasis>Sims</emphasis> (Inventory
Management server). Internal address 10.10.1.56 and external address
192.0.18.75.</para>
</listitem>
<listitem>
<para>One-to-one NAT for <emphasis>Project</emphasis> (Project Web
Server). Internal address 10.10.1.55 and external address
192.0.18.84.</para>
</listitem>
<listitem>
<para>One-to-one NAT for <emphasis>Fortress</emphasis> (Exchange
Server). Internal address 10.10.1.252 and external address
192.0.18.93.</para>
</listitem>
<listitem>
<para>One-to-one NAT for <emphasis>BBSRV</emphasis> (Blackberry
Server). Internal address 10.10.1.230 and external address
192.0.18.97.</para>
</listitem>
<listitem>
<para>One-to-one NAT for <emphasis>Intweb</emphasis> (Intranet Web
Server). Internal address 10.10.1.60 and external address
192.0.18.115.</para>
</listitem>
</itemizedlist>
<para>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard
with RH8.0.</para>
<para>The Firewall is also a proxy server running Privoxy 3.0.</para>
<para>The single system in the DMZ (address 192.0.18.80) runs sendmail,
imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0).
That server is managed through Proxy ARP.</para>
<para>All administration and publishing is done using ssh/scp. I have X
installed on the firewall and the system in the DMZ. X applications
tunnel through SSH to Hummingbird Exceed running on a PC located in the
LAN. Access to the firewall using SSH is restricted to systems in the
LAN, DMZ or the system Kaos which is on the Internet and managed by me.</para>
<graphic fileref="images/CorpNetwork.gif" />
<para>The Ethernet 0 interface in the Server is configured with IP
address 192.0.18.68, netmask 255.255.255.192. The server&#39;s default
gateway is 192.0.18.65, the Router connected to my network and the ISP.
This is the same default gateway used by the firewall itself. On the
firewall, Shorewall automatically adds a host route to 192.0.18.80
through Ethernet 2 (192.168.21.1) because of the entry in
/etc/shorewall/proxyarp (see below). I modified the start, stop and init
scripts to include the fixes suggested when having an IPSec tunnel.</para>
</section>
<section>
<title>Some Mistakes I Made</title>
<para>Yes, believe it or not, I made some really basic mistakes when
building this firewall. Firstly, I had the new firewall setup in
parallel with the old firewall so that there was no interruption of
service to my users. During my out-bound testing, I set up systems on
the LAN to utilize the firewall which worked fine. When testing my NAT
connections, from the outside, these would fail and I could not
understand why. Eventually, I changed the default route on the internal
system I was trying to access, to point to the new firewall and
<quote>bingo</quote>, everything worked as expected. This oversight
delayed my deployment by a couple of days not to mention level of
frustration it produced.</para>
<para>Another problem that I encountered was in setting up the Proxyarp
system in the DMZ. Initially I forgot to remove the entry for the eth2
from the /etc/shorewall/masq file. Once my file settings were correct, I
started verifying that the ARP caches on the firewall, as well as the
outside system <quote>kaos</quote>, were showing the correct Ethernet
MAC address. However, in testing remote access, I could access the
system in the DMZ only from the firewall and LAN but not from the
Internet. The message I received was <quote>connection denied</quote> on
all protocols. What I did not realize was that a <quote>helpful</quote>
administrator that had turned on an old system and assigned the same
address as the one I was using for Proxyarp without notifying me. How
did I work this out. I shutdown the system in the DMZ, rebooted the
router and flushed the ARP cache on the firewall and kaos. Then, from
kaos, I started pinging that IP address and checked the updated ARP
cache and lo-and-behold a different MAC address showed up. High levels
of frustration etc., etc. The administrator will not be doing that
again! :-)</para>
</section>
<section>
<title>Lessons Learned</title>
<itemizedlist>
<listitem>
<para>Read the documentation.</para>
</listitem>
<listitem>
<para>Draw your network topology before starting.</para>
</listitem>
<listitem>
<para>Understand what services you are going to allow in and out of
the firewall, whether they are TCP or UDP packets and make a note of
these port numbers.</para>
</listitem>
<listitem>
<para>Try to get quiet time to build the firewall - you need to
focus on the job at hand.</para>
</listitem>
<listitem>
<para>When asking for assistance, be honest and include as much
detail as requested. Don&#39;t try and hide IP addresses etc., you
will probably screw up the logs and make receiving assistance
harder.</para>
</listitem>
<listitem>
<para>Read the documentation.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Futures</title>
<para>This is by no means the final configuration. In the near future, I
will be moving more systems from the LAN to the DMZ. I will also be
watching the logs for port scan programs etc. but, this should be
standard security maintenance.</para>
</section>
</section>
<section>
<title>Configuation Files</title>
<para>Here are copies of my files. I have removed most of the internal
documentation for the purpose of this space however, my system still has
the original files with all the comments and I highly recommend you do the
same.</para>
<section>
<title>Shorewall.conf</title>
<programlisting>##############################################################################
# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
##############################################################################
# L O G G I N G
##############################################################################
LOGFILE=/var/log/messages
LOGFORMAT=<quote>Shorewall:%s:%s:</quote>
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=debug
RFC1918_LOG_LEVEL=debug
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
FW=fw
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=No
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=Yes
NAT_BEFORE_RULES=No
MULTIPORT=Yes
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>Zones File</title>
<programlisting>#
# Shorewall 1.4 -- Sample Zone File For Two Interfaces
# /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local Networks
dmz DMZ Demilitarized Zone
vpn1 VPN1 VPN to Germany
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>Interfaces File</title>
<programlisting>##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags
loc eth1 detect dhcp,routefilter
dmz eth2 detect
vpn1 ipsec0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</section>
<section>
<title>Routestopped File</title>
<programlisting>#INTERFACE HOST(S)
eth1 -
eth2 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>Policy File</title>
<programlisting>###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
loc fw ACCEPT
loc dmz ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw net ACCEPT
fw loc ACCEPT
fw dmz ACCEPT
dmz fw ACCEPT
dmz loc ACCEPT
dmz net ACCEPT
#
# Adding VPN Access
loc vpn1 ACCEPT
dmz vpn1 ACCEPT
fw vpn1 ACCEPT
vpn1 loc ACCEPT
vpn1 dmz ACCEPT
vpn1 fw ACCEPT
#
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>Masq File</title>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0 eth1 1192.0.18.126
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>NAT File</title>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
#
# Intranet Web Server
192.0.18.115 eth0:0 10.10.1.60 No No
#
# Project Web Server
192.0.18.84 eth0:1 10.10.1.55 No No
#
# Blackberry Server
192.0.18.97 eth0:2 10.10.1.55 No No
#
# Corporate Mail Server
192.0.18.93 eth0:3 10.10.1.252 No No
#
# Second Corp Mail Server
192.0.18.70 eth0:4 10.10.1.8 No No
#
# Sims Server
192.0.18.75 eth0:5 10.10.1.56 No No
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>Proxy ARP File</title>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE
#
# The Corporate email server in the DMZ
192.0.18.80 eth2 eth0 No
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>Tunnels File</title>
<programlisting># TYPE ZONE GATEWAY GATEWAY ZONE PORT
ipsec net 134.147.129.82
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>Rules File (The shell variables are set in /etc/shorewall/params)</title>
<programlisting>##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
# Accept SSH from internet interface from kaos only
#
ACCEPT net:192.0.18.98 fw tcp 22
#
# Accept connections from the local network for administration
#
ACCEPT loc fw tcp 20:22
ACCEPT loc net tcp 22
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
ACCEPT loc net tcp 53
ACCEPT loc net udp 53
#
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT loc net icmp 8
ACCEPT dmz fw icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
DROP net fw icmp 8
DROP net loc icmp 8
DROP net dmz icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw dmz icmp 8
DROP fw net icmp 8
#
# Accept proxy web connections from the inside
#
ACCEPT loc fw tcp 8118
#
# Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems
# From a specific IP Address on the Internet.
#
# ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http
# ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632
#
# Intranet web server
ACCEPT net loc:10.10.1.60 tcp 443
ACCEPT dmz loc:10.10.1.60 tcp 443
#
# Projects web server
ACCEPT net loc:10.10.1.55 tcp 80
ACCEPT dmz loc:10.10.1.55 tcp 80
#
# Blackberry Server
ACCEPT net loc:10.10.1.230 tcp 3101
#
# Corporate Email Server
ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443
#
# Corporate #2 Email Server
ACCEPT net loc:10.10.1.8 tcp 25,80,110,443
#
# Sims Server
ACCEPT net loc:10.10.1.56 tcp 80,443
ACCEPT net loc:10.10.1.56 tcp 7001:7002
ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632
#
# Access to DMZ
ACCEPT loc dmz udp 53,177
ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -
ACCEPT net dmz udp 53
ACCEPT net dmz tcp 25,53,22,21,123
ACCEPT dmz net tcp 25,53,80,123,443,21,22
ACCEPT dmz net udp 53
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</section>
<section>
<title>Start File</title>
<programlisting>############################################################################
# Shorewall 1.4 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
qt service ipsec start</programlisting>
</section>
<section>
<title>Stop File</title>
<programlisting>############################################################################
# Shorewall 1.4 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# <quote>shorewall stop</quote> command.
#
qt service ipsec stop</programlisting>
</section>
<section>
<title>Init File</title>
<programlisting>############################################################################
# Shorewall 1.4 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a <quote>shorewall start</quote> or <quote>shorewall restart</quote> command.
#
qt service ipsec stop</programlisting>
</section>
</section>
</article>
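Review bot: the NAT File entry for the Blackberry Server maps `192.0.18.97 eth0:2 10.10.1.55`, but the Summary gives BBSRV's internal address as 10.10.1.230 and the Rules File forwards `ACCEPT net loc:10.10.1.230 tcp 3101`; 10.10.1.55 is the Project Web Server, so as written inbound traffic for 192.0.18.97 would be translated to the project web server and the port 3101 rule would never match it. The internal address should be 10.10.1.230. Related inconsistencies in the same file: the Masq File line `eth0 eth1 1192.0.18.126` is not a valid IPv4 address (stray leading "1"), and the Summary says LAN traffic is SNATed to 192.0.18.127, which is the broadcast address of the 192.0.18.64/26 block described at the top of the article, so the two should be reconciled; the Interfaces File gives eth0 a broadcast of `62.123.106.127` although every other address in the document is in 192.0.18.0/24, so the anonymisation is incomplete there. `LOGFORMAT=<quote>Shorewall:%s:%s:</quote>` (and the `<quote>` elements in the stop and init listings) will render as typographic quotes inside a `<programlisting>`; use literal `"` characters so the lines can be copied into shell configuration. From a design standpoint the policy `dmz loc ACCEPT` gives the DMZ host unrestricted access to the LAN, which undercuts the purpose of the DMZ; a REJECT or DROP policy with explicit rules for the services the LAN actually needs from it would be the safer default. Finally, the section title "Configuation Files" is misspelled.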

File diff suppressed because it is too large


@ -0,0 +1,402 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Shorewall Documentation</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-07-03</pubdate>
<copyright>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<edition>2.0.3</edition>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<caution>
<para>Are you running Shorewall on <ulink
url="http://www.mandrakesoft.com"><trademark>Mandrake</trademark> Linux</ulink>
with a two-interface setup?</para>
<para>If so and if you configured your system while running a Mandrake
release earlier than 10.0 final then this documentation will not apply
directly to your environment. If you want to use the documentation that
you find here, you will want to consider uninstalling what you have and
installing a configuration that matches this documentation. See the <ulink
url="two-interface.htm">Two-interface QuickStart Guide</ulink> for
details.</para>
</caution>
<itemizedlist>
<listitem>
<para><ulink url="Introduction.html">Introduction to Shorewall</ulink></para>
</listitem>
<listitem>
<para><ulink url="shorewall_quickstart_guide.htm">QuickStart Guides
(HOWTOS)</ulink></para>
</listitem>
</itemizedlist>
<para>The remainder of the Documentation supplements the QuickStart Guides.
Please review the appropriate guide before trying to use this documentation
directly.</para>
<orderedlist>
<listitem>
<para><ulink url="Kernel2.6.html">2.6 Kernel</ulink></para>
</listitem>
<listitem>
<para><ulink url="Accounting.html">Accounting</ulink></para>
</listitem>
<listitem>
<para><ulink url="Shorewall_and_Aliased_Interfaces.html">Aliased
(virtual) Interfaces (e.g., eth0:0)</ulink></para>
</listitem>
<listitem>
<para><ulink url="traffic_shaping.htm">Bandwidth Control</ulink></para>
</listitem>
<listitem>
<para><ulink url="blacklisting_support.htm">Blacklisting</ulink></para>
<itemizedlist>
<listitem>
<para>Static Blacklisting using /etc/shorewall/blacklist</para>
</listitem>
<listitem>
<para>Dynamic Blacklisting using /sbin/shorewall</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><ulink url="bridge.html">Bridge/Firewall</ulink></para>
</listitem>
<listitem>
<para><ulink url="starting_and_stopping_shorewall.htm">Commands</ulink>
(Description of all /sbin/shorewall commands)</para>
</listitem>
<listitem>
<para><ulink url="configuration_file_basics.htm">Common configuration
file features&#x00A0;</ulink><itemizedlist><listitem><para><ulink
url="configuration_file_basics.htm#Comments">Comments in configuration
files</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Continuation">Line Continuation</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Ports">Port Numbers/Service Names</ulink>configuration_file_basics.htm#Ports</para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Ranges">Port Ranges</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Variables">Using Shell Variables</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#dnsnames">Using DNS Names</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Compliment">Complementing an IP
address or Subnet</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Levels">Shorewall Configurations
(making a test configuration)</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</ulink></para></listitem></itemizedlist></para>
</listitem>
<listitem>
<para><ulink url="Documentation.htm">Configuration File Reference Manual
</ulink><itemizedlist><listitem><para><ulink
url="Documentation.htm#Variables">params</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Zones">zones</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Interfaces">interfaces</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Hosts">hosts</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Policy">policy</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Rules">rules</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Masq">masq</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#ProxyArp">proxyarp</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#NAT">nat</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Tunnels">tunnels</ulink></para></listitem><listitem><para><ulink
url="traffic_shaping.htm#tcrules">tcrules</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Conf">shorewall.conf</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#modules">modules</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#TOS">tos</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Blacklist">blacklist</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#rfc1918">rfc1918</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Routestopped">routestopped</ulink></para></listitem><listitem><para><ulink
url="Accounting.html">accounting</ulink></para></listitem><listitem><para><ulink
url="UserSets.html">usersets and users</ulink></para></listitem><listitem><para><ulink
url="MAC_Validation.html">maclist</ulink></para></listitem><listitem><para><ulink
url="User_defined_Actions.html">actions and action.template</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Bogons">bogons</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Netmap">netmap</ulink></para></listitem></itemizedlist></para>
</listitem>
<listitem>
<para><ulink url="CorpNetwork.htm">Corporate Network Example</ulink>
(Contributed by a Graeme Boyle)</para>
</listitem>
<listitem>
<para><ulink url="dhcp.htm">DHCP</ulink></para>
</listitem>
<listitem>
<para><ulink url="ECN.html">ECN Disabling by host or subnet</ulink></para>
</listitem>
<listitem>
<para><ulink url="errata.htm">Errata</ulink></para>
</listitem>
<listitem>
<para><ulink url="shorewall_extension_scripts.htm">Extension Scripts</ulink>
(How to extend Shorewall without modifying Shorewall code through the
use of files in /etc/shorewall -- /etc/shorewall/start,
/etc/shorewall/stopped, etc.)</para>
</listitem>
<listitem>
<para><ulink url="fallback.htm">Fallback/Uninstall</ulink></para>
</listitem>
<listitem>
<para><ulink url="FAQ.htm">FAQs</ulink></para>
</listitem>
<listitem>
<para><ulink url="shorewall_features.htm">Features</ulink></para>
</listitem>
<listitem>
<para><ulink url="Multiple_Zones.html">Forwarding Traffic on the Same
Interface</ulink></para>
</listitem>
<listitem>
<para><ulink url="FTP.html">FTP and Shorewall</ulink></para>
</listitem>
<listitem>
<para><ulink url="support.htm">Getting help or answers to questions</ulink></para>
</listitem>
<listitem>
<para><ulink url="Install.htm">Installation/Upgrade</ulink></para>
</listitem>
<listitem>
<para><ulink url="IPSEC.htm">IPSEC</ulink></para>
</listitem>
<listitem>
<para><ulink url="Shorewall_and_Kazaa.html">Kazaa Filtering</ulink></para>
</listitem>
<listitem>
<para><ulink url="kernel.htm">Kernel Configuration</ulink></para>
</listitem>
<listitem>
<para><ulink url="shorewall_logging.html">Logging</ulink></para>
</listitem>
<listitem>
<para><ulink url="MAC_Validation.html">MAC Verification</ulink></para>
</listitem>
<listitem>
<para><ulink url="Multiple_Zones.html">Multiple Zones Through One
Interface</ulink></para>
</listitem>
<listitem>
<para><ulink url="myfiles.htm">My Shorewall Configuration</ulink> (How I
personally use Shorewall)</para>
</listitem>
<listitem>
<para><ulink url="NetfilterOverview.html">Netfilter Overview</ulink></para>
</listitem>
<listitem>
<para><ulink url="netmap.html">Network Mapping</ulink></para>
</listitem>
<listitem>
<para><ulink url="NAT.htm">One-to-one NAT</ulink> (Formerly referred to
as Static NAT)</para>
</listitem>
<listitem>
<para><ulink url="OPENVPN.html">OpenVPN</ulink></para>
</listitem>
<listitem>
<para><ulink url="starting_and_stopping_shorewall.htm">Operating
Shorewall</ulink></para>
</listitem>
<listitem>
<para><ulink url="ping.html">&#39;Ping&#39; Management</ulink></para>
</listitem>
<listitem>
<para><ulink url="ports.htm">Port Information</ulink></para>
<itemizedlist>
<listitem>
<para>Which applications use which ports</para>
</listitem>
<listitem>
<para>Ports used by Trojans</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><ulink url="PPTP.htm">PPTP</ulink></para>
</listitem>
<listitem>
<para><ulink url="ProxyARP.htm">Proxy ARP</ulink></para>
</listitem>
<listitem>
<para><ulink url="ReleaseModel.html">Release Model</ulink></para>
</listitem>
<listitem>
<para><ulink url="shorewall_prerequisites.htm">Requirements</ulink></para>
</listitem>
<listitem>
<para><ulink url="Multiple_Zones.html">Routing on One Interface</ulink></para>
</listitem>
<listitem>
<para><ulink url="samba.htm">Samba</ulink></para>
</listitem>
<listitem>
<para><ulink url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#Introduction">Introduction</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Concepts">Shorewall Concepts</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Interfaces">Network Interfaces</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Addressing">Addressing, Subnets and
Routing</ulink></para><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#Addresses">IP Addresses</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Subnets">Subnets</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Routing">Routing</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#ARP">Address Resolution Protocol (ARP)</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#RFC1918">RFC 1918</ulink></para></listitem></itemizedlist></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Options">Setting up your Network</ulink></para><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#Routed">Routed</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#NonRouted">Non-routed</ulink></para><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#SNAT">SNAT</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#DNAT">DNAT</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#ProxyARP">Proxy ARP</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#NAT">One-to-one NAT</ulink></para></listitem></itemizedlist></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Rules">Rules</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#OddsAndEnds">Odds and Ends</ulink></para></listitem></itemizedlist></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#DNS">DNS</ulink></para></listitem><listitem><para><ulink
url="starting_and_stopping_shorewall.htm">Starting and Stopping the
Firewall</ulink></para></listitem></itemizedlist></para>
</listitem>
<listitem>
<para><ulink url="starting_and_stopping_shorewall.htm">Starting/stopping
the Firewall</ulink><itemizedlist><listitem><para>Description of all
/sbin/shorewall commands</para></listitem><listitem><para>How to safely
test a Shorewall configuration change</para></listitem></itemizedlist></para>
</listitem>
<listitem>
<para><ulink url="Shorewall_Squid_Usage.html">Squid with Shorewall</ulink></para>
</listitem>
<listitem>
<para><ulink url="Accounting.html">Traffic Accounting</ulink></para>
</listitem>
<listitem>
<para><ulink url="traffic_shaping.htm">Traffic Shaping/QOS</ulink></para>
</listitem>
<listitem>
<para><ulink url="troubleshoot.htm">Troubleshooting</ulink> (Things to
try if it doesn&#39;t work)</para>
</listitem>
<listitem>
<para><ulink url="User_defined_Actions.html">User-defined Actions</ulink></para>
</listitem>
<listitem>
<para><ulink url="UserSets.html">UID/GID Based Rules</ulink></para>
</listitem>
<listitem>
<para><ulink url="upgrade_issues.htm">Upgrade Issues</ulink></para>
</listitem>
<listitem>
<para>VPN</para>
<itemizedlist>
<listitem>
<para><ulink url="IPSEC.htm">IPSEC</ulink></para>
</listitem>
<listitem>
<para><ulink url="IPIP.htm">GRE and IPIP</ulink></para>
</listitem>
<listitem>
<para><ulink url="OPENVPN.html">OpenVPN</ulink></para>
</listitem>
<listitem>
<para><ulink url="PPTP.htm">PPTP</ulink></para>
</listitem>
<listitem>
<para><ulink url="6to4.htm">6to4</ulink></para>
</listitem>
<listitem>
<para><ulink url="VPN.htm">IPSEC/PPTP passthrough from a system
behind your firewall to a remote network</ulink></para>
</listitem>
<listitem>
<para><ulink url="GenericTunnels.html">Other VPN types</ulink></para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><ulink url="whitelisting_under_shorewall.htm">White List Creation</ulink></para>
</listitem>
</orderedlist>
</article>
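Review bot: the "Port Numbers/Service Names" item in the Common configuration file features list carries the stray text `configuration_file_basics.htm#Ports` after its closing `</ulink>`, so it will render as literal text in the index; delete it. Two smaller things in the same file: "(Contributed by a Graeme Boyle)" has a stray "a", and the index mixes `.htm` and `.html` targets (`Introduction.html` beside `shorewall_quickstart_guide.htm`, `6to4.htm` in the VPN sub-list), which makes it easy for an entry to point at a name the DocBook build does not generate; each target should be checked against the actual output file names.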


@ -0,0 +1,314 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Shorewall Documentation</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-03-28</pubdate>
<copyright>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<edition>2.0.1</edition>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<caution>
<para>Are you running Shorewall on <ulink
url="http://www.mandrakesoft.com"><trademark>Mandrake</trademark> Linux</ulink>
with a two-interface setup?</para>
<para>If so and if you configured your system while running a Mandrake
release earlier than 10.0 final then this documentation will not apply
directly to your environment. If you want to use the documentation that
you find here, you will want to consider uninstalling what you have and
installing a configuration that matches this documentation. See the <ulink
url="two-interface.htm">Two-interface QuickStart Guide</ulink> for
details.</para>
</caution>
<itemizedlist>
<listitem>
<para><ulink url="Introduction.html">Introduction to Shorewall</ulink></para>
</listitem>
<listitem>
<para><ulink url="shorewall_quickstart_guide.htm">QuickStart Guides
(HOWTOS)</ulink></para>
</listitem>
</itemizedlist>
<para>The remainder of the Documentation supplements the QuickStart Guides.
Please review the appropriate guide before trying to use this documentation
directly.</para>
<table frame="none">
<title>Documentation (Alphabetical by column)</title>
<tgroup cols="2">
<tbody>
<row>
<entry><ulink url="Accounting.html">Accounting</ulink></entry>
<entry><ulink url="myfiles.htm">My Shorewall Configuration</ulink>
(How I personally use Shorewall)</entry>
</row>
<row>
<entry><ulink url="Shorewall_and_Aliased_Interfaces.html">Aliased
(virtual) Interfaces (e.g., eth0:0)</ulink></entry>
<entry><ulink url="NetfilterOverview.html">Netfilter Overview</ulink></entry>
</row>
<row>
<entry><ulink url="traffic_shaping.htm">Bandwidth Control</ulink></entry>
<entry><ulink url="netmap.html">Network Mapping</ulink></entry>
</row>
<row>
<entry><ulink url="blacklisting_support.htm">Blacklisting</ulink><itemizedlist><listitem><para>Static
Blacklisting using /etc/shorewall/blacklist</para></listitem><listitem><para>Dynamic
Blacklisting using /sbin/shorewall</para></listitem></itemizedlist></entry>
<entry><ulink url="NAT.htm">One-to-one NAT</ulink> (Formerly
referred to as Static NAT)</entry>
</row>
<row>
<entry><ulink url="bridge.html">Bridge/Firewall</ulink></entry>
<entry><ulink url="OPENVPN.html">OpenVPN</ulink></entry>
</row>
<row>
<entry><ulink url="starting_and_stopping_shorewall.htm">Commands</ulink>
(Description of all /sbin/shorewall commands)</entry>
<entry><ulink url="starting_and_stopping_shorewall.htm">Operating
Shorewall</ulink></entry>
</row>
<row>
<entry><ulink url="configuration_file_basics.htm">Common
configuration file features&#x00A0;</ulink><itemizedlist><listitem><para><ulink
url="configuration_file_basics.htm#Comments">Comments in
configuration files</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Continuation">Line Continuation</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Ports">Port Numbers/Service Names</ulink>configuration_file_basics.htm#Ports</para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Ranges">Port Ranges</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Variables">Using Shell Variables</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#dnsnames">Using DNS Names</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Compliment">Complementing an IP
address or Subnet</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#Levels">Shorewall Configurations
(making a test configuration)</ulink></para></listitem><listitem><para><ulink
url="configuration_file_basics.htm#MAC">Using MAC Addresses in
Shorewall</ulink></para></listitem></itemizedlist></entry>
<entry><ulink url="ping.html">&#39;Ping&#39; Management</ulink></entry>
</row>
<row>
<entry><ulink url="Documentation.htm">Configuration File Reference
Manual</ulink><itemizedlist><listitem><para><ulink
url="Documentation.htm#Variables">params</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Zones">zones</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Interfaces">interfaces</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Hosts">hosts</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Policy">policy</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Rules">rules</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Common">common</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Masq">masq</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#ProxyArp">proxyarp</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#NAT">nat</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Tunnels">tunnels</ulink></para></listitem><listitem><para><ulink
url="traffic_shaping.htm#tcrules">tcrules</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Conf">shorewall.conf</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#modules">modules</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#TOS">tos</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Blacklist">blacklist</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#rfc1918">rfc1918</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Routestopped">routestopped</ulink></para></listitem><listitem><para><ulink
url="Accounting.html">accounting</ulink></para></listitem><listitem><para><ulink
url="UserSets.html">usersets and users</ulink></para></listitem><listitem><para><ulink
url="MAC_Validation.html">maclist</ulink></para></listitem><listitem><para><ulink
url="User_defined_Actions.html">actions and action.template</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Bogons">bogons</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Netmap">netmap</ulink></para></listitem></itemizedlist></entry>
<entry><ulink url="ports.htm">Port Information</ulink><itemizedlist><listitem><para>Which
applications use which ports</para></listitem><listitem><para>Ports
used by Trojans</para></listitem></itemizedlist></entry>
</row>
<row>
<entry><ulink url="CorpNetwork.htm">Corporate Network Example</ulink>
(Contributed by a Graeme Boyle)</entry>
<entry><ulink url="PPTP.htm">PPTP</ulink></entry>
</row>
<row>
<entry><ulink url="dhcp.htm">DHCP</ulink></entry>
<entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
</row>
<row>
<entry><ulink url="errata.htm">Errata</ulink></entry>
<entry><ulink url="shorewall_prerequisites.htm">Requirements</ulink></entry>
</row>
<row>
<entry><ulink url="shorewall_extension_scripts.htm">Extension
Scripts</ulink> (How to extend Shorewall without modifying Shorewall
code through the use of files in /etc/shorewall --
/etc/shorewall/start, /etc/shorewall/stopped, etc.)</entry>
<entry><ulink url="Multiple_Zones.html">Routing on One Interface</ulink></entry>
</row>
<row>
<entry><ulink url="fallback.htm">Fallback/Uninstall</ulink></entry>
<entry><ulink url="samba.htm">Samba</ulink></entry>
</row>
<row>
<entry><ulink url="FAQ.htm">FAQs</ulink></entry>
<entry><ulink url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#Introduction">Introduction</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Concepts">Shorewall Concepts</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Interfaces">Network Interfaces</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Addressing">Addressing, Subnets and
Routing</ulink></para><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#Addresses">IP Addresses</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Subnets">Subnets</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Routing">Routing</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#ARP">Address Resolution Protocol
(ARP)</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#RFC1918">RFC 1918</ulink></para></listitem></itemizedlist></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Options">Setting up your Network</ulink></para><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#Routed">Routed</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#NonRouted">Non-routed</ulink></para><itemizedlist><listitem><para><ulink
url="shorewall_setup_guide.htm#SNAT">SNAT</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#DNAT">DNAT</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#ProxyARP">Proxy ARP</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#NAT">One-to-one NAT</ulink></para></listitem></itemizedlist></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#Rules">Rules</ulink></para></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#OddsAndEnds">Odds and Ends</ulink></para></listitem></itemizedlist></listitem><listitem><para><ulink
url="shorewall_setup_guide.htm#DNS">DNS</ulink></para></listitem><listitem><para><ulink
url="starting_and_stopping_shorewall.htm">Starting and Stopping the
Firewall</ulink></para></listitem></itemizedlist></entry>
</row>
<row>
<entry><ulink url="shorewall_features.htm">Features</ulink></entry>
<entry><ulink url="starting_and_stopping_shorewall.htm">Starting/stopping
the Firewall</ulink><itemizedlist><listitem><para>Description of all
/sbin/shorewall commands</para></listitem><listitem><para>How to
safely test a Shorewall configuration change</para></listitem></itemizedlist></entry>
</row>
<row>
<entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
Same Interface</ulink></entry>
<entry><ulink url="Shorewall_Squid_Usage.html">Squid with Shorewall</ulink></entry>
</row>
<row>
<entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
<entry><ulink url="Accounting.html">Traffic Accounting</ulink></entry>
</row>
<row>
<entry><ulink url="support.htm">Getting help or answers to questions</ulink></entry>
<entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS</ulink></entry>
</row>
<row>
<entry><ulink url="Install.htm">Installation/Upgrade</ulink></entry>
<entry><ulink url="troubleshoot.htm">Troubleshooting</ulink> (Things
to try if it doesn&#39;t work)</entry>
</row>
<row>
<entry><ulink url="IPSEC.htm">IPSEC</ulink></entry>
<entry><ulink url="User_defined_Actions.html">User-defined Actions</ulink></entry>
</row>
<row>
<entry><ulink url="Shorewall_and_Kazaa.html">Kazaa Filtering</ulink></entry>
<entry><ulink url="UserSets.html">UID/GID Based Rules</ulink></entry>
</row>
<row>
<entry><ulink url="kernel.htm">Kernel Configuration</ulink></entry>
<entry><ulink url="upgrade_issues.htm">Upgrade Issues</ulink></entry>
</row>
<row>
<entry><ulink url="shorewall_logging.html">Logging</ulink></entry>
<entry>VPN<itemizedlist><listitem><para><ulink url="IPSEC.htm">IPSEC</ulink></para></listitem><listitem><para><ulink
url="IPIP.htm">GRE and IPIP</ulink></para></listitem><listitem><para><ulink
url="OPENVPN.html">OpenVPN</ulink></para></listitem><listitem><para><ulink
url="PPTP.htm">PPTP</ulink></para></listitem><listitem><para><ulink
url="6to4.htm">6to4</ulink></para></listitem><listitem><para><ulink
url="VPN.htm">IPSEC/PPTP passthrough from a system behind your
firewall to a remote network</ulink></para></listitem><listitem><para><ulink
url="GenericTunnels.html">Other VPN types</ulink></para></listitem></itemizedlist></entry>
</row>
<row>
<entry><ulink url="MAC_Validation.html">MAC Verification</ulink></entry>
<entry><ulink url="whitelisting_under_shorewall.htm">White List
Creation</ulink></entry>
</row>
<row>
<entry><ulink url="Multiple_Zones.html">Multiple Zones Through One
Interface</ulink></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
</article>
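Review bot: this table-form index and the list-form index earlier in the commit disagree on content: the table lists `common` (`Documentation.htm#Common`) under the Configuration File Reference Manual, which the list form omits, and the table has no rows for "2.6 Kernel", "ECN Disabling by host or subnet" or "Release Model", all of which the list form has. Either generate one from the other or drop one; otherwise they will keep drifting. The same defects as in the list form are present here: the stray `configuration_file_basics.htm#Ports` text after the "Port Numbers/Service Names" link, and "a Graeme Boyle" in the Corporate Network Example row.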

92
Shorewall-docsN/ECN.xml Normal file

@ -0,0 +1,92 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="ECN">
<!--$Id$-->
<articleinfo>
<title>ECN</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2003-03-28</pubdate>
<copyright>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Explicit Congestion Notification (ECN)</title>
<para>Explicit Congestion Notification (ECN) is described in RFC 3168 and
is a proposed internet standard. Unfortunately, not all sites support ECN
and when a TCP connection offering ECN is sent to sites that don&#39;t
support it, the result is often that the connection request is ignored.</para>
<para>To allow ECN to be used, Shorewall allows you to enable ECN on your
Linux systems then disable it in your firewall when the destination
matches a list that you create (the /etc/shorewall/ecn file).</para>
<para>You enable ECN by</para>
<programlisting>echo 1 &#62; /proc/sys/net/ipv4/tcp_ecn</programlisting>
<para>You must arrange for that command to be executed at system boot.
Most distributions have a method for doing that -- on RedHat, you make an
entry in /etc/sysctl.conf.</para>
<programlisting>net.ipv4.tcp_ecn = 1</programlisting>
<para>Entries in /etc/shorewall/ecn have two columns as follows:</para>
<variablelist>
<varlistentry>
<term>INTERFACE</term>
<listitem>
<para>The name of an interface on your system</para>
</listitem>
</varlistentry>
<varlistentry>
<term>HOST(S)</term>
<listitem>
<para>An address (host or subnet) of a system or group of systems
accessed through the interface in the first column. You may include
a comma-separated list of such addresses in this column.</para>
</listitem>
</varlistentry>
</variablelist>
<example>
<title>Your external interface is eth0 and you want to disable ECN for
tcp connections to 192.0.2.0/24:</title>
<para><table><title>/etc/shorewall/ecn</title><tgroup cols="2"><thead><row><entry
align="center">INTERFACE</entry><entry align="center">HOST(S)</entry></row></thead><tbody><row><entry>eth0</entry><entry>192.0.2.0/24</entry></row></tbody></tgroup></table></para>
</example>
</section>
</article>
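Review bot: the page never says what "disable it in your firewall" does to the packets, so a reader cannot tell what an entry in /etc/shorewall/ecn changes on the wire or what kernel/iptables support it needs; state the mechanism (the netfilter target the generated rules use and the module it requires) next to the two-column description. Two related caveats belong in the same place: `net.ipv4.tcp_ecn = 1` governs only TCP connections the firewall itself originates, and the text does not say whether the /etc/shorewall/ecn entries also strip ECN from traffic forwarded through the firewall; and the HOST(S) column is evidently matched on the destination (the example lists `192.0.2.0/24` reached via `eth0`), which the column description should say explicitly rather than leaving it to the example.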

1773
Shorewall-docsN/FAQ.xml Normal file

File diff suppressed because it is too large

370
Shorewall-docsN/FTP.xml Normal file

@ -0,0 +1,370 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="FTP">
<!--$Id$-->
<articleinfo>
<title>Shorewall and FTP</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-05-19</pubdate>
<copyright>
<year>2003</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<important>
<para>If you are running Mandrake 9.1 or 9.2 and are having problems with
FTP, you have three choices:</para>
<orderedlist>
<listitem>
<para>Edit /usr/share/shorewall/firewall and replace this line:</para>
<programlisting>for suffix in o gz ko ; do</programlisting>
<para>with</para>
<programlisting>for suffix in o gz ko o.gz ; do</programlisting>
<para>and at a root shell prompt:</para>
<programlisting><command>shorewall restart</command></programlisting>
</listitem>
<listitem>
<para>Install the Mandrake <quote>cooker</quote> version of Shorewall.</para>
</listitem>
<listitem>
<para>Upgrade to Shorewall 1.4.7 or later.</para>
</listitem>
</orderedlist>
</important>
<important>
<para><trademark>Mandrake</trademark> have done it again with their 10.0
release. This time, they have decided that kernel modules should have
&#34;ko.gz&#34; for their suffix. If you are having problems with Mandrake
10.0 and FTP, change your <filename>/etc/shorewall/conf</filename> file
definition of MODULE_SUFFIX as follows:</para>
<programlisting>MODULE_SUFFIX=&#34;o gz ko o.gz ko.gz&#34;</programlisting>
<para>The version of <command>insmod</command> shipped with 10.0 also does
not comprehend these module files so you will also need Shorewall 2.0.2 or
later OR you need to change <filename>/usr/share/shorewall/firewall</filename>
-- replace the line that reads:</para>
<programlisting> insmod $modulefile $*</programlisting>
<para>with:</para>
<programlisting> modprobe $modulename $*</programlisting>
</important>
<section>
<title>FTP Protocol</title>
<para>FTP transfers involve two TCP connections. The first <emphasis
role="bold">control</emphasis> connection goes from the FTP client to port
21 on the FTP server. This connection is used for logon and to send
commands and responses between the endpoints. Data transfers (including
the output of <quote>ls</quote> and <quote>dir</quote> commands) requires
a second data connection. The <emphasis role="bold">data</emphasis>
connection is dependent on the <emphasis role="bold">mode</emphasis> that
the client is operating in:</para>
<variablelist>
<varlistentry>
<term>Passive Mode</term>
<listitem>
<para>(often the default for web browsers) -- The client issues a
PASV command. Upon receipt of this command, the server listens on a
dynamically-allocated port then sends a PASV reply to the client.
The PASV reply gives the IP address and port number that the server
is listening on. The client then opens a second connection to that
IP address and port number.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Active Mode</term>
<listitem>
<para>(often the default for line-mode clients) -- The client
listens on a dynamically-allocated port then sends a PORT command to
the server. The PORT command gives the IP address and port number
that the client is listening on. The server then opens a connection
to that IP address and port number; the <emphasis role="bold">source
port</emphasis> for this connection is 20 (ftp-data in
/etc/services).</para>
</listitem>
</varlistentry>
</variablelist>
<para>You can see these commands in action using your linux ftp
command-line client in debugging mode. Note that my ftp client defaults to
passive mode and that I can toggle between passive and active mode by
issuing a <quote>passive</quote> command:</para>
<programlisting>[teastep@wookie Shorewall]$ <emphasis role="bold">ftp ftp1.shorewall.net</emphasis>
Connected to lists.shorewall.net.
220-=(&#60;*&#62;)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(&#60;*&#62;)=-
220-You are user number 1 of 50 allowed.
220-Local time is now 10:21 and the load is 0.14. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
500 Security extensions not implemented
500 Security extensions not implemented
KERBEROS_V4 rejected as an authentication type
Name (ftp1.shorewall.net:teastep): ftp
331-Welcome to ftp.shorewall.net
331-
331 Any password will work
Password:
230 Any password will work
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&#62; <emphasis role="bold">debug</emphasis>
Debugging on (debug=1).
ftp&#62; <emphasis role="bold">ls</emphasis>
---&#62; <emphasis>PASV</emphasis>
<emphasis>227 Entering Passive Mode (192,168,1,193,195,210)</emphasis>
---&#62; LIST
150 Accepted data connection
drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives
drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc
drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub
226-Options: -l
226 3 matches total
ftp&#62; <emphasis role="bold">passive</emphasis>
Passive mode off.
ftp&#62; <emphasis role="bold">ls</emphasis>
<emphasis>---&#62; PORT 192,168,1,3,142,58</emphasis>
200 PORT command successful
---&#62; LIST
150 Connecting to port 36410
drwxr-xr-x 5 0 0 4096 Nov 9 2002 archives
drwxr-xr-x 2 0 0 4096 Feb 12 2002 etc
drwxr-sr-x 6 0 50 4096 Feb 19 15:24 pub
226-Options: -l
226 3 matches total
ftp&#62;</programlisting>
<para>Things to notice:</para>
<orderedlist>
<listitem>
<para>The commands that I issued are <emphasis role="bold">strongly
emphasized</emphasis>.</para>
</listitem>
<listitem>
<para>Commands sent by the client to the server are preceded by
---&#62;</para>
</listitem>
<listitem>
<para>Command responses from the server over the control connection
are numbered.</para>
</listitem>
<listitem>
<para>FTP uses a comma as a separator between the bytes of the IP
address; and</para>
</listitem>
<listitem>
<para>When sending a port number, FTP sends the MSB then the LSB and
separates the two bytes by a comma. As shown in the PORT command, port
142,58 translates to 142*256+58 = 36410.</para>
</listitem>
</orderedlist>
</section>
<section>
<title>Linux FTP connection-tracking</title>
<para>Given the normal loc-&#62;net policy of ACCEPT, passive mode access
from local clients to remote servers will always work but active mode
requires the firewall to dynamically open a <quote>hole</quote> for the
server&#39;s connection back to the client. Similarly, if you are running
an FTP server in your local zone then active mode should always work but
passive mode requires the firewall to dynamically open a <quote>hole</quote>
for the client&#39;s second connection to the server. This is the role of
FTP connection-tracking support in the Linux kernel.</para>
<para>Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is
involved, the PORT commands and PASV responses may also need to be
modified by the firewall. This is the job of the FTP nat support kernel
function.</para>
<para>Including FTP connection-tracking and NAT support normally means
that the modules <quote>ip_conntrack_ftp</quote> and <quote>ip_nat_ftp</quote>
need to be loaded. Shorewall automatically loads these <quote>helper</quote>
modules from /lib/modules/&#60;<emphasis>kernel-version</emphasis>&#62;/kernel/net/ipv4/netfilter/
and you can determine if they are loaded using the <quote>lsmod</quote>
command. The &#60;<emphasis>kernel-version</emphasis>&#62; may be obtained
by typing</para>
<programlisting><command>uname -r</command></programlisting>
<example>
<title></title>
<programlisting>[root@lists etc]# lsmod
Module Size Used by Not tainted
autofs 12148 0 (autoclean) (unused)
ipt_TOS 1560 12 (autoclean)
ipt_LOG 4120 5 (autoclean)
ipt_REDIRECT 1304 1 (autoclean)
ipt_REJECT 3736 4 (autoclean)
ipt_state 1048 13 (autoclean)
ip_nat_irc 3152 0 (unused)
<emphasis role="bold">ip_nat_ftp 3888 0 (unused)</emphasis>
ip_conntrack_irc 3984 1
<emphasis role="bold">ip_conntrack_ftp 5008 1</emphasis>
ipt_multiport 1144 2 (autoclean)
ipt_conntrack 1592 0 (autoclean)
iptable_filter 2316 1 (autoclean)
iptable_mangle 2680 1 (autoclean)
iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]
ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc
ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp
ipt_conntrack iptable_nat]
ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state
ipt_multiport ipt_conntrack iptable_filter
iptable_mangle iptable_nat]
tulip 42464 0 (unused)
e100 50596 1
keybdev 2752 0 (unused)
mousedev 5236 0 (unused)
hid 20868 0 (unused)
input 5632 0 [keybdev mousedev hid]
usb-uhci 24684 0 (unused)
usbcore 73280 1 [hid usb-uhci]
ext3 64704 2
jbd 47860 2 [ext3]
[root@lists etc]#</programlisting>
</example>
<para>If you want Shorewall to load these modules from an alternate
directory, you need to set the MODULESDIR variable in
/etc/shorewall/shorewall.conf to point to that directory.</para>
<para>If your FTP helper modules are compressed and have the names
<emphasis>ip_nat_ftp.o.gz and ip_conntrack_ftp.o.gz</emphasis> then you
will need Shorewall 1.4.7 or later if you want Shorewall to load them for
you. If your helper modules have names <emphasis>ip_nat_ftp.ko.gz and
ip_conntrack_ftp.ko.gz</emphasis> then you will need Shorewall 2.0.2 or
later if you want Shorewall to load them for you.</para>
</section>
<section>
<title>FTP on Non-standard Ports</title>
<para>The above discussion about commands and responses makes it clear
that the FTP connection-tracking and NAT helpers must scan the traffic on
the control connection looking for PASV and PORT commands as well as PASV
responses. If you run an FTP server on a nonstandard port or you need to
access such a server, you must therefore let the helpers know by
specifying the port in /etc/shorewall/modules entries for the helpers.
<caution><para>You must have modularized FTP connection tracking support
in order to use FTP on a non-standard port.</para></caution></para>
<example>
<title>if you run an FTP server that listens on port 49 or you need to
access a server on the internet that listens on that port then you would
have:</title>
<programlisting>loadmodule ip_conntrack_ftp ports=21,49
loadmodule ip_nat_ftp ports=21,49</programlisting>
<para><note><para>you MUST include port 21 in the ports list or you may
have problems accessing regular FTP servers.</para></note></para>
<para>If there is a possibility that these modules might be loaded
before Shorewall starts, then you should include the port list in
/etc/modules.conf:</para>
<programlisting>options ip_conntrack_ftp ports=21,49
options ip_nat_ftp ports=21,49</programlisting>
<para><important><para>Once you have made these changes to
/etc/shorewall/modules and/or /etc/modules.conf, you must either:</para><orderedlist><listitem><para>Unload
the modules and restart shorewall:</para><programlisting><command>rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</command></programlisting></listitem><listitem><para>Reboot</para></listitem></orderedlist></important></para>
</example>
</section>
<section id="Rules">
<title>Rules</title>
<para>If the policy from the source zone to the destination zone is ACCEPT
and you don&#39;t need DNAT (see <ulink url="FAQ.htm#faq30">FAQ 30</ulink>)
then <emphasis role="bold">you need no rule</emphasis>.</para>
<para>Otherwise, for FTP you need exactly <emphasis role="bold">one</emphasis>
rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
ACCEPT or &#60;<emphasis>source</emphasis>&#62; &#60;<emphasis>destination</emphasis>&#62; tcp 21 &#60;external IP addr&#62; if
DNAT ACTION = DNAT</programlisting>
<para>You need an entry in the ORIGINAL DESTINATION column only if the
ACTION is DNAT, you have multiple external IP addresses and you want a
specific IP address to be forwarded to your server.</para>
<para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
with 20 (ftp-data) in the PORT(S) column. If you post your rules on the
mailing list and they show 20 in the PORT(S) column, I will know that you
haven&#39;t read this article and I will either ignore your post or tell
you to RTFM.<example><title>Server running behind a Masquerading Gateway</title><para>Suppose
that you run an FTP server on 192.168.1.5 in your local zone using the
standard port (21). You need this rule: </para><programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
DNAT net loc:192.168.1.5 tcp 21</programlisting></example><example><title>Allow
your DMZ FTP access to the Internet</title><programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
ACCEPT dmz net tcp 21</programlisting></example></para>
<para>Note that the FTP connection tracking in the kernel cannot handle
cases where a PORT command (or PASV reply) is broken across two packets.
When such cases occur, you will see a console message similar to this one:</para>
<programlisting>Apr 28 23:55:09 gateway kernel: conntrack_ftp: partial PORT 715014972+1</programlisting>
<para> I see this problem occasionally with the FTP server in my DMZ. My
solution is to add the following rule:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
ACCEPT:info dmz net tcp - 20</programlisting>
<para>The above rule accepts and logs all active mode connections from my
DMZ to the net.</para>
</section>
</article>
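Review bot: the workaround rule at the end of the Rules section (`ACCEPT:info dmz net tcp - 20`) is broader than the sentence beside it claims. With `-` in PORT(S) and 20 in SOURCE PORT(S) it accepts any TCP connection from the DMZ to the net whose source port is 20, not only FTP active-mode data connections, so any process on a DMZ host that can bind source port 20 reaches every destination port on the net. "The above rule accepts and logs all active mode connections from my DMZ to the net" should say that it matches on source port alone and that the `:info` log entries are what lets you notice non-FTP use of the hole. Two smaller points: the `<example>` in the "Linux FTP connection-tracking" section has an empty `<title></title>`, which DocBook renders as a bare "Example N." caption, so either give it a title (for instance "lsmod output showing the FTP helpers loaded") or drop the `<example>` wrapper; and the example title "if you run an FTP server that listens on port 49 ..." and the note "you MUST include port 21 ..." both start in lowercase.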



@ -0,0 +1,292 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="GenericTunnels">
<!--$Id$-->
<articleinfo>
<title>Generic Tunnels</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2003-08-09</pubdate>
<copyright>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<para>Shorewall includes built-in support for a wide range of VPN solutions.
If you have need for a tunnel type that does not have explicit support, you
can generally describe the tunneling software using <quote>generic tunnels</quote>.</para>
<section>
<title>Bridging two Masqueraded Networks</title>
<para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png" />
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file, the
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
included with Shorewall.</para>
<para>Suppose that you have tunneling software that uses two different
protocols:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>TCP port 1071</para>
</listitem>
<listitem>
<para>GRE (Protocol 47)</para>
</listitem>
<listitem>
<para>The tunnel interface on system A is <quote>tun0</quote> and the
tunnel interface on system B is also <quote>tun0</quote>.</para>
</listitem>
</orderedlist>
<para>On each firewall, you will need to declare a zone to represent the
remote subnet. We&#39;ll assume that this zone is called <quote>vpn</quote>
and declare it in /etc/shorewall/zones on both systems as follows.</para>
<informaltable>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis>
zone. In /etc/shorewall/interfaces:</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tun0</entry>
<entry>10.255.255.255</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>generic:tcp:1071</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
<row>
<entry>generic:47</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>These entries in /etc/shorewall/tunnels, opens the firewall so that
TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will
be accepted to/from the remote gateway.</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tun0</entry>
<entry>192.168.1.255</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>In /etc/shorewall/tunnels on system B, we have:</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>generic:tcp:1071</entry>
<entry>net</entry>
<entry>206.191.148.9</entry>
<entry></entry>
</row>
<row>
<entry>generic:47</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone on both systems -- if you simply want to
admit all traffic in both directions, you can use the policy file:</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>On both systems, restart Shorewall and start your VPN software on
each system. The systems in the two masqueraded subnetworks can now talk
to each other</para>
</section>
</article>
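Review bot: the /etc/shorewall/tunnels table for system B has inconsistent GATEWAY cells. The `generic:tcp:1071` row points at 206.191.148.9, but the `generic:47` row still says 134.28.54.2, which is the address system A uses to reach B, so on B the GRE entry would open protocol 47 to/from the wrong host instead of the remote gateway. Both rows on B should name the same remote gateway (206.191.148.9, as the tcp row implies). Two documentation gaps in the same section: the second interfaces table (BROADCAST 192.168.1.255) has no lead-in sentence saying that it is system B's /etc/shorewall/interfaces with the 192.168.1.0/24 subnet in the vpn zone, so it reads as a continuation of system A's configuration; and the list introduced as "two different protocols" has a third item (the tun0 interface names) that is not a protocol and belongs in its own sentence. Minor grammar: "These entries in /etc/shorewall/tunnels, opens the firewall" should read "These entries ... open the firewall".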


@ -0,0 +1,434 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<appendix id="gfdl">
<title>GNU Free Documentation License</title>
<subtitle>Version 1.2, November 2002</subtitle>
<blockquote id="fsf-copyright">
<para>Copyright (C) 2000,2001,2002 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.</para>
</blockquote>
<section id="gfdl-0"><title>PREAMBLE</title>
<para>The purpose of this License is to make a manual, textbook, or
other functional and useful document "free" in the sense of freedom: to
assure everyone the effective freedom to copy and redistribute it, with
or without modifying it, either commercially or noncommercially.
Secondarily, this License preserves for the author and publisher a way
to get credit for their work, while not being considered responsible for
modifications made by others.</para>
<para>This License is a kind of "copyleft", which means that derivative
works of the document must themselves be free in the same sense. It
complements the GNU General Public License, which is a copyleft license
designed for free software.</para>
<para>We have designed this License in order to use it for manuals for
free software, because free software needs free documentation: a free
program should come with manuals providing the same freedoms that the
software does. But this License is not limited to software manuals; it
can be used for any textual work, regardless of subject matter or
whether it is published as a printed book. We recommend this License
principally for works whose purpose is instruction or reference.</para>
</section>
<section id="gfdl-1"><title>APPLICABILITY AND DEFINITIONS</title>
<para id="gfdl-doc">This License applies to any manual or other work, in
any medium, that contains a notice placed by the copyright holder saying
it can be distributed under the terms of this License. Such a notice
grants a world-wide, royalty-free license, unlimited in duration, to use
that work under the conditions stated herein. The "Document", below,
refers to any such manual or work. Any member of the public is a
licensee, and is addressed as "you". You accept the license if you
copy, modify or distribute the work in a way requiring permission under
copyright law.</para>
<para id="gfdl-mod-ver">A "Modified Version" of the Document means any
work containing the Document or a portion of it, either copied verbatim,
or with modifications and/or translated into another language.</para>
<para id="gfdl-secnd-sect">A "Secondary Section" is a named appendix or
a front-matter section of the Document that deals exclusively with the
relationship of the publishers or authors of the Document to the
Document's overall subject (or to related matters) and contains nothing
that could fall directly within that overall subject. (Thus, if the
Document is in part a textbook of mathematics, a Secondary Section may
not explain any mathematics.) The relationship could be a matter of
historical connection with the subject or with related matters, or of
legal, commercial, philosophical, ethical or political position
regarding them.</para>
<para id="gfdl-inv-sect">The "Invariant Sections" are certain Secondary
Sections whose titles are designated, as being those of Invariant
Sections, in the notice that says that the Document is released under
this License. If a section does not fit the above definition of
Secondary then it is not allowed to be designated as Invariant. The
Document may contain zero Invariant Sections. If the Document does not
identify any Invariant Sections then there are none.</para>
<para id="gfdl-cov-text">The "Cover Texts" are certain short passages of
text that are listed, as Front-Cover Texts or Back-Cover Texts, in the
notice that says that the Document is released under this License. A
Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at
most 25 words.</para>
<para id="gfdl-transparent">A "Transparent" copy of the Document means a
machine-readable copy, represented in a format whose specification is
available to the general public, that is suitable for revising the
document straightforwardly with generic text editors or (for images
composed of pixels) generic paint programs or (for drawings) some widely
available drawing editor, and that is suitable for input to text
formatters or for automatic translation to a variety of formats suitable
for input to text formatters. A copy made in an otherwise Transparent
file format whose markup, or absence of markup, has been arranged to
thwart or discourage subsequent modification by readers is not
Transparent. An image format is not Transparent if used for any
substantial amount of text. A copy that is not "Transparent" is called
"Opaque".</para>
<para>Examples of suitable formats for Transparent copies include plain
ASCII without markup, Texinfo input format, LaTeX input format, SGML or
XML using a publicly available DTD, and standard-conforming simple HTML,
PostScript or PDF designed for human modification. Examples of
transparent image formats include PNG, XCF and JPG. Opaque formats
include proprietary formats that can be read and edited only by
proprietary word processors, SGML or XML for which the DTD and/or
processing tools are not generally available, and the machine-generated
HTML, PostScript or PDF produced by some word processors for output
purposes only.</para>
<para id="gfdl-title-page">The "Title Page" means, for a printed book,
the title page itself, plus such following pages as are needed to hold,
legibly, the material this License requires to appear in the title page.
For works in formats which do not have any title page as such, "Title
Page" means the text near the most prominent appearance of the work's
title, preceding the beginning of the body of the text.</para>
<para id="gfdl-entitled">A section "Entitled XYZ" means a named subunit
of the Document whose title either is precisely XYZ or contains XYZ in
parentheses following text that translates XYZ in another language.
(Here XYZ stands for a specific section name mentioned below, such as
"Acknowledgements", "Dedications", "Endorsements", or "History".) To
"Preserve the Title" of such a section when you modify the Document
means that it remains a section "Entitled XYZ" according to this
definition.</para>
<para>The Document may include Warranty Disclaimers next to the notice
which states that this License applies to the Document. These Warranty
Disclaimers are considered to be included by reference in this License,
but only as regards disclaiming warranties: any other implication that
these Warranty Disclaimers may have is void and has no effect on the
meaning of this License.</para>
</section>
<section id="gfdl-2"><title>VERBATIM COPYING</title>
<para>You may copy and distribute the Document in any medium, either
commercially or noncommercially, provided that this License, the
copyright notices, and the license notice saying this License applies to
the Document are reproduced in all copies, and that you add no other
conditions whatsoever to those of this License. You may not use
technical measures to obstruct or control the reading or further copying
of the copies you make or distribute. However, you may accept
compensation in exchange for copies. If you distribute a large enough
number of copies you must also follow the conditions in section 3.
</para>
<para>You may also lend copies, under the same conditions stated above,
and you may publicly display copies.</para>
</section>
<section id="gfdl-3"><title>COPYING IN QUANTITY</title>
<para>If you publish printed copies (or copies in media that commonly
have printed covers) of the Document, numbering more than 100, and the
Document's license notice requires Cover Texts, you must enclose the
copies in covers that carry, clearly and legibly, all these Cover Texts:
Front-Cover Texts on the front cover, and Back-Cover Texts on the back
cover. Both covers must also clearly and legibly identify you as the
publisher of these copies. The front cover must present the full title
with all words of the title equally prominent and visible. You may add
other material on the covers in addition. Copying with changes limited
to the covers, as long as they preserve the title of the Document and
satisfy these conditions, can be treated as verbatim copying in other
respects.</para>
<para>If the required texts for either cover are too voluminous to fit
legibly, you should put the first ones listed (as many as fit
reasonably) on the actual cover, and continue the rest onto adjacent
pages.</para>
<para>If you publish or distribute Opaque copies of the Document
numbering more than 100, you must either include a machine-readable
Transparent copy along with each Opaque copy, or state in or with each
Opaque copy a computer-network location from which the general
network-using public has access to download using public-standard
network protocols a complete Transparent copy of the Document, free of
added material. If you use the latter option, you must take reasonably
prudent steps, when you begin distribution of Opaque copies in quantity,
to ensure that this Transparent copy will remain thus accessible at the
stated location until at least one year after the last time you
distribute an Opaque copy (directly or through your agents or retailers)
of that edition to the public.</para>
<para>It is requested, but not required, that you contact the authors of
the Document well before redistributing any large number of copies, to
give them a chance to provide you with an updated version of the
Document.</para>
</section>
<section id="gfdl-4"><title>MODIFICATIONS</title>
<para>You may copy and distribute a Modified Version of the Document
under the conditions of sections 2 and 3 above, provided that you
release the Modified Version under precisely this License, with the
Modified Version filling the role of the Document, thus licensing
distribution and modification of the Modified Version to whoever
possesses a copy of it. In addition, you must do these things in the
Modified Version:</para>
<orderedlist id="gfdl-modif-cond" numeration="upperalpha">
<listitem><simpara>Use in the Title Page (and on the covers, if any) a
title distinct from that of the Document, and from those of previous
versions (which should, if there were any, be listed in the History
section of the Document). You may use the same title as a previous
version if the original publisher of that version gives permission.
</simpara></listitem>
<listitem><simpara>List on the Title Page, as authors, one or more
persons or entities responsible for authorship of the modifications in
the Modified Version, together with at least five of the principal
authors of the Document (all of its principal authors, if it has fewer
than five), unless they release you from this requirement.
</simpara></listitem>
<listitem><simpara>State on the Title page the name of the publisher of
the Modified Version, as the publisher.</simpara></listitem>
<listitem><simpara>Preserve all the copyright notices of the Document.
</simpara></listitem>
<listitem><simpara>Add an appropriate copyright notice for your
modifications adjacent to the other copyright notices.
</simpara></listitem>
<listitem><simpara>Include, immediately after the copyright notices, a
license notice giving the public permission to use the Modified
Version under the terms of this License, in the form shown in the
<link linkend="gfdl-addendum">Addendum</link> below.
</simpara></listitem>
<listitem><simpara>Preserve in that license notice the full lists of
Invariant Sections and required Cover Texts given in the Document's
license notice.</simpara></listitem>
<listitem><simpara>Include an unaltered copy of this License.
</simpara></listitem>
<listitem><simpara>Preserve the section Entitled "History", Preserve its
Title, and add to it an item stating at least the title, year, new
authors, and publisher of the Modified Version as given on the Title
Page. If there is no section Entitled "History" in the Document,
create one stating the title, year, authors, and publisher of the
Document as given on its Title Page, then add an item describing the
Modified Version as stated in the previous sentence.
</simpara></listitem>
<listitem><simpara>Preserve the network location, if any, given in the
Document for public access to a Transparent copy of the Document, and
likewise the network locations given in the Document for previous
versions it was based on. These may be placed in the "History"
section. You may omit a network location for a work that was
published at least four years before the Document itself, or if the
original publisher of the version it refers to gives permission.
</simpara></listitem>
<listitem><simpara>For any section Entitled "Acknowledgements" or
"Dedications", Preserve the Title of the section, and preserve in the
section all the substance and tone of each of the contributor
acknowledgements and/or dedications given therein.
</simpara></listitem>
<listitem><simpara>Preserve all the Invariant Sections of the Document,
unaltered in their text and in their titles. Section numbers or the
equivalent are not considered part of the section titles.
</simpara></listitem>
<listitem><simpara>Delete any section Entitled "Endorsements".
Such a section may not be included in the Modified Version.
</simpara></listitem>
<listitem><simpara>Do not retitle any existing section to be Entitled
"Endorsements" or to conflict in title with any Invariant Section.
</simpara></listitem>
<listitem><simpara>Preserve any Warranty Disclaimers.
</simpara></listitem>
</orderedlist>
<para>If the Modified Version includes new front-matter sections or
appendices that qualify as Secondary Sections and contain no material
copied from the Document, you may at your option designate some or all
of these sections as invariant. To do this, add their titles to the
list of Invariant Sections in the Modified Version's license notice.
These titles must be distinct from any other section titles.</para>
<para>You may add a section Entitled "Endorsements", provided it
contains nothing but endorsements of your Modified Version by various
parties--for example, statements of peer review or that the text has
been approved by an organization as the authoritative definition of a
standard.</para>
<para>You may add a passage of up to five words as a Front-Cover Text,
and a passage of up to 25 words as a Back-Cover Text, to the end of the
list of Cover Texts in the Modified Version. Only one passage of
Front-Cover Text and one of Back-Cover Text may be added by (or through
arrangements made by) any one entity. If the Document already includes
a cover text for the same cover, previously added by you or by
arrangement made by the same entity you are acting on behalf of, you may
not add another; but you may replace the old one, on explicit permission
from the previous publisher that added the old one.</para>
<para>The author(s) and publisher(s) of the Document do not by this
License give permission to use their names for publicity for or to
assert or imply endorsement of any Modified Version.</para>
</section>
<section id="gfdl-5"><title>COMBINING DOCUMENTS</title>
<para>You may combine the Document with other documents released under
this License, under the terms defined in <link linkend="gfdl-4">section
4</link> above for modified versions, provided that you include in the
combination all of the Invariant Sections of all of the original
documents, unmodified, and list them all as Invariant Sections of your
combined work in its license notice, and that you preserve all their
Warranty Disclaimers.</para>
<para>The combined work need only contain one copy of this License, and
multiple identical Invariant Sections may be replaced with a single
copy. If there are multiple Invariant Sections with the same name but
different contents, make the title of each such section unique by adding
at the end of it, in parentheses, the name of the original author or
publisher of that section if known, or else a unique number. Make the
same adjustment to the section titles in the list of Invariant Sections
in the license notice of the combined work.</para>
<para>In the combination, you must combine any sections Entitled
"History" in the various original documents, forming one section
Entitled "History"; likewise combine any sections Entitled
"Acknowledgements", and any sections Entitled "Dedications". You must
delete all sections Entitled "Endorsements".</para>
</section>
<section id="gfdl-6"><title>COLLECTIONS OF DOCUMENTS</title>
<para>You may make a collection consisting of the Document and other
documents released under this License, and replace the individual copies
of this License in the various documents with a single copy that is
included in the collection, provided that you follow the rules of this
License for verbatim copying of each of the documents in all other
respects.</para>
<para>You may extract a single document from such a collection, and
distribute it individually under this License, provided you insert a
copy of this License into the extracted document, and follow this
License in all other respects regarding verbatim copying of that
document.</para>
</section>
<section id="gfdl-7"><title>AGGREGATION WITH INDEPENDENT WORKS</title>
<para>A compilation of the Document or its derivatives with other
separate and independent documents or works, in or on a volume of a
storage or distribution medium, is called an "aggregate" if the
copyright resulting from the compilation is not used to limit the legal
rights of the compilation's users beyond what the individual works
permit. When the Document is included in an aggregate, this License does
not apply to the other works in the aggregate which are not themselves
derivative works of the Document.</para>
<para>If the Cover Text requirement of section 3 is applicable to these
copies of the Document, then if the Document is less than one half of
the entire aggregate, the Document's Cover Texts may be placed on covers
that bracket the Document within the aggregate, or the electronic
equivalent of covers if the Document is in electronic form. Otherwise
they must appear on printed covers that bracket the whole
aggregate.</para>
</section>
<section id="gfdl-8"><title>TRANSLATION</title>
<para>Translation is considered a kind of modification, so you may
distribute translations of the Document under the terms of section 4.
Replacing Invariant Sections with translations requires special
permission from their copyright holders, but you may include
translations of some or all Invariant Sections in addition to the
original versions of these Invariant Sections. You may include a
translation of this License, and all the license notices in the
Document, and any Warranty Disclaimers, provided that you also include
the original English version of this License and the original versions
of those notices and disclaimers. In case of a disagreement between the
translation and the original version of this License or a notice or
disclaimer, the original version will prevail.</para>
<para>If a section in the Document is Entitled "Acknowledgements",
"Dedications", or "History", the requirement (section 4) to Preserve its
Title (section 1) will typically require changing the actual
title.</para>
</section>
<section id="gfdl-9"><title>TERMINATION</title>
<para>You may not copy, modify, sublicense, or distribute the Document
except as expressly provided for under this License. Any other attempt
to copy, modify, sublicense or distribute the Document is void, and will
automatically terminate your rights under this License. However,
parties who have received copies, or rights, from you under this License
will not have their licenses terminated so long as such parties remain
in full compliance.</para>
</section>
<section id="gfdl-10"><title>FUTURE REVISIONS OF THIS LICENSE</title>
<para>The Free Software Foundation may publish new, revised versions of
the GNU Free Documentation License from time to time. Such new versions
will be similar in spirit to the present version, but may differ in
detail to address new problems or concerns. See
http://www.gnu.org/copyleft/.</para>
<para>Each version of the License is given a distinguishing version
number. If the Document specifies that a particular numbered version of
this License "or any later version" applies to it, you have the option
of following the terms and conditions either of that specified version
or of any later version that has been published (not as a draft) by the
Free Software Foundation. If the Document does not specify a version
number of this License, you may choose any version ever published (not
as a draft) by the Free Software Foundation.</para>
</section>
<section id="gfdl-addendum"><title>ADDENDUM: How to use this License for
your documents</title>
<para>To use this License in a document you have written, include a copy
of the License in the document and put the following copyright and
license notices just after the title page:</para>
<blockquote id="copyright-sample"><para>
Copyright (c) YEAR YOUR NAME.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU
Free Documentation License".
</para></blockquote>
<para>If you have Invariant Sections, Front-Cover Texts and Back-Cover
Texts, replace the "with...Texts." line with this:</para>
<blockquote id="inv-cover-sample"><para>
with the Invariant Sections being LIST THEIR TITLES, with the
Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
</para></blockquote>
<para>If you have Invariant Sections without Cover Texts, or some other
combination of the three, merge those two alternatives to suit the
situation.</para>
<para>If your document contains nontrivial examples of program code, we
recommend releasing these examples in parallel under your choice of free
software license, such as the GNU General Public License, to permit
their use in free software.</para>
</section>
</appendix>

332
Shorewall-docsN/IPIP.xml Normal file

@ -0,0 +1,332 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="IPIP">
<!--$Id$-->
<articleinfo>
<title>GRE and IPIP Tunnels</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-05-22</pubdate>
<copyright>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<warning>
<para>GRE and IPIP Tunnels are insecure when used over the internet; use
them at your own risk</para>
</warning>
<para>GRE and IPIP tunneling with Shorewall can be used to bridge two
masqueraded networks.</para>
<para>The simple scripts described in the <citetitle><ulink
url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</ulink></citetitle>
work fine with Shorewall. Shorewall also includes a tunnel script for
automating tunnel configuration. If you have installed the RPM, the tunnel
script may be found in the Shorewall documentation directory (usually
/usr/share/doc/shorewall-&#60;version&#62;/).</para>
<section>
<title>Bridging two Masqueraded Networks</title>
<para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png" />
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file, the
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
included with Shorewall.</para>
<para>The <quote>tunnel</quote> script is not installed in /etc/shorewall
by default -- If you install using the tarball, the script is included in
the tarball; if you install using the RPM, the file is in your Shorewall
documentation directory (normally
/usr/share/doc/shorewall-&#60;version&#62;).</para>
<para>In the /etc/shorewall/tunnel script, set the <quote>tunnel_type</quote>
parameter to the type of tunnel that you want to create.</para>
<example>
<title>/etc/shorewall/tunnel</title>
<programlisting>tunnel_type=gre</programlisting>
</example>
<warning>
<para>If you use the PPTP connection tracking modules from Netfilter
Patch-O-Matic (ip_conntrack_proto_gre ip_conntrack_pptp,
ip_nat_proto_gre and ip_nat_pptp) then you cannot use GRE tunnels.</para>
</warning>
<para>On each firewall, you will need to declare a zone to represent the
remote subnet. We&#39;ll assume that this zone is called <quote>vpn</quote>
and declare it in /etc/shorewall/zones on both systems as follows.</para>
<table>
<title>/etc/shorewall/zones system A &#38; B</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet</entry>
</row>
</tbody>
</tgroup>
</table>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis>
zone. In /etc/shorewall/interfaces:</para>
<table>
<title>/etc/shorewall/interfaces system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tosysb</entry>
<entry>10.255.255.255</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<table>
<title>/etc/shorewall/tunnels system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipip</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>This entry in /etc/shorewall/tunnels, opens the firewall so that the
IP encapsulation protocol (4) will be accepted to/from the remote gateway.</para>
<para>In the tunnel script on system A:</para>
<example>
<title>tunnel script on system A</title>
<programlisting>tunnel=tosysb
myrealip=206.161.148.9 (for GRE tunnel only)
myip=192.168.1.1
hisip=10.0.0.1
gateway=134.28.54.2
subnet=10.0.0.0/8
</programlisting>
</example>
<para>Similarly, On system B the 192.168.1.0/24 subnet will comprise the
<emphasis role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
<table>
<title>/etc/shorewall/interfaces system B</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tosysa</entry>
<entry>192.168.1.255</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>In /etc/shorewall/tunnels on system B, we have:</para>
<table>
<title>/etc/shorewall/tunnels system B</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipip</entry>
<entry>net</entry>
<entry>206.191.148.9</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>And in the tunnel script on system B:</para>
<example>
<title>tunnel script on system B</title>
<programlisting>tunnel=tosysa
myrealip=134.28.54.2 (for GRE tunnel only)
myip=10.0.0.1
hisip=192.168.1.1
gateway=206.191.148.9
subnet=192.168.1.0/24</programlisting>
</example>
<para>You can rename the modified tunnel scripts if you like; be sure that
they are secured so that root can execute them.</para>
<para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone on both systems -- if you simply want to
admit all traffic in both directions, you can use the policy file:</para>
<table>
<title>/etc/shorewall/policy system A &#38; B</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>On both systems, restart Shorewall and run the modified tunnel
script with the <quote>start</quote> argument on each system. The systems
in the two masqueraded subnetworks can now talk to each other</para>
</section>
</article>
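Review bot: the `tunnel_type=gre` example under "In the /etc/shorewall/tunnel script" contradicts the `ipip` TYPE used in both /etc/shorewall/tunnels tables that follow; as the hunk itself states, an ipip entry only admits "the IP encapsulation protocol (4)", so a reader who keeps `tunnel_type=gre` builds a tunnel whose GRE packets (IP protocol 47) the firewall never opens. Either change the example to `tunnel_type=ipip` or say what tunnels entry a GRE tunnel requires. Three smaller points in the same hunk: `myrealip=206.161.148.9 (for GRE tunnel only)` and `myrealip=134.28.54.2 (for GRE tunnel only)` put a prose remark inside a shell assignment, so the script fails if copied verbatim (make the remark a `#` comment); system A's `myrealip=206.161.148.9` disagrees with the `206.191.148.9` that system B uses as `gateway=` and in its tunnels table, so one of the two addresses is a typo; and "secured so that root can execute them" should say that only root can execute and, more importantly, modify them, since whatever is in that script runs as root when the tunnel is started.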

953
Shorewall-docsN/IPSEC.xml Normal file

@ -0,0 +1,953 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="IPSEC">
<!--$Id$-->
<articleinfo>
<title>IPSEC Tunnels</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-07-01</pubdate>
<copyright>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<warning>
<para>This documentation is incomplete regarding using IPSEC and the 2.6
Kernel. Netfilter currently lacks full support for the 2.6 kernel&#39;s
implementation of IPSEC. Until that implementation is complete, only a
simple network-network tunnel is described for 2.6.</para>
</warning>
<section>
<title>Configuring FreeS/Wan</title>
<para>There is an excellent guide to configuring IPSEC tunnels at <ulink
url="http://www.geocities.com/jixen66/">http://www.geocities.com/jixen66/</ulink>.
I highly recommend that you consult that site for information about
configuring FreeS/Wan.</para>
<warning>
<para>IPSEC and Proxy ARP do not work unless you are running Shorewall
2.0.1 Beta 3 or later or unless you have installed the fix to Shorewall
2.0.0 available from the <ulink url="errata.htm">Errata Page</ulink>.</para>
</warning>
<important>
<para>The documentation below assumes that you have disabled
opportunistic encryption feature in FreeS/Wan 2.0 using the following
additional entries in ipsec.conf:</para>
<programlisting>conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore</programlisting>
<para>For further information see <ulink
url="http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html">http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html</ulink>.</para>
</important>
</section>
<section>
<title>IPSec Gateway on the Firewall System</title>
<para>Suppose that we have the following sutuation:</para>
<graphic fileref="images/TwoNets1.png" />
<para>We want systems in the 192.168.1.0/24 sub-network to be able to
communicate with systems in the 10.0.0.0/8 network. We assume that on both
systems A and B, eth0 is the internet interface.</para>
<para>To make this work, we need to do two things:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>Open the firewall so that the IPSEC tunnel can be established
(allow the ESP and AH protocols and UDP Port 500).</para>
</listitem>
<listitem>
<para>Allow traffic through the tunnel.</para>
</listitem>
</orderedlist>
<para>Opening the firewall for the IPSEC tunnel is accomplished by adding
an entry to the /etc/shorewall/tunnels file.</para>
<para>In /etc/shorewall/tunnels on system A, we need the following</para>
<table>
<title>/etc/shorewall/tunnels - System A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>In /etc/shorewall/tunnels on system B, we would have:</para>
<table>
<title>/etc/shorewall/tunnels - System B</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>206.161.148.9</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<note>
<para>If either of the endpoints is behind a NAT gateway then the
tunnels file entry on the <emphasis role="bold">other</emphasis>
endpoint should specify a tunnel type of ipsecnat rather than ipsec and
the GATEWAY address should specify the external address of the NAT
gateway.</para>
</note>
<para>You need to define a zone for the remote subnet or include it in
your local zone. In this example, we&#39;ll assume that you have created a
zone called <quote>vpn</quote> to represent the remote subnet. Note that
you should define the vpn zone before the net zone.</para>
<para><table><title>/etc/shorewall/zones - Systems A and B</title><tgroup
cols="3"><thead><row><entry align="center">ZONE</entry><entry
align="center">DISPLAY</entry><entry align="center">COMMENTS</entry></row></thead><tbody><row><entry>vpn</entry><entry>VPN</entry><entry>Remote
Subnet</entry></row><row><entry>net</entry><entry>Internet</entry><entry>The
big bad internet</entry></row></tbody></tgroup></table></para>
<para><emphasis role="bold">If you are running kernel 2.4:</emphasis><blockquote><para>At
both systems, ipsec0 would be included in /etc/shorewall/interfaces as a
<quote>vpn</quote> interface:</para><para><table><title>/etc/shorewall/interfaces
- Systems A and B</title><tgroup cols="4"><thead><row><entry
align="center">ZONE</entry><entry align="center">INTERFACE</entry><entry
align="center">BROADCAST</entry><entry align="center">OPTIONS</entry></row></thead><tbody><row><entry>vpn</entry><entry>ipsec0</entry><entry></entry></row></tbody></tgroup></table></para></blockquote></para>
<para><emphasis role="bold">If you are running kernel 2.6:</emphasis></para>
<blockquote>
<para><emphasis role="bold">It is essential that the
<emphasis>vpn</emphasis> zone be declared before the
<emphasis>net</emphasis> zone in <filename>/etc/shorewall/zones</filename>.</emphasis></para>
<para>Remember the assumption that both systems A and B have eth0 as
their internet interface.</para>
<para>You must define the vpn zone using the /etc/shorewall/hosts file.</para>
<table>
<title>/etc/shorewall/hosts - System A</title>
<tgroup cols="3">
<thead>
<row>
<entry>ZONE</entry>
<entry>HOSTS</entry>
<entry>OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>eth0:10.0.0.0/8</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/hosts - System B</title>
<tgroup cols="3">
<thead>
<row>
<entry>ZONE</entry>
<entry>HOSTS</entry>
<entry>OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>eth0:192.168.1.0/24</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>In addition, <emphasis role="bold">if you are using Masquerading
or SNAT</emphasis> on your firewalls, you need to elmiinate the remote
network from Masquerade/SNAT. These entries <emphasis role="bold">replace</emphasis>
your current masquerade/SNAT entries for the local networks.</para>
<table>
<title>/etc/shorewall/masq - System A</title>
<tgroup cols="3">
<thead>
<row>
<entry>INTERFACE</entry>
<entry>SUBNET</entry>
<entry>ADDRESS</entry>
</row>
</thead>
<tbody>
<row>
<entry>eth0:!10.0.0.0/8</entry>
<entry>192.168.1.0/24</entry>
<entry>...</entry>
</row>
</tbody>
</tgroup>
</table>
<table>
<title>/etc/shorewall/masq System B</title>
<tgroup cols="3">
<thead>
<row>
<entry>INTERFACE</entry>
<entry>SUBNET</entry>
<entry>ADDRESS</entry>
</row>
</thead>
<tbody>
<row>
<entry>eth0:!192.168.1.0/24</entry>
<entry>10.0.0.0/8</entry>
<entry>...</entry>
</row>
</tbody>
</tgroup>
</table>
</blockquote>
<para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone -- if you simply want to admit all traffic
in both directions, you can use the policy file:</para>
<para><table><title>/etc/shorewall/policy - Systems A and B</title><tgroup
cols="4"><thead><row><entry align="center">SOURCE</entry><entry
align="center">DEST</entry><entry align="center">POLICY</entry><entry
align="center">LOG LEVEL</entry></row></thead><tbody><row><entry>loc</entry><entry>vpn</entry><entry>ACCEPT</entry><entry></entry></row><row><entry>vpn</entry><entry>loc</entry><entry>ACCEPT</entry><entry></entry></row></tbody></tgroup></table></para>
<para>Once you have these entries in place, restart Shorewall (type
shorewall restart); you are now ready to configure the tunnel in <ulink
url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
</section>
<section>
<title>VPN Hub using Kernel 2.4</title>
<para>Shorewall can be used in a VPN Hub environment where multiple remote
networks are connected to a gateway running Shorewall. This environment is
shown in this diatram.</para>
<graphic fileref="images/ThreeNets.png" />
<para>We want systems in the 192.168.1.0/24 sub-network to be able to
communicate with systems in the 10.0.0.0/16 and 10.1.0.0/16 networks and
we want the 10.0.0.0/16 and 10.1.0.0/16 networks to be able to
communicate.</para>
<para>To make this work, we need to do several things:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>Open the firewall so that two IPSEC tunnels can be established
(allow the ESP and AH protocols and UDP Port 500).</para>
</listitem>
<listitem>
<para>Allow traffic through the tunnels two/from the local zone
(192.168.1.0/24).</para>
</listitem>
<listitem>
<para>Deny traffic through the tunnels between the two remote
networks.</para>
</listitem>
</orderedlist>
<para>Opening the firewall for the IPSEC tunnels is accomplished by adding
two entries to the /etc/shorewall/tunnels file.</para>
<para>In /etc/shorewall/tunnels on system A, we need the following</para>
<table>
<title>/etc/shorewall/tunnels system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>130.152.100.14</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>In /etc/shorewall/tunnels on systems B and C, we would have:</para>
<table>
<title>/etc/shorewall/tunnels system B &#38; C</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>206.161.148.9</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<note>
<para>If either of the endpoints is behind a NAT gateway then the
tunnels file entry on the <emphasis role="bold">other</emphasis>
endpoint should specify a tunnel type of <emphasis>ipsecnat</emphasis>
rather than ipsec and the GATEWAY address should specify the external
address of the NAT gateway.</para>
</note>
<para>On each system, we will create a zone to represent the remote
networks. On System A:</para>
<table>
<title>/etc/shorewall/zones system A</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn1</entry>
<entry>VPN1</entry>
<entry>Remote Subnet on system B</entry>
</row>
<row>
<entry>vpn2</entry>
<entry>VPN2</entry>
<entry>Remote Subnet on system C</entry>
</row>
</tbody>
</tgroup>
</table>
<para>On systems B and C:</para>
<table>
<title>/etc/shorewall/zones system B &#38; C</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet on system A</entry>
</row>
</tbody>
</tgroup>
</table>
<para>At system A, ipsec0 represents two zones so we have the following in
/etc/shorewall/interfaces:</para>
<table>
<title>/etc/shorewall/interfaces system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>-</entry>
<entry>ipsec0</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>The /etc/shorewall/hosts file on system A defines the two VPN zones:</para>
<table>
<title>/etc/shorewall/hosts system A</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">HOSTS</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn1</entry>
<entry>ipsec0:10.0.0.0/16</entry>
<entry></entry>
</row>
<row>
<entry>vpn2</entry>
<entry>ipsec0:10.1.0.0/16</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>At systems B and C, ipsec0 represents a single zone so we have the
following in /etc/shorewall/interfaces:</para>
<table>
<title>/etc/shorewall/interfaces system B &#38; C</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>ipsec0</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>On systems A, you will need to allow traffic between the
<quote>vpn1</quote> zone and the <quote>loc</quote> zone as well as
between <quote>vpn2</quote> and the <quote>loc</quote> zone -- if you
simply want to admit all traffic in both directions, you can use the
following policy file entries on all three gateways:</para>
<table>
<title>/etc/shorewall/policy system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn1</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn1</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>loc</entry>
<entry>vpn2</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn2</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>On systems B and C, you will need to allow traffic between the
<quote>vpn</quote> zone and the <quote>loc</quote> zone -- if you simply
want to admit all traffic in both directions, you can use the following
policy file entries on all three gateways:</para>
<table>
<title>/etc/shorewall/policy system B &#38; C</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>Once you have the Shorewall entries added, restart Shorewall on each
gateway (type shorewall restart); you are now ready to configure the
tunnels in <ulink url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
<note>
<para>to allow traffic between the networks attached to systems B and C,
it is necessary to simply add two additional entries to the
/etc/shorewall/policy file on system A.</para>
<table>
<title>/etc/shorewall/policy system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn1</entry>
<entry>vpn2</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn2</entry>
<entry>vpn1</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
</note>
<note>
<para>If you find traffic being rejected/dropped in the OUTPUT chain,
place the names of the remote VPN zones as a comma-separated list in the
GATEWAY ZONE column of the /etc/shorewall/tunnels file entry.</para>
</note>
</section>
<section>
<title>Mobile System (Road Warrior) Using Kernel 2.4</title>
<para>Suppose that you have a laptop system (B) that you take with you
when you travel and you want to be able to establish a secure connection
back to your local network.</para>
<graphic fileref="images/Mobile.png" />
<example>
<title>Road Warrior VPN</title>
<para>You need to define a zone for the laptop or include it in your
local zone. In this example, we&#39;ll assume that you have created a
zone called <quote>vpn</quote> to represent the remote host.</para>
<para><table><title>/etc/shorewall/zones local</title><tgroup cols="3"><thead><row><entry
align="center">ZONE</entry><entry align="center">DISPLAY</entry><entry
align="center">COMMENTS</entry></row></thead><tbody><row><entry>vpn</entry><entry>VPN</entry><entry>Remote
Subnet</entry></row></tbody></tgroup></table></para>
<para>In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the /etc/shorewall/tunnels
file on system A, the following entry should be made:</para>
<para><table><title>/etc/shorewall/tunnels system A</title><tgroup
cols="4"><thead><row><entry align="center">TYPE</entry><entry
align="center">ZONE</entry><entry align="center">GATEWAY</entry><entry
align="center">GATEWAY ZONE</entry></row></thead><tbody><row><entry>ipsec</entry><entry>net</entry><entry>0.0.0.0/0</entry><entry>vpn</entry></row></tbody></tgroup></table></para>
<para><note><para>the GATEWAY ZONE column contains the name of the zone
corresponding to peer subnetworks. This indicates that the gateway
system itself comprises the peer subnetwork; in other words, the remote
gateway is a standalone system.</para></note></para>
<para>You will need to configure /etc/shorewall/interfaces and establish
your <quote>through the tunnel</quote> policy as shown under the first
example above.</para>
</example>
</section>
<section>
<title>Dynamic RoadWarrior Zones</title>
<para>Beginning with Shorewall release 1.3.10, you can define multiple VPN
zones and add and delete remote endpoints dynamically using
/sbin/shorewall. With Shorewall 2.0.2 Beta 1 and later versions, this
capability must be enabled by setting DYNAMIC_ZONES=Yes in <ulink
url="Documentation.htm#Conf">shorewall.conf</ulink>.</para>
<para>In /etc/shorewall/zones:</para>
<table>
<title>/etc/shorewall/zones</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn1</entry>
<entry>VPN-1</entry>
<entry>First VPN Zone</entry>
</row>
<row>
<entry>vpn2</entry>
<entry>VPN-2</entry>
<entry>Second VPN Zone</entry>
</row>
<row>
<entry>vpn3</entry>
<entry>VPN-3</entry>
<entry>Third VPN Zone</entry>
</row>
</tbody>
</tgroup>
</table>
<para>In /etc/shorewall/tunnels:</para>
<table>
<title>/etc/shorewall/tunnels</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>ipsec</entry>
<entry>net</entry>
<entry>0.0.0.0/0</entry>
<entry>vpn1,vpn2,vpn3</entry>
</row>
</tbody>
</tgroup>
</table>
<para>When Shorewall is started, the zones vpn[1-3] will all be empty and
Shorewall will issue warnings to that effect. These warnings may be safely
ignored. FreeS/Wan may now be configured to have three different Road
Warrior connections with the choice of connection being based on X.509
certificates or some other means. Each of these connections will use
a different updown script that adds the remote station to the appropriate
zone when the connection comes up and deletes the remote station when
the connection comes down. For example, when 134.28.54.2 connects for the
vpn2 zone the <quote>up</quote> part of the script will issue the command:</para>
<programlisting>/sbin/shorewall add ipsec0:134.28.54.2 vpn2</programlisting>
<para>and the <quote>down</quote> part will:</para>
<programlisting>/sbin/shorewall delete ipsec0:134.28.54.2 vpn2</programlisting>
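<para>As an added illustration (not part of this document, of Shorewall or of FreeS/WAN), the wrapper below shows an updown script issuing those add and delete commands. It assumes FreeS/WAN's calling convention (the verb in the first argument, the peer address in PLUTO_PEER, the interface in PLUTO_INTERFACE), that the stock script is /usr/lib/ipsec/_updown, and a hypothetical convention of passing the zone name as the script's second argument.</para>

```shell
#!/bin/sh
# Added example, not part of Shorewall or FreeS/WAN: an updown wrapper that
# adds the remote station to a Shorewall dynamic zone when a connection
# comes up and deletes it again when the connection goes down.
#
# Assumed FreeS/WAN convention: the verb arrives in $1 (up-host, down-host,
# up-client, down-client, route-*, ...), the peer address in PLUTO_PEER and
# the ipsec interface in PLUTO_INTERFACE.  The zone name is taken from $2,
# a hypothetical convention for this example, e.g. in ipsec.conf:
#     leftupdown="/etc/ipsec.d/shorewall-updown vpn2"

SHOREWALL=${SHOREWALL:-/sbin/shorewall}
REAL_UPDOWN=${REAL_UPDOWN:-/usr/lib/ipsec/_updown}   # assumed location

# is_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255.  The peer
# address comes from pluto, but it is re-checked here before it is placed on
# a command line.  The character filter runs before the here-document so
# nothing expandable ever reaches it.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    IFS=. read -r a b c d extra <<EOF
$1
EOF
    for octet in "$a" "$b" "$c" "$d"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    [ -z "$extra" ]
}

# shorewall_zone_cmd VERB INTERFACE PEER ZONE: prints the /sbin/shorewall
# command for VERB, or nothing when VERB needs no zone change (route-*,
# prepare-*, ...).  Returns 1 and prints nothing if PEER or ZONE is not
# well formed.
shorewall_zone_cmd() {
    verb=$1; iface=$2; peer=$3; zone=$4
    is_ipv4 "$peer" || return 1
    case "$zone" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;        # zone names are plain words
    esac
    case "$verb" in
        up-host|up-client)     echo "$SHOREWALL add $iface:$peer $zone" ;;
        down-host|down-client) echo "$SHOREWALL delete $iface:$peer $zone" ;;
    esac
}

# Hook entry point: only active when pluto invoked us (PLUTO_PEER is set).
# Sourcing the file just defines the functions above.
if [ -n "$PLUTO_PEER" ] && [ -n "$1" ]; then
    if ! cmd=$(shorewall_zone_cmd "$1" "${PLUTO_INTERFACE:-ipsec0}" "$PLUTO_PEER" "$2"); then
        echo "shorewall-updown: bad peer '$PLUTO_PEER' or zone '$2'" >&2
        exit 1
    fi
    if [ -n "$cmd" ]; then
        $cmd || echo "shorewall-updown: '$cmd' failed" >&2
    fi
    # Hand over to the stock script so routes are still added and removed.
    exec "$REAL_UPDOWN" "$1"
fi
```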
<section>
<title>Limitations of Dynamic Zones</title>
<para>If you include a dynamic zone in the exclude list of a DNAT rule,
the dynamically-added hosts are not excluded from the rule.</para>
<example>
<title>dyn=dynamic zone</title>
<para><informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">CLIENT PORT(S)</entry>
<entry align="center">ORIGINAL DESTINATION</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>z!dyn</entry>
<entry>loc:192.168.1.3</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable></para>
<para>Dynamic changes to the zone <emphasis role="bold">dyn</emphasis>
will have no effect on the above rule.</para>
</example>
</section>
</section>
</article>

Shorewall-docsN/Install.xml Normal file

@ -0,0 +1,380 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Install">
<!--$Id$-->
<articleinfo>
<title>Shorewall Installation and Upgrade</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-06-25</pubdate>
<copyright>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<warning>
<para><emphasis role="bold">Note to Debian Users</emphasis></para>
<para>If you install using the .deb, you will find that your <filename
class="directory">/etc/shorewall</filename> directory is empty. This is
intentional. The released configuration file skeletons may be found on
your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the copies.</para>
<para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
and /usr/share/doc/shorewall/default-config/modules to <filename
class="directory">/etc/shorewall</filename> even if you do not modify
those files.</para>
</warning>
<section id="Install_RPM">
<title>Install using RPM</title>
<important>
<para>Before attempting installation, I strongly urge you to read and
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
QuickStart</ulink> Guide for the configuration that most closely matches
your own.</para>
</important>
<para>To install Shorewall using the RPM:</para>
<orderedlist>
<listitem>
<para>Install the RPM</para>
<programlisting><command>rpm -ivh &#60;shorewall rpm&#62;</command></programlisting>
<note>
<para>Some SuSE users have encountered a problem whereby rpm reports
a conflict with kernel &#60;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to rpm.</para>
<programlisting><command>rpm -ivh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
</note>
<note>
<para>Beginning with Shorewall 1.4.0, Shorewall is dependent on the
iproute package. Unfortunately, some distributions call this package
iproute2 which will cause the installation of Shorewall to fail with
the diagnostic:</para>
<programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.x-1</programlisting>
<para>This may be worked around by using the --nodeps option of rpm.</para>
<programlisting><command>rpm -ivh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
</note>
</listitem>
<listitem>
<para>Edit the <link linkend="Config_Files">configuration files</link>
to match your configuration.</para>
<warning>
<para>YOU CAN <emphasis role="bold">NOT</emphasis> SIMPLY INSTALL
THE RPM AND ISSUE A <quote>shorewall start</quote> COMMAND. SOME
CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU
ISSUE A <quote>start</quote> COMMAND AND THE FIREWALL FAILS TO
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF
THIS HAPPENS, ISSUE A <quote>shorewall clear</quote> COMMAND TO
RESTORE NETWORK CONNECTIVITY.</para>
</warning>
</listitem>
<listitem>
<para>Start the firewall by typing</para>
<programlisting><command>shorewall start</command></programlisting>
</listitem>
</orderedlist>
</section>
<section id="Install_Tarball">
<title>Install using tarball</title>
<important>
<para>Before attempting installation, I strongly urge you to read and
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
QuickStart</ulink> Guide for the configuration that most closely matches
your own.</para>
</important>
<para>To install Shorewall using the tarball and install script:</para>
<orderedlist>
<listitem>
<para>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</para>
</listitem>
<listitem>
<para>cd to the shorewall directory (the version is encoded in the
directory name as in <quote>shorewall-1.1.10</quote>).</para>
</listitem>
<listitem>
<para>If you are running <ulink url="http://www.slackware.com">Slackware</ulink>,
you need Shorewall 2.0.2 RC1 or later. If you are installing a
Shorewall version earlier than 2.0.3 Beta 1 then you must also edit
the install.sh file and change the lines</para>
<programlisting>DEST=&#34;/etc/init.d&#34;
INIT=&#34;shorewall&#34;</programlisting>
<para>to</para>
<programlisting>DEST=&#34;/etc/rc.d&#34;
INIT=&#34;rc.firewall&#34;</programlisting>
</listitem>
<listitem>
<para>If you are running Slackware and are installing Shorewall 2.0.3
Beta 1 or later, then type:</para>
<programlisting><command>DEST=/etc/rc.d INIT=rc.firewall ./install.sh</command></programlisting>
<para>Otherwise, type:</para>
<programlisting><command>./install.sh</command></programlisting>
</listitem>
<listitem>
<para>Edit the <link linkend="Config_Files">configuration files</link>
to match your configuration.</para>
</listitem>
<listitem>
<para>Enable Startup by removing <filename>/etc/shorewall/startup_disabled</filename>
(Debian users will edit <filename>/etc/default/shorewall</filename>
and set startup=1).</para>
</listitem>
<listitem>
<para>Start the firewall by typing</para>
<programlisting><command>shorewall start</command></programlisting>
</listitem>
<listitem>
<para>If the install script was unable to configure Shorewall to be
started automatically at boot, see <ulink
url="starting_and_stopping_shorewall.htm">these instructions</ulink>.</para>
</listitem>
</orderedlist>
</section>
<section id="LRP">
<title>Install the .lrp</title>
<important>
<para>Before attempting installation, I strongly urge you to read and
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
QuickStart</ulink> Guide for the configuration that most closely matches
your own.</para>
</important>
<para>To install my version of Shorewall on a fresh Bering disk, simply
replace the <quote>shorewall.lrp</quote> file on the image with the file
that you downloaded. See the <ulink url="two-interface.htm">two-interface
QuickStart Guide</ulink> for information about further steps required.</para>
</section>
<section id="Upgrade_RPM">
<title>Upgrade using RPM</title>
<important>
<para>Before upgrading, be sure to review the <ulink
url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
</important>
<para>If you already have the Shorewall RPM installed and are upgrading to
a new version:</para>
<important>
<para>If you are upgrading from a 1.2 version of Shorewall to a 1.4
version and you have entries in the /etc/shorewall/hosts file then
please check your /etc/shorewall/interfaces file to be sure that it
contains an entry for each interface mentioned in the hosts file. Also,
there are certain 1.2 rule forms that are no longer supported under 1.4
(you must use the new 1.4 syntax). See <ulink url="errata.htm#Upgrade">the
upgrade issues</ulink> for details.</para>
</important>
<orderedlist>
<listitem>
<para>Upgrade the RPM</para>
<programlisting><command>rpm -Uvh &#60;shorewall rpm file&#62;</command></programlisting>
<note>
<para>Some SuSE users have encountered a problem whereby rpm reports
a conflict with kernel &#60;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to rpm.</para>
<programlisting><command>rpm -Uvh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
</note>
<note>
<para>Beginning with Shorewall 1.4.0, Shorewall is dependent on the
iproute package. Unfortunately, some distributions call this package
iproute2 which will cause the upgrade of Shorewall to fail with the
diagnostic:</para>
<programlisting>error: failed dependencies:iproute is needed by shorewall-1.4.0-1</programlisting>
<para>This may be worked around by using the --nodeps option of rpm.</para>
<programlisting><command>rpm -Uvh --nodeps &#60;shorewall rpm&#62;</command></programlisting>
</note>
</listitem>
<listitem>
<para>See if there are any incompatibilities between your
configuration and the new Shorewall version and correct as necessary.</para>
<programlisting><command>shorewall check</command></programlisting>
</listitem>
<listitem>
<para>Restart the firewall.</para>
<programlisting><command>shorewall restart</command></programlisting>
</listitem>
</orderedlist>
</section>
<section id="Upgrade_Tarball">
<title>Upgrade using tarball</title>
<important>
<para>Before upgrading, be sure to review the <ulink
url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
</important>
<para>If you already have Shorewall installed and are upgrading to a new
version using the tarball:</para>
<important>
<para>If you are upgrading from a 1.2 version of Shorewall to a 1.4
version and you have entries in the /etc/shorewall/hosts file then
please check your /etc/shorewall/interfaces file to be sure that it
contains an entry for each interface mentioned in the hosts file. Also,
there are certain 1.2 rule forms that are no longer supported under 1.4
(you must use the new 1.4 syntax). See <ulink url="errata.htm#Upgrade">the
upgrade issues</ulink> for details.</para>
</important>
<orderedlist>
<listitem>
<para>unpack the tarball.</para>
<programlisting><command>tar -zxf shorewall-x.y.z.tgz</command></programlisting>
</listitem>
<listitem>
<para>cd to the shorewall directory (the version is encoded in the
directory name as in <quote>shorewall-3.0.1</quote>).</para>
</listitem>
<listitem>
<para>If you are running <ulink url="http://www.slackware.com">Slackware</ulink>,
you should use Shorewall 2.0.2 RC1 or later. If you are installing a
Shorewall version earlier than 2.0.3 Beta 1 then you must also edit
the install.sh file and change the lines</para>
<programlisting>DEST=&#34;/etc/init.d&#34;
INIT=&#34;shorewall&#34;</programlisting>
<para>to</para>
<programlisting>DEST=&#34;/etc/rc.d&#34;
INIT=&#34;rc.firewall&#34;</programlisting>
</listitem>
<listitem>
<para>If you are running Slackware and are installing Shorewall 2.0.3
Beta 1 or later, then type:</para>
<programlisting><command>DEST=/etc/rc.d INIT=rc.firewall ./install.sh</command></programlisting>
<para>Otherwise, type:</para>
<programlisting><command>./install.sh</command></programlisting>
</listitem>
<listitem>
<para>See if there are any incompatibilities between your
configuration and the new Shorewall version and correct as necessary.</para>
<programlisting><command>shorewall check</command></programlisting>
</listitem>
<listitem>
<para>Start the firewall by typing</para>
<programlisting><command>shorewall start</command></programlisting>
</listitem>
<listitem>
<para>If the install script was unable to configure Shorewall to be
started automatically at boot, see <ulink
url="starting_and_stopping_shorewall.htm">these instructions</ulink>.</para>
</listitem>
</orderedlist>
</section>
<section id="LRP_Upgrade">
<title>Upgrade the .lrp</title>
<important>
<para>Before upgrading, be sure to review the <ulink
url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
</important>
<para>There appears to be no standard method for upgrading LEAF/Bering
packages — Sorry to be so unhelpful.</para>
</section>
<section id="Config_Files">
<title>Configuring Shorewall</title>
<para>You will need to edit some or all of the configuration files to
match your setup. In most cases, the <ulink
url="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</ulink>
contain all of the information you need.</para>
</section>
<section>
<title>Uninstall/Fallback</title>
<para>See <quote><ulink url="fallback.htm">Fallback and Uninstall</ulink></quote>.</para>
</section>
</article>


@ -0,0 +1,203 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="usefull_links">
<!--$Id$-->
<articleinfo>
<title>Introduction</title>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
<pubdate>2004-02-17</pubdate>
<copyright>
<year>2003-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink type="" url="Copyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Introduction</title>
<para>The information in this document applies only to 2.0.x releases of
Shorewall.</para>
<section>
<title>Glossary</title>
<itemizedlist>
<listitem>
<para><ulink url="http://www.netfilter.org">Netfilter</ulink> - the
packet filter facility built into the 2.4 and later Linux kernels.</para>
</listitem>
<listitem>
<para>ipchains - the packet filter facility built into the 2.2 Linux
kernels. Also the name of the utility program used to configure and
control that facility. Netfilter can be used in ipchains
compatibility mode.</para>
</listitem>
<listitem>
<para>iptables - the utility program used to configure and control
Netfilter. The term <quote>iptables</quote> is often used to refer
to the combination of iptables+Netfilter (with Netfilter not in
ipchains compatibility mode).</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>What is Shorewall?</title>
<para>The Shoreline Firewall, more commonly known as <quote>Shorewall</quote>,
is a high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of configuration
files. Shorewall reads those configuration files and, with the help of
the iptables utility, configures Netfilter to match your
requirements. Shorewall can be used on a dedicated firewall system, a
multi-function gateway/router/server or on a standalone GNU/Linux
system. Shorewall does not use Netfilter&#39;s ipchains compatibility
mode and can thus take advantage of Netfilter&#39;s connection state
tracking capabilities.</para>
<para>Shorewall is not a daemon. Once Shorewall has configured
Netfilter, its job is complete, although the <ulink
url="starting_and_stopping_shorewall.htm">/sbin/shorewall program can be
used at any time to monitor the Netfilter firewall</ulink>.</para>
</section>
<section>
<title>Getting Started with Shorewall</title>
<para>New to Shorewall? Start by selecting the <ulink
url="shorewall_quickstart_guide.htm">QuickStart Guide</ulink> that most
closely matches your environment and follow the step-by-step instructions.</para>
</section>
<section>
<title>Looking for Information?</title>
<para>The <ulink url="Documentation_Index.html">Documentation Index</ulink>
is a good place to start.</para>
</section>
</section>
<section>
<title>Shorewall Concepts</title>
<para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for simple
setups, you will only need to deal with a few of them.</para>
<para>Shorewall views the network where it is running as being composed of
a set of zones. In the <ulink url="three-interface.htm">three-interface
sample configuration</ulink> for example, the following zone names are
used: <informaltable frame="all" pgwide="0">
<tgroup align="left" cols="2">
<thead valign="middle">
<row valign="middle">
<entry align="left">Name</entry>
<entry align="left">Description</entry>
</row>
</thead>
<tbody valign="middle">
<row valign="middle">
<entry align="left"><varname>net</varname></entry>
<entry align="left">The Internet</entry>
</row>
<row valign="middle">
<entry align="left"><varname>loc</varname></entry>
<entry align="left">Your Local Network</entry>
</row>
<row valign="middle">
<entry align="left"><varname>dmz</varname></entry>
<entry align="left">Demilitarized Zone</entry>
</row>
</tbody>
</tgroup>
</informaltable>Zones
are defined in the <ulink url="Documentation.htm#Zones"><filename
class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
file.</para>
<para>Shorewall also recognizes the firewall system as its own zone - by
default, the firewall itself is known as <emphasis role="bold"><varname>fw</varname></emphasis>.</para>
<para>Rules about what traffic to allow and what traffic to deny are
expressed in terms of zones.
<itemizedlist spacing="compact">
<listitem>
<para>You express your default policy for connections from one zone to
another zone in the <ulink url="Documentation.htm#Policy"><filename class="directory">/etc/shorewall/</filename><filename>policy</filename></ulink>
file. The choices for policy are:</para>
<itemizedlist>
<listitem><para>ACCEPT - Accept the connection.</para></listitem>
<listitem><para>DROP - Ignore the connection request.</para></listitem>
<listitem><para>REJECT - Return an appropriate error to the connection request.</para></listitem>
</itemizedlist>
<para>Connection request logging may be specified as part of a policy and
it is conventional to log DROP and REJECT policies.</para>
</listitem>
<listitem>
<para>You define exceptions to those default policies in the <ulink
url="Documentation.htm#Rules"><filename class="directory">/etc/shorewall/</filename><filename>rules</filename></ulink>
file.</para>
</listitem>
</itemizedlist>
For each connection request entering the firewall, the request is first
checked against the <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
file. If no rule in that file matches the connection request then the
first policy in <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
that matches the request is applied. If there is a common action defined
for the policy in /etc/shorewall/actions (or <filename>/usr/share/shorewall/actions.std</filename>)
then that action is invoked before the policy is enforced. In the standard
Shorewall distribution, the DROP policy has a common action called
<emphasis role="bold">Drop</emphasis> and the REJECT policy has a common
action called <emphasis role="bold">Reject</emphasis>. Common actions are
used primarily to discard</para>
<para>The <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
file included with the three-interface sample has the following policies:
<programlisting>#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
loc      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info</programlisting>
In the three-interface sample, the line below is included but commented
out. If you want your firewall system to have full access to servers on
the internet, uncomment that line.
<programlisting>#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
fw       net   ACCEPT</programlisting>
The above policy will:
<itemizedlist>
<listitem><para>Allow all connection requests from your local network to
the internet</para></listitem>
<listitem><para>Drop (ignore) all connection requests from the internet to
your firewall or local network; these ignored connection requests will be
logged using the <emphasis>info</emphasis> syslog priority (log level).</para></listitem>
<listitem><para>Optionally accept all connection requests from the firewall
to the internet (if you uncomment the additional policy)</para></listitem>
<listitem><para>Reject all other connection requests; these rejected
connection requests will be logged using the <emphasis>info</emphasis>
syslog priority (log level).</para></listitem>
</itemizedlist></para>
<para>The simplest way to define a zone is to associate the zone with a
network interface using the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
file. In the three-interface sample, the three zones are defined using
that file as follows:</para>
<programlisting>#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect     dhcp,routefilter,norfc1918
loc    eth1       detect
dmz    eth2       detect</programlisting>
<para>The above file defines the net zone as all hosts interfacing to the
firewall through eth0, the loc zone as all hosts interfacing through eth1
and the dmz as all hosts interfacing through eth2.</para>
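<para>The evaluation order described above (rules first, then the first matching policy line, with the DROP and REJECT common actions), worked through in shell as an added example that is not Shorewall's own code. The rules table is constructed for the example; the policy table is the three-interface sample quoted above.</para>

```shell
#!/bin/sh
# Added example; not Shorewall's own code.  A connection request is first
# checked against the rules table and, if no rule matches, the first
# matching line of the policy table decides.  The rules table below is
# constructed for this example; the policy table is the sample's, with the
# optional "fw net ACCEPT" line commented out exactly as shipped.

# Constructed rules table: ACTION SOURCE DEST PROTO PORT
RULES='
ACCEPT  net  dmz  tcp  80
ACCEPT  loc  fw   tcp  22
'

# Sample policy table: SOURCE DEST POLICY LOG-LEVEL
POLICY='
loc  net  ACCEPT
#fw  net  ACCEPT
net  all  DROP    info
all  all  REJECT  info
'

# zone_matches PATTERN ZONE: a zone column matches when it names the zone
# or is the wildcard "all".
zone_matches() { [ "$1" = all ] || [ "$1" = "$2" ]; }

# rule_lookup SRC DST PROTO PORT: prints the ACTION of the first matching
# rule; returns 1 when no rule matches.
rule_lookup() {
    while read -r action src dst proto port; do
        case "$action" in ''|'#'*) continue ;; esac    # blank or comment
        if zone_matches "$src" "$1" && zone_matches "$dst" "$2" &&
           [ "$proto" = "$3" ] && [ "$port" = "$4" ]; then
            echo "$action"
            return 0
        fi
    done <<EOF
$RULES
EOF
    return 1
}

# policy_lookup SRC DST: prints "POLICY:LEVEL" for the first matching
# policy line ("-" when the line carries no log level); returns 1 if no
# line matches (impossible here, since the sample ends with "all all").
policy_lookup() {
    while read -r src dst policy level rest; do
        case "$src" in ''|'#'*) continue ;; esac
        if zone_matches "$src" "$1" && zone_matches "$dst" "$2"; then
            echo "$policy:${level:--}"
            return 0
        fi
    done <<EOF
$POLICY
EOF
    return 1
}

# common_action POLICY: the common action the standard distribution runs
# before enforcing that policy ("-" when there is none).
common_action() {
    case "$1" in
        DROP)   echo Drop ;;
        REJECT) echo Reject ;;
        *)      echo - ;;
    esac
}

# decide SRC DST PROTO PORT: "rule:ACTION" when a rule matched, otherwise
# "policy:POLICY:LEVEL".
decide() {
    if action=$(rule_lookup "$@"); then
        echo "rule:$action"
    else
        echo "policy:$(policy_lookup "$1" "$2")"
    fi
}

# enable_fw_to_net: uncomment the optional "fw net ACCEPT" line.
enable_fw_to_net() {
    POLICY=$(printf '%s\n' "$POLICY" | sed 's/^#fw /fw /')
}
```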
</section>
<section>
<title>License</title>
<para>This program is free software; you can redistribute it and/or modify
it under the terms of <ulink url="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</ulink> as published by the Free
Software Foundation.</para>
<para>This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
for more detail.</para>
<para>You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</para>
</section>
</article>


@ -0,0 +1,63 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Shorewall and the 2.6 Linux Kernel</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2003-07-02</pubdate>
<copyright>
<year>2003</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>General</title>
<para>Shorewall is compatible with the Linux 2.6 kernel series and
contains support for the following features that are added in that series:</para>
<orderedlist>
<listitem>
<para><ulink url="netmap.html">NETMAP</ulink> Target Support.</para>
</listitem>
<listitem>
<para><ulink url="bridge.html">Bridge/Firewall</ulink> Support
(physdev match support).</para>
</listitem>
</orderedlist>
</section>
<section>
<title>IPSEC</title>
<para>The 2.6 Linux kernel introduces a new implementation of IPSEC which
eliminates the <filename class="devicefile">ipsecN</filename> device
names. Netfilter/iptables support for this new implementation is
incomplete and therefore Shorewall support is limited. See the <ulink
url="IPSEC.htm">Shorewall IPSEC documentation</ulink>.</para>
</section>
</article>


@ -0,0 +1,184 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="MAC_Validation">
<!--$Id$-->
<articleinfo>
<title>MAC Verification</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-04-05</pubdate>
<copyright>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<para>All traffic from an interface or from a subnet on an interface can be
verified to originate from a defined set of MAC addresses. Furthermore, each
MAC address may be optionally associated with one or more IP addresses.</para>
<important>
<para><emphasis role="bold">MAC addresses are only visible within an
ethernet segment so all MAC addresses used in verification must belong to
devices physically connected to one of the LANs to which your firewall is
connected.</emphasis></para>
</important>
<important>
<para><emphasis role="bold">Your kernel must include MAC match support
(CONFIG_IP_NF_MATCH_MAC - module name ipt_mac.o).</emphasis></para>
</important>
<section>
<title>Components</title>
<para>There are four components to this facility.</para>
<orderedlist>
<listitem>
<para>The <emphasis role="bold">maclist</emphasis> interface option in
<ulink url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.
When this option is specified, all traffic arriving on the interface
is subject to MAC verification.</para>
</listitem>
<listitem>
<para>The <emphasis role="bold">maclist</emphasis> option in <ulink
url="Documentation.htm#Hosts">/etc/shorewall/hosts</ulink>. When this
option is specified for a subnet, all traffic from that subnet is
subject to MAC verification.</para>
</listitem>
<listitem>
<para>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.</para>
</listitem>
<listitem>
<para>The <emphasis role="bold">MACLIST_DISPOSITION</emphasis> and
<emphasis role="bold">MACLIST_LOG_LEVEL</emphasis> variables in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC
verification. The MACLIST_LOG_LEVEL variable gives the syslogd level
at which connection requests that fail verification are to be logged.
If set to the empty value (e.g., MACLIST_LOG_LEVEL=&#34;&#34;) then
failing connection requests are not logged.</para>
</listitem>
</orderedlist>
</section>
<section>
<title>/etc/shorewall/maclist</title>
<para>The columns in /etc/shorewall/maclist are:</para>
<variablelist>
<varlistentry>
<term>INTERFACE</term>
<listitem>
<para>The name of an ethernet interface on the Shorewall system.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>MAC</term>
<listitem>
<para>The MAC address of a device on the ethernet segment attached to
INTERFACE. It is not necessary to use the Shorewall MAC format in
this column, although you may use that format if you so choose.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>IP Address</term>
<listitem>
<para>An optional comma-separated list of IP addresses for the
device whose MAC is listed in the MAC column.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section>
<title>Examples</title>
<example>
<title>Here are my files (look <ulink url="myfiles.htm">here</ulink> for
details about my setup)</title>
<para>/etc/shorewall/shorewall.conf:</para>
<programlisting>MACLIST_DISPOSITION=REJECT
MACLIST_LOG_LEVEL=info</programlisting>
<para>/etc/shorewall/interfaces:</para>
<programlisting>#ZONE  INTERFACE  BROADCAST        OPTIONS
net    eth0       206.124.146.255  dhcp,norfc1918,routefilter,blacklist,tcpflags
loc    eth2       192.168.1.255    dhcp
dmz    eth1       192.168.2.255
WiFi   eth3       192.168.3.255    dhcp,maclist
-      texas      192.168.9.255</programlisting>
<para>/etc/shorewall/maclist:</para>
<programlisting>#INTERFACE  MAC                IP ADDRESSES (Optional)
eth3        00:A0:CC:A2:0C:A0  192.168.3.7                #Work Laptop
eth3        00:04:5a:fe:85:b9  192.168.3.250              #WAP11
eth3        00:06:25:56:33:3c  192.168.3.225,192.168.3.8  #WET11
eth3        00:0b:cd:C4:cc:97  192.168.3.8                #TIPPER</programlisting>
<para>As shown above, I use MAC Verification on my wireless zone.</para>
<para><note><para>While marketed as a wireless bridge, the WET11 behaves
like a wireless router with DHCP relay. When forwarding DHCP traffic, it
uses the MAC address of the host (TIPPER) but for other forwarded
traffic it uses its own MAC address. Consequently, I list the IP
addresses of both devices in /etc/shorewall/maclist.</para></note></para>
</example>
<example>
<title>Router in Wireless Zone</title>
<para>Suppose now that I add a second wireless segment to my wireless
zone and gateway that segment via a router with MAC address
00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
segment have IP addresses in the subnet 192.168.4.0/24. I would add the
following entry to my /etc/shorewall/maclist file:</para>
<programlisting>eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24</programlisting>
<para>This entry accommodates traffic from the router itself
(192.168.3.253) and from the second wireless segment (192.168.4.0/24).
Remember that all traffic being sent to my firewall from the
192.168.4.0/24 segment will be forwarded by the router, so that
traffic&#39;s MAC address will be that of the router (00:06:43:45:C6:15)
and not that of the host sending the traffic.</para>
</example>
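<para>The following added example (not Shorewall's own code) applies the verification described in both examples above to a table built from their entries plus one constructed entry with no IP list. It shows how a host behind the router passes through the 192.168.4.0/24 entry, how an entry without IP addresses accepts any source, and why a MAC written in mixed case still matches.</para>

```shell
#!/bin/sh
# Added example, not part of Shorewall: decides whether an
# (interface, MAC, source IP) triple passes MAC verification.  The MAC must
# be listed for the interface; when the entry carries IP addresses or
# subnets the source IP must match one of them; an entry with no IP column
# accepts any source IP.  Failing triples would get MACLIST_DISPOSITION.
# Table: the entries quoted above plus one constructed entry (last line).
MACLIST='
#INTERFACE  MAC                IP ADDRESSES (Optional)
eth3        00:A0:CC:A2:0C:A0  192.168.3.7
eth3        00:04:5a:fe:85:b9  192.168.3.250
eth3        00:06:25:56:33:3c  192.168.3.225,192.168.3.8
eth3        00:0b:cd:C4:cc:97  192.168.3.8
eth3        00:06:43:45:C6:15  192.168.3.253,192.168.4.0/24
eth3        00:11:22:33:44:55
'

# ip_to_int A.B.C.D: prints the address as a 32-bit integer; fails unless
# it is exactly four octets in 0-255.  The character filter runs before
# the here-document so nothing expandable ever reaches it.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    IFS=. read -r a b c d extra <<EOF
$1
EOF
    [ -z "$extra" ] || return 1
    for octet in "$a" "$b" "$c" "$d"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# ip_in_net IP NET: NET is a host address (A.B.C.D) or a subnet
# (A.B.C.D/len), as allowed in the IP ADDRESSES column.
ip_in_net() {
    ip=$(ip_to_int "$1") || return 1
    case "$2" in
        */*) base=${2%/*}; len=${2#*/} ;;
        *)   base=$2;      len=32 ;;
    esac
    net=$(ip_to_int "$base") || return 1
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    if [ "$len" -eq 0 ]; then return 0; fi       # /0 matches everything
    # 4294967295 is 0xFFFFFFFF; the mask keeps the top "len" bits.
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# lc STRING: lowercase, so the mixed-case MACs in the table compare equal.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# maclist_verify INTERFACE MAC IP: 0 when the triple passes verification,
# 1 when it fails.
maclist_verify() {
    want_iface=$1; want_mac=$(lc "$2"); src_ip=$3
    while read -r iface mac ips rest; do
        case "$iface" in ''|'#'*) continue ;; esac        # blank or comment
        [ "$iface" = "$want_iface" ] || continue
        [ "$(lc "$mac")" = "$want_mac" ] || continue
        case "$ips" in ''|'#'*) return 0 ;; esac          # no IP list
        for net in $(printf '%s' "$ips" | tr ',' ' '); do
            if ip_in_net "$src_ip" "$net"; then return 0; fi
        done
        return 1      # MAC is listed, but the source IP is not allowed for it
    done <<EOF
$MACLIST
EOF
    return 1          # MAC is not listed on this interface
}
```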
</section>
</article>


@ -0,0 +1,342 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Multiple_Zones">
<!--$Id$-->
<articleinfo>
<title>Routing on One Interface</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-03-15</pubdate>
<copyright>
<year>2003</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Introduction</title>
<para>While most configurations can be handled with each of the
firewall&#39;s network interfaces assigned to a single zone, there are
cases where you will want to divide the hosts accessed through an
interface between two or more zones.</para>
<itemizedlist>
<listitem>
<para>The interface has multiple addresses on multiple subnetworks.
This case is covered in the <ulink
url="Shorewall_and_Aliased_Interfaces.html">Aliased Interface
documentation</ulink>.</para>
</listitem>
<listitem>
<para>You are using some form of NAT and want to access a server by
its external IP address from the same LAN segment. This is covered in
<ulink url="FAQ.htm#faq2">FAQs 2 and 2a</ulink>.</para>
</listitem>
<listitem>
<para>There are routers accessible through the interface and you want
to treat the networks accessed through that router as a separate zone.</para>
</listitem>
<listitem>
<para>Some of the hosts accessed through an interface have
significantly different firewalling requirements from the others so
you want to assign them to a different zone.</para>
</listitem>
</itemizedlist>
<para>The key points to keep in mind when setting up multiple zones per
interface are:</para>
<itemizedlist>
<listitem>
<para>Shorewall generates rules for zones in the order that the zone
declarations appear in /etc/shorewall/zones.</para>
</listitem>
<listitem>
<para>The order of entries in /etc/shorewall/hosts is immaterial as
far as the generated ruleset is concerned.</para>
</listitem>
</itemizedlist>
<para><emphasis role="bold">These examples use the local zone but the same
technique works for any zone.</emphasis> Remember that Shorewall
doesn&#39;t have any conceptual knowledge of <quote>Internet</quote>,
<quote>Local</quote>, or <quote>DMZ</quote> so all zones except the
firewall itself ($FW) are the same as far as Shorewall is concerned. Also,
the examples use private (RFC 1918) addresses but public IP addresses can
be used in exactly the same way.</para>
</section>
<section>
<title>Router in the Local Zone</title>
<para>Here is an example of a router in the local zone.</para>
<note>
<para>the <emphasis role="bold">box called <quote>Router</quote> could
be a VPN server</emphasis> or other such device; from the point of view
of this discussion, it makes no difference.</para>
</note>
<graphic fileref="images/MultiZone1.png" />
<section>
<title>Can You Use the Standard Configuration?</title>
<para>In many cases, the <ulink url="two-interface.htm">standard
two-interface Shorewall setup</ulink> will work fine in this
configuration. It will work if:</para>
<itemizedlist>
<listitem>
<para>The firewall requirements to/from the internet are the same
for 192.168.1.0/24 and 192.168.2.0/24.</para>
</listitem>
<listitem>
<para>The hosts in 192.168.1.0/24 know that the route to
192.168.2.0/24 is through the <emphasis role="bold">router</emphasis>.</para>
</listitem>
</itemizedlist>
<para>All you have to do on the firewall is add a route to
192.168.2.0/24 through the <emphasis role="bold">router</emphasis> and
restart Shorewall.</para>
</section>
<section>
<title>Will One Zone be Enough?</title>
<para>If the firewalling requirements for the two local networks is the
same but the hosts in 192.168.1.0/24 don&#39;t know how to route to
192.168.2.0/24 then you need to configure the firewall slightly
differently. This type of configuration is rather stupid from an IP
networking point of view but it is sometimes necessary because you
simply don&#39;t want to have to reconfigure all of the hosts in
192.168.1.0/24 to add a persistent route to 192.168.2.0/24. On the
firewall:</para>
<orderedlist>
<listitem>
<para>Add a route to 192.168.2.0/24 through the <emphasis
role="bold">Router</emphasis>.</para>
</listitem>
<listitem>
<para>Set the <quote>routeback</quote> and <quote>newnotsyn</quote>
options for eth1 (the local firewall interface) in
/etc/shorewall/interfaces.</para>
</listitem>
<listitem>
<para>Restart Shorewall.</para>
</listitem>
</orderedlist>
</section>
<section>
<title>I Need Separate Zones</title>
<para>If you need to make 192.168.2.0/24 into it&#39;s own zone, you can
do it one of two ways; Nested Zones or Parallel Zones.</para>
<section>
<title>Nested Zones</title>
<para>You can define one zone (called it <quote>loc</quote>) as being
all hosts connectied to eth1 and a second zone <quote>loc1</quote>
(192.168.2.0/24) as a sub-zone.</para>
<graphic fileref="images/MultiZone1A.png" />
<para>The advantage of this approach is that the zone <quote>loc1</quote>
can use CONTINUE policies such that if a connection request
doesn&#39;t match a <quote>loc1</quote> rule, it will be matched
against the <quote>loc</quote> rules. For example, if your
loc1-&#62;net policy is CONTINUE then if a connection request from
loc1 to the internet doesn&#39;t match any rules for loc1-&#62;net
then it will be checked against the loc-&#62;net rules.</para>
<para><filename>/etc/shorewall/zones</filename></para>
<programlisting>#ZONE DISPLAY COMMENTS
loc1 Local1 Hosts accessed through internal router
loc Local All hosts accessed via eth1</programlisting>
<note>
<para>the sub-zone (loc1) is defined first!</para>
</note>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST
loc eth1 192.168.1.255</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para>
<programlisting>#ZONE HOSTS
loc1 eth1:192.168.2.0/24</programlisting>
<para>If you don&#39;t need Shorewall to set up infrastructure to
route traffic between <quote>loc</quote> and <quote>loc1</quote>, add
these two policies.</para>
<para>/etc/shorewall/policy</para>
<programlisting>#SOURCE DEST POLICY
loc loc1 NONE
loc1 loc NONE</programlisting>
</section>
<section>
<title>Parallel Zones</title>
<para>You define both zones in the /etc/shorewall/hosts file to create
two disjoint zones.</para>
<graphic fileref="images/MultiZone1B.png" />
<para><filename>/etc/shorewall/zones</filename></para>
<programlisting>#ZONE DISPLAY COMMENTS
loc1 Local1 Hosts accessed Directly from Firewall
loc2 Local2 Hosts accessed via the internal Router</programlisting>
<note>
<para>Here it doesn&#39;t matter which zone is defined first.</para>
</note>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST
- eth1 192.168.1.255</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para>
<programlisting>#ZONE HOSTS
loc1 eth1:192.168.1.0/24
loc2 eth1:192.168.2.0/24</programlisting>
<para>You don&#39;t need Shorewall to set up infrastructure to route
traffic between <quote>loc</quote> and <quote>loc1</quote>, so add
these two policies:</para>
<programlisting>#SOURCE DEST POLICY
loc1 loc2 NONE
loc2 loc1 NONE</programlisting>
</section>
</section>
</section>
<section>
<title>Some Hosts have Special Firewalling Requirements</title>
<para>There are cases where a subset of the addresses associated with an
interface need special handling. Here&#39;s an example.</para>
<graphic fileref="images/MultiZone2.png" />
<para>In this example, addresses 192.168.1.8 - 192.168.1.15
(192.168.1.8/29) are to be treated as their own zone (loc1).</para>
<para><filename>/etc/shorewall/zones</filename></para>
<programlisting>#ZONE DISPLAY COMMENTS
loc1 Local1 192.168.1.8-192.168.1.15
loc Local All hosts accessed via eth1</programlisting>
<note>
<para>the sub-zone (loc1) is defined first!</para>
</note>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST
loc eth1 192.168.1.255</programlisting>
<para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS
loc1 eth1:192.168.1.8/29</programlisting></para>
<para>You probably don&#39;t want Shorewall to set up infrastructure to
route traffic between <quote>loc</quote> and <quote>loc1</quote> so you
should add these two policies.</para>
<para><filename>/etc/shorewall/policy</filename></para>
<programlisting>#SOURCE DEST POLICY
loc loc1 NONE
loc1 loc NONE</programlisting>
</section>
<section id="OneArmed">
<title>One-armed Router</title>
<para>Nested zones may also be used to configure a <quote>one-armed</quote>
router (I don&#39;t call it a <quote>firewall</quote> because it is very
insecure. For example, if you connect to the internet via cable modem,
your next door neighbor has full access to your local systems as does
everyone else connected to the same cable modem head-end controller). Here
eth0 is configured with both a public IP address and an RFC 1918 address
(More on that topic may be found <ulink
url="Shorewall_and_Aliased_Interfaces.html">here</ulink>). Hosts in the
<quote>loc</quote> zone are configured with their default gateway set to
the Shorewall router&#39;s RFC1918 address.</para>
<para><graphic fileref="images/MultiZone3.png" /></para>
<para><filename>/etc/shorewall/zones</filename></para>
<programlisting>#ZONE DISPLAY COMMENTS
loc Local Local Zone
net Internet The big bad Internet</programlisting>
<note>
<para>the sub-zone (loc) is defined first!</para>
</note>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST
net eth0 detect</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para>
<programlisting>#ZONE HOSTS OPTIONS
loc eth0:192.168.1.0/24 maclist</programlisting>
<para><filename><filename>/etc/shorewall/masq</filename></filename></para>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0:!192.168.1.0/24 192.168.1.0/24</programlisting>
<para>Note that the maclist option is specified in <filename>/etc/shorewall/interfaces</filename>.
This is to help protect your router from unauthorized access by your
friends and neighbors. Start without maclist then add it and configure
your <ulink url="MAC_Validation.html"><filename>/etc/shorewall/maclist</filename></ulink>
file when everything else is working.</para>
</section>
</article>
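Review bot: The closing note of "One-armed Router" says "the maclist option is specified in /etc/shorewall/interfaces", but in the listings above it, maclist appears in the OPTIONS column of /etc/shorewall/hosts (`loc eth0:192.168.1.0/24 maclist`) while the interfaces entry is `net eth0 detect` with no options; the note should name /etc/shorewall/hosts, otherwise a reader following it puts the option in the wrong file and gets no MAC validation on the loc zone. In "Parallel Zones", the sentence "route traffic between loc and loc1, so add these two policies" refers to zones that section never defines; its zones are loc1 and loc2, which is what the policy lines `loc1 loc2 NONE` / `loc2 loc1 NONE` use, and the `<para><filename>/etc/shorewall/policy</filename></para>` label that the sibling sections place before their policy listing is missing here. Minor: `<para><filename><filename>/etc/shorewall/masq</filename></filename></para>` doubles the filename element; "make 192.168.2.0/24 into it's own zone" should be "its own"; in "Nested Zones", "called it loc" should be "call it loc" and "connectied" should be "connected"; the note "the box called Router could be a VPN server" starts lowercase.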

111
Shorewall-docsN/NAT.xml Normal file

@ -0,0 +1,111 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="NAT">
<!--$Id$-->
<articleinfo>
<title>One-to-one NAT</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-02-04</pubdate>
<copyright>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>One-to-one NAT</title>
<important>
<para><emphasis role="bold">If all you want to do is forward ports to
servers behind your firewall, you do NOT want to use one-to-one NAT.
Port forwarding can be accomplished with simple entries in the <ulink
url="Documentation.htm#Rules">rules file</ulink>.</emphasis></para>
</important>
<para>One-to-one NAT is a way to make systems behind a firewall and
configured with private IP addresses (those reserved for private use in
RFC 1918) appear to have public IP addresses. Before you try to use this
technique, I strongly recommend that you read the <ulink
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>.</para>
<para>The following figure represents a one-to-one NAT environment.</para>
<graphic fileref="images/staticnat.png" />
<para>One-to-one NAT can be used to make the systems with the 10.1.1.*
addresses appear to be on the upper (130.252.100.*) subnet. If we assume
that the interface to the upper subnet is eth0, then the following
/etc/shorewall/NAT file would make the lower left-hand system appear to
have IP address 130.252.100.18 and the right-hand one to have IP address
130.252.100.19.</para>
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
130.252.100.18 eth0 10.1.1.2 no no
130.252.100.19 eth0 10.1.1.3 no no</programlisting></para>
<para>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
above example) is (are) not included in any specification in
/etc/shorewall/masq or /etc/shorewall/proxyarp.</para>
<note>
<para>The <quote>ALL INTERFACES</quote> column is used to specify
whether access to the external IP from all firewall interfaces should
undergo NAT (Yes or yes) or if only access from the interface in the
INTERFACE column should undergo NAT. If you leave this column empty,
<quote>No</quote> is assumed (Shorewall 2.0.0 and later -- prior to
this, <quote>Yes</quote> was assumed). <emphasis role="bold">Specifying
<quote>Yes</quote> in this column will not allow systems on the lower
LAN to access each other using their public IP addresses.</emphasis> For
example, the lower left-hand system (10.1.1.2) cannot connect to
130.252.100.19 and expect to be connected to the lower right-hand
system. <ulink url="FAQ.htm#faq2a">See FAQ 2a</ulink>.</para>
</note>
<note>
<para>Shorewall will automatically add the external address to the
specified interface unless you specify <ulink
url="Documentation.htm#Aliases">ADD_IP_ALIASES</ulink>=<quote>no</quote>
(or <quote>No</quote>) in /etc/shorewall/shorewall.conf; If you do not
set ADD_IP_ALIASES or if you set it to <quote>Yes</quote> or
<quote>yes</quote> then you must NOT configure your own alias(es).</para>
<para><important><para>Shorewall versions earlier than 1.4.6 can only
add external addresses to an interface that is configured with a single
subnetwork -- if your external interface has addresses in more than one
subnetwork, Shorewall 1.4.5 and earlier can only add addresses to the
first one.</para></important></para>
</note>
<note>
<para>The contents of the <quote>LOCAL</quote> column determine whether
packets originating on the firewall itself and destined for the EXTERNAL
address are redirected to the internal ADDRESS. If this column contains
<quote>yes</quote> or <quote>Yes</quote> (and the ALL INTERFACES COLUMN
also contains <quote>Yes</quote> or <quote>yes</quote>) then such
packets are redirected; otherwise, such packets are not redirected. This
feature requires kernel 2.4.19 or later and iptables 1.2.6a or later and
you must have enabled CONFIG_IP_NF_NAT_LOCAL in your kernel.</para>
</note>
</section>
</article>
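Review bot: The paragraph introducing the example says "the following /etc/shorewall/NAT file" while the listing is labelled `/etc/shorewall/nat` and the following paragraph refers to /etc/shorewall/masq and /etc/shorewall/proxyarp in lowercase; filenames are case-sensitive, so the prose should say /etc/shorewall/nat. Markup: `<para><important><para>` in the ADD_IP_ALIASES note wraps an admonition inside a second paragraph of the note; the important should be a sibling of the note's first para, not nested in its own para. Also in that note, "in /etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES" needs a period rather than a semicolon before "If".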


@ -0,0 +1,228 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="NetfilterOverview">
<!--$Id$-->
<articleinfo>
<title>Netfilter Overview</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-03-12</pubdate>
<copyright>
<year>2003</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Netfilter Overview</title>
<para>Netfilter consists of three tables: <emphasis role="bold">Filter</emphasis>,
<emphasis role="bold">Nat</emphasis> and <emphasis role="bold">Mangle</emphasis>.
Each table has a number of build-in chains: <emphasis role="bold">PREROUTING</emphasis>,
<emphasis role="bold">INPUT</emphasis>, <emphasis role="bold">FORWARD</emphasis>,
<emphasis role="bold">OUTPUT</emphasis> and <emphasis role="bold">POSTROUTING</emphasis>.</para>
<para>Rules in the various tables are used as follows:</para>
<variablelist>
<varlistentry>
<term>Filter</term>
<listitem>
<para>Packet filtering (rejecting, dropping or accepting packets)</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Nat</term>
<listitem>
<para>Network Address Translation including DNAT, SNAT and
Masquerading</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Mangle</term>
<listitem>
<para>General packet header modification such as setting the TOS
value or marking packets for policy routing and traffic shaping.</para>
</listitem>
</varlistentry>
</variablelist>
<para>The following diagram shows how packets traverse the various builtin
chains within Netfilter. Note that not all table/chain combinations are
used.</para>
<graphic fileref="images/Netfilter.png" />
<para><quote>Local Process</quote> means a process running on the
Shorewall system itself.</para>
<para>A more elaborate version of this flow is available <ulink
url="http://shorewall.net/pub/shorewall/misc/netfilterflow.pdf">here</ulink>.</para>
<para>In the above diagram are boxes similar to this:</para>
<graphic fileref="images/Legend.png" />
<para>The above box gives the name of the built-in chain (<emphasis
role="bold">INPUT</emphasis>) along with the names of the tables (<emphasis
role="bold">Mangle</emphasis> and <emphasis role="bold">Filter</emphasis>)
that the chain exists in and in the order that the chains are traversed.
The above sample indicates that packets go first through the <emphasis
role="bold">INPUT</emphasis> chain of the <emphasis role="bold">Mangle</emphasis>
table then through the <emphasis role="bold">INPUT</emphasis> chain of the
<emphasis role="bold">Filter</emphasis> table. When a chain is enclosed in
parentheses, Shorewall does not use the named chain (<emphasis role="bold">INPUT</emphasis>)
in that table (<emphasis role="bold">Mangle</emphasis>).</para>
<important>
<para>Keep in mind that chains in the <emphasis role="bold">Nat</emphasis>
table are <emphasis role="bold">only traversed for new connection
requests</emphasis> (including those related to existing connections)
while the chains in the other tables are traversed on every packet.</para>
</important>
<para>The above diagram should help you understand the output of
<quote>shorewall status</quote>.</para>
<para>Here are some excerpts from <quote>shorewall status</quote> on a
server with one interface (eth0):</para>
<programlisting>[root@lists html]# shorewall status
Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003
Counters reset Sat Oct 11 08:12:57 PDT 2003</programlisting>
<para>The first table shown is the <emphasis role="bold">Filter</emphasis>
table.</para>
<programlisting>Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
679K 182M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
785K 93M accounting all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID</programlisting>
<para>The following rule indicates that all traffic destined for the
firewall that comes into the firewall on eth0 is passed to a chain called
<quote>eth0_in</quote>. That chain will be shown further down.</para>
<programlisting> 785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:&#39;
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 accounting all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:&#39;
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
679K 182M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
922K 618M accounting all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
922K 618M fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:&#39;
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0</programlisting>
<para>Here is the eth0_in chain:</para>
<programlisting>Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
785K 93M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
785K 93M net2fw all -- * * 0.0.0.0/0 0.0.0.0/0</programlisting>
<para>The <quote>dynamic</quote> chain above is where dynamic blacklisting
is done.</para>
<para>Next comes the <emphasis role="bold">Nat</emphasis> table:</para>
<programlisting>NAT Table
Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes)
pkts bytes target prot opt in out source destination
20005 1314K net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 678K packets, 44M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 678K packets, 44M bytes)
pkts bytes target prot opt in out source destination
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
638 32968 REDIRECT tcp -- * * 0.0.0.0/0 !206.124.146.177 tcp dpt:80 redir ports 3128
</programlisting>
<para>And finally, the <emphasis role="bold">Mangle</emphasis> table:</para>
<programlisting>Mangle Table
Chain PREROUTING (policy ACCEPT 14M packets, 2403M bytes)
pkts bytes target prot opt in out source destination
1464K 275M pretos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 14M packets, 2403M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 15M packets, 7188M bytes)
pkts bytes target prot opt in out source destination
1601K 800M outtos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 15M packets, 7188M bytes)
pkts bytes target prot opt in out source destination
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
315K 311M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
683 59143 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
3667 5357K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
271K 15M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
730 41538 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
2065 111K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08</programlisting>
</section>
</article>
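Review bot: "Each table has a number of build-in chains" should read "built-in" (the later paragraph spells it "builtin"; one spelling should be used throughout). The legend paragraph's "the names of the tables ... that the chain exists in and in the order that the chains are traversed" is ambiguous about what is ordered; it is the tables that are listed in the order the chain is traversed in each of them, so something like "listed in the order in which that chain is traversed in each table" is clearer. The NAT table listing has an empty line before `</programlisting>` after the REDIRECT rule, which renders as a stray blank line; the other listings close on their last rule. Since the important admonition states that Nat chains are only traversed for new connection requests, it would be worth repeating that next to the NAT listing: the 20005 packets counted on `net_dnat` are first packets of connections, not all packets, which is why they are far below the Filter and Mangle counters.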

340
Shorewall-docsN/OPENVPN.xml Normal file

@ -0,0 +1,340 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="OPENVPN">
<!--$Id$-->
<articleinfo>
<title>OpenVPN Tunnels</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
<author>
<firstname>Simon</firstname>
<surname>Mater</surname>
</author>
</authorgroup>
<pubdate>2003-02-04</pubdate>
<copyright>
<year>2003</year>
<holder>Thomas M. Eastep</holder>
<holder>Simon Mater</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<para>OpenVPN is a robust and highly configurable VPN (Virtual Private
Network) daemon which can be used to securely link two or more private
networks using an encrypted tunnel over the internet. OpenVPN is an Open
Source project and is <ulink
url="http://openvpn.sourceforge.net/license.html">licensed under the GPL</ulink>.
OpenVPN can be downloaded from <ulink url="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</ulink>.</para>
<para>OpenVPN support was added to Shorewall in version 1.3.14.</para>
<section>
<title>Bridging two Masqueraded Networks</title>
<para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png" />
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file and the
/etc/shorewall/policy file and OpenVPN.</para>
<para>While it was possible to use the Shorewall start and stop script to
start and stop OpenVPN, I decided to use the init script of OpenVPN to
start and stop it.</para>
<para>On each firewall, you will need to declare a zone to represent the
remote subnet. We&#39;ll assume that this zone is called <quote>vpn</quote>
and declare it in /etc/shorewall/zones on both systems as follows.</para>
<table>
<title>/etc/shorewall/zones system A &#38; B</title>
<tgroup cols="3">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">DISPLAY</entry>
<entry align="center">COMMENTS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>VPN</entry>
<entry>Remote Subnet</entry>
</row>
</tbody>
</tgroup>
</table>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis role="bold">vpn</emphasis>
zone. In /etc/shorewall/interfaces:</para>
<table>
<title>etc/shorewall/interfaces system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tun0</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<table>
<title>/etc/shorewall/tunnels system A</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>openvpn</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>This entry in /etc/shorewall/tunnels opens the firewall so that
OpenVPN traffic on the default port 5000/udp will be accepted to/from the
remote gateway. If you change the port used by OpenVPN to 7777, you can
define /etc/shorewall/tunnels like this:</para>
<table>
<title>/etc/shorewall/tunnels port 7777</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>openvpn:7777</entry>
<entry>net</entry>
<entry>134.28.54.2</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>This is the OpenVPN config on system A:</para>
<programlisting>dev tun
local 206.162.148.9
remote 134.28.54.2
ifconfig 192.168.99.1 192.168.99.2
up ./route-a.up
tls-server
dh dh1024.pem
ca ca.crt
cert my-a.crt
key my-a.key
comp-lzo
verb 5</programlisting>
<para>Similarly, On system B the 192.168.1.0/24 subnet will comprise the
<emphasis role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
<table>
<title>/etc/shorewall/interfaces system B</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">ZONE</entry>
<entry align="center">INTERFACE</entry>
<entry align="center">BROADCAST</entry>
<entry align="center">OPTIONS</entry>
</row>
</thead>
<tbody>
<row>
<entry>vpn</entry>
<entry>tun0</entry>
<entry>192.168.1.255</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>In /etc/shorewall/tunnels on system B, we have:</para>
<table>
<title>/etc/shorewall/tunnels system B</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">TYPE</entry>
<entry align="center">ZONE</entry>
<entry align="center">GATEWAY</entry>
<entry align="center">GATEWAY ZONE</entry>
</row>
</thead>
<tbody>
<row>
<entry>openvpn</entry>
<entry>net</entry>
<entry>206.191.148.9</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>And in the OpenVPN config on system B:</para>
<programlisting>dev tun
local 134.28.54.2
remote 206.162.148.9
ifconfig 192.168.99.2 192.168.99.1
up ./route-b.up
tls-client
ca ca.crt
cert my-b.crt
key my-b.key
comp-lzo
verb 5</programlisting>
<para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone on both systems -- if you simply want to
admit all traffic in both directions, you can use the policy file:</para>
<table>
<title>/etc/shorewall/policy system A &#38; B</title>
<tgroup cols="4">
<thead>
<row>
<entry align="center">SOURCE</entry>
<entry align="center">DEST</entry>
<entry align="center">POLICY</entry>
<entry align="center">LOG LEVEL</entry>
</row>
</thead>
<tbody>
<row>
<entry>loc</entry>
<entry>vpn</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
<row>
<entry>vpn</entry>
<entry>loc</entry>
<entry>ACCEPT</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>On both systems, restart Shorewall and start OpenVPN. The systems in
the two masqueraded subnetworks can now talk to each other.</para>
</section>
</article>
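Review bot: The system B tunnels entry gives the gateway as 206.191.148.9, but system A's OpenVPN config says `local 206.162.148.9` and system B's says `remote 206.162.148.9`; one of these is a typo, and as written the tunnels rule on B opens the firewall for an address the tunnel never uses while UDP traffic from the real peer stays blocked. The three values should agree. Second, system B's interfaces entry sets BROADCAST to 192.168.1.255 for tun0 while system A leaves the column blank; tun0 is a point-to-point interface carrying the 192.168.99.1/192.168.99.2 addresses from `ifconfig`, and 192.168.1.255 is the broadcast address of the remote LAN, so the column should be blank as on A. Minor: the table title "etc/shorewall/interfaces system A" lacks the leading slash, and "Similarly, On system B" should use lowercase "on".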

1457
Shorewall-docsN/PPTP.xml Normal file

File diff suppressed because it is too large Load Diff


@ -0,0 +1,192 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="ProxyARP">
<!--$Id$-->
<articleinfo>
<title>Proxy ARP</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-02-14</pubdate>
<copyright>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<para>Proxy ARP allows you to insert a firewall in front of a set of servers
without changing their IP addresses and without having to re-subnet. Before
you try to use this technique, I strongly recommend that you read the <ulink
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink>.</para>
<section>
<title>Example</title>
<para>The following figure represents a Proxy ARP environment.</para>
<graphic fileref="images/proxyarp.png" />
<para>Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper
(130.252.100.*) subnet. Assuming that the upper firewall interface is eth0
and the lower interface is eth1, this is accomplished using the following
entries in <filename>/etc/shorewall/proxyarp</filename>:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
130.252.100.18 eth1 eth0 no yes
130.252.100.19 eth1 eth0 no yes </programlisting>
<para>Be sure that the internal systems (130.242.100.18 and 130.252.100.19
in the above example) are not included in any specification in
<filename>/etc/shorewall/masq</filename> or <filename>/etc/shorewall/nat</filename>.</para>
<note>
<para>I&#39;ve used an RFC1918 IP address for eth1 - that IP address is
largely irrelevant (see below).</para>
</note>
<para>The lower systems (130.252.100.18 and 130.252.100.19) should have
their subnet mask and default gateway configured exactly the same way that
the Firewall system&#39;s eth0 is configured. In other words, they should
be configured just like they would be if they were parallel to the
firewall rather than behind it.</para>
<warning>
<para>Do not add the Proxy ARP&#39;ed address(es) (130.252.100.18 and
130.252.100.19 in the above example) to the external interface (eth0 in
this example) of the firewall.</para>
</warning>
<para>While the address given to the firewall interface is largely
irrelevant, one approach you can take is to make that address the same as
the address of your external interface!</para>
<graphic align="center" fileref="images/proxyarp1.png" />
<para>It the diagram above, <filename class="devicefile">eth1</filename>
has been given the address 130.252.100.17, the same as
<filename>eth0</filename>. Note though that the VLSM is 32 so there is no
network associated with this address. This is the approach <ulink
url="myfiles.htm">that I take with my DMZ</ulink>.</para>
<warning>
<para>Your distribution&#39;s network configuration GUI may not be
capable of configuring a device in this way. It may complain about the
duplicate address or it may configure the address incorrectly. Here is
what the above configuration should look like when viewed using
<command>ip</command> (the part of the output that is in <emphasis
role="bold">bold text</emphasis> is relevant):</para>
<programlisting>gateway:~# <command>ip addr ls eth1</command>
3: eth1: &#60;BROADCAST,MULTICAST,UP&#62; mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:a0:cc:d1:db:12 brd ff:ff:ff:ff:ff:ff
<emphasis role="bold">inet 130.252.100.17/32 scope global eth1</emphasis>
gateway:~#</programlisting>
<para>Note in particular that there is no broadcast address. <ulink
url="myfiles.htm#Interfaces">Here is how I configure a device in this
way under Debian</ulink>.</para>
</warning>
</section>
<section>
<title>ARP cache</title>
<para>A word of warning is in order here. ISPs typically configure their
routers with a long ARP cache timeout. If you move a system from parallel
to your firewall to behind your firewall with Proxy ARP, it will probably
be HOURS before that system can communicate with the internet. There are a
couple of things that you can try:</para>
<orderedlist>
<listitem>
<para>A reading of <citetitle>TCP/IP Illustrated, Vol 1</citetitle> by
Stevens reveals<footnote><para>Courtesy of Bradey Honsinger</para></footnote>
that a <quote>gratuitous</quote> ARP packet should cause the ISP&#39;s
router to refresh their ARP cache (section 4.7). A gratuitous ARP is
simply a host requesting the MAC address for its own IP; in addition
to ensuring that the IP address isn&#39;t a duplicate...</para>
<blockquote>
<para>if the host sending the gratuitous ARP has just changed its
hardware address..., this packet causes any other host...that has an
entry in its cache for the old hardware address to update its ARP
cache entry accordingly.</para>
</blockquote>
<para>Which is, of course, exactly what you want to do when you switch
a host from being exposed to the Internet to behind Shorewall using
proxy ARP (or one-to-one NAT for that matter). Happily enough, recent
versions of Redhat&#39;s iputils package include <quote>arping</quote>,
whose <quote>-U</quote> flag does just that:</para>
<programlisting>arping -U -I &#60;<emphasis>net if</emphasis>&#62; &#60;<emphasis>newly proxied IP</emphasis>&#62;
arping -U -I eth0 66.58.99.83 # for example</programlisting>
<para>Stevens goes on to mention that not all systems respond
correctly to gratuitous ARPs, but googling for <quote>arping -U</quote>
seems to support the idea that it works most of the time.</para>
<para>To use arping with Proxy ARP in the above example, you would
have to:</para>
<programlisting>shorewall clear
ip addr add 130.252.100.18 dev eth0
ip addr add 130.252.100.19 dev eth0
arping -U -I eth0 130.252.100.18
arping -U -I eth0 130.252.100.19
ip addr del 130.252.100.18 dev eth0
ip addr del 130.252.100.19 dev eth0
shorewall start</programlisting>
</listitem>
<listitem>
<para>You can call your ISP and ask them to purge the stale ARP cache
entry but many either can&#39;t or won&#39;t purge individual entries.</para>
</listitem>
</orderedlist>
<para>You can determine if your ISP&#39;s gateway ARP cache is stale using
ping and tcpdump. Suppose that we suspect that the gateway router has a
stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as
follows:</para>
<programlisting>tcpdump -nei eth0 icmp</programlisting>
<para>Now from 130.252.100.19, ping the ISP&#39;s gateway (which we will
assume is 130.252.100.254):</para>
<programlisting>ping 130.252.100.254</programlisting>
<para>We can now observe the tcpdump output:</para>
<programlisting>13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 130.252.100.19 &#62; 130.252.100.254: icmp: echo request (DF)
13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 130.252.100.254 &#62; 130.252.100.177 : icmp: echo reply</programlisting>
<para>Notice that the source MAC address in the echo request is different
from the destination MAC address in the echo reply!! In this case
0:4:e2:20:20:33 was the MAC of the firewall&#39;s eth0 NIC while
0:c0:a8:50:b2:57 was the MAC address of the system on the lower left. In
other words, the gateway&#39;s ARP cache still associates 130.252.100.19
with the NIC in that system rather than with the firewall&#39;s eth0.</para>
</section>
</article>
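Review bot: the address in the masq/nat warning (`Be sure that the internal systems (130.242.100.18 and 130.252.100.19`) has a typo; the proxyarp entries above list 130.252.100.18, so this should read 130.252.100.18. Two more inconsistencies in the same hunk: `It the diagram above,` should be `In the diagram above,`, and in the tcpdump output the echo reply is shown as `130.252.100.254 > 130.252.100.177`, while the echo request came from 130.252.100.19; the reply should be addressed to 130.252.100.19, otherwise the MAC comparison the following paragraph draws does not line up with the addresses shown. Finally, the arping sequence brackets the address changes with `shorewall clear` and `shorewall start`, which leaves the firewall with no rules loaded while the two addresses are temporarily held on eth0; a sentence stating that the firewall is open during those commands, and that they should be run as one uninterrupted sequence (from a script rather than typed one at a time), would help readers who run them interactively.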


@ -0,0 +1,152 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Shorewall Release Model</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-07-03</pubdate>
<copyright>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Shorewall Releases</title>
<orderedlist>
<listitem>
<para>Releases have a three-level identification
<firstterm>x.y.z</firstterm> (e.g., 2.0.3).</para>
</listitem>
<listitem>
<para>The first two levels (<emphasis>x.y</emphasis>) designate the
<firstterm>Major Release Number</firstterm> (e.g., 2.0).</para>
</listitem>
<listitem>
<para>The third level (<emphasis>z</emphasis>) designates the
<firstterm>Minor Release Number</firstterm>.</para>
</listitem>
<listitem>
<para>Even numbered major releases (e.g., 1.4, 2.0, 2.2, ...) are
<firstterm>Stable Releases</firstterm>. No new features are added to
stable releases and new minor releases of a stable release will only
contain bug fixes. Installing a new minor release for the major
release that you are currently running involves no migration issues
(for example, if you are running 1.4.10 and I release 1.4.11, your
current configuration is 100% compatible with the new release).</para>
</listitem>
<listitem>
<para>Support is available through the <ulink
url="http://lists.shorewall.net">Mailing List</ulink> for the two most
recent Stable Releases.</para>
</listitem>
<listitem>
<para>Odd numbered major releases (e.g., 2.1, 2.3, ...) are
<firstterm>Development Releases</firstterm>. Development releases are
where new functionality is introduced. Documentation for new features
will be available but it may not be up to the standards of the stable
release documentation. Sites running Development Releases should be
prepared to play an active role in testing new features. Bug fixes and
problem resolution for the development release take a back seat to
support of the stable releases. Problem reports for the current
development release should be sent to the <ulink
url="mailto:shorewall-devel@lists.shorewall.net">Shorewall Development
Mailing List</ulink>.</para>
</listitem>
<listitem>
<para>When the level of functionality of the current development
release is judged adaquate, the <firstterm>Beta period</firstterm> for
a new Stable release will begin. Beta releases have identifications of
the form <emphasis>x.y.0-BetaN</emphasis> where <emphasis>x.y</emphasis>
is the number of the next Stable Release and <emphasis>N</emphasis>=1,2,3...
. Betas are expected to occur rougly once per year. Beta releases may
contain new functionality not present in the previous beta release
(e.g., 2.2.0-Beta4 may contain functionality not present in
2.2.0-Beta3). When I&#39;m confident that the current Beta release is
stable, I will release the first <firstterm>Release Candidate</firstterm>.
Release candidates have identifications of the form
<emphasis>x.y.0-RCn</emphasis> where <emphasis>x.y</emphasis> is the
number of the next Stable Release and <emphasis>n</emphasis>=1,2,3...
. Release candidates contain no new functionailty -- they only contain
bug fixes. When the stability of the current release candidate is
judged to be sufficient then that release candidate will be released
as the new stable release (e.g., 2.2.0). At that time, the new stable
release and the prior stable release are those that are supported.</para>
</listitem>
<listitem>
<para>What does it mean for a major release to be
<firstterm>supported</firstterm>? It means that I will answer
questions about the release and that if a bug is found, I will fix the
bug and include the fix in the next minor release.</para>
</listitem>
<listitem>
<para>Between minor releases, bug fixes will continue to be made
available through the <ulink url="errata.htm">Errata page</ulink> for
each major release.</para>
</listitem>
</orderedlist>
<para>The currently-supported major releases are 1.4 and 2.0.</para>
</section>
<section>
<title>Old Release Model</title>
<para>This release model described above was adopted on 2003-07-03. Prior
to that time, a different release model was followed. Highlights of that
model were:</para>
<orderedlist>
<listitem>
<para>Releases were numbered in a manner similar to the current
release model.</para>
</listitem>
<listitem>
<para>New functionality was added in minor releases of the current
major release. There was no concept of Stable vs Development major
releases.</para>
</listitem>
<listitem>
<para>Bug fix only releases were always against the last minor release
of a major release and had identifications of the form
<emphasis>x.y.zX</emphasis> (e.g., 2.0.3c) where <emphasis>X</emphasis>=1,b,c,...
. Consequently, if a user required a bug fix but was not running the
last minor release of the associated major release then it was
necessary to accept new functionailty along with the bug fix.</para>
</listitem>
</orderedlist>
</section>
</article>
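Review bot: the adoption date in `This release model described above was adopted on 2003-07-03` conflicts with the article's own pubdate of 2004-07-03 and with the statement that the currently supported releases are 1.4 and 2.0 under this model; one of the two dates is wrong and should be reconciled (`The release model` also reads better than `This release model`). In the Old Release Model list, `<emphasis>X</emphasis>=1,b,c,...` should be `a,b,c,...` to match the example 2.0.3c. Spelling: `adaquate` should be `adequate`, `rougly` should be `roughly`, and `functionailty` appears twice for `functionality`. The three list items that end an enumeration with `...` followed by a line break and ` .` render with a stray space before the period; move the period onto the preceding line or drop it.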


@ -0,0 +1,98 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Shorewall_Doesnt">
<!--$Id$-->
<articleinfo>
<title>Some Things that Shorewall Does Not Do</title>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
<pubdate>2004-06-08</pubdate>
<copyright>
<year>2003</year>
<year>2004</year>
<holder>Thomas M Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Shorewall Does not:</title>
<itemizedlist>
<listitem>
<para>Act as a <quote>Personal Firewall</quote> that allows internet
access by application.</para>
</listitem>
<listitem>
<para>Work with an Operating System other than Linux (version &#62;=
2.4.0)</para>
</listitem>
<listitem>
<para>Do content filtering:</para>
<itemizedlist>
<listitem>
<para>HTTP - better to use <ulink url="Shorewall_Squid_Usage.html">Squid</ulink>
for that.</para>
</listitem>
<listitem>
<para>Email -- Install something like <ulink
url="http://www.postfix.org">Postfix</ulink> on your firewall and
integrate it with <ulink url="http://www.spamassassin.org/">SpamAssassin</ulink>
and <ulink url="http://www.ijs.si/software/amavisd/">Amavisd-new</ulink>.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Set up Routing (except to support <ulink url="ProxyARP.htm">Proxy
ARP</ulink>)</para>
</listitem>
<listitem>
<para>Do Traffic Shaping/Bandwidth Management (although it provides
<ulink url="traffic_shaping.htm">hooks to interface to Traffic
Control/Bandwidth Management solutions</ulink>)</para>
</listitem>
<listitem>
<para>Configure/manage Network Devices (your Distribution includes
tools for that).</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>In Addition:</title>
<itemizedlist>
<listitem>
<para>Shorewall does not contain any support for Netfilter <ulink
url="http://www.netfilter.org/documentation/pomlist/pom-summary.html">Patch-O-Matic</ulink>
features or any other features that require kernel patching --
Shorewall only supports features from released kernels.</para>
</listitem>
</itemizedlist>
</section>
</article>
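Review bot: the Squid link `<ulink url="Shorewall_Squid_Usage.html">` uses a .html extension while every other local cross-reference in this commit uses .htm (`ProxyARP.htm`, `traffic_shaping.htm`, `errata.htm`, `GnuCopyright.htm`); unless the Squid page is published under a different name this link will not resolve, so please make the extension consistent. Style: `<author>` sits directly under `<articleinfo>` here while the other articles in this commit wrap it in `<authorgroup>`; both are valid DocBook, but the stylesheets may render them differently, so one convention across the set would be better. The two content-filtering items also use different dashes (`HTTP - better` versus `Email --`).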


@ -0,0 +1,317 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Shorewall_Squid_Usage">
<!--$Id$-->
<articleinfo>
<title>Using Shorewall with Squid</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-04-19</pubdate>
<copyright>
<year>2003-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<para></para>
<para>This page covers Shorewall configuration to use with <ulink
url="http://www.squid-cache.org">Squid</ulink> running as a Transparent
Proxy or as a Manual Proxy.</para>
<para>If you are running Shorewall 1.3, please see <ulink
url="1.3/Shorewall_Squid_Usage.html">this documentation</ulink>.</para>
<section>
<title>Squid as a Transparent Proxy</title>
<caution>
<para>Please observe the following general requirements:</para>
<itemizedlist>
<listitem>
<para>In all cases, Squid should be configured to run as a transrent
proxy as described at <ulink
url="http://tldp.org/HOWTO/mini/TransparentProxy.html">http://tldp.org/HOWTO/mini/TransparentProxy.html</ulink>.</para>
</listitem>
<listitem>
<para>The following instructions mention the files
/etc/shorewall/start and /etc/shorewall/init -- if you don&#39;t
have those files, siimply create them.</para>
</listitem>
<listitem>
<para>When the Squid server is in the DMZ zone or in the local zone,
that zone must be defined ONLY by its interface -- no
/etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP
addresses.</para>
</listitem>
<listitem>
<para>You must have iptables installed on your Squid server.</para>
</listitem>
<listitem>
<para>If you run a Shorewall version earlier than 1.4.6, you must
have NAT and MANGLE enabled in your /etc/shorewall/conf file</para>
<programlisting>NAT_ENABLED=Yes
MANGLE_ENABLED=Yes</programlisting>
</listitem>
</itemizedlist>
</caution>
</section>
<section>
<title>Configurations</title>
<para>Three different configurations are covered:</para>
<simplelist>
<member>Squid (transparent) Running on the Firewall</member>
<member>Squid (transparent) Running in the local Network</member>
<member>Squid (transparent) Running in a DMZ</member>
</simplelist>
<section id="Firewall">
<title>Squid (transparent) Running on the Firewall</title>
<para>You want to redirect all local www connection requests EXCEPT
those to your own http server (206.124.146.177) to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid will of
course require access to remote web servers.</para>
<para>In <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
REDIRECT loc 3228 tcp www - !206.124.146.177
ACCEPT fw net tcp www</programlisting>
<para>There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want
requests destined for 130.252.100.0/24 to not be routed to Squid.</para>
<para>If you are running Shorewall version 1.4.5 or later, you may just
add the additional hosts/networks to the ORIGINAL DEST column in your
REDIRECT rule.</para>
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
REDIRECT loc 3228 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
<para>If you are running a Shorewall version earlier than 1.4.5, you
must add a manual rule in /etc/shorewall/start:</para>
<programlisting><command>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN</command></programlisting>
<para>To exclude additional hosts or networks, just add additional
similar rules.</para>
</section>
<section id="Local">
<title>Squid (transparent) Running in the local network</title>
<para>You want to redirect all local www connection requests to a Squid
transparent proxy running in your local zone at 192.168.1.3 and
listening on port 3128. Your local interface is eth1. There may also be
a web server running on 192.168.1.3. It is assumed that web access is
already enabled from the local zone to the internet..</para>
<orderedlist>
<listitem>
<para>* On your firewall system, issue the following command</para>
<programlisting><command>echo 202 www.out &#62;&#62; /etc/iproute2/rt_tables</command></programlisting>
</listitem>
<listitem>
<para>In /etc/shorewall/init, put:</para>
<programlisting><command>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
ip rule add fwmark CA table www.out # Note 0xCA = 202
ip route add default via 192.168.1.3 dev eth1 table www.out
ip route flush cache
echo 0 &#62; /proc/sys/net/ipv4/conf/eth1/send_redirects
fi</command></programlisting>
</listitem>
<listitem>
<important>
<para>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a,
please upgrade to Shorewall 1.4.2 or later.</para>
</important>
<para>If you are running Shorewall 1.4.2 or later, then in
<filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 detect <emphasis role="bold">routeback</emphasis> </programlisting>
</listitem>
<listitem>
<para>In /etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc loc tcp www</programlisting>
<orderedlist numeration="loweralpha">
<listitem>
<para>Alternativfely, if you are running Shorewall 1.4.0 you can
have the following policy in place of the above rule.</para>
<para><filename>/etc/shorewall/policy</filename></para>
<programlisting>#SOURCE DESTINATION POLICY
loc loc ACCEPT</programlisting>
</listitem>
</orderedlist>
</listitem>
<listitem>
<para>In <filename>/etc/shorewall/start</filename> add:</para>
<programlisting><command>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</command></programlisting>
</listitem>
<listitem>
<para>On 192.168.1.3, arrange for the following command to be
executed after networking has come up</para>
<programlisting><command>iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</command></programlisting>
<para>If you are running RedHat on the server, you can simply
execute the following commands after you have typed the iptables
command above:</para>
<programlisting><command>iptables-save &#62; /etc/sysconfig/iptables
chkconfig --level 35 iptables on</command></programlisting>
</listitem>
</orderedlist>
</section>
<section id="DMZ">
<title>Squid (transparent) Running in the DMZ</title>
<para>You have a single Linux system in your DMZ with IP address
192.0.2.177. You want to run both a web server and Squid on that system.
Your DMZ interface is eth1 and your local interface is eth2.</para>
<orderedlist>
<listitem>
<para>On your firewall system, issue the following command</para>
<programlisting><command>echo 202 www.out &#62;&#62; /etc/iproute2/rt_tables</command></programlisting>
</listitem>
<listitem>
<para>In /etc/shorewall/init, put:</para>
<programlisting><command>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
ip rule add fwmark CA table www.out # Note 0xCA = 202
ip route add default via 192.0.2.177 dev eth1 table www.out
ip route flush cache
fi</command></programlisting>
</listitem>
<listitem>
<para>Do <emphasis role="bold">one</emphasis> of the following:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>In <filename>/etc/shorewall/start</filename> add</para>
<programlisting><command>iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</command></programlisting>
</listitem>
<listitem>
<para>Set MARK_IN_FORWARD_CHAIN=No in <filename>/etc/shorewall/shorewall.conf</filename>
and add the following entry in <filename>/etc/shorewall/tcrules</filename>:</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT
202 eth2 0.0.0.0 tcp 80</programlisting>
</listitem>
<listitem>
<para>Run Shorewall 1.3.14 or later and add the following entry
in <filename>/etc/shorewall/tcrules</filename>:</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT
202:P eth2 0.0.0.0 tcp 80</programlisting>
</listitem>
</orderedlist>
</listitem>
<listitem>
<para>In <filename>/etc/shorewall/rules</filename>, you will need:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc dmz tcp 80
ACCEPT dmz net tcp 80</programlisting>
</listitem>
<listitem>
<para>On 192.0.2.177 (your Web/Squid server), arrange for the
following command to be executed after networking has come up</para>
<programlisting><command>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</command></programlisting>
<para>If you are running RedHat on the server, you can simply
execute the following commands after you have typed the iptables
command above:</para>
<programlisting><command>iptables-save &#62; /etc/sysconfig/iptables
chkconfig --level 35 iptables on</command></programlisting>
</listitem>
</orderedlist>
</section>
</section>
<section>
<title>Squid as a Manual Proxy</title>
<para>Assume that Squid is running in zone SZ and listening on port SP;
all web sites that are to be accessed through Squid are in the
<quote>net</quote> zone. Then for each zone Z that needs access to the
Squid server.</para>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT Z SZ tcp SP
ACCEPT SZ net tcp 80</programlisting>
<example>
<title>Squid on the firewall listening on port 8080 with access from the
<quote>loc</quote> zone:</title>
<para><filename>/etc/shorewall/rules:</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc fw tcp 8080
ACCEPT fw net tcp 80</programlisting></para>
</example>
</section>
</article>
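Review bot: the REDIRECT rules in both rules-file listings of the on-firewall section send traffic to port 3228 (`REDIRECT loc 3228 tcp www - !206.124.146.177`), but the paragraph above says Squid is listening on port 3128, and the on-server REDIRECT commands later in the file use `--to-ports 3128`; with 3228 the redirected connections would reach a port nothing listens on, so this looks like a typo for 3128. Two consistency points: the caution item names `/etc/shorewall/conf` for NAT_ENABLED and MANGLE_ENABLED while the DMZ section names `/etc/shorewall/shorewall.conf`; and the two init-script fragments write the mark as `fwmark CA` in the ip rule while the iptables and tcrules entries use the decimal 202, so writing it as 0xCA (as the adjacent comment already spells it) saves readers from checking whether their ip binary accepts the bare hex form. Spelling and layout: `transrent` (transparent), `siimply` (simply), `Alternativfely` (Alternatively), the double period in `to the internet..`, the stray `* ` opening the first ordered-list item of the local-network section, and an empty `<para></para>` immediately after `</articleinfo>` that only adds blank space to the rendered page.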


@ -0,0 +1,292 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Shorewall_and_Aliased_Interfaces">
<!--$Id$-->
<articleinfo>
<title>Shorewall and Aliased Interfaces</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-06-29</pubdate>
<copyright>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Background</title>
<para>The traditional net-tools contain a program called
<emphasis>ifconfig</emphasis> which is used to configure network devices.
ifconfig introduced the concept of <emphasis>aliased</emphasis> or
<emphasis>virtual</emphasis> interfaces. These virtual interfaces have
names of the form <emphasis>interface:integer</emphasis> (e.g., <filename
class="devicefile">eth0:0</filename>) and ifconfig treats them more or
less like real interfaces.</para>
<example>
<title>ifconfig</title>
<programlisting>[root@gateway root]# <command>ifconfig eth0:0</command>
eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55
inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11 Base address:0x2000
[root@gateway root]# </programlisting>
</example>
<para>The ifconfig utility is being gradually phased out in favor of the
ip utility which is part of the <emphasis>iproute</emphasis> package. The
ip utility does not use the concept of aliases or virtual interfaces but
rather treats additional addresses on an interface as objects in their own
right. The ip utility does provide for interaction with ifconfig in that
it allows addresses to be <emphasis>labeled</emphasis> where these labels
take the form of ipconfig virtual interfaces.</para>
<example>
<title>ip</title>
<programlisting>[root@gateway root]# <command>ip addr show dev eth0</command>
2: eth0: &#60;BROADCAST,MULTICAST,UP&#62; mtu 1500 qdisc htb qlen 100
link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
[root@gateway root]# </programlisting>
<para><note><para>One <emphasis role="bold">cannot</emphasis> type
<quote><command>ip addr show dev eth0:0</command></quote> because
<quote><filename class="devicefile">eth0:0</filename></quote> is a label
for a particular address rather than a device name.</para><programlisting>[root@gateway root]# <command>ip addr show dev eth0:0</command>
Device &#34;eth0:0&#34; does not exist.
[root@gateway root]#</programlisting></note></para>
</example>
<para>The iptables program doesn&#39;t support virtual interfaces in
either it&#39;s <quote>-i</quote> or <quote>-o</quote> command options; as
a consequence, Shorewall does not allow them to be used in the
/etc/shorewall/interfaces file or anywhere else except as described in the
discussion below.</para>
</section>
<section>
<title>Adding Addresses to Interfaces</title>
<para>Most distributions have a facility for adding additional addresses
to interfaces. If you have already used your distribution&#39;s capability
to add your required addresses, you can skip this section.</para>
<para>Shorewall provides facilities for automatically adding addresses to
interfaces as described in the following section. It is also easy to add
them yourself using the <emphasis role="bold">ip</emphasis> utility. The
above alias was added using:</para>
<programlisting><command>ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0</command></programlisting>
<para>You probably want to arrange to add these addresses when the device
is started rather than placing commands like the above in one of the
Shorewall extension scripts. For example, on RedHat systems, you can place
the commands in /sbin/ifup-local:</para>
<programlisting>#!/bin/sh
case $1 in
eth0)
/sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0
;;
esac</programlisting>
<para>RedHat systems also allow adding such aliases from the network
administration GUI (which only works well if you have a graphical
environment on your firewall).</para>
</section>
<section>
<title>So how do I handle more than one address on an interface?</title>
<para>The answer depends on what you are trying to do with the interfaces.
In the sub-sections that follow, we&#39;ll take a look at common
scenarios.</para>
<section>
<title>Separate Rules</title>
<para>If you need to make a rule for traffic to/from the firewall itself
that only applies to a particular IP address, simply qualify the $FW
zone with the IP address.</para>
<example>
<title>allow SSH from net to eth0:0 above</title>
<para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
</example>
</section>
<section>
<title>DNAT</title>
<para>Suppose that I had set up eth0:0 as above and I wanted to port
forward from that virtual interface to a web server running in my local
zone at 192.168.1.3. That is accomplised by a single rule in the
<filename>/etc/shorewall/rules</filename> file:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 </programlisting>
</section>
<section>
<title>SNAT</title>
<para>If you wanted to use eth0:0 as the IP address for outbound
connections from your local zone (eth1), then in <filename>/etc/shorewall/masq</filename>:</para>
<programlisting>#INTERFACE SUBNET ADDRESS
eth0 eth1 206.124.146.178</programlisting>
<para>Shorewall can create the alias (additional address) for you if you
set ADD_SNAT_ALIASES=Yes in <filename>/etc/shorewall/shorewall.con</filename>f.
Beginning with Shorewall 1.3.14, Shorewall can actually create the
<quote>label</quote> (virtual interface) so that you can see the created
address using ifconfig. In addition to setting ADD_SNAT_ALIASES=Yes, you
specify the virtual interface name in the INTERFACE column as follows.</para>
<para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE SUBNET ADDRESS
eth0:0 eth1 206.124.146.178</programlisting></para>
<para>Shorewall can also set up SNAT to round-robin over a range of IP
addresses. Do do that, you specify a range of IP addresses in the
ADDRESS column. If you specify a label in the INTERFACE column,
Shorewall will use that label for the first address of the range and
will increment the label by one for each subsequent label.</para>
<para><filename>/etc/shorewall/masq</filename><programlisting>#INTERFACE SUBNET ADDRESS
eth0:0 eth1 206.124.146.178-206.124.146.180</programlisting></para>
<para>The above would create three IP addresses:</para>
<programlisting>eth0:0 = 206.124.146.178
eth0:1 = 206.124.146.179
eth0:2 = 206.124.146.180</programlisting>
</section>
<section>
<title>One-to-one NAT</title>
<para>If you wanted to use one-to-one NAT to link <filename
class="devicefile">eth0:0</filename> with local address 192.168.1.3, you
would have the following in <filename>/etc/shorewall/nat</filename>:</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
206.124.146.178 eth0 192.168.1.3 no no</programlisting>
<para>Shorewall can create the alias (additional address) for you if you
set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
Shorewall 1.3.14, Shorewall can actually create the <quote>label</quote>
(virtual interface) so that you can see the created address using
ifconfig. In addition to setting ADD_IP_ALIASES=Yes, you specify the
virtual interface name in the INTERFACE column as follows.</para>
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
206.124.146.178 eth0:0 192.168.1.3 no no</programlisting></para>
<para>In either case, to create rules in <filename>/etc/shorewall/rules</filename>
that pertain only to this NAT pair, you simply qualify the local zone
with the internal IP address.</para>
<example>
<title>You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.</title>
<para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
</example>
</section>
<section>
<title>MULTIPLE SUBNETS</title>
<para>Sometimes multiple IP addresses are used because there are
multiple subnetworks configured on a LAN segment. This technique does
not provide for any security between the subnetworks if the users of the
systems have administrative privileges because in that case, the users
can simply manipulate their system&#39;s routing table to bypass your
firewall/router. Nevertheless, there are cases where you simply want to
consider the LAN segment itself as a zone and allow your firewall/router
to route between the two subnetworks.</para>
<example>
<title>Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You simply want your firewall to route
between these two subnetworks.</title>
<para>This example applies to Shorewall 1.4.2 and later.</para>
<para>In <filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE DISPLAY DESCRIPTION
loc Local Local Zone
</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
log eth1 192.168.1.255,192.168.20.255 <emphasis role="bold">routeback</emphasis> </programlisting>
<para>In <filename>/etc/shorewall/rules</filename>, simply specify
ACCEPT rules for the traffic that you want to permit.</para>
</example>
<example>
<title>Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You want to make these subnetworks into
separate zones and control the access between them (the users of the
systems do not have administrative privileges).</title>
<para>This example applies to Shorewall 1.4.2 and later.</para>
<para>In <filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE DISPLAY DESCRIPTION
loc Local Local Zone 1
loc2 Local2 Local Zone 2</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
- eth1 192.168.1.255,192.168.20.255 </programlisting>
<para>In <filename>/etc/shorewall/hosts</filename>:</para>
<programlisting>#ZONE HOSTS OPTIONS
loc eth1:192.168.1.0/24
loc2 eth1:192.168.20.0/24</programlisting>
<para>In <filename>/etc/shorewall/rules</filename>, simply specify
ACCEPT rules for the traffic that you want to permit.</para>
</example>
</section>
</section>
</article>
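Review bot: the first MULTIPLE SUBNETS example is internally inconsistent: /etc/shorewall/zones defines the zone "loc", but the /etc/shorewall/interfaces entry reads "log eth1 192.168.1.255,192.168.20.255 routeback", which references a zone that is never defined; change "log" to "loc". Smaller fixes in the same file: "<filename>/etc/shorewall/shorewall.con</filename>f" leaves the final "f" of the file name outside the element, "accomplised" should be "accomplished", "Do do that" should be "To do that", and in the round-robin SNAT paragraph "will increment the label by one for each subsequent label" should read "for each subsequent address", since it is the addresses in the range that are being counted.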


@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Shorewall_and_Kazaa">
<!--$Id$-->
<articleinfo>
<title>Kazaa Filtering</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-02-04</pubdate>
<copyright>
<year>2003-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<para>Beginning with Shorewall version 1.4.8, Shorewall can interface to
ftwall. <emphasis role="bold">ftwall</emphasis> is part of the <ulink
url="http://p2pwall.sourceforge.net">p2pwall project</ulink> and is a
user-space filter for applications based on the <quote>Fast Track</quote>
peer to peer protocol. Applications using this protocol include Kazaa,
KazaaLite, iMash and Grokster.</para>
<para>To filter traffic from your <quote>loc</quote> zone with ftwall, you
insert the following rules <emphasis role="bold">near the top</emphasis> of
your /etc/shorewall/rules file (before any ACCEPT rules whose source is the
<quote>loc</quote> zone).</para>
<programlisting> #ACTION SOURCE DEST PROTO
QUEUE loc net tcp
QUEUE loc net udp
QUEUE loc fw udp</programlisting>
<para>Now simply configure ftwall as described in the ftwall documentation
and restart Shorewall.</para>
<tip>
<para>There are ftwall init scripts for use with <trademark>SuSE</trademark>
and <trademark>Debian</trademark> Linux at <ulink
url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para>
</tip>
</article>
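Review bot: missing documentation for the failure case: the three QUEUE rules hand every tcp and udp connection from loc to net, and every udp connection from loc to fw, to the user-space filter, yet the closing paragraph only says to configure ftwall and restart Shorewall. The text should state what happens to that traffic when ftwall is not running, and that the rules must not be installed before ftwall is in place. Style: the programlisting has a leading space before "#ACTION", which misaligns the header with the QUEUE lines beneath it.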


@ -0,0 +1,209 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="UserSets">
<!--$Id$-->
<articleinfo>
<title>Controlling Output Traffic by UID/GID</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2003-09-19</pubdate>
<copyright>
<year>2003</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Overview</title>
<para>This capability was added in Shorewall release 1.4.7.</para>
<para>Netfilter provides the capability to filter packets generated on the
firewall system by User Id and/or Group Id. Shorewall provides two
separate but related ways to use this Netfilter capability:</para>
<itemizedlist>
<listitem>
<para>Shorewall allows you to define collections of users called
<quote><link linkend="UserSet">User Sets</link></quote> and then to
restrict certain rules in /etc/shorewall/rules to a given User Set.</para>
</listitem>
<listitem>
<para>Shorewall also allows you to restrict a given <link
linkend="Rule">rule</link> to a particular user and/or group.</para>
</listitem>
</itemizedlist>
<para>Since only packets created by programs running on the Shorewall box
itself, only rules whose SOURCE is the firewall ($FW) may be restricted
using either of the facilities.</para>
</section>
<section id="UserSet">
<title>User Sets</title>
<para>Given the way that this facility is implemented in Shorewall, it is
not possible to control logging of individual rules using a User Set and
logging is rather specified on the User Set itself.</para>
<para>User Sets are defined in the /etc/shorewall/usersets file. Columns
in that file include:</para>
<variablelist>
<varlistentry>
<term>USERSET</term>
<listitem>
<para>The name of a User Set. Must be a legal shell identifier of no
more than six (6) characters in length.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>REJECT</term>
<listitem>
<para>Log level for connections rejected for this User Set.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ACCEPT</term>
<listitem>
<para>Log level for connections accepted for this User Set.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DROP</term>
<listitem>
<para>Log level for connections dropped for this User Set.</para>
</listitem>
</varlistentry>
</variablelist>
<para>In the REJECT and ACCEPT columns, if you don&#39;t want to specify a
value in the column but you want to specify a value in a following column,
you may enter <quote>-</quote>.</para>
<para>Users and/or groups are added to User Sets using the
/etc/shorewall/users file. Columns in that file are:</para>
<variablelist>
<varlistentry>
<term>USERSET</term>
<listitem>
<para>The name of a User Set defined in /etc/shorewall/usersets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>USER</term>
<listitem>
<para>The name of a user defined on the system or a user number.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>GROUP</term>
<listitem>
<para>The name of a group defined on the system or a number.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Only one of the USER and GROUP column needs to be non-empty. If you
wish to specify a GROUP but not a USER, enter <quote>-</quote> in the user
column.</para>
<para>If both USER and GROUP are specified then only programs running
under that USER:GROUP pair will match rules specifying the User Set named
in the USERSET column.</para>
<para>Once a user set has been defined, its name may be placed in the USER
SET column of the /etc/shorewall/rules file.</para>
<important>
<para>When the name of a user set is given in the USER SET column, you
may not include a log level in the ACTION column; logging of such rules
is governed solely by the user set&#39;s definition in the
/etc/shorewall/userset file.</para>
</important>
<example>
<title>You want members of the <quote>admin</quote> group and
<quote>root</quote> to be able to use ssh on the firewall to connect to
local systems. You want to log all connections accepted for these users
using syslog at the <quote>info</quote> level.</title>
<para>/etc/shorewall/usersets</para>
<programlisting>#USERSET REJECT ACCEPT DROP
admins - info</programlisting>
<para>/etc/shorewall/users</para>
<programlisting>#USERSET USER GROUP
admins - admin
admins root</programlisting>
<para>/etc/shorewall/rules</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER
# PORT(S) DESTINATION SET
ACCEPT $FW loc tcp 22 - - - admins</programlisting>
</example>
</section>
<section id="Rule">
<title>Restricting a rule to a particular user and/or group</title>
<para>In cases where you may want to restrict a rule to a particular user
and/or group, the USER SET column in the rules file may be specified as:</para>
<programlisting>[ &#60;<emphasis>user name or number</emphasis>&#62; ] : [ &#60;<emphasis>group name or number</emphasis>&#62; ]</programlisting>
<para>When a user and/or group name is given in the USER SET column, it is
OK to specify a log level in the ACTION column.</para>
<example>
<title>You want user <emphasis role="bold">mail</emphasis> to be able to
send email from the firewall to the local net zone</title>
<para>/etc/shorewall/rules (be sure to note the <quote>:</quote> in the
USER SET column entry).</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER
# PORT(S) DESTINATION SET
ACCEPT $FW loc tcp 25 - - - mail:</programlisting>
</example>
</section>
</article>
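Review bot: the Overview sentence "Since only packets created by programs running on the Shorewall box itself, only rules whose SOURCE is the firewall ($FW) may be restricted using either of the facilities" has no predicate in its first clause; suggest "Since only packets created by programs running on the Shorewall box itself can be filtered by User Id or Group Id, only rules whose SOURCE is the firewall ($FW) may be restricted using either facility." Also, the <important> note refers to "the /etc/shorewall/userset file" while the file is introduced earlier as /etc/shorewall/usersets; make the name consistent.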


@ -0,0 +1,303 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>User-defined Actions</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-03-25</pubdate>
<copyright>
<year>2003</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Creating a New Action</title>
<para>Prior to Shorewall version 1.4.9, rules in <filename>/etc/shorewall/rules</filename>
were limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.).
Beginning with Shorewall version 1.4.9, users may use sequences of these
elementary operations to define more complex actions.</para>
<para>To define a new action:</para>
<orderedlist>
<listitem>
<para>Add a line to <filename><filename>/etc/shorewall/actions</filename></filename>
that names your new action. Action names must be valid shell variable
names as well as valid Netfilter chain names. It is recommended that
the name you select for a new action begins with with a capital
letter; that way, the name won&#39;t conflict with a Shorewall-defined
chain name.</para>
<para>Beginning with Shorewall-2.0.0-Beta1, the name of the action may
be optionally followed by a colon (<quote>:</quote>) and ACCEPT, DROP
or REJECT. When this is done, the named action will become the
<emphasis>common action </emphasis>for policies of type ACCEPT, DROP
or REJECT respectively. The common action is applied immediately
before the policy is enforced (before any logging is done under that
policy) and is used mainly to suppress logging of uninteresting
traffic which would otherwise clog your logs. The same policy name can
appear in multiple actions; the last such action for each policy name
is the one which Shorewall will use.</para>
<para>Shorewall includes pre-defined actions for DROP and REJECT --
see below.</para>
</listitem>
<listitem>
<para>Once you have defined your new action name (ActionName), then
copy /usr/share/shorewall/action.template to <filename>/etc/shorewall/action.ActionName</filename>
(for example, if your new action name is <quote>Foo</quote> then copy
<filename>/usr/share/shorewall/action.template</filename> to
<filename>/etc/shorewall/action.Foo</filename>).</para>
</listitem>
<listitem>
<para>Now modify the new file to define the new action.</para>
</listitem>
</orderedlist>
<para>Columns in the action.template file are as follows:</para>
<itemizedlist>
<listitem>
<para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
&#60;<emphasis>action</emphasis>&#62; where &#60;<emphasis>action</emphasis>&#62;
is a previously-defined action (that is, it must precede the action
being defined in this file in your <filename>/etc/shorewall/actions</filename>
file). These actions have the same meaning as they do in the
<filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
processing of the current action and returns to the point where that
action was invoked). The TARGET may optionally be followed by a colon
(<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
ACCEPT:debugging). This causes the packet to be logged at the
specified level. You may also specify ULOG (must be in upper case) as
a log level.This will log to the ULOG target for routing to a separate
log through use of ulogd (<ulink
url="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</ulink>).</para>
</listitem>
<listitem>
<para>SOURCE - Source hosts to which the rule applies. A
comma-separated list of subnets and/or hosts. Hosts may be specified
by IP or MAC address; mac addresses must begin with <quote>~</quote>
and must use <quote>-</quote> as a separator.</para>
<para>Alternatively, clients may be specified by interface name. For
example, eth1 specifies a client that communicates with the firewall
system through eth1. This may be optionally followed by another colon
(<quote>:</quote>) and an IP/MAC/subnet address as described above
(e.g., eth1:192.168.1.5).</para>
</listitem>
<listitem>
<para>DEST - Location of Server. Same as above with the exception that
MAC addresses are not allowed.</para>
<para>Unlike in the SOURCE column, you may specify a range of up to
256 IP addresses using the syntax &#60;<emphasis>first ip</emphasis>&#62;-&#60;<emphasis>last
ip</emphasis>&#62;.</para>
</listitem>
<listitem>
<para>PROTO - Protocol - Must be <quote>tcp</quote>, <quote>udp</quote>,
<quote>icmp</quote>, a number, or <quote>all</quote>.</para>
</listitem>
<listitem>
<para>DEST PORT(S) - Destination Ports. A comma-separated list of Port
names (from <filename>/etc/services</filename>), port numbers or port
ranges; if the protocol is <quote>icmp</quote>, this column is
interpreted as the destination icmp-type(s).</para>
<para>A port range is expressed as &#60;<emphasis>low port</emphasis>&#62;:&#60;<emphasis>high
port</emphasis>&#62;.</para>
<para>This column is ignored if PROTOCOL = all but must be entered if
any of the following ields are supplied. In that case, it is suggested
that this field contain <quote>-</quote>.</para>
<para>If your kernel contains multi-port match support, then only a
single Netfilter rule will be generated if in this list and in the
CLIENT PORT(S) list below:</para>
<orderedlist>
<listitem>
<para>There are 15 or less ports listed.</para>
</listitem>
<listitem>
<para>No port ranges are included.</para>
</listitem>
</orderedlist>
<para>Otherwise, a separate rule will be generated for each port.</para>
</listitem>
<listitem>
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
source port is acceptable. Specified as a comma-separated list of port
names, port numbers or port ranges.</para>
<para>If you don&#39;t want to restrict client ports but need to
specify an ADDRESS in the next column, then place &#34;-&#34; in this
column.</para>
<para>If your kernel contains multi-port match support, then only a
single Netfilter rule will be generated if in this list and in the
DEST PORT(S) list above:</para>
<orderedlist>
<listitem>
<para>There are 15 or less ports listed.</para>
</listitem>
<listitem>
<para>No port ranges are included.</para>
</listitem>
</orderedlist>
<para>Otherwise, a separate rule will be generated for each port.</para>
</listitem>
<listitem>
<para>RATE LIMIT - You may rate-limit the rule by placing a value in
this column:</para>
<para><programlisting> &#60;<emphasis>rate</emphasis>&#62;/&#60;<emphasis>interval</emphasis>&#62;[:&#60;<emphasis>burst</emphasis>&#62;]</programlisting>where
&#60;<emphasis>rate</emphasis>&#62; is the number of connections per
&#60;<emphasis>interval</emphasis>&#62; (<quote>sec</quote> or
<quote>min</quote>) and &#60;<emphasis>burst</emphasis>&#62; is the
largest burst permitted. If no &#60;<emphasis>burst</emphasis>&#62; is
given, a value of 5 is assumed. There may be no whitespace embedded in
the specification.</para>
<para><programlisting> Example: 10/sec:20</programlisting></para>
</listitem>
<listitem>
<para>USER/GROUP - For output rules (those with the firewall as their
source), you may control connections based on the effective UID and/or
GID of the process requesting the connection. This column can contain
any of the following:</para>
<simplelist>
<member>[!]&#60;<emphasis>user number</emphasis>&#62;[:]</member>
<member>[!]&#60;<emphasis>user name</emphasis>&#62;[:]</member>
<member>[!]:&#60;<emphasis>group number</emphasis>&#62;</member>
<member>[!]:&#60;<emphasis>group name</emphasis>&#62;</member>
<member>[!]&#60;<emphasis>user number</emphasis>&#62;:&#60;<emphasis>group
number</emphasis>&#62;</member>
<member>[!]&#60;<emphasis>user name</emphasis>&#62;:&#60;<emphasis>group
number</emphasis>&#62;</member>
<member>[!]&#60;<emphasis>user inumber</emphasis>&#62;:&#60;<emphasis>group
name</emphasis>&#62;</member>
<member>[!]&#60;<emphasis>user name</emphasis>&#62;:&#60;<emphasis>group
name</emphasis>&#62;</member>
</simplelist>
</listitem>
</itemizedlist>
<para>Omitted column entries should be entered using a dash (&#34;-:).</para>
<para>Example:</para>
<para><filename>/etc/shorewall/actions</filename>:</para>
<para><programlisting> LogAndAccept</programlisting><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
ACCEPT</programlisting></para>
<para>To use your action, in <filename>/etc/shorewall/rules</filename> you
might do something like:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc fw tcp 22</programlisting>
</section>
<section>
<title>Standard Actions In Shorewall 2.0</title>
<para>Beginning with Shorewall 2.0.0-Beta1, Shorewall includes a number of
defined actions. These defined actions are listed in <filename>/usr/share/shorewall/actions.std</filename>.</para>
<para>The <filename>/usr/share/shorewall/actions.std</filename> file
includes the common actions <quote>Drop</quote> for DROP policies and
<quote>Reject</quote> for REJECT policies.</para>
<example>
<title>Example of Using a Standard Action</title>
<para>Suppose that you wish to enable ftp from your local network to
your firewall. In <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO ...
AllowFTP loc fw</programlisting>
</example>
<para><filename>/usr/share/shorewall/actions.std</filename> is processed
before <filename>/etc/shorewall/actions</filename> and if you have any
actions defined with the same name as one in <filename>/usr/share/shorewall/actions.std</filename>,
your version in <filename class="directory">/etc/shorewall</filename> will
be the one used. So if you wish to modify a standard action, simply copy
the associated action file from <filename class="directory">/usr/share/shorewall
</filename>to <filename class="directory">/etc/shorewall and modify</filename>
it to suit your needs. The next <command>shorewall restart</command> will
cause your action to be installed in place of the standard one. In
particular, if you want to modify the common actions <quote>Drop</quote>
or <quote>Reject</quote>, simply copy <filename>action.Drop</filename> or
<filename>Action.Reject</filename> to <filename class="directory">/etc/shorewall</filename>
and modify that copy as desired.</para>
</section>
<section>
<title>Creating an Action using an Extension Script</title>
<para>There may be cases where you wish to create a chain with rules that
can&#39;t be constructed using the tools defined in the action.template.
In that case, you can use an extension script.<note><para>If you actually
need an action to drop broadcast packets, use the <command>dropBcast</command>
standard action rather than create one like this.</para></note></para>
<example>
<title>An action to drop all broadcast packets</title>
<para>/etc/shorewall/actions<programlisting>DropBcasts</programlisting></para>
<para>/etc/shorewall/action.DropBcasts<programlisting># This file is empty</programlisting></para>
<para>/etc/shorewall/DropBcasts<programlisting>run_iptables -A DropBcasts -m pkttype --pkttype broadcast -j DROP</programlisting></para>
</example>
</section>
</article>
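Review bot: two markup errors in the Creating a New Action section: "<filename><filename>/etc/shorewall/actions</filename></filename>" nests the element in itself, and "<filename class="directory">/etc/shorewall and modify</filename>" wraps the prose "and modify" inside the directory name. In the Standard Actions section, "Action.Reject" should be "action.Reject" to match "action.Drop" and the action.ActionName convention described above it. Typos: "begins with with a capital letter", "any of the following ields are supplied", "user inumber" in the USER/GROUP list, and the unbalanced quote in "entered using a dash (&#34;-:)".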

124
Shorewall-docsN/VPN.xml Normal file

@ -0,0 +1,124 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="VPN">
<!--$Id$-->
<articleinfo>
<title>VPN</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2002-12-21</pubdate>
<copyright>
<year>2002</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Virtual Private Networking (VPN)</title>
<para>It is often the case that a system behind the firewall needs to be
able to access a remote network through Virtual Private Networking (VPN).
The two most common means for doing this are IPSEC and PPTP. The basic
setup is shown in the following diagram:</para>
<graphic fileref="images/VPN.png" />
<para>A system with an RFC 1918 address needs to access a remote network
through a remote gateway. For this example, we will assume that the local
system has IP address 192.168.1.12 and that the remote gateway has IP
address 192.0.2.224.</para>
<para>If PPTP is being used, there are no firewall requirements beyond the
default loc-&#62;net ACCEPT policy. There is one restriction however: Only
one local system at a time can be connected to a single remote gateway
unless you patch your kernel from the <quote>Patch-o-matic</quote> patches
available at <ulink url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>
<para>If IPSEC is being used then only one system may connect to the
remote gateway and there are firewall configuration requirements as
follows:</para>
<table>
<title>/etc/shorewall/rules</title>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT</entry>
<entry align="center">CLIENT PORT</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DNAT</entry>
<entry>net:192.0.2.224</entry>
<entry>loc:192.168.1.12</entry>
<entry>50</entry>
<entry></entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>DNAT</entry>
<entry>net:192.0.2.224</entry>
<entry>loc:192.168.1.12</entry>
<entry>udp</entry>
<entry>500</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>If you want to be able to give access to all of your local systems
to the remote network, you should consider running a VPN client on your
firewall. As starting points, see <ulink url="Documentation.htm#Tunnels">http://www.shorewall.net/Documentation.htm#Tunnels</ulink>
or <ulink url="PPTP.htm">http://www.shorewall.net/PPTP.htm</ulink>.</para>
</section>
</article>


@ -0,0 +1,170 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Shorewall Blacklisting Support</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-02-17</pubdate>
<copyright>
<year>2002-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Introduction</title>
<para>Shorewall supports two different forms of blacklisting; static and
dynamic. Beginning with Shorewall version 1.4.8, the BLACKLISTNEWONLY
option in /etc/shorewall/shorewall.conf controls the degree of blacklist
filtering:</para>
<orderedlist>
<listitem>
<para>BLACKLISTNEWONLY=No --&#x00A0; All incoming packets are checked
against the blacklist. New blacklist entries can be used to terminate
existing connections. Versions of Shorewall prior to 1.4.8 behave in
this manner.</para>
</listitem>
<listitem>
<para>BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for
new connection requests. Blacklists may not be used to terminate
existing connections. Only the source address is checked against the
blacklists.</para>
</listitem>
</orderedlist>
<important>
<para><emphasis role="bold">Only the source address is checked against
the blacklists</emphasis>. Blacklists only stop blacklisted hosts from
connecting to you — they do not stop you or your users from connecting
to blacklisted hosts .</para>
</important>
<important>
<para><emphasis role="bold">Neither form of Shorewall blacklisting is
appropriate for blacklisting 1,000s of different addresses</emphasis>.
The blacklists will take forever to load and will have a very negative
effect on firewall performance.</para>
</important>
</section>
<section>
<title>Static Blacklisting</title>
<para>Shorewall static blacklisting support has the following
configuration parameters:</para>
<itemizedlist>
<listitem>
<para>You specify whether you want packets from blacklisted hosts
dropped or rejected using the BLACKLIST_DISPOSITION setting in <ulink
url="Documentation.htm#Config"><filename>/etc/shorewall/shorewall.conf</filename>.</ulink></para>
</listitem>
<listitem>
<para>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
in <ulink url="Documentation.htm#Config"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para>
</listitem>
<listitem>
<para>You list the IP addresses/subnets that you wish to blacklist in
<ulink url="Documentation.htm#Blacklist"><filename>/etc/shorewall/blacklist</filename></ulink>.
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL
and Port numbers/Service names in the blacklist file.</para>
</listitem>
<listitem>
<para>You specify the interfaces whose incoming packets you want
checked against the blacklist using the <quote>blacklist</quote>
option in <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>.</para>
</listitem>
<listitem>
<para>The black list is refreshed from <filename>/etc/shorewall/blacklist</filename>
by the <quote><ulink url="starting_and_stopping_shorewall.htm"><command>shorewall
refresh</command></ulink></quote> command.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Dynamic Blacklisting</title>
<para>Dynamic blacklisting support was added in version 1.3.2. Dynamic
blacklisting doesn&#39;t use any configuration parameters but is rather
controlled using /sbin/shorewall commands:</para>
<itemizedlist>
<listitem>
<para>drop <emphasis>&#60;ip address list&#62;</emphasis> - causes
packets from the listed IP addresses to be silently dropped by the
firewall.</para>
</listitem>
<listitem>
<para>reject <emphasis>&#60;ip address list&#62;</emphasis> - causes
packets from the listed IP addresses to be rejected by the firewall.</para>
</listitem>
<listitem>
<para>allow <emphasis>&#60;ip address list&#62;</emphasis> -
re-enables receipt of packets from hosts previously blacklisted by a
<emphasis>drop</emphasis> or <emphasis>reject</emphasis> command.</para>
</listitem>
<listitem>
<para>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.</para>
</listitem>
<listitem>
<para>show dynamic - displays the dynamic blacklisting configuration.</para>
</listitem>
</itemizedlist>
<para>Dynamic blacklisting is not dependent on the <quote>blacklist</quote>
option in <filename>/etc/shorewall/interfaces</filename>.</para>
<example>
<title>Ignore packets from a pair of systems</title>
<programlisting> <command>shorewall drop 192.0.2.124 192.0.2.125</command></programlisting>
<para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
</example>
<example>
<title>Re-enable packetes from a system</title>
<programlisting> <command>shorewall allow 192.0.2.125</command></programlisting>
<para>Re-enables traffic from 192.0.2.125.</para>
</example>
</section>
</article>
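Review bot: the example "Ignore packets from a pair of systems" (`shorewall drop 192.0.2.124 192.0.2.125`) should state that the entry is lost on the next restart unless `shorewall save` is run afterwards, since the `save` item in the command list above is the only place persistence is mentioned and a reader copying the example will miss it; also "packetes" in `<title>Re-enable packetes from a system</title>` should read "packets".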

399
Shorewall-docsN/bridge.xml Executable file
@ -0,0 +1,399 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Shorewall and Bridged Firewalls</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-06-11</pubdate>
<copyright>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Background</title>
<para>Systems where Shorewall runs normally function as
<firstterm>routers</firstterm>. In the context of the Open System
Interconnect (OSI) reference model, a router operates at layer 3.
Beginning with Shorewall version 2.0.1, Shorewall may also be deployed on
a GNU Linux System that acts as a <firstterm>bridge</firstterm>. Bridges
are layer-2 devices in the OSI model (think of a bridge as an ethernet
switch).</para>
<para>Some differences between routers and bridges are:</para>
<orderedlist>
<listitem>
<para>Routers determine packet destination based on the destination IP
address while bridges route traffic based on the destination MAC
address in the ethernet frame.</para>
</listitem>
<listitem>
<para>As a consequence of the first difference, routers can be
connected to more than one IP network while a bridge may be part of
only a single network.</para>
</listitem>
<listitem>
<para>A router cannot forward broadcast packets while a bridge can.</para>
</listitem>
</orderedlist>
</section>
<section>
<title>Requirements</title>
<para>In order to use Shorewall with a bridging firewall:</para>
<itemizedlist>
<listitem>
<para>Your kernel must contain bridge support (CONFIG_BRIDGE=m or
CONFIG_BRIDGE=y).</para>
</listitem>
<listitem>
<para>Your kernel must contain Netfilter physdev match support
(CONFIG_IP_NF_MATCH_PHYSDEV=m or CONFIG_IP_NF_MATCH_PHYSDEV=y).
Physdev match is standard in the 2.6 kernel series but must be patched
into the 2.4 kernels (see <ulink url="http://bridge.sf.net">http://bridge.sf.net</ulink>).</para>
</listitem>
<listitem>
<para>Your iptables must contain physdev match support. iptables 1.2.9
and later contain this support.</para>
</listitem>
<listitem>
<para>You must have the bridge utilities (bridge-utils) package
installed.</para>
</listitem>
<listitem>
<para>You must be running Shorewall 2.0.1 Beta 1 or later.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Application</title>
<para>The following diagram shows a typical application of a
bridge/firewall. There is already an existing router in place whose
internal interface supports a network and you want to insert a firewall
between the router and the systems in the local network. In the example
shown, the network uses RFC 1918 addresses but that is not a requirement;
the bridge would work exactly the same if public IP addresses were used
(remember that the bridge doesn&#39;t deal with IP addresses).</para>
<graphic fileref="images/bridge.png" />
<para>There are a several key differences in this setup and a normal
Shorewall configuration:</para>
<itemizedlist>
<listitem>
<para>The Shorewall system (the Bridge/Firewall) has only a single IP
address even though it has two ethernet interfaces! The IP address is
configured on the bridge itself rather than on either of the network
cards.</para>
</listitem>
<listitem>
<para>The systems connected to the LAN are configured with the
router&#39;s IP address (192.168.1.254 in the above diagram) as their
default gateway.</para>
</listitem>
<listitem>
<para><command>traceroute</command> doesn&#39;t detect the
Bridge/Firewall as an intermediate router.</para>
</listitem>
<listitem>
<para>If the router runs a DHCP server, the hosts connected to the LAN
can use that server without having <command>dhcrelay</command> running
on the Bridge/Firewall.</para>
</listitem>
</itemizedlist>
<para>There are other possibilities here -- there could be a hub or switch
between the router and the Bridge/Firewall and there could be other
systems connected to that switch. All of the systems on the local side of
the <emphasis role="bold">router</emphasis> would still be configured with
IP addresses in 192.168.1.0/24 as shown below.<graphic
fileref="images/bridge3.png" /></para>
</section>
<section>
<title>Configuring the Bridge</title>
<para>Configuring the bridge itself is quite simple and uses the
<command>brctl</command> utility from the bridge-utils package. Bridge
configuration information may be found at <ulink
url="http://bridge.sf.net">http://bridge.sf.net</ulink>.</para>
<para>Unfortunately, Linux distributions don&#39;t have good bridge
configuration tools and the network configuration GUIs don&#39;t detect
the presence of bridge devices. You may refer to <ulink
url="http://shorewall.net/2.0/myfiles.htm">my configuration files</ulink>
for an example of configuring a three-port bridge at system boot under
<trademark>SuSE</trademark>. Here is an excerpt from a Debian
<filename>/etc/network/interfaces</filename> file for a two-port bridge
with a static IP address:</para>
<blockquote>
<programlisting>auto br0
iface br0 inet static
address 192.168.1.253
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
pre-up /sbin/ip link set eth0 up
pre-up /sbin/ip link set eth1 up
pre-up /usr/sbin/brctl addbr br0
pre-up /usr/sbin/brctl addif br0 eth0
pre-up /usr/sbin/brctl addif br0 eth1</programlisting>
</blockquote>
<para>While it is not a requirement to give the bridge an IP address,
doing so allows the bridge/firewall to access other systems and allows the
bridge/firewall to be managed remotely. The bridge must also have an IP
address for REJECT rules and policies to work correctly — otherwise REJECT
behaves the same as DROP.</para>
<para>The bridge may have its IP address assigned via DHCP. Here&#39;s an
example of an /etc/sysconfig/network/ifcfg-br0 file from a
<trademark>SuSE</trademark> system:</para>
<blockquote>
<programlisting>BOOTPROTO=&#39;dhcp&#39;
REMOTE_IPADDR=&#39;&#39;
STARTMODE=&#39;onboot&#39;
UNIQUE=&#39;3hqH.MjuOqWfSZ+C&#39;
WIRELESS=&#39;no&#39;
MTU=&#39;&#39;</programlisting>
</blockquote>
<para>Here&#39;s an /etc/sysconfig/network-scripts/ifcfg-br0 file for a
<trademark>Mandrake</trademark> system:</para>
<blockquote>
<programlisting>DEVICE=br0
BOOTPROTO=dhcp
ONBOOT=yes</programlisting>
</blockquote>
<para>On both the SuSE and Mandrake systems, a separate script is required
to configure the bridge itself (again see <ulink url="myfiles.htm">my
configuration files</ulink> for an example - <filename>/etc/init.d/bridge</filename>).</para>
<para>Axel Westerhold has contributed this example of configuring a bridge
with a static IP address on a Fedora System (Core 1 and Core 2 Test 1).
Note that these files also configure the bridge itself so there is no need
for a separate bridge config script.</para>
<blockquote>
<para><filename>/etc/sysconfig/network-scripts/ifcfg-br0:</filename></para>
<programlisting>DEVICE=br0
TYPE=Bridge
IPADDR=192.168.50.14
NETMASK=255.255.255.0
ONBOOT=yes</programlisting>
<para><filename>/etc/sysconfig/network-scripts/ifcfg-eth0:</filename><programlisting>DEVICE=eth0
TYPE=ETHER
BRIDGE=br0
ONBOOT=yes</programlisting><filename>/etc/sysconfig/network-scripts/ifcfg-eth1:</filename><programlisting>DEVICE=eth1
TYPE=ETHER
BRIDGE=br0
ONBOOT=yes</programlisting></para>
</blockquote>
<para>Florin Grad at <trademark>Mandrake</trademark> provides this script
for configuring a bridge:</para>
<blockquote>
<programlisting>#!/bin/sh
# chkconfig: 2345 05 89
# description: Layer 2 Bridge
#
[ -f /etc/sysconfig/bridge ] &#38;&#38; . /etc/sysconfig/bridge
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
do_stop() {
echo &#34;Stopping Bridge&#34;
for i in $INTERFACES $BRIDGE_INTERFACE ; do
ip link set $i down
done
brctl delbr $BRIDGE_INTERFACE
}
do_start() {
echo &#34;Starting Bridge&#34;
for i in $INTERFACES ; do
ip link set $i up
done
brctl addbr br0
for i in $INTERFACES ; do
ip link set $i up
brctl addif br0 $i
done
ifup $BRIDGE_INTERFACE
}
case &#34;$1&#34; in
start)
do_start
;;
stop)
do_stop
;;
restart)
do_stop
sleep 1
do_start
;;
*)
echo &#34;Usage: $0 {start|stop|restart}&#34;
exit 1
esac
exit 0</programlisting>
<para>The <filename>/etc/sysconfig/bridge file</filename>:</para>
<programlisting>BRIDGE_INTERFACE=br0 #The name of your Bridge
INTERFACES=&#34;eth0 eth1&#34; #The physical interfaces to be bridged</programlisting>
</blockquote>
<para>Users who successfully configure bridges on other distributions,
with static or dynamic IP addresses, are encouraged to send <ulink
url="mailto:webmaster@shorewall.net">me</ulink> their configuration so I
can post it here.</para>
</section>
<section>
<title>Configuring Shorewall</title>
<para>Bridging in Shorewall is enabled using the BRIDGING option in
<filename>/etc/shorewall/shorewall.conf</filename>:</para>
<programlisting>BRIDGING=Yes</programlisting>
<para>In the scenario pictured above, there would probably be two zones
defined -- one for the internet and one for the local LAN so in
<filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para>A conventional two-zone policy file is appropriate here —
<filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
loc net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para>Only the bridge device itself is configured with an IP address so
only that device is defined to Shorewall in <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
- br0 192.168.1.255
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>The zones are defined using the <filename>/etc/shorewall/hosts</filename>
file. Assuming that the router is connected to <filename
class="devicefile">eth0</filename> and the switch to <filename
class="devicefile">eth1</filename>:</para>
<programlisting>#ZONE HOST(S) OPTIONS
net br0:eth0
loc br0:eth1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
<para>When Shorewall is stopped, you want to allow only local traffic
through the bridge — <filename><filename>/etc/shorewall/routestopped</filename></filename>:</para>
<programlisting>#INTERFACE HOST(S) OPTIONS
br0 192.168.1.0/24 routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>The <filename>/etc/shorewall/rules</filename> file from the
two-interface sample is a good place to start for defining a set of
firewall rules.</para>
</section>
<section>
<title>Combination Router/Bridge</title>
<para>A system running Shorewall doesn&#39;t have to be exclusively a
bridge or a router -- it can act as both. Here&#39;s an example:<graphic
fileref="images/bridge2.png" /></para>
<para>This is basically the same setup as shown in the <ulink
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the
exception that the DMZ is bridged rather than using Proxy ARP. Changes in
the configuration shown in the Setup Guide are as follows:</para>
<orderedlist>
<listitem>
<para>The <filename>/etc/shorewall/proxyarp</filename> file is empty
in this confiiguration.</para>
</listitem>
<listitem>
<para>The <filename>/etc/shorewall/interfaces</filename> file is as
follows:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
- br0 detect routefilter
loc eth1 detect</programlisting></para>
</listitem>
<listitem>
<para>The <filename>/etc/shorewall/hosts</filename> file would have:</para>
<programlisting>#ZONE HOSTS OPTIONS
net br0:eth0
dmz br0:eth2</programlisting>
</listitem>
</orderedlist>
</section>
<section>
<title>Limitations</title>
<para>Bridging doesn&#39; t work with some wireless cards — see <ulink
url="http://bridge.sf.net">http://bridge.sf.net</ulink>.</para>
</section>
</article>
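Review bot: the Mandrake bridge script in the "Configuring the Bridge" section hardcodes the bridge name in `do_start` (`brctl addbr br0` and `brctl addif br0 $i`) while `do_stop` and the final `ifup $BRIDGE_INTERFACE` read the name from /etc/sysconfig/bridge, so any BRIDGE_INTERFACE value other than br0 creates a bridge that `stop` never tears down and `ifup` never brings up; use `$BRIDGE_INTERFACE` in both `brctl` calls. The first `for i in $INTERFACES` loop in `do_start` is redundant, since the second loop also runs `ip link set $i up` before `brctl addif`. Typos: "There are a several key differences" in the Application section, "confiiguration" in the Combination Router/Bridge list, and "doesn't" is split as "doesn&#39; t" under Limitations.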

@ -0,0 +1,472 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Configuration Files</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-04-20</pubdate>
<copyright>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<caution>
<para>If you copy or edit your configuration files on a system running
Microsoft Windows, you must run them through <ulink
url="http://www.megaloman.com/~hany/software/hd2u/">dos2unix</ulink>
before you use them with Shorewall.</para>
</caution>
<section id="Files">
<title>Files</title>
<para><itemizedlist><listitem><para><filename>/etc/shorewall/shorewall.conf</filename>
- used to set several firewall parameters.</para></listitem><listitem><para><filename>/etc/shorewall/params</filename>
- use this file to set shell variables that you will expand in other
files.</para></listitem><listitem><para><filename>/etc/shorewall/zones</filename>
- partition the firewall&#39;s view of the world into zones.</para></listitem><listitem><para><filename>/etc/shorewall/policy</filename>
- establishes firewall high-level policy.</para></listitem><listitem><para><filename>/etc/shorewall/interfaces</filename>
- describes the interfaces on the firewall system.</para></listitem><listitem><para><filename>/etc/shorewall/hosts</filename>
- allows defining zones in terms of individual hosts and subnetworks.</para></listitem><listitem><para><filename>/etc/shorewall/masq</filename>
- directs the firewall where to use many-to-one (dynamic) Network Address
Translation (a.k.a. Masquerading) and Source Network Address Translation
(SNAT).</para></listitem><listitem><para><filename>/etc/shorewall/modules</filename>
- directs the firewall to load kernel modules.</para></listitem><listitem><para><filename>/etc/shorewall/rules</filename>
- defines rules that are exceptions to the overall policies established in
/etc/shorewall/policy.</para></listitem><listitem><para><filename>/etc/shorewall/nat</filename>
- defines one-to-one NAT rules.</para></listitem><listitem><para><filename>/etc/shorewall/proxyarp</filename>
- defines use of Proxy ARP.</para></listitem><listitem><para><filename>/etc/shorewall/routestopped</filename>
(Shorewall 1.3.4 and later) - defines hosts accessible when Shorewall is
stopped.</para></listitem><listitem><para><filename>/etc/shorewall/tcrules
</filename>- defines marking of packets for later use by traffic
control/shaping or policy routing.</para></listitem><listitem><para><filename>/etc/shorewall/tos</filename>
- defines rules for setting the TOS field in packet headers.</para></listitem><listitem><para><filename>/etc/shorewall/tunnels</filename>
- defines IPSEC, GRE and IPIP tunnels with end-points on the firewall
system.</para></listitem><listitem><para><filename>/etc/shorewall/blacklist</filename>
- lists blacklisted IP/subnet/MAC addresses.</para></listitem><listitem><para><filename>/etc/shorewall/init</filename>
- commands that you wish to execute at the beginning of a <quote>shorewall
start</quote> or <quote>shorewall restart</quote>.</para></listitem><listitem><para><filename>/etc/shorewall/start</filename>
- commands that you wish to execute at the completion of a <quote>shorewall
start</quote> or <quote>shorewall restart</quote></para></listitem><listitem><para><filename>/etc/shorewall/stop
</filename>- commands that you wish to execute at the beginning of a
<quote>shorewall stop</quote>.</para></listitem><listitem><para><filename>/etc/shorewall/stopped</filename>
- commands that you wish to execute at the completion of a <quote>shorewall
stop</quote>.</para></listitem><listitem><para><filename>/etc/shorewall/ecn</filename>
- disable Explicit Congestion Notification (ECN - RFC 3168) to remote
hosts or networks.</para></listitem><listitem><para><filename>/etc/shorewall/accounting</filename>
- define IP traffic accounting rules</para></listitem><listitem><para><filename>/etc/shorewall/actions</filename>
and <filename>/usr/share/shorewall/action.template</filename> - define
your own actions for rules in /etc/shorewall/rules (shorewall 1.4.9 and
later).</para></listitem><listitem><para><filename>/usr/share/shorewall/actions.std</filename>
- Actions defined by Shorewall.</para></listitem><listitem><para><filename>/usr/share/shorewall/actions.*</filename>
- Details of actions defined by Shorewall.</para></listitem><listitem><para><filename>/usr/share/rfc1918</filename>
— Defines the behavior of the &#39;norfc1918&#39; interface option in
<filename>/etc/shorewall/interfaces</filename>. <emphasis role="bold">If
you need to change this file, copy it to <filename>/etc/shorewall</filename>
and modify the copy</emphasis>.</para></listitem><listitem><para><filename>/usr/share/bogons</filename>
— Defines the behavior of the &#39;nobogons&#39; interface option in
<filename>/etc/shorewall/interfaces</filename>. <emphasis role="bold">If
you need to change this file, copy it to <filename>/etc/shorewall</filename>
and modify the copy</emphasis>.</para></listitem></itemizedlist></para>
</section>
<section>
<title>Special Note about /etc/shorewall/shorewall.conf</title>
<para>It is a good idea to modify your /etc/shorewall/shorewall.conf file,
even if you just add a comment that says &#34;I modified this file&#34;.
That way, your package manager won&#39;t overwrite the file with future
updated versions. Such overwrites can cause unwanted changes in the
behavior of Shorewall.</para>
</section>
<section id="Comments">
<title>Comments</title>
<para>You may place comments in configuration files by making the first
non-whitespace character a pound sign (<quote>#</quote>). You may also
place comments at the end of any line, again by delimiting the comment
from the rest of the line with a pound sign.</para>
<example>
<title>Comments in a Configuration File</title>
<programlisting># This is a comment
ACCEPT net fw tcp www #This is an end-of-line comment</programlisting>
</example>
</section>
<section id="Continuation">
<title>Line Continuation</title>
<para>You may continue lines in the configuration files using the usual
backslash (<quote>\</quote>) followed immediately by a new line character.</para>
<example>
<title>Line Continuation</title>
<programlisting>ACCEPT net fw tcp \
smtp,www,pop3,imap #Services running on the firewall</programlisting>
</example>
</section>
<section id="INCLUDE">
<title>INCLUDE Directive</title>
<para>Beginning with Shorewall version 1.4.2, any file may contain INCLUDE
directives. An INCLUDE directive consists of the word INCLUDE followed by
a path name and causes the contents of the named file to be logically
included into the file containing the INCLUDE. Relative path names given
in an INCLUDE directive are assumed to reside in /etc/shorewall or in an
alternate configuration directory if one has been specified for the
command.</para>
<para>INCLUDE&#39;s may be nested to a level of 3 -- further nested
INCLUDE directives are ignored with a warning message.</para>
<example>
<title>Use of INCLUDE</title>
<programlisting> shorewall/params.mgmt:
&#x00A0;&#x00A0; MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
&#x00A0;&#x00A0; TIME_SERVERS=4.4.4.4
&#x00A0;&#x00A0; BACKUP_SERVERS=5.5.5.5
&#x00A0;&#x00A0; ----- end params.mgmt -----
&#x00A0;&#x00A0; shorewall/params:
&#x00A0;&#x00A0; # Shorewall 1.3 /etc/shorewall/params
&#x00A0;&#x00A0; [..]
&#x00A0;&#x00A0; #######################################
&#x00A0;
&#x00A0;&#x00A0; INCLUDE params.mgmt&#x00A0;&#x00A0;&#x00A0;
&#x00A0;
&#x00A0;&#x00A0; # params unique to this host here
&#x00A0;&#x00A0; #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
&#x00A0;&#x00A0; ----- end params -----
&#x00A0;&#x00A0; shorewall/rules.mgmt:
&#x00A0;&#x00A0; ACCEPT net:$MGMT_SERVERS&#x00A0;&#x00A0;&#x00A0;$FW&#x00A0;&#x00A0;&#x00A0; tcp&#x00A0;&#x00A0;&#x00A0; 22
&#x00A0;&#x00A0; ACCEPT $FW&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; net:$TIME_SERVERS&#x00A0;&#x00A0;&#x00A0; udp&#x00A0;&#x00A0;&#x00A0; 123
&#x00A0;&#x00A0; ACCEPT $FW&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; net:$BACKUP_SERVERS&#x00A0; tcp&#x00A0;&#x00A0;&#x00A0; 22
&#x00A0;&#x00A0; ----- end rules.mgmt -----
&#x00A0;&#x00A0; shorewall/rules:
&#x00A0;&#x00A0; # Shorewall version 1.3 - Rules File
&#x00A0;&#x00A0; [..]
&#x00A0;&#x00A0; #######################################
&#x00A0;
&#x00A0;&#x00A0; INCLUDE rules.mgmt&#x00A0;&#x00A0;&#x00A0;&#x00A0;
&#x00A0;
&#x00A0;&#x00A0; # rules unique to this host here
&#x00A0;&#x00A0; #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
&#x00A0;&#x00A0; ----- end rules -----</programlisting>
</example>
</section>
<section id="dnsnames">
<title>Using DNS Names</title>
<caution>
<para>I personally recommend strongly against using DNS names in
Shorewall configuration files. If you use DNS names and you are called
out of bed at 2:00AM because Shorewall won&#39;t start as a result of
DNS problems then don&#39;t say that you were not forewarned.</para>
</caution>
<para>Beginning with Shorewall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS Names.</para>
<para>DNS names in iptables rules aren&#39;t nearly as useful as they
first appear. When a DNS name appears in a rule, the iptables utility
resolves the name to one or more IP addresses and inserts those addresses
into the rule. So changes in the DNS-&#62;IP address relationship that
occur after the firewall has started have absolutely no effect on the
firewall&#39;s ruleset.</para>
<para>If your firewall rules include DNS names then:</para>
<itemizedlist>
<listitem>
<para>If your <filename>/etc/resolv.conf </filename>is wrong then your
firewall won&#39;t start.</para>
</listitem>
<listitem>
<para>If your <filename>/etc/nsswitch.conf</filename> is wrong then
your firewall won&#39;t start.</para>
</listitem>
<listitem>
<para>If your Name Server(s) is(are) down then your firewall won&#39;t
start.</para>
</listitem>
<listitem>
<para>If your startup scripts try to start your firewall before
starting your DNS server then your firewall won&#39;t start.</para>
</listitem>
<listitem>
<para>Factors totally outside your control (your ISP&#39;s router is
down for example), can prevent your firewall from starting.</para>
</listitem>
<listitem>
<para>You must bring up your network interfaces prior to starting your
firewall.</para>
</listitem>
</itemizedlist>
<para>Each DNS name much be fully qualified and include a minumum of two
periods (although one may be trailing). This restriction is imposed by
Shorewall to insure backward compatibility with existing configuration
files.</para>
<example>
<title>Valid DNS Names</title>
<itemizedlist>
<listitem>
<para>mail.shorewall.net</para>
</listitem>
<listitem>
<para>shorewall.net. (note the trailing period).</para>
</listitem>
</itemizedlist>
</example>
<example>
<title>Invalid DNS Names</title>
<itemizedlist>
<listitem>
<para>mail (not fully qualified)</para>
</listitem>
<listitem>
<para>shorewall.net (only one period)</para>
</listitem>
</itemizedlist>
</example>
<para>DNS names may not be used as:</para>
<itemizedlist>
<listitem>
<para>The server address in a DNAT rule (/etc/shorewall/rules file)</para>
</listitem>
<listitem>
<para>In the ADDRESS column of an entry in /etc/shorewall/masq.</para>
</listitem>
<listitem>
<para>In the <filename>/etc/shorewall/nat</filename> file.</para>
</listitem>
</itemizedlist>
<para>These restrictions are imposed by Netfilter and not by Shorewall.</para>
</section>
<section id="Compliment">
<title>Complementing an Address or Subnet</title>
<para>Where specifying an IP address, a subnet or an interface, you can
precede the item with <quote>!</quote> to specify the complement of the
item. For example, !192.168.1.4 means <quote>any host but 192.168.1.4</quote>.
There must be no white space following the <quote>!</quote>.</para>
</section>
<section id="Lists">
<title>Comma-separated Lists</title>
<para>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</para>
<itemizedlist>
<listitem>
<para>Must not have any embedded white space.<programlisting> Valid: routefilter,dhcp,norfc1918
Invalid: routefilter,&#x00A0;&#x00A0;&#x00A0;&#x00A0; dhcp,&#x00A0;&#x00A0;&#x00A0;&#x00A0; norfc1818</programlisting></para>
</listitem>
<listitem>
<para>If you use line continuation to break a comma-separated list,
the continuation line(s) must begin in column 1 (or there would be
embedded white space)</para>
</listitem>
<listitem>
<para>Entries in a comma-separated list may appear in any order.</para>
</listitem>
</itemizedlist>
</section>
<section id="Ports">
<title>Port Numbers/Service Names</title>
<para>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services.</para>
</section>
<section id="Ranges">
<title>Port Ranges</title>
<para>If you need to specify a range of ports, the proper syntax is
&#60;low port number&#62;:&#60;high port number&#62;. For example, if you
want to forward the range of tcp ports 4000 through 4100 to local host
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORTS(S)
DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
<para>If you omit the low port number, a value of zero is assumed; if you
omit the high port number, a value of 65535 is assumed.</para>
</section>
<section id="Variables">
<title>Using Shell Variables</title>
<para>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</para>
<para>It is suggested that variable names begin with an upper case letter
to distinguish them from variables used internally within the Shorewall
programs</para>
<example>
<title>Using Shell Variables</title>
<programlisting>&#x00A0;&#x00A0;&#x00A0; /etc/shorewall/params
NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=routefilter,norfc1918
&#x00A0;&#x00A0;&#x00A0; /etc/shorewall/interfaces record:
net $NET_IF $NET_BCAST $NET_OPTIONS
&#x00A0;&#x00A0;&#x00A0; The result will be the same as if the record had been written
net eth0 130.252.100.255 routefilter,norfc1918
</programlisting>
<para>Variables may be used anywhere in the other configuration files.</para>
</example>
</section>
<section id="MAC">
<title>Using MAC Addresses</title>
<para>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. In order to control traffic
to/from a host by its MAC address, the host must be on the same network as
the firewall.</para>
<para>To use this feature, your kernel must have MAC Address Match support
(CONFIG_IP_NF_MATCH_MAC) included.</para>
<para>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.</para>
<para>In GNU/Linux, MAC addresses are usually written as a series of 6 hex
numbers separated by colons.</para>
<example>
<title>MAC Address of an Ethernet Controller</title>
<programlisting> &#x00A0;&#x00A0;&#x00A0;&#x00A0; [root@gateway root]# <command>ifconfig eth0</command>
&#x00A0;&#x00A0;&#x00A0;&#x00A0; eth0 Link encap:Ethernet HWaddr <emphasis
role="bold">02:00:08:E3:FA:55</emphasis>
&#x00A0;&#x00A0;&#x00A0;&#x00A0; inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
&#x00A0;&#x00A0;&#x00A0;&#x00A0; UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
&#x00A0;&#x00A0;&#x00A0;&#x00A0; RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0
&#x00A0;&#x00A0;&#x00A0;&#x00A0; TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0
&#x00A0;&#x00A0;&#x00A0;&#x00A0; collisions:30394 txqueuelen:100
&#x00A0;&#x00A0;&#x00A0;&#x00A0; RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 (1582.8 Mb)
&#x00A0;&#x00A0;&#x00A0;&#x00A0; Interrupt:11 Base address:0x1800
</programlisting>
</example>
<para>Because Shorewall uses colons as a separator for address fields,
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde (<quote>~</quote>) and consist
of 6 hex numbers separated by hyphens. In Shorewall, the MAC address in
the example above would be written <emphasis role="bold">~02-00-08-E3-FA-55</emphasis>.</para>
<note>
<para>It is not necessary to use the special Shorewall notation in the
<filename><ulink url="MAC_Validation.html">/etc/shorewall/maclist</ulink></filename>
file.</para>
</note>
</section>
<section id="Levels">
<title>Shorewall Configurations</title>
<para>Shorewall allows you to have configuration directories other than
<filename class="directory">/etc/shorewall</filename>. The shorewall
check, start and restart commands allow you to specify an alternate
configuration directory and Shorewall will use the files in the alternate
directory rather than the corresponding files in /etc/shorewall. The
alternate directory need not contain a complete configuration; those files
not in the alternate directory will be read from <filename
class="directory">/etc/shorewall</filename>.</para>
<para>This facility permits you to easily create a test or temporary
configuration by</para>
<orderedlist>
<listitem>
<para>copying the files that need modification from /etc/shorewall to
a separate directory;</para>
</listitem>
<listitem>
<para>modify those files in the separate directory; and</para>
</listitem>
<listitem>
<para>specifying the separate directory in a shorewall start or
shorewall restart command (e.g., <command>shorewall -c /etc/testconfig
restart</command> )</para>
</listitem>
</orderedlist>
<para>The <ulink url="starting_and_stopping_shorewall.htm">try command</ulink>
allows you to attempt to restart using an alternate configuration and if
an error occurs to automatically restart the standard configuration.</para>
</section>
</article>
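Review bot: in the "Comma-separated Lists" example the invalid line ends with `norfc1818` while the valid line has `norfc1918`; the list is meant to be invalid only because of the embedded white space, so the misspelled option name muddles the point and should be `norfc1918`. In the "Files" list, `/usr/share/rfc1918` and `/usr/share/bogons` are the only entries outside /etc/shorewall that lack the `shorewall` path component used by `/usr/share/shorewall/actions.std` and `/usr/share/shorewall/actions.*` on the same list; confirm whether these should be `/usr/share/shorewall/rfc1918` and `/usr/share/shorewall/bogons`. Typos in "Using DNS Names": "much be fully qualified" (must), "minumum" (minimum), "insure backward compatibility" (ensure).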

106
Shorewall-docsN/dhcp.xml Executable file
@ -0,0 +1,106 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>DHCP</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-05-24</pubdate>
<copyright>
<year>2001</year>
<year>2002</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<note>
<para>For most operations, DHCP software interfaces to the Linux IP stack
at a level below Netfilter. Hence, Netfilter (and therefore Shorewall)
cannot be used effectively to police DHCP. The <quote>dhcp</quote>
interface option described in this article allows for Netfilter to stay
out of DHCP&#39;s way for those operations that can be controlled by
Netfilter and prevents unwanted logging of DHCP-related traffic by
Shorewall-generated Netfilter logging rules.</para>
</note>
<section>
<title>If you want to Run a DHCP Server on your firewall</title>
<itemizedlist>
<listitem>
<para>Specify the <quote>dhcp</quote> option on each interface to be
served by your server in the <filename><ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink></filename>
file. This will generate rules that will allow DHCP to and from your
firewall system.</para>
</listitem>
<listitem>
<para>When starting <quote>dhcpd</quote>, you need to list those
interfaces on the run line. On a RedHat system, this is done by
modifying <filename>/etc/sysconfig/dhcpd</filename>.</para>
</listitem>
</itemizedlist>
<para></para>
</section>
<section>
<title>If a Firewall Interface gets its IP Address via DHCP</title>
<itemizedlist>
<listitem>
<para>Specify the <quote>dhcp</quote> option for this interface in the
<ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
file.&#x00A0;This will generate rules that will allow DHCP to and from
your firewall system.</para>
</listitem>
<listitem>
<para>If you know that the dynamic address is always going to be in
the same subnet, you can specify the subnet address in the
interface&#39;s entry in the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
file.</para>
</listitem>
<listitem>
<para>If you don&#39;t know the subnet address in advance, you should
specify <quote>detect</quote> for the interface&#39;s subnet address
in the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
file and start Shorewall after the interface has started.</para>
</listitem>
<listitem>
<para>In the event that the subnet address might change while
Shorewall is started, you need to arrange for a <quote>shorewall
refresh</quote> command to be executed when a new dynamic IP address
gets assigned to the interface. Check your DHCP client&#39;s
documentation.</para>
</listitem>
</itemizedlist>
</section>
</article>
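Review bot: the empty para element just before the closing section tag of "If you want to Run a DHCP Server on your firewall" is a stray element that renders as a blank paragraph; drop it. Minor consistency point: the first section nests the ulink inside filename for /etc/shorewall/interfaces while the second section nests filename inside the ulink; use one nesting throughout the article.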

339
Shorewall-docsN/errata.xml Normal file

@ -0,0 +1,339 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<articleinfo>
<title>Shorewall Errata</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2004-07-02</pubdate>
<copyright>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<caution>
<itemizedlist>
<listitem>
<para>If you use a Windows system to download a corrected script, be
sure to run the script through <ulink
url="http://www.megaloman.com/~hany/software/hd2u/">dos2unix</ulink>
after you have moved it to your Linux system.</para>
</listitem>
<listitem>
<para>If you are installing Shorewall for the first time and plan to
use the .tgz and install.sh script, you can untar the archive, replace
the <quote>firewall</quote> script in the untarred directory with the
one you downloaded below, and then run install.sh.</para>
</listitem>
<listitem>
<para>When the instructions say to install a corrected firewall script
in /usr/share/shorewall/firewall, you may rename the existing file
before copying in the new file.</para>
</listitem>
<listitem>
<para><emphasis role="bold">DO NOT INSTALL CORRECTED COMPONENTS ON A
RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.</emphasis>
For example, do NOT install the 2.0.2 firewall script if you are
running 2.0.0-RC2</para>
</listitem>
</itemizedlist>
</caution>
<section>
<title>RFC1918 File</title>
<para><ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918">Here</ulink>
is the most up to date version of the <ulink
url="Documentation.htm#rfc1918">rfc1918 file</ulink>. This file only
applies to Shorewall version 2.0.0 and its bugfix updates. In Shorewall
2.0.1 and later releases, the <filename>bogons</filename> file lists IP
ranges that are reserved by the IANA and the <filename>rfc1918</filename>
file only lists those three ranges that are reserved by <ulink
url="shorewall_setup_guide.htm#RFC1918">RFC 1918</ulink>.</para>
</section>
<section>
<title>Bogons File</title>
<para><ulink url="http://shorewall.net/pub/shorewall/errata/2.0.1/bogons">Here</ulink>
is the most up to date version of the <ulink
url="Documentation.htm#Bogons">bogons file</ulink>.</para>
</section>
<section>
<title>Problems in Version 2.0</title>
<section>
<title>Shorewall 2.0.3a and 2.0.3b</title>
<itemizedlist>
<listitem>
<para>Error messages regarding $RESTOREBASE occur during <emphasis
role="bold">shorewall stop</emphasis>.</para>
</listitem>
<listitem>
<para>If CLEAR_TC=Yes in <filename>shorewall.conf</filename>,
<emphasis role="bold">shorewall stop</emphasis> fails without
removing the lock file.</para>
</listitem>
</itemizedlist>
<para>These problems are corrected in Shorewall version 2.0.3c.</para>
</section>
<section>
<title>Shorewall 2.0.3a</title>
<itemizedlist>
<listitem>
<para>Slackware users find that version 2.0.3a fails to start
because their <command>mktemp</command> utility does not support the
-d option. This may be corrected by installing <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.3/functions">this
corrected <filename>functions</filename> file</ulink> in <filename
class="directory">/var/lib/shorewall/functions</filename>.</para>
</listitem>
<listitem>
<para>Shorewall fails to start if there is no <command>mktemp</command>
utility.</para>
</listitem>
</itemizedlist>
<para>These problems are corrected in Shorewall version 2.0.3b.</para>
</section>
<section>
<title>Shorewall 2.0.3</title>
<itemizedlist>
<listitem>
<para>A non-empty entry in the DEST column of /etc/shorewall/tcrules
will result in an error message and Shorewall fails to start. This
problem is fixed in Shorewall version 2.0.3a.</para>
</listitem>
<listitem>
<para>A potentially exploitable vulnerability in the way that
Shorewall handles temporary files and directories has been found by
Javier Fernández-Sanguino Peña. This vulnerability is corrected in
Shorewall 2.0.3a. All Shorewall 2.0.x users are urged to upgrade to
2.0.3a.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.2</title>
<itemizedlist>
<listitem>
<para>Temporary restore files with names of the form
<filename>restore-</filename><emphasis>nnnnn</emphasis> are left in
/var/lib/shorewall.</para>
</listitem>
<listitem>
<para>&#34;shorewall restore&#34; and &#34;shorewall -f start&#34;
do not load kernel modules.</para>
<para><emphasis role="bold">The above two problems are corrected in
Shorewall 2.0.2a</emphasis></para>
</listitem>
<listitem>
<para>Specifying a null common action in /etc/shorewall/actions
(e.g., :REJECT) results in a startup error.</para>
</listitem>
<listitem>
<para>If <filename>/var/lib/shorewall</filename> does not exist,
<command>shorewall start</command> fails.</para>
<para><emphasis role="bold">The above four problems are corrected in
Shorewall 2.0.2b</emphasis></para>
</listitem>
<listitem>
<para>DNAT rules work incorrectly with dynamic zones in that the
source interface is not included in the nat table DNAT rule.</para>
<para><emphasis role="bold">The above five problems are corrected in
Shorewall 2.0.2c</emphasis></para>
</listitem>
<listitem>
<para>During start and restart, Shorewall is detecting capabilities
before loading kernel modules. Consequently, if kernel module
autoloading is disabled, capabilities can be mis-detected during
boot.</para>
</listitem>
<listitem>
<para>The <emphasis>newnotsyn</emphasis> option in
<filename>/etc/shorewall/hosts</filename> has no effect.</para>
<para><emphasis role="bold">The above seven problems are corrected
in Shorewall 2.0.2d</emphasis></para>
</listitem>
<listitem>
<para>Use of the LOG target in an action results in two LOG or ULOG
rules.</para>
<para><emphasis role="bold">The above eight problems are corrected
in Shorewall 2.0.2e</emphasis></para>
</listitem>
<listitem>
<para>Kernel modules fail to load when MODULE_SUFFIX isn&#39;t set
in shorewall.conf</para>
<para><emphasis role="bold">All of the above problems are corrected
in Shorewall 2.0.2f</emphasis></para>
</listitem>
</itemizedlist>
<para>These problems are all corrected by the <filename>firewall</filename>
and <filename>functions</filename> files in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.2">this directory</ulink>.
Both files must be installed in <filename>/usr/share/shorewall/</filename>
as described above.</para>
</section>
<section>
<title>Shorewall 2.0.1</title>
<itemizedlist>
<listitem>
<para>Confusing message mentioning IPV6 occur at startup.</para>
</listitem>
<listitem>
<para>Modules listed in /etc/shorewall/modules don&#39;t load or
produce errors on Mandrake 10.0 Final.</para>
</listitem>
<listitem>
<para>The <command>shorewall delete</command> command does not
remove all dynamic rules pertaining to the host(s) being deleted.</para>
</listitem>
</itemizedlist>
<para>These problems are corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/firewall">this
firewall script</ulink> which may be installed in <filename>/usr/share/shorewall/firewall</filename>
as described above.</para>
<itemizedlist>
<listitem>
<para>When run on a SuSE system, the install.sh script fails to
configure Shorewall to start at boot time. That problem is corrected
in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/install.sh">this
version of the script</ulink>.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.1/2.0.0</title>
<itemizedlist>
<listitem>
<para>On Debian systems, an install using the tarball results in an
inability to start Shorewall at system boot. If you already have
this problem, install <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/init.debian.sh">this
file</ulink> as /etc/init.d/shorewall (replacing the existing file
with that name). If you are just installing or upgrading to
Shorewall 2.0.0 or 2.0.1, then replace the <filename>init.debian.sh</filename>
file in the Shorewall distribution directory (shorewall-2.0.x) with
the updated file before running <command>install.sh</command> from
that directory.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.0</title>
<itemizedlist>
<listitem>
<para>When using an Action in the ACTIONS column of a rule, you may
receive a warning message about the rule being a policy. While this
warning may be safely ignored, it can be eliminated by installing
the script from the link below.</para>
</listitem>
<listitem>
<para>Thanks to Sean Mathews, a long-standing problem with Proxy ARP
and IPSEC has been corrected.</para>
</listitem>
</itemizedlist>
<para>The first problem has been corrected in Shorewall update 2.0.0a.</para>
<para>All of these problems may be corrected by installing <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.0/firewall">this
firewall script</ulink> in /usr/share/shorewall as described above.</para>
</section>
</section>
<section>
<title>Upgrade Issues</title>
<para>The upgrade issues have moved to <ulink url="upgrade_issues.htm">a
separate page</ulink>.</para>
</section>
<section>
<title>Problem with iptables 1.2.9</title>
<para>If you want to use the new features in Shorewall 2.0.2 (Betas, RCs,
Final) or later then you need to patch your iptables 1.2.9 with <ulink
url="http://shorewall.net/pub/shorewall/errata/iptables-1.2.9.diff">this
patch</ulink> or you need to use the <ulink
url="http://www.netfilter.org/downloads.html#cvs">CVS version of iptables</ulink>.</para>
</section>
<section>
<title>Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to
2.4.21-RC1)</title>
<para>Beginning with errata kernel 2.4.20-13.9, <quote>REJECT
--reject-with tcp-reset</quote> is broken. The symptom most commonly seen
is that REJECT rules act just like DROP rules when dealing with TCP. A
kernel patch and precompiled modules to fix this problem are available at
<ulink url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
<note>
<para>RedHat have corrected this problem in their 2.4.20-27.x kernels.</para>
</note>
</section>
</article>
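Review bot: in the "RFC1918 File" section the link target is errata/1.4.10/rfc1918 while the text says the file applies only to Shorewall 2.0.0 and its bugfix updates; confirm that the 1.4.10 errata copy is the intended one or point the link at a 2.0.0 location so readers do not pick up a file from a different release series. Two smaller points: "Confusing message mentioning IPV6 occur at startup" has a number disagreement (either "messages ... occur" or "message ... occurs"), and this is the only article in the set without the $Id$ keyword comment after the opening article tag.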


@ -0,0 +1,93 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Fallback and Uninstall</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2001-03-26</pubdate>
<copyright>
<year>2001</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Falling Back to the Previous Version of Shorewall using the
Fallback Script</title>
<para>If you install Shorewall and discover that it doesn&#39;t work for
you, you can fall back to your previously installed version. To do that:</para>
<itemizedlist>
<listitem>
<para>cd to the distribution directory for the version of Seattle
Firewall that you are currently running (NOT the version that you want
to fall back to).</para>
</listitem>
<listitem>
<para>Type <quote>./fallback.sh</quote></para>
</listitem>
</itemizedlist>
<caution>
<para>The fallback script will replace /etc/shorewall/policy,
/etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat,
/etc/shorewall/proxyarp and /etc/shorewall/masq with the version of
these files from before the current version was installed. Any changes
to any of these files will be lost.</para>
</caution>
</section>
<section>
<title>Falling Back to the Previous Version of Shorewall using rpm</title>
<para>If your previous version of Shorewall was installed using RPM, you
may fall back to that version by typing <quote>rpm -Uvh --force &#60;old
rpm&#62;</quote> at a root shell prompt (Example: <quote>rpm -Uvh --force
/downloads/shorewall-3.1=0noarch.rpm</quote> would fall back to the 3.1-0
version of Shorewall).</para>
</section>
<section>
<title>Uninstalling Shorewall</title>
<para>If you no longer wish to use Shorewall, you may remove it by:</para>
<itemizedlist>
<listitem>
<para>cd to the distribution directory for the version of Shorewall
that you have installed.</para>
</listitem>
<listitem>
<para>type <quote>./uninstall.sh</quote></para>
</listitem>
</itemizedlist>
<para>If you installed using an rpm, at a root shell prompt type
<quote>rpm -e shorewall</quote>.</para>
</section>
</article>
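Review bot: the first list item under "Falling Back to the Previous Version of Shorewall using the Fallback Script" says "the distribution directory for the version of Seattle Firewall that you are currently running" while the rest of the article refers to Shorewall; this reads as a leftover from the older name and should say Shorewall. In the rpm section the example filename "shorewall-3.1=0noarch.rpm" does not match the "3.1-0 version" it is said to fall back to; an rpm of that version would normally be named "shorewall-3.1-0.noarch.rpm", so the "=" and the missing dot look like typos.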
