diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index a68c583b5..a53543489 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -56,7 +56,7 @@
(FAQ 37) I just installed Shorewall on Debian and the
- /etc/shorewall directory is empty!!!
+ /etc/shorewall directory is almost empty!!!
Answer:
@@ -71,19 +71,13 @@
If you install using the .deb, you will find that your /etc/shorewall directory is empty. This is
- intentional. The released configuration file skeletons may be found on
- your system in the directory /etc/shorewall directory is almost empty.
+ This is intentional. The released configuration file skeletons may be
+ found on your system in the directory /usr/share/doc/shorewall/default-config.
Simply copy the files you need from that directory to /etc/shorewall and modify the
copies.
-
- Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf
- and /usr/share/doc/shorewall/default-config/modules
- to /etc/shorewall even if you do
- not modify those files.
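Review bot: the unchanged context line ends with "directory is empty. This is" and the added line begins "This is intentional.", so the rendered paragraph reads "This is This is intentional."; either drop the trailing "This is" from the context line in this hunk or start the added line at "intentional." The same sentence also still says the directory "is empty" while the retitled FAQ 37 now says "almost empty"; make the two agree. Deleting the note that shorewall.conf and modules must be copied even when unmodified changes the instructions materially: that is only safe if the .deb now installs those two files into /etc/shorewall itself (which would be what "almost empty" means), and if so the answer should say that explicitly, otherwise readers following the shortened text end up with a configuration that will not start.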
@@ -135,6 +129,13 @@ DNAT net loc:192.168.1.5 udp 7777
# PORT DEST.
DNAT net loc:<local IP address>[:<local port>] <protocol> <port #> - <external IP>
+ If you want to forward requests from a particular internet address
+ ( <address> ):
+
+ #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
+# PORT DEST.
+DNAT net:<address> loc:<local IP address>[:<local port>] <protocol> <port #> -
+
Finally, if you need to forward a range of ports, in the DEST PORT
column specify the range as
<low-port>:<high-port>.
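Review bot: the new template's header row still lists ORIGINAL DEST, but the rule itself stops at "-" in SOURCE PORT, whereas the template immediately above it shows "<external IP>" in that column; either add "[<external IP>]" at the end of the new rule or state that the column may be left empty when the firewall has a single external address, so the two templates are not read as contradicting each other. Also the added "#ACTION SOURCE ..." header line is indented further than the "# PORT DEST." line beneath it, so the column headings will not line up in the rendered listing as they do in the earlier example.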
@@ -358,7 +359,7 @@ DNAT net fw:192.168.1.1:22 tcp 4104
- (FAQ 48) How do I Set up Transparent Proxy with
+ (FAQ 48) How do I Set up Transparent HTTP Proxy with
Shorewall?
Answer: See That rule only works of course if you have a static external
IP address. If you have a dynamic IP address then include this in
- /etc/shorewall/params:
+ /etc/shorewall/params (or your
+ <export directory>/init file if you are
+ using Shorewall Lite on the firewall system):
ETH0_IP=`find_first_interface_address eth0`
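Review bot: the new parenthetical tells Shorewall Lite users to put the assignment in <export directory>/init rather than params, but gives no reason; add one sentence saying why (presumably that params is processed on the administrative system when the configuration is compiled, while the init file runs on the firewall where eth0 actually exists, so find_first_interface_address only yields the right address there). The identical parenthetical is added again in the later FAQ 2 dynamic-address hunk of this patch; one explanation referenced from both places would avoid two copies drifting apart.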
@@ -444,8 +447,8 @@ DNAT loc loc:192.168.1.5 tcp www - 130.15
DNAT loc loc:192.168.1.5 tcp www - $ETH0_IP
Using this technique, you will want to configure your
- DHCP/PPPoE client to automatically restart Shorewall each time that
- you get a new IP address.
+ DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each
+ time that you get a new IP address.
@@ -478,8 +481,8 @@ DNAT loc loc:192.168.1.5 tcp www - $ETH0
addresses and can be accessed externally and internally using the same
address.
- If you don't like those solutions and prefer to stupidly route
- all Z->Z traffic through your firewall then:
+ If you don't like those solutions and prefer, incredibly, to
+ route all Z->Z traffic through your firewall then:
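Review bot: "prefer, incredibly, to" replaces one sneer with another and still reads as mocking the user; neutral wording such as "If you would rather route all Z->Z traffic through your firewall anyway, then:" carries the same warning without the editorializing. The same applies to "silly hack" standing in for "idiotic hack" in the dmz->dmz hunk further down this patch.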
@@ -495,7 +498,7 @@ DNAT loc loc:192.168.1.5 tcp www - $ETH0
Example:
- Zone: dmz Interface: eth2 Subnet: 192.168.2.0/24 Address: 192.168.2.254
+ Zone: dmz, Interface: eth2, Subnet: 192.168.2.0/24, Address: 192.168.2.254
In /etc/shorewall/interfaces:
@@ -510,7 +513,7 @@ dmz eth2 192.168.2.255 routeback
#INTERFACE SUBNETS ADDRESS
eth2 eth2 192.168.2.254
- Like the idiotic hack in FAQ 2 above, this will make all
+ Like the silly hack in FAQ 2 above, this will make all
dmz->dmz traffic appear to originate on the firewall.
@@ -545,7 +548,9 @@ DNAT loc dmz:192.168.2.4 tcp 80 - 206
If your external IP address is dynamic, then you must do the
following:
- In /etc/shorewall/params:
+ In /etc/shorewall/params (or in your
+ <export directory>/init file if you are
+ using Shorewall Lite on the firewall system):
ETH0_IP=`find_first_interface_address eth0`
@@ -762,7 +767,8 @@ to debug/develop the newnat interface.
The DNS settings on the local systems are wrong or the user is
running a DNS server on the firewall and hasn't enabled UDP and TCP
- port 53 from the firewall to the internet.
+ port 53 from the local net to the firewall or from the firewall to
+ the internet.
@@ -862,9 +868,34 @@ LOGBURST=""
http://home.regit.org/ulogd-php.html
- I personally use Logwatch. It emails me a report each day from
- my various systems with each report summarizing the logged activity on
- the corresponding system.
+ I personally use Logwatch. It emails me a report
+ each day from my various systems with each report summarizing the
+ logged activity on the corresponding system. I use the brief report
+ format; here's a sample:
+
+
+ --------------------- iptables firewall Begin ------------------------
+
+ Dropped 111 packets on interface eth0
+ From 58.20.162.142 - 5 packets to tcp(1080)
+ From 62.163.19.50 - 1 packet to udp(6348)
+ From 66.111.45.60 - 9 packets to tcp(192)
+ From 69.31.82.50 - 18 packets to tcp(3128)
+ From 72.232.183.102 - 2 packets to tcp(3128)
+ From 82.96.96.3 - 6 packets to tcp(808,1080,1978,7600,65506)
+ From 128.48.51.209 - 5 packets to tcp(143)
+ From 164.77.223.150 - 12 packets to tcp(873)
+ From 165.233.109.23 - 8 packets to tcp(22)
+ From 202.99.172.175 - 4 packets to udp(2,4081)
+ From 206.59.41.101 - 2 packets to tcp(5900)
+ From 217.91.30.224 - 24 packets to tcp(873)
+ From 218.87.47.114 - 6 packets to tcp(3128)
+ From 220.110.219.234 - 4 packets to tcp(22)
+ From 220.133.116.173 - 5 packets to tcp(3128)
+
+ ---------------------- iptables firewall End -------------------------
+
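Review bot: the sample report publishes fifteen real-looking public source addresses (58.20.162.142, 165.233.109.23, 217.91.30.224 and so on) lifted from a production log, which attributes port scans to specific third-party hosts in permanent documentation; rewrite the sample using the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) or mask the final octets. The per-host counts do add up to the stated "Dropped 111 packets", so the numbers themselves can stay as they are. Also check that this block sits inside a preformatted element in the XML; the leading spaces and the Begin/End rules only make sense if it is rendered verbatim.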
@@ -1136,9 +1167,10 @@ DROP net fw udp 10619
/etc/shorewall/hosts.
- In Shorewall 3.3.3 and later versions, such packets may also
- be logged out of a <zone>2all chain or the all2all
- chain.
+ In Shorewall 3.3.3 and later versions with OPTIMIZE=1 in
+ shorewall.conf, such
+ packets may also be logged out of a <zone>2all chain or the
+ all2all chain.
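Review bot: "with OPTIMIZE=1 in shorewall.conf" is the operative qualification, but nothing says what OPTIMIZE=1 does, so the reader cannot tell why the log message moves from the expected chain to <zone>2all or all2all; a short clause explaining that the per-zone chains are what the optimisation removes would make the chain name predictable. The sentence is repeated almost word for word in the next hunk for fw2all; a single shared sentence covering both cases would avoid the duplication.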
@@ -1150,8 +1182,10 @@ DROP net fw udp 10619
your defined zones(shorewall[-lite] show zones
and look at the printed zone definitions).
- In Shorewall 3.3.3 and later versions, such packets may also
- be logged out of the fw2all chain or the all2all chain.
+ In Shorewall 3.3.3 and later versions with OPTIMIZE=1 in
+ shorewall.conf, such
+ packets may also be logged out of the fw2all chain or the all2all
+ chain.
@@ -1357,8 +1391,8 @@ modprobe: Can't locate module iptable_raw
different ISPs. How do I set this up in Shorewall?
Answer: See this article on Shorewall and
- Routing.
+ url="MultiISP.html">this article on Shorewall and Multiple
+ ISPs.
@@ -1428,10 +1462,6 @@ Perhaps iptables or your kernel needs to be upgraded.
chkconfig --delete ipchains
rmmod ipchains
- Also, be sure to check the errata
- for problems concerning the version of iptables (v1.2.3) shipped with
- RH7.2.
-
(FAQ 8a) When I try to start Shorewall on RedHat I get a
message referring me to FAQ #8
@@ -1497,13 +1527,13 @@ Creating input Chains...
- (FAQ 34) How can I speed up start (restart)?
+ (FAQ 34) How can I speed up Shorewall start (restart)?
Answer:Using a light-weight shell
- such as ash can dramatically decrease the time
- required to start or restart Shorewall. See the SHOREWALL_SHELL
- variable in ash or dash can
+ dramatically decrease the time required to start or restart
+ Shorewall. See the SHOREWALL_SHELL variable in shorewall.conf .
Use a fast terminal emulator -- in particular the KDE konsole
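Review bot: "shorewall.conf ." in the added line has a stray space before the full stop (likely the period was placed outside the filename element); move it tight against the closing tag. While touching this answer, the context line "Answer:Using" is missing its space as well, and the added "ash or dash can" has to join the unchanged "Using a light-weight shell such as" to form one sentence; verify the rendered result reads "Using a light-weight shell such as ash or dash can dramatically decrease the time required to start or restart Shorewall."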
@@ -1637,8 +1667,7 @@ iptables: Invalid argument
Netfilter modules loaded. How do I avoid that?
Answer: Copy
- /usr/share/shorewall/modules (or
- /usr/share/shorewall/xmodules if appropriate) to
+ /usr/share/shorewall[-lite]/modules to
/etc/shorewall/modules and modify the copy to
include only the modules that you need.
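Review bot: the copy source became /usr/share/shorewall[-lite]/modules but the destination is still hard-coded as /etc/shorewall/modules; for Shorewall Lite the destination should be the -lite configuration directory, so write the target as /etc/shorewall[-lite]/modules to match. Dropping the xmodules alternative also removes the only pointer to that file; if it still ships, keep the mention, and if it was retired, say so in the release notes rather than silently.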
@@ -2047,7 +2076,7 @@ eth0 eth1 # eth1 = interface to local netwo
Shorewall Lite 3.2.2
- Shorewall Lite 3.2.3
+ Shorewall Lite 3.2.3 and later
@@ -2089,7 +2118,8 @@ eth0 eth1 # eth1 = interface to local netwo
- Shorewall 3.2.3
+ Shorewall 3.2.3 and
+ later
P1
@@ -2241,12 +2271,12 @@ REJECT fw net:216.239.39.99 allGiven that
parsing the payload of individual packets doesn't always work because
the application-level data stream can be split across packets in
arbitrary ways. This is one of the weaknesses of the 'string match'
- Netfilter extension available in Patch-O-Matic-ng. The only sure way to
- filter on packet content is to proxy the connections in question -- in
- the case of HTTP, this means running something like Squid. Proxying allows the
- proxy process to assemble complete application-level messages which can
- then be accurately parsed and decisions can be made based on the
+ Netfilter extension available in later Linux kernel releases. The only
+ sure way to filter on packet content is to proxy the connections in
+ question -- in the case of HTTP, this means running something like
+ Squid. Proxying allows
+ the proxy process to assemble complete application-level messages which
+ can then be accurately parsed and decisions can be made based on the
result.
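Review bot: "available in later Linux kernel releases" is vaguer than the Patch-O-Matic-ng reference it replaces; name the kernel version in which the string match entered mainline so a reader can tell whether their kernel has it. The security point of the paragraph is worth stating more sharply while it is being reworded: splitting the pattern across packet boundaries is not just a case the match "doesn't always work" for, it is a trivial evasion of any per-packet string filter, which is exactly why the answer's recommendation to proxy (Squid for HTTP) should stay as the only sure method.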
@@ -2296,7 +2326,7 @@ gateway:~#
$FW loc ACCEPT
loc $FW ACCEPT
- You can also delete any ACCEPT rules from $FW->loc and
+ You should also delete any ACCEPT rules from $FW->loc and
loc->$FW since those rules are redundant with the above
policies.