More documentation changes for 4.4

This commit is contained in:
Tom Eastep 2009-06-02 06:32:42 -07:00
parent 228f603d32
commit a953c1af46
4 changed files with 56 additions and 59 deletions

View File

@ -30,7 +30,7 @@
<year>2006</year> <year>2006</year>
<holder>Thomas M. Eastep</holder> <holder>2009 Thomas M. Eastep</holder>
</copyright> </copyright>
<copyright> <copyright>
@ -62,22 +62,19 @@
have IPSEC end-points on the same system where Shorewall is used.</para> have IPSEC end-points on the same system where Shorewall is used.</para>
</important> </important>
<warning> <important>
<para>To use the features described in this article, your kernel must be <para>While this article shows configuration of IPSEC using ipsec-tools,
2.6.16 or later <emphasis role="bold">or</emphasis> your kernel and Shorewall configuration is exactly the same when using OpenSwan or
iptables must include the Netfilter+ipsec patches and policy match FreeSwan.</para>
support. The Netfilter patches are available from Netfilter </important>
Patch-O-Matic-NG and are also included in some commercial distributions
(most notably <trademark>SUSE</trademark> 9.1 through 10.0).</para>
</warning>
<warning> <warning>
<para>As of this writing, the Netfilter+ipsec and policy match support are <para>When running a Linux kernel prior to 2.6.20, the Netfilter+ipsec and
broken when used with a bridge device. The problem has been reported to policy match support are broken when used with a bridge device. The
the responsible Netfilter developer who has confirmed the problem. The problem has been reported to the responsible Netfilter developer who has
problem was presumably corrected in Kernel 2.6.20 as a result of the confirmed the problem. The problem was corrected in Kernel 2.6.20 as a
removal of deferred FORWARD/OUTPUT processing of traffic destined for a result of the removal of deferred FORWARD/OUTPUT processing of traffic
bridge. See the <ulink destined for a bridge. See the <ulink
url="bridge-Shorewall-perl.html">"<emphasis>Shorewall-perl and Bridged url="bridge-Shorewall-perl.html">"<emphasis>Shorewall-perl and Bridged
Firewalls</emphasis>"</ulink> article.</para> Firewalls</emphasis>"</ulink> article.</para>
</warning> </warning>
@ -247,7 +244,7 @@
<orderedlist numeration="loweralpha"> <orderedlist numeration="loweralpha">
<listitem> <listitem>
<para>Open the firewall so that the IPSEC tunnel can be established <para>Open the firewall so that the IPSEC tunnel can be established
(allow the ESP and AH protocols and UDP Port 500).</para> (allow the ESP protocol and UDP Port 500).</para>
</listitem> </listitem>
<listitem> <listitem>
@ -895,7 +892,7 @@ net eth0 detect routefilter,dhcp,tcpflags
<programlisting>#TYPE ZONE GATEWAY GATEWAY <programlisting>#TYPE ZONE GATEWAY GATEWAY
# ZONE # ZONE
ipsec:noah net 192.168.20.0/24 loc</programlisting> ipsec net 192.168.20.0/24 loc</programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para> <para><filename>/etc/shorewall/zones</filename>:</para>

