holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Shorewall-1.4.1

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@519 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-03-23 18:47:54 +00:00
parent 8377f70bc7
commit c68ecd14e7
94 changed files with 21164 additions and 20883 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
STABLE/changelog.txt
View File

@ -1,66 +1,9 @@
Changes since 1.3.14
Changes since 1.4.0
1. All versions changed to 1.4.
1. Implement NONE policy.
2. Rework of error message generation to make the 'firewall' script
smaller.
2. Never create rules for <iface>:<subnet> to itself.
3. Deimplemented MERGE_HOSTS=No.
3. Always allow intrazone traffic.
4. Generate error for <dev>:<integer> name in interfaces file.
5. Deimplement old ping handling.
6. Deimplement 'routestopped' interface/hosts option.
7. Strip comments from potentially large files while the firewall is
still up and running during 'restart'.
8. Disallow the old port forwarding/redirection syntax.
9. Reorganize shorewall.conf.
10. Added support for LOG target.
11. Move firewall and version (one more time....)
12. Add late DNS reply rule to the common chain.
12. Corrected rule number calculation problem in 'shorewall add' command
processing.
13. Update Documentation for 1.4
14. Remove icmp.def file.
15. Added CONTINUE rule target.
16. Added Andrew Zhoglo's fix for logunclean.
17. Removed 'multi' option.
18. Support 802.11b devices with maclist.
19. Don't detect loopback simply by name.
20. Removed trailing white space from all files.
21. Improved parsing of comma-separated lists.
22. Add ECN Removal support
23. Add TCP ports 445 and 139 to the common silent list.
24. Remove 'check' command support.
25. Restore 'check' command support.
26. Remove unused function find_interface_broadcasts()
27. Remove stale comments in the params file.
28. Silently drop INVALID state packets
29. Ignore the 'default' route when detecting masq'd networks.
30. REALLY process the params file first now (honest).
4. Correct building of ECN interface list under ash.

5390
STABLE/documentation/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

2118
STABLE/documentation/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

287
STABLE/documentation/Install.htm
View File

@ -1,190 +1,213 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p align="center"><b>Before upgrading, be sure to review the <a
href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install using tarball<br>
</a><a href="#LRP">Install the .lrp</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball<br>
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<a href="#Install_Tarball">Install using tarball<br>
</a><a href="#LRP">Install the .lrp</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball<br>
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to version
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to version
1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm
reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to rpm (rpm
-ivh --nodeps &lt;shorewall rpm&gt;).</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO
RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
<b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm
(rpm -ivh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
on the iproute package. Unfortunately, some distributions call this package
iproute2 which will cause the installation of Shorewall to fail with the
diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps
&lt;shorewall rpm&gt;).<br>
<br>
</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE
NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
</ul>
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
and install script: </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type
"./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d
<li>If you are using <a href="http://www.suse.com">SuSe</a> then
type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be
<li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be
started automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file
that you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file that
you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
details.</p>
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
</b>If you are installing version 1.2.0 and have one of the 1.2.0
Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g.,
"rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm
(rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
  </p>
</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
and are upgrading to a new version using the tarball:</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file.  Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
for details. </p>
or and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the new
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.</p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
</b>If you are installing version 1.2.0 and have one of the 1.2.0
Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g.,
"rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent on
the iproute package. Unfortunately, some distributions call this package iproute2
which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh
--nodeps &lt;shorewall rpm&gt;). </p>
</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and
you have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for
each interface mentioned in the hosts file.  Also, there are certain 1.2
rule forms that are no longer supported under 1.4 (you must use the new
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> for
details. </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type
"./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then
type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
directory&gt;</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li>
</ul>
<a name="LRP_Upgrade"></a>If you already have a running Bering
installation and wish to upgrade to a later version of Shorewall:<br>
<br>
    <b>UNDER CONSTRUCTION...</b><br>
<a name="LRP_Upgrade"></a>If you already have a running Bering
installation and wish to upgrade to a later version of Shorewall:<br>
<br>
    <b>UNDER CONSTRUCTION...</b><br>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of the configuration files to match
your setup. In most cases, the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</a>
contain all of the information you need.</p>
<p>You will need to edit some or all of the configuration files to match
your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<ul>
</ul>
<p><font size="2">Updated 2/27/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated 3/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>

3397
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

279
STABLE/documentation/ProxyARP.htm
View File

@ -1,179 +1,190 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Proxy ARP</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Proxy ARP</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p>Proxy ARP allows you to insert a firewall in front of a set of servers
without changing their IP addresses and without having to re-subnet.
Before you try to use this technique, I strongly recommend that you read the
<a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
without changing their IP addresses and without having to re-subnet.
Before you try to use this technique, I strongly recommend that you read
the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<p>The following figure represents a Proxy ARP environment.</p>
<blockquote>
<blockquote>
<p align="center"><strong> <img src="images/proxyarp.png"
width="519" height="397">
</strong></p>
</strong></p>
<blockquote> </blockquote>
</blockquote>
</blockquote>
<p align="left">Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
subnet.  Assuming that the upper firewall interface is eth0 and the
lower interface is eth1, this is accomplished using the following entries
in /etc/shorewall/proxyarp:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ADDRESS</b></td>
<td><b>INTERFACE</b></td>
<td><b>EXTERNAL</b></td>
<td><b>HAVEROUTE</b></td>
</tr>
<tr>
<td>130.252.100.18</td>
<td>eth1</td>
<td>eth0</td>
<td>no</td>
</tr>
<tr>
<td>130.252.100.19</td>
<td>eth1</td>
<td>eth0</td>
<td>no</td>
</tr>
</tbody>
</table>
</blockquote>
subnet.  Assuming that the upper firewall interface is eth0 and the
lower interface is eth1, this is accomplished using the following entries
in /etc/shorewall/proxyarp:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ADDRESS</b></td>
<td><b>INTERFACE</b></td>
<td><b>EXTERNAL</b></td>
<td><b>HAVEROUTE</b></td>
</tr>
<tr>
<td>130.252.100.18</td>
<td>eth1</td>
<td>eth0</td>
<td>no</td>
</tr>
<tr>
<td>130.252.100.19</td>
<td>eth1</td>
<td>eth0</td>
<td>no</td>
</tr>
</tbody>
</table>
</blockquote>
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19 
in the above example) are not included in any specification in /etc/shorewall/masq
or /etc/shorewall/nat.</p>
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is
irrelevant. </p>
irrelevant. </p>
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
subnet mask and default gateway configured exactly the same way that
the Firewall system's eth0 is configured.</p>
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it will
probably be HOURS before that system can communicate with the internet.
There are a couple of things that you can try:<br>
subnet mask and default gateway configured exactly the same way that
the Firewall system's eth0 is configured. In other words, they should
be configured just like they would be if they were parallel to the firewall
rather than behind it.<br>
</p>
<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed address(es)
(130.252.100.18 and 130.252.100.19 in the above example)  to the external
interface (eth0 in this example) of the firewall.</b></font><br>
</p>
<div align="left"> </div>
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it will
probably be HOURS before that system can communicate with the internet.
There are a couple of things that you can try:<br>
</p>
<ol>
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated,
Vol 1</i> reveals that a <br>
<br>
"gratuitous" ARP packet should cause the ISP's router to refresh their ARP
cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC
address for its own IP; in addition to ensuring that the IP address isn't
a duplicate...<br>
<br>
"if the host sending the gratuitous ARP has just changed its hardware address...,
this packet causes any other host...that has an entry in its cache for the
old hardware address to update its ARP cache entry accordingly."<br>
<br>
Which is, of course, exactly what you want to do when you switch a host
from being exposed to the Internet to behind Shorewall using proxy ARP (or
static NAT for that matter). Happily enough, recent versions of Redhat's
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated,
Vol 1</i> reveals that a <br>
<br>
"gratuitous" ARP packet should cause the ISP's router to refresh their
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the
MAC address for its own IP; in addition to ensuring that the IP address isn't
a duplicate...<br>
<br>
"if the host sending the gratuitous ARP has just changed its hardware
address..., this packet causes any other host...that has an entry in its
cache for the old hardware address to update its ARP cache entry accordingly."<br>
<br>
Which is, of course, exactly what you want to do when you switch a host
from being exposed to the Internet to behind Shorewall using proxy ARP (or
static NAT for that matter). Happily enough, recent versions of Redhat's
iputils package include "arping", whose "-U" flag does just that:<br>
<br>
    <font color="#009900"><b>arping -U -I <i>&lt;net if&gt; &lt;newly proxied
IP&gt;</i></b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
<br>
Stevens goes on to mention that not all systems respond correctly to gratuitous
ARPs, but googling for "arping -U" seems to support the idea that it works
most of the time.<br>
<br>
To use arping with Proxy ARP in the above example, you would have to:<br>
<br>
<font color="#009900"><b>    shorewall clear<br>
</b></font>    <font color="#009900"><b>ip addr add 130.252.100.18 dev
eth0<br>
    ip addr add 130.252.100.19 dev eth0</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 130.252.100.18</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
    <b><font color="#009900">ip addr del 130.252.100.18 dev eth0<br>
    ip addr del 130.252.100.19 dev eth0<br>
    shorewall start</font></b><br>
<br>
</li>
<li>You can call your ISP and ask them to purge the stale ARP cache
entry but many either can't or won't purge individual entries.</li>
<br>
    <font color="#009900"><b>arping -U -I <i>&lt;net if&gt; &lt;newly
proxied IP&gt;</i></b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
<br>
Stevens goes on to mention that not all systems respond correctly to gratuitous
ARPs, but googling for "arping -U" seems to support the idea that it works
most of the time.<br>
<br>
To use arping with Proxy ARP in the above example, you would have to:<br>
<br>
<font color="#009900"><b>    shorewall clear<br>
</b></font>    <font color="#009900"><b>ip addr add 130.252.100.18
dev eth0<br>
    ip addr add 130.252.100.19 dev eth0</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 130.252.100.18</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
    <b><font color="#009900">ip addr del 130.252.100.18 dev eth0<br>
    ip addr del 130.252.100.19 dev eth0<br>
    shorewall start</font></b><br>
<br>
</li>
<li>You can call your ISP and ask them to purge the stale ARP cache
entry but many either can't or won't purge individual entries.</li>
</ol>
You can determine if your ISP's gateway ARP cache is stale using ping
and tcpdump. Suppose that we suspect that the gateway router has a stale
ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:</div>
<div align="left">
You can determine if your ISP's gateway ARP cache is stale using ping
and tcpdump. Suppose that we suspect that the gateway router has a stale
ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:</div>
<div align="left">
<pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
</div>
<div align="left">
</div>
<div align="left">
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we
will assume is 130.252.100.254):</p>
</div>
<div align="left">
will assume is 130.252.100.254):</p>
</div>
<div align="left">
<pre> <b><font color="#009900">ping 130.252.100.254</font></b></pre>
</div>
<div align="left">
</div>
<div align="left">
<p align="left">We can now observe the tcpdump output:</p>
</div>
<div align="left">
</div>
<div align="left">
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)<br> 13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
</div>
<div align="left">
</div>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
was the MAC address of the system on the lower left. In other words, the
gateway's ARP cache still associates 130.252.100.19 with the NIC in that
system rather than with the firewall's eth0.</p>
</div>
<p><font size="2">Last updated 1/26/2003 - </font><font size="2"> <a
different from the destination MAC address in the echo reply!! In this
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
was the MAC address of the system on the lower left. In other words, the
gateway's ARP cache still associates 130.252.100.19 with the NIC in that
system rather than with the firewall's eth0.</p>
</div>
<p><font size="2">Last updated 3/21/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
</body>
</html>

886
STABLE/documentation/Shorewall_and_Aliased_Interfaces.html
View File

@ -2,195 +2,167 @@
<html>
<head>
<title>Shorewall and Aliased Interfaces</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
</td>
</tr>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
<h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i> which
is used to configure network devices. ifconfig introduced the concept of
<i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have
names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig
treats them more or less like real interfaces.<br>
<br>
Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
utility which is part of the <i>iproute </i>package. The ip utility does
not use the concept of aliases or virtual interfaces but rather treats additional
addresses on an interface as addresses. The ip utility does provide for interaction
with ifconfig in that it allows addresses to be <i>labeled.</i> <br>
<br>
Example:<br>
<br>
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
Note that one <u>cannot</u> type "ip addr show dev eth0:0"<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either it's
"-i" or "-o" command options; as a consequence, Shorewall does not allow
them to be used in the /etc/shorewall/interfaces file.<br>
<br>
<h2>So how do I handle more than one address on an interface?</h2>
Depends on what you are trying to do with the interfaces. In the sub-sections
that follow, we'll take a look at common scenarios.<br>
<h3>Separate Rules</h3>
If you need to make a rule for traffic to/from the firewall itself only
apply to a particular IP address, simply qualify the $FW zone with the IP
address.<br>
<br>
Example (allow SSH from net to eth0:0 above):<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">fw:206.124.146.178<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>DNAT</h3>
Suppose that I had set up eth0:0 as above and I wanted to port forward
from that virtual interface to a web server running in my local zone at 192.168.1.3.
That is accomplised by a single rule in the /etc/shorewall/rules file:<br>
<h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i> which
is used to configure network devices. ifconfig introduced the concept of
<i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have
names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig
treats them more or less like real interfaces.<br>
<br>
Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
utility which is part of the <i>iproute </i>package. The ip utility does
not use the concept of aliases or virtual interfaces but rather treats additional
addresses on an interface as objects. The ip utility does provide for interaction
with ifconfig in that it allows addresses to be <i>labeled </i>and labels
may take the form of ipconfig virtual interfaces.<br>
<br>
Example:<br>
<br>
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
Note that one <u>cannot</u> type "ip addr show dev eth0:0" because "eth0:0"
is a label for a particular address rather than a device name.<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either it's
"-i" or "-o" command options; as a consequence, Shorewall does not allow
them to be used in the /etc/shorewall/interfaces file.<br>
<br>
<h2>So how do I handle more than one address on an interface?</h2>
The answer depends on what you are trying to do with the interfaces.
In the sub-sections that follow, we'll take a look at common scenarios.<br>
<h3>Separate Rules</h3>
If you need to make a rule for traffic to/from the firewall itself that
only applies to a particular IP address, simply qualify the $FW zone with
the IP address.<br>
<br>
Example (allow SSH from net to eth0:0 above):<br>
<br>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">DNAT<br>
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">fw:206.124.146.178<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top">net<br>
<td valign="top"><br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>DNAT</h3>
Suppose that I had set up eth0:0 as above and I wanted to port forward
from that virtual interface to a web server running in my local zone at
192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules
file:<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>SNAT</h3>
If you wanted to use eth0:0 as the IP address for outbound connections
from your local zone (eth1), then in /etc/shorewall/masq:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
If you wanted to use eth0:0 as the IP address for outbound connections
from your local zone (eth1), then in /etc/shorewall/masq:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -203,7 +175,7 @@ column as follows:<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0:0<br>
<td valign="top">eth0<br>
</td>
<td valign="top">eth1<br>
</td>
@ -215,52 +187,43 @@ column as follows:<br>
</table>
<br>
</blockquote>
<h3>STATIC NAT</h3>
If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3,
you would have the following in /etc/shorewall/nat:<br>
<br>
<blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>EXTERNAL<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>INTERNAL<br>
</b></td>
<td valign="top"><b>ALL INTERFACES<br>
</b></td>
<td valign="top"><b>LOCAL<br>
</b></td>
</tr>
<tr>
<td valign="top">206.124.146.178<br>
</td>
<td valign="top">eth0<br>
</td>
<td valign="top">192.168.1.3<br>
</td>
<td valign="top">no<br>
</td>
<td valign="top">no<br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0:0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<br>
<br>
</blockquote>
<h3>STATIC NAT</h3>
If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3,
you would have the following in /etc/shorewall/nat:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -279,7 +242,7 @@ column as follows:<br>
<tr>
<td valign="top">206.124.146.178<br>
</td>
<td valign="top">eth0:0<br>
<td valign="top">eth0<br>
</td>
<td valign="top">192.168.1.3<br>
</td>
@ -292,184 +255,114 @@ column as follows:<br>
</tbody>
</table>
<br>
</blockquote>
In either case, to create rules that pertain only to this NAT pair, you
simply qualify the local zone with the internal IP address.<br>
<br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3.<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<br>
</blockquote>
<h3>MULTIPLE SUBNETS</h3>
Sometimes multiple IP addresses are used because there are multiple subnetworks
configured on a LAN segment. This technique does not provide for any security
between the subnetworks if the users of the systems have administrative privileges
because in that case, the users can simply manipulate their system's routing
table to bypass your firewall/router. Nevertheless, there are cases where
you simply want to consider the LAN segment itself as a zone and allow your
firewall/router to route between the two subnetworks.<br>
<br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
is 192.168.20.254. You want to simply route all requests between the two
subnetworks.<br>
<br>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td valign="top"><b>EXTERNAL<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>INTERNAL<br>
</b></td>
<td valign="top"><b>ALL INTERFACES<br>
</b></td>
<td valign="top"><b>LOCAL<br>
</b></td>
</tr>
<tr>
<td valign="top">206.124.146.178<br>
</td>
<td valign="top">eth0:0<br>
</td>
<td valign="top">192.168.1.3<br>
</td>
<td valign="top">no<br>
</td>
<td valign="top">no<br>
</td>
</tr>
</tbody>
</table>
<br>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
the <b>multi</b> option.<br>
In either case, to create rules that pertain only to this NAT pair, you
simply qualify the local zone with the internal IP address.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST:LIMIT<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the
access between them (the users of the systems do not have administrative
privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>DESCRIPTION<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">Local<br>
</td>
<td valign="top">Local Zone 1<br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">Local2<br>
</td>
<td valign="top">Local Zone 2<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/interfaces:<br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>MULTIPLE SUBNETS</h3>
Sometimes multiple IP addresses are used because there are multiple subnetworks
configured on a LAN segment. This technique does not provide for any security
between the subnetworks if the users of the systems have administrative
privileges because in that case, the users can simply manipulate their system's
routing table to bypass your firewall/router. Nevertheless, there are cases
where you simply want to consider the LAN segment itself as a zone and allow
your firewall/router to route between the two subnetworks.<br>
<br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
is 192.168.20.254. You want to simply route all requests between the two
subnetworks.<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4>
In /etc/shorewall/interfaces:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
@ -487,26 +380,64 @@ privileges).<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
<td valign="top"><br>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall
1.4.1 and later releases default to allowing intra-zone traffic.<br>
<h4>If you are running Shorewall 1.4.0 or earlier<br>
</h4>
In /etc/shorewall/interfaces:<br>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
@ -514,15 +445,47 @@ privileges).<br>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
<td valign="top">eth1<br>
</td>
<td valign="top"><br>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top">loc2<br>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST:LIMIT<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
@ -530,20 +493,129 @@ privileges).<br>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that
you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/5/2003 A - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
</p>
<br>
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the access
between them (the users of the systems do not have administrative privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>DESCRIPTION<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">Local<br>
</td>
<td valign="top">Local Zone 1<br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">Local2<br>
</td>
<td valign="top">Local Zone 2<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">-<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
that you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/22/2003 A - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
</p>
<br>
<br>
<br>
</body>
</html>

373
STABLE/documentation/errata.htm
View File

@ -2,244 +2,263 @@
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</td>
</tr>
</tbody>
</tbody>
</table>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you may
rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you may
rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br>
</p>
</li>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li>
<li> <b><a
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li>
<li> <b><a
href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a
<li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font
<li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
<li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables
<li><b><a href="#Multiport">Problems with iptables
version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
and NAT</a></b><br>
</li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
and NAT</a></b><br>
</li>
</ul>
<hr>
<hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3>
None.
<hr width="100%" size="2">
<h3>1.4.0</h3>
<ul>
<li>When running under certain shells Shorewall will attempt to create
ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
/etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<blockquote>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works
fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by
installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option to
rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2. </p>
<h3><a name="SuSE"></a>Problems installing/upgrading
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works
fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by
installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to
rpm.</p>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to
rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running
Shorewall 1.3.6 you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
<li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running
Shorewall 1.3.6 you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
</ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will result
</h3>
/etc/shorewall/nat entries of the following form will result
in Shorewall being unable to start:<br>
<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support
for LOCAL=yes has never worked properly and 2.4.18-10 has disabled
it. The 2.4.19 kernel contains corrected support under a new kernel configuraiton
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 2/8/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/21/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
</p>
<br>
<br>
</body>
</html>

319
STABLE/documentation/myfiles.htm
View File

File diff suppressed because one or more lines are too long

169
STABLE/documentation/quotes.htm
View File

@ -1,104 +1,109 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Quotes from Shorewall Users</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables
and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
</p>
"My case was almost like [the one above]. Well. instead of 'weeks' it was
'months' for me, and I think I needed two minutes more:<br>
<p>"The configuration is intuitive and flexible, and much easier than any
of the other iptables-based firewall programs out there. After sifting through
many other scripts, it is obvious that yours is the most well thought-out
and complete one available." -- BC, USA</p>
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables
and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
</p>
"My case was almost like [the one above]. Well. instead of 'weeks' it was
'months' for me, and I think I needed two minutes more:<br>
<ul>
<li>One to see that I had no Internet access from the firewall itself.</li>
<li>Other to see that this was the default configuration, and it was enough
to uncomment a line in /etc/shorewall/policy.<br>
</li>
<li>One to see that I had no Internet access from the firewall itself.</li>
<li>Other to see that this was the default configuration, and it was
enough to uncomment a line in /etc/shorewall/policy.<br>
</li>
</ul>
Minutes instead of months! Congratulations and thanks for such a simple
and well documented thing for something as huge as iptables." -- JV, Spain.
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate your
network configuration info. That really helped me out alot. THANKS!!!"
-- MM. </p>
<p>"[Shorewall is a] great, great project. I've used/tested may firewall
scripts but this one is till now the best." -- B.R, Netherlands
</p>
<p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, safe and useful
product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kerecki, Toronto </p>
<p>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now have
7 machines up and running with shorewall on several versions - starting
with 1.2.2 up to the new 1.2.9 and I never have encountered any problems!"
-- SM, Germany</p>
<p>"You have the best support of any other package I've ever used."
-- SE, US </p>
<p>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld by
request, Europe</p>
<p>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of
flexibillity, quality &amp; support" -- RM, Austria</p>
<p>"I have never seen such a complete firewall package that is so easy to
configure. I searched the Debian package system for firewall scripts and
Shorewall won hands down." -- RG, Toronto</p>
<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
is a wonderful piece of software. I've just sent out an email to about 30
people recommending it. :-)<br>
While I had previously taken the time (maybe 40 hours) to really understand
ipchains, then spent at least an hour per server customizing and carefully
scrutinizing firewall rules, I've got shorewall running on my home firewall,
with rulesets and policies that I know make sense, in under 20 minutes."
-- RP, Guatamala<br>
<br>
 </p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 10/9/2002
- <a href="support.htm">Tom Eastep</a> </font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
Minutes instead of months! Congratulations and thanks for such a simple
and well documented thing for something as huge as iptables." -- JV, Spain.
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate
your network configuration info. That really helped me out alot. THANKS!!!"
-- MM. </p>
<p>"[Shorewall is a] great, great project. I've used/tested may firewall
scripts but this one is till now the best." -- B.R, Netherlands
</p>
<p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, safe and useful
product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kerecki, Toronto </p>
<p>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
have 7 machines up and running with shorewall on several versions -
starting with 1.2.2 up to the new 1.2.9 and I never have encountered
any problems!" -- SM, Germany</p>
<p>"You have the best support of any other package I've ever used."
-- SE, US </p>
<p>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld
by request, Europe</p>
<p>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of
flexibillity, quality &amp; support" -- RM, Austria</p>
<p>"I have never seen such a complete firewall package that is so easy to
configure. I searched the Debian package system for firewall scripts and
Shorewall won hands down." -- RG, Toronto</p>
<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
is a wonderful piece of software. I've just sent out an email to about
30 people recommending it. :-)<br>
While I had previously taken the time (maybe 40 hours) to really understand
ipchains, then spent at least an hour per server customizing and carefully
scrutinizing firewall rules, I've got shorewall running on my home firewall,
with rulesets and policies that I know make sense, in under 20 minutes."
-- RP, Guatamala<br>
<br>
 </p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 3/18/2003
- <a href="support.htm">Tom Eastep</a> </font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
</body>
</html>

468
STABLE/documentation/seattlefirewall_index.htm
View File

@ -7,7 +7,7 @@
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title>
@ -17,22 +17,22 @@
<base target="_self">
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tbody>
<tr>
<tr>
<td width="100%"
<td width="100%"
height="90">
@ -43,26 +43,27 @@
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><a
</a></i></font><a
href="http://www.shorewall.net" target="_top"><img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="4"
alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1>
<small><small><small><small><a
</a></h1>
<small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small><big></big>
<div align="center">
<div align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1>
</div>
</div>
<p><a href="http://www.shorewall.net" target="_top">
</a> </p>
@ -76,41 +77,41 @@
<div align="center"><a href="http://1.3/index.htm" target="_top"><font
<div align="center"><a href="1.3" target="_top"><font
color="#ffffff">Shorewall 1.3 Site is here</font></a>                  
            <br>
            <br>
</div>
</td>
</div>
</td>
</tr>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tbody>
<tr>
<tr>
<td width="90%">
<td width="90%">
@ -121,7 +122,7 @@
<h2 align="left">What is it?</h2>
@ -135,7 +136,7 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
@ -152,28 +153,28 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify
it under the
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
<br>
<br>
This program is distributed
in the hope that it will be useful, but
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
<br>
<br>
You should have received
a copy of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation, Inc., 675
You should have received
a copy of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
@ -187,7 +188,7 @@ to the Free Software Foundation, Inc., 675
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -201,336 +202,115 @@ to the Free Software Foundation, Inc., 675
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a
their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!! </b><br>
</p>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>News</h2>
<p><b>3/17/2003 - Shorewall 1.4.0 </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><b> </b></p>
Shorewall 1.4 represents
the next step in the evolution of Shorewall. The main thrust of the
initial release is simply to remove the cruft that has accumulated in
Shorewall over time. <br>
<br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
('ip' utility).</b><br>
<br>
Function from 1.3 that has been omitted from this version
include:<br>
<ol>
<li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<br>
</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate an error.<br>
<br>
</li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
of the 'noping' or 'filterping' interface options.<br>
<br>
</li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces
and /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.<br>
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
longer accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br>
</li>
<li>The icmp.def file has been removed.<br>
</li>
</ol>
Changes for 1.4 include:<br>
<ol>
<li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br>
<br>
</li>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>The firewall script, common functions file and version file
are now installed in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in the
common chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if
you want to 'ping' from the firewall, you will need the appropriate rule
or policy.<br>
<br>
</li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br>
<br>
</li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168)
may now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<br>
a) You must be running kernel 2.4.20<br>
b) You must have applied the patch in<br>
http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
c) You must have iptables 1.2.7a installed.<br>
<br>
</li>
<li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
<br>
</li>
<li value="10">Shorewall now gives a more helpful diagnostic when
the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
command is issued.<br>
<br>
</li>
<li>The SHARED_DIR variable has been removed from shorewall.conf.
This variable was for use by package maintainers and was not documented
for general use.<br>
<br>
</li>
<li>Shorewall now ignores 'default' routes when detecting masq'd
networks.<br>
</li>
</ol>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top"></a>
<p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>A roleup of the following bug fixes and other updates:</p>
<ul>
<li>There is an updated rfc1918 file that reflects the resent
allocation of 222.0.0.0/8 and 223.0.0.0/8.</li>
<li>The documentation for the routestopped file claimed that a
comma-separated list could appear in the second column while the code
only supported a single host or network address.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were
not rate-limited. 802.11b devices with names of the form <i>wlan</i>&lt;n&gt;
don't support the 'maclist' interface option.</li>
<li>Log messages generated by RFC 1918 filtering are not rate
limited.</li>
<li>The firewall fails to start in the case
where you have "eth0 eth1" in /etc/shorewall/masq and the default route
is through eth1.</li>
</ul>
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
<p>New features include</p>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><b> </b></p>
This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0
and removes additional warts.<br>
<br>
<b>Problems Corrected:</b><br>
<ol>
<li>An OLD_PING_HANDLING option has been added
to shorewall.conf. When set to Yes, Shorewall ping handling is
as it has always been (see http://www.shorewall.net/ping.html).<br>
<br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled
via rules and policies just like any other connection request.
The FORWARDPING=Yes option in shorewall.conf and the 'noping' and
'filterping' options in /etc/shorewall/interfaces will all generate
an error.<br>
<br>
</li>
<li>It is now possible to direct Shorewall to create
a "label" such as "eth0:0" for IP addresses that it creates under
ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
the label instead of just the interface name:<br>
<br>
a) In the INTERFACE column of /etc/shorewall/masq<br>
b) In the INTERFACE column of /etc/shorewall/nat<br>
</li>
<li>Support for OpenVPN Tunnels.<br>
<br>
</li>
<li>Support for VLAN devices with names of the
form $DEV.$VID (e.g., eth0.0)<br>
<br>
</li>
<li>In /etc/shorewall/tcrules, the MARK value may
be optionally followed by ":" and either 'F' or 'P' to designate that
the marking will occur in the FORWARD or PREROUTING chains respectively.
If this additional specification is omitted, the chain used to mark packets
will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
</li>
<li>When an interface name is entered in the SUBNET
column of the /etc/shorewall/masq file, Shorewall previously masqueraded
traffic from only the first subnet defined on that interface. It
did not masquerade traffic from:<br>
<br>
a) The subnets associated with other addresses
on the interface.<br>
b) Subnets accessed through local routers.<br>
<br>
Beginning with Shorewall 1.3.14, if you enter an interface
name in the SUBNET column, shorewall will use the firewall's routing
table to construct the masquerading/SNAT rules.<br>
<br>
Example 1 -- This is how it works in 1.3.14.<br>
<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br></pre>
<pre> [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
<br>
When upgrading to Shorewall 1.3.14, if you have multiple
local subnets connected to an interface that is specified in the
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
file will need changing. In most cases, you will simply be able to remove
redundant entries. In some cases though, you might want to change from
using the interface name to listing specific subnetworks if the change
described above will cause masquerading to occur on subnetworks that you
don't wish to masquerade.<br>
<br>
Example 2 -- Suppose that your current config is as
follows:<br>
<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
<br>
In this case, the second entry in /etc/shorewall/masq
is no longer required.<br>
<br>
Example 3 -- What if your current configuration is
like this?<br>
<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
<br>
In this case, you would want to change the entry
in /etc/shorewall/masq to:<br>
<pre> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li>
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn
file is empty. That problem has been corrected so that ECN disabling rules
are only added if there are entries in /etc/shorewall/ecn.</li>
</ol>
<br>
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
</b></p>
Webmin version 1.060 now has Shorewall support included
as standard. See <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>
</b>
<b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
</blockquote>
<ol>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than
one group<i> </i>then if there is no explicit Z to Z policy and there are
no rules governing traffic from Z to Z then Shorewall will permit all traffic
between the groups in the zone.</li>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create rules
to handle traffic from a group to itself.</li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is
specified from Z1 to Z2:</li>
</ol>
<ul>
<li>There may be no rules created that govern connections from Z1
to Z2.</li>
<li>Shorewall will not create any infrastructure to handle traffic
from Z1 to Z2.</li>
</ul>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
of how these changes may affect your configuration.<br>
<p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2>
</td>
</td>
<td width="88"
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
</tr>
</tr>
</tbody>
</table>
</center>
</center>
</div>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tbody>
<tr>
<tr>
<td width="100%"
<td width="100%"
style="margin-top: 1px;">
@ -541,12 +321,12 @@ like this?<br>
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
</a></p>
@ -558,32 +338,34 @@ like this?<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</td>
</tr>
</tr>
</tbody>
</table>
<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
</p>
<br>
<br>
</body>
</html>

147
STABLE/documentation/shoreline.htm
View File

@ -1,128 +1,129 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p align="center"> <img border="3" src="images/TomNTarry.png"
alt="Tom on the PCT - 1991" width="316" height="392">
</p>
</p>
<p align="center">Tarry &amp; Tom -- August 2002<br>
<br>
</p>
<br>
</p>
<ul>
<li>Born 1945 in <a
<li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li>
<li>MA Mathematics from <a
<li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a
<li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
present</li>
<li>Married 1969 - no children.</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980
- present</li>
<li>Married 1969 - no children.</li>
</ul>
<p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known
as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
Expanding on what I learned from Seattle Firewall, I then designed
and wrote Shorewall. </p>
<p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and
wrote Shorewall. </p>
<p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
href="http://www.cityofshoreline.com">Shoreline, Washington</a>
where I live with my wife Tarry.  </p>
href="http://www.cityofshoreline.com">Shoreline, Washington</a> where
I live with my wife Tarry.  </p>
<p>Our current home network consists of: </p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp;
20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system.
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp;
20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system.
Serves as a PPTP server for Road Warrior access. Dual boots <a
href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as
a WINS server. This system also has <a
href="http://www.vmware.com/">VMware</a> installed and can run
both <a href="http://www.debian.org">Debian Woody</a> and <a
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as a
WINS server. This system also has <a
href="http://www.vmware.com/">VMware</a> installed and can run both
<a href="http://www.debian.org">Debian Woody</a> and <a
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
- Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd),
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
- Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd),
DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3
LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.14 
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3
LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.4.0 
and a DHCP server.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC -
My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
work system.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC
- My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My
main work system.</li>
</ul>
<p>For more about our network see <a href="myfiles.htm">my Shorewall Configuration</a>.</p>
<p>All of our other systems are made by <a
href="http://www.compaq.com">Compaq</a> (part of the new <a
href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a
href="http://www.netgear.com">Netgear</a> FA310TXs.</p>
<p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0"
</a><a href="http://www.compaq.com"><img border="0"
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0"
</a><a href="http://www.pureftpd.org"><img border="0"
src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img
</a><font size="4"><a href="http://www.apache.org"><img
border="0" src="images/apache_pb1.gif" hspace="2" width="170"
height="20">
</a><a href="http://www.mandrakelinux.com"><img
</a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32">
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
width="125" height="40" hspace="4">
</font></p>
<p><font size="2">Last updated 3/7/2003 - </font><font size="2"> <a
</font></p>
<p><font size="2">Last updated 3/17/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
<font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
M. Eastep.</font></a></font><br>
<br>
<br>
<br>
</body>

82
STABLE/documentation/shorewall_prerequisites.htm
View File

@ -1,67 +1,69 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Prerequisites</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<br>
Shorewall Requires:<br>
<br>
Shorewall Requires:<br>
<ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6.
<a href="kernel.htm"> Check here for kernel configuration information.</a>
If you are looking for a firewall for use with 2.2 kernels, <a
href="http://seawall.sf.net"> see the Seattle Firewall site</a>
.</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Iproute ("ip" utility). The iproute package is included with
most distributions but may not be installed by default. The official
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20.
With current releases of Shorewall, Traffic Shaping/Control requires at least
2.4.18.  <a href="kernel.htm"> Check here for kernel configuration
information.</a> If you are looking for a firewall for use with
2.2 kernels, <a href="http://seawall.sf.net"> see the Seattle Firewall
site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Iproute ("ip" utility). The iproute package is included with
most distributions but may not be installed by default. The official
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
</li>
<li>A Bourne shell or derivative such as bash or ash. This shell must
have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
<li>A Bourne shell or derivative such as bash or ash. This shell must
have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>The firewall monitoring display is greatly improved if you have
awk (gawk) installed.</li>
<li>The firewall monitoring display is greatly improved if you have
awk (gawk) installed.</li>
</ul>
<p align="left"><font size="2">Last updated 2/21/2003 - <a
<p align="left"><font size="2">Last updated 3/19/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>

