| ZONE | +DISPLAY | +COMMENTS | +
| net | +Net | +Internet | +
| loc | +Local | +Local networks | +
| dmz | +DMZ | +Demilitarized zone | +
You may add, delete and modify entries in the /etc/shorewall/zones file - as desired so long as you have at least one zone defined.
+ +You may add, delete and modify entries in the /etc/shorewall/zones file + as desired so long as you have at least one zone defined.
- +Warning 1: If you rename or delete a zone, you should perform "shorewall - stop; shorewall start" to install the change rather than "shorewall - restart".
- + color="#ff0000"> If you rename or delete a zone, you should perform "shorewall + stop; shorewall start" to install the change rather than "shorewall + restart". +Warning 2: The order of entries in the /etc/shorewall/zones file is - significant in some cases.
+ color="#ff0000">The order of entries in the /etc/shorewall/zones file is + significant in some cases. - +/etc/shorewall/interfaces
- -This file is used to tell the firewall which of your firewall's network - interfaces are connected to which zone. There will be one entry - in /etc/shorewall/interfaces for each of your interfaces. Columns - in an entry are:
- + +This file is used to tell the firewall which of your firewall's network + interfaces are connected to which zone. There will be one entry + in /etc/shorewall/interfaces for each of your interfaces. Columns + in an entry are:
+-
-
- ZONE - A zone defined in the /etc/shorewall/zones file or "-". If you - specify "-", you must use the /etc/shorewall/hosts - file to define the zones accessed via this interface. -
- INTERFACE - the name of the interface - (examples: eth0, ppp0, ipsec+). Each interface can be listed on only - one record in this file. DO NOT INCLUDE - THE LOOPBACK INTERFACE (lo) IN THIS FILE!!! -
- BROADCAST - the broadcast address(es) - for the sub-network(s) attached to the interface. This should - be left empty for P-T-P interfaces (ppp*, ippp*); if you need to - specify options for such an interface, enter "-" in this column. - If you supply the special value "detect" in this column, the firewall - will automatically determine the broadcast address. In order to -use "detect": - +
- ZONE - A zone defined in the /etc/shorewall/zones file or "-". If you + specify "-", you must use the /etc/shorewall/hosts + file to define the zones accessed via this interface. +
- INTERFACE - the name of the interface + (examples: eth0, ppp0, ipsec+). Each interface can be listed on + only one record in this file. DO NOT + INCLUDE THE LOOPBACK INTERFACE (lo) IN THIS FILE!!! +
- BROADCAST - the broadcast address(es)
+ for the sub-network(s) attached to the interface. This should
+ be left empty for P-T-P interfaces (ppp*, ippp*); if you need
+ to specify options for such an interface, enter "-" in this column.
+ If you supply the special value "detect" in this column, the firewall
+ will automatically determine the broadcast address. In order
+to use "detect":
+
-
-
- you must have iproute installed -
- the interface must be up before you start your - firewall -
- the interface must only be attached to a -single sub-network (i.e., there must have a single broadcast address). - +
- you must have iproute installed +
- the interface must be up before you start +your firewall +
- the interface must only be attached to + a single sub-network (i.e., there must have a single broadcast +address). - +
- - OPTIONS - a comma-separated list of -options. Possible options include: + +
- OPTIONS - a comma-separated list
+of options. Possible options include:
-
-
tcpflags (added in version 1.3.11) - This option causes Shorewall -to make sanity checks on the header flags in TCP packets arriving on this -interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; these -flag combinations are typically used for "silent" port scans. Packets failing -these checks are logged according to the TCP_FLAGS_LOG_LEVEL option in /etc/shorewall/shorewall.conf and are disposed of according - to the TCP_FLAGS_DISPOSITION option.
+
-
- blacklist - This option causes incoming packets on this - interface to be checked against the tcpflags (added in version 1.3.11) - This option causes +Shorewall to make sanity checks on the header flags in TCP packets arriving +on this interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; +these flag combinations are typically used for "silent" port scans. Packets + failing these checks are logged according to the TCP_FLAGS_LOG_LEVEL option + in /etc/shorewall/shorewall.conf and are disposed of +according to the TCP_FLAGS_DISPOSITION option.
+
+ blacklist - This option causes incoming packets on this + interface to be checked against the blacklist.
-
- dhcp - The interface is assigned an IP address -via DHCP or is used by a DHCP server running on the firewall. -The firewall will be configured to allow DHCP traffic to and -from the interface even when the firewall is stopped. You may -also wish to use this option if you have a static IP but you are -on a LAN segment that has a lot of Laptops that use DHCP and you select -the norfc1918 option (see below).
+ dhcp - The interface is assigned an IP address + via DHCP or is used by a DHCP server running on the firewall. + The firewall will be configured to allow DHCP traffic to and + from the interface even when the firewall is stopped. You +may also wish to use this option if you have a static IP but you +are on a LAN segment that has a lot of Laptops that use DHCP and you + select the norfc1918 option (see below). - -noping - This option is deprecated and is not available -when OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf. ICMP echo-request -(ping) packets addressed to the firewall will be ignored by this - interface.
+ +
-
- filterping - This option is deprecated and -is not available when OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf. -ICMP echo-request (ping) packets addressed to the firewall will -be handled according to the /etc/shorewall/rules and /etc/shorewall/policy -file. If the applicable policy is DROP or REJECT and you have supplied -your own /etc/shorewall/icmpdef file then these 'ping' requests -will be passed through the rules in that file before being dropped or - rejected. If neither noping nor filterping - is specified then the firewall will automatically ACCEPT these -'ping' requests. If both noping and filterping - are specified, filterping takes precedence.noping - This option is deprecated and is not available + when OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf. ICMP echo-request + (ping) packets addressed to the firewall will be ignored by this + interface.
- -
+
+ filterping - This option is deprecated + and is not available when OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf. + ICMP echo-request (ping) packets addressed to the firewall will + be handled according to the /etc/shorewall/rules and /etc/shorewall/policy + file. If the applicable policy is DROP or REJECT and you have supplied + your own /etc/shorewall/icmpdef file then these 'ping' requests + will be passed through the rules in that file before being dropped +or rejected. If neither noping nor filterping + is specified then the firewall will automatically ACCEPT these 'ping' + requests. If both noping and filterping are +specified, filterping takes precedence.routestopped - Beginning with Shorewall 1.3.4, this option - is deprecated in favor of the /etc/shorewall/routestopped - file. When the firewall is stopped, traffic to and from this - interface will be accepted and routing will occur between this - interface and other routestopped interfaces.
+ +routestopped - Beginning with Shorewall 1.3.4, this option + is deprecated in favor of the /etc/shorewall/routestopped + file. When the firewall is stopped, traffic to and from this + interface will be accepted and routing will occur between this + interface and other routestopped interfaces.
- -norfc1918 - Packets arriving on this interface and that - have a source address that is reserved in RFC 1918 or in other - RFCs will be dropped after being optionally logged. If packet mangling is enabled in /etc/shorewall/shorewall.conf - , then packets arriving on this interface that have a destination - address that is reserved by one of these RFCs will also be logged - and dropped.
-
- Addresses blocked by the standard rfc1918 file include those - addresses reserved by RFC1918 plus other ranges reserved by the + +norfc1918 - Packets arriving on this interface and that + have a source address that is reserved in RFC 1918 or in other + RFCs will be dropped after being optionally logged. If packet mangling is enabled in /etc/shorewall/shorewall.conf + , then packets arriving on this interface that have a destination + address that is reserved by one of these RFCs will also be logged + and dropped.
- -
+
+ Addresses blocked by the standard rfc1918 file include those + addresses reserved by RFC1918 plus other ranges reserved by the IANA or by other RFCs.Beware that as IPv4 addresses become in increasingly short supply, - ISPs are beginning to use RFC 1918 addresses within their own - infrastructure. Also, many cable and DSL "modems" have an RFC -1918 address that can be used through a web browser for management -and monitoring functions. If you want to specify norfc1918 -on your external interface but need to allow access to certain addresses - from the above list, see FAQ 14.
+ +Beware that as IPv4 addresses become in increasingly short supply, + ISPs are beginning to use RFC 1918 addresses within their own + infrastructure. Also, many cable and DSL "modems" have an RFC + 1918 address that can be used through a web browser for management + and monitoring functions. If you want to specify norfc1918 + on your external interface but need to allow access to certain addresses + from the above list, see FAQ 14.
- -routefilter - Invoke the Kernel's route filtering - (anti-spoofing) facility on this interface. The kernel will - reject any packets incoming on this interface that have a source - address that would be routed outbound through another interface - on the firewall. Warning: If - you specify this option for an interface then the interface must + +
routefilter - Invoke the Kernel's route filtering + (anti-spoofing) facility on this interface. The kernel will + reject any packets incoming on this interface that have a source + address that would be routed outbound through another interface + on the firewall. Warning: If + you specify this option for an interface then the interface must be up prior to starting the firewall.
- -multi - The interface has multiple addresses and - you want to be able to route between them. Example: you -have two addresses on your single local interface eth1, one -each in subnets 192.168.1.0/24 and 192.168.2.0/24 and you want to - route between these subnets. Because you only have one interface -in the local zone, Shorewall won't normally create a rule to forward -packets from eth1 to eth1. Adding "multi" to the entry for eth1 -will cause Shorewall to create the loc2loc chain and the appropriate -forwarding rule.
+ +multi - The interface has multiple addresses and + you want to be able to route between them. Example: you +have two addresses on your single local interface eth1, one +each in subnets 192.168.1.0/24 and 192.168.2.0/24 and you want to + route between these subnets. Because you only have one interface +in the local zone, Shorewall won't normally create a rule to forward + packets from eth1 to eth1. Adding "multi" to the entry for eth1 + will cause Shorewall to create the loc2loc chain and the appropriate + forwarding rule.
- -dropunclean - Packets from this interface that - are selected by the 'unclean' match target in iptables will - be optionally logged and then dropped. - Warning: This feature + + +
- -dropunclean - Packets from this interface that + are selected by the 'unclean' match target in iptables will + be optionally logged and then dropped. + Warning: This feature requires that UNCLEAN match support be configured in your - kernel, either in the kernel itself or as a module. UNCLEAN - support is broken in some versions of the kernel but - appears to work ok in 2.4.17-rc1.
+ kernel, either in the kernel itself or as a module. UNCLEAN + support is broken in some versions of the kernel but + appears to work ok in 2.4.17-rc1.
-
- Update 12/17/2001: The - unclean match patch from 2.4.17-rc1 is available - for download. I am currently running this - patch applied to kernel 2.4.16.
+
+ Update 12/17/2001: The + unclean match patch from 2.4.17-rc1 is available + for download. I am currently running +this patch applied to kernel 2.4.16.Update 12/20/2001: I've - seen a number of tcp connection requests with - OPT (020405B40000080A...) being dropped - in the badpkt chain. This appears to be - a bug in the remote TCP stack whereby it is 8-byte aligning - a timestamp (TCP option 8) but rather than padding with 0x01 - it is padding with 0x00. It's a tough call whether to - deny people access to your servers because of this rather - minor bug in their networking software. If you wish - to disable the check that causes these connections - to be dropped, here's - a kernel patch against 2.4.17-rc2.
- -logunclean - This option works like dropunclean - with the exception that packets selected by -the 'unclean' match target in iptables are logged - but not dropped. The level at which - the packets are logged is determined by the setting - of LOGUNCLEAN and if - LOGUNCLEAN has not been set, "info" is assumed.
+ +Update 12/20/2001: I've + seen a number of tcp connection requests +with OPT (020405B40000080A...) being +dropped in the badpkt chain. This appears to be + a bug in the remote TCP stack whereby it is 8-byte aligning + a timestamp (TCP option 8) but rather than padding with +0x01 it is padding with 0x00. It's a tough call whether +to deny people access to your servers because of this + rather minor bug in their networking software. +If you wish to disable the check that causes these +connections to be dropped, here's + a kernel patch against 2.4.17-rc2.
- -proxyarp (Added in version 1.3.5) - This option - causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp - and is used when implementing Proxy ARP Sub-netting - as described at - http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. Do - not set this option if you are implementing Proxy ARP - through entries in - /etc/shorewall/proxyarp.
-
-
- maclist (Added in version 1.3.10) - If this option - is specified, all connection requests from this interface are subject - to MAC Verification. May only be -specified for ethernet interfaces.
-
+
+
+
logunclean - This option works like dropunclean + with the exception that packets selected +by the 'unclean' match target in iptables are +logged but not dropped. The level +at which the packets are logged is determined by + the setting of LOGUNCLEAN and if + LOGUNCLEAN has not been set, "info" is assumed.
+ + + +proxyarp (Added in version 1.3.5) - This option
+ causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp
+ and is used when implementing Proxy ARP Sub-netting
+ as described at
+ http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. Do
+ not set this option if you are implementing Proxy ARP
+ through entries in
+ /etc/shorewall/proxyarp.
+
+ maclist (Added in version 1.3.10) - If this
+option is specified, all connection requests from this interface are
+subject to MAC Verification. May
+only be specified for ethernet interfaces.
My recommendations concerning options:
-
-
-
- External Interface -- tcpflags,blacklist,norfc1918,routefilter -
- Internal Interface -- routestopped -
- Wireless Interface -- maclist,routefilter,tcpflags
-
- - Don't use dropunclean -- It's broken in my opinion -
- Use logunclean only when you are trying to debug -a problem -
- Use dhcp,multi and proxyarp when needed.
-
-
+ - External Interface -- tcpflags,blacklist,norfc1918,routefilter +
- Internal Interface -- routestopped +
- Wireless Interface -- maclist,routefilter,tcpflags
+
+ - Don't use dropunclean -- It's broken in my opinion +
- Use logunclean only when you are trying to debug + a problem +
- Use dhcp,multi and proxyarp when
+needed.
+
+
- -
Example 1: You have a conventional firewall setup in which eth0 connects - to a Cable or DSL modem and eth1 connects to your local network - and eth0 gets its IP address via DHCP. You want to check all packets - entering from the internet against the black list. Your /etc/shorewall/interfaces file - would be as follows:
+ +Example 1: You have a conventional firewall setup in which eth0 connects + to a Cable or DSL modem and eth1 connects to your local network + and eth0 gets its IP address via DHCP. You want to check all packets + entering from the internet against the black list. Your /etc/shorewall/interfaces file + would be as follows:
- + ++ ++ + ++ +
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +net +eth0 +detect +dhcp,norfc1918,blacklist ++ + + + + + +loc +eth1 +detect ++
+
Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces + file would be:
+ +- ++ - -- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -net -eth0 -detect -dhcp,norfc1918,blacklist -- + +loc -eth1 -detect --
-+ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ - - - + + + +net +ppp0 + ++
++
+
Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces - file would be:
+ +Example 3: You have local interface eth1 with two IP + addresses - 192.168.1.1/24 and 192.168.12.1/24
- -- + +- -++- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- +net -ppp0 ++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +loc +eth1 --
--
-192.168.1.255,192.168.12.255 ++ - - - + + +
+
Example 3: You have local interface eth1 with two IP - addresses - 192.168.1.1/24 and 192.168.12.1/24
+ +/etc/shorewall/hosts + Configuration
- -- -- - -- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- + +loc -eth1 + +For most applications, specifying zones entirely in terms of network + interfaces is sufficient. There may be times though where you need to define +a zone to be a more general collection of hosts. This is the purpose of +the /etc/shorewall/hosts file.
-192.168.1.255,192.168.12.255 --
-WARNING: 90% of +Shorewall users don't need to put entries in this file and + 80% of those who try to add such entries do it wrong. + Unless you are ABSOLUTELY SURE that you need entries in + this file, don't touch it.
- - - -
/etc/shorewall/hosts - Configuration
- - -For most applications, specifying zones entirely in terms of network - interfaces is sufficient. There may be times though where you need to -define a zone to be a more general collection of hosts. This is the purpose -of the /etc/shorewall/hosts file.
- - -WARNING: 90% of - Shorewall users don't need to put entries in this file and - 80% of those who try to add such entries do it wrong. - Unless you are ABSOLUTELY SURE that you need entries in - this file, don't touch it.
- - +Columns in this file are:
- +-
-
- ZONE - A zone defined in the ZONE - A zone defined in the /etc/shorewall/zones file. -
- HOST(S) - The name of a network interface - followed by a colon (":") followed by either: - -
- - -- - -- -
- - - -- An IP address (example - eth1:192.168.1.3)
- -- A subnet in CIDR notation - (example - eth2:192.168.2.0/24)
- - - -The interface name much match an entry in /etc/shorewall/interfaces.
-
-
-
- OPTIONS - A comma-separated list of -options. - +
- HOST(S) - The name of a network +interface followed by a colon (":") followed by either: +
- - -- - -routestopped - Beginning with Shorewall - 1.3.4, this option is deprecated in favor of the - /etc/shorewall/routestopped - file. When the firewall is stopped, traffic to and from - this host (these hosts) will be accepted and routing will - occur between this host and other routestopped interfaces - and hosts.
-
-
- maclist - Added in version 1.3.10. If specified, -connection requests from the hosts specified in this entry are subject -to MAC Verification. This option is only -valid for ethernet interfaces.
-
If you don't define any hosts for a zone, the hosts in the zone default - to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the - interfaces to the zone.
- - -Note 1: You probably -DON'T want to specify any hosts for your internet zone since the hosts -that you specify will be the only ones that you will be able to access -without adding additional rules.
- - -Note 2: - The setting of the MERGE_HOSTS variable - in /etc/shorewall/shorewall.conf - has an important effect on how the host - file is processed. Please read the description - of that variable carefully.
- - -Example:
- - -Your local interface is eth1 and you have two groups of local hosts that - you want to make into separate zones:
- - --
-
- 192.168.1.0/25 -
- 192.168.1.128/25 - -
Your /etc/shorewall/interfaces file might look like:
- - -- -+- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -net -eth0 -detect -dhcp,norfc1918 -- - - - - +- -eth1 -detect --
--
-
-
-
- An IP address (example - eth1:192.168.1.3) - -
- A subnet in CIDR notation + (example - eth2:192.168.2.0/24) + + - - + + +
- OPTIONS - A comma-separated list +of options. + +
- ACCEPT - The connection is allowed. -
- DROP - The connection request is ignored. -
- REJECT - The connection request is -rejected with an RST (TCP) or an ICMP destination-unreachable - packet being returned to the client. -
- CONTINUE - The connection is neither - ACCEPTed, DROPped nor REJECTed. CONTINUE may be used when one - or both of the zones named in the entry are sub-zones of or -intersect with another zone. For more information, see below. - - -
- SOURCE - -The name of a client zone (a zone defined in the /etc/shorewall/zones file , the name of the firewall zone or "all"). + +
- DEST - The - name of a destination zone (a zone defined in the /etc/shorewall/zones file , the name of the firewall zone or "all"). Shorewall automatically - allows all traffic from the firewall to itself so the name - of the firewall zone cannot appear in both the SOURCE and DEST columns. + +
- POLICY - -The default policy for connection requests from the SOURCE -zone to the DESTINATION zone. - -
- LOG LEVEL - - Optional. If left empty, no log message is generated when - the policy is applied. Otherwise, this column should contain an -integer or name indicating a syslog level. - -
- LIMIT:BURST - - Optional. If left empty, TCP connection requests from the SOURCE - zone to the DEST zone will not be rate-limited. Otherwise, - this column specifies the maximum rate at which TCP connection -requests will be accepted followed by a colon (":") followed by the -maximum burst size that will be tolerated. Example: 10/sec:40 -specifies that the maximum rate of TCP connection requests allowed -will be 10 per second and a burst of 40 connections will be tolerated. - Connection requests in excess of these limits will be dropped. - - -
- All connection requests from the local network - to hosts on the internet are accepted. -
- All connection requests originating from the -internet are ignored and logged at level KERNEL.INFO. -
- All other connection requests are rejected and - logged. - +
- 192.168.1.0/25 +
- 192.168.1.128/25 +
- ACCEPT - The connection is allowed. +
- DROP - The connection request is +ignored. +
- REJECT - The connection request +is rejected with an RST (TCP) or an ICMP destination-unreachable + packet being returned to the client. +
- CONTINUE - The connection is neither + ACCEPTed, DROPped nor REJECTed. CONTINUE may be used when +one or both of the zones named in the entry are sub-zones +of or intersect with another zone. For more information, see + below. + +
- SOURCE + - The name of a client zone (a zone defined in the /etc/shorewall/zones file , the name of the firewall zone or "all"). + +
- DEST +- The name of a destination zone (a zone defined in the /etc/shorewall/zones file , the name of the firewall zone or "all"). Shorewall automatically + allows all traffic from the firewall to itself so the name of the firewall zone cannot appear in both the + SOURCE and DEST columns. + +
- POLICY + - The default policy for connection requests from the SOURCE + zone to the DESTINATION zone. + +
- LOG LEVEL + - Optional. If left empty, no log message is generated when + the policy is applied. Otherwise, this column should contain an integer + or name indicating a syslog +level. + +
- LIMIT:BURST + - Optional. If left empty, TCP connection requests +from the SOURCE zone to the DEST zone will + not be rate-limited. Otherwise, this column specifies the maximum + rate at which TCP connection requests will be accepted followed +by a colon (":") followed by the maximum burst size that will be +tolerated. Example: 10/sec:40 specifies that the maximum +rate of TCP connection requests allowed will be 10 per second and +a burst of 40 connections will be tolerated. Connection requests +in excess of these limits will be dropped. + + +
- All connection requests from the local network + to hosts on the internet are accepted. +
- All connection requests originating from the + internet are ignored and logged at level KERNEL.INFO. +
- All other connection requests are rejected +and logged. + +
- ACTION
-
-
-
-
- ACCEPT, DROP or REJECT. These have the same -meaning here as in the policy file above. -
- DNAT -- Causes the connection request to be -forwarded to the system specified in the DEST column (port -forwarding). "DNAT" stands for "Destination Network - Address Translation" -
- DNAT- -- The above ACTION (DNAT) generates two iptables
-rules: 1) and header-rewriting rule in the Netfilter 'nat' table and; 2)
-an ACCEPT rule in the Netfilter 'filter' table. DNAT- works like DNAT but
-only generates the header-rewriting rule.
-
- - REDIRECT -- Causes the connection request to - be redirected to a port on the local (firewall) system. - - -
The ACTION may optionally be followed by ":" and a syslog level (example: REJECT:info). -This causes the packet to be logged at the specified level prior -to being processed according to the specified ACTION.
-
-
- The use of DNAT or REDIRECT requires that you have - NAT enabled.
-
- - SOURCE - Describes the source hosts to which
- the rule applies.. The contents of this field must begin with
- the name of a zone defined in /etc/shorewall/zones, $FW or "all".
-If the ACTION is DNAT or REDIRECT, sub-zones may be excluded from
-the rule by following the initial zone name with "!' and a comma-separated
- list of those sub-zones to be excluded. There is an example above.
-
- If the source is not 'all' then the source may be -further restricted by adding a colon (":") followed by a comma-separated - list of qualifiers. Qualifiers are may include: - - --
-
- An interface name - refers to any connection - requests arriving on the specified interface (example -loc:eth4). Beginning with Shorwall 1.3.9, the interface name may optionally -be followed by a colon (":") and an IP address or subnet (examples: loc:eth4:192.168.4.22, - net:eth0:192.0.2.0/24). -
- An IP address - refers to a connection request - from the host with the specified address (example net:155.186.235.151). - If the ACTION is DNAT, this must not be a DNS name. -
- A MAC Address in Shorewall format. -
- A subnet - refers to a connection request from - any host in the specified subnet (example net:155.186.235.0/24). - - -
- - DEST - Describes the destination host(s)
- to which the rule applies. May take any of the forms described
- above for SOURCE plus the following two additional forms:
-
-
-
-
-
- An IP address followed by a colon and the port
- number that the server is listening on
-(service names from /etc/services are not allowed - example
-loc:192.168.1.3:80).
-
- - A single port number (again, service names
-are not allowed) -- this form is only allowed if the ACTION
-is REDIRECT and refers to a server running on the firewall itself
-and listening on the specified port.
-
-
-
-
- - An IP address followed by a colon and the port
- number that the server is listening on
-(service names from /etc/services are not allowed - example
-loc:192.168.1.3:80).
- PROTO - Protocol. Must be a protocol - name from /etc/protocols, a number, "all" or "related". Specifies - the protocol of the connection request. "related" should be - specified only if you have given ALLOWRELATED="no" in /etc/shorewall/shorewall.conf - and you wish to override that setting for related connections - originating with the client(s) and server(s) specified in -this rule. When "related" is given for the protocol, the remainder - of the columns should be left blank. -
- DEST PORT(S) - Port or port range - (<low port>:<high port>) being connected to. May only - be specified if the protocol is tcp, udp or icmp. For icmp, - this column's contents are interpreted as an icmp type. If you - don't want to specify DEST PORT(S) but need to include information - in one of the columns to the right, enter "-" in this column. -You may give a list of ports and/or port ranges separated by commas. -Port numbers may be either integers or service names from /etc/services. -
- SOURCE PORTS(S) - May be used - to restrict the rule to a particular client port or port range - (a port range is specified as <low port number>:<high port - number>). If you don't want to restrict client ports but want -to specify something in the next column, enter "-" in this column. If - you wish to specify a list of port number or ranges, separate the - list elements with commas (with no embedded white space). Port numbers - may be either integers or service names from /etc/services. -
- ORIGINAL DEST - This column may only be
- non-empty if the ACTION is DNAT or REDIRECT.
-
- If DNAT or REDIRECT is the ACTION and the ORIGINAL - DEST column is left empty, any connection request arriving at -the firewall from the SOURCE that matches the rule will be forwarded - or redirected. This works fine for connection requests arriving - from the internet where the firewall has only a single external - IP address. When the firewall has multiple external IP addresses or - when the SOURCE is other than the internet, there will usually be - a desire for the rule to only apply to those connection requests - directed to a particular IP address (see Example 2 below for another - usage). That IP address (or a comma-separated list of such addresses) - is specified in the ORIGINAL DEST column.
-
- The IP address may be optionally followed by ":" -and a second IP address. This latter address, if present, is used -as the source address for packets forwarded to the server (This -is called "Source NAT" or SNAT).
-
- Note: When using SNAT, it is a good idea to -qualify the source with an IP address or subnet. Otherwise, it is likely -that SNAT will occur on connections other than those described in the -rule. The reason for this is that SNAT occurs in the Netfilter POSTROUTING -hook where it is not possible to restrict the scope of a rule by incoming -interface.
-
- Example: DNAT loc:192.168.1.0/24 - loc:192.168.1.3 tcp www - 206.124.146.179:192.168.1.3
-
- If SNAT is not used (no ":" and second -IP address), the original source address is used. If you want -any destination address to match the rule but want to specify -SNAT, simply use a colon followed by the SNAT address.
-
- - ACTION
+
+
+
-
+
- ACCEPT, DROP or REJECT. These have the same + meaning here as in the policy file above. +
- DNAT -- Causes the connection request to +be forwarded to the system specified in the DEST column (port + forwarding). "DNAT" stands for "Destination Network + Address Translation" +
- DNAT- -- The above ACTION (DNAT) generates two iptables
+ rules: 1) and header-rewriting rule in the Netfilter 'nat' table and;
+ 2) an ACCEPT rule in the Netfilter 'filter' table. DNAT- works like DNAT
+ but only generates the header-rewriting rule.
+
+ - REDIRECT -- Causes the connection request + to be redirected to a port on the local (firewall) system. + + +
The ACTION may optionally be followed by ":" and a syslog level (example: REJECT:info). This +causes the packet to be logged at the specified level prior to being +processed according to the specified ACTION.
+
+
+ The use of DNAT or REDIRECT requires that you +have NAT enabled.
+
+ - SOURCE - Describes the source hosts to
+ which the rule applies.. The contents of this field must begin
+ with the name of a zone defined in /etc/shorewall/zones, $FW
+ or "all". If the ACTION is DNAT or REDIRECT, sub-zones may be
+excluded from the rule by following the initial zone name with
+ "!' and a comma-separated list of those sub-zones to be excluded.
+There is an example above.
+
+ If the source is not 'all' then the source may +be further restricted by adding a colon (":") followed by a +comma-separated list of qualifiers. Qualifiers are may include: + + +-
+
- An interface name - refers to any connection + requests arriving on the specified interface (example +loc:eth4). Beginning with Shorwall 1.3.9, the interface name may optionally +be followed by a colon (":") and an IP address or subnet (examples: loc:eth4:192.168.4.22, + net:eth0:192.0.2.0/24). +
- An IP address - refers to a connection request + from the host with the specified address (example net:155.186.235.151). + If the ACTION is DNAT, this must not be a DNS name. +
- A MAC Address in Shorewall + format. +
- A subnet - refers to a connection request + from any host in the specified subnet (example net:155.186.235.0/24). + + +
+ - DEST - Describes the destination host(s)
+ to which the rule applies. May take any of the forms described
+ above for SOURCE plus the following two additional forms:
+
+
+
-
+
- An IP address followed by a colon and the
+ port number that the server is listening
+ on (service names from /etc/services are not allowed
+- example loc:192.168.1.3:80).
+
+ - A single port number (again, service names
+ are not allowed) -- this form is only allowed if the ACTION
+ is REDIRECT and refers to a server running on the firewall itself
+and listening on the specified port.
+
+
+
+
+ - An IP address followed by a colon and the
+ port number that the server is listening
+ on (service names from /etc/services are not allowed
+- example loc:192.168.1.3:80).
- PROTO - Protocol. Must be a protocol + name from /etc/protocols, a number, "all" or "related". Specifies + the protocol of the connection request. "related" should +be specified only if you have given ALLOWRELATED="no" in /etc/shorewall/shorewall.conf + and you wish to override that setting for related connections + originating with the client(s) and server(s) specified in +this rule. When "related" is given for the protocol, the remainder + of the columns should be left blank. +
- DEST PORT(S) - Port or port range + (<low port>:<high port>) being connected to. May only + be specified if the protocol is tcp, udp or icmp. For icmp, + this column's contents are interpreted as an icmp type. If you + don't want to specify DEST PORT(S) but need to include information + in one of the columns to the right, enter "-" in this column. +You may give a list of ports and/or port ranges separated by commas. +Port numbers may be either integers or service names from /etc/services. +
- SOURCE PORTS(S) - May be +used to restrict the rule to a particular client port or port +range (a port range is specified as <low port number>:<high + port number>). If you don't want to restrict client ports but + want to specify something in the next column, enter "-" in this column. + If you wish to specify a list of port number or ranges, separate + the list elements with commas (with no embedded white space). Port + numbers may be either integers or service names from /etc/services. +
- ORIGINAL DEST - This column may only
+ be non-empty if the ACTION is DNAT or REDIRECT.
+
+ If DNAT or REDIRECT is the ACTION and the ORIGINAL + DEST column is left empty, any connection request arriving at + the firewall from the SOURCE that matches the rule will be forwarded + or redirected. This works fine for connection requests arriving + from the internet where the firewall has only a single external + IP address. When the firewall has multiple external IP addresses or + when the SOURCE is other than the internet, there will usually be + a desire for the rule to only apply to those connection requests + directed to a particular IP address (see Example 2 below for another + usage). That IP address (or a comma-separated list of such addresses) + is specified in the ORIGINAL DEST column.
+
+ The IP address may be optionally followed by ":" + and a second IP address. This latter address, if present, is used + as the source address for packets forwarded to the server (This + is called "Source NAT" or SNAT).
+
+ Note: When using SNAT, it is a good idea to qualify +the source with an IP address or subnet. Otherwise, it is likely that +SNAT will occur on connections other than those described in the rule. +The reason for this is that SNAT occurs in the Netfilter POSTROUTING hook +where it is not possible to restrict the scope of a rule by incoming interface. +
+
+ Example: DNAT loc:192.168.1.0/24 + loc:192.168.1.3 tcp www - 206.124.146.179:192.168.1.3
+
+ If SNAT is not used (no ":" and second + IP address), the original source address is used. If you want + any destination address to match the rule but want to specify + SNAT, simply use a colon followed by the SNAT address.
+
+ - INTERFACE - The interface that will -masquerade the subnet; this is normally your internet interface. -This interface name can be optionally qualified by adding ":" -and a subnet or host IP. When this qualification is added, only -packets addressed to that host or subnet will be masqueraded. -
- SUBNET - The subnet that you want to
- have masqueraded through the INTERFACE. This may be expressed
- as a single IP address, a subnet or an interface name. In the
-latter instance, the interface must be configured and started before
-Shorewall is started as Shorewall will determine the subnet based
-on information obtained from the 'ip' utility.
-
- The subnet may be optionally followed by "!' -and a comma-separated list of addresses and/or subnets that are -to be excluded from masquerading.
- - ADDRESS - The source address to be used - for outgoing packets. This column is optional and if left blank, - the current primary IP address of the interface in the first -column is used. If you have a static IP on that interface, listing -it here makes processing of output packets a little less expensive -for the firewall. If you specify an address in this column, it must be an -IP address configured on the INTERFACE or you must have ADD_SNAT_ALIASES -enabled in /etc/shorewall/shorewall.conf. - -
- INTERFACE - The interface that will + masquerade the subnet; this is normally your internet interface. + This interface name can be optionally qualified by adding +":" and a subnet or host IP. When this qualification is added, +only packets addressed to that host or subnet will be masqueraded. +Beginning with Shorewall version 1.3.14, if you have set ADD_SNAT_ALIASES=Yes +in /etc/shorewall/shorewall.conf, you can cause Shorewall +to create an alias label of the form interfacename:digit (e.g., +eth0:0) by placing that label in this column. See example 5 below. Alias labels +created in this way allow the alias to be visible to the ipconfig utility. + THAT IS THE ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT +APPEAR ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION. +
- SUBNET - The subnet that you want
+ to have masqueraded through the INTERFACE. This may be expressed
+ as a single IP address, a subnet or an interface name. In the
+latter instance, the interface must be configured and started before
+Shorewall is started as Shorewall will determine the subnet based
+on information obtained from the 'ip' utility. When using Shorewall 1.3.13 or earlier, when an interface
+ name is specified, Shorewall will only masquerade traffic from the first
+subnetwork on the named interface; if the interface interfaces to more that
+one subnetwork, you will need to add additional entries to this file for
+each of those other subnetworks. Beginning with Shorewall 1.3.14, shorewall
+will masquerade/SNAT traffic from any host that is routed through the named
+interface.
+
+ The subnet may be optionally followed by "!' + and a comma-separated list of addresses and/or subnets that +are to be excluded from masquerading.
+ - ADDRESS - The source address to be +used for outgoing packets. This column is optional and if left +blank, the current primary IP address of the interface in the +first column is used. If you have a static IP on that interface, +listing it here makes processing of output packets a little less +expensive for the firewall. If you specify an address in this column, it +must be an IP address configured on the INTERFACE or you must have ADD_SNAT_ALIASES + enabled in /etc/shorewall/shorewall.conf. + +
- ADDRESS - address of the system. -
- INTERFACE - the interface that connects - to the system. If the interface is obvious from the subnetting, - you may enter "-" in this column. -
- EXTERNAL - the external interface that - you want to honor ARP requests for the ADDRESS specified in - the first column. -
- HAVEROUTE - If - you already have - a route through - INTERFACE to - ADDRESS, this - column should - contain - "Yes" - or - "yes". - If you want - Shorewall to add - the route, - the column - should - contain - "No" - or "no". - -
- eth0 - 155.186.235.1 (internet connection) -
- eth1 - 192.168.9.0/24 (masqueraded local systems) -
- eth2 - 192.168.10.1 (interface to your DMZ) - -
- ADDRESS - address of the system. +
- INTERFACE - the interface that connects + to the system. If the interface is obvious from the subnetting, + you may enter "-" in this column. +
- EXTERNAL - the external interface + that you want to honor ARP requests for the ADDRESS specified + in the first column. +
- HAVEROUTE - If + you already have + a route through + INTERFACE to + ADDRESS, this + column +should + contain + "Yes" +or "yes". + If you want + Shorewall +to add the +route, the + column should + contain + "No" + or + "no". + +
- eth0 - 155.186.235.1 (internet connection) +
- eth1 - 192.168.9.0/24 (masqueraded local systems) +
- eth2 - 192.168.10.1 (interface to your DMZ) + +
- EXTERNAL - External IP address - This - should NOT be the primary IP address of the interface named -in the next column. -
- INTERFACE - Interface that you want -the EXTERNAL IP address to appear on. -
- INTERNAL - Internal IP address. -
- ALL - INTERFACES - - If Yes - or yes (or - left - empty), - NAT will - be - effective - +
- EXTERNAL - External IP address - + This should NOT be the primary IP address of the interface +named in the next column. +
- INTERFACE - Interface that you want + the EXTERNAL IP address to appear on. Beginning with Shorewall +version 1.3.14, if you have set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf, + you can specify an alias label of the form interfacename:digit (e.g., +eth0:0) and Shorewall will create the alias with that label. Alias labels +created in this way allow the alias to be visible to the ipconfig utility. + THAT IS THE ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR +ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION. +
- INTERNAL - Internal IP address. +
- ALL + INTERFACES + - If Yes + or yes (or + left + empty), + NAT will + be + effective + from all hosts. If No or no @@ -2480,1060 +2577,1092 @@ the EXTERNAL IP address to appear on. through the interface - named in - the - INTERFACE - column. - Note: If two or more NATed systems are connected -to the same firewall interface and you want them to be able to -communicate using their EXTERNAL IP addresses, then you will want + named in + the + INTERFACE + column. + Note: If two or more NATed systems are connected +to the same firewall interface and you want them to be able to +communicate using their EXTERNAL IP addresses, then you will want to specify the multi option in the /etc/shorewall/interface entry for that interface. -
- LOCAL - If Yes or yes and the ALL INTERFACES - column contains Yes or yes, NAT will be effective from the firewall - system. Note: For this to work, you must be running - kernel 2.4.19 or later and iptables 1.2.6a or later and you must - have enabled CONFIG_IP_NF_NAT_LOCAL in your kernel. - +
- LOCAL - If Yes or yes and the ALL INTERFACES + column contains Yes or yes, NAT will be effective from the +firewall system. Note: For this to work, you +must be running kernel 2.4.19 or later and iptables 1.2.6a or +later and you must have enabled CONFIG_IP_NF_NAT_LOCAL + in your kernel. +
- OLD_PING_HANDLING - Added at version 1.3.14.
-If this option is set to 'Yes' then the old and confusing ICMP echo-request -(Ping) handling is enabled. This includes the 'noping' and 'filterping' interface -options and the FORWARDPING option below. If this option is set to "No" then -ping requests are handled using rules and policies just like any other connection -request. For upward compatibility with only configurations, if this option -is omitted OLD_PING_HANDLING=Yes is assumed. New Shorewall users should leave -this option set to "No".
-
-For a complete description of how ping handling works under Shorewall, see - ping.html.
-
-
- - CLEAR_TC - Added at version 1.3.13
- If this option is set to 'No' then Shorewall won't clear the current traffic -control rules during [re]start. This setting is intended for use by people -that prefer to configure traffic shaping when the network interfaces come -up rather than when the firewall is started. If that is what you want to do, -set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart -file. That way, your traffic shaping rules can still use the 'fwmark' classifier -based on packet marking defined in /etc/shorewall/tcrules. If not specified, -CLEAR_TC=Yes is assumed.
-
- - MARK_IN_FORWARD_CHAIN - Added at version 1.3.12
- If your kernel has a FORWARD chain in the mangle table, you may -set MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified in the tcrules file to occur in that chain - rather than in the PREROUTING chain. This permits you to mark inbound -traffic based on its destination address when SNAT or Masquerading are -in use. To determine if your kernel has a FORWARD chain in the mangle table, -use the "/sbin/shorewall show mangle" command; if a FORWARD chain is displayed - then your kernel will support this option. If this option is not specified - or if it is given the empty value (e.g., MARK_IN_FORWARD_CHAIN="") then -MARK_IN_FORWARD_CHAIN=No is assumed.
-
- - RFC1918_LOG_LEVEL - Added at version 1.3.12
- This parameter determines the level at which packets logged under - the 'norfc1918' mechanism - are logged. The value must be a valid syslog - level and if no level is given, then info is assumed. Prior to Shorewall - version 1.3.12, these packets are always logged at the info level.
- - TCP_FLAGS_DISPOSITION - Added in Version 1.3.11
- Determines the disposition of TCP packets that fail the checks enabled - by the tcpflags interface option and must - have a value of ACCEPT (accept the packet), REJECT (send an RST response) - or DROP (ignore the packet). If not set or if set to the empty value (e.g., - TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is assumed.
- - TCP_FLAGS_LOG_LEVEL - Added in Version 1.3.11
- Determines the syslog level - for logging packets that fail the checks enabled by the tcpflags interface option.The value must be a valid - syslogd log level. If you don't want to log these packets, set to -the empty value (e.g., TCP_FLAGS_LOG_LEVEL="").
-
- - MACLIST_DISPOSITION - Added in Version 1.3.10
- Determines the disposition of connections requests that fail - MAC Verification and must have the - value ACCEPT (accept the connection request anyway), REJECT (reject the -connection request) or DROP (ignore the connection request). If not set -or if set to the empty value (e.g., MACLIST_DISPOSITION="") then MACLIST_DISPOSITION=REJECT - is assumed.
- - MACLIST_LOG_LEVEL - Added in Version 1.3.10
- Determines the syslog level - for logging connection requests that fail MAC Verification. The value must be a valid - syslogd log level. If you don't want to log these connection requests, - set to the empty value (e.g., MACLIST_LOG_LEVEL="").
+ - OLD_PING_HANDLING - Added at version
+ 1.3.14.
+ If this option is set to 'Yes' then the old and confusing ICMP echo-request + (Ping) handling is enabled. This includes the 'noping' and 'filterping' interface + options and the FORWARDPING option below. If this option is set to "No" +then ping requests are handled using rules and policies just like any other +connection request. For upward compatibility with only configurations, if +this option is omitted OLD_PING_HANDLING=Yes is assumed. New Shorewall users +should leave this option set to "No".
+
+ For a complete description of how ping handling works under Shorewall, +see ping.html.
+
+
+ - CLEAR_TC - Added at version 1.3.13
+ If this option is set to 'No' then Shorewall won't clear the current +traffic control rules during [re]start. This setting is intended for use +by people that prefer to configure traffic shaping when the network interfaces +come up rather than when the firewall is started. If that is what you want +to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart + file. That way, your traffic shaping rules can still use the 'fwmark' classifier + based on packet marking defined in /etc/shorewall/tcrules. If not specified, + CLEAR_TC=Yes is assumed.
+
+ - MARK_IN_FORWARD_CHAIN - Added at version 1.3.12
+ If your kernel has a FORWARD chain in the mangle table, you may + set MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified in the + tcrules file to occur in that +chain rather than in the PREROUTING chain. This permits you to mark inbound + traffic based on its destination address when SNAT or Masquerading are + in use. To determine if your kernel has a FORWARD chain in the mangle + table, use the "/sbin/shorewall show mangle" command; if a FORWARD chain + is displayed then your kernel will support this option. If this option + is not specified or if it is given the empty value (e.g., MARK_IN_FORWARD_CHAIN="") + then MARK_IN_FORWARD_CHAIN=No is assumed.
