From abf477019cf31edeb59cdc5dc10b9b8512c73238 Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 22 Oct 2005 17:37:38 +0000 Subject: [PATCH] Fiddle with the document about my configuration git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2922 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/Documentation_Index.xml | 26 ++-- Shorewall-docs2/OPENVPN.xml | 4 +- Shorewall-docs2/bridge.xml | 12 +- Shorewall-docs2/configuration_file_basics.xml | 18 +-- Shorewall-docs2/dhcp.xml | 28 +++-- Shorewall-docs2/myfiles.xml | 118 +++++++++++++----- Shorewall-docs2/standalone.xml | 31 +++-- Shorewall-docs2/three-interface.xml | 36 ++++-- Shorewall-docs2/two-interface.xml | 64 +++++----- Shorewall-docs2/useful_links.xml | 15 +++ 10 files changed, 225 insertions(+), 127 deletions(-) diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml index ca1748fb8..12f9d85b2 100644 --- a/Shorewall-docs2/Documentation_Index.xml +++ b/Shorewall-docs2/Documentation_Index.xml @@ -23,7 +23,7 @@ Thomas M. Eastep - 2.4.0 + 3.0.0 Permission is granted to copy, distribute and/or modify this @@ -134,20 +134,6 @@ Please review the appropriate guide before trying to use this documentation directly. - - Are you running Shorewall on Mandrake - Linux with a two-interface setup? - - If so and if you configured your system while running a Mandrake - release earlier than 10.0 final then this documentation will not apply - directly to your environment. If you want to use the documentation that - you find here, you will want to consider uninstalling what you have and - installing a configuration that matches this documentation. See the Two-interface QuickStart Guide for - details. - - 2.6 Kernel @@ -617,6 +603,11 @@ SMB + + Squid with + Shorewall + + Starting/stopping the Firewall @@ -631,12 +622,11 @@ - Squid with - Shorewall + Static (one-to-one) NAT - Static (one-to-one) NAT + Support 
diff --git a/Shorewall-docs2/OPENVPN.xml b/Shorewall-docs2/OPENVPN.xml index 6e9ee92fb..e810f75dc 100644 --- a/Shorewall-docs2/OPENVPN.xml +++ b/Shorewall-docs2/OPENVPN.xml @@ -5,7 +5,7 @@ - OpenVPN Tunnels + OpenVPN Tunnels and Bridges @@ -21,7 +21,7 @@ - 2005-10-18 + 2005-10-19 2003 diff --git a/Shorewall-docs2/bridge.xml b/Shorewall-docs2/bridge.xml index 8e67690a4..2f6c9d96e 100755 --- a/Shorewall-docs2/bridge.xml +++ b/Shorewall-docs2/bridge.xml @@ -15,7 +15,7 @@ - 2005-10-02 + 2005-10-21 2004 @@ -83,6 +83,11 @@
Requirements + Note that if you need a bridge but do not need to restrict the + traffic through the bridge then any version of Shorewall will work. See + the Simple Bridge documentation for + details. + In order to use Shorewall as a bridging firewall: @@ -112,11 +117,6 @@ installed. - - Note that if you need a bridge but do not need to restrict the - traffic through the bridge then any version of Shorewall will work. See - the Simple Bridge documentation for - details.
diff --git a/Shorewall-docs2/configuration_file_basics.xml b/Shorewall-docs2/configuration_file_basics.xml index 3802e03cc..ce715e5eb 100644 --- a/Shorewall-docs2/configuration_file_basics.xml +++ b/Shorewall-docs2/configuration_file_basics.xml @@ -15,7 +15,7 @@ - 2005-09-29 + 2005-10-20 2001-2005 @@ -127,8 +127,8 @@ - /etc/shorewall/tunnels - defines IPSEC, - GRE and IPIP tunnels with end-points on the firewall system. + /etc/shorewall/tunnels - defines tunnels + (VPN) with end-points on the firewall system. @@ -173,7 +173,8 @@ /etc/shorewall/actions and - /usr/share/shorewall/action.template. + /usr/share/shorewall/action.template allow + user-defined actions. @@ -227,13 +228,13 @@ ACCEPT net $FW tcp www #This is an end-of-line commentLine Continuation You may continue lines in the configuration files using the usual - backslash (\) followed immediately by a new line - character. + backslash (\) followed immediately by a new line character + (Enter key). Line Continuation - ACCEPT net $FW tcp \ + ACCEPT net $FW tcp \↵ smtp,www,pop3,imap #Services running on the firewall
@@ -488,7 +489,8 @@ Shorewall has detected the following iptables/netfilter capabilities: Packet Type Match: Not available Policy Match: Available Physdev Match: Available - IP range Match: Available <-------------- + IP range Match: Available <-------------- +
diff --git a/Shorewall-docs2/dhcp.xml b/Shorewall-docs2/dhcp.xml index b67c5a63c..00d6c719f 100755 --- a/Shorewall-docs2/dhcp.xml +++ b/Shorewall-docs2/dhcp.xml @@ -33,7 +33,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. @@ -42,8 +43,8 @@ at a level below Netfilter. Hence, Netfilter (and therefore Shorewall) cannot be used effectively to police DHCP. The dhcp interface option described in this article allows for Netfilter to stay - out of DHCP's way for those operations that can be controlled by - Netfilter and prevents unwanted logging of DHCP-related traffic by + out of DHCP's way for those operations that can be controlled by Netfilter + and prevents unwanted logging of DHCP-related traffic by Shorewall-generated Netfilter logging rules. @@ -65,8 +66,6 @@ modifying /etc/sysconfig/dhcpd. - -
@@ -75,22 +74,25 @@ Specify the dhcp option for this interface in the - /etc/shorewall/interfaces - file. This will generate rules that will allow DHCP to and from + /etc/shorewall/interfaces + file. This will generate rules that will allow DHCP to and from your firewall system. If you know that the dynamic address is always going to be in - the same subnet, you can specify the subnet address in the - interface's entry in the /etc/shorewall/interfaces + the same subnet, you can specify the subnet address in the interface's + entry in the /etc/shorewall/interfaces file. - If you don't know the subnet address in advance, you should - specify detect for the interface's subnet address - in the /etc/shorewall/interfaces + If you don't know the subnet address in advance, you should + specify detect for the interface's subnet address in + the /etc/shorewall/interfaces file and start Shorewall after the interface has started. @@ -98,7 +100,7 @@ In the event that the subnet address might change while Shorewall is started, you need to arrange for a shorewall refresh command to be executed when a new dynamic IP address - gets assigned to the interface. Check your DHCP client's + gets assigned to the interface. Check your DHCP client's documentation. diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml index d04c274e6..763c1678b 100644 --- a/Shorewall-docs2/myfiles.xml +++ b/Shorewall-docs2/myfiles.xml @@ -15,7 +15,7 @@ - 2005-10-13 + 2005-10-22 2001-2005 
@@ -52,15 +52,16 @@ releases. - I have DSL service and have 5 static IP addresses - (206.124.146.176-180). My DSL modem (Westell 2200) is - connected to eth2 and has IP address 192.168.1.1 (factory default). The - modem is configured in bridge mode so PPPoE is not - involved. I have a local network connected to eth3 (subnet - 192.168.1.0/24), a wireless network (192.168.3.0/24) connected to eth0, - and a DMZ connected to eth1 (206.124.146.176/32). Note that I configure - the same IP address on both eth1 - and eth2. + I have DSL service with 5 static IP addresses (206.124.146.176-180). + My DSL modem (Westell 2200) is connected to eth2 and has IP + address 192.168.1.1 (factory default). The modem is configured in + bridge mode so PPPoE is not involved. I have a local + network connected to eth3 which is bridged to interface tun0 via bridge + br0 (subnet 192.168.1.0/24), a wireless network (192.168.3.0/24) connected + to eth0, and a DMZ connected to eth1 (206.124.146.176/32). Note that I + configure the same IP address on both eth1 and eth2. In this configuration: @@ -80,7 +81,7 @@ I use SNAT through 206.124.146.179 for my Wife's Windows XP system Tarry, my crash and burn - system "Wookie", and our SuSE 10.0 laptop Tipper which + system "Wookie", our SuSE 10.0 laptop Tipper which connects through the Wireless Access Point (wap) via a Wireless Bridge (wet), and my work laptop (eastepnc6000) when it is not docked in my office. 
@@ -113,13 +114,13 @@ WAP11.  In additional to using the rather weak WEP 40-bit encryption (64-bit with the 24-bit preamble), I use MAC verification and OpenVPN. + url="OPENVPN.html">OpenVPN in bridge mode. The single system in the DMZ (address 206.124.146.177) runs postfix, - Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP - server (Pure-ftpd) under Fedora Core 4. The system also runs fetchmail to - fetch our email from our old and current ISPs. That server is accessible - from the Internet through Proxy + Courier IMAP (imap and imaps), DNS (Bind 9), a Web server (Apache) and an + FTP server (Pure-ftpd) under Fedora Core 4. The system also runs fetchmail + to fetch our email from our old and current ISPs. That server is + accessible from the Internet through Proxy ARP. The firewall system itself runs a DHCP server that serves the local @@ -144,11 +145,10 @@ /etc/network/interfaces file (see below) adds a host route to 206.124.146.177 through eth1 when that interface is brought up. - The firewall is configured with OpenVPN for VPN access from our - second home in Omak, - Washington or when we are otherwise out of town. We run a second - instance of OpenVPN that is used to bridge the - wireless laptops in the Wifi zone to the local lan. + In addition to the Openvpn bridge, the firewall hosts an OpenVPN + Tunnel server for VPN access from our second home in Omak, Washington or when we are + otherwise out of town. Eastepnc6000 is shown in both the local LAN and in the Wifi zone @@ -624,15 +624,25 @@ $EXT_IF 1.5mbit 384kbit /etc/shorewall/tcclasses
- My traffic shaping configuration is the "WonderShaper" My traffic shaping configuration is basically the "WonderShaper" + example - from tc4shorewall. + from tc4shorewall with a little tweaking. #INTERFACE MARK RATE CEIL PRIORITY OPTIONS $EXT_IF 10 full ful 1 tcp-ack,tos-minimize-delay $EXT_IF 20 9*full/10 9*full/10 2 default $EXT_IF 30 6*full/10 6*full/10 3 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + + + Sent 3144472390 bytes 4019424 pkts (dropped 0, overlimits 0) + +Device tun0: +qdisc pfifo_fast 0: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 + Sent 0 bytes 0 pkts (dropped 0, overlimits 0) + +
@@ -644,17 +654,69 @@ $EXT_IF 30 6*full/10 6*full/10 3 throttled and rsync gets throttled even more. - The class id for tc4shorewall-generated classes is 1:<100 + - mark value>. The rules below are using the Netfilter CLASSIFY - target to classify the traffic directly without having to first mark - then classify based on the marks. + The class id for tc4shorewall-generated classes is + <device number>:<100 + mark + value> where the first device in + /etc/shorewall/tcdevices is device number 1, + the second is device number 2 and so on. The rules below are using + the Netfilter CLASSIFY target to classify the traffic directly + without having to first mark then classify based on the + marks. #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST # PORT(S) 1:110 192.168.0.0/22 $EXT_IF -1:130 206.124.146.177 $EXT_IF tcp - 873 +1:130 206.124.146.177 $EXT_IF tcp - 873 #Rsync to the Mirrors #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + + Here is the output of shorewall show tc while + the Shorewall mirrors were receiving updates via rsync and the link + was otherwise idle. Note the rate limiting imposed by the 1:30 + Class. + + Shorewall-3.0.0-RC2 Traffic Control at gateway - Sat Oct 22 09:11:26 PDT 2005 + +... 
+ +Device eth2: +qdisc htb 1: r2q 10 default 120 direct_packets_stat 2 ver 3.17 + Sent 205450106 bytes 644093 pkts (dropped 0, overlimits 104779) + backlog 20p +qdisc ingress ffff: ---------------- + Sent 160811382 bytes 498294 pkts (dropped 37, overlimits 0) +qdisc sfq 110: parent 1:110 limit 128p quantum 1514b flows 128/1024 perturb 10sec + Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0) +qdisc sfq 120: parent 1:120 limit 128p quantum 1514b flows 128/1024 perturb 10sec + Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0) +qdisc sfq 130: parent 1:130 limit 128p quantum 1514b flows 128/1024 perturb 10sec + Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0) + backlog 20p +class htb 1:110 parent 1:1 leaf 110: prio 1 quantum 4915 rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 0 + Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0) + rate 424bit + lended: 417516 borrowed: 0 giants: 0 + tokens: 36864 ctokens: 36864 + +class htb 1:1 root rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 7 + Sent 205422474 bytes 644073 pkts (dropped 0, overlimits 0) + rate 231568bit 19pps + lended: 0 borrowed: 0 giants: 0 + tokens: -26280 ctokens: -26280 + +class htb 1:130 parent 1:1 leaf 130: prio 3 quantum 2944 rate 230000bit ceil 230000bit burst 1714b/8 mpu 0b overhead 0b cburst 1714b/8 mpu 0b overhead 0b level 0 + Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0) + rate 230848bit 19pps backlog 18p + lended: 48784 borrowed: 0 giants: 0 + tokens: -106401 ctokens: -106401 + +class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 4416 rate 345000bit ceil 345000bit burst 1771b/8 mpu 0b overhead 0b cburst 1771b/8 mpu 0b overhead 0b level 0 + Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0) + rate 1000bit + lended: 177773 borrowed: 0 giants: 0 + tokens: 41126 ctokens: 41126 + +... 
diff --git a/Shorewall-docs2/standalone.xml b/Shorewall-docs2/standalone.xml index a8a50c215..e112828b8 100644 --- a/Shorewall-docs2/standalone.xml +++ b/Shorewall-docs2/standalone.xml @@ -15,7 +15,7 @@ - 2005-09-30 + 2005-10-20 2002-2005 @@ -132,12 +132,29 @@ /etc/shorewall -- for simple setups, you only need to deal with a few of these as described in this guide. After you have installed - Shorewall, download the one-interface - sample, un-tar it (tar -zxvf one-interface.tgz) and and copy the - files to /etc/shorewall (they will replace files with the same names that - were placed in /etc/shorewall during Shorewall - installation). + Shorewall, you can find the Samples as follows: + + + + If you installed using an RPM, the samples will be in the + Samples/one-interface/ subdirectory of the Shorewall documentation + directory. If you don't know where the Shorewall documentation + directory is, you can find the samples using this command: + + ~# rpm -ql shorewall | fgrep one-interface +/usr/share/doc/packages/shorewall/Samples/one-interface +/usr/share/doc/packages/shorewall/Samples/one-interface/interfaces +/usr/share/doc/packages/shorewall/Samples/one-interface/policy +/usr/share/doc/packages/shorewall/Samples/one-interface/rules +/usr/share/doc/packages/shorewall/Samples/one-interface/zones +~# + + + + If you installed using the tarball, the samples are in the + Samples/one-interface directory in the tarball. + + Note to Debian Users diff --git a/Shorewall-docs2/three-interface.xml b/Shorewall-docs2/three-interface.xml index 1e313301b..9e7170054 100755 --- a/Shorewall-docs2/three-interface.xml +++ b/Shorewall-docs2/three-interface.xml @@ -15,7 +15,7 @@ - 2005-10-03 + 2005-10-20 2002-2005 
@@ -192,14 +192,32 @@ - After you have installed Shorewall, download - the three-interface - sample, un-tar it (tar - three-interfaces.tgz) and and copy the - files to /etc/shorewall (the files will replace files - with the same names that were placed in - /etc/shorewall when Shorewall was installed). + After you have installed Shorewall, locate the three-interface + Sample configuration: + + + + If you installed using an RPM, the samples will be in the + Samples/three-interfaces/ subdirectory of the Shorewall documentation + directory. If you don't know where the Shorewall documentation + directory is, you can find the samples using this command: + + ~# rpm -ql shorewall | fgrep three-interfaces +/usr/share/doc/packages/shorewall/Samples/three-interfaces +/usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces +/usr/share/doc/packages/shorewall/Samples/three-interfaces/masq +/usr/share/doc/packages/shorewall/Samples/three-interfaces/policy +/usr/share/doc/packages/shorewall/Samples/three-interfaces/routestopped +/usr/share/doc/packages/shorewall/Samples/three-interfaces/rules +/usr/share/doc/packages/shorewall/Samples/three-interfaces/zones +~# + + + + If you installed using the tarball, the samples are in the + Samples/three-interfaces directory in the tarball. + + As each file is introduced, I suggest that you look through the actual file on your system -- each file contains detailed configuration diff --git a/Shorewall-docs2/two-interface.xml b/Shorewall-docs2/two-interface.xml index 3b10a47b3..8a7d4ff5b 100644 --- a/Shorewall-docs2/two-interface.xml +++ b/Shorewall-docs2/two-interface.xml @@ -12,7 +12,7 @@ Eastep - 2005-10-03 + 2005-10-21 2002- 
@@ -78,33 +78,7 @@ - - Shorewall and <trademark>Mandrake</trademark> 9.0+ - - If you are running Shorewall under - Mandrake 9.0 or later, you can easily configure - the above setup using the Mandrake - Internet Connection Sharing applet. From the - Mandrake Control Center, - select Network & - Internet then - Connection Sharing. - - Note however, that the Shorewall configuration produced by - Mandrake Internet Connection Sharing is strange - and is apt to confuse you if you use the rest of this documentation - (it has two local zones; loc and - masq where loc is empty; this - conflicts with this documentation which assumes a single local zone - loc). We therefore recommend that once you have set - up this sharing that you uninstall the Mandrake - Shorewall RPM and install the one from the download page then follow the instructions - in this Guide. - - The above Shorewall Issue is corrected in - Mandrake 10.0 and later. - + If you edit your configuration files on a Windows system, you must save them as Unix files if your editor supports that option 
@@ -199,14 +173,32 @@ After you have installed - Shorewall, download the two-interface - sample, un-tar it (tar - - two-interfaces.tgz) and and copy the - files to /etc/shorewall - (these files will replace files with the same - name). + Shorewall, locate the two-interfaces samples: + + + + If you installed using an RPM, the samples will be in the + Samples/two-interfaces/ subdirectory of the Shorewall + documentation directory. If you don't know where the Shorewall + documentation directory is, you can find the samples using this + command: + + ~# rpm -ql shorewall | fgrep two-interfaces +/usr/share/doc/packages/shorewall/Samples/two-interfaces +/usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces +/usr/share/doc/packages/shorewall/Samples/two-interfaces/masq +/usr/share/doc/packages/shorewall/Samples/two-interfaces/policy +/usr/share/doc/packages/shorewall/Samples/two-interfaces/routestopped +/usr/share/doc/packages/shorewall/Samples/two-interfaces/rules +/usr/share/doc/packages/shorewall/Samples/two-interfaces/zones +~# + + + + If you installed using the tarball, the samples are in the + Samples/two-interfaces directory in the tarball. + + As each file is introduced, I suggest that you look through the actual file on your system -- each file contains detailed configuration instructions and default entries. diff --git a/Shorewall-docs2/useful_links.xml b/Shorewall-docs2/useful_links.xml index 007083ec2..4a58f98d4 100644 --- a/Shorewall-docs2/useful_links.xml +++ b/Shorewall-docs2/useful_links.xml @@ -65,6 +65,21 @@ Iptables Tutorial: http://iptables-tutorial.frozentux.net/ + + + Debian apt-get sources for Shorewall: http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian + + + + About the Shorewall Author: http://www.shorewall.net/shoreline.htm + + + + Tom's 2005 LinuxFest NW Presentation: http://www.shorewall.net/LinuxFest.pdf +
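Review bot: in the OPENVPN.xml hunk the pubdate is changed to 2005-10-19, but the commit itself is dated 2005-10-22 and every other file touched here is bumped to 2005-10-20, 2005-10-21 or 2005-10-22; since the title is being changed in this same commit to "OpenVPN Tunnels and Bridges", the date should reflect when the page was actually revised. Also check that any index or link text that names this page by title ("OpenVPN Tunnels") is updated to match; the Documentation_Index.xml hunk in this commit does not touch it.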
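Review bot: the configuration_file_basics.xml change to the /etc/shorewall/tunnels description loses information rather than sharpening it: "defines IPSEC, GRE and IPIP tunnels" becomes "defines tunnels (VPN)", and GRE and IPIP are not VPNs. If the aim is to cover the OpenVPN tunnels documented elsewhere in this commit, keep the enumeration and extend it, e.g. "/etc/shorewall/tunnels - defines IPSEC, OpenVPN, GRE and IPIP tunnels with end-points on the firewall system".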
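Review bot: the "\↵" in the Line Continuation programlisting puts a non-ASCII glyph inside a code sample that readers will copy, and "ACCEPT net $FW tcp \↵" is not a valid rules line; the new "(Enter key)" wording in the paragraph already makes the point, so leave the listing as the plain "ACCEPT net $FW tcp \" it was. While this paragraph is being edited, spell out the failure mode implied by "followed immediately by a new line character": any whitespace after the backslash prevents the continuation, and the second physical line is then parsed as a rule of its own, which is a common cause of errors in a rules file that looks correct.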
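Review bot: the rewritten network description in myfiles.xml says the local network is "connected to eth3 which is bridged to interface tun0 via bridge br0", but the paragraph still identifies the LAN by the physical interface. State which interface name (br0 or eth3) appears in /etc/shorewall/interfaces for the loc zone, because with a bridge the Netfilter rules need to name the bridge device, and a reader copying an interfaces entry for eth3 would not get the behaviour described. The same hunk still says the wireless network is "connected to eth0", so also say how tun0 on br0 relates to the eth0 wireless segment (is the Wifi zone reached via eth0, via the OpenVPN bridge on tun0, or both).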
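Review bot: two things in the context line "In additional to using the rather weak WEP 40-bit encryption (64-bit with the 24-bit preamble)" are worth fixing while this paragraph is touched: "In additional to" should be "In addition to", and the 24 bits are WEP's initialization vector (IV), not a preamble. Since the text itself calls WEP weak, and MAC verification does not stop a client that copies a permitted address, consider saying explicitly that the OpenVPN bridge is the control that protects the LAN and that the Wifi zone is treated as untrusted, so readers do not take WEP plus MAC filtering as the security boundary.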
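Review bot: style: the rewritten paragraph uses "Openvpn bridge" and "OpenVPN Tunnel server" within two lines; use the project's spelling consistently ("OpenVPN bridge", "OpenVPN tunnel server"), matching the new OPENVPN.xml title "OpenVPN Tunnels and Bridges" added in this same commit.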
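Review bot: the second programlisting added after the tcclasses table (from "Sent 3144472390 bytes 4019424 pkts (dropped 0, overlimits 0)" through the "Device tun0: qdisc pfifo_fast ..." lines) has no lead-in and starts mid-output; it reads like a stray paste from shorewall show tc and should either be removed or introduced with a sentence saying what it illustrates. Also, the context line "$EXT_IF 10 full ful 1 tcp-ack,tos-minimize-delay" has "ful" in the CEIL column where "full" is clearly intended; fix it while this listing is being edited so readers do not copy the typo.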
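Review bot: the lead-in to the shorewall show tc output says "Note the rate limiting imposed by the 1:30 Class", but by the numbering rule this same hunk introduces (<device number>:<100 + mark value>) mark 30 is class 1:130, and the output below shows "class htb 1:130 parent 1:1 leaf 130: prio 3 ... rate 230000bit ceil 230000bit"; say 1:130. The output does support the point well and the sentence could say so: 1:130 shows "rate 230848bit 19pps backlog 18p" with negative tokens while 1:110 (424bit) and 1:120 (1000bit) are nearly idle, i.e. the rsync traffic is pinned at its ceiling while the other classes have headroom. Consider also noting that the tcrules entry "1:130 206.124.146.177 $EXT_IF tcp - 873" is what steers the rsync flows into that class.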
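Review bot: the replaced text in standalone.xml told the reader to copy the sample files to /etc/shorewall (replacing the files installed there); the new list only says how to locate the samples, and the sentence that follows ("As each file is introduced, I suggest that you look through the actual file on your system") now refers to files that were never put in place. Add a step after the list, e.g. "cp /usr/share/doc/packages/shorewall/Samples/one-interface/* /etc/shorewall/". The same omission appears in the parallel three-interface.xml and two-interface.xml hunks. Also, the rpm -ql output shown is the SUSE layout (/usr/share/doc/packages/shorewall); label it as one distribution's example rather than the expected path, since on other RPM-based distributions the documentation lives under a versioned /usr/share/doc/shorewall-<version> directory, which is exactly why the rpm -ql command is being recommended.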
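Review bot: the new "Debian apt-get sources for Shorewall" entry in useful_links.xml points at a personal page (http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian) rather than the Debian archive, and the link text gives no hint that these are third-party packages. Say that they are unofficial and who maintains them, and if the repository is signed say how readers verify the signing key, so adding it to sources.list is an informed supply-chain decision; otherwise readers will install firewall packages from an address they have no way to authenticate. The other two added links are fine as written.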