4208
STABLE/documentation/shorewall_setup_guide.htm
View File

File diff suppressed because it is too large Load Diff

546
STABLE/documentation/sourceforge_index.htm
View File

@ -7,7 +7,7 @@
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
@ -17,23 +17,23 @@
<base target="_self">
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tbody>
<tr>
<tr>
<td width="100%"
height="90">
<td width="100%"
height="90">
@ -43,13 +43,13 @@
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
</a></i></font><font
color="#ffffff">Shorewall 1.4 - <font
size="4">"<i>iptables made easy"</i></font></font><a
href="http://www.sf.net"> </a></h1>
@ -64,36 +64,36 @@
<div align="center"><a href="/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a></div>
</td>
</tr>
</td>
</tr>
</tbody>
</tbody>
</table>
<div align="center">
<div align="center">
<center>
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tbody>
<tr>
<tr>
<td width="90%">
<td width="90%">
@ -105,7 +105,7 @@
<h2 align="left">What is it?</h2>
@ -119,12 +119,12 @@
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall system,
a multi-function gateway/router/server or on a standalone
GNU/Linux system.</p>
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall
system, a multi-function gateway/router/server or on a standalone
GNU/Linux system.</p>
@ -137,29 +137,29 @@
<p>This program is free software; you can redistribute it and/or modify
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free Software
Foundation.<br>
<p>This program is free software; you can redistribute it and/or modify
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
<br>
<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public
License for more details.<br>
<br>
<br>
You should have received
a copy of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
You should have received
a copy of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
@ -172,7 +172,7 @@ to the Free Software Foundation, Inc., 675
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -186,26 +186,26 @@ to the Free Software Foundation, Inc., 675
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations
to Jacques and Eric on the recent release of Bering
1.1!!! <br>
</b>
<b>Congratulations
to Jacques and Eric on the recent release of Bering
1.1!!! <br>
</b>
<h2>News</h2>
@ -221,278 +221,23 @@ Nilo and Eric Wolzak have a LEAF (router/firewall/gatew
<p><b>3/17/2003 - Shorewall 1.4.0  </b><b> </b><b><img
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b><b> </b></p>
Shorewall 1.4 represents
the next step in the evolution of Shorewall. The main thrust of the
initial release is simply to remove the cruft that has accumulated in
Shorewall over time. <br>
<br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
('ip' utility).</b><br>
<br>
Function from 1.3 that has been omitted from this version
include:<br>
 </b><b> </b></p>
<b> </b>
<ol>
<li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<br>
</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate an error.<br>
<br>
</li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
of the 'noping' or 'filterping' interface options.<br>
<br>
</li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces
and /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.<br>
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
longer accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer supported.
Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br>
</li>
<li>The icmp.def file has been removed.<br>
</li>
</ol>
Changes for 1.4 include:<br>
<ol>
<li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br>
<br>
</li>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>The firewall script, common functions file and version file
are now installed in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in the
common chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
want to 'ping' from the firewall, you will need the appropriate rule or
policy.<br>
<br>
</li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br>
<br>
</li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168)
may now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<br>
   a) You must be running kernel 2.4.20<br>
   b) You must have applied the patch in<br>
   http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
   c) You must have iptables 1.2.7a installed.<br>
<br>
</li>
<li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
<br>
</li>
<li value="10">Shorewall now gives a more helpful diagnostic when
the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
command is issued.<br>
<br>
</li>
<li>The SHARED_DIR variable has been removed from shorewall.conf.
This variable was for use by package maintainers and was not documented
for general use.<br>
<br>
</li>
<li>Shorewall now ignores 'default' routes when detecting masq'd
networks.<br>
</li>
</ol>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top"></a>
<p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<p>A roleup of the following bug fixes and other updates:</p>
<ul>
<li>There is an updated rfc1918 file that reflects the resent
allocation of 222.0.0.0/8 and 223.0.0.0/8. </li>
<li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a
single host or network address. </li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were
not rate-limited. </li>
<li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt;
don't support the 'maclist' interface option. </li>
<li>Log messages generated by RFC 1918 filtering are not rate limited. </li>
<li>The firewall fails to start in the case where you have "eth0
eth1" in /etc/shorewall/masq and the default route is through eth1
</li>
</ul>
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
<p>New features include</p>
<ol>
<li>An OLD_PING_HANDLING option has been added to shorewall.conf.
When set to Yes, Shorewall ping handling is as it has always been
(see http://www.shorewall.net/ping.html).<br>
<br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled
via rules and policies just like any other connection request. The
FORWARDPING=Yes option in shorewall.conf and the 'noping' and 'filterping'
options in /etc/shorewall/interfaces will all generate an error.<br>
<br>
</li>
<li>It is now possible to direct Shorewall to create
a "label" such as  "eth0:0" for IP addresses that it creates under
ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
the label instead of just the interface name:<br>
 <br>
   a) In the INTERFACE column of /etc/shorewall/masq<br>
   b) In the INTERFACE column of /etc/shorewall/nat<br>
 </li>
<li>Support for OpenVPN Tunnels.<br>
<br>
</li>
<li>Support for VLAN devices with names of the form
$DEV.$VID (e.g., eth0.0)<br>
<br>
</li>
<li>In /etc/shorewall/tcrules, the MARK value may be
optionally followed by ":" and either 'F' or 'P' to designate that the
marking will occur in the FORWARD or PREROUTING chains respectively.
If this additional specification is omitted, the chain used to mark packets
will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
</li>
<li>When an interface name is entered in the SUBNET
column of the /etc/shorewall/masq file, Shorewall previously masqueraded
traffic from only the first subnet defined on that interface. It
did not masquerade traffic from:<br>
 <br>
   a) The subnets associated with other addresses on the
interface.<br>
   b) Subnets accessed through local routers.<br>
 <br>
Beginning with Shorewall 1.3.14, if you enter an interface
name in the SUBNET column, shorewall will use the firewall's routing
table to construct the masquerading/SNAT rules.<br>
 <br>
Example 1 -- This is how it works in 1.3.14.<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>  [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
<pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
 <br>
When upgrading to Shorewall 1.3.14, if you have multiple
local subnets connected to an interface that is specified in the
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
file will need changing. In most cases, you will simply be able to remove
redundant entries. In some cases though, you might want to change from
using the interface name to listing specific subnetworks if the change described
above will cause masquerading to occur on subnetworks that you don't wish
to masquerade.<br>
 <br>
Example 2 -- Suppose that your current config is as follows:<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>
   In this case, the second entry in /etc/shorewall/masq
is no longer required.<br>
 <br>
Example 3 -- What if your current configuration is like
this?<br>
 <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>
   In this case, you would want to change the entry in 
/etc/shorewall/masq to:<br>
<pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li>
</ol>
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
</b></p>
Webmin version 1.060 now has Shorewall support included
as standard. See <a href="http://www.webmin.com">http://www.webmin.com</a>
<b> </b>
<ul>
</ul>
@ -502,6 +247,60 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
</ul>
<p>This release follows up on 1.4.0. It corrects a problem introduced
in 1.4.0 and removes additional warts.<br>
<br>
<b>Problems Corrected:</b><br>
</p>
<ol>
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file
is empty. That problem has been corrected so that ECN disabling rules are
only added if there are entries in /etc/shorewall/ecn.</li>
</ol>
<b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
</blockquote>
<ol>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than
one group<i> </i>then if there is no explicit Z to Z policy and there are
no rules governing traffic from Z to Z then Shorewall will permit all traffic
between the groups in the zone.</li>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create rules
to handle traffic from a group to itself.</li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is
specified from Z1 to Z2:</li>
</ol>
<ul>
<li>There may be no rules created that govern connections from Z1
to Z2.</li>
<li>Shorewall will not create any infrastructure to handle traffic
from Z1 to Z2.</li>
</ul>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
of how these changes may affect your configuration.
<p><a href="News.htm">More News</a></p>
@ -515,7 +314,7 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
<h2> </h2>
@ -523,18 +322,18 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
<h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1>
</a></h1>
<h4> </h4>
@ -542,7 +341,7 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
@ -551,45 +350,47 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
<h2><a name="Donations"></a>Donations</h2>
</td>
</td>
<td width="88"
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</tr>
</td>
</tr>
</tbody>
</tbody>
</table>
</center>
</center>
</div>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tbody>
<tr>
<tr>
<td width="100%"
style="margin-top: 1px;">
<td width="100%"
style="margin-top: 1px;">
@ -599,12 +400,11 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
</a></p>
@ -617,33 +417,35 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</tbody>
</table>
<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
</body>
</html>

416
STABLE/documentation/support.htm
View File

@ -3,89 +3,89 @@
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Support Guide</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</td>
</tr>
</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<h2>Before Reporting a Problem or Asking a Question<br>
</h2>
There are a number
of sources of Shorewall information. Please try these before you post.
</h2>
There are a number
of sources of Shorewall information. Please try these before you post.
<ul>
<li>More than half of the questions posted
on the support list have answers directly accessible from the <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
</li>
<li> The <a
<li>More than half of the questions posted
on the support list have answers directly accessible from the
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
</li>
<li> The <a
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
</li>
</li>
<li> The <a
<li> The <a
href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems.
</li>
a number of tips to help you solve common problems.
</li>
<li> The <a
<li> The <a
href="errata.htm"> Errata</a> has links to download updated
components. </li>
<li> The Site and Mailing
List Archives search facility can locate documents and posts
about similar problems: </li>
<li> The Site and Mailing
List Archives search facility can locate documents and posts
about similar problems: </li>
</ul>
<h2>Site and Mailing List Archive Search</h2>
<blockquote>
<blockquote>
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
@ -94,246 +94,252 @@ of sources of Shorewall information. Please try these before you post.
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font><input type="hidden" name="config" value="htdig"><input
</font><input type="hidden" name="config" value="htdig"><input
type="hidden" name="restrict" value=""><font size="-1"> Include Mailing
List Archives:
List Archives:
<select size="1" name="exclude">
<option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select>
</font><br>
Search: <input type="text" size="30" name="words" value=""> <input
</font><br>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"><br>
</form>
</blockquote>
</form>
</blockquote>
<h2>Problem Reporting Guidelines<br>
</h2>
</h2>
<ul>
<li>Please remember we only know what is posted
in your message. Do not leave out any information that appears to
be correct, or was mentioned in a previous post. There have been
<li>Please remember we only know what is posted
in your message. Do not leave out any information that appears
to be correct, or was mentioned in a previous post. There have been
countless posts by people who were sure that some part of their
configuration was correct when it actually contained a small error.
We tend to be skeptics where detail is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're asking for
<strong>free</strong> technical support. Any help we offer
is an act of generosity, not an obligation. Try to make it easy
configuration was correct when it actually contained a small error.
We tend to be skeptics where detail is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're asking for
<strong>free</strong> technical support. Any help we offer
is an act of generosity, not an obligation. Try to make it easy
for us to help you. Follow good, courteous practices in writing
and formatting your e-mail. Provide details that we need if you expect
good answers. <em>Exact quoting </em> of error messages, log entries,
command output, and other output is better than a paraphrase or summary.<br>
<br>
</li>
<li> Please don't
describe your environment and then ask us to send you
custom configuration files. We're here to answer your
questions but we can't do your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong>
include this information:</li>
<br>
</li>
<li> Please
don't describe your environment and then ask us to send you
custom configuration files. We're here to answer your
questions but we can't do your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong>
include this information:</li>
</ul>
<ul>
<ul>
<li>the exact version of Shorewall you are running.<br>
<br>
<b><font color="#009900">shorewall version</font><br>
</b> <br>
</li>
<li>the exact version of Shorewall you are
running.<br>
<br>
<b><font color="#009900">shorewall version</font><br>
</b> <br>
</li>
</ul>
<ul>
<li>the exact kernel version you are running<br>
<br>
<font color="#009900"><b>uname -a<br>
<br>
</b></font></li>
<li>the exact kernel version you are running<br>
<br>
<font color="#009900"><b>uname -a<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip addr show<br>
<br>
</b></font></li>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip addr show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip route show<br>
<br>
</b></font></li>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip route show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>If your kernel is modularized, the exact
output from<br>
<br>
<font color="#009900"><b>lsmod</b></font><br>
<br>
</li>
<li>the exact wording of any <code
<li>If your kernel is modularized, the exact
output from<br>
<br>
<font color="#009900"><b>lsmod</b></font><br>
<br>
</li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake using
the Mandrake installation of Shorewall, please say so.</b><br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake
using the Mandrake installation of Shorewall, please say so.</b><br>
</li>
</ul>
</ul>
<ul>
<ul>
<li><font color="#ff0000"><u><i><big><b>If you are having connection
problems of any kind then:</b></big></i></u></font><br>
<br>
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
<br>
2. Try the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an attachment.<br>
<br>
</li>
</ul>
</ul>
<ul>
<li><b>NEVER </b>include the output of "<b><font
color="#009900">iptables -L</font></b>". Instead,<font
color="#ff0000"><u><i><big> <b>if you are having connection problems of
any kind then:</b></big></i></u></font><br>
<br>
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
<br>
2. Try the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an attachment.<br>
<br>
</li>
<li>As a general
matter, please <strong>do not edit the diagnostic information</strong>
in an attempt to conceal your IP address, netmask, nameserver addresses,
domain name, etc. These aren't secrets, and concealing them often
misleads us (and 80% of the time, a hacker could derive them anyway
from information contained in the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font
<li>As a general
matter, please <strong>do not edit the diagnostic information</strong>
in an attempt to conceal your IP address, netmask, nameserver
addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them
anyway from information contained in the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If so, include
the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you
you exercise the function that is giving you problems? If so,
include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you
include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try to "<font
as well (rules are meaningless unless one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a
trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb so don't post GIFs
of your network layout, etc. to the Mailing
<br>
</li>
<li><b>The list server limits posts to 120kb so don't post GIFs
of your network layout, etc. to the Mailing
List -- your post will be rejected.</b></li>
</ul>
<blockquote>
The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a
found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote>
</blockquote>
<h2>When using the mailing list, please post in plain text</h2>
<blockquote>
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy
to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian
way to control spam and that the ultimate losers here are not
the spammers but the list subscribers whose MTAs are bouncing
to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian
way to control spam and that the ultimate losers here are not
the spammers but the list subscribers whose MTAs are bouncing
all shorewall.net mail. As one list subscriber wrote to me privately
"These e-mail admin's need to get a <i>(expletive deleted)</i> life
instead of trying to rid the planet of HTML based e-mail". Nevertheless,
to allow subscribers to receive list posts as must as possible, I have
now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br>
</blockquote>
"These e-mail admin's need to get a <i>(expletive deleted)</i> life
instead of trying to rid the planet of HTML based e-mail". Nevertheless,
to allow subscribers to receive list posts as must as possible, I
have now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote>
<h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
Users mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi
Network Firewall (MNF) and you have not purchased an MNF license
from MandrakeSoft then you can post non MNF-specific Shorewall questions
to the </b><a href="mailto:shorewall-users@lists.shorewall.net">Shorewall
users mailing list</a>. <b>Do not expect to get free MNF support
on the list or forum.</b><br>
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
Users mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft
Multi Network Firewall (MNF) and you have not purchased an MNF
license from MandrakeSoft then you can post non MNF-specific Shorewall
questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>.</p>
</blockquote>
<p>To Subscribe to the mailing list go to <a
list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>.<br>
To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br>
</p>
.<br>
</p>
</blockquote>
<p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
</p>
</p>
<p align="left"><font size="2">Last Updated 3/14/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 3/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

548
STABLE/documentation/traffic_shaping.htm
View File

@ -1,336 +1,338 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Traffic Shaping</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p align="left">Shorewall has limited support for traffic shaping/control.
In order to use traffic shaping under Shorewall, it is essential that
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
and Shaping HOWTO</a>, version 0.3.0 or later.</p>
<p align="left">Shorewall has limited support for traffic shaping/control.
In order to use traffic shaping under Shorewall, it is essential that
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
and Shaping HOWTO</a>, version 0.3.0 or later. It is also necessary
to be running Linux Kernel 2.4.18 or later.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul>
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
Traffic Shaping also requires that you enable packet mangling.</li>
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
the setting of this variable determines whether Shorewall clears the traffic
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
Traffic Shaping also requires that you enable packet mangling.</li>
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
the setting of this variable determines whether Shorewall clears the traffic
shaping configuration during Shorewall [re]start and Shorewall stop. <br>
</li>
<li><b>/etc/shorewall/tcrules</b> - A file where you can
specify firewall marking of packets. The firewall mark value may
</li>
<li><b>/etc/shorewall/tcrules</b> - A file where you can
specify firewall marking of packets. The firewall mark value may
be used to classify packets for traffic shaping/control.<br>
</li>
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file
that is sourced by Shorewall during "shorewall start" and which
you can use to define your traffic shaping disciplines and classes.
I have provided a <a
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping but if you read the traffic shaping sections
of the HOWTO mentioned above, you can probably code your own faster
than you can learn how to use my sample. I personally use <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
HTB support may eventually become an integral part of Shorewall
since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
HTB is a standard part of the kernel but iproute2 must be patched in
order to use it.<br>
<br>
In tcstart, when you want to run the 'tc' utility, use
the run_tc function supplied by shorewall if you want tc errors
</li>
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file
that is sourced by Shorewall during "shorewall start" and which
you can use to define your traffic shaping disciplines and classes.
I have provided a <a
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping but if you read the traffic shaping sections
of the HOWTO mentioned above, you can probably code your own
faster than you can learn how to use my sample. I personally use
<a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
HTB support may eventually become an integral part of Shorewall
since HTB is a lot simpler and better-documented than CBQ. As of
2.4.20, HTB is a standard part of the kernel but iproute2 must be patched
in order to use it.<br>
<br>
In tcstart, when you want to run the 'tc' utility, use
the run_tc function supplied by shorewall if you want tc errors
to stop the firewall.<br>
<br>
You can generally use off-the-shelf traffic shaping scripts by
<br>
You can generally use off-the-shelf traffic shaping scripts by
simply copying them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
you use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been
applied so when traffic shaping happens, all outbound traffic will have
as a source address the IP addresss of your firewall's external interface.<br>
</li>
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file
that is sourced by Shorewall when it is clearing traffic shaping.
This file is normally not required as Shorewall's method of clearing
qdisc and filter definitions is pretty general.</li>
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
modified it according to the Wonder Shaper README). <b>WARNING: </b>If
you use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been applied
so when traffic shaping happens, all outbound traffic will have as a source
address the IP addresss of your firewall's external interface.<br>
</li>
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file
that is sourced by Shorewall when it is clearing traffic shaping.
This file is normally not required as Shorewall's method of clearing
qdisc and filter definitions is pretty general.</li>
</ul>
Shorewall allows you to start traffic shaping when Shorewall itself
starts or it allows you to bring up traffic shaping when you bring up your
interfaces.<br>
<br>
To start traffic shaping when Shorewall starts:<br>
Shorewall allows you to start traffic shaping when Shorewall itself
starts or it allows you to bring up traffic shaping when you bring up
your interfaces.<br>
<br>
To start traffic shaping when Shorewall starts:<br>
<ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
shaping rules.</li>
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
shaping rules.</li>
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
shaping. That is usually unnecessary.</li>
<li>If your tcstart script uses the 'fwmark' classifier, you can
<li>If your tcstart script uses the 'fwmark' classifier, you can
mark packets using entries in /etc/shorewall/tcrules.</li>
</ol>
To start traffic shaping when you bring up your network interfaces,
you will have to arrange for your traffic shaping configuration script to
be run at that time. How you do that is distribution dependent and will not
be covered here. You then should:<br>
To start traffic shaping when you bring up your network interfaces,
you will have to arrange for your traffic shaping configuration script
to be run at that time. How you do that is distribution dependent and will
not be covered here. You then should:<br>
<ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
scripts.</li>
<li value="4">If your tcstart script uses the 'fwmark' classifier,
<li value="4">If your tcstart script uses the 'fwmark' classifier,
you can mark packets using entries in /etc/shorewall/tcrules.</li>
</ol>
<h3 align="left">Kernel Configuration</h3>
<p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
<p align="center"><img border="0" src="images/QoS.png" width="590"
height="764">
</p>
</p>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides
<p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides
a means for specifying these marks in a tabular fashion.<br>
</p>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading
are being used. Beginning with Shorewall 1.3.12, you can cause packet
marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p>
</p>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading are
being used. Beginning with Shorewall 1.3.12, you can cause packet marking
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p>
<p align="left">Columns in the file are as follows:</p>
<ul>
<li>MARK - Specifies the mark value is to be assigned in
case of a match. This is an integer in the range 1-255. Beginning
with Shorewall version 1.3.14, this value may be optionally followed by
":" and either 'F' or 'P' to designate that the marking will occur in the
FORWARD or PREROUTING chains respectively. If this additional specification
is omitted, the chain used to mark packets will be determined by the setting
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
Example - 5<br>
</li>
<li>SOURCE - The source of the packet. If the packet originates
on the firewall, place "fw" in this column. Otherwise, this is a
comma-separated list of interface names, IP addresses, MAC addresses
in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br>
Examples<br>
    eth0<br>
    192.168.2.4,192.168.1.0/24<br>
</li>
<li>DEST -- Destination of the packet. Comma-separated
<li>MARK - Specifies the mark value is to be assigned
in case of a match. This is an integer in the range 1-255. Beginning
with Shorewall version 1.3.14, this value may be optionally followed by ":"
and either 'F' or 'P' to designate that the marking will occur in the FORWARD
or PREROUTING chains respectively. If this additional specification is omitted,
the chain used to mark packets will be determined by the setting of the
MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
Example - 5<br>
</li>
<li>SOURCE - The source of the packet. If the packet originates
on the firewall, place "fw" in this column. Otherwise, this is
a comma-separated list of interface names, IP addresses, MAC addresses
in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br>
Examples<br>
    eth0<br>
    192.168.2.4,192.168.1.0/24<br>
</li>
<li>DEST -- Destination of the packet. Comma-separated
list of IP addresses and/or subnets.<br>
</li>
<li>PROTO - Protocol - Must be the name of a protocol from
/etc/protocol, a number or "all"<br>
</li>
<li>PORT(S) - Destination Ports. A comma-separated list
of Port names (from /etc/services), port numbers or port ranges (e.g.,
21:22); if the protocol is "icmp", this column is interpreted
</li>
<li>PROTO - Protocol - Must be the name of a protocol
from /etc/protocol, a number or "all"<br>
</li>
<li>PORT(S) - Destination Ports. A comma-separated list
of Port names (from /etc/services), port numbers or port ranges
(e.g., 21:22); if the protocol is "icmp", this column is interpreted
as the destination icmp type(s).<br>
</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
If omitted, any source port is acceptable. Specified as a comma-separate
</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
If omitted, any source port is acceptable. Specified as a comma-separate
list of port names, port numbers or port ranges.</li>
</ul>
<p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 and eth3 should be marked with
2. All packets originating on the firewall itself should be marked with
3.</p>
<p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 and eth3 should be marked with
2. All packets originating on the firewall itself should be marked
with 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>1</td>
<td>eth1</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>2</td>
<td>eth2</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top">2<br>
</td>
<td valign="top">eth3<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">all<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>3</td>
<td>fw</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
</tbody>
<td>1</td>
<td>eth1</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>2</td>
<td>eth2</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top">2<br>
</td>
<td valign="top">eth3<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">all<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>3</td>
<td>fw</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked with
12.</p>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked
with 12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>12</td>
<td>0.0.0.0/0</td>
<td>155.186.235.151</td>
<td>47</td>
<td> </td>
<td> </td>
</tr>
</tbody>
<td>12</td>
<td>0.0.0.0/0</td>
<td>155.186.235.151</td>
<td>47</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
and destined for 155.186.235.151 should be marked with 22.</p>
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
and destined for 155.186.235.151 should be marked with 22.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>22</td>
<td>192.168.1.0/24</td>
<td>155.186.235.151</td>
<td>tcp</td>
<td>22</td>
<td> </td>
</tr>
</tbody>
<td>22</td>
<td>192.168.1.0/24</td>
<td>155.186.235.151</td>
<td>tcp</td>
<td>22</td>
<td> </td>
</tr>
</tbody>
</table>
<h3>My Setup<br>
</h3>
</h3>
<p>While I am currently using the HTB version of <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
in the Wondershaper README), I have also run with the following set of
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
in the Wondershaper README), I have also run with the following set of
hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
</p>
<blockquote>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1</pre>
<pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
<pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
<pre>echo "   Enabled PFIFO on Second Level Classes"</pre>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>echo "   Defined fwmark filters"<br></pre>
</blockquote>
<p>My tcrules file that went with this tcstart file is shown in Example 1
above. You can look at <a href="myfiles.htm">my configuration</a> to
see why I wanted shaping of this type.<br>
</p>
<blockquote>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1</pre>
<pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
<pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
<pre>echo "   Enabled PFIFO on Second Level Classes"</pre>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>echo "   Defined fwmark filters"<br></pre>
</blockquote>
<p>My tcrules file that went with this tcstart file is shown in Example 1
above. You can look at <a href="myfiles.htm">my configuration</a> to
see why I wanted shaping of this type.<br>
</p>
<ol>
<li>I wanted to allow up to 140kbits/second for traffic outbound
from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
can use all available bandwidth if there is no traffic from the local
systems or from my laptop or firewall).</li>
<li>My laptop and local systems could use up to 224kbits/second.</li>
<li>My firewall could use up to 20kbits/second.</li>
<li>I wanted to allow up to 140kbits/second for traffic outbound
from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ
traffic can use all available bandwidth if there is no traffic from the
local systems or from my laptop or firewall).</li>
<li>My laptop and local systems could use up to 224kbits/second.</li>
<li>My firewall could use up to 20kbits/second.</li>
</ol>
You see <a href="myfiles.htm">the rest of my Shorewall configuration</a>
to see how this fit in. <br>
<p><font size="2">Last Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
You see <a href="myfiles.htm">the rest of my Shorewall configuration</a>
to see how this fit in. <br>
<p><font size="2">Last Updated 3/19/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>

627
STABLE/documentation/upgrade_issues.htm
View File

@ -1,309 +1,424 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Upgrade Issues</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.</p>
href="Install.htm">Install/Upgrade page</a>.<br>
</p>
<p>It is important that you read all of the sections on this page where the
version number mentioned in the section title is later than what you are
currently running. <br>
</p>
<h3> </h3>
<h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 <u>REQUIRES</u></b> <b>the iproute package
('ip' utility).</b><br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<h3>Version &gt;= 1.4.1</h3>
In the description that follows, the term <i>group </i>refers to a particular
network or subnetwork (which may be 0.0.0.0/0 or it may be a host address)
accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
<br>
<ul>
<li>The <b>noping </b>and <b>forwardping</b> interface options are
no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
ICMP echo-request (ping) packets are treated just like any other connection
request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in
/etc/shorewall/interfaces now generate a Shorewall error at startup (they
always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents
are determined by BOTH the interfaces and hosts files when there are entries
for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts file
has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are not dropped by default;
there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have been
moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include it
from /etc/shorewall/icmpdef, you will need to modify that file.</li>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall
will generate rules for sending packets back out the same interface that
they arrived on in two cases:</li>
<li>Beginning with Version 1.4.1, traffic between groups in the same
zone is accepted by default. Previously, traffic from a zone to itself was
treated just like any other traffic; any matching rules were applied followed
by enforcement of the appropriate policy. With 1.4.1 and later versions,
unless you have explicit rules for traffic from Z to Z or you have an explicit
Z to Z policy (where "Z" is some zone) then traffic between the groups in
zone Z will be accepted. If you do have one or more explicit rules for Z
to Z or if you have an explicit Z to Z policy then the behavior is as it
was in prior versions.</li>
</ul>
<ul>
<blockquote>
<ol>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic between
two interfaces to the same zone, that policy can be removed and traffic
between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one that has
"all" in either the SOURCE or DESTINATION column) to prevent traffic between
two interfaces to a zone Z and you have no rules for Z-&gt;Z then you should
add an explicit DROP or REJECT policy for Z to Z.<br>
</li>
</ol>
</blockquote>
<ul>
<li>Beginning with Version 1.4.1, Shorewall will never create rules to
deal with traffic from a given group back to itself. The <i>multi</i> interface
option is no longer available so if you want to route traffic between two
subnetworks on the same interface then either:</li>
</ul>
<blockquote>
<ol>
<li>The subnetworks must be in different zones; or</li>
<li>You must use the /etc/shorewall/hosts file to define the subnetworks
as two groups in a single zone.</li>
</ol>
</blockquote>
Example 1 -- Two zones:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/policy<br><br>z1 z2 ACCEPT<br>z2 z1 ACCEPT<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.0/24<br>z2 eth1:192.168.2.0/24<br></pre>
</blockquote>
Example 2 -- One zone:
<blockquote>
<pre><br>/etc/shorewall/zones<br><br>z Zone The Zone<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z eth1:192.168.1.0/24<br>z eth1:192.168.2.0/24<br></pre>
</blockquote>
Note that in the second example, we don't need any policy since z-&gt;z
traffic is accepted by default. The second technique is preferable if you
want unlimited access between the two subnetworks.<br>
<br>
Sometimes, you want two separate zones on one interface but you don't want
Shorewall to set up any infrastructure to handle traffic between them. <br>
<br>
Example:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to be involved
in any traffic between these two zones. Beginning with Shorewall 1.4.1, you
can prevent Shorewall from setting up any infrastructure to handle traffic
between z1 and z2 by using the new NONE policy:<br>
<blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote>
Note that NONE policies are generally used in pairs unless there is asymetric
routing where only the traffic on one direction flows through the firewall
and you are using a NONE polciy in the other direction. 
<h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute
package ('ip' utility).</b><br>
<br>
<b>Note: </b>Unfortunately, some distributions call this package iproute2
which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh
--nodeps &lt;shorewall rpm&gt;).<br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul>
<li>The <b>noping </b>and <b>forwardping</b> interface options
are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
ICMP echo-request (ping) packets are treated just like any other connection
request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents
are determined by BOTH the interfaces and hosts files when there are entries
for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts
file has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is no
longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by default;
there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have
been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include
it from /etc/shorewall/icmpdef, you will need to modify that file.</li>
<ul>
</ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
</li>
</ul>
<ul>
</ul>
<h3>Version 1.4.0</h3>
<ul>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall
will generate rules for sending packets back out the same interface that
they arrived on in two cases:</li>
</ul>
<blockquote>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to or from
the destination zone. An explicit policy names both zones and does not use
the 'all' reserved word.</li>
the destination zone. An explicit policy names both zones and does not
use the 'all' reserved word.</li>
</ul>
<ul>
<li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li>
</ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
</li>
</ul>
<ul>
</ul>
</blockquote>
<h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
     Beginning in version 1.3.14, Shorewall treats entries in <a
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
<b>column</b>:<br>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
     Beginning in version 1.3.14, Shorewall treats entries in <a
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
<b>column</b>:<br>
<ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the
interface (as shown by "ip addr show <i>interface</i>") and would masquerade
traffic from that subnet. Any other subnets that routed through eth1 needed
their own entry in /etc/shorewall/masq to be masqueraded or to have SNAT
applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
routing table to determine ALL subnets routed through the named interface.
Traffic originating in ANY of those subnets is masqueraded or has SNAT
applied.</li>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet
on the interface (as shown by "ip addr show <i>interface</i>") and would
masquerade traffic from that subnet. Any other subnets that routed through
eth1 needed their own entry in /etc/shorewall/masq to be masqueraded
or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
routing table to determine ALL subnets routed through the named interface.
Traffic originating in ANY of those subnets is masqueraded or has SNAT
applied.</li>
</ul>
You will need to make a change to your configuration if:<br>
You will need to make a change to your configuration if:<br>
<ol>
<li>You have one or more entries in /etc/shorewall/masq with an interface
name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li>
</ol>
Two examples:<br>
<br>
 <b>Example 1</b> -- Suppose that your current config is as follows:<br>
   <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
required.<br>
</blockquote>
<b>Example 2</b>-- What if your current configuration is like this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
to:<br>
</blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request (ping)
handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be used
(If the option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes
is assumed). I don't plan on supporting the old handling indefinitely so
I urge current users to migrate to using the new handling as soon as possible.
See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br>
<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote>
<h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions.
If you have an application that uses functions from that file, your application
will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.8,
you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following rules
in their /etc/shorewall/icmpdef file (creating
this file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version
1.3.3 and later:</p>
<ol>
<li>Be sure you have a backup
-- you will need to transcribe any Shorewall
configuration changes that you have
made to the new configuration.</li>
<li>Replace the shorwall.lrp
package provided on the Bering floppy
with the later one. If you did not obtain
the later version from Jacques's site,
see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall
entry if present. Then do not forget
to backup root.lrp !</li>
</ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to add
the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6
and 1.3.7</p>
<ol>
<li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn -j RETURN
# So that the connection tracking table can be rebuilt<br>
                                    # from non-SYN
packets after takeover.<br>
 </font> </p>
</li>
<li>
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p tcp
--tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild
connection<br>
                                                                   
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
</li>
<li>You have one or more entries in /etc/shorewall/masq with
an interface name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li>
</ol>
Two examples:<br>
<br>
 <b>Example 1</b> -- Suppose that your current config is as follows:<br>
   <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
required.<br>
</blockquote>
<b>Example 2</b>-- What if your current configuration is like
this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
to:<br>
</blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be
used (If the option is not set in your /etc/shorewall/shorewall.conf
then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the
old handling indefinitely so I urge current users to migrate to using
the new handling as soon as possible. See the <a href="ping.html">'Ping'
handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br>
<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote>
<h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions.
If you have an application that uses functions from that file, your
application will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version
1.3.8, you must set NEWNOTSYN=Yes in
your /etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following
rules in their /etc/shorewall/icmpdef
file (creating this file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version
1.3.3 and later:</p>
<ol>
<li>Be sure you have a backup
-- you will need to transcribe any
Shorewall configuration changes that
you have made to the new configuration.</li>
<li>Replace the shorwall.lrp
package provided on the Bering floppy
with the later one. If you did not
obtain the later version from Jacques's
site, see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall
entry if present. Then do not forget
to backup root.lrp !</li>
</ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need
to add the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions
1.3.6 and 1.3.7</p>
<ol>
<li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn
-j RETURN # So that the connection tracking table can be
rebuilt<br>
                                    # from non-SYN
packets after takeover.<br>
 </font> </p>
</li>
<li>
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p
tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to
rebuild connection<br>
                                                                   
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
</li>
</ol>
<h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p>
<p align="left">Example 1:</p>
<div align="left">
<div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div>
</div>
<p align="left">Must be replaced with:</p>
<div align="left">
<div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div>
<div align="left">
</div>
<div align="left">
<p align="left">Example 2:</p>
</div>
<div align="left">
</div>
<div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div>
<div align="left">
</div>
<div align="left">
<p align="left">Must be replaced with:</p>
</div>
<div align="left">
</div>
<div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre>
</div>
</div>
<h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications
should be modified accordingly.</p>
<p><font size="2"> Last updated 3/6/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
<p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those
applications should be modified accordingly.</p>
<p><font size="2"> Last updated 3/18/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>

2
STABLE/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.0
VERSION=1.4.1
usage() # $1 = exit status
{

45
STABLE/firewall
View File

@ -672,6 +672,7 @@ validate_policy()
print_policy() # $1 = source zone, $2 = destination zone
{
[ $command != check ] || \
[ $1 = $2 ] || \
[ $1 = all ] || \
[ $2 = all ] || \
echo " Policy for $1 to $2 is $policy"
@ -708,7 +709,7 @@ validate_policy()
esac
case $policy in
ACCEPT|REJECT|DROP|CONTINUE)
ACCEPT|REJECT|DROP|CONTINUE|NONE)
;;
*)
startup_error "Invalid policy $policy"
@ -728,7 +729,7 @@ validate_policy()
chain=${client}2${server}
all_policy_chains="$all_policy_chains $chain"
[ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
eval ${chain}_is_policy=Yes
eval ${chain}_policy=$policy
@ -743,6 +744,7 @@ validate_policy()
if [ -z "$pc" ]; then
eval ${zone}2${zone1}_policychain=$chain
eval ${zone}2${zone1}_policy=$policy
print_policy $zone $zone1
fi
done
@ -753,6 +755,7 @@ validate_policy()
if [ -z "$pc" ]; then
eval ${zone}2${server}_policychain=$chain
eval ${zone}2${server}_policy=$policy
print_policy $zone $server
fi
done
@ -763,6 +766,7 @@ validate_policy()
if [ -z "$pc" ]; then
eval ${client}2${zone}_policychain=$chain
eval ${client}2${zone}_policy=$policy
print_policy $client $zone
fi
done
@ -1438,7 +1442,7 @@ delete_nat() {
#
setup_ecn() # $1 = file name
{
local interfaces
local interfaces=""
local hosts
local h
@ -2151,7 +2155,7 @@ process_rule() # $1 = target
else
serverport=
[ -z "$serverzone" -o -z "$servers" ] && \
startup_error "Empty destination zone or qualifier: rule \"$rule\""
fatal_error "Empty destination zone or qualifier: rule \"$rule\""
fi
fi
@ -2165,6 +2169,11 @@ process_rule() # $1 = target
chain=${source}2${dest}
eval policy=\$${chain}_policy
[ $policy = NONE ] && \
fatal_error "Rules may not override a NONE policy: rule \"$rule\""
[ $command = check ] || ensurechain $chain
if [ "x$chain" = x${FW}2${FW} ]; then
@ -2683,6 +2692,8 @@ rules_chain() # $1 = source zone, $2 = destination zone
havechain $chain && { echo $chain; return; }
[ "$1" = "$2" ] && { echo ACCEPT; return; }
eval chain=\$${chain}_policychain
[ -n "$chain" ] && { echo $chain; return; }
@ -3670,41 +3681,27 @@ activate_rules()
done
for zone1 in $zones; do
eval policy=\$${zone}2${zone1}_policy
[ "$policy" = NONE ] && continue
eval dest_hosts=\$${zone1}_hosts
chain="`rules_chain $zone $zone1`"
echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then
have_canonical=Yes
else
have_canonical=
fi
for host in $source_hosts; do
interface=${host%:*}
subnet=${host#*:}
chain1=`forward_chain $interface`
if [ -n "$have_canonical" ]; then
bounce=yes
else
case $interface in
*+*)
bounce=yes
;;
*)
bounce=
;;
esac
fi
for host1 in $dest_hosts; do
interface1=${host1%:*}
subnet1=${host1#*:}
if [ $interface != $interface1 -o -n "$bounce" ]; then
if [ "$host" != "$host1" ]; then
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
fi
done

15
STABLE/hosts
View File

@ -1,10 +1,17 @@
#
# Shorewall 1.4 - /etc/shorewall/hosts
#
# WARNING: 90% of Shorewall users don't need to add entries to this
# file and 80% of those who try to add such entries get it
# wrong. Unless you are ABSOLUTELY SURE that you need entries
# in this file, don't touch it!
# THERE ARE TWO CASES WHERE YOU NEED THIS FILE:
#
# 1) YOU HAVE MULTIPLE NETWORKS IN THE SAME ZONE CONNECTED TO
# A SINGLE INTERFACE AND YOU WANT THE SHOREWALL BOX TO ROUTE
# BETWEEN THESE NETWORKS.
#
# 2) YOU HAVE MORE THAN ONE ZONE CONNECTED THROUGH A SINGLE
# INTERFACE.
#
# IF YOU DON'T HAVE EITHER OF THESE SITUATIONS THEN DON'T TOUCH
# THIS FILE.
#
# This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to

2
STABLE/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.0
VERSION=1.4.1
usage() # $1 = exit status
{

21
STABLE/policy
View File

@ -22,7 +22,26 @@
# Shorewall will not start!
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
# ACCEPT - Accept the connection
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other, send
# "port unreachable" ICMP.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or destination
# zone in those rules is a superset of
# the SOURCE or DEST in this policy).
# NONE - Assume that there will never be any
# packets from this SOURCE
# to this DEST. Shorewall will not set up
# any infrastructure to handle such
# packets and you may not have any rules
# with this SOURCE and DEST in the
# /etc/shorewall/rules file. If such a
# packet _is_ received, the result is
# undefined.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no

99
STABLE/releasenotes.txt
View File

@ -1,94 +1,19 @@
This is a major release of Shorewall.
This is a minor release of Shorewall.
Function from 1.3 that has been omitted from this version includes:
This release introduces incompatibilities with prior releases. See
http://www.shorewall.net/upgrade_issues.htm.
1) The MERGE_HOSTS variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with
MERGE_HOSTS=Yes.
Changes are:
2) Interface names of the form <device>:<integer> in
/etc/shorewall/interfaces now generate an error.
a) There is now a new NONE policy specifiable in
/etc/shorewall/policy. This policy will cause Shorewall to assume that
there will never be any traffic between the source and destination
zones.
3) Shorewall 1.4 implements behavior consistent with
OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error
at startup as will specification of the 'noping' or 'filterping'
interface options.
4) The 'routestopped' option in the /etc/shorewall/interfaces and
/etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.
5) The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
accepted.
6) The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with
ALLOWRELATED=Yes.
7) The 'multi' interface option is no longer supported. Shorewall will
generate rules for sending packets back out the same interface
that they arrived on in two cases:
a) There is an _explicit_ policy for the source zone to the
destination zone. An explicit policy names both zones and does not
use the 'all' reserved word.
b) There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all'
reserved word. Exception: If the source and the destination are
the same zone then the rule must be explicit - it must name the zone
in both the SOURCE and DESTINATION columns.
Changes for 1.4 include:
1) shorewall.conf has been completely reorganized into logical
sections.
2) LOG is now a valid action for a rule (/etc/shorewall/rules).
3) The firewall script and version file are now installed in
/usr/share/shorewall.
4. Late arriving DNS replies are now silently dropped in the common
chain by default.
5) In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or
policy.
6) CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
7) 802.11b devices with names of the form wlan<n> now support the
'maclist' option.
8) IMPORTANT: Shorewall now REQUIRES the iproute package ('ip'
utility).
9) Explicit Congestion Notification (ECN - RFC 3168) may now be turned
off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:
a) You must be running kernel 2.4.20
b) You must have applied the patch in
http://www.shorewall/net/pub/shorewall/ecn/patch.
c) You must have iptables 1.2.7a installed.
10) The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.
11) Packets with state INVALID are now silently dropped.
12) Shorewall now gives a more helpful diagnostic when the 'ipchains'
compatibility kernel module is loaded and a 'shorewall start'
command is issued.
13) The SHARED_DIR variable has been removed from shorewall.conf. This
variable was for use by package maintainers and was not documented
for general use.
14) Shorewall now ignores 'default' routes when detecting masq'd
networks.
b) Shorewall no longer creates rules to govern traffic from an
interface:subnet to itself.
c) Intra-zone traffic is always accepted now (exception is (b)
above).. Intrazone policies and rules are no longer allowed.