+
+ - RFC1918_LOG_LEVEL - Added at version 1.3.12
+ This parameter determines the level at which packets logged +under the 'norfc1918' mechanism + are logged. The value must be a valid syslog level and if no level is given, + then info is assumed. Prior to Shorewall version 1.3.12, these packets + are always logged at the info level.
+ - TCP_FLAGS_DISPOSITION - Added in Version 1.3.11
+ Determines the disposition of TCP packets that fail the checks + enabled by the tcpflags interface option + and must have a value of ACCEPT (accept the packet), REJECT (send an + RST response) or DROP (ignore the packet). If not set or if set to +the empty value (e.g., TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP + is assumed.
+ - TCP_FLAGS_LOG_LEVEL - Added in Version 1.3.11
+ Determines the syslog level + for logging packets that fail the checks enabled by the tcpflags interface option.The value must be a valid + syslogd log level. If you don't want to log these packets, set to + the empty value (e.g., TCP_FLAGS_LOG_LEVEL="").
- - NEWNOTSYN - Added in Version 1.3.8
- When set to "Yes" or "yes", Shorewall will filter TCP -packets that are not part of an established connention and that -are not SYN packets (SYN flag on - ACK flag off). If set to "No", Shorewall -will silently drop such packets. If not set or set to the empty value -(e.g., "NEWNOTSYN="), NEWNOTSYN=No is assumed.
-
- If you have a HA setup with failover to another firewall, - you should have NEWNOTSYN=Yes on both firewalls. You should also -select NEWNOTSYN=Yes if you have asymmetric routing.
+ - MACLIST_DISPOSITION - Added in Version 1.3.10
+ Determines the disposition of connections requests that + fail MAC Verification and must have + the value ACCEPT (accept the connection request anyway), REJECT (reject +the connection request) or DROP (ignore the connection request). If not +set or if set to the empty value (e.g., MACLIST_DISPOSITION="") then MACLIST_DISPOSITION=REJECT + is assumed.
+ - MACLIST_LOG_LEVEL - Added in Version 1.3.10
+ Determines the syslog + level for logging connection requests that fail MAC Verification. The value must be a valid + syslogd log level. If you don't want to log these connection requests, + set to the empty value (e.g., MACLIST_LOG_LEVEL="").
- - FORWARDPING - Added in Version 1.3.7 - This
-option is deprecated and is not available when OLD_PING_HANDLING=No (see
-above).
- When set to "Yes" or "yes", ICMP echo-request (ping) - packets from interfaces that specify "filterping" are ACCEPTed - by the firewall. When set to "No" or "no", such ping requests -are silently dropped unless they are handled by an explicit entry -in the rules file. If not specified, "No" is -assumed.
- - LOGNEWNOTSYN - Added in Version 1.3.6
- Beginning with version 1.3.6, Shorewall drops non-SYN - TCP packets that are not part of an existing connection. If you - would like to log these packets, set LOGNEWNOTSYN to the - syslog level at which you want - the packets logged. Example: LOGNEWNOTSYN=ULOG|
-
- Note: Packets logged under this option are -usually the result of broken remote IP stacks rather than the -result of any sort of attempt to breach your firewall.
-
- - MERGE_HOSTS - Added in Version 1.3.5
- Prior to 1.3.5, when the /etc/shorewall/hosts - file included an entry for a zone then the entire zone had -to be defined in the /etc/shorewall/hosts file and any associations - between the zone and interfaces in the /etc/shorewall/interfaces - file were ignored. This behavior is preserved if MERGE_HOSTS=No - or if MERGE_HOSTS is not set or is set to the empty value.
-
- Beginning with version 1.3.5, if MERGE_HOSTS=Yes, -then zone assignments in the /etc/shorewall/hosts file are ADDED -to those in the /etc/shorewall/interfaces file.
-
- Example:
-
- Interfaces File:
+ - NEWNOTSYN - Added in Version 1.3.8
+ When set to "Yes" or "yes", Shorewall will filter TCP + packets that are not part of an established connention and that +are not SYN packets (SYN flag on - ACK flag off). If set to "No", Shorewall + will silently drop such packets. If not set or set to the empty value + (e.g., "NEWNOTSYN="), NEWNOTSYN=No is assumed.
+
+ If you have a HA setup with failover to another firewall, + you should have NEWNOTSYN=Yes on both firewalls. You should also + select NEWNOTSYN=Yes if you have asymmetric routing.
+
+ - FORWARDPING - Added in Version 1.3.7 -
+ This option is deprecated and is not available when OLD_PING_HANDLING=No
+(see above).
+ When set to "Yes" or "yes", ICMP echo-request +(ping) packets from interfaces that specify "filterping" are +ACCEPTed by the firewall. When set to "No" or "no", such ping +requests are silently dropped unless they are handled by an explicit +entry in the rules file. If not specified, "No" + is assumed.
+ - LOGNEWNOTSYN - Added in Version 1.3.6
+ Beginning with version 1.3.6, Shorewall drops +non-SYN TCP packets that are not part of an existing connection. +If you would like to log these packets, set LOGNEWNOTSYN to +the syslog level at which you +want the packets logged. Example: LOGNEWNOTSYN=ULOG|
+
+ Note: Packets logged under this option +are usually the result of broken remote IP stacks rather than +the result of any sort of attempt to breach your firewall.
+
+ - MERGE_HOSTS - Added in Version 1.3.5
+ Prior to 1.3.5, when the /etc/shorewall/hosts + file included an entry for a zone then the entire zone had +to be defined in the /etc/shorewall/hosts file and any associations + between the zone and interfaces in the /etc/shorewall/interfaces + file were ignored. This behavior is preserved if MERGE_HOSTS=No + or if MERGE_HOSTS is not set or is set to the empty value.
+
+ Beginning with version 1.3.5, if MERGE_HOSTS=Yes, + then zone assignments in the /etc/shorewall/hosts file are +ADDED to those in the /etc/shorewall/interfaces file.
+
+ Example:
+
+ Interfaces File:
- +- -
- +- -ZONE -HOSTS -BROADCAST -OPTIONS -- -loc -eth1 -- -dhcp -- + +- -ppp+ -
-
-+ +ZONE +HOSTS +BROADCAST +OPTIONS ++ +loc +eth1 +- +dhcp ++ - - - + + +- +ppp+ +
+
+
+ Hosts File:
- Hosts File:
-
+ - +- -
- +- -ZONE -HOSTS -- + +loc -ppp+:192.168.12.0/24 -+ +ZONE +HOSTS ++ - - - + + +loc +ppp+:192.168.12.0/24 +
-
- With MERGE_HOSTS=No, the loc zone consists - of only ppp+:192.168.12.0/24; with MERGE_HOSTS=Yes, it includes - eth1:0.0.0.0/0 and ppp+:192.168.12.0/24.
-
- - DETECT_DNAT_ADDRS - Added in Version 1.3.4
- If set to "Yes" or "yes", Shorewall will detect the IP - address(es) of the interface(es) to the source zone and will include - this (these) address(es) in DNAT rules as the original destination - IP address. If set to "No" or "no", Shorewall will not detect this -(these) address(es) and any destination IP address will match the -DNAT rule. If not specified or empty, "DETECT_DNAT_ADDRS=Yes" is -assumed.
-
- - MULTIPORT - Added in Version 1.3.2
- If set to "Yes" or "yes", Shorewall will use the -Netfilter multiport facility. In order to use this facility, -your kernel must have multiport support (CONFIG_IP_NF_MATCH_MULTIPORT). -When this support is used, Shorewall will generate a single rule -from each record in the /etc/shorewall/rules file that meets + With MERGE_HOSTS=No, the loc zone + consists of only ppp+:192.168.12.0/24; with MERGE_HOSTS=Yes, + it includes eth1:0.0.0.0/0 and ppp+:192.168.12.0/24.
+ +
+ - DETECT_DNAT_ADDRS - Added in Version
+1.3.4
+ If set to "Yes" or "yes", Shorewall will detect the + IP address(es) of the interface(es) to the source zone and will +include this (these) address(es) in DNAT rules as the original destination + IP address. If set to "No" or "no", Shorewall will not detect this +(these) address(es) and any destination IP address will match the DNAT +rule. If not specified or empty, "DETECT_DNAT_ADDRS=Yes" is assumed.
+
+ - MULTIPORT - Added in Version 1.3.2
+ If set to "Yes" or "yes", Shorewall will use the + Netfilter multiport facility. In order to use this facility, + your kernel must have multiport support (CONFIG_IP_NF_MATCH_MULTIPORT). + When this support is used, Shorewall will generate a single rule + from each record in the /etc/shorewall/rules file that meets these criteria:
- +-
-
- No port range(s) specified -
- Specifies 15 or fewer ports +
- No port range(s) specified +
- Specifies 15 or fewer ports - +
Rules not meeting those criteria will continue to generate an individual - rule for each listed port or port range.
-
- - NAT_BEFORE_RULES
- If set to "No" or "no", port forwarding rules can -override the contents of the /etc/shorewall/nat -file. If set to "Yes" or "yes", port forwarding rules cannot override - static NAT. If not set or set to an empty value, "Yes" is assumed.
- - FW
+ +Rules not meeting those criteria will continue to generate an individual + rule for each listed port or port range.
+
+ - NAT_BEFORE_RULES
+ If set to "No" or "no", port forwarding rules +can override the contents of the /etc/shorewall/nat + file. If set to "Yes" or "yes", port forwarding rules cannot +override static NAT. If not set or set to an empty value, "Yes" +is assumed.
+ - FW
- This - parameter - specifies the - name of the - firewall zone. - If not set or - if set to an - empty -string, + This + parameter + specifies the + name of the + firewall zone. + If not set or + if set to + an empty + string, the value "fw" is assumed.
- - SUBSYSLOCK
- This parameter should be set to the name of -a file that the firewall should create if it starts successfully - and remove when it stops. Creating and removing this file -allows Shorewall to work with your distribution's initscripts. -For RedHat, this should be set to /var/lock/subsys/shorewall. + - SUBSYSLOCK
+ This parameter should be set to the name +of a file that the firewall should create if it starts successfully + and remove when it stops. Creating and removing this file + allows Shorewall to work with your distribution's initscripts. + For RedHat, this should be set to /var/lock/subsys/shorewall. For Debian, the value is /var/state/shorewall and in LEAF it is - /var/run/shorwall. - Example: - SUBSYSLOCK=/var/lock/subsys/shorewall.
- - STATEDIR
- This parameter specifies the name of a directory - where Shorewall stores state information. If the directory - doesn't exist when Shorewall starts, it will create the directory. - Example: STATEDIR=/tmp/shorewall.
-
- NOTE: If you change the STATEDIR variable -while the firewall is running, create the new directory if necessary - then copy the contents of the old directory to the new directory. -
- - ALLOWRELATED
- This parameter must be assigned the value "Yes" - ("yes") or "No" ("no") and specifies whether Shorewall -allows connection requests that are related to an already allowed -connection. If you say "No" ("no"), you can still override this -setting by including "related" rules in /etc/shorewall/rules ("related" - given as the protocol). If you specify ALLOWRELATED=No, you will -need to include rules in /etc/shorewall/icmpdef to - handle common ICMP packet types.
- - MODULESDIR
- This parameter specifies the directory where - your kernel netfilter modules may be found. If you leave -the variable empty, Shorewall will supply the value "/lib/modules/`uname - -r`/kernel/net/ipv4/netfilter.
- - LOGRATE and LOGBURST
- These parameters set the match rate and initial - burst size for logged packets. Please see the iptables man page - for a description of the behavior of these parameters (the iptables - option --limit is set by LOGRATE and --limit-burst is set by LOGBURST). - If both parameters are set empty, no rate-limiting will occur.
-
- Example:
- LOGRATE=10/minute
- LOGBURST=5
-
- - LOGFILE
+ /var/run/shorwall. + Example: + SUBSYSLOCK=/var/lock/subsys/shorewall.
+ - STATEDIR
+ This parameter specifies the name of a directory + where Shorewall stores state information. If the directory + doesn't exist when Shorewall starts, it will create the directory. + Example: STATEDIR=/tmp/shorewall.
+
+ NOTE: If you change the STATEDIR variable + while the firewall is running, create the new directory if necessary + then copy the contents of the old directory to the new directory. +
+ - ALLOWRELATED
+ This parameter must be assigned the value + "Yes" ("yes") or "No" ("no") and specifies whether Shorewall + allows connection requests that are related to an already + allowed connection. If you say "No" ("no"), you can still +override this setting by including "related" rules in /etc/shorewall/rules +("related" given as the protocol). If you specify ALLOWRELATED=No, +you will need to include rules in /etc/shorewall/icmpdef to + handle common ICMP packet types.
+ - MODULESDIR
+ This parameter specifies the directory where + your kernel netfilter modules may be found. If you leave +the variable empty, Shorewall will supply the value "/lib/modules/`uname + -r`/kernel/net/ipv4/netfilter.
+ - LOGRATE and LOGBURST
+ These parameters set the match rate and +initial burst size for logged packets. Please see the iptables +man page for a description of the behavior of these parameters +(the iptables option --limit is set by LOGRATE and --limit-burst +is set by LOGBURST). If both parameters are set empty, no rate-limiting +will occur.
+
+ Example:
+ LOGRATE=10/minute
+ LOGBURST=5
+
+ - LOGFILE
- This parameter - tells the - /sbin/shorewall - program where - to look for - Shorewall - messages when - processing the - "show - log", - "monitor", - "status" - and - "hits" - commands. - If not - assigned - or if assigned - an empty - value, - /var/log/messages - is assumed.
- - NAT_ENABLED
- This parameter determines whether Shorewall -supports NAT operations. NAT operations include:
-
- Static NAT
- Port Forwarding
- Port Redirection
- Masquerading
-
- If the parameter has no value or has a value - of "Yes" or "yes" then NAT is enabled. If the parameter has + This parameter + tells the + /sbin/shorewall + program where + to look for + Shorewall + messages when + processing + the +"show +log", "monitor", + "status" + and + "hits" + commands. + If +not assigned + or if assigned + an empty + value, + /var/log/messages + is assumed.
+ - NAT_ENABLED
+ This parameter determines whether Shorewall + supports NAT operations. NAT operations include:
+
+ Static NAT
+ Port Forwarding
+ Port Redirection
+ Masquerading
+
+ If the parameter has no value or has a value + of "Yes" or "yes" then NAT is enabled. If the parameter has a value of "no" or "No" then NAT is disabled.
-
- - MANGLE_ENABLED
- This parameter determines if packet mangling - is enabled. If the parameter has no value or has a value -of "Yes" or "yes" than packet mangling is enabled. If the parameter - has a value of "no" or "No" then packet mangling is disabled. -If packet mangling is disabled, the /etc/shorewall/tos file is +
+ - MANGLE_ENABLED
+ This parameter determines if packet mangling + is enabled. If the parameter has no value or has a value +of "Yes" or "yes" than packet mangling is enabled. If the parameter + has a value of "no" or "No" then packet mangling is disabled. +If packet mangling is disabled, the /etc/shorewall/tos file is ignored.
-
- - IP_FORWARDING
- This parameter determines whether Shorewall -enables or disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward). - Possible values are:
-
- On or on - packet forwarding will be enabled.
- Off or off - packet forwarding will be -disabled.
- Keep or keep - Shorewall will neither enable - nor disable packet forwarding.
-
- If this variable is not set or is given an -empty value (IP_FORWARD="") then IP_FORWARD=On is assumed.
-
- - ADD_IP_ALIASES
- This parameter determines whether Shorewall -automatically adds the +
+ - IP_FORWARDING
+ This parameter determines whether Shorewall + enables or disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward). + Possible values are:
+
+ On or on - packet forwarding will be +enabled.
+ Off or off - packet forwarding will +be disabled.
+ Keep or keep - Shorewall will neither + enable nor disable packet forwarding.
+
+ If this variable is not set or is given +an empty value (IP_FORWARD="") then IP_FORWARD=On is assumed.
+
+ - ADD_IP_ALIASES
+ This parameter determines whether Shorewall + automatically adds the external address(es) in /etc/shorewall/nat . If the variable is -set to "Yes" or "yes" then Shorewall automatically adds these -aliases. If it is set to "No" or "no", you must add these aliases -yourself using your distribution's network configuration tools.
-
- If this variable is not set or is given an empty - value (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is assumed.
- - ADD_SNAT_ALIASES
- This parameter determines whether Shorewall automatically - adds the SNAT ADDRESS in /etc/shorewall/masq. - If the variable is set to "Yes" or "yes" then Shorewall automatically - adds these addresses. If it is set to "No" or "no", you must -add these addresses yourself using your distribution's network -configuration tools.
-
- If this variable is not set or is given an empty - value (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.
-
- - LOGUNCLEAN
+ href="#NAT">/etc/shorewall/nat . If the variable is set +to "Yes" or "yes" then Shorewall automatically adds these aliases. +If it is set to "No" or "no", you must add these aliases yourself +using your distribution's network configuration tools.
+
+ If this variable is not set or is given an + empty value (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes + is assumed.
+ - ADD_SNAT_ALIASES
+ This parameter determines whether Shorewall automatically + adds the SNAT ADDRESS in /etc/shorewall/masq. + If the variable is set to "Yes" or "yes" then Shorewall automatically + adds these addresses. If it is set to "No" or "no", you must + add these addresses yourself using your distribution's network + configuration tools.
+
+ If this variable is not set or is given an + empty value (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No + is assumed.
+
+ - LOGUNCLEAN
- This parameter - determines the - logging level - of - mangled/invalid - packets - controlled by - the 'dropunclean - and logunclean' - interface - options. If - LOGUNCLEAN - is -empty - (LOGUNCLEAN=) - then packets - selected by - 'dropclean' are - dropped - silently - ('logunclean' - packets are - logged - under - the 'info' log - level). - Otherwise, - these packets - are logged at - the specified - level - (Example: - LOGUNCLEAN=debug).
- - BLACKLIST_DISPOSITION
+ This parameter + determines the + logging level + of + mangled/invalid + packets + controlled by + the 'dropunclean + and logunclean' + interface + options. If + LOGUNCLEAN + is empty + (LOGUNCLEAN=) + then + packets + selected by + 'dropclean' are + dropped + silently + ('logunclean' + packets are + logged under + the 'info' log + level). + Otherwise, + these +packets + are logged at + the specified + level + (Example: + LOGUNCLEAN=debug).
+ - BLACKLIST_DISPOSITION
- This parameter - determines the - disposition of - packets from - blacklisted - hosts. It may - have the value - DROP if - the packets - are to - be dropped or - REJECT if the - packets are to - be replied - with an ICMP - port - unreachable - reply or a TCP - RST (tcp - only). If you - do not assign - a value - or if -you assign an - empty value - then DROP is - assumed.
- - BLACKLIST_LOGLEVEL
+ This parameter + determines the + disposition of + packets from + blacklisted + hosts. It may + have the value + DROP if + the + packets are to + be dropped or + REJECT if the + packets are to + be replied + with an ICMP + port + unreachable + reply or a TCP + RST (tcp + only). If +you do +not assign + a value or if + you assign an + empty value + then DROP is + assumed.
+ - BLACKLIST_LOGLEVEL
- This paremter - determines if - packets from + This paremter + determines if + packets from + blacklisted + hosts are + logged and it + determines the + syslog level + that they + are + to be logged + at. Its value + is a syslog level + (Example: + BLACKLIST_LOGLEVEL=debug). + +If you do not + assign a value + or if you + assign an + empty value + then packets + from blacklisted - hosts are - logged and it - determines the - syslog level - that they - are -to be logged - at. Its value - is a syslog level - (Example: - BLACKLIST_LOGLEVEL=debug). - If - you do not - assign a value - or if you - assign an - empty value - then packets - from - blacklisted - hosts are not - logged.
- - CLAMPMSS
+ hosts are not + logged.
+ - CLAMPMSS
- This parameter - enables the - TCP Clamp MSS - to PMTU - feature of - Netfilter and - is usually - required when - your internet - connection - is through - PPPoE - or PPTP. If - set to - "Yes" - or - "yes", - the feature is - enabled. If - left blank or - set to - "No" - or - "no", - the feature is - not enabled. - Note: This - option - requires - CONFIG_IP_NF_TARGET_TCPMSS - in - your kernel.
- - ROUTE_FILTER
- If this parameter is given the value "Yes" or "yes" - then route filtering (anti-spoofing) is enabled on all network - interfaces. The default value is "no".
-
+ This parameter
+ enables the
+ TCP Clamp MSS
+ to PMTU
+ feature of
+ Netfilter and
+ is usually
+ required when
+ your internet
+ connection
+ is
+ through PPPoE
+ or PPTP. If
+ set to
+ "Yes"
+ or
+ "yes",
+ the feature is
+ enabled. If
+ left blank or
+ set to
+ "No"
+ or
+ "no",
+ the feature is
+ not enabled.
+ Note:
+This option
+ requires
+ CONFIG_IP_NF_TARGET_TCPMSS
+
+ in
+ your kernel.
+ - ROUTE_FILTER
+ If this parameter is given the value "Yes" or +"yes" then route filtering (anti-spoofing) is enabled +on all network interfaces. The default value is "no".
+
- SOURCE -- The source zone. May be qualified - by following the zone name with a colon (":") and either an - IP address, an IP subnet, a MAC address in Shorewall - Format or the name of an interface. This column may also -contain the name of - the firewall - zone to indicate packets originating - on the firewall itself or "all" to indicate any source. -
- DEST -- The destination zone. May be - qualified by following the zone name with a colon (":") and - either an IP address or an IP subnet. Because packets are marked - prior to routing, you may not specify the name of an interface. - This column may also contain "all" to indicate any destination. -
- PROTOCOL -- The name of a protocol -in /etc/protocols or the protocol's number. -
- SOURCE PORT(S) -- The source port or - a port range. For all ports, place a hyphen ("-") in this -column. -
- DEST PORT(S) -- The destination port - or a port range. To indicate all ports, place a hyphen ("-") - in this column. -
- TOS -- The type of service. Must be -one of the following: - +
- SOURCE -- The source zone. May be + qualified by following the zone name with a colon (":") +and either an IP address, an IP subnet, a MAC address in Shorewall Format or the name of an interface. + This column may also contain the name of + the firewall + zone to + indicate packets originating on the firewall itself or "all" to + indicate any source. +
- DEST -- The destination zone. May + be qualified by following the zone name with a colon (":") + and either an IP address or an IP subnet. Because packets are + marked prior to routing, you may not specify the name of an + interface. This column may also contain "all" to indicate any + destination. +
- PROTOCOL -- The name of a protocol + in /etc/protocols or the protocol's number. +
- SOURCE PORT(S) -- The source port + or a port range. For all ports, place a hyphen ("-") in +this column. +
- DEST PORT(S) -- The destination +port or a port range. To indicate all ports, place a hyphen +("-") in this column. +
- TOS -- The type of service. Must +be one of the following: +
- ADDRESS/SUBNET - As described above. -
- PROTOCOL - Optional. If specified, only packets - specifying this protocol will be blocked. -
- PORTS - Optional; may only be given if PROTOCOL
- is tcp, udp or icmp. Expressed as a comma-separated list of port numbers
- or service names (from /etc/services). If present, only packets destined
- for the specified protocol and one of the listed ports are blocked.
- When the PROTOCOL is icmp, the PORTS column contains a comma-separated
- list of ICMP type numbers or names (see "iptables -h icmp").
-
-
+ - ADDRESS/SUBNET - As described above. +
- PROTOCOL - Optional. If specified, only + packets specifying this protocol will be blocked. +
- PORTS - Optional; may only be given if
+PROTOCOL is tcp, udp or icmp. Expressed as a comma-separated list
+of port numbers or service names (from /etc/services). If present,
+only packets destined for the specified protocol and one of the listed
+ports are blocked. When the PROTOCOL is icmp, the PORTS column contains
+a comma-separated list of ICMP type numbers or names (see "iptables
+-h icmp").
+
+
- SUBNET - The subnet using VLSM notation - (e.g., 192.168.0.0/16). +
- SUBNET - The subnet using VLSM + notation (e.g., 192.168.0.0/16). -
- TARGET - What to do with -packets to/from the SUBNET: - +
- TARGET - What to do with
+ packets to/from the SUBNET:
+
+
-
-
- RETURN - Process the packet normally - thru the rules and policies. +
- RETURN - Process the packet +normally thru the rules and policies. -
- DROP - Silently drop the packet. +
- DROP - Silently drop the packet. -
- logdrop - Log then drop the packet - -- see the RFC1918_LOG_LEVEL parameter above. +
- logdrop - Log then drop the +packet -- see the RFC1918_LOG_LEVEL parameter above. - + +
-
+
+
- INTERFACE - The firewall interface - through which the host(s) comminicate with the firewall. +
- INTERFACE - The firewall interface + through which the host(s) comminicate with the firewall. -
- HOST(S) - (Optional) - A comma-separated - list of IP/Subnet addresses. If not supplied or supplied as "-" then - 0.0.0.0/0 is assumed. - +
- HOST(S) - (Optional) - A comma-separated + list of IP/Subnet addresses. If not supplied or supplied as "-" +then 0.0.0.0/0 is assumed. +
- You are trying to test from inside -your firewall (no, that won't work -- see FAQ -#2). -
- You have a more basic problem with -your local system such as an incorrect default gateway configured -(it should be set to the IP address of your firewall's internal -interface). - +
- You are trying to test from inside + your firewall (no, that won't work -- see FAQ + #2). +
- You have a more basic problem with + your local system such as an incorrect default gateway configured + (it should be set to the IP address of your firewall's internal + interface). +
- As root, type "iptables -t nat -Z". This clears - the NetFilter counters in the nat table. -
- Try to connect to the redirected port from an -external host. -
- As root type "shorewall show nat" -
- Locate the appropriate DNAT rule. It will be -in a chain called zone_dnat where zone is the -zone that includes the ('net' in the above examples). -
- Is the packet count in the first column non-zero? - If so, the connection request is reaching the firewall and is being - redirected to the server. In this case, the problem is usually -a missing or incorrect default gateway setting on the server (the -server's default gateway should be the IP address of the firewall's -interface to the server). -
- If the packet count is zero: +
- As root, type "iptables -t nat -Z". This clears + the NetFilter counters in the nat table. +
- Try to connect to the redirected port from +an external host. +
- As root type "shorewall show nat" +
- Locate the appropriate DNAT rule. It will +be in a chain called <source zone>_dnat ('net_dnat' +in the above examples). +
- Is the packet count in the first column non-zero? + If so, the connection request is reaching the firewall and is +being redirected to the server. In this case, the problem is usually + a missing or incorrect default gateway setting on the server (the + server's default gateway should be the IP address of the firewall's + interface to the server). +
- If the packet count is zero: - +
- the connection request is not reaching your -server (possibly it is being blocked by your ISP); or -
- you are trying to connect to a secondary IP -address on your firewall and your rule is only redirecting the primary -IP address (You need to specify the secondary IP address in the "ORIG. - DEST." column in your DNAT rule); or -
- your DNAT rule doesn't match the connection
-request in some other way. In that case, you may have to use a packet
-sniffer such as tcpdump or ethereal to further diagnose the problem.
-
+ - the connection request is not reaching your + server (possibly it is being blocked by your ISP); or +
- you are trying to connect to a secondary +IP address on your firewall and your rule is only redirecting the + primary IP address (You need to specify the secondary IP address +in the "ORIG. DEST." column in your DNAT rule); or +
- your DNAT rule doesn't match the connection
+ request in some other way. In that case, you may have to use a
+packet sniffer such as tcpdump or ethereal to further diagnose the
+problem.
+
-
+
- Having an internet-accessible server - in your local network is like raising foxes in the corner -of your hen house. If the server is compromised, there's nothing - between that server and your other internal systems. For the - cost of another NIC and a cross-over cable, you can put your -server in a DMZ such that it is isolated from your local systems - - assuming that the Server can be located near the Firewall, of course - :-) -
- The accessibility problem is best solved - using Bind Version - 9 "views" (or using a separate DNS server for local clients) such - that www.mydomain.com resolves to 130.141.100.69 externally and -192.168.1.5 internally. That's what I do here at shorewall.net for -my local systems that use static NAT. - +
- Having an internet-accessible server + in your local network is like raising foxes in the corner + of your hen house. If the server is compromised, there's nothing + between that server and your other internal systems. For +the cost of another NIC and a cross-over cable, you can put + your server in a DMZ such that it is isolated from your local systems + - assuming that the Server can be located near the Firewall, +of course :-) +
- The accessibility problem is best + solved using Bind Version + 9 "views" (or using a separate DNS server for local clients) +such that www.mydomain.com resolves to 130.141.100.69 externally +and 192.168.1.5 internally. That's what I do here at shorewall.net +for my local systems that use static NAT. +
- They are late-arriving replies to DNS queries. -
- They are corrupted reply packets. +
- They are late-arriving replies to DNS queries. +
- They are corrupted reply packets. +
- +
-
-
-
The default gateway on each local system isn't set to - the IP address of the local firewall interface.
-
- -
+
+
The default gateway on each local system isn't set to + the IP address of the local firewall interface.
+
+ -
-
-
The entry for the local network in the /etc/shorewall/masq - file is wrong or missing.
-
- -
+
+
The entry for the local network in the /etc/shorewall/masq + file is wrong or missing.
+
+ -
-
-
The DNS settings on the local systems are wrong or the - user is running a DNS server on the firewall and hasn't -enabled UDP and TCP port 53 from the firewall to the internet.
-
-
+
+ - man1918 - The destination address -is listed in /etc/shorewall/rfc1918 with a logdrop target - -- see /etc/shorewall/rfc1918. -
- rfc1918 - The source address is listed - in /etc/shorewall/rfc1918 with a logdrop target -- see - /etc/shorewall/rfc1918. -
- all2<zone>, <zone>2all - or all2all - You have a policy that specifies a log level - and this packet is being logged under that policy. If you intend - to ACCEPT this traffic then you need a man1918 - The destination address + is listed in /etc/shorewall/rfc1918 with a logdrop target + -- see /etc/shorewall/rfc1918. +
- rfc1918 - The source address is + listed in /etc/shorewall/rfc1918 with a logdrop target + -- see /etc/shorewall/rfc1918. +
- all2<zone>, <zone>2all
+ or all2all - You have a policy that specifies a log level
+ and this packet is being logged under that policy. If you intend
+ to ACCEPT this traffic then you need a rule to that effect.
-
- - <zone1>2<zone2> - Either - you have a policy for <zone1> - to <zone2> that specifies a log level and -this packet is being logged under that policy or this packet -matches a rule that includes -a log level. -
- <interface>_mac - The packet is being
- logged under the maclist
+
- <zone1>2<zone2> - +Either you have a policy for + <zone1> to <zone2> that specifies +a log level and this packet is being logged under that policy +or this packet matches a rule +that includes a log level.
+- <interface>_mac - The packet is +being logged under the maclist interface option.
-
-- logpkt - The packet is being logged - under the logunclean +
+- logpkt - The packet is being logged + under the logunclean interface option.
-- badpkt - The packet is being logged - under the dropunclean interface option as specified - in the LOGUNCLEAN setting in /etc/shorewall/shorewall.conf.
-- blacklst - The packet is being logged - because the source IP is blacklisted in thebadpkt - The packet is being logged + under the dropunclean interface option as specified + in the LOGUNCLEAN setting in /etc/shorewall/shorewall.conf.
+- blacklst - The packet is being +logged because the source IP is blacklisted in the /etc/shorewall/blacklist file.
-- newnotsyn - The packet is being logged - because it is a TCP packet that is not part of any current connection - yet it is not a syn packet. Options affecting the logging of such - packets include NEWNOTSYN and LOGNEWNOTSYN - in /etc/shorewall/shorewall.conf.
-- INPUT or FORWARD - The packet - has a source IP address that isn't in any of your defined zones - ("shorewall check" and look at the printed zone definitions) or -the chain is FORWARD and the destination IP isn't in any of your defined - zones.
-- logflags - The packet is being logged because - it failed the checks implemented by the tcpflags newnotsyn - The packet is being + logged because it is a TCP packet that is not part of any current + connection yet it is not a syn packet. Options affecting the logging + of such packets include NEWNOTSYN and LOGNEWNOTSYN + in /etc/shorewall/shorewall.conf.
+- INPUT or FORWARD - The packet + has a source IP address that isn't in any of your defined zones + ("shorewall check" and look at the printed zone definitions) +or the chain is FORWARD and the destination IP isn't in any of your +defined zones.
+- logflags - The packet is being logged because + it failed the checks implemented by the tcpflags interface option.
- +
- - Install the RPM (rpm -ivh <shorewall rpm>).
-
- Note: Some SuSE users have encountered a problem whereby rpm reports -a conflict with kernel <= 2.2 even though a 2.4 kernel is installed. -If this happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps -<shorewall rpm>).
- - Edit the configuration files to match -your configuration. WARNING - YOU CAN NOT -SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION -IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND -AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK -TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK -CONNECTIVITY. -
- Start the firewall by typing "shorewall start" - +
- Install the RPM (rpm -ivh <shorewall rpm>).
+
+ Note: Some SuSE users have encountered a problem whereby rpm +reports a conflict with kernel <= 2.2 even though a 2.4 kernel is +installed. If this happens, simply use the --nodeps option to rpm (rpm +-ivh --nodeps <shorewall rpm>).
+ - Edit the configuration files to match + your configuration. WARNING - YOU CAN NOT + SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION + IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND + AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY +NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO +RESTORE NETWORK CONNECTIVITY. +
- Start the firewall by typing "shorewall start" +
- unpack the tarball (tar -zxf shorewall-x.y.z.tgz). -
- cd to the shorewall directory (the version is encoded in the - directory name as in "shorewall-1.1.10"). -
- If you are using unpack the tarball (tar -zxf shorewall-x.y.z.tgz). +
- cd to the shorewall directory (the version is encoded in the + directory name as in "shorewall-1.1.10"). +
- If you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian then type "./install.sh" -
- If you are using SuSe then type +
- If you are using SuSe then type "./install.sh /etc/init.d" -
- If your distribution has directory /etc/rc.d/init.d or -/etc/init.d then type "./install.sh" -
- For other distributions, determine where your distribution -installs init scripts and type "./install.sh <init script directory> -
- Edit the configuration files to match -your configuration. -
- Start the firewall by typing "shorewall start" -
- If the install script was unable to configure Shorewall to be started -automatically at boot, see If your distribution has directory /etc/rc.d/init.d +or /etc/init.d then type "./install.sh" +
- For other distributions, determine where your distribution + installs init scripts and type "./install.sh <init script +directory> +
- Edit the configuration files to match + your configuration. +
- Start the firewall by typing "shorewall start" +
- If the install script was unable to configure Shorewall to be started + automatically at boot, see these instructions. - +
- Upgrade the RPM (rpm -Uvh <shorewall rpm file>) Note: If
-you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
- you must use the "--oldpackage" option to rpm (e.g., "rpm -Uvh --oldpackage
-shorewall-1.2-0.noarch.rpm").
-
Note: Some SuSE users have encountered a problem whereby -rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel is -installed. If this happens, simply use the --nodeps option to rpm (rpm --Uvh --nodeps <shorewall rpm>).
-
-
- - See if there are any incompatibilities between your configuration -and the new Shorewall version (type "shorewall check") and correct as -necessary. -
- Restart the firewall (shorewall restart). - -
- unpack the tarball (tar -zxf shorewall-x.y.z.tgz). -
- cd to the shorewall directory (the version is encoded in the - directory name as in "shorewall-3.0.1"). -
- If you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian then type "./install.sh" -
- If you are using SuSe then type - "./install.sh /etc/init.d" -
- If your distribution has directory /etc/rc.d/init.d or -/etc/init.d then type "./install.sh" -
- For other distributions, determine where your distribution -installs init scripts and type "./install.sh <init script directory> +
- Upgrade the RPM (rpm -Uvh <shorewall rpm file>) Note: If
+ you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
+installed, you must use the "--oldpackage" option to rpm (e.g., "rpm
+ -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
+
Note: Some SuSE users have encountered a problem whereby + rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel +is installed. If this happens, simply use the --nodeps option to rpm (rpm + -Uvh --nodeps <shorewall rpm>).
+
+ - See if there are any incompatibilities between your configuration and the new Shorewall version (type "shorewall check") and correct as necessary. -
- Restart the firewall by typing "shorewall restart" - +
- Restart the firewall (shorewall restart). +
- /etc/shorewall/shorewall.conf - used to set several firewall - parameters. -
- /etc/shorewall/params - use this file to set shell variables that -you will expand in other files. -
- /etc/shorewall/zones - partition the firewall's view of the world - into zones. -
- /etc/shorewall/policy - establishes firewall high-level policy. -
- /etc/shorewall/interfaces - describes the interfaces on the - firewall system. -
- /etc/shorewall/hosts - allows defining zones in terms of individual - hosts and subnetworks. -
- /etc/shorewall/maclist - verification of the MAC addresses of devices.
-
- - /etc/shorewall/masq - directs the firewall where to use many-to-one - (dynamic) NAT a.k.a. Masquerading. -
- /etc/shorewall/modules - directs the firewall to load kernel modules. -
- /etc/shorewall/rules - defines rules that are exceptions to the - overall policies established in /etc/shorewall/policy. -
- /etc/shorewall/nat - defines static NAT rules. -
- /etc/shorewall/proxyarp - defines use of Proxy ARP. -
- /etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines -hosts accessible when Shorewall is stopped. -
- /etc/shorewall/tcrules - defines marking of packets for later use -by traffic control/shaping. -
- /etc/shorewall/tos - defines rules for setting the TOS field in packet - headers. -
- /etc/shorewall/tunnels - defines IPSEC tunnels with end-points on - the firewall system. -
- /etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses. - +
- unpack the tarball (tar -zxf shorewall-x.y.z.tgz). +
- cd to the shorewall directory (the version is encoded in the + directory name as in "shorewall-3.0.1"). +
- If you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian then type "./install.sh" +
- If you are using SuSe then type + "./install.sh /etc/init.d" +
- If your distribution has directory /etc/rc.d/init.d +or /etc/init.d then type "./install.sh" +
- For other distributions, determine where your distribution + installs init scripts and type "./install.sh <init script +directory> +
- See if there are any incompatibilities between your configuration + and the new Shorewall version (type "shorewall check") and correct as +necessary. +
- Restart the firewall by typing "shorewall restart" +
- /etc/shorewall/shorewall.conf - used to set several firewall + parameters. +
- /etc/shorewall/params - use this file to set shell variables that + you will expand in other files. +
- /etc/shorewall/zones - partition the firewall's view of the world + into zones. +
- /etc/shorewall/policy - establishes firewall high-level policy. +
- /etc/shorewall/interfaces - describes the interfaces on the + firewall system. +
- /etc/shorewall/hosts - allows defining zones in terms of individual + hosts and subnetworks. +
- /etc/shorewall/maclist - verification of the MAC addresses of devices.
+
+ - /etc/shorewall/masq - directs the firewall where to use many-to-one + (dynamic) NAT a.k.a. Masquerading. +
- /etc/shorewall/modules - directs the firewall to load kernel modules. +
- /etc/shorewall/rules - defines rules that are exceptions to the + overall policies established in /etc/shorewall/policy. +
- /etc/shorewall/nat - defines static NAT rules. +
- /etc/shorewall/proxyarp - defines use of Proxy ARP. +
- /etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines + hosts accessible when Shorewall is stopped. +
- /etc/shorewall/tcrules - defines marking of packets for later use + by traffic control/shaping. +
- /etc/shorewall/tos - defines rules for setting the TOS field in +packet headers. +
- /etc/shorewall/tunnels - defines IPSEC tunnels with end-points on + the firewall system. +
- /etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses. + +
- An OLD_PING_HANDLING option has been added to shorewall.conf. When
+ set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).
+
+ When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and policies + just like any other connection request. The FORWARDPING=Yes option in shorewall.conf + and the 'noping' and 'filterping' options in /etc/shorewall/interfaces will + all generate an error.
+
+
+ - It is now possible to direct Shorewall to create a "label" such as
+ "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes.
+ This is done by specifying the label instead of just the interface name:
+
+ a) In the INTERFACE column of /etc/shorewall/masq
+ b) In the INTERFACE column of /etc/shorewall/nat
+
+ - When an interface name is entered in the SUBNET column of the /etc/shorewall/masq
+ file, Shorewall previously masqueraded traffic from only the first subnet
+ defined on that interface. It did not masquerade traffic from:
+
+ a) The subnets associated with other addresses on the interface.
+ b) Subnets accessed through local routers.
+
+ Beginning with Shorewall 1.3.14, if you enter an interface name in the +SUBNET column, shorewall will use the firewall's routing table to construct +the masquerading/SNAT rules.
+
+ Example 1 -- This is how it works in 1.3.14.
+
+ +[root@gateway test]# cat /etc/shorewall/masq
+ +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE[root@gateway test]# ip route show dev eth2
+ +
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254[root@gateway test]# shorewall start
+
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
+ When upgrading to Shorewall 1.3.14, if you have multiple local subnets +connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq + entry, your /etc/shorewall/masq file will need changing. In most cases, +you will simply be able to remove redundant entries. In some cases though, +you might want to change from using the interface name to listing specific +subnetworks if the change described above will cause masquerading to occur +on subnetworks that you don't wish to masquerade.
+
+ Example 2 -- Suppose that your current config is as follows:
+
+ +[root@gateway test]# cat /etc/shorewall/masq
+ +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE[root@gateway test]# ip route show dev eth2
+
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+ In this case, the second entry in /etc/shorewall/masq is no longer required.
+
+ Example 3 -- What if your current configuration is like this?
+
+ +[root@gateway test]# cat /etc/shorewall/masq
+ +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE[root@gateway test]# ip route show dev eth2
+
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+ In this case, you would want to change the entry in /etc/shorewall/masq + to:
+ +#INTERFACE SUBNET ADDRESS
+
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+ - A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
- file. DNAT- is intended for advanced users who wish to minimize the number
- of rules that connection requests must traverse.
-
- A Shorewall DNAT rule actually generates two iptables rules: a header -rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' table. -A DNAT- rule only generates the first of these rules. This is handy when -you have several DNAT rules that would generate the same ACCEPT rule.
-
- Here are three rules from my previous rules file:
-
- DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
- DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
- ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
-
- These three rules ended up generating _three_ copies of
-
- ACCEPT net dmz:206.124.146.177 tcp smtp
-
- By writing the rules this way, I end up with only one copy of the ACCEPT - rule.
-
- DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
- DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
- ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,....
-
-
- - The 'shorewall check' command now prints out the applicable policy
- between each pair of zones.
-
-
- - A new CLEAR_TC option has been added to shorewall.conf. If this
-option is set to 'No' then Shorewall won't clear the current traffic control
-rules during [re]start. This setting is intended for use by people that
-prefer to configure traffic shaping when the network interfaces come up rather
-than when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes
- and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way,
- your traffic shaping rules can still use the 'fwmark' classifier based on
- packet marking defined in /etc/shorewall/tcrules.
-
-
- - A new SHARED_DIR variable has been added that allows distribution
- packagers to easily move the shared directory (default /usr/lib/shorewall).
- Users should never have a need to change the value of this shorewall.conf
- setting.
