diff --git a/docs/6to4.xml b/docs/6to4.xml
index 93ed381c6..92e2aa949 100644
--- a/docs/6to4.xml
+++ b/docs/6to4.xml
@@ -35,7 +35,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
- GNU Free Documentation License
.
+ GNU Free Documentation
+ License
.
@@ -53,7 +54,7 @@
url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
of 6to4 tunnels.
-
+
Connecting two IPv6 Networks
Suppose that we have the following situation:
@@ -62,17 +63,20 @@
We want systems in the 2002:100:333::/64 subnetwork to be able to
communicate with the systems in the 2002:488:999::/64 network. This is
- accomplished through use of the /etc/shorewall/tunnels
- file and the ip
utility for network interface and routing
+ accomplished through use of the
+ /etc/shorewall/tunnels file and
+ the ip
utility for network interface and routing
configuration.
- Unlike GRE and IPIP tunneling, the /etc/shorewall/policy,
- /etc/shorewall/interfaces and /etc/shorewall/zones
- files are not used. There is no need to declare a zone to represent the
- remote IPv6 network. This remote network is not visible on IPv4 interfaces
- and to iptables. All that is visible on the IPv4 level is an IPv4 stream
- which contains IPv6 traffic. Separate IPv6 interfaces and ip6tables rules
- need to be defined to handle this traffic.
+ Unlike GRE and IPIP tunneling, the
+ /etc/shorewall/policy,
+ /etc/shorewall/interfaces and
+ /etc/shorewall/zones files are not used. There is no
+ need to declare a zone to represent the remote IPv6 network. This remote
+ network is not visible on IPv4 interfaces and to iptables. All that is
+ visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic.
+ Separate IPv6 interfaces and ip6tables rules need to be defined to handle
+ this traffic.
In /etc/shorewall/tunnels on system A, we need
the following:
@@ -86,10 +90,10 @@
Use the following commands to setup system A:
- >ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2
->ip link set dev tun6to4 up
->ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4
->ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2
+ >ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2
+>ip link set dev tun6to4 up
+>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4
+>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2
Similarly, in /etc/shorewall/tunnels on system
B we have:
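Review bot: the tunnel-endpoint prefix 3ffe:8280:0:2001::/64 on the `ip addr add` and `ip route add` lines lies in the retired 6bone range 3ffe::/16 (returned to IANA in June 2006, RFC 3701); since this hunk and the matching system B hunk below only re-indent the first `ip tunnel add` line, this would be a good moment to move the example onto the 2001:db8::/32 documentation prefix (RFC 3849), e.g. `ip addr add 2001:db8:0:2001::1/64 dev tun6to4`, so readers do not copy a dead prefix into a live configuration.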
@@ -99,10 +103,10 @@
And use the following commands to setup system B:
- >ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9
->ip link set dev tun6to4 up
->ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4
->ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1
+ >ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9
+>ip link set dev tun6to4 up
+>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4
+>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1
On both systems, restart Shorewall and issue the configuration
commands as listed above. The systems in both IPv6 subnetworks can now
diff --git a/docs/CorpNetwork.xml b/docs/CorpNetwork.xml
deleted file mode 100644
index 92eb506e6..000000000
--- a/docs/CorpNetwork.xml
+++ /dev/null
@@ -1,557 +0,0 @@
-
-
-
-
-
-
- Corporate Network
-
-
-
- Tom
-
- Eastep
-
-
-
- Graeme
-
- Boyle
-
-
-
-
-
-
- 2003
-
- 2005
-
- Thomas M. Eastep and Graeme Boyle
-
-
-
- Permission is granted to copy, distribute and/or modify this
- document under the terms of the GNU Free Documentation License, Version
- 1.2 or any later version published by the Free Software Foundation; with
- no Invariant Sections, with no Front-Cover, and with no Back-Cover
- Texts. A copy of the license is included in the section entitled
- GNU Free Documentation
- License
.
-
-
-
-
- This document has not been updated yet, to
- reflect a correct configuration for Shorewall 3.
-
-
-
- The Network
-
-
-
-
- This configuration is used on a corporate network that has a
- Linux (RedHat 8.0) server with three interfaces, running Shorewall
- 1.4.5 release,
-
-
-
- Make sure you know what public IP addresses are currently
- being used and verify these before
- starting.
-
-
-
- Verify your DNS settings before starting
- any Shorewall configuration especially if you have split DNS.
-
-
-
- System names and Internet IP addresses have been changed to
- protect the innocent.
-
-
-
-
-
- This configuration uses a combination of One-to-one NAT and Proxy
- ARP. This is generally not relevant to a simple configuration with a
- single public IP address. If you have just a single public IP address,
- most of what you see here won't apply to your setup so beware of copying
- parts of this configuration and expecting them to work for you. What you
- copy may or may not work in your configuration.
-
-
- I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
- internet is connected to eth0. The local network is connected via eth1
- (10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have
- an IPSec tunnel connecting our offices in Germany to our offices in the
- US. I host two Microsoft Exchange servers for two different companies
- behind the firewall hence, the two Exchange servers in the diagram
- below.
-
-
- Summary
-
-
-
- SNAT for all systems connected to the LAN - Internal addresses
- 10.10.x.x to external address 192.0.18.127.
-
-
-
- One-to-one NAT for Polaris (Exchange
- Server #2). Internal address 10.10.1.8 and external address
- 192.0.18.70.
-
-
-
- One-to-one NAT for Sims (Inventory
- Management server). Internal address 10.10.1.56 and external address
- 192.0.18.75.
-
-
-
- One-to-one NAT for Project (Project Web
- Server). Internal address 10.10.1.55 and external address
- 192.0.18.84.
-
-
-
- One-to-one NAT for Fortress (Exchange
- Server). Internal address 10.10.1.252 and external address
- 192.0.18.93.
-
-
-
- One-to-one NAT for BBSRV (Blackberry
- Server). Internal address 10.10.1.230 and external address
- 192.0.18.97.
-
-
-
- One-to-one NAT for Intweb (Intranet Web
- Server). Internal address 10.10.1.60 and external address
- 192.0.18.115.
-
-
-
- The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard
- with RH8.0.
-
- The Firewall is also a proxy server running Privoxy 3.0.
-
- The single system in the DMZ (address 192.0.18.80) runs sendmail,
- imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0).
- That server is managed through Proxy ARP.
-
- All administration and publishing is done using ssh/scp. I have X
- installed on the firewall and the system in the DMZ. X applications
- tunnel through SSH to Hummingbird Exceed running on a PC located in the
- LAN. Access to the firewall using SSH is restricted to systems in the
- LAN, DMZ or the system Kaos which is on the Internet and managed by
- me.
-
-
-
- The Ethernet 0 interface in the Server is configured with IP
- address 192.0.18.68, netmask 255.255.255.192. The server's default
- gateway is 192.0.18.65, the Router connected to my network and the ISP.
- This is the same default gateway used by the firewall itself. On the
- firewall, Shorewall automatically adds a host route to 192.0.18.80
- through Ethernet 2 (192.168.21.1) because of the entry in
- /etc/shorewall/proxyarp (see below). I modified the start, stop and init
- scripts to include the fixes suggested when having an IPSec
- tunnel.
-
-
-
- Some Mistakes I Made
-
- Yes, believe it or not, I made some really basic mistakes when
- building this firewall. Firstly, I had the new firewall setup in
- parallel with the old firewall so that there was no interruption of
- service to my users. During my out-bound testing, I set up systems on
- the LAN to utilize the firewall which worked fine. When testing my NAT
- connections, from the outside, these would fail and I could not
- understand why. Eventually, I changed the default route on the internal
- system I was trying to access, to point to the new firewall and
- bingo
, everything worked as expected. This oversight
- delayed my deployment by a couple of days not to mention level of
- frustration it produced.
-
- Another problem that I encountered was in setting up the Proxyarp
- system in the DMZ. Initially I forgot to remove the entry for the eth2
- from the /etc/shorewall/masq file. Once my file settings were correct, I
- started verifying that the ARP caches on the firewall, as well as the
- outside system kaos
, were showing the correct Ethernet
- MAC address. However, in testing remote access, I could access the
- system in the DMZ only from the firewall and LAN but not from the
- Internet. The message I received was connection denied
on
- all protocols. What I did not realize was that a helpful
- administrator that had turned on an old system and assigned the same
- address as the one I was using for Proxyarp without notifying me. How
- did I work this out. I shutdown the system in the DMZ, rebooted the
- router and flushed the ARP cache on the firewall and kaos. Then, from
- kaos, I started pinging that IP address and checked the updated ARP
- cache and lo-and-behold a different MAC address showed up. High levels
- of frustration etc., etc. The administrator will not be doing that
- again! :-)
-
-
-
- Lessons Learned
-
-
-
- Read the documentation.
-
-
-
- Draw your network topology before starting.
-
-
-
- Understand what services you are going to allow in and out of
- the firewall, whether they are TCP or UDP packets and make a note of
- these port numbers.
-
-
-
- Try to get quiet time to build the firewall - you need to
- focus on the job at hand.
-
-
-
- When asking for assistance, be honest and include as much
- detail as requested. Don't try and hide IP addresses etc., you will
- probably screw up the logs and make receiving assistance
- harder.
-
-
-
- Read the documentation.
-
-
-
-
-
- Futures
-
- This is by no means the final configuration. In the near future, I
- will be moving more systems from the LAN to the DMZ. I will also be
- watching the logs for port scan programs etc. but, this should be
- standard security maintenance.
-
-
-
-
- Configuration Files
-
- Here are copies of my files. I have removed most of the internal
- documentation for the purpose of this space however, my system still has
- the original files with all the comments and I highly recommend you do the
- same.
-
-
- Shorewall.conf
-
- ##############################################################################
-# /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
-# match your setup
-#
-# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
-#
-# This file should be placed in /etc/shorewall
-#
-# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
-##############################################################################
-# L O G G I N G
-##############################################################################
-LOGFILE=/var/log/messages
-LOGFORMAT=Shorewall:%s:%s:
-LOGRATE=
-LOGBURST=
-LOGUNCLEAN=info
-BLACKLIST_LOGLEVEL=
-LOGNEWNOTSYN=
-MACLIST_LOG_LEVEL=info
-TCP_FLAGS_LOG_LEVEL=debug
-RFC1918_LOG_LEVEL=debug
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-SUBSYSLOCK=/var/lock/subsys/shorewall
-STATEDIR=/var/lib/shorewall
-MODULESDIR=
-FW=fw
-NAT_ENABLED=Yes
-MANGLE_ENABLED=Yes
-IP_FORWARDING=On
-ADD_IP_ALIASES=Yes
-ADD_SNAT_ALIASES=Yes
-TC_ENABLED=Yes
-CLEAR_TC=No
-MARK_IN_FORWARD_CHAIN=No
-CLAMPMSS=No
-ROUTE_FILTER=Yes
-NAT_BEFORE_RULES=No
-MULTIPORT=Yes
-DETECT_DNAT_IPADDRS=Yes
-MUTEX_TIMEOUT=60
-NEWNOTSYN=Yes
-BLACKLIST_DISPOSITION=DROP
-MACLIST_DISPOSITION=REJECT
-TCP_FLAGS_DISPOSITION=DROP
-#LAST LINE -- DO NOT REMOVE
-
-
-
- Zones File
-
- #
-# Shorewall 1.4 -- Sample Zone File For Two Interfaces
-# /etc/shorewall/zones
-#
-# This file determines your network zones. Columns are:
-#
-# ZONE Short name of the zone
-# DISPLAY Display name of the zone
-# COMMENTS Comments about the zone
-#
-#ZONE DISPLAY COMMENTS
-net Net Internet
-loc Local Local Networks
-dmz DMZ Demilitarized Zone
-vpn1 VPN1 VPN to Germany
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
- Interfaces File
-
- ##############################################################################
-#ZONE INTERFACE BROADCAST OPTIONS
-net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags
-loc eth1 detect dhcp,routefilter
-dmz eth2 detect
-vpn1 ipsec0
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-
-
-
- Routestopped File
-
- #INTERFACE HOST(S)
-eth1 -
-eth2 -
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-
-
- Policy File
-
- ###############################################################################
-#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
-loc net ACCEPT
-loc fw ACCEPT
-loc dmz ACCEPT
-# If you want open access to the Internet from your Firewall
-# remove the comment from the following line.
-fw net ACCEPT
-fw loc ACCEPT
-fw dmz ACCEPT
-dmz fw ACCEPT
-dmz loc ACCEPT
-dmz net ACCEPT
-#
-# Adding VPN Access
-loc vpn1 ACCEPT
-dmz vpn1 ACCEPT
-fw vpn1 ACCEPT
-vpn1 loc ACCEPT
-vpn1 dmz ACCEPT
-vpn1 fw ACCEPT
-#
-net all DROP info
-all all REJECT info
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
- Masq File
-
- #INTERFACE SUBNET ADDRESS
-eth0 eth1 192.0.18.126
-#
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
- NAT File
-
- #EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
-#
-# Intranet Web Server
-192.0.18.115 eth0:0 10.10.1.60 No No
-#
-# Project Web Server
-192.0.18.84 eth0:1 10.10.1.55 No No
-#
-# Blackberry Server
-192.0.18.97 eth0:2 10.10.1.55 No No
-#
-# Corporate Mail Server
-192.0.18.93 eth0:3 10.10.1.252 No No
-#
-# Second Corp Mail Server
-192.0.18.70 eth0:4 10.10.1.8 No No
-#
-# Sims Server
-192.0.18.75 eth0:5 10.10.1.56 No No
-#
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-
-
- Proxy ARP File
-
- #ADDRESS INTERFACE EXTERNAL HAVEROUTE
-#
-# The Corporate email server in the DMZ
-192.0.18.80 eth2 eth0 No
-#
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-
-
- Tunnels File
-
- # TYPE ZONE GATEWAY GATEWAY ZONE PORT
-ipsec net 134.147.129.82
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-
-
- Rules File (The shell variables are set in
- /etc/shorewall/params)
-
- ##############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# PORT PORT(S) DEST
-#
-# Accept DNS connections from the firewall to the network
-#
-ACCEPT fw net tcp 53
-ACCEPT fw net udp 53
-#
-# Accept SSH from internet interface from kaos only
-#
-ACCEPT net:192.0.18.98 fw tcp 22
-#
-# Accept connections from the local network for administration
-#
-ACCEPT loc fw tcp 20:22
-ACCEPT loc net tcp 22
-ACCEPT loc fw tcp 53
-ACCEPT loc fw udp 53
-ACCEPT loc net tcp 53
-ACCEPT loc net udp 53
-#
-# Allow Ping To And From Firewall
-#
-ACCEPT loc fw icmp 8
-ACCEPT loc dmz icmp 8
-ACCEPT loc net icmp 8
-ACCEPT dmz fw icmp 8
-ACCEPT dmz loc icmp 8
-ACCEPT dmz net icmp 8
-DROP net fw icmp 8
-DROP net loc icmp 8
-DROP net dmz icmp 8
-ACCEPT fw loc icmp 8
-ACCEPT fw dmz icmp 8
-DROP fw net icmp 8
-#
-# Accept proxy web connections from the inside
-#
-ACCEPT loc fw tcp 8118
-#
-# Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems
-# From a specific IP Address on the Internet.
-#
-# ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http
-# ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632
-#
-# Intranet web server
-ACCEPT net loc:10.10.1.60 tcp 443
-ACCEPT dmz loc:10.10.1.60 tcp 443
-#
-# Projects web server
-ACCEPT net loc:10.10.1.55 tcp 80
-ACCEPT dmz loc:10.10.1.55 tcp 80
-#
-# Blackberry Server
-ACCEPT net loc:10.10.1.230 tcp 3101
-#
-# Corporate Email Server
-ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443
-#
-# Corporate #2 Email Server
-ACCEPT net loc:10.10.1.8 tcp 25,80,110,443
-#
-# Sims Server
-ACCEPT net loc:10.10.1.56 tcp 80,443
-ACCEPT net loc:10.10.1.56 tcp 7001:7002
-ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632
-#
-# Access to DMZ
-ACCEPT loc dmz udp 53,177
-ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110
-ACCEPT net dmz udp 53
-ACCEPT net dmz tcp 25,53,22,21,123
-ACCEPT dmz net tcp 25,53,80,123,443,21,22
-ACCEPT dmz net udp 53
-#
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-
-
- Start File
-
- ############################################################################
-# Shorewall 1.4 -- /etc/shorewall/start
-#
-# Add commands below that you want to be executed after shorewall has
-# been started or restarted.
-#
-qt service ipsec start
-
-
-
- Stop File
-
- ############################################################################
-# Shorewall 1.4 -- /etc/shorewall/stop
-#
-# Add commands below that you want to be executed at the beginning of a
-# shorewall stop
command.
-#
-qt service ipsec stop
-
-
-
- Init File
-
- ############################################################################
-# Shorewall 1.4 -- /etc/shorewall/init
-#
-# Add commands below that you want to be executed at the beginning of
-# a shorewall start
or shorewall restart
command.
-#
-qt service ipsec stop
-
-
-
\ No newline at end of file
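Review bot: deleting docs/CorpNetwork.xml needs a link check across the rest of docs/ before merge; this patch drops the 'Corporate Network Example' entry from docs/Documentation_Index.xml, but any other page that xrefs CorpNetwork will now dangle. The removal itself is well justified by the file's own content: its caution says it was never updated for Shorewall 3, it targets Shorewall 1.4.5 on RedHat 8.0, and the configuration was internally inconsistent (the summary gives the Blackberry server as 10.10.1.230 while the NAT file maps 192.0.18.97 to 10.10.1.55, the summary's SNAT address is 192.0.18.127 while the masq file uses 192.0.18.126, and the interfaces file lists a 62.123.106.127 broadcast for a 192.0.18.65-127/26 link).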
diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml
index f67cb6200..a757e51d3 100644
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -170,8 +170,7 @@
- Corporate Network
- Example
+ DHCP
Multiple Zones Through One
Interface
@@ -182,7 +181,8 @@
- DHCP
+ ECN Disabling by host or
+ subnet
My Shorewall
Configuration
@@ -192,8 +192,8 @@
- ECN Disabling by host or
- subnet
+ Extension
+ Scripts (User Exits)
Netfilter
Overview
@@ -202,8 +202,8 @@
- Extension
- Scripts (User Exits)
+ Fallback/Uninstall
Network Mapping
@@ -212,8 +212,7 @@
- Fallback/Uninstall
+ FAQs
One-to-one NAT (Static
NAT)
@@ -224,7 +223,8 @@
- FAQs
+ Features
OpenVPN
@@ -233,8 +233,8 @@
- Features
+ Forwarding Traffic on the
+ Same Interface
Operating
Shorewall
@@ -243,8 +243,7 @@
- Forwarding Traffic on the
- Same Interface
+ FTP and Shorewall
Packet
Marking
@@ -254,7 +253,8 @@
- FTP and Shorewall
+ Getting help or answers to
+ questions
Packet Processing in a
Shorewall-based Firewall
@@ -263,8 +263,8 @@
- Getting help or answers to
- questions
+ Installation/Upgrade
+ (Français)
'Ping' Management
@@ -273,8 +273,7 @@
- Installation/Upgrade
- (Français)
+ IPP2P
Port Information
@@ -283,7 +282,7 @@
- IPP2P
+
Port Knocking and Other Uses
of the 'Recent Match'
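Review bot: the final `- IPP2P` / `+` (blank) pair leaves an empty left-column cell at the tail of the index table, which is the expected end of shifting each left-column entry up one row after 'Corporate Network Example' was removed in the first hunk (@@ -170,8 +170,7 @@); confirm the rendered table still has a cell per row, since the element tags are not visible in this diff and a missing or extra cell would break the two-column layout.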
diff --git a/docs/Introduction.xml b/docs/Introduction.xml
index aeeba6339..82bc69211 100644
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -32,8 +32,8 @@
-
- Introduction
+
+ Introduction
The information in this document applies only to 4.x releases of
Shorewall.
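Review bot: the `-`/`+` pairs wrapping 'Introduction' (and, later in this file, 'What is Shorewall?' and 'Shorewall Packages', plus the single-line pairs in ReleaseModel.xml, ping.xml and survey-200603.xml) carry no visible text, so the change is in the element markup rather than the prose and cannot be reviewed from this rendering; if it renames section id attributes, any xref or link in other docs that targets the old ids needs the same update in this patch, and the commit message should state what the markup change is.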
@@ -64,7 +64,7 @@
-
+
What is Shorewall?
The Shoreline Firewall, more commonly known as
@@ -305,8 +305,8 @@ ACCEPT net $FW tcp 22
-
- Shorewall Packages
+
+ Shorewall Packages
Shorewall 4.0 consists of four packages.
diff --git a/docs/ReleaseModel.xml b/docs/ReleaseModel.xml
index 97b0794dc..41ed9dba4 100644
--- a/docs/ReleaseModel.xml
+++ b/docs/ReleaseModel.xml
@@ -128,8 +128,8 @@
The currently-supported major releases are 3.2.x and 3.4.x.
-
- Old Release Model
+
+ Old Release Model
This release model described above was adopted on 2004-07-03 and
modified 2004-07-21. Prior to 2004-07-03, a different release model was
diff --git a/docs/ping.xml b/docs/ping.xml
index 64ba24ffa..eb7ed4ca0 100644
--- a/docs/ping.xml
+++ b/docs/ping.xml
@@ -58,7 +58,7 @@
#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/ACCEPT z1 z2
-
+
Ping from local zone to firewall
To permit ping from the local zone to the firewall:
@@ -82,7 +82,7 @@ Ping/ACCEPT loc $FW
#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/DROP z1 z2
-
+
Silently drop pings from the Internet
To drop ping from the internet, you would need this rule in
diff --git a/docs/survey-200603.xml b/docs/survey-200603.xml
index 046d2d973..a89406d0f 100644
--- a/docs/survey-200603.xml
+++ b/docs/survey-200603.xml
@@ -57,8 +57,8 @@
have a survey module, but when i last looked at them, they were more
limited and harder to use than Zoomerang.
-
- Survey and results links
+
+ Survey and results links
The survey is still open as of this writing, and can be accessed
at the