4
STABLE/rules
View File

@ -15,7 +15,8 @@
# Columns are:
#
#
# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE
# or LOG.
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
@ -39,6 +40,7 @@
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be

4
STABLE/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 1.4.0
%define version 1.4.1
%define release 1
%define prefix /usr
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Fri Mar 21 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.1-1
* Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.0-1
* Fri Mar 07 2003 Tom Eastep <tom@shorewall.net>

2
STABLE/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.0
VERSION=1.4.1
usage() # $1 = exit status
{

3404
Shorewall-docs/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

22
Shorewall-docs/Documentation_Index.htm
View File

@ -1,31 +1,31 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>The Documentation Index</title>
</head>
<body>
<h1 align="center">The Shorewall Documentation Index</h1>
<h1 align="center">has Moved <a
href="shorewall_quickstart_guide.htm#Documentation">Here</a></h1>
<p><font size="2"> Last updated 8/9/2002 -
<p><font size="2"> Last updated 8/9/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p> <a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>
</body>
</html>

2470
Shorewall-docs/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

22
Shorewall-docs/Forum.html
View File

@ -1,40 +1,40 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Support Forum</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Support Forum</font></h1>
</td>
</tr>
</tbody>
</table>
<h3><font color="#ff6633"></font></h3>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="support.htm">Shorewall Support Guide</a>.</h1>
<p><a href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
<p><a href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a><br>
</p>
<p><font size="2">Updated 3/6/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2003 Thomas M. Eastep.</font></a></p>
<br>

374
Shorewall-docs/GnuCopyright.htm
View File

@ -24,256 +24,256 @@ Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
</pre>
<p><strong>0. PREAMBLE</strong> </p>
<p>The purpose of this License is to make a manual, textbook, or other written
document &quot;free&quot; in the sense of freedom: to assure everyone the effective
freedom to copy and redistribute it, with or without modifying it, either
commercially or noncommercially. Secondarily, this License preserves for the
author and publisher a way to get credit for their work, while not being
<p>The purpose of this License is to make a manual, textbook, or other written
document &quot;free&quot; in the sense of freedom: to assure everyone the effective
freedom to copy and redistribute it, with or without modifying it, either
commercially or noncommercially. Secondarily, this License preserves for the
author and publisher a way to get credit for their work, while not being
considered responsible for modifications made by others. </p>
<p>This License is a kind of &quot;copyleft&quot;, which means that derivative works of
the document must themselves be free in the same sense. It complements the GNU
<p>This License is a kind of &quot;copyleft&quot;, which means that derivative works of
the document must themselves be free in the same sense. It complements the GNU
General Public License, which is a copyleft license designed for free software.
</p>
<p>We have designed this License in order to use it for manuals for free
software, because free software needs free documentation: a free program should
come with manuals providing the same freedoms that the software does. But this
License is not limited to software manuals; it can be used for any textual work,
regardless of subject matter or whether it is published as a printed book. We
recommend this License principally for works whose purpose is instruction or
<p>We have designed this License in order to use it for manuals for free
software, because free software needs free documentation: a free program should
come with manuals providing the same freedoms that the software does. But this
License is not limited to software manuals; it can be used for any textual work,
regardless of subject matter or whether it is published as a printed book. We
recommend this License principally for works whose purpose is instruction or
reference. </p>
<p><strong>1. APPLICABILITY AND DEFINITIONS</strong> </p>
<p>This License applies to any manual or other work that contains a notice
placed by the copyright holder saying it can be distributed under the terms of
this License. The &quot;Document&quot;, below, refers to any such manual or work. Any
<p>This License applies to any manual or other work that contains a notice
placed by the copyright holder saying it can be distributed under the terms of
this License. The &quot;Document&quot;, below, refers to any such manual or work. Any
member of the public is a licensee, and is addressed as &quot;you&quot;. </p>
<p>A &quot;Modified Version&quot; of the Document means any work containing the Document
or a portion of it, either copied verbatim, or with modifications and/or
<p>A &quot;Modified Version&quot; of the Document means any work containing the Document
or a portion of it, either copied verbatim, or with modifications and/or
translated into another language. </p>
<p>A &quot;Secondary Section&quot; is a named appendix or a front-matter section of the
Document that deals exclusively with the relationship of the publishers or
authors of the Document to the Document's overall subject (or to related
matters) and contains nothing that could fall directly within that overall
subject. (For example, if the Document is in part a textbook of mathematics, a
Secondary Section may not explain any mathematics.) The relationship could be a
matter of historical connection with the subject or with related matters, or of
<p>A &quot;Secondary Section&quot; is a named appendix or a front-matter section of the
Document that deals exclusively with the relationship of the publishers or
authors of the Document to the Document's overall subject (or to related
matters) and contains nothing that could fall directly within that overall
subject. (For example, if the Document is in part a textbook of mathematics, a
Secondary Section may not explain any mathematics.) The relationship could be a
matter of historical connection with the subject or with related matters, or of
legal, commercial, philosophical, ethical or political position regarding them.
</p>
<p>The &quot;Invariant Sections&quot; are certain Secondary Sections whose titles are
designated, as being those of Invariant Sections, in the notice that says that
<p>The &quot;Invariant Sections&quot; are certain Secondary Sections whose titles are
designated, as being those of Invariant Sections, in the notice that says that
the Document is released under this License. </p>
<p>The &quot;Cover Texts&quot; are certain short passages of text that are listed, as
Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document
<p>The &quot;Cover Texts&quot; are certain short passages of text that are listed, as
Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document
is released under this License. </p>
<p>A &quot;Transparent&quot; copy of the Document means a machine-readable copy,
represented in a format whose specification is available to the general public,
whose contents can be viewed and edited directly and straightforwardly with
generic text editors or (for images composed of pixels) generic paint programs
or (for drawings) some widely available drawing editor, and that is suitable for
input to text formatters or for automatic translation to a variety of formats
suitable for input to text formatters. A copy made in an otherwise Transparent
file format whose markup has been designed to thwart or discourage subsequent
modification by readers is not Transparent. A copy that is not &quot;Transparent&quot; is
<p>A &quot;Transparent&quot; copy of the Document means a machine-readable copy,
represented in a format whose specification is available to the general public,
whose contents can be viewed and edited directly and straightforwardly with
generic text editors or (for images composed of pixels) generic paint programs
or (for drawings) some widely available drawing editor, and that is suitable for
input to text formatters or for automatic translation to a variety of formats
suitable for input to text formatters. A copy made in an otherwise Transparent
file format whose markup has been designed to thwart or discourage subsequent
modification by readers is not Transparent. A copy that is not &quot;Transparent&quot; is
called &quot;Opaque&quot;. </p>
<p>Examples of suitable formats for Transparent copies include plain ASCII
without markup, Texinfo input format, LaTeX input format, SGML or XML using a
publicly available DTD, and standard-conforming simple HTML designed for human
modification. Opaque formats include PostScript, PDF, proprietary formats that
can be read and edited only by proprietary word processors, SGML or XML for
which the DTD and/or processing tools are not generally available, and the
machine-generated HTML produced by some word processors for output purposes
<p>Examples of suitable formats for Transparent copies include plain ASCII
without markup, Texinfo input format, LaTeX input format, SGML or XML using a
publicly available DTD, and standard-conforming simple HTML designed for human
modification. Opaque formats include PostScript, PDF, proprietary formats that
can be read and edited only by proprietary word processors, SGML or XML for
which the DTD and/or processing tools are not generally available, and the
machine-generated HTML produced by some word processors for output purposes
only. </p>
<p>The &quot;Title Page&quot; means, for a printed book, the title page itself, plus such
following pages as are needed to hold, legibly, the material this License
requires to appear in the title page. For works in formats which do not have any
title page as such, &quot;Title Page&quot; means the text near the most prominent
<p>The &quot;Title Page&quot; means, for a printed book, the title page itself, plus such
following pages as are needed to hold, legibly, the material this License
requires to appear in the title page. For works in formats which do not have any
title page as such, &quot;Title Page&quot; means the text near the most prominent
appearance of the work's title, preceding the beginning of the body of the text.
</p>
<p><strong>2. VERBATIM COPYING</strong> </p>
<p>You may copy and distribute the Document in any medium, either commercially
or noncommercially, provided that this License, the copyright notices, and the
license notice saying this License applies to the Document are reproduced in all
copies, and that you add no other conditions whatsoever to those of this
License. You may not use technical measures to obstruct or control the reading
or further copying of the copies you make or distribute. However, you may accept
compensation in exchange for copies. If you distribute a large enough number of
<p>You may copy and distribute the Document in any medium, either commercially
or noncommercially, provided that this License, the copyright notices, and the
license notice saying this License applies to the Document are reproduced in all
copies, and that you add no other conditions whatsoever to those of this
License. You may not use technical measures to obstruct or control the reading
or further copying of the copies you make or distribute. However, you may accept
compensation in exchange for copies. If you distribute a large enough number of
copies you must also follow the conditions in section 3. </p>
<p>You may also lend copies, under the same conditions stated above, and you may
<p>You may also lend copies, under the same conditions stated above, and you may
publicly display copies. </p>
<p><strong>3. COPYING IN QUANTITY</strong> </p>
<p>If you publish printed copies of the Document numbering more than 100, and
the Document's license notice requires Cover Texts, you must enclose the copies
in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover
Texts on the front cover, and Back-Cover Texts on the back cover. Both covers
must also clearly and legibly identify you as the publisher of these copies. The
front cover must present the full title with all words of the title equally
prominent and visible. You may add other material on the covers in addition.
Copying with changes limited to the covers, as long as they preserve the title
of the Document and satisfy these conditions, can be treated as verbatim copying
<p>If you publish printed copies of the Document numbering more than 100, and
the Document's license notice requires Cover Texts, you must enclose the copies
in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover
Texts on the front cover, and Back-Cover Texts on the back cover. Both covers
must also clearly and legibly identify you as the publisher of these copies. The
front cover must present the full title with all words of the title equally
prominent and visible. You may add other material on the covers in addition.
Copying with changes limited to the covers, as long as they preserve the title
of the Document and satisfy these conditions, can be treated as verbatim copying
in other respects. </p>
<p>If the required texts for either cover are too voluminous to fit legibly, you
should put the first ones listed (as many as fit reasonably) on the actual
<p>If the required texts for either cover are too voluminous to fit legibly, you
should put the first ones listed (as many as fit reasonably) on the actual
cover, and continue the rest onto adjacent pages. </p>
<p>If you publish or distribute Opaque copies of the Document numbering more
than 100, you must either include a machine-readable Transparent copy along with
each Opaque copy, or state in or with each Opaque copy a publicly-accessible
computer-network location containing a complete Transparent copy of the
Document, free of added material, which the general network-using public has
access to download anonymously at no charge using public-standard network
protocols. If you use the latter option, you must take reasonably prudent steps,
when you begin distribution of Opaque copies in quantity, to ensure that this
Transparent copy will remain thus accessible at the stated location until at
least one year after the last time you distribute an Opaque copy (directly or
<p>If you publish or distribute Opaque copies of the Document numbering more
than 100, you must either include a machine-readable Transparent copy along with
each Opaque copy, or state in or with each Opaque copy a publicly-accessible
computer-network location containing a complete Transparent copy of the
Document, free of added material, which the general network-using public has
access to download anonymously at no charge using public-standard network
protocols. If you use the latter option, you must take reasonably prudent steps,
when you begin distribution of Opaque copies in quantity, to ensure that this
Transparent copy will remain thus accessible at the stated location until at
least one year after the last time you distribute an Opaque copy (directly or
through your agents or retailers) of that edition to the public. </p>
<p>It is requested, but not required, that you contact the authors of the
Document well before redistributing any large number of copies, to give them a
<p>It is requested, but not required, that you contact the authors of the
Document well before redistributing any large number of copies, to give them a
chance to provide you with an updated version of the Document. </p>
<p><strong>4. MODIFICATIONS</strong> </p>
<p>You may copy and distribute a Modified Version of the Document under the
conditions of sections 2 and 3 above, provided that you release the Modified
Version under precisely this License, with the Modified Version filling the role
of the Document, thus licensing distribution and modification of the Modified
Version to whoever possesses a copy of it. In addition, you must do these things
<p>You may copy and distribute a Modified Version of the Document under the
conditions of sections 2 and 3 above, provided that you release the Modified
Version under precisely this License, with the Modified Version filling the role
of the Document, thus licensing distribution and modification of the Modified
Version to whoever possesses a copy of it. In addition, you must do these things
in the Modified Version: </p>
<p>&nbsp;</p>
<ul>
<li><strong>A.</strong> Use in the Title Page (and on the covers, if any) a
title distinct from that of the Document, and from those of previous versions
(which should, if there were any, be listed in the History section of the
Document). You may use the same title as a previous version if the original
<li><strong>A.</strong> Use in the Title Page (and on the covers, if any) a
title distinct from that of the Document, and from those of previous versions
(which should, if there were any, be listed in the History section of the
Document). You may use the same title as a previous version if the original
publisher of that version gives permission. </li>
<li><strong>B.</strong> List on the Title Page, as authors, one or more
persons or entities responsible for authorship of the modifications in the
Modified Version, together with at least five of the principal authors of the
<li><strong>B.</strong> List on the Title Page, as authors, one or more
persons or entities responsible for authorship of the modifications in the
Modified Version, together with at least five of the principal authors of the
Document (all of its principal authors, if it has less than five). </li>
<li><strong>C.</strong> State on the Title page the name of the publisher of
<li><strong>C.</strong> State on the Title page the name of the publisher of
the Modified Version, as the publisher. </li>
<li><strong>D.</strong> Preserve all the copyright notices of the Document.
</li>
<li><strong>E.</strong> Add an appropriate copyright notice for your
<li><strong>E.</strong> Add an appropriate copyright notice for your
modifications adjacent to the other copyright notices. </li>
<li><strong>F.</strong> Include, immediately after the copyright notices, a
license notice giving the public permission to use the Modified Version under
<li><strong>F.</strong> Include, immediately after the copyright notices, a
license notice giving the public permission to use the Modified Version under
the terms of this License, in the form shown in the Addendum below. </li>
<li><strong>G.</strong> Preserve in that license notice the full lists of
Invariant Sections and required Cover Texts given in the Document's license
<li><strong>G.</strong> Preserve in that license notice the full lists of
Invariant Sections and required Cover Texts given in the Document's license
notice. </li>
<li><strong>H.</strong> Include an unaltered copy of this License. </li>
<li><strong>I.</strong> Preserve the section entitled &quot;History&quot;, and its
title, and add to it an item stating at least the title, year, new authors,
and publisher of the Modified Version as given on the Title Page. If there is
no section entitled &quot;History&quot; in the Document, create one stating the title,
year, authors, and publisher of the Document as given on its Title Page, then
add an item describing the Modified Version as stated in the previous
<li><strong>I.</strong> Preserve the section entitled &quot;History&quot;, and its
title, and add to it an item stating at least the title, year, new authors,
and publisher of the Modified Version as given on the Title Page. If there is
no section entitled &quot;History&quot; in the Document, create one stating the title,
year, authors, and publisher of the Document as given on its Title Page, then
add an item describing the Modified Version as stated in the previous
sentence. </li>
<li><strong>J.</strong> Preserve the network location, if any, given in the
Document for public access to a Transparent copy of the Document, and likewise
the network locations given in the Document for previous versions it was based
on. These may be placed in the &quot;History&quot; section. You may omit a network
location for a work that was published at least four years before the Document
itself, or if the original publisher of the version it refers to gives
<li><strong>J.</strong> Preserve the network location, if any, given in the
Document for public access to a Transparent copy of the Document, and likewise
the network locations given in the Document for previous versions it was based
on. These may be placed in the &quot;History&quot; section. You may omit a network
location for a work that was published at least four years before the Document
itself, or if the original publisher of the version it refers to gives
permission. </li>
<li><strong>K.</strong> In any section entitled &quot;Acknowledgements&quot; or
&quot;Dedications&quot;, preserve the section's title, and preserve in the section all
the substance and tone of each of the contributor acknowledgements and/or
<li><strong>K.</strong> In any section entitled &quot;Acknowledgements&quot; or
&quot;Dedications&quot;, preserve the section's title, and preserve in the section all
the substance and tone of each of the contributor acknowledgements and/or
dedications given therein. </li>
<li><strong>L.</strong> Preserve all the Invariant Sections of the Document,
unaltered in their text and in their titles. Section numbers or the equivalent
<li><strong>L.</strong> Preserve all the Invariant Sections of the Document,
unaltered in their text and in their titles. Section numbers or the equivalent
are not considered part of the section titles. </li>
<li><strong>M.</strong> Delete any section entitled &quot;Endorsements&quot;. Such a
<li><strong>M.</strong> Delete any section entitled &quot;Endorsements&quot;. Such a
section may not be included in the Modified Version. </li>
<li><strong>N.</strong> Do not retitle any existing section as &quot;Endorsements&quot;
<li><strong>N.</strong> Do not retitle any existing section as &quot;Endorsements&quot;
or to conflict in title with any Invariant Section. </li>
</ul>
<p>If the Modified Version includes new front-matter sections or appendices that
qualify as Secondary Sections and contain no material copied from the Document,
you may at your option designate some or all of these sections as invariant. To
do this, add their titles to the list of Invariant Sections in the Modified
Version's license notice. These titles must be distinct from any other section
<p>If the Modified Version includes new front-matter sections or appendices that
qualify as Secondary Sections and contain no material copied from the Document,
you may at your option designate some or all of these sections as invariant. To
do this, add their titles to the list of Invariant Sections in the Modified
Version's license notice. These titles must be distinct from any other section
titles. </p>
<p>You may add a section entitled &quot;Endorsements&quot;, provided it contains nothing
but endorsements of your Modified Version by various parties--for example,
statements of peer review or that the text has been approved by an organization
<p>You may add a section entitled &quot;Endorsements&quot;, provided it contains nothing
but endorsements of your Modified Version by various parties--for example,
statements of peer review or that the text has been approved by an organization
as the authoritative definition of a standard. </p>
<p>You may add a passage of up to five words as a Front-Cover Text, and a
passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover
Texts in the Modified Version. Only one passage of Front-Cover Text and one of
Back-Cover Text may be added by (or through arrangements made by) any one
entity. If the Document already includes a cover text for the same cover,
previously added by you or by arrangement made by the same entity you are acting
on behalf of, you may not add another; but you may replace the old one, on
<p>You may add a passage of up to five words as a Front-Cover Text, and a
passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover
Texts in the Modified Version. Only one passage of Front-Cover Text and one of
Back-Cover Text may be added by (or through arrangements made by) any one
entity. If the Document already includes a cover text for the same cover,
previously added by you or by arrangement made by the same entity you are acting
on behalf of, you may not add another; but you may replace the old one, on
explicit permission from the previous publisher that added the old one. </p>
<p>The author(s) and publisher(s) of the Document do not by this License give
permission to use their names for publicity for or to assert or imply
<p>The author(s) and publisher(s) of the Document do not by this License give
permission to use their names for publicity for or to assert or imply
endorsement of any Modified Version. </p>
<p><strong>5. COMBINING DOCUMENTS</strong> </p>
<p>You may combine the Document with other documents released under this
License, under the terms defined in section 4 above for modified versions,
provided that you include in the combination all of the Invariant Sections of
all of the original documents, unmodified, and list them all as Invariant
<p>You may combine the Document with other documents released under this
License, under the terms defined in section 4 above for modified versions,
provided that you include in the combination all of the Invariant Sections of
all of the original documents, unmodified, and list them all as Invariant
Sections of your combined work in its license notice. </p>
<p>The combined work need only contain one copy of this License, and multiple
identical Invariant Sections may be replaced with a single copy. If there are
multiple Invariant Sections with the same name but different contents, make the
title of each such section unique by adding at the end of it, in parentheses,
the name of the original author or publisher of that section if known, or else a
unique number. Make the same adjustment to the section titles in the list of
<p>The combined work need only contain one copy of this License, and multiple
identical Invariant Sections may be replaced with a single copy. If there are
multiple Invariant Sections with the same name but different contents, make the
title of each such section unique by adding at the end of it, in parentheses,
the name of the original author or publisher of that section if known, or else a
unique number. Make the same adjustment to the section titles in the list of
Invariant Sections in the license notice of the combined work. </p>
<p>In the combination, you must combine any sections entitled &quot;History&quot; in the
various original documents, forming one section entitled &quot;History&quot;; likewise
combine any sections entitled &quot;Acknowledgements&quot;, and any sections entitled
<p>In the combination, you must combine any sections entitled &quot;History&quot; in the
various original documents, forming one section entitled &quot;History&quot;; likewise
combine any sections entitled &quot;Acknowledgements&quot;, and any sections entitled
&quot;Dedications&quot;. You must delete all sections entitled &quot;Endorsements.&quot; </p>
<p><strong>6. COLLECTIONS OF DOCUMENTS</strong> </p>
<p>You may make a collection consisting of the Document and other documents
released under this License, and replace the individual copies of this License
in the various documents with a single copy that is included in the collection,
provided that you follow the rules of this License for verbatim copying of each
<p>You may make a collection consisting of the Document and other documents
released under this License, and replace the individual copies of this License
in the various documents with a single copy that is included in the collection,
provided that you follow the rules of this License for verbatim copying of each
of the documents in all other respects. </p>
<p>You may extract a single document from such a collection, and distribute it
individually under this License, provided you insert a copy of this License into
the extracted document, and follow this License in all other respects regarding
<p>You may extract a single document from such a collection, and distribute it
individually under this License, provided you insert a copy of this License into
the extracted document, and follow this License in all other respects regarding
verbatim copying of that document. </p>
<p><strong>7. AGGREGATION WITH INDEPENDENT WORKS</strong> </p>
<p>A compilation of the Document or its derivatives with other separate and
independent documents or works, in or on a volume of a storage or distribution
medium, does not as a whole count as a Modified Version of the Document,
provided no compilation copyright is claimed for the compilation. Such a
compilation is called an &quot;aggregate&quot;, and this License does not apply to the
other self-contained works thus compiled with the Document, on account of their
being thus compiled, if they are not themselves derivative works of the
<p>A compilation of the Document or its derivatives with other separate and
independent documents or works, in or on a volume of a storage or distribution
medium, does not as a whole count as a Modified Version of the Document,
provided no compilation copyright is claimed for the compilation. Such a
compilation is called an &quot;aggregate&quot;, and this License does not apply to the
other self-contained works thus compiled with the Document, on account of their
being thus compiled, if they are not themselves derivative works of the
Document. </p>
<p>If the Cover Text requirement of section 3 is applicable to these copies of
the Document, then if the Document is less than one quarter of the entire
aggregate, the Document's Cover Texts may be placed on covers that surround only
the Document within the aggregate. Otherwise they must appear on covers around
<p>If the Cover Text requirement of section 3 is applicable to these copies of
the Document, then if the Document is less than one quarter of the entire
aggregate, the Document's Cover Texts may be placed on covers that surround only
the Document within the aggregate. Otherwise they must appear on covers around
the whole aggregate. </p>
<p><strong>8. TRANSLATION</strong> </p>
<p>Translation is considered a kind of modification, so you may distribute
translations of the Document under the terms of section 4. Replacing Invariant
Sections with translations requires special permission from their copyright
holders, but you may include translations of some or all Invariant Sections in
addition to the original versions of these Invariant Sections. You may include a
translation of this License provided that you also include the original English
version of this License. In case of a disagreement between the translation and
the original English version of this License, the original English version will
<p>Translation is considered a kind of modification, so you may distribute
translations of the Document under the terms of section 4. Replacing Invariant
Sections with translations requires special permission from their copyright
holders, but you may include translations of some or all Invariant Sections in
addition to the original versions of these Invariant Sections. You may include a
translation of this License provided that you also include the original English
version of this License. In case of a disagreement between the translation and
the original English version of this License, the original English version will
prevail. </p>
<p><strong>9. TERMINATION</strong> </p>
<p>You may not copy, modify, sublicense, or distribute the Document except as
expressly provided for under this License. Any other attempt to copy, modify,
sublicense or distribute the Document is void, and will automatically terminate
your rights under this License. However, parties who have received copies, or
rights, from you under this License will not have their licenses terminated so
<p>You may not copy, modify, sublicense, or distribute the Document except as
expressly provided for under this License. Any other attempt to copy, modify,
sublicense or distribute the Document is void, and will automatically terminate
your rights under this License. However, parties who have received copies, or
rights, from you under this License will not have their licenses terminated so
long as such parties remain in full compliance. </p>
<p><strong>10. FUTURE REVISIONS OF THIS LICENSE</strong> </p>
<p>The Free Software Foundation may publish new, revised versions of the GNU
Free Documentation License from time to time. Such new versions will be similar
in spirit to the present version, but may differ in detail to address new
<p>The Free Software Foundation may publish new, revised versions of the GNU
Free Documentation License from time to time. Such new versions will be similar
in spirit to the present version, but may differ in detail to address new
problems or concerns. See http://www.gnu.org/copyleft/. </p>
<p>Each version of the License is given a distinguishing version number. If the
Document specifies that a particular numbered version of this License &quot;or any
later version&quot; applies to it, you have the option of following the terms and
conditions either of that specified version or of any later version that has
been published (not as a draft) by the Free Software Foundation. If the Document
does not specify a version number of this License, you may choose any version
<p>Each version of the License is given a distinguishing version number. If the
Document specifies that a particular numbered version of this License &quot;or any
later version&quot; applies to it, you have the option of following the terms and
conditions either of that specified version or of any later version that has
been published (not as a draft) by the Free Software Foundation. If the Document
does not specify a version number of this License, you may choose any version
ever published (not as a draft) by the Free Software Foundation. </p>
<p align="left">&nbsp;</p>

116
Shorewall-docs/IPIP.htm
View File

@ -1,74 +1,74 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>GRE/IPIP Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">GRE and IPIP Tunnels</font></h1>
</td>
</tr>
</tbody>
</table>
<h3><font color="#ff6633">Warning: </font>GRE and IPIP Tunnels are insecure
when used over the internet; use them at your own risk</h3>
<p>GRE and IPIP tunneling with Shorewall can be used to bridge two masqueraded
networks.</p>
<p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux
Advanced Routing and Shaping HOWTO</a> work fine with Shorewall. Shorewall
also includes a tunnel script for automating tunnel configuration. If you
have installed the RPM, the tunnel script may be found in the Shorewall documentation
directory (usually /usr/share/doc/shorewall-&lt;version&gt;/).</p>
<h2>Bridging two Masqueraded Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center"> <img border="0" src="images/TwoNets1.png" width="745"
height="427">
</p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able
to communicate with the systems in the 10.0.0.0/8 network. This is accomplished
to communicate with the systems in the 10.0.0.0/8 network. This is accomplished
through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy
file and the /etc/shorewall/tunnel script that is included with Shorewall.</p>
<p align="left">The 'tunnel' script is not installed in /etc/shorewall by
default -- If you install using the tarball, the script is included in the
<p align="left">The 'tunnel' script is not installed in /etc/shorewall by
default -- If you install using the tarball, the script is included in the
tarball; if you install using the RPM, the file is in your Shorewall documentation
directory (normally /usr/share/doc/shorewall-&lt;version&gt;).</p>
<p align="left">In the /etc/shorewall/tunnel script, set the 'tunnel_type'
<p align="left">In the /etc/shorewall/tunnel script, set the 'tunnel_type'
parameter to the type of tunnel that you want to create.</p>
<p align="left">Example:</p>
<blockquote>
<blockquote>
<p align="left">tunnel_type=gre</p>
</blockquote>
<p align="left">On each firewall, you will need to declare a zone to represent
the remote subnet. We'll assume that this zone is called 'vpn' and declare
it in /etc/shorewall/zones on both systems as follows.</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -81,15 +81,15 @@ it in /etc/shorewall/zones on both systems as follows.</p>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -104,14 +104,14 @@ zone. In /etc/shorewall/interfaces:</p>
<td>10.255.255.255</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -126,17 +126,17 @@ zone. In /etc/shorewall/interfaces:</p>
<td>134.28.54.2</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IP
encapsulation protocol (4) will be accepted to/from the remote gateway.</p>
<p>In the tunnel script on system A:</p>
<blockquote>
<blockquote>
<p>tunnel=tosysb<br>
myrealip=206.161.148.9 (for GRE tunnel only)<br>
myip=192.168.1.1<br>
@ -144,11 +144,11 @@ zone. In /etc/shorewall/interfaces:</p>
gateway=134.28.54.2<br>
subnet=10.0.0.0/8</p>
</blockquote>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -163,14 +163,14 @@ zone. In /etc/shorewall/interfaces:</p>
<td>192.168.1.255</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>In /etc/shorewall/tunnels on system B, we have:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -185,14 +185,14 @@ zone. In /etc/shorewall/interfaces:</p>
<td>206.191.148.9</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>And in the tunnel script on system B:</p>
<blockquote>
<blockquote>
<p>tunnel=tosysa<br>
myrealip=134.28.54.2 (for GRE tunnel only)<br>
myip=10.0.0.1<br>
@ -200,15 +200,15 @@ zone. In /etc/shorewall/interfaces:</p>
gateway=206.191.148.9<br>
subnet=192.168.1.0/24</p>
</blockquote>
<p>You can rename the modified tunnel scripts if you like; be sure that they
are secured so that root can execute them. </p>
<p align="left"> You will need to allow traffic between the "vpn" zone and
the "loc" zone on both systems -- if you simply want to admit all
traffic in both directions, you can use the policy file:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -229,18 +229,18 @@ traffic in both directions, you can use the policy file:</p>
<td>ACCEPT</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>On both systems, restart Shorewall and run the modified tunnel script
with the "start" argument on each system. The systems in the two masqueraded
subnetworks can now talk to each other</p>
<p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
<br>

212
Shorewall-docs/IPSEC.htm
View File

@ -1,77 +1,77 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall IPSec Tunneling</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">IPSEC Tunnels</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a
href="http://jixen.tripod.com"> http://jixen.tripod.com</a> . I highly recommend
that you consult that site for information about confuring FreeS/Wan. 
<p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and
FreeS/Wan on the same system unless you are prepared to suffer the consequences.
If you start or restart Shorewall with an IPSEC tunnel active, the proxied
IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX)
rather than to the interface that you specify in the INTERFACE column of
that you consult that site for information about confuring FreeS/Wan. 
<p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and
FreeS/Wan on the same system unless you are prepared to suffer the consequences.
If you start or restart Shorewall with an IPSEC tunnel active, the proxied
IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX)
rather than to the interface that you specify in the INTERFACE column of
/etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
<p>You <b>might</b> be able to work around this problem using the following
<p>You <b>might</b> be able to work around this problem using the following
(I haven't tried it):</p>
<p>In /etc/shorewall/init, include:</p>
<p>     qt service ipsec stop</p>
<p>In /etc/shorewall/start, include:</p>
<p>    qt service ipsec start</p>
<h2> <font color="#660066">IPSec Gateway on the Firewall System </font></h2>
<p>Suppose that we have the following sutuation:</p>
<font color="#660066">
<font color="#660066">
<p align="center"><font face="Century Gothic, Arial, Helvetica"> <img
src="images/TwoNets1.png" width="745" height="427">
</font></p>
</font>
<p align="left">We want systems in the 192.168.1.0/24 sub-network to be able
</font>
<p align="left">We want systems in the 192.168.1.0/24 sub-network to be able
to communicate with systems in the 10.0.0.0/8 network.</p>
<p align="left">To make this work, we need to do two things:</p>
<p align="left">a) Open the firewall so that the IPSEC tunnel can be established
<p align="left">a) Open the firewall so that the IPSEC tunnel can be established
(allow the ESP and AH protocols and UDP Port 500). </p>
<p align="left">b) Allow traffic through the tunnel.</p>
<p align="left">Opening the firewall for the IPSEC tunnel is accomplished
<p align="left">Opening the firewall for the IPSEC tunnel is accomplished
by adding an entry to the /etc/shorewall/tunnels file.</p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following </p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -86,14 +86,14 @@ by adding an entry to the /etc/shorewall/tunnels file.</p>
<td>134.28.54.2</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system B, we would have:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -108,21 +108,21 @@ by adding an entry to the /etc/shorewall/tunnels file.</p>
<td>206.161.148.9</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway
then the tunnels file entry on the <u><b>other</b></u> endpoint should specify
a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the GATEWAY
address should specify the external address of the NAT gateway.<br>
</p>
<p align="left">You need to define a zone for the remote subnet or include
it in your local zone. In this example, we'll assume that you have created
<p align="left">You need to define a zone for the remote subnet or include
it in your local zone. In this example, we'll assume that you have created
a zone called "vpn" to represent the remote subnet.</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -135,15 +135,15 @@ a zone called "vpn" to represent the remote subnet.</p>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p align="left">At both systems, ipsec0 would be included in /etc/shorewall/interfaces
<p align="left">At both systems, ipsec0 would be included in /etc/shorewall/interfaces
as a "vpn" interface:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -158,16 +158,16 @@ as a "vpn" interface:</p>
<td> </td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p align="left"> You will need to allow traffic between the "vpn" zone and
the "loc" zone -- if you simply want to admit all traffic in both
<p align="left"> You will need to allow traffic between the "vpn" zone and
the "loc" zone -- if you simply want to admit all traffic in both
directions, you can use the policy file:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -188,31 +188,31 @@ as a "vpn" interface:</p>
<td>ACCEPT</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p align="left"> Once you have these entries in place, restart Shorewall (type
shorewall restart); you are now ready to configure the tunnel in <a
href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a> .</p>
<h2><font color="#660066"><a name="RoadWarrior"></a> Mobile System (Road
<h2><font color="#660066"><a name="RoadWarrior"></a> Mobile System (Road
Warrior)</font></h2>
<p>Suppose that you have a laptop system (B) that you take with you when you
travel and you want to be able to establish a secure connection back to your
local network.</p>
<p align="center"><strong><font face="Century Gothic, Arial, Helvetica">
<img src="images/Mobile.png" width="677" height="426">
</font></strong></p>
<p align="left">You need to define a zone for the laptop or include it in
your local zone. In this example, we'll assume that you have created
<p align="left">You need to define a zone for the laptop or include it in
your local zone. In this example, we'll assume that you have created
a zone called "vpn" to represent the remote host.</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -225,16 +225,16 @@ a zone called "vpn" to represent the remote host.</p>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p align="left"> In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the /etc/shorewall/tunnels file
<p align="left"> In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the /etc/shorewall/tunnels file
on system A, the following entry should be made:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -249,26 +249,26 @@ on system A, the following entry should be made:</p>
<td>0.0.0.0/0</td>
<td>vpn</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>Note that the GATEWAY ZONE column contains the name of the zone corresponding
to peer subnetworks. This indicates that the gateway system itself comprises
<p>Note that the GATEWAY ZONE column contains the name of the zone corresponding
to peer subnetworks. This indicates that the gateway system itself comprises
the peer subnetwork; in other words, the remote gateway is a standalone system.</p>
<p>You will need to configure /etc/shorewall/interfaces and establish
<p>You will need to configure /etc/shorewall/interfaces and establish
your "through the tunnel" policy as shown under the first example above.<br>
</p>
<h2><a name="Dynamic"></a>Dynamic RoadWarrior Zones</h2>
Beginning with Shorewall release 1.3.10, you can define multiple VPN zones
and add and delete remote endpoints dynamically using /sbin/shorewall. In
Beginning with Shorewall release 1.3.10, you can define multiple VPN zones
and add and delete remote endpoints dynamically using /sbin/shorewall. In
/etc/shorewall/zones:<br>
<br>
<blockquote>
<blockquote>
<table cellpadding="2" border="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -303,14 +303,14 @@ and add and delete remote endpoints dynamically using /sbin/shorewall. In
<td valign="top">Third VPN Zone<br>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/tunnels:<br>
<blockquote>
<blockquote>
<table cellpadding="2" cellspacing="" border="2"
style="border-collapse: collapse;">
<tbody>
@ -334,32 +334,32 @@ and add and delete remote endpoints dynamically using /sbin/shorewall. In
<td valign="top">vpn1,vpn2,vpn3<br>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
</blockquote>
When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall
will issue warnings to that effect. These warnings may be safely ignored.
FreeS/Wan may now be configured to have three different Road Warrior connections
with the choice of connection being based on X-509 certificates or some other
When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall
will issue warnings to that effect. These warnings may be safely ignored.
FreeS/Wan may now be configured to have three different Road Warrior connections
with the choice of connection being based on X-509 certificates or some other
means. Each of these connectioins will utilize a different updown script that
adds the remote station to the appropriate zone when the connection comes
up and that deletes the remote station when the connection comes down. For
example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of the
script will issue the command":<br>
<br>
<blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
</blockquote>
and the 'down' part will:<br>
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn</blockquote>
<p><font size="2">Last updated 10/23/2002 - </font><font size="2">
<p><font size="2">Last updated 10/23/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">
<p><a href="copyright.htm"><font size="2">
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>
<br>

122
Shorewall-docs/Install.htm
View File

@ -1,34 +1,34 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p align="center"><b>Before upgrading, be sure to review the <a
href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install using tarball<br>
</a><a href="#LRP">Install the .lrp</a><br>
@ -37,16 +37,16 @@
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to version
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to version
1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
@ -60,7 +60,7 @@ on the iproute package. Unfortunately, some distributions call this package
iproute2 which will cause the installation of Shorewall to fail with the
diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps
@ -68,19 +68,19 @@ This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps
<br>
</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE
NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
</ul>
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
and install script: </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
@ -94,43 +94,43 @@ NETWORK CONNECTIVITY.</b></font></li>
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then
type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d
<li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be
<li>If the install script was unable to configure Shorewall to be
started automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file that
you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
or and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain
or and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the new
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.</p>
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
</b>If you are installing version 1.2.0 and have one of the 1.2.0
Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g.,
"rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
"rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
@ -148,12 +148,12 @@ which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and
you have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for
@ -161,7 +161,7 @@ each interface mentioned in the hosts file.
rule forms that are no longer supported under 1.4 (you must use the new
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> for
details. </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
@ -175,35 +175,35 @@ details. </p>
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then
type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d
<li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
directory&gt;</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li>
</ul>
<a name="LRP_Upgrade"></a>If you already have a running Bering
installation and wish to upgrade to a later version of Shorewall:<br>
<br>
    <b>UNDER CONSTRUCTION...</b><br>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of the configuration files to match
<p>You will need to edit some or all of the configuration files to match
your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<ul>
</ul>
<p><font size="2">Updated 3/18/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated 3/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>