-
-
- - "shorewall refresh" now reloads the traffic shaping rules (tcrules - and tcstart). -
- "shorewall debug [re]start" now turns off debugging after an -error occurs. This places the point of the failure near the end of the -trace rather than up in the middle of it. -
- "shorewall [re]start" has been speeded up by more than 40% with - my configuration. Your milage may vary. -
- A "shorewall show classifiers" command has been added which shows - the current packet classification filters. The output from this command - is also added as a separate page in "shorewall monitor" -
- ULOG (must be all caps) is now accepted as a valid syslog level - and causes the subject packets to be logged using the ULOG target rather - than the LOG target. This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages to a -separate log file. -
- If you are running a kernel that has a FORWARD chain in the mangle - table ("shorewall show mangle" will show you the chains in the mangle -table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for marking - input packets based on their destination even when you are using Masquerading - or SNAT. -
- I have cluttered up the /etc/shorewall directory with empty 'init', - 'start', 'stop' and 'stopped' files. If you already have a file with -one of these names, don't worry -- the upgrade process won't overwrite -your file. -
- I have added a new RFC1918_LOG_LEVEL variable to shorewall.conf. This variable specifies
- the syslog level at which packets are logged as a result of entries in
-the /etc/shorewall/rfc1918 file. Previously, these packets were always
-logged at the 'info' level.
+ - A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
+ file. DNAT- is intended for advanced users who wish to minimize the number
+ of rules that connection requests must traverse.
+
+ A Shorewall DNAT rule actually generates two iptables rules: a header + rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' table. + A DNAT- rule only generates the first of these rules. This is handy when + you have several DNAT rules that would generate the same ACCEPT rule.
+
+ Here are three rules from my previous rules file:
+
+ DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
+ DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
+ ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
+
+ These three rules ended up generating _three_ copies of
+
+ ACCEPT net dmz:206.124.146.177 tcp smtp
+
+ By writing the rules this way, I end up with only one copy of the + ACCEPT rule.
+
+ DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
+ DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
+ ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,....
+
+
+ - The 'shorewall check' command now prints out the applicable policy
+ between each pair of zones.
+
+
+ - A new CLEAR_TC option has been added to shorewall.conf. If this
+ option is set to 'No' then Shorewall won't clear the current traffic control
+ rules during [re]start. This setting is intended for use by people that
+prefer to configure traffic shaping when the network interfaces come up rather
+than when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes
+ and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
+way, your traffic shaping rules can still use the 'fwmark' classifier based
+on packet marking defined in /etc/shorewall/tcrules.
+
+
+ - A new SHARED_DIR variable has been added that allows distribution
+ packagers to easily move the shared directory (default /usr/lib/shorewall).
+ Users should never have a need to change the value of this shorewall.conf
+ setting.
- "shorewall refresh" now reloads the traffic shaping rules - (tcrules and tcstart). -
- "shorewall debug [re]start" now turns off debugging after - an error occurs. This places the point of the failure near the end of - the trace rather than up in the middle of it. -
- "shorewall [re]start" has been speeded up by more than 40% - with my configuration. Your milage may vary. -
- A "shorewall show classifiers" command has been added which - shows the current packet classification filters. The output from this - command is also added as a separate page in "shorewall monitor" -
- ULOG (must be all caps) is now accepted as a valid syslog - level and causes the subject packets to be logged using the ULOG target - rather than the LOG target. This allows you to run ulogd (available -from http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages to a -separate log file. -
- If you are running a kernel that has a FORWARD chain in -the mangle table ("shorewall show mangle" will show you the chains in -the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. - This allows for marking input packets based on their destination even -when you are using Masquerading or SNAT. -
- I have cluttered up the /etc/shorewall directory with empty - 'init', 'start', 'stop' and 'stopped' files. If you already have a file - with one of these names, don't worry -- the upgrade process won't overwrite - your file. - +
- "shorewall refresh" now reloads the traffic shaping rules +(tcrules and tcstart). +
- "shorewall debug [re]start" now turns off debugging after +an error occurs. This places the point of the failure near the end of +the trace rather than up in the middle of it. +
- "shorewall [re]start" has been speeded up by more than 40% +with my configuration. Your milage may vary. +
- A "shorewall show classifiers" command has been added which + shows the current packet classification filters. The output from this + command is also added as a separate page in "shorewall monitor" +
- ULOG (must be all caps) is now accepted as a valid syslog +level and causes the subject packets to be logged using the ULOG target +rather than the LOG target. This allows you to run ulogd (available +from http://www.gnumonks.org/projects/ulogd) + and log all Shorewall messages to +a separate log file. +
- If you are running a kernel that has a FORWARD chain in the + mangle table ("shorewall show mangle" will show you the chains in the + mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for marking + input packets based on their destination even when you are using Masquerading + or SNAT. +
- I have cluttered up the /etc/shorewall directory with empty + 'init', 'start', 'stop' and 'stopped' files. If you already have a +file with one of these names, don't worry -- the upgrade process won't +overwrite your file. +
- I have added a new RFC1918_LOG_LEVEL variable to shorewall.conf. This variable specifies
+ the syslog level at which packets are logged as a result of entries in
+ the /etc/shorewall/rfc1918 file. Previously, these packets were always
+logged at the 'info' level.
+
+
- "shorewall refresh" now reloads the traffic shaping rules + (tcrules and tcstart). +
- "shorewall debug [re]start" now turns off debugging after + an error occurs. This places the point of the failure near the end of + the trace rather than up in the middle of it. +
- "shorewall [re]start" has been speeded up by more than + 40% with my configuration. Your milage may vary. +
- A "shorewall show classifiers" command has been added +which shows the current packet classification filters. The output from +this command is also added as a separate page in "shorewall monitor" +
- ULOG (must be all caps) is now accepted as a valid syslog + level and causes the subject packets to be logged using the ULOG target + rather than the LOG target. This allows you to run ulogd (available +from http://www.gnumonks.org/projects/ulogd) + and log all Shorewall messages to +a separate log file. +
- If you are running a kernel that has a FORWARD chain +in the mangle table ("shorewall show mangle" will show you the chains +in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. + This allows for marking input packets based on their destination even +when you are using Masquerading or SNAT. +
- I have cluttered up the /etc/shorewall directory with +empty 'init', 'start', 'stop' and 'stopped' files. If you already have +a file with one of these names, don't worry -- the upgrade process won't +overwrite your file. + +
- A 'tcpflags' option has been added to entries in - /etc/shorewall/interfaces. -This option causes Shorewall to make a set of sanity check on TCP packet +
- A 'tcpflags' option has been added to entries +in /etc/shorewall/interfaces. + This option causes Shorewall to make a set of sanity check on TCP packet header flags. -
- It is now allowed to use 'all' in the SOURCE or DEST
- column in a rule. When used,
- 'all' must appear by itself (in may not be qualified) and it does not
- enable intra-zone traffic. For example, the rule
-
- ACCEPT loc all tcp 80
-
- does not enable http traffic from 'loc' to 'loc'.
- - Shorewall's use of the 'echo' command is now compatible - with bash clones such as ash and dash. -
- fw->fw policies now generate a startup error. -fw->fw rules generate a warning and are ignored - +
- It is now allowed to use 'all' in the SOURCE or
+ DEST column in a rule.
+When used, 'all' must appear by itself (in may not be qualified) and
+it does not enable intra-zone traffic. For example, the rule
+
+ ACCEPT loc all tcp 80
+
+ does not enable http traffic from 'loc' to 'loc'.
+ - Shorewall's use of the 'echo' command is now compatible + with bash clones such as ash and dash. +
- fw->fw policies now generate a startup error. + fw->fw rules generate a warning and are ignored +
- You may now define -the contents of a zone dynamically with the "shorewall add" and "shorewall - delete" commands. These commands are expected to be used +
- You may now define + the contents of a zone dynamically with the "shorewall add" and "shorewall + delete" commands. These commands are expected to be used primarily within FreeS/Wan updown -scripts. -
- Shorewall can now do MAC verification on ethernet segments. -You can specify the set of allowed MAC addresses on the segment -and you can optionally tie each MAC address to one or more IP addresses. -
- PPTP Servers and Clients running on the firewall - system may now be defined in the /etc/shorewall/tunnels - file. -
- A new 'ipsecnat' tunnel type is supported for -use when the remote IPSEC endpoint is -behind a NAT gateway. -
- The PATH used by Shorewall may now be specified - in /etc/shorewall/shorewall.conf. -
- The main firewall script is now /usr/lib/shorewall/firewall. - The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall - to do the real work. This change makes custom distributions such - as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall - that tends to have distribution-dependent code - + href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan updown scripts. +
- Shorewall can now do MAC verification on ethernet +segments. You can specify the set of allowed MAC addresses on the +segment and you can optionally tie each MAC address to one or more +IP addresses. +
- PPTP Servers and Clients running on the firewall + system may now be defined in the /etc/shorewall/tunnels + file. +
- A new 'ipsecnat' tunnel type is supported for + use when the remote IPSEC endpoint is + behind a NAT gateway. +
- The PATH used by Shorewall may now be specified + in /etc/shorewall/shorewall.conf. +
- The main firewall script is now /usr/lib/shorewall/firewall. + The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall + to do the real work. This change makes custom distributions such + as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall + that tends to have distribution-dependent code +
- You may now define + the contents of a zone dynamically with the "shorewall add" and "shorewall + delete" commands. These commands are expected to be used +primarily within FreeS/Wan updown + scripts. +
- Shorewall can now do MAC verification on ethernet segments. + You can specify the set of allowed MAC addresses on the segment + and you can optionally tie each MAC address to one or more IP addresses. +
- PPTP Servers and Clients running on the firewall + system may now be defined in the /etc/shorewall/tunnels + file. +
- A new 'ipsecnat' tunnel type is supported +for use when the remote IPSEC endpoint +is behind a NAT gateway. +
- The PATH used by Shorewall may now be specified + in /etc/shorewall/shorewall.conf. +
- The main firewall script is now /usr/lib/shorewall/firewall. + The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall + to do the real work. This change makes custom distributions such + as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall + that tends to have distribution-dependent code. + +
- You may now define - the contents of a zone dynamically with the "shorewall add" and "shorewall - delete" commands. These commands are expected to be used primarily - within FreeS/Wan - updown scripts. -
- Shorewall can now do MAC verification on ethernet segments. - You can specify the set of allowed MAC addresses on the segment -and you can optionally tie each MAC address to one or more IP addresses. -
- PPTP Servers and Clients running on the firewall - system may now be defined in the /etc/shorewall/tunnels - file. -
- A new 'ipsecnat' tunnel type is supported for -use when the remote IPSEC endpoint is -behind a NAT gateway. -
- The PATH used by Shorewall may now be specified - in /etc/shorewall/shorewall.conf. -
- The main firewall script is now /usr/lib/shorewall/firewall. - The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall - to do the real work. This change makes custom distributions such - as for Debian and for Gentoo easier to manage since it is /etc/init.d/shorewall - that tends to have distribution-dependent code. - -
- DNS Names are - now allowed in Shorewall config files (although I recommend against - using them). -
- The connection SOURCE may now be qualified - by both interface and IP address in a DNS Names are +now allowed in Shorewall config files (although I recommend against + using them). +
- The connection SOURCE may now be +qualified by both interface and IP address in a Shorewall rule. -
- Shorewall startup is now disabled after - initial installation until the file /etc/shorewall/startup_disabled - is removed. This avoids nasty surprises during reboot for users - who install Shorewall but don't configure it. -
- The 'functions' and 'version' files and
-the 'firewall' symbolic link have been moved from /var/lib/shorewall
- to /usr/lib/shorewall to appease the LFS police at Debian.
-
-
+ - Shorewall startup is now disabled +after initial installation until the file /etc/shorewall/startup_disabled + is removed. This avoids nasty surprises during reboot for users + who install Shorewall but don't configure it. +
- The 'functions' and 'version' files
+and the 'firewall' symbolic link have been moved from /var/lib/shorewall
+ to /usr/lib/shorewall to appease the LFS police at Debian.
+
+
- Mailing List Archive Search was not - available. -
- The Site Search index was incomplete -
- Only one page of matches was presented. - - -
- Mailing List Archive Search was not -available. -
- The Site Search index was incomplete -
- Only one page of matches was presented. - -
- A NEWNOTSYN option has been - added to shorewall.conf. This option determines whether Shorewall - accepts TCP packets which are not part of an established connection - and that are not 'SYN' packets (SYN flag on and ACK flag off). -
- The need for the 'multi' option -to communicate between zones za and zb on the same interface -is removed in the case where the chain 'za2zb' and/or 'zb2za' -exists. 'za2zb' will exist if: - - -
- There is a policy for za - to zb; or -
- There is at least one rule -for za to zb. +
- Mailing List Archive Search was +not available. +
- The Site Search index was incomplete +
- Only one page of matches was presented. -
The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces - to multiple zones.
+Your /etc/shorewall/hosts file might look like:
- - -- - -- - -- -
-- -ZONE -HOST(S) -OPTIONS -- -loc1 -eth1:192.168.1.0/25 --
-- +loc2 -eth1:192.168.1.128/25 -routestopped -The interface name much match an entry in /etc/shorewall/interfaces.
+ + + ++
+ + +-
Hosts in 'loc2' can communicate with the firewall while Shorewall is - stopped -- those in 'loc1' cannot.
- - -Nested and Overlapping -Zones
- - -The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow - you to define nested or overlapping zones. Such overlapping/nested zones - are allowed and Shorewall processes zones in the order that - they appear in the /etc/shorewall/zones file. So if you have nested -zones, you want the sub-zone to appear before the super-zone and -in the case of overlapping zones, the rules that will apply to hosts -that belong to both zones is determined by which zone appears first -in /etc/shorewall/zones.
- - -Hosts that belong to more than one zone may be managed by the rules - of all of those zones. This is done through use of the special -CONTINUE policy described below.
- - -- /etc/shorewall/policy Configuration.
- - -This file is used to describe the firewall policy regarding establishment - of connections. Connection establishment is described in terms - of clients who initiate connections and servers who - receive those connection requests. Policies defined in /etc/shorewall/policy - describe which zones are allowed to establish connections with -other zones.
- - -Policies established in /etc/shorewall/policy can be viewed as default - policies. If no rule in /etc/shorewall/rules applies to a particular - connection request then the policy from /etc/shorewall/policy -is applied.
- - -Four policies are defined:
- - --
-
routestopped - Beginning with Shorewall
+ 1.3.4, this option is deprecated in favor of the
+ /etc/shorewall/routestopped
+ file. When the firewall is stopped, traffic to and from
+ this host (these hosts) will be accepted and routing will
+ occur between this host and other routestopped interfaces
+ and hosts.
+
+ maclist - Added in version 1.3.10. If specified,
+ connection requests from the hosts specified in this entry are subject
+ to MAC Verification. This option is only
+ valid for ethernet interfaces.
+
For each policy specified in /etc/shorewall/policy, you can indicate - that you want a message sent to your system log each time that - the policy is applied.
+If you don't define any hosts for a zone, the hosts in the zone default + to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the + interfaces to the zone.
- -Entries in /etc/shorewall/policy have four columns as follows:
+ +Note 1: You probably DON'T +want to specify any hosts for your internet zone since the hosts that +you specify will be the only ones that you will be able to access without +adding additional rules.
- --
+
+
Note 2: + The setting of the MERGE_HOSTS variable + in /etc/shorewall/shorewall.conf + has an important effect on how the host + file is processed. Please read the description + of that variable carefully.
-Example:
-Your local interface is eth1 and you have two groups of local hosts that + you want to make into separate zones:
-In the SOURCE and DEST columns, you can enter "all" to indicate all - zones.
- - -The policy file installed by default is as follows:
- - -- - -- - -- -
-- -SOURCE -DEST -POLICY -LOG LEVEL -LIMIT:BURST -- -loc -net -ACCEPT -- -
--
-- -net -all -DROP -info --
-- - - - - - - - -all -all -REJECT -info --
-
This table may be interpreted as follows:
- - +-
-
WARNING:
- -The firewall script processes the - /etc/shorewall/policy file from top to bottom and uses the - first applicable policy that it finds. For example, in the -following policy file, the policy for (loc, loc) connections would -be ACCEPT as specified in the first entry even though the third entry -in the file specifies REJECT.
- -- + + +- -Your /etc/shorewall/interfaces file might look like:
+ + +++- -
-- -SOURCE -DEST -POLICY -LOG LEVEL -LIMIT:BURST -- -loc -all -ACCEPT --
--
-- -net -all -DROP -info --
-- + +loc -loc -REJECT -info --
-+ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +net +eth0 +detect +dhcp,norfc1918 ++ - + - +- +eth1 +detect ++
+
- The CONTINUE policy
+ +The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces + to multiple zones.
- -Where zones are nested or overlapping , the - CONTINUE policy allows hosts that are within multiple zones to -be managed under the rules of all of these zones. Let's look at -an example:
+ +Your /etc/shorewall/hosts file might look like:
- -/etc/shorewall/zones:
- - -- + +- -+ ++- -
-- -ZONE -DISPLAY -COMMENTS -- -sam -Sam -Sam's system at home -- -net -Internet -The Internet -- + +loc -Loc -Local Network -+ +ZONE +HOST(S) +OPTIONS ++ +loc1 +eth1:192.168.1.0/25 ++
++ - + - +loc2 +eth1:192.168.1.128/25 +routestopped +
/etc/shorewall/interfaces:
+ +Hosts in 'loc2' can communicate with the firewall while Shorewall is + stopped -- those in 'loc1' cannot.
- -- + ++ + + +Nested and Overlapping Zones
+ + +The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow +you to define nested or overlapping zones. Such overlapping/nested zones + are allowed and Shorewall processes zones in the order that + they appear in the /etc/shorewall/zones file. So if you have nested + zones, you want the sub-zone to appear before the super-zone and + in the case of overlapping zones, the rules that will apply to hosts + that belong to both zones is determined by which zone appears first + in /etc/shorewall/zones.
+ + +Hosts that belong to more than one zone may be managed by the rules + of all of those zones. This is done through use of the special + CONTINUE policy described below.
+ + ++ /etc/shorewall/policy Configuration.
+ + +This file is used to describe the firewall policy regarding establishment + of connections. Connection establishment is described in terms + of clients who initiate connections and servers who + receive those connection requests. Policies defined in /etc/shorewall/policy + describe which zones are allowed to establish connections with + other zones.
+ + +Policies established in /etc/shorewall/policy can be viewed as default + policies. If no rule in /etc/shorewall/rules applies to a particular + connection request then the policy from /etc/shorewall/policy +is applied.
+ + +Four policies are defined:
+ + ++
+ + +For each policy specified in /etc/shorewall/policy, you can indicate + that you want a message sent to your system log each time that + the policy is applied.
+ + +Entries in /etc/shorewall/policy have four columns as follows:
+ + ++ +
+ + +In the SOURCE and DEST columns, you can enter "all" to indicate all + zones.
+ + +The policy file installed by default is as follows:
+ + ++ ++- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -- -eth0 -detect -dhcp,norfc1918 -- + +loc -eth1 -detect -routestopped -+ +SOURCE +DEST +POLICY +LOG LEVEL +LIMIT:BURST ++ +loc +net +ACCEPT ++ +
++
++ +net +all +DROP +info ++
++ - + - +all +all +REJECT +info ++
+
This table may be interpreted as follows:
+ + +-
+
/etc/shorewall/hosts:
+WARNING:
-- +-The firewall script processes the + /etc/shorewall/policy file from top to bottom and uses the + first applicable policy that it finds. For example, in the + following policy file, the policy for (loc, loc) connections would + be ACCEPT as specified in the first entry even though the third entry + in the file specifies REJECT.
+ + +++- -
-- -ZONE -HOST(S) -OPTIONS -- - -net -eth0:0.0.0.0/0 --
-- + +sam -eth0:206.191.149.197 -routestopped -+ +SOURCE +DEST +POLICY +LOG LEVEL +LIMIT:BURST ++ +loc +all +ACCEPT ++
++
++ +net +all +DROP +info ++
++ - + - +loc +loc +REJECT +info ++
+
Note that Sam's home system is a member of both the sam zone - and the net zone - and as described above , that means that sam - must be listed before net in /etc/shorewall/zones.
++ The CONTINUE policy
-/etc/shorewall/policy:
+Where zones are nested or overlapping , the + CONTINUE policy allows hosts that are within multiple zones to +be managed under the rules of all of these zones. Let's look at an +example:
-+-/etc/shorewall/zones:
+ + ++- -
-- -SOURCE -DEST -POLICY -LOG LEVEL -- - -loc -net -ACCEPT --
-- - -sam -all -CONTINUE --
-- -net -all -DROP -info -- + +all -all -REJECT -info -+ +ZONE +DISPLAY +COMMENTS ++ +sam +Sam +Sam's system at home ++ +net +Internet +The Internet ++ - + - +loc +Loc +Local Network +
The second entry above says that when Sam is the client, connection - requests should first be process under rules where the source -zone is sam and if there is no match then the connection request - should be treated under rules where the source zone is net. - It is important that this policy be listed BEFORE the next policy - (net to all).
+/etc/shorewall/interfaces:
-Partial /etc/shorewall/rules:
- - -- +-++- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL - -
- DEST- - -... --
--
--
--
--
--
-- -DNAT -sam -loc:192.168.1.3 -tcp -ssh -- --
-- -DNAT -net -loc:192.168.1.5 -tcp -www -- --
-- + +... --
--
--
--
--
--
-+ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +- +eth0 +detect +dhcp,norfc1918 ++ - + - +loc +eth1 +detect +routestopped +
Given these two rules, Sam can connect to the firewall's internet interface - with ssh and the connection request will be forwarded to 192.168.1.3. - Like all hosts in the net zone, Sam can connect to the firewall's - internet interface on TCP port 80 and the connection request will - be forwarded to 192.168.1.5. The order of the rules is not significant.
+/etc/shorewall/hosts:
- -Sometimes it is necessary to suppress port forwarding - for a sub-zone. For example, suppose that all hosts can SSH -to the firewall and be forwarded to 192.168.1.5 EXCEPT Sam. When -Sam connects to the firewall's external IP, he should be connected -to the firewall itself. Because of the way that Netfilter is constructed, - this requires two rules as follows:
- - -- --- - + +
++- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- --
--
--
--
--
--
--
-- +... --
--
--
--
--
-+
-+ +ZONE +HOST(S) +OPTIONS ++ - -net +eth0:0.0.0.0/0 ++
+- -DNAT -sam -fw -tcp -ssh -- --
-- -DNAT -net!sam -loc:192.168.1.3 -tcp -ssh -- --
-- +... --
--
--
--
--
--
-+ - - + + + +sam +eth0:206.191.149.197 +routestopped +
The first rule allows Sam SSH - access to the firewall. The second - rule says that any clients from the - net zone with the exception of those - in the 'sam' zone should have their - connection port forwarded to - 192.168.1.3. If you need to exclude - more than one zone in this way, - you can list the zones - separated by commas -(e.g., net!sam,joe,fred). - This technique also may be used when - the ACTION is REDIRECT.
+Note that Sam's home system is a member of both the sam zone + and the net zone + and as described above , that means that sam + must be listed before net in /etc/shorewall/zones.
+ +/etc/shorewall/policy:
- -- /etc/shorewall/rules
- - - -The /etc/shorewall/rules file defines exceptions to the policies established
- in the /etc/shorewall/policy file. There is one entry in /etc/shorewall/rules
- for each of these rules.
-
Shorewall automatically enables firewall->firewall traffic over the
- loopback interface (lo) -- that traffic cannot be regulated using rules
- and any rule that tries to regulate such traffic will generate a warning
- and will be ignored.
-
Entries in the file have the following columns:
- --
-
Example 1. You wish to forward all - ssh connection requests from the internet to local system 192.168.1.3. -
- - -- + +- -++- + +
-+ +SOURCE +DEST +POLICY +LOG LEVEL ++ -loc +net +ACCEPT ++
+- ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL +
- DEST+ - -sam +all +CONTINUE ++
+- +DNAT -net -loc:192.168.1.3 -tcp -ssh --
--
-+ +net +all +DROP +info ++ - - + +all +all +REJECT +info +
Example 2. You want to redirect all local www connection requests - EXCEPT those to - your own http server - (206.124.146.177) to a Squid - transparent proxy running on the firewall and listening - on port 3128. Squid will of course require access to remote web + +
The second entry above says that when Sam is the client, connection + requests should first be process under rules where the source + zone is sam and if there is no match then the connection request + should be treated under rules where the source zone is net. + It is important that this policy be listed BEFORE the next policy + (net to all).
+ + +Partial /etc/shorewall/rules:
+ + ++ ++ + ++ + +
++ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ + +... ++
++
++
++
++
++
++ +DNAT +sam +loc:192.168.1.3 +tcp +ssh +- ++
++ +DNAT +net +loc:192.168.1.5 +tcp +www +- ++
++ + + + + + + + +... ++
++
++
++
++
++
+
Given these two rules, Sam can connect to the firewall's internet interface + with ssh and the connection request will be forwarded to 192.168.1.3. + Like all hosts in the net zone, Sam can connect to the firewall's + internet interface on TCP port 80 and the connection request +will be forwarded to 192.168.1.5. The order of the rules is not +significant.
+ + +Sometimes it is necessary to suppress port forwarding + for a sub-zone. For example, suppose that all hosts can SSH +to the firewall and be forwarded to 192.168.1.5 EXCEPT Sam. When +Sam connects to the firewall's external IP, he should be connected +to the firewall itself. Because of the way that Netfilter is constructed, + this requires two rules as follows:
+ + ++ ++ + ++ + +
+ +
++ + +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ ++
++
++
++
++
++
++
++ +... ++
++
++
++
++
++ +
++ +DNAT +sam +fw +tcp +ssh +- ++
++ +DNAT +net!sam +loc:192.168.1.3 +tcp +ssh +- ++
++ + + + + + + +... ++
++
++
++
++
++
+
The first rule allows Sam SSH + access to the firewall. The second + rule says that any clients from the + net zone with the exception of those + in the 'sam' zone should have their + connection port forwarded to + 192.168.1.3. If you need to exclude + more than one zone in this way, + you can list the zones + separated by commas + (e.g., net!sam,joe,fred). + This technique also may be used when + the ACTION is REDIRECT.
+ + + ++ /etc/shorewall/rules
+ + + +The /etc/shorewall/rules file defines exceptions to the policies established
+ in the /etc/shorewall/policy file. There is one entry in /etc/shorewall/rules
+ for each of these rules.
+
Shorewall automatically enables firewall->firewall traffic over the
+ loopback interface (lo) -- that traffic cannot be regulated using
+rules and any rule that tries to regulate such traffic will generate
+a warning and will be ignored.
+
Entries in the file have the following columns:
+ +-
+
Example 1. You wish to forward all + ssh connection requests from the internet to local system 192.168.1.3. +
+ + ++ ++ + ++ + +
++ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ + + + + + + + + + +DNAT +net +loc:192.168.1.3 +tcp +ssh ++
++
+
Example 2. You want to redirect all local www connection requests + EXCEPT those to + your own http server + (206.124.146.177) to a Squid + transparent proxy running on the firewall and listening + on port 3128. Squid will of course require access to remote web servers. This example shows yet another use for the ORIGINAL DEST column; here, connection requests that were NOT (notice the "!") originally - destined to 206.124.146.177 - are redirected to local + destined to 206.124.146.177 + are redirected to local port 3128.
- -- -- - -- - -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL - -
- DEST- -REDIRECT -loc -3128 -tcp -www -- -
-!206.124.146.177 -- - - - - - - - - -ACCEPT -fw -net -tcp -www --
--
-
Example 3. You want to run a web server at 155.186.235.222 in -your DMZ and have it accessible remotely and locally. the DMZ is managed - by Proxy ARP or by classical sub-netting.
- -- +-++- + -
-- ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL +
- DEST+ -ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL -
+ DEST- - -ACCEPT -net -dmz:155.186.235.222 -tcp -www -- --
-- + +ACCEPT -loc -dmz:155.186.235.222 -tcp -www --
--
-+ +REDIRECT +loc +3128 +tcp +www +- +
+!206.124.146.177 ++ - - + + + - +ACCEPT +fw +net +tcp +www ++
++
+
Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded
- DMZ. Your internet interface address is 155.186.235.151 and
-you want the FTP server to be accessible from the internet in addition
- to the local 192.168.1.0/24 and dmz 192.168.2.0/24 subnetworks.
- Note that since the server is in the 192.168.2.0/24 subnetwork, we
- can assume that access to the server from that subnet will not involve
- the firewall (but see FAQ 2). Note that
-unless you have more
-than one external IP
-address, you can leave
- the ORIGINAL DEST column
- blank in the first rule. You
- cannot leave it blank in the
- second rule though because
- then all ftp connections
- originating in the local
- subnet 192.168.1.0/24
-would be sent to 192.168.2.2
- regardless of the
- site that the user
-was trying to connect
-to. That is clearly
-not what you want 
- .
Example 3. You want to run a web server at 155.186.235.222 in your + DMZ and have it accessible remotely and locally. the DMZ is managed + by Proxy ARP or by classical sub-netting.
-- + face="Century Gothic, Arial, Helvetica"> +- - - -- + -
-- ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL +
- DEST+ -ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL -
+ DEST- -DNAT -net -dmz:192.168.2.2 -tcp -ftp --
--
-- + +DNAT -loc:192.168.1.0/24 -dmz:192.168.2.2 -tcp -ftp -- -155.186.235.151 -+ - - - - - - - - -ACCEPT +net +dmz:155.186.235.222 +tcp +www +- ++
+
If you are running wu-ftpd, you should restrict the range of passive - in your /etc/ftpaccess file. I only need a few simultaneous FTP sessions - so I use port range 65500-65535. In /etc/ftpaccess, this entry - is appropriate:
- - - -- - - -- - - -passive ports 0.0.0.0/0 65500 65534
-
If you are running pure-ftpd, you would include "-p 65500:65534" on - the pure-ftpd runline.
- - - -The important point here is to ensure that the port range used for FTP - passive connections is unique and will not overlap with any usage - on the firewall system.
- - - -Example 5. You - wish to allow unlimited - DMZ access to the host - with MAC address - 02:00:08:E3:FA:55.
- - - -- -- - - Example 6. - You wish to allow access to the SMTP server in your DMZ from all zones.- - -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL - -
- DEST- - - - - - -ACCEPT -loc:~02-00-08-E3-FA-55 -dmz -all --
--
--
-
- -
-- Example 7 (For advanced users running Shorewall version 1.3.13 -or later). From the internet, you with to forward tcp port 25 directed - to 192.0.2.178 and 192.0.2.179 to host 192.0.2.177 in your DMZ. You also - want to allow access from the internet directly to tcp port 25 on 192.0.2.177. -- -
-- -ACTION -
-SOURCE -
-DEST -
-PROTO -
-DEST -
- PORT(S)
-SOURCE -
- PORT(S)
-ORIGINAL -
- DEST
-- - - - -ACCEPT -
-all -
-dmz -
-tcp -
-25 -
--
--
-
- Note: When 'all' is used as a source or destination, intra-zone - traffic is not affected. In this example, if there were two DMZ interfaces - then the above rule would NOT enable SMTP traffic between hosts on these - interfaces.
-
- -
-- Using "DNAT-" rather than "DNAT" avoids two extra copies of the third - rule from being generated.- -
-- -ACTION -
-SOURCE -
-DEST -
-PROTO -
-DEST -
- PORT(S)
-SOURCE -
- PORT(S)
-ORIGINAL -
- DEST
-- -DNAT- -
-net -
-dmz:192.0.2.177 -
-tcp -
-25 -
-0 -
-192.0.2.178 -
-- -DNAT- -
-net -
-dmz:192.0.2.177 -
-tcp -
-25 -
-0 -
-192.0.2.179 -
-- - - -ACCEPT -
-net -
-dmz:192.0.2.177 -
-tcp -
-25 -
--
--
-
- -
Look here for information on other services. -
- - - -- /etc/shorewall/common
- - - -Shorewall allows - definition of rules that - apply between all zones. - By default, these rules - are defined in the file - /etc/shorewall/common.def - but may be modified to - suit individual - requirements. Rather - than modify - /etc/shorewall/common.def, - you should - copy that - file to /etc/shorewall/common - and modify - that file.
- - - -The /etc/shorewall/common - file is - expected to - contain iptables - commands; rather than - running iptables - directly, you should run - it indirectly using the - Shorewall function -'run_iptables'. -That way, if iptables - encounters an error, the - firewall will be safely - stopped.
- - - -- /etc/shorewall/masq
- - - -The /etc/shorewall/masq file is used to define classical IP Masquerading - and Source Network Address Translation (SNAT). There is one entry - in the file for each subnet that you want to masquerade. In order - to make use of this feature, you must have NAT - enabled .
- - - -Columns are:
- --
-
Example 1: You have eth0 connected to a cable modem and eth1 - connected to your local subnetwork 192.168.9.0/24. Your /etc/shorewall/masq - file would look like:
- - -- -+ - -- - -
-- -INTERFACE -SUBNET -ADDRESS -- +eth0 -192.168.9.0/24 --
-+ - + - +ACCEPT +loc +dmz:155.186.235.222 +tcp +www ++
++
+
Example 2: You have a number of IPSEC tunnels through ipsec0 - and you want to masquerade traffic from your 192.168.9.0/24 -subnet to the remote subnet 10.1.0.0/16 only.
+ + Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded
+ DMZ. Your internet interface address is 155.186.235.151 and
+ you want the FTP server to be accessible from the internet in addition
+ to the local 192.168.1.0/24 and dmz 192.168.2.0/24 subnetworks.
+ Note that since the server is in the 192.168.2.0/24 subnetwork, we
+ can assume that access to the server from that subnet will not involve
+ the firewall (but see FAQ 2). Note that
+ unless you have more
+ than one external
+IP address, you can leave
+ the ORIGINAL DEST column
+ blank in the first rule. You
+ cannot leave it blank in the
+ second rule though because
+ then all ftp connections
+ originating in the local
+ subnet 192.168.1.0/24
+ would be sent to 192.168.2.2
+ regardless of the
+ site that the user
+ was trying to connect
+ to. That is clearly
+ not what you want
+ .
- + +- -++- + -
-- -INTERFACE -SUBNET -ADDRESS -- +ipsec0:10.1.0.0/16 -192.168.9.0/24 --
-+ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ +DNAT +net +dmz:192.168.2.2 +tcp +ftp ++
++
++ - + - +DNAT +loc:192.168.1.0/24 +dmz:192.168.2.2 +tcp +ftp +- +155.186.235.151 +
Example 3: You have a DSL line connected on eth0 and a local - network + + +
If you are running wu-ftpd, you should restrict the range of passive + in your /etc/ftpaccess file. I only need a few simultaneous FTP sessions + so I use port range 65500-65535. In /etc/ftpaccess, this entry + is appropriate:
+ + + ++ + + ++ + + + +passive ports 0.0.0.0/0 65500 65534
+
If you are running pure-ftpd, you would include "-p 65500:65534" on + the pure-ftpd runline.
+ + + + +The important point here is to ensure that the port range used for FTP + passive connections is unique and will not overlap with any usage + on the firewall system.
+ + + + +Example 5. You + wish to allow unlimited + DMZ access to the host + with MAC address + 02:00:08:E3:FA:55.
+ + + + ++ ++ + + Example 6. + You wish to allow access to the SMTP server in your DMZ from all zones.+ + +
++ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ + + + + + + + +ACCEPT +loc:~02-00-08-E3-FA-55 +dmz +all ++
++
++
+
+ +
++ Example 7 (For advanced users running Shorewall version 1.3.13 + or later). From the internet, you with to forward tcp port 25 directed + to 192.0.2.178 and 192.0.2.179 to host 192.0.2.177 in your DMZ. You also + want to allow access from the internet directly to tcp port 25 on 192.0.2.177. ++ +
++ +ACTION +
+SOURCE +
+DEST +
+PROTO +
+DEST +
+ PORT(S)
+SOURCE +
+ PORT(S)
+ORIGINAL +
+ DEST
++ + + + +ACCEPT +
+all +
+dmz +
+tcp +
+25 +
++
++
+
+ Note: When 'all' is used as a source or destination, intra-zone + traffic is not affected. In this example, if there were two DMZ interfaces + then the above rule would NOT enable SMTP traffic between hosts on these + interfaces.
+
+ +
++ Using "DNAT-" rather than "DNAT" avoids two extra copies of the + third rule from being generated.+ +
++ +ACTION +
+SOURCE +
+DEST +
+PROTO +
+DEST +
+ PORT(S)
+SOURCE +
+ PORT(S)
+ORIGINAL +
+ DEST
++ +DNAT- +
+net +
+dmz:192.0.2.177 +
+tcp +
+25 +
+0 +
+192.0.2.178 +
++ +DNAT- +
+net +
+dmz:192.0.2.177 +
+tcp +
+25 +
+0 +
+192.0.2.179 +
++ + + +ACCEPT +
+net +
+dmz:192.0.2.177 +
+tcp +
+25 +
++
++
+
+ +
Look here for information on other services. +
+ + + + ++ /etc/shorewall/common
+ + + + +Shorewall allows + definition of rules that + apply between all zones. + By default, these rules + are defined in the file + /etc/shorewall/common.def + but may be modified to + suit individual + requirements. Rather + than modify + /etc/shorewall/common.def, + you should + copy that + file to /etc/shorewall/common + and modify + that file.
+ + + + +The /etc/shorewall/common + file is + expected to + contain iptables + commands; rather than + running iptables + directly, you should run + it indirectly using the + Shorewall function +'run_iptables'. That +way, if iptables + encounters an error, the + firewall will be safely + stopped.
+ + + + ++ /etc/shorewall/masq
+ + + + +The /etc/shorewall/masq file is used to define classical IP Masquerading + and Source Network Address Translation (SNAT). There is one entry + in the file for each subnet that you want to masquerade. In order + to make use of this feature, you must have NAT + enabled .
+ + + + +Columns are:
+ +-
+
Example 1: You have eth0 connected to a cable modem and eth1 + connected to your local subnetwork 192.168.9.0/24. Your /etc/shorewall/masq + file would look like:
+ + ++ ++ + ++ + +
++ +INTERFACE +SUBNET +ADDRESS ++ + + + + + + + + + +eth0 +192.168.9.0/24 ++
+
Example 2: You have a number of IPSEC tunnels through ipsec0 + and you want to masquerade traffic from your 192.168.9.0/24 +subnet to the remote subnet 10.1.0.0/16 only.
+ + ++ ++ + ++ + +
++ +INTERFACE +SUBNET +ADDRESS ++ + + + + + + + + + +ipsec0:10.1.0.0/16 +192.168.9.0/24 ++
+
Example 3: You have a DSL line connected on eth0 and a local + network (192.168.10.0/24) connected to eth1. You want all local->net connections to use source address 206.124.146.176.
- -- -- - -- -
-- -INTERFACE -SUBNET -ADDRESS -- - - - - - - -eth0 -192.168.10.0/24 -206.124.146.176 -
Example 4: - Same as example 3 - except that you wish - to exclude - 192.168.10.44 and - 192.168.10.45 from - the SNAT rule.
- - - - +- ++ - -- -
-- -INTERFACE -SUBNET -ADDRESS -- + +eth0 -192.168.10.0/24!192.168.10.44,192.168.10.45 -206.124.146.176 -+ +INTERFACE +SUBNET +ADDRESS ++ - - + + +eth0 +192.168.10.0/24 +206.124.146.176 +
- /etc/shorewall/proxyarp
+ +Example 4: + Same as example 3 + except that you wish + to exclude + 192.168.10.44 and + 192.168.10.45 from + the SNAT rule.
- -If you want to - use proxy ARP on an - entire sub-network, - I suggest that you - look at - - http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. - If -you decide to use + +
+ ++ + Example +5 (Shorewall version >= 1.3.14): You have a second IP address (206.124.146.177) +assigned to you and wish to use it for SNAT of the subnet 192.168.12.0/24. +You want to give that address the name eth0:0. You must have ADD_SNAT_ALIASES=Yes +in /etc/shorewall/shorewall.conf.+ + +
++ +INTERFACE +SUBNET +ADDRESS ++ + + + + + + + +eth0 +192.168.10.0/24!192.168.10.44,192.168.10.45 +206.124.146.176 +
+ +
+ ++ ++ + +
++ +INTERFACE +SUBNET +ADDRESS ++ + + + + + + + +eth0:0 +192.168.12.0/24 +206.124.146.177 +
+ /etc/shorewall/proxyarp
+ + + + +If you want to + use proxy ARP on an + entire sub-network, + I suggest that you + look at + + http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. + If + you decide to use the technique described in that HOWTO, you can set the proxy_arp flag for an interface - (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) - by including - the + (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) + by including + the proxyarp option in the interface's record in /etc/shorewall/interfaces. When using Proxy ARP - sub-netting, - you do NOT - include any -entries in /etc/shorewall/proxyarp. -
- - - - -The /etc/shorewall/proxyarp file is used to define Proxy ARP. The file is - typically used for - enabling Proxy ARP - on a small set of - systems since you - need one entry - in - this file for each - system using proxy - ARP. Columns are:
- --
-
Note: After you have made a change to the /etc/shorewall/proxyarp - file, you may need to flush the ARP cache of all routers on the - LAN segment connected to the interface specified in the EXTERNAL - column of the change/added entry(s). If you are having problems communicating - between an individual host (A) on that segment and a system whose - entry has changed, you may need to flush the ARP cache on host A -as well.
- - - -ISPs typically have ARP configured with long -TTL (hours!) so if your ISPs router has a stale cache entry (as seen using -"tcpdump -nei <external interface> host <IP addr>"), it may -take a long while to time out. I personally have had to contact my ISP -and ask them to delete a stale entry in order to restore a system to working -order after changing my proxy ARP settings.
- - - - -Example: - You have public IP addresses 155.182.235.0/28. You configure your - firewall as follows:
- --
-
In your DMZ, you want to install a Web/FTP server with public address - 155.186.235.4. On the Web server, you subnet just like the firewall's - eth0 and you configure 155.186.235.1 as the default gateway. -In your /etc/shorewall/proxyarp file, you will have:
- - -- -- - -- - -
-- -ADDRESS -INTERFACE -EXTERNAL -HAVEROUTE -- - - - - - - - - - -155.186.235.4 -eth2 -eth0 -No -
Note: You may want to configure the servers in your DMZ with a subnet - that is smaller than the subnet of your internet interface. See - the Proxy ARP Subnet Mini HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/) - for details. In this case you will want to place "Yes" in the -HAVEROUTE column.
- - -To learn how I use Proxy ARP in my DMZ, see my -configuration files.
- - -Warning: Do not use Proxy ARP and -FreeS/Wan on the same system unless you are prepared to suffer the consequences. - If you start or restart Shorewall with an IPSEC tunnel active, - the proxied IP addresses are mistakenly assigned to the IPSEC tunnel -device (ipsecX) rather than to the interface that you specify in -the INTERFACE column of /etc/shorewall/proxyarp. I haven't had the -time to debug this problem so I can't say if it is a bug in the Kernel -or in FreeS/Wan.
