Add historical FAQ number to the FAQ
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@824 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
1fa273eb41
commit
becf157828
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2003-12-04</pubdate>
|
<pubdate>2003-12-09</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001 - 2003</year>
|
<year>2001 - 2003</year>
|
||||||
@ -24,6 +24,16 @@
|
|||||||
</copyright>
|
</copyright>
|
||||||
|
|
||||||
<revhistory>
|
<revhistory>
|
||||||
|
<revision>
|
||||||
|
<revnumber>1.2</revnumber>
|
||||||
|
|
||||||
|
<date>2003-12-09</date>
|
||||||
|
|
||||||
|
<authorinitials>TE</authorinitials>
|
||||||
|
|
||||||
|
<revremark>Added Copyright and legacy FAQ numbers</revremark>
|
||||||
|
</revision>
|
||||||
|
|
||||||
<revision>
|
<revision>
|
||||||
<revnumber>1.1</revnumber>
|
<revnumber>1.1</revnumber>
|
||||||
|
|
||||||
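Review bot: The new revision 1.2 entry's revremark says "Added Copyright and legacy FAQ numbers", but the copyright element (with the unchanged "2001 - 2003" year) appears only as untouched context in this diff, so this commit itself adds no copyright text. If the copyright block was introduced in the parent commit and this revision entry is meant to cover both changes, that is fine; otherwise the remark should match the commit message and read only "Added legacy FAQ numbers".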
@ -55,9 +65,9 @@
|
|||||||
<title>Port Forwarding</title>
|
<title>Port Forwarding</title>
|
||||||
|
|
||||||
<section id="faq1">
|
<section id="faq1">
|
||||||
<title>I want to forward UDP port 7777 to my my personal PC with IP
|
<title>(FAQ 1) I want to forward UDP port 7777 to my my personal PC with
|
||||||
address 192.168.1.5. I've looked everywhere and can't find how
|
IP address 192.168.1.5. I've looked everywhere and can't find
|
||||||
to do it.</title>
|
how to do it.</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> The <ulink
|
<para><emphasis role="bold">Answer:</emphasis> The <ulink
|
||||||
url="Documentation.htm#PortForward">first example</ulink> in the <ulink
|
url="Documentation.htm#PortForward">first example</ulink> in the <ulink
|
||||||
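Review bot: The faq1 title still carries the duplicated word in "forward UDP port 7777 to my my personal PC" on the new side; since the line is being rewrapped anyway, drop the second "my" in the same edit.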
@ -196,7 +206,8 @@
|
|||||||
column specify the range as <emphasis>low-port:high-port</emphasis>.</para>
|
column specify the range as <emphasis>low-port:high-port</emphasis>.</para>
|
||||||
|
|
||||||
<section id="faq1a">
|
<section id="faq1a">
|
||||||
<title>Ok -- I followed those instructions but it doesn't work</title>
|
<title>(FAQ 1a) Ok -- I followed those instructions but it doesn't
|
||||||
|
work</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> That is usually the
|
<para><emphasis role="bold">Answer:</emphasis> That is usually the
|
||||||
result of one of three things:</para>
|
result of one of three things:</para>
|
||||||
@ -221,7 +232,7 @@
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq1b">
|
<section id="faq1b">
|
||||||
<title>I'm still having problems with port forwarding</title>
|
<title>(FAQ 1b) I'm still having problems with port forwarding</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> To further diagnose
|
<para><emphasis role="bold">Answer:</emphasis> To further diagnose
|
||||||
this problem:</para>
|
this problem:</para>
|
||||||
@ -284,8 +295,8 @@
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq1c">
|
<section id="faq1c">
|
||||||
<title>From the internet, I want to connect to port 1022 on my
|
<title>(FAQ 1c) From the internet, I want to connect to port 1022 on
|
||||||
firewall and have the firewall forward the connection to port 22 on
|
my firewall and have the firewall forward the connection to port 22 on
|
||||||
local system 192.168.1.3. How do I do that?</title>
|
local system 192.168.1.3. How do I do that?</title>
|
||||||
|
|
||||||
<para>In /etc/shorewall/rules:</para>
|
<para>In /etc/shorewall/rules:</para>
|
||||||
@ -333,8 +344,8 @@
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq30">
|
<section id="faq30">
|
||||||
<title>I'm confused about when to use DNAT rules and when to use
|
<title>(FAQ 30) I'm confused about when to use DNAT rules and when
|
||||||
ACCEPT rules.</title>
|
to use ACCEPT rules.</title>
|
||||||
|
|
||||||
<para>It would be a good idea to review the <ulink
|
<para>It would be a good idea to review the <ulink
|
||||||
url="shorewall_quickstart_guide.htm">QuickStart Guide</ulink>
|
url="shorewall_quickstart_guide.htm">QuickStart Guide</ulink>
|
||||||
@ -353,7 +364,7 @@
|
|||||||
<title>DNS and Port Forwarding/NAT</title>
|
<title>DNS and Port Forwarding/NAT</title>
|
||||||
|
|
||||||
<section id="faq2">
|
<section id="faq2">
|
||||||
<title>I port forward www requests to www.mydomain.com (IP
|
<title>(FAQ 2) I port forward www requests to www.mydomain.com (IP
|
||||||
130.151.100.69) to system 192.168.1.5 in my local network. External
|
130.151.100.69) to system 192.168.1.5 in my local network. External
|
||||||
clients can browse http://www.mydomain.com but internal clients
|
clients can browse http://www.mydomain.com but internal clients
|
||||||
can't.</title>
|
can't.</title>
|
||||||
@ -527,10 +538,11 @@
|
|||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<section id="faq2a">
|
<section id="faq2a">
|
||||||
<title>I have a zone "Z" with an RFC1918 subnet and I use
|
<title>(FAQ 2a) I have a zone "Z" with an RFC1918 subnet and I
|
||||||
one-to-one NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in
|
use one-to-one NAT to assign non-RFC1918 addresses to hosts in Z.
|
||||||
Z cannot communicate with each other using their external (non-RFC1918
|
Hosts in Z cannot communicate with each other using their external
|
||||||
addresses) so they can't access each other using their DNS names.</title>
|
(non-RFC1918 addresses) so they can't access each other using
|
||||||
|
their DNS names.</title>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>If the ALL INTERFACES column in /etc/shorewall/nat is empty or
|
<para>If the ALL INTERFACES column in /etc/shorewall/nat is empty or
|
||||||
@ -685,8 +697,8 @@ Subnet: 192.168.2.0/24</literallayout>
|
|||||||
<title>Netmeeting/MSN</title>
|
<title>Netmeeting/MSN</title>
|
||||||
|
|
||||||
<section id="faq3">
|
<section id="faq3">
|
||||||
<title>I want to use Netmeeting or MSN Instant Messenger with Shorewall.
|
<title>(FAQ 3) I want to use Netmeeting or MSN Instant Messenger with
|
||||||
What do I do?</title>
|
Shorewall. What do I do?</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> There is an <ulink
|
<para><emphasis role="bold">Answer:</emphasis> There is an <ulink
|
||||||
url="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/">H.323
|
url="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/">H.323
|
||||||
@ -702,8 +714,9 @@ Subnet: 192.168.2.0/24</literallayout>
|
|||||||
<title>Open Ports</title>
|
<title>Open Ports</title>
|
||||||
|
|
||||||
<section id="faq4">
|
<section id="faq4">
|
||||||
<title>I just used an online port scanner to check my firewall and it
|
<title>(FAQ 4) I just used an online port scanner to check my firewall
|
||||||
shows some ports as 'closed' rather than 'blocked'. Why?</title>
|
and it shows some ports as 'closed' rather than
|
||||||
|
'blocked'. Why?</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> The common.def included
|
<para><emphasis role="bold">Answer:</emphasis> The common.def included
|
||||||
with version 1.3.x always rejects connection requests on TCP port 113
|
with version 1.3.x always rejects connection requests on TCP port 113
|
||||||
@ -721,8 +734,8 @@ Subnet: 192.168.2.0/24</literallayout>
|
|||||||
of your Service Agreement.</para>
|
of your Service Agreement.</para>
|
||||||
|
|
||||||
<section id="faq4a">
|
<section id="faq4a">
|
||||||
<title>I just ran an nmap UDP scan of my firewall and it showed 100s
|
<title>(FAQ 4a) I just ran an nmap UDP scan of my firewall and it
|
||||||
of ports as open!!!!</title>
|
showed 100s of ports as open!!!!</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> Take a deep breath and
|
<para><emphasis role="bold">Answer:</emphasis> Take a deep breath and
|
||||||
read the nmap man page section about UDP scans. If nmap gets <emphasis
|
read the nmap man page section about UDP scans. If nmap gets <emphasis
|
||||||
@ -733,8 +746,8 @@ Subnet: 192.168.2.0/24</literallayout>
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq4b">
|
<section id="faq4b">
|
||||||
<title>I have a port that I can't close no matter how I change my
|
<title>(FAQ 4b) I have a port that I can't close no matter how I
|
||||||
rules.</title>
|
change my rules.</title>
|
||||||
|
|
||||||
<para>I had a rule that allowed telnet from my local network to my
|
<para>I had a rule that allowed telnet from my local network to my
|
||||||
firewall; I removed that rule and restarted Shorewall but my telnet
|
firewall; I removed that rule and restarted Shorewall but my telnet
|
||||||
@ -748,7 +761,7 @@ Subnet: 192.168.2.0/24</literallayout>
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq4c">
|
<section id="faq4c">
|
||||||
<title>How to I use Shorewall with PortSentry?</title>
|
<title>(FAQ 4c) How to I use Shorewall with PortSentry?</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://www.shorewall.net/pub/shorewall/contrib/PortsentryHOWTO.txt">Here's
|
url="http://www.shorewall.net/pub/shorewall/contrib/PortsentryHOWTO.txt">Here's
|
||||||
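Review bot: The faq4c title retains the typo "How to I use Shorewall with PortSentry?" on the new side; it should read "How do I use Shorewall with PortSentry?" while the line is being touched.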
@ -761,8 +774,8 @@ Subnet: 192.168.2.0/24</literallayout>
|
|||||||
<title>Connection Problems</title>
|
<title>Connection Problems</title>
|
||||||
|
|
||||||
<section id="faq5">
|
<section id="faq5">
|
||||||
<title>I've installed Shorewall and now I can't ping through the
|
<title>(FAQ 5) I've installed Shorewall and now I can't ping
|
||||||
firewall</title>
|
through the firewall</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> If you want your firewall
|
<para><emphasis role="bold">Answer:</emphasis> If you want your firewall
|
||||||
to be totally open for "ping",</para>
|
to be totally open for "ping",</para>
|
||||||
@ -789,7 +802,7 @@ Subnet: 192.168.2.0/24</literallayout>
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq15">
|
<section id="faq15">
|
||||||
<title>My local systems can't see out to the net</title>
|
<title>(FAQ 15) My local systems can't see out to the net</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> Every time I read
|
<para><emphasis role="bold">Answer:</emphasis> Every time I read
|
||||||
"systems can't see out to the net", I wonder where the
|
"systems can't see out to the net", I wonder where the
|
||||||
@ -817,7 +830,7 @@ Subnet: 192.168.2.0/24</literallayout>
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq29">
|
<section id="faq29">
|
||||||
<title>FTP Doesn't Work</title>
|
<title>(FAQ 29) FTP Doesn't Work</title>
|
||||||
|
|
||||||
<para>See the <ulink url="FTP.html">Shorewall and FTP page</ulink>.</para>
|
<para>See the <ulink url="FTP.html">Shorewall and FTP page</ulink>.</para>
|
||||||
</section>
|
</section>
|
||||||
@ -827,8 +840,8 @@ Subnet: 192.168.2.0/24</literallayout>
|
|||||||
<title>Logging</title>
|
<title>Logging</title>
|
||||||
|
|
||||||
<section id="faq6">
|
<section id="faq6">
|
||||||
<title>Where are the log messages written and how do I change the
|
<title>(FAQ 6) Where are the log messages written and how do I change
|
||||||
destination?</title>
|
the destination?</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> NetFilter uses the
|
<para><emphasis role="bold">Answer:</emphasis> NetFilter uses the
|
||||||
kernel's equivalent of syslog (see "man syslog") to log
|
kernel's equivalent of syslog (see "man syslog") to log
|
||||||
@ -853,7 +866,7 @@ LOGBURST=""</programlisting>
|
|||||||
to a separate file</ulink>.</para>
|
to a separate file</ulink>.</para>
|
||||||
|
|
||||||
<section id="faq6a">
|
<section id="faq6a">
|
||||||
<title>Are there any log parsers that work with Shorewall?</title>
|
<title>(FAQ 6a) Are there any log parsers that work with Shorewall?</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> Here are several links
|
<para><emphasis role="bold">Answer:</emphasis> Here are several links
|
||||||
that may be helpful:</para>
|
that may be helpful:</para>
|
||||||
@ -872,9 +885,9 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq6b">
|
<section id="faq6b">
|
||||||
<title>DROP messages on port 10619 are flooding the logs with their
|
<title>(FAQ 2b) DROP messages on port 10619 are flooding the logs with
|
||||||
connect requests. Can i exclude these error messages for this port
|
their connect requests. Can i exclude these error messages for this
|
||||||
temporarily from logging in Shorewall?</title>
|
port temporarily from logging in Shorewall?</title>
|
||||||
|
|
||||||
<para>Temporarily add the following rule:</para>
|
<para>Temporarily add the following rule:</para>
|
||||||
|
|
||||||
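Review bot: The legacy number added to the faq6b title is wrong: the section id is faq6b and it sits between faq6a and faq6d in the Logging chapter, but the new title reads "(FAQ 2b) DROP messages on port 10619 ...". This should be "(FAQ 6b)"; FAQ 2b would put it under DNS and Port Forwarding/NAT alongside faq2 and faq2a. While rewrapping, "Can i exclude" should also be "Can I exclude".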
@ -927,8 +940,8 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq6d">
|
<section id="faq6d">
|
||||||
<title>Why is the MAC address in Shorewall log messages so long? I
|
<title>(FAQ 6c) Why is the MAC address in Shorewall log messages so
|
||||||
thought MAC addresses were only 6 bytes in length.</title>
|
long? I thought MAC addresses were only 6 bytes in length.</title>
|
||||||
|
|
||||||
<para>What is labeled as the MAC address in a Shorewall log message is
|
<para>What is labeled as the MAC address in a Shorewall log message is
|
||||||
actually the Ethernet frame header. IT contains:</para>
|
actually the Ethernet frame header. IT contains:</para>
|
||||||
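Review bot: The faq6d title is labelled "(FAQ 6c)" although the section id is faq6d, and the preceding hunk header context ("run_iptables -A common -p udp --sport 53 ...") shows another section lies between faq6b and this one. Confirm that 6c really is the legacy number for this MAC-address question rather than a slip like the "(FAQ 2b)" label on faq6b above; if the intervening section is faq6c, this one should read "(FAQ 6d)".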
@ -970,8 +983,8 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq16">
|
<section id="faq16">
|
||||||
<title>Shorewall is writing log messages all over my console making it
|
<title>(FAQ 16) Shorewall is writing log messages all over my console
|
||||||
unusable!</title>
|
making it unusable!</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> If you are running
|
<para><emphasis role="bold">Answer:</emphasis> If you are running
|
||||||
Shorewall version 1.4.4 or 1.4.4a then check the <ulink url="errata.htm">errata</ulink>.
|
Shorewall version 1.4.4 or 1.4.4a then check the <ulink url="errata.htm">errata</ulink>.
|
||||||
@ -983,7 +996,7 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</programlis
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq17">
|
<section id="faq17">
|
||||||
<title>How do I find out why this traffic is getting logged?</title>
|
<title>(FAQ 17) How do I find out why this traffic is getting logged?</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> Logging occurs out of a
|
<para><emphasis role="bold">Answer:</emphasis> Logging occurs out of a
|
||||||
number of chains (as indicated in the log message) in Shorewall:</para>
|
number of chains (as indicated in the log message) in Shorewall:</para>
|
||||||
@ -1190,7 +1203,8 @@ PROTO=UDP SPT=1803 DPT=53 LEN=47</programlisting>
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq21">
|
<section id="faq21">
|
||||||
<title>I see these strange log entries occasionally; what are they?</title>
|
<title>I (FAQ 21) see these strange log entries occasionally; what are
|
||||||
|
they?</title>
|
||||||
|
|
||||||
<programlisting>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00
|
<programlisting>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00
|
||||||
SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3
|
SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3
|
||||||
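Review bot: The faq21 label is inserted mid-sentence: the new title reads "I (FAQ 21) see these strange log entries occasionally; what are they?". Every other section in this commit puts the label first, so this should be "(FAQ 21) I see these strange log entries occasionally; what are they?".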
@ -1236,7 +1250,7 @@ PROTO=UDP SPT=1803 DPT=53 LEN=47</programlisting>
|
|||||||
<title>Routing</title>
|
<title>Routing</title>
|
||||||
|
|
||||||
<section id="faq32">
|
<section id="faq32">
|
||||||
<title>My firewall has two connections to the internet from two
|
<title>(FAQ 32) My firewall has two connections to the internet from two
|
||||||
different ISPs. How do I set this up in Shorewall?</title>
|
different ISPs. How do I set this up in Shorewall?</title>
|
||||||
|
|
||||||
<para>Setting this up in Shorewall is easy; setting up the routing is a
|
<para>Setting this up in Shorewall is easy; setting up the routing is a
|
||||||
@ -1464,8 +1478,8 @@ nexthop via $P2 dev $IF2 weight 1</programlisting>
|
|||||||
<title>Starting and Stopping</title>
|
<title>Starting and Stopping</title>
|
||||||
|
|
||||||
<section id="faq7">
|
<section id="faq7">
|
||||||
<title>When I stop Shorewall using 'shorewall stop', I can't
|
<title>(FAQ 7) When I stop Shorewall using 'shorewall stop', I
|
||||||
connect to anything. Why doesn't that command work?</title>
|
can't connect to anything. Why doesn't that command work?</title>
|
||||||
|
|
||||||
<para>The 'stop' command is intended to place your firewall into
|
<para>The 'stop' command is intended to place your firewall into
|
||||||
a safe state whereby only those hosts listed in
|
a safe state whereby only those hosts listed in
|
||||||
@ -1475,8 +1489,8 @@ nexthop via $P2 dev $IF2 weight 1</programlisting>
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq8">
|
<section id="faq8">
|
||||||
<title>When I try to start Shorewall on RedHat, I get messages about
|
<title>(FAQ 8) When I try to start Shorewall on RedHat, I get messages
|
||||||
insmod failing -- what's wrong?</title>
|
about insmod failing -- what's wrong?</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> The output you will see
|
<para><emphasis role="bold">Answer:</emphasis> The output you will see
|
||||||
looks something like this:</para>
|
looks something like this:</para>
|
||||||
@ -1509,7 +1523,8 @@ rmmod ipchains</programlisting>
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq9">
|
<section id="faq9">
|
||||||
<title>Why can't Shorewall detect my interfaces properly at startup?</title>
|
<title>(FAQ 9) Why can't Shorewall detect my interfaces properly at
|
||||||
|
startup?</title>
|
||||||
|
|
||||||
<para>I just installed Shorewall and when I issue the start command, I
|
<para>I just installed Shorewall and when I issue the start command, I
|
||||||
see the following:</para>
|
see the following:</para>
|
||||||
@ -1539,8 +1554,8 @@ Creating input Chains...
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq22">
|
<section id="faq22">
|
||||||
<title>I have some iptables commands that I want to run when Shorewall
|
<title>( FAQ 22) I have some iptables commands that I want to run when
|
||||||
starts. Which file do I put them in?</title>
|
Shorewall starts. Which file do I put them in?</title>
|
||||||
|
|
||||||
<para>You can place these commands in one of the <ulink
|
<para>You can place these commands in one of the <ulink
|
||||||
url="shorewall_extension_scripts.htm">Shorewall Extension Scripts</ulink>.
|
url="shorewall_extension_scripts.htm">Shorewall Extension Scripts</ulink>.
|
||||||
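Review bot: The faq22 label has a stray space inside the parenthesis, "( FAQ 22) I have some iptables commands ...", unlike the "(FAQ nn)" form used everywhere else in this commit; remove the space.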
@ -1559,21 +1574,21 @@ Creating input Chains...
|
|||||||
<title>About Shorewall</title>
|
<title>About Shorewall</title>
|
||||||
|
|
||||||
<section id="faq10">
|
<section id="faq10">
|
||||||
<title>What Distributions does it work with?</title>
|
<title>(FAQ 10) What Distributions does it work with?</title>
|
||||||
|
|
||||||
<para>Shorewall works with any GNU/Linux distribution that includes the
|
<para>Shorewall works with any GNU/Linux distribution that includes the
|
||||||
<ulink url="shorewall_prerequisites.htm">proper prerequisites</ulink>.</para>
|
<ulink url="shorewall_prerequisites.htm">proper prerequisites</ulink>.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq11">
|
<section id="faq11">
|
||||||
<title>What Features does it have?</title>
|
<title>(FAQ 11) What Features does it have?</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> See the <ulink
|
<para><emphasis role="bold">Answer:</emphasis> See the <ulink
|
||||||
url="shorewall_features.htm">Shorewall Feature List</ulink>.</para>
|
url="shorewall_features.htm">Shorewall Feature List</ulink>.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq12">
|
<section id="faq12">
|
||||||
<title>Is there a GUI?</title>
|
<title>(FAQ 12) Is there a GUI?</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> Yes. Shorewall support is
|
<para><emphasis role="bold">Answer:</emphasis> Yes. Shorewall support is
|
||||||
included in Webmin 1.060 and later versions. See <ulink
|
included in Webmin 1.060 and later versions. See <ulink
|
||||||
@ -1581,7 +1596,7 @@ Creating input Chains...
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq13">
|
<section id="faq13">
|
||||||
<title>Why do you call it "Shorewall"?</title>
|
<title>(FAQ 13) Why do you call it "Shorewall"?</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> Shorewall is a
|
<para><emphasis role="bold">Answer:</emphasis> Shorewall is a
|
||||||
concatenation of "<emphasis>Shore</emphasis>line" (<ulink
|
concatenation of "<emphasis>Shore</emphasis>line" (<ulink
|
||||||
@ -1592,7 +1607,7 @@ Creating input Chains...
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq23">
|
<section id="faq23">
|
||||||
<title>Why do you use such ugly fonts on your web site?</title>
|
<title>(FAQ 23) Why do you use such ugly fonts on your web site?</title>
|
||||||
|
|
||||||
<para>The Shorewall web site is almost font neutral (it doesn't
|
<para>The Shorewall web site is almost font neutral (it doesn't
|
||||||
explicitly specify fonts except on a few pages) so the fonts you see are
|
explicitly specify fonts except on a few pages) so the fonts you see are
|
||||||
@ -1601,7 +1616,7 @@ Creating input Chains...
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq25">
|
<section id="faq25">
|
||||||
<title>How to I tell which version of Shorewall I am running?</title>
|
<title>(FAQ 25) How to I tell which version of Shorewall I am running?</title>
|
||||||
|
|
||||||
<para>At the shell prompt, type:</para>
|
<para>At the shell prompt, type:</para>
|
||||||
|
|
||||||
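Review bot: The faq25 title keeps the typo "How to I tell which version of Shorewall I am running?" on the new side; change "How to I" to "How do I" while the line is being edited.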
@ -1609,7 +1624,7 @@ Creating input Chains...
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq31">
|
<section id="faq31">
|
||||||
<title>Does Shorewall provide protection against....</title>
|
<title>(FAQ 31) Does Shorewall provide protection against....</title>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
@ -1672,10 +1687,10 @@ Creating input Chains...
|
|||||||
<title>RFC 1918</title>
|
<title>RFC 1918</title>
|
||||||
|
|
||||||
<section id="faq14">
|
<section id="faq14">
|
||||||
<title>I'm connected via a cable modem and it has an internal web
|
<title>(FAQ 14) I'm connected via a cable modem and it has an
|
||||||
server that allows me to configure/monitor it but as expected if I
|
internal web server that allows me to configure/monitor it but as
|
||||||
enable rfc1918 blocking for my eth0 interface (the internet one), it
|
expected if I enable rfc1918 blocking for my eth0 interface (the
|
||||||
also blocks the cable modems web server.</title>
|
internet one), it also blocks the cable modems web server.</title>
|
||||||
|
|
||||||
<para>Is there any way it can add a rule before the rfc1918 blocking
|
<para>Is there any way it can add a rule before the rfc1918 blocking
|
||||||
that will let all traffic to and from the 192.168.100.1 address of the
|
that will let all traffic to and from the 192.168.100.1 address of the
|
||||||
@ -1747,9 +1762,10 @@ Creating input Chains...
|
|||||||
</note>
|
</note>
|
||||||
|
|
||||||
<section id="faq14a">
|
<section id="faq14a">
|
||||||
<title>Even though it assigns public IP addresses, my ISP's DHCP
|
<title>(FAQ 14a) Even though it assigns public IP addresses, my
|
||||||
server has an RFC 1918 address. If I enable RFC 1918 filtering on my
|
ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918
|
||||||
external interface, my DHCP client cannot renew its lease.</title>
|
filtering on my external interface, my DHCP client cannot renew its
|
||||||
|
lease.</title>
|
||||||
|
|
||||||
<para>The solution is the same as <xref linkend="faq14" /> above.
|
<para>The solution is the same as <xref linkend="faq14" /> above.
|
||||||
Simply substitute the IP address of your ISPs DHCP server.</para>
|
Simply substitute the IP address of your ISPs DHCP server.</para>
|
||||||
@ -1761,8 +1777,8 @@ Creating input Chains...
|
|||||||
<title>Alias IP Addresses/Virtual Interfaces</title>
|
<title>Alias IP Addresses/Virtual Interfaces</title>
|
||||||
|
|
||||||
<section id="faq18">
|
<section id="faq18">
|
||||||
<title>Is there any way to use aliased ip addresses with Shorewall, and
|
<title>(FAQ 18) Is there any way to use aliased ip addresses with
|
||||||
maintain separate rulesets for different IPs?</title>
|
Shorewall, and maintain separate rulesets for different IPs?</title>
|
||||||
|
|
||||||
<para><emphasis role="bold">Answer:</emphasis> Yes. See <ulink
|
<para><emphasis role="bold">Answer:</emphasis> Yes. See <ulink
|
||||||
url="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased
|
url="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased
|
||||||
@ -1774,8 +1790,8 @@ Creating input Chains...
|
|||||||
<title>Miscellaneous</title>
|
<title>Miscellaneous</title>
|
||||||
|
|
||||||
<section id="faq19">
|
<section id="faq19">
|
||||||
<title>I have added entries to /etc/shorewall/tcrules but they don't
|
<title>(FAQ 19) I have added entries to /etc/shorewall/tcrules but they
|
||||||
seem to do anything. Why?</title>
|
don't seem to do anything. Why?</title>
|
||||||
|
|
||||||
<para>You probably haven't set TC_ENABLED=Yes in
|
<para>You probably haven't set TC_ENABLED=Yes in
|
||||||
/etc/shorewall/shorewall.conf so the contents of the tcrules file are
|
/etc/shorewall/shorewall.conf so the contents of the tcrules file are
|
||||||
@ -1783,8 +1799,8 @@ Creating input Chains...
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq20">
|
<section id="faq20">
|
||||||
<title>I have just set up a server. Do I have to change Shorewall to
|
<title>(FAQ 20) I have just set up a server. Do I have to change
|
||||||
allow access to my server from the internet?</title>
|
Shorewall to allow access to my server from the internet?</title>
|
||||||
|
|
||||||
<para>Yes. Consult the <ulink url="shorewall_quickstart_guide.htm">QuickStart
|
<para>Yes. Consult the <ulink url="shorewall_quickstart_guide.htm">QuickStart
|
||||||
guide</ulink> that you used during your initial setup for information
|
guide</ulink> that you used during your initial setup for information
|
||||||
@ -1792,8 +1808,8 @@ Creating input Chains...
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq24">
|
<section id="faq24">
|
||||||
<title>How can I allow conections to let's say the ssh port only
|
<title>(FAQ 24) How can I allow conections to let's say the ssh port
|
||||||
from specific IP Addresses on the internet?</title>
|
only from specific IP Addresses on the internet?</title>
|
||||||
|
|
||||||
<para>In the SOURCE column of the rule, follow "net" by a colon
|
<para>In the SOURCE column of the rule, follow "net" by a colon
|
||||||
and a list of the host/subnet addresses as a comma-separated list.</para>
|
and a list of the host/subnet addresses as a comma-separated list.</para>
|
||||||
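Review bot: The faq24 title keeps the misspelling "conections" on the new side; it should be "connections" since the line is being rewrapped anyway. The lower-case "let's say" and capitalised "IP Addresses" could also be normalised to "let's say the ssh port only from specific IP addresses".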
@ -1808,18 +1824,18 @@ Creating input Chains...
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq26">
|
<section id="faq26">
|
||||||
<title>When I try to use any of the SYN options in nmap on or behind the
|
<title>(FAQ 26) When I try to use any of the SYN options in nmap on or
|
||||||
firewall, I get "operation not permitted". How can I use nmap
|
behind the firewall, I get "operation not permitted". How can I
|
||||||
with Shorewall?"</title>
|
use nmap with Shorewall?"</title>
|
||||||
|
|
||||||
<para>Edit /etc/shorewall/shorewall.conf and change
|
<para>Edit /etc/shorewall/shorewall.conf and change
|
||||||
"NEWNOTSYN=No" to "NEWNOTSYN=Yes" then restart
|
"NEWNOTSYN=No" to "NEWNOTSYN=Yes" then restart
|
||||||
Shorewall.</para>
|
Shorewall.</para>
|
||||||
|
|
||||||
<section id="faq26a">
|
<section id="faq26a">
|
||||||
<title>When I try to use the "-O" option of nmap from the
|
<title>(FAQ 26a) When I try to use the "-O" option of nmap
|
||||||
firewall system, I get "operation not permitted". How to I
|
from the firewall system, I get "operation not permitted". How
|
||||||
allow this option?</title>
|
to I allow this option?</title>
|
||||||
|
|
||||||
<para>Add this command to your /etc/shorewall/start file:</para>
|
<para>Add this command to your /etc/shorewall/start file:</para>
|
||||||
|
|
||||||
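Review bot: Two carried-over defects in this hunk are worth fixing alongside the relabelling. The faq26 title ends with an unmatched closing quote, 'use nmap with Shorewall?"</title>', which has no opening quote anywhere in the title; delete it. The faq26a title still reads "How to I allow this option?" and should be "How do I allow this option?".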
@ -1828,8 +1844,8 @@ Creating input Chains...
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq27">
|
<section id="faq27">
|
||||||
<title>I'm compiling a new kernel for my firewall. What should I
|
<title>(FAQ 27) I'm compiling a new kernel for my firewall. What
|
||||||
look out for?</title>
|
should I look out for?</title>
|
||||||
|
|
||||||
<para>First take a look at the <ulink url="kernel.htm">Shorewall kernel
|
<para>First take a look at the <ulink url="kernel.htm">Shorewall kernel
|
||||||
configuration page</ulink>. You probably also want to be sure that you
|
configuration page</ulink>. You probably also want to be sure that you
|
||||||
@ -1840,7 +1856,7 @@ Creating input Chains...
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq28">
|
<section id="faq28">
|
||||||
<title>How do I use Shorewall as a Bridging Firewall?</title>
|
<title>(FAQ 28) How do I use Shorewall as a Bridging Firewall?</title>
|
||||||
|
|
||||||
<para>Basically, you don't. While there are kernel patches that
|
<para>Basically, you don't. While there are kernel patches that
|
||||||
allow you to route bridge traffic through Netfilter, the environment is
|
allow you to route bridge traffic through Netfilter, the environment is
|
||||||
|