64
Shorewall-docs/MAC_Validation.html
View File

@ -2,28 +2,28 @@
<html>
<head>
<title>MAC Verification</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">MAC Verification</font><br>
</h1>
<br>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
All traffic from an interface or from a subnet on an interface
@ -35,18 +35,18 @@ each MAC address may be optionally associated with one or more IP addresses.
- module name ipt_mac.o).</b><br>
<br>
There are four components to this facility.<br>
<ol>
<li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
this option is specified, all traffic arriving on the interface is subjet
to MAC verification.</li>
<li>The <b>maclist </b>option in <a
href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option
is specified for a subnet, all traffic from that subnet is subject to MAC
href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option
is specified for a subnet, all traffic from that subnet is subject to MAC
verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses
<li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
@ -57,52 +57,52 @@ and determines the disposition of connection requests that fail MAC verificat
value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are
not logged.<br>
</li>
</ol>
The columns in /etc/shorewall/maclist are:<br>
<ul>
<li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li>
<li>MAC - The MAC address of a device on the ethernet segment connected
by INTERFACE. It is not necessary to use the Shorewall MAC format in
this column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses
<li>IP Address - An optional comma-separated list of IP addresses
for the device whose MAC is listed in the MAC column.</li>
</ul>
<h3>Example 1: Here are my files:</h3>
<b>/etc/shorewall/shorewall.conf:<br>
</b>
</b>
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
<b>/etc/shorewall/interfaces:</b><br>
<pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,maclist<br> dmz eth1 192.168.2.255<br> net eth3 206.124.146.255 blacklist<br> - texas 192.168.9.255<br> loc ppp+<br></pre>
<b>/etc/shorewall/maclist:</b><br>
<pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:A0:CC:DB:31:C4 192.168.1.128/26 #PPTP Clients to server on Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre>
As shown above, I use MAC Verification on my local zone.<br>
<h3>Example 2: Router in Local Zone</h3>
Suppose now that I add a second ethernet segment to my local zone
and gateway that segment via a router with MAC address 00:06:43:45:C6:15
and IP address 192.168.1.253. Hosts in the second segment have IP addresses
Suppose now that I add a second ethernet segment to my local zone
and gateway that segment via a router with MAC address 00:06:43:45:C6:15
and IP address 192.168.1.253. Hosts in the second segment have IP addresses
in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
file:<br>
<pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.1.253)
This entry accomodates traffic from the router itself (192.168.1.253)
and from the second LAN segment (192.168.2.0/24). Remember that all traffic
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
by the router so that traffic's MAC address will be that of the router
(00:06:43:45:C6:15) and not that of the host sending the traffic.
<p><font size="2"> Updated 2/21/2002 - <a href="support.htm">Tom Eastep</a>
(00:06:43:45:C6:15) and not that of the host sending the traffic.
<p><font size="2"> Updated 2/21/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>

64
Shorewall-docs/NAT.htm
View File

@ -1,57 +1,57 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall NAT</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<blockquote>
<blockquote>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Static NAT</font></h1>
</td>
</tr>
</tbody>
</table>
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use static
NAT. Port forwarding can be accomplished with simple entries in the
NAT. Port forwarding can be accomplished with simple entries in the
<a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
<p>Static NAT is a way to make systems behind a firewall and configured
with private IP addresses (those reserved for private use in RFC1918)
appear to have public IP addresses. Before you try to use this technique,
I strongly recommend that you read the <a
href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<p>The following figure represents a static NAT environment.</p>
<p align="center"><strong> <img src="images/staticnat.png"
width="435" height="397">
</strong></p>
<blockquote> </blockquote>
<p align="left">Static NAT can be used to make the systems with the
<p align="left">Static NAT can be used to make the systems with the
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If
we assume that the interface to the upper subnet is eth0, then the following
we assume that the interface to the upper subnet is eth0, then the following
/etc/shorewall/NAT file would make the lower left-hand system appear
to have IP address 130.252.100.18 and the right-hand one to have IP address
to have IP address 130.252.100.18 and the right-hand one to have IP address
130.252.100.19.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -75,27 +75,27 @@ to have IP address 130.252.100.18 and the right-hand one to have IP address
<td>yes</td>
<td>yes</td>
</tr>
</tbody>
</table>
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
example) is (are) not included in any specification in /etc/shorewall/masq
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column
is used to specify whether access to the external IP from all firewall
interfaces should undergo NAT (Yes or yes) or if only access from the
interface in the INTERFACE column should undergo NAT. If you leave this
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column
is used to specify whether access to the external IP from all firewall
interfaces should undergo NAT (Yes or yes) or if only access from the
interface in the INTERFACE column should undergo NAT. If you leave this
column empty, "Yes" is assumed. The ALL INTERFACES column was added
in version 1.1.6.</p>
<p>Note 2: Shorewall will automatically add the external address to the
<p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if
you set it to "Yes" or "yes" then you must NOT configure your own alias(es).</p>
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column
determine whether packets originating on the firewall itself and destined
for the EXTERNAL address are redirected to the internal ADDRESS. If this
@ -103,9 +103,9 @@ column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also contains
"Yes" or "yes") then such packets are redirected; otherwise, such packets
are not redirected. The LOCAL column was added in version 1.1.8.</p>
</blockquote>
<blockquote> </blockquote>
<p><font size="2">Last updated 1/11/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font

2422
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

126
Shorewall-docs/OPENVPN.html
View File

@ -1,33 +1,33 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>OpenVPN Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">OpenVPN Tunnels</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<h3><br>
</h3>
<p>OpenVPN is a robust and highly configurable VPN (Virtual Private Network)
daemon which can be used to securely link two or more private networks using
an encrypted tunnel over the internet. OpenVPN is an Open Source project
@ -35,32 +35,32 @@ and is <a href="http://openvpn.sourceforge.net/license.html">licensed under
the GPL</a>. OpenVPN can be downloaded from <a
href="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</a>.<br>
</p>
<p>OpenVPN support was added to Shorewall in version 1.3.14.<br>
</p>
<h2>Bridging two Masqueraded Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center"><img border="0" src="images/TwoNets1.png" width="745"
height="427">
</p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able
to communicate with the systems in the 10.0.0.0/8 network. This is accomplished
through use of the /etc/shorewall/tunnels file and the /etc/shorewall/policy
file and OpenVPN.</p>
<p align="left">While it was possible to use the Shorewall start and stop
script to start and stop OpenVPN, I decided to use the init script of OpenVPN
to start and stop it.</p>
<p align="left">On each firewall, you will need to declare a zone to represent
the remote subnet. We'll assume that this zone is called 'vpn' and declare
it in /etc/shorewall/zones on both systems as follows.</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -73,15 +73,15 @@ the GPL</a>. OpenVPN can be downloaded from <a
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -97,14 +97,14 @@ zone. In /etc/shorewall/interfaces:</p>
</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -119,18 +119,18 @@ zone. In /etc/shorewall/interfaces:</p>
<td>134.28.54.2</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels opens the firewall so that OpenVPN
traffic on the default port 5000/udp will be accepted to/from the remote
gateway. If you change the port used by OpenVPN to 7777, you can define /etc/shorewall/tunnels
like this:<br>
</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -145,18 +145,18 @@ gateway. If you change the port used by OpenVPN to 7777, you can define
<td>134.28.54.2</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>This is the OpenVPN config on system A:</p>
<blockquote>
<blockquote>
<p></p>
</blockquote>
<blockquote>
<blockquote>
<p>dev tun<br>
local 206.162.148.9<br>
remote 134.28.54.2<br>
@ -171,11 +171,11 @@ gateway. If you change the port used by OpenVPN to 7777, you can define
verb 5<br>
</p>
</blockquote>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -190,14 +190,14 @@ gateway. If you change the port used by OpenVPN to 7777, you can define
<td>192.168.1.255</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>In /etc/shorewall/tunnels on system B, we have:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -212,14 +212,14 @@ gateway. If you change the port used by OpenVPN to 7777, you can define
<td>206.191.148.9</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>And in the OpenVPN config on system B:</p>
<blockquote>
<blockquote>
<p>dev tun<br>
local 134.28.54.2<br>
remote 206.162.148.9<br>
@ -233,12 +233,12 @@ gateway. If you change the port used by OpenVPN to 7777, you can define
verb 5<br>
</p>
</blockquote>
<p align="left">You will need to allow traffic between the "vpn" zone and
the "loc" zone on both systems -- if you simply want to admit all
traffic in both directions, you can use the policy file:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -259,20 +259,20 @@ traffic in both directions, you can use the policy file:</p>
<td>ACCEPT</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>On both systems, restart Shorewall and start OpenVPN. The systems in the
two masqueraded subnetworks can now talk to each other.</p>
<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font>
<small>and Simon Mater</small><br>
</p>
<p><font size="2"> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep. and Simon Mater<br>
</font></a></font></p>

356
Shorewall-docs/PPTP.htm
View File

@ -1,52 +1,52 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall PPTP</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">PPTP</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p align="left">Shorewall easily supports PPTP in a number of configurations:</p>
<ul>
<li> <a href="#ServerFW">PPTP Server running on your Firewall</a></li>
<li> <a href="#ServerBehind">PPTP Server running behind your
<li> <a href="#ServerBehind">PPTP Server running behind your
Firewall.</a></li>
<li> <a href="#ClientsBehind">PPTP Clients running behind your
<li> <a href="#ClientsBehind">PPTP Clients running behind your
Firewall.</a></li>
<li> <a href="#ClientFW">PPTP Client running on your Firewall.</a></li>
</ul>
<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your Firewall</h2>
<p>I will try to give you an idea of how to set up a PPTP server on your firewall
system. This isn't a detailed HOWTO but rather an example of how I have set
up a working PPTP server on my own firewall.</p>
<p>The steps involved are:</p>
<ol>
<li><a href="#PatchPppd">Patching and building pppd</a></li>
<li><a href="#PatchKernel">Patching and building your Kernel</a></li>
@ -54,36 +54,36 @@ up a working PPTP server on my own firewall.</p>
<li><a href="#ConfigPppd">Configuring pppd</a></li>
<li><a href="#ConfigPptpd">Configuring pptpd</a></li>
<li><a href="#ConfigFw">Configuring Shorewall</a></li>
</ol>
<h3><a name="PatchPppd"></a>Patching and Building pppd</h3>
<p>To run pppd on a 2.4 kernel, you need the pppd 2.4.1 or later. The primary
site for releases of pppd is <a href="ftp://ftp.samba.org/pub/ppp">ftp://ftp.samba.org/pub/ppp</a>.</p>
<p>You will need the following patches:</p>
<ul>
<li> <a
href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz</a></li>
<li><a
href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz</a></li>
</ul>
<p>You may also want the following patch if you want to require remote hosts
<p>You may also want the following patch if you want to require remote hosts
to use encryption:</p>
<ul>
<li><a
href="ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff">ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff</a></li>
</ul>
<p>Un-tar the pppd source and uncompress the patches into one directory (the
patches and the ppp-2.4.1 directory are all in a single parent directory):</p>
<ul>
<li>cd ppp-2.4.1</li>
<li>patch -p1 &lt; ../ppp-2.4.0-openssl-0.9.6-mppe.patch</li>
@ -91,56 +91,56 @@ to use encryption:</p>
<li>(Optional) patch -p1 &lt; ../require-mppe.diff</li>
<li>./configure</li>
<li>make</li>
</ul>
<p>You will need to install the resulting binary on your firewall system.
<p>You will need to install the resulting binary on your firewall system.
To do that, I NFS mount my source filesystem and use "make install" from the
ppp-2.4.1 directory.</p>
<h3><a name="PatchKernel"></a>Patching and Building your Kernel</h3>
<p>You will need one of the following patches depending on your kernel version:</p>
<ul>
<li> <a
href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz</a></li>
<li> <a
href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz">http://www.shorewall/net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz</a></li>
</ul>
<p>Uncompress the patch into the same directory where your top-level kernel
source is located and:</p>
<ul>
<li>cd &lt;your GNU/Linux source top-level directory&gt;</li>
<li>patch -p1 &lt; ../linux-2.4.16-openssl-0.9.6b-mppe.patch</li>
</ul>
<p>Now configure your kernel. Here is my ppp configuration:</p>
<blockquote>
<blockquote>
<p><img border="0" src="images/ppp.jpg" width="592" height="734">
</p>
</blockquote>
<h3><a name="Samba"></a>Configuring Samba</h3>
<p>You will need a WINS server (Samba configured to run as a WINS server is
fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3)
fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3)
is:</p>
<blockquote>
<blockquote>
<pre>[global]<br> workgroup = TDM-NSTOP<br> netbios name = WOOKIE<br> server string = GNU/Linux Box<br> encrypt passwords = Yes<br> log file = /var/log/samba/%m.log<br> max log size = 0<br> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192<br> os level = 65<br> domain master = True<br> preferred master = True<br> dns proxy = No<br> wins support = Yes<br> printing = lprng<br><br>[homes]<br> comment = Home Directories<br> valid users = %S<br> read only = No<br> create mask = 0664<br> directory mask = 0775<br><br>[printers]<br> comment = All Printers<br> path = /var/spool/samba<br> printable = Yes</pre>
</blockquote>
<h3><a name="ConfigPppd"></a>Configuring pppd</h3>
<p>Here is a copy of my /etc/ppp/options.poptop file:</p>
<blockquote>
<blockquote>
<p><font face="Courier" size="2">ipparam PoPToP<br>
lock<br>
mtu 1490<br>
@ -163,9 +163,9 @@ is:</p>
require-mppe<br>
require-mppe-stateless</font></p>
</blockquote>
<p>Notes:</p>
<ul>
<li>System 192.168.1.3 acts as a WINS server so I have included that
IP as the 'ms-wins' value.</li>
@ -173,55 +173,55 @@ IP as the 'ms-wins' value.</li>
address 206.124.146.177.</li>
<li>I am requiring 128-bit stateless compression (my kernel is built
with the 'require-mppe.diff' patch mentioned above.</li>
</ul>
<p>Here's my /etc/ppp/chap-secrets:</p>
<blockquote>
<blockquote>
<p><font face="Courier" size="2"> Secrets for authentication using CHAP<br>
# client        server    secret    IP addresses<br>
CPQTDM\\TEastep *         &lt;shhhhhh&gt; 192.168.1.7<br>
TEastep         *         &lt;shhhhhh&gt; 192.168.1.7</font></p>
</blockquote>
<p>I am the only user who connects to the server but I may connect either
with or without a domain being specified. The system I connect from is my
laptop so I give it the same IP address when tunneled in at it has when I
<p>I am the only user who connects to the server but I may connect either
with or without a domain being specified. The system I connect from is my
laptop so I give it the same IP address when tunneled in at it has when I
use its wireless LAN card around the house.</p>
<p>You will also want the following in /etc/modules.conf:</p>
<pre> alias ppp-compress-18 ppp_mppe<br> alias ppp-compress-21 bsd_comp<br> alias ppp-compress-24 ppp_deflate<br> alias ppp-compress-26 ppp_deflate</pre>
<h3><a name="ConfigPptpd"></a>Configuring pptpd</h3>
<p>PoPTop (pptpd) is available from <a href="http://poptop.lineo.com/">http://poptop.lineo.com/</a>.</p>
<p>Here is a copy of my /etc/pptpd.conf file:</p>
<blockquote>
<blockquote>
<p><font face="Courier" size="2">option /etc/ppp/options.poptop<br>
speed 115200<br>
localip 192.168.1.254<br>
remoteip 192.168.1.33-38</font></p>
</blockquote>
<p>Notes:</p>
<ul>
<li>I specify the /etc/ppp/options.poptop file as my ppp options file
<li>I specify the /etc/ppp/options.poptop file as my ppp options file
(I have several).</li>
<li>The local IP is the same as my internal interface's (192.168.1.254).</li>
<li>I have assigned a remote IP range that overlaps my local network.
This, together with 'proxyarp' in my /etc/ppp/options.poptop file make
<li>I have assigned a remote IP range that overlaps my local network.
This, together with 'proxyarp' in my /etc/ppp/options.poptop file make
the remote hosts look like they are part of the local subnetwork.</li>
</ul>
<p>I use this file to start/stop pptpd -- I have this in /etc/init.d/pptpd:</p>
<blockquote>
<blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br>
#<br>
# /etc/rc.d/init.d/pptpd<br>
@ -259,15 +259,15 @@ the remote hosts look like they are part of the local subnetwork.</li>
    ;;<br>
esac</font></p>
</blockquote>
<h3><a name="ConfigFw"></a>Configuring Shorewall</h3>
<p>I consider hosts connected to my PPTP server to be just like local systems.
My key Shorewall entries are:</p>
<h4>/etc/shorewall/zones:</h4>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -285,14 +285,14 @@ the remote hosts look like they are part of the local subnetwork.</li>
<td>Local</td>
<td>My Local Network including remote PPTP clients</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/interfaces:</h4>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -319,14 +319,14 @@ the remote hosts look like they are part of the local subnetwork.</li>
<td> </td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/hosts:</h4>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -344,14 +344,14 @@ the remote hosts look like they are part of the local subnetwork.</li>
<td>ppp+:192.168.1.0/24</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/policy:</h4>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -366,15 +366,15 @@ the remote hosts look like they are part of the local subnetwork.</li>
<td>ACCEPT</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/rules (For Shorewall versions up to and including 1.3.9b):</h4>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -416,11 +416,11 @@ the remote hosts look like they are part of the local subnetwork.</li>
<td> </td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions 1.3.10
and later)<br>
</b></p>
@ -453,10 +453,10 @@ and later)<br>
<p align="left"><br>
Note: I have multiple ppp interfaces on my firewall. If you have a single
ppp interface, you probably want:</p>
<h4>/etc/shorewall/interfaces:</h4>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -483,19 +483,19 @@ ppp interface, you probably want:</p>
<td> </td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p align="left">and <u><b>no</b></u> entries in /etc/shorewall/hosts.</p>
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running Behind
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running Behind
your Firewall</h2>
<p>If you have a single external IP address, add the following to your /etc/shorewall/rules
file:</p>
<font face="Century Gothic, Arial, Helvetica"> </font>
<font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -528,15 +528,15 @@ file:</p>
<td> </td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
<p>If you have multiple external IP address and you want to forward a single
<i>&lt;external address&gt;, </i>add the following to your /etc/shorewall/rules
<p>If you have multiple external IP address and you want to forward a single
<i>&lt;external address&gt;, </i>add the following to your /etc/shorewall/rules
file:</p>
<p> <font face="Century Gothic, Arial, Helvetica"> </font>
<p> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -569,51 +569,51 @@ file:</p>
<td>-</td>
<td><i>&lt;external address&gt;</i></td>
</tr>
</tbody>
</tbody>
</table>
</p>
<h2 align="center"><a name="ClientsBehind"></a>3. PPTP Clients Running Behind
<h2 align="center"><a name="ClientsBehind"></a>3. PPTP Clients Running Behind
your Firewall</h2>
<p>You shouldn't have to take any special action for this case unless you
wish to connect multiple clients to the same external server. In that case,
<p>You shouldn't have to take any special action for this case unless you
wish to connect multiple clients to the same external server. In that case,
you will need to follow the instructions at <a
href="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</a>.
I recommend that you also add these two lines to your /etc/shorewall/modules
file: </p>
<blockquote>
<blockquote>
<p>loadmodule ip_conntrack_pptp<br>
loadmodule ip_nat_pptp </p>
</blockquote>
<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your Firewall.</h2>
<p align="left">The PPTP GNU/Linux client is available at <a
href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.   
Rather than use the configuration script that comes with the client, I built
Rather than use the configuration script that comes with the client, I built
my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
rather than using the mppe package that is available with the client. My
/etc/ppp/options file is mostly unchanged from what came with the client
(see below).</p>
<p>The key elements of this setup are as follows: </p>
<ol>
<li>Define a zone for the remote network accessed via PPTP.</li>
<li>Associate that zone with a ppp interface.</li>
<li>Define rules for PPTP traffic to/from the firewall.</li>
<li>Define rules for traffic two and from the remote zone.</li>
</ol>
<p>Here are examples from my setup:</p>
<h4>/etc/shorewall/zones</h4>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -626,14 +626,14 @@ my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
<td>Compaq</td>
<td>Compaq Intranet</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/interfaces</h4>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -648,14 +648,14 @@ my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
<td> </td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/hosts</h4>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -668,15 +668,15 @@ my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
<td>ppp+:!192.168.1.0/24</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<h4>/etc/shorewall/rules (For Shorewall versions up to and including 1.3.9b)</h4>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -709,11 +709,11 @@ my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
<td> </td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p><b>/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later)<br>
</b></p>
<blockquote>
@ -749,12 +749,12 @@ because I also run a PPTP server on my firewall (see above). Using this techniq
allows me to distinguish clients of my own PPTP server from arbitrary hosts
at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients and Compaq
doesn't use that RFC1918 Class C subnet. </p>
<p>I use this script in /etc/init.d to control the client. The reason that
<p>I use this script in /etc/init.d to control the client. The reason that
I disable ECN when connecting is that the Compaq tunnel servers don't do ECN
yet and reject the initial TCP connection request if I enable ECN :-( </p>
<blockquote>
<blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br>
#<br>
# /etc/rc.d/init.d/pptp<br>
@ -816,10 +816,10 @@ yet and reject the initial TCP connection request if I enable ECN :-( </p>
esac<br>
</font> </p>
</blockquote>
<p>Here's my /etc/ppp/options file: </p>
<blockquote>
<blockquote>
<p><font face="Courier" size="2">#<br>
# Identify this connection<br>
#<br>
@ -863,11 +863,11 @@ yet and reject the initial TCP connection request if I enable ECN :-( </p>
lcp-echo-failure 10<br>
lcp-echo-interval 10</font> </p>
</blockquote>
<p>My /etc/ppp/ip-up.local file sets up the routes that I need to route Compaq
traffic through the PPTP tunnel: </p>
<blockquote>
<blockquote>
<p><font face="Courier" size="2">#/bin/sh<br>
<br>
case $6 in<br>
@ -879,19 +879,19 @@ yet and reject the initial TCP connection request if I enable ECN :-( </p>
    ;;<br>
esac</font></p>
</blockquote>
<p>Finally, I run the following script every five minutes under crond to
<p>Finally, I run the following script every five minutes under crond to
restart the tunnel if it fails:</p>
<pre> #!/bin/sh<br> restart_pptp() {<br> /sbin/service pptp stop<br> sleep 10<br> if /sbin/service pptp start; then<br> /usr/bin/logger "PPTP Restarted"<br> fi<br> }<br><br> if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then<br> exit 0<br> fi<br><br> echo "Attempting to restart PPTP"<br><br> restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;<br></pre>
<p><a href="ftp://ftp.shorewall.net/pub/shorewall/misc/Vonau">Here's a script
and corresponding ip-up.local </a>from <a
href="mailto:jvonau@home.com">Jerry Vonau </a>that controls two PPTP connections.</p>
<p><font size="2">Last modified 10/23/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"> <font size="2">Copyright</font>
<p><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>
<br>

130
Shorewall-docs/ProxyARP.htm
View File

@ -1,54 +1,54 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Proxy ARP</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Proxy ARP</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p>Proxy ARP allows you to insert a firewall in front of a set of servers
without changing their IP addresses and without having to re-subnet.
Before you try to use this technique, I strongly recommend that you read
<p>Proxy ARP allows you to insert a firewall in front of a set of servers
without changing their IP addresses and without having to re-subnet.
Before you try to use this technique, I strongly recommend that you read
the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<p>The following figure represents a Proxy ARP environment.</p>
<blockquote>
<blockquote>
<p align="center"><strong> <img src="images/proxyarp.png"
width="519" height="397">
</strong></p>
<blockquote> </blockquote>
</blockquote>
<p align="left">Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
subnet.  Assuming that the upper firewall interface is eth0 and the
lower interface is eth1, this is accomplished using the following entries
<p align="left">Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
subnet.  Assuming that the upper firewall interface is eth0 and the
lower interface is eth1, this is accomplished using the following entries
in /etc/shorewall/proxyarp:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -69,45 +69,45 @@ the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<td>eth0</td>
<td>no</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19 
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19 
in the above example) are not included in any specification in /etc/shorewall/masq
or /etc/shorewall/nat.</p>
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is
irrelevant. </p>
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
subnet mask and default gateway configured exactly the same way that
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
subnet mask and default gateway configured exactly the same way that
the Firewall system's eth0 is configured. In other words, they should
be configured just like they would be if they were parallel to the firewall
rather than behind it.<br>
</p>
<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed address(es)
(130.252.100.18 and 130.252.100.19 in the above example)  to the external
interface (eth0 in this example) of the firewall.</b></font><br>
</p>
<div align="left"> </div>
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it will
probably be HOURS before that system can communicate with the internet.
probably be HOURS before that system can communicate with the internet.
There are a couple of things that you can try:<br>
</p>
<ol>
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated,
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated,
Vol 1</i> reveals that a <br>
<br>
"gratuitous" ARP packet should cause the ISP's router to refresh their
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the
"gratuitous" ARP packet should cause the ISP's router to refresh their
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the
MAC address for its own IP; in addition to ensuring that the IP address isn't
a duplicate...<br>
<br>
@ -124,8 +124,8 @@ iputils package include "arping", whose "-U" flag does just that:<br>
proxied IP&gt;</i></b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
<br>
Stevens goes on to mention that not all systems respond correctly to gratuitous
ARPs, but googling for "arping -U" seems to support the idea that it works
Stevens goes on to mention that not all systems respond correctly to gratuitous
ARPs, but googling for "arping -U" seems to support the idea that it works
most of the time.<br>
<br>
To use arping with Proxy ARP in the above example, you would have to:<br>
@ -141,44 +141,44 @@ dev eth0<br>
    shorewall start</font></b><br>
<br>
</li>
<li>You can call your ISP and ask them to purge the stale ARP cache
<li>You can call your ISP and ask them to purge the stale ARP cache
entry but many either can't or won't purge individual entries.</li>
</ol>
You can determine if your ISP's gateway ARP cache is stale using ping
and tcpdump. Suppose that we suspect that the gateway router has a stale
You can determine if your ISP's gateway ARP cache is stale using ping
and tcpdump. Suppose that we suspect that the gateway router has a stale
ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:</div>
<div align="left">
<div align="left">
<pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
</div>
<div align="left">
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we
<div align="left">
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we
will assume is 130.252.100.254):</p>
</div>
<div align="left">
<div align="left">
<pre> <b><font color="#009900">ping 130.252.100.254</font></b></pre>
</div>
<div align="left">
<div align="left">
<p align="left">We can now observe the tcpdump output:</p>
</div>
<div align="left">
<div align="left">
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)<br> 13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
</div>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
<div align="left">
<p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
was the MAC address of the system on the lower left. In other words, the
gateway's ARP cache still associates 130.252.100.19 with the NIC in that
system rather than with the firewall's eth0.</p>
</div>
<p><font size="2">Last updated 3/21/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font

24
Shorewall-docs/SeattleInTheSpring.html
View File

@ -1,30 +1,30 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Springtime in Seattle!!!</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Visit Seattle in the Springtime!!!!</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<h3><font color="#ff6633"></font></h3>
<img src="images/P1000048.jpg" alt="" width="640" height="480">
<br>
@ -36,14 +36,14 @@
<br>
<br>
<img src="images/P1000049.jpg" alt="" width="480" height="640">
<p><b>The view from my office window -- think I'll go out and enjoy the deck
(Yes -- that is snow on the deck...)</b>.<br>
</p>
<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>

46
Shorewall-docs/Shorewall_CA_html.html
View File

@ -2,27 +2,27 @@
<html>
<head>
<title>Shorewall Certificate Authority</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Certificate Authority
(CA) Certificate</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
Given that I develop and support Shorewall without asking for any renumeration,
@ -30,7 +30,7 @@
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
I am who I am. I have therefore established my own Certificate Authority
(CA) and sign my own X.509 certificates. I use these certificates on my list
server (<a href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
server (<a href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
which hosts parts of this web site.<br>
<br>
X.509 certificates are the basis for the Secure Socket Layer (SSL). As
@ -48,42 +48,42 @@ of bits (an X.509 certificate) for $200US+ per year!!!I <br>
I wish that I had decided to become a CA rather that designing and writing
Shorewall.<br>
<br>
What does this mean to you? It means that the X.509 certificate that my
server will present to your browser will not have been signed by one of the
authorities known to your browser. If you try to connect to my server using
SSL, your browser will frown and give you a dialog box asking if you want
What does this mean to you? It means that the X.509 certificate that my
server will present to your browser will not have been signed by one of the
authorities known to your browser. If you try to connect to my server using
SSL, your browser will frown and give you a dialog box asking if you want
to accept the sleezy X.509 certificate being presented by my server. <br>
<br>
There are two things that you can do:<br>
<ol>
<li>You can accept the mail.shorewall.net certificate when your browser
asks -- your acceptence of the certificate can be temporary (for that access
only) or perminent.</li>
<li>You can download and install <a href="ca.crt">my (self-signed) CA
certificate.</a> This will make my Certificate Authority known to your browser
<li>You can download and install <a href="ca.crt">my (self-signed) CA
certificate.</a> This will make my Certificate Authority known to your browser
so that it will accept any certificate signed by me. <br>
</li>
</ol>
What are the risks?<br>
<ol>
<li>If you install my CA certificate then you assume that I am trustworthy
and that Shorewall running on your firewall won't redirect HTTPS requests
intented to go to your bank's server to one of my systems that will present
intented to go to your bank's server to one of my systems that will present
your browser with a bogus certificate claiming that my server is that of your
bank.</li>
<li>If you only accept my server's certificate when prompted then the
<li>If you only accept my server's certificate when prompted then the
most that you have to loose is that when you connect to https://mail.shorewall.net,
the server you are connecting to might not be mine.</li>
</ol>
I have my CA certificate loaded into all of my browsers but I certainly
I have my CA certificate loaded into all of my browsers but I certainly
won't be offended if you decline to load it into yours... :-)<br>
<p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003 Thomas
M. Eastep.</font></a></font></p>

26
Shorewall-docs/Shorewall_CVS_Access.html
View File

@ -2,27 +2,27 @@
<html>
<head>
<title>Shorewall CVS Access</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall CVS Access</font>
</h1>
<br>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
Lots of people try to download the entire Shorewall website for off-line
@ -33,18 +33,18 @@ the pages in Shorewall CVS access are cgi-generated which places a tremendous
password controlled. When you are asked to log in, enter "Shorewall" (NOTE
THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
<br>
<div align="center">
<div align="center">
<h3><a href="http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi"
target="_top">CVS Login</a> &nbsp;<br>
</h3>
</div>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 1/14/2002
- <a href="support.htm">Tom Eastep</a> </font>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 1/14/2002
- <a href="support.htm">Tom Eastep</a> </font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>

242
Shorewall-docs/Shorewall_Squid_Usage.html
View File

@ -2,14 +2,14 @@
<html>
<head>
<title>Shorewall Squid Usage</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#400169">
<tbody>
@ -28,8 +28,8 @@
</a><br>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
This page covers Shorewall configuration to use with <a
@ -47,14 +47,14 @@ run as a transparent proxy as described at <a
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files
/etc/shorewall/start and /etc/shorewall/init -- if you don't have those
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files
/etc/shorewall/start and /etc/shorewall/init -- if you don't have those
files, siimply create them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or
in the local zone, that zone must be defined ONLY by its interface -- no
/etc/shorewall/hosts file entries. That is because the packets being routed
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or
in the local zone, that zone must be defined ONLY by its interface -- no
/etc/shorewall/hosts file entries. That is because the packets being routed
to the Squid server still have their original destination IP addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
@ -70,32 +70,32 @@ to the Squid server still have their original destination IP addresses.<br>
color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br>
Three different configurations are covered:<br>
<ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on
the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the
DMZ</a></li>
</ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests
You want to redirect all local www connection requests
EXCEPT those to your
own http server (206.124.146.177)
to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid
own http server (206.124.146.177)
to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid
will of course require access to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
<blockquote>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
@ -107,7 +107,7 @@ EXCEPT those to your
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
@ -130,59 +130,59 @@ EXCEPT those to your
<td> <br>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
</blockquote>
<h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a Squid
transparent proxy
You want to redirect all local www connection requests to a Squid
transparent proxy
running in your local zone at 192.168.1.3 and listening on port 3128.
Your local interface is eth1. There may also be a web server running on
192.168.1.3. It is assumed that web access is already enabled from the local
zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping
and route redirection. For that reason, <b>I don't recommend it</b>.<br>
</p>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/rules:<br>
<br>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
@ -194,7 +194,7 @@ EXCEPT those to your
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT<br>
@ -209,21 +209,21 @@ EXCEPT those to your
<td><br>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
</li>
<li>Alternativfely, you can have the following policy:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
@ -250,85 +250,85 @@ EXCEPT those to your
<td valign="top"><br>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
</li>
<li>In /etc/shorewall/start add:<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
</blockquote>
<ul>
<li>On 192.168.1.3, arrange for the following command to be executed
<li>On 192.168.1.3, arrange for the following command to be executed
after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
</blockquote>
<blockquote>
<blockquote>
<blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote>
<blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface
You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface
is eth1 and your local interface is eth2.<br>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
</blockquote>
<ul>
<li>&nbsp;Do<b> one </b>of the following:<br>
<br>
A) In /etc/shorewall/start add<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
@ -359,15 +359,15 @@ EXCEPT those to your
<td valign="top">-<br>
</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
@ -398,19 +398,19 @@ EXCEPT those to your
<td valign="top">-<br>
</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<br>
</blockquote>
<ul>
<li>In /etc/shorewall/rules, you will need:</li>
</ul>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
@ -448,38 +448,38 @@ EXCEPT those to your
<td valign="top"><br>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
</blockquote>
<ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following
command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
</blockquote>
<blockquote>
<blockquote>
<blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote>
<blockquote> </blockquote>
<p><font size="-1"> Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<a
href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2003 Thomas M. Eastep.</font></a><br>

918
Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
View File

File diff suppressed because it is too large Load Diff

118
Shorewall-docs/Shorewall_index_frame.htm
View File

@ -1,47 +1,47 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base
target="main">
target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90">
<tbody>
<tr>
<td width="100%" height="90">
<td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%"
bgcolor="#ffffff">
bgcolor="#ffffff">
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
@ -70,17 +70,17 @@
<li> <a href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting
<li> <a href="support.htm">Getting
help or Answers to Questions</a><br>
</li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
@ -95,23 +95,23 @@ help or Answers to Questions</a><br>
<li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br>
</li>
</ul>
</li>
</ul>
<ul>
<li> <a href="News.htm">News
Archive</a></li>
@ -123,24 +123,24 @@ Archive</a></li>
the Author</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</tbody>
</table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
<strong></strong>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font
@ -151,13 +151,13 @@ Archive</a></li>
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><a
href="http://www.shorewall.net" target="_top"> </a></p>
</body>
</html>

136
Shorewall-docs/Shorewall_sfindex_frame.htm
View File

@ -1,47 +1,47 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90">
<tbody>
<tr>
<td width="100%" height="90">
<td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%"
bgcolor="#ffffff">
bgcolor="#ffffff">
<ul>
<li> <a
href="sourceforge_index.htm">Home</a></li>
@ -70,16 +70,16 @@
<li> <a href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting
<li> <a href="support.htm">Getting
Help or Answers to Questions</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
@ -94,59 +94,59 @@ Help or Answers to Questions</a></li>
<li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br>
</li>
</ul>
</li>
</ul>
<ul>
<li> <a href="News.htm">News
<li> <a href="News.htm">News
Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes
<li> <a href="quotes.htm">Quotes
from Users</a></li>
<li> <a href="shoreline.htm">About
<li> <a href="shoreline.htm">About
the Author</a></li>
<li> <a
href="sourceforge_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</tbody>
</table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
<strong></strong>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1">
<font face="Arial" size="-1">
<input type="text" name="words" size="15"></font><font size="-1"> </font>
<font face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
@ -155,11 +155,11 @@ Archive</a></li>
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>

34
Shorewall-docs/VPN.htm
View File

@ -1,57 +1,57 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>VPN</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">VPN</font></h1>
</td>
</tr>
</tbody>
</table>
<p>It is often the case that a system behind the firewall needs to be able
to access a remote network through Virtual Private Networking (VPN). The
two most common means for doing this are IPSEC and PPTP. The basic setup
is shown in the following diagram:</p>
<p align="center"><img border="0" src="images/VPN.png" width="568"
height="796">
</p>
<p align="left">A system with an RFC 1918 address needs to access a remote
network through a remote gateway. For this example, we will assume that
the local system has IP address 192.168.1.12 and that the remote gateway
has IP address 192.0.2.224.</p>
<p align="left">If PPTP is being used, there are no firewall requirements
beyond the default loc-&gt;net ACCEPT policy. There is one restriction however:
Only one local system at a time can be connected to a single remote gateway
unless you patch your kernel from the 'Patch-o-matic' patches available
at <a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
<p align="left">If IPSEC is being used then only one system may connect to
the remote gateway and there are firewall configuration requirements as
follows:</p>
<blockquote>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
bordercolor="#111111" id="AutoNumber2" height="98">
<tbody>
@ -84,17 +84,17 @@ follows:</p>
<td height="19"> </td>
<td height="19"> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>If you want to be able to give access to all of your local systems to
the remote network, you should consider running a VPN client on your firewall.
As starting points, see <a
href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a>
or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>

