From bfa841a6c367d03b5830538ba426802cfdfdc3bf Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 31 Dec 2003 22:15:46 +0000 Subject: [PATCH] Update two-interface guide for PDF compatibility git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1046 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/FAQ.xml | 37 ++-- Shorewall-docs/standalone.xml | 6 +- .../starting_and_stopping_shorewall.xml | 52 +++-- Shorewall-docs/two-interface.xml | 204 ++++++++++-------- Shorewall-docs/useful_links.xml | 4 +- 5 files changed, 171 insertions(+), 132 deletions(-) diff --git a/Shorewall-docs/FAQ.xml b/Shorewall-docs/FAQ.xml index be5962fd0..641e4ab03 100644 --- a/Shorewall-docs/FAQ.xml +++ b/Shorewall-docs/FAQ.xml @@ -17,14 +17,10 @@ - 2003-12-18 + 2003-12-31 - 2001 - - 2002 - - 2003 + 2001-2003 Thomas M. Eastep @@ -192,7 +188,7 @@ Finally, if you need to forward a range of ports, in the PORT - column specify the range as low-port:high-port. + column specify the range as <low-port>:<high-port>.
(FAQ 1a) Ok -- I followed those instructions but it doesn't @@ -722,16 +718,28 @@ rather than dropping them. This is necessary to prevent outgoing connection problems to services that use the <quote>Auth</quote> mechanism for identifying requesting users. Shorewall also rejects TCP - ports 135, 137 and 139 as well as UDP ports 137-139. These are ports - that are used by Windows (Windows <emphasis>can</emphasis> be configured - to use the DCE cell locator on port 135). Rejecting these connection - requests rather than dropping them cuts down slightly on the amount of - Windows chatter on LAN segments connected to the Firewall.</para> + ports 135, 137, 139 and 445 as well as UDP ports 137-139. These are + ports that are used by Windows (Windows <emphasis>can</emphasis> be + configured to use the DCE cell locator on port 135). Rejecting these + connection requests rather than dropping them cuts down slightly on the + amount of Windows chatter on LAN segments connected to the Firewall.</para> <para>If you are seeing port 80 being <quote>closed</quote>, that's probably your ISP preventing you from running a web server in violation of your Service Agreement.</para> + <tip> + <para>You can change the default behavior of Shorewall through use of + an /etc/shorewall/common file. See the <ulink + url="shorewall_extension_scripts.htm">Extension Script Section</ulink>.</para> + </tip> + + <tip> + <para>Beginning with Shorewall 1.4.9, Shorewall no longer rejects the + Windows SMB ports (135-139 and 445) by default and silently drops them + instead.</para> + </tip> + <section id="faq4a"> <title>(FAQ 4a) I just ran an nmap UDP scan of my firewall and it showed 100s of ports as open!!!! 
@@ -858,7 +866,7 @@ through settings in /etc/shorewall/shorewall.conf -- If you want to log all messages, set: - LOGLIMIT="" + LOGLIMIT="" LOGBURST="" Beginning with Shorewall version 1.3.12, you can Revision History - 1.72003-12-30TERemove + 1.82003-12-31TEAdditions + to FAQ 4.1.72003-12-30TERemove dead link from FAQ 1.1.62003.12-18TEAdd external link reference to FAQ 17.1.52003-12-16TEAdded a link to a Sys Admin article about multiple internet interfaces. Added diff --git a/Shorewall-docs/standalone.xml b/Shorewall-docs/standalone.xml index 2ea845b79..d51e2d043 100644 --- a/Shorewall-docs/standalone.xml +++ b/Shorewall-docs/standalone.xml @@ -114,9 +114,9 @@ If you have an ADSL Modem and you use PPTP to communicate with a server in that modem, you must make the changes - recommended here in addition to those described in the steps - below. ADSL with PPTP is most commonly found in Europe, notably in - Austria. + recommended here in addition to those + described in the steps below. ADSL with PPTP is most commonly + found in Europe, notably in Austria.
diff --git a/Shorewall-docs/starting_and_stopping_shorewall.xml b/Shorewall-docs/starting_and_stopping_shorewall.xml index 2c3b00293..ddff858d4 100755 --- a/Shorewall-docs/starting_and_stopping_shorewall.xml +++ b/Shorewall-docs/starting_and_stopping_shorewall.xml @@ -37,15 +37,11 @@ Operating Shorewall If you have a permanent internet connection such as DSL or Cable, I - recommend that you start the firewall automatically at boot. Once you have - installed firewall in your init.d directory, simply type - chkconfig --add shorewall (insserv - -d shorewall if your distribution uses insserv to - install startup scripts). This will start the firewall in run levels 2-5 - and stop it in run levels 1 and 6. If you want to configure your firewall - differently from this default, you can use the --level - option in chkconfig (see man chkconfig) or using your - favorite graphical run-level editor. + recommend that you start the firewall automatically at boot. The installation procedure attempts to set up the + init scripts to start the firewall in run levels 2-5 and stop it in run + levels 1 and 6. If you want to configure your firewall differently from + this default, you can use your distribution's run-level editor. 
@@ -57,20 +53,27 @@ - If you use dialup, you may want to start the firewall in your + If you use dialup or some flavor of PPP where your IP address + can change arbitrarily, you may want to start the firewall in your /etc/ppp/ip-up.local script. I recommend just - placing shorewall restart in that script. + placing /sbin/shorewall restart in + that script. You can manually start and stop Shoreline Firewall using the - shorewall shell program. Please refer to the - Shorewall State Diagram as shown at the bottom of this page. + /sbin/shorewall shell program. - shorewall start - starts the firewall + shorewall start - starts the firewall. It + important to understand that when the firewall is in the Started state there is no Shorewall + Program running. It rather means that Netfilter has been + configured to handle traffic as described in your Shorewall + configuration files. Please refer to the Shorewall + State Diagram as shown at the bottom of this page. @@ -341,17 +344,18 @@
-
+
Shorewall State Diagram - The Shorewall State Diargram is depicted below. + The Shorewall State Diargram is depicted below. + + You will note that the commands that result in state transitions use the word firewall rather than shorewall. - That is because the actual transitions are done by - /usr/share/shorewall/firewall; /sbin/shorewall runs firewall - according to the following table: + That is because the actual transitions are done by /usr/share/shorewall/firewall; + /sbin/shorewall runs firewall according + to the following table: @@ -452,4 +456,12 @@
+ + + Revision History + + 1.22003-12-31TEAdded + clarification about "Started State"1.12003-12-29TEInitial + Docbook conversion + \ No newline at end of file diff --git a/Shorewall-docs/two-interface.xml b/Shorewall-docs/two-interface.xml index 1aa8262ea..5a59343c9 100644 --- a/Shorewall-docs/two-interface.xml +++ b/Shorewall-docs/two-interface.xml @@ -129,23 +129,27 @@
PPTP/ADSL - If you - have an ADSL Modem and you use PPTP - to communicate with a server in that modem, you must make the changes - recommended here in addition to those detailed below. ADSL - with PPTP is most commonly found in Europe, notably in + + + If you have an ADSL Modem and you use + PPTP to communicate with a server in that modem, you + must make the changes recommended here + in addition to those detailed below. ADSL with + PPTP is most commonly found in Europe, notably in Austria.
Shorewall Concepts - The - configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple setups, you will - only need to deal with a few of these as described in this guide. - After you have installed Shorewall, - download the two-interface + + + The configuration files for Shorewall are contained in the directory + /etc/shorewall -- for simple + setups, you will only need to deal with a few of these as described in + this guide. After you have installed + Shorewall, download the two-interface sample, un-tar it (tar two-interfaces.tgz) and and copy the files to /etc/shorewall reject all other connection requests. At this point, edit your - /etc/shorewall/policy + fileref="images/BD21298_.gif" format="GIF" /> + + At this point, edit your /etc/shorewall/policy and make any changes that you wish.
@@ -250,9 +255,10 @@ ISDN, your external interface will be ippp0. - If your - external interface is ppp0 or - ippp0 then you will want to set + + + If your external interface is ppp0 + or ippp0 then you will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf. Your Internal Interface will be an ethernet @@ -268,11 +274,13 @@ /etc/shorewall/interfaces for all interfaces connected to the common hub/switch. Using such a setup with a production firewall is strongly recommended against. - The Shorewall - two-interface sample configuration assumes that the external interface is - eth0 and the internal interface is - eth1. If your configuration is - different, you will have to modify the sample /etc/shorewall/interfaces + + + The Shorewall two-interface sample configuration assumes that the + external interface is eth0 and the + internal interface is eth1. If + your configuration is different, you will have to modify the sample + /etc/shorewall/interfaces file accordingly. While you are there, you may wish to review the list of options that are specified for the interfaces. Some hints: If your external interface is Before - starting Shorewall, you should look at the IP address of your external - interface and if it is one of the above ranges, you should remove the - 'norfc1918' option from the external interface's entry in + + + Before starting Shorewall, you should look at the IP address of your + external interface and if it is one of the above ranges, you should remove + the 'norfc1918' option from the external interface's entry in /etc/shorewall/interfaces. You will want to assign your addresses from the same sub-network 
@@ -345,10 +354,11 @@ directly. To communicate with systems outside of the subnetwork, systems send packets through a gateway (router). - Your - local computers (computer 1 and computer 2 in the above diagram) should be - configured with their default gateway to be the IP - address of the firewall's internal interface. + + + Your local computers (computer 1 and computer 2 in the above + diagram) should be configured with their default gateway to be the + IP address of the firewall's internal interface. The foregoing short discussion barely scratches the surface regarding subnetting and routing. If you are interested in learning more @@ -405,24 +415,28 @@ IP is dynamic and SNAT if the IP is static. - If your - external firewall interface is eth0, + + + If your external firewall interface is eth0, you do not need to modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq and change the first column to the name of your external interface and the second column to the name of your internal interface. - If your - external IP is static, you can enter it in the third - column in the /etc/shorewall/masq + + + If your external IP is static, you can enter it + in the third column in the /etc/shorewall/masq entry if you like although your firewall will work fine if you leave that column empty. Entering your static IP in column 3 makes processing outgoing packets a little more efficient. - If you - are using the Debian package, please check your shorewall.conf - file to ensure that the following are set correctly; if they are not, - change them appropriately: NAT_ENABLED=Yes + + + If you are using the Debian package, please check your + shorewall.conf file to ensure that the following are + set correctly; if they are not, change them appropriately: NAT_ENABLED=Yes (Shorewall versions earlier than 1.4.6)IP_FORWARDING=On
@@ -448,9 +462,9 @@ class="directory">/etc/shorewall/rules is: ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSSOURCEDESTPROTODEST PORT(S)CLIENT PORT(s)ORIGINAL DESTDNATnetloc:<server local ip address> [:<server port>]<protocol>ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTDNATnetloc:10.10.10.2tcp80 @@ -471,9 +485,9 @@ incoming TCP port 21 to that system: ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSSOURCEDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTDNATnetloc:10.10.10.1tcp21 @@ -494,17 +508,18 @@ url="FAQ.htm#faq2">Shorewall FAQ #2.Many ISPs block incoming connection requests to port 80. If you have problems connecting to your web server, try the following rule - and try connecting to port 5000. ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTDNATnetloc:10.10.10.2:80tcp5000 - At this point, - modify /etc/shorewall/rules + align="left">tcp5000 + + + At this point, modify /etc/shorewall/rules to add any DNAT rules that you require. @@ -543,9 +558,9 @@ class="directory">/etc/shorewall/rules. ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSSOURCEDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTACCEPTlocfwtcp53The two-interface sample includes the following rules: ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSSOURCEDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTACCEPTfwnettcp53The sample also includes: ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTACCEPTlocfwtcp22 
@@ -589,9 +604,9 @@ other systems, the general format is: ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSSOURCEDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTACCEPT<source zone><destination zone><protocol>ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSSOURCEDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTACCEPTnetfwtcp80#Allow @@ -619,15 +634,15 @@ url="ports.htm">here. I don't recommend enabling telnet to/from the internet because it uses clear text (even for login!). If you want shell access to your firewall - from the internet, use SSH: SSH: ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSSOURCEDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTACCEPTnetfwtcp22 + align="left">22 Bering users will want to add the following two rules to be compatible with Jacques's Shorewall configuration. ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSDESTPROTODEST PORT(S)CLIENT PORT(S)ORIGINAL DESTACCEPTlocfwudp53#Allow @@ -646,21 +661,23 @@ align="left">locfwtcp80#Allow weblet to work - Now edit your - /etc/shorewall/rules + + + Now edit your /etc/shorewall/rules file to add or delete other connections as required.
Starting and Stopping Your Firewall - The - installation procedure configures your - system to start Shorewall at system boot but beginning with Shorewall - version 1.3.9 startup is disabled so that your system won't try to - start Shorewall before configuration is complete. Once you have completed - configuration of your firewall, you can enable Shorewall startup by - removing the file /etc/shorewall/startup_disabled. + + + The installation procedure + configures your system to start Shorewall at system boot but beginning + with Shorewall version 1.3.9 startup is disabled so that your system + won't try to start Shorewall before configuration is complete. Once + you have completed configuration of your firewall, you can enable + Shorewall startup by removing the file /etc/shorewall/startup_disabled. Users of the .deb package must edit /etc/default/shorewall and set startup=1. The firewall is @@ -674,10 +691,11 @@ of Shorewall from your Netfilter configuration, use shorewall clear. - The - two-interface sample assumes that you want to enable routing to/from - eth1 (the local network) when - Shorewall is stopped. If your local network isn't connected to + + + The two-interface sample assumes that you want to enable routing + to/from eth1 (the local network) + when Shorewall is stopped. If your local network isn't connected to eth1 or if you wish to enable access to/from other hosts, change /etc/shorewall/routestopped accordingly. If you are connected to your firewall from the diff --git a/Shorewall-docs/useful_links.xml b/Shorewall-docs/useful_links.xml index 8a919d3a2..793656a19 100644 --- a/Shorewall-docs/useful_links.xml +++ b/Shorewall-docs/useful_links.xml @@ -13,7 +13,7 @@ Eastep - 2003/12/22 + 2003/12/30 2003 @@ -60,7 +60,7 @@ Debian apt-get sources for Shorewall: http://idea.sec.dico.unimi.it/~Elorenzo/index.html#Debian + url="http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian
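Review bot: the `<low-port>:<high-port>` placeholder introduced in the FAQ.xml @@ -192 hunk will only survive the XML parse if the angle brackets are written as `&lt;low-port&gt;:&lt;high-port&gt;` in the source; bare `<` and `>` inside a DocBook `<para>` are read as element markup and will break exactly the PDF build this commit is meant to enable. If the entities are present and merely decoded in this rendering, nothing to change.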
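Review bot: the FAQ 4 text in the @@ -722 hunk contradicts the tip added a few lines below it. The paragraph now states that Shorewall rejects TCP ports 135, 137, 139 and 445 plus UDP 137-139, while the new tip says that from 1.4.9 on these ports are silently dropped instead of rejected; qualify the paragraph as "Shorewall versions prior to 1.4.9" so readers on a current release are not told the wrong default. The tip also summarises the ports as "135-139 and 445", which does not match the paragraph's list of TCP 135, 137, 139 and 445 plus UDP 137-139; use one port list in both places.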
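Review bot: the @@ -858 hunk changes the instruction from `LOGLIMIT=""` to `LOGLIMIT="" LOGBURST=""`, but the lead-in "If you want to log all messages, set:" still reads as though a single setting were involved; a few words saying that both values must be emptied would make the change self-explanatory. While in this hunk, the revision-history entry "1.62003.12-18" uses a dotted date where every neighbouring entry uses `2003-12-xx`; worth fixing to `2003-12-18` since the table is being edited anyway.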
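Review bot: in the starting_and_stopping_shorewall.xml @@ -37 hunk the replacement text says the installation procedure "attempts" to set up the init scripts for run levels 2-5, which admits that it can fail, yet the hunk removes the only concrete recovery the reader had (`chkconfig --add shorewall`, or `insserv -d shorewall` on insserv-based distributions). Keep one sentence telling the reader how to confirm the scripts were installed and what to run if they were not, or retain the two commands as the documented fallback.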
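Review bot: the new sentence in the @@ -57 hunk, "It important to understand that when the firewall is in the Started state there is no Shorewall Program running", is missing "is" ("It is important ..."). The follow-on "It rather means that Netfilter has been configured ..." has no clear antecedent for "It"; "Started means only that Netfilter has been configured to handle traffic as described in your Shorewall configuration files" says the same thing unambiguously.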
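Review bot: the @@ -341 hunk rewraps the line "The Shorewall State Diargram is depicted below." but carries the typo over into the added line; change "Diargram" to "Diagram" while this line is being touched.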
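Review bot: the revision-history block appended at @@ -452 in starting_and_stopping_shorewall.xml leaves the file without a trailing newline ("\ No newline at end of file"), so the next edit to the last line will produce a noisier diff; add the newline. The entry text also quotes "Started State" with straight double quotes, whereas the FAQ.xml hunk in this same patch uses the DocBook `<quote>` element (`<quote>Auth</quote>`); use `<quote>` here as well for consistent PDF rendering.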
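Review bot: the "Shorewall Concepts" hunk in two-interface.xml (@@ -129) rewraps the paragraph that ends "un-tar it (tar two-interfaces.tgz) and and copy the files to /etc/shorewall"; the duplicated "and and" should go while the paragraph is being reflowed.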
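Review bot: the first DNAT table in the two-interface.xml @@ -448 hunk gets the header "CLIENT PORT(s)" with a lowercase "s", while every other rules table rewritten in this patch uses "CLIENT PORT(S)"; make the header text identical across the tables so the columns line up with the names readers will see in /etc/shorewall/rules.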
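Review bot: the useful_links.xml hunk bumps the date to `2003/12/30`, while FAQ.xml in the same commit is dated `2003-12-31` and the commit itself is dated 31 Dec 2003; use the same date and the same dashed format in both files. The `~Elorenzo` to `~lorenzo` URL correction itself looks right, since the link text and the `url` attribute now agree.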