diff --git a/Shorewall-docs/FAQ.xml b/Shorewall-docs/FAQ.xml
index be5962fd0..641e4ab03 100644
--- a/Shorewall-docs/FAQ.xml
+++ b/Shorewall-docs/FAQ.xml
@@ -17,14 +17,10 @@
- 2003-12-18
+ 2003-12-31
- 2001
-
- 2002
-
- 2003
+ 2001-2003Thomas M. Eastep
@@ -192,7 +188,7 @@
Finally, if you need to forward a range of ports, in the PORT
- column specify the range as low-port:high-port.
+ column specify the range as <low-port>:<high-port>.
(FAQ 1a) Ok -- I followed those instructions but it doesn't
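Review bot: the `+` line introduces literal angle brackets (`<low-port>:<high-port>`) into a DocBook XML source; unless the surrounding context that the diff omits already escapes them, `<low-port>` will be read as a start tag and the file will fail to parse. Write them as `&lt;low-port&gt;:&lt;high-port&gt;` (or wrap each in a `<replaceable>` element) so the rendered text still shows the brackets.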
@@ -722,16 +718,28 @@
rather than dropping them. This is necessary to prevent outgoing
connection problems to services that use the Auth
mechanism for identifying requesting users. Shorewall also rejects TCP
- ports 135, 137 and 139 as well as UDP ports 137-139. These are ports
- that are used by Windows (Windows can be configured
- to use the DCE cell locator on port 135). Rejecting these connection
- requests rather than dropping them cuts down slightly on the amount of
- Windows chatter on LAN segments connected to the Firewall.
+ ports 135, 137, 139 and 445 as well as UDP ports 137-139. These are
+ ports that are used by Windows (Windows can be
+ configured to use the DCE cell locator on port 135). Rejecting these
+ connection requests rather than dropping them cuts down slightly on the
+ amount of Windows chatter on LAN segments connected to the Firewall.
If you are seeing port 80 being closed, that's
probably your ISP preventing you from running a web server in violation
of your Service Agreement.
+
+ You can change the default behavior of Shorewall through use of
+ an /etc/shorewall/common file. See the Extension Script Section.
+
+
+
+ Beginning with Shorewall 1.4.9, Shorewall no longer rejects the
+ Windows SMB ports (135-139 and 445) by default and silently drops them
+ instead.
+
+
(FAQ 4a) I just ran an nmap UDP scan of my firewall and it
showed 100s of ports as open!!!!
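Review bot: the rewritten paragraph still states unconditionally that "Shorewall also rejects TCP ports 135, 137, 139 and 445", while the note added at the end of the hunk says that from 1.4.9 those ports are silently dropped instead; the two statements contradict each other for a 1.4.9 reader. Qualify the first one ("Prior to Shorewall 1.4.9, Shorewall also rejects ...") so the paragraph and the note agree. The note's port list "135-139" also does not match the paragraph's "135, 137, 139" for TCP; use the same list in both places. Finally, "See the Extension Script Section" gives the reader nothing to click; add the link to that section.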
@@ -858,7 +866,7 @@
through settings in
/etc/shorewall/shorewall.conf -- If you want to log all messages, set:
- LOGLIMIT=""
+ LOGLIMIT=""
LOGBURST=""Beginning with Shorewall version 1.3.12, you can Revision History
- 1.72003-12-30TERemove
+ 1.82003-12-31TEAdditions
+ to FAQ 4.1.72003-12-30TERemove
dead link from FAQ 1.1.62003.12-18TEAdd
external link reference to FAQ 17.1.52003-12-16TEAdded
a link to a Sys Admin article about multiple internet interfaces. Added
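Review bot: the `-`/`+` pair for `LOGLIMIT=""` is visually identical, so this is presumably a markup-only change (whitespace or a tag attribute); if no rendered change is intended, consider dropping it to keep the hunk to the revision-history addition. While touching the revision history, the 1.6 entry's date "2003.12-18" mixes separators; make it "2003-12-18" like the other entries.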
diff --git a/Shorewall-docs/standalone.xml b/Shorewall-docs/standalone.xml
index 2ea845b79..d51e2d043 100644
--- a/Shorewall-docs/standalone.xml
+++ b/Shorewall-docs/standalone.xml
@@ -114,9 +114,9 @@
If you
have an ADSL Modem and you use PPTP to communicate with a server in that
modem, you must make the changes
- recommended here in addition to those described in the steps
- below. ADSL with PPTP is most commonly found in Europe, notably in
- Austria.
+ recommended herein addition to those
+ described in the steps below. ADSL with PPTP is most commonly
+ found in Europe, notably in Austria.
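Review bot: the rewritten sentence reads "recommended herein addition to those described in the steps below", i.e. the space between "here" and "in" was lost when the link markup was reflowed. Restore it so the text reads "recommended here in addition to those ...".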
diff --git a/Shorewall-docs/starting_and_stopping_shorewall.xml b/Shorewall-docs/starting_and_stopping_shorewall.xml
index 2c3b00293..ddff858d4 100755
--- a/Shorewall-docs/starting_and_stopping_shorewall.xml
+++ b/Shorewall-docs/starting_and_stopping_shorewall.xml
@@ -37,15 +37,11 @@
Operating ShorewallIf you have a permanent internet connection such as DSL or Cable, I
- recommend that you start the firewall automatically at boot. Once you have
- installed firewall in your init.d directory, simply type
- chkconfig --add shorewall (insserv
- -d shorewall if your distribution uses insserv to
- install startup scripts). This will start the firewall in run levels 2-5
- and stop it in run levels 1 and 6. If you want to configure your firewall
- differently from this default, you can use the --level
- option in chkconfig (see man chkconfig) or using your
- favorite graphical run-level editor.
+ recommend that you start the firewall automatically at boot. The installation procedure attempts to set up the
+ init scripts to start the firewall in run levels 2-5 and stop it in run
+ levels 1 and 6. If you want to configure your firewall differently from
+ this default, you can use your distribution's run-level editor.
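Review bot: "The installation procedure attempts to set up the init scripts" replaces concrete `chkconfig --add shorewall` / `insserv -d shorewall` instructions with a statement that may or may not be true on a given system, and the reader is no longer told how to tell. Since a failed attempt means the host comes up after reboot with no firewall loaded, keep a sentence on how to verify the result (e.g. check with the distribution's run-level tool that shorewall is enabled in run levels 2-5 and stopped in 1 and 6) and what to do if it was not set up.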
@@ -57,20 +53,27 @@
- If you use dialup, you may want to start the firewall in your
+ If you use dialup or some flavor of PPP where your IP address
+ can change arbitrarily, you may want to start the firewall in your
/etc/ppp/ip-up.local script. I recommend just
- placing shorewall restart in that script.
+ placing /sbin/shorewall restart in
+ that script.You can manually start and stop Shoreline Firewall using the
- shorewall shell program. Please refer to the
- Shorewall State Diagram as shown at the bottom of this page.
+ /sbin/shorewall shell program.
- shorewall start - starts the firewall
+ shorewall start - starts the firewall. It
+ important to understand that when the firewall is in the Started state there is no Shorewall
+ Program running. It rather means that Netfilter has been
+ configured to handle traffic as described in your Shorewall
+ configuration files. Please refer to the Shorewall
+ State Diagram as shown at the bottom of this page.
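Review bot: "It important to understand that ..." is missing a verb; make it "It is important to understand that ...". The clarification itself (Started means Netfilter has been configured, not that a Shorewall process is running) is a useful addition.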
@@ -341,17 +344,18 @@
-
+ Shorewall State Diagram
- The Shorewall State Diargram is depicted below.
+ The Shorewall State Diargram is depicted below.
+
+ You will note that the commands that result in state transitions use
the word firewall rather than shorewall.
- That is because the actual transitions are done by
- /usr/share/shorewall/firewall; /sbin/shorewall runs firewall
- according to the following table:
+ That is because the actual transitions are done by /usr/share/shorewall/firewall;
+ /sbin/shorewall runs firewall according
+ to the following table:
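Review bot: the `+` line keeps the misspelling "Diargram" from the line it replaces; since the line is being touched anyway, correct it to "The Shorewall State Diagram is depicted below."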
@@ -452,4 +456,12 @@
+
+
+ Revision History
+
+ 1.22003-12-31TEAdded
+ clarification about "Started State"1.12003-12-29TEInitial
+ Docbook conversion
+
\ No newline at end of file
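Review bot: the file is left without a trailing newline ("\ No newline at end of file"); add one after the closing element so later diffs against this revision history stay clean.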
diff --git a/Shorewall-docs/two-interface.xml b/Shorewall-docs/two-interface.xml
index 1aa8262ea..5a59343c9 100644
--- a/Shorewall-docs/two-interface.xml
+++ b/Shorewall-docs/two-interface.xml
@@ -129,23 +129,27 @@
PPTP/ADSL
- If you
- have an ADSL Modem and you use PPTP
- to communicate with a server in that modem, you must make the changes
- recommended here in addition to those detailed below. ADSL
- with PPTP is most commonly found in Europe, notably in
+
+
+ If you have an ADSL Modem and you use
+ PPTP to communicate with a server in that modem, you
+ must make the changes recommended here
+ in addition to those detailed below. ADSL with
+ PPTP is most commonly found in Europe, notably in
Austria.Shorewall Concepts
- The
- configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple setups, you will
- only need to deal with a few of these as described in this guide.
- After you have installed Shorewall,
- download the two-interface
+
+
+ The configuration files for Shorewall are contained in the directory
+ /etc/shorewall -- for simple
+ setups, you will only need to deal with a few of these as described in
+ this guide. After you have installed
+ Shorewall, download the two-interface
sample, un-tar it (tar
two-interfaces.tgz) and and copy the files
to /etc/shorewallreject all other
connection requests.At this point, edit your
- /etc/shorewall/policy
+ fileref="images/BD21298_.gif" format="GIF" />
+
+ At this point, edit your /etc/shorewall/policy
and make any changes that you wish.
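Review bot: the unchanged context immediately after the reflowed paragraph reads "un-tar it (tar two-interfaces.tgz) and and copy the files"; the duplicated "and" is in this region and can be fixed in the same commit.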
@@ -250,9 +255,10 @@
ISDN, your external interface will be ippp0.
- If your
- external interface is ppp0 or
- ippp0 then you will want to set
+
+
+ If your external interface is ppp0
+ or ippp0 then you will want to set
CLAMPMSS=yes in /etc/shorewall/shorewall.conf.Your Internal Interface will be an ethernet
@@ -268,11 +274,13 @@
/etc/shorewall/interfaces
for all interfaces connected to the common hub/switch. Using such a setup
with a production firewall is strongly recommended against.
- The Shorewall
- two-interface sample configuration assumes that the external interface is
- eth0 and the internal interface is
- eth1. If your configuration is
- different, you will have to modify the sample /etc/shorewall/interfaces
+
+
+ The Shorewall two-interface sample configuration assumes that the
+ external interface is eth0 and the
+ internal interface is eth1. If
+ your configuration is different, you will have to modify the sample
+ /etc/shorewall/interfaces
file accordingly. While you are there, you may wish to review the list of
options that are specified for the interfaces. Some hints: If your external interface is Before
- starting Shorewall, you should look at the IP address of your external
- interface and if it is one of the above ranges, you should remove the
- 'norfc1918' option from the external interface's entry in
+
+
+ Before starting Shorewall, you should look at the IP address of your
+ external interface and if it is one of the above ranges, you should remove
+ the 'norfc1918' option from the external interface's entry in
/etc/shorewall/interfaces.You will want to assign your addresses from the same sub-network
@@ -345,10 +354,11 @@
directly. To communicate with systems outside of the subnetwork, systems
send packets through a gateway (router).
- Your
- local computers (computer 1 and computer 2 in the above diagram) should be
- configured with their default gateway to be the IP
- address of the firewall's internal interface.
+
+
+ Your local computers (computer 1 and computer 2 in the above
+ diagram) should be configured with their default gateway to be the
+ IP address of the firewall's internal interface.The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning more
@@ -405,24 +415,28 @@
IP is dynamic and SNAT if the
IP is static.
- If your
- external firewall interface is eth0,
+
+
+ If your external firewall interface is eth0,
you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq
and change the first column to the name of your external interface and the
second column to the name of your internal interface.
- If your
- external IP is static, you can enter it in the third
- column in the /etc/shorewall/masq
+
+
+ If your external IP is static, you can enter it
+ in the third column in the /etc/shorewall/masq
entry if you like although your firewall will work fine if you leave that
column empty. Entering your static IP in column 3 makes
processing outgoing packets a little more efficient.
- If you
- are using the Debian package, please check your shorewall.conf
- file to ensure that the following are set correctly; if they are not,
- change them appropriately: NAT_ENABLED=Yes
+
+
+ If you are using the Debian package, please check your
+ shorewall.conf file to ensure that the following are
+ set correctly; if they are not, change them appropriately: NAT_ENABLED=Yes
(Shorewall versions earlier than 1.4.6)IP_FORWARDING=On
@@ -448,9 +462,9 @@
class="directory">/etc/shorewall/rules is:
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSSOURCEDESTPROTODEST PORT(S)CLIENT PORT(s)ORIGINAL DESTDNATnetloc:<server local ip address> [:<server
port>]<protocol>ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTDNATnetloc:10.10.10.2tcp80
@@ -471,9 +485,9 @@
incoming TCP port 21 to that system: ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSSOURCEDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTDNATnetloc:10.10.10.1tcp21
@@ -494,17 +508,18 @@
url="FAQ.htm#faq2">Shorewall FAQ #2.Many
ISPs block incoming connection requests to port 80. If
you have problems connecting to your web server, try the following rule
- and try connecting to port 5000. ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTDNATnetloc:10.10.10.2:80tcp5000
- At this point,
- modify /etc/shorewall/rules
+ align="left">tcp5000
+
+
+ At this point, modify /etc/shorewall/rules
to add any DNAT rules that you require.
@@ -543,9 +558,9 @@
class="directory">/etc/shorewall/rules.
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSSOURCEDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTACCEPTlocfwtcp53The two-interface sample includes the following rules:
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSSOURCEDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTACCEPTfwnettcp53The sample also includes: ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTACCEPTlocfwtcp22
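Review bot: the DNS rules shown here (`ACCEPT loc fw tcp 53` and `ACCEPT fw net tcp 53`) cover only TCP, whereas the Bering-specific rules later in the file add `ACCEPT loc fw udp 53`. Since ordinary DNS lookups use UDP 53, state whether the two-interface sample also carries the corresponding udp rules or, if it does not, say so explicitly so readers do not conclude that TCP 53 alone is sufficient.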
@@ -589,9 +604,9 @@
other systems, the general format is: ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSSOURCEDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTACCEPT<source
zone><destination
zone><protocol>ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSSOURCEDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTACCEPTnetfwtcp80#Allow
@@ -619,15 +634,15 @@
url="ports.htm">here. I don't recommend
enabling telnet to/from the internet because it uses
clear text (even for login!). If you want shell access to your firewall
- from the internet, use SSH: SSH: ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSSOURCEDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTACCEPTnetfwtcp22
+ align="left">22Bering users
will want to add the following two rules to be compatible with
Jacques's Shorewall configuration. ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTACCEPTlocfwudp53#Allow
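Review bot: the removed line contains the label twice ("use SSH: SSH:"); the replacement line only shows the tail of the table, so confirm the duplicated "SSH:" was dropped in the rewritten markup rather than carried over.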
@@ -646,21 +661,23 @@
align="left">locfwtcp80#Allow weblet to work
- Now edit your
- /etc/shorewall/rules
+
+
+ Now edit your /etc/shorewall/rules
file to add or delete other connections as required.Starting and Stopping Your Firewall
- The
- installation procedure configures your
- system to start Shorewall at system boot but beginning with Shorewall
- version 1.3.9 startup is disabled so that your system won't try to
- start Shorewall before configuration is complete. Once you have completed
- configuration of your firewall, you can enable Shorewall startup by
- removing the file /etc/shorewall/startup_disabled.
+
+
+ The installation procedure
+ configures your system to start Shorewall at system boot but beginning
+ with Shorewall version 1.3.9 startup is disabled so that your system
+ won't try to start Shorewall before configuration is complete. Once
+ you have completed configuration of your firewall, you can enable
+ Shorewall startup by removing the file /etc/shorewall/startup_disabled.
Users of the .deb package must edit /etc/default/shorewall
and set startup=1. The firewall is
@@ -674,10 +691,11 @@
of Shorewall from your Netfilter configuration, use shorewall
clear.
- The
- two-interface sample assumes that you want to enable routing to/from
- eth1 (the local network) when
- Shorewall is stopped. If your local network isn't connected to
+
+
+ The two-interface sample assumes that you want to enable routing
+ to/from eth1 (the local network)
+ when Shorewall is stopped. If your local network isn't connected to
eth1 or if you wish to enable
access to/from other hosts, change /etc/shorewall/routestopped
accordingly. If you are connected to your firewall from the
diff --git a/Shorewall-docs/useful_links.xml b/Shorewall-docs/useful_links.xml
index 8a919d3a2..793656a19 100644
--- a/Shorewall-docs/useful_links.xml
+++ b/Shorewall-docs/useful_links.xml
@@ -13,7 +13,7 @@
Eastep
- 2003/12/22
+ 2003/12/302003
@@ -60,7 +60,7 @@
Debian apt-get sources for Shorewall: http://idea.sec.dico.unimi.it/~Elorenzo/index.html#Debian
+ url="http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian
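Review bot: the `+` line changes the `url` attribute to `~lorenzo`, but the visible link text on the preceding context line still shows the old `~Elorenzo` path; make sure the displayed text and the `url` attribute are both updated so the rendered link and its label agree.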