54
Shorewall-docs/blacklisting_support.htm
View File

@ -1,42 +1,42 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Blacklisting Support</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Blacklisting Support</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p>Shorewall supports two different forms of blacklisting; static and dynamic.</p>
<h2>Static Blacklisting</h2>
<p>Shorewall static blacklisting support has the following configuration
parameters:</p>
<ul>
<li>You specify whether you want packets from blacklisted hosts dropped
or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts logged
and at what syslog level using the <a
@ -50,17 +50,17 @@ parameters:</p>
<li>You specify the interfaces whose incoming packets you want checked
against the blacklist using the "<a
href="Documentation.htm#Interfaces">blacklist</a>" option in /etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the
<li>The black list is refreshed from /etc/shorewall/blacklist by the
"<a href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
</ul>
<h2>Dynamic Blacklisting</h2>
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
doesn't use any configuration parameters but is rather controlled using
/sbin/shorewall commands:</p>
<ul>
<li>drop <i>&lt;ip address list&gt; </i>- causes packets from the listed
IP addresses to be silently dropped by the firewall.</li>
@ -71,25 +71,25 @@ listed IP addresses to be rejected by the firewall.</li>
<li>save - save the dynamic blacklisting configuration so that it will
be automatically restored the next time that the firewall is restarted.</li>
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
</ul>
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option in
/etc/shorewall/interfaces.<br>
<p>Example 1:</p>
<pre> <b><font color="#009900">shorewall drop 192.0.2.124 192.0.2.125</font></b></pre>
<p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
<p>Example 2:</p>
<pre> <b><font color="#009900">shorewall allow 192.0.2.125</font></b></pre>
<p>    Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>

270
Shorewall-docs/configuration_file_basics.htm
View File

@ -1,50 +1,50 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Configuration File Basics</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
<h2><a name="Files"></a>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set
<li>/etc/shorewall/shorewall.conf - used to set
several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to set
shell variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's
<li>/etc/shorewall/zones - partition the firewall's
view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall
high-level policy.</li>
@ -56,75 +56,75 @@ several firewall parameters.</li>
where to use many-to-one (dynamic) Network Address Translation
(a.k.a. Masquerading) and Source Network Address Translation
(SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall
<li>/etc/shorewall/modules - directs the firewall
to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are
<li>/etc/shorewall/rules - defines rules that are
exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy
ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4
and later) - defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of
<li>/etc/shorewall/tcrules - defines marking of
packets for later use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting
the TOS field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE
<li>/etc/shorewall/tunnels - defines IPSEC, GRE
and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted
IP/subnet/MAC addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at the
<li>/etc/shorewall/init - commands that you wish to execute at the
beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the
completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at the
<li>/etc/shorewall/stop - commands that you wish to execute at the
beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute at
the completion of a "shorewall stop".</li>
<li>/etc/shorewall/ecn - disable Explicit Congestion Notification (ECN
- RFC 3168) to remote hosts or networks.<br>
</li>
</ul>
<h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments
at the end of any line, again by delimiting the comment from
the rest of the line with a pound sign.</p>
<p>Examples:</p>
<pre># This is a comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2><a name="Continuation"></a>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash
<p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p>
<p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS
names and you are called out of bed at 2:00AM because Shorewall won't
start as a result of DNS problems then don't say that you were not forewarned.
<br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS
Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as
@ -133,17 +133,17 @@ utility resolves the name to one or more IP addresses and inserts
those addresses into the rule. So changes in the DNS-&gt;IP address
relationship that occur after the firewall has started have absolutely
no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall
<li>If your /etc/resolv.conf is wrong then your firewall
won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall
<li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall
<li>If your Name Server(s) is(are) down then your firewall
won't start.</li>
<li>If your startup scripts try to start your firewall
<li>If your startup scripts try to start your firewall
before starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router
@ -151,131 +151,131 @@ before starting your DNS server then your firewall won't start.<br>
<li>You must bring up your network interfaces prior to
starting your firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is
imposed by Shorewall to insure backward compatibility with existing
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is
imposed by Shorewall to insure backward compatibility with existing
configuration files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li>
</ul>
Examples of invalid DNS names:<br>
<ul>
<li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
</ul>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules
file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li>
</ul>
These restrictions are not imposed by Shorewall simply
for your inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must be
no white space following the "!".</p>
<h2><a name="Lists"></a>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routefilter,dhcp,norfc1918<br>
Invalid: routefilter,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or
<li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or
there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear
in any order.</li>
</ul>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use
<p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to
local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
If you omit the low port number, a value of zero is assumed; if you omit
the high port number, a value of 65535 is assumed.<br>
<h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables
<p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally
size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p>
<p>Example:</p>
<blockquote>
<blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
</blockquote>
<p><br>
Example (/etc/shorewall/interfaces record):</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
</font>
<p>The result will be the same as if the record had been written</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration
</font>
<p>Variables may be used anywhere in the other configuration
files.</p>
<h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature,
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as
@ -283,12 +283,12 @@ local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255
     inet addr:206.124.146.176 Bcast:206.124.146.255
Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0
     RX packets:2398102 errors:0 dropped:0 overruns:0
frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0
     TX packets:3044698 errors:0 dropped:0 overruns:0
carrier:0<br>
     collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
@ -301,44 +301,44 @@ in another way. In Shorewall, MAC addresses begin with a tilde
("~") and consist of 6 hex numbers separated by hyphens. In Shorewall,
the MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p>
<h2><a name="Levels"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start
and restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start
and restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate
directory need not contain a complete configuration; those files not in
the alternate directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
<ol>
<li> copying the files that need modification
from /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory;
<li> modify those files in the separate directory;
and</li>
<li> specifying the separate directory in a shorewall
start or shorewall restart command (e.g., <i><b>shorewall -c
/etc/testconfig restart</b></i> ).</li>
</ol>
<p><font size="2"> Updated 2/24/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>

20
Shorewall-docs/copyright.htm
View File

@ -1,37 +1,37 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Copyright</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Copyright</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="left">Copyright <font face="Trebuchet MS">©</font>  2000, 2001,
2003 Thomas M Eastep<br>
 </p>
<blockquote>
<blockquote>
<p align="left">Permission is granted to copy, distribute and/or modify
this document under the terms of the GNU Free Documentation License, Version
1.1 or any later version published by the Free Software Foundation; with

52
Shorewall-docs/dhcp.htm
View File

@ -1,80 +1,80 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>DHCP</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">DHCP</font></h1>
</td>
</tr>
</tbody>
</table>
<h2 align="left">If you want to Run a DHCP Server on your firewall</h2>
<ul>
<li>
<p align="left">Specify the "dhcp" option on each interface to be
served by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
<li>
<p align="left">Specify the "dhcp" option on each interface to be
served by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. This will generate rules that will allow DHCP to and from your
firewall system. </p>
</li>
<li>
<li>
<p align="left">When starting "dhcpd", you need to list those interfaces
on the run line. On a RedHat system, this is done by modifying /etc/sysconfig/dhcpd.
on the run line. On a RedHat system, this is done by modifying /etc/sysconfig/dhcpd.
</p>
</li>
</ul>
<h2 align="left">If a Firewall Interface gets its IP Address via DHCP</h2>
<ul>
<li>
<li>
<p align="left">Specify the "dhcp" option for this interface in the
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. This will generate rules that will allow DHCP to and from your firewall
system. </p>
</li>
<li>
<li>
<p align="left">If you know that the dynamic address is always going
to be in the same subnet, you can specify the subnet address in the interface's
entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
to be in the same subnet, you can specify the subnet address in the interface's
entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. </p>
</li>
<li>
<li>
<p align="left">If you don't know the subnet address in advance, you
should specify "detect" for the interface's subnet address in the <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
and start Shorewall after the interface has started. </p>
</li>
<li>
<p align="left">In the event that the subnet address might change while
<li>
<p align="left">In the event that the subnet address might change while
Shorewall is started, you need to arrange for a "shorewall refresh"
command to be executed when a new dynamic IP address gets assigned to
the interface. Check your DHCP client's documentation. </p>
</li>
</ul>
<p align="left"><font size="2">Last updated 11/03/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>

210
Shorewall-docs/download.htm
View File

@ -1,60 +1,60 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>
</b></p>
<p>The entire set of Shorewall documentation is available in PDF format
<p>The entire set of Shorewall documentation is available in PDF format
at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the
.tgz packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that
store init scripts in /etc/init.d and that include chkconfig
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that
store init scripts in /etc/init.d and that include chkconfig
or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation
@ -62,57 +62,57 @@ at:</p>
<li>If you are running LRP, download the .lrp file (you
might also want to download the .tgz so you will have a copy
of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i>
<li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li>
</ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.  The
.rpm will install the documentation in your default document directory which
can be obtained using the following command:<br>
</p>
<blockquote>
<blockquote>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
</blockquote>
<p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may
point to a newer or an older version than is shown below.</p>
<ul>
<li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory
name will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li>
</ul>
<p>Once you have verified the version, check the <font
color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
if there are updates that apply to the version that you have
if there are updates that apply to the version that you have
downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed
configuration of your firewall, you can enable startup by removing the
file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.4.0</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the Washington
<p><b>Download Latest Version</b> (<b>1.4.0</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the Washington
State site.</b></p>
<blockquote>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;">
<tbody>
@ -139,16 +139,16 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.samples">Download
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
@ -156,16 +156,16 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.samples">Download
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.samples">Download
.samples</a><a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums"><br>
</a></td>
@ -177,29 +177,29 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.samples">Download
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums"><br>
</a></td>
<td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a><br>
<a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.samples"> Download
@ -214,16 +214,16 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums<br>
</a><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
href="http://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
@ -231,16 +231,16 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums"><br>
</a></td>
@ -252,16 +252,16 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
Download .samples</a><a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
@ -269,16 +269,16 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples">
Download .samples</a><a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums"><br>
</a></td>
@ -289,15 +289,15 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
<td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.tgz">Download
href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://france.shorewall.net/pub/LATEST.lrp">Download
href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums<br>
</a><a href="http://france.shorewall.net/pub/LATEST.samples">Download
</a><a href="http://france.shorewall.net/pub/LATEST.samples">Download
.samples</a><a
href="http://france.shorewall.net/pub/LATEST.md5sums"><br>
</a></td>
@ -305,7 +305,7 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
@ -327,16 +327,16 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples">Download
href="http://www.shorewall.net/pub/shorewall/LATEST.samples">Download
.samples</a><br>
</td>
<td valign="top"><a
@ -349,22 +349,22 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br>
<a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums<br>
</a><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.samples"
target="_blank">Download .samples</a><br>
</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p><b>Browse Download Sites:</b></p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -429,26 +429,26 @@ the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
<td><a
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p align="left"><b>CVS:</b></p>
<blockquote>
<blockquote>
<p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
at cvs.shorewall.net</a> contains the latest snapshots of the each
Shorewall component. There's no guarantee that what you find there
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
at cvs.shorewall.net</a> contains the latest snapshots of the each
Shorewall component. There's no guarantee that what you find there
will work at all.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 3/6/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>

246
Shorewall-docs/errata.htm
View File

@ -1,80 +1,80 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
<li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you may
rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
@ -91,22 +91,22 @@ the archive, replace the 'firewall' script in the untarred directory
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
<li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables
<li><b><a href="#Multiport">Problems with iptables
version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
and NAT</a></b><br>
</li>
</ul>
<hr>
<hr>
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
<h3></h3>
<h3>1.4.0</h3>
<ul>
<li>When running under certain shells Shorewall will attempt to create
@ -116,145 +116,145 @@ ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<hr width="100%" size="2">
<hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3>
<blockquote>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works
fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by
installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to
rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with
<h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running
Shorewall 1.3.6 you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
</ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will result
/etc/shorewall/nat entries of the following form will result
in Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/21/2003 -
<p><font size="2"> Last updated 3/21/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>

144
Shorewall-docs/errata_1.htm
View File

@ -17,191 +17,191 @@
</td>
</tr>
</table>
<h3 align="Left"><font color="#660066"><u>To those of you who downloaded the 1.1.13 updated firewall script prior
<h3 align="Left"><font color="#660066"><u>To those of you who downloaded the 1.1.13 updated firewall script prior
to Sept 20, 2001:</u></font></h3>
<blockquote>
<p align="Left">Prior
to 20:00 20 Sept 2001 GMT, the link under 1.1.13 pointed to a broken version
<blockquote>
<p align="Left">Prior
to 20:00 20 Sept 2001 GMT, the link under 1.1.13 pointed to a broken version
of the firewall script. This has now been corrected. I apologize for any confusion
this may have caused.</p>
</blockquote>
<h3 align="Left">Version 1.1.18</h3>
<blockquote>
<p align="Left">In the original .lrp, /etc/init.d/shorewall was not
secured for execute access. I have replaced the incorrect .lrp
(shorwall-1.1.18.lrp) with a corrected one (shorwall-1.1.18a.lrp).</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.17</font></h3>
<blockquote>
<blockquote>
<p align="Left">In
shorewall.conf, ADD_IP_ALIASES was incorrectly spelled
IP_ADD_ALIASAES. There is a corrected version of the file <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.17/shorewall.conf">here.</a></p>
<p align="Left">This
problem is also corrected in version 1.1.18.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.16</font></h3>
<blockquote>
<blockquote>
<p align="Left">
The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly spelled IP_ADD_ALIASES
The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly spelled IP_ADD_ALIASES
in the firewall script. To correct this problem, install the <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.16/firewall">
corrected firewall script</a>
in the location pointed to by the symbolic link /etc/shorewall/firewall.</p>
<p align="Left">
This problem is also corrected in version 1.1.17.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.14-1.1.15</font></h3>
<blockquote>
<blockquote>
<p align="Left">
There are no corrections for these versions.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.13</font></h3>
<blockquote>
<blockquote>
<p align="Left">
The firewall fails to start if a rule with the following format is given:</p>
<p align="Left">
&lt;disposition&gt;    z1:www.xxx.yyy.zzz    z2    proto    p1,p2,p3</p>
<p align="Left">
To correct this problem, install <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.13/firewall">
this corrected firewall script</a>
in the location pointed to by the symbolic link /etc/shorewall/firewall. </p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.12</font></h3>
<blockquote>
<blockquote>
<p align="Left">
The LRP version of Shorewall 1.1.12 has the incorrect /etc/shorewall/functions
The LRP version of Shorewall 1.1.12 has the incorrect /etc/shorewall/functions
file. This incorrect file results in many error messages of the form:</p>
<blockquote>
<blockquote>
<p align="Left">
separate_list: not found</p>
</blockquote>
<p align="Left"><a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.12/functions">
The correct file may be obtained here</a>
. This problem is also corrected in version 1.1.13.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.11</font></h3>
<blockquote>
<blockquote>
<p align="Left">
There are no known problems with this version.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.10</font></h3>
<blockquote>
<blockquote>
<p align="Left">
If the following conditions were met:<br>
</p>
<ol>
<li>
<li>
<p align="Left">
A LAN segment attached to the firewall was served by a DHCP server
A LAN segment attached to the firewall was served by a DHCP server
running on the firewall.</p>
</li>
<li>
<li>
<p align="Left">
There were entries in /etc/shorewall/hosts that referred to the
interface to that LAN segment.</p>
</li>
</ol>
<p align="Left">
then up until now it has been necessary to include entries for 0.0.0.0
then up until now it has been necessary to include entries for 0.0.0.0
and 255.255.255.255 for that interface in /etc/shorewall/hosts. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.10/firewall">
This version of the firewall script</a>
makes those additions unnecessary provided that you simply include
"dhcp" in the options for the interface in /etc/shorewall/interfaces.
Install the script into the location pointed to by the symbolic link
/etc/shorewall/firewall.</p>
<p align="Left">
This problem has also been corrected in version 1.1.11.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.9</font></h3>
<ul>
<li>The shorewall "hits" command lists extraneous service names in the final
<li>The shorewall "hits" command lists extraneous service names in the final
report. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.9/shorewall">
This version of the shorewall script</a>
corrects this problem.<br>
</li>
</ul>
<h3 align="Left">Version 1.1.8</h3>
<ul>
<li>Under some circumstances, the "dhcp" option on an interface triggers
a bug in the firewall script that results in a "chain already exists"
<li>Under some circumstances, the "dhcp" option on an interface triggers
a bug in the firewall script that results in a "chain already exists"
error. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.8/firewall">
This version of the firewall script</a>
corrects this problem. Install it into the location pointed to by
the symbolic link /etc/shorewall/firewall.<br>
<br>
This problem is also corrected in version 1.1.9.<br>
</li>
</ul>
<h3 align="Left">Version 1.1.7</h3>
<ul>
<li>If the /etc/shorewall/rules template from version 1.1.7 is used, a warning
<li>If the /etc/shorewall/rules template from version 1.1.7 is used, a warning
message appears during firewall startup:<br>
<br>
    Warning: Invalid Target - rule "@ icmp-unreachable packet."
    Warning: Invalid Target - rule "@ icmp-unreachable packet."
ignored<br>
<br>
This warning may be eliminated by replacing the "@" in column 1 of
line 17 with "#"</li>
</ul>
<blockquote>
<blockquote>
<p align="Left">
This problem is also corrected in version 1.1.8</p>
</blockquote>
<p align="left"><font size="2">
Last updated 12/21/2001 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>

296
Shorewall-docs/errata_2.htm
View File

@ -1,15 +1,15 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall 1.2 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" height="90" bgcolor="#400169">
@ -19,130 +19,130 @@
</td>
</tr>
</table>
<p align="center">
<font face="Century Gothic, Arial, Helvetica">
<b><u>IMPORTANT</u></b></font></p>
<p align="center">
<b><u>If you use a Windows system to download a corrected script, be sure to
run the script through <a href="http://www.megaloman.com/%7Ehany/software/hd2u/">
dos2unix</a>
after you have moved it to your Linux system.</u></b></p>
<p align="center">
<u><b>When the instructions say to install a corrected firewall script in
/etc/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the
existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
before you do that. /etc/shorewall/firewall is a symbolic link that points
to the 'shorewall' file used by your system initialization scripts to
start Shorewall during boot and it is that file that must be overwritten
<u><b>When the instructions say to install a corrected firewall script in
/etc/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the
existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
before you do that. /etc/shorewall/firewall is a symbolic link that points
to the 'shorewall' file used by your system initialization scripts to
start Shorewall during boot and it is that file that must be overwritten
with the corrected script. </b></u></p>
<ul>
<li>
<h3 align="Left"><font color="#660066">
<a href="errata_1.htm">
Problems in Version 1.1</a></font></h3>
</li>
<li>
<h3 align="Left"><a href="#V1.2">Problems in Version 1.2</a></h3>
</li>
<li>
<h3 align="Left"><font color="#660066"><a href="#iptables">
Problem with iptables version 1.2.3</a></font></h3>
</li>
<li>
<h3 align="Left"><a href="#Debug">Problems with kernel 2.4.18 and
<h3 align="Left"><a href="#Debug">Problems with kernel 2.4.18 and
RedHat iptables</a></h3>
</li>
</ul>
<hr>
<h3 align="Left"><a name="V1.2"></a>Problems in Version 1.2</h3>
<h3 align="Left">Version 1.2.13</h3>
<ul>
<li>
<p align="Left">Some users have reported problems installing the RPM
on SuSE 7.3 where rpm reports a conflict with kernel &lt;= 2.2 even
though a 2.4 kernel RPM is installed. To get around this problem, use
the --nodeps option to rpm (e.g., &quot;rpm -ivh --nodeps
<p align="Left">Some users have reported problems installing the RPM
on SuSE 7.3 where rpm reports a conflict with kernel &lt;= 2.2 even
though a 2.4 kernel RPM is installed. To get around this problem, use
the --nodeps option to rpm (e.g., &quot;rpm -ivh --nodeps
shorewall-1.2-13.noarch.rpm&quot;).<br>
<br>
The problem stems from the fact that SuSE does not
include a package named &quot;kernel&quot; but rather has a number of packages
that provide the virtual package &quot;kernel&quot;. Since virtual packages have
no version associated with them, a conflict results. Since the
The problem stems from the fact that SuSE does not
include a package named &quot;kernel&quot; but rather has a number of packages
that provide the virtual package &quot;kernel&quot;. Since virtual packages have
no version associated with them, a conflict results. Since the
workaround is simple, I don't intend to change the Shorewall package.</p>
</li>
<li>
<p align="Left">Shorewall accepts invalid rules of the form:<br>
<br>
<font face="Courier">ACCEPT &lt;src&gt; &lt;dest&gt;:&lt;ip addr&gt; all &lt;port number&gt; -
<font face="Courier">ACCEPT &lt;src&gt; &lt;dest&gt;:&lt;ip addr&gt; all &lt;port number&gt; -
&lt;original ip address&gt;<br>
<br>
</font>The &lt;port number&gt; is ignored with the result that <u>all</u>
connection requests from the &lt;src&gt; zone whose original destination IP
address matches the last column are forwarded to the &lt;dest&gt; zone, IP
</font>The &lt;port number&gt; is ignored with the result that <u>all</u>
connection requests from the &lt;src&gt; zone whose original destination IP
address matches the last column are forwarded to the &lt;dest&gt; zone, IP
address &lt;ip addr&gt;.&nbsp;
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.13/firewall">
This corrected firewall script</a> correctly generates an error when
This corrected firewall script</a> correctly generates an error when
such a rule is encountered.</p>
</li>
</ul>
<h3 align="Left">Version 1.2.11</h3>
<ul>
<li>
<p align="Left">The 'try' command is broken.</li>
<li>
<p align="Left">The usage text printed by the shorewall utility
<p align="Left">The usage text printed by the shorewall utility
doesn't show the optional timeout for the 'try' command.</li>
</ul>
<p align="Left">Both problems are corrected by
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.11/shorewall">
this new version of /sbin/shorewall</a>.</p>
<h3 align="Left">Sample Configurations:</h3>
<ul>
<li>
<p align="Left">There have been several problems with SSH, DNS and
ping in the two- and three-interface examples. Before reporting
problems with these services, please verify that you have the latest
<p align="Left">There have been several problems with SSH, DNS and
ping in the two- and three-interface examples. Before reporting
problems with these services, please verify that you have the latest
version of the appropriate sample 'rules' file.</li>
</ul>
<h3 align="Left">All Versions through 1.2.10</h3>
<ul>
<li>
<p align="Left">The <a href="PPTP.htm#ServerFW">documentation for
running PoPToP on the firewall system</a> contained an incorrect entry
in the /etc/shorewall/hosts file. The corrected entry (underlined) is
<p align="Left">The <a href="PPTP.htm#ServerFW">documentation for
running PoPToP on the firewall system</a> contained an incorrect entry
in the /etc/shorewall/hosts file. The corrected entry (underlined) is
shown here:</li>
</ul>
<blockquote>
@ -166,93 +166,93 @@ dos2unix</a>
</table>
</blockquote>
</blockquote>
<h3 align="Left">All Versions through 1.2.8</h3>
<ul>
<li>
<p align="Left">The shorewall.conf file and the documentation
incorrectly refer to a parameter in /etc/shorewall/shorewall.conf
called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (<a href="Documentation.htm#Conf">see
the corrected online documentation</a>). Users of the rpm should
change the name (and possibly the value) of this parameter so that
Shorewall interacts properly with the SysV init scripts. The
<p align="Left">The shorewall.conf file and the documentation
incorrectly refer to a parameter in /etc/shorewall/shorewall.conf
called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (<a href="Documentation.htm#Conf">see
the corrected online documentation</a>). Users of the rpm should
change the name (and possibly the value) of this parameter so that
Shorewall interacts properly with the SysV init scripts. The
documentation on this web site has been corrected and
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.8/shorewall.conf">
here's a corrected version of shorewall.conf</a>.</p>
</li>
<li>
<p align="Left">The documentation indicates that a comma-separated
list of IP/subnet addresses may appear in an entry in the hosts file.
This is not the case; if you want to specify multiple addresses for a
<p align="Left">The documentation indicates that a comma-separated
list of IP/subnet addresses may appear in an entry in the hosts file.
This is not the case; if you want to specify multiple addresses for a
zone, you need to have a separate entry for each address.</p>
</li>
</ul>
<h3 align="Left">Version 1.2.7</h3>
<p align="Left">Version 1.2.7 is quite broken -- please install 1.2.8</p>
<p>If you have installed and started version 1.2.7 then before trying
<p>If you have installed and started version 1.2.7 then before trying
to restart under 1.2.8:</p>
<ol>
<li>Look at your /etc/shorewall/shorewall.conf file and note the directory
named in the STATEDIR variable. If that variable is empty, assume
<li>Look at your /etc/shorewall/shorewall.conf file and note the directory
named in the STATEDIR variable. If that variable is empty, assume
/var/state/shorewall.</li>
<li>Remove the file 'lock' in the directory determined in step 1.</li>
</ol>
<p>You may now restart using 1.2.8.</p>
<h3 align="Left">Version 1.2.6</h3>
<ul>
<li>
<p align="Left">GRE and IPIP tunnels are broken.</li>
<li>
<p align="Left">The following rule results in a start error:<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
icmp</li>
</ul>
<p align="Left">To correct the above problems, install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.6/firewall">this
corrected firewall script</a> in&nbsp; /etc/shorewall/firewall..<h3 align="Left">Version 1.2.5</h3>
<ul>
<li>
<p align="Left">The new ADDRESS column in /etc/shorewall/masq cannot
<p align="Left">The new ADDRESS column in /etc/shorewall/masq cannot
contain a $-variable name.</li>
<li>
<p align="Left">Errors result if $FW appears in the
<p align="Left">Errors result if $FW appears in the
/etc/shorewall/policy file.</li>
<li>
<p align="Left">Using Blacklisting without setting BLACKLIST_LOGLEVEL
<p align="Left">Using Blacklisting without setting BLACKLIST_LOGLEVEL
results in an error at start time.</li>
</ul>
<p align="Left">To correct the above problems, install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/firewall">this
corrected firewall script</a> in /etc/shorewall/firewall.<p align="Left">&nbsp;<ul>
<li>
<p align="Left">The /sbin/shorewall script produces error messages
<p align="Left">The /sbin/shorewall script produces error messages
saying that 'mygrep' cannot be found.
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/shorewall">
Here is the correct version of /sbin/shorewall.</a></li>
</ul>
<h3 align="Left">Version 1.2.4</h3>
<ul>
<li><p align="Left">This version will not install &quot;out of the box&quot; without
modification. Before attempting to start the
@ -261,9 +261,9 @@ dos2unix</a>
you are upgrading from a previous version of Shorewall, version 1.2.4 will
work without modification.</li>
</ul>
<h3 align="Left">Version 1.2.3</h3>
<ul>
<li>
<p align="Left">When BLACKLIST_LOGLEVEL is set, packets from blacklisted
@ -271,44 +271,44 @@ dos2unix</a>
corrected firewall script</a> in /etc/shorewall/firewall.</li>
</ul>
<blockquote>
<p>Alternatively, edit /etc/shorewall/firewall and change line 1564 from:</p>
</blockquote>
<pre> run_iptables -A blacklst -d $addr -j LOG $LOGPARAMS --log-prefix \</pre>
<blockquote>
<p>to</p>
</blockquote>
<pre> run_iptables -A blacklst -s $addr -j LOG $LOGPARAMS --log-prefix \</pre>
<h3 align="Left">Version 1.2.2</h3>
<ul>
<li>The &quot;shorewall status&quot; command hangs after
it displays the chain information. <a href="pub/shorewall/errata/1.2.2/shorewall">Here's
a corrected /sbin/shorewall.</a> if&nbsp; you want to simply modify your copy of
/sbin/shorewall, then at line 445 change this:</li>
</ul>
<div align="left">
<pre align="Left"> status)
clear</pre>
</div>
<blockquote>
<p align="Left">to this:</p>
</blockquote>
<div align="left">
<pre align="Left"> status)
get_config
clear</pre>
</div>
<ul>
<li>The &quot;shorewall monitor&quot; command
@ -322,9 +322,9 @@ dos2unix</a>
updated firewall script</a>.&nbsp; Place the script in /etc/shorewall/firewall. Thanks to Shingo Takeda for
spotting this bug.</li>
</ul>
<h3 align="Left">Version 1.2.1</h3>
<ul>
<li>The new <i>logunclean </i>interface option is not
described in the help text in /etc/shorewall/interfaces. An <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.1/interfaces">updated
@ -334,68 +334,68 @@ dos2unix</a>
firewall script are broken in the case of a REJECT policy, however; in
REJECT policy chains, all requests are currently replied to with an
ICMP port-unreachable packet. <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.1/firewall">This
corrected firewall script</a> replies to TCP requests with TCP RST in
corrected firewall script</a> replies to TCP requests with TCP RST in
REJECT policy chains. Place the script in /etc/shorewall/firewall.</li>
</ul>
<h3 align="Left">Version 1.2.0</h3>
<blockquote>
<p align="Left"><b>Note: </b>If you are upgrading from one of the Beta
RPMs to 1.2.0, you must use the &quot;--oldpackage&quot; option to rpm
(e.g., rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm).</p>
<p align="Left">The tunnel script released in version 1.2.0 contained
errors -- a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.0/tunnel">corrected
script</a> is available.</p>
</blockquote>
<hr>
<h3 align="Left"><a name="iptables"></a><font color="#660066">
Problem with iptables version 1.2.3</font></h3>
<blockquote>
<p align="Left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="Left"> I have built a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have also built
an <a href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If
you are currently running RedHat 7.1, you can install either of these RPMs
iptables-1.2.4 rpm which you can download here</a>. If
you are currently running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="Left"><font face="Century Gothic, Arial, Helvetica" color="#FF6633"><b>Update
11/9/2001: </b></font>RedHat has
released an iptables-1.2.4 RPM of their own which you can download from<font face="Century Gothic, Arial, Helvetica" color="#FF6633">
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM
on my firewall and it works fine.</p>
<p align="Left">If you
would like to patch iptables 1.2.3 yourself, the patches are available
for download. This <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification while
this <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the&nbsp; TOS target.</p>
<p align="Left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernel 2.4.18
<h3><a name="Debug"></a>Problems with kernel 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may
experience the following:</p>
<blockquote>
<pre># shorewall start
@ -418,21 +418,21 @@ iptables: libiptc/libip4tc.c:380: do_check: Assertion
Aborted (core dumped)
</pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in the
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in the
Netfilter 'mangle' table. You can correct the problem by installing
<a href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
&quot;iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm&quot;).</p>
</blockquote>
<p><font face="Century Gothic, Arial, Helvetica"><font size="2">
Last updated 5/24/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>

584
Shorewall-docs/errata_3.html
View File

@ -1,65 +1,65 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<ol>
<li>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p>
</li>
<li>
<li>
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<li>
<p align="left"> <b>If you are running a Shorewall version earlier
than 1.3.11, when the instructions say to install a corrected
than 1.3.11, when the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
@ -71,17 +71,17 @@ boot. It is that file that must be overwritten with the corrected
script. Beginning with Shorewall 1.3.11, you may rename the existing file
before copying in the new file.</b></p>
</li>
<li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a
@ -91,37 +91,37 @@ before copying in the new file.</b></p>
<li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and
href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables
version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
and NAT</a></b><br>
</li>
</ul>
<hr>
<hr>
<h2 align="left"><small></small><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.14</h3>
<ul>
<li>There is an <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated
rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated
rfc1918</a> file that reflects the resent allocation of 222.0.0.0/8 and
223.0.0.0/8.</li>
</ul>
<ul>
<li>The documentation for the routestopped file claimed that a comma-separated
<li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a single
host or network address.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited.</li>
@ -131,15 +131,15 @@ support the 'maclist' interface option.</li>
<li>The firewall fails to start in the case where you have "eth0 eth1"
in /etc/shorewall/masq and the default route is through eth1.<br>
</li>
</ul>
These problems have been corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br>
<h3>Version 1.3.13</h3>
<ul>
<li>The 'shorewall add' command produces an error message referring
to 'find_interfaces_by_maclist'.</li>
@ -147,60 +147,60 @@ in /etc/shorewall/masq and the default route is through eth1.<br>
<li>The 'shorewall add' command can fail with "iptables: Index of insertion
too big".<br>
</li>
</ul>
All three problems are corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br>
<ul>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
eth0.1) are not supported in this version or in 1.3.12. If you need such
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
eth0.1) are not supported in this version or in 1.3.12. If you need such
support, post on the users list and I can provide you with a patched version.<br>
</li>
</ul>
<h3>Version 1.3.12</h3>
<ul>
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect
is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.</li>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
eth0.1) are not supported in this version or in 1.3.13. If you need such
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g.,
eth0.1) are not supported in this version or in 1.3.13. If you need such
support, post on the users list and I can provide you with a patched version.<br>
</li>
</ul>
<h3>Version 1.3.12 LRP</h3>
<ul>
<li>The .lrp was missing the /etc/shorewall/routestopped file
-- a new lrp (shorwall-1.3.12a.lrp) has been released which corrects
this problem.<br>
</li>
</ul>
<h3>Version 1.3.11a</h3>
<ul>
<li><a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of
82.0.0.0/8.<br>
</li>
</ul>
<h3>Version 1.3.11</h3>
<ul>
<li>When installing/upgrading using the .rpm, you may receive
the following warnings:<br>
@ -211,8 +211,8 @@ this problem.<br>
These warnings are harmless and may be ignored. Users downloading
the .rpm from shorewall.net or mirrors should no longer see these warnings
as the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column
contains ! followed by a sub-zone list) result in an error message and
<li>DNAT rules that exclude a source subzone (SOURCE column
contains ! followed by a sub-zone list) result in an error message and
Shorewall fails to start.<br>
<br>
Install <a
@ -223,13 +223,13 @@ a fix.<br>
<br>
This problem is corrected in version 1.3.11a.<br>
</li>
</ul>
<h3>Version 1.3.10</h3>
<ul>
<li>If you experience problems connecting to a PPTP server
<li>If you experience problems connecting to a PPTP server
running on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
@ -240,31 +240,31 @@ to save the old version of /usr/lib/shorewall/firewall before copying
in the new one since /usr/lib/shorewall/firewall is the real script
now and not just a symbolic link to the real script.<br>
</li>
</ul>
<h3>Version 1.3.9a</h3>
<ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
then the following message appears during "shorewall [re]start":</li>
</ul>
<pre> recalculate_interfacess: command not found<br></pre>
<blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall
as described above.<br>
</blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br>
</blockquote>
<ul>
<li>The installer (install.sh) issues a misleading message
"Common functions installed in /var/lib/shorewall/functions" whereas
@ -274,163 +274,163 @@ now and not just a symbolic link to the real script.<br>
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br>
</a></li>
</ul>
<h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated
firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br>
Version 1.3.8
Version 1.3.8
<ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS
<li> Use of shell variables in the LOG LEVEL or SYNPARMS
columns of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP
addresses but with different port numbers doesn't work (e.g., "DNAT
loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
</li>
</ul>
Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these
problems.
problems.
<h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing
<p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this
problem.</p>
<h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after
"shorewall refresh", the firewall will not forward
icmp echo-request (ping) packets. Installing
<p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after
"shorewall refresh", the firewall will not forward
icmp echo-request (ping) packets. Installing
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this
problem.</p>
<h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918
checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will
<p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918
checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This
has two problems:</p>
<ol>
<li>If the firewall
is running a DHCP server, the
client won't be able to obtain an IP address
client won't be able to obtain an IP address
lease from that server.</li>
<li>With this order
of checking, the "dhcp" option
cannot be used as a noise-reduction
measure where there are both dynamic and static
cannot be used as a noise-reduction
measure where there are both dynamic and static
clients on a LAN segment.</li>
</ol>
<p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a>
corrects the problem. It must be
installed in /var/lib/shorewall as
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a>
corrects the problem. It must be
installed in /var/lib/shorewall as
described above.</p>
<h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against
these md5sums -- if there's a difference, please
<p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against
these md5sums -- if there's a difference, please
download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
and compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
.7 version in each sequence from now on.</p>
<h3 align="left">Version 1.3.6</h3>
<ul>
<li>
<li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to
add an SNAT alias. </p>
</li>
<li>
<li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables
1.2.7. </p>
</li>
</ul>
<p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="left">A line was inadvertently deleted from the "interfaces
<p align="left">A line was inadvertently deleted from the "interfaces
file" -- this line should be added back in if the version that you
downloaded is missing it:</p>
<p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
<p align="left">If you downloaded two-interfaces-a.tgz then the above
<p align="left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p>
<h3 align="left">Version 1.3.5-1.3.5b</h3>
<p align="left">The new 'proxyarp' interface option doesn't work :-(
<p align="left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p>
<h3 align="left">Versions 1.3.4-1.3.5a</h3>
<p align="left">Prior to version 1.3.4, host file entries such as the
<p align="left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p>
<div align="left">
<div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div>
<div align="left">
<div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only
possible to  include a single host specification on each line.
This problem is corrected by <a
@ -438,75 +438,75 @@ described above.</p>
modified 1.3.5a firewall script</a>. Install the script in
/var/lib/pub/shorewall/firewall as instructed above.</p>
</div>
<div align="left">
<div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</p>
</div>
<h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install
<p align="left">REDIRECT rules are broken in this version. Install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version
1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands
<p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy
file have been previously defined in the /etc/shorewall/zones
file. The "shorewall check" command does perform this verification
so it's a good idea to run that command after you have made configuration
changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after
<p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include
in /etc/shorewall/interfaces. To correct this problem, you
in /etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3
and later versions produce a clearer error message in
this case.</p>
<h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct
version has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface
entry in /etc/shorewall/interfaces contained a typo that
<li>The code to detect a duplicate interface
entry in /etc/shorewall/interfaces contained a typo that
prevented it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken;
it behaved just like "NAT_BEFORE_RULES=Yes".</li>
</ul>
<p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p>
<ul>
<li>
<li>
<p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p>
</li>
</ul>
<h3 align="left">Version 1.3.1</h3>
<ul>
<li>TCP SYN packets may be double counted
when LIMIT:BURST is included in a CONTINUE or ACCEPT policy
@ -532,169 +532,169 @@ found that affects only the 'routestopped' option.<br>
prior to 1850 GMT today should download and install
the corrected script again to ensure that this second
problem is corrected.</li>
</ul>
<p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p>
<h3 align="left">Version 1.3.0</h3>
<ul>
<li>Folks who downloaded 1.3.0 from the
links on the download page before 23:40 GMT, 29 May
2002 may have downloaded 1.2.13 rather than 1.3.0.
The "shorewall version" command will tell you which version
The "shorewall version" command will tell you which version
that you have installed.</li>
<li>The documentation NAT.htm file uses
non-existent wallpaper and bullet graphic files. The
non-existent wallpaper and bullet graphic files. The
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li>
</ul>
<hr>
<hr>
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p>
<hr>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works
fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<blockquote>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem
by installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to
rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with
<h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No
<li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running
Shorewall 1.3.6 you may install
<li>if you are running
Shorewall 1.3.6 you may install
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
</ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will result
in Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new
The solution is to put "no" in the LOCAL column. Kernel
support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/8/2003 -
<p><font size="2"> Last updated 3/8/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>

2
Shorewall-docs/fallback.htm
View File

@ -70,5 +70,5 @@ type &quot;rpm -e shorewall&quot;.</p>
<p><font size="2">Last updated 3/26/2001 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font>
<a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></body></html>

