diff --git a/Shorewall-docs/Documentation.xml b/Shorewall-docs/Documentation.xml index 9b20110f6..4f8e2a240 100644 --- a/Shorewall-docs/Documentation.xml +++ b/Shorewall-docs/Documentation.xml @@ -15,7 +15,7 @@ - 2004-01-05 + 2004-01-22 2001-2004 @@ -680,6 +680,21 @@ dmz DMZ Demilitarized zone + + + detectnets + + + (Added in version 1.4.10) - If this option is specified, + the zone named in the ZONE column will contain only the hosts + routed through the interface named in the INTERFACE column. + Do not set this option on your external + (Internet) interface! The interface must be in the + UP state when Shorewall is [re]started. + + + + My recommendations concerning options: @@ -688,7 +703,7 @@ dmz DMZ Demilitarized zone - Wireless Interface -- maclist,routefilter,tcpflags + Wireless Interface -- maclist,routefilter,tcpflags,detectnets @@ -926,7 +941,7 @@ loc eth1:192.168.1.0/24,192.168.12.0/24 to a particular connection request then the policy from /etc/shorewall/policy is applied. - Four policies are defined: + Five policies are defined: 
@@ -1827,14 +1842,23 @@ DNAT net loc:192.168.1.101-192.168.1.109 tcp 80 optionally qualified by adding : and a subnet or host IP. When this qualification is added, only packets addressed to that host or subnet will be masqueraded. Beginning with Shorewall version - 1.3.14, if you have set ADD_SNAT_ALIASES=Yes in , - you can cause Shorewall to create an alias label - of the form interfacename:digit (e.g., eth0:0) - by placing that label in this column. See example 5 below. Alias - labels created in this way allow the alias to be visible to the - ipconfig utility. THAT IS THE ONLY THING THAT - THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR - SHOREWALL CONFIGURATION. + 1.4.10, the interface name can be qualified with ":" + followed by a comma separated list of hosts and/or subnets. If this + list begins with ! (e.g., eth0:!192.0.2.8/29,192.0.2.32/29) + then only packets addressed to destinations not + listed will be masqueraded; otherwise (e.g., eth0:192.0.2.8/29,192.0.2.32/29), + traffic will be masqueraded if it does + match one of the listed addresses. + + Beginning with Shorewall version 1.3.14, if you have set + ADD_SNAT_ALIASES=Yes in , you can cause + Shorewall to create an alias label of the form + interfacename:digit (e.g., eth0:0) by placing + that label in this column. See example 5 below. Alias labels created + in this way allow the alias to be visible to the ipconfig utility. + THAT IS THE ONLY THING THAT THIS LABEL IS GOOD + FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL + CONFIGURATION. @@ -3091,7 +3115,9 @@ eth1 - Revision History - 1.112005-01-05TEStandards + 1.122004-01-21TEAdd + masquerade destination list.1.122004-01-18TECorrect + typo.1.112004-01-05TEStandards Compliance1.102004-01-05TEImproved formatting of DNAT- and REDIRECT- for clarity1.92003-12-25MNInitial Docbook Conversion Complete diff --git a/Shorewall-docs/Documentation_Index.xml b/Shorewall-docs/Documentation_Index.xml index 629dc4227..b32cfcdec 100644 
--- a/Shorewall-docs/Documentation_Index.xml +++ b/Shorewall-docs/Documentation_Index.xml @@ -15,7 +15,7 @@ - 2003-12-31 + 2004-01-21 2001-2003 @@ -23,7 +23,7 @@ Thomas M. Eastep - 1.4.8 + 1.4.9 Permission is granted to copy, distribute and/or modify this @@ -73,6 +73,10 @@ (virtual) Interfaces (e.g., eth0:0) + + Bandwidth Control + + Blacklisting diff --git a/Shorewall-docs/FAQ.xml b/Shorewall-docs/FAQ.xml index 2ef677214..79a72ffc9 100644 --- a/Shorewall-docs/FAQ.xml +++ b/Shorewall-docs/FAQ.xml @@ -17,7 +17,7 @@ - 2004-01-20 + 2004-01-24 2001-2004 @@ -1590,7 +1590,12 @@ Creating input Chains... Answer: The above output is perfectly normal. The Net zone is defined as all hosts that are connected through eth0 and the local zone is defined as all hosts - connected through eth1 + connected through eth1. If you are running Shorewall 1.4.10 or later, + you can consider setting the detectnets interface option on your local + interface (eth1 in the above example). That will cause Shorewall to + restrict the local zone to only those networks routed through that + interface.
@@ -1909,7 +1914,9 @@ Creating input Chains... Revision History - 1.122004-01-20TEImprove + 1.132004-01-24TEAdd + a note about the detectnets interface + option in FAQ 9.1.122004-01-20TEImprove FAQ 16 answer.1.112004-01-14TECorrected broken link1.102004-01-09TEAdded a couple of more legacy FAQ numbers.1.92004-01-08TECorrected diff --git a/Shorewall-docs/IPSEC.xml b/Shorewall-docs/IPSEC.xml index 04490e448..09c651130 100644 --- a/Shorewall-docs/IPSEC.xml +++ b/Shorewall-docs/IPSEC.xml @@ -15,14 +15,10 @@ - 2003-10-29 + 2004-01-22 - 2001 - - 2002 - - 2003 + 2001-2004 Thomas M. Eastep @@ -37,6 +33,16 @@ + + This documentation does not cover configuring IPSEC under the 2.6 + Linux Kernel. David Hollis has provided information + about how to set up a simple tunnel under 2.6. One important point + that is not made explicit in David's post is that the vpn zone must be defined before the net zone in /etc/shorewall/zones. + +
Configuring FreeS/Wan diff --git a/Shorewall-docs/Shorewall_Squid_Usage.xml b/Shorewall-docs/Shorewall_Squid_Usage.xml index a7e0554a0..3600c5af5 100644 --- a/Shorewall-docs/Shorewall_Squid_Usage.xml +++ b/Shorewall-docs/Shorewall_Squid_Usage.xml @@ -15,10 +15,10 @@ - 2003-10-17 + 2004-01-20 - 2003 + 2003-2004 Thomas M. Eastep @@ -33,7 +33,7 @@ - + This page covers Shorewall configuration to use with Squid running as a Transparent @@ -401,7 +401,7 @@ chkconfig --level 35 iptables on
- Squid (transparent) Running in the DMZ (This is what I do) + Squid (transparent) Running in the DMZ You have a single Linux system in your DMZ with IP address 192.0.2.177. You want to run both a web server and Squid on that system. diff --git a/Shorewall-docs/Shorewall_and_Kazaa.xml b/Shorewall-docs/Shorewall_and_Kazaa.xml index e052eb7a7..c0d681d03 100644 --- a/Shorewall-docs/Shorewall_and_Kazaa.xml +++ b/Shorewall-docs/Shorewall_and_Kazaa.xml @@ -15,10 +15,10 @@ - 2003-10-22 + 2004-01-19 - 2003 + 2003-2004 Thomas M. Eastep @@ -42,7 +42,7 @@ To filter traffic from your loc zone with ftwall, you insert the following rules near the top of - your /etc/shorewall/rules file (before and ACCEPT rules whose source is the + your /etc/shorewall/rules file (before any ACCEPT rules whose source is the loc zone). QUEUE loc net tcp @@ -51,4 +51,9 @@ Now simply configure ftwall as described in the ftwall documentation and restart Shorewall. + + + There is an ftwall init script for use with SuSE + Linux at http://shorewall.net/pub/shorewall/contrib/ftwall. + \ No newline at end of file diff --git a/Shorewall-docs/blacklisting_support.xml b/Shorewall-docs/blacklisting_support.xml index 494adfff0..684ffa45e 100644 --- a/Shorewall-docs/blacklisting_support.xml +++ b/Shorewall-docs/blacklisting_support.xml @@ -15,7 +15,7 @@ - 2004-01-05 + 2004-01-17 2002-2004 @@ -140,7 +140,7 @@ option in /etc/shorewall/interfaces. - Ingore packets from a pair of systems + Ignore packets from a pair of systems shorewall drop 192.0.2.124 192.0.2.125 diff --git a/Shorewall-docs/errata.xml b/Shorewall-docs/errata.xml index c7bc993fc..b61d57b84 100644 --- a/Shorewall-docs/errata.xml +++ b/Shorewall-docs/errata.xml @@ -13,7 +13,7 @@ - 2004-01-03 + 2004-01-19 2001-2004 @@ -62,16 +62,44 @@ +
+ RFC1918 File + + Here + is the most up to date version of the rfc1918 file. +
+
Problems in Version 1.4
- All Versions + Shorewall 1.4.9 - Here - is the most up to date version of the rfc1918 file. + + + The column descriptions in the action.template file did not + match the column headings. + + + + This problem has been corrected in this + action.template file which may be installed in /etc/shorewall. + + + + The presence of IPV6 addresses on devices generates error + messages during [re]start if ADD_IP_ALIASES=Yes + or ADD_SNAT_ALIASES=Yes are specified in + /etc/shorewall/shorewall.conf. + + + + This problem has been corrected in this + firewall script which may be installed in + /usr/share/shorewall/firewall as described above.
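Review bot: in the errata hunk for Shorewall 1.4.9 (@@ -62), neither fix says which release will carry it or how a reader can tell whether the replacement action.template or firewall script is already installed; add the release that includes each fix and a way to identify the corrected file (a version or date marker in it), otherwise users of later releases may downgrade to the errata copy. For the IPV6 item, quoting the actual error text emitted during [re]start when ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes is set would let users match it against what they see rather than guessing.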
@@ -437,9 +465,11 @@ Aborted (core dumped)
- Revision History + Revision History4 - 1.32004-01-03TEAdded + 1.42004-01-19TEIPV6 + address problems. Make RFC1918 file section more prominent.1.32004-01-14TEConfusing + template file in 1.4.91.32004-01-03TEAdded note about REJECT RedHat Kernal problem being corrected.1.22003-12-29TEUpdated RFC1918 file1.12003-12-17TEInitial Conversion to Docbook XML diff --git a/Shorewall-docs/myfiles.xml b/Shorewall-docs/myfiles.xml index d05bc622d..e0707ceea 100644 --- a/Shorewall-docs/myfiles.xml +++ b/Shorewall-docs/myfiles.xml @@ -15,7 +15,7 @@ - 2004-01-08 + 2004-01-20 2001-2004 @@ -66,8 +66,9 @@ - One-to-one NAT for EastepLaptop (My work system). Internal - address 192.168.1.7 and external address 206.124.146.180. + One-to-one NAT for EastepLaptop (My work system -- Windows XP + SP2). Internal address 192.168.1.7 and external address + 206.124.146.180. @@ -86,7 +87,7 @@ - The firewall runs on a 256MB PII/233 with RH9.0. + The firewall runs on a 256MB PII/233 with Debian Sarge (Testing). Wookie, Ursa and the Firewall all run Samba and the Firewall acts as a WINS server. 
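Review bot: the errata revision-history hunk (@@ -437) has two defects: the title line becomes "Revision History4" (stray character after the title), and two entries carry the number 1.3 (2004-01-14 "Confusing template file in 1.4.9" and 2004-01-03 "Added note about REJECT"); the 2004-01-14 entry should be 1.4 and the new IPV6 entry 1.5, so that the numbering stays monotonic.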
@@ -100,19 +101,20 @@ The single system in the DMZ (address 206.124.146.177) runs postfix, Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP - server (Pure-ftpd). The system also runs fetchmail to fetch our email from - our old and current ISPs. That server is managed through Proxy ARP. + server (Pure-ftpd) under RedHat 9.0. The system also runs fetchmail to + fetch our email from our old and current ISPs. That server is managed + through Proxy ARP. The firewall system itself runs a DHCP server that serves the local network. - All administration and publishing is done using ssh/scp. I have X - installed on the firewall but no X server or desktop is installed. X - applications tunnel through SSH to XWin.exe running on Ursa. The server - does have a desktop environment installed and that desktop environment is - available via XDMCP from the local zone. For the most part though, X - tunneled through SSH is used for server administration and the server runs - at run level 3 (multi-user console mode on RedHat). + All administration and publishing is done using ssh/scp. I have a + desktop environment installed on the firewall but I am not usually logged + in to it. X applications tunnel through SSH to Ursa. The server also has a + desktop environment installed and that desktop environment is available + via XDMCP from the local zone. For the most part though, X tunneled + through SSH is used for server administration and the server runs at run + level 3 (multi-user console mode on RedHat). I run an SNMP server on my firewall to serve MRTG running 
@@ -120,9 +122,9 @@ ethernet interface in the Server is configured with IP address 206.124.146.177, netmask 255.255.255.0. The server's default gateway is 206.124.146.254 (Router at my ISP. This is the same default gateway - used by the firewall itself). On the firewall, my /sbin/ifup-local script - (see below) adds a host route to 206.124.146.177 through eth1 when that - interface is brought up. + used by the firewall itself). On the firewall, an entry in my + /etc/network/interfaces file (see below) adds a host route to + 206.124.146.177 through eth1 when that interface is brought up. Ursa (192.168.1.5 A.K.A. 206.124.146.178) runs a PPTP server for Road Warrior access. @@ -541,90 +543,24 @@ ACCEPT all all icmp
- Init File + /etc/network/interfaces
- This file deals with redirecting html requests to Squid on the DMZ server. -
+ This file is Debian specific. My additional entry (which is + displayed in bold type) adds a route + to my DMZ server when eth1 is brought up. It allows me to enter + Yes in the HAVEROUTE column of my + Proxy ARP file. -
- # -# Add a second routing table with my server as the default gateway -# Use this routing table with all packets marked with value 1 -# -if [ -z "`ip route list table 202 2> /dev/null`" ] ; then - run_ip rule add fwmark 1 table www.out - run_ip route add default via 206.124.146.177 dev eth1 table www.out - run_ip route flush cache -fi -
-
- -
- /etc/iproute2/rt_tables - -
- This file deals with redirecting html requests to Squid on the DMZ server. -
- -
- # -# reserved values -# -#255 local -#254 main -#253 default -#0 unspec - -# -# local -- I added the entry below -# -202 www.out -
-
- -
- Tcrules File - -
- This file deals with redirecting html requests to Squid on the DMZ server - -- in my setup, it is not used for - traffic shapping/control. -
- -
- #MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S) -1:P eth2,eth3 !192.168.0.0/16 tcp 80 -
-
- -
- Tcstart File - -
- My tcstart file is just the HTB version of The WonderShaper. -
-
- -
- /sbin/ifup-local - -
- This file is Redhat specific and adds a route to my DMZ server - when eth1 is brought up. It allows me to enter Yes in - the HAVEROUTE column of my Proxy ARP file. - - #!/bin/sh - -case $1 in - eth1) - ip route add 206.124.146.177 dev eth1 - ;; -esac + ... +auto eth1 +iface eth1 inet static + address 192.168.2.1 + netmask 255.255.255.0 + network 192.168.2.0 + broadcast 192.168.2.255 + up ip route add 206.124.146.177 dev eth1 +...
diff --git a/Shorewall-docs/traffic_shaping.xml b/Shorewall-docs/traffic_shaping.xml index defe36811..a914ffc40 100755 --- a/Shorewall-docs/traffic_shaping.xml +++ b/Shorewall-docs/traffic_shaping.xml @@ -15,10 +15,10 @@ - 2003-10-21 + 2004-01-21 - 2001-2003 + 2001-2004 Thomas M. Eastep @@ -223,6 +223,21 @@ omitted, any source port is acceptable. Specified as a comma-separate list of port names, port numbers or port ranges.
+ + + USER (Added in Shorewall version 1.4.10) - (Optional) This + column may only be non-empty if the SOURCE is the firewall itself. + When this column is non-empty, the rule applies only if the program + generating the output is running under the effective user and/or + group. It may contain : + + [<user name or number>]:[<group name or number>] + + + The colon is optionnal when specifying only a user. + + Examples : john: / john / :users / john:users + @@ -233,7 +248,7 @@ originating on the firewall itself should be marked with 3.
- + MARK @@ -243,10 +258,6 @@ DESTINATION PROTOCOL - - PORT(S) - - CLIENT PORT(S) @@ -259,10 +270,6 @@ 0.0.0.0/0 all - - - - @@ -273,10 +280,6 @@ 0.0.0.0/0 all - - - - @@ -287,10 +290,6 @@ 0.0.0.0/0 all - - - - @@ -301,10 +300,6 @@ 0.0.0.0/0 all - - - - @@ -318,7 +313,7 @@ destined for 155.186.235.151 should be marked with 12. - + MARK @@ -328,10 +323,6 @@ DESTINATION PROTOCOL - - PORT(S) - - CLIENT PORT(S) @@ -344,10 +335,6 @@ 155.186.235.151 47 - - - - @@ -361,7 +348,7 @@ 155.186.235.151 should be marked with 22. - + MARK @@ -373,8 +360,6 @@ PROTOCOL PORT(S) - - CLIENT PORT(S) @@ -389,8 +374,6 @@ tcp 22 - - @@ -405,10 +388,7 @@ url="http://lartc.org/wondershaper/">The Wonder Shaper (I just copied wshaper.htb to /etc/shorewall/tcstart and modified it as shown in the Wondershaper README). WonderShaper DOES NOT USE THE - /etc/shorewall/tcrules file. While I currently have entries in - /etc/shorewall/tcrules, I do so for policy routing for Squid and not - for Traffic Shaping. + /etc/shorewall/tcrules file.
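Review bot: the detectnets description (Documentation.xml @@ -680) says the interface must be UP when Shorewall is [re]started but not what happens when it is not; state whether startup fails or the zone is left empty, because the two failure modes have very different consequences for a zone that is meant to be restricted. It should also say that the host list is computed at [re]start only, so routes added through that interface later are not in the zone until the next restart, if that is the behaviour.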
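Review bot: in the masquerade hunk (Documentation.xml @@ -1827) the new destination-list form (eth0:192.0.2.8/29,192.0.2.32/29) and the existing alias-label form (eth0:0) both follow the interface name with a colon; the text should say how the two are distinguished (a label is "interfacename:digit", a list contains dots or a slash) and whether they can be combined on one line. For the negated form, spell out that the leading "!" applies to the whole list (eth0:!192.0.2.8/29,192.0.2.32/29 excludes both networks), since a reader could take it as applying only to the first entry.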
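Review bot: the Documentation.xml revision-history hunk (@@ -3091) records two entries numbered 1.12 (2004-01-21 "Add masquerade destination list" and 2004-01-18 "Correct typo"); the 2004-01-21 entry should be 1.13. The change from "Four policies are defined" to "Five policies are defined" (@@ -926) has no matching addition elsewhere in this diff and no revision-history entry, so confirm that the policy list following that sentence actually has five entries and record the change.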
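Review bot: in Documentation_Index.xml (@@ -15) the pubdate moves to 2004-01-21 but the copyright range stays 2001-2003, whereas the other files in this patch (FAQ.xml, IPSEC.xml, Shorewall_Squid_Usage.xml, Shorewall_and_Kazaa.xml) extend theirs to 2004; this should read 2001-2004. The releaseinfo bump (@@ -23) goes to 1.4.9, while the Documentation.xml, FAQ.xml and traffic_shaping.xml hunks describe features "Added in version 1.4.10" (detectnets, masquerade destination lists, the USER column); say which release the index is current for so readers are not pointed at options their version lacks.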
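Review bot: the new FAQ 9 note (FAQ.xml @@ -1590) recommends detectnets on the local interface without the two caveats the Documentation.xml hunk attaches to the option: never set it on the external interface, and the interface must be UP at [re]start. Repeat both here, or link to the option description, since the FAQ is where most users will first meet the option.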
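Review bot: the IPSEC.xml note (@@ -37) says the vpn zone must be defined before the net zone in /etc/shorewall/zones but not why; add one sentence on the consequence of the wrong order (which zone the tunnel traffic is then treated as belonging to), since a reader who gets it backwards will have VPN hosts handled by the net policies without any error being reported.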
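Review bot: in the USER column description (traffic_shaping.xml @@ -223), "optionnal" should be "optional", and "It may contain :" and "Examples :" carry a space before the colon. More substantively, "the program generating the output" leaves open what happens to locally generated packets that have no owning socket (ICMP errors, TCP resets); state that a rule with a non-empty USER cannot match those, and say whether user and group names are resolved on the firewall when the rules are loaded, so that a name present only on another host does not silently fail to match.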