- -You might be able to work around this problem using the following - (I haven't tried it):
- -In /etc/shorewall/init, include:
- -qt service ipsec stop
- -In /etc/shorewall/start, include:
- -qt service ipsec start
- - -- /etc/shorewall/nat
+ sub-netting, + you do NOT + include any + entries in /etc/shorewall/proxyarp. + -The /etc/shorewall/nat file is used to define static NAT. There is one - entry in the file for each static NAT relationship that you -wish to define. In order to make use of this feature, you must -have NAT enabled .
+The /etc/shorewall/proxyarp file is used to define Proxy ARP. The file is + typically used for + enabling Proxy ARP + on a small set of + systems since you + need one entry + in + this file for each + system using proxy + ARP. Columns are:
+ +-
+
Note: After you have made a change to the /etc/shorewall/proxyarp + file, you may need to flush the ARP cache of all routers on the + LAN segment connected to the interface specified in the EXTERNAL + column of the change/added entry(s). If you are having problems communicating + between an individual host (A) on that segment and a system whose + entry has changed, you may need to flush the ARP cache on host A + as well.
+ + + +ISPs typically have ARP configured with long TTL + (hours!) so if your ISPs router has a stale cache entry (as seen using "tcpdump + -nei <external interface> host <IP addr>"), it may take a long +while to time out. I personally have had to contact my ISP and ask them +to delete a stale entry in order to restore a system to working order after +changing my proxy ARP settings.
+Example: + You have public IP addresses 155.182.235.0/28. You configure your + firewall as follows:
+ +-
+
In your DMZ, you want to install a Web/FTP server with public address + 155.186.235.4. On the Web server, you subnet just like the firewall's + eth0 and you configure 155.186.235.1 as the default gateway. +In your /etc/shorewall/proxyarp file, you will have:
+ + ++ ++ + ++ + +
++ +ADDRESS +INTERFACE +EXTERNAL +HAVEROUTE ++ + + + + + + + + + +155.186.235.4 +eth2 +eth0 +No +
Note: You may want to configure the servers in your DMZ with a subnet + that is smaller than the subnet of your internet interface. See + the Proxy ARP Subnet Mini HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/) + for details. In this case you will want to place "Yes" in the + HAVEROUTE column.
+ + +To learn how I use Proxy ARP in my DMZ, see my configuration +files.
+ + +Warning: Do not use Proxy ARP and + FreeS/Wan on the same system unless you are prepared to suffer the consequences. + If you start or restart Shorewall with an IPSEC tunnel active, + the proxied IP addresses are mistakenly assigned to the IPSEC tunnel + device (ipsecX) rather than to the interface that you specify in + the INTERFACE column of /etc/shorewall/proxyarp. I haven't had the + time to debug this problem so I can't say if it is a bug in the Kernel + or in FreeS/Wan.
+ +You might be able to work around this problem using the following + (I haven't tried it):
+ +In /etc/shorewall/init, include:
+ +qt service ipsec stop
+ +In /etc/shorewall/start, include:
+ +qt service ipsec start
+ + ++ /etc/shorewall/nat
+ + + + +The /etc/shorewall/nat file is used to define static NAT. There is one + entry in the file for each static NAT relationship that you +wish to define. In order to make use of this feature, you must +have NAT enabled .
+ + + +- IMPORTANT: If - all you want to do - is forward ports - to servers behind - your firewall, you - do NOT want to use - static NAT. Port - forwarding -can be accomplished - with + color="#ff0000"> + IMPORTANT: If + all you want to do + is forward ports + to servers behind + your firewall, you + do NOT want to use + static NAT. Port + forwarding can +be accomplished + with simple entries in the @@ -2443,33 +2534,39 @@ can be accomplish because the internal systems are accessed using - the same - IP address - internally - and externally.
+ the same + IP address + internally + and externally. - +Columns in an entry are:
- +-
-
Look here for additional information and an example. - -
+ + Look here for additional information and an example.
-
-
- /etc/shorewall/tunnels
+
The /etc/shorewall/tunnels file allows you to define IPSec, GRE, IPIP - and PPTP tunnels with end-points on your firewall. To use ipsec, - you must install version 1.9, 1.91 or the current FreeS/WAN development -snapshot.
- -Note: For kernels 2.4.4 and above, you will need to use version 1.91 - or a development snapshot as patching with version 1.9 results - in kernel compilation errors.
+ ++ /etc/shorewall/tunnels
- -Instructions for setting up IPSEC tunnels may - be found here, instructions for -IPIP and GRE tunnels are here and The /etc/shorewall/tunnels file allows you to define IPSec, GRE, IPIP, +OpenVPN and PPTP tunnels + with end-points on your firewall. To use ipsec, you must install +version 1.9, 1.91 or the current FreeS/WAN development snapshot. +
+ + +Note: For kernels 2.4.4 and above, you will need to use version 1.91 + or a development snapshot as patching with version 1.9 results + in kernel compilation errors.
+ + +Instructions for setting up IPSEC tunnels may + be found here, instructions for + IPIP and GRE tunnels are here and instructions for PPTP tunnels are here.
- +/etc/shorewall/shorewall.conf
- +This file is used to set the following firewall parameters:
- +-
-
- /etc/shorewall/modules Configuration
+ ++ /etc/shorewall/modules Configuration
- -The file /etc/shorewall/modules contains commands for loading the kernel - modules required by Shorewall-defined firewall rules. Shorewall - will source this file during start/restart provided that it exists - and that the directory specified by the MODULESDIR parameter exists - (see /etc/shorewall/shorewall.conf above).
+ +The file /etc/shorewall/modules contains commands for loading the kernel + modules required by Shorewall-defined firewall rules. Shorewall + will source this file during start/restart provided that it exists + and that the directory specified by the MODULESDIR parameter exists + (see /etc/shorewall/shorewall.conf above).
- -The file that is released with Shorewall calls the Shorewall function - "loadmodule" for the set of modules that I load.
+ +The file that is released with Shorewall calls the Shorewall function + "loadmodule" for the set of modules that I load.
- +The loadmodule function is called as follows:
- -- - - -- - - +loadmodule - <modulename> - [ <module parameters> ]
-
+ + + ++ + + +loadmodule + <modulename> + [ <module parameters> ]
+
where
- -+ ++- +-<modulename>
- -+ + +- - + +- -+ +is the name of the modules without the trailing ".o" (example - ip_conntrack).
-is the name of the modules without the trailing ".o" (example + ip_conntrack).
+<module parameters>
- - -+ + +-+ + + + ++Optional parameters to the insmod utility.
+Optional parameters to the insmod utility.
-
The function determines if the module named by <modulename> + is already loaded and if not then the function determines + if the ".o" file corresponding to the module exists in the moduledirectory; + if so, then the following command is executed:
- -The function determines if the module named by <modulename> - is already loaded and if not then the function determines - if the ".o" file corresponding to the module exists in the moduledirectory; - if so, then the following command is executed:
+ +- --- - - - -- - - - -insmod moduledirectory/<modulename>.o <module - parameters>
-If the file doesn't exist, the function determines of the ".o.gz" - file corresponding to the module exists in the moduledirectory. -If it does, the function assumes that the running configuration supports -compressed modules and execute the following command:
- - - - -- - - - -- - - - -insmod moduledirectory/<modulename>.o.gz <module - parameters>
-- /etc/shorewall/tos Configuration
+ +insmod moduledirectory/<modulename>.o <module + parameters>
+
The /etc/shorewall/tos file allows you to set the Type of Service field - in packet headers based on packet source, packet destination, - protocol, source port and destination port. In order for this - file to be processed by Shorewall, you must have If the file doesn't exist, the function determines of the ".o.gz" +file corresponding to the module exists in the moduledirectory. If +it does, the function assumes that the running configuration supports compressed + modules and execute the following command:
+ + + + ++ + + + ++ + + + +insmod moduledirectory/<modulename>.o.gz <module + parameters>
+
+ /etc/shorewall/tos Configuration
+ + + + +The /etc/shorewall/tos file allows you to set the Type of Service field + in packet headers based on packet source, packet destination, + protocol, source port and destination port. In order for this + file to be processed by Shorewall, you must have mangle support enabled .
- +Entries in the file have the following columns:
- +-
-
- - -- - - -- - - --Minimize-Delay (16)
-
- Maximize-Throughput (8)
- Maximize-Reliability (4)
- Minimize-Cost (2)
- Normal-Service (0)
The /etc/shorewall/tos file that is included with Shorewall contains - the following entries.
- - - ++ + ++ + + ++ + + ++Minimize-Delay (16)
+
+ Maximize-Throughput (8)
+ Maximize-Reliability (4)
+ Minimize-Cost (2)
+ Normal-Service (0)
The /etc/shorewall/tos file that is included with Shorewall contains + the following entries.
+ + + +++ - -- + -
-- -SOURCE -DEST -PROTOCOL -SOURCE -
- PORT(S)DEST PORT(S) -TOS -- -all -all -tcp -- -ssh -16 -- -all -all -tcp -ssh -- -16 -- -all -all -tcp -- -ftp -16 -- -all -all -tcp -ftp -- -16 -- -all -all -tcp -- -ftp-data -8 -- +all -all -tcp -ftp-data -- -8 -+ +SOURCE +DEST +PROTOCOL +SOURCE +
+ PORT(S)DEST PORT(S) +TOS ++ +all +all +tcp +- +ssh +16 ++ +all +all +tcp +ssh +- +16 ++ +all +all +tcp +- +ftp +16 ++ +all +all +tcp +ftp +- +16 ++ +all +all +tcp +- +ftp-data +8 ++ - - + + - +all +all +tcp +ftp-data +- +8 +
WARNING: Users have reported that odd routing problems result from - adding the ESP and AH protocols to the /etc/shorewall/tos file. -
+ +WARNING: Users have reported that odd routing problems result from + adding the ESP and AH protocols to the /etc/shorewall/tos file. +
- +/etc/shorewall/blacklist
- -Each - line - in - /etc/shorewall/blacklist - contains - - an - IP - address, a MAC address in Shorewall Format - or - subnet - address. - - Example:
+ +Each + line + in + /etc/shorewall/blacklist + contains - + an + IP + address, a MAC address in Shorewall Format + or + subnet + address. + + Example:
+ +130.252.100.69- -
206.124.146.0/24
Packets - from - hosts - listed - in - - the - blacklist - file - will - be + +
Packets
+ from
+ hosts
+ listed
+ in
- disposed
- of
- according
- to
- the
+ the
+ blacklist
+ file
+ will
+ be
-value
- assigned
- to
- the BLACKLIST_DISPOSITION
-
- and BLACKLIST_LOGLEVEL variables
+ disposed
+ of
+ according
+ to
+ the
-in
- /etc/shorewall/shorewall.conf.
- Only
- packets
+ value
+ assigned
+ to
+ the BLACKLIST_DISPOSITION
- arriving
- on
- interfaces
- that
- have
+ and BLACKLIST_LOGLEVEL variables
- the
- 'blacklist'
- option
+ in
+ /etc/shorewall/shorewall.conf.
+ Only
+ packets
- in
- /etc/shorewall/interfaces
- are
- checked
+ arriving
+ on
+ interfaces
+ that
+ have
- against
- the
- blacklist. The black list is designed to prevent
-listed hosts/subnets from accessing services on your
-network.
-
+ +
Beginning with Shorewall 1.3.8, the blacklist file has three columns:
-
-
-
Shorewall also has a dynamic blacklist - capability.
+ +Shorewall also has a dynamic blacklist + capability.
- -IMPORTANT: The Shorewall blacklist file is NOT - designed to police your users' web browsing -- to do that, I suggest - that you install and configure Squid (IMPORTANT: The Shorewall blacklist file is NOT + designed to police your users' web browsing -- to do that, I suggest + that you install and configure Squid (http://www.squid-cache.org).
- + +/etc/shorewall/rfc1918 (Added in Version 1.3.1)
- -This file lists the subnets affected by the norfc1918 - interface option. Columns in the file are:
+ + +This file lists the subnets affected by the norfc1918 + interface option. Columns in the file are:
- + +-
-
/etc/shorewall/routestopped (Added in Version - 1.3.4)
+ + +/etc/shorewall/routestopped (Added in Version + 1.3.4)
- -This file defines the hosts that are accessible from the firewall when - the firewall is stopped. Columns in the file are:
+ + +This file defines the hosts that are accessible from the firewall when + the firewall is stopped. Columns in the file are:
- + +-
-
Example: When your firewall is stopped, you want firewall accessibility - from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ interfaces - through eth1 and your local hosts through eth2.
+ + +Example: When your firewall is stopped, you want firewall accessibility + from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ interfaces + through eth1 and your local hosts through eth2.
- -- + +++ ++- -
-+ +- + -INTERFACE +INTERFACE -HOST(S) +HOST(S) -+ - + -eth2 +eth2 -192.168.1.0/24 +192.168.1.0/24 -+ - + - - + + + +eth1 +eth1 -- +- -
/etc/shorewall/maclist (Added in Version 1.3.10)
- This file is described in the MAC Validation Documentation.-
- -
Updated 1/21/2003 - Tom Eastep -
++ +
Updated 1/31/2003 - Tom Eastep +
- +Copyright © 2001, 2002, 2003 Thomas M. Eastep.
+
+
+
- -
-
+
+
diff --git a/Shorewall-docs/FAQ.htm b/Shorewall-docs/FAQ.htm index 376151c69..e363a0ade 100644 --- a/Shorewall-docs/FAQ.htm +++ b/Shorewall-docs/FAQ.htm @@ -2,1088 +2,1113 @@ - + - + - + - +
| + |
-
+
+
Shorewall FAQs- |
-
1a. Ok -- I followed those instructions
- but it doesn't work.
-
1b. I'm still having problems with - port forwarding
- - - - - -3. I want to use Netmeeting -or MSN Instant Messenger with Shorewall. What do I -do?
- - - -4a. I just ran an nmap UDP scan - of my firewall and it showed 100s of ports as open!!!!
- -5. I've installed Shorewall and now - I can't ping through the firewall
- -6. Where are the log messages - written and how do I change the destination?
+ + + +1a. Ok -- I followed those instructions
+ but it doesn't work.
+
1b. I'm still having problems with + port forwarding
+ + + + + +3. I want to use Netmeeting + or MSN Instant Messenger with Shorewall. What do +I do?
+ + + +4a. I just ran an nmap UDP scan + of my firewall and it showed 100s of ports as open!!!!
+ +5. I've installed Shorewall and now + I can't ping through the firewall
+ +6. Where are the log messages + written and how do I change the destination?
- -6a. Are there any log parsers - that work with Shorewall?
+ +6a. Are there any log parsers + that work with Shorewall?
+6b. DROP messages on port 10619 are flooding the logs with their connect
-requests. Can i exclude these error messages for this port temporarily from
-logging in Shorewall?
-
8. When I try to start Shorewall - on RedHat I get messages about insmod failing -- what's - wrong?
- -9. Why can't Shorewall detect - my interfaces properly?
- -10. What distributions does - it work with?
- -11. What features does it -support?
- + href="#faq6b"> on port 10619 are flooding the logs with their connect + requests. Can i exclude these error messages for this port temporarily from + logging in Shorewall?+ + + + + + +
8. When I try to start Shorewall + on RedHat I get messages about insmod failing -- what's + wrong?
+ +9. Why can't Shorewall detect + my interfaces properly?
+ + +10. What distributions does + it work with?
+ +11. What features does it + support?
+ - +13. Why do you call it "Shorewall"?
- - - - - -15. My local systems can't see - out to the net
- -16. Shorewall is writing log messages
- all over my console making it unusable!
-
-
- 18. Is there any way to use - aliased ip addresses with Shorewall, and maintain separate - rulesets for different IPs?
-
- 19. I have added entries to -/etc/shorewall/tcrules but they don't seem to do anything. -Why?
-
- 20. I have just set up a server. - Do I have to change Shorewall to allow access to my server from -the internet?
-
- 21. I see these strange log entries - occasionally; what are they?
-
- 22. I have some iptables commands that - I want to run when Shorewall starts. Which file do I put them in?
+ + + + + +
15. My local systems can't see + out to the net
+ +16. Shorewall is writing log messages
+ all over my console making it unusable!
+
+
+ 18. Is there any way to +use aliased ip addresses with Shorewall, and maintain separate + rulesets for different IPs?
+
+ 19. I have added entries +to /etc/shorewall/tcrules but they don't seem to do +anything. Why?
+
+ 20. I have just set up a +server. Do I have to change Shorewall to allow access to my server + from the internet?
+
+ 21. I see these strange log +entries occasionally; what are they?
+
+ 22. I have some iptables commands that + I want to run when Shorewall starts. Which file do I put them +in?
+
+ 23. Why do you use such ugly fonts + on your web site?
- 23. Why do you use such ugly fonts on - your web site?
-
- 24: How can I allow conections to let's -say the ssh port only from specific IP Addresses on the internet?
- -
-
1. I want to forward UDP port 7777 to - my my personal PC with IP address 192.168.1.5. I've looked -everywhere and can't find how to do it.
- + 24: How can I allow conections to let's + say the ssh port only from specific IP Addresses on the internet?+ +
+
1. I want to forward UDP port 7777 to + my my personal PC with IP address 192.168.1.5. I've looked + everywhere and can't find how to do it.
+Answer: The first example in the rules file documentation shows how to - do port forwarding under Shorewall. The format of a port-forwarding - rule to a local system is as follows:
- -- + href="Documentation.htm#Rules">rules file documentation shows how to + do port forwarding under Shorewall. The format of a port-forwarding + rule to a local system is as follows: + ++ ++- -- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIG. DEST. -- + +DNAT -net -loc:<local IP address>[:<local - port>] -<protocol> -<port #> --
--
-+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ - - - + + +DNAT +net +loc:<local IP address>[:<local + port>] +<protocol> +<port #> ++
++
+So to forward UDP port 7777 to internal system 192.168.1.5, - the rule is:
- -- ++ +So to forward UDP port 7777 to internal system 192.168.1.5, + the rule is:
+ ++- -- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIG. DEST. -- + +DNAT -net -loc:192.168.1.5 -udp -7777 --
--
-+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ - - - + + +DNAT +net +loc:192.168.1.5 +udp +7777 ++
++
+If - you want to forward requests directed to a particular address ( <external - IP> ) on your firewall to an internal system:- -- ++ +If + you want to forward requests directed to a particular address ( <external + IP> ) on your firewall to an internal system:+ ++- -- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIG. DEST. -- + +DNAT -net -loc:<local IP address>[:<local - port>] -<protocol> -<port #> -- -<external IP> -+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ - - - + + +DNAT +net +loc:<local IP address>[:<local + port>] +<protocol> +<port #> +- +<external IP> +1a. Ok -- I followed those instructions - but it doesn't work
- +
1a. Ok -- I followed those instructions + but it doesn't work
+Answer: That is usually the result of one of two things:
- +-
-
1b. I'm still having problems with port - forwarding
- Answer: To further diagnose this problem:- + +
1b. I'm still having problems with port + forwarding
+ Answer: To further diagnose this problem:+
-
-
-
-
2. I port forward www requests to www.mydomain.com - (IP 130.151.100.69) to system 192.168.1.5 in my local network. - External clients can browse http://www.mydomain.com but internal - clients can't.
- + +2. I port forward www requests to www.mydomain.com + (IP 130.151.100.69) to system 192.168.1.5 in my local network. + External clients can browse http://www.mydomain.com but internal + clients can't.
+Answer: I have two objections to this setup.
- +-
-
If you insist on an IP solution to the accessibility problem - rather than a DNS solution, then assuming that your external - interface is eth0 and your internal interface is eth1 and that - eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do - the following:
- -a) In /etc/shorewall/interfaces, specify "multi" as an option - for eth1 (No longer required as of Shorewall version 1.3.9).
- -If you insist on an IP solution to the accessibility problem + rather than a DNS solution, then assuming that your external + interface is eth0 and your internal interface is eth1 and + that eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, + do the following:
+ +a) In /etc/shorewall/interfaces, specify "multi" as an option + for eth1 (No longer required as of Shorewall version 1.3.9).
+ +b) In /etc/shorewall/rules, add:
-- +
+-- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIG. DEST. -- + +DNAT -loc:192.168.1.0/24 -loc:192.168.1.5 -tcp -www -- -130.151.100.69:192.168.1.254 -+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ - - - + + +DNAT +loc:192.168.1.0/24 +loc:192.168.1.5 +tcp +www +- +130.151.100.69:192.168.1.254 +
That rule only works of course if you have a static external - IP address. If you have a dynamic IP address and are running - Shorewall 1.3.4 or later then include this in /etc/shorewall/params:
-That rule only works of course if you have a static external + IP address. If you have a dynamic IP address and are running + Shorewall 1.3.4 or later then include this in /etc/shorewall/params:
+ETH0_IP=`find_interface_address eth0`-
and make your DNAT rule:
-- +
+-- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE PORT -ORIG. DEST. -- + +DNAT -loc:192.168.1.0/24 -loc:192.168.1.5 -tcp -www -- -$ETH0_IP:192.168.1.254 -+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ - - - + + +DNAT +loc:192.168.1.0/24 +loc:192.168.1.5 +tcp +www +- +$ETH0_IP:192.168.1.254 +
Using this technique, you will want to configure your DHCP/PPPoE - client to automatically restart Shorewall each time that you - get a new IP address.
-2a. I have a zone "Z" with an RFC1918 - subnet and I use static NAT to assign non-RFC1918 addresses - to hosts in Z. Hosts in Z cannot communicate with each other using - their external (non-RFC1918 addresses) so they can't access each - other using their DNS names.
- -Answer: This is another problem that is best solved - using Bind Version 9 "views". It allows both external and internal - clients to access a NATed host using the host's DNS name.
- -Another good way to approach this problem is to switch from - static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 - addresses and can be accessed externally and internally using - the same address.
- -If you don't like those solutions and prefer routing all Z->Z -traffic through your firewall then:
- -a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
- (If you are running a Shorewall version earlier than 1.3.9).
- b) Set the Z->Z policy to ACCEPT.
- c) Masquerade Z to itself.
-
- Example:
Using this technique, you will want to configure your DHCP/PPPoE + client to automatically restart Shorewall each time that + you get a new IP address.
+2a. I have a zone "Z" with an RFC1918 + subnet and I use static NAT to assign non-RFC1918 addresses + to hosts in Z. Hosts in Z cannot communicate with each other +using their external (non-RFC1918 addresses) so they can't access +each other using their DNS names.
+ +Answer: This is another problem that is best solved + using Bind Version 9 "views". It allows both external and + internal clients to access a NATed host using the host's DNS + name.
+ +Another good way to approach this problem is to switch from + static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 + addresses and can be accessed externally and internally using + the same address.
+ +If you don't like those solutions and prefer routing all +Z->Z traffic through your firewall then:
+ +a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
+ (If you are running a Shorewall version earlier than 1.3.9).
+ b) Set the Z->Z policy to ACCEPT.
+ c) Masquerade Z to itself.
+
+ Example:
Zone: dmz
- Interface: eth2
- Subnet: 192.168.2.0/24
+ Subnet: 192.168.2.0/24 +
In /etc/shorewall/interfaces:
- -- + +++- +- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- + +dmz -eth2 -192.168.2.255 -multi -+ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ - - - + + +dmz +eth2 +192.168.2.255 +multi +
In /etc/shorewall/policy:
- -- + ++ ++- -- -
-- -SOURCE -DESTINATION -POLICY -LIMIT:BURST -- + +dmz -dmz -ACCEPT --
-+ +SOURCE +DESTINATION +POLICY +LIMIT:BURST ++ - - - + + +dmz +dmz +ACCEPT ++
+-- +dmz dmz ACCEPT-
In /etc/shorewall/masq:
- -- + ++ ++- -- -
-- -INTERFACE -SUBNET -ADDRESS -- + +eth2 -192.168.2.0/24 --
-+ +INTERFACE +SUBNET +ADDRESS ++ - - - + + +eth2 +192.168.2.0/24 ++
+3. I want to use Netmeeting or MSN Instant -Messenger with Shorewall. What do I do?
- +
3. I want to use Netmeeting or MSN Instant + Messenger with Shorewall. What do I do?
+Answer: There is an H.323 connection - tracking/NAT module that may help with Netmeeting. Look -here for a solution for MSN -IM but be aware that there are significant security risks involved with this -solution. Also check the Netfilter mailing list archives at http://www.netfilter.org. -
- -4. I just used an online port scanner - to check my firewall and it shows some ports as 'closed' - rather than 'blocked'. Why?
- -Answer: The common.def included with version 1.3.x - always rejects connection requests on TCP port 113 rather - than dropping them. This is necessary to prevent outgoing -connection problems to services that use the 'Auth' mechanism -for identifying requesting users. Shorewall also rejects TCP - ports 135, 137 and 139 as well as UDP ports 137-139. These are ports -that are used by Windows (Windows can be configured to use -the DCE cell locator on port 135). Rejecting these connection requests - rather than dropping them cuts down slightly on the amount of Windows - chatter on LAN segments connected to the Firewall.
- -If you are seeing port 80 being 'closed', that's probably - your ISP preventing you from running a web server in violation - of your Service Agreement.
- -4a. I just ran an nmap UDP scan of my - firewall and it showed 100s of ports as open!!!!
- -Answer: Take a deep breath and read the nmap man page - section about UDP scans. If nmap gets nothing back - from your firewall then it reports the port as open. If you - want to see which UDP ports are really open, temporarily change - your net->all policy to REJECT, restart Shorewall and do the - nmap UDP scan again.
- -5. I've installed Shorewall and now I - can't ping through the firewall
- -Answer: If you want your firewall to be totally open - for "ping":
- + href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection + tracking/NAT module that may help with Netmeeting. Look + here for a solution for +MSN IM but be aware that there are significant security risks involved +with this solution. Also check the Netfilter mailing list archives +at http://www.netfilter.org. + + +4. I just used an online port scanner + to check my firewall and it shows some ports as 'closed' + rather than 'blocked'. Why?
+ +Answer: The common.def included with version 1.3.x + always rejects connection requests on TCP port 113 rather + than dropping them. This is necessary to prevent outgoing + connection problems to services that use the 'Auth' mechanism + for identifying requesting users. Shorewall also rejects TCP + ports 135, 137 and 139 as well as UDP ports 137-139. These are +ports that are used by Windows (Windows can be configured + to use the DCE cell locator on port 135). Rejecting these connection +requests rather than dropping them cuts down slightly on the amount +of Windows chatter on LAN segments connected to the Firewall.
+ +If you are seeing port 80 being 'closed', that's probably + your ISP preventing you from running a web server in +violation of your Service Agreement.
+ +4a. I just ran an nmap UDP scan of my + firewall and it showed 100s of ports as open!!!!
+ +Answer: Take a deep breath and read the nmap man page + section about UDP scans. If nmap gets nothing +back from your firewall then it reports the port as open. +If you want to see which UDP ports are really open, temporarily +change your net->all policy to REJECT, restart Shorewall and +do the nmap UDP scan again.
+ +5. I've installed Shorewall and now I + can't ping through the firewall
+ +Answer: If you want your firewall to be totally open + for "ping":
+a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.
- b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef
- c) Add the following to /etc/shorewall/icmpdef:
-
- -- For a complete description of Shorewall 'ping' management, see this page. - -run_iptables -A icmpdef -p ICMP --icmp-type echo-request - -j ACCEPT
-
-
6. Where are the log messages written - and how do I change the destination?
- -Answer: NetFilter uses the kernel's equivalent of syslog -(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility -(see "man openlog") and you get to choose the log level (again, see "man -syslog") in your policies and rules. The destination for messaged -logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). - When you have changed /etc/syslog.conf, be sure to restart syslogd - (on a RedHat system, "service syslog restart").
- -By default, older versions of Shorewall ratelimited log messages - through settings in /etc/shorewall/shorewall.conf - -- If you want to log all messages, set:
- -+ c) Add the following to /etc/shorewall/icmpdef: + + +
+ ++ For a complete description of Shorewall 'ping' management, see + this page. + +run_iptables -A icmpdef -p ICMP --icmp-type echo-request + -j ACCEPT
+
+
6. Where are the log messages written + and how do I change the destination?
+ +Answer: NetFilter uses the kernel's equivalent of +syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern) +facility (see "man openlog") and you get to choose the log level (again, +see "man syslog") in your policies + and rules. The destination for messaged + logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). + When you have changed /etc/syslog.conf, be sure to restart + syslogd (on a RedHat system, "service syslog restart").
+ +By default, older versions of Shorewall ratelimited log messages + through settings in +/etc/shorewall/shorewall.conf -- If you want to log all messages, +set:
+ +LOGLIMIT=""-
LOGBURST=""
Beginning with Shorewall version 1.3.12, you can set up Shorewall to log all of its messages to a separate file.
6a. Are there any log parsers that work - with Shorewall?
- -Answer: Here are several links that may be helpful: -
- -- +
6a. Are there any log parsers that work + with Shorewall?
+ +Answer: Here are several links that may be helpful: +
+ ++- I personnaly use Logwatch. It emails me a report each day from - my various systems with each report summarizing the logged activity on - the corresponding system. - -http://www.shorewall.net/pub/shorewall/parsefw/
-
- http://www.fireparse.com
- http://www.fireparse.com
+ http://cert.uni-stuttgart.de/projects/fwlogwatch
- http://www.logwatch.org
-
6b. DROP messages on port 10619 -are flooding the logs with their connect requests. Can i exclude these -error messages for this port temporarily from logging in Shorewall?
-Temporarily add the following rule:+ http://www.logwatch.org
+ http://gege.org/iptables
+ + + I personnaly use Logwatch. It emails me a report each day +from my various systems with each report summarizing the logged activity + on the corresponding system. + +
6b. DROP messages on port 10619 + are flooding the logs with their connect requests. Can i exclude these + error messages for this port temporarily from logging in Shorewall?
+ Temporarily add the following rule:+
DROP net fw udp 10619-
6c. All day long I get a steady flow -of these DROP messages from port 53 to some high numbered port. They get -dropped, but what the heck are they?
+ +6c. All day long I get a steady flow + of these DROP messages from port 53 to some high numbered port. They get + dropped, but what the heck are they?
+Jan 8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00-Answer: There are two possibilities:
SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00
TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33
+ Answer: There are two possibilities:
+
-
-
-
+ You can distinguish the difference by setting the logunclean option + (/etc/shorewall/interfaces) on + your external interface (eth0 in the above example). If they get logged twice, + they are corrupted. I solve this problem by using an /etc/shorewall/common + file like this:+ The above file is also include in all of my sample configurations available + in the Quick Start Guides.
+ +-The above file is also include in all of my sample configurations available -in the Quick Start Guides.#-
# Include the standard common.def file
#
. /etc/shorewall/common.def
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
-7. When I stop Shorewall using 'shorewall - stop', I can't connect to anything. Why doesn't that command - work?
- -The 'stop' command is intended to place your firewall into - a safe state whereby only those hosts listed in /etc/shorewall/routestopped' - are activated. If you want to totally open up your firewall, - you must use the 'shorewall clear' command.
- -8. When I try to start Shorewall on RedHat, - I get messages about insmod failing -- what's wrong?
- -Answer: The output you will see looks something like - this:
- +
+ +
7. When I stop Shorewall using 'shorewall + stop', I can't connect to anything. Why doesn't that command + work?
+ +The 'stop' command is intended to place your firewall into + a safe state whereby only those hosts listed in /etc/shorewall/routestopped' + are activated. If you want to totally open up your firewall, + you must use the 'shorewall clear' command.
+ +8. When I try to start Shorewall on RedHat, + I get messages about insmod failing -- what's wrong?
+ +Answer: The output you will see looks something like + this:
+/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy- -
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
This is usually cured by the following sequence of commands: -
- -This is usually cured by the following sequence of commands: +
+ +service ipchains stop-
chkconfig --delete ipchains
rmmod ipchains
Also, be sure to check the errata - for problems concerning the version of iptables (v1.2.3) shipped - with RH7.2.
-Also, be sure to check the errata + for problems concerning the version of iptables (v1.2.3) + shipped with RH7.2.
+- -
9. Why can't Shorewall detect my interfaces - properly?
- -I just installed Shorewall and when I issue the start command, - I see the following:
- -9. Why can't Shorewall detect my interfaces + properly?
+ +I just installed Shorewall and when I issue the start command, + I see the following:
+ +Processing /etc/shorewall/shorewall.conf ...-
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
Deleting user chains...
Creating input Chains...
...
Why can't Shorewall detect my interfaces properly?
-Answer: The above output is perfectly normal. The Net - zone is defined as all hosts that are connected through eth0 and the local - zone is defined as all hosts connected through eth1
-Answer: The above output is perfectly normal. The +Net zone is defined as all hosts that are connected through eth0 and the +local zone is defined as all hosts connected through eth1
+10. What Distributions does it work + with?
+ +Shorewall works with any GNU/Linux distribution that includes + the proper prerequisites.
-10. What Distributions does it work - with?
- -Shorewall works with any GNU/Linux distribution that includes - the proper prerequisites.
-11. What Features does it have?
+ +Answer: See the Shorewall + Feature List.
-Answer: See the Shorewall - Feature List.
-12. Why isn't there a GUI?
+ +Answer: Every time I've started to work on one, I +find myself doing other things. I guess I just don't care enough if +Shorewall has a GUI to invest the effort to create one myself. There +are several Shorewall GUI projects underway however and I will publish +links to them when the authors feel that they are ready.
-Answer: Every time I've started to work on one, I find -myself doing other things. I guess I just don't care enough if Shorewall -has a GUI to invest the effort to create one myself. There are several -Shorewall GUI projects underway however and I will publish links to -them when the authors feel that they are ready.
-13. Why do you call it "Shorewall"?
+ +Answer: Shorewall is a concatenation of "Shoreline" + (the city +where I live) and "Firewall". The full name of +the product is actually "Shoreline Firewall" but "Shorewall" is must +more commonly used.
-Answer: Shorewall is a concatenation of "Shoreline" - (the city where - I live) and "Firewall". The full name of the product - is actually "Shoreline Firewall" but "Shorewall" is must more commonly -used.
- -14. I'm connected via a cable modem - and it has an internal web server that allows me to configure/monitor - it but as expected if I enable rfc1918 blocking for my eth0 - interface (the internet one), it also blocks the cable modems -web server.
+14. I'm connected via a cable modem + and it has an internal web server that allows me to configure/monitor + it but as expected if I enable rfc1918 blocking for my eth0 + interface (the internet one), it also blocks the cable modems + web server.
+ +Is there any way it can add a rule before the rfc1918 blocking + that will let all traffic to and from the 192.168.100.1 +address of the modem in/out but still block all other rfc1918 +addresses?
+ +Answer: If you are running a version of Shorewall +earlier than 1.3.1, create /etc/shorewall/start and in it, place the +following:
-Is there any way it can add a rule before the rfc1918 blocking - that will let all traffic to and from the 192.168.100.1 address - of the modem in/out but still block all other rfc1918 addresses?
- -Answer: If you are running a version of Shorewall earlier -than 1.3.1, create /etc/shorewall/start and in it, place the following:
- -run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT-
If you are running version 1.3.1 or later, simply add the - following to /etc/shorewall/rfc1918:
-- +
If you are running version 1.3.1 or later, simply add the + following to /etc/shorewall/rfc1918:
+++- -
+- +SUBNET -TARGET ++ +SUBNET +TARGET ++ + + + + + +192.168.100.1 +RETURN +
Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
+
Note: If you add a second IP address to your external firewall
+ interface to correspond to the modem address, you must also
+ make an entry in /etc/shorewall/rfc1918 for that address. For
+ example, if you configure the address 192.168.100.2 on your firewall,
+ then you would add two entries to /etc/shorewall/rfc1918:
+
+ +-+ +
-+ SUBNET +
+TARGET
+- +192.168.100.1 -RETURN +192.168.100.1 +
+RETURN +
++ - - + +192.168.100.2 +
+RETURN
+
Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
-
Note: If you add a second IP address to your external firewall
- interface to correspond to the modem address, you must also
-make an entry in /etc/shorewall/rfc1918 for that address. For example,
- if you configure the address 192.168.100.2 on your firewall, then
- you would add two entries to /etc/shorewall/rfc1918:
-
- --- -
-- -SUBNET -
-TARGET -
-- -192.168.100.1 -
-RETURN -
-- - - - - - -192.168.100.2 -
-RETURN -
-
14a. Even though it assigns public IP - addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC -1918 filtering on my external interface, my DHCP client cannot renew its -lease.
-The solution is the same as FAQ 14 above. Simply substitute - the IP address of your ISPs DHCP server.
-15. My local systems can't see out to - the net
- -Answer: Every time I read "systems can't see out to - the net", I wonder where the poster bought computers with -eyes and what those computers will "see" when things are working -properly. That aside, the most common causes of this problem are:
- + +14a. Even though it assigns public +IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable +RFC 1918 filtering on my external interface, my DHCP client cannot renew +its lease.
+The solution is the same as FAQ 14 above. Simply substitute + the IP address of your ISPs DHCP server.
+15. My local systems can't see out to + the net
+ +Answer: Every time I read "systems can't see out to + the net", I wonder where the poster bought computers with + eyes and what those computers will "see" when things are working + properly. That aside, the most common causes of this problem + are:
+-
-
The DNS settings on the local systems are wrong or the + user is running a DNS server on the firewall and hasn't + enabled UDP and TCP port 53 from the firewall to the internet.
+ +16. Shorewall is writing log messages - all over my console making it unusable!
- -Answer: "man dmesg" -- add a suitable 'dmesg' command
- to your startup scripts or place it in /etc/shorewall/start.
- Under RedHat, the max log level that is sent to the console
- is specified in /etc/sysconfig/init in the LOGLEVEL variable.
-
17. How do I find out why this traffic is getting - logged?
- Answer: Logging occurs out of a number -of chains (as indicated in the log message) in Shorewall:- + +
16. Shorewall is writing log messages + all over my console making it unusable!
+ +Answer: "man dmesg" -- add a suitable 'dmesg' command
+ to your startup scripts or place it in /etc/shorewall/start.
+ Under RedHat, the max log level that is sent to the console
+ is specified in /etc/sysconfig/init in the LOGLEVEL variable.
+
17. How do I find out why this traffic is getting + logged?
+ Answer: Logging occurs out of a number + of chains (as indicated in the log message) in Shorewall:+
-
-
18. Is there any way to use aliased ip addresses - with Shorewall, and maintain separate rulesets for different IPs?
- Answer: Yes. You simply use the IP address -in your rules (or if you use NAT, use the local IP address in your -rules). Note: The ":n" notation (e.g., eth0:0) is deprecated -and will disappear eventually. Neither iproute (ip and tc) nor iptables -supports that notation so neither does Shorewall.-
- Example 1:
-
- /etc/shorewall/rules + +
18. Is there any way to use aliased ip addresses + with Shorewall, and maintain separate rulesets for different +IPs?
+ Answer: Yes. You simply use the IP address + in your rules (or if you use NAT, use the local IP address in your + rules). Note: The ":n" notation (e.g., eth0:0) is deprecated + and will disappear eventually. Neither iproute (ip and tc) nor + iptables supports that notation so neither does Shorewall.+
+ Example 1:
+
+ /etc/shorewall/rules
# Accept AUTH but only on address 192.0.2.125- Example 2 -(NAT):
ACCEPT net fw:192.0.2.125 tcp auth
-
- /etc/shorewall/nat
- + Example + 2 (NAT):
+
+ /etc/shorewall/nat
+
192.0.2.126 eth0 10.1.1.126- /etc/shorewall/rules + /etc/shorewall/rules
# Accept HTTP on 192.0.2.126 (a.k.a. 10.1.1.126)- Example 3 (DNAT):
ACCEPT net loc:10.1.1.126 tcp www
- + Example 3 (DNAT):
+
# Forward SMTP on external address 192.0.2.127 to local system 10.1.1.127+ +
DNAT net loc:10.1.1.127 tcp smtp - 192.0.2.127
19. I have added entries to /etc/shorewall/tcrules + but they don't seem to do anything. Why?
+ You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf + so the contents of the tcrules file are simply being ignored.+ +
20. I have just set up a server. Do I have
+ to change Shorewall to allow access to my server from the internet?
+
+ Yes. Consult the QuickStart guide that you
+used during your initial setup for information about how to set up
+rules for your server.-
19. I have added entries to /etc/shorewall/tcrules - but they don't seem to do anything. Why?
- You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf - so the contents of the tcrules file are simply being ignored.- -
20. I have just set up a server. Do I have
- to change Shorewall to allow access to my server from the internet?
-
- Yes. Consult the QuickStart guide that
-you used during your initial setup for information about how to set
- up rules for your server.- -
21. I see these strange log entries occasionally;
- what are they?
-
-
-++ 192.0.2.3 is external on my firewall... 172.16.0.0/24 +is my internal LAN21. I see these strange log entries occasionally; + what are they?
+ +
+- 192.0.2.3 is external on my firewall... 172.16.0.0/24 is -my internal LANNov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00-
SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3
[SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]
-
- Answer: While most people associate the Internet Control - Message Protocol (ICMP) with 'ping', ICMP is a key piece of the internet. - ICMP is used to report problems back to the sender of a packet; this - is what is happening here. Unfortunately, where NAT is involved (including - SNAT, DNAT and Masquerade), there are a lot of broken implementations. - That is what you are seeing with these messages.
-
- Here is my interpretation of what is happening -- to confirm - this analysis, one would have to have packet sniffers placed a both -ends of the connection.
-
- Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a -UDP DNS query to 192.0.2.3 and your DNS server tried to send a response - (the response information is in the brackets -- note source port 53 which - marks this as a DNS reply). When the response was returned to to 206.124.146.179, - it rewrote the destination IP TO 172.16.1.10 and forwarded the packet -to 172.16.1.10 who no longer had a connection on UDP port 2857. This causes - a port unreachable (type 3, code 3) to be generated back to 192.0.2.3. - As this packet is sent back through 206.124.146.179, that box correctly - changes the source address in the packet to 206.124.146.179 but doesn't - reset the DST IP in the original DNS response similarly. When the ICMP - reaches your firewall (192.0.2.3), your firewall has no record of having - sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be related - to anything that was sent. The final result is that the packet gets logged - and dropped in the all2all chain. I have also seen cases where the source - IP in the ICMP itself isn't set back to the external IP of the remote NAT - gateway; that causes your firewall to log and drop the packet out of the - rfc1918 chain because the source IP is reserved by RFC 1918.
- -22. I have some iptables commands that - I want to run when Shorewall starts. Which file do I put them +
+
+ Answer: While most people associate the Internet + Control Message Protocol (ICMP) with 'ping', ICMP is a key piece +of the internet. ICMP is used to report problems back to the sender +of a packet; this is what is happening here. Unfortunately, where NAT +is involved (including SNAT, DNAT and Masquerade), there are a lot +of broken implementations. That is what you are seeing with these messages.
+
+ Here is my interpretation of what is happening -- to confirm + this analysis, one would have to have packet sniffers placed a both + ends of the connection.