32
Shorewall-docs/gnu_mailman.htm
View File

@ -1,38 +1,38 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>GNU Mailman</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">GNU Mailman/Postfix the Easy
Way</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<h1 align="center"> </h1>
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by Michael
Tokarev as a suggested addition to the Postfix FAQ.</h4>
<p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>
<br>
A: Mailman uses a setgid wrapper that is designed to be used in system-wide
@ -48,7 +48,7 @@ and group mailman. Like:<br>
Make sure that /var/mailman/aliases.db is owned by mailman user (this
may be done by executing postalias as mailman userid).<br>
<br>
Next, instead of using mailman-suggested aliases entries with wrapper,
Next, instead of using mailman-suggested aliases entries with wrapper,
use the following:<br>
<br>
instead of<br>
@ -62,14 +62,14 @@ use the following:<br>
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
...</p>
<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted something
<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted something
very similar so that no workaround is necessary. See the README.POSTFIX file
included with Mailman-2.1. </h4>
<p align="left"><font size="2">Last updated 12/29/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>

2
Shorewall-docs/hosts_file.htm
View File

@ -12,7 +12,7 @@
<body>
<h1 align="center">The Hosts File</h1>
<p align="left">Since there seems to be a lot of confusion regarding the
<p align="left">Since there seems to be a lot of confusion regarding the
/etc/shorewall/hosts file, I have created this page to try to clear the fog.</p>
<p align="left">&nbsp;</p>

2
Shorewall-docs/kernel.htm
View File

@ -142,5 +142,5 @@ the options selected above built as modules:</p>
<p><font size="2">Last updated 3/10/2002 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font>
<a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></body></html>

192
Shorewall-docs/mailing_list.htm
View File

@ -1,53 +1,53 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0">
<tbody>
<tr>
<td width="33%" valign="middle" align="left">
<h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left">
</a></h1>
<a
href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt="">
</a>
</a>
<p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td>
<td valign="middle" width="34%" align="center">
<td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td>
<td valign="middle" width="33%"> <a
@ -55,62 +55,62 @@
src="images/small-picture.gif" align="right" border="0" width="115"
height="45" alt="(Postfix Logo)">
</a><br>
<div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0">
</a> </div>
<br>
<div align="right"><br>
<b><font color="#ffffff"><br>
Powered by Postfix    </font></b><br>
</div>
</td>
</tr>
</tbody>
</tbody>
</table>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br>
</h1>
<p align="left">If you experience problems with any of these lists, please
<p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep
at hp dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy
<p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks incoming mail:<br>
</p>
<ol>
<li>against <a href="http://spamassassin.org">Spamassassin</a>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li>
<li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX
<li>to verify that the sender's domain has an A or MX
record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command
<li>to ensure that the host name in the HELO/EHLO command
is a valid fully-qualified DNS name that resolves.</li>
</ol>
<h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in
list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control
@ -122,36 +122,36 @@ of HTML based e-mail". Nevertheless, to allow subscribers to receive list
posts as must as possible, I have now configured the list server at shorewall.net
to strip all HTML from outgoing posts. This means that HTML-only posts
will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p>
<h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, your
e-mail admin may be blocking mail whose <i>Received:</i> headers contain
the names of certain ISPs. Again, I believe that such policies hurt more
than they help but I'm not prepared to go so far as to start stripping <i>Received:</i>
headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<p> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
@ -167,140 +167,140 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline
If you want to trust X.509 certificates issued by Shoreline
Firewall (such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then
you can either use unencrypted access when subscribing to Shorewall
mailing lists or you can use secure access (SSL) and accept the server's
certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also posted
to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see
the <a href="http://www.shorewall.net/support.htm">problem reporting
guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list:<br>
</p>
<ul>
<li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
<li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
</ul>
<p align="left">To post to the list, post to <a
href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.</p>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the
<p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe:<br>
</p>
<p align="left"></p>
<ul>
<li><b>Insecure:</b> <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
</ul>
<p align="left"><br>
The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for coordinating
ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br>
</p>
<ul>
<li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
<li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>. </p>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists although Mailman 2.1 has attempted
to make this less confusing. To unsubscribe:</p>
<ul>
<li>
<li>
<p align="left">Follow the same link above that you used to subscribe
to the list.</p>
</li>
<li>
<li>
<p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a
password reminder, or change your subscription options enter
your subscription email address:". Enter your email address
in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p>
</li>
<li>
<li>
<p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be emailed
to you.</p>
</li>
</ul>
<hr>
<hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 2/24/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>

32
Shorewall-docs/mailing_list_problems.htm
View File

@ -1,48 +1,48 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Mailing List Problems</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Mailing List Problems</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<h2 align="left">Shorewall.net is currently experiencing mail delivery problems
to at least one address in each of the following domains:</h2>
<blockquote>
<div align="left">
<blockquote>
<div align="left">
<pre>2020ca - delivery to this domain has been disabled (cause unknown)<br>arosy.de - delivery to this domain has been disabled (Relay access denied)<br>arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)<br>asurfer.com - (Mailbox full)<br>bol.com.br - delivery to this domain has been disabled (Mailbox Full)<br>cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").<br>cvnet.psi.br - (DNS configuration error -- MX is cvn-srv1.cvnet.psi.br.cvnet.psi.br)<br>datakota.com - (DNS Timeouts)<br>excite.com - delivery to this domain has been disabled (cause unknown)<br>epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)<br>freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)<br>gmx.net - delivery to this domain has been disabled (cause unknown)<br>hotmail.com - delivery to this domain has been disabled (Mailbox over quota)<br>intercom.net - delivery to this domain has been disabled (cause unknown)<br>nitialcs.com - delivery to this domain has been disabled (cause unknown)<br>intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).<br>khp-inc.com - delivery to this domain has been disabled (anti-virus problems)<br>kieninger.de - delivery to this domain has been disabled (relaying to &lt;xxxxx@kieninger.de&gt; prohibited by administrator)<br>lariera.com - delivery to this domain has been disabled (Unknown User)<br>mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)<br>navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)<br>opermail.net - delivery to this domain has been disabled (cause unknown)<br>penquindevelopment.com - delivery to this domain has been disabled (connection timed out)<br>scip-online.de - delivery to this domain has been disabled (cause unknown)<br>spctnet.com - connection timed out - delivery to this domain has been disabled<br>telusplanet.net - delivery to this domain has been disabled (cause unknown)<br>the-techy.com - delivery to this domain has been disabled (clueless administrator - continuous DNS problems) <br>yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
</div>
</blockquote>
<p align="left"><font size="2">Last updated 12/17/2002 02:51 GMT - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></p>
<p align="left"> </p>
<br>
</body>

196
Shorewall-docs/myfiles.htm
View File

File diff suppressed because one or more lines are too long

30
Shorewall-docs/netfilter_overview.htm
View File

@ -16,30 +16,30 @@
<p align="left">&nbsp;</div>
<h2 align="left">1.0 Tables</h2>
<p align="left"><i>Chains</i> of <i>rules </i>are organized into <i>Tables.</i>
<p align="left"><i>Chains</i> of <i>rules </i>are organized into <i>Tables.</i>
Netfilter currently has three tables.</p>
<ol>
<li>
<p align="left">Mangle Table - This allows the contents of the packet to be
changed. Shorewall uses rules in this table to mark packets for traffic
shaping/control (/etc/shorewall/tcrules file) and for setting the Type of
<p align="left">Mangle Table - This allows the contents of the packet to be
changed. Shorewall uses rules in this table to mark packets for traffic
shaping/control (/etc/shorewall/tcrules file) and for setting the Type of
Service (TOS) for the packet (/etc/shorewall/tos).</p>
</li>
<li>
<p align="left">NAT Table - Allows modification of the source and destination IP
<p align="left">NAT Table - Allows modification of the source and destination IP
and port.</p>
</li>
<li>
<p align="left">Filter Table - This is where most ACCEPT/DROP/REJECT decisions
<p align="left">Filter Table - This is where most ACCEPT/DROP/REJECT decisions
are made in Shorewall.</p>
</li>
</ol>
<p align="left">Each table has a number of <i>pre-defined chains</i> as shown in
the table that follows. Packets flow through the chains in the order of that
<p align="left">Each table has a number of <i>pre-defined chains</i> as shown in
the table that follows. Packets flow through the chains in the order of that
table.</p>
<blockquote>
@ -74,8 +74,8 @@ table.</p>
<li>Static NAT DNAT mapping</li>
</ol>
</td>
<td width="310">Only connection requests go here -- packets that are part of or
related to an established connection use information from the connection
<td width="310">Only connection requests go here -- packets that are part of or
related to an established connection use information from the connection
tracking table.</td>
</tr>
<tr>
@ -111,8 +111,8 @@ table.</p>
<td width="51">NAT</td>
<td width="112">OUTPUT</td>
<td width="346">DNAT rules where the source zone is <b>fw</b></td>
<td width="310">Only connection requests go here -- packets that are part of or
related to an established connection use information from the connection
<td width="310">Only connection requests go here -- packets that are part of or
related to an established connection use information from the connection
tracking table.</td>
</tr>
<tr>
@ -126,13 +126,13 @@ table.</p>
<li>Static NAT SNAT Mapping</li>
</ol>
</td>
<td width="310">Only connection requests go here -- packets that are part of or
related to an established connection use information from the connection
<td width="310">Only connection requests go here -- packets that are part of or
related to an established connection use information from the connection
tracking table.</td>
</tr>
</table>
</blockquote>
<p align="left">The connection tracking table can be displayed using the
<p align="left">The connection tracking table can be displayed using the
&quot;shorewall show connections&quot; command.</p>
</body>

110
Shorewall-docs/ping.html
View File

@ -2,150 +2,150 @@
<html>
<head>
<title>ICMP Echo-request (Ping)</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
Shorewall 'Ping' management has evolved over time with the latest change
Shorewall 'Ping' management has evolved over time with the latest change
coming in Shorewall version 1.4.0. <br>
<h2>Shorewall Versions &gt;= 1.4.0</h2>
In order to accept ping requests from zone z1 to zone z2 where the policy
for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the
In order to accept ping requests from zone z1 to zone z2 where the policy
for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the
form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br>
<blockquote>
<blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 then
With that rule in place, if you want to ignore 'ping' from z1 to z2 then
you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and policies
just like any other connection request. In order to accept ping requests
In 1.3.14, Ping handling was put under control of the rules and policies
just like any other connection request. In order to accept ping requests
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need
a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br>
<blockquote>
<blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 then
With that rule in place, if you want to ignore 'ping' from z1 to z2 then
you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<blockquote> </blockquote>
<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br>
</h2>
There are several aspects to the old Shorewall Ping management:<br>
<ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol>
There are two cases to consider:<br>
<ol>
<li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
and simple routing.</li>
</ol>
These cases will be covered separately.<br>
<h3>Ping Requests Addressed to the Firewall Itself</h3>
For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for
the interface that receives the ping request then the request will be responded
to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives the
<li>If <b>noping</b> is specified for the interface that receives the
ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request
is passed to the rules/policy evaluation.</li>
</ol>
<h3>Ping Requests Forwarded by the Firewall</h3>
These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h3>Rules Evaluation</h3>
Ping requests are ICMP type 8. So the general rule format is:<br>
<br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp;
Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 1. Accept pings from the net to the dmz (pings are responded
@ -158,11 +158,11 @@ to with an ICMP echo-reply):<br>
<br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
<h3>Policy Evaluation</h3>
If no applicable rule is found, then the policy for the source to the
If no applicable rule is found, then the policy for the source to the
destination is applied.<br>
<ol>
<li>If the relevant policy is ACCEPT then the request is responded
to with an ICMP echo-reply.</li>
@ -170,12 +170,12 @@ to with an ICMP echo-reply.</li>
then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the request
is either rejected or simply ignored.</li>
</ol>
<p><font size="2">Updated 2/14/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated 2/14/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>

172
Shorewall-docs/ports.htm
View File

@ -1,200 +1,200 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Port Information</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Ports required for Various
Services/Applications</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p>In addition to those applications described in <a
href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
are some other services/applications that you may need to configure your
firewall to accommodate.</p>
<p>NTP (Network Time Protocol)</p>
<blockquote>
<blockquote>
<p>UDP Port 123</p>
</blockquote>
<p>rdate</p>
<blockquote>
<blockquote>
<p>TCP Port 37</p>
</blockquote>
<p>UseNet (NNTP)</p>
<blockquote>
<blockquote>
<p>TCP Port 119</p>
</blockquote>
<p>DNS</p>
<blockquote>
<blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably
want to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if you will
return long replies to queries or if you need to enable ZONE transfers. In
If you are configuring a server, only open TCP Port 53 if you will
return long replies to queries or if you need to enable ZONE transfers. In
the latter case, be sure that your server is properly configured.</p>
</blockquote>
<p>ICQ   </p>
<blockquote>
<blockquote>
<p>UDP Port 4000. You will also need to open a range of TCP ports which
you can specify to your ICQ client. By default, clients use 4000-4100.</p>
</blockquote>
<p>PPTP</p>
<blockquote>
<blockquote>
<p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a
href="PPTP.htm">Lots more information here</a>).</p>
</blockquote>
<p>IPSEC</p>
<blockquote>
<blockquote>
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
500. These should be opened in both directions (Lots more information
<a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
</blockquote>
<p>SMTP</p>
<blockquote>
<blockquote>
<p> TCP Port 25.</p>
</blockquote>
<p>POP3</p>
<blockquote>
<blockquote>
<p>TCP Port 110.</p>
</blockquote>
<p>TELNET</p>
<blockquote>
<blockquote>
<p>TCP Port 23.</p>
</blockquote>
<p>SSH</p>
<blockquote>
<blockquote>
<p>TCP Port 22.</p>
</blockquote>
<p>Auth (identd)</p>
<blockquote>
<blockquote>
<p>TCP Port 113</p>
</blockquote>
<p>Web Access</p>
<blockquote>
<blockquote>
<p>TCP Ports 80 and 443.</p>
</blockquote>
<p>FTP</p>
<blockquote>
<blockquote>
<p>Server configuration is covered on in <a
href="Documentation.htm#Rules">the /etc/shorewall/rules documentation</a>,</p>
<p>For a client, you must open outbound TCP port 21 and be sure that your
kernel is compiled to support FTP connection tracking. If you build this
support as a module, Shorewall will automatically load the module from
<p>For a client, you must open outbound TCP port 21 and be sure that your
kernel is compiled to support FTP connection tracking. If you build this
support as a module, Shorewall will automatically load the module from
/var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br>
</p>
<p>If you run an FTP server on a nonstandard port or you need to access
such a server, then you must specify that port in /etc/shorewall/modules.
For example, if you run an FTP server that listens on port 49 then you would
<p>If you run an FTP server on a nonstandard port or you need to access
such a server, then you must specify that port in /etc/shorewall/modules.
For example, if you run an FTP server that listens on port 49 then you would
have:<br>
</p>
<blockquote>
<blockquote>
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
loadmodule ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before
Shorewall starts, then you should include the port list in /etc/modules.conf:<br>
</p>
<blockquote>
<blockquote>
<p>options ip_conntrack_ftp ports=21,49<br>
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
</blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
<blockquote> </blockquote>
<blockquote>
<blockquote>
<p>TCP Ports 137, 139 and 445.<br>
UDP Ports 137-139.<br>
<br>
Also, <a href="samba.htm">see this page</a>.</p>
</blockquote>
<p>Traceroute</p>
<blockquote>
<blockquote>
<p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p>
</blockquote>
<p>NFS<br>
</p>
<blockquote>
<p>I personally use the following rules for opening access from zone z1
<blockquote>
<p>I personally use the following rules for opening access from zone z1
to a server with IP address a.b.c.d in zone z2:<br>
</p>
<pre>ACCEPT z1 z2:a.b.c.d udp 111<br>ACCEPT z1 z2:a.b.c.d tcp 111<br>ACCEPT z1 z2:a.b.c.d udp 2049<br>ACCEPT z1 z2:a.b.c.d udp 32700:<br></pre>
</blockquote>
<blockquote>
<p>Note that my rules only cover NFS using UDP (the normal case). There
<blockquote>
<p>Note that my rules only cover NFS using UDP (the normal case). There
is lots of additional information at  <a
href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own
<p>Didn't find what you are looking for -- have you looked in your own
/etc/services file? </p>
<p>Still looking? Try <a
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 2/25/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font

58
Shorewall-docs/quotes.htm
View File

@ -1,32 +1,32 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Quotes from Shorewall Users</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p>"The configuration is intuitive and flexible, and much easier than any
of the other iptables-based firewall programs out there. After sifting through
many other scripts, it is obvious that yours is the most well thought-out
@ -36,55 +36,55 @@ and complete one available." -- BC, USA</p>
</p>
"My case was almost like [the one above]. Well. instead of 'weeks' it was
'months' for me, and I think I needed two minutes more:<br>
<ul>
<li>One to see that I had no Internet access from the firewall itself.</li>
<li>Other to see that this was the default configuration, and it was
enough to uncomment a line in /etc/shorewall/policy.<br>
</li>
</ul>
Minutes instead of months! Congratulations and thanks for such a simple
and well documented thing for something as huge as iptables." -- JV, Spain.
Minutes instead of months! Congratulations and thanks for such a simple
and well documented thing for something as huge as iptables." -- JV, Spain.
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate
any problems. Your documentation is great and I really appreciate
your network configuration info. That really helped me out alot. THANKS!!!"
-- MM. </p>
<p>"[Shorewall is a] great, great project. I've used/tested may firewall
scripts but this one is till now the best." -- B.R, Netherlands
scripts but this one is till now the best." -- B.R, Netherlands
</p>
<p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, safe and useful
product as the Shorewall firewall package for no cost or obligation
product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kerecki, Toronto </p>
<p>"one time more to report, that your great shorewall in the latest
<p>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
have 7 machines up and running with shorewall on several versions -
starting with 1.2.2 up to the new 1.2.9 and I never have encountered
any problems!" -- SM, Germany</p>
<p>"You have the best support of any other package I've ever used."
-- SE, US </p>
<p>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld
by request, Europe</p>
<p>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of
flexibillity, quality &amp; support" -- RM, Austria</p>
<p>"I have never seen such a complete firewall package that is so easy to
configure. I searched the Debian package system for firewall scripts and
Shorewall won hands down." -- RG, Toronto</p>
<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
is a wonderful piece of software. I've just sent out an email to about
30 people recommending it. :-)<br>
@ -95,11 +95,11 @@ by request, Europe</p>
-- RP, Guatamala<br>
<br>
 </p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 3/18/2003
- <a href="support.htm">Tom Eastep</a> </font>
- <a href="support.htm">Tom Eastep</a> </font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>

2
Shorewall-docs/samba.htm
View File

@ -17,7 +17,7 @@
</td>
</tr>
</table>
<p>If you wish to run Samba on your firewall and access shares between the
<p>If you wish to run Samba on your firewall and access shares between the
firewall and local hosts, you need the following rules:</p>
<h4>/etc/shorewall/rules:</h4>
<blockquote>

617
Shorewall-docs/seattlefirewall_index.htm
View File

@ -1,371 +1,386 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
height="90">
<tbody>
<tr>
<td width="100%"
height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><a
</a></i></font><a
href="http://www.shorewall.net" target="_top"><img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="4"
alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1>
<small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small><big></big>
<div align="center">
</a></h1>
<small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
<div align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1>
</div>
<p><a href="http://www.shorewall.net" target="_top">
color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1>
</div>
<p><a href="http://www.shorewall.net" target="_top">
</a> </p>
<div align="center"><a href="1.3" target="_top"><font
color="#ffffff">Shorewall 1.3 Site is here</font></a>                  
            <br>
</div>
</td>
</tr>
</tbody>
color="#ffffff">Shorewall 1.3 Site is here</font></a>
<br>
</div>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<tbody>
<tr>
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
<br>
You should have received
a copy of the GNU General Public License
along with this program; if not, write
<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public
License for more details.<br>
<br>
You should have received
a copy of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a
their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!! </b><br>
</p>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>News</h2>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><b> </b></p>
This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0
and removes additional warts.<br>
<br>
<b>Problems Corrected:</b><br>
</b></p>
This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0
and removes additional warts.<br>
<br>
<b>Problems Corrected:</b><br>
<ol>
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn
file is empty. That problem has been corrected so that ECN disabling rules
are only added if there are entries in /etc/shorewall/ecn.</li>
<li>When Shorewall 1.4.0 is run under the ash shell (such as on
Bering/LEAF), it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn
file is empty. That problem has been corrected so that ECN disabling rules
are only added if there are entries in /etc/shorewall/ecn.</li>
</ol>
<b>New Features:</b><br>
<b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
a host address) accessed through a particular interface. Examples:<br>
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated
with each of your zones.<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
</blockquote>
<ol>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than
one group<i> </i>then if there is no explicit Z to Z policy and there are
no rules governing traffic from Z to Z then Shorewall will permit all traffic
between the groups in the zone.</li>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create rules
to handle traffic from a group to itself.</li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is
specified from Z1 to Z2:</li>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more
than one group<i> </i>then if there is no explicit Z to Z policy and there
are no rules governing traffic from Z to Z then Shorewall will permit all
traffic between the groups in the zone.</li>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create
rules to handle traffic from a group to itself.</li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE
is specified from Z1 to Z2:</li>
</ol>
<ul>
<li>There may be no rules created that govern connections from Z1
to Z2.</li>
<li>Shorewall will not create any infrastructure to handle traffic
from Z1 to Z2.</li>
<li>There may be no rules created that govern connections from
Z1 to Z2.</li>
<li>Shorewall will not create any infrastructure to handle traffic
from Z1 to Z2.</li>
</ul>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
of how these changes may affect your configuration.<br>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
of how these changes may affect your configuration.<br>
<p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
</tr>
</tbody>
</td>
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
style="margin-top: 1px;">
<tbody>
<tr>
<td width="100%"
style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

72
Shorewall-docs/shoreline.htm
View File

@ -1,46 +1,46 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p align="center"> <img border="3" src="images/TomNTarry.png"
alt="Tom on the PCT - 1991" width="316" height="392">
</p>
<p align="center">Tarry &amp; Tom -- August 2002<br>
<br>
</p>
<ul>
<li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li>
<li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li>
@ -50,58 +50,58 @@
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980
- present</li>
<li>Married 1969 - no children.</li>
</ul>
<p>I am currently a member of the design team for the next-generation
<p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and
wrote Shorewall. </p>
<p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
href="http://www.cityofshoreline.com">Shoreline, Washington</a> where
I live with my wife Tarry.  </p>
<p>Our current home network consists of: </p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp;
20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system.
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp;
20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system.
Serves as a PPTP server for Road Warrior access. Dual boots <a
href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as a
WINS server. This system also has <a
href="http://www.vmware.com/">VMware</a> installed and can run both
<a href="http://www.debian.org">Debian Woody</a> and <a
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
- Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd),
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
- Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd),
DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3
LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.4.0 
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3
LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.4.0 
and a DHCP server.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC
- My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My
main work system.</li>
</ul>
<p>For more about our network see <a href="myfiles.htm">my Shorewall Configuration</a>.</p>
<p>All of our other systems are made by <a
href="http://www.compaq.com">Compaq</a> (part of the new <a
href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a
href="http://www.netgear.com">Netgear</a> FA310TXs.</p>
<p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0"
@ -117,11 +117,11 @@ main work system.</li>
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
width="125" height="40" hspace="4">
</font></p>
<p><font size="2">Last updated 3/17/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
M. Eastep.</font></a></font><br>
<br>
<br>

148
Shorewall-docs/shorewall_extension_scripts.htm
View File

@ -1,45 +1,45 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Extension Scripts</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p> Extension scripts are user-provided scripts that are invoked at various
points during firewall start, restart, stop and clear. The scripts are
placed in /etc/shorewall and are processed using the Bourne shell "source"
<p> Extension scripts are user-provided scripts that are invoked at various
points during firewall start, restart, stop and clear. The scripts are
placed in /etc/shorewall and are processed using the Bourne shell "source"
mechanism. The following scripts can be supplied:</p>
<ul>
<li>init -- invoked early in "shorewall start" and "shorewall
restart"</li>
@ -47,77 +47,77 @@ restart"</li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but before
<li>refresh -- invoked while the firewall is being refreshed but before
the common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
chain has been created but before any rules have been added to it.</li>
</ul>
<p><u><b>If your version of Shorewall doesn't have the file that you want
<p><u><b>If your version of Shorewall doesn't have the file that you want
to use from the above list, you can simply create the file yourself.</b></u></p>
<p> You can also supply a script with the same name as any of the filter
<p> You can also supply a script with the same name as any of the filter
chains in the firewall and the script will be invoked after the /etc/shorewall/rules
file has been processed but before the /etc/shorewall/policy file has
been processed.</p>
<p>The /etc/shorewall/common file receives special treatment. If this file
is present, the rules that it defines will totally replace the default
rules in the common chain. These default rules are contained in the
file /etc/shorewall/common.def which may be used as a starting point
<p>The /etc/shorewall/common file receives special treatment. If this file
is present, the rules that it defines will totally replace the default
rules in the common chain. These default rules are contained in the
file /etc/shorewall/common.def which may be used as a starting point
for making your own customized file.</p>
<p> Rather than running iptables directly, you should run it using the
function run_iptables. Similarly, rather than running "ip" directly,
you should use run_ip. These functions accept the same arguments as the
underlying command but cause the firewall to be stopped if an error occurs
<p> Rather than running iptables directly, you should run it using the
function run_iptables. Similarly, rather than running "ip" directly,
you should use run_ip. These functions accept the same arguments as the
underlying command but cause the firewall to be stopped if an error occurs
during processing of the command.</p>
<p> If you decide to create /etc/shorewall/common it is a good idea to use
the following technique</p>
<p> /etc/shorewall/common:</p>
<blockquote>
<blockquote>
<pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
</blockquote>
<p>If you need to supercede a rule in the released common.def file, you can
add the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
<p>If you need to supercede a rule in the released common.def file, you can
add the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
file.</p>
<p>Remember that /etc/shorewall/common defines rules that are only applied
if the applicable policy is DROP or REJECT. These rules are NOT applied
<p>Remember that /etc/shorewall/common defines rules that are only applied
if the applicable policy is DROP or REJECT. These rules are NOT applied
if the policy is ACCEPT or CONTINUE.</p>
<p align="left"><font size="2">Last updated 2/18/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a></p>
<br>

66
Shorewall-docs/shorewall_features.htm
View File

@ -1,114 +1,114 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Features</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Features</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<ul>
<li>Uses Netfilter's connection tracking facilities for stateful packet
<li>Uses Netfilter's connection tracking facilities for stateful packet
filtering.</li>
<li>Can be used in a <b> wide range of router/firewall/gateway applications</b>.
<ul>
<li>Completely customizable using configuration files.</li>
<li>No limit on the number of network interfaces.</li>
<li>Allows you to partitions the network into <i><a
href="Documentation.htm#Zones">zones</a></i> and gives you complete
href="Documentation.htm#Zones">zones</a></i> and gives you complete
control over the connections permitted between each pair of zones.</li>
<li>Multiple interfaces per zone and multiple zones per interface
<li>Multiple interfaces per zone and multiple zones per interface
permitted.</li>
<li>Supports nested and overlapping zones.</li>
</ul>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a>
to help get your first firewall up and running quickly</li>
<li>A <b>GUI</b> is available via Webmin 1.060 and later (<a
href="http://www.webmin.com">http://www.webmin.com</a>)<br>
</li>
<li>Extensive <b> <a
href="shorewall_quickstart_guide.htm#Documentation">documentation</a>
href="shorewall_quickstart_guide.htm#Documentation">documentation</a>
</b> included in the .tgz and .rpm downloads.</li>
<li><b>Flexible address management/routing support</b> (and you can
use all types in the same firewall):
<li><b>Flexible address management/routing support</b> (and you can
use all types in the same firewall):
<ul>
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
<li><a href="Documentation.htm#NAT"> Static NAT</a>.</li>
<li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
<li>Simple host/subnet Routing</li>
</ul>
</li>
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
IP addresses and subnetworks is supported.</li>
<li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
<ul>
<li>Commands to start, stop and clear the firewall</li>
<li>Supports status monitoring with an audible alarm
<li>Supports status monitoring with an audible alarm
when an "interesting" packet is detected.</li>
<li>Wide variety of informational commands.</li>
</ul>
</li>
<li><b>VPN Support</b>
<li><b>VPN Support</b>
<ul>
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE,  IPIP and
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE,  IPIP and
OpenVPN Tunnels</a>.</li>
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
</ul>
</li>
<li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
integration.</li>
<li>Wide support for different <b>GNU/Linux Distributions</b>.
<li>Wide support for different <b>GNU/Linux Distributions</b>.
<ul>
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a>
packages available.</li>
<li>Includes <a href="Install.htm"><b>automated install, upgrade,
fallback and uninstall facilities</b></a> for users who can't use
<li>Includes <a href="Install.htm"><b>automated install, upgrade,
fallback and uninstall facilities</b></a> for users who can't use
or choose not to use the RPM or Debian packages.</li>
<li>Included as a standard part of<b> <a
href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
on a floppy, CD or compact flash).</li>
</ul>
</li>
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>)
Address <b>Verification</b><br>
</a><br>
</li>
</ul>
<p><font size="2">Last updated 2/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001-2003 Thomas M. Eastep.</font></a></font><br>
</p>

120
Shorewall-docs/shorewall_firewall_structure.htm
View File

@ -21,17 +21,17 @@
Shorewall views the network in which it is running as a set of
<i> zones. </i>Shorewall itself defines exactly one zone called "fw"
which refers to the firewall system itself . The /etc/shorewall/zones file
is used to define additional zones and the example file provided with Shorewall
is used to define additional zones and the example file provided with Shorewall
defines the zones:</p>
<ol>
<li>
net -- the (untrusted) internet.</li>
<li>
dmz - systems that must be accessible from the internet and from the
local network.  These systems cannot be trusted completely since their servers
dmz - systems that must be accessible from the internet and from the
local network.  These systems cannot be trusted completely since their servers
may have been compromised through a security exploit.</li>
<li>
loc - systems in your local network(s). These systems must be protected
loc - systems in your local network(s). These systems must be protected
from the internet and from the DMZ and in some cases, from each other.</li>
</ol>
<p><b>Note: </b><a href="#Conf">You can specify the name of the firewall zone</a>.
@ -41,79 +41,79 @@ from the internet and from the DMZ and in some cases, from each other.</li
with the exception of the firewall zone, Shorewall itself attaches no meaning to
zone names. Zone names are simply labels used to refer to a collection of
network hosts.</p>
<p>While zones are normally disjoint (no two zones have a host in common),
<p>While zones are normally disjoint (no two zones have a host in common),
there are cases where nested or overlapping zone definitions are appropriate.</p>
<p>For a general picture of how packets traverse a Netfilter firewall, see
<a href="http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html#TRAVERSINGOFTABLES">
http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html#TRAVERSINGOFTABLES.</a><br>
<br>
Packets entering the firewall first pass through the <i>mangle </i>table's
PREROUTING chain (you can see the mangle table by typing &quot;shorewall show
mangle&quot;). If the packet entered through an interface that has the <b>norfc1918</b>
option, then the packet is sent down the <b>man1918</b>&nbsp; which will drop
the packet if its destination IP address is reserved (as specified in the
/etc/shorewall/rfc1918 file). Next the packet passes through the<b> pretos</b>
chain to set its TOS field as specified in the /etc/shorewall/tos file.
Finally, if traffic control/shaping is being used, the packet is sent through
the<b> tcpre</b> chain to be marked for later use in policy routing or traffic
Packets entering the firewall first pass through the <i>mangle </i>table's
PREROUTING chain (you can see the mangle table by typing &quot;shorewall show
mangle&quot;). If the packet entered through an interface that has the <b>norfc1918</b>
option, then the packet is sent down the <b>man1918</b>&nbsp; which will drop
the packet if its destination IP address is reserved (as specified in the
/etc/shorewall/rfc1918 file). Next the packet passes through the<b> pretos</b>
chain to set its TOS field as specified in the /etc/shorewall/tos file.
Finally, if traffic control/shaping is being used, the packet is sent through
the<b> tcpre</b> chain to be marked for later use in policy routing or traffic
control.</p>
<p>Next, if the packet isn't part of an established connection, it passes
through the<i> nat</i> table's PREROUTING chain (you can see the nat table by
typing &quot;shorewall show nat&quot;). If you are doing both static nat and
port forwarding, the order in which chains are traversed is dependent on the
setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is on then
packets will ender a chain called <i>interface_</i>in where <i>interface</i> is
the name of the interface on which the packet entered. Here it's destination IP
is compared to each of the <i>EXTERNAL</i> IP addresses from /etc/shorewall/nat
that correspond to this interface; if there is a match, DNAT is applied and the
packet header is modified to the IP in the <i>INTERNAL</i> column of the nat
<p>Next, if the packet isn't part of an established connection, it passes
through the<i> nat</i> table's PREROUTING chain (you can see the nat table by
typing &quot;shorewall show nat&quot;). If you are doing both static nat and
port forwarding, the order in which chains are traversed is dependent on the
setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is on then
packets will ender a chain called <i>interface_</i>in where <i>interface</i> is
the name of the interface on which the packet entered. Here it's destination IP
is compared to each of the <i>EXTERNAL</i> IP addresses from /etc/shorewall/nat
that correspond to this interface; if there is a match, DNAT is applied and the
packet header is modified to the IP in the <i>INTERNAL</i> column of the nat
file record. If the destination address doesn't match any of the rules in the
<i>interface_</i>in chain then the packet enters a chain called <i>sourcezone</i>_dnat
where <i>sourcezone</i> is the source zone of the packet. There it is compared
<i>interface_</i>in chain then the packet enters a chain called <i>sourcezone</i>_dnat
where <i>sourcezone</i> is the source zone of the packet. There it is compared
for a match against each of the DNAT records in the rules file that specify <i>
sourcezone </i>as the source zone. If a match is found, the destination IP
address (and possibly the destination port) is modified based on the rule
sourcezone </i>as the source zone. If a match is found, the destination IP
address (and possibly the destination port) is modified based on the rule
matched. If NAT_BEFORE_RULES is off, then the order of traversal of the <i>
interface_</i>in and <i>sourcezone</i>_dnat is reversed.</p>
<p>
Traffic is next sent to an<i> input </i>chain in the mail Netfilter table
(called 'filter'). If the traffic is destined for the
firewall itself, the name of the input chain is formed by appending &quot;_in&quot; to
the interface name. So traffic on eth0 destined for the firewall will enter a
chain called <i>eth0_in</i>. The input chain for traffic that will be routed to
another system is formed by appending &quot;_fwd&quot; to the interface name. So traffic
from eth1 that is going to be forwarded enters a chain called<i> eth1_fwd</i>.
Interfaces described with the wild-card character (&quot;+&quot;) in
/etc/shorewall/interfaces, share input chains. if <i>ppp+ </i>appears in
/etc/shorewall/interfaces then all PPP interfaces (ppp0, ppp1, ...) will share
the input chains <i>ppp_in</i> and <i>ppp_fwd</i>. In other words, &quot;+&quot; is
Traffic is next sent to an<i> input </i>chain in the mail Netfilter table
(called 'filter'). If the traffic is destined for the
firewall itself, the name of the input chain is formed by appending &quot;_in&quot; to
the interface name. So traffic on eth0 destined for the firewall will enter a
chain called <i>eth0_in</i>. The input chain for traffic that will be routed to
another system is formed by appending &quot;_fwd&quot; to the interface name. So traffic
from eth1 that is going to be forwarded enters a chain called<i> eth1_fwd</i>.
Interfaces described with the wild-card character (&quot;+&quot;) in
/etc/shorewall/interfaces, share input chains. if <i>ppp+ </i>appears in
/etc/shorewall/interfaces then all PPP interfaces (ppp0, ppp1, ...) will share
the input chains <i>ppp_in</i> and <i>ppp_fwd</i>. In other words, &quot;+&quot; is
deleted from the name before forming the input chain names.</p>
<p>
While the use of input chains may seem wasteful in simple environments, in
complex setups it substantially reduces the number of rules that each packet
While the use of input chains may seem wasteful in simple environments, in
complex setups it substantially reduces the number of rules that each packet
must traverse.&nbsp; </p>
<p>
Traffic directed from a zone to the firewall itself is sent through a
Traffic directed from a zone to the firewall itself is sent through a
chain named &lt;<i>zone name&gt;</i>2fw. For example, traffic inbound from
the internet and addressed to the firewall is sent through a chain named
net2fw. Similarly, traffic originating in the firewall and being sent to
a host in a given zone is sent through a chain named fw2<i>&lt;zone name&gt;.
</i>For example, traffic originating in the firewall and destined
a host in a given zone is sent through a chain named fw2<i>&lt;zone name&gt;.
</i>For example, traffic originating in the firewall and destined
for a host in the local network is sent through a chain named <i>fw2loc.</i>
<font face="Century Gothic, Arial, Helvetica">
 </font></p>
<p>
Traffic being forwarded between two zones (or from one interface to a
Traffic being forwarded between two zones (or from one interface to a
zone to another interface to that zone) is sent through a chain named <i>
&lt;source zone&gt;</i>2<i> &lt;destination zone&gt;</i>. So for example,
traffic originating in a local system and destined for a remote web server
is sent through chain <i>loc2net. </i>This chain is referred to
as the <i>canonical</i> chain from &lt;source zone&gt; to &lt;destination
zone&gt;. Any destination NAT will have occurred <u>before</u> the packet
traverses one of these chains so rules in /etc/shorewall/rules should be
expressed in terms of the destination system's real IP address as opposed
as the <i>canonical</i> chain from &lt;source zone&gt; to &lt;destination
zone&gt;. Any destination NAT will have occurred <u>before</u> the packet
traverses one of these chains so rules in /etc/shorewall/rules should be
expressed in terms of the destination system's real IP address as opposed
to its apparent external address. Similarly, source NAT will occur <u>after</u>
the packet has traversed the appropriate forwarding chain so the rules
the packet has traversed the appropriate forwarding chain so the rules
again will be expressed using the source system's real IP address.</p>
<p>
For each record in the /etc/shorewall/policy file, a chain is created. Policies
@ -129,19 +129,19 @@ chains as follows:</p>
<li>
If the canonical chain exists, packets first traverse that chain.</li>
<li>
If the canonical chain and policy chain are different and the packet
does not match a rule in the canonical chain, it then is sent to the
If the canonical chain and policy chain are different and the packet
does not match a rule in the canonical chain, it then is sent to the
policy chain.</li>
<li>
If the canonical chain does not exist, packets are sent immediately
If the canonical chain does not exist, packets are sent immediately
to the policy chain.</li>
</ol>
<p>
The canonical chain from zone za to zone zb will be created only if there
are exception rules defined in /etc/shorewall/rules for packets going from
The canonical chain from zone za to zone zb will be created only if there
are exception rules defined in /etc/shorewall/rules for packets going from
za to zb.</p>
<p>
Shorewall is built on top of the Netfilter kernel facility. Netfilter
Shorewall is built on top of the Netfilter kernel facility. Netfilter
implements connection tracking function that allow what is often referred
to as "statefull inspection" of packets. This statefull property allows
firewall rules to be defined in terms of "connections" rather than in
@ -152,22 +152,22 @@ terms of "packets". With Shorewall, you:</p>
<li>
Identify the server's zone.</li>
<li>
If the POLICY from the client's zone to the server's zone is what you
If the POLICY from the client's zone to the server's zone is what you
want for this client/server pair, you need do nothing further.</li>
<li>
If the POLICY is not what you want, then you must add a rule. That rule
is expressed in terms of the client's zone and the server's zone.</li>
</ol>
<p>
Just because connections of a particular type are allowed between zone A
Just because connections of a particular type are allowed between zone A
and the firewall and are also allowed between the firewall and zone B <font color="#ff6633"><b><u>
DOES NOT mean that these connections are allowed between zone A and zone
B</u></b></font>. It rather means that you can have a proxy running on
the firewall that accepts a connection from zone A and then establishes
its own separate connection from the firewall to zone B.</p>
<p>
If you adopt the default policy of ACCEPT from the local zone to the internet
zone and you are having problems connecting from a local client to an internet
If you adopt the default policy of ACCEPT from the local zone to the internet
zone and you are having problems connecting from a local client to an internet
server, <font color="#ff6633"><b><u> adding a rule won't help</u></b></font>
(see point 3 above).</p>
<p><font size="2">Last modified 8/22/2002 - <a href="support.htm">Tom