View File

@ -40,11 +40,10 @@
<title>What are Ipsets?</title> <title>What are Ipsets?</title>
<para>Ipsets are an extension to Netfilter/iptables that are currently <para>Ipsets are an extension to Netfilter/iptables that are currently
available in Patch-O-Matic-ng (<ulink available in <ulink
url="http://www.netfilter.org">http://www.netfilter.org</ulink>). Using url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.
ipsets requires that you patch your kernel and iptables and that you build Instructions for installing xtables-addons may be found in the <ulink
and install the ipset utility from <ulink url="Dynamic.html">Dynamic Zones article</ulink>.</para>
url="http://ipset.netfilter.org/">http://ipset.netfilter.org/</ulink>.</para>
<para>Ipset allows you to create one or more named sets of addresses then <para>Ipset allows you to create one or more named sets of addresses then
use those sets to define Netfilter/iptables rules. Possible uses of ipsets use those sets to define Netfilter/iptables rules. Possible uses of ipsets
@ -59,9 +58,9 @@
<listitem> <listitem>
<para>Zone definition. Using the /etc/shorewall/hosts file, you can <para>Zone definition. Using the /etc/shorewall/hosts file, you can
define a zone based on the (dynamic) contents of an ipset. Again, you <ulink url="Dynamic.html">define a zone based on the (dynamic)
can then add or delete addresses to the ipset without restarting contents of an ipset</ulink>. Again, you can then add or delete
Shorewall.</para> addresses to the ipset without restarting Shorewall.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
@ -103,7 +102,7 @@
<para>Example 2: Allow SSH from all hosts in an ipset named "sshok:</para> <para>Example 2: Allow SSH from all hosts in an ipset named "sshok:</para>
<para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT +sshok $FW tcp 22</programlisting></para> ACCEPT net:+sshok $FW tcp 22</programlisting></para>
<para>Shorewall is not in the ipset load/reload business because the <para>Shorewall is not in the ipset load/reload business because the
Netfilter rule set is never cleared. That means that there is no Netfilter rule set is never cleared. That means that there is no
@ -150,34 +149,4 @@ fi</programlisting>
ignore <filename>/etc/shorewall/ipsets</filename> and will issue a warning ignore <filename>/etc/shorewall/ipsets</filename> and will issue a warning
if you set SAVE_IPSETS=Yes in <filename>shorewall.conf</filename></para> if you set SAVE_IPSETS=Yes in <filename>shorewall.conf</filename></para>
</section> </section>
<section id="Dynamic">
<title>Defining Dynamic Zones using Ipsets</title>
<para>The use of ipsets provides a much better way to define dynamic zones
than is provided by the native Shorewall implementation. To define a
dynamic zone of hosts <emphasis role="bold">dyn</emphasis> that is a
sub-zone of zone <emphasis role="bold">loc</emphasis> and that interfaces
through interface eth3, use:</para>
<para>/etc/shorewall/zones:</para>
<programlisting>#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
loc ipv4
dyn:loc ipv4</programlisting>
<para>/etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE OPTIONS
loc eth3 …</programlisting>
<para>/etc/shorewall/hosts:</para>
<programlisting>#ZONE HOSTS OPTIONS
dyn eth3:+Dyn</programlisting>
<para>Now create an ipmap named <emphasis role="bold">Dyn</emphasis> and
you're all set. You can add and delete addresses from Dyn without having
to touch Shorewall.</para>
</section>
</article> </article>

View File

@ -254,7 +254,7 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
If a host in 192.168.1.0/24 attempts a connection on TCP port 80 If a host in 192.168.1.0/24 attempts a connection on TCP port 80
or 443 and it has sent a packet on either of those ports in the or 443 and it has sent a packet on either of those ports in the
last five minutes then the new connection will use the same last five minutes then the new connection will use the same
provider as the connection over which that last packet was provider as the connection over which that last packet was
sent.</para> sent.</para>
<para>When used in the OUTPUT chain, it causes all matching <para>When used in the OUTPUT chain, it causes all matching

View File

@ -231,6 +231,37 @@
ip6tables/Netfilter provides the necessary support.</para> ip6tables/Netfilter provides the necessary support.</para>
</listitem> </listitem>
<listitem>
<para><emphasis role="bold">SAME</emphasis> (Added in Shorewall
4.3.5) -- Some websites run applications that require multiple
connections from a client browser. Where multiple 'balanced'
providers are configured, this can lead to problems when some of
the connections are routed through one provider and some through
another. The SAME target allows you to work around that problem.
SAME may be used in the PREROUTING and OUTPUT chains. When used
in PREROUTING, it causes matching connections from an individual
local system to all use the same provider. For example:
<programlisting>#MARK/ SOURCE DEST PROTO DEST
#CLASSIFY PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
or 443 and it has sent a packet on either of those ports in the
last five minutes then the new connection will use the same
provider as the connection over which that last packet was
sent.</para>
<para>When used in the OUTPUT chain, it causes all matching
connections to an individual remote system to all use the same
provider. For example:<programlisting>#MARK/ SOURCE DEST PROTO DEST
#CLASSIFY PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
If the firewall attempts a connection on TCP port 80 or 443 and
it has sent a packet on either of those ports in the last five
minutes to the same remote system then the new connection will
use the same provider as the connection over which that last
packet was sent.</para>
</listitem>
<listitem> <listitem>
<para><emphasis role="bold">COMMENT</emphasis> -- the rest of <para><emphasis role="bold">COMMENT</emphasis> -- the rest of
the line will be attached as a comment to the Netfilter rule(s) the line will be attached as a comment to the Netfilter rule(s)