+
+ Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent + a UDP DNS query to 192.0.2.3 and your DNS server tried to send a +response (the response information is in the brackets -- note source +port 53 which marks this as a DNS reply). When the response was returned +to to 206.124.146.179, it rewrote the destination IP TO 172.16.1.10 +and forwarded the packet to 172.16.1.10 who no longer had a connection +on UDP port 2857. This causes a port unreachable (type 3, code 3) to +be generated back to 192.0.2.3. As this packet is sent back through 206.124.146.179, + that box correctly changes the source address in the packet to 206.124.146.179 + but doesn't reset the DST IP in the original DNS response similarly. + When the ICMP reaches your firewall (192.0.2.3), your firewall has +no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't + appear to be related to anything that was sent. The final result is +that the packet gets logged and dropped in the all2all chain. I have also +seen cases where the source IP in the ICMP itself isn't set back to the +external IP of the remote NAT gateway; that causes your firewall to log +and drop the packet out of the rfc1918 chain because the source IP is +reserved by RFC 1918.
+ +
22. I have some iptables commands that + I want to run when Shorewall starts. Which file do I put them in?
- You can place these commands in one of the Shorewall Extension Scripts. -Be sure that you look at the contents of the chain(s) that you will be modifying - with your commands to be sure that the commands will do what they are -intended. Many iptables commands published in HOWTOs and other instructional -material use the -A command which adds the rules to the end of the chain. -Most chains that Shorewall constructs end with an unconditional DROP, -ACCEPT or REJECT rule and any rules that you add after that will be ignored. + You can place these commands in one of the Shorewall Extension Scripts. Be +sure that you look at the contents of the chain(s) that you will be modifying + with your commands to be sure that the commands will do what they are + intended. Many iptables commands published in HOWTOs and other instructional + material use the -A command which adds the rules to the end of the chain. + Most chains that Shorewall constructs end with an unconditional DROP, +ACCEPT or REJECT rule and any rules that you add after that will be ignored. Check "man iptables" and look at the -I (--insert) command.+ +
23. Why do you use such ugly fonts on your + web site?
+ The Shorewall web site is almost font neutral (it doesn't explicitly + specify fonts except on a few pages) so the fonts you see are largely the + default fonts configured in your browser. If you don't like them then reconfigure + your browser.+ +
24. How can I allow conections to let's say + the ssh port only from specific IP Addresses on the internet?
+ In the SOURCE column of the rule, follow "net" by a colon and a list + of the host/subnet addresses as a comma-separated list.-
23. Why do you use such ugly fonts on your - web site?
- The Shorewall web site is almost font neutral (it doesn't explicitly - specify fonts except on a few pages) so the fonts you see are largely the - default fonts configured in your browser. If you don't like them then reconfigure - your browser.- -
24. How can I allow conections to let's say - the ssh port only from specific IP Addresses on the internet?
- In the SOURCE column of the rule, follow "net" by a colon and a list of - the host/subnet addresses as a comma-separated list.-
net:<ip1>,<ip2>,...- Example:
- + Example:
+
ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp 22- +
Copyright
-© 2001, 2002, 2003 Thomas M. Eastep.
-
Copyright ©
+2001, 2002, 2003 Thomas M. Eastep.
+
+
+
diff --git a/Shorewall-docs/Install.htm b/Shorewall-docs/Install.htm index 1c3c4f4bf..9438668ed 100644 --- a/Shorewall-docs/Install.htm +++ b/Shorewall-docs/Install.htm @@ -1,207 +1,221 @@ - +
- Shorewall Installation and -Upgrade- |
-
+ Shorewall Installation and + Upgrade+ |
+
Before upgrading, be sure to review the Upgrade Issues
- +Install using RPM
- Install using tarball
- Upgrade using RPM
- Upgrade using tarball
- Configuring Shorewall
- Uninstall/Fallback
+Install the .lrp
+ Upgrade using RPM
+ Upgrade using tarball
+Upgrade the .lrp
+ Configuring Shorewall
+ Uninstall/Fallback +
To install Shorewall using the RPM:
- -If you have RedHat 7.2 and are running iptables version 1.2.3 (at a -shell prompt, type "/sbin/iptables --version"), you must upgrade to version -1.2.4 either from the RedHat update - site or from the Shorewall Errata page before - attempting to start Shorewall.
- + +If you have RedHat 7.2 and are running iptables version 1.2.3 (at a + shell prompt, type "/sbin/iptables --version"), you must upgrade to version + 1.2.4 either from the RedHat update + site or from the Shorewall Errata page before + attempting to start Shorewall.
+-
-
To install Shorewall using the tarball -and install script:
- + +To install Shorewall using the tarball + and install script:
+-
-
If you already have the Shorewall RPM installed -and are upgrading to a new version:
- -If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and -you have entries in the /etc/shorewall/hosts file then please check your - /etc/shorewall/interfaces file to be sure that it contains an entry for -each interface mentioned in the hosts file. Also, there are certain 1.2 -rule forms that are no longer supported under 1.3 (you must use the new -1.3 syntax). See the upgrade issues for details. -You can check your rules and host file for 1.3 compatibility using the "shorewall -check" command after installing the latest version of 1.3.
- --
-
If you already have Shorewall installed and -are upgrading to a new version using the tarball:
- -If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and -you have entries in the /etc/shorewall/hosts file then please check your - /etc/shorewall/interfaces file to be sure that it contains an entry for -each interface mentioned in the hosts file. Also, there are certain 1.2 -rule forms that are no longer supported under 1.3 (you must use the new -1.3 syntax). See the upgrade issues for -details. You can check your rules and host file for 1.3 compatibility using + +
To install my version of Shorewall on a fresh Bering +disk, simply replace the "shorwall.lrp" file on the image with the file that +you downloaded. See the two-interface QuickStart +Guide for information about further steps required.
+If you already have the Shorewall RPM installed + and are upgrading to a new version:
+ +If you are upgrading from a 1.2 version of Shorewall to a 1.3 version +and you have entries in the /etc/shorewall/hosts file then please check +your /etc/shorewall/interfaces file to be sure that it contains an entry +for each interface mentioned in the hosts file. Also, there are certain +1.2 rule forms that are no longer supported under 1.3 (you must use the +new 1.3 syntax). See the upgrade issues for +details. You can check your rules and host file for 1.3 compatibility using the "shorewall check" command after installing the latest version of 1.3.
- +-
-
Configuring Shorewall
- -You will need to edit some or all of these configuration files to match -your setup. In most cases, the Shorewall - QuickStart Guides contain all of the information you need.
- + +If you already have Shorewall installed +and are upgrading to a new version using the tarball:
+ +If you are upgrading from a 1.2 version of Shorewall to a 1.3 version +and you have entries in the /etc/shorewall/hosts file then please check +your /etc/shorewall/interfaces file to be sure that it contains an entry +for each interface mentioned in the hosts file. Also, there are certain +1.2 rule forms that are no longer supported under 1.3 (you must use the +new 1.3 syntax). See the upgrade issues +for details. You can check your rules and host file for 1.3 compatibility +using the "shorewall check" command after installing the latest version +of 1.3.
+-
-
Updated 10/28/2002 - Tom Eastep -
- -Copyright - © 2001, 2002 Thomas M. Eastep.
-+ If you already have a running Bering installation +and wish to upgrade to a later version of Shorewall:
+
+ UNDER CONSTRUCTION...
+
Configuring Shorewall
+ +You will need to edit some or all of these configuration files to match + your setup. In most cases, the Shorewall QuickStart Guides +contain all of the information you need.
+ +-
+
Updated 1/30/2003 - Tom Eastep +
+ +Copyright © 2001, 2002, 2003 Thomas M. Eastep.
++
diff --git a/Shorewall-docs/News.htm b/Shorewall-docs/News.htm index 244081bd0..ade35d905 100644 --- a/Shorewall-docs/News.htm +++ b/Shorewall-docs/News.htm @@ -2,2019 +2,2260 @@ - + +
| + |
-
+
Shorewall News Archive- |
-
1/18/2002 - Shorewall 1.3.13 Documentation in PDF Format
- -Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation. - the PDF may be downloaded from
- 1/28/2003 - Shorewall 1.3.14-Beta2 + +Includes the Beta 1 content plus restores VLAN device names of the form +$dev.$vid (e.g., eth0.1)
+ +1/25/2003 - Shorewall 1.3.14-Beta1
+
The Beta includes the following changes:
+
-
+
1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format
+ +Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation. + the PDF may be downloaded from
+ ftp://slovakia.shorewall.net/mirror/shorewall/pdf/- http://slovakia.shorewall.net/pub/shorewall/pdf/ + http://slovakia.shorewall.net/pub/shorewall/pdf/ +
1/17/2003 - shorewall.net has MOVED
- +Thanks to the generosity of Alex Martin and Rett Consulting, www.shorewall.net and
-ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A
-big thanks to Alex for making this happen.
-
+ +
1/13/2003 - Shorewall 1.3.13
-
Just includes a few things that I had on the burner:
-
-
-
1/6/2003 - BURNOUT -
- -Until further notice, I will not be involved in either Shorewall Development - or Shorewall Support
- --Tom Eastep
-
12/30/2002 - Shorewall Documentation in PDF Format
- -Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation. - the PDF may be downloaded from
- - ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
12/27/2002 - Shorewall 1.3.12 Released
- - Features include:
-
-
-
12/20/2002 - Shorewall 1.3.12 Beta 3
-
- -
12/20/2002 - Shorewall 1.3.12 Beta 2
- -The first public Beta version of Shorewall 1.3.12 is now available (Beta
- 1 was made available only to a limited audience).
-
- +
1/6/2003 - BURNOUT +
+ +Until further notice, I will not be involved in either Shorewall Development + or Shorewall Support
+ +-Tom Eastep
+
12/30/2002 - Shorewall Documentation in PDF Format
+ +Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation. + the PDF may be downloaded from
+ + ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
+ http://slovakia.shorewall.net/pub/shorewall/pdf/
+
12/27/2002 - Shorewall 1.3.12 Released
+ + Features include:
+
-
-
- + +
12/20/2002 - Shorewall 1.3.12 Beta 3
+
+ +
12/20/2002 - Shorewall 1.3.12 Beta 2
+ +The first public Beta version of Shorewall 1.3.12 is now available (Beta
+ 1 was made available only to a limited audience).
+
+ +
-
+
+
http://www.shorewall.net/pub/shorewall/Beta- + +
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
12/12/2002 - Mandrake Multi Network Firewall 
-
- + + Shorewall is at the center of MandrakeSoft's recently-announced + Multi + Network Firewall (MNF) product. Here is the press + release.
+
12/7/2002 - Shorewall Support for Mandrake 9.0
- -Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered. - I have installed 9.0 on one of my systems and I am now in a position - to support Shorewall users who run Mandrake 9.0.
- + +Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered. + I have installed 9.0 on one of my systems and I am now in a position + to support Shorewall users who run Mandrake 9.0.
+12/6/2002 - Debian 1.3.11a Packages Available
-
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +12/3/2002 - Shorewall 1.3.11a
- -This is a bug-fix roll up which includes Roger Aich's fix for DNAT with - excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users -who don't need rules of this type need not upgrade to 1.3.11.
- + +This is a bug-fix roll up which includes Roger Aich's fix for DNAT with + excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users + who don't need rules of this type need not upgrade to 1.3.11.
+11/24/2002 - Shorewall 1.3.11
- +In this version:
- +-
-
11/14/2002 - Shorewall Documentation in PDF Format
- -Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation. - the PDF may be downloaded from
- + +Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation. + the PDF may be downloaded from
+ ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-
11/09/2002 - Shorewall is Back at SourceForge -
- + + +11/09/2002 - Shorewall is Back at SourceForge +
+ +The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
-
11/09/2002 - Shorewall 1.3.10
- +In this version:
- +-
-
10/24/2002 - Shorewall is now in Gentoo Linux
-
- + + Alexandru Hartmann reports that his Shorewall package + is now a part of the Gentoo Linux + distribution. Thanks Alex!
+
10/23/2002 - Shorewall 1.3.10 Beta 1
- In this version:+ In this version:
+ +
-
+
+ + + +
10/10/2002 - Debian 1.3.9b Packages Available
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
+ +10/9/2002 - Shorewall 1.3.9b
+ This release rolls up fixes to the installer and + to the firewall script.+ +
10/6/2002 - Shorewall.net now running on RH8.0
+
+ The firewall and server here at shorewall.net
+ are now running RedHat release 8.0.
+
+ 9/30/2002 - Shorewall 1.3.9a
+ +
9/30/2002 - TUNNELS Broken in 1.3.9!!!
+ There is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall + -- copy that file to /usr/lib/shorewall/firewall.+ +
9/28/2002 - Shorewall 1.3.9
+ +In this version:
+
-
-
- - - -
10/10/2002 - Debian 1.3.9b Packages Available
-
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
- -10/9/2002 - Shorewall 1.3.9b
- This release rolls up fixes to the installer and -to the firewall script.- -
10/6/2002 - Shorewall.net now running on RH8.0
-
- The firewall and server here at shorewall.net are
- now running RedHat release 8.0.
-
- 9/30/2002 - Shorewall 1.3.9a
- -
9/30/2002 - TUNNELS Broken in 1.3.9!!!
- There is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - -- copy that file to /usr/lib/shorewall/firewall.- -
9/28/2002 - Shorewall 1.3.9
- -In this version:
-
-
-
9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
- Restored
-
9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
+ Restored+ +
- A couple of recent configuration changes
- at www.shorewall.net broke the Search facility:+ A couple of recent configuration changes + at www.shorewall.net broke the Search facility:
- -
- + ++- Hopefully these problems are now corrected. - --
-9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability - Restored
- A couple of recent configuration changes -at www.shorewall.net had the negative effect of breaking the -Search facility:
-
- --
- Hopefully these problems are now corrected.
- -9/18/2002 - Debian 1.3.8 Packages Available
- -
-Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
- -9/16/2002 - Shorewall 1.3.8
- -In this version:
- -
--
-
+
9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability
+ Restored
+
+
-
+
- Mailing List Archive Search was +not available. +
- The Site Search index was incomplete +
- Only one page of matches was presented. + +
+ +
9/18/2002 - Debian 1.3.8 Packages Available
+
Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
+ +9/16/2002 - Shorewall 1.3.8
+ + +In this version:
+
-
+
- A NEWNOTSYN option has been + added to shorewall.conf. This option determines whether Shorewall + accepts TCP packets which are not part of an established connection + and that are not 'SYN' packets (SYN flag on and ACK flag off). +
- The need for the 'multi' option + to communicate between zones za and zb on the same interface + is removed in the case where the chain 'za2zb' and/or 'zb2za' + exists. 'za2zb' will exist if: + + + +
- There is a policy for + za to zb; or +
- There is at least one rule + for za to zb. + + + +
-
+
-
-
- The /etc/shorewall/blacklist file
- now contains three columns. In addition to the SUBNET/ADDRESS
- column, there are optional PROTOCOL and PORT columns to block
- only certain applications from the blacklisted addresses.
-
-
+ - The /etc/shorewall/blacklist
+file now contains three columns. In addition to the SUBNET/ADDRESS
+ column, there are optional PROTOCOL and PORT columns to block
+ only certain applications from the blacklisted addresses.
+
+
+
9/11/2002 - Debian 1.3.7c Packages Available
- +Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +9/2/2002 - Shorewall 1.3.7c
- -This is a role up of a fix for "DNAT" rules where the source zone is $FW - (fw).
+ +This is a role up of a fix for "DNAT" rules where the source zone is $FW + (fw).
- +8/31/2002 - I'm not available
- -I'm currently on vacation -- please respect my need for a couple of - weeks free of Shorewall problem reports.
+ +I'm currently on vacation -- please respect my need for a couple of +weeks free of Shorewall problem reports.
- +-Tom
- +8/26/2002 - Shorewall 1.3.7b
- -This is a role up of the "shorewall refresh" bug fix and the change which - reverses the order of "dhcp" and "norfc1918" checking.
+ +This is a role up of the "shorewall refresh" bug fix and the change which + reverses the order of "dhcp" and "norfc1918" checking.
- +8/26/2002 - French FTP Mirror is Operational
- +ftp://france.shorewall.net/pub/mirrors/shorewall - is now available.
+ href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall + is now available. - +8/25/2002 - Shorewall Mirror in France
- -Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored - at Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored + at http://france.shorewall.net.
- +8/25/2002 - Shorewall 1.3.7a Debian Packages Available
- -Lorenzo Martignoni reports that the packages for version 1.3.7a are available - at Lorenzo Martignoni reports that the packages for version 1.3.7a are available + at http://security.dsi.unimi.it/~lorenzo/debian.html.
- -8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
- -- Shorewall 1.3.7a released8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author
+ -- Shorewall 1.3.7a released
-
1.3.7a corrects problems occurring in rules file processing when starting - Shorewall 1.3.7.
+ +1.3.7a corrects problems occurring in rules file processing when starting + Shorewall 1.3.7.
- +8/22/2002 - Shorewall 1.3.7 Released 8/13/2002
- +Features in this release include:
- +-
-
- The 'icmp.def' file is now empty! - The rules in that file were required in ipchains firewalls - but are not required in Shorewall. Users who have ALLOWRELATED=No - in shorewall.conf should -see the Upgrade Issues. -
- A 'FORWARDPING' option has been - added to shorewall.conf. - The effect of setting this variable to Yes is the same as - the effect of adding an ACCEPT rule for ICMP echo-request - in /etc/shorewall/icmpdef. - Users who have such a rule in icmpdef are encouraged +
- The 'icmp.def' file is now +empty! The rules in that file were required in ipchains +firewalls but are not required in Shorewall. Users who have + ALLOWRELATED=No in shorewall.conf + should see the Upgrade Issues. +
- A 'FORWARDPING' option has +been added to shorewall.conf. + The effect of setting this variable to Yes is the same as + the effect of adding an ACCEPT rule for ICMP echo-request + in /etc/shorewall/icmpdef. + Users who have such a rule in icmpdef are encouraged to switch to FORWARDPING=Yes. -
- The loopback CLASS A Network (127.0.0.0/8) - has been added to the rfc1918 file. -
- Shorewall now works with iptables - 1.2.7 -
- The documentation and web site -no longer uses FrontPage themes. - +
- The loopback CLASS A Network + (127.0.0.0/8) has been added to the rfc1918 file. +
- Shorewall now works with iptables + 1.2.7 +
- The documentation and web site + no longer uses FrontPage themes. + +
I would like to thank John Distler for his valuable input regarding TCP - SYN and ICMP treatment in Shorewall. That input has led - to marked improvement in Shorewall in the last two releases.
+ +I would like to thank John Distler for his valuable input regarding TCP + SYN and ICMP treatment in Shorewall. That input has +led to marked improvement in Shorewall in the last two +releases.
- +8/13/2002 - Documentation in the CVS Repository
- -The Shorewall-docs project now contains just the HTML and image files - -the Frontpage files have been removed.
+ +The Shorewall-docs project now contains just the HTML and image files +- the Frontpage files have been removed.
- +8/7/2002 - STABLE branch added to CVS Repository
- -This branch will only be updated after I release a new version of Shorewall - so you can always update from this branch to get the latest - stable tree.
+ +This branch will only be updated after I release a new version of Shorewall + so you can always update from this branch to get the +latest stable tree.
- -8/7/2002 - Upgrade Issues section added - to the Errata Page
+ +8/7/2002 - Upgrade Issues section +added to the Errata Page
- -Now there is one place to go to look for issues involved with upgrading - to recent versions of Shorewall.
+ +Now there is one place to go to look for issues involved with upgrading + to recent versions of Shorewall.
- +8/7/2002 - Shorewall 1.3.6
- +This is primarily a bug-fix rollup with a couple of new features:
- +-
-
- The latest QuickStart Guides - including the Shorewall Setup -Guide. -
- Shorewall will now DROP TCP packets - that are not part of or related to an existing connection - and that are not SYN packets. These "New not SYN" packets - may be optionally logged by setting the LOGNEWNOTSYN option - in /etc/shorewall/shorewall.conf. -
- The processing of "New not SYN" - packets may be extended by commands in the new newnotsyn extension script. - +
- The latest QuickStart Guides + including the Shorewall Setup + Guide. +
- Shorewall will now DROP TCP +packets that are not part of or related to an existing connection + and that are not SYN packets. These "New not SYN" packets + may be optionally logged by setting the LOGNEWNOTSYN option + in /etc/shorewall/shorewall.conf. +
- The processing of "New not +SYN" packets may be extended by commands in the new + newnotsyn extension script. + +
7/30/2002 - Shorewall 1.3.5b Released
- +This interim release:
- +-
-
- Causes the firewall script to -remove the lock file if it is killed. -
- Once again allows lists in the -second column of the /etc/shorewall/hosts - file. -
- Includes the latest Causes the firewall script +to remove the lock file if it is killed. +
- Once again allows lists in +the second column of the /etc/shorewall/hosts file. +
- Includes the latest QuickStart Guides. - + +
7/29/2002 - New Shorewall Setup Guide Available
- +The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm. - The guide is intended for use by people who are setting - up Shorewall to manage multiple public IP addresses and by - people who want to learn more about Shorewall than is described - in the single-address guides. Feedback on the new guide is welcome.
+ href="http://www.shorewall.net/shorewall_setup_guide.htm"> http://www.shorewall.net/shorewall_setup_guide.htm. + The guide is intended for use by people who are setting + up Shorewall to manage multiple public IP addresses and +by people who want to learn more about Shorewall than is described + in the single-address guides. Feedback on the new guide is +welcome. - +7/28/2002 - Shorewall 1.3.5 Debian Package Available
- -Lorenzo Martignoni reports that the packages are version 1.3.5a and are - available at Lorenzo Martignoni reports that the packages are version 1.3.5a and are + available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +7/27/2002 - Shorewall 1.3.5a Released
- +This interim release restores correct handling of REDIRECT rules.
- +7/26/2002 - Shorewall 1.3.5 Released
- -This will be the last Shorewall release for a while. I'm going to be - focusing on rewriting a lot of the documentation.
+ +This will be the last Shorewall release for a while. I'm going to be +focusing on rewriting a lot of the documentation.
- +In this version:
- +-
-
- Empty and invalid source and destination - qualifiers are now detected in the rules file. It is a - good idea to use the 'shorewall check' command before you - issue a 'shorewall restart' command be be sure that you don't - have any configuration problems that will prevent a successful -restart. -
- Added MERGE_HOSTS variable - in shorewall.conf to provide - saner behavior of the /etc/shorewall/hosts file. -
- The time that the counters were - last reset is now displayed in the heading of the 'status' - and 'show' commands. -
- A proxyarp option has been - added for entries in /etc/shorewall/interfaces. - This option facilitates Proxy ARP sub-netting as described in - the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). - Specifying the proxyarp option for an interface causes - Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp. -
- The Samples have been updated -to reflect the new capabilities in this release. - +
- Empty and invalid source and + destination qualifiers are now detected in the rules + file. It is a good idea to use the 'shorewall check' command + before you issue a 'shorewall restart' command be be sure +that you don't have any configuration problems that will prevent + a successful restart. +
- Added MERGE_HOSTS variable + in shorewall.conf to provide + saner behavior of the /etc/shorewall/hosts file. +
- The time that the counters +were last reset is now displayed in the heading of the +'status' and 'show' commands. +
- A proxyarp option has + been added for entries in /etc/shorewall/interfaces. + This option facilitates Proxy ARP sub-netting as described in + the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). + Specifying the proxyarp option for an interface causes + Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp. +
- The Samples have been updated + to reflect the new capabilities in this release. + +
7/16/2002 - New Mirror in Argentina
- -Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in - Argentina. Thanks Buanzo!!!
+ +Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in + Argentina. Thanks Buanzo!!!
- +7/16/2002 - Shorewall 1.3.4 Released
- +In this version:
- +-
-
- A new /etc/shorewall/routestopped - file has been added. This file is intended to eventually - replace the routestopped option in the /etc/shorewall/interface - and /etc/shorewall/hosts files. This new file makes remote - firewall administration easier by allowing any IP or subnet to - be enabled while Shorewall is stopped. -
- An /etc/shorewall/stopped extension script has been added. - This script is invoked after Shorewall has stopped. -
- A DETECT_DNAT_ADDRS option - has been added to /etc/shoreall/shorewall.conf. - When this option is selected, DNAT rules only apply when - the destination address is the external interface's primary - IP address. -
- The QuickStart Guide has - been broken into three guides and has been almost entirely - rewritten. -
- The Samples have been updated -to reflect the new capabilities in this release. - +
- A new /etc/shorewall/routestopped + file has been added. This file is intended to eventually + replace the routestopped option in the /etc/shorewall/interface + and /etc/shorewall/hosts files. This new file makes remote + firewall administration easier by allowing any IP or subnet to + be enabled while Shorewall is stopped. +
- An /etc/shorewall/stopped extension script has been added. + This script is invoked after Shorewall has stopped. +
- A DETECT_DNAT_ADDRS option + has been added to /etc/shoreall/shorewall.conf. + When this option is selected, DNAT rules only apply + when the destination address is the external interface's + primary IP address. +
- The QuickStart Guide has + been broken into three guides and has been almost entirely + rewritten. +
- The Samples have been updated + to reflect the new capabilities in this release. + +
7/8/2002 - Shorewall 1.3.3 Debian Package Available
- +Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +7/6/2002 - Shorewall 1.3.3 Released
- +In this version:
- +-
-
- Entries in /etc/shorewall/interface - that use the wildcard character ("+") now have the "multi" - option assumed. -
- The 'rfc1918' chain in the mangle - table has been renamed 'man1918' to make log messages - generated from that chain distinguishable from those generated - by the 'rfc1918' chain in the filter table. -
- Interface names appearing in the - hosts file are now validated against the interfaces file. -
- The TARGET column in the rfc1918 - file is now checked for correctness. -
- The chain structure in the nat -table has been changed to reduce the number of rules that -a packet must traverse and to correct problems with NAT_BEFORE_RULES=No -
- The "hits" command has been enhanced. - +
- Entries in /etc/shorewall/interface + that use the wildcard character ("+") now have the "multi" + option assumed. +
- The 'rfc1918' chain in the +mangle table has been renamed 'man1918' to make log +messages generated from that chain distinguishable from those + generated by the 'rfc1918' chain in the filter table. +
- Interface names appearing in + the hosts file are now validated against the interfaces + file. +
- The TARGET column in the rfc1918 + file is now checked for correctness. +
- The chain structure in the +nat table has been changed to reduce the number of rules +that a packet must traverse and to correct problems with + NAT_BEFORE_RULES=No +
- The "hits" command has been +enhanced. + +
6/25/2002 - Samples Updated for 1.3.2
- -The comments in the sample configuration files have been updated to reflect - new features introduced in Shorewall 1.3.2.
+ +The comments in the sample configuration files have been updated to reflect + new features introduced in Shorewall 1.3.2.
- +6/25/2002 - Shorewall 1.3.1 Debian Package Available
- +Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +6/19/2002 - Documentation Available in PDF Format
- -Thanks to Mike Martinez, the Shorewall Documentation is now available for - download in Adobe - PDF format.
+ +Thanks to Mike Martinez, the Shorewall Documentation is now available +for download in Adobe PDF format.
- +6/16/2002 - Shorewall 1.3.2 Released
- +In this version:
- +-
-
- A logwatch command has -been added to /sbin/shorewall. -
- A dynamic blacklist facility - has been added. -
- Support for the Netfilter multiport match function - has been added. -
- The files firewall, functions - and version have been moved from /etc/shorewall - to /var/lib/shorewall. - +
- A logwatch command has been + added to /sbin/shorewall. +
- A dynamic blacklist facility + has been added. +
- Support for the Netfilter multiport match function + has been added. +
- The files firewall, functions + and version have been moved from +/etc/shorewall to /var/lib/shorewall. + +
6/6/2002 - Why CVS Web access is Password Protected
- -Last weekend, I installed the CVS Web package to provide brower-based access - to the Shorewall CVS repository. Since then, I have had several instances -where my server was almost unusable due to the high load generated by website -copying tools like HTTrack and WebStripper. These mindless tools:
+ +Last weekend, I installed the CVS Web package to provide brower-based +access to the Shorewall CVS repository. Since then, I have had several +instances where my server was almost unusable due to the high load generated +by website copying tools like HTTrack and WebStripper. These mindless tools:
- +-
-
- Ignore robot.txt files. -
- Recursively copy everything that - they find. -
- Should be classified as weapons - rather than tools. - +
- Ignore robot.txt files. +
- Recursively copy everything +that they find. +
- Should be classified as weapons + rather than tools. + +
These tools/weapons are particularly damaging when combined with CVS Web - because they doggedly follow every link in the cgi-generated - HTML resulting in 1000s of executions of the cvsweb.cgi script. - Yesterday, I spend several hours implementing measures to -block these tools but unfortunately, these measures resulted -in my server OOM-ing under even moderate load.
- -Until I have the time to understand the cause of the OOM (or until I buy - more RAM if that is what is required), CVS Web access will - remain Password Protected.
+ +These tools/weapons are particularly damaging when combined with CVS Web + because they doggedly follow every link in the cgi-generated + HTML resulting in 1000s of executions of the cvsweb.cgi + script. Yesterday, I spend several hours implementing measures + to block these tools but unfortunately, these measures resulted + in my server OOM-ing under even moderate load.
- + +Until I have the time to understand the cause of the OOM (or until I buy + more RAM if that is what is required), CVS Web access + will remain Password Protected.
+ +6/5/2002 - Shorewall 1.3.1 Debian Package Available
- +Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +6/2/2002 - Samples Corrected
- -The 1.3.0 samples configurations had several serious problems that prevented - DNS and SSH from working properly. These problems have -been corrected in the The 1.3.0 samples configurations had several serious problems that prevented + DNS and SSH from working properly. These problems have + been corrected in the 1.3.1 samples.
- +6/1/2002 - Shorewall 1.3.1 Released
- +Hot on the heels of 1.3.0, this release:
- +-
-
- Corrects a serious problem with - "all <zone> CONTINUE" policies. This - problem is present in all versions of Shorewall that support - the CONTINUE policy. These previous versions optimized away - the "all2<zone>" chain and replaced it with the -"all2all" chain with the usual result that a policy of REJECT was -enforced rather than the intended CONTINUE policy. -
- Adds an /etc/shorewall/rfc1918 - file for defining the exact behavior of theCorrects a serious problem +with "all <zone> CONTINUE" policies. + This problem is present in all versions of Shorewall that + support the CONTINUE policy. These previous versions optimized + away the "all2<zone>" chain and replaced it with +the "all2all" chain with the usual result that a policy of REJECT + was enforced rather than the intended CONTINUE policy. +
- Adds an /etc/shorewall/rfc1918 + file for defining the exact behavior of the 'norfc1918' interface option. - + +
5/29/2002 - Shorewall 1.3.0 Released
- -In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 - includes:
+ +In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 + includes:
- +-
-
- A 'filterping' interface option - that allows ICMP echo-request (ping) requests addressed - to the firewall to be handled by entries in /etc/shorewall/rules - and /etc/shorewall/policy. - +
- A 'filterping' interface option + that allows ICMP echo-request (ping) requests addressed + to the firewall to be handled by entries in /etc/shorewall/rules + and /etc/shorewall/policy. + +
5/23/2002 - Shorewall 1.3 RC1 Available
- -In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) - incorporates the following:
+ +In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) + incorporates the following:
- +-
-
- Support for the /etc/shorewall/whitelist - file has been withdrawn. If you need whitelisting, see - these instructions. - +
- Support for the /etc/shorewall/whitelist + file has been withdrawn. If you need whitelisting, +see these instructions. + +
5/19/2002 - Shorewall 1.3 Beta 2 Available
- -In addition to the changes in Beta 1, this release which carries the - designation 1.2.91 adds:
+ +In addition to the changes in Beta 1, this release which carries the +designation 1.2.91 adds:
- +-
-
- The structure of the firewall -is changed markedly. There is now an INPUT and a FORWARD -chain for each interface; this reduces the number of rules that - a packet must traverse, especially in complicated setups. -
- Sub-zones may now be excluded - from DNAT and REDIRECT rules. -
- The names of the columns in a -number of the configuration files have been changed to -be more consistent and self-explanatory and the documentation -has been updated accordingly. -
- The sample configurations have -been updated for 1.3. - +
- The structure of the firewall + is changed markedly. There is now an INPUT and a FORWARD + chain for each interface; this reduces the number of rules +that a packet must traverse, especially in complicated setups. +
- Sub-zones may now be excluded + from DNAT and REDIRECT rules. +
- The names of the columns in +a number of the configuration files have been changed +to be more consistent and self-explanatory and the documentation + has been updated accordingly. +
- The sample configurations have + been updated for 1.3. + +
5/17/2002 - Shorewall 1.3 Beta 1 Available
- -Beta 1 carries the version designation 1.2.90 and implements the following - features:
+ +Beta 1 carries the version designation 1.2.90 and implements the following + features:
- +-
-
- Simplified rule syntax which makes - the intent of each rule clearer and hopefully makes Shorewall - easier to learn. -
- Upward compatibility with 1.2 -configuration files has been maintained so that current -users can migrate to the new syntax at their convenience. -
- WARNING: - Compatibility with the old parameterized sample configurations - has NOT been maintained. Users still running those configurations - should migrate to the new sample configurations before upgrading - to 1.3 Beta 1. - +
- Simplified rule syntax which + makes the intent of each rule clearer and hopefully +makes Shorewall easier to learn. +
- Upward compatibility with 1.2 + configuration files has been maintained so that current + users can migrate to the new syntax at their convenience. +
- WARNING: + Compatibility with the old parameterized sample configurations + has NOT been maintained. Users still running those configurations + should migrate to the new sample configurations before +upgrading to 1.3 Beta 1. + +
5/4/2002 - Shorewall 1.2.13 is Available
- +In this version:
- +-
-
- White-listing is supported. -
- SYN-flood protection is - added. -
- IP addresses added under ADD_IP_ALIASES and ADD_SNAT_ALIASES - now inherit the VLSM and Broadcast Address of the interface's - primary IP address. -
- The order in which port forwarding - DNAT and Static DNAT can - now be reversed so that port forwarding rules can override - the contents of /etc/shorewall/nat. - - +
- SYN-flood protection is + added. +
- IP addresses added under ADD_IP_ALIASES and ADD_SNAT_ALIASES + now inherit the VLSM and Broadcast Address of the interface's + primary IP address. +
- The order in which port forwarding + DNAT and Static DNAT can now be reversed so that +port forwarding rules can override the contents of /etc/shorewall/nat. + +
4/30/2002 - Shorewall Debian News
- -Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the Debian -Testing Branch and the Debian -Unstable Branch.
+ +Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the +Debian + Testing Branch and the Debian + Unstable Branch.
- +4/20/2002 - Shorewall 1.2.12 is Available
- +-
-
- The 'try' command works again -
- There is now a single RPM that -also works with SuSE. - +
- The 'try' command works again +
- There is now a single RPM that + also works with SuSE. + +
4/17/2002 - Shorewall Debian News
- +Lorenzo Marignoni reports that:
- +-
-
- Shorewall 1.2.10 is in the - Debian - Testing Branch -
- Shorewall 1.2.11 is in the - Debian - Unstable Branch - +
- Shorewall 1.2.10 is in the + Debian + Testing Branch +
- Shorewall 1.2.11 is in the + Debian + Unstable Branch + +
Thanks, Lorenzo!
- +4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE
- -Thanks to Stefan Mohr, there - is now a Shorewall 1.2.11 - SuSE RPM available.
+ +Thanks to Stefan Mohr, there + is now a Shorewall 1.2.11 + SuSE RPM available.
- +4/13/2002 - Shorewall 1.2.11 Available
- +In this version:
- +-
-
- The 'try' command now accepts -an optional timeout. If the timeout is given in the command, - the standard configuration will automatically be restarted - after the new configuration has been running for that length of - time. This prevents a remote admin from being locked out of the - firewall in the case where the new configuration starts but prevents - access. -
- Kernel route filtering may now -be enabled globally using the new ROUTE_FILTER parameter - in /etc/shorewall/shorewall.conf. -
- Individual IP source addresses -and/or subnets may now be excluded from masquerading/SNAT. -
- Simple "Yes/No" and "On/Off" values - are now case-insensitive in /etc/shorewall/shorewall.conf. - +
- The 'try' command now accepts + an optional timeout. If the timeout is given in the command, + the standard configuration will automatically be restarted + after the new configuration has been running for that length + of time. This prevents a remote admin from being locked out +of the firewall in the case where the new configuration starts +but prevents access. +
- Kernel route filtering may +now be enabled globally using the new ROUTE_FILTER +parameter in /etc/shorewall/shorewall.conf. +
- Individual IP source addresses + and/or subnets may now be excluded from masquerading/SNAT. +
- Simple "Yes/No" and "On/Off" + values are now case-insensitive in /etc/shorewall/shorewall.conf. + +
4/13/2002 - Hamburg Mirror now has FTP
- +Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall. - Thanks Stefan!
+ href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall. + Thanks Stefan! - +4/12/2002 - New Mirror in Hamburg
- -Thanks to Stefan Mohr, there - is now a mirror of the Shorewall website at http://germany.shorewall.net. -
+ +Thanks to Stefan Mohr, there + is now a mirror of the Shorewall website at http://germany.shorewall.net. +
- +4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available
- -Version 1.1 of the QuickStart - Guide is now available. Thanks to those who have read - version 1.0 and offered their suggestions. Corrections have - also been made to the sample scripts.
+ +Version 1.1 of the QuickStart + Guide is now available. Thanks to those who have +read version 1.0 and offered their suggestions. Corrections +have also been made to the sample scripts.
- +4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available
- -Version 1.0 of the QuickStart - Guide is now available. This Guide and its accompanying - sample configurations are expected to provide a replacement - for the recently withdrawn parameterized samples.
+ +Version 1.0 of the QuickStart + Guide is now available. This Guide and its accompanying + sample configurations are expected to provide a replacement + for the recently withdrawn parameterized samples.
- +4/8/2002 - Parameterized Samples Withdrawn
- +Although the parameterized - samples have allowed people to get a firewall up and - running quickly, they have unfortunately set the wrong level - of expectation among those who have used them. I am therefore - withdrawing support for the samples and I am recommending that - they not be used in new Shorewall installations.
+ href="http://www.shorewall.net/pub/shorewall/samples-1.2.1/">parameterized + samples have allowed people to get a firewall up +and running quickly, they have unfortunately set the wrong +level of expectation among those who have used them. I am +therefore withdrawing support for the samples and I am recommending + that they not be used in new Shorewall installations. - +4/2/2002 - Updated Log Parser
- -John Lodge has provided an updated - version of his CGI-based - log parser with corrected date handling.
+ +John Lodge has provided an updated + version of his CGI-based + log parser with corrected date handling.
- +3/30/2002 - Shorewall Website Search Improvements
- -The quick search on the home page now excludes the mailing list archives. - The Extended Search allows - excluding the archives or restricting the search to just -the archives. An archive search form is also available on the -mailing list information page.
+ +The quick search on the home page now excludes the mailing list archives. + The Extended Search +allows excluding the archives or restricting the search +to just the archives. An archive search form is also available +on the mailing list information page.
- +3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)
- +-
-
- The 1.2.10 Debian Package is -available at The 1.2.10 Debian Package is + available at http://security.dsi.unimi.it/~lorenzo/debian.html. -
- Shorewall 1.2.9 is now in the - Debian - Unstable Distribution. - +
- Shorewall 1.2.9 is now in the + Debian + Unstable Distribution. + +
3/25/2002 - Log Parser Available
- +John Lodge has provided a CGI-based log parser for Shorewall. Thanks - John.
+ href="pub/shorewall/parsefw/">CGI-based log parser for Shorewall. Thanks + John. - +3/20/2002 - Shorewall 1.2.10 Released
- +In this version:
- +-
-
- A "shorewall try" command has -been added (syntax: shorewall try <configuration - directory>). This command attempts "shorewall -c - <configuration directory> start" and if that results -in the firewall being stopped due to an error, a "shorewall start" - command is executed. The 'try' command allows you to create -a new configuration and attempt - to start it; if there is an error that leaves your firewall -in the stopped state, it will automatically be restarted using - the default configuration (in /etc/shorewall). -
- A new variable ADD_SNAT_ALIASES - has been added to /etc/shorewall/shorewall.conf. - If this variable is set to "Yes", Shorewall will automatically - add IP addresses listed in the third column of the A "shorewall try" command has + been added (syntax: shorewall try <configuration + directory>). This command attempts "shorewall -c + <configuration directory> start" and if that results + in the firewall being stopped due to an error, a "shorewall +start" command is executed. The 'try' command allows you to +create a new configuration + and attempt to start it; if there is an error that leaves +your firewall in the stopped state, it will automatically be restarted + using the default configuration (in /etc/shorewall). +
- A new variable ADD_SNAT_ALIASES + has been added to /etc/shorewall/shorewall.conf. + If this variable is set to "Yes", Shorewall will automatically + add IP addresses listed in the third column of the /etc/shorewall/masq file. -
- Copyright notices have been added - to the documenation. - +
- Copyright notices have been +added to the documenation. + +
3/11/2002 - Shorewall 1.2.9 Released
- +In this version:
- +-
-
- Filtering by MAC address has been added. - MAC addresses may be used as the source address in: +
- Filtering by MAC address has been added.
+ MAC addresses may be used as the source address in:
-
+
-
-
- Filtering rules (Filtering rules (/etc/shorewall/rules) -
- Traffic Control Classification - Rules (/etc/shorewall/tcrules) -
- TOS Rules (Traffic Control Classification + Rules (/etc/shorewall/tcrules) +
- TOS Rules (/etc/shorewall/tos) -
- Blacklist (Blacklist (/etc/shorewall/blacklist) - + +
- - Several bugs have been fixed -
- The 1.2.9 Debian Package is also
- available at
+
- Several bugs have been fixed
+- The 1.2.9 Debian Package is +also available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- + +
3/1/2002 - 1.2.8 Debian Package is Available
- +See http://security.dsi.unimi.it/~lorenzo/debian.html
- +2/25/2002 - New Two-interface Sample
- -I've enhanced the two interface sample to allow access from the firewall - to servers in the local zone - - http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
- + + +I've enhanced the two interface sample to allow access from the firewall + to servers in the local zone - + http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
+ +2/23/2002 - Shorewall 1.2.8 Released
- -Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects - problems associated with the lock file used to prevent multiple state-changing - operations from occuring simultaneously. My apologies for - any inconvenience my carelessness may have caused.
+ +Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects + problems associated with the lock file used to prevent multiple state-changing + operations from occuring simultaneously. My apologies + for any inconvenience my carelessness may have caused.