78
Shorewall-docs/shorewall_logging.html
View File

@ -2,45 +2,45 @@
<html>
<head>
<title>Shorewall Logging</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Logging</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i> (using
the notation <i>facility.priority</i>). <br>
<br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
<i>local7</i>.<br>
<br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
The syslog documentation uses the term <i>priority</i>.<br>
<h3>Syslog Levels<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
<br>
Valid levels are:<br>
@ -62,46 +62,46 @@ as their value.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
emerg<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by NetFilter and are logged using
the <i>kern</i> facility and the level that you specify. If you are unsure
of the level to choose, 6 (info) is a safe bet. You may specify levels
For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by NetFilter and are logged using
the <i>kern</i> facility and the level that you specify. If you are unsure
of the level to choose, 6 (info) is a safe bet. You may specify levels
by name or by number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*) based
on their facility and level. The mapping of these facility/level pairs
to log files is done in /etc/syslog.conf (5). If you make changes to this
file, you must restart syslogd before the changes can take effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br>
<ol>
<li>If you give, for example, kern.info it's own log destination then
<li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5 (notice)
through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just
<li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br>
</li>
</ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG
target support (and most vendor-supplied kernels do), you may also specify
a log level of ULOG (must be all caps). When ULOG is used, Shorewall will
a log level of ULOG (must be all caps). When ULOG is used, Shorewall will
direct netfilter to log the related messages via the ULOG target which will
send them to a process called 'ulogd'. The ulogd program is available from
http://www.gnumonks.org/projects/ulogd and can be configured to log all
Shorewall message to their own log file.<br>
<br>
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u> from
syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely
no effect on your Shorewall logging (except for Shorewall status messages
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u> from
syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely
no effect on your Shorewall logging (except for Shorewall status messages
which still go to syslog).<br>
<br>
You will need to have the kernel source available to compile ulogd.<br>
<br>
Download the ulod tar file and:<br>
<ol>
<li>Be sure that /usr/src/linux is linked to your kernel source tree<br>
</li>
@ -113,7 +113,7 @@ Download the ulod tar file and:<br>
<li>make</li>
<li>make install<br>
</li>
</ol>
If you are like me and don't have a development environment on your firewall,
you can do the first six steps on another system then either NFS mount
@ -121,13 +121,13 @@ your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
<ol>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
</ol>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple
"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init system
@ -136,21 +136,21 @@ may need something else done to activate the script.<br>
You will need to change all instances of log levels (usually 'info') in
your configuration files to 'ULOG' - this includes entries in the policy,
rules and shorewall.conf files. Here's what I have:<br>
<pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br> policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br> policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
that you wish to log to&gt;</i>. This tells the /sbin/shorewall program
where to look for the log when processing its "show log", "logwatch" and
"monitor" commands.<br>
<p><font size="2"> Updated 1/11/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 1/11/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
</p>
</body>
</html>

52
Shorewall-docs/shorewall_mirrors.htm
View File

@ -1,60 +1,60 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mirrors</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p align="left"><b>Remember that updates to the mirrors are often delayed
<p align="left"><b>Remember that updates to the mirrors are often delayed
for 6-12 hours after an update to the primary rsync site. For HTML content,
the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
is updated at the same time as the rsync site.</b></p>
<p align="left">The main Shorewall Web Site is <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
and is located in California, USA. It is mirrored at:</p>
<ul>
<li><a target="_top" href="http://slovakia.shorewall.net"> http://slovakia.shorewall.net</a>
(Slovak Republic).</li>
<li> <a href="http://www.infohiiway.com/shorewall"
target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net"> http://germany.shorewall.net</a>
<li><a target="_top" href="http://germany.shorewall.net"> http://germany.shorewall.net</a>
(Hamburg, Germany)</li>
<li><a target="_top" href="http://shorewall.correofuego.com.ar">http://shorewall.correofuego.com.ar</a>
<li><a target="_top" href="http://shorewall.correofuego.com.ar">http://shorewall.correofuego.com.ar</a>
(Martinez (Zona Norte - GBA), Argentina)</li>
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br>
</li>
</ul>
<p align="left">The rsync site is mirrored via FTP at:</p>
<ul>
<li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
@ -62,22 +62,22 @@ is updated at the same time as the rsync site.</b></p>
<li> <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/"
target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> (Texas, USA).</li>
<li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>
(Hamburg, Germany)</li>
<li> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall</a>
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall</a>
(Martinez (Zona Norte - GBA), Argentina)</li>
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li>
</ul>
Search results and the mailing list archives are always fetched from the
Search results and the mailing list archives are always fetched from the
site in Washington State.<br>
<p align="left"><font size="2">Last Updated 3/7/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>

36
Shorewall-docs/shorewall_prerequisites.htm
View File

@ -1,34 +1,34 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Prerequisites</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
Shorewall Requires:<br>
<ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20.
With current releases of Shorewall, Traffic Shaping/Control requires at least
@ -43,23 +43,23 @@ With current releases of Shorewall, Traffic Shaping/Control requires at least
is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Iproute ("ip" utility). The iproute package is included with
most distributions but may not be installed by default. The official
<li>Iproute ("ip" utility). The iproute package is included with
most distributions but may not be installed by default. The official
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
</li>
<li>A Bourne shell or derivative such as bash or ash. This shell must
have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
<li>A Bourne shell or derivative such as bash or ash. This shell must
have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>The firewall monitoring display is greatly improved if you have
awk (gawk) installed.</li>
</ul>
<p align="left"><font size="2">Last updated 3/19/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>

188
Shorewall-docs/shorewall_quickstart_guide.htm
View File

@ -1,57 +1,57 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br>
Version 4.0</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br>
</p>
<h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul>
<li><a href="standalone.htm">Standalone</a> Linux
System (<a href="standalone_fr.html">Version Française</a>)</li>
@ -61,17 +61,17 @@ we must all first walk before we can run.<br>
<li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local network
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about
Shorewall than is explained in the single-address guides above.</b></p>
<ul>
<li><a
href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
@ -81,8 +81,8 @@ we must all first walk before we can run.<br>
href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a
href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
and Routing</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
@ -92,35 +92,35 @@ we must all first walk before we can run.<br>
href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4
Address Resolution Protocol</a></li>
</ul>
<ul>
<li><a
href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0
Setting up your Network</a>
Setting up your Network</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a
href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
@ -130,54 +130,54 @@ we must all first walk before we can run.<br>
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3
Rules</a></li>
<li><a
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0
DNS</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li>
</ul>
<h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before
trying to use this documentation directly.</p>
<ul>
<li><a
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
(e.g., eth0:0)</a><br>
</li>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common
configuration file features</a>
<li><a href="configuration_file_basics.htm">Common
configuration file features</a>
<ul>
<li><a
href="configuration_file_basics.htm#Comments">Comments in configuration
@ -201,14 +201,14 @@ trying to use this documentation directly.</p>
a test configuration)</a></li>
<li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File
Reference Manual</a>
<li><a href="Documentation.htm">Configuration File
Reference Manual</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a
@ -238,8 +238,8 @@ a test configuration)</a></li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
@ -257,63 +257,63 @@ etc.)</li>
</li>
<li><a href="MAC_Validation.html">MAC Verification</a><br>
</li>
<li><a href="myfiles.htm">My Shorewall Configuration
<li><a href="myfiles.htm">My Shorewall Configuration
(How I personally use Shorewall)</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
</ul>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br>
</li>
</ul>
<li><font color="#000099"><a href="NAT.htm">Static
<li><font color="#000099"><a href="NAT.htm">Static
NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent
Proxy with Shorewall</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li>VPN
<li>VPN
<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="OPENVPN.html">OpenVPN</a><br>
</li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system
behind your firewall to a remote network.</li>
</ul>
</li>
<li><a href="whitelisting_under_shorewall.htm">White
<li><a href="whitelisting_under_shorewall.htm">White
List Creation</a></li>
</ul>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 3/12/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br>
</p>
<br>

1594
Shorewall-docs/shorewall_setup_guide.htm
View File

File diff suppressed because it is too large Load Diff

485
Shorewall-docs/sourceforge_index.htm
View File

@ -1,279 +1,150 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
height="90">
height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.4 - <font
size="4">"<i>iptables made easy"</i></font></font><a
href="http://www.sf.net"> </a></h1>
<div align="center"><a href="/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a></div>
</td>
</tr>
</tbody>
</tbody>
</table>
<div align="center">
<center>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall
system, a multi-function gateway/router/server or on a standalone
GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
<p>This program is free software; you can redistribute it and/or modify
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public
A PARTICULAR PURPOSE. See the GNU General Public
License for more details.<br>
<br>
You should have received
You should have received
a copy of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations
to Jacques and Eric on the recent release of Bering
<b>Congratulations
to Jacques and Eric on the recent release of Bering
1.1!!! <br>
</b>
<h2>News</h2>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b><b> </b></p>
<b> </b>
<ul>
</ul>
 </b></p>
<p>This release follows up on 1.4.0. It corrects a problem introduced
in 1.4.0 and removes additional warts.<br>
<br>
<b>Problems Corrected:</b><br>
</p>
<ol>
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file
is empty. That problem has been corrected so that ECN disabling rules are
only added if there are entries in /etc/shorewall/ecn.</li>
</ol>
<b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
<blockquote>Note: In the list that follows, the term <i>group </i>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
@ -281,7 +152,7 @@ a host address) accessed through a particular interface. Examples:<br>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
</blockquote>
<ol>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than
one group<i> </i>then if there is no explicit Z to Z policy and there are
@ -292,7 +163,7 @@ to handle traffic from a group to itself.</li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is
specified from Z1 to Z2:</li>
</ol>
<ul>
<li>There may be no rules created that govern connections from Z1
to Z2.</li>
@ -302,147 +173,147 @@ from Z1 to Z2.</li>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
of how these changes may affect your configuration.
<p><a href="News.htm">More News</a></p>
<h2> </h2>
<h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1>
<h4> </h4>
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</tr>
</tbody>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
style="margin-top: 1px;">
style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</tbody>
</table>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>

38
Shorewall-docs/spam_filters.htm
View File

@ -1,32 +1,32 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>SPAM Filters</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">SPAM Filters</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<h1 align="center"><br>
<a href="http://ordb.org"> </a><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="(SpamAssassin Logo)" width="100"
@ -34,23 +34,23 @@
</a><img border="0" src="images/but3.png" hspace="3" width="88"
height="31">
</h1>
<p>Like all of you, I'm concerned about the increasing volume of Unsolicited
Commercial Email (UCE or SPAM). I am therefore sympathetic with those of
you who are installing SPAM filters on your mail servers. A couple of recent
Commercial Email (UCE or SPAM). I am therefore sympathetic with those of
you who are installing SPAM filters on your mail servers. A couple of recent
incidents involving mis-configured filters have prompted me to establish this
page to spell out what I will do when these filters bounce list postings.</p>
<p>When your SPAM filter bounces/rejects list mail <b>and I can identify
who you are</b>, I will:</p>
<ol>
<li>immediately turn off delivery to you from all Shorewall lists to
which you subscribe.</li>
<li><u>try</u> to send you an email from a source other than shorewall.net</li>
</ol>
<p>When you have corrected the problem, please let me know and I will re-enable
delivery (or you can reenable delivery yourself).<br>
</p>
@ -58,10 +58,10 @@ which you subscribe.</li>
rejected as spam but fail to provide any clue about the original addressee!!!
If I don't know who you are, I can't tell you about the problem...<br>
</p>
<p><font size="2">Last Updated 1/29/2003 - Tom Eastep</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>

212
Shorewall-docs/standalone.htm
View File

@ -1,98 +1,98 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Standalone Firewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<h2 align="center">Version 2.0.1</h2>
<p align="left">Setting up Shorewall on a standalone Linux system is very
easy if you understand the basics and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall
in one of its most common configurations:</p>
<ul>
<li>Linux system</li>
<li>Single external IP address</li>
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
</ul>
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
</ul>
<h2 align="left">Shorewall Concepts</h2>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few
of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
(they will replace files with the same names that were placed in /etc/shorewall
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
(they will replace files with the same names that were placed in /etc/shorewall
during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only
one zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
<tbody>
@ -104,38 +104,38 @@ one zone is defined:</p>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</tbody>
</tbody>
</table>
<p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall also recognizes the firewall system as its own zone - by default,
the firewall itself is known as <b>fw</b>.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample
has the following policies:</p>
<blockquote>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
@ -168,27 +168,27 @@ has the following policies:</p>
<td>info</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your
firewall</li>
<li>reject all other connection requests (Shorewall requires this
catchall policy).</li>
</ol>
<p>At this point, edit your /etc/shorewall/policy and make any changes that
you wish.</p>
<h2 align="left">External Interface</h2>
<p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that
@ -198,64 +198,64 @@ has the following policies:</p>
Interface will be a <b>ppp0</b>. If you connect via a regular modem, your
External Interface will also be <b>ppp0</b>. If you connect using ISDN,
your external interface will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
    The Shorewall one-interface sample configuration assumes that
    The Shorewall one-interface sample configuration assumes that
the external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that
are specified for the interface. Some hints:</p>
<ul>
<li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p>
</li>
<li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the
option list. </p>
</li>
</ul>
<div align="left">
<div align="left">
<h2 align="left">IP Addresses</h2>
</div>
<div align="left">
<div align="left">
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges
for use in private networks:</p>
<div align="left">
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though, ISPs
are assigning these addresses then using <i>Network Address Translation
</i>to rewrite packet headers when forwarding to/from the internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
     Before starting Shorewall, you should look at the IP address
of your external interface and if it is one of the above ranges, you
should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<div align="left">
<h2 align="left">Enabling other Connections</h2>
</div>
<div align="left">
<div align="left">
<p align="left">If you wish to enable connections from the internet to your
firewall, the general format is:</p>
</div>
<div align="left">
<blockquote>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -277,19 +277,19 @@ should remove the 'norfc1918' option from the entry in /etc/shorewall/interf
<td> </td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server
on your firewall system:</p>
</div>
<div align="left">
<blockquote>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber5">
<tbody>
@ -320,25 +320,25 @@ on your firewall system:</p>
<td> </td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">If you don't know what port and protocol a particular
<div align="left">
<p align="left">If you don't know what port and protocol a particular
application uses, see <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
<blockquote>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -360,39 +360,39 @@ application uses, see <a href="ports.htm">here</a>.</p>
<td> </td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
    At this point, edit /etc/shorewall/rules to add other connections
as desired.</p>
</div>
<div align="left">
<div align="left">
<h2 align="left">Starting and Stopping Your Firewall</h2>
</div>
<div align="left">
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
    The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
</p>
</div>
<div align="left">
<div align="left">
<p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing
is enabled on those hosts that have an entry in <a
@ -401,22 +401,22 @@ application uses, see <a href="ports.htm">here</a>.</p>
If you want to totally remove any trace of Shorewall from your Netfilter
configuration, use "shorewall clear".</p>
</div>
<div align="left">
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 2/21/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a></p>
<br>
<br>

286
Shorewall-docs/starting_and_stopping_shorewall.htm
View File

@ -1,45 +1,45 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Starting and Stopping Shorewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot.
Once you have installed "firewall" in your init.d directory, simply
@ -48,110 +48,110 @@ in run levels 2-5 and stop it in run levels 1 and 6. If you want
to configure your firewall differently from this default, you can
use the "--level" option in chkconfig (see "man chkconfig") or using
your favorite graphical run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<ol>
<li>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by removing the file
/etc/shorewall/startup_disabled. Note: Users of the .deb package must
<li>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by removing the file
/etc/shorewall/startup_disabled. Note: Users of the .deb package must
edit /etc/default/shorewall and set 'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall
in your /etc/ppp/ip-up.local script. I recommend just placing
<li>If you use dialup, you may want to start the firewall
in your /etc/ppp/ip-up.local script. I recommend just placing
"shorewall restart" in that script.</li>
</ol>
<p>
<p>
</p>
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program: </p>
<ul>
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's
<li>shorewall restart - stops the firewall (if it's
running) and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters
in the firewall</li>
<li>shorewall clear - remove all rules and chains
<li>shorewall clear - remove all rules and chains
installed by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast
<li>shorewall refresh - refresh the rules involving the broadcast
addresses of firewall interfaces, <a
href="blacklisting_support.htm">the black list</a>, <a
href="traffic_shaping.htm">traffic control rules</a> and <a
href="ECN.html">ECN control rules</a>.</li>
</ul>
If you include the keyword <i>debug</i> as the first argument, then
If you include the keyword <i>debug</i> as the first argument, then
a shell trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
<p>The above command would trace the 'start' command and place the trace
information in the file /tmp/trace<br>
</p>
<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
bottom of this page.<br>
</p>
<p>The "shorewall" program may also be used to monitor the firewall.</p>
<ul>
<li>shorewall status - produce a verbose report about the
<li>shorewall status - produce a verbose report about the
firewall (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report
about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the
<li>shorewall show nat - produce a verbose report about the
nat table (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the
<li>shorewall show tos - produce a verbose report about the
mangle table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections
currently being tracked by the firewall.</li>
<li>shorewall
show
<li>shorewall
show
tc - displays
information about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the
firewall status, last 20 log entries and nat. When the log
entry display changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall
<li>shorewall hits - Produces several reports about the Shorewall
packet log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version
<li>shorewall version - Displays the installed version
number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of the
<li>shorewall check - Performs a <u>cursory</u> validation of the
zones, interfaces, hosts, rules and policy files.<br>
<br>
<font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
<font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
and does not parse and validate the generated iptables commands. Even
though the "check" command completes successfully, the configuration
may fail to start. Problem reports that complain about errors that the 'check'
though the "check" command completes successfully, the configuration
may fail to start. Problem reports that complain about errors that the 'check'
command does not detect will not be accepted.<br>
<br>
See the recommended way to make configuration changes described below.</b></font><br>
<br>
</li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
] - Restart shorewall using the specified configuration and if an
error occurs or if the<i> timeout </i> option is given and the new
configuration has been up for that many seconds then shorewall is
@ -162,121 +162,121 @@ restarted using the standard configuration.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors
the <a href="#Conf">LOGFILE </a>and produces an audible alarm when
new Shorewall messages are logged.</li>
</ul>
Finally, the "shorewall" program may be used to dynamically alter
Finally, the "shorewall" program may be used to dynamically alter
the contents of a zone.<br>
<ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
Adds the specified interface (and host if included) to the specified
zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
Deletes the specified interface (and host if included) from the specified
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
Deletes the specified interface (and host if included) from the specified
zone.</li>
</ul>
<blockquote>Examples:<br>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24
vpn1</b></font> -- deletes the address 192.0.2.24 from interface ipsec0
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24
vpn1</b></font> -- deletes the address 192.0.2.24 from interface ipsec0
from zone vpn1<br>
</blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and
<b>shorewall try </b>commands allow you to specify which <a
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
to use:</p>
<blockquote>
<blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p>
</blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the
<i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>,
that file will be used; otherwise, the file in /etc/shorewall will be
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the
<i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>,
that file will be used; otherwise, the file in /etc/shorewall will be
used.</p>
<p> When changing the configuration of a production firewall, I recommend
the following:</p>
<ul>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change from
<li>&lt;copy any files that you need to change from
/etc/shorewall to . and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li><font color="#009900"><b>/sbin/shorewall
try .</b></font></li>
</ul>
<p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails
to start, the "try" command will automatically start the old one for
you.</p>
<p> When the new configuration works then just </p>
<ul>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul>
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br>
</p>
<div align="center"><img src="images/State_Diagram.png"
alt="(State Diagram)" width="747" height="714" align="middle">
<br>
</div>
<p>  <br>
</p>
You will note that the commands that result in state transitions
use the word "firewall" rather than "shorewall". That is because the actual
transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
You will note that the commands that result in state transitions
use the word "firewall" rather than "shorewall". That is because the actual
transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
on Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
<br>
<table cellpadding="2" cellspacing="2" border="1">
<tbody>
<tr>
@ -323,16 +323,16 @@ use the word "firewall" rather than "shorewall". That is because the actual
If timeout then firewall restart (standard configuration)<br>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
<p><font size="2"> Updated 2/27/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 2/27/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>

244
Shorewall-docs/support.htm
View File

@ -1,91 +1,91 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Support Guide</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<h2>Before Reporting a Problem or Asking a Question<br>
</h2>
There are a number
There are a number
of sources of Shorewall information. Please try these before you post.
<ul>
<li>More than half of the questions posted
on the support list have answers directly accessible from the
<li>More than half of the questions posted
on the support list have answers directly accessible from the
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
</li>
<li> The <a
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
</li>
<li> The <a
href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems.
a number of tips to help you solve common problems.
</li>
<li> The <a
href="errata.htm"> Errata</a> has links to download updated
href="errata.htm"> Errata</a> has links to download updated
components. </li>
<li> The Site and Mailing
List Archives search facility can locate documents and posts
about similar problems: </li>
</ul>
<h2>Site and Mailing List Archive Search</h2>
<blockquote>
<blockquote>
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match:
<select name="method">
<option value="and">All </option>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
@ -95,8 +95,8 @@
<option value="revtitle">Reverse Title </option>
</select>
</font><input type="hidden" name="config" value="htdig"><input
type="hidden" name="restrict" value=""><font size="-1"> Include Mailing
List Archives:
type="hidden" name="restrict" value=""><font size="-1"> Include Mailing
List Archives:
<select size="1" name="exclude">
<option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
@ -106,14 +106,14 @@
type="submit" value="Search"><br>
</form>
</blockquote>
<h2>Problem Reporting Guidelines<br>
</h2>
<ul>
<li>Please remember we only know what is posted
in your message. Do not leave out any information that appears
<li>Please remember we only know what is posted
in your message. Do not leave out any information that appears
to be correct, or was mentioned in a previous post. There have been
countless posts by people who were sure that some part of their
configuration was correct when it actually contained a small error.
@ -123,26 +123,26 @@ countless posts by people who were sure that some part of their
<li>Please keep in mind that you're asking for
<strong>free</strong> technical support. Any help we offer
is an act of generosity, not an obligation. Try to make it easy
for us to help you. Follow good, courteous practices in writing
for us to help you. Follow good, courteous practices in writing
and formatting your e-mail. Provide details that we need if you expect
good answers. <em>Exact quoting </em> of error messages, log entries,
command output, and other output is better than a paraphrase or summary.<br>
<br>
</li>
<li> Please
<li> Please
don't describe your environment and then ask us to send you
custom configuration files. We're here to answer your
questions but we can't do your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong>
<li>When reporting a problem, <strong>ALWAYS</strong>
include this information:</li>
</ul>
<ul>
<ul>
<li>the exact version of Shorewall you are
running.<br>
@ -150,44 +150,44 @@ running.<br>
<b><font color="#009900">shorewall version</font><br>
</b> <br>
</li>
</ul>
<ul>
<li>the exact kernel version you are running<br>
<br>
<font color="#009900"><b>uname -a<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip addr show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip route show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>If your kernel is modularized, the exact
output from<br>
@ -206,14 +206,14 @@ running.<br>
<li><b>If you are running Shorewall under Mandrake
using the Mandrake installation of Shorewall, please say so.</b><br>
</li>
</ul>
</ul>
<ul>
<ul>
<li><font color="#ff0000"><u><i><big><b>If you are having connection
problems of any kind then:</b></big></i></u></font><br>
@ -228,54 +228,54 @@ using the Mandrake installation of Shorewall, please say so.</b><br>
<br>
</li>
</ul>
<li>As a general
matter, please <strong>do not edit the diagnostic information</strong>
in an attempt to conceal your IP address, netmask, nameserver
addresses, domain name, etc. These aren't secrets, and concealing
<li>As a general
matter, please <strong>do not edit the diagnostic information</strong>
in an attempt to conceal your IP address, netmask, nameserver
addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them
anyway from information contained in the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If so,
include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If so,
include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you
include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a
trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
color="#009900"><b>shorewall start</b></font>", include a
trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb so don't post GIFs
of your network layout, etc. to the Mailing
List -- your post will be rejected.</b></li>
</ul>
<blockquote>
The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
<blockquote>
The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote>
<h2>When using the mailing list, please post in plain text</h2>
<blockquote>
A growing number of MTAs serving list subscribers are rejecting
<blockquote>
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy
to allow HTML in list posts!!<br>
@ -290,50 +290,50 @@ all shorewall.net mail. As one list subscriber wrote to me privately
have now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote>
<blockquote>
<h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
Users mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft
Multi Network Firewall (MNF) and you have not purchased an MNF
license from MandrakeSoft then you can post non MNF-specific Shorewall
<b>If you run Shorewall under MandrakeSoft
Multi Network Firewall (MNF) and you have not purchased an MNF
license from MandrakeSoft then you can post non MNF-specific Shorewall
questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>.<br>
To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br>
</p>
</blockquote>
<p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
</p>
<p align="left"><font size="2">Last Updated 3/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>

570
Shorewall-docs/three-interface.htm
View File

File diff suppressed because it is too large Load Diff

438
Shorewall-docs/three-interface_fr.html
View File

@ -1,34 +1,34 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Three-Interface Firewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber5" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<h2 align="center">Version 2.0.1 Française</h2>
<p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail n?est
pas des plus précis (loin de là...). Je ne me suis pas attaché à une traduction
@ -40,16 +40,16 @@ N?h
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM pour
sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour son
formidable outil et sa disponibilité).</i></small></p>
<p align="left"><br>
Mettre en place un système linux en tant que firewall pour un petit réseau
contenant une DMZ est une chose assez simple à réaliser si vous comprenez
les bases et suivez cette documentation.</p>
<p>Ce guide ne prétend pas vous mettre au courant de toutes les possibilités
de Shorewall. Il se focalise sur les besoins pour configurer Shorewall dans
une de ses utilisations les plus populaire :</p>
<ul>
<li>Un système Linux utilisé en tant que firewall/routeur pour un petit
réseau local.</li>
@ -57,68 +57,68 @@ r
<li>Une DMZ connectée sur une interface Ethernet séparée.</li>
<li>Une connexion passant par l'ADSL, un Modem Câble, ISDN, Frame Relay,
RTC, ...</li>
</ul>
<p align="left">Voici le schéma d'une installation typique.</p>
<p align="center"> <img border="0" src="images/dmz1.png" width="692"
height="635">
</p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide pour
vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant
le changements dans votre configuration. Les points où, les changements dans
la configuration sont recommandées, sont signalés par une <img
border="0" src="images/BD21298_.gif" width="13" height="13">
</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
Si vous éditez vos fichiers de configuration sur un système Windows, vous
Si vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur offre cette option
sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la
copie avant de l'utiliser avec Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
<h2 align="left">Les Concepts de Shorewall</h2>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
Les fichiers de configuration pour Shorewall sont situés dans le répertoire
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez la configuration
d'exemple <a href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
d'exemple <a href="/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
sample</a>, un-tarez la (tar -zxvf three-interfaces.tgz) </b><b>et copiez
les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même
nom déjà existant dans /etc/shorewall installés lors de l'installation de
Shorewall)</b>.</p>
<p>En même temps que chacun des fichiers est présenté, je vous suggère de
jeter un oeil à ceux qui se trouvent réellement sur votre système -- chacun
des fichiers contient des instructions de configuration détaillées et des
entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
<i>zones.</i> Dans les fichiers de configuration fournis pour trois interfaces,
trois zones sont définies :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
<tbody>
@ -138,27 +138,27 @@ trois zones sont d
<td><b>dmz</b></td>
<td><b>Zone </b><b>Demilitarisée</b></td>
</tr>
</tbody>
</tbody>
</table>
<p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
- par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
<ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une zone
à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ul>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première
@ -166,11 +166,11 @@ politique dans /etc/shorewall/policy qui y correspond est appliqu
politique est REJECT ou DROP la requête est alors comparée par rapport aux
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface
sample a les politiques suivantes :</p>
<blockquote>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
@ -206,16 +206,16 @@ sample a les politiques suivantes :</p>
<td> <br>
</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<blockquote>
<blockquote>
<p>Dans l'archive three-interface, la ligne suivante est existante mais
elle est commentée. Si vous souhaitez que votre système de firewall puisse
avoir un accès complet aux serveurs sur Internet, décommentez la.</p>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
@ -235,13 +235,13 @@ avoir un acc
<td> <br>
</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>Les politiques précédentes vont :</p>
<ol>
<li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet vers
@ -249,19 +249,19 @@ votre firewall ou vers votre r
<li>Facultativement accepter toutes les demandes de connexion depuis votre
firewall et vers Internet (si vous decommentez la politique précédente)</li>
<li>reject (rejeter) toutes les autres demandes de connexion.</li>
</ol>
<p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
A ce point, éditez votre /etc/shorewall/policy et faites y les changements
A ce point, éditez votre /etc/shorewall/policy et faites y les changements
que vous désire</p>
<h2 align="left">Les Interfaces Réseau</h2>
<p align="center"> <img border="0" src="images/dmz1.png" width="692"
height="635">
</p>
<p align="left">Le firewall a trois interfaces de réseau. Lorsque la connexion
Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL
(non USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
@ -271,30 +271,30 @@ Protocol (PPTP), dans ce cas l'interface ext
type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC),
votre interface extérieure sera aussi ppp0. Si votre connexion passe par
Numéris (ISDN), votre interface extérieure sera ippp0<b>.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
Si votre interface vers l'extérieur est ppp0 ou ippp0 alors vous mettrez
CLAMPMSS=yes dans <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Votre <i>Interface locale</i> sera un adaptateur Ethernet
(eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs
locaux seront connectés à ce même switch (note : si vous n'avez qu'un seul
ordinateur en local, vous pouvez le connecter directement au firewall par
un <i>câble croisé</i>).</p>
<p align="left">Votre <i>interface DMZ</i> sera aussi un adaptateur Ethernet
(eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs
appartenant à la DMZ seront connectés à ce même switch (note : si vous n'avez
qu'un seul ordinateur dans la DMZ, vous pouvez le connecter directement au
firewall par un <i>câble croisé</i>).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u> Ne connectez pas l'interface interne et externe sur le même hub
ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez pas que
ce soit shorewall qui ne marche pas.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
L'exemple de configuration de Shorewall pour trois interfaces suppose que
@ -303,22 +303,22 @@ et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diff
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Tant que vous y êtes, vous pourriez parcourir la liste des options qui sont
spécifiées pour les interfaces. Quelques trucs :</p>
<ul>
<li>
<li>
<p align="left">Si votre interface externe est ppp0 ou ippp0, vous pouvez
remplacer le "detect" dans la seconde colonne par un "-". </p>
</li>
<li>
<li>
<p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien
si vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la
liste d'option. </p>
</li>
</ul>
<h2 align="left">Adresses IP</h2>
<p align="left">Avant d'aller plus loin, nous devons dire quelques mots au
sujet du Protocole d'adresse Internet (IP). Normalement, votre fournisseur
Internet (ISP) vous assignera une seule adresse IP (single Public IP address).
@ -327,25 +327,25 @@ Cette adresse peut
(modem standard) ou établissez votre connexion PPP. Dans de rares cas , votre
provider peu vous assigner une adresse statique (staticIP address); cela
signifie que vous configurez votre interface externe sur votre firewall afin
d'utiliser cette adresse de manière permanente. Une fois votre adresse externe
d'utiliser cette adresse de manière permanente. Une fois votre adresse externe
assignée, elle va être partagée par tout vos systèmes lors de l'accès à Internet.
Vous devrez assigner vos propres adresses à votre réseau local (votre interface
interne sur le firewall ainsi que les autres ordinateurs). La RFC 1918 réserve
plusieurs plages d'IP (Private IP address ranges) à cette fin :</p>
<div align="left">
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div>
<div align="left">
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface
externe et si elle est comprise dans une des plages précédentes, vous devriez
enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<div align="left">
<p align="left">Vous devrez assigner les adresses locales à un sous-réseau
(<i>sub-network </i>ou <i>subnet)</i> et les adresse pour la DMZ à un autre
sous-réseau. Pour ce faire, nous pouvons considérer qu'un sous-réseau consiste
@ -359,13 +359,13 @@ Routing</i>(CIDR)</a> qui consiste en l'adresse du sous-r
"/24". Le "24" se réfère au nombre de bits "1" consécutifs dans la partie
gauche du masque de sous-réseau. </p>
</div>
<div align="left">
<div align="left">
<p align="left">Exemple de sous-réseau (subnet) :</p>
</div>
<div align="left">
<blockquote>
<div align="left">
<blockquote>
<table border="1" style="border-collapse: collapse;" id="AutoNumber1"
cellpadding="2">
<tbody>
@ -385,27 +385,27 @@ gauche du masque de sous-r
<td><b>CIDR Notation:</b></td>
<td>10.10.10.0/24</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<div align="left">
<p align="left">Il est de convention d'assigner à l'interface interne la
première adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple
précédent) ou la dernière utilisable (10.10.10.254).</p>
</div>
<div align="left">
<div align="left">
<p align="left">L'un des buts d'un sous-réseau est de permettre à tous les
ordinateurs dans le sous-réseau de savoir avec quels autres ordinateurs ils
peuvent communiquer directement. Pour communiquer avec des systèmes en dehors
du sous-réseau, les ordinateurs envoient des paquets à travers le gateway
(routeur).</p>
</div>
<div align="left">
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
Vos ordinateurs locaux (ordinateur local 1 et 2) devraient être configurés
@ -414,26 +414,26 @@ IP de l'interface interne du firewall, et les ordinateurs de la DMZ devraient
être configurés avec leur passerelle par défaut (<i>default gateway)</i>
pointant sur l'adresse IP de l'interface DMZ du firewall. </p>
</div>
<p align="left">Cette courte description ne fait que survoler les concepts
de routage et de sous-réseau. Si vous vous voulez en apprendre plus sur l'adressage
IP et le routage, je vous recommande chaudement <i>"IP Fundamentals: What
Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas A.
Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">Pour rappel, ce guide supposera que vous avez configuré votre
réseau comme montrer ci-dessous :</p>
<p align="center"> <img border="0" src="images/dmz2.png" width="721"
height="635">
</p>
<p align="left">La passerelle par défaut (default gateway) pour les ordinateurs
de la DMZ sera 10.10.11.254 et le passerelle par défaut pour les ordinateurs
en local sera 10.10.10.254.</p>
<h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">Les adresses réservées par la RFC 1918 sont parfois désignées
comme non-routables car les routeurs Internet (backbone) ne font pas circuler
les paquets qui ont une adresse de destination appartenant à la RFC-1918.
@ -442,41 +442,41 @@ connexion
Address Translation). Le firewall ré écrit l'adresse source dans le paquet,
et l'a remplace par l'adresse de l'interface externe du firewall; en d'autres
mots, le firewall fait croire que c'est lui même qui initie la connexion.
Ceci est nécessaire afin que l'hôte de destination soit capable de renvoyer
Ceci est nécessaire afin que l'hôte de destination soit capable de renvoyer
les paquets au firewall (souvenez vous que les paquets qui ont pour adresse
de destination, une adresse réservée par la RFC 1918 ne pourront pas être
routés à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse
à l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet
l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur
1. </p>
<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de
l'IP Masquerading mais vous verrez aussi le terme de Source Network Address
Translation (SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter
:</p>
<ul>
<li>
<li>
<p align="left">Masquerade désigne le cas ou vous laissez votre firewall
détecter automatiquement l'adresse de l'interface externe. </p>
</li>
<li>
<li>
<p align="left">SNAT désigne le cas où vous spécifiez explicitement l'adresse
source des paquets sortant de votre réseau local. </p>
</li>
</ul>
<p align="left">Sous Shorewall, autant le Masquerading que le SNAT sont configuré
avec des entrés dans le fichier /etc/shorewall/masq.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
Si votre interface externe est <b>eth0</b>, votre interface locale <b>eth1</b>
et votre interface pour la DMZ <b>eth2</b> vous n'avez pas besoin de modifier
le fichier fourni avec l'exemple. Dans le cas contraire, éditez /etc/shorewall/masq
et changez le en conséquence.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
Si votre IP externe est statique, vous pouvez la mettre dans la troisième
@ -485,23 +485,23 @@ firewall fonctionnera bien si vous laissez cette colonne vide. Le fait de
mettre votre IP statique dans la troisième colonne permet un traitement des
paquets sortant un peu plus efficace.<br>
</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
Si vous utilisez les paquets Debian, vérifiez que votre fichier de configuration
shorewall.conf contient bien les valeurs suivantes, si elles n'y sont pas
faite les changements nécessaires :<br>
</p>
<ul>
<li>NAT_ENABLED=Yes</li>
<li>IP_FORWARDING=On<br>
</li>
</ul>
<h2 align="left">Port Forwarding (DNAT)</h2>
<p align="left">Un de nos buts est de, peut être, faire tourner un ou plusieurs
serveurs sur nos ordinateurs dans la DMZ. que ces ordinateurs on une adresse
RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter
@ -510,15 +510,15 @@ de connexion au firewall qui r
et fait passer le paquet à celui-ci. Lorsque votre serveur répond, le firewall
applique automatiquement un SNAT pour ré écrire l'adresse source dans la
réponse.</p>
<p align="left">Ce procédé est appelé Port Forwarding ou Destination Network
Address Translation(DNAT). Vous configurez le port forwarding en utilisant
les règles DNAT dans le fichier /etc/shorewall/rules.</p>
<p>La forme générale d'une simple règle de port forwarding dans /etc/shorewall/rules
est :</p>
<blockquote>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -534,7 +534,7 @@ est :</p>
<tr>
<td>DNAT</td>
<td>net</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
port&gt;</i>]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
@ -543,19 +543,19 @@ port&gt;</i>]</td>
<td> <br>
</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>Si vous ne spécifiez pas le <i>&lt;server port&gt;</i>, il est supposé
être le même que <i>&lt;port&gt;</i>.</p>
<p>Exemple - vous faites tourner un serveur Web dans votre DMZ (2) et vous
voulez faire passer les paquets entrant en TCP sur le port 80 à ce système
:</p>
<blockquote>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -586,13 +586,13 @@ voulez faire passer les paquets entrant en TCP sur le port 80
<td>#Permet les connexions </td>
<td>depuis le réseau local</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>Deux points importants à garder en mémoire :</p>
<ul>
<li>Lorsque vous vous connectez à votre serveur à partir de votre réseau
local, vous devez utiliser l'adresse IP interne du serveur (10.10.11.2).</li>
@ -601,10 +601,10 @@ de connexion entrantes sur le port 80. Si vous avez des probl
connecter à votre serveur web, essayez la règle suivante et connectez vous
sur le port 5000 (c.a.d., connectez vous à <a href="http://w.x.y.z:5000">
http://w.x.y.z:5000</a> où w.x.y.z est votre IP externe).</li>
</ul>
<blockquote>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -628,17 +628,17 @@ http://w.x.y.z:5000</a> o
<td> <br>
</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur
depuis le réseau local en utilisant votre adresse externe, et si vous avez
une adresse IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz
précédente par :</p>
<blockquote>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -660,26 +660,26 @@ pr
<td>-</td>
<td><i>&lt;external IP&gt;</i></td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>Si vous avez une IP dynamique, alors vous devez vous assurer que votre
interface externe est en route avant de lancer Shorewall et vous devez suivre
les étapes suivantes (en supposant que votre interface externe est <b>eth0</b>)
:</p>
<ol>
<li>Insérez ce qui suit dans /etc/shorewall/params :<br>
<br>
ETH0_IP=`find_interface_address eth0`<br>
</li>
<li>Faites votre règle loc-&gt;dmz :</li>
</ol>
<blockquote>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -702,19 +702,19 @@ les
<td>-</td>
<td>$ETH0_IP</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre
adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normalement, quand vous vous connectez à votre fournisseur
(ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le
firewall (Domain Name Service) est configuré automatiquement (c.a.d., le
@ -723,9 +723,9 @@ donne une paire d'adresse IP pour les DNS (name servers) afin que vous configuri
manuellement votre serveur de nom primaire et secondaire. La manière dont
le DNS est configuré sur votre firewall est de votre responsabilité. Vous
pouvez procéder d'une de ses deux façons :</p>
<ul>
<li>
<li>
<p align="left">Vous pouvez configurer votre système interne pour utiliser
les noms de serveurs de votre provider. Si votre fournisseur vous donne les
adresses de leurs serveurs ou si ces adresses sont disponibles sur leur site
@ -734,7 +734,7 @@ cette information n'est pas disponible, regardez dans /etc/resolv.conf sur
votre firewall -- les noms des serveurs sont donnés dans l'enregistrement
"nameserver" dans ce fichier. </p>
</li>
<li>
<li>
<p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13">
Vous pouvez installer/configurer un cache dns (Caching Name Server) sur
@ -742,19 +742,19 @@ votre firewall ou dans la DMZ.<i> </i>Red Hat a un RPM pour mettre en cache
un serveur de nom (le RPM requis aussi le RPM 'bind') et pour les utilisateurs
de Bering, il y a dnscache.lrp. Si vous adoptez cette approche, vous configurez
votre système interne pour utiliser le firewall lui même comme étant le seul
serveur de nom primaire. Vous pouvez utiliser l'adresse IP interne du firewall
serveur de nom primaire. Vous pouvez utiliser l'adresse IP interne du firewall
(10.10.10.254 dans l'exemple) pour l'adresse de serveur de nom si vous décidez
de faire tourner le serveur de nom sur votre firewall. Pour permettre à vos
systèmes locaux de discuter avec votre serveur cache de nom, vous devez ouvrir
le port 53 (UDP ET  TCP) sur le firewall vers le réseau local; vous ferez
ceci en ajoutant les règles suivantes dans /etc/shorewall/rules. </p>
</li>
</ul>
<blockquote>
<blockquote>
<p align="left">Si vous faites tourner le serveur de nom sur le firewall
:
:
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -811,16 +811,16 @@ ceci en ajoutant les r
<td> <br>
</td>
</tr>
</tbody>
</tbody>
</table>
</p>
</blockquote>
<div align="left">
<blockquote>
<div align="left">
<blockquote>
<p>Le serveur de nom tourne sur l'ordinateur 1 de la DMZ</p>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -877,23 +877,23 @@ ceci en ajoutant les r
<td> <br>
</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<div align="left">
<h2 align="left">Autres Connexions</h2>
</div>
<div align="left">
<div align="left">
<p align="left">L'exemple pour trois interfaces contient les règles suivantes
:</p>
</div>
<div align="left">
<blockquote>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -928,24 +928,24 @@ ceci en ajoutant les r
<td> <br>
</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<div align="left">
<p align="left">Ces règles permettent l'accès DNS depuis votre firewall et
peuvent être enlevées si vous avez décommenté la ligne dans /etc/shorewall/policy
autorisant toutes les connexions depuis votre firewall et vers Internet.</p>
</div>
<div align="left">
<div align="left">
<p align="left">L'exemple contient aussi :</p>
</div>
<div align="left">
<blockquote>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -980,25 +980,25 @@ autorisant toutes les connexions depuis votre firewall et vers Internet.</p>
<td> <br>
</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<div align="left">
<p align="left">Cette règle permet de faire fonctionner une serveur SSH sur
le firewall et sur tous les systèmes de la DMZ et d'y autoriser la connexion
à partir de votre réseau local.</p>
</div>
<div align="left">
<div align="left">
<p align="left">Si vous désirez permettre d'autres connexions entre vos systèmes,
la forme générale est :</p>
</div>
<div align="left">
<blockquote>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -1022,19 +1022,19 @@ la forme g
<td> <br>
</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur DNS disponible
pour le publique sur votre firewall :</p>
</div>
<div align="left">
<blockquote>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -1065,32 +1065,32 @@ pour le publique sur votre firewall :</p>
<td>#permet les accès DNS</td>
<td>depuis Internet</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<div align="left">
<p align="left">Ces deux règles seront, bien sur, ajoutées aux règles décrites
dans "Vous pouvez installer/configurer un cache dns (Caching Name Server)
sur votre firewall ou dans la DMZ".</p>
</div>
<div align="left">
<div align="left">
<p align="left">Si vous ne savez pas quel port ou protocole une application
particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
</div>
<div align="left">
<div align="left">
<p align="left">Important: Je ne vous recommande pas d'autoriser le telnet
depuis ou vers l'Internet car il utilise du texte en clair (même pour le
login et le mot de passe !). Si vous voulez avoir un accès au shell de votre
firewall depuis Internet, utilisez SSH :</p>
</div>
<div align="left">
<blockquote>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
@ -1114,24 +1114,24 @@ firewall depuis Internet, utilisez SSH :</p>
<td> <br>
</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
Et maintenant, éditez /etc/shorewall/rules pour rajouter les autres connexions
désirées.</p>
</div>
<div align="left">
<div align="left">
<h2 align="left">Lancer et Arrêter son Firewall</h2>
</div>
<div align="left">
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow">
La <a href="Install.htm">procédure d'installation</a> configure votre système
@ -1141,13 +1141,13 @@ avec que la configuration soit finie. Une fois que vous en avez fini avec
la configuration du firewall, vous pouvez permettre le lancement de Shorewall
en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p>
<p align="left">IMPORTANT: Les utilisateurs des paquets .deb doivent éditer
/etc/default/shorewall et mettre 'startup=1'<font color="#ff0000">.</font><br>
</p>
</div>
<div align="left">
<div align="left">
<p align="left">Le firewall est activé en utilisant la commande "shorewall
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le
routage est autorisé sur les hôtes qui possèdent une entrée dans <a
@ -1156,8 +1156,8 @@ firewall qui tourne peut
restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
de Netfilter, utilisez "shorewall clear".</p>
</div>
<div align="left">
<div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
L'exemple pour trois interfaces suppose que vous voulez permettre le routage
@ -1166,12 +1166,12 @@ Shorewall est arr
à votre réseau local et votre DMZ, ou si vous voulez permettre un ensemble
d'hôtes différents, modifiez /etc/shorewall/routestopped en conséquence.</p>
</div>
<div align="left">
<div align="left">
<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis
Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration </a></i><i><a
@ -1179,10 +1179,10 @@ il est plus int
tester en utilisant la commande <a
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
</div>
<p align="left"><font size="2">Last updated 12/20/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>

