Shorewall 1.4.8

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@800 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-12-02 23:51:46 +00:00
parent 5466a7f35b
commit c2ccd7fd3d
88 changed files with 11590 additions and 8983 deletions


@ -1,69 +1,49 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>6to4 Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">6to4 Tunnels</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
<h1 style="text-align: center;">6to4 Tunnels<br>
</h1>
<h3>The 6to4 tunnel documentation is provided by Eric de Thouars.<br>
</h3>
<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of Shorewall
only facilitates IPv6 over IPv4 tunneling. It does not provide any IPv6
</h3>
<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of
Shorewall only facilitates IPv6 over IPv4 tunneling. It does not
provide any IPv6
security measures.</h3>
<p>6to4 tunneling with Shorewall can be used to connect your IPv6 network
to another IPv6 network over an IPv4 infrastructure</p>
<p>6to4 tunneling with Shorewall can be used to connect your IPv6
network to another IPv6 network over an IPv4 infrastructure</p>
<p>More information on Linux and IPv6 can be found in the <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</a>.
Details on how to setup a 6to4 tunnels are described in the section <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
of 6to4 tunnels</a>.</p>
of 6to4 tunnels</a>.</p>
<h2>Connecting two IPv6 Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center"> <img border="0" src="images/TwoIPv6Nets1.png"
width="745" height="427" alt="">
</p>
<p align="left">We want systems in the 2002:100:333::/64 subnetwork to be
able to communicate with the systems in the 2002:488:999::/64 network. This
is accomplished through use of the /etc/shorewall/tunnels file and the "ip"
utility for network interface and routing configuration.</p>
<p align="left">Unlike GRE and IPIP tunneling, the /etc/shorewall/policy,
/etc/shorewall/interfaces and /etc/shorewall/zones files are not used. There
is no need to declare a zone to represent the remote IPv6 network. This
remote network is not visible on IPv4 interfaces and to iptables. All that
is visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic.
Separate IPv6 interfaces and ip6tables rules need to be defined to handle
width="745" height="427" alt=""> </p>
<p align="left">We want systems in the 2002:100:333::/64 subnetwork to
be able to communicate with the systems in the 2002:488:999::/64
network. This is accomplished through use of the /etc/shorewall/tunnels
file and the "ip" utility for network interface and routing
configuration.</p>
<p align="left">Unlike GRE and IPIP tunneling, the
/etc/shorewall/policy, /etc/shorewall/interfaces and
/etc/shorewall/zones files are not used. There is no need to declare a
zone to represent the remote IPv6 network. This
remote network is not visible on IPv4 interfaces and to iptables. All
that
is visible on the IPv4 level is an IPv4 stream which contains IPv6
traffic. Separate IPv6 interfaces and ip6tables rules need to be
defined to handle
this traffic. </p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the
following:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
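Review bot: the warning that the feature "does not provide any IPv6 security measures" and the later sentence "Separate IPv6 interfaces and ip6tables rules need to be defined to handle this traffic" never tell the reader what is exposed in the meantime. Once the tunnels entry and the ip commands are in place, every IPv6 packet the remote gateway sends inside protocol 41 is decapsulated on tun6to4 and, with IPv6 forwarding enabled, routed into 2002:100:333::/64 without any Shorewall rule inspecting it, because the IPv4 rule set only ever sees the encapsulating stream from 134.28.54.2. Suggest saying that plainly right after "defined to handle this traffic", together with the advice not to bring the tunnel up until those ip6tables rules exist. Also check the markup: the hunk shows a `<body>` tag before the removed banner table and another before the new centred `<h1>`; if the first one is retained context, the new file carries two `<body>` tags.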
@ -77,27 +57,22 @@ this traffic. </p>
<td>6to4</td>
<td>net</td>
<td>134.28.54.2</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IPv6
encapsulation protocol (41) will be accepted to/from the remote gateway.</p>
</blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the
IPv6 encapsulation protocol (41) will be accepted to/from the remote
gateway.</p>
<p>Use the following commands to setup system A:</p>
<blockquote>
<p>&gt;ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2<br>
&gt;ip link set dev tun6to4 up<br>
&gt;ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4<br>
&gt;ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</p>
</blockquote>
&gt;ip link set dev tun6to4 up<br>
&gt;ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4<br>
&gt;ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</p>
</blockquote>
<p>Similarly, in /etc/shorewall/tunnels on system B we have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
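Review bot: `ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2` binds no `local` address, so the source of system A's outbound protocol-41 packets is whatever the IPv4 routing table selects; system B's tunnels entry accepts protocol 41 only from 206.191.148.9, so on a host with more than one public address the tunnel silently fails in one direction. Suggest adding `local <A's public IPv4 address>` to the example (and the matching `local` on B) so the two tunnels entries and the two tunnel endpoints agree by construction. Minor: "This entry in /etc/shorewall/tunnels, opens the firewall" has a stray comma, and the fourth column of the sample row is left blank without saying what that column means for a tunnel of type 6to4.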
@ -111,34 +86,28 @@ this traffic. </p>
<td>6to4</td>
<td>net</td>
<td>206.191.148.9</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p>And use the following commands to setup system B:</p>
<blockquote>
<p>&gt;ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9<br>
&gt;ip link set dev tun6to4 up<br>
&gt;ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4<br>
&gt;ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</p>
</blockquote>
<p>On both systems, restart Shorewall and issue the configuration commands
as listed above. The systems in both IPv6 subnetworks can now talk to each
other using IPv6.</p>
&gt;ip link set dev tun6to4 up<br>
&gt;ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4<br>
&gt;ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</p>
</blockquote>
<p>On both systems, restart Shorewall and issue the configuration
commands as listed above. The systems in both IPv6 subnetworks can now
talk to each other using IPv6.</p>
<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003Thomas M. Eastep and Eric de Thouars.</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
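Review bot: the example prefixes do not match the 6to4 addressing the page title implies. A 6to4 site prefix is 2002:&lt;IPv4 address in hex&gt;::/48, so the network behind 134.28.54.2 would be 2002:861c:3602::/48 and the network behind 206.191.148.9 would be 2002:cebf:9409::/48, not 2002:488:999::/64 and 2002:100:333::/64. Because these are point-to-point sit tunnels with a fixed `remote`, any prefixes work, but the text should either say the prefixes are illustrative or use the derived ones; otherwise a reader who later moves to a real 6to4 relay will carry over routing that cannot match. Formatting: "2001, 2002, 2003Thomas M. Eastep" is missing a space before the name, and the run of eight trailing `<br>` tags before `</body>` is padding that can go.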

Shorewall-docs/Banner.html Executable file

@ -0,0 +1,45 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<title>Banner</title>
<meta name="author" content="Tom Eastep">
<base target="main">
</head>
<body style="color: rgb(0, 0, 0); background-color: rgb(51, 102, 255);"
link="#000099" vlink="#990099" alink="#000099">
<table cellpadding="0"
style="border-collapse: collapse; background-color: rgb(51, 102, 255); width: 1020px; height: 102px;"
id="AutoNumber3">
<tbody>
<tr>
<td style="text-align: center; width: 34%; vertical-align: top;">
<div align="center"> <img src="images/Logo1.png"
alt="(Shorewall Logo)" style="width: 430px; height: 90px;"
align="middle" title=""> </div>
</td>
<td style="vertical-align: top;">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"
style="background-color: rgb(51, 102, 255);"> <strong><font
color="#ffffff"><b>Note: </b></font></strong><font color="#ffffff">Search
is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font> <font color="#ffffff"> <input
type="hidden" name="format" value="long"> <input type="hidden"
name="method" value="and"> <input type="hidden" name="config"
value="htdig"> <input type="submit" value="Search"><b><font
color="#ffffff">&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <a
href="http://lists.shorewall.net/htdig/search.html"
style="color: rgb(255, 255, 255);">Extended Search</a></font></b></font></p>
<font face="Arial"> <input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
</td>
</tr>
</tbody>
</table>
</body>
</html>
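Review bot: the hidden `format`, `method`, `config` and `exclude` inputs are client-controlled and nothing on this page constrains what htsearch receives, so the server-side htsearch configuration must restrict `config` to a known name rather than treating the submitted value as a path; worth a comment in the file so the next editor does not assume the hidden fields are a trust boundary. Markup: `<b>` nested inside `<strong>` around "Note:" is redundant, `<strong></strong>` after the first `<br>` is empty, the `<font face="Arial">` wrapping a hidden input renders nothing, and the `words` text input has no `<label>`.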


@ -1,285 +1,229 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
<!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
<title>Corporate Shorewall Configuration</title>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta content="Microsoft FrontPage 5.0" name="GENERATOR">
<meta content="FrontPage.Editor.Document" name="ProgId">
<meta content="none" name="Microsoft Theme">
<meta content="Graeme Boyle" name="author">
</head>
<body>
<body>
<script><!--
function PrivoxyWindowOpen(){return(null);}
//--></script>
<table id="AutoNumber1" style="border-collapse: collapse;" height="90"
cellspacing="0" cellpadding="0" width="100%" bgcolor="#3366ff"
border="0">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Multiple IPs with DMZ and Internal
Servers</font></h1>
</td>
</tr>
</tbody>
</table>
<blockquote></blockquote>
<h1>Corporate Network</h1>
<h1 style="text-align: center;">Corporate Network</h1>
<p><font color="#ff0000" size="4"><b>Notes</b></font><big><font
color="#ff0000"><b>:</b></font></big></p>
<blockquote>
<ul>
<li><b>This configuration is used on a corporate network that has a
Linux (RedHat 8.0) server with three interfaces, running Shorewall 1.4.5
release,</b> </li>
<li><b>Make sure you know what public IP addresses are currently being
used and verify these </b><i>before</i><b> starting.</b> </li>
<li><b>Verify your DNS settings </b><i>before</i><b> starting any Shorewall
configuration especially if you have split DNS.</b> </li>
<li><b>System names and Internet IP addresses have been changed to protect
the innocent.</b> </li>
Linux (RedHat 8.0) server with three interfaces, running Shorewall
1.4.5 release,</b> </li>
<li><b>Make sure you know what public IP addresses are currently
being used and verify these </b><i>before</i><b> starting.</b> </li>
<li><b>Verify your DNS settings </b><i>before</i><b> starting any
Shorewall configuration especially if you have split DNS.</b> </li>
<li><b>System names and Internet IP addresses have been changed to
protect the innocent.</b> </li>
</ul>
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This configuration
uses a combination of Static NAT and Proxy ARP. This is generally not
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This
configuration
uses a combination of One-to-one NAT and Proxy ARP. This is generally
not
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
If you have just a single public IP address, most of what you see here
won't apply to your setup so beware of copying parts of this configuration
won't apply to your setup so beware of copying parts of this
configuration
and expecting them to work for you. What you copy may or may not work
in your configuration.<br>
</small></b></big><br>
</p>
<p>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
internet is connected to eth0. The local network is connected via eth1
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have
an IPSec tunnel connecting our offices in Germany to our offices in the
US. I host two Microsoft Exchange servers for two different companies behind
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I
have an IPSec tunnel connecting our offices in Germany to our offices
in the US. I host two Microsoft Exchange servers for two different
companies behind
the firewall hence, the two Exchange servers in the diagram below.</p>
<p>Summary:<br>
</p>
<ul>
<li>SNAT for all systems connected to the LAN - Internal addresses
10.10.x.x to external address 192.0.18.127. </li>
<li>Static NAT for <i>Polaris</i> (Exchange Server #2). Internal address
10.10.1.8 and external address 192.0.18.70. </li>
<li>Static NAT for <i>Sims</i> (Inventory Management server). Internal
address 10.10.1.56 and external address 192.0.18.75.<br>
<li>One-to-one NAT for <i>Polaris</i> (Exchange Server #2).
Internal
address 10.10.1.8 and external address 192.0.18.70. </li>
<li>One-to-one NAT for <i>Sims</i> (Inventory Management server).
Internal address 10.10.1.56 and external address 192.0.18.75.<br>
</li>
<li>Static NAT for <i>Project</i> (Project Web Server). Internal address
10.10.1.55 and external address 192.0.18.84. </li>
<li>Static NAT for <i>Fortress</i> (Exchange Server). Internal address
10.10.1.252 and external address 192.0.18.93. </li>
<li>Static NAT for <i>BBSRV</i> (Blackberry Server). Internal address
10.10.1.230 and external address 192.0.18.97. </li>
<li>Static NAT for <i>Intweb</i> (Intranet Web Server). Internal address
10.10.1.60 and external address 192.0.18.115. </li>
<li>One-to-one NAT for <i>Project</i> (Project Web Server).
Internal
address 10.10.1.55 and external address 192.0.18.84. </li>
<li>One-to-one NAT for <i>Fortress</i> (Exchange Server). Internal
address 10.10.1.252 and external address 192.0.18.93. </li>
<li>One-to-one NAT for <i>BBSRV</i> (Blackberry Server). Internal
address 10.10.1.230 and external address 192.0.18.97. </li>
<li>One-to-one NAT for <i>Intweb</i> (Intranet Web Server).
Internal
address 10.10.1.60 and external address 192.0.18.115. </li>
</ul>
<p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard with
RH8.0.</p>
<p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard
with RH8.0.</p>
<p>The Firewall is also a proxy server running Privoxy 3.0.</p>
<p>The single system in the DMZ (address 192.0.18.80) runs sendmail, imap,
pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0). That
server is managed through Proxy ARP.</p>
<p>All administration and publishing is done using ssh/scp. I have X installed
on the firewall and the system in the DMZ. X applications tunnel through
SSH to Hummingbird Exceed running on a PC located in the LAN. Access to
the firewall using SSH is restricted to systems in the LAN, DMZ or the
system Kaos which is on the Internet and managed by me.</p>
<p>The single system in the DMZ (address 192.0.18.80) runs sendmail,
imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd
1.1.0). That server is managed through Proxy ARP.</p>
<p>All administration and publishing is done using ssh/scp. I have X
installed on the firewall and the system in the DMZ. X applications
tunnel through SSH to Hummingbird Exceed running on a PC located in the
LAN. Access to the firewall using SSH is restricted to systems in the
LAN, DMZ or the system Kaos which is on the Internet and managed by me.</p>
<p align="center"><img height="1000" alt="(Corporate Network Diagram)"
src="images/CorpNetwork.gif" width="770" border="0">
</p>
src="images/CorpNetwork.gif" width="770" border="0"> </p>
<p></p>
<p>The Ethernet 0 interface in the Server is configured with IP address
192.0.18.68, netmask 255.255.255.192. The server's default gateway is
192.0.18.65, the Router connected to my network and the ISP. This is the
same default gateway used by the firewall itself. On the firewall, Shorewall
automatically adds a host route to 192.0.18.80 through Ethernet 2 (192.168.21.1)
because of the entry in /etc/shorewall/proxyarp (see below). I modified
the start, stop and init scripts to include the fixes suggested when having
an IPSec tunnel.</p>
<p>The Ethernet 0 interface in the Server is configured with IP
address 192.0.18.68, netmask 255.255.255.192. The server's default
gateway is 192.0.18.65, the Router connected to my network and the ISP.
This is the same default gateway used by the firewall itself. On the
firewall, Shorewall automatically adds a host route to 192.0.18.80
through Ethernet 2 (192.168.21.1) because of the entry in
/etc/shorewall/proxyarp (see below). I modified the start, stop and
init scripts to include the fixes suggested when having an IPSec tunnel.</p>
<p><b>Some Mistakes I Made:</b></p>
<p>Yes, believe it or not, I made some really basic mistakes when building
this firewall. Firstly, I had the new firewall setup in parallel with the
<p>Yes, believe it or not, I made some really basic mistakes when
building this firewall. Firstly, I had the new firewall setup in
parallel with the
old firewall so that there was no interruption of service to my users.
During my out-bound testing, I set up systems on the LAN to utilize the
firewall which worked fine. When testing my NAT connections, from the outside,
firewall which worked fine. When testing my NAT connections, from the
outside,
these would fail and I could not understand why. Eventually, I changed
the default route on the internal system I was trying to access, to point
to the new firewall and "bingo", everything worked as expected. This oversight
delayed my deployment by a couple of days not to mention level of frustration
the default route on the internal system I was trying to access, to
point
to the new firewall and "bingo", everything worked as expected. This
oversight
delayed my deployment by a couple of days not to mention level of
frustration
it produced. </p>
<p>Another problem that I encountered was in setting up the Proxyarp system
in the DMZ. Initially I forgot to remove the entry for the eth2 from the
/etc/shorewall/masq file. Once my file settings were correct, I started
verifying that the ARP caches on the firewall, as well as the outside system
"kaos", were showing the correct Ethernet MAC address. However, in testing
remote access, I could access the system in the DMZ only from the firewall
and LAN but not from the Internet. The message I received was "connection
<p>Another problem that I encountered was in setting up the Proxyarp
system in the DMZ. Initially I forgot to remove the entry for the eth2
from the /etc/shorewall/masq file. Once my file settings were correct,
I started verifying that the ARP caches on the firewall, as well as the
outside system "kaos", were showing the correct Ethernet MAC address.
However, in testing remote access, I could access the system in the DMZ
only from the firewall
and LAN but not from the Internet. The message I received was
"connection
denied" on all protocols. What I did not realize was that a "helpful"
administrator that had turned on an old system and assigned the same address
as the one I was using for Proxyarp without notifying me. How did I work
this out. I shutdown the system in the DMZ, rebooted the router and flushed
the ARP cache on the firewall and kaos. Then, from kaos, I started pinging
administrator that had turned on an old system and assigned the same
address
as the one I was using for Proxyarp without notifying me. How did I
work
this out. I shutdown the system in the DMZ, rebooted the router and
flushed
the ARP cache on the firewall and kaos. Then, from kaos, I started
pinging
that IP address and checked the updated ARP cache and lo-and-behold a
different MAC address showed up. High levels of frustration etc., etc.
The administrator will <i>not</i> be doing that again! :-)</p>
<p><b>Lessons Learned:</b></p>
<ul>
<li>Read the documentation. </li>
<li>Draw your network topology before starting. </li>
<li>Understand what services you are going to allow in and out of the
firewall, whether they are TCP or UDP packets and make a note of these
port numbers. </li>
<li>Understand what services you are going to allow in and out of
the firewall, whether they are TCP or UDP packets and make a note of
these port numbers. </li>
<li>Try to get quiet time to build the firewall - you need to focus
on the job at hand. </li>
<li>When asking for assistance, be honest and include as much detail
as requested. Don't try and hide IP addresses etc., you will probably
screw up the logs and make receiving assistance harder. </li>
<li>When asking for assistance, be honest and include as much
detail as requested. Don't try and hide IP addresses etc., you will
probably screw up the logs and make receiving assistance harder. </li>
<li>Read the documentation. </li>
</ul>
<p><b>Futures:</b></p>
<p>This is by no means the final configuration. In the near future, I will
be moving more systems from the LAN to the DMZ. I will also be watching
the logs for port scan programs etc. but, this should be standard security
maintenance.</p>
<p>Here are copies of my files. I have removed most of the internal documentation
<p>This is by no means the final configuration. In the near future, I
will be moving more systems from the LAN to the DMZ. I will also be
watching the logs for port scan programs etc. but, this should be
standard security maintenance.</p>
<p>Here are copies of my files. I have removed most of the internal
documentation
for the purpose of this space however, my system still has the original
files with all the comments and I highly recommend you do the same.</p>
</blockquote>
</blockquote>
<h3>Shorewall.conf</h3>
<blockquote>
<pre>##############################################################################<br># /etc/shorewall/shorewall.conf V1.4 - Change the following variables to<br># match your setup<br>#<br># This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]<br>#<br># This file should be placed in /etc/shorewall<br>#<br># (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)<br>##############################################################################<br># L O G G I N G<br>##############################################################################<br>LOGFILE=/var/log/messages<br>LOGFORMAT="Shorewall:%s:%s:"<br>LOGRATE=<br>LOGBURST=<br>LOGUNCLEAN=info<br>BLACKLIST_LOGLEVEL=<br>LOGNEWNOTSYN=<br>MACLIST_LOG_LEVEL=info<br>TCP_FLAGS_LOG_LEVEL=debug<br>RFC1918_LOG_LEVEL=debug<br>PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br>SUBSYSLOCK=/var/lock/subsys/shorewall<br>STATEDIR=/var/lib/shorewall<br>MODULESDIR=<br>FW=fw<br>NAT_ENABLED=Yes<br>MANGLE_ENABLED=Yes<br>IP_FORWARDING=On<br>ADD_IP_ALIASES=Yes<br>ADD_SNAT_ALIASES=Yes<br>TC_ENABLED=Yes<br>CLEAR_TC=No<br>MARK_IN_FORWARD_CHAIN=No<br>CLAMPMSS=No<br>ROUTE_FILTER=Yes<br>NAT_BEFORE_RULES=No<br>MULTIPORT=Yes<br>DETECT_DNAT_IPADDRS=Yes<br>MUTEX_TIMEOUT=60<br>NEWNOTSYN=Yes<br>BLACKLIST_DISPOSITION=DROP<br>MACLIST_DISPOSITION=REJECT<br>TCP_FLAGS_DISPOSITION=DROP<br>#LAST LINE -- DO NOT REMOVE<br><br></pre>
</blockquote>
</blockquote>
<h3>Zones File</h3>
<blockquote>
<pre><font face="Courier">#<br># Shorewall 1.4 -- Sample Zone File For Two Interfaces<br># /etc/shorewall/zones<br>#<br># This file determines your network zones. Columns are:<br>#<br># ZONE Short name of the zone<br># DISPLAY Display name of the zone<br># COMMENTS Comments about the zone<br>#<br>#ZONE DISPLAY COMMENTS<br>net Net Internet<br>loc Local Local Networks<br>dmz DMZ Demilitarized Zone<br>vpn1 VPN1 VPN to Germany<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font><font
face="Courier" size="2"><br></font></pre>
</blockquote>
</blockquote>
<h3>Interfaces File: </h3>
<blockquote>
<p>##############################################################################<br>
#ZONE INTERFACE BROADCAST OPTIONS<br>
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
loc eth1 detect dhcp,routefilter<br>
dmz eth2 detect<br>
vpn1 ipsec0<br>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
</blockquote>
#ZONE INTERFACE BROADCAST OPTIONS<br>
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
loc eth1 detect dhcp,routefilter<br>
dmz eth2 detect<br>
vpn1 ipsec0<br>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
</blockquote>
<h3>Routestopped File:</h3>
<blockquote>
<pre><font face="Courier">#INTERFACE HOST(S)<br>eth1 -<br>eth2 -<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font><font
face="Courier" size="2"> </font></pre>
</blockquote>
</blockquote>
<h3>Policy File:</h3>
<blockquote>
<pre>###############################################################################<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>loc fw ACCEPT<br>loc dmz ACCEPT<br># If you want open access to the Internet from your Firewall <br># remove the comment from the following line.<br>fw net ACCEPT<br>fw loc ACCEPT<br>fw dmz ACCEPT<br>dmz fw ACCEPT<br>dmz loc ACCEPT<br>dmz net ACCEPT<br># <br># Adding VPN Access<br>loc vpn1 ACCEPT<br>dmz vpn1 ACCEPT<br>fw vpn1 ACCEPT<br>vpn1 loc ACCEPT<br>vpn1 dmz ACCEPT<br>vpn1 fw ACCEPT<br>#<br>net all DROP info<br>all all REJECT info<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
</blockquote>
<h3>Masq File: </h3>
<blockquote>
<pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 1192.0.18.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
</blockquote>
<h3>NAT File: </h3>
<blockquote>
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>192.0.18.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>192.0.18.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>192.0.18.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>192.0.18.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>192.0.18.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>192.0.18.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
</blockquote>
<h3>Proxy ARP File:</h3>
<blockquote>
<pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>192.0.18.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </font></pre>
</blockquote>
</blockquote>
<h3>Tunnels File:</h3>
<blockquote>
<pre># TYPE ZONE GATEWAY GATEWAY ZONE PORT<br>ipsec net 134.147.129.82<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
</blockquote>
<h3>Rules File (The shell variables are set in /etc/shorewall/params):</h3>
<blockquote>
<pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:192.0.18.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 
-<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
</blockquote>
<h3>Start File:</h3>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/start<br>#<br># Add commands below that you want to be executed after shorewall has<br># been started or restarted.<br>#<br>qt service ipsec start<br></pre>
</blockquote>
</blockquote>
<h3>Stop File:</h3>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/stop<br>#<br># Add commands below that you want to be executed at the beginning of a<br># "shorewall stop" command.<br>#<br>qt service ipsec stop</pre>
</blockquote>
</blockquote>
<h3>Init File:</h3>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/init<br>#<br># Add commands below that you want to be executed at the beginning of<br># a "shorewall start" or "shorewall restart" command.<br>#<br>qt service ipsec stop<br></pre>
</blockquote>
<p><font size="2">Last updated 7/16/2003</font>
</blockquote>
<p><font size="2">Last updated 11/13/2003</font>
<script><!--
function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));}
//</script>
<br>
</p>
<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep and
//</script><br>
</p>
<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep
and
Graeme Boyle</a></small><br>
</p>
<br>
<br>
</p>
<br>
<br>
</body>
</html>
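Review bot: two of the published configuration files contradict the prose and each other. The masq entry `eth0 eth1 1192.0.18.126` has an invalid address (five digits in the first octet) that iptables will not accept, and the summary says LAN traffic is SNATed to 192.0.18.127, so one of the two needs correcting. In the nat file the "Blackberry Server" row maps 192.0.18.97 to 10.10.1.55, which is the Project web server; the summary and the rule `ACCEPT net loc:10.10.1.230 tcp 3101` both place BBSRV at 10.10.1.230, so BlackBerry traffic arriving at 192.0.18.97 is handed to the wrong host and that rule never matches. Design point that deserves a sentence in the text: the policy file has `dmz loc ACCEPT` and `dmz fw ACCEPT`, so a compromise of the single DMZ host (sendmail, imap, pop3, DNS, Apache and vsFTPd all reachable from the Internet) gives unrestricted access to the LAN and to the firewall itself, which defeats the purpose of the DMZ; the explicit `ACCEPT dmz loc:10.10.1.60 tcp 443` and `ACCEPT dmz loc:10.10.1.55 tcp 80` rules suggest a tighter policy was intended. Smaller items: the interfaces line gives eth0 a broadcast of 62.123.106.127 while every other address is in 192.0.18.64/26, so the anonymisation is inconsistent; `ACCEPT net dmz tcp 25,53,22,21,123` and the matching dmz-to-net rule open TCP 123 where NTP is carried over UDP 123; the duplicated `<!-- saved from url=(0118)file://C:\Documents and Settings\Graeme Boyle\... -->` comment leaks a local Windows path, and the two `PrivoxyWindowOpen` script blocks are Privoxy injection residue from the browser that saved the page (the second one's `//</script>` never closes the `<!--` it opened); none of that belongs in the committed HTML.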


@ -12,17 +12,8 @@
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall 1.4 Reference</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Shorewall 1.4 Reference<br>
</h1>
<h2 align="center">This documentation is intended primarily for
reference. Step-by-step instructions for configuring Shorewall in
common setups may be found in the <a
@ -66,7 +57,11 @@ field in packets is to be set.<br>
<li><b><a href="#Scripts">common.def</a></b> -- a parameter file
installed in in /etc/shorewall that defines firewall-wide rules that
are applied before a DROP or REJECT policy is applied.</li>
<li><b> <a href="#Interfaces">interfaces</a> </b> -- a parameter
<li><span style="font-weight: bold;">init.sh </span>-- a shell
script installed in /etc/init.d to automatically start Shorewall during
boot.<br>
<b> </b></li>
<li><b><a href="#Interfaces">interfaces</a> </b> -- a parameter
file installed in /etc/shorewall/ and used to describe the interfaces
on the firewall system.</li>
<li><a href="#Hosts"><b> hosts</b> </a>-- a parameter file installed
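Review bot: the new `init.sh` item is marked up with `<span style="font-weight: bold;">` while its siblings use `<b>`, and it leaves an empty `<b> </b>` after the `<br>`; use the same `<b>` form and drop the empty element. The item says init.sh is installed in /etc/init.d, but the `firewall` item rewritten in the next hunk no longer says what the script in the init.d directory is called, so a reader cannot tell whether to look for init.sh or shorewall there. The context line above also reads "installed in in /etc/shorewall" (doubled "in").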
@ -78,15 +73,12 @@ possibly also the IP address(es)) of devices.<br>
</li>
<li><b> <a href="#Masq">masq</a></b> - This file also describes IP
masquerading under Shorewall and is installed in /etc/shorewall.</li>
<li><b><a href="shorewall_firewall_structure.htm">firewall</a></b> --
<li><b>firewall</b> --
a shell program that reads the configuration files in /etc/shorewall
and configures your firewall. This file is installed in your init.d
directory (/etc/rc.d/init.d ) where it is renamed <i>shorewall.</i>
/etc/shorewall/firewall (/var/lib/shorewall/firewall in versions
1.3.2-1.3.8 and /usr/lib/shorewall/firewall in 1.3.9 and later) is a
symbolic link to this program.</li>
and configures your firewall. This file is installed in
/usr/share/shorewall.</li>
<li><b> <a href="#NAT">nat</a></b> -- a parameter file in
/etc/shorewall used to define <a href="#NAT"> static NAT</a> .</li>
/etc/shorewall used to define <a href="#NAT">one-to-one NAT</a> .</li>
<li><b> <a href="#ProxyArp">proxyarp</a></b> -- a parameter file in
/etc/shorewall used to define <a href="#ProxyArp"> Proxy Arp</a> .</li>
<li><b><a href="#rfc1918">rfc1918</a></b> -- a parameter file in
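Review bot: the rewritten firewall item drops both the link to shorewall_firewall_structure.htm and the note on where /etc/shorewall/firewall pointed in the 1.3.x releases; if that page still exists the cross-reference should stay, and if /etc/shorewall/firewall is still a symbolic link to /usr/share/shorewall/firewall in 1.4 the item should say so, because the FTP page in this same change tells users to edit /usr/share/shorewall/firewall by hand and they need to know which file is the real one.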
@ -1190,6 +1182,13 @@ header-rewriting rule.<br>
</li>
<li>LOG - Log the packet -- requires
a syslog level (see below).</li>
<li>QUEUE - Forward the packet to a user-space application. This
facility is provided to allow interfacing to <a
href="http://p2pwall.sourceforge.net">ftwall</a> for <a
href="Shorewall_and_Kazaa.html">Kazaa filtering</a>. Note: When the
protocol specified in the PROTO column is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with ftwall.</li>
</ul>
<p>Beginning with Shorewall version 1.4.7, you may rate-limit the
rule by optionally following ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
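Review bot: the QUEUE entry says that for TCP only connection requests (SYN packets) are handed to user space, but it does not say what happens to the remaining packets of the connection (accepted outright, or passed on to later rules and the policy), nor what happens to queued packets when no user-space reader such as ftwall is attached; state both, because a QUEUE rule whose reader is not running changes the disposition of the matched traffic without any rule on the page saying so.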
@ -2253,16 +2252,20 @@ following (I haven't tried it):</p>
<p>In /etc/shorewall/start, include:</p>
<p> qt service ipsec start</p>
<h2><font color="#660066"><b><a name="NAT"></a> </b></font>/etc/shorewall/nat</h2>
<p>The /etc/shorewall/nat file is used to define static NAT. There is
one entry in the file for each static NAT relationship that you wish to
<p>The /etc/shorewall/nat file is used to define one-to-one NAT. There
is
one entry in the file for each one-to-one NAT relationship that you
wish to
define. In order to make use of this feature, you must have <a
href="#NatEnabled">NAT enabled</a> .</p>
<p> <font color="#ff0000"> <b>IMPORTANT: If all you want to do is
forward ports to servers behind your firewall, you do NOT want to use
static NAT. Port forwarding can be accomplished with simple entries in
one-to-one NAT. Port forwarding can be accomplished with simple entries
in
the <a href="#Rules"> rules file</a>. Also, in most cases <a
href="#ProxyArp"> Proxy ARP</a> provides a superior solution to static
NAT because the internal systems are accessed using the same IP address
href="#ProxyArp"> Proxy ARP</a> provides a superior solution to
one-to-one NAT because the internal systems are accessed using the same
IP address
internally and externally.</b></font></p>
<p>Columns in an entry are:</p>
<ul>
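Review bot: "one-to-one NAT" replaces "static NAT" here and in every other file in this change, but the term is never defined; add one sentence at this first use saying that an entry maps a single external address to a single internal address and that this was called static NAT in earlier releases, so readers coming from older documentation and from the NAT_BEFORE_RULES description can match the two names.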
@ -2465,7 +2468,8 @@ individual rule for each listed port or port range. </p>
<li><b>NAT_BEFORE_RULES</b><br>
If set to "No" or "no", port forwarding rules can override the contents
of the <a href="#NAT">/etc/shorewall/nat</a> file. If set to "Yes" or
"yes", port forwarding rules cannot override static NAT. If not set or
"yes", port forwarding rules cannot override one-to-one NAT. If not set
or
set to an empty value,
"Yes" is assumed.</li>
<li><b>FW<br>
@ -2515,7 +2519,7 @@ this parameter is now automatically detected by Shorewall)<br>
This parameter determines whether Shorewall supports NAT operations.
NAT operations include:<br>
<br>
Static NAT<br>
One-to-one NAT<br>
Port Forwarding<br>
Port Redirection<br>
Masquerading<br>
@ -2842,7 +2846,7 @@ Validation Documentation</a>.<br>
<h2><a name="ECN"></a>/etc/shorewall/ecn (Added in Version 1.4.0)</h2>
This file is described in the <a href="ECN.html">ECN Control
Documentation</a>.<br>
<p><font size="-1"> Updated 8/21/2003 - <a href="support.htm">Tom
<p><font size="-1"> Updated 11/15/2003 - <a href="support.htm">Tom
Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font

View File

@ -2,65 +2,51 @@
<html>
<head>
<title>Shorewall and ECN</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td
width="100%">
<h1 align="center"><font color="#ffffff">ECN</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
Explicit Congestion Notification (ECN) is described in RFC 3168 and is a
proposed internet standard. Unfortunately, not all sites support ECN and when
a TCP connection offering ECN is sent to sites that don't support it, the
<body>
<br>
<h1 style="text-align: center;">ECN<br>
</h1>
Explicit Congestion Notification (ECN) is described in RFC 3168 and is
a proposed internet standard. Unfortunately, not all sites support ECN
and when
a TCP connection offering ECN is sent to sites that don't support it,
the
result is often that the connection request is ignored.<br>
<br>
To allow ECN to be used, Shorewall allows you to enable ECN on your Linux
systems then disable it in your firewall when the destination matches a list
that you create (the /etc/shorewall/ecn file).<br>
<br>
You enable ECN by<br>
<br>
<br>
To allow ECN to be used, Shorewall allows you to enable ECN on your
Linux systems then disable it in your firewall when the destination
matches a list that you create (the /etc/shorewall/ecn file).<br>
<br>
You enable ECN by<br>
<br>
<blockquote>
<pre><b><font color="#009900">echo 1 &gt; /proc/sys/net/ipv4/tcp_ecn</font></b></pre>
</blockquote>
You must arrange for that command to be executed at system boot. Most distributions
have a method for doing that -- on RedHat, you make an entry in /etc/sysctl.conf.<br>
<br>
</blockquote>
You must arrange for that command to be executed at system boot. Most
distributions have a method for doing that -- on RedHat, you make an
entry in /etc/sysctl.conf.<br>
<br>
<blockquote>
<pre><b><font color="#009900">net.ipv4.tcp_ecn = 1<br><br></font></b></pre>
</blockquote>
Entries in /etc/shorewall/ecn have two columns as follows:<br>
<br>
INTERFACE&nbsp;&nbsp;&nbsp; - The name of an interface on your system<br>
<br>
HOST(S)&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; - An address (host or subnet)
of a system or group of systems accessed through the &nbsp;interface in the
first column. You may include a comma-separated list of such addresses in
this column. <br>
<br>
Example: Your external interface is eth0 and you want to disable ECN for
tcp connections to 192.0.2.0/24:<br>
<br>
In /etc/shorewall/ecn:<br>
<br>
</blockquote>
Entries in /etc/shorewall/ecn have two columns as follows:<br>
<br>
INTERFACE&nbsp;&nbsp;&nbsp; - The name of an interface on your system<br>
<br>
HOST(S)&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; - An address (host or
subnet) of a system or group of systems accessed through the
&nbsp;interface in the first column. You may include a comma-separated
list of such addresses in this column. <br>
<br>
Example: Your external interface is eth0 and you want to disable ECN
for tcp connections to 192.0.2.0/24:<br>
<br>
In /etc/shorewall/ecn:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
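Review bot: the text says Shorewall will "disable it in your firewall" for the listed hosts, but never says what is done to the packets or when a change to /etc/shorewall/ecn takes effect; state that the entries apply to TCP connections to the listed addresses through the named interface only and that the file is read when Shorewall is started or restarted. Two smaller points: the sysctl.conf line is presented as RedHat-specific although /etc/sysctl.conf is the usual mechanism on most distributions, and since the HOST(S) column accepts a comma-separated list the example could show that form as well.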
@ -76,16 +62,15 @@ tcp connections to 192.0.2.0/24:<br>
<td valign="top">192.0.2.0/24<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<font size="2">Last updated 3/28/2003 - <a href="support.htm">Tom Eastep</a></font>
</blockquote>
<font size="2">Last updated 3/28/2003 - <a href="support.htm">Tom
Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</p>
<br>
</body>
</html>

View File

@ -10,20 +10,11 @@
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
</td>
</tr>
</tbody>
</table>
<h1>Looking for Step by Step Configuration Instructions? Check out the <a
href="shorewall_quickstart_guide.htm">QuickStart Guides</a>. <br>
<h1 style="text-align: center;">Shorewall FAQs<br>
</h1>
<h2>Looking for Step by Step Configuration Instructions? Check out the <a
href="shorewall_quickstart_guide.htm">QuickStart Guides</a>. <br>
</h2>
<h1>PORT FORWARDING<br>
</h1>
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b>
@ -41,8 +32,8 @@ connection
to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
</p>
<p align="left"><span style="font-weight: bold;">30.<a
href="file:///vfat/Shorewall-docs/FAQ.htm#faq30"> </a></span><a
href="#faq30">I'm confused about <span style="font-weight: bold;">when</span>
href="FAQ.htm#faq30"> </a></span><a href="FAQ.htm#faq30">I'm confused
about <span style="font-weight: bold;">when</span>
to use <span style="font-weight: bold;">DNAT</span> rules <span
style="font-weight: bold;">and when</span> to use <span
style="font-weight: bold;">ACCEPT</span> rules. </a> </p>
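Review bot: the change removes the leaked local file:///vfat/... URL, but keeps an empty `<a href="FAQ.htm#faq30"> </a>` around a single space inside the bold "30." and links the question with FAQ.htm#faq30 while every other entry in this index uses a bare fragment (#faq1, #faq2a, #faq21); drop the empty anchor and use #faq30 for consistency.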
@ -53,7 +44,7 @@ requests to www.mydomain.com (IP 130.151.100.69)
to system 192.168.1.5 in my local network. <b>External clients can
browse</b> http://www.mydomain.com but <b>internal clients can't</b>.</a></p>
<p align="left"><b>2a. </b><a href="#faq2a">I have a zone "Z" with an
RFC1918 subnet and I use <b>static NAT</b> to
RFC1918 subnet and I use <b>one-to-one NAT</b> to
assign non-RFC1918 addresses to hosts in Z.
Hosts in Z cannot communicate with each other using their external
(non-RFC1918 addresses) so they <b>can't access
@ -109,6 +100,11 @@ getting <b>logged?</b></a><br>
<b><br>
21. </b><a href="#faq21">I see these <b>strange log entries </b>occasionally;
what are they?</a><br>
<h1>ROUTING</h1>
<span style="font-weight: bold;">32. </span><a href="#faq32">My
firewall has <span style="font-weight: bold;">two connections to the
internet from two different ISPs</span>. How do I set this up in
Shorewall?</a><br>
<h1>STARTING AND STOPPING<br>
</h1>
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
@ -140,6 +136,9 @@ your <b>web site</b>?</a><br>
<b><br>
25. </b><a href="#faq25">How to I tell <b>which version of Shorewall</b>
I am <b>running</b>?</a><br>
<br>
<span style="font-weight: bold;">31. </span><a href="#faq31">Does
Shorewall provide protection against...</a><br>
<h1>RFC 1918<br>
</h1>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable
@ -173,7 +172,15 @@ only<b> from specific IP Addresses</b> on the internet?</a><br>
options in nmap</b> on or behind the firewall, I get "<b>operation not
permitted</b>". How can I use nmap with Shorewall?"</a><br>
<br>
<b>27. </b><a href="#faq27">I am compiling a <b>new kernel</b> for my
<b><span style="font-weight: bold;">26a.&nbsp; </span></b><a
href="#faq26a">When I try
to use the <span style="font-weight: bold;">"-O" option of nmap</span>
from the firewall system, I get "<span style="font-weight: bold;">operation
not permitted". </span>How to I allow this option?</a><b><span
style="font-weight: bold;"><a href="#faq26a"> </a><br>
<br>
</span>27. </b><a href="#faq27">I am compiling a <b>new kernel</b>
for my
firewall<b>.</b> What should I look out for?</a><br>
<br>
<b>28. </b><a href="#faq28">How do I use Shorewall as a <b>Bridging
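Review bot: the new 26a index entry opens `<b><span style="font-weight: bold;">` before an empty `<a href="#faq26a"> </a>` and only closes both after "27.", so the anchor wraps nothing and the following entry inherits the markup; close the elements after the 26a link text. Also "How to I allow this option?" should read "How do I allow this option?" (the same typo is in the heading of the answer further down).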
@ -282,8 +289,9 @@ three things:</p>
<ul>
<li>You are trying to test from inside your firewall (no, that won't
work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic problem with your local system such as an
incorrect default gateway configured (it should be set to the IP
<li>You have a more basic problem with your local system (the one
that you are trying to forward to) such as an
incorrect default gateway (it should be set to the IP
address of your firewall's internal interface).</li>
<li>Your ISP is blocking that particular port inbound.<br>
</li>
@ -306,8 +314,9 @@ packet count in the first column non-zero? If so, the connection
request is reaching the firewall and is being redirected to the server.
In this case, the problem is
usually a missing or incorrect default gateway setting
on the server (the server's default gateway should be the
IP address of the firewall's interface to the server).</li>
on the local system (the system you are trying to forward to -- its
default gateway should be the
IP address of the firewall's interface to that system).</li>
<li>If the
packet count is zero:</li>
<ul>
@ -328,6 +337,7 @@ ethereal to further diagnose the problem.<br>
want to connect to port 1022 on my firewall and have the firewall
forward the connection to port 22 on local system 192.168.1.3. How do I
do that?</h4>
In /etc/shorewall/rules:<br>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -377,7 +387,7 @@ Firewall, of course :-)</li>
using a separate DNS server for local clients) such that
www.mydomain.com resolves to 130.141.100.69 externally and 192.168.1.5
internally. That's what I do here at shorewall.net for my local systems
that use static NAT.</li>
that use one-to-one NAT.</li>
</ul>
<p align="left">If you insist on an IP solution to the accessibility
problem rather than a DNS solution, then assuming that your external
@ -401,7 +411,7 @@ please upgrade to Shorewall 1.4.2 or later.<br>
<li>In /etc/shorewall/interfaces:</li>
</ul>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<table cellpadding="2" border="1">
<tbody>
<tr>
<td valign="top">ZONE<br>
@ -507,7 +517,8 @@ DHCP/PPPoE client to automatically restart Shorewall each time that you
get a new IP address.</p>
</div>
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an
RFC1918 subnet and I use static NAT to assign non-RFC1918 addresses to
RFC1918 subnet and I use one-to-one NAT to assign non-RFC1918 addresses
to
hosts in Z. Hosts in Z cannot communicate with each other using their
external (non-RFC1918 addresses) so they can't access each other using
their DNS names.</h4>
@ -521,7 +532,7 @@ solved using Bind Version 9 "views". It allows
both external and internal clients to access
a NATed host using the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch
from static NAT to Proxy ARP. That way, the
from one-to-one NAT to Proxy ARP. That way, the
hosts in Z have non-RFC1918 addresses and can
be accessed externally and internally using the same address.</p>
<p align="left">If you don't like those solutions and prefer routing
@ -984,9 +995,44 @@ cause of packets being logged in the FORWARD chain.<br>
</li>
<li><b>logflags </b>- The packet is being logged because it failed
the checks implemented by the <b>tcpflags </b><a
href="Documentation.htm#Interfaces">interface option</a>.<br>
</li>
href="Documentation.htm#Interfaces">interface option</a>.</li>
</ol>
<p align="left">Here is an example:</p>
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:<span style="text-decoration: underline;">all2all:REJECT</span>:<span
style="text-decoration: underline;">IN=eth2</span> <span
style="text-decoration: underline;">OUT=eth1</span> <span
style="text-decoration: underline;">SRC=192.168.2.2</span>
<span style="text-decoration: underline;">DST=192.168.1.3</span> LEN=67
TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF <span
style="text-decoration: underline;">PROTO=UDP</span>
SPT=1803 <span style="text-decoration: underline;">DPT=53</span> LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p>
<ul>
<li>all2all:REJECT - This packet was REJECTed out of the <span
style="font-weight: bold;">all2all</span> chain -- the packet
was rejected under the "all"-&gt;"all"
REJECT policy (number 3 above).</li>
<li>IN=eth2 - the packet entered the firewall via eth2. If you see
"IN=" with no interface name, the packet originated on the firewall
itself.<br>
</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1. If you
see "OUT=" with no interface name, the packet would be processed by the
firewall itself.<br>
</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - The destination port is 53 (DNS)<br>
</li>
</ul>
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and
192.168.1.3 is in the "loc" zone. I was missing the rule:</p>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
loc&nbsp;&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp; 53
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip
addresses</b> with Shorewall, and maintain separate rulesets for
different IPs?</h4>
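Review bot: the rule given as the fix, ACCEPT dmz loc udp 53, opens UDP port 53 from the whole dmz zone to every host in loc, although the logged packet shows the only destination that needs it is the name server 192.168.1.3; the least-privilege form using the rules file's zone:address notation, ACCEPT dmz loc:192.168.1.3 udp 53, is what a dmz to loc exception should look like, and the answer should say why the narrower rule is preferable. Presentation: the rule is laid out with &nbsp; padding while the other answers on this page use a bordered table with column headers, and the `<font face="Century Gothic, Arial, Helvetica">` wrapping a `<p>` is inline-around-block nesting that should go.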
@ -1079,13 +1125,22 @@ Shorewall</b> I am <b>running</b>?<br>
At the shell prompt, type:<br>
<br>
<font color="#009900"><b> /sbin/shorewall
version</b></font><br>
version<br>
</b></font>
<h4><a name="faq26"></a><b>26. </b>When I try to use any of the SYN
options in nmap on or behind the firewall, I get "operation not
permitted".
How can I use nmap with Shorewall?"</h4>
Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to
"NEWNOTSYN=Yes" then restart Shorewall.<br>
<br>
<h4><a name="faq26a"></a><b><span style="font-weight: bold;">26a.&nbsp;
</span></b>When I try to use the <span style="font-weight: bold;">"-O"
option of nmap</span> from the firewall system, I get "<span
style="font-weight: bold;">operation not permitted". </span>How to I
allow this option?</h4>
Add this command to your /etc/shorewall/start file:<br>
<pre style="margin-left: 40px;"><tt>run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP</tt><br></pre>
<h4><a name="faq27">27. I'm compiling a new kernel for my firewall.
What
should I look out for?</a></h4>
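Review bot: the suggested `run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP` in /etc/shorewall/start deletes the rule that discards INVALID packets for all non-ICMP traffic the firewall itself originates, not only nmap's probes, and because it lives in the start file the rule is removed on every start; the answer should say this is a security trade-off and that the line should be taken out again (and Shorewall restarted) once the scan is done. The NEWNOTSYN=Yes advice in 26, visible just above, relaxes the drop of NEW-but-not-SYN packets in the same way and deserves the same caveat. Typo in the heading: "How to I allow" should read "How do I allow".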
@ -1118,8 +1173,208 @@ to allow connections from the internet to your local network. In all
other cases, you use ACCEPT unless you need to hijack connections as
they go through your firewall and handle them on the firewall box
itself; in that case, you use a REDIRECT rule.<br>
<h4><a name="faq31"></a>31. Does Shorewall provide protection
against....</h4>
<ol>
<li>IP Spoofing: Sending packets over the WAN interface using an
internal LAP IP address as the source address? <span
style="font-weight: bold;">Answer: </span>Yes.</li>
<li>Tear Drop: Sending packets that contain overlapping fragments? <span
style="font-weight: bold;">Answer: </span>This is the responsibility
of the IP stack, not the Netfilter-based firewall since fragment
reassembly occurs before the stateful packet filter ever touches each
packet.</li>
<li>Smurf and Fraggle: Sending packets that use the WAN or LAN
broadcast address as the source address? <span
style="font-weight: bold;">Answer: </span>Shorewall can be configured
to do that using the <a href="blacklisting_support.htm">blacklisting</a>
facility.</li>
<li>Land Attack: Sending packets that use the same address as the
source and destination address? <span style="font-weight: bold;">Answer:
</span>Yes, if the <a href="Documentation.htm#Interfaces">routefilter
interface option</a> is selected.</li>
<li>DOS:<br>
&nbsp;&nbsp; - SYN Dos<br>
&nbsp;&nbsp; - ICMP Dos<br>
&nbsp;&nbsp; - Per-host Dos protection<br>
<span style="font-weight: bold;">Answer: </span>Shorewall has
facilities for limiting SYN and ICMP packets. Netfilter as included in
standard Linux kernels doesn't support per-remote-host limiting except
by explicit rule that specifies the host IP address; that form of
limiting is supported by Shorewall.</li>
</ol>
<h4><a name="faq32"></a><span style="font-weight: bold;">32. </span>My
firewall has two connections to the internet from two different ISPs.
How do I set this up in Shorewall?</h4>
Setting this up in Shorewall is easy; setting up the routing is a bit
harder.<br>
<br>
<font size="2">Last updated 10/04/2003 - <a href="support.htm">Tom
Assuming that eth0 and eth1 are the interfaces to the two ISPs then:<br>
<br>
/etc/shorewall/interfaces:<br>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber2">
<tbody>
<tr>
<td><u><b>ZONE</b></u></td>
<td><u><b>INTERFACE</b></u></td>
<td><u><b>BROADCAST</b></u></td>
<td><u><b>OPTIONS</b></u></td>
</tr>
<tr>
<td>net<br>
</td>
<td>eth0</td>
<td>detect<br>
</td>
<td>...<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">net<br>
</td>
<td style="vertical-align: top;">eth1<br>
</td>
<td style="vertical-align: top;">detect<br>
</td>
<td style="vertical-align: top;">...<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
/etc/shorewall/policy:<br>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
<tr>
<td><u><b>SOURCE </b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr>
<td>net<br>
</td>
<td>net<br>
</td>
<td>DROP<br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<hr style="width: 100%; height: 2px;">The following information
regarding setting up routing for this
configuration is reproduced from the <a href="http://www.lartc.org">LARTC
HOWTO</a> and has not been verified by the author. If you have
questions or problems with the instructions given below, please post to
the <a href="http://www.lartc.org/#mailinglist">LARTC mailing list</a>.<br>
<hr style="width: 100%; height: 2px;">A common configuration is the
following, in which there are two providers
that connect a local network (or even a single machine) to the big
Internet.
<pre class="SCREEN"> ________<br> +------------+ /<br> | | |<br> +-------------+ Provider 1 +-------<br> __ | | | /<br> ___/ \_ +------+-------+ +------------+ |<br> _/ \__ | if1 | /<br> / \ | | |<br>| Local network -----+ Linux router | | Internet<br> \_ __/ | | |<br> \__ __/ | if2 | \<br> \___/ +------+-------+ +------------+ |<br> | | | \<br> +-------------+ Provider 2 +-------<br> | | |<br> +------------+ \________</pre>
<p>There are usually two questions given this setup.</p>
<div class="SECT2">
<h2 class="SECT2">Split access</h2>
<p> The first is how to route answers to packets coming in over a
particular provider, say Provider 1, back out again over that same
provider. </p>
<p> Let us first set some symbolical names. Let <b class="COMMAND">$IF1</b>
be the name of the first interface (if1 in the picture above) and <b
class="COMMAND">$IF2</b> the name of the second interface. Then let <b
class="COMMAND">$IP1</b> be the IP address associated with <b
class="COMMAND">$IF1</b> and <b class="COMMAND">$IP2</b> the IP
address associated with <b class="COMMAND">$IF2</b>. Next, let <b
class="COMMAND">$P1</b> be the IP address of the gateway at Provider
1, and <b class="COMMAND">$P2</b> the IP address of the gateway at
provider 2. Finally, let <b class="COMMAND">$P1_NET</b> be the IP
network <b class="COMMAND">$P1</b> is in, and <b class="COMMAND">$P2_NET</b>
the IP network <b class="COMMAND">$P2</b> is in. </p>
<p> One creates two additional routing tables, say <b class="COMMAND">T1</b>
and <b class="COMMAND">T2</b>. These are added in
/etc/iproute2/rt_tables. Then you set up routing in these tables as
follows: </p>
<p> </p>
<pre class="SCREEN"> ip route add $P1_NET dev $IF1 src $IP1 table T1<br> ip route add default via $P1 table T1<br> ip route add $P2_NET dev $IF2 src $IP2 table T2<br> ip route add default via $P2 table T2<br> </pre>
Nothing spectacular, just build a route to the gateway and build a
default route via that gateway, as you would do in the case of a single
upstream provider, but put the routes in a separate table per provider.
Note that the network route suffices, as it tells you how to find any
host in that network, which includes the gateway, as specified above.
<p> Next you set up the main routing table. It is a good idea to route
things to the direct neighbour through the interface connected to that
neighbour. Note the `src' arguments, they make sure the right outgoing
IP address is chosen. </p>
<pre class="SCREEN"> ip route add $P1_NET dev $IF1 src $IP1<br> ip route add $P2_NET dev $IF2 src $IP2<br> </pre>
Then, your preference for default route:
<pre class="SCREEN"> ip route add default via $P1<br> </pre>
Next, you set up the routing rules. These actually choose what routing
table to route with. You want to make sure that you route out a given
interface if you already have the corresponding source address:
<pre class="SCREEN"> ip rule add from $IP1 table T1<br> ip rule add from $IP2 table T2<br> </pre>
This set of commands makes sure all answers to traffic coming in on a
particular interface get answered from that interface.
<p> </p>
<div class="WARNING">
<table class="WARNING" width="100%" border="0">
<tbody>
<tr>
<td width="25" align="center" valign="top"><img
src="images/BD21298_.gif" hspace="5" alt="Warning" title=""
style="width: 13px; height: 13px;"></td>
<td align="left" valign="top">
<p>Reader Rod Roark notes: 'If $P0_NET is the local network and
$IF0 is its interface,
the following additional entries are desirable: </p>
<pre class="SCREEN">ip route add $P0_NET dev $IF0 table T1<br>ip route add $P2_NET dev $IF2 table T1<br>ip route add 127.0.0.0/8 dev lo table T1<br>ip route add $P0_NET dev $IF0 table T2<br>ip route add $P1_NET dev $IF1 table T2<br>ip route add 127.0.0.0/8 dev lo table T2 </pre>
'</td>
</tr>
</tbody>
</table>
</div>
<p> Now, this is just the very basic setup. It will work for all
processes running on the router itself, and for the local network, if
it is masqueraded. If it is not, then you either have IP space from
both providers or you are going to want to masquerade to one of the two
providers. In both cases you will want to add rules selecting which
provider to route out from based on the IP address of the machine in
the local network. </p>
</div>
<div class="SECT2">
<h2 class="SECT2">Load balancing</h2>
<p> The second question is how to balance traffic going out over the
two providers. This is actually not hard if you already have set up
split access as above. </p>
<p> Instead of choosing one of the two providers as your default route,
you now set up the default route to be a multipath route. In the
default kernel this will balance routes over the two providers. It is
done as follows (once more building on the example in the section on
split-access): </p>
<pre class="SCREEN"> ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \<br> nexthop via $P2 dev $IF2 weight 1<br> </pre>
This will balance the routes over both providers. The <b
class="COMMAND">weight</b> parameters can be tweaked to favor one
provider over the other.
<p> Note that balancing will not be perfect, as it is route based, and
routes are cached. This means that routes to often-used sites will
always be over the same provider. </p>
<p> Furthermore, if you really want to do this, you probably also want
to look at Julian Anastasov's patches at <a
href="http://www.ssi.bg/%7Eja/#routes" target="_top">http://www.ssi.bg/~ja/#routes
</a>, Julian's route patch page. They will make things nicer to work
with. </p>
</div>
<hr style="width: 100%; height: 2px;">End of information reproduced
from the LARTC HOWTO. If you have
questions or problems with the instructions given above, please post to
the <a href="http://www.lartc.org/#mailinglist">LARTC mailing list</a>.
<hr style="width: 100%; height: 2px;"><font size="2">Last updated
11/20/2003 - <a href="support.htm">Tom
Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
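Review bot: FAQ 32 gives the interfaces and policy entries but no /etc/shorewall/masq entries, although the reproduced LARTC text (the "very basic setup" paragraph) says the setup works for the local network only if it is masqueraded, and with two uplinks each external interface needs its own masq entry for the local network so that traffic leaving on eth1 is not sent with eth0's address; add the two entries or say explicitly that masquerading is left to the reader. The net to net DROP policy also deserves one sentence: with both uplinks in the same zone it is what stops the firewall forwarding between the two ISPs. In FAQ 31, "internal LAP IP address" should read "LAN", and "Shorewall can be configured to do that" reads as though Shorewall sends the smurf packets; say "to block them".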

View File

@ -8,19 +8,37 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and FTP</font></h1>
</td>
</tr>
</tbody>
</table>
<h2></h2>
<blockquote> </blockquote>
<h1 style="text-align: center;">Shorewall and FTP<br>
</h1>
<hr style="width: 100%; height: 2px;">
<p><span style="font-weight: bold;">NOTICE: </span>If you are running
Mandrake 9.1 or 9.2 and are having problems with FTP, you have three
choices:</p>
<ol>
<li>Edit /usr/share/shorewall/firewall and replace this line:<br>
<br>
&nbsp;&nbsp; <tt>for suffix in o gz ko ; do<br>
</tt><br>
with<br>
<br>
&nbsp;&nbsp; <tt>for suffix in o gz ko <span
style="font-weight: bold;">o.gz </span>; do<br>
<br>
</tt>and at a root shell prompt:<br>
<br>
<tt>&nbsp;<span style="font-weight: bold; color: rgb(0, 153, 0);">shorewall
restart</span><br style="font-weight: bold; color: rgb(0, 153, 0);">
<br>
</tt></li>
<li>Install the Mandrake "cooker" version of Shorewall.<br>
<br>
</li>
<li>Upgrade to Shorewall 1.4.7 or later.<br>
</li>
</ol>
<hr style="width: 100%; height: 2px;">
<p>FTP transfers involve two TCP connections. The first <u>control</u>
connection goes from the FTP client to port 21 on the FTP server. This
connection is used for logon and to send commands and responses between
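Review bot: option 1 tells the user to hand-edit /usr/share/shorewall/firewall, which the next package update will silently overwrite, while option 3 (upgrade to 1.4.7 or later) makes the edit unnecessary, as the note further down this page confirms when it says 1.4.7 and later load the .o.gz helper modules themselves; list the upgrade first and present the edit as a stop-gap for people who cannot upgrade. The notice should also say why FTP breaks on those Mandrake releases (the compressed ip_nat_ftp.o.gz and ip_conntrack_ftp.o.gz are not found by the loader) so readers can tell whether it applies to them before editing anything.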
@ -30,7 +48,8 @@ connection is dependent on the <u>mode</u>
that the client is operating in:<br>
</p>
<ul>
<li>Passive Mode (default for web browsers) -- The client issues a
<li>Passive Mode (often the default for web browsers) -- The client
issues a
PASV command. Upon receipt of this command, the server listens on a
dynamically-allocated port then sends a PASV reply to the client. The
PASV reply gives the IP address
@ -91,13 +110,17 @@ that the
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded.
Shorewall automatically
loads these "helper" modules from /lib/modules/&lt;<i>kernel-version&gt;</i>/kernel/net/ipv4/netfilter/
and you can determine if they are loaded using the 'lsmod' command:<br>
and you can determine if they are loaded using the 'lsmod' command. The
&lt;<span style="font-style: italic;">kernel-version</span>&gt; may be
obtained by typing<br>
</p>
<pre> <span style="color: rgb(0, 153, 0);"><span
style="font-weight: bold;">uname -r</span></span>
Example:<br></pre>
<blockquote>
<p>Example:<br>
</p>
<blockquote>
<pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre>
<pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc<br> ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp<br> ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state<br> ipt_multiport ipt_conntrack iptable_filter<br> iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre>
</blockquote>
</blockquote>
<blockquote> </blockquote>
@ -105,6 +128,12 @@ and you can determine if they are loaded using the 'lsmod' command:<br>
directory, you need to set the MODULESDIR variable in
/etc/shorewall/shorewall.conf to point to that directory.<br>
</p>
<p>If your FTP helper modules are compressed and have the names <span
style="font-style: italic;">ip_nat_ftp.o.gz </span>and <span
style="font-style: italic;">ip_conntrack_ftp.o.gz</span> then you will
need Shorewall 1.4.7 or later if you want Shorewall to load them for
you.<br>
</p>
<p>Server configuration is covered in <a href="Documentation.htm#Rules">the
/etc/shorewall/rules documentation</a>,<br>
</p>
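Review bot: the new paragraph about the compressed helper names (ip_nat_ftp.o.gz and ip_conntrack_ftp.o.gz) tells readers on releases before 1.4.7 only that Shorewall will not load the modules for them, not what they should do instead; add that on those releases the two modules must be loaded by the administrator before Shorewall starts, and that the lsmod check shown above is the way to confirm that both ip_nat_ftp and ip_conntrack_ftp are actually present. It would also help to connect the paragraph to the MODULESDIR sentence immediately before it, since the compressed files still have to live in the directory MODULESDIR points at for Shorewall 1.4.7 or later to find them.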
@ -203,7 +232,7 @@ to the net.<br>
<p> </p>
</blockquote>
<blockquote> </blockquote>
<p><font size="2">Last updated 9/17/2003 - </font><font size="2"> <a
<p><font size="2">Last updated 12/01/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2003 Thomas M. Eastep.</font></a><br>
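Review bot: the revised footer date "12/01/2003" is ambiguous (1 December or 12 January depending on the reader's locale); for a page with an international readership write it in an unambiguous form such as "2003-12-01" or "December 1, 2003". The "&nbsp;" paragraph and empty "&lt;blockquote&gt; &lt;/blockquote&gt;" carried as context just above the footer are FrontPage padding and could be dropped while this footer is being touched.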

View File

@ -8,17 +8,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Generic Tunnels</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Generic Tunnels<br>
</h1>
Shorewall includes built-in support for a wide range of VPN solutions.
If you have need for a tunnel type that does not have explicit support,
you can generally describe the tunneling software using "generic
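Review bot: the replacement heading &lt;h1 style="text-align: center;"&gt;Generic Tunnels&lt;br&gt;&lt;/h1&gt; keeps a stray &lt;br&gt; inside the &lt;h1&gt;, which only adds an empty line under the title; drop it so the element reads &lt;h1 style="text-align: center;"&gt;Generic Tunnels&lt;/h1&gt;. Replacing the coloured banner table (bordercolor, bgcolor, id="AutoNumber1") with a plain heading is otherwise a good cleanup.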

View File

@ -1,341 +1,420 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Copyright</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h2 align="center"><font color="#ffffff">GNU Free Documentation License</font></h2>
</td>
</tr>
</tbody>
</table>
<body>
<h1 style="text-align: center;">GNU Free Documentation License<br>
</h1>
<p>Version 1.1, March 2000 </p>
<pre>Copyright (C) 2000 Free Software Foundation, Inc.<br>59 Temple Place, Suite 330, Boston, MA 02111-1307 USA<br>Everyone is permitted to copy and distribute verbatim copies<br>of this license document, but changing it is not allowed.<br></pre>
<p><strong>0. PREAMBLE</strong> </p>
<p>The purpose of this License is to make a manual, textbook, or other written
document "free" in the sense of freedom: to assure everyone the effective
freedom to copy and redistribute it, with or without modifying it, either
commercially or noncommercially. Secondarily, this License preserves for
the author and publisher a way to get credit for their work, while not being
considered responsible for modifications made by others. </p>
<p>This License is a kind of "copyleft", which means that derivative works
of the document must themselves be free in the same sense. It complements
the GNU General Public License, which is a copyleft license designed for
<p>The purpose of this License is to make a manual, textbook, or other
written document "free" in the sense of freedom: to assure everyone the
effective freedom to copy and redistribute it, with or without
modifying it, either commercially or noncommercially. Secondarily, this
License preserves for
the author and publisher a way to get credit for their work, while not
being considered responsible for modifications made by others. </p>
<p>This License is a kind of "copyleft", which means that derivative
works
of the document must themselves be free in the same sense. It
complements
the GNU General Public License, which is a copyleft license designed
for
free software. </p>
<p>We have designed this License in order to use it for manuals for free software,
because free software needs free documentation: a free program should come
with manuals providing the same freedoms that the software does. But this
License is not limited to software manuals; it can be used for any textual
work, regardless of subject matter or whether it is published as a printed
book. We recommend this License principally for works whose purpose is instruction
<p>We have designed this License in order to use it for manuals for
free software,
because free software needs free documentation: a free program should
come
with manuals providing the same freedoms that the software does. But
this License is not limited to software manuals; it can be used for any
textual
work, regardless of subject matter or whether it is published as a
printed
book. We recommend this License principally for works whose purpose is
instruction
or reference. </p>
<p><strong>1. APPLICABILITY AND DEFINITIONS</strong> </p>
<p>This License applies to any manual or other work that contains a notice
placed by the copyright holder saying it can be distributed under the terms
of this License. The "Document", below, refers to any such manual or work.
<p>This License applies to any manual or other work that contains a
notice placed by the copyright holder saying it can be distributed
under the terms
of this License. The "Document", below, refers to any such manual or
work.
Any member of the public is a licensee, and is addressed as "you". </p>
<p>A "Modified Version" of the Document means any work containing the Document
or a portion of it, either copied verbatim, or with modifications and/or translated
<p>A "Modified Version" of the Document means any work containing the
Document or a portion of it, either copied verbatim, or with
modifications and/or translated
into another language. </p>
<p>A "Secondary Section" is a named appendix or a front-matter section of
the Document that deals exclusively with the relationship of the publishers
or authors of the Document to the Document's overall subject (or to related
matters) and contains nothing that could fall directly within that overall
subject. (For example, if the Document is in part a textbook of mathematics,
a Secondary Section may not explain any mathematics.) The relationship could
be a matter of historical connection with the subject or with related matters,
or of legal, commercial, philosophical, ethical or political position regarding
<p>A "Secondary Section" is a named appendix or a front-matter section
of
the Document that deals exclusively with the relationship of the
publishers
or authors of the Document to the Document's overall subject (or to
related matters) and contains nothing that could fall directly within
that overall subject. (For example, if the Document is in part a
textbook of mathematics,
a Secondary Section may not explain any mathematics.) The relationship
could
be a matter of historical connection with the subject or with related
matters,
or of legal, commercial, philosophical, ethical or political position
regarding
them. </p>
<p>The "Invariant Sections" are certain Secondary Sections whose titles are
designated, as being those of Invariant Sections, in the notice that says
<p>The "Invariant Sections" are certain Secondary Sections whose titles
are designated, as being those of Invariant Sections, in the notice
that says
that the Document is released under this License. </p>
<p>The "Cover Texts" are certain short passages of text that are listed,
as Front-Cover Texts or Back-Cover Texts, in the notice that says that the
<p>The "Cover Texts" are certain short passages of text that are
listed,
as Front-Cover Texts or Back-Cover Texts, in the notice that says that
the
Document is released under this License. </p>
<p>A "Transparent" copy of the Document means a machine-readable copy, represented
in a format whose specification is available to the general public, whose
contents can be viewed and edited directly and straightforwardly with generic
text editors or (for images composed of pixels) generic paint programs or
(for drawings) some widely available drawing editor, and that is suitable
for input to text formatters or for automatic translation to a variety of
formats suitable for input to text formatters. A copy made in an otherwise
Transparent file format whose markup has been designed to thwart or discourage
subsequent modification by readers is not Transparent. A copy that is not
<p>A "Transparent" copy of the Document means a machine-readable copy,
represented
in a format whose specification is available to the general public,
whose
contents can be viewed and edited directly and straightforwardly with
generic
text editors or (for images composed of pixels) generic paint programs
or
(for drawings) some widely available drawing editor, and that is
suitable
for input to text formatters or for automatic translation to a variety
of
formats suitable for input to text formatters. A copy made in an
otherwise
Transparent file format whose markup has been designed to thwart or
discourage
subsequent modification by readers is not Transparent. A copy that is
not
"Transparent" is called "Opaque". </p>
<p>Examples of suitable formats for Transparent copies include plain ASCII
without markup, Texinfo input format, LaTeX input format, SGML or XML using
a publicly available DTD, and standard-conforming simple HTML designed for
human modification. Opaque formats include PostScript, PDF, proprietary formats
that can be read and edited only by proprietary word processors, SGML or
XML for which the DTD and/or processing tools are not generally available,
and the machine-generated HTML produced by some word processors for output
<p>Examples of suitable formats for Transparent copies include plain
ASCII without markup, Texinfo input format, LaTeX input format, SGML or
XML using
a publicly available DTD, and standard-conforming simple HTML designed
for
human modification. Opaque formats include PostScript, PDF, proprietary
formats
that can be read and edited only by proprietary word processors, SGML
or
XML for which the DTD and/or processing tools are not generally
available,
and the machine-generated HTML produced by some word processors for
output
purposes only. </p>
<p>The "Title Page" means, for a printed book, the title page itself, plus
such following pages as are needed to hold, legibly, the material this License
requires to appear in the title page. For works in formats which do not have
any title page as such, "Title Page" means the text near the most prominent
appearance of the work's title, preceding the beginning of the body of the
<p>The "Title Page" means, for a printed book, the title page itself,
plus
such following pages as are needed to hold, legibly, the material this
License requires to appear in the title page. For works in formats
which do not have
any title page as such, "Title Page" means the text near the most
prominent appearance of the work's title, preceding the beginning of
the body of the
text. </p>
<p><strong>2. VERBATIM COPYING</strong> </p>
<p>You may copy and distribute the Document in any medium, either commercially
or noncommercially, provided that this License, the copyright notices, and
the license notice saying this License applies to the Document are reproduced
in all copies, and that you add no other conditions whatsoever to those of
this License. You may not use technical measures to obstruct or control the
reading or further copying of the copies you make or distribute. However,
you may accept compensation in exchange for copies. If you distribute a large
enough number of copies you must also follow the conditions in section 3.
<p>You may copy and distribute the Document in any medium, either
commercially or noncommercially, provided that this License, the
copyright notices, and
the license notice saying this License applies to the Document are
reproduced
in all copies, and that you add no other conditions whatsoever to those
of
this License. You may not use technical measures to obstruct or control
the
reading or further copying of the copies you make or distribute.
However,
you may accept compensation in exchange for copies. If you distribute a
large
enough number of copies you must also follow the conditions in section
3.
</p>
<p>You may also lend copies, under the same conditions stated above, and
<p>You may also lend copies, under the same conditions stated above,
and
you may publicly display copies. </p>
<p><strong>3. COPYING IN QUANTITY</strong> </p>
<p>If you publish printed copies of the Document numbering more than 100,
and the Document's license notice requires Cover Texts, you must enclose
the copies in covers that carry, clearly and legibly, all these Cover Texts:
Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover.
Both covers must also clearly and legibly identify you as the publisher of
these copies. The front cover must present the full title with all words
of the title equally prominent and visible. You may add other material on
the covers in addition. Copying with changes limited to the covers, as long
as they preserve the title of the Document and satisfy these conditions,
<p>If you publish printed copies of the Document numbering more than
100,
and the Document's license notice requires Cover Texts, you must
enclose
the copies in covers that carry, clearly and legibly, all these Cover
Texts:
Front-Cover Texts on the front cover, and Back-Cover Texts on the back
cover.
Both covers must also clearly and legibly identify you as the publisher
of
these copies. The front cover must present the full title with all
words
of the title equally prominent and visible. You may add other material
on
the covers in addition. Copying with changes limited to the covers, as
long
as they preserve the title of the Document and satisfy these
conditions,
can be treated as verbatim copying in other respects. </p>
<p>If the required texts for either cover are too voluminous to fit legibly,
you should put the first ones listed (as many as fit reasonably) on the actual
cover, and continue the rest onto adjacent pages. </p>
<p>If you publish or distribute Opaque copies of the Document numbering more
than 100, you must either include a machine-readable Transparent copy along
with each Opaque copy, or state in or with each Opaque copy a publicly-accessible
computer-network location containing a complete Transparent copy of the Document,
free of added material, which the general network-using public has access
to download anonymously at no charge using public-standard network protocols.
If you use the latter option, you must take reasonably prudent steps, when
you begin distribution of Opaque copies in quantity, to ensure that this Transparent
copy will remain thus accessible at the stated location until at least one
year after the last time you distribute an Opaque copy (directly or through
<p>If the required texts for either cover are too voluminous to fit
legibly,
you should put the first ones listed (as many as fit reasonably) on the
actual cover, and continue the rest onto adjacent pages. </p>
<p>If you publish or distribute Opaque copies of the Document numbering
more than 100, you must either include a machine-readable Transparent
copy along
with each Opaque copy, or state in or with each Opaque copy a
publicly-accessible computer-network location containing a complete
Transparent copy of the Document,
free of added material, which the general network-using public has
access
to download anonymously at no charge using public-standard network
protocols.
If you use the latter option, you must take reasonably prudent steps,
when
you begin distribution of Opaque copies in quantity, to ensure that
this Transparent
copy will remain thus accessible at the stated location until at least
one
year after the last time you distribute an Opaque copy (directly or
through
your agents or retailers) of that edition to the public. </p>
<p>It is requested, but not required, that you contact the authors of the
Document well before redistributing any large number of copies, to give them
<p>It is requested, but not required, that you contact the authors of
the Document well before redistributing any large number of copies, to
give them
a chance to provide you with an updated version of the Document. </p>
<p><strong>4. MODIFICATIONS</strong> </p>
<p>You may copy and distribute a Modified Version of the Document under the
conditions of sections 2 and 3 above, provided that you release the Modified
Version under precisely this License, with the Modified Version filling the
role of the Document, thus licensing distribution and modification of the
Modified Version to whoever possesses a copy of it. In addition, you must
<p>You may copy and distribute a Modified Version of the Document under
the conditions of sections 2 and 3 above, provided that you release the
Modified Version under precisely this License, with the Modified
Version filling the
role of the Document, thus licensing distribution and modification of
the
Modified Version to whoever possesses a copy of it. In addition, you
must
do these things in the Modified Version: </p>
<p> </p>
<p>&nbsp;</p>
<ul>
<li><strong>A.</strong> Use in the Title Page (and on the covers, if any)
<li><strong>A.</strong> Use in the Title Page (and on the covers, if
any)
a title distinct from that of the Document, and from those of previous
versions (which should, if there were any, be listed in the History section
of the Document). You may use the same title as a previous version if the
versions (which should, if there were any, be listed in the History
section
of the Document). You may use the same title as a previous version if
the
original publisher of that version gives permission. </li>
<li><strong>B.</strong> List on the Title Page, as authors, one or more
persons or entities responsible for authorship of the modifications in
the Modified Version, together with at least five of the principal authors
of the Document (all of its principal authors, if it has less than five).
</li>
<li><strong>C.</strong> State on the Title page the name of the publisher
<li><strong>B.</strong> List on the Title Page, as authors, one or
more persons or entities responsible for authorship of the
modifications in
the Modified Version, together with at least five of the principal
authors
of the Document (all of its principal authors, if it has less than
five). </li>
<li><strong>C.</strong> State on the Title page the name of the
publisher
of the Modified Version, as the publisher. </li>
<li><strong>D.</strong> Preserve all the copyright notices of the Document.
</li>
<li><strong>D.</strong> Preserve all the copyright notices of the
Document. </li>
<li><strong>E.</strong> Add an appropriate copyright notice for your
modifications adjacent to the other copyright notices. </li>
<li><strong>F.</strong> Include, immediately after the copyright notices,
a license notice giving the public permission to use the Modified Version
under the terms of this License, in the form shown in the Addendum below.
</li>
<li><strong>G.</strong> Preserve in that license notice the full lists
modifications adjacent to the other copyright notices. </li>
<li><strong>F.</strong> Include, immediately after the copyright
notices,
a license notice giving the public permission to use the Modified
Version
under the terms of this License, in the form shown in the Addendum
below. </li>
<li><strong>G.</strong> Preserve in that license notice the full
lists
of Invariant Sections and required Cover Texts given in the Document's
license notice. </li>
<li><strong>H.</strong> Include an unaltered copy of this License. </li>
<li><strong>I.</strong> Preserve the section entitled "History", and its
title, and add to it an item stating at least the title, year, new authors,
and publisher of the Modified Version as given on the Title Page. If there
is no section entitled "History" in the Document, create one stating the
title, year, authors, and publisher of the Document as given on its Title
<li><strong>I.</strong> Preserve the section entitled "History", and
its title, and add to it an item stating at least the title, year, new
authors, and publisher of the Modified Version as given on the Title
Page. If there
is no section entitled "History" in the Document, create one stating
the
title, year, authors, and publisher of the Document as given on its
Title
Page, then add an item describing the Modified Version as stated in the
previous sentence. </li>
<li><strong>J.</strong> Preserve the network location, if any, given in
the Document for public access to a Transparent copy of the Document, and
likewise the network locations given in the Document for previous versions
<li><strong>J.</strong> Preserve the network location, if any, given
in
the Document for public access to a Transparent copy of the Document,
and
likewise the network locations given in the Document for previous
versions
it was based on. These may be placed in the "History" section. You may
omit a network location for a work that was published at least four years
omit a network location for a work that was published at least four
years
before the Document itself, or if the original publisher of the version
it refers to gives permission. </li>
<li><strong>K.</strong> In any section entitled "Acknowledgements" or
"Dedications", preserve the section's title, and preserve in the section
"Dedications", preserve the section's title, and preserve in the
section
all the substance and tone of each of the contributor acknowledgements
and/or dedications given therein. </li>
<li><strong>L.</strong> Preserve all the Invariant Sections of the Document,
unaltered in their text and in their titles. Section numbers or the equivalent
are not considered part of the section titles. </li>
<li><strong>M.</strong> Delete any section entitled "Endorsements". Such
<li><strong>L.</strong> Preserve all the Invariant Sections of the
Document, unaltered in their text and in their titles. Section numbers
or the equivalent are not considered part of the section titles. </li>
<li><strong>M.</strong> Delete any section entitled "Endorsements".
Such
a section may not be included in the Modified Version. </li>
<li><strong>N.</strong> Do not retitle any existing section as "Endorsements"
or to conflict in title with any Invariant Section. </li>
<li><strong>N.</strong> Do not retitle any existing section as
"Endorsements" or to conflict in title with any Invariant Section. </li>
</ul>
<p>If the Modified Version includes new front-matter sections or appendices
that qualify as Secondary Sections and contain no material copied from the
Document, you may at your option designate some or all of these sections
as invariant. To do this, add their titles to the list of Invariant Sections
in the Modified Version's license notice. These titles must be distinct from
<p>If the Modified Version includes new front-matter sections or
appendices
that qualify as Secondary Sections and contain no material copied from
the
Document, you may at your option designate some or all of these
sections
as invariant. To do this, add their titles to the list of Invariant
Sections
in the Modified Version's license notice. These titles must be distinct
from
any other section titles. </p>
<p>You may add a section entitled "Endorsements", provided it contains nothing
but endorsements of your Modified Version by various parties--for example,
statements of peer review or that the text has been approved by an organization
as the authoritative definition of a standard. </p>
<p>You may add a passage of up to five words as a Front-Cover Text, and a
passage of up to 25 words as a Back-Cover Text, to the end of the list of
Cover Texts in the Modified Version. Only one passage of Front-Cover Text
and one of Back-Cover Text may be added by (or through arrangements made
by) any one entity. If the Document already includes a cover text for the
same cover, previously added by you or by arrangement made by the same entity
you are acting on behalf of, you may not add another; but you may replace
the old one, on explicit permission from the previous publisher that added
<p>You may add a section entitled "Endorsements", provided it contains
nothing but endorsements of your Modified Version by various
parties--for example, statements of peer review or that the text has
been approved by an organization as the authoritative definition of a
standard. </p>
<p>You may add a passage of up to five words as a Front-Cover Text, and
a passage of up to 25 words as a Back-Cover Text, to the end of the
list of
Cover Texts in the Modified Version. Only one passage of Front-Cover
Text
and one of Back-Cover Text may be added by (or through arrangements
made
by) any one entity. If the Document already includes a cover text for
the
same cover, previously added by you or by arrangement made by the same
entity
you are acting on behalf of, you may not add another; but you may
replace
the old one, on explicit permission from the previous publisher that
added
the old one. </p>
<p>The author(s) and publisher(s) of the Document do not by this License
give permission to use their names for publicity for or to assert or imply
endorsement of any Modified Version. </p>
<p>The author(s) and publisher(s) of the Document do not by this
License
give permission to use their names for publicity for or to assert or
imply endorsement of any Modified Version. </p>
<p><strong>5. COMBINING DOCUMENTS</strong> </p>
<p>You may combine the Document with other documents released under this License,
under the terms defined in section 4 above for modified versions, provided
that you include in the combination all of the Invariant Sections of all
of the original documents, unmodified, and list them all as Invariant Sections
<p>You may combine the Document with other documents released under
this License,
under the terms defined in section 4 above for modified versions,
provided
that you include in the combination all of the Invariant Sections of
all
of the original documents, unmodified, and list them all as Invariant
Sections
of your combined work in its license notice. </p>
<p>The combined work need only contain one copy of this License, and multiple
identical Invariant Sections may be replaced with a single copy. If there
are multiple Invariant Sections with the same name but different contents,
make the title of each such section unique by adding at the end of it, in
parentheses, the name of the original author or publisher of that section
if known, or else a unique number. Make the same adjustment to the section
titles in the list of Invariant Sections in the license notice of the combined
<p>The combined work need only contain one copy of this License, and
multiple identical Invariant Sections may be replaced with a single
copy. If there
are multiple Invariant Sections with the same name but different
contents,
make the title of each such section unique by adding at the end of it,
in
parentheses, the name of the original author or publisher of that
section
if known, or else a unique number. Make the same adjustment to the
section
titles in the list of Invariant Sections in the license notice of the
combined
work. </p>
<p>In the combination, you must combine any sections entitled "History" in
the various original documents, forming one section entitled "History"; likewise
combine any sections entitled "Acknowledgements", and any sections entitled
"Dedications". You must delete all sections entitled "Endorsements." </p>
<p>In the combination, you must combine any sections entitled "History"
in
the various original documents, forming one section entitled "History";
likewise combine any sections entitled "Acknowledgements", and any
sections entitled "Dedications". You must delete all sections entitled
"Endorsements." </p>
<p><strong>6. COLLECTIONS OF DOCUMENTS</strong> </p>
<p>You may make a collection consisting of the Document and other documents
released under this License, and replace the individual copies of this License
in the various documents with a single copy that is included in the collection,
provided that you follow the rules of this License for verbatim copying of
<p>You may make a collection consisting of the Document and other
documents released under this License, and replace the individual
copies of this License in the various documents with a single copy that
is included in the collection, provided that you follow the rules of
this License for verbatim copying of
each of the documents in all other respects. </p>
<p>You may extract a single document from such a collection, and distribute
it individually under this License, provided you insert a copy of this License
into the extracted document, and follow this License in all other respects
<p>You may extract a single document from such a collection, and
distribute
it individually under this License, provided you insert a copy of this
License
into the extracted document, and follow this License in all other
respects
regarding verbatim copying of that document. </p>
<p><strong>7. AGGREGATION WITH INDEPENDENT WORKS</strong> </p>
<p>A compilation of the Document or its derivatives with other separate and
independent documents or works, in or on a volume of a storage or distribution
medium, does not as a whole count as a Modified Version of the Document, provided
no compilation copyright is claimed for the compilation. Such a compilation
is called an "aggregate", and this License does not apply to the other self-contained
works thus compiled with the Document, on account of their being thus compiled,
<p>A compilation of the Document or its derivatives with other separate
and independent documents or works, in or on a volume of a storage or
distribution medium, does not as a whole count as a Modified Version of
the Document, provided
no compilation copyright is claimed for the compilation. Such a
compilation
is called an "aggregate", and this License does not apply to the other
self-contained
works thus compiled with the Document, on account of their being thus
compiled,
if they are not themselves derivative works of the Document. </p>
<p>If the Cover Text requirement of section 3 is applicable to these copies
of the Document, then if the Document is less than one quarter of the entire
aggregate, the Document's Cover Texts may be placed on covers that surround
only the Document within the aggregate. Otherwise they must appear on covers
<p>If the Cover Text requirement of section 3 is applicable to these
copies
of the Document, then if the Document is less than one quarter of the
entire aggregate, the Document's Cover Texts may be placed on covers
that surround
only the Document within the aggregate. Otherwise they must appear on
covers
around the whole aggregate. </p>
<p><strong>8. TRANSLATION</strong> </p>
<p>Translation is considered a kind of modification, so you may distribute
translations of the Document under the terms of section 4. Replacing Invariant
Sections with translations requires special permission from their copyright
holders, but you may include translations of some or all Invariant Sections
in addition to the original versions of these Invariant Sections. You may
include a translation of this License provided that you also include the
original English version of this License. In case of a disagreement between
the translation and the original English version of this License, the original
<p>Translation is considered a kind of modification, so you may
distribute translations of the Document under the terms of section 4.
Replacing Invariant Sections with translations requires special
permission from their copyright holders, but you may include
translations of some or all Invariant Sections
in addition to the original versions of these Invariant Sections. You
may
include a translation of this License provided that you also include
the
original English version of this License. In case of a disagreement
between
the translation and the original English version of this License, the
original
English version will prevail. </p>
<p><strong>9. TERMINATION</strong> </p>
<p>You may not copy, modify, sublicense, or distribute the Document except
as expressly provided for under this License. Any other attempt to copy,
modify, sublicense or distribute the Document is void, and will automatically
terminate your rights under this License. However, parties who have received
copies, or rights, from you under this License will not have their licenses
<p>You may not copy, modify, sublicense, or distribute the Document
except
as expressly provided for under this License. Any other attempt to
copy,
modify, sublicense or distribute the Document is void, and will
automatically
terminate your rights under this License. However, parties who have
received
copies, or rights, from you under this License will not have their
licenses
terminated so long as such parties remain in full compliance. </p>
<p><strong>10. FUTURE REVISIONS OF THIS LICENSE</strong> </p>
<p>The Free Software Foundation may publish new, revised versions of the
GNU Free Documentation License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
<p>The Free Software Foundation may publish new, revised versions of
the
GNU Free Documentation License from time to time. Such new versions
will
be similar in spirit to the present version, but may differ in detail
to
address new problems or concerns. See http://www.gnu.org/copyleft/. </p>
<p>Each version of the License is given a distinguishing version number.
If the Document specifies that a particular numbered version of this License
"or any later version" applies to it, you have the option of following the
terms and conditions either of that specified version or of any later version
that has been published (not as a draft) by the Free Software Foundation.
If the Document does not specify a version number of this License, you may
choose any version ever published (not as a draft) by the Free Software Foundation.
<p>Each version of the License is given a distinguishing version
number.
If the Document specifies that a particular numbered version of this
License
"or any later version" applies to it, you have the option of following
the
terms and conditions either of that specified version or of any later
version
that has been published (not as a draft) by the Free Software
Foundation.
If the Document does not specify a version number of this License, you
may
choose any version ever published (not as a draft) by the Free Software
Foundation.
</p>
<p align="left"> </p>
<br>
<p align="left">&nbsp;</p>
<br>
</body>
</html>
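Review bot: The filler just before `</body>` (an empty `<p align="left">&nbsp;</p>` with a `<br>` on either side) serves no purpose and could be dropped while the file is being touched. Everything else in this hunk is a whitespace reflow of GFDL sections 7 through 10 with no wording change, which is the right thing to do here, since the license text itself must not be altered.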

View File

@ -1,73 +1,48 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>GRE/IPIP Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">GRE and IPIP Tunnels</font></h1>
</td>
</tr>
</tbody>
</table>
<h3><font color="#ff6633">Warning: </font>GRE and IPIP Tunnels are insecure
when used over the internet; use them at your own risk</h3>
<p>GRE and IPIP tunneling with Shorewall can be used to bridge two masqueraded
networks.</p>
<body>
<h1 style="text-align: center;">GRE and IPIP Tunnels<br>
</h1>
<h3><font color="#ff6633">Warning: </font>GRE and IPIP Tunnels are
insecure when used over the internet; use them at your own risk</h3>
<p>GRE and IPIP tunneling with Shorewall can be used to bridge two
masqueraded networks.</p>
<p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux
Advanced Routing and Shaping HOWTO</a> work fine with Shorewall. Shorewall
also includes a tunnel script for automating tunnel configuration. If you
have installed the RPM, the tunnel script may be found in the Shorewall documentation
directory (usually /usr/share/doc/shorewall-&lt;version&gt;/).</p>
Advanced Routing and Shaping HOWTO</a> work fine with Shorewall.
Shorewall also includes a tunnel script for automating tunnel
configuration. If you have installed the RPM, the tunnel script may be
found in the Shorewall documentation directory (usually
/usr/share/doc/shorewall-&lt;version&gt;/).</p>
<h2>Bridging two Masqueraded Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center"> <img border="0" src="images/TwoNets1.png" width="745"
height="427">
</p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able
to communicate with the systems in the 10.0.0.0/8 network. This is accomplished
through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy
file and the /etc/shorewall/tunnel script that is included with Shorewall.</p>
<p align="left">The 'tunnel' script is not installed in /etc/shorewall by
default -- If you install using the tarball, the script is included in the
tarball; if you install using the RPM, the file is in your Shorewall documentation
directory (normally /usr/share/doc/shorewall-&lt;version&gt;).</p>
<p align="left">In the /etc/shorewall/tunnel script, set the 'tunnel_type'
parameter to the type of tunnel that you want to create.</p>
<p align="center"> <img border="0" src="images/TwoNets1.png"
width="745" height="427"> </p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
able to communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file, the
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
included with Shorewall.</p>
<p align="left">The 'tunnel' script is not installed in /etc/shorewall
by default -- If you install using the tarball, the script is included
in the tarball; if you install using the RPM, the file is in your
Shorewall documentation directory (normally
/usr/share/doc/shorewall-&lt;version&gt;).</p>
<p align="left">In the /etc/shorewall/tunnel script, set the
'tunnel_type' parameter to the type of tunnel that you want to create.</p>
<p align="left">Example:</p>
<blockquote>
<p align="left">tunnel_type=gre</p>
</blockquote>
<p align="left">On each firewall, you will need to declare a zone to represent
the remote subnet. We'll assume that this zone is called 'vpn' and declare
it in /etc/shorewall/zones on both systems as follows.</p>
</blockquote>
<p align="left">On each firewall, you will need to declare a zone to
represent the remote subnet. We'll assume that this zone is called
'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -81,14 +56,12 @@ it in /etc/shorewall/zones on both systems as follows.</p>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
zone.
In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -102,15 +75,13 @@ In /etc/shorewall/interfaces:</p>
<td>vpn</td>
<td>tosysb</td>
<td>10.255.255.255</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the
following:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -124,30 +95,25 @@ In /etc/shorewall/interfaces:</p>
<td>ipip</td>
<td>net</td>
<td>134.28.54.2</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IP
encapsulation protocol (4) will be accepted to/from the remote gateway.</p>
</blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the
IP encapsulation protocol (4) will be accepted to/from the remote
gateway.</p>
<p>In the tunnel script on system A:</p>
<blockquote>
<p>tunnel=tosysb<br>
myrealip=206.161.148.9 (for GRE tunnel only)<br>
myip=192.168.1.1<br>
hisip=10.0.0.1<br>
gateway=134.28.54.2<br>
subnet=10.0.0.0/8</p>
</blockquote>
myrealip=206.161.148.9 (for GRE tunnel only)<br>
myip=192.168.1.1<br>
hisip=10.0.0.1<br>
gateway=134.28.54.2<br>
subnet=10.0.0.0/8</p>
</blockquote>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
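Review bot: `myrealip=206.161.148.9` in the system A tunnel script does not match the address that system B uses for the same gateway (`gateway=206.191.148.9`, and the 206.191.148.9 entry in system B's /etc/shorewall/tunnels); one of the two is a typo and the example should be made consistent in this hunk rather than reflowed as is. Separately, the /etc/shorewall/tunnels entry shown here is of type `ipip`, while the tunnel-script example earlier on the page sets `tunnel_type=gre`; it would help to state that the type in the tunnels file and the script's tunnel_type must agree, because the tunnels entry is what opens the encapsulation protocol on the firewall (protocol 4 for ipip, as the paragraph after the table says), so an ipip entry would not admit a GRE tunnel.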
@ -161,15 +127,12 @@ zone. In /etc/shorewall/interfaces:</p>
<td>vpn</td>
<td>tosysa</td>
<td>192.168.1.255</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p>In /etc/shorewall/tunnels on system B, we have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -183,31 +146,25 @@ zone. In /etc/shorewall/interfaces:</p>
<td>ipip</td>
<td>net</td>
<td>206.191.148.9</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p>And in the tunnel script on system B:</p>
<blockquote>
<p>tunnel=tosysa<br>
myrealip=134.28.54.2 (for GRE tunnel only)<br>
myip=10.0.0.1<br>
hisip=192.168.1.1<br>
gateway=206.191.148.9<br>
subnet=192.168.1.0/24</p>
</blockquote>
<p>You can rename the modified tunnel scripts if you like; be sure that they
are secured so that root can execute them. </p>
<p align="left"> You will need to allow traffic between the "vpn" zone and
the "loc" zone on both systems -- if you simply want to admit all traffic
in both directions, you can use the policy file:</p>
myrealip=134.28.54.2 (for GRE tunnel only)<br>
myip=10.0.0.1<br>
hisip=192.168.1.1<br>
gateway=206.191.148.9<br>
subnet=192.168.1.0/24</p>
</blockquote>
<p>You can rename the modified tunnel scripts if you like; be sure that
they are secured so that root can execute them. </p>
<p align="left"> You will need to allow traffic between the "vpn" zone
and the "loc" zone on both systems -- if you simply want to admit all
traffic in both directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
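Review bot: "be sure that they are secured so that root can execute them" states the requirement backwards; what matters is that only root can modify them, because the tunnel script runs as root and executes whatever it contains, so a copy writable by another user lets that user run commands as root. Suggest wording such as "be sure they are owned by root and writable only by root (e.g. chmod 700)".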
@ -221,29 +178,27 @@ are secured so that root can execute them. </p>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td> </td>
<td>&nbsp;</td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>On both systems, restart Shorewall and run the modified tunnel script with
the "start" argument on each system. The systems in the two masqueraded subnetworks
</blockquote>
<p>On both systems, restart Shorewall and run the modified tunnel
script with
the "start" argument on each system. The systems in the two masqueraded
subnetworks
can now talk to each other</p>
<p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>
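Review bot: The "Updated 2/22/2003" footer was not bumped for this edit, and `2003Thomas M. Eastep` in the copyright line is missing a space (both are in the old and new text). The four trailing `<br>` elements before `</body>` could be dropped at the same time.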

View File

@ -8,17 +8,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">IPSEC Tunnels</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">IPSEC Tunnels<br>
</h1>
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a
href="http://www.geocities.com/jixen66/">
@ -34,10 +25,40 @@ to debug this problem so I can't say if it is a bug in the Kernel or in
FreeS/Wan.&nbsp;</p>
<p>You <b>might</b> be able to work around this problem using the
following (I haven't tried it):</p>
<p>In /etc/shorewall/init, include:</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec stop</p>
<p>In /etc/shorewall/start, include:</p>
<p>&nbsp;&nbsp;&nbsp; qt service ipsec start</p>
<p style="margin-left: 40px;">In /etc/shorewall/init, include:</p>
<div style="margin-left: 40px;"></div>
<p style="margin-left: 40px;">&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec
stop</p>
<div style="margin-left: 40px;"></div>
<p style="margin-left: 40px;">In /etc/shorewall/start, include:</p>
<div style="margin-left: 40px;"></div>
<p style="margin-left: 40px;">&nbsp;&nbsp;&nbsp; qt service ipsec start<br>
</p>
<p>Also, the documentation below assumes that you have disabled
opportunistic encryption feature in FreeS/Wan 2.0 using the following
additional entries in ipsec.conf:<br>
</p>
<p style="margin-left: 40px;"><tt>conn block<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
<br>
conn private<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
<br>
conn private-or-clear<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
<br>
conn clear-or-private<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
<br>
conn clear<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
<br>
conn packetdefault<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
</tt></p>
For further information see <a
href="http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html">http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html</a>.<tt><br>
</tt>
<h2> <font color="#660066">IPSec Gateway on the Firewall System </font></h2>
<p>Suppose that we have the following sutuation:</p>
<font color="#660066">
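Review bot: The three empty `<div style="margin-left: 40px;"></div>` elements between the init/start paragraphs, and the `<tt><br></tt>` following the policygroups link, are editor residue and should be removed. On substance, the workaround of stopping ipsec from /etc/shorewall/init and starting it again from /etc/shorewall/start is flagged as untried ("I haven't tried it"); it would help readers to add that the IPSEC tunnels are down for the duration of every Shorewall restart under that arrangement, so it should not be used where the tunnel carries traffic that must not be interrupted.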
@ -631,7 +652,7 @@ issue the command":<br>
<blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
</blockquote>
and the 'down' part will:<br>
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn<br>
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn2<br>
<br>
</blockquote>
<h3>Limitations of Dynamic Zones</h3>
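Review bot: Correct fix: the 'down' command now deletes `ipsec0:134.28.54.2` from zone `vpn2`, the same zone the 'up' command adds it to. With the old text the delete named `vpn`, so the address would have stayed a member of the dynamic zone `vpn2` after the tunnel went down, and the firewall would have kept applying the vpn2 policy to a peer no longer protected by the tunnel.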
@ -664,7 +685,7 @@ DESTINATION<br>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">z:dyn<br>
<td valign="top">z!dyn<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
@ -682,7 +703,7 @@ DESTINATION<br>
</blockquote>
Dynamic changes to the zone <b>dyn</b> will have no effect on the
above rule.
<p><font size="2">Last updated 8/12//2003 - </font><font size="2"> <a
<p><font size="2">Last updated 10/292003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
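Review bot: The new "Last updated" string `10/292003` is missing the slash between day and year (the old `8/12//2003` had one too many); it should read `10/29/2003`.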

View File

@ -1,97 +1,75 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
<h1 style="text-align: center;">Shorewall Installation and Upgrade<br>
</h1>
<p align="center"><b>Before upgrading, be sure to review the <a
href="upgrade_issues.htm">Upgrade Issues<br>
</a></b></p>
<div align="left"><b>Before attempting installation, I strongly urge you
</a></b></p>
<div align="left"><b>Before attempting installation, I strongly urge
you
to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b><br>
</div>
for the configuration that most closely matches your own.</b><br>
</div>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install using tarball<br>
</a><a href="#LRP">Install the .lrp</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball<br>
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<a href="#Install_Tarball">Install using tarball<br>
</a><a href="#LRP">Install the .lrp</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball<br>
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to version
1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at
a shell prompt, type "/sbin/iptables --version"), you must upgrade to
version 1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat
update site</a> or from the <a href="errata.htm">Shorewall Errata page</a>
before attempting to start Shorewall.</b></p>
<ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
<b>Note1: </b>Some SuSE  users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm
(rpm -ivh --nodeps &lt;shorewall rpm&gt;.<br>
<b>Note1: </b>Some SuSE&nbsp; users have encountered a problem
whereby rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4
kernel is installed. If this happens, simply use the --nodeps option to
rpm (rpm -ivh --nodeps &lt;shorewall rpm&gt;.<br>
<br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
on the iproute package. Unfortunately, some distributions call this package
iproute2 which will cause the installation of Shorewall to fail with the
diagnostic:<br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is
dependent on the iproute package. Unfortunately, some distributions
call this package iproute2 which will cause the installation of
Shorewall to fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.x-1
&nbsp; &nbsp; &nbsp;error: failed dependencies:iproute is needed by
shorewall-1.4.x-1 <br>
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh
--nodeps &lt;shorewall rpm&gt;).<br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh
--nodeps &lt;shorewall rpm&gt;).<br>
<br>
</li>
<li>Edit the <a href="#Config_Files"> configuration files</a>
to match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN
<u>NOT</u> SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start"
<li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start"
COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START.
IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR
SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE
SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
ISSUE
A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
</ul>
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
and install script: </p>
and install script: </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in
the directory name as in "shorewall-1.1.10").</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
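Review bot: In Note1 the parenthesised command `(rpm -ivh --nodeps <shorewall rpm>.` is missing its closing parenthesis; it was in the old text and the reflow carried it over, so this hunk is the place to fix it (the Note2 form two paragraphs down has the parenthesis). The rest of the hunk, including the red warning about `shorewall clear`, is reflow only.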
@ -101,79 +79,75 @@ the directory name as in "shorewall-1.1.10").</li>
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a>
then type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your
distribution installs init scripts and type "./install.sh
&lt;init script directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a>
to match your configuration.</li>
<li>If your distribution has directory /etc/rc.d/init.d or
/etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall
to be started automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file
that you downloaded. See the <a href="two-interface.htm">two-interface
<p><a name="LRP"></a>To install my version of Shorewall on a fresh
Bering disk, simply replace the "shorwall.lrp" file on the image with
the file that you downloaded. See the <a href="two-interface.htm">two-interface
QuickStart Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM
installed and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4
version or
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
details.</p>
your /etc/shorewall/interfaces file to be sure that it contains an
entry for each interface mentioned in the hosts file. Also, there are
certain 1.2 rule forms that are no longer supported under 1.4 (you must
use the new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade
issues </a>for details.</p>
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
</b>If you are installing version 1.2.0 and have one of the 1.2.0
Beta RPMs installed, you must use the "--oldpackage" option to rpm
(e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm
(rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
installed, you must use the "--oldpackage" option to rpm (e.g., "rpm
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem
whereby rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4
kernel is installed. If this happens, simply use the --nodeps option to
rpm (rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
<b>Note3: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
on the iproute package. Unfortunately, some distributions call this package
iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<b>Note3: </b>Beginning with Shorewall 1.4.0, Shorewall is
dependent on the iproute package. Unfortunately, some distributions
call this package iproute2 which will cause the upgrade of Shorewall to
fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
&nbsp; &nbsp; &nbsp;error: failed dependencies:iproute is needed by
shorewall-1.4.0-1 <br>
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;). </p>
This may be worked around by using the --nodeps option of rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).&nbsp;</p>
</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall
installed
and are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4
version
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file.  Also, there are certain
your /etc/shorewall/interfaces file to be sure that it contains an
entry
for each interface mentioned in the hosts file.&nbsp; Also, there are
certain
1.2 rule forms that are no longer supported under 1.4 (you must use the
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
for details. </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in
the directory name as in "shorewall-3.0.1").</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
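Review bot: "If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or and you have entries in the /etc/shorewall/hosts file" has a stray "or" (also in the old text; the tarball section further down reads correctly without it). Also in this hunk: the RPM upgrade notes jump from Note1 to Note3 with no Note2; the example `"./install.sh <init script directory>` lacks its closing quote; and the example directory name `shorewall-3.0.1` sits oddly beside the `shorewall-1.1.10` used for the fresh install on a 1.4.x page.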
@ -183,39 +157,33 @@ the directory name as in "shorewall-3.0.1").</li>
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a>
then type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your
distribution installs init scripts and type "./install.sh
&lt;init script directory&gt;</li>
<li>If your distribution has directory /etc/rc.d/init.d or
/etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
directory&gt;</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li>
</ul>
<a name="LRP_Upgrade"></a>If you already have a running
<a name="LRP_Upgrade"></a>If you already have a running
Bering installation and wish to upgrade to a later version of Shorewall:<br>
<br>
    <b>UNDER CONSTRUCTION...</b><br>
<br>
&nbsp;&nbsp;&nbsp; <b>UNDER CONSTRUCTION...</b><br>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of the configuration files to match your
setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<p>You will need to edit some or all of the configuration files to
match your setup. In most cases, the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</a>
contain all of the information you need.</p>
<ul>
</ul>
<p><font size="2">Updated 4/8/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</p>
<br>
<br>
</body>
</html>
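Review bot: The empty `<ul></ul>` under "Configuring Shorewall" and the "UNDER CONSTRUCTION..." placeholder for the Bering upgrade both survive this edit; either fill them in or drop the empty list. The "Updated 4/8/2003" footer was not bumped, and the same unclosed quote as in the install section appears here: `"./install.sh <init script directory>`.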

View File

@ -2,123 +2,103 @@
<html>
<head>
<title>MAC Verification</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">MAC Verification</font><br>
</h1>
<br>
</td>
</tr>
</tbody>
</table>
<br>
All traffic from an interface or from a subnet on an interface
can be verified to originate from a defined set of MAC addresses. Furthermore,
each MAC address may be optionally associated with one or more IP addresses.
<br>
<br>
<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
- module name ipt_mac.o).</b><br>
<br>
There are four components to this facility.<br>
<body>
<br>
<h1 style="text-align: center;">MAC Verification<br>
</h1>
All traffic from an interface or from a subnet on an interface can be
verified to originate from a defined set of MAC addresses. Furthermore,
each MAC address may be optionally associated with one or more IP
addresses. <br>
<br>
<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC -
module name ipt_mac.o).</b><br>
<br>
There are four components to this facility.<br>
<ol>
<li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
this option is specified, all traffic arriving on the interface is subjet
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
When
this option is specified, all traffic arriving on the interface is
subjet
to MAC verification.</li>
<li>The <b>maclist </b>option in <a
href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option
is specified for a subnet, all traffic from that subnet is subject to
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
When this option is specified for a subnet, all traffic from that
subnet is subject to
MAC verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL
</b>variables in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC verification.
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
requests that fail verification are to be logged. If set the the empty
value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are
not logged.<br>
MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC
verification. The MACLIST_LOG_LEVEL variable gives the syslogd level at
which connection requests that fail verification are to be logged. If
set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing
connection requests are not logged.<br>
</li>
</ol>
The columns in /etc/shorewall/maclist are:<br>
The columns in /etc/shorewall/maclist are:<br>
<ul>
<li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li>
system.</li>
<li>MAC - The MAC address of a device on the ethernet segment
connected by INTERFACE. It is not necessary to use the Shorewall MAC
connected by INTERFACE. It is not necessary to use the Shorewall MAC
format in this column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses
for the device whose MAC is listed in the MAC column.</li>
<li>IP Address - An optional comma-separated list of IP addresses for
the device whose MAC is listed in the MAC column.</li>
</ul>
<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a> for
details about my setup):</h3>
<b>/etc/shorewall/shorewall.conf:<br>
</b>
<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a>
for details about my setup):</h3>
<b>/etc/shorewall/shorewall.conf:<br>
</b>
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
<b>/etc/shorewall/interfaces:</b><br>
<b>/etc/shorewall/interfaces:</b><br>
<blockquote>
<pre>#ZONE INTERFACE BROADCAST OPTIONS<br>net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc eth2 192.168.1.255 dhcp<br>dmz eth1 192.168.2.255<br>WiFi eth3 192.168.3.255 dhcp,maclist<br>- texas 192.168.9.255</pre>
</blockquote>
<b>/etc/shorewall/maclist:</b><br>
</blockquote>
<b>/etc/shorewall/maclist:</b><br>
<blockquote>
<pre>#INTERFACE MAC IP ADDRESSES (Optional)<br>eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop<br>eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11<br>eth3 00:06:25:56:33:3c 192.168.3.225,192.168.3.8 #WET11<br>eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER</pre>
</blockquote>
As shown above, I use MAC Verification on my wireless zone.<br>
<br>
<b>Note: </b>While marketed as a wireless bridge, the WET11 behaves like
a wireless router with DHCP relay. When forwarding DHCP traffic, it uses the
MAC address of the host (TIPPER) but for other forwarded traffic it uses it's
own MAC address. Consequently, I list the IP addresses of both devices in
</blockquote>
As shown above, I use MAC Verification on my wireless zone.<br>
<br>
<b>Note: </b>While marketed as a wireless bridge, the WET11 behaves
like a wireless router with DHCP relay. When forwarding DHCP traffic,
it uses the
MAC address of the host (TIPPER) but for other forwarded traffic it
uses it's
own MAC address. Consequently, I list the IP addresses of both devices
in
/etc/shorewall/maclist.<br>
<h3>Example 2: Router in Wireless Zone</h3>
Suppose now that I add a second wireless segment to my wireless
zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15
and IP address 192.168.3.253. Hosts in the second segment have IP addresses
in the subnet 192.168.4.0/24. I would add the following entry to my /etc/shorewall/maclist
file:<br>
Suppose now that I add a second wireless segment to my wireless zone
and gateway that segment via a router with MAC address
00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
segment have IP addresses in the subnet 192.168.4.0/24. I would add the
following entry to my /etc/shorewall/maclist file:<br>
<pre> eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.3.253)
and from the second wireless segment (192.168.4.0/24). Remember that
This entry accomodates traffic from the router itself (192.168.3.253)
and from the second wireless segment (192.168.4.0/24). Remember that
all traffic being sent to my firewall from the 192.168.4.0/24 segment
will be forwarded by the router so that traffic's MAC address will be
that of the router (00:06:43:45:C6:15) and not that of the host sending
the traffic.
<p><font size="2"> Updated 6/30/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
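Review bot: several spelling errors survive the rewrap in this hunk and should be fixed while the paragraphs are being touched: "subjet to MAC verification" (subject), "If set the the empty value" (to the empty value), "it uses it's own MAC address" (its), and "This entry accomodates traffic" (accommodates). The footer still reads "Updated 6/30/2002" although the page now carries Example 2 and the MACLIST_DISPOSITION/MACLIST_LOG_LEVEL description; the other pages in this commit use "Last updated 11/21/2003", so bump the date to match.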

View File

@ -0,0 +1,551 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Multiple Zones per Interface</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="author" content="Tom Eastep">
</head>
<body>
<h2></h2>
<blockquote> </blockquote>
<h1 style="text-align: center;">Multiple Zones per Interface<br>
</h1>
While most configurations can be handled with each of the firewall's
network interfaces assigned to a single zone, there are cases where you
will want to divide the hosts accessed through an interface between two
or more zones.<br>
<ol>
<li>The interface has multiple addresses on multiple subnetworks.
This case is covered in the <a
href="Shorewall_and_Aliased_Interfaces.html">Aliased Interface
documentation</a>.</li>
<li>You are using some form of NAT and want to access a server by its
external IP address from the same LAN segment. This is covered in <a
href="FAQ.htm#faq2">FAQs 2 and 2a</a>.<br>
</li>
<li>There are routers accessible through the interface and you want
to treat the networks accessed through that router as a separate zone.</li>
<li>Some of the hosts accessed through an interface have
significantly different firewalling requirements from the others so you
want to assign them to a different zone.</li>
</ol>
The key points to keep in mind when setting up multiple zones per
interface are:<br>
<ul>
<li>Shorewall generates rules for zones in the order that the zone
declarations appear in /etc/shorewall/zones.</li>
<li>The order of entries in /etc/shorewall/hosts is immaterial as far
as the generated ruleset is concerned.</li>
</ul>
<span style="font-weight: bold;">These examples use the local zone but
the same technique works for any zone. </span>Remember that Shorewall
doesn't have any conceptual knowledge of "Internet", "Local", or "DMZ"
so all zones except the firewall itself ($FW) are the same as far as
Shorewall is concerned.&nbsp; Also, the examples use private (RFC 1918)
addresses but public IP addresses can be used in exactly the same way.<br>
<h2>Router in the Local Zone<br>
</h2>
Here is an example of a router in the local zone.&nbsp; Note that <span
style="font-weight: bold;">the box called "Router" could be a VPN
server</span> or other such device; from the point of view of this
discussion, it makes no difference.<br>
<br>
<div style="text-align: center;"><img src="images/MultiZone1.png"
title="" alt="(Firewall connected to Internal Router)"
style="width: 556px; height: 335px;"><br>
</div>
<blockquote>
<p> </p>
</blockquote>
<blockquote> </blockquote>
<h3>Can You Use the Standard Configuration?<br>
</h3>
In many cases, the <a href="two-interface.htm">standard two-interface
Shorewall setup</a> will work fine in this configuration.&nbsp; It will
work if:<br>
<ul>
<li>The firewall requirements to/from the internet are the same for
192.168.1.0/24 and 192.168.2.0/24.</li>
<li>The hosts in 192.168.1.0/24 know that the route to 192.168.2.0/24
is through the <span style="font-weight: bold;">router.</span></li>
</ul>
All you have to do on the firewall is add a route to 192.168.2.0/24
through the <span style="font-weight: bold;">router</span> and restart
Shorewall.<br>
<h3>Will One Zone be Enough?</h3>
If the firewalling requirements for the two local networks is the same
but the hosts in 192.168.1.0/24 don't know how to route to
192.168.2.0/24 then you need to configure the firewall slightly
differently. This type of configuration is rather stupid from an IP
networking point of view but it is sometimes necessary because you
simply don't want to have to reconfigure all of the hosts in
192.168.1.0/24 to add a persistent route to 192.168.2.0/24. On the
firewall:<br>
<ul>
<li>Add a route to 192.168.2.0/24 through the <span
style="font-weight: bold;">Router.</span></li>
<li>Set the 'routeback' and 'newnotsyn' options for eth1 (the local
firewall interface) in /etc/shorewall/interfaces.</li>
<li>Restart Shorewall.<br>
</li>
</ul>
<h3>I Need Separate Zones</h3>
If you need to make 192.168.2.0/24 into it's own zone, you can do it
one of two ways; Nested Zones or Parallel Zones.<br>
<h4>Nested Zones:</h4>
You can define one zone (called it 'loc') as being all hosts connectied
to eth1 and a second zone 'loc1' (192.168.2.0/24) as a sub-zone.<br>
<br>
<div style="text-align: center;"><img src="images/MultiZone1A.png"
title="" alt="" style="width: 607px; height: 415px;"><br>
</div>
<br>
The advantage of this approach is that the zone 'loc1' can use CONTINUE
policies such that if a connection request doesn't match a 'loc1' rule,
it will be matched against the 'loc' rules. For example, if your
loc1-&gt;net policy is CONTINUE then if a connection request from loc1
to the internet doesn't match any rules for loc1-&gt;net then it will
be checked against the loc-&gt;net rules.<br>
<br>
/etc/shorewall/zones:<br>
<br>
<div style="margin-left: 40px;">
<table cellpadding="2" border="1" style="text-align: left;">
<tbody>
<tr>
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
</td>
<td style="vertical-align: top; font-weight: bold;">DISPLAY<br>
</td>
<td style="vertical-align: top; font-weight: bold;">COMMENTS<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc1<br>
</td>
<td style="vertical-align: top;">Local2<br>
</td>
<td style="vertical-align: top;">Hosts access through internal
router<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc<br>
</td>
<td style="vertical-align: top;">Local<br>
</td>
<td style="vertical-align: top;">All hosts accessed via eth1<br>
</td>
</tr>
</tbody>
</table>
<br>
Note that the sub-zone (loc1) is defined first!<br>
<br>
</div>
/etc/shorewall/interfaces<br>
<br>
<div style="margin-left: 40px;">
<table cellspacing="2" border="1" style="text-align: left;">
<tbody>
<tr>
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
</td>
<td style="vertical-align: top; font-weight: bold;">INTERFACE<br>
</td>
<td style="vertical-align: top; font-weight: bold;">BROADCAST<br>
</td>
<td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc<br>
</td>
<td style="vertical-align: top;">eth1<br>
</td>
<td style="vertical-align: top;">192.168.1.255<br>
</td>
<td style="vertical-align: top;">...<br>
</td>
</tr>
</tbody>
</table>
<br>
</div>
/etc/shorewall/hosts<br>
<br>
<div style="margin-left: 40px;">
<table cellpadding="2" border="1" style="text-align: left;">
<tbody>
<tr>
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
</td>
<td style="vertical-align: top; font-weight: bold;">HOSTS<br>
</td>
<td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc1<br>
</td>
<td style="vertical-align: top;">eth1:192.168.2.0/24<br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
</div>
<br>
If you don't need Shorewall to set up infrastructure to route traffic
between 'loc' and 'loc1', add these two policies:<br>
<br>
<div style="margin-left: 40px;">
<table cellpadding="2" border="1" style="text-align: left;">
<tbody>
<tr>
<td style="vertical-align: top; font-weight: bold;">SOURCE<br>
</td>
<td style="vertical-align: top; font-weight: bold;">DEST<br>
</td>
<td style="vertical-align: top; font-weight: bold;">POLICY<br>
</td>
<td style="vertical-align: top; font-weight: bold;">LOG<br>
LEVEL<br>
</td>
<td style="vertical-align: top; font-weight: bold;">RATE:BURST<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc<br>
</td>
<td style="vertical-align: top;">loc1</td>
<td style="vertical-align: top;">NONE<br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc1<br>
</td>
<td style="vertical-align: top;">loc<br>
</td>
<td style="vertical-align: top;">NONE<br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"> <br>
</td>
</tr>
</tbody>
</table>
</div>
<h4>Parallel Zones:</h4>
You define both zones in the /etc/shorewall/hosts file to create two
disjoint zones.<br>
<br>
<div style="text-align: center;"><img src="images/MultiZone1B.png"
title="" alt="" style="width: 588px; height: 415px;"><br>
</div>
<br>
/etc/shorewall/zones:<br>
<br>
<div style="margin-left: 40px;">
<table cellpadding="2" border="1" style="text-align: left;">
<tbody>
<tr>
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
</td>
<td style="vertical-align: top; font-weight: bold;">DISPLAY<br>
</td>
<td style="vertical-align: top; font-weight: bold;">COMMENTS<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc1<br>
</td>
<td style="vertical-align: top;">Local1<br>
</td>
<td style="vertical-align: top;">Hosts accessed Directly from
Firewall<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc2<br>
</td>
<td style="vertical-align: top;">Local2<br>
</td>
<td style="vertical-align: top;">Hosts accessed via internal
Router<br>
</td>
</tr>
</tbody>
</table>
<br>
Here it doesn't matter which zone is defined first.<br>
<br>
</div>
/etc/shorewall/interfaces<br>
<br>
<div style="margin-left: 40px;">
<table cellspacing="2" border="1" style="text-align: left;">
<tbody>
<tr>
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
</td>
<td style="vertical-align: top; font-weight: bold;">INTERFACE<br>
</td>
<td style="vertical-align: top; font-weight: bold;">BROADCAST<br>
</td>
<td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">-<br>
</td>
<td style="vertical-align: top;">eth1<br>
</td>
<td style="vertical-align: top;">192.168.1.255<br>
</td>
<td style="vertical-align: top;">...<br>
</td>
</tr>
</tbody>
</table>
<br>
</div>
/etc/shorewall/hosts<br>
<br>
<div style="margin-left: 40px;">
<table cellpadding="2" border="1" style="text-align: left;">
<tbody>
<tr>
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
</td>
<td style="vertical-align: top; font-weight: bold;">HOSTS<br>
</td>
<td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc1<br>
</td>
<td style="vertical-align: top;">eth1:192.168.1.0/24<br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc2<br>
</td>
<td style="vertical-align: top;">eth1:192.168.2.0/24<br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
</div>
<br>
If you don't need Shorewall to set up infrastructure to route traffic
between 'loc' and 'loc1', add these two policies:<br>
<br>
<div style="margin-left: 40px;">
<table cellpadding="2" border="1" style="text-align: left;">
<tbody>
<tr>
<td style="vertical-align: top; font-weight: bold;">SOURCE<br>
</td>
<td style="vertical-align: top; font-weight: bold;">DEST<br>
</td>
<td style="vertical-align: top; font-weight: bold;">POLICY<br>
</td>
<td style="vertical-align: top; font-weight: bold;">LOG<br>
LEVEL<br>
</td>
<td style="vertical-align: top; font-weight: bold;">RATE:BURST<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc<br>
</td>
<td style="vertical-align: top;">loc1</td>
<td style="vertical-align: top;">NONE<br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc1<br>
</td>
<td style="vertical-align: top;">loc<br>
</td>
<td style="vertical-align: top;">NONE<br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"> <br>
</td>
</tr>
</tbody>
</table>
</div>
<h2>Some Hosts have Special Firewalling Requirements</h2>
There are cases where a subset of the addresses associated with an
interface need special handling.&nbsp; Here's an example.<br>
<br>
<div style="text-align: center;"><img src="images/MultiZone2.png"
title="" alt="" style="height: 252px; width: 631px;"><br>
</div>
<br>
In this example, addresses 192.168.1.8 - 192.168.1.15 (192.168.1.8/29)
are to be treated as their own zone (loc1).<br>
<br>
/etc/shorewall/zones:<br>
<br>
<div style="margin-left: 40px;">
<table cellpadding="2" border="1" style="text-align: left;">
<tbody>
<tr>
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
</td>
<td style="vertical-align: top; font-weight: bold;">DISPLAY<br>
</td>
<td style="vertical-align: top; font-weight: bold;">COMMENTS<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc1<br>
</td>
<td style="vertical-align: top;">Local2<br>
</td>
<td style="vertical-align: top;">192.168.1.8 - 192.168.1.15<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc<br>
</td>
<td style="vertical-align: top;">Local<br>
</td>
<td style="vertical-align: top;">All hosts accessed via eth1<br>
</td>
</tr>
</tbody>
</table>
<br>
Note that the sub-zone (loc1) is defined first!<br>
<br>
</div>
/etc/shorewall/interfaces<br>
<br>
<div style="margin-left: 40px;">
<table cellspacing="2" border="1" style="text-align: left;">
<tbody>
<tr>
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
</td>
<td style="vertical-align: top; font-weight: bold;">INTERFACE<br>
</td>
<td style="vertical-align: top; font-weight: bold;">BROADCAST<br>
</td>
<td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc<br>
</td>
<td style="vertical-align: top;">eth1<br>
</td>
<td style="vertical-align: top;">192.168.1.255<br>
</td>
<td style="vertical-align: top;">...<br>
</td>
</tr>
</tbody>
</table>
<br>
</div>
/etc/shorewall/hosts<br>
<br>
<div style="margin-left: 40px;">
<table cellpadding="2" border="1" style="text-align: left;">
<tbody>
<tr>
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
</td>
<td style="vertical-align: top; font-weight: bold;">HOSTS<br>
</td>
<td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc1<br>
</td>
<td style="vertical-align: top;">eth1:192.168.1.8/29<br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
</div>
<br>
You probably don't want Shorewall to set up infrastructure to route
traffic
between 'loc' and 'loc1' so you should add these two policies:<br>
<div style="margin-left: 40px;"><br>
<table cellpadding="2" border="1" style="text-align: left;">
<tbody>
<tr>
<td style="vertical-align: top; font-weight: bold;">SOURCE<br>
</td>
<td style="vertical-align: top; font-weight: bold;">DEST<br>
</td>
<td style="vertical-align: top; font-weight: bold;">POLICY<br>
</td>
<td style="vertical-align: top; font-weight: bold;">LOG<br>
LEVEL<br>
</td>
<td style="vertical-align: top; font-weight: bold;">RATE:BURST<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc<br>
</td>
<td style="vertical-align: top;">loc1</td>
<td style="vertical-align: top;">NONE<br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">loc1<br>
</td>
<td style="vertical-align: top;">loc<br>
</td>
<td style="vertical-align: top;">NONE<br>
</td>
<td style="vertical-align: top;"><br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
&nbsp;<br>
</div>
<p><font size="2">Last updated 11/21/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2003 Thomas M. Eastep.</font></a><br>
</body>
</html>
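Review bot: the policy table under "Parallel Zones" is a copy of the nested-zones one and names the wrong zones: its SOURCE/DEST rows read loc/loc1 and loc1/loc, but the zones defined in that section are loc1 and loc2 (the interfaces entry uses "-" in the ZONE column and the hosts file assigns eth1:192.168.1.0/24 to loc1 and eth1:192.168.2.0/24 to loc2, so no zone named loc exists there). The rows should be loc1/loc2 and loc2/loc1, and the sentence "between 'loc' and 'loc1'" above that table should be changed to match. Smaller points: "it's own zone" should be "its own zone", "called it 'loc'" should be "call it 'loc'", "connectied" should be "connected", and the empty <h2></h2> and <blockquote> </blockquote> elements left by the editor after <body> and after the first diagram can be dropped.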

View File

@ -1,57 +1,40 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall NAT</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Static Nat</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
<br>
<br>
<h1 style="text-align: center;">One-to-one NAT<br>
</h1>
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use static
NAT. Port forwarding can be accomplished with simple entries in the
<a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
ports to servers behind your firewall, you do NOT want to use
one-to-one NAT. Port forwarding can be accomplished with simple entries
in the <a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
<blockquote> </blockquote>
<p>Static NAT is a way to make systems behind a firewall and configured
with private IP addresses (those reserved for private use in RFC1918)
appear to have public IP addresses. Before you try to use this technique,
I strongly recommend that you read the <a
<p>One-to-one NAT is a way to make systems behind a firewall and
configured
with private IP addresses (those reserved for private use in RFC 1918)
appear to have public IP addresses. Before you try to use this
technique, I strongly recommend that you read the <a
href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<blockquote> </blockquote>
<p>The following figure represents a static NAT environment.</p>
<p>The following figure represents a one-to-one NAT environment.</p>
<blockquote>
<p align="center"><strong> <img src="images/staticnat.png"
width="435" height="397">
</strong></p>
style="width: 456px; height: 397px;" title="" alt=""> </strong></p>
<blockquote> </blockquote>
</blockquote>
<p align="left">Static NAT can be used to make the systems with the 10.1.1.*
addresses appear to be on the upper (130.252.100.*) subnet. If we assume
that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT
file would make the lower left-hand system appear to have IP address
130.252.100.18 and the right-hand one to have IP address 130.252.100.19.</p>
</blockquote>
<p align="left">One-to-one NAT can be used to make the systems with the
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If
we assume that the interface to the upper subnet is eth0, then the
following /etc/shorewall/NAT file would make the lower left-hand system
appear to have IP address 130.252.100.18 and the right-hand one to have
IP address 130.252.100.19.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
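Review bot: the rewritten <img> for images/staticnat.png carries an empty alt="" while the other diagrams added in this commit describe themselves (for example alt="(Firewall connected to Internal Router)" on the multiple-zones page); give it a description such as "(One-to-one NAT example)" so that the following paragraph's references to "the lower left-hand system" and "the right-hand one" still make sense when the image is not displayed.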
@ -75,45 +58,50 @@
<td>yes</td>
<td>yes</td>
</tr>
</tbody>
</table>
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is used
to specify whether access to the external IP from all firewall interfaces
should undergo NAT (Yes or yes) or if only access from the interface in
the INTERFACE column should undergo NAT. If you leave this column empty,
"Yes" is assumed. The ALL INTERFACES column was added in version 1.1.6.</p>
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
above example) is (are) not included in any specification in
/etc/shorewall/masq or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is
used to specify whether access to the external IP from all firewall
interfaces should undergo NAT (Yes or yes) or if only access from the
interface in the INTERFACE column should undergo NAT. If you leave this
column empty, "Yes" is assumed.&nbsp;The ALL INTERFACES column was
added in version 1.1.6. <span style="font-weight: bold;">Specifying
"Yes" in this column will </span><span
style="text-decoration: underline; font-weight: bold;">not</span><span
style="font-weight: bold;"> allow systems on the lower LAN to access
each other using their public IP addresses.</span> For example, the
lower left-hand system (10.1.1.2) cannot connect to 130.252.100.19 and
expect to be connected to the lower right-hand system. <a
href="FAQ.htm#faq2a">See FAQ 2a</a>.<br>
</p>
<p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a
specified interface unless you specify <a
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or
if you set it to "Yes" or "yes" then you must NOT configure your own alias(es).
<b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6 can only add
external addresses to an interface that is configured with a single subnetwork
-- if your external interface has addresses in more than one subnetwork,
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or
if you set it to "Yes" or "yes" then you must NOT configure your own
alias(es). <b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6
can only add external addresses to an interface that is configured with
a single subnetwork -- if your external interface has addresses in more
than one subnetwork,
Shorewall 1.4.5 and earlier can only add addresses to the first one.</p>
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column
determine whether packets originating on the firewall itself and destined
for the EXTERNAL address are redirected to the internal ADDRESS. If
this column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN
also contains "Yes" or "yes") then such packets are redirected; otherwise,
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL"
column determine whether packets originating on the firewall itself and
destined for the EXTERNAL address are redirected to the internal
ADDRESS. If this column contains "yes" or "Yes" (and the ALL INTERFACES
COLUMN
also contains "Yes" or "yes") then such packets are redirected;
otherwise,
such packets are not redirected. The LOCAL column was added in version
1.1.8.</p>
<blockquote> </blockquote>
<p><font size="2">Last updated 7/6/2003 - </font><font size="2"> <a
<p><font size="2">Last updated 11/222003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
</body>
</html>
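Review bot: the footer date in this hunk is malformed: "Last updated 11/222003" is missing a slash and should read "Last updated 11/22/2003". In Note 3, "the ALL INTERFACES COLUMN" is the only place the word "column" is written in upper case; lower-case it to match "The ALL INTERFACES column" in Note 1.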

View File

@ -0,0 +1,104 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Netfilter Overview</title>
<meta name="author" content="Tom Eastep">
</head>
<body>
<p align="left"><font size="2"><big></big></font></p>
<h1 style="text-align: center;">Netfilter Overview<br>
</h1>
Netfilter consists of three <span style="font-style: italic;">tables: </span><span
style="font-weight: bold;">Filter, Nat </span>and <span
style="font-weight: bold;">Mangle</span>. Each table has a number of
build-in <span style="font-style: italic;">chains: </span><span
style="font-weight: bold;"><span style="font-weight: bold;">PREROUTING,
INPUT, FORWARD, OUTPUT </span></span>and <span
style="font-weight: bold;">POSTROUTING.<br>
<br>
</span>Rules in the various tables are used as follows:<br>
<ul>
<li><span style="font-weight: bold;">Filter: </span>Packet filtering
(rejecting, dropping or accepting packets)</li>
<li><span style="font-weight: bold;">Nat: </span>Network Address
Translation including DNAT, SNAT and Masquerading</li>
<li><span style="font-weight: bold;">Mangle:</span> General packet
header modification such as setting the TOS value or marking packets
for policy routing and traffic shaping.<br>
</li>
</ul>
The following diagram shows how packets traverse the various builtin
chains within Netfilter. Note that not all table/chain combinations are
used.<br>
<br>
<div style="text-align: center;"><img src="images/Netfilter.png"
title="" alt="(Netfilter Flow Diagram)"
style="width: 541px; height: 826px;"><br>
<br>
<div style="text-align: left;"><br>
"Local Process" means a process running on the Shorewall system itself.<br>
<br>
In the above diagram are boxes similar to this:<br>
<br>
<img src="images/Legend.png" title="" alt="(Diagram Legend)"
style="width: 145px; height: 97px;"><br>
<br>
The above box gives the name of the built-in <span
style="font-style: italic;">chain </span>(<span
style="font-weight: bold;">INPUT</span>) along with the names of the <span
style="font-style: italic;">tables </span>(<span
style="font-weight: bold;">Mangle </span>and <span
style="font-weight: bold;">Filter</span>) that the chain exists in and
in the order that the chains are traversed. The above sample indicates
that packets go first through the <span style="font-weight: bold;">INPUT</span>
chain of the <span style="font-weight: bold;">Mangle </span>table
then
through the <span style="font-weight: bold;">INPUT</span> chain of the
<span style="font-weight: bold;">Filter </span>table. When a chain is
enclosed in parentheses, Shorewall does not use the named chain (<span
style="font-weight: bold;">INPUT)</span> in that table <span
style="font-weight: bold;">(Mangle)</span>.<br>
<br>
<span style="font-weight: bold;">IMPORTANT: </span>Keep in mind that
chains in the <span style="font-weight: bold;">Nat</span> table are <span
style="text-decoration: underline;">only traversed for new connection
requests</span> (including those related to existing connections) while
the chains in the other tables are traversed on every packet.<br>
<br>
The above diagram should help you understand the output of "shorewall
status".<br>
<br>
Here are some excerpts from "shorewall status" on a server with one
interface (eth0):<br>
<br>
<pre style="margin-left: 40px;">[root@lists html]# shorewall status<br> <br>Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003<br> <br>Counters reset Sat Oct 11 08:12:57 PDT 2003<br><br></pre>
The first table shown is the <span style="font-weight: bold;">Filter </span>table.<br>
<pre style="margin-left: 40px;"> <br>Chain INPUT (policy DROP 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br> 679K 182M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0<br> 785K 93M accounting all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<br></pre>
The following rule indicates that all traffic destined for the firewall
that comes into the firewall on eth0 is passed to a chain called
"eth0_in". That chain will be shown further down.<br>
<pre style="margin-left: 40px;"> 785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br> 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'<br> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain FORWARD (policy DROP 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br> 0 0 accounting all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<br> 0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br> 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'<br> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain OUTPUT (policy DROP 1 packets, 60 bytes)<br> pkts bytes target prot opt in out source destination<br> 679K 182M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0<br> 922K 618M accounting all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<br> 922K 618M fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0<br> 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'<br> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0<br></pre>
Here is the eth0_in chain:<br>
<pre style="margin-left: 40px;">Chain eth0_in (1 references)<br> pkts bytes target prot opt in out source destination<br> 785K 93M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0<br> 785K 93M net2fw all -- * * 0.0.0.0/0 0.0.0.0/0<br></pre>
The "dynamic" chain above is where dynamic blacklisting is done.<br>
<br>
Next comes the <span style="font-weight: bold;">Nat </span>table:<br>
<pre style="margin-left: 40px;">NAT Table<br> <br>Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes)<br> pkts bytes target prot opt in out source destination<br>20005 1314K net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain POSTROUTING (policy ACCEPT 678K packets, 44M bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain OUTPUT (policy ACCEPT 678K packets, 44M bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain net_dnat (1 references)<br> pkts bytes target prot opt in out source destination<br> 638 32968 REDIRECT tcp -- * * 0.0.0.0/0 !206.124.146.177 tcp dpt:80 redir ports 3128<br></pre>
And finally, the <span style="font-weight: bold;">Mangle </span>table:&nbsp;<br>
<pre style="margin-left: 40px;">Mangle Table<br> <br>Chain PREROUTING (policy ACCEPT 14M packets, 2403M bytes)<br> pkts bytes target prot opt in out source destination<br>1464K 275M pretos all -- * * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain INPUT (policy ACCEPT 14M packets, 2403M bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain OUTPUT (policy ACCEPT 15M packets, 7188M bytes)<br> pkts bytes target prot opt in out source destination<br>1601K 800M outtos all -- * * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain POSTROUTING (policy ACCEPT 15M packets, 7188M bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain outtos (1 references)<br> pkts bytes target prot opt in out source destination<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10<br> 315K 311M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10<br> 683 59143 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10<br> 3667 5357K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08<br> <br>Chain pretos (1 references)<br> pkts bytes target prot opt in out source destination<br> 271K 15M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10<br> 730 41538 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08<br> 2065 111K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08<br></pre>
<pre style="margin-left: 40px;"></pre>
</div>
</div>
<p align="left"><font size="2">Last updated 10/14/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>
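Review bot: the empty `<pre style="margin-left: 40px;"></pre>` left after the Mangle table block renders as a blank indented box and should be dropped; the three status listings above it (Filter, Nat, Mangle) are otherwise complete, and the "Last updated 10/14/2003" footer matches the 10/13 capture date shown in the `shorewall status` header.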

View File

@ -8,17 +8,287 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall News Archive</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Shorewall News Archive<br>
</h1>
<p><b>11/07/2003 - Shorewall 1.4.8<br>
<br>
</b>Problems Corrected since version 1.4.7:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that occurs
using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.</li>
<li>Andres Zhoglo has supplied a correction that avoids trying to use
the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued, Shorewall
was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has been
corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This optimization
involved creating a chain named "&lt;zone&gt;_frwd" for most zones
defined using the /etc/shorewall/hosts file. It has since been
discovered that in many cases these new chains contain redundant rules
and that the "optimization" turns out to be less than optimal. The
implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F" or
":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all entries.</li>
<li>An incorrect comment concerning Debian's use of the SUBSYSLOCK
option has been removed from shorewall.conf.</li>
<li>Previously, neither the 'routefilter' interface option nor the
ROUTE_FILTER parameter were working properly. This has been corrected
(thanks to Eric Bowles for his analysis and patch). The definition of
the ROUTE_FILTER option has changed however. Previously,
ROUTE_FILTER=Yes was documented as enabling route filtering on all
interfaces (which didn't work). Beginning with this release, setting
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
coexist with the use of the 'routefilter' option in the interfaces file.</li>
<li>If MAC verification was enabled on an interface with a /32
address and a broadcast address then an error would occur during
startup.</li>
<li>The NONE policy's intended use is to suppress the generating of
rules that can't possibly be traversed. This means that a policy of
NONE is inappropriate where the source or destination zone is $FW or
"all". Shorewall now generates an error message if such a policy is
given in /etc/shorewall/policy. Previously such a policy caused
"shorewall start" to fail.</li>
<li>The 'routeback' option was broken for wildcard interfaces (e.g.,
"tun+"). This has been corrected so that 'routeback' now works as
expected in this case.<br>
</li>
</ol>
Migration Issues:<br>
<ol>
<li>The definition of the ROUTE_FILTER option in shorewall.conf has
changed as described in item 8) above.<br>
</li>
</ol>
New Features:<br>
<ol>
<li>A new QUEUE action has been introduced for rules. QUEUE allows
you to pass connection requests to a user-space filter such as ftwall
(http://p2pwall.sourceforge.net). The ftwall program allows for
effective filtering of p2p applications such as Kazaa. For example, to
use ftwall to filter P2P clients in the 'loc' zone, you would add the
following rules:<br>
<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
<br>
You would normally want to place those three rules BEFORE any ACCEPT
rules for loc-&gt;net udp or tcp.<br>
<br>
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with ftwall.</li>
<li>A BLACKLISTNEWNONLY option has been added to shorewall.conf. When
this option is set to "Yes", the blacklists (dynamic and static) are
only consulted for new connection requests. When set to "No" (the
default if the variable is not set), the blacklists are consulted on
every packet.<br>
<br>
Setting this option to "No" allows blacklisting to stop existing
connections from a newly blacklisted host but is more expensive in
terms of packet processing time. This is especially true if the
blacklists contain a large number of entries.</li>
<li>Chain names used in the /etc/shorewall/accounting file may now
begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
</ol>
<p><b>10/30/2003 - Shorewall 1.4.8 RC1<br>
</b></p>
Given the small number of new features and the relatively few lines of
code that were changed, there will be no Beta for 1.4.8.<br>
<p><b><a href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
<br>
</b>Problems Corrected since version 1.4.7:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that occurs
using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.</li>
<li>Andres Zhoglo has supplied a correction that avoids trying to use
the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued, Shorewall
was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has been
corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This optimization
involved creating a chain named "&lt;zone&gt;_frwd" for most zones
defined using the /etc/shorewall/hosts file. It has since been
discovered that in many cases these new chains contain redundant rules
and that the "optimization" turns out to be less than optimal. The
implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F" or
":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all entries.</li>
<li>An incorrect comment concerning Debian's use of the SYBSYSLOCK
option has been removed from shorewall.conf.</li>
<li>Previously, neither the 'routefilter' interface option nor the
ROUTE_FILTER parameter were working properly. This has been corrected
(thanks to Eric Bowles for his analysis and patch). The definition of
the ROUTE_FILTER option has changed however. Previously,
ROUTE_FILTER=Yes was documented as enabling route filtering on all
interfaces (which didn't work). Beginning with this release, setting
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
coexist with the use of the 'routefilter' option in the interfaces file.</li>
</ol>
Migration Issues:<br>
<ol>
<li>The definition of the ROUTE_FILTER option in shorewall.conf has
changed as described in item 8) above.<br>
</li>
</ol>
New Features:<br>
<ol>
<li>A new QUEUE action has been introduced for rules. QUEUE allows
you to pass connection requests to a user-space filter such as ftwall
(http://p2pwall.sourceforge.net). The ftwall program allows for
effective filtering of p2p applications such as Kazaa. For example, to
use ftwall to filter P2P clients in the 'loc' zone, you would add the
following rules:<br>
<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
<br>
You would normally want to place those three rules BEFORE any ACCEPT
rules for loc-&gt;net udp or tcp.<br>
<br>
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with ftwall.</li>
<li>A BLACKLISTNEWNONLY option has been added to shorewall.conf. When
this option is set to "Yes", the blacklists (dynamic and static) are
only consulted for new connection requests. When set to "No" (the
default if the variable is not set), the blacklists are consulted on
every packet.<br>
<br>
Setting this option to "No" allows blacklisting to stop existing
connections from a newly blacklisted host but is more expensive in
terms of packet processing time. This is especially true if the
blacklists contain a large number of entries.</li>
<li>Chain names used in the /etc/shorewall/accounting file may now
begin with a digit ([0-9]) and may contain embedded dashes ("-").<br>
</li>
</ol>
<b></b>
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper bag
awards </b><b><img
style="border: 0px solid ; width: 50px; height: 80px;"
src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
1.4.7c released.</b></p>
<ol>
<li>The saga with "&lt;zone&gt;_frwd" chains continues. The 1.4.7c
script produces a ruleset that should work for everyone even if it is
not quite optimal. My apologies for this ongoing mess.<br>
</li>
</ol>
<p><b>10/24/2003 - Shorewall 1.4.7b</b></p>
This is a bugfx rollup of the 1.4.7a fixes plus:<br>
<ol>
<li>The fix for problem 5 in 1.4.7a was wrong with the result that
"&lt;zone&gt;_frwd" chains might contain too few rules. That wrong code
is corrected in this release.<br>
</li>
</ol>
<p><b>10/21/2003 - Shorewall 1.4.7a<br>
</b></p>
<p>This is a bugfix rollup of the following problem corrections:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that occurs
using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.<br>
<br>
</li>
<li>Andres Zhoglo has supplied a correction that avoids trying to use
the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued, Shorewall
was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through
interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has been
corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This optimization
involved creating a chain named "&lt;zone&gt;_frwd" for most zones
defined using the /etc/shorewall/hosts file. It has since been
discovered that in many cases these new chains contain redundant rules
and that the "optimization" turns out to be less than optimal. The
implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F" or
":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all entries.<br>
</li>
</ol>
<p><b>10/06/2003 - Shorewall 1.4.7</b><b><br>
</b></p>
<b>Problems Corrected since version 1.4.6 (Those in bold font were
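Review bot: the 1.4.8 "Migration Issues" entry describes the ROUTE_FILTER change only by reference to "item 8) above", and item 8 itself says ROUTE_FILTER=Yes now covers "all interfaces brought up while Shorewall is started", which leaves an upgrader unsure whether interfaces that were already up before "shorewall start" still get route filtering; the migration note should state that consequence in its own words and point to the 'routefilter' interface option for anything not covered. Two smaller points in the same hunk: the RC1 copy of the list reads "SYBSYSLOCK" where the 1.4.8 copy correctly reads "SUBSYSLOCK", and the 1.4.7b entry reads "bugfx rollup". Also, item 10 says a NONE policy with $FW or "all" now "generates an error message" while previously it "caused 'shorewall start' to fail"; say whether start still aborts on the new error, since the sentence reads as if the outcome changed.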
@ -290,7 +560,7 @@ where we started.<br>
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
<li>Output rules (those with $FW as the SOURCE) may now be
limited to a set of local users and/or groups. See <a
href="file:///vfat/Shorewall-docs/UserSets.html">http://shorewall.net/UserSets.html</a>
href="UserSets.html">http://shorewall.net/UserSets.html</a>
for details.</li>
</ol>
<p><b>10/02/2003 - Shorewall 1.4.7 RC2</b><b><br>
@ -555,7 +825,7 @@ where we started.<br>
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
<li>Output rules (those with $FW as the SOURCE) may now be
limited to a set of local users and/or groups. See <a
href="file:///vfat/Shorewall-docs/UserSets.html">http://shorewall.net/UserSets.html</a>
href="UserSets.html">http://shorewall.net/UserSets.html</a>
for details.</li>
</ol>
<p><b>9/18/2003 - Shorewall 1.4.7 RC 1</b><b><br>
@ -997,7 +1267,7 @@ where we started.<br>
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
<li>Output rules (those with $FW as the SOURCE) may now be
limited to a set of local users and/or groups. See <a
href="file:///vfat/Shorewall-docs/UserSets.html">http://shorewall.net/UserSets.html</a>
href="UserSets.html">http://shorewall.net/UserSets.html</a>
for details.</li>
</ol>
<p><b>8/27/2003 - Shorewall Mirror in Australia</b></p>
@ -1554,8 +1824,7 @@ ADDRESS column in /etc/shorewall/masq may now include a comma-separated
list of addresses and/or address ranges. Netfilter will use all listed
addresses/ranges in round-robin fashion. \</li>
<li>An /etc/shorewall/accounting file has been added to allow for
traffic accounting.&nbsp; See the <a
href="file:///vfat/Shorewall-docs/Accounting.html">accounting
traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
documentation</a> for a description of this facility.</li>
<li>Bridge interfaces (br[0-9]) may now be used in
/etc/shorewall/maclist.</li>
@ -4550,7 +4819,7 @@ deleted.</li>
an additional "gw" (gateway) zone for tunnels and it supports IPSEC
tunnels with end-points on the firewall. There is also a .lrp available
now.</b></p>
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated 11/07/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
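Review bot: the footer bumps the date to "Updated 11/07/2003" but the copyright line that follows still reads "2001, 2002 Thomas M. Eastep."; the year range should be extended to cover 2003 in the same hunk.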

View File

@ -1,65 +1,39 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>OpenVPN Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">OpenVPN Tunnels</font></h1>
</td>
</tr>
</tbody>
</table>
<h3><br>
</h3>
<p>OpenVPN is a robust and highly configurable VPN (Virtual Private Network)
daemon which can be used to securely link two or more private networks using
an encrypted tunnel over the internet. OpenVPN is an Open Source project
and is <a href="http://openvpn.sourceforge.net/license.html">licensed under
the GPL</a>. OpenVPN can be downloaded from <a
<body>
<h1 style="text-align: center;">OpenVPN Tunnels<br>
</h1>
<p>OpenVPN is a robust and highly configurable VPN (Virtual Private
Network) daemon which can be used to securely link two or more private
networks using an encrypted tunnel over the internet. OpenVPN is an
Open Source project and is <a
href="http://openvpn.sourceforge.net/license.html">licensed under the
GPL</a>. OpenVPN can be downloaded from <a
href="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</a>.<br>
</p>
</p>
<p>OpenVPN support was added to Shorewall in version 1.3.14.<br>
</p>
</p>
<h2>Bridging two Masqueraded Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center"><img border="0" src="images/TwoNets1.png" width="745"
height="427">
</p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able
to communicate with the systems in the 10.0.0.0/8 network. This is accomplished
through use of the /etc/shorewall/tunnels file and the /etc/shorewall/policy
file and OpenVPN.</p>
<p align="left">While it was possible to use the Shorewall start and stop
script to start and stop OpenVPN, I decided to use the init script of OpenVPN
to start and stop it.</p>
<p align="left">On each firewall, you will need to declare a zone to represent
the remote subnet. We'll assume that this zone is called 'vpn' and declare
it in /etc/shorewall/zones on both systems as follows.</p>
height="427"> </p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
able to communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file and the
/etc/shorewall/policy file and OpenVPN.</p>
<p align="left">While it was possible to use the Shorewall start and
stop script to start and stop OpenVPN, I decided to use the init script
of OpenVPN to start and stop it.</p>
<p align="left">On each firewall, you will need to declare a zone to
represent the remote subnet. We'll assume that this zone is called
'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -73,14 +47,12 @@ the GPL</a>. OpenVPN can be downloaded from <a
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
zone.
In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -95,15 +67,13 @@ In /etc/shorewall/interfaces:</p>
<td>tun0</td>
<td><br>
</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the
following:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -117,19 +87,16 @@ In /etc/shorewall/interfaces:</p>
<td>openvpn</td>
<td>net</td>
<td>134.28.54.2</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels opens the firewall so that OpenVPN
traffic on the default port 5000/udp will be accepted to/from the remote
gateway. If you change the port used by OpenVPN to 7777, you can define /etc/shorewall/tunnels
like this:<br>
</p>
</blockquote>
<p>This entry in /etc/shorewall/tunnels opens the firewall so that
OpenVPN traffic on the default port 5000/udp will be accepted to/from
the remote gateway. If you change the port used by OpenVPN to 7777, you
can define&nbsp;/etc/shorewall/tunnels like this:<br>
</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -143,38 +110,32 @@ gateway. If you change the port used by OpenVPN to 7777, you can define
<td>openvpn:7777</td>
<td>net</td>
<td>134.28.54.2</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p>This is the OpenVPN config on system A:</p>
<blockquote>
<p></p>
</blockquote>
</blockquote>
<blockquote>
<p>dev tun<br>
local 206.162.148.9<br>
remote 134.28.54.2<br>
ifconfig 192.168.99.1 192.168.99.2<br>
up ./route-a.up<br>
tls-server<br>
dh dh1024.pem<br>
ca ca.crt<br>
cert my-a.crt<br>
key my-a.key<br>
comp-lzo<br>
verb 5<br>
local 206.162.148.9<br>
remote 134.28.54.2<br>
ifconfig 192.168.99.1 192.168.99.2<br>
up ./route-a.up<br>
tls-server<br>
dh dh1024.pem<br>
ca ca.crt<br>
cert my-a.crt<br>
key my-a.key<br>
comp-lzo<br>
verb 5<br>
</p>
</blockquote>
</blockquote>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p>
zone. In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
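Review bot: the empty `<blockquote><p></p></blockquote>` that sits between "This is the OpenVPN config on system A:" and the blockquote holding the config adds an empty indented paragraph and should be removed rather than kept through the reformat; the config itself (`local 206.162.148.9`, `remote 134.28.54.2`) agrees with the 134.28.54.2 gateway in system A's tunnels entry above.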
@ -188,15 +149,12 @@ gateway. If you change the port used by OpenVPN to 7777, you can define
<td>vpn</td>
<td>tun0</td>
<td>192.168.1.255</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p>In /etc/shorewall/tunnels on system B, we have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -210,34 +168,29 @@ gateway. If you change the port used by OpenVPN to 7777, you can define
<td>openvpn</td>
<td>net</td>
<td>206.191.148.9</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>And in the OpenVPN config on system B:</p>
</blockquote>
<p>And in the&nbsp;OpenVPN config on system B:</p>
<blockquote>
<p>dev tun<br>
local 134.28.54.2<br>
remote 206.162.148.9<br>
ifconfig 192.168.99.2 192.168.99.1<br>
up ./route-b.up<br>
tls-client<br>
ca ca.crt<br>
cert my-b.crt<br>
key my-b.key<br>
comp-lzo<br>
verb 5<br>
local 134.28.54.2<br>
remote 206.162.148.9<br>
ifconfig 192.168.99.2 192.168.99.1<br>
up ./route-b.up<br>
tls-client<br>
ca ca.crt<br>
cert my-b.crt<br>
key my-b.key<br>
comp-lzo<br>
verb 5<br>
</p>
</blockquote>
<p align="left">You will need to allow traffic between the "vpn" zone and
the "loc" zone on both systems -- if you simply want to admit all traffic
in both directions, you can use the policy file:</p>
</blockquote>
<p align="left">You will need to allow traffic between the "vpn" zone
and the "loc" zone on both systems -- if you simply want to admit all
traffic in both directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
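Review bot: the system B tunnels entry gives the gateway as `206.191.148.9` while the system B OpenVPN config a few lines later has `remote 206.162.148.9`, and system A's config uses `local 206.162.148.9`; one of these addresses is a typo, and since the tunnels GATEWAY column is what opens the firewall for the OpenVPN port, a mismatch here means the tunnel traffic would not be accepted. The two should be made identical in this hunk.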
@ -251,34 +204,29 @@ gateway. If you change the port used by OpenVPN to 7777, you can define
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td> </td>
<td>&nbsp;</td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>On both systems, restart Shorewall and start OpenVPN. The systems in the
two masqueraded subnetworks can now talk to each other.</p>
</blockquote>
<p>On both systems, restart Shorewall and start OpenVPN. The systems in
the two masqueraded subnetworks can now talk to each other.</p>
<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font>
<small>and Simon Mater</small><br>
</p>
</p>
<p><font size="2"> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep. and Simon Mater<br>
</font></a></font></p>
<br>
<br>
<br>
<br>
© <font size="2">2003 Thomas M. Eastep. and Simon Mater<br>
</font></a></font></p>
<br>
<br>
<br>
<br>
</body>
</html>
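Review bot: the copyright line "2003 Thomas M. Eastep. and Simon Mater" carries a stray period before "and" in both the old and new text, and the four trailing `<br>` elements before `</body>` serve no purpose; both are worth fixing while the footer is being touched. Leaving "Updated 2/4/2003" unchanged is fine, since this hunk only reflows the page.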

View File

@ -9,17 +9,8 @@
<title>Shorewall PPTP</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">PPTP</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">PPTP<br>
</h1>
<h4>NOTE: I am no longer attempting to maintain MPPE patches for
current
Linux kernel's and pppd. I recommend that you refer to the following
@ -263,9 +254,191 @@ status)<br>
esac</font></p>
</blockquote>
<h3><a name="ConfigFw"></a>Configuring Shorewall</h3>
<p>I consider hosts connected to my PPTP server to be just like local
systems.
My key Shorewall entries are:</p>
<h4><span style="text-decoration: underline;">Basic Setup</span><br>
</h4>
<p>Here' a basic setup that treats your remote users as if they were
part of your <span style="font-weight: bold;">loc</span> zone. Note
that if your primary internet connection uses ppp0, then be sure that <span
style="font-weight: bold;">loc</span> follows <span
style="font-weight: bold;">net</span> in /etc/shorewall/zones.<br>
</p>
<p><span style="font-weight: bold;">/etc/shorewall/tunnels:</span><br>
</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>pptpserver<br>
</td>
<td>net</td>
<td>0.0.0.0/0<br>
</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p><span style="font-weight: bold;">/etc/shorewall/interfaces:</span><br>
</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>loc<br>
</td>
<td>ppp+</td>
<td>&nbsp;-</td>
<td><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<h4 style="text-decoration: underline;">Remote Users in a Separate Zone</h4>
If you want to place your remote users in their own zone so that you
can control connections between these users and the local network,
follow this example. Note that if your primary internet connection uses
ppp0 then be sure that <span style="font-weight: bold;">vpn</span>
follows <span style="font-weight: bold;">net</span> in
/etc/shorewall/zones as shown below.<br>
<br>
<span style="font-weight: bold;">/etc/shorewall/tunnels:<br>
</span>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>pptpserver<br>
</td>
<td>net</td>
<td>0.0.0.0/0<br>
</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<span style="font-weight: bold;">/etc/shorewall/zones:<br>
</span>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>DISPLAY</b></td>
<td><b>COMMENTS</b></td>
</tr>
<tr>
<td>net</td>
<td>Internet</td>
<td>The Internet</td>
</tr>
<tr>
<td>loc</td>
<td>Local</td>
<td>Local Network <br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">vpn</td>
<td style="vertical-align: top;">VPN<br>
</td>
<td style="vertical-align: top;">Remote Users<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/interfaces:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>net</td>
<td>eth0</td>
<td>206.124.146.255</td>
<td>norfc1918</td>
</tr>
<tr>
<td>loc</td>
<td>eth2</td>
<td>192.168.10.255</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>vpn<br>
</td>
<td>ppp+</td>
<td>&nbsp;-</td>
<td><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
Your policies and rules may now be configured for traffic to/from the <span
style="font-weight: bold;">vpn</span> zone.<br>
<h4><span style="text-decoration: underline;">Multiple Remote Networks</span><br>
</h4>
<p>Often there will be situations where you want multiple connections
from remote networks with these networks having different firewalling
requirements.<br>
</p>
<div style="text-align: center;"><img src="images/MultiPPTP.png"
title="" alt="" style="width: 846px; height: 544px;"><br>
</div>
<p>Here's how you configure this in Shorewall. Note that if your
primary internet connection uses ppp0 then be sure that the <span
style="font-weight: bold;">vpn{1-3}</span> zones follows <span
style="font-weight: bold;">net</span> in /etc/shorewall/zones as shown
below.<br>
</p>
<p><span style="font-weight: bold;">/etc/shorewall/tunnels:</span><br>
</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong> TYPE</strong></td>
<td><strong> ZONE</strong></td>
<td><strong> GATEWAY</strong></td>
<td><strong> GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>pptpserver<br>
</td>
<td>net</td>
<td>0.0.0.0/0<br>
</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/zones:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -283,7 +456,31 @@ My key Shorewall entries are:</p>
<tr>
<td>loc</td>
<td>Local</td>
<td>My Local Network including remote PPTP clients</td>
<td>Local Network <br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">vpn1</td>
<td style="vertical-align: top;">Remote1<br>
</td>
<td style="vertical-align: top;">Remote Network 1<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">vpn2<br>
</td>
<td style="vertical-align: top;">Remote2<br>
</td>
<td style="vertical-align: top;">Remote Network 2<br>
</td>
</tr>
<tr>
<td style="vertical-align: top;">vpn3<br>
</td>
<td style="vertical-align: top;">Remote3<br>
</td>
<td style="vertical-align: top;">Remote Network 3<br>
</td>
</tr>
</tbody>
</table>
@ -307,13 +504,13 @@ My key Shorewall entries are:</p>
<tr>
<td>loc</td>
<td>eth2</td>
<td>192.168.1.255</td>
<td>192.168.10.255</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>-</td>
<td>ppp+</td>
<td>&nbsp;</td>
<td>&nbsp;-</td>
<td>&nbsp;</td>
</tr>
</tbody>
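Review bot: changing the ppp+ row's ZONE to "-" makes /etc/shorewall/hosts the only place that assigns ppp peers to a zone, and a peer whose address is not covered by a hosts entry then belongs to no zone at all; the paragraph above the table should state that convention so readers do not drop the hosts entries and expect the old "loc" behaviour. The BROADCAST cell again carries a stray &nbsp; before the dash.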
@ -329,151 +526,32 @@ My key Shorewall entries are:</p>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>loc</td>
<td>eth2:192.168.1.0/24</td>
<td><br>
<td>vpn1<br>
</td>
</tr>
<tr>
<td>loc</td>
<td>ppp+:192.168.1.0/24</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/policy:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>POLICY</b></td>
<td><b>LOG LEVEL</b></td>
</tr>
<tr>
<td>loc</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/rules (For Shorewall versions up to and including
1.3.9b):</h4>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>1723</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>47</td>
<td>-</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>47</td>
<td>-</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions
1.3.10 and
later)<br>
</b></p>
<blockquote>
<table cellpadding="2" border="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td valign="top"><b>TYPE<br>
</b></td>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>GATEWAY<br>
</b></td>
<td valign="top"><b>GATEWAY ZONE<br>
</b></td>
</tr>
<tr>
<td valign="top">pptpserver<br>
<td style="vertical-align: top;">vpn2<br>
</td>
<td valign="top">net<br>
<td style="vertical-align: top;">ppp+:192.168.2.0/24<br>
</td>
<td valign="top">0.0.0.0/0<br>
<td style="vertical-align: top;"><br>
</td>
<td valign="top"><br>
</tr>
<tr>
<td style="vertical-align: top;">vpn3<br>
</td>
<td style="vertical-align: top;">ppp+:192.168.3.0/24<br>
</td>
<td style="vertical-align: top;"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left"><br>
Note: I have multiple ppp interfaces on my firewall. If you have a
single
ppp interface, you probably want:</p>
<h4>/etc/shorewall/interfaces:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>net</td>
<td>eth0</td>
<td>206.124.146.255</td>
<td>norfc1918</td>
</tr>
<tr>
<td>loc</td>
<td>eth2</td>
<td>192.168.1.255</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>loc</td>
<td>ppp0</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">and <u><b>no</b></u> entries in /etc/shorewall/hosts.</p>
Your policies and rules can now be configured using separate zones
(vpn1, vpn2, and vpn3) for the three remote network.<br>
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running
Behind
your Firewall</h2>
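Review bot: the separation between vpn1, vpn2 and vpn3 rests entirely on the hosts entries ppp+:192.168.1.0/24, ppp+:192.168.2.0/24 and ppp+:192.168.3.0/24, that is, on which /24 the PPTP server hands each peer; if peers draw addresses from one shared pool, a client from one remote network can land in another network's zone and inherit its rules. A sentence saying that each remote must be pinned to its own /24 by the PPTP server's address configuration would close that gap. Minor: the closing sentence should read "for the three remote networks".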
@ -968,7 +1046,7 @@ as described in the QuickStart Guide corresponding to your setup.<br>
That entry allows a PPTP tunnel to be established between your
Shorewall system and the PPTP server in the modem.<br>
</div>
<p><font size="2">Last modified 8/11/2003 - <a href="support.htm">Tom
<p><font size="2">Last modified 11/22/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><a href="copyright.htm"> <font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>

View File

@ -1,53 +1,32 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Proxy ARP</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Proxy ARP</font></h1>
</td>
</tr>
</tbody>
</table>
<p>Proxy ARP allows you to insert a firewall in front of a set of servers
without changing their IP addresses and without having to re-subnet.
Before you try to use this technique, I strongly recommend that you read
the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<body>
<h1 style="text-align: center;">Proxy ARP<br>
</h1>
<p>Proxy ARP allows you to insert a firewall in front of a set of
servers without changing their IP addresses and without having to
re-subnet. Before you try to use this technique, I strongly recommend
that you read the <a href="shorewall_setup_guide.htm">Shorewall Setup
Guide.</a></p>
<p>The following figure represents a Proxy ARP environment.</p>
<blockquote>
<p align="center"><strong> <img src="images/proxyarp.png"
width="519" height="397">
</strong></p>
<p align="center"><strong> <img src="images/proxyarp.png" width="519"
height="397"> </strong></p>
<blockquote> </blockquote>
</blockquote>
<p align="left">Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
subnet.  Assuming that the upper firewall interface is eth0 and the
lower interface is eth1, this is accomplished using the following entries
in /etc/shorewall/proxyarp:</p>
</blockquote>
<p align="left">Proxy ARP can be used to make the systems with
addresses 130.252.100.18 and 130.252.100.19 appear to be on the upper
(130.252.100.*) subnet.&nbsp; Assuming that the upper firewall
interface is eth0 and the lower interface is eth1, this is accomplished
using the following entries in /etc/shorewall/proxyarp:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -69,124 +48,118 @@ the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<td>eth0</td>
<td>no</td>
</tr>
</tbody>
</table>
</blockquote>
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19 
in the above example) are not included in any specification in /etc/shorewall/masq
or /etc/shorewall/nat.</p>
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is
irrelevant. </p>
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
subnet mask and default gateway configured exactly the same way that
the Firewall system's eth0 is configured. In other words, they should
be configured just like they would be if they were parallel to the firewall
rather than behind it.<br>
</p>
<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed address(es)
(130.252.100.18 and 130.252.100.19 in the above example)  to the external
interface (eth0 in this example) of the firewall.</b></font><br>
</p>
</blockquote>
<p>Be sure that the internal systems (130.242.100.18 and
130.252.100.19&nbsp; in the above example) are not included in any
specification in /etc/shorewall/masq or /etc/shorewall/nat.</p>
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address
is irrelevant. </p>
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have
their subnet mask and default gateway configured exactly the same way
that the Firewall system's eth0 is configured. In other words, they
should be configured just like they would be if they were parallel to
the firewall rather than behind it.<br>
</p>
<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed
address(es) (130.252.100.18 and 130.252.100.19 in the above
example)&nbsp; to the external interface (eth0 in this example) of the
firewall.</b></font><br>
</p>
<div align="left"> </div>
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it
will probably be HOURS before that system can communicate with the internet.
There are a couple of things that you can try:<br>
</p>
<p align="left">A word of warning is in order here. ISPs typically
configure their routers with a long ARP cache timeout. If you move a
system from parallel to your firewall to behind your firewall with
Proxy ARP, it
will probably be HOURS before that system can communicate with the
internet. There are a couple of things that you can try:<br>
</p>
<ol>
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP
Illustrated, Vol 1</i> reveals that a <br>
<br>
"gratuitous" ARP packet should cause the ISP's router to refresh their
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the
MAC address for its own IP; in addition to ensuring that the IP address
"gratuitous" ARP packet should cause the ISP's router to refresh their
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting
the MAC address for its own IP; in addition to ensuring that the IP
address
isn't a duplicate...<br>
<br>
"if the host sending the gratuitous ARP has just changed its hardware
address..., this packet causes any other host...that has an entry in its
cache for the old hardware address to update its ARP cache entry accordingly."<br>
"if the host sending the gratuitous ARP has just changed its hardware
address..., this packet causes any other host...that has an entry in
its cache for the old hardware address to update its ARP cache entry
accordingly."<br>
<br>
Which is, of course, exactly what you want to do when you switch a host
from being exposed to the Internet to behind Shorewall using proxy ARP (or
static NAT for that matter). Happily enough, recent versions of Redhat's
iputils package include "arping", whose "-U" flag does just that:<br>
Which is, of course, exactly what you want to do when you switch a host
from being exposed to the Internet to behind Shorewall using proxy ARP
(or one-to-one NAT for that matter). Happily enough, recent versions of
Redhat's iputils package include "arping", whose "-U" flag does just
that:<br>
<br>
    <font color="#009900"><b>arping -U -I <i>&lt;net if&gt; &lt;newly
proxied IP&gt;</i></b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I <i>&lt;net
if&gt; &lt;newly proxied IP&gt;</i></b></font><br>
&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I eth0
66.58.99.83 # for example</b></font><br>
<br>
Stevens goes on to mention that not all systems respond correctly to
Stevens goes on to mention that not all systems respond correctly to
gratuitous ARPs, but googling for "arping -U" seems to support the idea
that it works most of the time.<br>
<br>
To use arping with Proxy ARP in the above example, you would have to:<br>
To use arping with Proxy ARP in the above example, you would have to:<br>
<br>
<font color="#009900"><b>    shorewall clear<br>
</b></font>    <font color="#009900"><b>ip addr add 130.252.100.18
dev eth0<br>
    ip addr add 130.252.100.19 dev eth0</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 130.252.100.18</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
    <b><font color="#009900">ip addr del 130.252.100.18 dev eth0<br>
    ip addr del 130.252.100.19 dev eth0<br>
    shorewall start</font></b><br>
<font color="#009900"><b>&nbsp; &nbsp; shorewall clear<br>
</b></font>&nbsp; &nbsp; <font color="#009900"><b>ip addr add
130.252.100.18 dev eth0<br>
&nbsp; &nbsp; ip addr add 130.252.100.19 dev eth0</b></font><br>
&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I eth0
130.252.100.18</b></font><br>
&nbsp; &nbsp; <font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
&nbsp; &nbsp; <b><font color="#009900">ip addr del 130.252.100.18 dev
eth0<br>
&nbsp; &nbsp; ip addr del 130.252.100.19 dev eth0<br>
&nbsp; &nbsp; shorewall start</font></b><br>
<br>
</li>
<li>You can call your ISP and ask them to purge the stale ARP cache
entry but many either can't or won't purge individual entries.</li>
entry but many either can't or won't purge individual entries.</li>
</ol>
You can determine if your ISP's gateway ARP cache is stale using ping
and tcpdump. Suppose that we suspect that the gateway router has a stale
ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:</div>
You can determine if your ISP's gateway ARP cache is stale using ping
and tcpdump. Suppose that we suspect that the gateway router has a
stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump
as follows:</div>
<div align="left">
<pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
</div>
</div>
<div align="left">
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we
will assume is 130.252.100.254):</p>
</div>
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which
we will assume is 130.252.100.254):</p>
</div>
<div align="left">
<pre> <b><font color="#009900">ping 130.252.100.254</font></b></pre>
</div>
</div>
<div align="left">
<p align="left">We can now observe the tcpdump output:</p>
</div>
</div>
<div align="left">
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)<br> 13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
</div>
</div>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
was the MAC address of the system on the lower left. In other words,
<p align="left">Notice that the source MAC address in the echo request
is different from the destination MAC address in the echo reply!! In
this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
0:c0:a8:50:b2:57 was the MAC address of the system on the lower left.
In other words,
the gateway's ARP cache still associates 130.252.100.19 with the NIC
in that system rather than with the firewall's eth0.</p>
</div>
<p><font size="2">Last updated 3/21/2003 - </font><font size="2"> <a
</div>
<p><font size="2">Last updated 11/13/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
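Review bot: the rewrapped paragraph "Be sure that the internal systems (130.242.100.18 and 130.252.100.19 ...)" carries over an address that does not match the 130.252.100.18 used in the proxyarp table and everywhere else in the example; it should be corrected to 130.252.100.18 while this text is being touched. Also, the arping sequence opens with "shorewall clear" and ends with "shorewall start", so the firewall is open for the whole interval in between; the list item should say to run the commands as one script so that window stays as short as possible.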

View File

@ -1,53 +1,34 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Springtime in Seattle!!!</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Visit Seattle in the Springtime!!!!</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
-+
<h3><font color="#ff6633"></font></h3>
<img src="images/P1000048.jpg" alt="" width="640" height="480">
<br>
<br>
<b>March 6, 2003 - Nice day for a walk....</b><br>
<br>
<img src="images/P1000050.jpg" alt="" width="640" height="480">
<br>
<br>
<br>
<img src="images/P1000049.jpg" alt="" width="480" height="640">
<p><b>The view from my office window -- think I'll go out and enjoy the deck
(Yes -- that is snow on the deck...)</b>.<br>
</p>
<h1 style="text-align: center;">Visit Seattle in the Springtime!!!<br>
</h1>
<img src="images/P1000048.jpg" alt="" width="640" height="480"> <br>
<br>
<b>March 6, 2003 - Nice day for a walk....</b><br>
<br>
<img src="images/P1000050.jpg" alt="" width="640" height="480"> <br>
<br>
<br>
<img src="images/P1000049.jpg" alt="" width="480" height="640">
<p><b>The view from my office window -- think I'll go out and enjoy the
deck (Yes -- that is snow on the deck...)</b>.<br>
</p>
<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -2,93 +2,79 @@
<html>
<head>
<title>Shorewall Certificate Authority</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Certificate Authority
(CA) Certificate</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
Given that I develop and support Shorewall without asking for any renumeration,
I can hardly justify paying $200US+ a year to a Certificate Authority such
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
I am who I am. I have therefore established my own Certificate Authority
(CA) and sign my own X.509 certificates. I use these certificates on my list
server (<a href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
<body>
<h1 style="text-align: center;">Shorewall Certificate Authority (CA)
Certificate<br>
</h1>
Given that I develop and support Shorewall without asking for any
renumeration, I can hardly justify paying $200US+ a year to a
Certificate Authority such as Thawte (A Division of VeriSign) for an
X.509 certificate to prove that I am who I am. I have therefore
established my own Certificate Authority (CA) and sign my own X.509
certificates. I use these certificates on my list server (<a
href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
which hosts parts of this web site.<br>
<br>
X.509 certificates are the basis for the Secure Socket Layer (SSL). As
part of establishing an SSL session (URL https://...), your browser verifies
the X.509 certificate supplied by the HTTPS server against the set of Certificate
Authority Certificates that were shipped with your browser. It is expected
that the server's certificate was issued by one of the authorities whose
identities are known to your browser. <br>
<br>
This mechanism, while supposedly guaranteeing that when you connect to
https://www.foo.bar you are REALLY connecting to www.foo.bar, means that
the CAs literally have a license to print money -- they are selling a string
of bits (an X.509 certificate) for $200US+ per year!!!I <br>
<br>
I wish that I had decided to become a CA rather that designing and writing
Shorewall.<br>
<br>
What does this mean to you? It means that the X.509 certificate that my
server will present to your browser will not have been signed by one of the
authorities known to your browser. If you try to connect to my server using
SSL, your browser will frown and give you a dialog box asking if you want
to accept the sleezy X.509 certificate being presented by my server. <br>
<br>
There are two things that you can do:<br>
<br>
X.509 certificates are the basis for the Secure Socket Layer (SSL). As
part of establishing an SSL session (URL https://...), your browser
verifies the X.509 certificate supplied by the HTTPS server against the
set of Certificate Authority Certificates that were shipped with your
browser. It is expected that the server's certificate was issued by one
of the authorities whose identities are known to your browser. <br>
<br>
This mechanism, while supposedly guaranteeing that when you connect to
https://www.foo.bar you are REALLY connecting to www.foo.bar, means
that the CAs literally have a license to print money -- they are
selling a string of bits (an X.509 certificate) for $200US+ per
year!!!I <br>
<br>
I wish that I had decided to become a CA rather that designing and
writing Shorewall.<br>
<br>
What does this mean to you? It means that the X.509 certificate that my
server will present to your browser will not have been signed by one of
the authorities known to your browser. If you try to connect to my
server using SSL, your browser will frown and give you a dialog box
asking if you want to accept the sleezy X.509 certificate being
presented by my server. <br>
<br>
There are two things that you can do:<br>
<ol>
<li>You can accept the mail.shorewall.net certificate when your browser
asks -- your acceptence of the certificate can be temporary (for that access
only) or perminent.</li>
<li>You can download and install <a href="ca.crt">my (self-signed) CA
certificate.</a> This will make my Certificate Authority known to your browser
so that it will accept any certificate signed by me. <br>
<li>You can accept the mail.shorewall.net certificate when your
browser asks -- your acceptence of the certificate can be temporary
(for that access only) or perminent.</li>
<li>You can download and install <a href="ca.crt">my (self-signed)
CA certificate.</a> This will make my Certificate Authority known to
your browser so that it will accept any certificate signed by me. <br>
</li>
</ol>
What are the risks?<br>
What are the risks?<br>
<ol>
<li>If you install my CA certificate then you assume that I am trustworthy
and that Shorewall running on your firewall won't redirect HTTPS requests
intented to go to your bank's server to one of my systems that will present
your browser with a bogus certificate claiming that my server is that of
<li>If you install my CA certificate then you assume that I am
trustworthy and that Shorewall running on your firewall won't redirect
HTTPS requests intented to go to your bank's server to one of my
systems that will present your browser with a bogus certificate
claiming that my server is that of
your bank.</li>
<li>If you only accept my server's certificate when prompted then the
most that you have to loose is that when you connect to https://mail.shorewall.net,
the server you are connecting to might not be mine.</li>
most that you have to loose is that when you connect to
https://mail.shorewall.net, the server you are connecting to might not
be mine.</li>
</ol>
I have my CA certificate loaded into all of my browsers but I certainly
I have my CA certificate loaded into all of my browsers but I certainly
won't be offended if you decline to load it into yours... :-)<br>
<p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003 Thomas M.
size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003
Thomas M.
Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
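Review bot: several misspellings survive the rewrap and should be fixed in the new text: "renumeration" (remuneration), "rather that designing" (rather than), "year!!!I" (stray I), "acceptence", "perminent", "intented", "loose" (lose), "sleezy" (sleazy). On the substance, the first item under "What are the risks?" understates what option 2 does: once the CA certificate is installed the browser, as the page itself says, accepts any certificate signed by that CA, and that trust is not limited to shorewall.net host names; the item should say so explicitly and point out that option 1 (accepting the server certificate for a single session) is the lower-risk choice.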

View File

@ -2,56 +2,38 @@
<html>
<head>
<title>Shorewall CVS Access</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall CVS Access</font>
</h1>
<br>
</td>
</tr>
</tbody>
</table>
<br>
Lots of people try to download the entire Shorewall website for off-line
browsing, including the CVS portion. In addition to being an enormous volume
of data (HTML versions of all versions of all Shorewall files), all of the
pages in Shorewall CVS access are cgi-generated which places a tremendous
load on my little server. I have therefore resorted to making CVS access
password controlled. When you are asked to log in, enter "Shorewall" (NOTE
THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
<br>
<body>
<br>
<h1 style="text-align: center;">Shorewall CVS Access<br>
</h1>
Lots of people try to download the entire Shorewall website for
off-line browsing, including the CVS portion. In addition to being an
enormous volume of data (HTML versions of all versions of all Shorewall
files), all of the pages in Shorewall CVS access are cgi-generated
which places a tremendous load on my little server. I have therefore
resorted to making CVS access password controlled. When you are asked
to log in, enter "Shorewall" (NOTE THE CAPITALIZATION!!!!!) for both
the user name and the password.<br>
<br>
<div align="center">
<h3><a href="http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi"
target="_top">CVS Login</a> &nbsp;<br>
</h3>
</div>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 1/14/2002
- <a href="support.htm">Tom Eastep</a> </font>
</p>
</h3>
</div>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated
1/14/2002 - <a href="support.htm">Tom Eastep</a> </font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
&copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
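Review bot: the user name and password are printed on the same page that gates the login, so the paragraph should state plainly that the prompt only deters automated mirroring and gives the CVS pages no confidentiality; readers should not take the credential as access control. Minor: the footer still reads "Updated 1/14/2002" although the copyright line was extended to 2003 and this edit rewraps the text.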

View File

@ -9,20 +9,11 @@
<body>
<small> </small><small> </small><small> </small><small> </small><small>
</small> <small> </small>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%"><small> </small>
<h1 align="center"><small><font color="#ffffff">Some things that
Shorewall <b>Cannot</b> Do</font></small></h1>
<small> </small></td>
</tr>
</tbody>
</table>
<small><br>
</small>Shorewall cannot:<br>
</small>
<h1 style="text-align: center;">Some things that Shorewall Cannot Do<br>
</h1>
Shorewall cannot:<br>
<ul>
<li>Be used to filter traffic through a Layer 2 Bridge</li>
<li>Act as a "Personal Firewall" that allows internet access by
@ -30,18 +21,28 @@ application.</li>
<li>Be used with an Operating System other than Linux (version &gt;=
2.4.0)<br>
</li>
<li>Do content filtering -- better to use <a
href="Shorewall_Squid_Usage.html">Squid</a> for that.</li>
<li>Do content filtering:</li>
<ul>
<li>HTTP -- better to use <a href="Shorewall_Squid_Usage.html">Squid</a>
for that.</li>
<li>Email -- Install something like <a
href="http://www.postfix.org">Postfix</a> on your firewall and
integrate it with <a href="http://www.spamassassin.org">SpamAssassin</a>
and <a href="http://www.ijs.si/software/amavisd/">Amavisd-new</a>.<br>
</li>
</ul>
</ul>
In addition:<br>
<ul>
<li>Shorewall does not contain any support for Netfilter <span
style="font-style: italic;">Patch-O-Matic</span> features -- Shorewall
<li>Shorewall does not contain any support for Netfilter <a
href="http://www.netfilter.org/documentation/pomlist/pom-summary.html"><span
style="font-style: italic;">Patch-O-Matic</span></a> features --
Shorewall
only supports features from released kernels.<br>
</li>
</ul>
<br>
<font size="2">Last updated 9/28/2003 - <a href="support.htm">Tom
<font size="2">Last updated 10/07/2003 - <a href="support.htm">Tom
Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
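Review bot: the inner &lt;ul&gt; holding the HTTP and Email sub-items is placed as a sibling of the "Do content filtering:" &lt;li&gt; (that &lt;li&gt; is closed before the &lt;ul&gt; opens), which is invalid list nesting in HTML 4.01; move the inner &lt;ul&gt; inside the "Do content filtering:" &lt;li&gt;, before its &lt;/li&gt;, so the sub-list is attached to the item it refines.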

View File

@ -7,19 +7,22 @@
<meta name="author" content="Tom Eastep">
</head>
<body>
<table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#3366ff">
<table cellpadding="0" cellspacing="0" border="0"
style="background-color: rgb(51, 102, 255); height: 84px; width: 100%;">
<tbody>
<tr>
<td valign="middle" width="33%" bgcolor="#3366ff"><a
<td valign="middle" width="33%" bgcolor="#3366ff"
style="background-color: rgb(255, 255, 255);"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4"> </a><br>
</td>
<td valign="middle" height="90" align="center" width="34%">
<h1><font color="#ffffff"><b>Using Shorewall with Squid</b></font></h1>
<td valign="middle" height="90" align="center" width="34%"
style="background-color: rgb(255, 255, 255);">
<h1 style="color: rgb(51, 0, 51);"><b>Using Shorewall with Squid</b></h1>
<h1> </h1>
</td>
<td valign="middle" height="90" width="33%" align="right"><a
<td valign="middle" height="90" width="33%" align="right"
style="background-color: rgb(255, 255, 255);"><a
href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
alt="" width="100" height="31" hspace="4"> </a><br>
</td>
@ -28,10 +31,14 @@
</table>
<br>
This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>. If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
href="http://www.squid-cache.org/">Squid </a>running as a <a
href="#Transparent">Transparent
Proxy</a> or as a <a href="#Manual">Manual Proxy</a>.<br>
<br>
If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<h1><a name="Transparent"></a>Squid as a Transparent Proxy<br>
</h1>
<img border="0" src="images/j0213519.gif" width="60" height="60"
alt="Caution" align="middle"> &nbsp;&nbsp;&nbsp; Please observe the
following general requirements:<br>
@ -71,7 +78,7 @@ running on the Firewall.</a></li>
local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
</ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
<h2><a name="Firewall"></a>Squid (transparent) Running on the Firewall</h2>
You want to redirect all local www connection requests
EXCEPT those to your own http server (206.124.146.177) to a Squid
transparent proxy running on the firewall
@ -123,15 +130,49 @@ DEST</b></td>
There may be a requirement to exclude additional destination
hosts or networks from being redirected. For example, you might also
want
requests destined for 130.252.100.0/24 to not be routed to Squid. In
that
case, you must add a manual rule in /etc/shorewall/start:<br>
requests destined for 130.252.100.0/24 to not be routed to Squid.<br>
<br>
If you are running Shorewall version 1.4.5 or later, you may just add
the additional hosts/networks to the ORIGINAL DEST column in your
REDIRECT rule:<br>
<br>
<div style="margin-left: 40px;">
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc</td>
<td>3128</td>
<td>tcp</td>
<td>www</td>
<td> -<br>
</td>
<td>!206.124.146.177,130.252.100.0/24</td>
</tr>
</tbody>
</table>
</div>
<br>
If you are running a Shorewall version earlier than 1.4.5, you must add
a manual rule in /etc/shorewall/start:<br>
<blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
</blockquote>
&nbsp;To exclude additional hosts or networks, just add additional
similar rules.<br>
<h2><a name="Local"></a>Squid Running in the local network</h2>
<h2><a name="Local"></a>Squid (transparent) Running in the local network</h2>
You want to redirect all local www connection requests to a Squid
transparent proxy running in your local zone at 192.168.1.3 and
listening
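Review bot: the new ORIGINAL DEST value `!206.124.146.177,130.252.100.0/24` needs a sentence in the surrounding text saying that the leading `!` negates the whole comma-separated list, not only the first address; otherwise readers adding a third exclusion may prefix each entry with `!` or assume only .177 is excluded. For the pre-1.4.5 path, the `run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN` line hardcodes the `loc_dnat` chain, which corresponds to the `loc` zone in the REDIRECT rule's SOURCE column; say that a different source zone needs the matching `<zone>_dnat` chain, since a wrong chain name leaves the host silently redirected to Squid. Minor: the `&nbsp;` before "To exclude additional hosts" is a stray indent.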
@ -273,7 +314,8 @@ command above:<br>
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
</blockquote>
<blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
<h2><a name="DMZ"></a>Squid (transparent) Running in the DMZ (This is
what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ
interface is eth1 and your local interface is eth2.<br>
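Review bot: the `<blockquote> </blockquote>` immediately before the renamed DMZ heading is empty markup that only adds vertical space and should be dropped (the same empty element precedes the new Manual Proxy heading later in this file).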
@ -455,7 +497,133 @@ command above:<br>
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
</blockquote>
<blockquote> </blockquote>
<p><font size="-1"> Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a>
<h1><a name="Manual"></a>Squid as a Manual Proxy</h1>
Assume that Squid is running in zone SZ and listening on port SP; all
web sites that are to be accessed through Squid are in the 'net' zone.
Then for each zone Z that needs access to the Squid server:<br>
<br>
<div style="margin-left: 40px;">
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">ACTION<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DEST<br>
</td>
<td valign="top">PROTO<br>
</td>
<td valign="top">DEST<br>
PORT(S)<br>
</td>
<td valign="top">CLIENT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">Z<br>
</td>
<td valign="top">SZ<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">SP<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">SZ<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</div>
<br>
Example:<br>
<br>
<div style="margin-left: 40px;">Squid on the firewall listening on port
8080 with access from the 'loc' zone:<br>
<br>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">ACTION<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DEST<br>
</td>
<td valign="top">PROTO<br>
</td>
<td valign="top">DEST<br>
PORT(S)<br>
</td>
<td valign="top">CLIENT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">$FW<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">8080<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">$FW<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</div>
<p><font size="-1">Updated 1017/2003 - <a href="support.htm">Tom
Eastep</a>
</font></p>
<a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2003 Thomas M. Eastep.</font></a><br>
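Review bot: the Manual Proxy section should state that the two ACCEPT rules (Z to SZ on port SP, SZ to net on port 80) only make Squid mandatory if zone Z has no other path to the net on port 80, i.e. no separate ACCEPT for Z to net www and no permissive Z-to-net policy; unlike the transparent case above, nothing here captures traffic, so a client that can reach port 80 directly simply bypasses the proxy. Two typos in the new tables: both header cells read `CLIENT PORT(2)` where the rest of the page uses `PORT(S)`, and the footer date `Updated 1017/2003` is missing its separator (`10/17/2003`).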

View File

@ -2,89 +2,83 @@
<html>
<head>
<title>Shorewall and Aliased Interfaces</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
<body>
<h1 style="text-align: center;">Shorewall and Aliased Interfaces<br>
</h1>
<h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i>
which is used to configure network devices. ifconfig introduced the
concept of <i>aliased </i>or <i>virtual </i>interfaces. These virtual
The traditional net-tools contain a program called <i>ifconfig</i>
which is used to configure network devices. ifconfig introduced the
concept of <i>aliased </i>or <i>virtual </i>interfaces. These
virtual
interfaces have names of the form <i>interface</i>:<i>integer </i>(e.g.,
eth0:0) and ifconfig treats them more or less like real interfaces.<br>
<br>
Example:<br>
<br>
Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the
<i>ip</i> utility which is part of the <i>iproute </i>package. The ip
utility does not use the concept of aliases or virtual interfaces but rather
treats additional addresses on an interface as objects in their own right.
The ip utility does provide for interaction with ifconfig in that it allows
addresses to be <i>labeled </i>where these labels take the form of ipconfig
The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
utility which is part of the <i>iproute </i>package. The ip utility
does not use the concept of aliases or virtual interfaces but rather
treats additional addresses on an interface as objects in their own
right.
The ip utility does provide for interaction with ifconfig in that it
allows
addresses to be <i>labeled </i>where these labels take the form of
ipconfig
virtual interfaces.<br>
<br>
Example:<br>
<br>
<br>
Example:<br>
<br>
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
Note that one <u>cannot</u> type "ip addr show dev eth0:0" because
"eth0:0" is a label for a particular address rather than a device name.<br>
Note that one <u>cannot</u> type "ip addr show dev eth0:0" because
"eth0:0" is a label for a particular address rather than a device name.<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either
it's "-i" or "-o" command options; as a consequence, Shorewall does not
allow them to be used in the /etc/shorewall/interfaces file or anywhere
The iptables program doesn't support virtual interfaces in either it's
"-i" or "-o" command options; as a consequence, Shorewall does not
allow them to be used in the /etc/shorewall/interfaces file or anywhere
else except as described in the discussion below. <br>
<br>
<h2>Adding Addresses to Interfaces</h2>
Shorewall provides facilities for automatically adding addresses to interfaces
as described in the following section. It is also easy to add them yourself
Most distributions have a facility for adding additional addresses to
interfaces. If you have already used your distribution's capability to
add your required addresses, you can skip this section. <br>
<br>
Shorewall provides facilities for automatically adding addresses to
interfaces
as described in the following section. It is also easy to add them
yourself
using the <b>ip</b> utility. The above alias was added using:<br>
<blockquote><b><font color="#009900">ip addr add 206.124.146.178/24 brd 206.124.146.255
<blockquote><b><font color="#009900">ip addr add 206.124.146.178/24 brd
206.124.146.255
dev eth0 label eth0:0</font></b><br>
</blockquote>
You probably want to arrange to add these addresses when the device is started
rather than placing commands like the above in one of the Shorewall extension
scripts. For example, on RedHat systems, you can place the commands in /sbin/ifup-local:<br>
You probably want to arrange to add these addresses when the device is
started
rather than placing commands like the above in one of the Shorewall
extension
scripts. For example, on RedHat systems, you can place the commands in
/sbin/ifup-local:<br>
<br>
<blockquote>
<pre>#!/bin/sh<br><br>case $1 in<br> eth0)<br> /sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0<br> ;;<br>esac&nbsp;<br></pre>
</blockquote>
RedHat systems also allow adding such aliases from the network administration
GUI (which works well if you have a graphical environment on your firewall).<br>
RedHat systems also allow adding such aliases from the network
administration
GUI (which only works well if you have a graphical environment on your
firewall).<br>
<h2>So how do I handle more than one address on an interface?</h2>
The answer depends on what you are trying to do with the interfaces.
In the sub-sections that follow, we'll take a look at common scenarios.<br>
The answer depends on what you are trying to do with the interfaces. In
the sub-sections that follow, we'll take a look at common scenarios.<br>
<h3>Separate Rules</h3>
If you need to make a rule for traffic to/from the firewall itself
that only applies to a particular IP address, simply qualify the $FW zone
with the IP address.<br>
<br>
Example (allow SSH from net to eth0:0 above):<br>
<br>
If you need to make a rule for traffic to/from the firewall itself that
only applies to a particular IP address, simply qualify the $FW zone
with the IP address.<br>
<br>
Example (allow SSH from net to eth0:0 above):<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
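Review bot: the `/sbin/ifup-local` example adds `206.124.146.177` with no prefix length, while the `ip addr add` command a few lines earlier (and the ifconfig and `ip addr show` output above it) describes the same label `eth0:0` as `206.124.146.178/24 brd 206.124.146.255`; without the `/24` the kernel assigns a /32, and the address itself differs from the one the rest of the page calls eth0:0. Suggest `/sbin/ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0`. Smaller points in the same hunk: `ipconfig virtual interfaces` should be `ifconfig` (it appears in both the old and the rewrapped text); `either it's "-i" or "-o"` should be `its`; `Example:<br>` is duplicated before each `<pre>`; and the HWaddr in the ifconfig sample (`02:00:08:3:FA:55`) does not match the link/ether in the `ip` sample (`02:00:08:e3:fa:55`) although both show eth0.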
@ -120,19 +114,16 @@ GUI (which works well if you have a graphical environment on your firewall).<br>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
</blockquote>
<h3>DNAT</h3>
Suppose that I had set up eth0:0 as above and I wanted to port
Suppose that I had set up eth0:0 as above and I wanted to port
forward from that virtual interface to a web server running in my local
zone at 192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules
file:<br>
<br>
zone at 192.168.1.3. That is accomplised by a single rule in the
/etc/shorewall/rules file:<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
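Review bot: `accomplised` in the DNAT paragraph survives the rewrap in both the old and new text; it should be `accomplished`.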
@ -168,17 +159,14 @@ zone at 192.168.1.3. That is accomplised by a single rule in the /etc/shorewa
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
</blockquote>
<h3>SNAT</h3>
If you wanted to use eth0:0 as the IP address for outbound connections
from your local zone (eth1), then in /etc/shorewall/masq:<br>
<br>
If you wanted to use eth0:0 as the IP address for outbound connections
from your local zone (eth1), then in /etc/shorewall/masq:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -198,18 +186,19 @@ zone at 192.168.1.3. That is accomplised by a single rule in the /etc/shorewa
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if
you set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning
with Shorewall 1.3.14, Shorewall can actually create the "label" (virtual
</blockquote>
Shorewall can create the alias (additional address) for you if
you set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf.
Beginning
with Shorewall 1.3.14, Shorewall can actually create the "label"
(virtual
interface) so that you can see the created address using ifconfig. In
addition to setting ADD_SNAT_ALIASES=Yes, you specify the virtual interface
addition to setting ADD_SNAT_ALIASES=Yes, you specify the virtual
interface
name in the INTERFACE column as follows:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -229,17 +218,15 @@ name in the INTERFACE column as follows:<br>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
Shorewall can also set up SNAT to round-robin over a range of IP addresses.
Do do that, you specify a range of IP addresses in the ADDRESS column. If
you specify a label in the INTERFACE column, Shorewall will use that label
for the first address of the range and will increment the label by one for
each subsequent label.<br>
<br>
</blockquote>
Shorewall can also set up SNAT to round-robin over a range of IP
addresses. Do do that, you specify a range of IP addresses in the
ADDRESS column. If you specify a label in the INTERFACE column,
Shorewall will use that label for the first address of the range and
will increment the label by one for each subsequent label.<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
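Review bot: `Do do that` in the round-robin SNAT paragraph should be `To do that`, and `will increment the label by one for each subsequent label` should read `for each subsequent address`, since it is the addresses in the ADDRESS range that receive successive labels.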
@ -259,21 +246,18 @@ name in the INTERFACE column as follows:<br>
<td valign="top">206.124.146.178-206.124.146.180<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
The above would create three IP addresses:<br>
<br>
&nbsp;&nbsp;&nbsp; eth0:0 = 206.124.146.178<br>
&nbsp;&nbsp;&nbsp; eth0:1 = 206.124.146.179<br>
&nbsp;&nbsp;&nbsp; eth0:2 = 206.124.146.180<br>
<h3>STATIC NAT</h3>
If you wanted to use static NAT to link eth0:0 with local address
192.168.1.3, you would have the following in /etc/shorewall/nat:<br>
<br>
</blockquote>
The above would create three IP addresses:<br>
<br>
&nbsp;&nbsp;&nbsp; eth0:0 = 206.124.146.178<br>
&nbsp;&nbsp;&nbsp; eth0:1 = 206.124.146.179<br>
&nbsp;&nbsp;&nbsp; eth0:2 = 206.124.146.180<br>
<h3>One-to-one NAT</h3>
If you wanted to use one-to-one NAT to link eth0:0 with local address
192.168.1.3, you would have the following in /etc/shorewall/nat:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -301,19 +285,19 @@ name in the INTERFACE column as follows:<br>
<td valign="top">no<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if
</blockquote>
Shorewall can create the alias (additional address) for you if
you set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning
with Shorewall 1.3.14, Shorewall can actually create the "label" (virtual
with Shorewall 1.3.14, Shorewall can actually create the "label"
(virtual
interface) so that you can see the created address using ifconfig. In
addition to setting ADD_IP_ALIASES=Yes, you specify the virtual interface
addition to setting ADD_IP_ALIASES=Yes, you specify the virtual
interface
name in the INTERFACE column as follows:<br>
<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -341,18 +325,16 @@ name in the INTERFACE column as follows:<br>
<td valign="top">no<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In either case, to create rules that pertain only to this NAT pair,
you simply qualify the local zone with the internal IP address.<br>
<br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.<br>
<br>
</blockquote>
In either case, to create rules that pertain only to this NAT pair, you
simply qualify the local zone with the internal IP address.<br>
<br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
@ -388,29 +370,26 @@ name in the INTERFACE column as follows:<br>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
</blockquote>
<h3>MULTIPLE SUBNETS</h3>
Sometimes multiple IP addresses are used because there are multiple
subnetworks configured on a LAN segment. This technique does not provide
for any security between the subnetworks if the users of the systems have
administrative privileges because in that case, the users can simply manipulate
their system's routing table to bypass your firewall/router. Nevertheless,
there are cases where you simply want to consider the LAN segment itself
as a zone and allow your firewall/router to route between the two subnetworks.<br>
<br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24
and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254
and eth1:0 is 192.168.20.254. You want to simply route all requests between
the two subnetworks.<br>
Sometimes multiple IP addresses are used because there are multiple
subnetworks configured on a LAN segment. This technique does not
provide for any security between the subnetworks if the users of the
systems have administrative privileges because in that case, the users
can simply manipulate their system's routing table to bypass your
firewall/router. Nevertheless, there are cases where you simply want to
consider the LAN segment itself as a zone and allow your
firewall/router to route between the two subnetworks.<br>
<br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254
and eth1:0 is 192.168.20.254. You want to simply route all requests
between the two subnetworks.<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4>
In /etc/shorewall/interfaces:<br>
In /etc/shorewall/interfaces:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
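Review bot: the `MULTIPLE SUBNETS` heading stays all-caps while this same commit renames `STATIC NAT` to `One-to-one NAT`; `Multiple Subnets` would be consistent. In Example 1, `Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24` reads awkwardly; `is connected to` is clearer. The security caveat about users with administrative privileges being able to rewrite their routing table is the right thing to keep up front here.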
@ -434,13 +413,11 @@ and eth1:0 is 192.168.20.254. You want to simply route all requests between
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/hosts:<br>
</blockquote>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -468,19 +445,17 @@ and eth1:0 is 192.168.20.254. You want to simply route all requests between
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall
1.4.1 and later releases default to allowing intra-zone traffic.<br>
</blockquote>
Note that you do NOT need any entry in /etc/shorewall/policy as
Shorewall 1.4.1 and later releases default to allowing intra-zone
traffic.<br>
<h4>If you are running Shorewall 1.4.0 or earlier<br>
</h4>
In /etc/shorewall/interfaces:<br>
<br>
</h4>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -504,17 +479,15 @@ and eth1:0 is 192.168.20.254. You want to simply route all requests between
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you
must specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -542,20 +515,19 @@ must specify the <b>multi</b> option.<br>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You want to make these subnetworks into separate
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You want to make these subnetworks into
separate
zones and control the access between them (the users of the systems do
not have administrative privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br>
<br>
In /etc/shorewall/zones:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -583,14 +555,12 @@ not have administrative privileges).<br>
<td valign="top">Local Zone 2<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/interfaces:<br>
<br>
</blockquote>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -614,16 +584,14 @@ not have administrative privileges).<br>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you
must specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -651,21 +619,18 @@ must specify the <b>multi</b> option.<br>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
that you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 7/29/2003 A - <a
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
that you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 11/13/2003 A - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</body>
</html>
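Review bot: the footer reads `Last Updated 11/13/2003 A -`; the stray `A` after the date is carried over from the previous `7/29/2003 A` and looks like a leftover that should be dropped.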

View File

@ -0,0 +1,32 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<title>Shorewall and Kazaa</title>
<meta name="author" content="Tom Eastep">
</head>
<body>
<h1 style="text-align: center;">Kazaa Filtering</h1>
<br>
Beginning with Shorewall version 1.4.8, Shorewall can interface to <span
style="font-weight: bold;">ftwall</span>. ftwall is part of the
p2pwall project and is a user-space filter for applications based on
the "Fast Track" peer to peer protocol. Applications using this
protocol include Kazaa, KazaaLite, iMash and Grokster.<br>
<br>
To filter traffic from your 'loc' zone with ftwall, you insert the
following rules <span style="text-decoration: underline;"><span
style="font-weight: bold;">near the top</span></span> of your
/etc/shorewall/rules file (before and ACCEPT rules whose source is the
'loc' zone).<br>
<pre style="margin-left: 40px;">QUEUE loc net tcp<br>QUEUE loc net udp<br>QUEUE loc fw udp<br></pre>
Now simply configure ftwall as described in the ftwall documentation
and restart Shorewall.<br>
<p align="left"><font size="2">Last updated 10/22/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>
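Review bot: the new page should document the failure mode of these rules: QUEUE hands packets to user space, and when no program (here ftwall) is attached to the queue the kernel drops them, so once the three rules sit near the top of /etc/shorewall/rules all tcp and udp traffic from 'loc' to 'net' depends on ftwall being up. That fails closed, which is the safe direction, but a reader who stops ftwall will otherwise be surprised by a dead LAN. The third rule uses the literal zone name `fw` where the Squid page in this same commit writes `$FW`; use `$FW` so the rule follows the FW setting in shorewall.conf. Typo: `before and ACCEPT rules whose source is the 'loc' zone` should be `before any ACCEPT rules`.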

View File

@ -1,138 +1,66 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td
width="100%" height="90" align="center">
<div align="center">
</div>
<a href="http://www.shorewall.net" target="_top"><img
border="0" src="images/ProtectedBy.png" width="200" height="42"
hspace="4" alt="(Shorewall Logo)" align="middle" vspace="4">
</a><br>
<br>
</td>
</tr>
<tr>
<td
width="100%" bgcolor="#ffffff">
<td width="100%" bgcolor="#ffffff">
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li>
<a href="shorewall_features.htm">Features</a></li>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a
href="download.htm">Download</a><br>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a
href="Install.htm">Configuration</a><br>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
<li><a href="useful_links.html">Useful Links</a><br>
</li>
<li> <a
href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a
href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a
href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing
Lists</a><a href="http://lists.shorewall.net"> </a><br>
<li> <a href="troubleshoot.htm">Things to try if it doesn't
work</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
</li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
</ul>
</li>
<li> <a href="News.htm">News Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a
href="quotes.htm">Quotes from Users</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<ul>
</ul>
<li> <a
href="shoreline.htm">About the Author</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</p>
</body>
</html>
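Review bot: the `</p>` following the two `<br>` lines at the end of the hunk has no matching opening tag once the copyright `<p>...</p>` is closed, and the empty `<ul></ul>` nested under `Mirrors` and after `Quotes from Users` render only as blank indents; drop the stray `</p>` and the two empty lists.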

View File

@ -1,120 +1,68 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base
target="main">
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td
width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td
width="100%" bgcolor="#ffffff">
<td width="100%" bgcolor="#ffffff">
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li>
<a href="shorewall_features.htm">Features</a></li>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a
href="download.htm">Download</a><br>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a
href="Install.htm">Configuration</a><br>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
<li><a href="useful_links.html">Useful Links</a><br>
</li>
<li> <a
href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a
href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a
href="support.htm">Getting help or Answers to Questions</a>
<li> <a href="troubleshoot.htm">Things to try if it doesn't
work</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
</li>
<li><a
href="http://lists.shorewall.net">Mailing Lists</a></li>
<li><a
href="shorewall_mirrors.htm">Mirrors</a></li>
<li><a
href="News.htm">News Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
</ul>
<li> <a
href="quotes.htm">Quotes from Users</a></li>
<li> <a
href="shoreline.htm">About the Author</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</li>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<ul>
</ul>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</p>
<br>
<br>
</body>
</html>
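Review bot: same markup issues as the other index file: a `</p>` after the trailing `<br>` lines without an opening `<p>`, and empty `<ul></ul>` elements under `Mirrors` and after `Quotes from Users`. Also check that `Mailing Lists`, which appears twice in the old text (once with an empty trailing `<a href="http://lists.shorewall.net"> </a>`), is listed exactly once in the new version and that the empty anchor is removed.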

View File

@ -0,0 +1,45 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<title>Banner</title>
<meta name="author" content="Tom Eastep">
<base target="main">
</head>
<body style="color: rgb(0, 0, 0); background-color: rgb(51, 102, 255);"
link="#000099" vlink="#990099" alink="#000099">
<table cellpadding="0"
style="border-collapse: collapse; background-color: rgb(51, 102, 255); width: 1020px; height: 102px;"
id="AutoNumber3">
<tbody>
<tr>
<td style="text-align: center; width: 34%; vertical-align: top;">
<div align="center"> <img src="images/Logo1.png"
alt="(Shorewall Logo)" style="width: 430px; height: 90px;"
align="middle" title=""> </div>
</td>
<td style="vertical-align: top;">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"
style="background-color: rgb(51, 102, 255);"> <strong><font
color="#ffffff"><b>Note: </b></font></strong><font color="#ffffff">Search
is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font> <font color="#ffffff"> <input
type="hidden" name="format" value="long"> <input type="hidden"
name="method" value="and"> <input type="hidden" name="config"
value="htdig"> <input type="submit" value="Search"><b><font
color="#ffffff">&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <a
href="http://lists.shorewall.net/htdig/search.html"
style="color: rgb(255, 255, 255);">Extended Search</a></font></b></font></p>
<font face="Arial"> <input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
</td>
</tr>
</tbody>
</table>
</body>
</html>
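Review bot: the search form's `action` is the absolute URL http://lists.shorewall.net/cgi-bin/htsearch, so a search typed into a mirrored copy of the docs always goes back to the primary host; if that is intended, say so in a comment, because `<base target="main">` in the head already makes every link and the form submission target the `main` frame and the combination is easy to misread. Style: the Note is bolded twice (`<strong><font><b>`), there is an empty `<strong></strong>` after it, and the logo `<img>` carries an empty `title=""`.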

Shorewall-docs/UserSets.html Executable file
View File

@ -0,0 +1,141 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Controlling Traffic by UID/GID</title>
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Controlling Output
Traffic by UID/GID<br>
</font></h1>
</td>
</tr>
</tbody>
</table>
This capability was added in Shorewall release
1.4.7.<br>
<br>
Netfilter provides the capability to filter packets generated on the
firewall system by User Id and/or Group Id. Shorewall provides two
separate but related ways to use this Netfilter capability:<br>
<ol>
<li>Shorewall allows you to
define collections of users called "<a href="#UserSet">User Sets</a>"
and then to restrict
certain rules in /etc/shorewall/rules to a given User Set.</li>
<li>Shorewall also allows you to restrict a given <a href="#Rule">rule
</a>to a particular user and/or group.<br>
</li>
</ol>
Since only packets created by programs running on the Shorewall box
itself, only rules whose SOURCE is the firewall ($FW) may be restricted
using either of the facilities.<br>
<h2><a name="UserSet"></a>User Sets<br>
</h2>
Given the way that this facility is implemented in Shorewall, it is not
possible to control logging of individual rules using a User Set and
logging is rather specified on the User Set itself.<br>
<br>
User Sets are defined in the /etc/shorewall/usersets file. Columns in
that file include:<br>
<br>
<div style="margin-left: 40px;">USERSET&nbsp;&nbsp; &nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The name of a User Set. Must be a legal
shell
identifier of no more than six (6) characters in length.<br>
REJECT&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;
Log level for connections rejected for this User Set.<br>
ACCEPT&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp; Log
level for connections accepted for this User Set.<br>
DROP &nbsp;&nbsp; &nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;
&nbsp;&nbsp; Log level for connections dropped for this User Set.<br>
</div>
<br>
In the REJECT and ACCEPT columns, if you don't want to specify a value
in the column but you want to specify a value in a following column,
you may enter "-".<br>
<br>
Users and/or groups are added to User Sets using the
/etc/shorewall/users file. Columns in that file are:<br>
<br>
<div style="margin-left: 40px;">USERSET&nbsp;&nbsp; &nbsp;&nbsp;
&nbsp;&nbsp; &nbsp;&nbsp; The name of a User Set defined in
/etc/shorewall/usersets.<br>
USER&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;
&nbsp;&nbsp; The name of a user defined on the system or a user number.<br>
GROUP&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;
The name of a group defined on the system or a number.<br>
</div>
<p align="left">Only one of the USER and GROUP
column needs to be non-empty. If you wish to specify a GROUP but not a
USER, enter "-" in the user column.<br>
</p>
<p align="left">If both USER and GROUP are
specified then only programs running under that USER:GROUP pair will
match rules specifying the User Set named in the USERSET column.<br>
</p>
<p align="left">Once a user set has been defined, its name may be
placed in the USER SET column of the /etc/shorewall/rules file. <span
style="color: rgb(255, 0, 0);"><span style="font-weight: bold;">IMPORTANT:
</span></span>When
the name of a user set is given in the USER SET column, you may not
include a log level in the ACTION column; logging of such rules is
governed solely by the user set's definition in the
/etc/shorewall/userset file.
</p>
<p align="left">Example: You want members of the
'admin' group and 'root' to be able to use ssh on the firewall to
connect to local systems. You want to log all connections accepted for
these users using syslog at the 'info' level.<br>
</p>
<div style="margin-left: 40px;"></div>
<p align="left" style="margin-left: 40px;">/etc/shorewall/usersets</p>
<div style="margin-left: 40px;"></div>
<pre style="margin-left: 80px;">#USERSET REJECT ACCEPT DROP<br>admins - info<br></pre>
<div style="margin-left: 40px;"></div>
<p align="left" style="margin-left: 40px;">/etc/shorewall/users<br>
</p>
<div style="margin-left: 40px;"></div>
<pre style="margin-left: 80px;">#USERSET USER GROUP<br>admins - admin<br>admins root<br></pre>
<div style="margin-left: 40px;">/etc/shorewall/rules<br>
</div>
<pre style="margin-left: 80px;">#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER<br># PORT(S) DESTINATION SET<br><br>ACCEPT $FW loc tcp 22 - - - admins<br></pre>
<h2><a name="Rule"></a>Restricting a rule to a particular user and/or
group<br>
</h2>
In cases where you may want to restrict a rule to a particular user
and/or group, the USER SET column in the rules file may be specified as:<br>
<br>
<div style="margin-left: 40px;">[ &lt;<span style="font-style: italic;">user
name or number</span>&gt; ] : [ &lt;<span style="font-style: italic;">group
name or number</span>&gt; ]<br>
<div style="text-align: left;"><br>
</div>
</div>
When a user and/or group name is given in the USER SET column, it is OK
to specify a log level in the ACTION column. <br>
<br>
Example: You want user <span style="font-style: italic;">mail </span>to
be able to send email from the firewall to the local net zone<br>
<br>
<div style="margin-left: 40px;">/etc/shorewall/rules (be sure to note
the ":" in the USER SET column entry).<br>
<pre>#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER<br># PORT(S) DESTINATION SET<br><br>ACCEPT $FW loc tcp 25 - - - mail:</pre>
</div>
<p align="left"><font size="2">Last updated 9/19/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
</body>
</html>
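Review bot: the sentence "Since only packets created by programs running on the Shorewall box itself, only rules whose SOURCE is the firewall ($FW) may be restricted" is missing its predicate (what those packets carry that makes matching possible), and the IMPORTANT paragraph refers to "/etc/shorewall/userset" while the file is introduced above as "/etc/shorewall/usersets". The example also promises access to "members of the 'admin' group", but the GROUP column description does not say whether the match is against a process's effective group or any supplementary group; document which, since that decides who the `admins` rule actually covers.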

View File

@ -1,55 +1,36 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>VPN</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">VPN</font></h1>
</td>
</tr>
</tbody>
</table>
<p>It is often the case that a system behind the firewall needs to be able
to access a remote network through Virtual Private Networking (VPN). The
two most common means for doing this are IPSEC and PPTP. The basic setup
is shown in the following diagram:</p>
<body>
<h1 style="text-align: center;">VPN<br>
</h1>
<p>It is often the case that a system behind the firewall needs to be
able to access a remote network through Virtual Private Networking
(VPN). The two most common means for doing this are IPSEC and PPTP. The
basic setup is shown in the following diagram:</p>
<p align="center"><img border="0" src="images/VPN.png" width="568"
height="796">
</p>
<p align="left">A system with an RFC 1918 address needs to access a remote
network through a remote gateway. For this example, we will assume that the
local system has IP address 192.168.1.12 and that the remote gateway has
height="796"> </p>
<p align="left">A system with an RFC 1918 address needs to access a
remote network through a remote gateway. For this example, we will
assume that the local system has IP address 192.168.1.12 and that the
remote gateway has
IP address 192.0.2.224.</p>
<p align="left">If PPTP is being used, there are no firewall requirements
beyond the default loc-&gt;net ACCEPT policy. There is one restriction however:
Only one local system at a time can be connected to a single remote gateway
unless you patch your kernel from the 'Patch-o-matic' patches available at
<p align="left">If PPTP is being used, there are no firewall
requirements beyond the default loc-&gt;net ACCEPT policy. There is one
restriction however: Only one local system at a time can be connected
to a single remote gateway unless you patch your kernel from the
'Patch-o-matic' patches available at
<a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
<p align="left">If IPSEC is being used then only one system may connect to
the remote gateway and there are firewall configuration requirements as follows:</p>
<p align="left">If IPSEC is being used then only one system may connect
to the remote gateway and there are firewall configuration requirements
as follows:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
bordercolor="#111111" id="AutoNumber2" height="98">
@ -61,18 +42,18 @@ the remote gateway and there are firewall configuration requirements as follows
<td height="38"><u><b>PROTOCOL</b></u></td>
<td height="38"><u><b>PORT</b></u></td>
<td height="38"><u><b>CLIENT<br>
PORT</b></u></td>
PORT</b></u></td>
<td height="38"><u><b>ORIGINAL<br>
DEST</b></u></td>
DEST</b></u></td>
</tr>
<tr>
<td height="19">DNAT</td>
<td height="19">net:192.0.2.224</td>
<td height="19">loc:192.168.1.12</td>
<td height="19">50</td>
<td height="19"> </td>
<td height="19"> </td>
<td height="19"> </td>
<td height="19">&nbsp;</td>
<td height="19">&nbsp;</td>
<td height="19">&nbsp;</td>
</tr>
<tr>
<td height="19">DNAT</td>
@ -80,27 +61,24 @@ the remote gateway and there are firewall configuration requirements as follows
<td height="19">loc:192.168.1.12</td>
<td height="19">udp</td>
<td height="19">500</td>
<td height="19"> </td>
<td height="19"> </td>
<td height="19">&nbsp;</td>
<td height="19">&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>If you want to be able to give access to all of your local systems to the
remote network, you should consider running a VPN client on your firewall.
As starting points, see <a
href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a>
or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
</blockquote>
<p>If you want to be able to give access to all of your local systems
to the remote network, you should consider running a VPN client on your
firewall. As starting points, see <a
href="Documentation.htm#Tunnels">
http://www.shorewall.net/Documentation.htm#Tunnels</a> or <a
href="PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<p> </p>
<br>
<br>
<p>&nbsp;</p>
<br>
<br>
</body>
</html>
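Review bot: the hrefs become the relative `Documentation.htm#Tunnels` and `PPTP.htm`, but the visible link text still reads the absolute http://www.shorewall.net/... URLs, so a reader on a mirror sees one address and lands on another; either change the text to match or keep both absolute. The "Last modified 12/21/2002" stamp is left alone, which is right only if this hunk is reformatting and nothing else.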

View File

@ -1,102 +1,91 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Blacklisting Support</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Blacklisting Support</font></h1>
</td>
</tr>
</tbody>
</table>
<p>Shorewall supports two different forms of blacklisting; static and dynamic.</p>
<body>
<h1 style="text-align: center;">Shorewall Blacklisting Support<br>
</h1>
<p>Shorewall supports two different forms of blacklisting; static and
dynamic. Beginning with Shorewall version 1.4.8, the BLACKLISTNEWONLY
option in /etc/shorewall/shorewall.conf controls the degree of
blacklist filtering:<br>
</p>
<ol>
<li>BLACKLISTNEWONLY=No --&nbsp; All incoming packets are checked
against the blacklist. New blacklist entries can be used to terminate
existing connections. Versions of Shorewall prior to 1.4.8 behave in
this manner.<br>
</li>
<li>BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new
connection requests. Blacklists may not be used to terminate existing
connections.</li>
</ol>
Only the source address is checked against the blacklists.<br>
<h2>Static Blacklisting</h2>
<p>Shorewall static blacklisting support has the following configuration
<p>Shorewall static blacklisting support has the following
configuration
parameters:</p>
<ul>
<li>You specify whether you want packets from blacklisted hosts dropped
or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts logged
and at what syslog level using the <a
<li>You specify whether you want packets from blacklisted hosts
dropped or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the <a
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
/etc/shorewall/shorewall.conf</li>
<li>You list the IP addresses/subnets that you wish to blacklist in
<a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL and
/etc/shorewall/shorewall.conf</li>
<li>You list the IP addresses/subnets that you wish to blacklist in <a
href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL
and
Port numbers/Service names in the blacklist file.<br>
</li>
<li>You specify the interfaces whose incoming packets you want checked
against the blacklist using the "<a
href="Documentation.htm#Interfaces">blacklist</a>" option in /etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the
"<a href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
<li>You specify the interfaces whose incoming packets you want
checked against the blacklist using the "<a
href="Documentation.htm#Interfaces">blacklist</a>" option in
/etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
</ul>
<h2>Dynamic Blacklisting</h2>
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
doesn't use any configuration parameters but is rather controlled using
/sbin/shorewall commands:</p>
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic
blacklisting doesn't use any configuration parameters but is rather
controlled using /sbin/shorewall commands:</p>
<ul>
<li>drop <i>&lt;ip address list&gt; </i>- causes packets from the
listed IP addresses to be silently dropped by the firewall.</li>
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the
listed IP addresses to be rejected by the firewall.</li>
<li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets
from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
listed IP addresses to be rejected by the firewall.</li>
<li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of
packets from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
command.</li>
<li>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is restarted.</li>
will be automatically restored the next time that the firewall is
restarted.</li>
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
</ul>
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
in /etc/shorewall/interfaces.<br>
<p>Example 1:</p>
<pre> <b><font color="#009900">shorewall drop 192.0.2.124 192.0.2.125</font></b></pre>
<p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
<p>&nbsp;&nbsp;&nbsp; Drops packets from hosts 192.0.2.124 and
192.0.2.125</p>
<p>Example 2:</p>
<pre> <b><font color="#009900">shorewall allow 192.0.2.125</font></b></pre>
<p>    Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 7/27/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p>&nbsp;&nbsp;&nbsp; Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 11/14/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
© <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
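Review bot: the new BLACKLISTNEWONLY paragraph does not state what the option defaults to when it is absent from shorewall.conf (a configuration carried over from 1.4.7 will not have it), nor whether the dynamic `drop`/`reject` commands are subject to the same setting; both matter because, as item 2 says, with BLACKLISTNEWONLY=Yes a connection that is already established survives the host being blacklisted. Add one sentence giving the default and the effect on dynamic blacklisting. Minor: "Reenables" should read "Re-enables".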

View File

@ -9,17 +9,8 @@
<title>Configuration File Basics</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Configuration Files<br>
</h1>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a
@ -46,7 +37,7 @@ and Source Network Address Translation (SNAT).</li>
modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT
<li>/etc/shorewall/nat - defines one-to-one NAT
rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
@ -254,18 +245,21 @@ that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p>
<p>Example:</p>
<p>Example:<br>
</p>
<p>&nbsp;&nbsp;&nbsp; /etc/shorewall/params<br>
</p>
<blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918<br></pre>
</blockquote>
<p><br>
Example (/etc/shorewall/interfaces record):</p>
<p>&nbsp;&nbsp;&nbsp; /etc/shorewall/interfaces record:</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
<p>The result will be the same as if the record had been written</p>
<p>&nbsp;&nbsp;&nbsp; The result will be the same as if the record had
been written</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
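Review bot: `<font face="Century Gothic, Arial, Helvetica">` wrapping a `<blockquote>` (in both the interfaces-record example and the "result" example) is an inline element around a block element, which is invalid in HTML 4.01 Transitional; move the face onto the `<pre>` or drop it. The `&nbsp;&nbsp;&nbsp;` indentation of the "/etc/shorewall/params" and "/etc/shorewall/interfaces record:" captions would be better expressed with the `margin-left` style that UserSets.html uses in this same commit.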
@ -331,7 +325,8 @@ The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
allows you to attempt to restart using an alternate configuration and
if an
error occurs to automatically restart the standard configuration.<br>
<p><font size="2"> Updated 8/22/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 11/20/2003 - <a href="support.htm">Tom
Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>

View File

@ -1,46 +1,30 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Copyright</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Copyright</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="left">Copyright <font face="Trebuchet MS">©</font>  2000, 2001,
2003 Thomas M Eastep<br>
 </p>
<body>
<h1 style="text-align: center;">Copyright<br>
</h1>
<p align="left">Copyright <font face="Trebuchet MS">©</font>&nbsp;
2000, 2001, 2003 Thomas M Eastep<br>
&nbsp;</p>
<blockquote>
<p align="left">Permission is granted to copy, distribute and/or modify
this document under the terms of the GNU Free Documentation License, Version
1.1 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
A copy of the license is included in the section entitled "<a
href="GnuCopyright.htm">GNU Free Documentation License</a>".<br>
 </p>
</blockquote>
<br>
<br>
<p align="left">Permission is granted to copy, distribute and/or
modify this document under the terms of the GNU Free Documentation
License, Version 1.1 or any later version published by the Free
Software Foundation; with no Invariant Sections, with no Front-Cover,
and with no Back-Cover Texts. A copy of the license is included in the
section entitled "<a href="GnuCopyright.htm">GNU Free Documentation
License</a>".<br>
&nbsp;</p>
</blockquote>
<br>
<br>
</body>
</html>
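Review bot: the year list "2000, 2001, 2003" skips 2002 even though the other pages in this commit are marked "2002, 2003" and "2001, 2002, 2003"; confirm whether the omission is deliberate and, if not, add 2002.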

View File

@ -1,85 +1,65 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>DHCP</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">DHCP</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
<h1 style="text-align: center;">DHCP<br>
</h1>
<h2 align="left">If you want to Run a DHCP Server on your firewall</h2>
<ul>
<li>
<p align="left">Specify the "dhcp" option on each interface to be served
<p align="left">Specify the "dhcp" option on each interface to be
served
by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. This will generate rules that will allow DHCP to and from your firewall
file. This will generate rules that will allow DHCP to and from your
firewall
system. </p>
</li>
<li>
<p align="left">When starting "dhcpd", you need to list those interfaces
on the run line. On a RedHat system, this is done by modifying /etc/sysconfig/dhcpd.
</p>
<p align="left">When starting "dhcpd", you need to list those
interfaces on the run line. On a RedHat system, this is done by
modifying /etc/sysconfig/dhcpd. </p>
</li>
</ul>
<h2 align="left">If a Firewall Interface gets its IP Address via DHCP</h2>
<ul>
<li>
<p align="left">Specify the "dhcp" option for this interface in the
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. This will generate rules that will allow DHCP to and from your firewall
system. </p>
file.&nbsp;This will generate rules that will allow DHCP to and from
your firewall system. </p>
</li>
<li>
<p align="left">If you know that the dynamic address is always going to
be in the same subnet, you can specify the subnet address in the interface's
entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. </p>
<p align="left">If you know that the dynamic address is always
going to
be in the same subnet, you can specify the subnet address in the
interface's entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. </p>
</li>
<li>
<p align="left">If you don't know the subnet address in advance, you should
specify "detect" for the interface's subnet address in the <a
<p align="left">If you don't know the subnet address in advance,
you should specify "detect" for the interface's subnet address in the <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
and start Shorewall after the interface has started. </p>
</li>
<li>
<p align="left">In the event that the subnet address might change while
Shorewall is started, you need to arrange for a "shorewall refresh"
command to be executed when a new dynamic IP address gets assigned to
the interface. Check your DHCP client's documentation. </p>
<p align="left">In the event that the subnet address might change
while Shorewall is started, you need to arrange for a "shorewall
refresh" command to be executed when a new dynamic IP address gets
assigned to the interface. Check your DHCP client's documentation. </p>
</li>
</ul>
<p align="left"><font size="2">Last updated 11/03/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

View File

@ -9,17 +9,8 @@
<title>Download</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Shorewall Download<br>
</h1>
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>
@ -86,20 +77,20 @@ removing the file /etc/shorewall/startup_disabled.</b></font></p>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>SourceForge<br>
</td>
<td>sf.net</td>
<td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td style="vertical-align: top;">Washington State, USA</td>
<td style="vertical-align: top;">Shorewall.net</td>
<td style="vertical-align: top;"><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td style="vertical-align: top;"><a
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
@ -144,7 +135,8 @@ Unavailable)</a></td>
<td valign="top"><a
href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br>
</td>
<td valign="top">N/A<br>
<td valign="top"><a href="ftp://ftp.syachile.cl/pub/shorewall"
target="_top">Browse</a><br>
</td>
</tr>
<tr>
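Review bot: the new FTP link for the Argentina row points at ftp://ftp.syachile.cl/pub/shorewall, a different host from the row's HTTP mirror (argentina.shorewall.net), and uses `target="_top"` while every other mirror link in the table uses `target="_blank"`; verify that this host belongs to this row and make the target consistent.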
@ -159,11 +151,14 @@ Unavailable)</a></td>
</td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
target="_blank">Browse</a></td>
<td>Sourceforge - California, USA (Incomplete)<br>
</td>
<td>Sourceforge.net<br>
</td>
<td><a href="http://sourceforge.net/projects/shorewall">Browse<br>
</a></td>
<td>N/A<br>
</td>
</tr>
</tbody>
</table>
@ -187,7 +182,7 @@ These snapshots have undergone initial testing and will have been
installed and run at shorewall.net.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 9/25/2003 - <a
<p align="left"><font size="2">Last Updated 11/14/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>

View File

@ -10,43 +10,36 @@
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade
Issues</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<p align="center"> </p>
<h1 style="text-align: center;">Shorewall Errata<br>
</h1>
<p align="center"><b><u>IMPORTANT</u></b></p>
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
it
to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
time and plan to use the .tgz and install.sh script, you can untar the
archive, replace the 'firewall' script in the untarred directory with
the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a
corrected firewall script in /usr/share/shorewall/firewall,
you may rename the existing file before copying in the new file.</b></p>
corrected firewall script in /usr/share/shorewall/firewall, you may
rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED
COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall script
if you are running 1.3.7c.</font></b><br>
BELOW. For example, do NOT install the 1.3.9a firewall script if you
are
running 1.3.7c.</font></b><br>
</p>
</li>
</ol>
@ -61,8 +54,7 @@ Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a href="#iptables"> Problem with
iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat
iptables</a></b></li>
RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
MULTIPORT=Yes</a></b></li>
@ -75,12 +67,38 @@ REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
<hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3>
<h3>1.4.7</h3>
<ul>
<li>Using some versions of 'ash' (such as from RH8) as the
SHOREWALL_SHELL causes "shorewall [re]start" to fail with:<br>
<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so: <br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.</li>
<li>When more than one ICMP type is listed in a rule and your kernel
includes multiport match support,&nbsp; the firewall fails to
start.&nbsp;</li>
<li>Regardless of the setting of LOGUNCLEAN, the value
LOGUNCLEAN=info was used.</li>
<li>After the following error message, Shorewall was left in an
inconsistent state:<br>
<br>
Error: Unable to determine the routes through interface xxx<br>
</li>
</ul>
These problems have been corrected in this <a
href="http://shorewall.net/pub/shorewall/errata/1.4.7/firewall">firewall
script</a> which may be installed in /var/share/shorewall/firewall as
described above.<br>
<h3>1.4.6</h3>
<ul>
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
would fail to start with the error "ERROR:&nbsp; Traffic Control
requires Mangle";
that problem has been corrected in <a
requires
Mangle"; that problem has been corrected in <a
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in
/var/share/shorewall/firewall as described above. This problem is also
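Review bot: the install path in the new 1.4.7 entry, and in the 1.4.6 entry directly beneath it, reads /var/share/shorewall/firewall, but the instructions at the top of this page tell the reader to put a corrected script in /usr/share/shorewall/firewall; someone following the 1.4.7 text would copy the script to a location the installed Shorewall never reads. Suggest "/usr/share/shorewall/firewall as described above" in both entries. The 1.4.7 download link also uses http://shorewall.net/pub/shorewall/errata/... while the other entries on this page link ftp://ftp1.shorewall.net/pub/shorewall/errata/...; worth confirming the http path serves the same file before release.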
@ -95,13 +113,10 @@ follows:<br>
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
in <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in
/var/share/shorewall/firewall
as described above. For all other versions, you will have to edit your
'firewall'
script (in versions 1.4.*, it is located in
/usr/share/shorewall/firewall).
Locate the function add_tcrule_() and in that function, replace this
line:<br>
/var/share/shorewall/firewall as described above. For all other
versions, you will have to edit your 'firewall' script (in versions
1.4.*, it is located in /usr/share/shorewall/firewall). Locate the
function add_tcrule_() and in that function, replace this line:<br>
<br>
&nbsp; &nbsp; <span style="font-family: monospace;">r=`mac_match
$source`&nbsp;</span><br>
@ -116,13 +131,13 @@ Note that there must be a space before the ending quote!<br>
</ul>
<h3>1.4.4b</h3>
<ul>
<li>Shorewall is ignoring records in /etc/shorewall/routestopped
that have an empty second column (HOSTS). This problem may be corrected
by installing <a
<li>Shorewall is ignoring records in /etc/shorewall/routestopped that
have an empty second column (HOSTS). This problem may be corrected by
installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above.</li>
/usr/share/shorewall/firewall
as described above.</li>
<li>The INCLUDE directive doesn't work when placed in the
/etc/shorewall/zones file. This problem may be corrected by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
@ -138,8 +153,8 @@ though the log level for the console is set properly according to <a
installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above.<br>
/usr/share/shorewall/firewall
as described above.<br>
</li>
</ul>
<h3>1.4.4<br>
@ -158,7 +173,8 @@ to allow integration of Shorewall with Fireparse
of the integration problem. I have implimented a new LOGFORMAT variable
which will replace LOGMARKER which has completely solved this problem
and is currently in production with fireparse here at shorewall.net.
The updated files may be found at <a
The
updated files may be found at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.<br>
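Review bot: "implimented" on the context line of this hunk should be "implemented"; since the paragraph is being rewrapped anyway, fold the typo fix into the same change.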
@ -171,8 +187,8 @@ directory created in /tmp is not being removed. This problem may be
corrected by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall as
described above. <br>
/usr/share/shorewall/firewall
as described above. <br>
</li>
</ul>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
@ -191,7 +207,8 @@ in /etc/shorewall/common.def.<br>
produces the harmless additional message:<br>
<br>
&nbsp; &nbsp; &nbsp;/usr/share/shorewall/firewall: line 2174: [: =:
unary operator expected<br>
unary operator
expected<br>
<br>
You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
@ -202,8 +219,8 @@ You may correct the problem by installing <a
<h3>1.4.0</h3>
<ul>
<li>When running under certain shells Shorewall will attempt to
create ECN rules even when /etc/shorewall/ecn is empty. You may
either just remove /etc/shorewall/ecn or you can install <a
create ECN rules even when /etc/shorewall/ecn is empty. You may either
just remove /etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
@ -222,17 +239,19 @@ released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have
also built an <a
also
built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are
currently running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you
upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which
you can download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and
it works fine.</p>
has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.</font>I
have installed this RPM on my firewall and it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
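Review bot: the rewrap drops the whitespace between the closing `</font>` and "I have installed". The old text had a line break there; the new line ends `RHSA-2001-144.html</a>.</font>I` and continues `have installed`, so the page renders as "144.html.I have installed this RPM". Put a space or line break after `</font>`.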
@ -246,8 +265,8 @@ corrects a problem in handling the&nbsp; TOS target.</p>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
RedHat iptables</h3>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and RedHat
iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel
2.4.18/19 may experience the following:</p>
@ -259,10 +278,9 @@ user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing
<a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a
1.2.5 version of iptables, you will need to specify the
--oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
iptables-1.2.5-1.i386.rpm").</p>
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm
(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
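Review bot: the example command in the --oldpackage sentence is wrong in both the old and the rewrapped line: `iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm` invokes iptables, not the package manager. It should read `rpm -Uvh --oldpackage iptables-1.2.5-1.i386.rpm`, matching the `-Uvh` usage elsewhere on this page. Since the line is being touched, fix it in this change.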
@ -275,7 +293,8 @@ MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as a
consequence, if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
Shorewall
1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6 you may install <a
@ -293,23 +312,22 @@ Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
2.4.19 kernel contains corrected support
under a new kernel configuraiton option; see <a
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
2.4.19 kernel contains corrected support under a new kernel
configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<br>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9
and REJECT
(also applies to 2.4.21-RC1)</b></h3>
and
REJECT (also applies to 2.4.21-RC1)</b></h3>
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
tcp-reset" is broken. The symptom most commonly seen is that REJECT
rules act just like DROP rules when dealing with TCP. A kernel patch
and precompiled modules to fix this problem are available at <a
and
precompiled modules to fix this problem are available at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
<hr>
<p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom
Eastep</a></font>
</p>
<p><font size="2"> Last updated 10/11/2003 - <a href="support.htm">Tom
Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
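Review bot: "configuraiton" survives the rewrap of the 2.4.19 kernel sentence; correct it to "configuration" while the line is being rewritten. The rest of this hunk is a rewrap plus the footer date change and looks fine.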

View File

@ -1,77 +1,61 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Fallback and Uninstall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Fallback and Uninstall</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
<div style="text-align: left;">
<h1 style="text-align: center;">Fallback and Uninstall<br>
</h1>
<h1><strong></strong></h1>
<h1><strong></strong></h1>
</div>
<p><strong>Shorewall includes a </strong><a href="#fallback"><strong>fallback
script</strong></a><strong> and an </strong><a href="#uninstall"><strong>uninstall
script</strong></a><strong>.</strong></p>
<h2><a name="fallback"></a>Falling Back to the Previous Version of Shorewall
using the Fallback Script</h2>
<p>If you install Shorewall and discover that it doesn't work for you, you
<h2><a name="fallback"></a>Falling Back to the Previous Version of
Shorewall using the Fallback Script</h2>
<p>If you install Shorewall and discover that it doesn't work for you,
you
can fall back to your previously installed version. To do that:</p>
<ul>
<li>cd to the distribution directory for the version of Seattle
Firewall <u>that you are currently running </u>(NOT the version
that you want to fall back to).</li>
Firewall <u>that you are currently running </u>(NOT the version that
you want to fall back to).</li>
<li>Type "./fallback.sh"</li>
</ul>
<h3><strong><u>Warning:</u> The fallback script will replace /etc/shorewall/policy,
/etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat, /etc/shorewall/proxyarp
and /etc/shorewall/masq with the version of these files from before the current
<h3><strong><u>Warning:</u> The fallback script will replace
/etc/shorewall/policy,
/etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat,
/etc/shorewall/proxyarp
and /etc/shorewall/masq with the version of these files from before the
current
version was installed. Any changes to any of these files will be lost.</strong></h3>
<h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall using
rpm</h2>
<p>If your previous version of Shorewall was installed using RPM, you may
fall back to that version by typing "rpm -Uvh --force &lt;old rpm&gt;" at
a root shell prompt (Example: "rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm"
<h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall
using rpm</h2>
<p>If your previous version of Shorewall was installed using RPM, you
may
fall back to that version by typing "rpm -Uvh --force &lt;old rpm&gt;"
at
a root shell prompt (Example: "rpm -Uvh --force
/downloads/shorewall-3.1=0noarch.rpm"
would fall back to the 3.1-0 version of Shorewall).</p>
<h2><a name="uninstall"></a>Uninstalling Shorewall</h2>
<p>If you no longer wish to use Shorewall, you may remove it by:</p>
<ul>
<li>cd to the distribution directory for the version of Shorewall
that you have installed.</li>
<li>type "./uninstall.sh"</li>
</ul>
<p>If you installed using an rpm, at a root shell prompt type "rpm -e shorewall".</p>
<p>If you installed using an rpm, at a root shell prompt type "rpm -e
shorewall".</p>
<p><font size="2">Last updated 3/26/2001 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
</body>
</html>
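Review bot: the new header block introduces two empty `<h1><strong></strong></h1>` elements and a stray `<br>` inside the title `<h1>`; they only add vertical space and should be dropped. Two pre-existing errors are worth fixing while this file is being rewritten: the fallback bullet still says "Seattle Firewall" where every other page says Shorewall, and the rpm example `/downloads/shorewall-3.1=0noarch.rpm` does not match the "3.1-0 version" it claims to illustrate (the `=` should be `-` and the `.` before `noarch` is missing). The footer still reads "Last updated 3/26/2001" and the copyright stops at 2002, so neither was updated with this edit.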

View File

@ -1,80 +1,57 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>GNU Mailman</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">GNU Mailman/Postfix the Easy
Way</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 align="center"> </h1>
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by Michael
Tokarev as a suggested addition to the Postfix FAQ.</h4>
<body>
<h1 align="center">GNU Mailman/Postfix the Easy Way&nbsp;</h1>
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by
Michael Tokarev as a suggested addition to the Postfix FAQ.</h4>
<p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>
<br>
A: Mailman uses a setgid wrapper that is designed to be used in system-wide
aliases file so that rest of mailman's mail handling processes will run
with proper uid/gid. Postfix has an ability to run a command specified in
an alias as owner of that alias, thus mailman's wrapper is not needed here.
The best method to invoke mailman's mail handling via aliases is to use
separate alias file especially for mailman, and made it owned by mailman
and group mailman. Like:<br>
<br>
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
<br>
Make sure that /var/mailman/aliases.db is owned by mailman user (this
<br>
A: Mailman uses a setgid wrapper that is designed to be used in
system-wide aliases file so that rest of mailman's mail handling
processes will run with proper uid/gid. Postfix has an ability to run a
command specified in an alias as owner of that alias, thus mailman's
wrapper is not needed here. The best method to invoke mailman's mail
handling via aliases is to use separate alias file especially for
mailman, and made it owned by mailman and group mailman. Like:<br>
<br>
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
<br>
Make sure that /var/mailman/aliases.db is owned by mailman user (this
may be done by executing postalias as mailman userid).<br>
<br>
Next, instead of using mailman-suggested aliases entries with wrapper,
<br>
Next, instead of using mailman-suggested aliases entries with wrapper,
use the following:<br>
<br>
instead of<br>
mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
...<br>
<br>
use<br>
mailinglist: /var/mailman/scripts/post mailinglist<br>
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
...</p>
<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted something
very similar so that no workaround is necessary. See the README.POSTFIX file
included with Mailman-2.1. </h4>
<br>
instead of<br>
mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
...<br>
<br>
use<br>
mailinglist: /var/mailman/scripts/post mailinglist<br>
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
...</p>
<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted
something very similar so that no workaround is necessary. See the
README.POSTFIX file included with Mailman-2.1.&nbsp;</h4>
<p align="left"><font size="2">Last updated 12/29/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M.
Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
</body>
</html>
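Review bot: the new heading `GNU Mailman/Postfix the Easy Way&nbsp;` picks up a trailing non-breaking space, and the four `<br>` tags kept before `</body>` are layout padding; remove both. The quoted tip is otherwise only rewrapped. One clarification would help readers since the page is being touched: the text says Postfix runs the alias command as the owner of the alias file and that aliases.db must be owned by mailman; it should also say that those files must not be writable by other users, because whoever can edit them chooses the command that Postfix runs as mailman.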

Binary file not shown.

BIN
Shorewall-docs/images/Logo.png Executable file

BIN
Shorewall-docs/images/Logo3.png Executable file
View File

@ -1,22 +1,19 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
Frameset//EN""http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shoreline Firewall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<frameset cols="242,*">
<frame name="contents" target="main" src="Shorewall_index_frame.htm">
<frame name="main" src="seattlefirewall_index.htm" target="_self" scrolling="auto">
<noframes>
<body>
<p>This page uses frames, but your browser doesn't support them.</p>
</body>
</noframes>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1"></head>
<frameset rows="110,*" cols="*" frameborder="yes"
border="1"framespacing="0"> <frame
src="Banner.html" name="topFrame"scrolling="NO"
noresize >
<frameset cols="242,*" frameborder="yes" border="1" framespacing="0">
<frame src="Shorewall_index_frame.htm" name="contents"> <frame src="seattlefirewall_index.htm"
name="main">
</frameset>
</frameset>
<noframes><body><p>This page uses frames, but your browser doesn't
support them.</p></body></noframes>
</html>
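Review bot: the new frameset markup is missing the whitespace between attributes in two places, `border="1"framespacing="0"` and `name="topFrame"scrolling="NO"`; this is invalid HTML and a parser may drop the attribute after the run-on, so insert the spaces. The DOCTYPE context line has the same problem (`Frameset//EN""http://www.w3.org/TR/html4/frameset.dtd"`). Please also confirm whether the new `<meta ... charset=iso-8859-1>` is meant to replace the windows-1252 Content-Type meta earlier in the head rather than add a second, conflicting declaration.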

View File

@ -1,45 +1,27 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Kernel Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Kernel Configuration</font></h1>
</td>
</tr>
</tbody>
</table>
<p>For information regarding configuring and building GNU/Linux kernels, see
<body>
<h1 style="text-align: center;">Kernel Configuration<br>
</h1>
<p>For information regarding configuring and building GNU/Linux
kernels, see
<a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
<p>Here's a screen shot of my Network Options Configuration:</p>
<blockquote>
<p> <img border="0" src="images/netopts.jpg" width="609" height="842">
</p>
</blockquote>
<p>While not all of the options that I've selected are required, they should
be sufficient for most applications. Here's an excerpt from the corresponding
.config file (Note: If you are running a kernel older than 2.4.17, be sure
to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
<p>&nbsp;<img border="0" src="images/netopts.jpg" width="609"
height="842"> </p>
</blockquote>
<p>While not all of the options that I've selected are required, they
should be sufficient for most applications. Here's an excerpt from the
corresponding .config file (Note: If you are running a kernel older
than 2.4.17, be sure to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
<blockquote> <font size="2">
<p>#<br>
# Networking options<br>
@ -71,32 +53,29 @@ CONFIG_INET_ECN=y<br>
CONFIG_SYN_COOKIES=y<br>
</p>
</font> </blockquote>
<p>Here's a screen shot of my Netfilter configuration:</p>
<blockquote>
<p><img src="images/menuconfig1.jpg" alt="(Netfilter Options)"
width="589" height="849">
<br>
width="589" height="849"> <br>
</p>
</blockquote>
<p>Note that I have built everything I need as modules. You can also build
everything into your kernel but if you want to be able to deal with FTP running
on a non-standard port then I recommend that you modularize FTP Protocol
</blockquote>
<p>Note that I have built everything I need as modules. You can also
build
everything into your kernel but if you want to be able to deal with FTP
running
on a non-standard port then I recommend that you modularize FTP
Protocol
support.<br>
</p>
<p>Here's the corresponding part of my .config file:<br>
</p>
<blockquote>
<pre>#<br>#   IP: Netfilter Configuration<br>#<br>CONFIG_IP_NF_CONNTRACK=m<br>CONFIG_IP_NF_FTP=m<br>CONFIG_IP_NF_AMANDA=m<br>CONFIG_IP_NF_TFTP=m<br># CONFIG_IP_NF_IRC is not set<br># CONFIG_IP_NF_QUEUE is not set<br>CONFIG_IP_NF_IPTABLES=m<br>CONFIG_IP_NF_MATCH_LIMIT=m<br>CONFIG_IP_NF_MATCH_MAC=m<br>CONFIG_IP_NF_MATCH_PKTTYPE=m<br>CONFIG_IP_NF_MATCH_MARK=m<br>CONFIG_IP_NF_MATCH_MULTIPORT=m<br>CONFIG_IP_NF_MATCH_TOS=m<br>CONFIG_IP_NF_MATCH_ECN=m<br>CONFIG_IP_NF_MATCH_DSCP=m<br>CONFIG_IP_NF_MATCH_AH_ESP=m<br>CONFIG_IP_NF_MATCH_LENGTH=m<br># CONFIG_IP_NF_MATCH_TTL is not set<br>CONFIG_IP_NF_MATCH_TCPMSS=m<br>CONFIG_IP_NF_MATCH_HELPER=m<br>CONFIG_IP_NF_MATCH_STATE=m<br>CONFIG_IP_NF_MATCH_CONNTRACK=m<br>CONFIG_IP_NF_MATCH_UNCLEAN=m<br># CONFIG_IP_NF_MATCH_OWNER is not set<br>CONFIG_IP_NF_FILTER=m<br>CONFIG_IP_NF_TARGET_REJECT=m<br># CONFIG_IP_NF_TARGET_MIRROR is not set<br>CONFIG_IP_NF_NAT=m<br>CONFIG_IP_NF_NAT_NEEDED=y<br>CONFIG_IP_NF_TARGET_MASQUERADE=m<br>CONFIG_IP_NF_TARGET_REDIRECT=m<br>CONFIG_IP_NF_NAT_AMANDA=m<br>CONFIG_IP_NF_NAT_LOCAL=y<br># CONFIG_IP_NF_NAT_SNMP_BASIC is not set<br>CONFIG_IP_NF_NAT_FTP=m<br>CONFIG_IP_NF_NAT_TFTP=m<br>CONFIG_IP_NF_MANGLE=m<br>CONFIG_IP_NF_TARGET_TOS=m<br>CONFIG_IP_NF_TARGET_ECN=m<br>CONFIG_IP_NF_TARGET_DSCP=m<br>CONFIG_IP_NF_TARGET_MARK=m<br>CONFIG_IP_NF_TARGET_LOG=m<br>CONFIG_IP_NF_TARGET_ULOG=m<br>CONFIG_IP_NF_TARGET_TCPMSS=m<br>CONFIG_IP_NF_ARPTABLES=m<br>CONFIG_IP_NF_ARPFILTER=m<br># CONFIG_IP_NF_COMPAT_IPCHAINS is not set<br># CONFIG_IP_NF_COMPAT_IPFWADM is not set<br></pre>
</blockquote>
<pre>#<br>#&nbsp;&nbsp; IP: Netfilter Configuration<br>#<br>CONFIG_IP_NF_CONNTRACK=m<br>CONFIG_IP_NF_FTP=m<br>CONFIG_IP_NF_AMANDA=m<br>CONFIG_IP_NF_TFTP=m<br># CONFIG_IP_NF_IRC is not set<br># CONFIG_IP_NF_QUEUE is not set<br>CONFIG_IP_NF_IPTABLES=m<br>CONFIG_IP_NF_MATCH_LIMIT=m<br>CONFIG_IP_NF_MATCH_MAC=m<br>CONFIG_IP_NF_MATCH_PKTTYPE=m<br>CONFIG_IP_NF_MATCH_MARK=m<br>CONFIG_IP_NF_MATCH_MULTIPORT=m<br>CONFIG_IP_NF_MATCH_TOS=m<br>CONFIG_IP_NF_MATCH_ECN=m<br>CONFIG_IP_NF_MATCH_DSCP=m<br>CONFIG_IP_NF_MATCH_AH_ESP=m<br>CONFIG_IP_NF_MATCH_LENGTH=m<br># CONFIG_IP_NF_MATCH_TTL is not set<br>CONFIG_IP_NF_MATCH_TCPMSS=m<br>CONFIG_IP_NF_MATCH_HELPER=m<br>CONFIG_IP_NF_MATCH_STATE=m<br>CONFIG_IP_NF_MATCH_CONNTRACK=m<br>CONFIG_IP_NF_MATCH_UNCLEAN=m<br># CONFIG_IP_NF_MATCH_OWNER is not set<br>CONFIG_IP_NF_FILTER=m<br>CONFIG_IP_NF_TARGET_REJECT=m<br># CONFIG_IP_NF_TARGET_MIRROR is not set<br>CONFIG_IP_NF_NAT=m<br>CONFIG_IP_NF_NAT_NEEDED=y<br>CONFIG_IP_NF_TARGET_MASQUERADE=m<br>CONFIG_IP_NF_TARGET_REDIRECT=m<br>CONFIG_IP_NF_NAT_AMANDA=m<br>CONFIG_IP_NF_NAT_LOCAL=y<br># CONFIG_IP_NF_NAT_SNMP_BASIC is not set<br>CONFIG_IP_NF_NAT_FTP=m<br>CONFIG_IP_NF_NAT_TFTP=m<br>CONFIG_IP_NF_MANGLE=m<br>CONFIG_IP_NF_TARGET_TOS=m<br>CONFIG_IP_NF_TARGET_ECN=m<br>CONFIG_IP_NF_TARGET_DSCP=m<br>CONFIG_IP_NF_TARGET_MARK=m<br>CONFIG_IP_NF_TARGET_LOG=m<br>CONFIG_IP_NF_TARGET_ULOG=m<br>CONFIG_IP_NF_TARGET_TCPMSS=m<br>CONFIG_IP_NF_ARPTABLES=m<br>CONFIG_IP_NF_ARPFILTER=m<br># CONFIG_IP_NF_COMPAT_IPCHAINS is not set<br># CONFIG_IP_NF_COMPAT_IPFWADM is not set<br></pre>
</blockquote>
<p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003,  Thomas M. Eastep.</font></a><br>
<br>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003,&nbsp; Thomas M. Eastep.</font></a><br>
<br>
</body>
</html>
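Review bot: the `.config` excerpt is emitted as one very long `<pre>` line with `<br>` separators and `&nbsp;` for indentation; `<pre>` already preserves whitespace, so plain newlines and spaces would be smaller, valid in more browsers, and easier to copy into a real .config. The same applies to the networking-options block above it.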

View File

@ -15,7 +15,8 @@
border="0">
<tbody>
<tr>
<td width="33%" valign="middle" align="left">
<td width="33%" valign="middle" align="left"
style="background-color: rgb(255, 255, 255);">
<h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
@ -23,15 +24,18 @@
<a href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> </a>
<p align="right"><font color="#ffffff"><b>&nbsp; </b></font><a
<p align="right" style="background-color: rgb(255, 255, 255);"><font
color="#ffffff"><b>&nbsp; </b></font><a
href="http://razor.sourceforge.net/"><img src="images/razor.gif"
alt="(Razor Logo)" width="100" height="22" align="left" border="0"> </a>
</p>
</td>
<td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
<td valign="middle" width="34%" align="center"
style="color: rgb(51, 0, 51); background-color: rgb(255, 255, 255);">
<h1 align="center">Shorewall Mailing Lists</h1>
</td>
<td valign="middle" width="33%"> <a
<td valign="middle" width="33%"
style="background-color: rgb(255, 255, 255);"> <a
href="http://www.postfix.org/"> <img src="images/postfix-white.gif"
align="right" border="0" width="158" height="84" alt="(Postfix Logo)">
</a><br>
@ -50,7 +54,7 @@
<big><span style="color: rgb(255, 0, 0);"><span
style="font-weight: bold;">If you are reporting a problem or asking a
question, you are at the wrong place -- please see the <a
href="http://www.shorewall.net/support.htm">Shorewall Support Guide</a>.</span></span></big><br>
href="http://shorewall.net/support.htm">Shorewall Support Guide</a>.</span></span></big><br>
<br>
If you experience problems with any of these lists,
please let <a href="mailto:postmaster@shorewall.net">me</a>
@ -148,7 +152,7 @@ of general interest to the Shorewall user community is also posted to
this list.</p>
<p align="left" style="color: rgb(255, 0, 0);"><big><b>Before posting
to this list, please see the <a
href="http://www.shorewall.net/support.htm">problem
href="http://shorewall.net/support.htm">problem
reporting guidelines</a>.<br>
</b></big></p>
<p align="left">To subscribe: <a
@ -158,7 +162,9 @@ reporting guidelines</a>.<br>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.
<br>
<span style="font-weight: bold;">IMPORTANT: </span>If you are not
subscribed to the list, please say so -- otherwise, you will not be
included in any replies.<br>
</p>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
@ -230,8 +236,8 @@ to be emailed to you.</p>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with
Postfix?</h2>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 9/17/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><font size="2">Last updated 10/27/2003 - <a
href="http://shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>

View File

@ -9,18 +9,9 @@
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">About My Network</font></h1>
</td>
</tr>
</tbody>
</table>
<blockquote> </blockquote>
<h1 style="text-align: center;">About My Network<br>
</h1>
<a href="http://www.redhat.com"><img
style="border: 0px solid ; width: 88px; height: 31px;"
src="images/poweredby.png" title="" alt="(RedHat Logo)"> </a><a
@ -51,7 +42,7 @@
<h1> </h1>
<blockquote>
<p><big><font color="#ff0000"><b>Warning 1: </b></font><b><small>I</small></b></big><big><b><small>
use a combination of Static NAT and Proxy ARP, neither of which are
use a combination of One-to-one NAT and Proxy ARP, neither of which are
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
If you have just a single public IP address, most of what you see here
won't apply to your setup so beware of copying parts of this
@ -70,9 +61,10 @@ and a Wireless network connected to eth3 (192.168.3.0/24).</p>
<p> I use:<br>
</p>
<ul>
<li>Static NAT for Ursa (my XP System) - Internal address
<li>One-to-one NAT for Ursa (my XP System) - Internal address
192.168.1.5 and external address 206.124.146.178.</li>
<li>Static NAT for EastepLaptop (My work system). Internal address
<li>One-to-one NAT for EastepLaptop (My work system). Internal
address
192.168.1.7 and external address 206.124.146.180.<br>
</li>
<li>SNAT through the primary gateway address
@ -181,7 +173,8 @@ my Ethernet interfaces. </p>
</blockquote>
<h3>Masq File: </h3>
<blockquote>
<p> Although most of our internal systems use static NAT, my wife's
<p> Although most of our internal systems use one-to-one NAT, my
wife's
system (192.168.1.4) uses IP Masquerading (actually SNAT) as does my
personal system (192.168.1.3), our laptop (192.168.3.8) and
visitors with laptops.<br>
@ -244,7 +237,7 @@ file.<br>
</div>
<pre style="margin-left: 40px;">#!/bin/sh<br><br>case $1 in<br> eth1)<br> ip route add 206.124.146.177 dev eth1<br> ;;<br>esac<br></pre>
<pre style="margin-left: 40px;"><span style="font-family: sans-serif;"></span></pre>
<p><font size="2">Last updated 10/03/2003 - <a href="support.htm">Tom
<p><font size="2">Last updated 11/13/2003 - <a href="support.htm">Tom
Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
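Review bot: the empty `<pre style="margin-left: 40px;"><span style="font-family: sans-serif;"></span></pre>` left directly under the script is editor residue and should be dropped in the same edit that bumps the "Last updated" date; it renders as a blank preformatted block and carries nothing.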

View File

@ -7,18 +7,9 @@
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
<h1 style="text-align: center;">ICMP Echo-request (Ping)<br>
</h1>
Shorewall 'Ping' management has evolved over time with the latest
change coming in Shorewall version 1.4.0. To find out which version of
Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
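Review bot: replacing the banner table with a plain `<h1>` is fine, but the `<br>` left inside the heading (`<h1 style="text-align: center;">ICMP Echo-request (Ping)<br>`) adds an empty line under every title converted this way across the commit; the heading text alone is enough. The stray `<br>` kept after the removed table can go with it.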

View File

@ -1,201 +1,147 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Port Information</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Ports required for Various
Services/Applications</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
<h1 style="text-align: center;">Ports Required for Various
Services/Applications<br>
</h1>
<p>In addition to those applications described in <a
href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
are some other services/applications that you may need to configure
href="Documentation.htm">the /etc/shorewall/rules documentation</a>,
here are some other services/applications that you may need to
configure
your firewall to accommodate.</p>
<p>NTP (Network Time Protocol)</p>
<blockquote>
<p>UDP Port 123</p>
</blockquote>
</blockquote>
<p>rdate</p>
<blockquote>
<p>TCP Port 37</p>
</blockquote>
</blockquote>
<p>UseNet (NNTP)</p>
<blockquote>
<p>TCP Port 119</p>
</blockquote>
</blockquote>
<p>DNS</p>
<blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably
<p>UDP Port 53. If you are configuring a DNS client, you will
probably
want to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if
If you are configuring a server, only open TCP Port 53 if
you will return long replies to queries or if you need to enable ZONE
transfers. In the latter case, be sure that your server is properly
transfers.&nbsp;In the latter case, be sure that your server is
properly
configured.</p>
</blockquote>
<p>ICQ   </p>
</blockquote>
<p>ICQ&nbsp;&nbsp;&nbsp;</p>
<blockquote>
<p>UDP Port 4000. You will also need to open a range of TCP ports which
you can specify to your ICQ client. By default, clients use 4000-4100.</p>
</blockquote>
<p>UDP Port 4000. You will also need to open a range of TCP ports
which you can specify to your ICQ client. By default, clients use
4000-4100.</p>
</blockquote>
<p>PPTP</p>
<blockquote>
<p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a
href="PPTP.htm">Lots more information here</a>).</p>
</blockquote>
</blockquote>
<p>IPSEC</p>
<blockquote>
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
500. These should be opened in both directions (Lots more information
<a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
</blockquote>
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP
Port 500. These should be opened in both directions (Lots more
information <a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
</blockquote>
<p>SMTP (Email)</p>
<blockquote>
<p> TCP Port 25.</p>
</blockquote>
<p>&nbsp;TCP Port 25.</p>
</blockquote>
<p>RealPlayer<br>
</p>
</p>
<blockquote>
<p>UDP Port 6790 inbound<br>
</p>
</blockquote>
</blockquote>
<p>POP3</p>
<blockquote>
<p>TCP Port 110 (Secure = TCP Port 995)<br>
</p>
</blockquote>
</blockquote>
<p>IMAP<br>
</p>
</p>
<blockquote>TCP Port 143 (Secure = TCP Port 993)<br>
</blockquote>
</blockquote>
<p>TELNET</p>
<blockquote>
<p>TCP Port 23.</p>
</blockquote>
</blockquote>
<p>SSH</p>
<blockquote>
<p>TCP Port 22.</p>
</blockquote>
</blockquote>
<p>Auth (identd)</p>
<blockquote>
<p>TCP Port 113</p>
</blockquote>
</blockquote>
<p>Web Access</p>
<blockquote>
<p>TCP Ports 80 and 443.</p>
</blockquote>
</blockquote>
<p>FTP<br>
</p>
</p>
<blockquote>
<p>TCP port 21 plus <a href="FTP.html">look here for much more information</a>.<br>
<p>TCP port 21 plus <a href="FTP.html">look here for much more
information</a>.<br>
</p>
</blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
<blockquote> </blockquote>
<blockquote>
<p>TCP Ports 137, 139 and 445.<br>
UDP Ports 137-139.<br>
UDP Ports 137-139.<br>
<br>
Also, <a href="samba.htm">see this page</a>.</p>
</blockquote>
Also, <a href="samba.htm">see this page</a>.</p>
</blockquote>
<p>Traceroute</p>
<blockquote>
<p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1<br>
ICMP type 8 ('ping')<br>
ICMP type 8 ('ping')<br>
</p>
</blockquote>
</blockquote>
<p>NFS<br>
</p>
</p>
<blockquote>
<p>I personally use the following rules for opening access from zone z1
to a server with IP address a.b.c.d in zone z2:<br>
<p>I personally use the following rules for opening access from zone
z1 to a server with IP address a.b.c.d in zone z2:<br>
</p>
<pre>ACCEPT z1 z2:a.b.c.d udp 111<br>ACCEPT z1 z2:a.b.c.d tcp 111<br>ACCEPT z1 z2:a.b.c.d udp 2049<br>ACCEPT z1 z2:a.b.c.d udp 32700:<br></pre>
</blockquote>
</blockquote>
<blockquote>
<p>Note that my rules only cover NFS using UDP (the normal case). There
is lots of additional information at  <a
href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote>
<p>Note that my rules only cover NFS using UDP (the normal case).
There is lots of additional information at&nbsp; <a
href="http://nfs.sourceforge.net/nfs-howto/security.html">
http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote>
<p>VNC<br>
</p>
</p>
<blockquote>
<p>TCP port 5900 + &lt;display number&gt;</p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own /etc/services
file? </p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own
/etc/services file? </p>
<p>Still looking? Try <a
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
href="http://www.networkice.com/advice/Exploits/Ports">
http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 7/30/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> ©
<a href="copyright.htm"><font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
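Review bot: the NFS rule `ACCEPT z1 z2:a.b.c.d udp 32700:` opens every UDP port from 32700 upward on the server, which is far wider than the statd/mountd/lockd ports it is standing in for; the text should say so, and mention that those daemons can usually be pinned to fixed ports so a narrow range can be accepted instead. Separately, the hunk shows `<body>` both before and after the removed banner table, so the regenerated page should be checked for a duplicated `<body>` tag.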

View File

@ -1,153 +1,134 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Quotes from Shorewall Users</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
<h1 style="text-align: center;">Quotes from Shorewall Users<br>
</h1>
<ul>
<li><font size="3">"I have fought with IPtables for untold hours. First
I tried the SuSE firewall, which worked for 80% of what I needed. Then gShield,
which also worked for 80%. Then I set out to write my own IPtables parser
in shell and awk, which was a lot of fun but never got me past the "hey, cool"
stage. Then I discovered Shorewall. After about an hour, everything just
<li><font size="3">"I have fought with IPtables for untold hours.
First
I tried the SuSE firewall, which worked for 80% of what I needed. Then
gShield, which also worked for 80%. Then I set out to write my own
IPtables parser in shell and awk, which was a lot of fun but never got
me past the "hey, cool"
stage. Then I discovered Shorewall. After about an hour, everything
just
worked. I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
<br>
</li>
<li>"The configuration is intuitive and flexible, and much easier than
any of the other iptables-based firewall programs out there. After sifting
through many other scripts, it is obvious that yours is the most well thought-out
and complete one available." -- BC, USA<br>
<li>"The configuration is intuitive and flexible, and much easier
than
any of the other iptables-based firewall programs out there. After
sifting
through many other scripts, it is obvious that yours is the most well
thought-out and complete one available." -- BC, USA<br>
<br>
</li>
<li>"I just installed Shorewall after weeks of messing with ipchains/iptables
and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
<li>"I just installed Shorewall after weeks of messing with
ipchains/iptables and I had it up and running in under 20 minutes!" --
JL, Ohio<br>
<br>
</li>
<li>"My case was almost like [the one above]. Well. instead of 'weeks'
<li>"My case was almost like [the one above]. Well. instead of
'weeks'
it was 'months' for me, and I think I needed two minutes more:<br>
</li>
</ul>
<ul>
<ul>
<li>One to see that I had no Internet access from the firewall itself.</li>
<li>One to see that I had no Internet access from the firewall
itself.</li>
</ul>
<ul>
<li>Other to see that this was the default configuration, and it was
enough to uncomment a line in /etc/shorewall/policy.<br>
<li>Other to see that this was the default configuration, and it
was enough to uncomment a line in /etc/shorewall/policy.<br>
</li>
</ul>
</ul>
<ul>
<li> Minutes instead of months! Congratulations and thanks for such
a simple and well documented thing for something as huge as iptables." --
a simple and well documented thing for something as huge as iptables."
--
JV, Spain. </li>
</ul>
<ul>
<li>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1
without any problems. Your documentation is great and I really appreciate
your network configuration info. That really helped me out alot. THANKS!!!"
-- MM. </li>
without any problems. Your documentation is great and I really
appreciate
your network configuration info. That really helped me out alot.
THANKS!!!" -- MM. </li>
</ul>
<ul>
<li>"[Shorewall is a] great, great project. I've used/tested may
firewall scripts but this one is till now the best." -- B.R, Netherlands
</li>
firewall scripts but this one is till now the best." -- B.R,
Netherlands </li>
</ul>
<ul>
<li>"Never in my +12 year career as a sys admin have I witnessed
someone so relentless in developing a secure, state of the art, safe and
useful product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kerecki, Toronto </li>
someone so relentless in developing a secure, state of the art, safe
and useful product as the Shorewall firewall package for no cost or
obligation involved." -- Mario Kerecki, Toronto </li>
</ul>
<ul>
<li>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
have 7 machines up and running with shorewall on several versions
- starting with 1.2.2 up to the new 1.2.9 and I never have encountered
any problems!" -- SM, Germany</li>
</ul>
<ul>
<li>"You have the best support of any other package I've ever used."
-- SE, US </li>
-- SE, US </li>
</ul>
<ul>
<li>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld
by request, Europe</li>
<li>"Because our company has information which has been classified by
the national government as secret, our security doesn't stop by putting
a fence around our company. Information security is a hot issue. We
also make use of checkpoint firewalls, but not all of the internet
servers are guarded by checkpoint, some of them are
running....Shorewall." -- Name withheld by request, Europe</li>
</ul>
<ul>
<li>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of
flexibillity, quality &amp; support" -- RM, Austria</li>
<li>"thanx for all your efforts you put into shorewall - this product
stands out against a lot of commercial stuff i´ve been working with in
terms of flexibillity, quality &amp; support" -- RM, Austria</li>
</ul>
<ul>
<li>"I have never seen such a complete firewall package that is so easy
<li>"I have never seen such a complete firewall package that is so
easy
to configure. I searched the Debian package system for firewall scripts
and Shorewall won hands down." -- RG, Toronto</li>
</ul>
<p></p>
<ul>
<li>"My respects... I've just found and installed Shorewall 1.3.3-1 and
it is a wonderful piece of software. I've just sent out an email to about
30 people recommending it. :-)<br>
<li>"My respects... I've just found and installed Shorewall 1.3.3-1
and
it is a wonderful piece of software. I've just sent out an email to
about 30 people recommending it. :-)<br>
<br>
While I had previously taken the time (maybe 40 hours) to really understand
ipchains, then spent at least an hour per server customizing and carefully
scrutinizing firewall rules, I've got shorewall running on my home firewall,
with rulesets and policies that I know make sense, in under 20 minutes."
-- RP, Guatamala<br>
While I had previously taken the time (maybe 40 hours) to really
understand ipchains, then spent at least an hour per server customizing
and carefully scrutinizing firewall rules, I've got shorewall running
on my home firewall, with rulesets and policies that I know make sense,
in under 20 minutes." -- RP, Guatamala<br>
</li>
</ul>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 7/1/2003
- <a href="support.htm">Tom Eastep</a> </font>
</p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated
7/1/2003 - <a href="support.htm">Tom Eastep</a> </font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
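Review bot: the bare `<p></p>` between the Toronto and Guatemala quotes and the two blocks of six trailing `<br>` tags before `</body>` are editor residue and should be dropped while this page is being reflowed; they only add vertical whitespace. (User quotes themselves, spelling included, are best left verbatim.)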

View File

@ -9,17 +9,8 @@
<title>Samba</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Samba</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Samba/SMB<br>
</h1>
<p>If you wish to run Samba on your firewall and access shares between
the firewall and local hosts, you need the following rules:</p>
<h4>/etc/shorewall/rules:</h4>
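Review bot: the visible heading changes to "Samba/SMB" but `<title>Samba</title>` in the unchanged context above it is left as is; the two should agree so browser tabs, bookmarks and the site index show the same name as the page.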
@ -95,7 +86,98 @@ DEST</b></td>
</tbody>
</table>
</blockquote>
<p><font size="2">Last modified 8/17/2002 - <a href="support.htm">Tom
<p>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</p>
<h4>/etc/shorewall/rules:</h4>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>Z1<br>
</td>
<td>Z2<br>
</td>
<td>udp</td>
<td>137:139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>Z1<br>
</td>
<td>Z2<br>
</td>
<td>tcp</td>
<td>137,139,445</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>Z1<br>
</td>
<td>Z2<br>
</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>Z2<br>
</td>
<td>Z1<br>
</td>
<td>udp</td>
<td>137:139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>Z2<br>
</td>
<td>Z1<br>
</td>
<td>tcp</td>
<td>137,139,445</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>Z2<br>
</td>
<td>Z1<br>
</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
To make network browsing ("Network Neighborhood") work properly between
Z1 and Z2 requires a Windows Domain Controller and/or a WINS server. I
run Samba on my firewall to handle browsing between two zones connected
to my firewall. Details are <a href="myfiles.htm">here</a>.<br>
<p><font size="2">Last modified 10/22/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
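Review bot: the two rules with DEST PORT(S) `1024:` and SOURCE PORT(S) `137` accept any UDP datagram to any high port solely because it claims source port 137; since a sender chooses its own source port, the text should say these entries exist to let NetBIOS name-service replies through and that they trust the source port rather than the connection state. Also "To pass traffic SMB/Samba traffic between zones Z1 and Z2" repeats "traffic", and the "Last modified 10/22/2002" line was not bumped even though this hunk adds a whole new table.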

View File

@ -7,30 +7,38 @@
<base target="_self">
</head>
<body>
<table cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#3366ff">
<tbody>
<tr>
<td width="33%" height="90" valign="middle" align="center"><a
href="http://www.cityofshoreline.com"> </a>
<div align="center"> <img src="images/Logo1.png"
alt="(Shorewall Logo)" width="430" height="90" align="middle"> </div>
</td>
</tr>
</tbody>
</table>
<div align="center">
<div align="center"> </div>
<center>
<div align="center"> </div>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
style="border-collapse: collapse; width: 100%; height: 100%;"
id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h2>Introduction<br>
<h2>Site Problem</h2>
The server that normally hosts www.shorewall.net and ftp.shorewall.net
is currently down. Until it is back up, a small server with very
limited bandwidth is being used temporarly. You will likely experience
better response time from the <a
href="http://shorewall.sourceforge.net" target="_top">Sourceforge site</a>
or from one of the other <a href="shorewall_mirrors.htm">mirrors</a>.
Sorry for the inconvenience.<br>
<br>
<h2>Introduction to Shorewall<br>
</h2>
<h3>This is the Shorewall 1.4 Web Site</h3>
The information on this site applies only to 1.4.x releases of
Shorewall. For older versions:<br>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.</li>
</ul>
<h3>Glossary<br>
</h3>
<ul>
<li><a href="http://www.netfilter.org">Netfilter</a> - the
packet filter facility built into the 2.4 and later Linux kernels.</li>
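Review bot: "temporarly" in the Site Problem notice should be "temporarily", and the notice carries no date, so once the main server is back nothing tells a reader whether it is still current; consider dating it the way the News entries below are dated.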
@ -40,12 +48,12 @@ and control that facility. Netfilter can be used in ipchains
compatibility mode.<br>
</li>
<li>iptables - the utility program used to configure and
control
Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in
ipchains compatibility mode).<br>
</li>
control Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in ipchains
compatibility mode).</li>
</ul>
<h3>What is Shorewall?<br>
</h3>
The Shoreline Firewall, more commonly known as "Shorewall", is
high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of configuration
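Review bot: "The Shoreline Firewall, more commonly known as "Shorewall", is high-level tool" in the context at the end of this hunk is missing the article; it should read "is a high-level tool for configuring Netfilter".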
@ -57,367 +65,237 @@ system. Shorewall does not use Netfilter's ipchains compatibility mode
and can thus take advantage of Netfilter's connection state tracking
capabilities.<br>
<br>
Shorewall is <span style="text-decoration: underline;">not</span> a
daemon. Once Shorewall has configured Netfilter, it's job is complete
although the <a href="starting_and_stopping_shorewall.htm">/sbin/shorewall
program can be used at any time to monitor the Netfilter firewall</a>.<br>
<h3>Getting Started with Shorewall</h3>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
closely match your environment and follow the step by step instructions.<br>
<h3>Looking for Information?</h3>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search in the frame
above.
<h3>License<br>
</h3>
This program is free software; you can redistribute it and/or modify it
under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
<p> This program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.<br>
General
Public License for more details.<br>
<br>
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M.
Eastep</a></p>
<h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of
Shorewall. For older versions:<br>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.<br>
</li>
</ul>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
closely match your environment
and follow the step by step instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your
right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on
this site will not apply directly to your setup. If you want
to use the documentation that you find here, you will want to consider
uninstalling what you have and installing a setup that matches the
documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br>
<h2>News</h2>
<p><b>10/06/2003 - Shorewall 1.4.7</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""><br>
</b></p>
<b>Problems Corrected since version 1.4.6 (Those in bold font
were corrected since 1.4.7 RC2)</b><br>
<ol>
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
variable was being tested before it was set.</li>
<li>Corrected handling of MAC addresses in the SOURCE column of
the tcrules file. Previously, these addresses resulted in an invalid
iptables command.</li>
<li>The "shorewall stop" command is now disabled when
/etc/shorewall/startup_disabled exists. This prevents people from
shooting themselves in the foot prior to having configured Shorewall.</li>
<li>A change introduced in version 1.4.6 caused error messages
during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
were being added to a PPP interface; the addresses were successfully
added in spite of the messages.<br>
&nbsp;&nbsp;&nbsp; <br>
The firewall script has been modified to eliminate the error messages</li>
<li>Interface-specific dynamic blacklisting chains are
now displayed by "shorewall monitor" on the "Dynamic Chains" page
(previously named "Dynamic Chain").</li>
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
<li>The 'shorewall reject' and
'shorewall drop' commands now delete any existing rules for the subject
IP address before adding a new DROP or REJECT rule. Previously, there
could be many rules for the same IP address in the dynamic chain so
that multiple 'allow' commands were required to re-enable traffic
to/from the address.</li>
<li>When ADD_SNAT_ALIASES=Yes in
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
a startup error:<br>
&nbsp;<br>
&nbsp;&nbsp; eth0 eth1&nbsp;&nbsp;&nbsp;&nbsp;
206.124.146.20-206.124.146.24<br>
<br>
</li>
<li>Shorewall previously choked over
IPV6 addresses configured on interfaces in contexts where Shorewall
needed to detect something about the interface (such as when "detect"
appears in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
<li>Shorewall will now load
module files that are formed from the module name by appending ".o.gz".</li>
<li>When Shorewall adds a route to a
proxy ARP host and such a route already exists, two routes resulted
previously. This has been corrected so that the existing route is
replaced if it already exists.</li>
<li>The rfc1918 file has been
updated to reflect recent allocations.</li>
<li>The documentation of the
USER SET column in the rules file has been corrected.</li>
<li>If there is no policy
defined for
the zones specified in a rule, the firewall script previously
encountered a shell syntax error:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [: NONE: unexpected operator<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
Now, the absence of a policy generates an error message and the
firewall is stopped:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; No policy defined from zone
&lt;source&gt; to zone &lt;dest&gt;<br>
<br>
</li>
<li>Previously, if neither
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
would fail to start and would not remove the lock file. Failure to
remove the lock file resulted in the following during subsequent
attempts to start:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp; Loading /usr/share/shorewall/functions...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/params ...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/shorewall.conf...<br>
&nbsp;&nbsp;&nbsp; Giving up on lock file /var/lib/shorewall/lock<br>
&nbsp;&nbsp;&nbsp; Shorewall Not Started<br>
<br>
Shorewall now reports a fatal error if neither of these two files exist
and correctly removes the lock fille.</li>
<li>The order of processing
the
various options has been changed such that blacklist entries now take
precedence over the 'dhcp' interface setting.</li>
<li>The log message generated
from the
'logunclean' interface option has been changed to reflect a disposition
of LOG rather than DROP.</li>
<li><span style="font-weight: bold;">When a user name and/or a
group
name was specified in the USER SET column and the destination zone was
qualified with a IP address, the user and/or group name was not being
used to qualify the rule.<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; Example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; ACCEPT fw&nbsp; net:192.0.2.12 tcp 23 - - - vladimir:<br>
<br>
</span></li>
<li><span style="font-weight: bold;">The /etc/shorewall/masq
file has had the spurious "/" character at the front removed.</span></li>
</ol>
<b>Migration Issues:</b><br>
<ol>
<li>Shorewall IP Traffic Accounting has changed since snapshot
20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
details.</li>
<li>The Uset Set capability introduced in SnapShot 20030821 has
changed -- see the <a href="UserSets.html">User Set page</a> for
details.</li>
<li>The per-interface Dynamic Blacklisting facility introduced
in the first post-1.4.6 Snapshot has been removed. The facility had too
many idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
</li>
</ol>
<b>New Features:</b><br>
<ol>
<li>Thanks to Steve Herber, the 'help' command can now give
command-specific help (e.g., shorewall help &lt;command&gt;).</li>
<li>A new option "ADMINISABSENTMINDED" has been added to
/etc/shorewall/shorewall.conf. This option has a default value of "No"
for existing users which causes Shorewall's 'stopped' state &nbsp;to
continue as it has been; namely, in the stopped state only traffic
to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
<br>
With ADMINISABSENTMINDED=Yes (the default for new installs), in
addition to traffic to/from the hosts listed in
/etc/shorewall/routestopped, Shorewall will allow:<br>
<br>
&nbsp;&nbsp; a) All traffic originating from the firewall itself; and<br>
&nbsp;&nbsp; b) All traffic that is part of or related to an
already-existing connection.<br>
<br>
&nbsp;In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
entered through an ssh session will not kill the session.<br>
<br>
&nbsp;Note though that even with ADMINISABSENTMINDED=Yes, it is still
possible for people to shoot themselves in the foot.<br>
<br>
&nbsp;Example:<br>
<br>
&nbsp;/etc/shorewall/nat:<br>
<br>
&nbsp; &nbsp; &nbsp;206.124.146.178&nbsp;&nbsp;&nbsp;
eth0:0&nbsp;&nbsp;&nbsp; 192.168.1.5&nbsp;&nbsp;&nbsp; <br>
<br>
&nbsp;/etc/shorewall/rules:<br>
<br>
&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
<br>
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
connection with local system 192.168.1.5. I then create a second SSH
connection
from that computer to the firewall and confidently type "shorewall
stop".
As part of its stop processing, Shorewall removes eth0:0 which kills my
SSH
connection to 192.168.1.5!!!</li>
<li>Given the wide range of VPN software, I can never hope to
add specific support for all of it. I have therefore decided to add
"generic" tunnel support.<br>
&nbsp;<br>
Generic tunnels work pretty much like any of the other tunnel types.
You usually add a zone to represent the systems at the other end of the
tunnel and you add the appropriate rules/policies to<br>
implement your security policy regarding traffic to/from those systems.<br>
&nbsp;<br>
In the /etc/shorewall/tunnels file, you can have entries of the form:<br>
<br>
generic:&lt;protocol&gt;[:&lt;port&gt;]&nbsp; &lt;zone&gt;&nbsp; &lt;ip
address&gt;&nbsp;&nbsp;&nbsp; &lt;gateway zones&gt;<br>
&nbsp;<br>
where:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;protocol&gt; is the protocol
used by the tunnel<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;port&gt;&nbsp; if the protocol
is 'udp' or 'tcp' then this is the destination port number used by the
tunnel.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;zone&gt;&nbsp; is the zone of
the remote tunnel gateway<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ip address&gt; is the IP
address of the remote tunnel gateway.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;gateway zone&gt;&nbsp;&nbsp;
Optional. A comma-separated list of zone names. If specified, the
remote gateway is to be considered part of these zones.</li>
<li>An 'arp_filter' option has been added to the
/etc/shorewall/interfaces file. This option causes
/proc/sys/net/ipv4/conf/&lt;interface&gt;/arp_filter to be set with the
result that this interface will only answer ARP 'who-has' requests from
hosts that are routed out through that interface. Setting this option
facilitates testing of your firewall where multiple firewall interfaces
are connected to the same HUB/Switch (all interfaces connected to the
single HUB/Switch should have this option specified). Note that using
such a configuration in a production environment is strongly
recommended against.</li>
<li>The ADDRESS column in /etc/shorewall/masq may now include a
comma-separated list of addresses and/or address ranges. Netfilter will
use all listed addresses/ranges in round-robin fashion. \</li>
<li>An /etc/shorewall/accounting file has been added to allow
for traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
documentation</a> for a description of this facility.</li>
<li>Bridge interfaces (br[0-9]) may now be used in
/etc/shorewall/maclist.</li>
<li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
rules, rate limiting occurs in the nat table DNAT rule; the
corresponding ACCEPT rule in the filter table is not rate limited. If
you want to limit the filter table rule, you will need o create two
rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
separately.<br>
&nbsp;<br>
<span style="font-weight: bold;">Warning: </span>When rate
limiting is specified on a rule with "all" in the SOURCE or DEST
fields, the limit will apply to each pair of zones individually rather
than as a single limit for all pairs of covered by the rule.<br>
&nbsp;<br>
To specify a rate limit, <br>
<br>
a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
&nbsp;<br>
&nbsp;
where<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rate&gt; is the sustained rate per
&lt;interval&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;interval&gt; is "sec" or "min"<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;burst&gt; is the largest burst
accepted within an &lt;interval&gt;. If not given, the default of 5 is
assumed.<br>
&nbsp;<br>
There may be no white space between the ACTION and "&lt;" nor there may
be any white space within the burst specification. If you want to
specify logging of a rate-limited rule, the ":" and log level comes
after the "&gt;" (e.g., ACCEPT&lt;2/sec:4&gt;:info ).<br>
<br>
b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
file. You may specify the rate limit there in the format:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;]<br>
&nbsp;<br>
Let's take an example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp;&nbsp; 80<br>
&nbsp;&nbsp;&nbsp; <br>
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate<br>
of 2) before a packet will be accepted from this rule, regardless of
how many packets reach it. Also, every 500ms which passes without
matching a packet, one of the bursts will be regained; if no packets
hit the rule for 2 second, the burst will be fully recharged; back
where we started.<br>
</li>
<li>Multiple chains may now be displayed in one "shorewall
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
<li>Output rules (those with $FW as the SOURCE) may now be
limited to a set of local users and/or groups. See <a
href="UserSets.html">http://shorewall.net/UserSets.html</a>
for details.<br>
<br>
</li>
</ol>
<p><b>8/27/2003 - Shorewall Mirror in Australia&nbsp;</b></p>
<p>Thanks to Dave Kempe and Solutions First (<a
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
there is now a Shorewall Mirror in Australia:</p>
<p style="margin-left: 40px;"><a
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><font
size="3"><br>
<a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font><br>
Eastep</a><br>
</p>
<p><b>8/26/2003 - French Version of the Shorewall Setup
Guide&nbsp;</b></p>
Thanks to Fabien <font size="3">Demassieux, there is now a <a
href="shorewall_setup_guide_fr.htm">French translation of the
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!<br>
</font>
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b>&nbsp; <br>
</b></p>
<b>Problems Corrected since version 1.4.6:</b><br>
<ol>
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf
then Shorewall would fail to start with the error "ERROR: &nbsp;Traffic
Control requires Mangle"; that problem has been corrected.</li>
<li>Corrected handling of MAC addresses in the SOURCE column of
the
tcrules file. Previously, these addresses resulted in an invalid
iptables
command.</li>
<li>The "shorewall stop" command is now disabled when
/etc/shorewall/startup_disabled
exists. This prevents people from shooting themselves in the foot prior
<h3>Running Shorewall on Mandrake with a two-interface setup?</h3>
If so, the documentation<b> </b>on this site will not apply directly
to
having configured Shorewall.</li>
<li>A change introduced in version 1.4.6 caused error messages
during
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
being
added to a PPP interface; the addresses were successfully added in
spite
of the messages.<br>
&nbsp;&nbsp; <br>
The firewall script has been modified to eliminate the error messages.<br>
your setup. If you want to use the documentation that you find here,
you will want to consider uninstalling what you have and installing a
setup that matches the documentation on this site. See the <a
href="two-interface.htm">Two-interface QuickStart Guide</a> for
details.<br>
<h2>News</h2>
<p><b>11/07/2003 - Shorewall 1.4.8</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""></b><b><br>
<br>
</b>Problems Corrected since version 1.4.7:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that
occurs
using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.</li>
<li>Andres Zhoglo has supplied a correction that avoids trying
to use the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
been corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This
optimization
involved creating a chain named "&lt;zone&gt;_frwd" for most zones
defined using the /etc/shorewall/hosts file. It has since been
discovered that in many cases these new chains contain redundant rules
and that the "optimization" turns out to be less than optimal. The
implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F"
or
":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all entries.</li>
<li>An incorrect comment concerning Debian's use of the
SUBSYSLOCK option has been removed from shorewall.conf.</li>
<li>Previously, neither the 'routefilter' interface option nor
the
ROUTE_FILTER parameter were working properly. This has been corrected
(thanks to Eric Bowles for his analysis and patch). The definition of
the ROUTE_FILTER option has changed however. Previously,
ROUTE_FILTER=Yes was documented as enabling route filtering on all
interfaces (which didn't work). Beginning with this release, setting
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
coexist with the use of the 'routefilter' option in the interfaces file.</li>
<li>If MAC verification was enabled on an interface with a /32
address and
a broadcast address then an error would occur during startup.</li>
<li>he NONE policy's intended use is to suppress the generating
of
rules that can't possibly be traversed. This means that a policy of
NONE is inappropriate where the source or destination zone is $FW or
"all". Shorewall now generates an error message if such a policy is
given in /etc/shorewall/policy. Previously such a policy caused
"shorewall start" to fail.</li>
<li>The 'routeback' option was broken for wildcard interfaces
(e.g.,
"tun+"). This has been corrected so that 'routeback' now works as
expected in this case.<br>
</li>
</ol>
Migration Issues:<br>
<ol>
<li>The definition of the ROUTE_FILTER option in shorewall.conf
has changed as described in item 8) above.<br>
</li>
</ol>
New Features:<br>
<ol>
<li>A new QUEUE action has been introduced for rules. QUEUE
allows
you to pass connection requests to a user-space filter such as ftwall
(http://p2pwall.sourceforge.net). The ftwall program
allows for effective filtering of p2p applications such as Kazaa. For
example, to use ftwall to filter P2P clients in the 'loc' zone, you
would add the following rules:<br>
<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
<br>
You would normally want to place those three rules BEFORE any ACCEPT
rules for loc-&gt;net udp or tcp.<br>
<br>
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with ftwall.</li>
<li>A BLACKLISTNEWNONLY option has been added to
shorewall.conf. When this option is set to "Yes", the blacklists
(dynamic and static) are only consulted for new connection requests.
When set to "No" (the default if the variable is not set), the
blacklists are consulted on every packet.<br>
<br>
Setting this option to "No" allows blacklisting to stop existing
connections from a newly blacklisted host but is more expensive in
terms of packet processing time. This is especially true if the
blacklists contain a large number of entries.</li>
<li>Chain names used in the /etc/shorewall/accounting file may
now begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
</ol>
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
bag awards </b><b><img
style="border: 0px solid ; width: 50px; height: 80px;"
src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
1.4.7c released.</b> </p>
<ol>
<li>The saga with "&lt;zone&gt;_frwd" chains continues. The
1.4.7c
script produces a ruleset that should work for everyone even if it is
not
quite optimal. My apologies for this ongoing mess.<br>
</li>
</ol>
<p><b>10/24/2003 - Shorewall 1.4.7b</b></p>
<p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
</p>
<ol>
<li>The fix for problem 5 in 1.4.7a was wrong with the result
that
"&lt;zone&gt;_frwd" chains might contain too few rules. That wrong code
is corrected in this release.<br>
</li>
</ol>
<p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
<p>This is a bugfix rollup of the following problem corrections:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that
occurs
using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.<br>
<br>
</li>
<li>Andres Zhoglo has supplied a correction that avoids trying
to use the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through
interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
been corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This
optimization
involved creating a chain named "&lt;zone&gt;_frwd" for most zones
defined using the /etc/shorewall/hosts file. It has since been
discovered that in many cases these new chains contain redundant rules
and that the "optimization" turns out to be less than optimal. The
implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F"
or
":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all entries.<br>
</li>
</ol>
<ol>
</ol>
<p><b></b></p>
<ol>
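Review bot: the markup in this news hunk is not well-formed in two places and should be repaired before it ships: in the Australian mirror paragraph the text `Eastep</a><br>` closes an `<a>` that was never opened (the real link already closed on the previous line), and the empty `<ol></ol>` and `<p><b></b></p>` elements right before the end of the hunk are editor leftovers that only render as blank space. The "Running Shorewall on Mandrake with a two-interface setup?" heading and its sentence appear spliced into the middle of the 1.4.6b item that ends "having configured Shorewall", so check that the old news paragraph and the new index text did not get merged when the news block was moved. Typos in the visible text: "lock fille", "Uset Set capability", "need o create two rules", "Merci Beacoup", "he NONE policy's intended use", "bugfx rollup", and a stray backslash after "round-robin fashion." The Migration Issues entry "as described in item 8) above" depends on the position of the ROUTE_FILTER item in the numbered list; naming the item ("the ROUTE_FILTER/routefilter correction above") would survive reordering.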
@ -432,56 +310,33 @@ You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo">
http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<b>Congratulations to Jacques
and Eric on the recent release of Bering 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#3366ff" valign="top" align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> <strong><br>
<font color="#ffffff"><b>Note: </b></font></strong><font
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font> <font face="Arial"
size="-1"> <input type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit" value="Search"></font>
</p>
<font face="Arial"> <input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p>
<b>Congratulations to Jacques and Eric on the recent release of
Bering 1.2!!! <br>
<br>
</b>
<div style="text-align: center;">
<div style="text-align: center;"><a
href="http://www.shorewall.net" target="_top"><img
src="images/ProtectedBy.png" title="" alt="(Protected by Shorewall)"
style="border: 0px solid ; width: 216px; height: 45px;"></a></div>
</div>
<h2><a name="Donations"></a>Donations</h2>
<p style="text-align: left;"><a href="http://www.starlight.org"> <img
style="border: 4px solid ; width: 57px; height: 100px;"
src="images/newlog.gif" align="left" hspace="10" alt="(Starlight Logo)"
title=""></a><br>
<big>Shorewall is free but if you try it and find it useful,
please consider making a donation to <a href="http://www.starlight.org">Starlight
Children's Foundation</a>. Thanks!</big><br>
<a href="http://www.starlight.org"> </a></p>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#3366ff">
<tbody>
<tr>
<td width="100%" style="margin-top: 1px;" valign="middle">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10" alt="(Starlight Logo)"> </a></p>
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2"> Shorewall is free but if you try it and find it
useful, please consider making a donation to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 11/13/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
</body>
</html>
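Review bot: as rendered, this hunk leaves two `<h2><a name="Donations"></a>Donations</h2>` headings, two copies of the "Congratulations to Jacques and Eric on the recent release of Bering 1.2!!!" line and two copies of the Starlight donation paragraph (one in the new centered `<div>`, one in the `AutoNumber2` table); if the table version is meant to go, remove the whole `<table ... id="AutoNumber2">` block together with the `</td></tr></tbody></table></center></div>` closers from the old two-column layout, otherwise the page ends up with duplicate `name="Donations"` anchors and unbalanced tags. Dropping the right-hand column also drops the Quick Search form (`action="http://lists.shorewall.net/cgi-bin/htsearch"`), the "Extended Search" link and the "Search is unavailable Daily 0200-0330 GMT" notice, and nothing else in the hunk replaces them; if that is intentional it deserves a mention in the commit message. The two "Updated" lines (10/06/2003 and 11/13/2003) should collapse to the newer one.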

View File

@ -9,18 +9,10 @@
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"> <img border="3" src="images/Tom.jpg"
<p align="center"> </p>
<h1 style="text-align: center;">Tom Eastep<br>
</h1>
<p align="center"><img border="3" src="images/Tom.jpg"
alt="Aging Geek - June 2003" width="320" height="240"> </p>
<p align="center">"The Aging Geek" -- June 2003<br>
<br>
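Review bot: the new `<p align="center"> </p>` before the heading is an empty paragraph that only adds vertical space, and the `<br>` inside `<h1 style="text-align: center;">Tom Eastep<br></h1>` is an editor artifact; drop both so the heading matches the plain `<h1 style="text-align: center;">` form used on the other pages converted in this commit. Replacing the blue `AutoNumber1` banner table with a centered `<h1>` is otherwise consistent with the rest of the change.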

View File

@ -1,118 +1,89 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Extension Scripts</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
</td>
</tr>
</tbody>
</table>
<p> Extension scripts are user-provided scripts that are invoked at various
points during firewall start, restart, stop and clear. The scripts are
placed in /etc/shorewall and are processed using the Bourne shell "source"
mechanism.<br>
</p>
<body>
<h1 style="text-align: center;">Extension Scripts<br>
</h1>
<p>Extension scripts are user-provided scripts that are invoked at
various points during firewall start, restart, stop and clear. The
scripts are placed in /etc/shorewall and are processed using the Bourne
shell "source" mechanism.<br>
</p>
<p><font color="#ff0000"><b>Caution: <br>
</b></font></p>
</b></font></p>
<ol>
<li><font color="#ff0000"><b>Be sure that you actually need to use an
extension script to do what you want. Shorewall has a wide range of features
extension script to do what you want. Shorewall has a wide range of
features
that cover most requirements.</b></font></li>
<li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND ON
THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT BREAK
SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE
<li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND
ON THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT
BREAK SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT
YOU ARE
DOING WITH RESPECT TO iptables/Netfilter</b></font></li>
</ol>
<p>The following scripts can be supplied:</p>
<ul>
<li>init -- invoked early in "shorewall start" and "shorewall
restart"</li>
<li>init -- invoked early in "shorewall start" and "shorewall restart"</li>
<li>start -- invoked after the firewall has been started or restarted.</li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>stop -- invoked as a first step when the firewall is being
stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but
before the common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
chain has been created but before any rules have been added to it.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the
'newnotsyn' chain has been created but before any rules have been added
to it.</li>
</ul>
<p><u><b>If your version of Shorewall doesn't have the file that you want
to use from the above list, you can simply create the file yourself.</b></u></p>
<p> You can also supply a script with the same name as any of the filter
chains in the firewall and the script will be invoked after the /etc/shorewall/rules
file has been processed but before the /etc/shorewall/policy file has
been processed.</p>
<p>The /etc/shorewall/common file receives special treatment. If this file
is present, the rules that it defines will totally replace the default
rules in the common chain. These default rules are contained in the
file /etc/shorewall/common.def which may be used as a starting point
for making your own customized file.</p>
<p><u><b>If your version of Shorewall doesn't have the file that you
want to use from the above list, you can simply create the file
yourself.</b></u></p>
<p> You can also supply a script with the same name as any of the
filter chains in the firewall and the script will be invoked after the
/etc/shorewall/rules file has been processed but before the
/etc/shorewall/policy file has been processed.</p>
<p>The /etc/shorewall/common file receives special treatment. If this
file is present, the rules that it defines will totally replace the
default rules in the common chain. These default rules are contained in
the file /etc/shorewall/common.def which may be used as a starting
point for making your own customized file.</p>
<p> Rather than running iptables directly, you should run it using the
function run_iptables. Similarly, rather than running "ip" directly, you
should use run_ip. These functions accept the same arguments as the underlying
command but cause the firewall to be stopped if an error occurs during
function run_iptables. Similarly, rather than running "ip" directly,
you should use run_ip. These functions accept the same arguments as the
underlying command but cause the firewall to be stopped if an error
occurs during
processing of the command.</p>
<p> If you decide to create /etc/shorewall/common it is a good idea to
use the following technique</p>
<p> /etc/shorewall/common:</p>
<blockquote>
<pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
</blockquote>
<p>If you need to supercede a rule in the released common.def file, you can
add the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
file.</p>
<p>Remember that /etc/shorewall/common defines rules that are only applied
if the applicable policy is DROP or REJECT. These rules are NOT applied
if the policy is ACCEPT or CONTINUE<br>
</p>
</blockquote>
<p>If you need to supercede a rule in the released common.def file, you
can add the superceding rule before the '.' command. Using this
technique allows you to add new rules while still getting the benefit
of the latest common.def file.</p>
<p>Remember that /etc/shorewall/common defines rules that are only
applied if the applicable policy is DROP or REJECT. These rules are NOT
applied if the policy is ACCEPT or CONTINUE<br>
</p>
<p> </p>
<p align="left"><font size="2">Last updated 6/30/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
<br>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
2003 Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
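Review bot: the reflowed common.def paragraph keeps the misspelling "supercede"/"superceding" (should be "supersede"/"superseding"); since those lines are being rewritten anyway, fix it here. Also check that only one `<body>` tag survives: the hunk shows a `<body>` before the old banner table and another before the new `<h1>`. One documentation suggestion for the red Caution list: the page states that extension scripts are processed with the Bourne shell "source" mechanism, which means whatever they contain runs with the same privileges as the firewall script itself, so a third caution item saying that the scripts in /etc/shorewall must be writable only by root would sit naturally next to the "DO NOT SIMPLY COPY RULES THAT YOU FIND ON THE NET" warning.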

View File

@ -1,119 +1,98 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Features</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Features</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
<h1 style="text-align: center;">Shorewall Features<br>
</h1>
<ul>
<li>Uses Netfilter's connection tracking facilities for stateful packet
filtering.</li>
<li>Can be used in a <b> wide range of router/firewall/gateway applications</b>.
<li>Uses Netfilter's connection tracking facilities for stateful
packet filtering.</li>
<li>Can be used in a <b> wide range of router/firewall/gateway
applications</b>.
<ul>
<li>Completely customizable using configuration files.</li>
<li>No limit on the number of network interfaces.</li>
<li>Allows you to partitions the network into <i><a
href="Documentation.htm#Zones">zones</a></i> and gives you complete
control over the connections permitted between each pair of zones.</li>
control over the connections permitted between each pair of
zones.</li>
<li>Multiple interfaces per zone and multiple zones per interface
permitted.</li>
permitted.</li>
<li>Supports nested and overlapping zones.</li>
</ul>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a>
to help get your first firewall up and running quickly</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides
(HOWTOs)</a> to help get your first firewall up and running quickly</li>
<li>A <b>GUI</b> is available via Webmin 1.060 and later (<a
href="http://www.webmin.com">http://www.webmin.com</a>)<br>
</li>
<li>Extensive <b> <a
href="shorewall_quickstart_guide.htm#Documentation">documentation</a>
</b> included in the .tgz and .rpm downloads.</li>
href="shorewall_quickstart_guide.htm#Documentation">documentation</a> </b>
included in the .tgz and .rpm downloads.</li>
<li><b>Flexible address management/routing support</b> (and you can
use all types in the same firewall):
<ul>
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
<li><a href="Documentation.htm#NAT"> Static NAT</a>.</li>
<li><a href="Documentation.htm#NAT">One-to-one NAT</a>.</li>
<li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
<li>Simple host/subnet Routing</li>
</ul>
</li>
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of
individual IP addresses and subnetworks is supported.</li>
<li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
<li><b><a href="starting_and_stopping_shorewall.htm">Operational
support</a></b>:
<ul>
<li>Commands to start, stop and clear the firewall</li>
<li>Supports status monitoring with an audible
alarm when an "interesting" packet is detected.</li>
<li>Wide variety of informational commands.</li>
</ul>
</li>
<li><b>VPN Support</b>
<ul>
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE,  IPIP and
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE,&nbsp; IPIP
and
OpenVPN Tunnels</a>.</li>
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
</ul>
</li>
<li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
integration.</li>
<li>Support for <a href="traffic_shaping.htm"><b>Traffic
Control/Shaping</b></a> integration.</li>
<li>Wide support for different <b>GNU/Linux Distributions</b>.
<ul>
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a>
packages available.</li>
<li>Includes <a href="Install.htm"><b>automated install, upgrade,
fallback and uninstall facilities</b></a> for users who can't use
or choose not to use the RPM or Debian packages.</li>
href="http://idea.sec.dico.unimi.it/%7Elorenzo/index.html#Debian"><b>Debian</b></a>
packages available.</li>
<li>Includes <a href="Install.htm"><b>automated install,
upgrade, fallback and uninstall facilities</b></a> for users
who can't use or choose not to use the RPM or Debian packages.</li>
<li>Included as a standard part of<b> <a
href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
on a floppy, CD or compact flash).</li>
on a floppy, CD or compact flash).</li>
</ul>
</li>
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>)
Address <b>Verification</b><br>
Address <b>Verification</b></a></li>
<li><a href="Accounting.html">Traffic Accounting<br>
</a><br>
</li>
</ul>
<p><font size="2">Last updated 2/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last updated 11/13/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001-2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
</p>
<br>
<br>
<br>
</body>
</html>
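Review bot: the footer in this hunk ends with three `<br>` lines followed by a `</p>`, but the copyright paragraph above them is already closed by its own `</p>` line; whichever side of the diff that second `</p>` belongs to, the file that results should close the copyright `<p>` exactly once and drop the extra closing tag so the page stays well-formed.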

View File

@ -1,332 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Firewall Structure</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Firewall Structure (Under
Construction)</font></h1>
</td>
</tr>
</tbody>
</table>
<p> Shorewall views the network in which it is running as a set of
<i> zones. </i>Shorewall itself defines exactly one zone called "fw" which
refers to the firewall system itself . The /etc/shorewall/zones file
is used to define additional zones and the example file provided with
Shorewall defines the zones:</p>
<ol>
<li> net -- the (untrusted) internet.</li>
<li> dmz - systems that must be accessible from the internet
and from the local network.  These systems cannot be trusted completely
since their servers may have been compromised through a security exploit.</li>
<li> loc - systems in your local network(s). These systems
must be protected from the internet and from the DMZ and in some
cases, from each other.</li>
</ol>
<p><b>Note: </b><a href="#Conf">You can specify the name of the firewall
zone</a>. For ease of description in this documentation, it is assumed
that the firewall zone is named "fw".</p>
<p>It can't be stressed enough that with the exception of the firewall zone,
Shorewall itself attaches no meaning to zone names. Zone names are simply
labels used to refer to a collection of network hosts.</p>
<p>While zones are normally disjoint (no two zones have a host in common),
there are cases where nested or overlapping zone definitions are appropriate.</p>
<p>Netfilter has the concept of <i>tables</i> and <i>chains. </i>For the purpose
of this document, we will consider Netfilter to have three tables:</p>
<ol>
<li>Filter table -- this is the main table for packet filtering and
can be displayed with the command "shorewall show".</li>
<li>Nat table -- used for all forms of Network Address Translation (NAT);
SNAT, DNAT and MASQUERADE.</li>
<li>Mangle table -- used to modify fields in the packet header.<br>
</li>
</ol>
<p>Netfilter defines a number of inbuilt chains: PREROUTING, INPUT, OUTPUT,
FORWARD and POSTROUTING. Not all inbuilt chains are present in all tables
as shown in this table.<br>
</p>
<div align="center">
<table cellpadding="2" cellspacing="2" border="1">
<tbody>
<tr>
<td valign="top">CHAIN<br>
</td>
<td valign="top">Filter<br>
</td>
<td valign="top">Nat<br>
</td>
<td valign="top">Mangle<br>
</td>
</tr>
<tr>
<td valign="top">PREROUTING<br>
</td>
<td valign="top"><br>
</td>
<td valign="top">X<br>
</td>
<td valign="top">X<br>
</td>
</tr>
<tr>
<td valign="top">INPUT<br>
</td>
<td valign="top">X<br>
</td>
<td valign="top"><br>
</td>
<td valign="top">X<br>
</td>
</tr>
<tr>
<td valign="top">OUTPUT<br>
</td>
<td valign="top">X<br>
</td>
<td valign="top">X<br>
</td>
<td valign="top">X<br>
</td>
</tr>
<tr>
<td valign="top">FORWARD<br>
</td>
<td valign="top">X<br>
</td>
<td valign="top"><br>
</td>
<td valign="top">X<br>
</td>
</tr>
<tr>
<td valign="top">POSTROUTING<br>
</td>
<td valign="top"><br>
</td>
<td valign="top">X<br>
</td>
<td valign="top">X<br>
</td>
</tr>
</tbody>
</table>
</div>
<p>Shorewall doesn't create rules in all of the builtin chains. In the large
diagram below are boxes such as  shown below.  This box represents in INPUT
chain and shows that packets first flow through the INPUT chain in the Mangle
table followed by the INPUT chain in the Filter table. The parentheses around
"Mangle" indicate that while the packets will flow through the INPUT chain
in the Mangle table, Shorewall does not create any rules in that chain.<br>
</p>
<div align="center"><img src="images/Legend.png" alt="(Box Legend)"
width="145" height="97" align="middle">
<br>
</div>
<p></p>
<p>Here is a picture of how packets traverse the various chains and tables
in Netfilter. In that diagram, "Local Process" refers to a process running
on the Firewall itself (in the 'fw' zone).</p>
<div align="center"><img src="images/Netfilter.png"
alt="Netfilter Flow Diagram" width="541" height="767">
</div>
<p><br>
<br>
In the text that follows, the paragraph numbers correspond to the box
number in the diagram above.<br>
</p>
<ol>
<li>Packets entering the firewall first pass through the <i>mangle </i>table's
PREROUTING chain (you can see the mangle table by typing "shorewall show
mangle"). If the packet entered through an interface that has the <b>norfc1918</b>
option and if iptables/netfilter doesn't support the connection tracking
match extension, then the packet is sent down the <b>man1918</b> chain which
will drop the packet if its destination IP address is reserved (as specified
in the /etc/shorewall/rfc1918 file). Next the packet passes through the<b>
pretos</b> chain to set its TOS field as specified in the /etc/shorewall/tos
file. Finally, if traffic control/shaping is being used, the packet is
sent through the<b> tcpre</b> chain to be marked for later use in policy
routing or traffic control.<br>
<br>
Next, if the packet isn't part of an established connection, it passes
through the<i> nat</i> table's PREROUTING chain (you can see the nat table
by typing "shorewall show nat"). If you are doing both static nat and
port forwarding, the order in which chains are traversed is dependent on
the setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is
on then packets will ender a chain called<b> <i>interface_</i>in</b> where
<i>interface</i> is the name of the interface on which the packet entered.
Here it's destination IP is compared to each of the <i>EXTERNAL</i> IP
addresses from /etc/shorewall/nat that correspond to this interface; if
there is a match, DNAT is applied and the packet header is modified to
the IP in the <i>INTERNAL</i> column of the nat file record. If the destination
address doesn't match any of the rules in the <b><i>interface_</i>in</b>
chain then the packet enters a chain called <b><i>sourcezone</i>_dnat</b>
where <i>sourcezone</i> is the source zone of the packet. There it is compared
for a match against each of the DNAT records in the rules file that specify
<i> sourcezone </i>as the source zone. If a match is found, the
destination IP address (and possibly the destination port) is modified based
on the rule matched. If NAT_BEFORE_RULES is off, then the order of traversal
of the <b><i> interface_</i>in</b> and <b><i>sourcezone</i>_dnat</b> is
reversed.<br>
<br>
</li>
<li>Depending on whether the packet is destined for the firewall itself
or for another system, it follows either the left or the right path. Traffic
going to the firewall goes through chain called INPUT in the mangle table.
Shorewall doesn't add any rules to that chain.<br>
<br>
</li>
<li>Traffic that is to be forwarded to another host goes through the chains
called FORWARD in the mangle table. If MARK_IN_FORWARD=Yes in shorewall.conf,
all rules in /etc/shorewall/tcrules that do not specify Prerouting (:P) are
processed in a chain called <br>
<br>
</li>
<ol>
</ol>
<li>Traffic is next sent to an<i> interface </i>chain in the main Netfilter
table (called 'filter'). If the traffic is destined for the firewall
itself, the name of the interface chain is formed by appending "_in" to
the interface name. So traffic on eth0 destined for the firewall will
enter a chain called <i>eth0_in</i>. The interface chain for traffic
that will be routed to another system is formed by appending "_fwd" to
the interface name. So traffic from eth1 that is going to be forwarded
enters a chain called<i> eth1_fwd</i>. Interfaces described with the wild-card
character ("+") in /etc/shorewall/interfaces, share input chains. if <i>ppp+
</i>appears in /etc/shorewall/interfaces then all PPP interfaces (ppp0,
ppp1, ...) will share the interface chains <i>ppp_in</i> and <i>ppp_fwd</i>.
In other words, "+" is deleted from the name before forming the input chain
names.<br>
<br>
While the use of interfacechains may seem wasteful in simple environments,
in complex setups it substantially reduces the number of rules that each
packet must traverse.  </li>
</ol>
<p> Traffic directed from a zone to the firewall itself is sent through
a chain named &lt;<i>zone name&gt;</i>2fw. For example, traffic inbound from
the internet and addressed to the firewall is sent through a chain named
net2fw. Similarly, traffic originating in the firewall and being sent
to a host in a given zone is sent through a chain named fw2<i>&lt;zone
name&gt;. </i>For example, traffic originating in the firewall and
destined for a host in the local network is sent through a chain named
<i>fw2loc.</i> <font face="Century Gothic, Arial, Helvetica">  </font></p>
<p> Traffic being forwarded between two zones (or from one interface to
a zone to another interface to that zone) is sent through a chain named <i>
&lt;source zone&gt;</i>2<i> &lt;destination zone&gt;</i>. So for example,
traffic originating in a local system and destined for a remote web server
is sent through chain <i>loc2net. </i>This chain is referred to
as the <i>canonical</i> chain from &lt;source zone&gt; to &lt;destination
zone&gt;. Any destination NAT will have occurred <u>before</u> the packet
traverses one of these chains so rules in /etc/shorewall/rules should
be expressed in terms of the destination system's real IP address as opposed
to its apparent external address. Similarly, source NAT will occur <u>after</u>
the packet has traversed the appropriate forwarding chain so the rules
again will be expressed using the source system's real IP address.</p>
<p> For each record in the /etc/shorewall/policy file, a chain is created.
Policies in that file are expressed in terms of a source zone and destination
zone where these zones may be a zone defined in /etc/shorewall/zones,
"fw" or "all". Policies specifying the pseudo-zone "all" matches all defined
zones and "fw". These chains are referred to as <i>Policy Chains.</i> Notice
that for an ordered pair of zones (za,zb), the canonical chain (za2zb)
may also be the policy chain for the pair or the policy chain may be
a different chain (za2all, for example). Packets from one zone to another
will traverse chains as follows:</p>
<ol>
<li> If the canonical chain exists, packets first traverse
that chain.</li>
<li> If the canonical chain and policy chain are different
and the packet does not match a rule in the canonical chain, it then
is sent to the policy chain.</li>
<li> If the canonical chain does not exist, packets are sent
immediately to the policy chain.</li>
</ol>
<p> The canonical chain from zone za to zone zb will be created only if
there are exception rules defined in /etc/shorewall/rules for packets going
from za to zb.</p>
<p> Shorewall is built on top of the Netfilter kernel facility. Netfilter
implements connection tracking function that allow what is often referred
to as "statefull inspection" of packets. This statefull property allows
firewall rules to be defined in terms of "connections" rather than in
terms of "packets". With Shorewall, you:</p>
<ol>
<li> Identify the client's zone.</li>
<li> Identify the server's zone.</li>
<li> If the POLICY from the client's zone to the server's zone
is what you want for this client/server pair, you need do nothing further.</li>
<li> If the POLICY is not what you want, then you must add
a rule. That rule is expressed in terms of the client's zone and
the server's zone.</li>
</ol>
<p> Just because connections of a particular type are allowed between zone
A and the firewall and are also allowed between the firewall and zone
B <font color="#ff6633"><b><u> DOES NOT mean that these connections
are allowed between zone A and zone B</u></b></font>. It rather means
that you can have a proxy running on the firewall that accepts a connection
from zone A and then establishes its own separate connection from the
firewall to zone B.</p>
<p> If you adopt the default policy of ACCEPT from the local zone to the
internet zone and you are having problems connecting from a local client
to an internet server, <font color="#ff6633"><b><u> adding a rule won't
help</u></b></font> (see point 3 above).</p>
<p><font size="2">Last modified 5/22/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
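Review bot: this hunk deletes shorewall_firewall_structure.htm outright, yet the QuickStart index hunk later in this commit still shows a `shorewall_firewall_structure.htm` link line; confirm that line is on the removed side and that no other page still links here. Two points from the deleted text are worth carrying into whatever replaces it: that connections allowed from zone A to the firewall and from the firewall to zone B are not thereby allowed from A to B (that only works via a proxy on the firewall), and that adding a rule does not help when the policy between the zones is already ACCEPT.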

View File

@ -7,18 +7,37 @@
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Logging</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
<h1 style="text-align: center;">Logging</h1>
<h2>How to Log Traffic through a Shorewall Firewall</h2>
The disposition of packets entering a Shorewall firewall&nbsp; is
determined by one of a number of Shorewall facilities. Only some of
these facilities permit logging.<br>
<ol>
<li>The packet is part of an established connection. The packet is
accepted and cannot be logged.</li>
<li>The packet represents a connection request that is related to an
established connection (such as a <a href="FTP.html">data connection
associated with an FTP control connection</a>).&nbsp; These packets
also cannot be logged.</li>
<li>The packet is rejected because of an option in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> or <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
These packets can be logged by setting the appropriate logging-related
option in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The packet matches a rule in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.
By including a syslog level (see below) in the ACTION column of a rule
(e.g., "ACCEPT<span
style="font-weight: bold; text-decoration: underline;">:info</span>
net fw tcp 22"), the connection attempt will be logged at that level.</li>
<li>The packet doesn't match a rule so is handled by a policy defined
in <a href="Documentation.htm#Policy">/etc/shorewall/policy</a>. These
may be logged by specifying a syslog level in the LOG LEVEL column of
the policy entry (e.g., "loc net ACCEPT <span
style="font-weight: bold; text-decoration: underline;">info</span>"<br>
</li>
</ol>
<h2>Where the Traffic is logged and how to Change the Destination<br>
</h2>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i>
(using the notation <i>facility.priority</i>). <br>
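Review bot: the policy example in list item 5, `(e.g., "loc net ACCEPT info"`, is missing its closing parenthesis; add `)` after the closing quote, before the `<br>`. Since items 1 and 2 state that established and related packets cannot be logged and item 4 says a rule logs "the connection attempt", a one-line summary that Shorewall logging records connection attempts rather than every packet would help readers sizing their syslog volume.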
@ -149,7 +168,8 @@ and
<a
href="http://marc.theaimsgroup.com/?l=gentoo-security&amp;m=106040714910563&amp;w=2">Here</a>
is a post describing configuring syslog-ng to work with Shorewall.<br>
<p><font size="2"> Updated 9/29/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 10/30/2003 - <a href="support.htm">Tom
Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>

View File

@ -9,20 +9,12 @@
<title>Shorewall Mirrors</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Shorewall Mirrors<br>
</h1>
<p align="left"><b>Remember that updates to the mirrors are often
delayed for 6-12 hours after an update to the primary rsync site. For
HTML content, the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
HTML content, the main web site (<a href="http://shorewall.sf.net"
target="_top">http://shorewall.sf.net</a>)
is updated at the same time as the rsync site.</b></p>
<p align="left">The main Shorewall Web Site is <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
@ -67,6 +59,9 @@ AKA <a href="ftp://www.shorewall.de/pub/shorewall" target="_top">ftp://www.shore
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li>
<li><a href="ftp://ftp.syachile.cl/pub/shorewall" target="_top">ftp://ftp.syachile.cl/pub/shorewall
</a>(Santiago Chile)<br>
</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall" target="_top">ftp://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.com.au" target="_top">ftp://ftp.shorewall.com.au</a>
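Review bot: the new Santiago mirror entry is formatted differently from its neighbours: the anchor text wraps onto a second line before `</a>`, the location lacks the comma used in "Paris, France" and "Taipei, Taiwan", and there is a stray `<br>` before `</li>`. Suggest `<li><a href="ftp://ftp.syachile.cl/pub/shorewall" target="_top">ftp://ftp.syachile.cl/pub/shorewall</a> (Santiago, Chile)</li>`.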
@ -78,7 +73,7 @@ AKA <a href="ftp://www.shorewall.de/pub/shorewall" target="_top">ftp://www.shore
</ul>
Search results and the mailing list archives are always fetched from
the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 8/27/2003 - <a
<p align="left"><font size="2">Last Updated 11/14/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.

View File

@ -1,86 +1,57 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Prerequisites</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
Shorewall Requires:<br>
<body>
<h1 style="text-align: center;">Shorewall Requirements</h1>
Shorewall Requires:<br>
<ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 -
2.4.20. With current releases of Shorewall, Traffic Shaping/Control requires
at least 2.4.18.  <a href="kernel.htm"> Check here for kernel configuration
information.</a> If you are looking for a firewall for use with
2.2 kernels, <a href="http://seawall.sf.net"> see the Seattle
2.4.23-rc2. With current releases of Shorewall, Traffic
Shaping/Control
requires at least 2.4.18.&nbsp; <a href="kernel.htm"> Check here for
kernel configuration information.</a> If you are looking for a firewall
for use with 2.2 kernels, <a href="http://seawall.sf.net"> see the
Seattle
Firewall site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the
<a href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING:
</b></font>The buggy iptables version 1.2.3 is included in RedHat
7.2 and you should upgrade to iptables 1.2.4 prior to installing Shorewall.
Version 1.2.4 is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Iproute ("ip" utility). The iproute package is included
with most distributions but may not be installed by default. The official
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from
RedHat</a> and in the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Iproute ("ip" utility). The iproute package is included with most
distributions but may not be installed by default. The official
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
</li>
<li>A Bourne shell or derivative such as bash or ash. This shell
must have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>Your shell must produce a sensible result when a number n (128 &lt;=
n &lt;= 255) is left shifted by 24 bits. You can check this at a shell prompt
by:</li>
<li>A Bourne shell or derivative such as bash or ash. This shell must
have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>Your shell must produce a sensible result when a number n (128
&lt;= n &lt;= 255) is left shifted by 24 bits. You can check this at a
shell prompt by:</li>
<ul>
<li>echo $((128 &lt;&lt; 24))<br>
</li>
<li>The result must be either 2147483648 or -2147483648.<br>
</li>
</ul>
<li>The firewall monitoring display is greatly improved if you
have awk (gawk) installed.</li>
<li>The firewall monitoring display is greatly improved if you have
awk (gawk) installed.</li>
</ul>
<p align="left"><font size="2">Last updated 7/8/2003 - <a
<p align="left"><font size="2">Last updated 11/20/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
Eastep.</font></a></font></p>
</body>
</html>
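Review bot: `<body>` appears twice in this hunk, once before the removed header table and again before the new `<h1>`; the resulting file must open `<body>` only once. Also, the nested `<ul>` holding the `echo $((128 << 24))` check follows `</li>` instead of sitting inside the list item that introduces it, which is invalid HTML; move that `</li>` to after the nested `</ul>`.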

View File

@ -10,22 +10,10 @@
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart
Guides (HOWTO's)<br>
</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Shorewall QuickStart Guides (HOWTOs)<br>
</h1>
<p align="center">With thanks to Richard who reminded me once again
that we
must all first walk before we can run.<br>
that we must all first walk before we can run.<br>
The French Translations of the single-IP guides are courtesy of Patrice
Vetsel<br>
The French Translation of the Shorewall Setup Guide is courtesy of
@ -51,15 +39,16 @@ acting as a firewall/router for a small local network and a DMZ. (<a
running quickly in the three most common Shorewall configurations. If
you want to learn more about Shorewall than is explained in the above
simple guides,&nbsp; the <a href="shorewall_setup_guide.htm">Shorewall
Setup Guide</a> (See Index Below) is for you.</p>
Setup
Guide</a> (See Index Below) is for you.</p>
</blockquote>
<p>If you have <font color="#ff0000"><big><big><b>more than one public
IP address</b></big></big></font>:<br>
</p>
<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup
Guide</a> (See Index Below) outlines the steps necessary to set up a
firewall where there are multiple public IP
addresses involved or if you
firewall where there are multiple public IP addresses involved or if
you
want to learn more about Shorewall than is explained in the
single-address guides above (<a href="shorewall_setup_guide_fr.htm">Version
Française</a>).</blockquote>
@ -79,13 +68,11 @@ Interfaces (e.g., eth0:0)</a><br>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using
/sbin/shorewall</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="starting_and_stopping_shorewall.htm">Commands</a>
(Description of
all /sbin/shorewall commands)</li>
(Description of all /sbin/shorewall commands)</li>
<li><a href="configuration_file_basics.htm">Common configuration file
features</a>&nbsp;</li>
<ul>
@ -143,13 +130,16 @@ in Shorewall</a> </li>
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
Scripts</a></font> (How to extend Shorewall without modifying Shorewall
code through the use of files in /etc/shorewall --
/etc/shorewall/start, /etc/shorewall/stopped, etc.)</li>
/etc/shorewall/start,
/etc/shorewall/stopped, etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="FAQ.htm">FAQs</a><br>
</li>
<li><a href="shorewall_features.htm">Features</a><br>
</li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><a href="Multiple_Zones.html">Forwarding Traffic on the Same
Interface</a><br>
</li>
<li><a href="FTP.html">FTP and Shorewall</a><br>
</li>
<li><a href="support.htm">Getting help or answers to questions</a></li>
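Review bot: this hunk contains the `shorewall_firewall_structure.htm` index entry, but that file is deleted wholesale earlier in this commit; if the entry is on the retained side the index will carry a dead link. The `Multiple_Zones.html` entry labelled "Forwarding Traffic on the Same Interface" also overlaps the "Multiple Zones Through One Interface" entry in the next hunk, which points at the same file; keep one of them.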
@ -158,16 +148,25 @@ code through the use of files in /etc/shorewall --
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a></li>
</ul>
<li><a href="Install.htm">Installation/Upgrade</a><br>
<li><a href="Install.htm">Installation/Upgrade</a></li>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="Shorewall_and_Kazaa.html">Kazaa Filtering</a><br>
</li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br>
</li>
<li><a href="MAC_Validation.html">MAC Verification</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
<li><a href="http://lists.shorewall.net">Mailing Lists</a></li>
<li><a href="Multiple_Zones.html">Multiple Zones Through One Interface</a><br>
</li>
<li><a href="NetfilterOverview.html">Netfilter Overview</a><br>
</li>
<li><a href="myfiles.htm">My Shorewall Configuration (How I
personally use Shorewall)</a></li>
<li><font color="#000099"><a href="NAT.htm">One-to-one NAT (Formerly
referred to as <span style="font-style: italic;">Static NAT</span>)<br>
</a></font></li>
<li><a href="OPENVPN.html">OpenVPN</a></li>
<li><a href="starting_and_stopping_shorewall.htm">Operating Shorewall</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
@ -178,8 +177,8 @@ personally use Shorewall)</a></li>
<li>Ports used by Trojans</li>
</ul>
</li>
<li><a href="ProxyARP.htm">Proxy
ARP</a></li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="shorewall_prerequisites.htm">Requirements</a><br>
</li>
<li><a href="samba.htm">Samba</a></li>
@ -197,8 +196,7 @@ Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2
Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol (ARP)</a></li>
@ -219,7 +217,8 @@ Network</a>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
One-to-one NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
@ -235,14 +234,11 @@ Starting and Stopping the Firewall</a></li>
href="starting_and_stopping_shorewall.htm">Starting/stopping the
Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall
commands</li>
<li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br>
</li>
</ul>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
with Shorewall</a></li>
<li><a href="Shorewall_Squid_Usage.html">Squid with Shorewall</a></li>
<li><a href="Accounting.html">Traffic Accounting</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
@ -255,14 +251,14 @@ doesn't work)</a></li>
<li>VPN
<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and
IPIP</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="OPENVPN.html">OpenVPN</a><br>
</li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="6to4.htm">6t04</a><br>
</li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
<li><a href="VPN.htm">IPSEC/PPTP</a> passthrough from a system
behind your
firewall to a remote network.</li>
<li><a href="GenericTunnels.html">Other VPN types</a>.<br>
</li>
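Review bot: the anchor text `6t04` (with a zero) in the VPN list should read `6to4`, matching the `6to4.htm` target and the page title used elsewhere.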
@ -272,7 +268,7 @@ firewall to a remote network.</li>
</ul>
<p>If you use one of these guides and have a suggestion for improvement
<a href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 9/23/2003 - <a href="support.htm">Tom
<p><font size="2">Last modified 11/22/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas
M. Eastep</font></a><br>

View File

@ -10,18 +10,8 @@
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Setup Guide</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
<h1 style="text-align: center;">Shorewall Setup Guide<br>
</h1>
<p><a href="#Introduction">1.0 Introduction</a><br>
<a href="#Concepts">2.0 Shorewall Concepts</a><br>
<a href="#Interfaces">3.0 Network Interfaces</a><br>
@ -41,7 +31,7 @@
<p><a href="#SNAT">5.2.1 SNAT</a><br>
<a href="#DNAT">5.2.2 DNAT</a><br>
<a href="#ProxyARP">5.2.3 Proxy ARP</a><br>
<a href="#NAT">5.2.4 Static NAT</a></p>
<a href="#NAT">5.2.4 One-to-one NAT</a></p>
</blockquote>
<p><a href="#Rules">5.3 Rules</a><br>
<a href="#OddsAndEnds">5.4 Odds and Ends</a></p>
@ -929,7 +919,15 @@ a VPN relationship. </p>
<div align="left">
<p align="left">So it's a good idea to check with your ISP to see if
they are using (or are planning to use) private addresses before you
decide the addresses that you are going to use.</p>
decide the addresses that you are going to use.<br>
</p>
<p align="left"><span style="font-weight: bold;">NOTE: In this
document, external "real" IP addresses are of the form 192.0.2.x.
192.0.2.0/24 is reserved by RFC 3330 for use as public IP addresses in
printed examples. These addresses are not to be confused with addresses
in 192.168.0.0/16; as described above, these addresses are reserved by
RFC 1918 for private use.</span><br>
</p>
</div>
<div align="left">
<h2 align="left"><a name="Options"></a>5.0 Setting up your Network</h2>
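Review bot: the new NOTE says 192.0.2.0/24 is "reserved by RFC 3330 for use as public IP addresses in printed examples", which is misleading: RFC 3330 assigns that block as TEST-NET for use in documentation and example code, and it is not routed on the public Internet. Suggested wording: "192.0.2.0/24 is reserved by RFC 3330 (TEST-NET) for use in documentation and examples; these addresses are not routable on the Internet." That keeps the useful contrast with the RFC 1918 space in the following sentence without implying the examples use real public addresses.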
@ -1077,7 +1075,7 @@ also known as <i>Port Forwarding.</i> </p>
</li>
<li>
<p align="left"><i>Network Address Translation</i> (NAT) also
referred to as <i>Static NAT</i>. </p>
referred to as <i>One-to-one NAT</i>. </p>
</li>
</ul>
</div>
@ -1230,12 +1228,13 @@ your public IP addresses (<b>A)</b> and is assigned the same netmask <b>(M)
<p align="left">When <b>H</b> issues an ARP "who has" request for
an address in the subnetwork defined by <b>A</b> and <b>M</b>, the
firewall will
respond (with the MAC if the firewall interface to <b>H</b>). </p>
respond (with the MAC if the firewall interface) to <b>H</b>. </p>
</li>
</ul>
</div>
<div align="left">
<p align="left">Let suppose that we decide to use Proxy ARP on the DMZ
<p align="left">Let us suppose that we decide to use Proxy ARP on the
DMZ
in our example network.</p>
</div>
<div align="left">
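Review bot: moving the closing parenthesis is right, but the typo in the same sentence is still there: "respond (with the MAC if the firewall interface) to H" should read "respond (with the MAC of the firewall interface) to H". While touching this hunk, "Let us suppose" is fine; the corrected sentence above it is the only remaining issue.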
@ -1323,7 +1322,7 @@ accordingly."<br>
<br>
Which is, of course, exactly what you want to do when you switch a host
from being exposed to the Internet to behind Shorewall using proxy ARP
(or static NAT for that matter). Happily enough, recent versions
(or one-to-one NAT for that matter). Happily enough, recent versions
of Redhat's iputils package include "arping", whose "-U" flag does just
that:<br>
<br>
@ -1371,10 +1370,10 @@ words, the gateway's ARP cache still associates 192.0.2.177 with
the NIC in DMZ 1 rather than with the firewall's eth0.</p>
</div>
<div align="left">
<h4 align="left"><a name="NAT"></a>5.2.4 Static NAT</h4>
<h4 align="left"><a name="NAT"></a>5.2.4 One-to-one NAT</h4>
</div>
<div align="left">
<p align="left">With static NAT, you assign local systems RFC 1918
<p align="left">With one-to-one NAT, you assign local systems RFC 1918
addresses then establish a one-to-one mapping between those addresses
and
public IP addresses. For outgoing connections SNAT (Source Network
@ -1486,7 +1485,7 @@ daughter's web server -- you would rather just use an ACCEPT rule:</p>
<p align="left">A word of warning is in order here. ISPs typically
configure their routers with a long ARP cache timeout. If you move a
system from parallel to your firewall to behind your firewall with
static NAT, it will probably be HOURS before that system can
one-to-one NAT, it will probably be HOURS before that system can
communicate
with the internet. There are a couple of things that you can try:<br>
</p>
@ -1506,7 +1505,7 @@ accordingly."<br>
<br>
Which is, of course, exactly what you want to do when you switch a host
from being exposed to the Internet to behind Shorewall using proxy ARP
(or static NAT for that matter). Happily enough, recent versions
(or one-to-one NAT for that matter). Happily enough, recent versions
of Redhat's iputils package include "arping", whose "-U" flag does just
that:<br>
<br>
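Review bot: this paragraph (from "Which is, of course, exactly what you want to do" through the arping "-U" sentence) is a verbatim copy of the one changed in the hunk at line 1323 in the Proxy ARP section, and both copies receive the same "one-to-one NAT" edit here. Keeping a single copy and cross-referencing it from the One-to-one NAT section would avoid the two drifting apart on the next edit.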
@ -2367,7 +2366,7 @@ create an <i><a href="Documentation.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="Documentation.htm#Starting">"shorewall try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 7/6/2003 - <a
<p align="left"><font size="2">Last updated 11/18/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
2003 Thomas M. Eastep</font></a><br>

File diff suppressed because it is too large

View File

@ -7,18 +7,6 @@
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#3366ff">
<tbody>
<tr>
<td width="33%" height="90" valign="middle" align="center"><a
href="http://www.cityofshoreline.com"> </a><img src="images/Logo1.png"
alt="(Shorewall Logo)" width="430" height="90"> <br>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
@ -26,6 +14,15 @@
<tbody>
<tr>
<td width="90%">
<h2>Site Problem</h2>
The server that normally hosts www.shorewall.net and ftp.shorewall.net
is currently down. Until it is back up, a small server with very
limited bandwidth is being used temporarly. You will likely experience
better response time from the <a
href="http://shorewall.sourceforge.net" target="_top">Sourceforge site</a>
or from one of the other <a href="shorewall_mirrors.htm">mirrors</a>.
Sorry for the inconvenience.<br>
<br>
<h2>Introduction<br>
</h2>
<ul>
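Review bot: "temporarly" in the new Site Problem notice should be "temporarily". The notice itself reads clearly; the two trailing `<br>` tags before the Introduction heading are not needed since the `<h2>` already starts a new block.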
@ -37,14 +34,12 @@ and control that facility. Netfilter can be used in ipchains
compatibility mode.<br>
</li>
<li>iptables - the utility program used to configure and
control
Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in
ipchains compatibility mode).<br>
control Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in ipchains
compatibility mode).<br>
</li>
</ul>
The
Shoreline Firewall, more commonly known as "Shorewall", is
The Shoreline Firewall, more commonly known as "Shorewall", is
high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of configuration
files. Shorewall reads those configuration files and with the help of
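Review bot: the reflowed sentence still lacks an article: "The Shoreline Firewall, more commonly known as "Shorewall", is high-level tool for configuring Netfilter" should read "is a high-level tool". The rest of the reflow (the iptables bullet and the GPL paragraph that follows) changes only line breaks.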
@ -56,14 +51,14 @@ and can thus take advantage of Netfilter's connection state tracking
capabilities.
<p>This program is free software; you can redistribute it and/or
modify it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
<br>
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.<br>
General
Public License for more details.<br>
<br>
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
@ -81,356 +76,205 @@ Shorewall. For older versions:<br>
</li>
</ul>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by
selecting the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
that most closely match your environment and
follow the step by step instructions.<br>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
closely match your environment and follow the step by step instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your
right.
Index</a> is a good place to start as is the Quick Search in the frame
above.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site will not apply directly
to your setup. If you want to
use the documentation that you find here, you will want to consider
uninstalling what you have and installing a setup that matches the
documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for
to
your setup. If you want to use the documentation that you find here,
you will want to consider uninstalling what you have and installing a
setup that matches the documentation on this site. See the <a
href="two-interface.htm">Two-interface QuickStart Guide</a> for
details.
<h2></h2>
<h2><b>News</b></h2>
<b>10/06/2003 - Shorewall 1.4.7</b><b> <img
<p><b>11/01/2003 - Shorewall 1.4.8 RC2</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""></b><br>
<b><br>
Problems Corrected since version 1.4.6 (Those in bold font
were corrected since 1.4.7 RC2).</b><br>
<ol>
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
variable was being tested before it was set.</li>
<li>Corrected handling of MAC addresses in the SOURCE column of
the tcrules file. Previously, these addresses resulted in an invalid
iptables command.</li>
<li>The "shorewall stop" command is now disabled when
/etc/shorewall/startup_disabled exists. This prevents people from
shooting themselves in the foot prior to having configured Shorewall.</li>
<li>A change introduced in version 1.4.6 caused error messages
during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
were being added to a PPP interface; the addresses were successfully
added in spite of the messages.<br>
&nbsp;&nbsp;&nbsp; <br>
The firewall script has been modified to eliminate the error messages</li>
<li>Interface-specific dynamic blacklisting chains are
now displayed by "shorewall monitor" on the "Dynamic Chains" page
(previously named "Dynamic Chain").</li>
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
<li value="7">The 'shorewall reject'
and
'shorewall drop' commands now delete any existing rules for the subject
IP address before adding a new DROP or REJECT rule. Previously, there
could be many rules for the same IP address in the dynamic chain so
that multiple 'allow' commands were required to re-enable traffic
to/from the address.</li>
<li>When ADD_SNAT_ALIASES=Yes in
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
a startup error:<br>
&nbsp;<br>
&nbsp;&nbsp; eth0 eth1&nbsp;&nbsp;&nbsp;&nbsp;
206.124.146.20-206.124.146.24<br>
<br>
</li>
<li>Shorewall previously choked over
IPV6
addresses configured on interfaces in contexts where Shorewall needed
to detect something about the interface (such as when "detect" appears
in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
<li>Shorewall will now load
module files that are formed from the module name by appending ".o.gz".</li>
<li>When Shorewall adds a route to a
proxy
ARP host and such a route already exists, two routes resulted
previously. This has been corrected so that the existing route is
replaced if it already exists.</li>
<li>The rfc1918 file has been
updated to reflect recent allocations.</li>
<li>The documentation of the
USER SET column in the rules file has been corrected.</li>
<li>If there is no policy
defined for
the zones specified in a rule, the firewall script previously
encountered a shell syntax error:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [: NONE: unexpected operator<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
Now, the absence of a policy generates an error message and the
firewall is stopped:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; No policy defined from zone
&lt;source&gt; to zone &lt;dest&gt;<br>
<br>
</li>
<li>Previously, if neither
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
would fail to start and would not remove the lock file. Failure to
remove the lock file resulted in the following during subsequent
attempts to start:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<br>
&nbsp;&nbsp;&nbsp; Loading /usr/share/shorewall/functions...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/params ...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/shorewall.conf...<br>
&nbsp;&nbsp;&nbsp; Giving up on lock file /var/lib/shorewall/lock<br>
&nbsp;&nbsp;&nbsp; Shorewall Not Started<br>
<br>
Shorewall now reports a fatal error if neither of these two files exist
and correctly removes the lock fille.</li>
<li>The order of processing
the
various options has been changed such that blacklist entries now take
precedence over the 'dhcp' interface setting.</li>
<li>The log message generated
from the
'logunclean' interface option has been changed to reflect a disposition
of LOG rather than DROP.</li>
<li><span style="font-weight: bold;">When a user name and/or a
group
name was specified in the USER SET column and the destination zone was
qualified with a IP address, the user and/or group name was not being
used to qualify the rule.<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; Example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; ACCEPT fw&nbsp; net:192.0.2.12 tcp 23 - - - vladimir:<br>
<br>
</span></li>
<li><span style="font-weight: bold;">The /etc/shorewall/masq
file has had the spurious "/" character at the front removed.</span></li>
</ol>
<b>Migration Issues:</b><br>
<ol>
<li>Shorewall IP Traffic Accounting has changed since snapshot
20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
details.</li>
<li>The Uset Set capability introduced in SnapShot 20030821 has
changed -- see the <a href="UserSets.html">User Set page</a> for
details.</li>
<li>The
per-interface Dynamic Blacklisting facility introduced in the first
post-1.4.6 Snapshot has been removed. The facility had too many
idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
</li>
</ol>
<b></b><b>New Features:</b><br>
<ol>
<li>Shorewall now creates a dynamic blacklisting chain for each
interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
commands use the routing table to determine which of these chains is to
be used for blacklisting the specified IP address(es).<br>
<br>
Two new commands ('dropall' and 'rejectall') have been introduced that
do what 'drop' and 'reject' used to do; namely, when an address is
blacklisted using these new commands, it will be blacklisted on all of
your firewall's interfaces.</li>
<li>Thanks to Steve Herber, the 'help' command can now give
command-specific help (e.g., shorewall help &lt;command&gt;).</li>
<li>A new option "ADMINISABSENTMINDED" has been added to
/etc/shorewall/shorewall.conf. This option has a default value of "No"
for existing users which causes Shorewall's 'stopped' state &nbsp;to
continue as it has been; namely, in the stopped state only traffic
to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
<br>
With ADMINISABSENTMINDED=Yes (the default for new installs), in
addition to traffic to/from the hosts listed in
/etc/shorewall/routestopped, Shorewall will allow:<br>
<br>
&nbsp;&nbsp; a) All traffic originating from the firewall itself; and<br>
&nbsp;&nbsp; b) All traffic that is part of or related to an
already-existing connection.<br>
<br>
&nbsp;In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
entered through an ssh session will not kill the session.<br>
<br>
&nbsp;Note though that even with ADMINISABSENTMINDED=Yes, it is still
possible for people to shoot themselves in the foot.<br>
<br>
&nbsp;Example:<br>
<br>
&nbsp;/etc/shorewall/nat:<br>
<br>
&nbsp; &nbsp; &nbsp;206.124.146.178&nbsp;&nbsp;&nbsp;
eth0:0&nbsp;&nbsp;&nbsp; 192.168.1.5&nbsp;&nbsp;&nbsp; <br>
<br>
&nbsp;/etc/shorewall/rules:<br>
<br>
&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
<br>
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
connection with local system 192.168.1.5. I then create a second SSH
connection
from that computer to the firewall and confidently type "shorewall
stop".
As part of its stop processing, Shorewall removes eth0:0 which kills my
SSH
connection to 192.168.1.5!!!</li>
<li>Given the wide range of VPN software, I can never hope to
add specific support for all of it. I have therefore decided to add
"generic" tunnel support.<br>
&nbsp;<br>
Generic tunnels work pretty much like any of the other tunnel types.
You usually add a zone to represent the systems at the other end of the
tunnel and you add the appropriate rules/policies to<br>
implement your security policy regarding traffic to/from those systems.<br>
&nbsp;<br>
In the /etc/shorewall/tunnels file, you can have entries of the form:<br>
<br>
generic:&lt;protocol&gt;[:&lt;port&gt;]&nbsp; &lt;zone&gt;&nbsp; &lt;ip
address&gt;&nbsp;&nbsp;&nbsp; &lt;gateway zones&gt;<br>
&nbsp;<br>
where:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;protocol&gt; is the protocol
used by the tunnel<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;port&gt;&nbsp; if the protocol
is 'udp' or 'tcp' then this is the destination port number used by the
tunnel.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;zone&gt;&nbsp; is the zone of
the remote tunnel gateway<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ip address&gt; is the IP
address of the remote tunnel gateway.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;gateway zone&gt;&nbsp;&nbsp;
Optional. A comma-separated list of zone names. If specified, the
remote gateway is to be considered part of these zones.</li>
<li>An 'arp_filter' option has been added to the
/etc/shorewall/interfaces file. This option causes
/proc/sys/net/ipv4/conf/&lt;interface&gt;/arp_filter to be set with the
result that this interface will only answer ARP 'who-has' requests from
hosts that are routed out through that interface. Setting this option
facilitates testing of your firewall where multiple firewall interfaces
are connected to the same HUB/Switch (all interfaces connected to the
single HUB/Switch should have this option specified). Note that using
such a configuration in a production environment is strongly
recommended against.</li>
<li>The ADDRESS column in /etc/shorewall/masq may now include a
comma-separated list of addresses and/or address ranges. Netfilter will
use all listed addresses/ranges in round-robin fashion. \</li>
<li>An /etc/shorewall/accounting file has been added to allow
for traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
documentation</a> for a description of this facility.</li>
<li>Bridge interfaces (br[0-9]) may now be used in
/etc/shorewall/maclist.</li>
<li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
rules, rate limiting occurs in the nat table DNAT rule; the
corresponding ACCEPT rule in the filter table is not rate limited. If
you want to limit the filter table rule, you will need o create two
rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
separately.<br>
&nbsp;<br>
<span style="font-weight: bold;">Warning: </span>When rate
limiting is specified on a rule with "all" in the SOURCE or DEST
fields, the limit will apply to each pair of zones individually rather
than as a single limit for all pairs of covered by the rule.<br>
&nbsp;<br>
To specify a rate limit, <br>
<br>
a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
&nbsp;<br>
&nbsp;
where<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rate&gt; is the sustained rate per
&lt;interval&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;interval&gt; is "sec" or "min"<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;burst&gt; is the largest burst
accepted within an &lt;interval&gt;. If not given, the default of 5 is
assumed.<br>
&nbsp;<br>
There may be no white space between the ACTION and "&lt;" nor there may
be any white space within the burst specification. If you want to
specify logging of a rate-limited rule, the ":" and log level comes
after the "&gt;" (e.g., ACCEPT&lt;2/sec:4&gt;:info ).<br>
<br>
b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
file. You may specify the rate limit there in the format:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;]<br>
&nbsp;<br>
Let's take an example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp;&nbsp; 80<br>
&nbsp;&nbsp;&nbsp; <br>
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate<br>
of 2) before a packet will be accepted from this rule, regardless of
how many packets reach it. Also, every 500ms which passes without
matching a packet, one of the bursts will be regained; if no packets
hit the rule for 2 second, the burst will be fully recharged; back
where we started.<br>
</li>
<li>Multiple chains may now be displayed in one "shorewall
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
<li>Output rules (those with $FW as the SOURCE) may now be
limited to a set of local users and/or groups. See <a
href="UserSets.html">http://shorewall.net/UserSets.html</a> for
details.</li>
</ol>
<p><b>8/27/2003 - Shorewall Mirror in Australia&nbsp;</b></p>
<p>Thanks to Dave Kempe and Solutions First (<a
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
there is now a Shorewall Mirror in Australia:</p>
<div style="margin-left: 40px;"><a
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><br>
<font size="3"><a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font></div>
<p><b>8/26/2003 - French Version of the Shorewall Setup
Guide&nbsp;</b></p>
Thanks to Fabien <font size="3">Demassieux, there is now a <a
href="shorewall_setup_guide_fr.htm">French translation of the
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!</font> <b>9/15/2003
- Shorewall 1.4.7 Beta 2</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="file:///vfat/Shorewall-docs/images/new10.gif" alt="(New)" title=""></b>
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""> <br>
src="file:///vfat/Shorewall-docs/images/new10.gif" alt="(New)" title=""></b><b>
</b></p>
<b>Problems Corrected since version 1.4.6:</b><br>
Given the small number of new features and the relatively few lines of
code that were changed, there will be no Beta for 1.4.8.<br>
<p><b><a href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
<br>
</b>Problems Corrected since version 1.4.7:<br>
</p>
<ol>
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf
then Shorewall would fail to start with the error "ERROR: &nbsp;Traffic
Control requires Mangle"; that problem has been corrected.</li>
<li>Corrected handling of MAC addresses in the SOURCE column of
<li>Tuomo Soini has supplied a correction to a problem that
occurs
using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.</li>
<li>Andres Zhoglo has supplied a correction that avoids trying
to use the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
been corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This
optimization
involved creating a chain named "&lt;zone&gt;_frwd" for most zones
defined using the /etc/shorewall/hosts file. It has since been
discovered that in many cases these new chains contain redundant rules
and that the "optimization" turns out to be less than optimal. The
implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F"
or
":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all entries.</li>
<li>An incorrect comment concerning Debian's use of the
SUBSYSLOCK option has been removed from shorewall.conf.</li>
<li>Previously, neither the 'routefilter' interface option nor
the
tcrules file. Previously, these addresses resulted in an invalid
iptables
command.</li>
<li>The "shorewall stop" command is now disabled when
/etc/shorewall/startup_disabled
exists. This prevents people from shooting themselves in the foot prior
to
having configured Shorewall.</li>
<li>A change introduced in version 1.4.6 caused error messages
during
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
being
added to a PPP interface; the addresses were successfully added in
spite
of the messages.<br>
&nbsp;&nbsp; <br>
The firewall script has been modified to eliminate the error messages.</li>
ROUTE_FILTER parameter were working properly. This has been corrected
(thanks to Eric Bowles for his analysis and patch). The definition of
the ROUTE_FILTER option has changed however. Previously,
ROUTE_FILTER=Yes was documented as enabling route filtering on all
interfaces (which didn't work). Beginning with this release, setting
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
coexist with the use of the 'routefilter' option in the interfaces file.</li>
<li>If MAC verification was enabled on an interface with a /32
address and
a broadcast address then an error would occur during startup.</li>
</ol>
Migration Issues:<br>
<ol>
<li>The definition of the ROUTE_FILTER option in shorewall.conf
has changed as described in item 8) above.<br>
</li>
</ol>
New Features:<br>
<ol>
<li>A new QUEUE action has been introduced for rules. QUEUE
allows
you to pass connection requests to a user-space filter such as ftwall
(http://p2pwall.sourceforge.net). The ftwall program
allows for effective filtering of p2p applications such as Kazaa. For
example, to use ftwall to filter P2P clients in the 'loc' zone, you
would add the following rules:<br>
<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
<br>
You would normally want to place those three rules BEFORE any ACCEPT
rules for loc-&gt;net udp or tcp.<br>
<br>
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with ftwall.</li>
<li>A
BLACKLISTNEWNONLY option has been added to shorewall.conf. When this
option is set to "Yes", the blacklists (dynamic and static) are only
consulted for new connection requests. When set to "No" (the default if
the variable is not set), the blacklists are consulted on every packet.<br>
<br>
Setting this option to "No" allows blacklisting to stop existing
connections from a newly blacklisted host but is more expensive in
terms of packet processing time. This is especially true if the
blacklists contain a large number of entries.</li>
<li>Chain names used in the /etc/shorewall/accounting file may
now begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
</ol>
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
bag awards </b><b><img
style="border: 0px solid ; width: 50px; height: 80px;"
src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
1.4.7c released.</b> </p>
<ol>
<li>The saga with "&lt;zone&gt;_frwd" chains continues. The
1.4.7c script
produces a ruleset that should work for everyone even if it is not
quite optimal. My apologies for this ongoing mess.</li>
</ol>
<p><b>10/24/2003 - Shorewall 1.4.7b</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""></b></p>
<p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
</p>
<ol>
<li>The fix for problem 5 in 1.4.7a was wrong with the result
that
"&lt;zone&gt;_frwd" chains might contain too few rules. That wrong code
is corrected in this release.<br>
</li>
</ol>
<p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
<p>This is a bugfix rollup of the following problem corrections:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that
occurs
using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.<br>
<br>
</li>
<li>Andres Zhoglo has supplied a correction that avoids trying
to use the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through
interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
been corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This
optimization
involved creating a chain named "&lt;zone&gt;_frwd" for most zones
defined using the /etc/shorewall/hosts file. It has since been
discovered that in many cases these new chains contain redundant rules
and that the "optimization" turns out to be less than optimal. The
implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F"
or
":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all entries.</li>
</ol>
<p><b><a href="News.htm">More News</a></b></p>
<b> </b>
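Review bot: the QUEUE description does not say what happens to the queued loc->net tcp/udp and loc->fw udp connection requests when the user-space filter (ftwall) is not running; since the text tells readers to place these three rules BEFORE their ACCEPT rules, it should state whether those requests are then passed or lost, so the failure mode is understood before the rules are deployed. Two smaller points in the same item list: the rule examples are laid out with runs of `&nbsp;` and `<br>` instead of a `<pre>` block (the French guide in this commit uses `<pre>` for exactly this), and "This is a bugfx rollup" under 1.4.7b should read "bugfix".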
@ -453,44 +297,22 @@ Bering 1.2!!! </b><br>
<h4><b> </b></h4>
<b> </b>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b>
href="http://www.sf.net">SourceForge.net</a></b></h2>
<br>
<br>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td>
<td width="88" bgcolor="#3366ff" valign="top" align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong> <font
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
&nbsp;</p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font><font face="Arial" size="-1">
<input type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit" value="Search"></font>
</p>
<font face="Arial"> <input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p>
<a target="_top" href="1.3/index.html"><font color="#ffffff"> </font></a><a
target="_top" href="http://www1.shorewall.net/1.2/index.htm"><font
color="#ffffff"><small><small><small></small></small></small></font></a><br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#3366ff">
style="border-collapse: collapse; width: 100%; background-color: rgb(51, 102, 255);"
id="AutoNumber2">
<tbody>
<tr>
<td width="100%" style="margin-top: 1px;">
<td style="width: 100%; margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> </a></p>
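Review bot: the empty `<b> </b>` wrappers and the `<h4><b> </b></h4>` around the "This site is hosted by" heading survive the FrontPage cleanup and render nothing; drop them together with the banner table. The Quick Search form and its "Search is unavailable Daily 0200-0330 GMT" note are removed with it; if the htdig search is still offered, keep (or move) the "Extended Search" link so readers can still reach it.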
@ -503,7 +325,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
</tr>
</tbody>
</table>
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 11/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</body>

View File

@ -9,17 +9,8 @@
<title>Standalone Firewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Standalone Firewall<br>
</h1>
<p align="left">Setting up Shorewall on a standalone Linux system is
very easy if you understand the basics and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features
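Review bot: the new heading `<h1 style="text-align: center;">Standalone Firewall<br></h1>` carries a trailing `<br>` that only adds a blank line inside the heading; write it as `<h1 style="text-align: center;">Standalone Firewall</h1>`. The same pattern appears in the other converted headers in this commit.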
@ -113,7 +104,9 @@ first checked against the /etc/shorewall/rules file. If no rule in that
file matches the connection request then the first policy in
/etc/shorewall/policy that matches the request is applied. If that
policy is REJECT or DROP&nbsp; the request is first checked against the
rules in /etc/shorewall/common (the samples provide that file for you).</p>
rules in /etc/shorewall/common if that file exists; otherwise the rules
in /etc/shorewall/common.def are checked.<br>
</p>
<p>The /etc/shorewall/policy file included with the one-interface
sample
has the following policies:</p>
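Review bot: the new sentence about /etc/shorewall/common falling back to /etc/shorewall/common.def drops the old remark that "the samples provide that file for you"; say explicitly whether the one-interface sample still ships an /etc/shorewall/common (which would then take precedence over common.def) or whether users should now expect common.def to be used, because that decides which file their REJECT/DROP fallback rules come from. Also, `DROP&nbsp; the request` leaves a doubled space before "the".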
@ -365,9 +358,15 @@ to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.<br>
</p>
<h2>Additional Recommended Reading</h2>
I highly recommend that you review the <a
href="configuration_file_basics.htm">Common Configuration File
Features page</a> -- it contains helpful tips about Shorewall features
than make administering your firewall easier.<br>
</div>
<p align="left"><font size="2">Last updated 2/08/2003 - <a
<p align="left"><font size="2">Last updated 11/15/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
2003 Thomas M. Eastep</font></a></p>
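Review bot: in the added "Additional Recommended Reading" paragraph, "features than make administering your firewall easier" should read "features that make administering your firewall easier"; the `<br>` after "easier." directly before `</div>` is also unnecessary.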

View File

@ -1,113 +1,94 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Standalone Firewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<h2 align="center">Version 2.0.1 Française</h2>
<body>
<h1 style="text-align: center;">Standalone Firewall</h1>
<p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
traduction exacte du texte, mais plutôt à en faire une version française intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps conservés
sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
dans le reste des documentations ainsi que dans les fichiers de configuration.
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à
une traduction exacte du texte, mais plutôt à en faire une version
française intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps
conservés
sous leur forme originale et mis entre parenthèses car vous pouvez les
retrouver
dans le reste des documentations ainsi que dans les fichiers de
configuration.
N?hésitez pas à me contacter afin d?améliorer ce document <a
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM
pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à
JMM
pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP
pour
son formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall (écluse)
pour un petit réseau est une chose assez simple, si vous comprenez les bases
et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son
<p align="left">Mettre en place un système Linux en tant que firewall
(écluse) pour un petit réseau est une chose assez simple, si vous
comprenez les bases et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall.
Il
se focalise sur ce qui est nécessaire pour configurer Shorewall, dans
son
utilisation la plus courante :</p>
<ul>
<li>Un système Linux</li>
<li>Une seule adresse IP externe</li>
<li>Une connexion passant par un modem câble, ADSL, ISDN, Frame Relay,
rtc...</li>
<li>Une connexion passant par un modem câble, ADSL, ISDN, Frame
Relay, rtc...</li>
</ul>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2
d'installé.
Vous pouvez voir si le paquet est installé en vérifiant la présence du
programme ip sur votre système de firewall. Sous root, utilisez la
commande 'which' pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide pour
vous familiariser avec ce qu'il va se passer, et de revenir au début en
effectuant le changements dans votre configuration. Les points, où les changements
<p>Je vous recommande dans un premier temps de parcourir tout le guide
pour vous familiariser avec ce qu'il va se passer, et de revenir au
début en
effectuant le changements dans votre configuration. Les points, où les
changements
dans la configuration sont recommandées, sont signalés par une <img
border="0" src="images/BD21298_.gif" width="13" height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
Si vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte cette
option sinon vous devez les faire passer par dos2unix avant d'essayer de les
utiliser. De la même manière, si vous copiez un fichier de configuration depuis
votre disque dur Windows vers une disquette, vous devez lancer dos2unix sur
border="0" src="images/BD21298_.gif" width="13" height="13"> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> Si
vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte
cette option sinon vous devez les faire passer par dos2unix avant
d'essayer de les
utiliser. De la même manière, si vous copiez un fichier de
configuration depuis
votre disque dur Windows vers une disquette, vous devez lancer dos2unix
sur
la copie avant de l'utiliser avec Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
</ul>
<h2 align="left">Les Concepts de Shorewall</h2>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
Les fichiers de configuration pour Shorewall sont situés dans le répertoire
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a
href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>,
un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers vers /etc/shorewall
(Ils remplaceront les fichiers de même nom déjà existant dans /etc/shorewall
installés lors de l'installation de Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
physiquement présents sur votre système -- chacun des fichiers contient
alt=""> Les fichiers de configuration pour Shorewall sont situés dans
le répertoire /etc/shorewall -- pour de simples paramétrages, vous
n'avez à faire qu'avec quelques un d'entre eux comme décris dans ce
guide. Après avoir <a href="Install.htm">installé Shorewall</a>, <b>téléchargez
le <a href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les
fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom
déjà existant dans /etc/shorewall installés lors de l'installation de
Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à
ceux physiquement présents sur votre système -- chacun des fichiers
contient
des instructions de configuration détaillées et des entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
<i>zones.</i> Dans les fichiers de configuration fournis pour une unique
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble
de <i>zones.</i> Dans les fichiers de configuration fournis pour une
unique
interface, une seule zone est définie :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
<tbody>
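Review bot: `<meta http-equiv="Content-Language" content="en-us">` is kept on a page whose body is French; set it to "fr". The apostrophes in "N?hésitez pas à me contacter afin d?améliorer" have been replaced by "?" (typographic quotes mangled under the windows-1252 declaration) and should be restored as plain apostrophes. The `<h2 align="center">Version 2.0.1 Française</h2>` marker disappears together with the banner table; if readers are meant to know which revision of the English guide this translation tracks, keep that line.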
@ -119,39 +100,35 @@ interface, une seule zone est d
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</tbody>
</table>
<p>Les zones de Shorewall sont définies dans <a
href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
<p>Shorewall reconnaît aussi le système de firewall comme sa propre
zone
- par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont
exprimées en utilisant les termes de zones.</p>
<ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une
zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
zone à une autre dans le fichier<a href="Documentation.htm#Policy">
/etc/shorewall/policy </a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par
défaut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ul>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
politique est REJECT ou DROP la requête est alors comparée par rapport aux
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
<p>Pour chacune des demandes de connexion entrantes dans le firewall,
les demandes sont en premier lieu comparées par rapport au fichier
/etc/shorewall/rules. Si aucune des règles dans ce fichier ne
correspondent, alors la première
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si
cette
politique est REJECT ou DROP la requête est alors comparée par rapport
aux
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous
fournit
ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
a les politiques suivantes :</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive
one-interface a les politiques suivantes :</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
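Review bot: the rewrapped paragraph still says that a REJECT or DROP policy falls through to /etc/shorewall/common "(l'archive d'exemple vous fournit ce fichier)", but the English standalone.htm in this same commit changes that sentence to "/etc/shorewall/common if that file exists; otherwise the rules in /etc/shorewall/common.def are checked". The translation should carry the same change, or be marked as describing an older version, so French readers do not expect the sample archive to supply the file. Also "Si aucune des règles dans ce fichier ne correspondent" should read "ne correspond".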
@ -189,95 +166,81 @@ ce fichier).</p>
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<pre> </pre>
Ces politiques vont :
Ces politiques vont :
<ol>
<li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
<li>permettre toutes demandes de connexion depuis le firewall vers
l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
vers votre firewall</li>
<li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin
de cette politique).</li>
<li>rejeter toutes les autres requêtes de connexion (Shorewall à
besoin de cette politique).</li>
</ol>
<p>A ce point, éditez votre /etc/shorewall/policy et faites y les changements
que vous désirez.</p>
<p>A ce point, éditez votre /etc/shorewall/policy et faites y les
changements que vous désirez.</p>
<h2 align="left">Interface Externe</h2>
<p align="left">Le firewall possède une seule interface réseau. Lorsque la
connexion Internet passe par un modem câble ou par un routeur ADSL (pas
un simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
(PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous connectez
par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>.
Si vous vous connectez en utilisant l'ISDN (numéris), votre interface externe
sera<b> ippp0.</b></p>
<p align="left">Le firewall possède une seule interface réseau. Lorsque
la connexion Internet passe par un modem câble ou par un routeur ADSL
(pas
un simple modem), l'<i>External Interface</i> (interface externe) sera
l'adaptateur ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u>
vous vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous
connectez par un simple modem (RTC), votre interface externe sera aussi
<b>ppp0</b>. Si vous vous connectez en utilisant l'ISDN (numéris),
votre interface externe sera<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
L'exemple de configuration de Shorewall pour une interface suppose que
votre interface externe est <b>eth0</b>. Si votre configuration est différente,
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont
spécifiées pour l'interface. Quelques astuces :</p>
height="13"> L'exemple de configuration de Shorewall pour une
interface suppose que votre interface externe est <b>eth0</b>. Si
votre configuration est différente, vous devrez modifier le fichier
d'exemple /etc/shorewall/interfaces en conséquence. Puisque vous y
êtes, vous pourriez parcourir la liste d'options qui sont spécifiées
pour l'interface. Quelques astuces :</p>
<ul>
<li>
<p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>,
vous pouvez remplacer le "detect" dans la seconde colonne par un "-".
</p>
vous pouvez remplacer le "detect" dans la seconde colonne par un "-". </p>
</li>
<li>
<p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
ou bien si vous avez une adresse IP statique, vous pouvez enlever le "dhcp"
de la liste d'option. </p>
ou bien si vous avez une adresse IP statique, vous pouvez enlever le
"dhcp" de la liste d'option. </p>
</li>
</ul>
<div align="left">
<h2 align="left">Adresse IP</h2>
</div>
</div>
<div align="left">
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP
privée
(<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div>
</div>
<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
car les routeurs sur les backbones Internet ne font pas passer les paquets
dont les adresses de destinations sont définies dans la RFC 1918. Dans certains
cas, les fournisseurs (provider ou ISP) utilisent ces adresses et utilisent
le <i>Network Address Translation </i>afin de récrire les entêtes des paquets
lorsqu'ils les font circuler depuis ou vers l'Internet.</p>
car les routeurs sur les backbones Internet ne font pas passer les
paquets dont les adresses de destinations sont définies dans la RFC
1918. Dans certains cas, les fournisseurs (provider ou ISP) utilisent
ces adresses et utilisent le <i>Network Address Translation </i>afin
de récrire les entêtes des paquets lorsqu'ils les font circuler depuis
ou vers l'Internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface
externe et si elle est comprise dans une des plages précédentes, vous devriez
enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div>
width="13" height="13"> Avant de lancer Shorewall, vous devriez
regarder l'adresse de votre interface externe et si elle est comprise
dans une des plages précédentes, vous devriez enlever l'option
'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<h2 align="left">Permettre d'autres connexions</h2>
</div>
</div>
<div align="left">
<p align="left">Si vous désirez autoriser d'autres connexions depuis l'Internet
vers votre firewall, le format général est :</p>
</div>
<p align="left">Si vous désirez autoriser d'autres connexions depuis
l'Internet vers votre firewall, le format général est :</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
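Review bot: a stray empty `<pre> </pre>` is left between the policy table and "Ces politiques vont :", rendering as a blank preformatted block; remove it. In the same hunk, "Shorewall à besoin de cette politique" should read "Shorewall a besoin", "La RFC 1918 définie plusieurs plage d'adresses IP privée" should read "définit plusieurs plages d'adresses IP privées", and `<u>T</u>unneling<u>P</u>rotocol</i>(PPTP)` and `(<i>Private</i>IP)` are missing the spaces between words.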
@ -303,17 +266,15 @@ votre interface externe est <b>eth0</b>. Si votre configuration est diff
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
</blockquote>
</div>
<div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et
un
serveur POP3 sur votre système de firewall :</p>
</div>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -350,24 +311,22 @@ serveur POP3 sur votre syst
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
</blockquote>
</div>
<div align="left">
<p align="left">Si vous ne savez pas quel port ou protocole une application
particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
</div>
<p align="left">Si vous ne savez pas quel port ou protocole une
application particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>Je ne vous recommande pas d'autoriser le
telnet depuis ou vers l'Internet car il utilise du texte en clair (même
pour le login et le mot de passe !). Si vous voulez avoir un accès au shell
<p align="left"><b>Important: </b>Je ne vous recommande pas
d'autoriser le telnet depuis ou vers l'Internet car il utilise du texte
en clair (même
pour le login et le mot de passe !). Si vous voulez avoir un accès au
shell
de votre firewall depuis Internet, utilisez SSH :</p>
</div>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -393,79 +352,75 @@ de votre firewall depuis Internet, utilisez SSH :</p>
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
</blockquote>
</div>
<div align="left">
<pre> ACCEPT net fw tcp 22</pre>
</div>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
A ce point, éditez /etc/shorewall/rules pour rajouter les autres connexions
désirées.</p>
</div>
height="13"> A ce point, éditez /etc/shorewall/rules pour rajouter les
autres connexions désirées.</p>
</div>
<div align="left">
<h2 align="left">Lancer et Arrêter son Firewall</h2>
</div>
</div>
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow">
La <a href="Install.htm">procédure d'installation </a> configure votre
système pour lancer Shorewall au boot du système, mais au début avec la version
1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
avec que la configuration soit finie. Une fois que vous en aurez fini avec
la configuration du firewall, vous pouvez permettre le lancement de Shorewall
en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
</p>
</div>
height="13" alt="Arrow"> La <a href="Install.htm">procédure
d'installation </a> configure votre système pour lancer Shorewall au
boot du système, mais au début avec la version 1.3.9 de Shorewall le
lancement est désactivé, n'essayer pas de lancer Shorewall avec que la
configuration soit finie. Une fois que vous en aurez fini avec la
configuration du firewall, vous pouvez permettre le lancement de
Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les
utilisateurs
des paquets .deb doivent éditer /etc/default/shorewall et mettre
'startup=1'.</font><br>
</p>
</div>
<div align="left">
<p align="left">Le firewall est activé en utilisant la commande "shorewall
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé,
<p align="left">Le firewall est activé en utilisant la commande
"shorewall start" et arrêté avec "shorewall stop". Lorsque le firewall
est stoppé,
le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
firewall qui tourne peut être relancé en utilisant la commande "shorewall
restart". Si vous voulez enlever toutes traces de Shorewall sur votre
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Un firewall qui tourne peut être relancé en utilisant la commande
"shorewall restart". Si vous voulez enlever toutes traces de Shorewall
sur votre
configuration de Netfilter, utilisez "shorewall clear".</p>
</div>
</div>
<div align="left">
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall
depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous
n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre
firewall
depuis Internet, n'essayez pas une commande "shorewall stop" tant que
vous
n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de
laquelle
vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a
De la même manière, je ne vous recommande pas d'utiliser "shorewall
restart"; il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
et de la tester en utilisant la commande <a
et de la tester en utilisant la commande <a
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
</div>
</div>
<p align="left"><font size="2">Last updated 12/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002
Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
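Review bot: the footer "Last updated 12/9/2002" is left unchanged while the copyright line in the same hunk is bumped to "2002, 2003"; either update the date or leave the copyright alone so the two agree. The passage still presents the /etc/shorewall/startup_disabled mechanism as introduced "avec la version 1.3.9"; confirm that wording is still accurate for the 1.4 releases this commit documents. "n'essayer pas de lancer Shorewall avec que la configuration soit finie" should read "n'essayez pas de lancer Shorewall avant que la configuration soit finie", and the ten trailing `<br>` lines before `</body>` are filler that can go.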

View File

@ -9,19 +9,12 @@
<title>Starting and Stopping Shorewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and
Monitoring the Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<p> If you have a permanent internet connection such as DSL or Cable, I
<div style="text-align: center;">
<h1>Starting/Stopping and Monitoring the Firewall<br>
</h1>
</div>
<p><br>
If you have a permanent internet connection such as DSL or Cable, I
recommend that you start the firewall automatically at boot. Once you
have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run levels
@ -44,7 +37,7 @@ restart" in that script.</li>
<p> </p>
<p> You can manually start and stop Shoreline Firewall using the
"shorewall" shell program. Please refer to the <a
href="file:///vfat/Shorewall-docs/starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
href="starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
State Diagram</a> is shown at the bottom of this page. </p>
<ul>
<li>shorewall start - starts the firewall</li>
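Review bot: the sentence around the corrected link is still broken: "Please refer to the Shorewall State Diagram is shown at the bottom of this page" should read "Please refer to the Shorewall State Diagram shown at the bottom of this page". The href change itself is needed, since `file:///vfat/Shorewall-docs/...` resolved only on the author's machine.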

View File

@ -7,19 +7,11 @@
<title>Shorewall Support Guide</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 align="center" style="background-color: rgb(255, 255, 255);">Shorewall
Support Guide <font><font color="#ffffff"><img
src="images/obrasinf.gif" alt=""
style="width: 90px; height: 90px; color: rgb(51, 0, 51);"
align="middle" title=""></font></font></h1>
<h2>Before Reporting a Problem or Asking a Question<br>
</h2>
There are a number of sources of Shorewall information. Please try
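Review bot: the new `<h1>` keeps `<font color="#ffffff">` (white) around the image together with an explicit white `background-color` on the heading, plus `color: rgb(51, 0, 51)` in the image style; these are leftovers of the blue banner and would make any text placed inside the font element invisible. Drop the font wrappers and the color property and keep only the `<img>` with its alt text.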
@ -29,15 +21,15 @@ these before you post.
</li>
<li>More than half of the questions posted on the support list have
answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li>
<li> The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has
<li> The <a href="FAQ.htm">FAQ</a> has
solutions to more than 20 common problems. </li>
<li> The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
<li> The <a href="troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips
to help you solve common problems. </li>
<li> The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
<li> The <a href="errata.htm"> Errata</a>
has links to download updated components. </li>
<li> The Site and Mailing List Archives search facility can locate
documents and posts about similar problems: </li>
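Review bot: one nit in the changed lines: `<a href="errata.htm"> Errata</a>` has a leading space inside the anchor text, which renders as an underlined blank before "Errata". Otherwise, switching these four hrefs from http://www.shorewall.net/... to relative paths is welcome, since it keeps the links working in mirrored and offline copies of the documentation.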
@ -98,6 +90,13 @@ error messages, log entries, command output, and other output is
better than a paraphrase or summary.<br>
<br>
</li>
<li>Please don't describe your problem as "Computer A can't see
Computer B". Of course it can't -- it hasn't any eyes! If ping from A
to B fails, say so (and see below for information about reporting
'ping' problems). If Computer B doesn't show up in "Network
Neighborhood" then say so. <br>
<br>
</li>
<li> Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your questions but
we can't do your job for you.<br>
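Review bot: "see below for information about reporting 'ping' problems" in the new bullet should be an anchor link to that section rather than a bare "see below", since this list is long and the ping instructions are several screens further down. The guidance itself (state whether ping from A to B fails, whether B shows up in Network Neighborhood) is a useful, concrete addition.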
@ -143,7 +142,11 @@ problem is that some type of connection to/from or through your
firewall
isn't working then please perform the following four steps:<br>
<br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
1. <b><font color="#009900"><span style="color: rgb(0, 0, 0);">If
shorewall isn't running then </span></font></b><font color="#009900"
style="font-weight: bold; color: rgb(0, 153, 0);">/sbin/shorewall/start</font><b><font
color="#009900"><span style="color: rgb(0, 0, 0);">. Otherwise</span>
/sbin/shorewall reset<span style="color: rgb(0, 0, 0);">.</span></font></b><br>
<br>
2. Try making the connection that is failing.<br>
<br>
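Review bot: "/sbin/shorewall/start" in the rewritten step 1 is a path, not a command; it should read "/sbin/shorewall start" (with a space), matching "/sbin/shorewall reset" later on the same line. The nested `<font color="#009900">` and `<span style="color: rgb(0, 0, 0);">` wrappers work against each other just to colour the two commands green; a single `<b><font color="#009900">` around each command, as the old line had, is simpler and less fragile.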
@ -189,7 +192,7 @@ unless one also knows the policies).<br>
</li>
<li>If an error occurs when you try to "<font color="#009900"><b>shorewall
start</b></font>", include a trace (See the <a
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
href="troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
@ -232,7 +235,10 @@ you can post non MNF-specific Shorewall questions to the </b><a
mailing list</a>. <b>Do not expect to get free MNF support on the list</b>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users
mailing list.</a> </p>
mailing list.</a><span style="font-weight: bold;"> IMPORTANT: </span>If
you are not subscribed to the list, please say so -- otherwise, you
will not be included in any replies.<br>
</p>
</blockquote>
<h2>Subscribing to the Users Mailing List<br>
</h2>
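Review bot: the full stop belongs outside the anchor: "mailing list.</a>" makes the period part of the link text, and the bold span that follows starts with a space inside it. Suggest `mailing list</a>. <b>IMPORTANT:</b> If you are not subscribed to the list, please say so...`. The instruction itself is a sensible addition, since list replies otherwise never reach a poster who is not subscribed.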
@ -245,7 +251,7 @@ mailing list.</a> </p>
<p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p>
<p align="left"><font size="2">Last Updated 9/17/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 11/12/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
Eastep.</font></a></font><br>

@ -9,17 +9,8 @@
<title>Three-Interface Firewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber5" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Three-Interface Firewall<br>
</h1>
<p align="left">Setting up a Linux system as a firewall for a small
network with DMZ is a fairly straight-forward task if you understand
the basics and follow the documentation.</p>
@ -28,7 +19,11 @@ of Shorewall. It rather focuses on what is required to configure
Shorewall in one of its more popular configurations:</p>
<ul>
<li>Linux system used as a firewall/router for a small local network.</li>
<li>Single public IP address.</li>
<li style="font-weight: bold;">Single public IP address. If you have
more than one public IP address, this is not the guide you want -- see
the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
instead.<br>
</li>
<li>DMZ connected to a separate ethernet interface.</li>
<li>Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up,
...</li>
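Review bot: the bold "Single public IP address" item ends with a `<br>` before `</li>` that the otherwise identical item added to the two-interface guide in this commit (`instead.</li>`) does not have, so the two guides render with different spacing; drop the `<br>` here for consistency.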
@ -128,7 +123,9 @@ file matches the connection request then the first policy in
/etc/shorewall/policy that matches the request is applied. If that
policy is REJECT
or DROP&nbsp; the request is first checked against the rules in
/etc/shorewall/common (the samples provide that file for you).</p>
/etc/shorewall/common if that file exists; otherwise the file
/etc/shorewall/common.def is checked<br>
</p>
<p>The /etc/shorewall/policy file included with the three-interface
sample has the following policies:</p>
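Review bot: the new sentence ending "/etc/shorewall/common.def is checked<br>" is missing its full stop (the two-interface guide's version of the same change ends with "are checked."). More important for readers upgrading: because a user-supplied /etc/shorewall/common now takes precedence over /etc/shorewall/common.def, anyone who kept the common file the old samples provided will silently continue to use that stale copy instead of the shipped defaults; suggest adding a sentence telling readers to remove or review any leftover /etc/shorewall/common from an earlier sample.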
<blockquote>
@ -1064,9 +1061,15 @@ from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>
Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.<br>
</p>
<h2>Additional Recommended Reading</h2>
I highly recommend that you review the <a
href="configuration_file_basics.htm">Common Configuration File
Features page</a> -- it contains helpful tips about Shorewall features
than make administering your firewall easier.
</div>
<p align="left"><font size="2">Last updated 8/8/2003 - <a
<p align="left"><font size="2">Last updated 11/15/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
2003 Thomas M. Eastep</font></a><br>
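Review bot: "helpful tips about Shorewall features than make administering your firewall easier" in the unchanged context should read "that make"; the same typo appears in the matching paragraph of the two-interface guide.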

File diff suppressed because it is too large

@ -1,185 +1,161 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Traffic Shaping</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="left">Shorewall has limited support for traffic shaping/control.
In order to use traffic shaping under Shorewall, it is essential that
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
and Shaping HOWTO</a>, version 0.3.0 or later. It is also necessary
to be running Linux Kernel 2.4.18 or later.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p>
<body>
<h1 style="text-align: center;">Traffic Shaping/Control<br>
</h1>
<p align="left">Shorewall has limited support for traffic
shaping/control. In order to use traffic shaping under Shorewall, it is
essential that you get a copy of the <a href="http://ds9a.nl/lartc">Linux
Advanced Routing and Shaping HOWTO</a>, version 0.3.0 or later. It is
also necessary to be running Linux Kernel 2.4.18 or later.</p>
<p align="left">Shorewall traffic shaping support consists of the
following:</p>
<ul>
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
Traffic Shaping also requires that you enable packet mangling.</li>
Traffic Shaping also requires that you enable packet mangling.</li>
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
the setting of this variable determines whether Shorewall clears the traffic
shaping configuration during Shorewall [re]start and Shorewall stop. <br>
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
the setting of this variable determines whether Shorewall clears the
traffic shaping configuration during Shorewall [re]start and Shorewall
stop. <br>
</li>
<li><b>/etc/shorewall/tcrules</b> - A file where you
can specify firewall marking of packets. The firewall mark value
may be used to classify packets for traffic shaping/control.<br>
</li>
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file
that is sourced by Shorewall during "shorewall start" and which
you can use to define your traffic shaping disciplines and classes.
I have provided a <a
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file that is
sourced by Shorewall during "shorewall start" and which you can use to
define your traffic shaping disciplines and classes. I have provided a <a
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping but if you read the traffic shaping sections
of the HOWTO mentioned above, you can probably code your own faster
than you can learn how to use my sample. I personally use
<a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
HTB support may eventually become an integral part of Shorewall
since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
HTB is a standard part of the kernel but iproute2 must be patched in
order to use it.<br>
table-driven CBQ shaping but if you read the traffic shaping sections
of the HOWTO mentioned above, you can probably code your own faster
than you can learn how to use my sample. I personally use <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
support may eventually become an integral part of Shorewall since HTB
is a lot simpler and better-documented than CBQ. As of 2.4.20, HTB is a
standard part of the kernel but iproute2 must be patched in order to
use it.<br>
<br>
In tcstart, when you want to run the 'tc' utility,
use the run_tc function supplied by shorewall if you want tc errors
to stop the firewall.<br>
In tcstart, when you want to run the 'tc' utility,
use the run_tc function supplied by shorewall if you want tc errors to
stop the firewall.<br>
<br>
You can generally use off-the-shelf traffic shaping scripts by
simply copying them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
You can generally use off-the-shelf traffic shaping scripts by simply
copying them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB
version) that way (i.e., I just copied wshaper.htb to
/etc/shorewall/tcstart
and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
you use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been
you use use Masquerading or SNAT (i.e., you only have one external IP
address) then listing internal hosts in the NOPRIOHOSTSRC variable in
the wshaper[.htb] script won't work. Traffic shaping occurs after SNAT
has already been
applied so when traffic shaping happens, all outbound traffic will have
as a source address the IP addresss of your firewall's external interface.<br>
as a source address the IP addresss of your firewall's external
interface.<br>
</li>
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file
that is sourced by Shorewall when it is clearing traffic shaping.
This file is normally not required as Shorewall's method of clearing
qdisc and filter definitions is pretty general.</li>
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file that is
sourced by Shorewall when it is clearing traffic shaping. This file is
normally not required as Shorewall's method of clearing qdisc and
filter definitions is pretty general.</li>
</ul>
Shorewall allows you to start traffic shaping when Shorewall itself
starts or it allows you to bring up traffic shaping when you bring up your
interfaces.<br>
<br>
To start traffic shaping when Shorewall starts:<br>
Shorewall allows you to start traffic shaping when Shorewall itself
starts or it allows you to bring up traffic shaping when you bring up
your interfaces.<br>
<br>
To start traffic shaping when Shorewall starts:<br>
<ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
shaping rules.</li>
shaping rules.</li>
<li>Optionally supply an /etc/shorewall/tcclear script to stop
traffic shaping. That is usually unnecessary.</li>
<li>If your tcstart script uses the 'fwmark' classifier, you can
mark packets using entries in /etc/shorewall/tcrules.</li>
<li>If your tcstart script uses the 'fwmark' classifier, you can mark
packets using entries in /etc/shorewall/tcrules.</li>
</ol>
To start traffic shaping when you bring up your network interfaces,
you will have to arrange for your traffic shaping configuration script
to be run at that time. How you do that is distribution dependent and will
To start traffic shaping when you bring up your network interfaces, you
will have to arrange for your traffic shaping configuration script to
be run at that time. How you do that is distribution dependent and will
not be covered here. You then should:<br>
<ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
scripts.</li>
scripts.</li>
<li value="4">If your tcstart script uses the 'fwmark' classifier,
you can mark packets using entries in /etc/shorewall/tcrules.</li>
you can mark packets using entries in /etc/shorewall/tcrules.</li>
</ol>
<h3 align="left">Kernel Configuration</h3>
<p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
<p align="left">This screen shot show how I've configured QoS in my
Kernel:</p>
<p align="center"><img border="0" src="images/QoS.png" width="590"
height="764">
</p>
height="764"> </p>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides
a means for specifying these marks in a tabular fashion.<br>
</p>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading
<p align="left">The fwmark classifier provides a convenient way to
classify packets for traffic shaping. The /etc/shorewall/tcrules file
provides a means for specifying these marks in a tabular fashion.<br>
</p>
<p align="left">Normally, packet marking occurs in the PREROUTING chain
before any address rewriting takes place. This makes it impossible to
mark inbound packets based on their destination address when SNAT or
Masquerading
are being used. Beginning with Shorewall 1.3.12, you can cause packet
marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
marking to occur in the FORWARD chain by using the
MARK_IN_FORWARD_CHAIN
option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p>
</p>
<p align="left">Columns in the file are as follows:</p>
<ul>
<li>MARK - Specifies the mark value is to be assigned
in case of a match. This is an integer in the range 1-255. Beginning
with Shorewall version 1.3.14, this value may be optionally followed by
":" and either 'F' or 'P' to designate that the marking will occur in the
FORWARD or PREROUTING chains respectively. If this additional specification
is omitted, the chain used to mark packets will be determined by the setting
<li>MARK - Specifies the mark value is to be assigned in case of a
match. This is an integer in the range 1-255. Beginning with Shorewall
version 1.3.14, this value may be optionally followed by
":" and either 'F' or 'P' to designate that the marking will occur in
the
FORWARD or PREROUTING chains respectively. If this additional
specification
is omitted, the chain used to mark packets will be determined by the
setting
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
Example - 5<br>
Example - 5<br>
</li>
<li>SOURCE - The source of the packet. If the packet
originates on the firewall, place "fw" in this column. Otherwise,
this is a comma-separated list of interface names, IP addresses, MAC
addresses in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or
addresses in <a href="Documentation.htm#MAC">Shorewall Format</a>
and/or
Subnets.<br>
<br>
Examples<br>
    eth0<br>
    192.168.2.4,192.168.1.0/24<br>
Examples<br>
&nbsp;&nbsp;&nbsp; eth0<br>
&nbsp;&nbsp;&nbsp; 192.168.2.4,192.168.1.0/24<br>
</li>
<li>DEST -- Destination of the packet. Comma-separated
list of IP addresses and/or subnets.<br>
<li>DEST -- Destination of the packet. Comma-separated list of IP
addresses and/or subnets.<br>
</li>
<li>PROTO - Protocol - Must be the name of a protocol
from /etc/protocol, a number or "all"<br>
<li>PROTO - Protocol - Must be the name of a protocol from
/etc/protocol, a number or "all"<br>
</li>
<li>PORT(S) - Destination Ports. A comma-separated list
of Port names (from /etc/services), port numbers or port ranges (e.g.,
21:22); if the protocol is "icmp", this column is interpreted as
the destination icmp type(s).<br>
<li>PORT(S) - Destination Ports. A comma-separated list of Port names
(from /etc/services), port numbers or port ranges (e.g., 21:22); if the
protocol is "icmp", this column is interpreted as the destination icmp
type(s).<br>
</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
If omitted, any source port is acceptable. Specified as a comma-separate
list of port names, port numbers or port ranges.</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
omitted, any source port is acceptable. Specified as a comma-separate
list of port names, port numbers or port ranges.</li>
</ul>
<p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 and eth3 should be marked with
2. All packets originating on the firewall itself should be marked with
3.</p>
<p align="left">Example 1 - All packets arriving on eth1 should be
marked with 1. All packets arriving on eth2 and eth3 should be marked
with 2. All packets originating on the firewall itself should be marked
with 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -195,16 +171,16 @@ from /etc/protocol, a number or "all"<br>
<td>eth1</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>2</td>
<td>eth2</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td valign="top">2<br>
@ -225,17 +201,14 @@ from /etc/protocol, a number or "all"<br>
<td>fw</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked
with 12.</p>
<p align="left">Example 2 - All GRE (protocol 47) packets not
originating on the firewall and destined for 155.186.235.151 should be
marked with 12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -251,16 +224,14 @@ with 12.</p>
<td>0.0.0.0/0</td>
<td>155.186.235.151</td>
<td>47</td>
<td> </td>
<td> </td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
and destined for 155.186.235.151 should be marked with 22.</p>
<p align="left">Example 3 - All SSH packets originating in
192.168.1.0/24 and destined for 155.186.235.151 should be marked with
22.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -277,65 +248,59 @@ with 12.</p>
<td>155.186.235.151</td>
<td>tcp</td>
<td>22</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
<h3>My Setup<br>
</h3>
<p>While I am currently using the HTB version of <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
in the Wondershaper README), I have also run with the following set of
hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
</p>
<h3>My Current Setup<br>
</h3>
<p>I am currently using the HTB version of <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just
copied wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as
shown in the Wondershaper README).<span style="font-weight: bold;"> </span>WonderShaper
DOES NOT USE THE
/etc/shorewall/tcrules file. While I currently have entries in
/etc/shorewall/tcrules, I do so for <a
href="Shorewall_Squid_Usage.html">policy routing for Squid</a> and not
for Traffic Shaping.</p>
<h3>My Old Setup<br>
</h3>
<p>I have also run with the following set of hand-crafted rules in my <b>/etc/shorewall/tcstart</b>
file.<br>
</p>
<blockquote>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1</pre>
<pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "&nbsp;&nbsp; Added Top Level Class -- rate 384kbit"</pre>
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit&nbsp; ceil 384kbit burst 15k quantum 1500 prio 1</pre>
<pre>echo "&nbsp;&nbsp; Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
<pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
<pre>echo "   Enabled PFIFO on Second Level Classes"</pre>
<pre>echo "&nbsp;&nbsp; Enabled PFIFO on Second Level Classes"</pre>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>echo "   Defined fwmark filters"<br></pre>
</blockquote>
<p>My tcrules file that went with this tcstart file is shown in Example 1
above. You can look at <a href="myfiles.htm">my configuration</a> to
see why I wanted shaping of this type.<br>
</p>
<pre>echo "&nbsp;&nbsp; Defined fwmark filters"<br></pre>
</blockquote>
<p>My tcrules file that went with this tcstart file is shown in Example
1 above. When I was using these rules:<br>
</p>
<ol>
<li>I wanted to allow up to 140kbits/second for traffic outbound
from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ
<li>I wanted to allow up to 140kbits/second for traffic outbound from
my DMZ (eth1 -- note that the ceiling is set to 384kbit so outbound DMZ
traffic can use all available bandwidth if there is no traffic from the
local systems or from my laptop or firewall).</li>
<li>My laptop and local systems could use up to 224kbits/second.</li>
<li>My laptop (which at that time connected via eth3) and local
systems (eth2) could use up to 224kbits/second.</li>
<li>My firewall could use up to 20kbits/second.</li>
</ol>
You see <a href="myfiles.htm">the rest of my Shorewall configuration</a>
to see how this fit in. <br>
<p><font size="2">Last Updated 3/19/2003 - <a href="support.htm">Tom Eastep</a></font></p>
Once www.shorewall.net was moved off-site, I no longer needed these
shaping rules and The Wonder Shaper does all that I now require.<br>
<p><font size="2">Last Updated 10/21/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
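Review bot: in "My Old Setup", "I have also run with the following set of hand-crafted rules" no longer has a referent for "also" now that it has been split away from the Wonder Shaper paragraph; "I previously ran with ..." reads correctly. Two further points in the new lines: the Squid link targets Shorewall_Squid_Usage.html while every other page in this tree uses the .htm extension, so confirm the file name actually matches; and the `<pre>` blocks use `<br>` for line breaks, which `<pre>` already preserves, so plain newlines would do. The six trailing `<br>` tags before `</body>` are dead space.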

@ -8,19 +8,10 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle"> </font></h1>
</td>
</tr>
</tbody>
</table>
<h1 align="center" style="background-color: rgb(255, 255, 255);">Shorewall
Troubleshooting <img src="images/obrasinf.gif"
alt="Beating head on table" style="width: 90px; height: 90px;"
align="middle" title=""></h1>
<h3 style="text-align: center;"><span style="font-style: italic;">"If
you think you can you can; if you think you can't you're right.<br>
If you don't believe that you can, why should someone else?" -- Gunnar
@ -145,8 +136,8 @@ sending the packets or the destination host isn't in any zone (using an
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
are you?); or</li>
<li>the source and destination hosts are both connected to the
same interface and you don't have a policy or rule for the
source zone to or from the destination zone.</li>
same interface and you haven't specified the 'routeback' option on that
interface.</li>
</ol>
</li>
<li>Remember that Shorewall doesn't automatically allow ICMP type 8
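Review bot: the reworded third cause ("... you haven't specified the 'routeback' option on that interface") is more precise than the old policy-based wording, but it would help to link 'routeback' to its description under /etc/shorewall/interfaces (Documentation.htm#Interfaces) and to say what it does: it makes Shorewall forward traffic back out the interface it arrived on, which deliberately widens what the firewall will route between hosts sharing that interface, so readers should add it only to the interface that actually needs it.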
@ -199,7 +190,7 @@ in /etc/shorewall/shorewall.conf.</li>
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote>
</font>
<p><font size="2">Last updated 8/29/2003 - Tom Eastep</font> </p>
<p><font size="2">Last updated 11/1/2003 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
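Review bot: the "Last updated" date moves to 11/1/2003 but the copyright line two lines below still reads "2001, 2002 Thomas M. Eastep"; the other pages touched in this commit say "2001, 2002, 2003", so add 2003 here as well.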

@ -10,18 +10,8 @@
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber5"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Basic Two-Interface
Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Basic Two-Interface Firewall<br>
</h1>
<p align="left">Setting up a Linux system as a firewall for a small
network is a fairly straight-forward task if you understand the basics
and follow the documentation.</p>
@ -30,7 +20,10 @@ of Shorewall. It rather focuses on what is required to configure
Shorewall in its most common configuration:</p>
<ul>
<li>Linux system used as a firewall/router for a small local network.</li>
<li>Single public IP address.</li>
<li style="font-weight: bold;">Single public IP address. If you have
more than one public IP address, this is not the guide you want -- see
the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
instead.</li>
<li>Internet connection through cable modem, DSL, ISDN, Frame Relay,
dial-up ...</li>
</ul>
@ -140,8 +133,8 @@ that file matches the connection request then the first policy
in /etc/shorewall/policy that matches the request is applied.
If that policy is REJECT or DROP&nbsp; the request is first checked
against
the rules in /etc/shorewall/common (the samples provide that file
for you).</p>
the rules in /etc/shorewall/common if that file exists; otherwise the
rules in /etc/shorewall/common.def are checked.</p>
<p>The /etc/shorewall/policy file included with the two-interface
sample
has the following policies:</p>
@ -946,9 +939,15 @@ have added an entry for the IP address that you are connected from to <a
Also, I don't recommend using "shorewall restart"; it is better
to create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.<br>
</p>
<h2>Additional Recommended Reading</h2>
I highly recommend that you review the <a
href="configuration_file_basics.htm">Common Configuration File
Features page</a> -- it contains helpful tips about Shorewall features
than make administering your firewall easier.
</div>
<p align="left"><font size="2">Last updated 8/8/2003 - <a
<p align="left"><font size="2">Last updated 11/15/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
2003 Thomas M. Eastep</font></a><br>
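Review bot: "features than make administering your firewall easier" in the unchanged context should be "that make" (the same typo as in the three-interface guide's closing paragraph).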

File diff suppressed because it is too large

@ -1,471 +1,378 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Upgrade Issues</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</table>
<p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.<br>
</p>
<p>It is important that you read all of the sections on this page where the
version number mentioned in the section title is later than what you
are currently running.<br>
</p>
<body>
<h1 style="text-align: center;">Upgrade Issues<br>
</h1>
<p>For upgrade instructions see the <a href="Install.htm">Install/Upgrade
page</a>.<br>
</p>
<p>It is important that you read all of the sections on this page where
the version number mentioned in the section title is later than what
you are currently running.<br>
</p>
<p> In the descriptions that follows, the term <b><i>group </i></b>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface.<br>
</p>
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface.<br>
</p>
<p>Examples:<br>
    <br>
    eth0:0.0.0.0/0<br>
    eth2:192.168.1.0/24<br>
    eth3:192.0.2.123<br>
</p>
<p> You can use the "shorewall check" command to see the groups associated
with each of your zones.<br>
</p>
&nbsp;&nbsp;&nbsp; <br>
&nbsp;&nbsp;&nbsp; eth0:0.0.0.0/0<br>
&nbsp;&nbsp;&nbsp; eth2:192.168.1.0/24<br>
&nbsp;&nbsp;&nbsp; eth3:192.0.2.123<br>
</p>
<p> You can use the "shorewall check" command to see the groups
associated with each of your zones.<br>
</p>
<h3> </h3>
<h3>Version &gt;= 1.4.6</h3>
<h3>Version &gt;= 1.4.8</h3>
<ul>
<li> The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed
from shorewall.conf. These capabilities are now automatically detected by
Shorewall.</li>
<li>An undocumented <i>feature</i> previously allowed entries in the host
file as follows:<br>
<br>
<i>zone</i>    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6 to allow
entries of the following format:<br>
<br>
<i>zone</i>   eth1:192.168.1.0/24,192.168.2.0/24<br>
<li>The meaning of ROUTE_FILTER=Yes has changed. Previously this
setting was documented as causing route filtering to occur on all
network interfaces; this didn't work. Beginning with this release,
ROUTE_FILTER=Yes causes route filtering to occur on all interfaces
brought up while Shorewall is running. This means that it may be
appropriate to set ROUTE_FILTER=Yes <span
style="text-decoration: underline;">and</span> use the routefilter
option in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
entries.<br>
</li>
</ul>
<h3>Version &gt;= 1.4.4</h3>
If you are upgrading from 1.4.3 and have set the LOGMARKER variable
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then
you must set the new LOGFORMAT variable appropriately and remove your setting
of LOGMARKER<br>
<h3>Version &gt;= 1.4.6</h3>
<ul>
<li> The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
removed from shorewall.conf. These capabilities are now automatically
detected by Shorewall.</li>
<li>An undocumented <i>feature</i> previously allowed entries in the
host file as follows:<br>
<br>
<i>zone</i> &nbsp; &nbsp;eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6 to
allow entries of the following format:<br>
<br>
<i>zone</i> &nbsp; eth1:192.168.1.0/24,192.168.2.0/24<br>
</li>
</ul>
<h3>Version &gt;= 1.4.4</h3>
If you are upgrading from 1.4.3 and have set the LOGMARKER variable
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>,
then you must set the new LOGFORMAT variable appropriately and remove
your setting of LOGMARKER<br>
<br>
<h3>Version 1.4.4<br>
</h3>
If you have zone names that are 5 characters long, you may experience
</h3>
If you have zone names that are 5 characters long, you may experience
problems starting Shorewall because the --log-prefix in a logging rule
is too long. Upgrade to Version 1.4.4a to fix this problem..<br>
<h3>Version &gt;= 1.4.2</h3>
There are some cases where you may want to handle traffic from a particular
group to itself. While I personally think that such a setups are ridiculous,
there are two cases covered in this documentation where it can occur:<br>
There are some cases where you may want to handle traffic from a
particular group to itself. While I personally think that such a setups
are ridiculous, there are two cases covered in this documentation where
it can occur:<br>
<ol>
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a
transparent proxy in your local zone.</a></li>
</ol>
If you have either of these cases, you will want to review the current
documentation and change your configuration accordingly.<br>
If you have either of these cases, you will want to review the current
documentation and change your configuration accordingly.<br>
<h3>Version &gt;= 1.4.1</h3>
<ul>
<li>Beginning with Version 1.4.1, traffic between groups in
the same zone is accepted by default. Previously, traffic from a zone
to itself was treated just like any other traffic; any matching rules
were applied followed by enforcement of the appropriate policy. With 1.4.1
were applied followed by enforcement of the appropriate policy. With
1.4.1
and later versions, unless you have explicit rules for traffic from Z
to Z or you have an explicit Z to Z policy (where "Z" is some zone) then
traffic between the groups in zone Z will be accepted. If you do have one
or more explicit rules for Z to Z or if you have an explicit Z to Z policy
to Z or you have an explicit Z to Z policy (where "Z" is some zone)
then
traffic between the groups in zone Z will be accepted. If you do have
one
or more explicit rules for Z to Z or if you have an explicit Z to Z
policy
then the behavior is as it was in prior versions.</li>
</ul>
<blockquote>
<ol>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic
between two interfaces to the same zone, that policy can be removed
and traffic between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have
Z-&gt;Z rules then your configuration should not require any change.</li>
between two interfaces to the same zone, that policy can be removed
and traffic between the interfaces will traverse fewer rules than
previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one
that has "all" in either the SOURCE or DESTINATION column) to prevent
traffic between two interfaces to a zone Z and you have no rules for
Z-&gt;Z then you should add an explicit DROP or REJECT policy for Z to
Z.<br>
</li>
</ol>
</blockquote>
</blockquote>
<ul>
<li> Sometimes, you want two separate zones on one interface but
you don't want Shorewall to set up any infrastructure to handle traffic
between them. </li>
<li> Sometimes, you want two separate zones on one interface but you
don't want Shorewall to set up any infrastructure to handle traffic
between them. </li>
</ul>
<blockquote>Example:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going
to be involved in any traffic between these two zones. Beginning with
Shorewall 1.4.1, you can prevent Shorewall from setting up any infrastructure
Here, zone z1 is nested in zone z2 and the firewall is not going to be
involved in any traffic between these two zones. Beginning with
Shorewall 1.4.1, you can prevent Shorewall from setting up any
infrastructure
to handle traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote>
Note that NONE policies are generally used in pairs unless there
is asymetric routing where only the traffic on one direction flows through
the firewall and you are using a NONE polciy in the other direction. </blockquote>
Note that NONE policies are generally used in pairs unless there is
asymetric routing where only the traffic on one direction flows through
the firewall and you are using a NONE polciy in the other
direction.&nbsp;</blockquote>
<h3>Version 1.4.1<br>
</h3>
</h3>
<ul>
<li>In Version 1.4.1, Shorewall will never create rules to
deal with traffic from a given group back to itself. The <i>multi</i>
interface option is no longer available so if you want to route traffic
between two subnetworks on the same interface then I recommend that you
upgrade to Version 1.4.2 and use the 'routeback' interface or host option. </li>
<li>In Version 1.4.1, Shorewall will never create rules to deal with
traffic from a given group back to itself. The <i>multi</i> interface
option is no longer available so if you want to route traffic between
two subnetworks on the same interface then I recommend that you upgrade
to Version 1.4.2 and use the 'routeback' interface or host option.&nbsp;</li>
</ul>
<h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the
iproute package ('ip' utility).</b><br>
<br>
<b>Note: </b>Unfortunately, some distributions call this package
iproute2 which will cause the upgrade of Shorewall to fail with the
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute
package ('ip' utility).</b><br>
<br>
<b>Note: </b>Unfortunately, some distributions call this package
iproute2 which will cause the upgrade of Shorewall to fail with the
diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm
(rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<br>
&nbsp; &nbsp; &nbsp;error: failed dependencies:iproute is needed by
shorewall-1.4.0-1 <br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh
--nodeps &lt;shorewall rpm&gt;).<br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul>
<li>The <b>noping </b>and <b>forwardping</b> interface
options are no longer supported nor is the <b>FORWARDPING </b>option
in shorewall.conf. ICMP echo-request (ping) packets are treated just
like any other connection request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li>
<li>The <b>noping </b>and <b>forwardping</b> interface options are
no longer supported nor is the <b>FORWARDPING </b>option in
shorewall.conf. ICMP echo-request (ping) packets are treated just like
any other connection request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in
/etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
contents are determined by BOTH the interfaces and hosts files when
there are entries for the zone in both files.</li>
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
contents are determined by BOTH the interfaces and hosts files when
there are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces
and hosts file has been eliminated; use entries in the routestopped
file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
is no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf
is no longer supported. Shorewall 1.4 behavior is the same as 1.3
with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped
by default; there is no need for your own /etc/shorewall/common file
simply to avoid logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version'
file have been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you
include it from /etc/shorewall/icmpdef, you will need to modify that
file.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is no
longer supported. Shorewall 1.4 behavior is the same as 1.3 with
ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by default;
there is no need for your own /etc/shorewall/common file simply to
avoid logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have
been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include it
from /etc/shorewall/icmpdef, you will need to modify that file.</li>
<ul>
</ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
<li>If you followed the advice in FAQ #2 and call
find_interface_address in /etc/shorewall/params, that code should be
moved to /etc/shorewall/init.<br>
</li>
</ul>
<ul>
</ul>
<h3>Version 1.4.0</h3>
<ul>
<li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same
interface that they arrived on in two cases:</li>
&nbsp;Shorewall will generate rules for sending packets back out the
same interface that they arrived on in two cases:</li>
</ul>
<blockquote>
<ul>
<li>There is an <u>explicit</u> policy for the source zone
to or from the destination zone. An explicit policy names both zones
and does not use the 'all' reserved word.</li>
<li>There is an <u>explicit</u> policy for the source zone to or
from the destination zone. An explicit policy names both zones and does
not use the 'all' reserved word.</li>
</ul>
<ul>
<li>There are one or more rules for traffic for the source
zone to or from the destination zone including rules that use the 'all'
<li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all'
reserved word. Exception: if the source zone and destination zone are
the same then the rule must be explicit - it must name the zone in both
the SOURCE and DESTINATION columns.</li>
</ul>
</blockquote>
</blockquote>
<h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13"
height="13">
     Beginning in version 1.3.14, Shorewall treats entries
in <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently.
The change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp; &nbsp; Beginning in version 1.3.14, Shorewall treats
entries in <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently.
The change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br>
<ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST
subnet on the interface (as shown by "ip addr show <i>interface</i>")
and would masquerade traffic from that subnet. Any other subnets that
routed through eth1 needed their own entry in /etc/shorewall/masq to
be masqueraded or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses
the firewall's routing table to determine ALL subnets routed through
the named interface. Traffic originating in ANY of those subnets is
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the
interface (as shown by "ip addr show <i>interface</i>") and would
masquerade traffic from that subnet. Any other subnets that routed
through eth1 needed their own entry in /etc/shorewall/masq to be
masqueraded or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
routing table to determine ALL subnets routed through the named
interface. Traffic originating in ANY of those subnets is
masqueraded or has SNAT applied.</li>
</ul>
You will need to make a change to your configuration
You will need to make a change to your configuration
if:<br>
<ol>
<li>You have one or more entries in /etc/shorewall/masq
with an interface name in the SUBNET (second) column; and</li>
<li>You have one or more entries in /etc/shorewall/masq with an
interface name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li>
</ol>
Two examples:<br>
<br>
 <b>Example 1</b> -- Suppose that your current config
is as follows:<br>
   <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
required.<br>
</blockquote>
<b>Example 2</b>-- What if your current configuration
is like this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
to:<br>
</blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13"
height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to
be used (If the option is not set in your /etc/shorewall/shorewall.conf
then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting
the old handling indefinitely so I urge current users to migrate to using
the new handling as soon as possible. See the <a href="ping.html">'Ping'
handling documentation</a> for details.<br>
Two examples:<br>
<br>
&nbsp;<b>Example 1</b> -- Suppose that your current config is as
follows:<br>
&nbsp;&nbsp; <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SUBNET&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ADDRESS<br> eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; eth2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 206.124.146.176<br> eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.10.0/24&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24&nbsp; scope link<br> 192.168.10.0/24&nbsp; proto kernel&nbsp; scope link&nbsp; src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no
longer required.<br>
</blockquote>
<b>Example 2</b>-- What if your current configuration is like this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SUBNET&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ADDRESS <br> eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; eth2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24&nbsp; scope link<br> 192.168.10.0/24&nbsp; proto kernel&nbsp; scope link&nbsp; src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in
/etc/shorewall/masq to:<br>
</blockquote>
<pre> #INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SUBNET&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ADDRESS <br> eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.0/24&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; Version 1.3.14 also introduced simplified ICMP
echo-request (ping) handling. The option OLD_PING_HANDLING=Yes in
/etc/shorewall/shorewall.conf is used to specify that the old
(pre-1.3.14) ping handling is to be used (If the option is not set in
your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes is
assumed). I don't plan on supporting the old handling indefinitely so I
urge current users to migrate to using the new handling as soon as
possible. See the <a href="ping.html">'Ping' handling documentation</a>
for details.<br>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are
If you have installed the 1.3.10 Beta 1 RPM and are
now upgrading to version 1.3.10, you will need to use the '--force'
option:<br>
<br>
<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm&nbsp;</pre>
</blockquote>
<h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions.
If you have an application that uses functions from that file, your
application will need to be changed to reflect this change of location.<br>
The 'functions' file has moved to /usr/lib/shorewall/functions. If you
have an application that uses functions from that file, your
application will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.8,
you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p>
<p>If you have a pair of firewall systems configured for failover or if
you have asymmetric routing, you will need to modify your firewall
setup slightly under Shorewall versions &gt;= 1.3.8. Beginning with
version 1.3.8, you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following
rules in their /etc/shorewall/icmpdef file (creating this
file if necessary):</p>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf will need to
include the following rules in their /etc/shorewall/icmpdef file
(creating this file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p>
<p>Users having an /etc/shorewall/icmpdef file may remove the ".
/etc/shorewall/icmp.def" command from that file since the icmp.def file
is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
<ol>
<li>Be sure you
have a backup -- you will need
to transcribe any Shorewall configuration
changes that you have made to the new
configuration.</li>
<li>Replace the
shorwall.lrp package provided on
the Bering floppy with the later one. If you did
not obtain the later version from Jacques's site,
see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall
entry if present. Then do not
forget to backup root.lrp !</li>
<li>Be sure you have a backup -- you will need to transcribe any
Shorewall configuration changes that you have made to the new
configuration.</li>
<li>Replace the shorwall.lrp package provided on the Bering floppy
with the later one. If you did not obtain the later version from
Jacques's site, see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list file and remove the
/var/lib/shorewall entry if present. Then do not forget to backup
root.lrp !</li>
</ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a
href="two-interface.htm">instructions for setting up a two-interface
firewall</a> plus you also need to add the following two Bering-specific
rules to /etc/shorewall/rules:</p>
<p>The .lrp that I release isn't set up for a two-interface firewall
like Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to add
the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote>
</blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions
1.3.6 and 1.3.7</p>
<ol>
<li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it
add the following rule<br>
<br>
<font face="Courier">run_iptables -A
newnotsyn -j RETURN # So that the connection tracking
table can be rebuilt<br>
                                   
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# from non-SYN packets after takeover.<br>
 </font> </p>
&nbsp;</font> </p>
</li>
<li>
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A
common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT
#Accept Acks to rebuild connection<br>
                                                                   
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
</li>
</ol>
<h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
supported. </p>
supported. </p>
<p align="left">Example 1:</p>
<div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div>
</div>
<p align="left">Must be replaced with:</p>
<div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div>
</div>
<div align="left">
<p align="left">Example 2:</p>
</div>
</div>
<div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div>
</div>
<div align="left">
<p align="left">Must be replaced with:</p>
</div>
</div>
<div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre>
</div>
</div>
<h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the 'firewall'
symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those
applications should be modified accordingly.</p>
<p><font size="2"> Last updated 6/29/2003 - <a href="support.htm">Tom
<p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to
/var/lib/shorewall. If you have applications that access these files,
those applications should be modified accordingly.</p>
<p><font size="2"> Last updated 10/30/2003 - <a href="support.htm">Tom
Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a></font><br>
</p>
</body>
</html>
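Review bot: the new ROUTE_FILTER item under "Version >= 1.4.8" should say outright that interfaces already up when Shorewall starts are not covered by ROUTE_FILTER=Yes alone; the wording "all interfaces brought up while Shorewall is running" together with the advice to also use the routefilter option in /etc/shorewall/interfaces only implies it, and "this didn't work" leaves the reader guessing what the old setting actually did instead. Two documentation inconsistencies were carried over into the rewrapped text: the 1.3.14 section says "Any other subnets that routed through eth1 needed their own entry" while both examples use eth2 ("ip route show dev eth2"), and the NONE policy example nests one <pre> inside another (`<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>`), which is not valid HTML; a single <pre> is enough. The --nodeps workaround for the iproute/iproute2 package naming clash would benefit from a reminder to confirm the 'ip' utility is actually installed before skipping the dependency check, since the same section states that Shorewall >= 1.4.0 requires it. Minor typos that survived the rewrap: "secont Zone", "asymetric", "polciy", "such a setups", and the double period in "fix this problem..".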

View File

@ -2,65 +2,39 @@
<html>
<head>
<title>Useful Links</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Useful Links</font><br>
</h1>
<br>
</td>
</tr>
</tbody>
</table>
&nbsp;&nbsp; &nbsp;<br>
<body>
<h1 style="text-align: center;">Useful Links &nbsp; &nbsp;</h1>
<h3>NetFilter Site: <a href="http://www.netfilter.org">http://www.netfilter.org<img
src="images/netfilterlogo.png" alt="Netfilter Logo" width="94"
height="33" hspace="4" align="middle" border="0">
</a></h3>
height="33" hspace="4" align="middle" border="0"> </a></h3>
<h3>Linux Advanced Routing and Traffic Control Howto: <a
href="http://ds9a.nl/lartc">http://ds9a.nl/lartc</a></h3>
<h3>Iproute Downloads: <a href="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</a></h3>
<h3>LEAF Site: <a href="http://leaf-project.org">http://leaf-project.org<img
src="images/leaflogo.jpg" alt="Leaf Logo" width="64" height="48"
align="middle" hspace="4" border="0">
</a></h3>
align="middle" hspace="4" border="0"> </a></h3>
<h3>Bering LEAF Distribution: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></h3>
href="http://leaf.sourceforge.net/devel/jnilo">
http://leaf.sourceforge.net/devel/jnilo</a></h3>
<h3>Debian apt-get sources for Shorewall: <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html<img
href="http://idea.sec.dico.unimi.it/%7Elorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/%7Elorenzo/index.html#Debian<img
src="images/openlogo-nd-50.png" alt="Open Logo" width="25" height="30"
align="middle" hspace="4" border="0">
<img src="images/debian.jpg" alt="Debian Logo" width="88" height="30"
align="middle" border="0">
</a><br>
</h3>
<br>
<font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font>
align="middle" hspace="4" border="0"> <img src="images/debian.jpg"
alt="Debian Logo" width="88" height="30" align="middle" border="0"> </a><br>
</h3>
<br>
<font size="2">Last updated 11/20/2003 - <a href="support.htm">Tom
Eastep</a></font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
&copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
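Review bot: the replacement Debian apt-get link shows the percent-encoded form "http://idea.sec.dico.unimi.it/%7Elorenzo/index.html#Debian" as the visible anchor text, whereas the old entry displayed "~lorenzo"; keep the encoding in the href but use the readable "~lorenzo" form in the text. The new heading "Useful Links &nbsp; &nbsp;" carries stray non-breaking spaces that the old table layout no longer needs; drop them. The copyright line was correctly extended to 2003 to match the new "Last updated 11/20/2003" footer.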

View File

@ -1,48 +1,32 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Whitelisting under Shorewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Whitelisting under Shorewall</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="left">For a brief time, the 1.2 version of Shorewall supported
an /etc/shorewall/whitelist file. This file was intended to contain a list
of IP addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist
file was implemented as a stop-gap measure until the facilities necessary
for implementing white lists using zones was in place. As of Version 1.3
RC1, those facilities were available.</p>
<p align="left">White lists are most often used to give special privileges
to a set  of hosts within an organization. Let us suppose that we have the
following environment:</p>
<body>
<h1 style="text-align: center;">Whitelisting under Shorewall<br>
</h1>
<p align="left">For a brief time, the 1.2 version of Shorewall
supported
an /etc/shorewall/whitelist file. This file was intended to contain a
list
of IP addresses of hosts whose POLICY to all zones was ACCEPT. The
whitelist file was implemented as a stop-gap measure until the
facilities necessary for implementing white lists using zones was in
place. As of Version 1.3 RC1, those facilities were available.</p>
<p align="left">White lists are most often used to give special
privileges to a set&nbsp; of hosts within an organization. Let us
suppose that we have the following environment:</p>
<ul>
<li>A firewall with three interfaces -- one to the internet, one
to a local network and one to a DMZ.</li>
<li>The local network uses SNAT to the internet and is comprised
of the class B network 10.10.0.0/16 (Note: While this example uses an RFC
<li>A firewall with three interfaces -- one to the internet, one to a
local network and one to a DMZ.</li>
<li>The local network uses SNAT to the internet and is comprised of
the class B network 10.10.0.0/16 (Note: While this example uses an RFC
1918 local network, the technique described here in no way depends on
that or on SNAT. It may be used with Proxy ARP, Subnet Routing, Static
NAT, etc.).</li>
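Review bot: the reflowed paragraph keeps a grammar error from the original: "the facilities necessary for implementing white lists using zones was in place" should read "were in place". The line "privileges to a set&nbsp; of hosts" turns the original's stray double space into a non-breaking space plus a regular space, so the typo is now encoded rather than fixed; it should be "a set of hosts". Replacing the FrontPage banner table with `<h1 style="text-align: center;">` is fine, but the trailing `<br>` inside the `<h1>` only adds empty vertical space and can be dropped.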
@ -52,15 +36,11 @@ in the class C network 10.10.10.0/24</li>
other hosts.</li>
<li>We want the network operations staff to bypass the transparent
HTTP proxy running on our firewall.</li>
</ul>
<p align="left">The basic approach will be that we will place the operations
staff's class C in its own zone called <b>ops</b>. Here are the appropriate
configuration files:</p>
<p align="left">The basic approach will be that we will place the
operations staff's class C in its own zone called <b>ops</b>. Here are
the appropriate configuration files:</p>
<h2 align="left">Zone File</h2>
<blockquote>
<table border="2">
<tbody>
@ -89,16 +69,13 @@ HTTP proxy running on our firewall.</li>
<td>DMZ</td>
<td>Demilitarized zone</td>
</tr>
</tbody>
</table>
</blockquote>
<p>The <b>ops </b>zone has been added to the standard 3-zone zones file --
since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b>.</p>
</blockquote>
<p>The <b>ops </b>zone has been added to the standard 3-zone zones
file -- since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u>
<b>loc</b>.</p>
<h2>Interfaces File</h2>
<blockquote>
<table border="2">
<tbody>
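Review bot: the sentence "since ops is a sub-zone of loc, we list it BEFORE loc" states the ordering requirement without its consequence; zone order is what decides which zone a packet from 10.10.10.0/24 is assigned to, so suggest one more sentence saying what happens if the order is reversed (the operations hosts would be matched as plain loc and the ops policies would never apply to them). The reflow itself is whitespace only.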
@ -125,20 +102,15 @@ since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b
<td>-</td>
<td>eth2</td>
<td>10.10.255.255</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>,
we don't specify a zone for it here.</p>
<h2>Hosts File</h2>
<blockquote> <font face="Century Gothic, Arial, Helvetica">
</font>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2">
<tbody>
<tr>
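Review bot: the `<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>` at the end of the hunk is an empty font element left over from the editor that styles nothing; drop it (the same empty element recurs in the Policy and Rules sections below). The `<td>&nbsp;</td>` change is the right fix for the empty BROADCAST column, since a cell containing only a bare space can collapse in older browsers.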
@ -155,24 +127,22 @@ we don't specify a zone for it here.</p>
<tr>
<td>loc</td>
<td>eth2:0.0.0.0/0</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is stopped,
only the hosts in the <b>ops</b> zone will be allowed to access the firewall
and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than 10.10.0.0/16
</blockquote>
<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall
is stopped,
only the hosts in the <b>ops</b> zone will be allowed to access the
firewall
and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than
10.10.0.0/16
so that the limited broadcast address (255.255.255.255) falls into that
zone. If I used 10.10.0.0/16 then I would have to have a separate entry for
that special address.</p>
zone. If I used 10.10.0.0/16 then I would have to have a separate entry
for that special address.</p>
<h2>Policy File</h2>
<blockquote> <font face="Century Gothic, Arial, Helvetica">
</font>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2">
<tbody>
<tr>
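Review bot: the paragraph explaining `eth2:0.0.0.0/0` deserves a caveat the reflow does not add: defining loc as 0.0.0.0/0 on eth2 means every source address arriving on that interface, not only 10.10.0.0/16, is treated as loc. The text gives the convenience reason (the limited broadcast address 255.255.255.255 falls into the zone), but the alternative it mentions, 10.10.0.0/16 plus one extra entry for 255.255.255.255, is the tighter definition, and the page should say which trade-off it is making. Also, "When Shorewall is stopped, only the hosts in the ops zone will be allowed to access the firewall and the DMZ" is a property of the Routestopped file further down, not of the hosts file; a forward pointer to that section would help.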
@ -186,49 +156,44 @@ zone. If I used 10.10.0.0/16 then I would have to have a separate entry for
<td><font color="#0000ff">ops</font></td>
<td><font color="#0000ff">all</font></td>
<td><font color="#0000ff">ACCEPT</font></td>
<td> </td>
<td> </td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><font color="#0000ff">all</font></td>
<td><font color="#0000ff">ops</font></td>
<td><font color="#0000ff">CONTINUE</font></td>
<td> </td>
<td> </td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>loc</td>
<td>net</td>
<td>ACCEPT</td>
<td> </td>
<td> </td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>net</td>
<td>all</td>
<td>DROP</td>
<td>info</td>
<td> </td>
<td>&nbsp;</td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>Two entries for <b>ops</b> have been added to the standard 3-zone policy
file.<font color="#ff0000"><b></b></font></p>
</blockquote>
<p>Two entries for <b>ops</b> have been added to the standard 3-zone
policy file.<font color="#ff0000"><b></b></font></p>
<h2>Rules File</h2>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2">
<tbody>
<tr>
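Review bot: the paragraph "Two entries for ops have been added to the standard 3-zone policy file" does not explain the second entry; the `all ops CONTINUE` row is the non-obvious one (why CONTINUE rather than ACCEPT or REJECT for traffic into the sub-zone), and a sentence on what it achieves should go here. The `<font color="#ff0000"><b></b></font>` at the end of that paragraph is empty markup and should be removed. The `ops all ACCEPT` row carries no log level; since this policy grants one subnet unrestricted access to every zone, including net and the firewall itself, consider whether an audit log level is wanted, as the DROP and REJECT policies below already carry `info`.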
@ -237,11 +202,11 @@ file.<font color="#ff0000"><b></b></font></p>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
@ -249,29 +214,25 @@ file.<font color="#ff0000"><b></b></font></p>
<td>3128</td>
<td>tcp</td>
<td>http</td>
<td> </td>
<td> </td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>...</td>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>This is the rule that transparently redirects web traffic to the transparent
proxy running on the firewall. The SOURCE column explicitly excludes the
<b>ops</b> zone from the rule.</p>
</blockquote>
<p>This is the rule that transparently redirects web traffic to the
transparent proxy running on the firewall. The SOURCE column explicitly
excludes the <b>ops</b> zone from the rule.</p>
<h2>Routestopped File</h2>
<blockquote>
<table border="2">
<tbody>
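Review bot: "transparently redirects web traffic to the transparent proxy" is redundant; "redirects web traffic to the transparent proxy" reads better. The paragraph says the SOURCE column excludes ops, but the hunk cuts in after that cell, so the exclusion is untouched context and nothing needs changing there. The placeholder row of `<td>...</td>` followed by six `<td>&nbsp;</td>` cells is padding; a single cell spanning the seven columns would be cleaner.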
@ -291,19 +252,16 @@ file.<font color="#ff0000"><b></b></font></p>
</td>
<td>10.10.10.0/24</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
</blockquote>
<p><font size="2"> Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
© <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
</body>
</html>
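Review bot: the copyright line still reads "2002, 2003Thomas M. Eastep" with no space between the year and the name; the line is touched by the reflow, so fix it to "2003 Thomas M. Eastep." while here. The "Updated 2/18/2003" stamp is left unchanged even though this commit edits the page, whereas the page earlier in this diff bumps its stamp to 11/20/2003; update it or drop it. The three trailing `<br>` elements before `</body>` are padding that can go.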