- +2/22/2002 - Shorewall 1.2.7 Released
- +In this version:
- +-
-
- UPnP probes (UDP destination port - 1900) are now silently dropped in the common chain -
- RFC 1918 checking in the mangle - table has been streamlined to no longer require packet - marking. RFC 1918 checking in the filter table has been +
- UPnP probes (UDP destination + port 1900) are now silently dropped in the common + chain +
- RFC 1918 checking in the mangle + table has been streamlined to no longer require packet + marking. RFC 1918 checking in the filter table has been changed to require half as many rules as previously. -
- A 'shorewall check' command has - been added that does a cursory validation of the zones, - interfaces, hosts, rules and policy files. - +
- A 'shorewall check' command +has been added that does a cursory validation of the +zones, interfaces, hosts, rules and policy files. + +
2/18/2002 - 1.2.6 Debian Package is Available
- +See http://security.dsi.unimi.it/~lorenzo/debian.html
- +2/8/2002 - Shorewall 1.2.6 Released
- +In this version:
- +-
-
- $-variables may now be used anywhere - in the configuration files except /etc/shorewall/zones. -
- The interfaces and hosts files -now have their contents validated before any changes are -made to the existing Netfilter configuration. The appearance - of a zone name that isn't defined in /etc/shorewall/zones causes -"shorewall start" and "shorewall restart" to abort without changing - the Shorewall state. Unknown options in either file cause a warning - to be issued. -
- A problem occurring when BLACKLIST_LOGLEVEL - was not set has been corrected. - +
- $-variables may now be used +anywhere in the configuration files except /etc/shorewall/zones. +
- The interfaces and hosts files + now have their contents validated before any changes + are made to the existing Netfilter configuration. The appearance + of a zone name that isn't defined in /etc/shorewall/zones + causes "shorewall start" and "shorewall restart" to abort without +changing the Shorewall state. Unknown options in either file +cause a warning to be issued. +
- A problem occurring when BLACKLIST_LOGLEVEL + was not set has been corrected. + +
2/4/2002 - Shorewall 1.2.5 Debian Package Available
- +see http://security.dsi.unimi.it/~lorenzo/debian.html
- +2/1/2002 - Shorewall 1.2.5 Released
- -Due to installation problems with Shorewall 1.2.4, I have released Shorewall - 1.2.5. Sorry for the rapid-fire development.
+ +Due to installation problems with Shorewall 1.2.4, I have released Shorewall + 1.2.5. Sorry for the rapid-fire development.
- +In version 1.2.5:
- +-
-
- The installation problems have -been corrected. -
- The installation problems have + been corrected. +
- SNAT is now supported. -
- A "shorewall version" command has - been added -
- The default value of the STATEDIR - variable in /etc/shorewall/shorewall.conf has been changed - to /var/lib/shorewall in order to conform to the GNU/Linux - File Hierarchy Standard, Version 2.2. - +
- A "shorewall version" command + has been added +
- The default value of the STATEDIR + variable in /etc/shorewall/shorewall.conf has been changed + to /var/lib/shorewall in order to conform to the GNU/Linux + File Hierarchy Standard, Version 2.2. + +
1/28/2002 - Shorewall 1.2.4 Released
- +-
-
- The "fw" zone The "fw" zone may now be given a different name. -
- You may now place end-of-line comments - (preceded by '#') in any of the configuration files -
- There is now protection against -against two state changing operations occuring concurrently. -This is implemented using the 'lockfile' utility if it is -available (lockfile is part of procmail); otherwise, a less robust - technique is used. The lockfile is created in the STATEDIR defined - in /etc/shorewall/shorewall.conf and has the name "lock". -
- "shorewall start" no longer fails - if "detect" is specified in /etc/shorewall/interfaces - for an interface with subnet mask 255.255.255.255. - +
- You may now place end-of-line + comments (preceded by '#') in any of the configuration + files +
- There is now protection against + against two state changing operations occuring concurrently. + This is implemented using the 'lockfile' utility if it +is available (lockfile is part of procmail); otherwise, a less + robust technique is used. The lockfile is created in the STATEDIR + defined in /etc/shorewall/shorewall.conf and has the name +"lock". +
- "shorewall start" no longer +fails if "detect" is specified in /etc/shorewall/interfaces + for an interface with subnet mask 255.255.255.255. + +
1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html
- +1/20/2002 - Corrected firewall script available
- -Corrects a problem with BLACKLIST_LOGLEVEL. See the - errata for details.
+ +Corrects a problem with BLACKLIST_LOGLEVEL. See the + errata for details.
- +1/19/2002 - Shorewall 1.2.3 Released
- +This is a minor feature and bugfix release. The single new feature is:
- +-
-
- Support for TCP MSS Clamp to PMTU - -- This support is usually required when the internet connection - is via PPPoE or PPTP and may be enabled using the CLAMPMSS option in /etc/shorewall/shorewall.conf. - +
- Support for TCP MSS Clamp to +PMTU -- This support is usually required when the internet + connection is via PPPoE or PPTP and may be enabled using the + CLAMPMSS option in /etc/shorewall/shorewall.conf. + +
The following problems were corrected:
- + +-
-
- The "shorewall status" command -no longer hangs. -
- The "shorewall monitor" command -now displays the icmpdef chain -
- The CLIENT PORT(S) column in tcrules - is no longer ignored - +
- The "shorewall status" command + no longer hangs. +
- The "shorewall monitor" command + now displays the icmpdef chain +
- The CLIENT PORT(S) column in +tcrules is no longer ignored + +
1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release
- -Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution - that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo - for details.
+ +Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution + that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo + for details.
- +1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2 - Shorewall Debian package is now available. There is a link - to Lorenzo's site from the Shorewall -download page.
+ href="mailto:lorenzo.martignoni@milug.org">Lorenzo Martignoni, a 1.2.2 + Shorewall Debian package is now available. There is a +link to Lorenzo's site from the Shorewall + download page. - +1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores - the "shorewall status" command to health.
+ href="/pub/shorewall/errata/1.2.2/shorewall">This corrected version restores + the "shorewall status" command to health. - +1/8/2002 - Shorewall 1.2.2 Released
- +In version 1.2.2
- +-
-
- Support for IP blacklisting has -been added +
- Support for IP blacklisting
+has been added
-
+
-
-
- You specify whether you want -packets from blacklisted hosts dropped or rejected -using the BLACKLIST_DISPOSITION - setting in /etc/shorewall/shorewall.conf -
- You specify whether you want -packets from blacklisted hosts logged and at what -syslog level using the BLACKLIST_LOGLEVEL - setting in /etc/shorewall/shorewall.conf -
- You list the IP addresses/subnets - that you wish to blacklist in You specify whether you want + packets from blacklisted hosts dropped or rejected + using the BLACKLIST_DISPOSITION + setting in /etc/shorewall/shorewall.conf +
- You specify whether you want + packets from blacklisted hosts logged and at what + syslog level using the BLACKLIST_LOGLEVEL + setting in /etc/shorewall/shorewall.conf +
- You list the IP addresses/subnets + that you wish to blacklist in /etc/shorewall/blacklist -
- You specify the interfaces you - want checked against the blacklist using the new -"blacklist" option -in /etc/shorewall/interfaces. -
- The black list is refreshed from - /etc/shorewall/blacklist by the "shorewall refresh" - command. +
- You specify the interfaces +you want checked against the blacklist using the +new "blacklist" option + in /etc/shorewall/interfaces. +
- The black list is refreshed + from /etc/shorewall/blacklist by the "shorewall +refresh" command. - + +
- - Use of TCP RST replies has been -expanded + +
- Use of TCP RST replies has been
+ expanded
-
+
-
-
- TCP connection requests rejected - because of a REJECT policy are now replied with a -TCP RST packet. -
- TCP connection requests rejected - because of a protocol=all rule in /etc/shorewall/rules - are now replied with a TCP RST packet. +
- TCP connection requests rejected + because of a REJECT policy are now replied with a + TCP RST packet. +
- TCP connection requests rejected + because of a protocol=all rule in /etc/shorewall/rules + are now replied with a TCP RST packet. - + +
- - A LOGFILE specification -has been added to /etc/shorewall/shorewall.conf. LOGFILE is used - to tell the /sbin/shorewall program where to look for Shorewall - messages. - + +
- A LOGFILE specification has + been added to /etc/shorewall/shorewall.conf. LOGFILE is used + to tell the /sbin/shorewall program where to look for Shorewall + messages. + +
1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates - to the previously-released samples. There are two new rules - added:
+ target="_blank">version 1.2.0) released. These are minor updates + to the previously-released samples. There are two new +rules added: - +-
-
- Unless you have explicitly enabled - Auth connections (tcp port 113) to your firewall, these - connections will be REJECTED rather than DROPPED. This +
- Unless you have explicitly enabled + Auth connections (tcp port 113) to your firewall, these + connections will be REJECTED rather than DROPPED. This speeds up connection establishment to some servers. -
- Orphan DNS replies are now silently - dropped. - +
- Orphan DNS replies are now silently + dropped. + +
See the README file for upgrade instructions.
- + +1/1/2002 - Shorewall Mailing List Moving
- -The Shorewall mailing list hosted at - Sourceforge is moving to Shorewall.net. If you are a - current subscriber to the list at Sourceforge, please see these instructions. - If you would like to subscribe to the new list, visit http://www.shorewall.net/mailman/listinfo/shorewall-users.
+ +The Shorewall mailing list hosted at + Sourceforge is moving to Shorewall.net. If you are + a current subscriber to the list at Sourceforge, please see these instructions. + If you would like to subscribe to the new list, visit +http://www.shorewall.net/mailman/listinfo/shorewall-users.
- +12/31/2001 - Shorewall 1.2.1 Released
- +In version 1.2.1:
- +-
-
- Logging of Mangled/Invalid - Packets is added. -
- The tunnel script - has been corrected. -
- 'shorewall show tc' now correctly - handles tunnels. - -
12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist releasing -1.2 on 12/21/2001
+12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist +releasing 1.2 on 12/21/2001
+ +Version 1.2 contains the following new features:
- +-
-
- Support for Support for Traffic Control/Shaping -
- Support for Filtering of Mangled/Invalid -Packets -
- Support for GRE - Tunnels - +
- Support for Filtering of Mangled/Invalid Packets +
- Support for GRE Tunnels + +
For the next month or so, I will continue to provide corrections to version - 1.1.18 as necessary so that current version 1.1.x users - will not be forced into a quick upgrade to 1.2.0 just to have - access to bug fixes.
+ +For the next month or so, I will continue to provide corrections to version + 1.1.18 as necessary so that current version 1.1.x users + will not be forced into a quick upgrade to 1.2.0 just to have + access to bug fixes.
-For those of you who have installed one of the Beta RPMS, you will need - to use the "--oldpackage" option when upgrading to 1.2.0:
+ +For those of you who have installed one of the Beta RPMS, you will need + to use the "--oldpackage" option when upgrading to 1.2.0:
-- + +- -++rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm
-
12/19/2001 - Thanks to Steve - Cowles, there is now a Shorewall mirror in Texas. This - web site is mirrored at http://www.infohiiway.com/shorewall - and the ftp site is at 12/19/2001 - Thanks to Steve + Cowles, there is now a Shorewall mirror in Texas. This + web site is mirrored at http://www.infohiiway.com/shorewall + and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall.
- +11/30/2001 - A new set of the parameterized Sample -Configurations has been released. In this version:
+ href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.18">Sample + Configurations has been released. In this version: - +-
-
- Ping is now allowed between the -zones. -
- In the three-interface configuration, - it is now possible to configure the internet services that - are to be available to servers in the DMZ. - +
- Ping is now allowed between +the zones. +
- In the three-interface configuration, + it is now possible to configure the internet services + that are to be available to servers in the DMZ. + +
11/20/2001 - The current version of Shorewall is 1.1.18.
- +In this version:
- +-
-
- The spelling of ADD_IP_ALIASES -has been corrected in the shorewall.conf file -
- The logic for deleting user-defined - chains has been simplified so that it avoids a bug in the - LRP version of the 'cut' utility. -
- The /var/lib/lrpkg/shorwall.conf - file has been corrected to properly display the NAT entry - in that file. - +
- The spelling of ADD_IP_ALIASES + has been corrected in the shorewall.conf file +
- The logic for deleting user-defined + chains has been simplified so that it avoids a bug in + the LRP version of the 'cut' utility. +
- The /var/lib/lrpkg/shorwall.conf + file has been corrected to properly display the NAT entry + in that file. + +
11/19/2001 - Thanks to Juraj - Ontkanin, there is now a Shorewall mirror in + +
11/19/2001 - Thanks to Juraj + Ontkanin, there is now a Shorewall mirror in the Slovak Republic. The website is now mirrored at http://www.nrg.sk/mirror/shorewall - and the FTP site is mirrored at http://www.nrg.sk/mirror/shorewall + and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.
- -11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. - There are three sample configurations:
+ +11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. + There are three sample configurations:
- +-
-
- One Interface -- for a standalone - system. -
- Two Interfaces -- A masquerading - firewall. -
- Three Interfaces -- A masquerading - firewall with DMZ. - +
- One Interface -- for a standalone + system. +
- Two Interfaces -- A masquerading + firewall. +
- Three Interfaces -- A masquerading + firewall with DMZ. + +
Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 - . See the README file for instructions.
+ href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17"> ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 + . See the README file for instructions. - -11/1/2001 - The current version of Shorewall is 1.1.17. I intend - this to be the last of the 1.1 Shorewall releases.
+ +11/1/2001 - The current version of Shorewall is 1.1.17. I intend + this to be the last of the 1.1 Shorewall releases.
- +In this version:
- +-
-
- The handling of ADD_IP_ALIASES has - been corrected. - +
- The handling of ADD_IP_ALIASES has + been corrected. + +
10/22/2001 - The current version of Shorewall is 1.1.16. In this - version:
+ +10/22/2001 - The current version of Shorewall is 1.1.16. In this + version:
- +-
-
- A new "shorewall show connections" - command has been added. -
- In the "shorewall monitor" output, - the currently tracked connections are now shown on a +
- A new "shorewall show connections" + command has been added. +
- In the "shorewall monitor" output, + the currently tracked connections are now shown on a separate page. -
- Prior to this release, Shorewall - unconditionally added the external IP adddress(es) specified - in /etc/shorewall/nat. Beginning with version 1.1.16, - a new parameter (ADD_IP_ALIASES) - may be set to "no" (or "No") to inhibit this behavior. - This allows IP aliases created using your distribution's - network configuration tools to be used in static NAT. - +
- Prior to this release, Shorewall + unconditionally added the external IP adddress(es) specified + in /etc/shorewall/nat. Beginning with version 1.1.16, + a new parameter (ADD_IP_ALIASES) + may be set to "no" (or "No") to inhibit this behavior. + This allows IP aliases created using your distribution's + network configuration tools to be used in static NAT. + + +
10/15/2001 - The current version of Shorewall is 1.1.15. In this + version:
+ + +-
+
- Support for nested zones has +been improved. See the documentation + for details +
- Shorewall now correctly checks + the alternate configuration directory for the 'zones' + file. + +
10/15/2001 - The current version of Shorewall is 1.1.15. In this - version:
+10/4/2001 - The current version of Shorewall is 1.1.14. In this + version
- +-
-
- Support for nested zones has been - improved. See the documentation - for details -
- Shorewall now correctly checks -the alternate configuration directory for the 'zones' -file. - -
10/4/2001 - The current version of Shorewall is 1.1.14. In this - version
- --
-
- Shorewall now supports alternate - configuration directories. When an alternate directory - is specified when starting or restarting Shorewall (e.g., - "shorewall -c /etc/testconf restart"), Shorewall will first - look for configuration files in the alternate directory then in +
- Shorewall now supports alternate
+ configuration directories. When an alternate directory
+ is specified when starting or restarting Shorewall (e.g.,
+ "shorewall -c /etc/testconf restart"), Shorewall will first
+ look for configuration files in the alternate directory then in
/etc/shorewall. To create an alternate configuration simply:
- 1. Create a New Directory
- 2. Copy to that directory any of -your configuration files that you want to change.
- 3. Modify the copied files as needed.
- 4. Restart Shorewall specifying the - new directory.
- - The rules for allowing/disallowing
- icmp echo-requests (pings) are now moved after rules
-created when processing the rules file. This allows you to
- add rules that selectively allow/deny ping based on source or
+ 1. Create a New Directory
+ 2. Copy to that directory any +of your configuration files that you want to change.
+ 3. Modify the copied files as +needed.
+ 4. Restart Shorewall specifying + the new directory.
+ - The rules for allowing/disallowing + icmp echo-requests (pings) are now moved after rules + created when processing the rules file. This allows you to + add rules that selectively allow/deny ping based on source or destination address. -
- Rules that specify multiple client - ip addresses or subnets no longer cause startup failures. -
- Zone names in the policy file are - now validated against the zones file. -
- If you have packet mangling support - enabled, the "norfc1918" - interface option now logs and drops any incoming packets +
- Rules that specify multiple +client ip addresses or subnets no longer cause startup +failures. +
- Zone names in the policy file + are now validated against the zones file. +
- If you have packet mangling support + enabled, the "norfc1918" + interface option now logs and drops any incoming packets on the interface that have an RFC 1918 destination address. - + +
9/12/2001 - The current version of Shorewall is 1.1.13. In this - version
+ +9/12/2001 - The current version of Shorewall is 1.1.13. In this + version
+-
-
- Shell variables can now be used -to parameterize Shorewall rules. -
- The second column in the hosts
-file may now contain a comma-separated list.
-
- Example:
- sea eth0:130.252.100.0/24,206.191.149.0/24
- - Handling of multi-zone interfaces - has been improved. See the documentation for the /etc/shorewall/interfaces - file. - +
- Shell variables can now be used + to parameterize Shorewall rules. +
- The second column in the hosts
+ file may now contain a comma-separated list.
+
+ Example:
+ sea eth0:130.252.100.0/24,206.191.149.0/24
+ - Handling of multi-zone interfaces + has been improved. See the documentation for the /etc/shorewall/interfaces + file. + +
8/28/2001 - The current version of Shorewall is 1.1.12. In this - version
+ +8/28/2001 - The current version of Shorewall is 1.1.12. In this + version
+-
-
- Several columns in the rules file - may now contain comma-separated lists. -
- Shorewall is now more rigorous -in parsing the options in /etc/shorewall/interfaces. -
- Complementation using "!" is now - supported in rules. - +
- Several columns in the rules +file may now contain comma-separated lists. +
- Shorewall is now more rigorous + in parsing the options in /etc/shorewall/interfaces. +
- Complementation using "!" is +now supported in rules. + +
7/28/2001 - The current version of Shorewall is 1.1.11. In this - version
+ +7/28/2001 - The current version of Shorewall is 1.1.11. In this + version
+-
-
- A "shorewall refresh" command has - been added to allow for refreshing the rules associated -with the broadcast address on a dynamic interface. This -command should be used in place of "shorewall restart" when the - internet interface's IP address changes. -
- The /etc/shorewall/start file (if - any) is now processed after all temporary rules have been - deleted. This change prevents the accidental removal of - rules added during the processing of that file. -
- The "dhcp" interface option is -now applicable to firewall interfaces used by a DHCP server -running on the firewall. -
- The RPM can now be built from the - .tgz file using "rpm -tb" - +
- A "shorewall refresh" command + has been added to allow for refreshing the rules associated + with the broadcast address on a dynamic interface. This + command should be used in place of "shorewall restart" when +the internet interface's IP address changes. +
- The /etc/shorewall/start file + (if any) is now processed after all temporary rules +have been deleted. This change prevents the accidental + removal of rules added during the processing of that file. +
- The "dhcp" interface option +is now applicable to firewall interfaces used by a DHCP +server running on the firewall. +
- The RPM can now be built from + the .tgz file using "rpm -tb" + +
7/6/2001 - The current version of Shorewall is 1.1.10. In this version
+ +7/6/2001 - The current version of Shorewall is 1.1.10. In this +version
+-
-
- Shorewall now enables Ipv4 Packet - Forwarding by default. Packet forwarding may be disabled - by specifying IP_FORWARD=Off in /etc/shorewall/shorewall.conf. - If you don't want Shorewall to enable or disable packet forwarding, - add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf - file. -
- The "shorewall hits" command no -longer lists extraneous service names in its last report. -
- Erroneous instructions in the comments - at the head of the firewall script have been corrected. - +
- Shorewall now enables Ipv4 Packet + Forwarding by default. Packet forwarding may be disabled + by specifying IP_FORWARD=Off in /etc/shorewall/shorewall.conf. + If you don't want Shorewall to enable or disable packet + forwarding, add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf + file. +
- The "shorewall hits" command +no longer lists extraneous service names in its last report. +
- Erroneous instructions in the + comments at the head of the firewall script have been + corrected. + +
6/23/2001 - The current version of Shorewall is 1.1.9. In this version
+ +6/23/2001 - The current version of Shorewall is 1.1.9. In this +version
+-
-
- The "tunnels" file really - is in the RPM now. -
- SNAT can now be applied to port-forwarded - connections. -
- A bug which would cause firewall - start failures in some dhcp configurations has been fixed. -
- The firewall script now issues -a message if you have the name of an interface in the -second column in an entry in /etc/shorewall/masq and that +
- The "tunnels" file really + is in the RPM now. +
- SNAT can now be applied to port-forwarded + connections. +
- A bug which would cause firewall + start failures in some dhcp configurations has been fixed. +
- The firewall script now issues + a message if you have the name of an interface in the + second column in an entry in /etc/shorewall/masq and that interface is not up. -
- You can now configure Shorewall -so that it doesn't require the NAT -and/or mangle netfilter modules. -
- Thanks to Alex Polishchuk, the -"hits" command from seawall is now in shorewall. -
- Support for IPIP - tunnels has been added. - +
- You can now configure Shorewall + so that it doesn't require the + NAT and/or mangle netfilter modules. +
- Thanks to Alex Polishchuk, +the "hits" command from seawall is now in shorewall. +
- Support for IPIP tunnels has been added. + +
6/18/2001 - The current version of Shorewall is 1.1.8. In this version
+ +6/18/2001 - The current version of Shorewall is 1.1.8. In this +version
+-
-
- A typo in the sample rules file -has been corrected. -
- It is now possible to restrict -masquerading by destination host -or subnet. -
- It is now possible to have static - NAT rules applied to packets originating - on the firewall itself. - +
- A typo in the sample rules file + has been corrected. +
- It is now possible to restrict + masquerading by destination host + or subnet. +
- It is now possible to have static + NAT rules applied to packets originating + on the firewall itself. + +
6/2/2001 - The current version of Shorewall is 1.1.7. In this version
+-
-
- The TOS rules are now deleted when - the firewall is stopped. -
- The .rpm will now install regardless - of which version of iptables is installed. -
- The .rpm will now install without - iproute2 being installed. -
- The documentation has been cleaned - up. -
- The sample configuration files -included in Shorewall have been formatted to 80 columns -for ease of editing on a VGA console. - +
- The TOS rules are now deleted + when the firewall is stopped. +
- The .rpm will now install regardless + of which version of iptables is installed. +
- The .rpm will now install without + iproute2 being installed. +
- The documentation has been cleaned + up. +
- The sample configuration files + included in Shorewall have been formatted to 80 columns + for ease of editing on a VGA console. + +
5/25/2001 - The current version of Shorewall is 1.1.6. In this version
+ +5/25/2001 - The current version of Shorewall is 1.1.6. In this +version
+-
-
- You may now rate-limit the - packet log. -
- Previous versions of - Shorewall have an implementation of Static NAT which violates the - principle of least surprise. NAT only occurs for packets - arriving at (DNAT) or send from (SNAT) the interface named - in the INTERFACE column of /etc/shorewall/nat. Beginning with -version 1.1.6, NAT effective regardless of which interface packets -come from or are destined to. To get compatibility with prior versions, - I have added a new "ALL "ALL -INTERFACES" column to /etc/shorewall/nat. By placing - "no" or "No" in the new column, the NAT behavior of prior versions -may be retained. -
- The treatment of IPSEC Tunnels where the remote gateway -is a standalone system has been improved. Previously, it was - necessary to include an additional rule allowing UDP port 500 traffic -to pass through the tunnel. Shorewall will now create this rule -automatically when you place the name of the remote peer's zone in -a new GATEWAY ZONE column in /etc/shorewall/tunnels. - +
- You may now rate-limit the +packet log. +
- Previous versions + of Shorewall have an implementation of Static NAT which violates + the principle of least surprise. NAT only occurs for packets + arriving at (DNAT) or send from (SNAT) the interface named + in the INTERFACE column of /etc/shorewall/nat. Beginning with + version 1.1.6, NAT effective regardless of which interface packets + come from or are destined to. To get compatibility with prior versions, + I have added a new "ALL "ALL + INTERFACES" column to /etc/shorewall/nat. By placing + "no" or "No" in the new column, the NAT behavior of prior +versions may be retained. +
- The treatment of IPSEC Tunnels where the remote +gateway is a standalone system has been improved. Previously, + it was necessary to include an additional rule allowing UDP port +500 traffic to pass through the tunnel. Shorewall will now create + this rule automatically when you place the name of the remote peer's + zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels. + +
5/20/2001 - The current version of Shorewall is 1.1.5. In this version
+ +5/20/2001 - The current version of Shorewall is 1.1.5. In this +version
+-
-
- You may now pass parameters - when loading netfilter modules and you can specify the modules - to load. -
- Compressed modules are now loaded. - This requires that you modutils support loading compressed - modules. -
- You may now set the Type of Service - (TOS) field in packets. -
- Corrected rules generated for port - redirection (again). - +
- You may now pass parameters + when loading netfilter modules and you can specify the modules + to load. +
- Compressed modules are now loaded. + This requires that you modutils support loading compressed + modules. +
- You may now set the Type of Service + (TOS) field in packets. +
- Corrected rules generated for + port redirection (again). + +
5/10/2001 - The current version of Shorewall is 1.1.4. In this version
+ +5/10/2001 - The current version of Shorewall is 1.1.4. In this +version
+-
-
- Accepting RELATED connections - is now optional. -
- Corrected problem where if "shorewall - start" aborted early (due to kernel configuration errors - for example), superfluous 'sed' error messages were reported. -
- Corrected rules generated for port - redirection. -
- The order in which iptables kernel - modules are loaded has been corrected (Thanks to Mark - Pavlidis). - +
- Accepting RELATED connections + is now optional. +
- Corrected problem where if "shorewall + start" aborted early (due to kernel configuration errors + for example), superfluous 'sed' error messages were +reported. +
- Corrected rules generated for + port redirection. +
- The order in which iptables +kernel modules are loaded has been corrected (Thanks +to Mark Pavlidis). + +
4/28/2001 - The current version of Shorewall is 1.1.3. In this version
+ +4/28/2001 - The current version of Shorewall is 1.1.3. In this +version
+-
-
- Correct message issued when Proxy - ARP address added (Thanks to Jason Kirtland). -
- /tmp/shorewallpolicy-$$ is now -removed if there is an error while starting the firewall. -
- /etc/shorewall/icmp.def and /etc/shorewall/common.def - are now used to define the icmpdef and common chains unless - overridden by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common. -
- In the .lrp, the file /var/lib/lrpkg/shorwall.conf - has been corrected. An extra space after "/etc/shorwall/policy" - has been removed and "/etc/shorwall/rules" has been added. -
- When a sub-shell encounters a fatal - error and has stopped the firewall, it now kills the main - shell so that the main shell will not continue. -
- A problem has been corrected where - a sub-shell stopped the firewall and main shell continued - resulting in a perplexing error message referring to "common.so" - resulted. -
- Previously, placing "-" in the -PORT(S) column in /etc/shorewall/rules resulted in an error -message during start. This has been corrected. -
- The first line of "install.sh" -has been corrected -- I had inadvertently deleted the initial - "#". - +
- Correct message issued when +Proxy ARP address added (Thanks to Jason Kirtland). +
- /tmp/shorewallpolicy-$$ is now + removed if there is an error while starting the firewall. +
- /etc/shorewall/icmp.def and +/etc/shorewall/common.def are now used to define the +icmpdef and common chains unless overridden by the presence + of /etc/shorewall/icmpdef or /etc/shorewall/common. +
- In the .lrp, the file /var/lib/lrpkg/shorwall.conf + has been corrected. An extra space after "/etc/shorwall/policy" + has been removed and "/etc/shorwall/rules" has been added. +
- When a sub-shell encounters +a fatal error and has stopped the firewall, it now kills + the main shell so that the main shell will not continue. +
- A problem has been corrected +where a sub-shell stopped the firewall and main shell +continued resulting in a perplexing error message referring +to "common.so" resulted. +
- Previously, placing "-" in the + PORT(S) column in /etc/shorewall/rules resulted in an error + message during start. This has been corrected. +
- The first line of "install.sh" + has been corrected -- I had inadvertently deleted the initial + "#". + +
4/12/2001 - The current version of Shorewall is 1.1.2. In this version
- + + +4/12/2001 - The current version of Shorewall is 1.1.2. In this +version
+ +-
-
- Port redirection now works again. -
- The icmpdef and common chains may now be user-defined. -
- The firewall no longer fails to -start if "routefilter" is specified for an interface that -isn't started. A warning message is now issued in this -case. -
- The LRP Version is renamed "shorwall" - for 8,3 MSDOS file system compatibility. -
- A couple of LRP-specific problems - were corrected. - +
- Port redirection now works again. +
- The icmpdef and common chains + may now be user-defined. +
- The firewall no longer fails +to start if "routefilter" is specified for an interface + that isn't started. A warning message is now issued + in this case. +
- The LRP Version is renamed "shorwall" + for 8,3 MSDOS file system compatibility. +
- A couple of LRP-specific problems + were corrected. + +
4/8/2001 - Shorewall is now affiliated with the Leaf Project 
-
4/5/2001 - The current version of Shorewall is 1.1.1. In this version:
+-
-
- The common chain is traversed from - INPUT, OUTPUT and FORWARD before logging occurs -
- The source has been cleaned up -dramatically -
- DHCP DISCOVER packets with RFC1918 - source addresses no longer generate log messages. Linux - DHCP clients generate such packets and it's annoying -to see them logged. - +
- The common chain is traversed + from INPUT, OUTPUT and FORWARD before logging occurs +
- The source has been cleaned +up dramatically +
- DHCP DISCOVER packets with RFC1918 + source addresses no longer generate log messages. Linux + DHCP clients generate such packets and it's annoying + to see them logged. + +
3/25/2001 - The current version of Shorewall is 1.1.0. In this version:
+-
-
- Log messages now indicate the packet - disposition. -
- Error messages have been improved. -
- The ability to define zones consisting - of an enumerated set of hosts and/or subnetworks has - been added. -
- The zone-to-zone chain matrix is - now sparse so that only those chains that contain meaningful - rules are defined. -
- 240.0.0.0/4 and 169.254.0.0/16 -have been added to the source subnetworks whose packets -are dropped under the norfc1918 interface +
- Log messages now indicate the + packet disposition. +
- Error messages have been improved. +
- The ability to define zones +consisting of an enumerated set of hosts and/or subnetworks +has been added. +
- The zone-to-zone chain matrix + is now sparse so that only those chains that contain + meaningful rules are defined. +
- 240.0.0.0/4 and 169.254.0.0/16 + have been added to the source subnetworks whose packets + are dropped under the norfc1918 interface option. -
- Exits are now provided for executing - an user-defined script when a chain is defined, when - the firewall is initialized, when the firewall is started, - when the firewall is stopped and when the firewall is cleared. -
- The Linux kernel's route filtering - facility can now be specified selectively on network - interfaces. - +
- Exits are now provided for executing + an user-defined script when a chain is defined, when + the firewall is initialized, when the firewall is started, + when the firewall is stopped and when the firewall is cleared. +
- The Linux kernel's route filtering + facility can now be specified selectively on network + interfaces. + +
3/19/2001 - The current version of Shorewall is 1.0.4. This version:
+-
-
- Allows user-defined zones. Shorewall - now has only one pre-defined zone (fw) with the remaining - zones being defined in the new configuration file /etc/shorewall/zones. - The /etc/shorewall/zones file released in this version - provides behavior that is compatible with Shorewall 1.0.3. -
- Adds the ability to specify logging - in entries in the /etc/shorewall/rules file. -
- Correct handling of the icmp-def - chain so that only ICMP packets are sent through the - chain. -
- Compresses the output of "shorewall - monitor" if awk is installed. Allows the command to work - if awk isn't installed (although it's not pretty). - -
3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix - release with no new features.
+3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix + release with no new features.
+ +-
-
- The PATH variable in the firewall - script now includes /usr/local/bin and /usr/local/sbin. -
- DMZ-related chains are now correctly - deleted if the DMZ is deleted. -
- The interface OPTIONS for "gw" -interfaces are no longer ignored. - +
- The PATH variable in the firewall + script now includes /usr/local/bin and /usr/local/sbin. +
- DMZ-related chains are now correctly + deleted if the DMZ is deleted. +
- The interface OPTIONS for "gw" + interfaces are no longer ignored. + +
3/8/2001 - The current version of Shorewall is 1.0.2. It supports an - additional "gw" (gateway) zone for tunnels and it supports - IPSEC tunnels with end-points on the firewall. There is also - a .lrp available now.
- -Updated 1/18/2003 - Tom Eastep -
+ +3/8/2001 - The current version of Shorewall is 1.0.2. It supports an + additional "gw" (gateway) zone for tunnels and it supports + IPSEC tunnels with end-points on the firewall. There is also + a .lrp available now.
- + +Updated 1/28/2003 - Tom Eastep +
+ + Copyright © 2001, 2002 Thomas M. Eastep.
-
+
+
diff --git a/Shorewall-docs/Shorewall_Squid_Usage.html b/Shorewall-docs/Shorewall_Squid_Usage.html index 6a35828e7..a310704f3 100644 --- a/Shorewall-docs/Shorewall_Squid_Usage.html +++ b/Shorewall-docs/Shorewall_Squid_Usage.html @@ -2,407 +2,489 @@
+ |
- 
- - |
+ + Using Shorewall with Squid |
- -
+ | |
- 
- - |
- This page covers Shorewall configuration to use with Squid running as a Transparent +
+ This page covers Shorewall configuration to use with Squid running as a Transparent Proxy.
-
-
+
- Please observe the following general requirements:-
-
- In all cases, Squid should be configured to run
+ Please observe the following general requirements:+
+
+ In all cases, Squid should be configured to run
as a transparent proxy as described at http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html.-
-
- The following instructions mention the files /etc/shorewall/start
- and /etc/shorewall/init -- if you don't have those files, siimply create
+ +
+ The following instructions mention the files /etc/shorewall/start
+ and /etc/shorewall/init -- if you don't have those files, siimply create
them.-
-
- When the Squid server is in the DMZ zone or in
-the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
- file entries. That is because the packets being routed to the Squid server
+ +
+ When the Squid server is in the DMZ zone or in
+the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
+ file entries. That is because the packets being routed to the Squid server
still have their original destination IP addresses.-
-
- You must have iproute2 (ip utility) installed
+ +
+ You must have iproute2 (ip utility) installed
on your firewall.-
-
- You must have iptables installed on your Squid
+ +
+ You must have iptables installed on your Squid
server.-
-
- You must have NAT and MANGLE enabled in your /etc/shorewall/conf
+ +
+ You must have NAT and MANGLE enabled in your /etc/shorewall/conf
file-
- NAT_ENABLED=Yes
- MANGLE_ENABLED=Yes
-
- Three different configurations are covered:
- +
+ NAT_ENABLED=Yes
+ MANGLE_ENABLED=Yes
+
+ Three different configurations are covered:
+
-
-
- Squid running on the -Firewall. -
- Squid running in the local -network -
- Squid running in the DMZ - +
- Squid running on the + Firewall. +
- Squid running in the +local network +
- Squid running in the DMZ +
Squid Running on the Firewall
- You want to redirect all local www connection requests EXCEPT - those to your own - http server (206.124.146.177) - to a Squid transparent - proxy running on the firewall and listening on port 3128. Squid - will of course require access to remote web servers.-
- In /etc/shorewall/rules:
-
+ You want to redirect all local www connection requests EXCEPT + those to your own + http server (206.124.146.177) + to a Squid transparent + proxy running on the firewall and listening on port 3128. Squid + will of course require access to remote web servers.
+
+ In /etc/shorewall/rules:
+
+ +
++ ++ + +
++ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ +REDIRECT +loc +3128 +tcp +www +- +
+!206.124.146.177 ++ + + + + + + + + + +ACCEPT +fw +net +tcp +www ++
++
+
+
Squid Running in the local network
+ You want to redirect all local www connection requests to a Squid + transparent proxy + running in your local zone at 192.168.1.3 and listening on port 3128. +Your local interface is eth1. There may also be a web server running on 192.168.1.3. +It is assumed that web access is already enabled from the local zone to the +internet.+ +
WARNING: This setup may conflict with
+ other aspects of your gateway including but not limited to traffic shaping
+ and route redirection. For that reason, I don't recommend it.
+
-
+
- On your firewall system, issue the following command
+
+
+
++ +echo 202 www.out >> /etc/iproute2/rt_tables+
-
+
- In /etc/shorewall/init, put:
+
+
+
++ +if [ -z "`ip rule list | grep www.out`" ] ; then+
ip rule add fwmark 202 table www.out
ip route add default via 192.168.1.3 dev eth1 table www.out
ip route flush cache
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
fi
-
+
- In /etc/shorewall/rules:
+
+ ++ + +
++ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ + + + + + + + + + +ACCEPT +
+loc +loc +
+tcp +www +
+
+
+
+ - Alternativfely, you can have the following policy:
+
+ ++ +
++ +SOURCE +
+DESTINATION +
+POLICY +
+LOG LEVEL +
+BURST PARAMETERS +
++ + + +loc +
+loc +
+ACCEPT +
+
+
+
+
+ - In /etc/shorewall/start add:
+
+
+
--- - -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL - -
- DEST- -REDIRECT -loc -3128 -tcp -www -- -
-!206.124.146.177 -- - - - - - - - - - -ACCEPT -fw -net -tcp -www --
--
-
+iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202
Squid Running in the local network
- You want to redirect all local www connection requests to a Squid - transparent proxy -running in your local zone at 192.168.1.3 and listening on port 3128. -Your local interface is eth1. There may also be a web server running on -192.168.1.3. It is assumed that web access is already enabled from the local -zone to the internet.- -
WARNING: This setup may conflict with
- other aspects of your gateway including but not limited to traffic shaping
- and route redirection. For that reason, I don't recommend it.
-
-
+
- On 192.168.1.3, arrange for the following command to be executed
+ after networking has come up
+ +iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128
+
- - On your firewall system, issue the following command
-
-
- In /etc/shorewall/init, put:
-
-
- - In /etc/shorewall/rules:
-
+If you are running RedHat on the server, you can simply execute + the following commands after you have typed the iptables command above:
+ +
++
-- - -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL - -
- DEST- - - - - - - - - - +ACCEPT -
-loc -loc -
-tcp -www -
-
-iptables-save > /etc/sysconfig/iptables
+ + +
chkconfig --level 35 iptables start
+ +Squid Running in the DMZ (This is what I do)
+ You have a single Linux system in your DMZ with IP address 192.0.2.177. + You want to run both a web server and Squid on that system. Your DMZ interface + is eth1 and your local interface is eth2.
+ +-
+
- On your firewall system, issue the following command
+
+
+
+
+ +echo 202 www.out >> /etc/iproute2/rt_tables
+-
+
- In /etc/shorewall/init, put:
+
+
+
+
+ +if [ -z "`ip rule list | grep www.out`" ] ; then
+
ip rule add fwmark 202 table www.out
ip route add default via 192.0.2.177 dev eth1 table www.out
ip route flush cache
fi-
+
- Do one of the following:
+
+A) In /etc/shorewall/start add
+
+
+
+
+ +iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202
+B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf +and add the following entry in /etc/shorewall/tcrules:
+
++
++
+ ++ +
-+ +MARK +
+SOURCE +
+DESTINATION +
+PROTOCOL +
+PORT +
+CLIENT PORT +
++ +202 +
+eth2 +
+0.0.0.0/0 +
+tcp +
+80 +
+- +
+
- -- Alternativfely, you can have the following policy:
+
-
- -+ +C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:
+ +
+ ++
+
-- SOURCE -
-DESTINATION -
-POLICY -
-LOG LEVEL -
-BURST PARAMETERS +
-MARK +
+SOURCE +
+DESTINATION +
+PROTOCOL +
+PORT +
+CLIENT PORT
+- loc
+202:P -
loc
+eth2 -
ACCEPT
+0.0.0.0/0 -
+tcp -
+80 +
+-
- -- In /etc/shorewall/start add:
- - - -
--
- +iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202
+-
-
- On 192.168.1.3, arrange for the following command to be executed
-after networking has come up
- -iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128
-
+ - In /etc/shorewall/rules, you will need:
If you are running RedHat on the server, you can simply execute - the following commands after you have typed the iptables command above:
--
- -
- -iptables-save > /etc/sysconfig/iptables
-
chkconfig --level 35 iptables start
- -Squid Running in the DMZ (This is what I do)
- You have a single Linux system in your DMZ with IP address 192.0.2.177. - You want to run both a web server and Squid on that system. Your DMZ interface - is eth1 and your local interface is eth2.
- --
-
- On your firewall system, issue the following command
-
-
-
-
- -echo 202 www.out >> /etc/iproute2/rt_tables
--
-
- In /etc/shorewall/init, put:
-
-
-
-
- -if [ -z "`ip rule list | grep www.out`" ] ; then
-
ip rule add fwmark 202 table www.out
ip route add default via 192.0.2.177 dev eth1 table www.out
ip route flush cache
fi-
-
- In /etc/shorewall/start add:
-
-
-
-
- -iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202
--
-
- In /etc/shorewall/rules, you will need: - -
- -- -
-- -ACTION -
-SOURCE -
-DEST -
-PROTO -
-DEST -
- PORT(S)
-CLIENT -
- PORT(2)
-ORIGINAL -
- DEST
-- - - + +ACCEPT -
-dmz -
-net -
-tcp -
-80 -
-
-
-+ +ACTION +
+SOURCE +
+DEST +
+PROTO +
+DEST +
+ PORT(S)
+CLIENT +
+ PORT(2)
+ORIGINAL +
+ DEST
++ + +ACCEPT +
+dmz +
+net +
+tcp +
+80 +
+
+
+
--
-
- On 192.0.2.177 (your Web/Squid server), arrange for the following
- command to be executed after networking has come up
- -iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128
-
-
-
If you are running RedHat on the server, you can simply execute - the following commands after you have typed the iptables command above:
- -
+
-
+
+ +-
+
- On 192.0.2.177 (your Web/Squid server), arrange for the following
+ command to be executed after networking has come up
+ +iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128
+
+
If you are running RedHat on the server, you can simply execute + the following commands after you have typed the iptables command above:
+ +
++
- +
+iptables-save > /etc/sysconfig/iptables
-
chkconfig --level 35 iptables start
- -Updated 1/10/2003 - Tom Eastep -
+ +Updated 1/23/2003 - Tom Eastep +
- Copyright © 2003 Thomas M. Eastep.
-
-
-
+
+
+
+
diff --git a/Shorewall-docs/Shorewall_index_frame.htm b/Shorewall-docs/Shorewall_index_frame.htm index d5ffceda7..1c40f74ab 100644 --- a/Shorewall-docs/Shorewall_index_frame.htm +++ b/Shorewall-docs/Shorewall_index_frame.htm @@ -2,164 +2,166 @@ - + - + - + - +Shorewall Index -- + + - + Copyright © 2001-2003 Thomas M. Eastep.
- +
+
-
-
-
+
+ +
-
-
-
+
+
+
diff --git a/Shorewall-docs/Shorewall_sfindex_frame.htm b/Shorewall-docs/Shorewall_sfindex_frame.htm index b27b937c0..37404fe88 100644 --- a/Shorewall-docs/Shorewall_sfindex_frame.htm +++ b/Shorewall-docs/Shorewall_sfindex_frame.htm @@ -2,164 +2,166 @@ - + - + - + - +Shorewall Index -+ + - + Copyright © 2001-2003 Thomas M. Eastep.