176
Shorewall-docs/traffic_shaping.htm
View File

@ -1,56 +1,56 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Traffic Shaping</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p align="left">Shorewall has limited support for traffic shaping/control.
In order to use traffic shaping under Shorewall, it is essential that
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
<p align="left">Shorewall has limited support for traffic shaping/control.
In order to use traffic shaping under Shorewall, it is essential that
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
and Shaping HOWTO</a>, version 0.3.0 or later. It is also necessary
to be running Linux Kernel 2.4.18 or later.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul>
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
Traffic Shaping also requires that you enable packet mangling.</li>
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
the setting of this variable determines whether Shorewall clears the traffic
the setting of this variable determines whether Shorewall clears the traffic
shaping configuration during Shorewall [re]start and Shorewall stop. <br>
</li>
<li><b>/etc/shorewall/tcrules</b> - A file where you can
specify firewall marking of packets. The firewall mark value may
<li><b>/etc/shorewall/tcrules</b> - A file where you can
specify firewall marking of packets. The firewall mark value may
be used to classify packets for traffic shaping/control.<br>
</li>
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file
that is sourced by Shorewall during "shorewall start" and which
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file
that is sourced by Shorewall during "shorewall start" and which
you can use to define your traffic shaping disciplines and classes.
I have provided a <a
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
@ -63,85 +63,85 @@ faster than you can learn how to use my sample. I personally use
2.4.20, HTB is a standard part of the kernel but iproute2 must be patched
in order to use it.<br>
<br>
In tcstart, when you want to run the 'tc' utility, use
the run_tc function supplied by shorewall if you want tc errors
In tcstart, when you want to run the 'tc' utility, use
the run_tc function supplied by shorewall if you want tc errors
to stop the firewall.<br>
<br>
You can generally use off-the-shelf traffic shaping scripts by
You can generally use off-the-shelf traffic shaping scripts by
simply copying them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
modified it according to the Wonder Shaper README). <b>WARNING: </b>If
you use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
modified it according to the Wonder Shaper README). <b>WARNING: </b>If
you use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been applied
so when traffic shaping happens, all outbound traffic will have as a source
address the IP addresss of your firewall's external interface.<br>
</li>
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file
that is sourced by Shorewall when it is clearing traffic shaping.
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file
that is sourced by Shorewall when it is clearing traffic shaping.
This file is normally not required as Shorewall's method of clearing
qdisc and filter definitions is pretty general.</li>
</ul>
Shorewall allows you to start traffic shaping when Shorewall itself
starts or it allows you to bring up traffic shaping when you bring up
your interfaces.<br>
<br>
To start traffic shaping when Shorewall starts:<br>
<ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
shaping rules.</li>
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
shaping. That is usually unnecessary.</li>
<li>If your tcstart script uses the 'fwmark' classifier, you can
<li>If your tcstart script uses the 'fwmark' classifier, you can
mark packets using entries in /etc/shorewall/tcrules.</li>
</ol>
To start traffic shaping when you bring up your network interfaces,
you will have to arrange for your traffic shaping configuration script
to be run at that time. How you do that is distribution dependent and will
not be covered here. You then should:<br>
<ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
scripts.</li>
<li value="4">If your tcstart script uses the 'fwmark' classifier,
<li value="4">If your tcstart script uses the 'fwmark' classifier,
you can mark packets using entries in /etc/shorewall/tcrules.</li>
</ol>
<h3 align="left">Kernel Configuration</h3>
<p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
<p align="center"><img border="0" src="images/QoS.png" width="590"
height="764">
</p>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides
<p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides
a means for specifying these marks in a tabular fashion.<br>
</p>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading are
being used. Beginning with Shorewall 1.3.12, you can cause packet marking
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p>
<p align="left">Columns in the file are as follows:</p>
<ul>
<li>MARK - Specifies the mark value is to be assigned
in case of a match. This is an integer in the range 1-255. Beginning
in case of a match. This is an integer in the range 1-255. Beginning
with Shorewall version 1.3.14, this value may be optionally followed by ":"
and either 'F' or 'P' to designate that the marking will occur in the FORWARD
or PREROUTING chains respectively. If this additional specification is omitted,
@ -159,7 +159,7 @@ a comma-separated list of interface names, IP addresses, MAC addresses
    eth0<br>
    192.168.2.4,192.168.1.0/24<br>
</li>
<li>DEST -- Destination of the packet. Comma-separated
<li>DEST -- Destination of the packet. Comma-separated
list of IP addresses and/or subnets.<br>
</li>
<li>PROTO - Protocol - Must be the name of a protocol
@ -167,20 +167,20 @@ from /etc/protocol, a number or "all"<br>
</li>
<li>PORT(S) - Destination Ports. A comma-separated list
of Port names (from /etc/services), port numbers or port ranges
(e.g., 21:22); if the protocol is "icmp", this column is interpreted
(e.g., 21:22); if the protocol is "icmp", this column is interpreted
as the destination icmp type(s).<br>
</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
If omitted, any source port is acceptable. Specified as a comma-separate
If omitted, any source port is acceptable. Specified as a comma-separate
list of port names, port numbers or port ranges.</li>
</ul>
<p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 and eth3 should be marked with
2. All packets originating on the firewall itself should be marked
with 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -229,14 +229,14 @@ with 3.</p>
<td> </td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked
with 12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -255,13 +255,13 @@ with 12.</p>
<td> </td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
and destined for 155.186.235.151 should be marked with 22.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
@ -280,41 +280,41 @@ with 12.</p>
<td>22</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
<h3>My Setup<br>
</h3>
<p>While I am currently using the HTB version of <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
in the Wondershaper README), I have also run with the following set of
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
in the Wondershaper README), I have also run with the following set of
hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
</p>
<blockquote>
<blockquote>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1</pre>
<pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
<pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
<pre>echo "   Enabled PFIFO on Second Level Classes"</pre>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>echo "   Defined fwmark filters"<br></pre>
</blockquote>
<p>My tcrules file that went with this tcstart file is shown in Example 1
above. You can look at <a href="myfiles.htm">my configuration</a> to
<p>My tcrules file that went with this tcstart file is shown in Example 1
above. You can look at <a href="myfiles.htm">my configuration</a> to
see why I wanted shaping of this type.<br>
</p>
<ol>
<li>I wanted to allow up to 140kbits/second for traffic outbound
from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ
@ -322,13 +322,13 @@ traffic can use all available bandwidth if there is no traffic from the
local systems or from my laptop or firewall).</li>
<li>My laptop and local systems could use up to 224kbits/second.</li>
<li>My firewall could use up to 20kbits/second.</li>
</ol>
You see <a href="myfiles.htm">the rest of my Shorewall configuration</a>
to see how this fit in. <br>
<p><font size="2">Last Updated 3/19/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>

164
Shorewall-docs/troubleshoot.htm
View File

@ -1,82 +1,82 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Troubleshooting</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle">
</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<h3 align="left">Check the Errata</h3>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
sure that there isn't an update that you are missing for your version
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
sure that there isn't an update that you are missing for your version
of the firewall.</p>
<h3 align="left">Check the FAQs</h3>
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
problems.</p>
<h3 align="left">If the firewall fails to start</h3>
If you receive an error message when starting or restarting
the firewall and you can't determine the cause, then do the following:
<ul>
<li>Make a note of the error message that you see.<br>
</li>
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you
<li>Look at the /tmp/trace file and see if that helps you
determine what the problem is. Be sure you find the place in the log
where the error message you saw is generated -- in 99.9% of the cases, it
will not be near the end of the log because after startup errors, Shorewall
goes through a "shorewall stop" phase which will also be traced.</li>
<li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li>
</ul>
Here's an example. During startup, a user sees the following:<br>
<blockquote>
<blockquote>
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
</blockquote>
A search through the trace for "No chain/target/match by that name" turned
up the following: 
<blockquote>
A search through the trace for "No chain/target/match by that name" turned
up the following: 
<blockquote>
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
</blockquote>
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
tcp-reset". In this case, the user had compiled his own kernel and had forgotten
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
tcp-reset". In this case, the user had compiled his own kernel and had forgotten
to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
<h3>Your network environment</h3>
<p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived network setup. Here are several popular snafus:
<p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived network setup. Here are several popular snafus:
</p>
<ul>
<li>Port Forwarding where client and server are in
the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
@ -86,47 +86,47 @@ the system is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch.
Given the way that the Linux kernel respond to ARP "who-has" requests,
this type of setup does NOT work the way that you expect it to.</li>
</ul>
<h3 align="left">If you are having connection problems:</h3>
<p align="left">If the appropriate policy for the connection that you are
<p align="left">If the appropriate policy for the connection that you are
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they
add clutter to your rule set and they represent a big security hole in
the event that you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of
your best diagnostic tools - the "Shorewall" messages that Netfilter
will generate when you try to connect in a way that isn't permitted
<p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of
your best diagnostic tools - the "Shorewall" messages that Netfilter
will generate when you try to connect in a way that isn't permitted
by your rule set.</p>
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't
see Shorewall messages, then your problem is probably NOT a Shorewall
problem. If you DO see packet messages, it may be an indication that you
are missing one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p>
<p align="left">LOGRATE=""<br>
LOGBURST=""</p>
<p align="left">This way, you will see all of the log messages being
<p align="left">This way, you will see all of the log messages being
generated (be sure to restart shorewall after clearing these variables).</p>
<p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
LEN=47</font></p>
</font>
</font>
<p align="left">Let's look at the important parts of this message:</p>
<ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all
chain -- the packet was rejected under the "all"-&gt;"all" REJECT
@ -137,49 +137,49 @@ policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li>
</ul>
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
is in the "loc" zone. I was missing the rule:</p>
<p align="left">ACCEPT    dmz    loc    udp    53<br>
</p>
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
about how to interpret the chain name appearing in a Shorewall log message.<br>
</p>
<h3 align="left">'Ping' Problems?</h3>
Either can't ping when you think you should be able to or are able to ping
when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
href="ping.html"> is described here</a>.<br>
<h3 align="left">Other Gotchas</h3>
<ul>
<li>Seeing rejected/dropped packets logged out of the INPUT
or FORWARD chains? This means that:
<li>Seeing rejected/dropped packets logged out of the INPUT
or FORWARD chains? This means that:
<ol>
<li>your zone definitions are screwed up and the host that
is sending the packets or the destination host isn't in any zone
(using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
file are you?); or</li>
<li>the source and destination hosts are both connected to
the same interface and you don't have a policy or rule for the
the same interface and you don't have a policy or rule for the
source zone to or from the destination zone.</li>
</ol>
</li>
<li>Remember that Shorewall doesn't automatically allow ICMP
type 8 ("ping") requests to be sent between zones. If you want
type 8 ("ping") requests to be sent between zones. If you want
pings to be allowed between zones, you need a rule of the form:<br>
<br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br>
<br>
The ramifications of this can be subtle. For example, if you
The ramifications of this can be subtle. For example, if you
have the following in /etc/shorewall/nat:<br>
<br>
    10.1.1.2    eth0    130.252.100.18<br>
@ -187,7 +187,7 @@ pings to be allowed between zones, you need a rule of the form:<br>
and you ping 130.252.100.18, unless you have allowed icmp
type 8 between the zone containing the system you are pinging from
and the zone containing 10.1.1.2, the ping requests will be dropped. </li>
<li>If you specify "routefilter" for an interface, that
<li>If you specify "routefilter" for an interface, that
interface must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems
usually need to be configured with their default gateway set to
@ -196,35 +196,35 @@ aspect of routing is that in order for two hosts to communicate, the
routing between them must be set up <u>in both directions.</u> So
when setting up routing between <b>A</b> and<b> B</b>, be sure to
verify that the route from <b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have
<li>Some versions of LRP (EigerStein2Beta for example) have
a shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Shorewall requires the "ip" program. That program is
generally included in the "iproute" package which should be included
with your distribution (though many distributions don't install iproute
generally included in the "iproute" package which should be included
with your distribution (though many distributions don't install iproute
by default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li>
<li>Problems with NAT? Be sure that you let Shorewall
<li>Problems with NAT? Be sure that you let Shorewall
add all external addresses to be use with NAT unless you have set <a
href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li>
</ul>
<h3>Still Having Problems?</h3>
<p>See the<a href="support.htm"> support page.<br>
</a></p>
<font face="Century Gothic, Arial, Helvetica">
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote>
</font>
</font>
<p><font size="2">Last updated 2/21/2003 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>

524
Shorewall-docs/two-interface.htm
View File

File diff suppressed because it is too large Load Diff

446
Shorewall-docs/two-interface_fr.html
View File

File diff suppressed because it is too large Load Diff

606
Shorewall-docs/upgrade_issues.htm
View File

@ -1,409 +1,425 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Upgrade Issues</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.<br>
</p>
<p>It is important that you read all of the sections on this page where the
version number mentioned in the section title is later than what you are
currently running. <br>
</p>
</p>
<p>It is important that you read all of the sections on this page where the
version number mentioned in the section title is later than what you are
currently running. <br>
</p>
<h3> </h3>
<h3>Version &gt;= 1.4.1</h3>
In the description that follows, the term <i>group </i>refers to a particular
network or subnetwork (which may be 0.0.0.0/0 or it may be a host address)
accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
<br>
<ul>
<li>Beginning with Version 1.4.1, intra-zone traffic is accepted by default.
Previously, traffic from a zone to itself was treated just like any other
traffic; any matching rules were applied followed by enforcement of the appropriate
policy. With 1.4.1 and later versions, unless you have explicit rules for
traffic from Z to Z or you have an explicit Z to Z policy (where "Z" is some
zone) then traffic within zone Z will be accepted. If you do have one or more
explicit rules for Z to Z or if you have an explicit Z to Z policy then the
behavior is as it was in prior versions.</li>
<li>Beginning with Version 1.4.1, traffic between groups in the same
zone is accepted by default. Previously, traffic from a zone to itself was
treated just like any other traffic; any matching rules were applied followed
by enforcement of the appropriate policy. With 1.4.1 and later versions,
unless you have explicit rules for traffic from Z to Z or you have an explicit
Z to Z policy (where "Z" is some zone) then traffic between the groups in
zone Z will be accepted. If you do have one or more explicit rules for Z
to Z or if you have an explicit Z to Z policy then the behavior is as it
was in prior versions.</li>
</ul>
<blockquote>
<blockquote>
<ol>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic between
two interfaces to the same zone, that policy can be removed and traffic between
the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic between
two interfaces to the same zone, that policy can be removed and traffic
between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one that has "all"
in either the SOURCE or DESTINATION column) to prevent traffic between two
interfaces to a zone Z and you have no rules for Z-&gt;Z then you should
<li>If you are currently relying on a implicit policy (one that has
"all" in either the SOURCE or DESTINATION column) to prevent traffic between
two interfaces to a zone Z and you have no rules for Z-&gt;Z then you should
add an explicit DROP or REJECT policy for Z to Z.<br>
</li>
</li>
</ol>
</blockquote>
</blockquote>
<ul>
<li>Beginning with Version 1.4.1, Shorewall will never create rules to
deal with traffic from a given <i>interface:subnetwork </i>back to itself.
The <i>multi</i> interface option is no longer available so if you want to
route traffic between two subnetworks on the same interface then either:</li>
<li>Beginning with Version 1.4.1, Shorewall will never create rules to
deal with traffic from a given group back to itself. The <i>multi</i> interface
option is no longer available so if you want to route traffic between two
subnetworks on the same interface then either:</li>
</ul>
<blockquote>
<blockquote>
<ol>
<li>The subnetworks must be in different zones; or</li>
<li>You must use the /etc/shorewall/hosts file to define the subnetworks
in a single zone.</li>
<li>The subnetworks must be in different zones; or</li>
<li>You must use the /etc/shorewall/hosts file to define the subnetworks
as two groups in a single zone.</li>
</ol>
</blockquote>
Example 1 -- Two zones:<br>
</blockquote>
Example 1 -- Two zones:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/policy<br><br>z1 z2 ACCEPT<br>z2 z1 ACCEPT<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.0/24<br>z2 eth1:192.168.2.0/24<br></pre>
</blockquote>
Example 2 -- One zone:
</blockquote>
Example 2 -- One zone:
<blockquote>
<pre><br>/etc/shorewall/zones<br><br>z Zone The Zone<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z eth1:192.168.1.0/24<br>z eth1:192.168.2.0/24<br></pre>
</blockquote>
Note that in the second example, we don't need any policy since z-&gt;z traffic
is accepted by default. The second technique is preferable if you want unlimited
access between the two subnetworks.<br>
<br>
Sometimes, you want two separate zones on one interface but you don't want
Shorewall to set up any infrastructure to handle traffic between them. <br>
<br>
Example:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to be involved
Note that in the second example, we don't need any policy since z-&gt;z
traffic is accepted by default. The second technique is preferable if you
want unlimited access between the two subnetworks.<br>
<br>
Sometimes, you want two separate zones on one interface but you don't want
Shorewall to set up any infrastructure to handle traffic between them. <br>
<br>
Example:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to be involved
in any traffic between these two zones. Beginning with Shorewall 1.4.1, you
can prevent Shorewall from setting up any infrastructure to handle traffic
between z1 and z2 by using the new NONE policy:<br>
<blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote>
Note that NONE policies are generally used in pairs unless there is asymetric
</blockquote>
Note that NONE policies are generally used in pairs unless there is asymetric
routing where only the traffic on one direction flows through the firewall
and you are using a NONE polciy in the other direction. 
<h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute
package ('ip' utility).</b><br>
<br>
<b>Note: </b>Unfortunately, some distributions call this package iproute2
<br>
<b>Note: </b>Unfortunately, some distributions call this package iproute2
which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh
<br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh
--nodeps &lt;shorewall rpm&gt;).<br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul>
<li>The <b>noping </b>and <b>forwardping</b> interface options
are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
ICMP echo-request (ping) packets are treated just like any other connection
request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
<li>The <b>noping </b>and <b>forwardping</b> interface options
are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
ICMP echo-request (ping) packets are treated just like any other connection
request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
contents are determined by BOTH the interfaces and hosts files when there
are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents
are determined by BOTH the interfaces and hosts files when there are entries
for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts
file has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is no
longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by default;
there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have
been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include
it from /etc/shorewall/icmpdef, you will need to modify that file.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is no
longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by default;
there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have
been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include
it from /etc/shorewall/icmpdef, you will need to modify that file.</li>
<ul>
</ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address
<li>If you followed the advice in FAQ #2 and call find_interface_address
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
</li>
</li>
</ul>
<ul>
</ul>
<h3>Version 1.4.0</h3>
<ul>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall
will generate rules for sending packets back out the same interface that
they arrived on in two cases:</li>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall
will generate rules for sending packets back out the same interface that
they arrived on in two cases:</li>
</ul>
<blockquote>
<blockquote>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to or from
the destination zone. An explicit policy names both zones and does not use
the 'all' reserved word.</li>
<li>There is an <u>explicit</u> policy for the source zone to or from
the destination zone. An explicit policy names both zones and does not
use the 'all' reserved word.</li>
</ul>
<ul>
<li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all' reserved
<li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li>
</ul>
</blockquote>
</blockquote>
<h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
     Beginning in version 1.3.14, Shorewall treats entries in <a
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
     Beginning in version 1.3.14, Shorewall treats entries in <a
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change
involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br>
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
<b>column</b>:<br>
<ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet
on the interface (as shown by "ip addr show <i>interface</i>") and would
masquerade traffic from that subnet. Any other subnets that routed through
eth1 needed their own entry in /etc/shorewall/masq to be masqueraded or
to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet
on the interface (as shown by "ip addr show <i>interface</i>") and would
masquerade traffic from that subnet. Any other subnets that routed through
eth1 needed their own entry in /etc/shorewall/masq to be masqueraded
or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
routing table to determine ALL subnets routed through the named interface.
Traffic originating in ANY of those subnets is masqueraded or has SNAT
applied.</li>
</ul>
You will need to make a change to your configuration if:<br>
You will need to make a change to your configuration if:<br>
<ol>
<li>You have one or more entries in /etc/shorewall/masq with
<li>You have one or more entries in /etc/shorewall/masq with
an interface name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li>
<li>That interface connects to more than one subnetwork.</li>
</ol>
Two examples:<br>
<br>
 <b>Example 1</b> -- Suppose that your current config is as follows:<br>
   <br>
Two examples:<br>
<br>
 <b>Example 1</b> -- Suppose that your current config is as follows:<br>
   <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
required.<br>
</blockquote>
<b>Example 2</b>-- What if your current configuration is like this?<br>
</blockquote>
<b>Example 2</b>-- What if your current configuration is like
this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
to:<br>
</blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be used
(If the option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes
is assumed). I don't plan on supporting the old handling indefinitely
so I urge current users to migrate to using the new handling as soon as
possible. See the <a href="ping.html">'Ping' handling documentation</a>
for details.<br>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br>
<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be
used (If the option is not set in your /etc/shorewall/shorewall.conf
then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the
old handling indefinitely so I urge current users to migrate to using
the new handling as soon as possible. See the <a href="ping.html">'Ping'
handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br>
<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote>
<h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions.
The 'functions' file has moved to /usr/lib/shorewall/functions.
If you have an application that uses functions from that file, your
application will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.8,
you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p>
<p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version
1.3.8, you must set NEWNOTSYN=Yes in
your /etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following rules
in their /etc/shorewall/icmpdef file
(creating this file if necessary):</p>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following
rules in their /etc/shorewall/icmpdef
file (creating this file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version
1.3.3 and later:</p>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version
1.3.3 and later:</p>
<ol>
<li>Be sure you have a backup
-- you will need to transcribe any
Shorewall configuration changes that
you have made to the new configuration.</li>
<li>Replace the shorwall.lrp
<li>Be sure you have a backup
-- you will need to transcribe any
Shorewall configuration changes that
you have made to the new configuration.</li>
<li>Replace the shorwall.lrp
package provided on the Bering floppy
with the later one. If you did not
obtain the later version from Jacques's
site, see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall
entry if present. Then do not forget
to backup root.lrp !</li>
obtain the later version from Jacques's
site, see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall
entry if present. Then do not forget
to backup root.lrp !</li>
</ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to
add the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need
to add the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote>
</blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6
and 1.3.7</p>
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions
1.3.6 and 1.3.7</p>
<ol>
<li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn
<li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn
-j RETURN # So that the connection tracking table can be
rebuilt<br>
                                    # from non-SYN
packets after takeover.<br>
 </font> </p>
</li>
<li>
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p
tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks
to rebuild connection<br>
                                                                   
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
</li>
                                    # from non-SYN
packets after takeover.<br>
 </font> </p>
</li>
<li>
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p
tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to
rebuild connection<br>
                                                                   
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
</li>
</ol>
<h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p>
<p align="left">Example 1:</p>
<div align="left">
<div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div>
</div>
<p align="left">Must be replaced with:</p>
<div align="left">
<div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div>
<div align="left">
</div>
<div align="left">
<p align="left">Example 2:</p>
</div>
<div align="left">
</div>
<div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div>
<div align="left">
</div>
<div align="left">
<p align="left">Must be replaced with:</p>
</div>
<div align="left">
</div>
<div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre>
</div>
</div>
<h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those
applications should be modified accordingly.</p>
<p><font size="2"> Last updated 3/18/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those
applications should be modified accordingly.</p>
<p><font size="2"> Last updated 3/18/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
</body>

28
Shorewall-docs/useful_links.html
View File

@ -2,48 +2,48 @@
<html>
<head>
<title>Useful Links</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Useful Links</font><br>
</h1>
<br>
</td>
</tr>
</tbody>
</tbody>
</table>
&nbsp;&nbsp; &nbsp;<br>
<h3>NetFilter Site: <a href="http://www.netfilter.org">http://www.netfilter.org<img
src="images/netfilterlogo.png" alt="Netfilter Logo" width="94"
height="33" hspace="4" align="middle" border="0">
</a></h3>
<h3>Linux Advanced Routing and Traffic Control Howto: <a
href="http://ds9a.nl/lartc">http://ds9a.nl/lartc</a></h3>
<h3>Iproute Downloads: <a href="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</a></h3>
<h3>LEAF Site: <a href="http://leaf-project.org">http://leaf-project.org<img
src="images/leaflogo.jpg" alt="Leaf Logo" width="64" height="48"
align="middle" hspace="4" border="0">
</a></h3>
<h3>Bering LEAF Distribution: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></h3>
<h3>Debian apt-get sources for Shorewall: <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html<img
src="images/openlogo-nd-50.png" alt="Open Logo" width="25" height="30"
@ -53,8 +53,8 @@
</a><br>
</h3>
<br>
<font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font>
<font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>

184
Shorewall-docs/whitelisting_under_shorewall.htm
View File

@ -1,66 +1,66 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Whitelisting under Shorewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Whitelisting under Shorewall</font></h1>
</td>
</tr>
</tbody>
</tbody>
</table>
<p align="left">For a brief time, the 1.2 version of Shorewall supported an
/etc/shorewall/whitelist file. This file was intended to contain a list of
IP addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist
file was implemented as a stop-gap measure until the facilities necessary
for implementing white lists using zones was in place. As of Version 1.3
IP addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist
file was implemented as a stop-gap measure until the facilities necessary
for implementing white lists using zones was in place. As of Version 1.3
RC1, those facilities were available.</p>
<p align="left">White lists are most often used to give special privileges
to a set  of hosts within an organization. Let us suppose that we have the
<p align="left">White lists are most often used to give special privileges
to a set  of hosts within an organization. Let us suppose that we have the
following environment:</p>
<ul>
<li>A firewall with three interfaces -- one to the internet, one to
<li>A firewall with three interfaces -- one to the internet, one to
a local network and one to a DMZ.</li>
<li>The local network uses SNAT to the internet and is comprised of
the class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918
<li>The local network uses SNAT to the internet and is comprised of
the class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918
local network, the technique described here in no way depends on that or
on SNAT. It may be used with Proxy ARP, Subnet Routing, Static NAT, etc.).</li>
<li>The network operations staff have workstations with IP addresses
<li>The network operations staff have workstations with IP addresses
in the class C network 10.10.10.0/24</li>
<li>We want the network operations staff to have full access to all
<li>We want the network operations staff to have full access to all
other hosts.</li>
<li>We want the network operations staff to bypass the transparent
<li>We want the network operations staff to bypass the transparent
HTTP proxy running on our firewall.</li>
</ul>
<p align="left">The basic approach will be that we will place the operations
staff's class C in its own zone called <b>ops</b>. Here are the appropriate
<p align="left">The basic approach will be that we will place the operations
staff's class C in its own zone called <b>ops</b>. Here are the appropriate
configuration files:</p>
<h2 align="left">Zone File</h2>
<blockquote>
<blockquote>
<table border="2">
<tbody>
<tr>
@ -88,17 +88,17 @@ other hosts.</li>
<td>DMZ</td>
<td>Demilitarized zone</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>The <b>ops </b>zone has been added to the standard 3-zone zones file --
<p>The <b>ops </b>zone has been added to the standard 3-zone zones file --
since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b>.</p>
<h2>Interfaces File</h2>
<blockquote>
<blockquote>
<table border="2">
<tbody>
<tr>
@ -126,20 +126,20 @@ since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b
<td>10.10.255.255</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>,
<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>,
we don't specify a zone for it here.</p>
<h2>Hosts File</h2>
<blockquote> <font face="Century Gothic, Arial, Helvetica">
</font>
<blockquote> <font face="Century Gothic, Arial, Helvetica">
</font>
<table border="2">
<tbody>
<tr>
@ -158,24 +158,24 @@ we don't specify a zone for it here.</p>
<td>eth2:0.0.0.0/0</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is
<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is
stopped, only the hosts in the <b>ops</b> zone will be allowed to access the
firewall and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather
than 10.10.0.0/16 so that the limited broadcast address (255.255.255.255)
falls into that zone. If I used 10.10.0.0/16 then I would have to have a
than 10.10.0.0/16 so that the limited broadcast address (255.255.255.255)
falls into that zone. If I used 10.10.0.0/16 then I would have to have a
separate entry for that special address.</p>
<h2>Policy File</h2>
<blockquote> <font face="Century Gothic, Arial, Helvetica">
</font>
<blockquote> <font face="Century Gothic, Arial, Helvetica">
</font>
<table border="2">
<tbody>
<tr>
@ -189,18 +189,18 @@ separate entry for that special address.</p>
<td><font color="#0000ff">ops</font></td>
<td><font color="#0000ff">all</font></td>
<td><font color="#0000ff">ACCEPT</font></td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><font color="#0000ff">all</font></td>
<td><font color="#0000ff">ops</font></td>
<td><font color="#0000ff">CONTINUE</font></td>
<td> </td>
<td> </td>
</tr>
<tr>
@ -208,7 +208,7 @@ separate entry for that special address.</p>
<td>net</td>
<td>ACCEPT</td>
<td> </td>
<td> </td>
</tr>
<tr>
@ -225,19 +225,19 @@ separate entry for that special address.</p>
<td>info</td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>Two entries for <b>ops</b> have been added to the standard 3-zone policy
<p>Two entries for <b>ops</b> have been added to the standard 3-zone policy
file.<font color="#ff0000"><b></b></font></p>
<h2>Rules File</h2>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2">
<tbody>
<tr>
@ -270,18 +270,18 @@ file.<font color="#ff0000"><b></b></font></p>
<td> </td>
<td> </td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>This is the rule that transparently redirects web traffic to the transparent
proxy running on the firewall. The SOURCE column explicitly excludes the
<p>This is the rule that transparently redirects web traffic to the transparent
proxy running on the firewall. The SOURCE column explicitly excludes the
<b>ops</b> zone from the rule.</p>
<h2>Routestopped File</h2>
<blockquote>
<table border="2">
<tbody>
@ -301,25 +301,25 @@ file.<font color="#ff0000"><b></b></font></p>
</td>
<td>10.10.10.0/24</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<p><font size="2"> Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>