- + + +
-
-
-
-
+
+
+
+
diff --git a/Shorewall-docs/errata.htm b/Shorewall-docs/errata.htm index ecde1a8da..0007f0e49 100644 --- a/Shorewall-docs/errata.htm +++ b/Shorewall-docs/errata.htm @@ -2,619 +2,635 @@ +Shorewall 1.3 Errata - + + - + - +- -
- -- ++ + - - -- - -Shorewall Errata/Upgrade Issues
-IMPORTANT
- --
-
-
-
-
If you use a Windows system to download - a corrected script, be sure to run the script through - dos2unix after you have moved - it to your Linux system.
-
- -
-
-
If you are installing Shorewall for the -first time and plan to use the .tgz and install.sh script, you can -untar the archive, replace the 'firewall' script in the untarred directory - with the one you downloaded below, and then run install.sh.
-
- -
-
-
If you are running a Shorewall version earlier - than 1.3.11, when the instructions say to install a corrected firewall - script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall - or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite - the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall - or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall - and /var/lib/shorewall/firewall are symbolic links that point - to the 'shorewall' file used by your system initialization scripts - to start Shorewall during boot. It is that file that must be overwritten - with the corrected script. Beginning with Shorewall 1.3.11, -you may rename the existing file before copying in the new file.
-
- -
-
DO NOT INSTALL CORRECTED COMPONENTS - ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. -For example, do NOT install the 1.3.9a firewall script if you are running -1.3.7c.
-
-
+
Shorewall Errata/Upgrade Issues
+ + + + +IMPORTANT
+ +-
+
-
+
+
If you use a Windows system to download + a corrected script, be sure to run the script through + dos2unix after you have moved + it to your Linux system.
+
+ -
+
+
If you are installing Shorewall for the first +time and plan to use the .tgz and install.sh script, you can untar +the archive, replace the 'firewall' script in the untarred directory + with the one you downloaded below, and then run install.sh.
+
+ -
+
+
If you are running a Shorewall version earlier + than 1.3.11, when the instructions say to install a corrected firewall + script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall + or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite + the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall + or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall + and /var/lib/shorewall/firewall are symbolic links that point + to the 'shorewall' file used by your system initialization scripts + to start Shorewall during boot. It is that file that must be +overwritten with the corrected script. Beginning with Shorewall +1.3.11, you may rename the existing file before copying in the new file.
+
+ -
+
DO NOT INSTALL CORRECTED COMPONENTS + ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For + example, do NOT install the 1.3.9a firewall script if you are running +1.3.7c.
+
+
+
-
-
- Upgrade Issues -
- Problems - in Version 1.3 -
- Upgrade Issues +
- Problems + in Version 1.3 +
- Problems in Version 1.2 -
- Problems in Version 1.1 -
- Problem with iptables version 1.2.3 - on RH7.2 -
- Problems
+
- Problem with iptables version 1.2.3 + on RH7.2
+- Problems with kernels >= 2.4.18 and RedHat iptables
-- Problems installing/upgrading +
- Problems installing/upgrading RPM on SuSE
-- Problems with iptables version +
- Problems with iptables version 1.2.7 and MULTIPORT=Yes
-- Problems with RH Kernel 2.4.18-10 and -NAT
- +
-- Problems with RH Kernel 2.4.18-10 and + NAT
+
+
+ +
Problems in Version 1.3
- +Version 1.3.13
- +-
-
- The 'shorewall add' command produces an error message referring to -'find_interfaces_by_maclist'. -
- The 'shorewall delete' command can leave behind undeleted rules.
+ - The 'shorewall add' command produces an error message referring to + 'find_interfaces_by_maclist'. +
- The 'shorewall delete' command can leave behind undeleted rules.
+
+
+
+-
+
- VLAN interface names of the form "ethn.m" (e.g., eth0.1)
+are not supported in this version or in 1.3.12. If you need such support,
+post on the users list and I can provide you with a patched version.
-
- +Version 1.3.12
- +-
-
- If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is -the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is +
- If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is
+the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is
corrected by this
- firewall script which may be installed in /usr/lib/shorewall as described
- above.
-
-
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
+ firewall script which may be installed in /usr/lib/shorewall as described
+ above.
- VLAN interface names of the form "ethn.m" (e.g., eth0.1) +are not supported in this version or in 1.3.13. If you need such support, +post on the users list and I can provide you with a patched version.
+ - +
+Version 1.3.12 LRP
- --
-
- The .lrp was missing the /etc/shorewall/routestopped file -- a new
- lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.
-
-
-
Version 1.3.11a
-
-
- This
- copy of /etc/shorewall/rfc1918 reflects the recent allocation of 82.0.0.0/8.
+ - The .lrp was missing the /etc/shorewall/routestopped file -- a
+new lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.
Version 1.3.11a
+ +-
+
- This
+ copy of /etc/shorewall/rfc1918 reflects the recent allocation of 82.0.0.0/8.
+
+
+
Version 1.3.11
- +-
-
- When installing/upgrading using the .rpm, you may receive the +
- When installing/upgrading using the .rpm, you may receive the
following warnings:
-
- user teastep does not exist - using root
- group teastep does not exist - using root
-
- These warnings are harmless and may be ignored. Users downloading -the .rpm from shorewall.net or mirrors should no longer see these warnings +
+ user teastep does not exist - using root
+ group teastep does not exist - using root
+
+ These warnings are harmless and may be ignored. Users downloading +the .rpm from shorewall.net or mirrors should no longer see these warnings as the .rpm you will get from there has been corrected.
- - DNAT rules that exclude a source subzone (SOURCE column contains - ! followed by a sub-zone list) result in an error message and Shorewall +
- DNAT rules that exclude a source subzone (SOURCE column contains
+ ! followed by a sub-zone list) result in an error message and Shorewall
fails to start.
+
+ Install this + corrected script in /usr/lib/shorewall/firewall to correct this problem. + Thanks go to Roger Aich who analyzed this problem and provided a fix.
- Install this - corrected script in /usr/lib/shorewall/firewall to correct this problem. - Thanks go to Roger Aich who analyzed this problem and provided a fix.
-
- This problem is corrected in version 1.3.11a.
-
-
+ This problem is corrected in version 1.3.11a.
+ +Version 1.3.10
- +-
-
- If you experience problems connecting to a PPTP server running - on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, +
- If you experience problems connecting to a PPTP server running
+ on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
this
- version of the firewall script may help. Please report any cases
-where installing this script in /usr/lib/shorewall/firewall solved your
-connection problems. Beginning with version 1.3.10, it is safe to save
-the old version of /usr/lib/shorewall/firewall before copying in the
-new one since /usr/lib/shorewall/firewall is the real script now and
-not just a symbolic link to the real script.
-
-
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
+ version of the firewall script may help. Please report any cases where
+ installing this script in /usr/lib/shorewall/firewall solved your connection
+ problems. Beginning with version 1.3.10, it is safe to save the old version
+ of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
+ is the real script now and not just a symbolic link to the real script.
+ +Version 1.3.9a
- --
-
- If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No - then the following message appears during "shorewall [re]start": - -
-
+
- If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No + then the following message appears during "shorewall [re]start": + +
recalculate_interfacess: command not found
- +The updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - corrects this problem.Copy the script to /usr/lib/shorewall/firewall -as described above.
- -
-Alternatively, edit /usr/lob/shorewall/firewall and change the - single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' - to 'recalculate_interface'.
- -
--
-
- The installer (install.sh) issues a misleading message "Common
- functions installed in /var/lib/shorewall/functions" whereas the file
- is installed in /usr/lib/shorewall/functions. The installer also performs
- incorrectly when updating old configurations that had the file /etc/shorewall/functions.
- Here
- is an updated version that corrects these problems.
-
-
-
+Alternatively, edit /usr/lob/shorewall/firewall and change the + single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' + to 'recalculate_interface'.
-
+Version 1.3.9
- TUNNELS Broken in 1.3.9!!! There is an updated firewall - script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - -- copy that file to /usr/lib/shorewall/firewall as described above.
-
- Version 1.3.8-
-
- Use of shell variables in the LOG LEVEL or SYNPARMS -columns of the policy file doesn't work. -
- A DNAT rule with the same original and new IP addresses
- but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
- tcp 25 - 10.1.1.1")
-
-
+ - The installer (install.sh) issues a misleading message "Common
+ functions installed in /var/lib/shorewall/functions" whereas the file
+ is installed in /usr/lib/shorewall/functions. The installer also performs
+ incorrectly when updating old configurations that had the file /etc/shorewall/functions.
+ Here
+ is an updated version that corrects these problems.
+
+
Version 1.3.7b
- -DNAT rules where the source zone is 'fw' ($FW) - result in an error message. Installing - - this corrected firewall script in /var/lib/shorewall/firewall - as described above corrects this problem.
- -Version 1.3.7a
- -"shorewall refresh" is not creating the proper - rule for FORWARDPING=Yes. Consequently, after - "shorewall refresh", the firewall will not forward - icmp echo-request (ping) packets. Installing - - this corrected firewall script in /var/lib/shorewall/firewall - as described above corrects this problem.
- -Version <= 1.3.7a
- -If "norfc1918" and "dhcp" are both specified as - options on a given interface then RFC 1918 - checking is occurring before DHCP checking. This - means that if a DHCP client broadcasts using an - RFC 1918 source address, then the firewall will - reject the broadcast (usually logging it). This - has two problems:
- --
-
- If the firewall is running - a DHCP server, the client won't be - able to obtain an IP address lease -from that server. -
- With this order of checking, - the "dhcp" option cannot be used as - a noise-reduction measure where there - are both dynamic and static clients - on a LAN segment. - -
- This version of the 1.3.7a firewall script - corrects the problem. It must be installed - in /var/lib/shorewall as described -above.
- -Version 1.3.7
- -Version 1.3.7 dead on arrival -- please use - version 1.3.7a and check your version against - these md5sums -- if there's a difference, please - download again.
- -d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz
- -
6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrpIn other words, type "md5sum <whatever package you downloaded> - and compare the result with what you see above.
- -I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the - .7 version in each sequence from now on.
- -Version 1.3.6
- + +Version 1.3.9
+ TUNNELS Broken in 1.3.9!!! There is an updated firewall + script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall + -- copy that file to /usr/lib/shorewall/firewall as described above.
+
+ Version 1.3.8-
-
-
-
-
If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, - an error occurs when the firewall script attempts to add - an SNAT alias.
-
- -
-
-
The logunclean and dropunclean options - cause errors during startup when Shorewall is run with iptables - 1.2.7.
+ - Use of shell variables in the LOG LEVEL or SYNPARMS + columns of the policy file doesn't work. +
- A DNAT rule with the same original and new IP addresses
+ but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
+ tcp 25 - 10.1.1.1")
Version 1.3.7b
+ +DNAT rules where the source zone is 'fw' ($FW) + result in an error message. Installing + + this corrected firewall script in /var/lib/shorewall/firewall + as described above corrects this problem.
+ +Version 1.3.7a
+ +"shorewall refresh" is not creating the proper + rule for FORWARDPING=Yes. Consequently, after + "shorewall refresh", the firewall will not forward + icmp echo-request (ping) packets. Installing + + this corrected firewall script in /var/lib/shorewall/firewall + as described above corrects this problem.
+ +Version <= 1.3.7a
+ +If "norfc1918" and "dhcp" are both specified as + options on a given interface then RFC 1918 + checking is occurring before DHCP checking. This + means that if a DHCP client broadcasts using an + RFC 1918 source address, then the firewall will + reject the broadcast (usually logging it). This + has two problems:
+ +-
+
- If the firewall is +running a DHCP server, the client +won't be able to obtain an IP address + lease from that server. +
- With this order of +checking, the "dhcp" option cannot +be used as a noise-reduction measure +where there are both dynamic and static + clients on a LAN segment. + +
+ This version of the 1.3.7a firewall script + corrects the problem. It must be installed + in /var/lib/shorewall as described +above.
+ +Version 1.3.7
+ +Version 1.3.7 dead on arrival -- please use + version 1.3.7a and check your version against + these md5sums -- if there's a difference, please + download again.
+ +d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz
+ +
6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrpIn other words, type "md5sum <whatever package you downloaded> + and compare the result with what you see above.
+ +I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the + .7 version in each sequence from now on.
+ +Version 1.3.6
+ +-
+
-
+
+
+
If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, + an error occurs when the firewall script attempts to add + an SNAT alias.
+
+ -
+
+
The logunclean and dropunclean options + cause errors during startup when Shorewall is run with iptables + 1.2.7.
+
+
+
These problems are fixed in - this correct firewall script which must be installed in - /var/lib/shorewall/ as described above. These problems are also - corrected in version 1.3.7.
- + href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> + this correct firewall script which must be installed in + /var/lib/shorewall/ as described above. These problems are also + corrected in version 1.3.7. +Two-interface Samples 1.3.6 (file two-interfaces.tgz)
- -A line was inadvertently deleted from the "interfaces - file" -- this line should be added back in if the version that you + +
A line was inadvertently deleted from the "interfaces + file" -- this line should be added back in if the version that you downloaded is missing it:
- +net eth0 detect routefilter,dhcp,norfc1918
- -If you downloaded two-interfaces-a.tgz then the above - line should already be in the file.
- + +If you downloaded two-interfaces-a.tgz then the above + line should already be in the file.
+Version 1.3.5-1.3.5b
- -The new 'proxyarp' interface option doesn't work :-( - This is fixed in - this corrected firewall script which must be installed in - /var/lib/shorewall/ as described above.
- + +The new 'proxyarp' interface option doesn't work :-( + This is fixed in + this corrected firewall script which must be installed in + /var/lib/shorewall/ as described above.
+Versions 1.3.4-1.3.5a
- -Prior to version 1.3.4, host file entries such as the - following were allowed:
- -+ ++Prior to version 1.3.4, host file entries such as the + following were allowed:
+ +- -adm eth0:1.2.4.5,eth0:5.6.7.8
--+ +That capability was lost in version 1.3.4 so that it is only - possible to include a single host specification on each line. +
+- -That capability was lost in version 1.3.4 so that it is only + possible to include a single host specification on each line. This problem is corrected by this - modified 1.3.5a firewall script. Install the script in /var/lib/pub/shorewall/firewall + href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this + modified 1.3.5a firewall script. Install the script in /var/lib/pub/shorewall/firewall as instructed above.
-++ +- +This problem is corrected in version 1.3.5b.
-Version 1.3.5
- -REDIRECT rules are broken in this version. Install - - this corrected firewall script in /var/lib/pub/shorewall/firewall - as instructed above. This problem is corrected in version + +
REDIRECT rules are broken in this version. Install + + this corrected firewall script in /var/lib/pub/shorewall/firewall + as instructed above. This problem is corrected in version 1.3.5a.
- +Version 1.3.n, n < 4
- -The "shorewall start" and "shorewall restart" commands - to not verify that the zones named in the /etc/shorewall/policy -file have been previously defined in the /etc/shorewall/zones -file. The "shorewall check" command does perform this verification -so it's a good idea to run that command after you have made configuration + +
The "shorewall start" and "shorewall restart" commands + to not verify that the zones named in the /etc/shorewall/policy file + have been previously defined in the /etc/shorewall/zones file. +The "shorewall check" command does perform this verification so +it's a good idea to run that command after you have made configuration changes.
- +Version 1.3.n, n < 3
- -If you have upgraded from Shorewall 1.2 and after - "Activating rules..." you see the message: "iptables: No chains/target/match - by that name" then you probably have an entry in /etc/shorewall/hosts - that specifies an interface that you didn't include in -/etc/shorewall/interfaces. To correct this problem, you - must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and + +
If you have upgraded from Shorewall 1.2 and after + "Activating rules..." you see the message: "iptables: No chains/target/match + by that name" then you probably have an entry in /etc/shorewall/hosts + that specifies an interface that you didn't include in +/etc/shorewall/interfaces. To correct this problem, you +must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and later versions produce a clearer error message in this case.
- +Version 1.3.2
- -Until approximately 2130 GMT on 17 June 2002, the - download sites contained an incorrect version of the .lrp file. That - file can be identified by its size (56284 bytes). The correct -version has a size of 38126 bytes.
- + +Until approximately 2130 GMT on 17 June 2002, the + download sites contained an incorrect version of the .lrp file. That + file can be identified by its size (56284 bytes). The correct version + has a size of 38126 bytes.
+-
-
- The code to detect a duplicate interface -entry in /etc/shorewall/interfaces contained a typo that prevented - it from working correctly. -
- "NAT_BEFORE_RULES=No" was broken; it behaved - just like "NAT_BEFORE_RULES=Yes". - +
- The code to detect a duplicate interface + entry in /etc/shorewall/interfaces contained a typo that +prevented it from working correctly. +
- "NAT_BEFORE_RULES=No" was broken; it behaved + just like "NAT_BEFORE_RULES=Yes". +
Both problems are corrected in - this script which should be installed in /var/lib/shorewall + href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall"> + this script which should be installed in /var/lib/shorewall as described above.
- +-
-
-
-
-
The IANA have just announced the allocation of subnet +
-
+
+
+
The IANA have just announced the allocation of subnet 221.0.0.0/8. This - updated rfc1918 file reflects that allocation.
-
-
+ href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
+ updated rfc1918 file reflects that allocation.
+
+
Version 1.3.1
- +-
-
- TCP SYN packets may be double counted when - LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., +
- TCP SYN packets may be double counted when + LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each packet is sent through the limit chain twice). -
- An unnecessary jump to the policy chain +
- An unnecessary jump to the policy chain is sometimes generated for a CONTINUE policy. -
- When an option is given for more than one
- interface in /etc/shorewall/interfaces then depending
-on the option, Shorewall may ignore all but the first
-appearence of the option. For example:
-
- net eth0 dhcp
- loc eth1 dhcp
-
- Shorewall will ignore the 'dhcp' on eth1.
- - Update 17 June 2002 - The bug described
-in the prior bullet affects the following options: dhcp,
-dropunclean, logunclean, norfc1918, routefilter, multi,
-filterping and noping. An additional bug has been found
-that affects only the 'routestopped' option.
-
- Users who downloaded the corrected script prior - to 1850 GMT today should download and install the corrected - script again to ensure that this second problem is corrected.
-
+ - When an option is given for more than one
+ interface in /etc/shorewall/interfaces then depending
+on the option, Shorewall may ignore all but the first appearence
+of the option. For example:
+
+ net eth0 dhcp
+ loc eth1 dhcp
+
+ Shorewall will ignore the 'dhcp' on eth1.
+ - Update 17 June 2002 - The bug described
+in the prior bullet affects the following options: dhcp,
+ dropunclean, logunclean, norfc1918, routefilter, multi,
+ filterping and noping. An additional bug has been found
+ that affects only the 'routestopped' option.
+
+ Users who downloaded the corrected script prior + to 1850 GMT today should download and install the corrected + script again to ensure that this second problem is corrected.
+
These problems are corrected in - this firewall script which should be installed in /etc/shorewall/firewall + href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall"> + this firewall script which should be installed in /etc/shorewall/firewall as described above.
- +Version 1.3.0
- +-
-
- Folks who downloaded 1.3.0 from the links - on the download page before 23:40 GMT, 29 May 2002 may - have downloaded 1.2.13 rather than 1.3.0. The "shorewall - version" command will tell you which version that you +
- Folks who downloaded 1.3.0 from the links + on the download page before 23:40 GMT, 29 May 2002 may + have downloaded 1.2.13 rather than 1.3.0. The "shorewall + version" command will tell you which version that you have installed. -
- The documentation NAT.htm file uses non-existent - wallpaper and bullet graphic files. The - corrected version is here. - +
- The documentation NAT.htm file uses non-existent + wallpaper and bullet graphic files. The + corrected version is here. +
+ +
Upgrade Issues
- +The upgrade issues have moved to a separate page.
- -
-Problem with + +
+Problem with iptables version 1.2.3
- -- -
I have installed this RPM on my firewall and it works +fine. - -There are a couple of serious bugs in iptables 1.2.3 that - prevent it from working with Shorewall. Regrettably, RedHat - released this buggy iptables in RedHat 7.2.
+ ++ +
There are a couple of serious bugs in iptables 1.2.3 that + prevent it from working with Shorewall. Regrettably, RedHat + released this buggy iptables in RedHat 7.2.
- +I have built a - corrected 1.2.3 rpm which you can download here and I have also - built an -iptables-1.2.4 rpm which you can download here. If you are currently - running RedHat 7.1, you can install either of these RPMs - before you upgrade to RedHat 7.2.
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> + corrected 1.2.3 rpm which you can download here and I have +also built an + iptables-1.2.4 rpm which you can download here. If you are currently + running RedHat 7.1, you can install either of these RPMs + before you upgrade to RedHat 7.2. - -Update 11/9/2001: RedHat - has released an iptables-1.2.4 RPM of their own which you can download + +
Update 11/9/2001: RedHat + has released an iptables-1.2.4 RPM of their own which you can download from http://www.redhat.com/support/errata/RHSA-2001-144.html. - I have installed this RPM on my firewall and it works fine.
+ href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html. +If you would like to patch iptables 1.2.3 yourself, + +
If you would like to patch iptables 1.2.3 yourself, the patches are available for download. This patch - which corrects a problem with parsing of the --log-level specification + href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch + which corrects a problem with parsing of the --log-level specification while this patch - corrects a problem in handling the TOS target.
+ href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch + corrects a problem in handling the TOS target. - +To install one of the above patches:
+-
-
- cd iptables-1.2.3/extensions -
- patch -p0 < the-patch-file - -
- cd iptables-1.2.3/extensions
+- patch -p0 < the-patch-file
-Problems with kernels >= 2.4.18 - and RedHat iptables
- --
+ + - -Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 - may experience the following:
- -- -
- -# shorewall start
-
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)The RedHat iptables RPM is compiled with debugging enabled but the - user-space debugging code was not updated to reflect recent changes in - the Netfilter 'mangle' table. You can correct the problem by -installing - this iptables RPM. If you are already running a 1.2.5 version - of iptables, you will need to specify the --oldpackage option to -rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").
-Problems installing/upgrading + +
Problems with kernels >= 2.4.18 + and RedHat iptables
+ ++
+ + +Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 + may experience the following:
+ ++ +
+ +# shorewall start
+
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)The RedHat iptables RPM is compiled with debugging enabled but the + user-space debugging code was not updated to reflect recent changes in + the Netfilter 'mangle' table. You can correct the problem by installing + + this iptables RPM. If you are already running a 1.2.5 version + of iptables, you will need to specify the --oldpackage option to + rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").
+Problems installing/upgrading RPM on SuSE
- -If you find that rpm complains about a conflict - with kernel <= 2.2 yet you have a 2.4 kernel - installed, simply use the "--nodeps" option to - rpm.
- + +If you find that rpm complains about a conflict + with kernel <= 2.2 yet you have a 2.4 kernel + installed, simply use the "--nodeps" option to + rpm.
+Installing: rpm -ivh --nodeps <shorewall rpm>
- +Upgrading: rpm -Uvh --nodeps <shorewall rpm>
- -Problems with - iptables version 1.2.7 and MULTIPORT=Yes
- -The iptables 1.2.7 release of iptables has made - an incompatible change to the syntax used to - specify multiport match rules; as a consequence, - if you install iptables 1.2.7 you must be running - Shorewall 1.3.7a or later or:
- + +Problems with + iptables version 1.2.7 and MULTIPORT=Yes
+ +The iptables 1.2.7 release of iptables has made + an incompatible change to the syntax used to + specify multiport match rules; as a consequence, + if you install iptables 1.2.7 you must be running + Shorewall 1.3.7a or later or:
+-
-
- set MULTIPORT=No in +
- set MULTIPORT=No in /etc/shorewall/shorewall.conf; or -
- if you are running Shorewall - 1.3.6 you may install - - this firewall script in /var/lib/shorewall/firewall +
- if you are running +Shorewall 1.3.6 you may install + + this firewall script in /var/lib/shorewall/firewall as described above. - +
Problems with RH Kernel 2.4.18-10 and NAT
- /etc/shorewall/nat entries of the following form will result + + /etc/shorewall/nat entries of the following form will result in Shorewall being unable to start:
-
-
- +
+#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
- Error message is:
192.0.2.22 eth0 192.168.9.22 yes yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
- + Error message is:
+Setting up NAT...
- The solution is to put "no" in the LOCAL column. Kernel support - for LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. - The 2.4.19 kernel contains corrected support under a new kernel configuraiton - option; see http://www.shorewall.net/Documentation.htm#NAT
iptables: Invalid argument
Terminated
- -Last updated 1/21/2003 - - Tom Eastep
- + The solution is to put "no" in the LOCAL column. Kernel support + for LOCAL=yes has never worked properly and 2.4.18-10 has disabled +it. The 2.4.19 kernel contains corrected support under a new kernel +configuraiton option; see http://www.shorewall.net/Documentation.htm#NAT
+ +Last updated 1/25/2003 - + Tom Eastep
+Copyright © 2001, 2002, 2003 Thomas M. Eastep.
+ +
-
diff --git a/Shorewall-docs/images/Thumbs.db b/Shorewall-docs/images/Thumbs.db index b97a45e40..4d064dedc 100644 Binary files a/Shorewall-docs/images/Thumbs.db and b/Shorewall-docs/images/Thumbs.db differ diff --git a/Shorewall-docs/mailing_list.htm b/Shorewall-docs/mailing_list.htm index a975ef9de..f910c687e 100644 --- a/Shorewall-docs/mailing_list.htm +++ b/Shorewall-docs/mailing_list.htm @@ -1,140 +1,144 @@ - + - + - + - +Shorewall Mailing Lists - + - +- -
- +- ++ + - - +- + -
+ - -
-
- -
-
-
-+ + +
++ -Shorewall Mailing Lists
-- +
-
-
- +
+ + +
+-
- Powered by Postfix
-
+Powered by Postfix
+ + + + +Not getting List Mail? -- Check Here
- -If you experience problems with any of these lists, please - let me know
- + +If you experience problems with any of these lists, please + let me know
+Not able to Post Mail to shorewall.net?
- -You can report such problems by sending mail to tom dot eastep + +
You can report such problems by sending mail to tom dot eastep at hp dot com.
- +A Word about SPAM Filters
- -Before subscribing please read my policy - about list traffic that bounces. Also please note that the mail server + +
Before subscribing please read my policy + about list traffic that bounces. Also please note that the mail server at shorewall.net checks incoming mail:
- + +
--
-
- against Spamassassin +
- against Spamassassin
(including Vipul's Razor).
-
- - to ensure that the sender address is fully qualified. -
- to verify that the sender's domain has an A or MX record + +
- to ensure that the sender address is fully qualified. +
- to verify that the sender's domain has an A or MX record in DNS. -
- to ensure that the host name in the HELO/EHLO command is - a valid fully-qualified DNS name that resolves. - +
- to ensure that the host name in the HELO/EHLO command +is a valid fully-qualified DNS name that resolves. +
Please post in plain text
- A growing number of MTAs serving list subscribers are rejecting all -HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net -"for continuous abuse" because it has been my policy to allow HTML in list -posts!!
-
- I think that blocking all HTML is a Draconian way to control spam -and that the ultimate losers here are not the spammers but the list subscribers - whose MTAs are bouncing all shorewall.net mail. As one list subscriber -wrote to me privately "These e-mail admin's need to get a (explitive -deleted) life instead of trying to rid the planet of HTML based e-mail". -Nevertheless, to allow subscribers to receive list posts as must as possible, -I have now configured the list server at shorewall.net to strip all HTML -from outgoing posts. This means that HTML-only posts will be bounced by -the list server.
- -Note: The list server limits posts to 120kb.
+ A growing number of MTAs serving list subscribers are rejecting all + HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net + "for continuous abuse" because it has been my policy to allow HTML in list + posts!!
-
+
+ I think that blocking all HTML is a Draconian way to control spam + and that the ultimate losers here are not the spammers but the list subscribers + whose MTAs are bouncing all shorewall.net mail. As one list subscriber +wrote to me privately "These e-mail admin's need to get a (explitive deleted) + life instead of trying to rid the planet of HTML based e-mail". Nevertheless, + to allow subscribers to receive list posts as must as possible, I have now + configured the list server at shorewall.net to strip all HTML from outgoing + posts. This means that HTML-only posts will be bounced by the list server.
+Note: The list server limits posts to 120kb.
+
+Other Mail Delivery Problems
- If you find that you are missing an occasional list post, your e-mail -admin may be blocking mail whose Received: headers contain the names -of certain ISPs. Again, I believe that such policies hurt more than they help -but I'm not prepared to go so far as to start stripping Received: + If you find that you are missing an occasional list post, your e-mail + admin may be blocking mail whose Received: headers contain the names + of certain ISPs. Again, I believe that such policies hurt more than they +help but I'm not prepared to go so far as to start stripping Received: headers to circumvent those policies.
- +Mailing Lists Archive Search
- - + +Please do not try to download the +entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply +won't stand the traffic. If I catch you, you will be blacklisted.
+
+Shorewall CA Certificate
- If you want to trust X.509 certificates issued by Shoreline -Firewall (such as the one used on my web site), you may download and install my CA certificate - in your browser. If you don't wish to trust my certificates then you - can either use unencrypted access when subscribing to Shorewall mailing - lists or you can use secure access (SSL) and accept the server's certificate + If you want to trust X.509 certificates issued by Shoreline + Firewall (such as the one used on my web site), you may download and install my CA certificate + in your browser. If you don't wish to trust my certificates then you + can either use unencrypted access when subscribing to Shorewall mailing + lists or you can use secure access (SSL) and accept the server's certificate when prompted by your browser.
- +Shorewall Users Mailing List
- -The Shorewall Users Mailing list provides a way for users - to get answers to questions and to report problems. Information of - general interest to the Shorewall user community is also posted to + +
The Shorewall Users Mailing list provides a way for users + to get answers to questions and to report problems. Information of + general interest to the Shorewall user community is also posted to this list.
- -Before posting a problem report to this list, please see + +
Before posting a problem report to this list, please see the problem reporting guidelines.
- -To subscribe to the mailing list:
-
--
-
- Insecure: http://lists.shorewall.net/mailman/listinfo/shorewall-users -
- SSL: https//lists.shorewall.net/mailman/listinfo/shorewall-users -
To post to the list, post to shorewall-users@lists.shorewall.net.
- -The list archives are at http://lists.shorewall.net/pipermail/shorewall-users.
- -Note that prior to 1/1/2002, the mailing list was hosted -at Sourceforge. The archives from that -list may be found at www.geocrawler.com/lists/3/Sourceforge/9327/0/.
- -Shorewall Announce Mailing List
- -This list is for announcements of general interest to the - Shorewall community. To subscribe:
- -
--
-
- Insecure: http://lists.shorewall.net/mailman/listinfo/shorewall-announce -
- SSL: https//lists.shorewall.net/mailman/listinfo/shorewall-announce. -
- -
- The list archives are at http://lists.shorewall.net/pipermail/shorewall-announce.Shorewall Development Mailing List
- -The Shorewall Development Mailing list provides a forum for - the exchange of ideas about the future of Shorewall and for coordinating - ongoing Shorewall Development.
- +To subscribe to the mailing list:
+
-
-
- Insecure: Insecure: http://lists.shorewall.net/mailman/listinfo/shorewall-users +
- SSL: https//lists.shorewall.net/mailman/listinfo/shorewall-users + +
To post to the list, post to shorewall-users@lists.shorewall.net.
+ +The list archives are at http://lists.shorewall.net/pipermail/shorewall-users.
+ +Note that prior to 1/1/2002, the mailing list was hosted at +Sourceforge. The archives from that list +may be found at www.geocrawler.com/lists/3/Sourceforge/9327/0/.
+ +Shorewall Announce Mailing List
+ +This list is for announcements of general interest to the + Shorewall community. To subscribe:
+ + + +
+-
+
- Insecure: http://lists.shorewall.net/mailman/listinfo/shorewall-announce +
- SSL: https//lists.shorewall.net/mailman/listinfo/shorewall-announce. + +
+ +
+ The list archives are at http://lists.shorewall.net/pipermail/shorewall-announce.Shorewall Development Mailing List
+ +The Shorewall Development Mailing list provides a forum for + the exchange of ideas about the future of Shorewall and for coordinating + ongoing Shorewall Development.
+ +To subscribe to the mailing list:
+ +
+-
+
- Insecure: http://lists.shorewall.net/mailman/listinfo/shorewall-devel -
- SSL: SSL: https//lists.shorewall.net/mailman/listinfo/shorewall-devel. +
To post to the list, post to shorewall-devel@lists.shorewall.net.
- +The list archives are at http://lists.shorewall.net/pipermail/shorewall-devel.
- -How to Unsubscribe from one of + +
How to Unsubscribe from one of the Mailing Lists
- -There seems to be near-universal confusion about unsubscribing - from Mailman-managed lists although Mailman 2.1 has attempted to + +
There seems to be near-universal confusion about unsubscribing + from Mailman-managed lists although Mailman 2.1 has attempted to make this less confusing. To unsubscribe:
- +-
-
-
-
-
Follow the same link above that you used to subscribe +
-
+
+
Follow the same link above that you used to subscribe to the list.
-
- -
-
-
Down at the bottom of that page is the following text: - " To unsubscribe from <list name>, get a password - reminder, or change your subscription options enter your subscription - email address:". Enter your email address in the box and click +
+ -
+
+
Down at the bottom of that page is the following text: + " To unsubscribe from <list name>, get a password + reminder, or change your subscription options enter your subscription + email address:". Enter your email address in the box and click on the "Unsubscribe or edit options" button.
-
- -
-
-
There will now be a box where you can enter your password - and click on "Unsubscribe"; if you have forgotten your password, -there is another button that will cause your password to be emailed +
+ -
+
+
There will now be a box where you can enter your password + and click on "Unsubscribe"; if you have forgotten your password, +there is another button that will cause your password to be emailed to you.
-
-
+
+
+ +
Frustrated by having to Rebuild Mailman to use it with Postfix?
- + - +Last updated 1/14/2003 - Tom Eastep
- -Copyright © -2001, 2002, 2003 Thomas M. Eastep.
+ +
-Copyright +© 2001, 2002, 2003 Thomas M. Eastep.
+
+
diff --git a/Shorewall-docs/myfiles.htm b/Shorewall-docs/myfiles.htm index a05025c11..e43a34778 100644 --- a/Shorewall-docs/myfiles.htm +++ b/Shorewall-docs/myfiles.htm @@ -1,144 +1,146 @@ - +My Shorewall Configuration - + - - + + - +- -
+ + -- +- + + - - -+ -About My Network
-
- -My Current Network
+ +-
+Warning: I -use a combination of Static NAT and Proxy ARP, neither of which are relevant -to a simple configuration with a single public IP address. -If you have just a single public IP address, most of what you see here won't -apply to your setup so beware of copying parts of this configuration and -expecting them to work for you. They may or may not work in your setup.
-
-I have DSL service and have 5 static IP addresses (206.124.146.176-180). - My DSL "modem" (Fujitsu Speedport) - is connected to eth0. I have a local network connected to eth2 (subnet -192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24).
- +
+ +My Current Network
+ ++
- +Warning: I +use a combination of Static NAT and Proxy ARP, neither of which are relevant +to a simple configuration with a single public IP address. +If you have just a single public IP address, most of what you see here won't +apply to your setup so beware of copying parts of this configuration and expecting +them to work for you. What you copy may or may not work in your setup.
+ +
+I have DSL service and have 5 static IP addresses (206.124.146.176-180). + My DSL "modem" (Fujitsu Speedport) + is connected to eth0. I have a local network connected to eth2 (subnet + 192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24).
+I use:
- + +
--
-
- Static NAT for ursa (my XP System) - Internal address 192.168.1.5 - and external address 206.124.146.178. -
- Proxy ARP for wookie (my Linux System). This system has two +
- Static NAT for ursa (my XP System) - Internal address 192.168.1.5 + and external address 206.124.146.178. +
- Proxy ARP for wookie (my Linux System). This system has two IP addresses: 192.168.1.3/24 and 206.124.146.179/24. -
- SNAT through the primary gateway address (206.124.146.176) -for my Wife's system (tarry) and the Wireless Access Point (wap) - +
- SNAT through the primary gateway address (206.124.146.176) + for my Wife's system (tarry) and the Wireless Access Point (wap) +
The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.
- -Wookie runs Samba and acts as the a WINS server. Wookie is in its - own 'whitelist' zone called 'me'.
- -My laptop (eastept1) is connected to eth3 using a cross-over cable. - It runs its own Sygate firewall software - and is managed by Proxy ARP. It connects to the local network through -the PopTop server running on my firewall.
- -The single system in the DMZ (address 206.124.146.177) runs postfix, - Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server - (Pure-ftpd). The system also runs fetchmail to fetch our email from -our old and current ISPs. That server is managed through Proxy ARP.
- -The firewall system itself runs a DHCP server that serves the local - network.
- + +Wookie runs Samba and acts as the a WINS server. Wookie is in its + own 'whitelist' zone called 'me'.
+ +My laptop (eastept1) is connected to eth3 using a cross-over cable. + It runs its own Sygate firewall +software and is managed by Proxy ARP. It connects to the local network +through the PopTop server running on my firewall.
+ +The single system in the DMZ (address 206.124.146.177) runs postfix, + Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP +server (Pure-ftpd). The system also runs fetchmail to fetch our email +from our old and current ISPs. That server is managed through Proxy ARP.
+ +The firewall system itself runs a DHCP server that serves the local + network.
+All administration and publishing is done using ssh/scp.
- +I run an SNMP server on my firewall to serve MRTG running - in the DMZ.
- + href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG running + in the DMZ. +
- + +
-
- -The ethernet interface in the Server is configured - with IP address 206.124.146.177, netmask - 255.255.255.0. The server's default gateway is - 206.124.146.254 (Router at my ISP. This is the same - default gateway used by the firewall itself). On the firewall, - Shorewall automatically adds a host route to - 206.124.146.177 through eth1 (192.168.2.1) because - of the entry in /etc/shorewall/proxyarp (see -below).
- -A similar setup is used on eth3 (192.168.3.1) which - interfaces to my laptop (206.124.146.180).
- -
-Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior + +
The ethernet interface in the Server is configured + with IP address 206.124.146.177, netmask + 255.255.255.0. The server's default gateway is + 206.124.146.254 (Router at my ISP. This is the same + default gateway used by the firewall itself). On the firewall, + Shorewall automatically adds a host route to + 206.124.146.177 through eth1 (192.168.2.1) because + of the entry in /etc/shorewall/proxyarp (see + below).
+ +A similar setup is used on eth3 (192.168.3.1) which + interfaces to my laptop (206.124.146.180).
+ +
+Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior access.
- + + -
-Shorewall.conf
- +SUBSYSLOCK=/var/lock/subsys/shorewall
- +
STATEDIR=/var/state/shorewall
LOGRATE=
LOGBURST=
ADD_IP_ALIASES="Yes"
CLAMPMSS=Yes
MULTIPORT=YesZones File:
- +#ZONE DISPLAY COMMENTS
- +
net Internet Internet
me Eastep My Workstation
loc Local Local networks
dmz DMZ Demilitarized zone
tx Texas Peer Network in Dallas Texas
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVEInterfaces File:
- --
- + +This is set up so that I can start the firewall before bringing up my -Ethernet interfaces.
-+
+This is set up so that I can start the firewall before bringing up +my Ethernet interfaces.
+#ZONE INTERFACE BROADCAST OPTIONS
- +
net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping
loc eth2 192.168.1.255 dhcp,filterping,maclist
dmz eth1 206.124.146.255 filterping
net eth3 206.124.146.255 filterping,blacklist
- texas - filterping
loc ppp+ - filterping
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVEHosts File:
- +#ZONE HOST(S) OPTIONS
- +
me eth2:192.168.1.3,eth2:206.124.146.179
tx texas:192.168.9.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVERoutestopped File:
- +#INTERFACE HOST(S)
- -
eth1 206.124.146.177
eth2 -
eth3 206.124.146.180Common File:
- -. /etc/shorewall/common.def
-
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROPPolicy File:
+Common File:
+ +. /etc/shorewall/common.def
+ +
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROPPolicy File:
+#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST me all ACCEPT @@ -146,42 +148,43 @@ Ethernet interfaces. all me CONTINUE #WARNING: You must be running Shorewall 1.3.1 or later for
- -
# this policy to work as expected!!!
loc loc ACCEPT
loc net ACCEPT
$FW loc ACCEPT
$FW tx ACCEPT
loc tx ACCEPT
loc fw REJECT
net net ACCEPT
net all DROP info 10/sec:40
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTEMasq File:
- -- -
+Although most of our internal systems use static NAT, my wife's system - (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with - laptops. Also, I masquerade wookie to the peer subnet in Texas.
-Masq File:
+ ++ +
+Although most of our internal systems use static NAT, my wife's system + (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with + laptops. Also, I masquerade wookie to the peer subnet in Texas.
+#INTERFACE SUBNET ADDRESS
- +
eth0 192.168.1.0/24 206.124.146.176
texas 206.124.146.179 192.168.1.254
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVENAT File:
- +#EXTERNAL INTERFACE INTERNAL ALL LOCAL
- +
206.124.146.178 eth0 192.168.1.5 No No
206.124.146.179 eth0 192.168.1.3 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVEProxy ARP File:
- +#ADDRESS INTERFACE EXTERNAL HAVEROUTE
- +
206.124.146.177 eth1 eth0 No
206.124.146.180 eth3 eth0 No#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Tunnels File (Shell variable TEXAS set in /etc/shorewall/params):
- +#TYPE ZONE GATEWAY
- -
gre net $TEXAS
#LAST LINE -- DO NOT REMOVERules File (The shell variables - are set in /etc/shorewall/params):
- + +Rules File (The shell variables + are set in /etc/shorewall/params):
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
- -
# PORT(S) PORT(S) PORT(S) DEST
#
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:info loc net tcp 6667
#
# Local Network to Firewall
#
ACCEPT loc fw tcp ssh
ACCEPT loc fw tcp time
#
# Local Network to DMZ
#
ACCEPT loc dmz udp domain
ACCEPT loc dmz tcp smtp
ACCEPT loc dmz tcp domain
ACCEPT loc dmz tcp ssh
ACCEPT loc dmz tcp auth
ACCEPT loc dmz tcp imap
ACCEPT loc dmz tcp https
ACCEPT loc dmz tcp imaps
ACCEPT loc dmz tcp cvspserver
ACCEPT loc dmz tcp www
ACCEPT loc dmz tcp ftp
ACCEPT loc dmz tcp pop3
ACCEPT loc dmz icmp echo-request
#
# Internet to DMZ
#
ACCEPT net dmz tcp www
ACCEPT net dmz tcp smtp
ACCEPT net dmz tcp ftp
ACCEPT net dmz tcp auth
ACCEPT net dmz tcp https
ACCEPT net dmz tcp imaps
ACCEPT net dmz tcp domain
ACCEPT net dmz tcp cvspserver
ACCEPT net dmz udp domain
ACCEPT net dmz icmp echo-request
ACCEPT net:$MIRRORS dmz tcp rsync
#
# Net to Me (ICQ chat and file transfers)
#
ACCEPT net me tcp 4000:4100
#
# Net to Local
#
ACCEPT net loc tcp auth
REJECT net loc tcp www
ACCEPT net loc:192.168.1.5 tcp 1723
ACCEPT net loc:192.168.1.5 gre
#
# DMZ to Internet
#
ACCEPT dmz net icmp echo-request
ACCEPT dmz net tcp smtp
ACCEPT dmz net tcp auth
ACCEPT dmz net tcp domain
ACCEPT dmz net tcp www
ACCEPT dmz net tcp https
ACCEPT dmz net tcp whois
ACCEPT dmz net tcp echo
ACCEPT dmz net udp domain
ACCEPT dmz net:$NTPSERVERS udp ntp
ACCEPT dmz net:$POPSERVERS tcp pop3
#
# The following compensates for a bug, either in some FTP clients or in the
# Netfilter connection tracking code that occasionally denies active mode
# FTP clients
#
ACCEPT:info dmz net tcp 1024: 20
#
# DMZ to Firewall -- snmp
#
ACCEPT dmz fw tcp snmp
ACCEPT dmz fw udp snmp
#
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp
ACCEPT dmz loc tcp auth
ACCEPT dmz loc icmp echo-request
# Internet to Firewall
#
REJECT net fw tcp www
#
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp
ACCEPT fw net udp domain
ACCEPT fw net tcp domain
ACCEPT fw net tcp www
ACCEPT fw net tcp https
ACCEPT fw net tcp ssh
ACCEPT fw net tcp whois
ACCEPT fw net icmp echo-request
#
# Firewall to DMZ
#
ACCEPT fw dmz tcp www
ACCEPT fw dmz tcp ftp
ACCEPT fw dmz tcp ssh
ACCEPT fw dmz tcp smtp
ACCEPT fw dmz udp domain
#
# Let Texas Ping
#
ACCEPT tx fw icmp echo-request
ACCEPT tx loc icmp echo-request
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVELast updated 1/12/2003 - - Tom Eastep + +
Last updated 1/12/2003 - + Tom Eastep
- Copyright © + Copyright © 2001, 2002, 2003 Thomas M. Eastep.
+
diff --git a/Shorewall-docs/ping.html b/Shorewall-docs/ping.html index c8ffb46bd..fdf4b1126 100644 --- a/Shorewall-docs/ping.html +++ b/Shorewall-docs/ping.html @@ -2,137 +2,148 @@ICMP Echo-request (Ping) - + - + - +- -
-- ++ + - - + + + +ICMP Echo-request (Ping)
-
- Shorewall 'Ping' management has evolved over time with the latest change -coming in Shorewall version 1.3.14. In that version, a new option (OLD_PING_HANDLING) -was added to /etc/shorewall/shorewall.conf. The value of that option determines +
+ Shorewall 'Ping' management has evolved over time with the latest change +coming in Shorewall version 1.3.14. In that version, a new option (OLD_PING_HANDLING) +was added to /etc/shorewall/shorewall.conf. The value of that option determines the overall handling of ICMP echo requests (pings).
+Shorewall Versions >= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf
-In 1.3.14, Ping handling was put under control of the rules and policies -just like any other connection request. In order to accept ping requests -from zone z1 to zone z2, you need a rule in /etc/shoreall/rules of the form:
-ACCEPT z1 z2 + In 1.3.14, Ping handling was put under control of the rules and policies +just like any other connection request. In order to accept ping requests from +zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need +a rule in /etc/shoreall/rules of the form:
+ With that rule in place, if you want to ignore 'ping' from z1 to z2 then you need a rule of the form:
+ +ACCEPT z1 z2 icmp 8
-Example:
-
-
-To permit ping from the local zone to the firewall:
-ACCEPT loc fw +
+ Example:
+
+ To permit ping from the local zone to the firewall:
+ +ACCEPT loc fw icmp 8
- If you would like to accept 'ping' by default, create /etc/shorewall/icmpdef -if it doesn't already exist and in that file place the following command:
-
-+
+ If you would like to accept 'ping' by default even when the relevant +policy is DROP or REJECT, create /etc/shorewall/icmpdef if it doesn't +already exist and in that file place the following command:
+ +
-With that rule in place, if you want to ignore 'ping' from z1 to z2 then +run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT
-
-DROP z1 z2 + +
+DROP z1 z2 icmp 8
-Example:
-
-
-To drop ping from the internet, you would need this rule in /etc/shorewall/rules:
-DROP net fw +
+ Example:
+
+ To drop ping from the internet, you would need this rule in /etc/shorewall/rules:
+ +DROP net fw icmp 8
+
-
+Shorewall Versions < 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
-There are several aspects to the old Shorewall Ping management:
-
- --
-
- The noping and filterping interface options in /etc/shorewall/interfaces. -
- The FORWARDPING option in -/etc/shorewall/shorewall.conf. -
- Explicit rules in /etc/shorewall/rules. - -
- --
-
- Ping requests addressed to the firewall itself; and -
- Ping requests being forwarded to another system. Included here are -all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple -routing. - -
- -Ping Requests Addressed to the Firewall Itself
- For ping requests addressed to the firewall, the sequence is as follows:
- --
-
- If neither noping nor filterping are specified for the -interface that receives the ping request then the request will be responded -to with an ICMP echo-reply. -
- If noping is specified for the interface that receives the -ping request then the request is ignored. -
- If filterping is specified for the interface then the request -is passed to the rules/policy evaluation. - -
Ping Requests Forwarded by the Firewall
- These requests are always passed to rules/policy evaluation.
- -Rules Evaluation
- Ping requests are ICMP type 8. So the general rule format is:
-
- Target Source -Destination icmp 8
-
- Example 1. Accept pings from the net to the dmz (pings are responded to -with an ICMP echo-reply):
-
- ACCEPT net dmz -icmp 8
-
- Example 2. Drop pings from the net to the firewall
-
- DROP net fw -icmp 8
- -Policy Evaluation
- If no applicable rule is found, then the policy for the source to the destination -is applied.
- --
-
- If the relevant policy is ACCEPT then the request is responded to -with an ICMP echo-reply. -
- If FORWARDPING is set to Yes in /etc/shorewall/shorewall.conf -then the request is responded to with an ICMP echo-reply. -
- Otherwise, the relevant REJECT or DROP policy is used and the request -is either rejected or simply ignored. - -
Updated 1/21/2003 - Tom Eastep -
+ + There are several aspects to the old Shorewall Ping management:
+-
+
- The noping and filterping interface options in /etc/shorewall/interfaces. +
- The FORWARDPING option in +/etc/shorewall/shorewall.conf. +
- Explicit rules in /etc/shorewall/rules. + +
+ +-
+
- Ping requests addressed to the firewall itself; and +
- Ping requests being forwarded to another system. Included here are + all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple + routing. + +
+ +Ping Requests Addressed to the Firewall Itself
+ For ping requests addressed to the firewall, the sequence is as follows:
+ +-
+
- If neither noping nor filterping are specified for +the interface that receives the ping request then the request will be responded + to with an ICMP echo-reply. +
- If noping is specified for the interface that receives the +ping request then the request is ignored. +
- If filterping is specified for the interface then the request + is passed to the rules/policy evaluation. + +
Ping Requests Forwarded by the Firewall
+ These requests are always passed to rules/policy evaluation.
+ +Rules Evaluation
+ Ping requests are ICMP type 8. So the general rule format is:
+
+ Target Source +Destination icmp 8
+
+ Example 1. Accept pings from the net to the dmz (pings are responded to +with an ICMP echo-reply):
+
+ ACCEPT net dmz + icmp 8
+
+ Example 2. Drop pings from the net to the firewall
+
+ DROP net fw + icmp 8
+ +Policy Evaluation
+ If no applicable rule is found, then the policy for the source to the destination + is applied.
+ +-
+
- If the relevant policy is ACCEPT then the request is responded to +with an ICMP echo-reply. +
- If FORWARDPING is set to Yes in /etc/shorewall/shorewall.conf + then the request is responded to with an ICMP echo-reply. +
- Otherwise, the relevant REJECT or DROP policy is used and the request + is either rejected or simply ignored. + +
Updated 1/21/2003 - Tom Eastep +
+Copyright © 2001, 2002, 2003 Thomas M. Eastep.
+
diff --git a/Shorewall-docs/seattlefirewall_index.htm b/Shorewall-docs/seattlefirewall_index.htm index d2dcaebb3..30a87e416 100644 --- a/Shorewall-docs/seattlefirewall_index.htm +++ b/Shorewall-docs/seattlefirewall_index.htm @@ -5,7 +5,7 @@ - +Shoreline Firewall (Shorewall) 1.3 @@ -13,21 +13,22 @@ -+ - + - + -
- -+ - + - - - + + ++ @@ -35,14 +36,15 @@ - + + -
+ Shorewall +1.3 - "iptables made +easy" @@ -50,41 +52,42 @@ - + + + -
- Shorewall 1.3
- - "iptables made easy"
+
-- -- +- + + + +++ + -- + -
-+ - + - - - + + ++ @@ -92,7 +95,8 @@ - + + + -What is it?
@@ -103,11 +107,11 @@ - -The Shoreline Firewall, more commonly known as "Shorewall", is a - Netfilter (iptables) based firewall - that can be used on a dedicated firewall system, a multi-function - gateway/router/server or on a standalone GNU/Linux system.
+ +The Shoreline Firewall, more commonly known as "Shorewall", is +a Netfilter (iptables) based +firewall that can be used on a dedicated firewall system, a multi-function + gateway/router/server or on a standalone GNU/Linux system.
@@ -117,26 +121,26 @@ - -This program is free software; you can redistribute it and/or modify - it under the terms of Version 2 of the GNU General -Public License as published by the Free Software Foundation.
+ +This program is free software; you can redistribute it and/or modify + it under the terms of Version 2 of the GNU +General Public License as published by the Free Software Foundation.
+ You should have received a copy of the + GNU General Public License along with this + program; if not, write to the Free Software Foundation, + Inc., 675 Mass Ave, Cambridge, MA 02139, USA @@ -146,7 +150,7 @@ program; if not, write to the Free Software Foundation, - +
-
+
- This program is distributed in the hope - that it will be useful, but WITHOUT ANY WARRANTY; - without even the implied warranty of MERCHANTABILITY - or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details.
+ This program is distributed in the hope + that it will be useful, but WITHOUT ANY WARRANTY; + without even the implied warranty of MERCHANTABILITY + or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details.
-
+
- You should have received a copy of the -GNU General Public License along with this -program; if not, write to the Free Software Foundation, - Inc., 675 Mass Ave, Cambridge, MA 02139, USACopyright 2001, 2002, 2003 Thomas M. Eastep
@@ -157,28 +161,30 @@ program; if not, write to the Free Software Foundation, - +
+ - -
- Jacques Nilo and Eric Wolzak
-have a LEAF (router/firewall/gateway on a floppy, CD or
-compact flash) distribution called Bering
- that features Shorewall-1.3.10 and Kernel-2.4.18.
+ Jacques Nilo and Eric Wolzak
+ have a LEAF (router/firewall/gateway on a floppy, CD
+ or compact flash) distribution called Bering
+ that features Shorewall-1.3.10 and Kernel-2.4.18.
You can find their work at: http://leaf.sourceforge.net/devel/jnilo
-Congratulations to Jacques and Eric on the recent release of Bering -1.0 Final!!!
+ + +
-Congratulations to Jacques and Eric on the recent release of +Bering 1.0 Final!!!
- -
+This is a mirror of the main Shorewall web site at SourceForge (http://shorewall.sf.net)
+ + +This is a mirror of the main Shorewall web site at SourceForge +(http://shorewall.sf.net)
@@ -190,7 +196,8 @@ compact flash) distribution called Bering - + +News
@@ -200,8 +207,8 @@ compact flash) distribution called Bering - - + + @@ -209,322 +216,431 @@ compact flash) distribution called Bering - -1/18/2002 - Shorewall 1.3.13 Documentation in PDF Format
+
+ 1/28/2003 - Shorewall 1.3.14-Beta2
- -
Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 -documenation. the PDF may be downloaded from
- Includes the Beta 1 content plus restores VLAN device names of the +form $dev.$vid (e.g., eth0.1) + +The beta may be downloaded from:
+ +
+http://www.shorewall.net/pub/shorewall/Beta
+ +
+ ftp://ftp.shorewall.net/pub/shorewall/Beta
+1/25/2003 - Shorewall 1.3.14-Beta1
+ +
+
+The Beta includes the following changes:
+ +
+-
+
- An OLD_PING_HANDLING option has been added to shorewall.conf.
+ When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).
+
+ When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and policies + just like any other connection request. The FORWARDPING=Yes option in shorewall.conf + and the 'noping' and 'filterping' options in /etc/shorewall/interfaces will + all generate an error.
+
+
+ - It is now possible to direct Shorewall to create a "label"
+such as "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
+and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of
+just the interface name:
+
+ a) In the INTERFACE column of /etc/shorewall/masq
+ b) In the INTERFACE column of /etc/shorewall/nat
+
+ - When an interface name is entered in the SUBNET column of the
+ /etc/shorewall/masq file, Shorewall previously masqueraded traffic from
+only the first subnet defined on that interface. It did not masquerade traffic
+ from:
+
+ a) The subnets associated with other addresses on the interface.
+ b) Subnets accessed through local routers.
+
+ Beginning with Shorewall 1.3.14, if you enter an interface name in the +SUBNET column, shorewall will use the firewall's routing table to construct +the masquerading/SNAT rules.
+
+ Example 1 -- This is how it works in 1.3.14.
+
+ +[root@gateway test]# cat /etc/shorewall/masq
+ +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE[root@gateway test]# ip route show dev eth2
+ +
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254[root@gateway test]# shorewall start
+ When upgrading to Shorewall 1.3.14, if you have multiple local subnets +connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq + entry, your /etc/shorewall/masq file will need changing. In most cases, you + will simply be able to remove redundant entries. In some cases though, you + might want to change from using the interface name to listing specific subnetworks + if the change described above will cause masquerading to occur on subnetworks + that you don't wish to masquerade.
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
+
+ Example 2 -- Suppose that your current config is as follows:
+ +[root@gateway test]# cat /etc/shorewall/masq
+ +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE[root@gateway test]# ip route show dev eth2
+ In this case, the second entry in /etc/shorewall/masq is no longer +required.
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+
+ Example 3 -- What if your current configuration is like this?
+ +[root@gateway test]# cat /etc/shorewall/masq
+ +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE[root@gateway test]# ip route show dev eth2
+ In this case, you would want to change the entry in /etc/shorewall/masq + to:
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+ +#INTERFACE SUBNET ADDRESS
+
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+ +http://www.shorewall.net/pub/shorewall/Beta
+ +
+ ftp://ftp.shorewall.net/pub/shorewall/Beta
+1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format +
+ +Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 + documenation. the PDF may be downloaded from
+ ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/ - -1/17/2003 - shorewall.net has MOVED
- + http://slovakia.shorewall.net/pub/shorewall/pdf/ + +
- 1/17/2003 - shorewall.net has MOVED
+Thanks to the generosity of Alex Martin and Rett Consulting, www.shorewall.net and -ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A -big thanks to Alex for making this happen.
- + href="http://www.rettc.com">Rett Consulting, www.shorewall.net and ftp.shorewall.net +are now hosted on a system in Bellevue, Washington. A big thanks to Alex +for making this happen.
-
+ +1/13/2003 - Shorewall 1.3.13
- + +
-Just includes a few things that I had on the burner:
- + +
--
-
- A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
- file. DNAT- is intended for advanced users who wish to minimize the number
- of rules that connection requests must traverse.
-
- A Shorewall DNAT rule actually generates two iptables rules: a header -rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' table. -A DNAT- rule only generates the first of these rules. This is handy when -you have several DNAT rules that would generate the same ACCEPT rule.
-
- Here are three rules from my previous rules file:
-
- DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
- DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
- ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
-
- These three rules ended up generating _three_ copies of
-
- ACCEPT net dmz:206.124.146.177 tcp smtp
-
- By writing the rules this way, I end up with only one copy of the -ACCEPT rule.
-
- DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
- DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
- ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,....
-
-
- - The 'shorewall check' command now prints out the applicable
- policy between each pair of zones.
-
-
- - A new CLEAR_TC option has been added to shorewall.conf. If
-this option is set to 'No' then Shorewall won't clear the current traffic
-control rules during [re]start. This setting is intended for use by people
-that prefer to configure traffic shaping when the network interfaces come
-up rather than when the firewall is started. If that is what you want to
-do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
-file. That way, your traffic shaping rules can still use the 'fwmark' classifier
-based on packet marking defined in /etc/shorewall/tcrules.
-
-
- - A new SHARED_DIR variable has been added that allows distribution
- packagers to easily move the shared directory (default /usr/lib/shorewall).
- Users should never have a need to change the value of this shorewall.conf
- setting.
-
-
+ - A new 'DNAT-' action has been added for entries in the
+/etc/shorewall/rules file. DNAT- is intended for advanced users who wish
+to minimize the number of rules that connection requests must traverse.
+
+ A Shorewall DNAT rule actually generates two iptables rules: a header + rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' table. + A DNAT- rule only generates the first of these rules. This is handy when + you have several DNAT rules that would generate the same ACCEPT rule.
+
+ Here are three rules from my previous rules file:
+
+ DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
+ DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
+ ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
+
+ These three rules ended up generating _three_ copies of
+
+ ACCEPT net dmz:206.124.146.177 tcp smtp
+
+ By writing the rules this way, I end up with only one copy of the + ACCEPT rule.
+
+ DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
+ DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
+ ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,....
+
+
+ - The 'shorewall check' command now prints out the applicable
+ policy between each pair of zones.
+
+
+ - A new CLEAR_TC option has been added to shorewall.conf.
+If this option is set to 'No' then Shorewall won't clear the current traffic
+ control rules during [re]start. This setting is intended for use by people
+ that prefer to configure traffic shaping when the network interfaces come
+ up rather than when the firewall is started. If that is what you want
+to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
+ file. That way, your traffic shaping rules can still use the 'fwmark'
+classifier based on packet marking defined in /etc/shorewall/tcrules.
+
+
+ - A new SHARED_DIR variable has been added that allows distribution
+ packagers to easily move the shared directory (default /usr/lib/shorewall).
+ Users should never have a need to change the value of this shorewall.conf
+ setting.
+
+
1/6/2003 - BURNOUT -
- -Until further notice, I will not be involved in either Shorewall - Development or Shorewall Support
- + +1/6/2003 - BURNOUT +
+ + +Until further notice, I will not be involved in either Shorewall + Development or Shorewall Support
+ +-Tom Eastep
- -
-12/30/2002 - Shorewall Documentation in PDF Format -
+ - -Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 - documenation. the PDF may be downloaded from
+ +12/30/2002 - Shorewall Documentation in PDF Format +
- + +Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 + documenation. the PDF may be downloaded from
+ +ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
+ + +
- http://slovakia.shorewall.net/pub/shorewall/pdf/
+12/27/2002 - Shorewall 1.3.12 Released +
+ + +Features include:
- -
12/27/2002 - Shorewall 1.3.12 Released -
- - -Features include:
- - +
--
-
- "shorewall refresh" now reloads the traffic shaping - rules (tcrules and tcstart). -
- "shorewall debug [re]start" now turns off debugging - after an error occurs. This places the point of the failure near the - end of the trace rather than up in the middle of it. -
- "shorewall [re]start" has been speeded up by more -than 40% with my configuration. Your milage may vary. -
- A "shorewall show classifiers" command has been added - which shows the current packet classification filters. The output +
- "shorewall refresh" now reloads the traffic shaping + rules (tcrules and tcstart). +
- "shorewall debug [re]start" now turns off debugging + after an error occurs. This places the point of the failure near the + end of the trace rather than up in the middle of it. +
- "shorewall [re]start" has been speeded up by more + than 40% with my configuration. Your milage may vary. +
- A "shorewall show classifiers" command has been +added which shows the current packet classification filters. The output from this command is also added as a separate page in "shorewall monitor" -
- ULOG (must be all caps) is now accepted as a valid -syslog level and causes the subject packets to be logged using the ULOG -target rather than the LOG target. This allows you to run ulogd (available -from http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages to - a separate log file. -
- If you are running a kernel that has a FORWARD chain - in the mangle table ("shorewall show mangle" will show you the chains - in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for marking - input packets based on their destination even when you are using Masquerading - or SNAT. -
- I have cluttered up the /etc/shorewall directory with - empty 'init', 'start', 'stop' and 'stopped' files. If you already -have a file with one of these names, don't worry -- the upgrade process -won't overwrite your file. -
- I have added a new RFC1918_LOG_LEVEL variable to shorewall.conf. This variable specifies
- the syslog level at which packets are logged as a result of entries in
- the /etc/shorewall/rfc1918 file. Previously, these packets were always
- logged at the 'info' level.
-
+ - ULOG (must be all caps) is now accepted as a valid + syslog level and causes the subject packets to be logged using the + ULOG target rather than the LOG target. This allows you to run ulogd + (available from http://www.gnumonks.org/projects/ulogd) + and log all Shorewall messages to + a separate log file. +
- If you are running a kernel that has a FORWARD +chain in the mangle table ("shorewall show mangle" will show you +the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes +in shorewall.conf. This allows for +marking input packets based on their destination even when you are +using Masquerading or SNAT. +
- I have cluttered up the /etc/shorewall directory + with empty 'init', 'start', 'stop' and 'stopped' files. If you already + have a file with one of these names, don't worry -- the upgrade process + won't overwrite your file. +
- I have added a new RFC1918_LOG_LEVEL variable to
+ shorewall.conf. This variable
+ specifies the syslog level at which packets are logged as a result
+of entries in the /etc/shorewall/rfc1918 file. Previously, these packets
+ were always logged at the 'info' level.
+
-
+
12/20/2002 - Shorewall 1.3.12 Beta 3
- This version corrects a problem with Blacklist logging. In Beta - 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would - fail to start and "shorewall refresh" would also fail.
-
+ + This version corrects a problem with Blacklist logging. In +Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall + would fail to start and "shorewall refresh" would also fail.
- +You may download the Beta from:
+ - +
-http://www.shorewall.net/pub/shorewall/Beta
+ ftp://ftp.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
+ - -12/20/2002 - Shorewall 1.3.12 Beta 2 -
- The first public Beta version of Shorewall 1.3.12 is now -available (Beta 1 was made available to a limited audience).
-
- Features include:
-
+ + +12/20/2002 - Shorewall 1.3.12 Beta 2 +
+ The first public Beta version of Shorewall 1.3.12 is now + available (Beta 1 was made available to a limited audience).
+
+ Features include:
+
- + +-
-
- "shorewall refresh" now reloads the traffic shaping - rules (tcrules and tcstart). -
- "shorewall debug [re]start" now turns off debugging - after an error occurs. This places the point of the failure near the - end of the trace rather than up in the middle of it. -
- "shorewall [re]start" has been speeded up by -more than 40% with my configuration. Your milage may vary. -
- A "shorewall show classifiers" command has been - added which shows the current packet classification filters. The output - from this command is also added as a separate page in "shorewall monitor" -
- ULOG (must be all caps) is now accepted as a -valid syslog level and causes the subject packets to be logged using -the ULOG target rather than the LOG target. This allows you to run ulogd -(available from http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages to - a separate log file. -
- If you are running a kernel that has a FORWARD - chain in the mangle table ("shorewall show mangle" will show you the - chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes -in shorewall.conf. This allows for marking input packets based on -their destination even when you are using Masquerading or SNAT. -
- I have cluttered up the /etc/shorewall directory - with empty 'init', 'start', 'stop' and 'stopped' files. If you already - have a file with one of these names, don't worry -- the upgrade process - won't overwrite your file. +
- "shorewall refresh" now reloads the traffic + shaping rules (tcrules and tcstart). +
- "shorewall debug [re]start" now turns off +debugging after an error occurs. This places the point of the failure +near the end of the trace rather than up in the middle of it. +
- "shorewall [re]start" has been speeded up +by more than 40% with my configuration. Your milage may vary. +
- A "shorewall show classifiers" command has +been added which shows the current packet classification filters. +The output from this command is also added as a separate page in "shorewall +monitor" +
- ULOG (must be all caps) is now accepted as +a valid syslog level and causes the subject packets to be logged using + the ULOG target rather than the LOG target. This allows you to run ulogd + (available from http://www.gnumonks.org/projects/ulogd) + and log all Shorewall messages to + a separate log file. +
- If you are running a kernel that has a FORWARD + chain in the mangle table ("shorewall show mangle" will show you the + chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes +in shorewall.conf. This allows for marking input packets based on their + destination even when you are using Masquerading or SNAT. +
- I have cluttered up the /etc/shorewall directory + with empty 'init', 'start', 'stop' and 'stopped' files. If you already + have a file with one of these names, don't worry -- the upgrade process + won't overwrite your file. - + +
+ You may download the Beta from:
- + +http://www.shorewall.net/pub/shorewall/Beta
+ ftp://ftp.shorewall.net/pub/shorewall/Beta
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-
+ - + +12/12/2002 - Mandrake Multi Network Firewall
- Shorewall is at the center of MandrakeSoft's recently-announced - Multi - Network Firewall (MNF) product. Here is the press - release.
-
- - -12/7/2002 - Shorewall Support for Mandrake 9.0 -
+ + Shorewall is at the center of MandrakeSoft's recently-announced + Multi + Network Firewall (MNF) product. Here is the press + release.
-Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally - delivered. I have installed 9.0 on one of my systems and I am now - in a position to support Shorewall users who run Mandrake 9.0.
+12/7/2002 - Shorewall Support for Mandrake 9.0 +
- + +Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally + delivered. I have installed 9.0 on one of my systems and I am +now in a position to support Shorewall users who run Mandrake 9.0.
+ + +12/6/2002 - Debian 1.3.11a Packages Available
+ - + +
-Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
- -12/3/2002 - Shorewall 1.3.11a -
- - - -This is a bug-fix roll up which includes Roger Aich's fix for DNAT - with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 - users who don't need rules of this type need not upgrade to 1.3.11.
- - - -11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format -
- - - - -Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 - documenation. the PDF may be downloaded from
- - - - -ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- - - - -
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-11/24/2002 - Shorewall 1.3.11 -
+ +12/3/2002 - Shorewall 1.3.11a +
+This is a bug-fix roll up which includes Roger Aich's fix for DNAT + with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 + users who don't need rules of this type need not upgrade to 1.3.11.
+ + + +11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format +
+ + + + +Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 + documenation. the PDF may be downloaded from
+ + + + +ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
+ + + + +
+ http://slovakia.shorewall.net/pub/shorewall/pdf/
+11/24/2002 - Shorewall 1.3.11 +
+ + + +In this version:
- + +-
-
- A 'tcpflags' option has been added -to entries in /etc/shorewall/interfaces. - This option causes Shorewall to make a set of sanity check on TCP +
- A 'tcpflags' option has been added + to entries in /etc/shorewall/interfaces. + This option causes Shorewall to make a set of sanity check on TCP packet header flags. -
- It is now allowed to use 'all' in the
- SOURCE or DEST column in a rule.
- When used, 'all' must appear by itself (in may not be qualified)
- and it does not enable intra-zone traffic. For example, the rule
-
-
- ACCEPT loc all tcp 80
-
- does not enable http traffic from 'loc' to 'loc'.
- - Shorewall's use of the 'echo' command - is now compatible with bash clones such as ash and dash. -
- fw->fw policies now generate a startup - error. fw->fw rules generate a warning and are ignored +
- It is now allowed to use 'all' in
+ the SOURCE or DEST column in a rule. When used, 'all' must
+appear by itself (in may not be qualified) and it does not enable
+intra-zone traffic. For example, the rule
+
+ ACCEPT loc all tcp 80
+
+ does not enable http traffic from 'loc' to +'loc'.
+ - Shorewall's use of the 'echo' command + is now compatible with bash clones such as ash and dash. +
- fw->fw policies now generate +a startup error. fw->fw rules generate a warning and are +ignored - + +
Donations
-M +M -- + -
- -+ - + + + - - - + + ++ @@ -575,12 +692,12 @@ packet header flags. - + + + @@ -589,29 +706,30 @@ packet header flags. - - + +Shorewall is free but -if you try it and find it useful, please consider making a donation - to Starlight Children's -Foundation. Thanks!
-Shorewall is free +but if you try it and find it useful, please consider making a donation + to Starlight +Children's Foundation. Thanks!
-Updated 1/18/2003 - Tom Eastep - + +
Updated 1/28/2003 - Tom Eastep +
diff --git a/Shorewall-docs/shoreline.htm b/Shorewall-docs/shoreline.htm index 3a7104254..f1b1ba204 100644 --- a/Shorewall-docs/shoreline.htm +++ b/Shorewall-docs/shoreline.htm @@ -1,125 +1,126 @@ - +About the Shorewall Author - + - - + + - +- -
- +- +- + + - - + + + ++ -Tom Eastep
-
- + +
- Tarry & Tom -- August 2002
- +
-
-
+ +-
-
- Born 1945 in Born 1945 in Washington State . -
- BA Mathematics from Washington
+
- BA Mathematics from Washington State University 1967
-- MA Mathematics from MA Mathematics from University of Washington 1969
-- Burroughs Corporation (now Burroughs Corporation (now Unisys ) 1969 - 1980
-- Tandem Computers, Incorporated - (now part of the The New HP) 1980 - -present
-- Married 1969 - no children.
- -
I am currently a member of the design team for the next-generation - operating system from the NonStop Enterprise Division of HP.
- -I became interested in Internet Security when I established a home office - in 1999 and had DSL service installed in our home. I investigated - ipchains and developed the scripts which are now collectively known as - Seattle Firewall. Expanding - on what I learned from Seattle Firewall, I then designed and wrote - Shorewall.
- -I telework from our home in Shoreline, - Washington where I live with my wife Tarry.
- -Our current home network consists of:
+- Tandem Computers, Incorporated + (now part of the The New HP) 1980 +- present
+- Married 1969 - no children.
--
-
- 1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 20GB - IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. -Serves as a PPTP server for Road Warrior access. Also has Mandrake 9.0 installed. -
- Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) - NIC - My personal Linux System which runs Samba configured as a -WINS server. This system also has VMware installed and can run -both Debian Woody and SuSE 8.1 in virtual machines. -
- K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC -- Email (Postfix & Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), -DNS server (Bind). -
- PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX - (Tulip) and 1 TLAN NICs - Firewall running Shorewall 1.3.12+ and a -DHCP server. -
- Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My - wife's personal system. -
- PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard -EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main -work system. -
I am currently a member of the design team for the next-generation + operating system from the NonStop Enterprise Division of HP.
+ +I became interested in Internet Security when I established a home office + in 1999 and had DSL service installed in our home. I investigated + ipchains and developed the scripts which are now collectively known as + Seattle Firewall. Expanding + on what I learned from Seattle Firewall, I then designed and wrote + Shorewall.
+ +I telework from our home in Shoreline, + Washington where I live with my wife Tarry.
+ +Our current home network consists of:
+ +-
+
- 1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 20GB + IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. Serves +as a PPTP server for Road Warrior access. Dual boots Mandrake 9.0. +
- Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) + NIC - My personal Linux System which runs Samba configured as a +WINS server. This system also has VMware installed and can run both + Debian Woody and SuSE 8.1 in virtual machines. +
- K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC +- Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd), +DNS server (Bind 9). +
- PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX + (Tulip) and 1 TLAN NICs - Firewall running Shorewall 1.3.14 and a DHCP + server. +
- Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - +My wife's personal system. +
- PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard + EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main + work system. + +
For more about our network see my Shorewall Configuration.
- +All of our other systems are made by Compaq (part of the new HP).. All of our Tulip NICs are Netgear FA310TXs.
- + - - + +Last updated 1/24/2003 - Tom Eastep
- Copyright © 2001, 2002, 2003 Thomas + Copyright © 2001, 2002, 2003 Thomas M. Eastep.
+
diff --git a/Shorewall-docs/shorewall_features.htm b/Shorewall-docs/shorewall_features.htm index 87c11864a..586ed3d74 100644 --- a/Shorewall-docs/shorewall_features.htm +++ b/Shorewall-docs/shorewall_features.htm @@ -1,111 +1,114 @@ - + - + - + - +Shorewall Features - +- -
- +- ++ + - - + + + +Shorewall Features
--
-
- Uses Netfilter's connection tracking facilities for stateful packet - filtering. -
- Can be used in a wide range of router/firewall/gateway applications. - +
- Uses Netfilter's connection tracking facilities for stateful packet + filtering. +
- Can be used in a wide range of router/firewall/gateway applications.
+
-
-
- Completely customizable using configuration files. -
- No limit on the number of network interfaces. -
- Allows you to partitions the network into zones and gives you complete -control over the connections permitted between each pair of zones. -
- Multiple interfaces per zone and multiple zones per interface - permitted. -
- Supports nested and overlapping zones. - +
- Completely customizable using configuration files. +
- No limit on the number of network interfaces. +
- Allows you to partitions the network into zones and gives you complete + control over the connections permitted between each pair of zones. +
- Multiple interfaces per zone and multiple zones per interface + permitted. +
- Supports nested and overlapping zones. +
- - QuickStart Guides to -help get your first firewall up and running quickly -
- Extensive documentation - included in the .tgz and .rpm downloads. -
- Flexible address management/routing support (and you can use -all types in the same firewall): + +
- QuickStart Guides +to help get your first firewall up and running quickly +
- Extensive documentation + included in the .tgz and .rpm downloads. +
- Flexible address management/routing support (and you can
+use all types in the same firewall):
-
-
- Masquerading/SNAT -
- Port Forwarding (DNAT). -
- Static NAT. -
- Proxy ARP. -
- Simple host/subnet Routing - +
- Masquerading/SNAT +
- Port Forwarding (DNAT). +
- Static NAT. +
- Proxy ARP. +
- Simple host/subnet Routing +
- - Blacklisting of individual + +
- Blacklisting of individual IP addresses and subnetworks is supported. -
- Operational support: - +
- Operational support:
+
-
-
- Commands to start, stop and clear the firewall -
- Supports status monitoring with an audible alarm -when an "interesting" packet is detected. -
- Wide variety of informational commands. - +
- Commands to start, stop and clear the firewall +
- Supports status monitoring with an audible alarm + when an "interesting" packet is detected. +
- Wide variety of informational commands. +
- - VPN Support + +
- VPN Support
-
-
- IPSEC, GRE and IPIP Tunnels. -
- PPTP clients and Servers. - +
- IPSEC, GRE, IPIP and +OpenVPN Tunnels. +
- PPTP clients and Servers. +
- - Support for Traffic Control/Shaping + +
- Support for Traffic Control/Shaping integration. -
- Wide support for different GNU/Linux Distributions. - +
- Wide support for different GNU/Linux Distributions.
+
-
-
- RPM and Debian +
- RPM and Debian packages available. -
- Includes automated install, upgrade, fallback - and uninstall facilities for users who can't use or choose -not to use the RPM or Debian packages. -
- Included as a standard part of LEAF/Bering (router/firewall +
- Includes automated install, upgrade, +fallback and uninstall facilities for users who can't use +or choose not to use the RPM or Debian packages. +
- Included as a standard part of LEAF/Bering (router/firewall on a floppy, CD or compact flash). - +
- - Media Access Control (MAC) Address
- Verification
-
-
+ - Media Access Control (MAC) Address
+ Verification
+
+
+
Last updated 11/09/2002 - Tom Eastep
- + +Last updated 1/31/2003 - Tom Eastep
+ + size="2">Copyright © 2001-2003 Thomas M. Eastep.
+ +
diff --git a/Shorewall-docs/shorewall_quickstart_guide.htm b/Shorewall-docs/shorewall_quickstart_guide.htm index 4e34d188e..5365ef967 100644 --- a/Shorewall-docs/shorewall_quickstart_guide.htm +++ b/Shorewall-docs/shorewall_quickstart_guide.htm @@ -1,288 +1,296 @@ - + - + - + - +Shorewall QuickStart Guide - + - +- -
- -- ++ + - - + +- - -Shorewall QuickStart Guides -(HOWTO's)
-
- Version 3.1Shorewall QuickStart Guides + (HOWTO's)
+ + + +
+ Version 3.1With thanks to Richard who reminded me once again that we -must all first walk before we can run.
- + +With thanks to Richard who reminded me once again that +we must all first walk before we can run.
+
+The French Translations are courtesy of Patrice Vetsel
+The Guides
- -These guides provide step-by-step instructions for configuring Shorewall - in common firewall setups.
- + +These guides provide step-by-step instructions for configuring Shorewall + in common firewall setups.
+The following guides are for users who have a single public IP address:
- +-
-
- Standalone Linux System -
- Two-interface Linux -System acting as a firewall/router for a small local network -
- Three-interface Linux - System acting as a firewall/router for a small local network and -a DMZ. - +
- Standalone Linux System +(Version Française) +
- Two-interface Linux + System acting as a firewall/router for a small local network (Version Française) +
- Three-interface +Linux System acting as a firewall/router for a small local network +and a DMZ. (Version Française) +
The above guides are designed to get your first firewall up and running - quickly in the three most common Shorewall configurations.
- -The Shorewall Setup Guide outlines - the steps necessary to set up a firewall where there are multiple - public IP addresses involved or if you want to learn more about Shorewall - than is explained in the single-address guides above.
- + +The above guides are designed to get your first firewall up and running + quickly in the three most common Shorewall configurations.
+ +The Shorewall Setup Guide outlines + the steps necessary to set up a firewall where there are multiple + public IP addresses involved or if you want to learn more about Shorewall + than is explained in the single-address guides above.
+-
-
- 1.0
+
- 1.0 Introduction
-- 2.0 Shorewall +
- 2.0 Shorewall Concepts
-- 3.0 +
- 3.0 Network Interfaces
-- 4.0 -Addressing, Subnets and Routing - +
- 4.0 +Addressing, Subnets and Routing +
--
-
- 4.1 -IP Addresses -
- 4.1 + IP Addresses +
- 4.2 Subnets -
- 4.3 Routing -
- 4.4 Address - Resolution Protocol +
- 4.3 +Routing +
- 4.4 Address + Resolution Protocol - +
-
-
- 4.5 RFC - 1918 - - -
- 5.0 Setting - up your Network - -
--
-
- 5.1 Routed - - -
-
-
- 5.2
-Non-routed
-
-
-
-
-
- 5.2.1 -SNAT -
- 5.2.2 -DNAT -
- 5.2.3 - Proxy ARP -
- 5.2.4 Static - NAT - - - -
- - 5.3 Rules -
- 5.4 - Odds and Ends - - -
- 6.0 DNS
-- 7.0 Starting and - Stopping the Firewall
- -
Documentation Index
- -The following documentation covers a variety of topics and supplements - the QuickStart Guides - described above. Please review the appropriate guide before trying - to use this documentation directly.
- --
-
- Blacklisting
-
-
-
-
-
- Static Blacklisting using /etc/shorewall/blacklist -
- Dynamic Blacklisting using /sbin/shorewall - - -
- - Common configuration
- file features
-
-
- Comments - in configuration files -
- Line Continuation -
- Port - Numbers/Service Names -
- Port - Ranges -
- Using Shell Variables -
- Using
- DNS Names
-
- - Complementing an IP address -or Subnet -
- Shorewall - Configurations (making a test configuration) -
- Using -MAC Addresses in Shorewall +
- 4.5 +RFC 1918 - +
- - Configuration File Reference - Manual + +
- 5.0 Setting
+ up your Network
+
+
-
+
- 5.1 Routed + + +
-
+
- 5.2
+ Non-routed
+
+
+
-
+
- 5.2.1 +SNAT +
- 5.2.2 +DNAT +
- 5.2.3 + Proxy ARP +
- 5.2.4 +Static NAT + + - +
+ - 5.3 Rules +
- 5.4 + Odds and Ends - +
- - DHCP -
- Extension Scripts -(How to extend Shorewall without modifying Shorewall code) -
- Fallback/Uninstall -
- Firewall -Structure -
- Kernel Configuration -
- Logging
-
- - MAC Verification
-
- - My Configuration Files (How I personally - use Shorewall) -
- 'Ping' Management
-
- - Port Information
-
-
-
-
- Which applications use which ports -
- Ports used by Trojans - - -
- - Proxy ARP -
- Samba -
- Starting/stopping the Firewall - -
- Description of all /sbin/shorewall commands -
- How to safely test a Shorewall configuration change
-
-
- - Static NAT -
- Squid as a Transparent Proxy with
-Shorewall
-
- - Traffic Shaping/QOS -
- VPN
-
-
-
-
- IPSEC -
- GRE and IPIP -
- PPTP -
- IPSEC/PPTP from a system behind - your firewall to a remote network. - - -
- - White List - Creation - +
-
-
+ - On your firewall system, issue the following command
- 6.0 DNS +
- 7.0 Starting and + Stopping the Firewall +
- Blacklisting
+
+
+
-
+
- Static Blacklisting using /etc/shorewall/blacklist +
- Dynamic Blacklisting using /sbin/shorewall + + +
+ - Common configuration + file features + + + +
- Configuration File Reference + Manual + + + +
- DHCP +
- Extension Scripts (How +to extend Shorewall without modifying Shorewall code) +
- Fallback/Uninstall +
- Firewall + Structure +
- Kernel +Configuration +
- Logging
+
+ - MAC Verification
+
+ - My Configuration Files (How I personally + use Shorewall) +
- 'Ping' Management
+
+ - Port Information
+
+
-
+
- Which applications use which ports +
- Ports used by Trojans + + +
+ - Proxy ARP +
- Samba +
- Starting/stopping the Firewall + +
- Description of all /sbin/shorewall commands +
- How to safely test a Shorewall configuration change
+
+
+ - Static NAT +
- Squid as a Transparent Proxy
+with Shorewall
+
+ - Traffic Shaping/QOS +
- VPN
+
+
-
+
- IPSEC +
- GRE and IPIP +
- PPTP +
- IPSEC/PPTP from a system behind + your firewall to a remote network. + + +
+ - White List + Creation + +
-
-
-- -echo 202 www.out >> /etc/iproute2/rt_tables-
-
-
-- -if [ -z "`ip rule list | grep www.out`" ] ; then-
ip rule add fwmark 202 table www.out
ip route add default via 192.168.1.3 dev eth1 table www.out
ip route flush cache
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
fi
-
-
+ 
-
- 
- 
- 
- 
- 
- Documentation Index
+ +The following documentation covers a variety of topics and supplements + the QuickStart Guides + described above. Please review the appropriate guide before trying + to use this documentation directly.
+ +-
+
-
+
If you use one of these guides and have a suggestion for improvement please let me know.
- -Last modified 1/9/2003 - Tom Eastep
- -Copyright 2002, 2003 Thomas M.
+
+ Last modified 1/28/2003 - Tom Eastep
diff --git a/Shorewall-docs/sourceforge_index.htm b/Shorewall-docs/sourceforge_index.htm index 026bd6773..3e742f202 100644 --- a/Shorewall-docs/sourceforge_index.htm +++ b/Shorewall-docs/sourceforge_index.htm @@ -5,8 +5,8 @@ - - + +
| + |
@@ -38,14 +39,14 @@
-
+
@@ -55,33 +56,35 @@
-
+
+
- |
-
+
- .
- The 
+
- 
- At this point, edit your /etc/shorewall/policy file and
-make any changes that you wish.
- 
- 
-