From c9758d4e1975d744f47a99d30fc39c3f75dcdb4e Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 5 Dec 2006 18:25:40 +0000 Subject: [PATCH] Tweak FAQ git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5056 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/FAQ.xml | 130 +++++++++++++++++++++++++++++++-------------------- 1 file changed, 80 insertions(+), 50 deletions(-) diff --git a/docs/FAQ.xml b/docs/FAQ.xml index a68c583b5..a53543489 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -56,7 +56,7 @@
(FAQ 37) I just installed Shorewall on Debian and the - /etc/shorewall directory is empty!!! + /etc/shorewall directory is almost empty!!! Answer: @@ -71,19 +71,13 @@ If you install using the .deb, you will find that your /etc/shorewall directory is empty. This is - intentional. The released configuration file skeletons may be found on - your system in the directory /etc/shorewall directory is almost empty. + This is intentional. The released configuration file skeletons may be + found on your system in the directory /usr/share/doc/shorewall/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies. - - Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf - and /usr/share/doc/shorewall/default-config/modules - to /etc/shorewall even if you do - not modify those files.
@@ -135,6 +129,13 @@ DNAT net loc:192.168.1.5 udp 7777 # PORT DEST. DNAT net loc:<local IP address>[:<local port>] <protocol> <port #> - <external IP> + If you want to forward requests from a particular internet address + ( <address> ): + + #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL +# PORT DEST. +DNAT net:<address> loc:<local IP address>[:<local port>] <protocol> <port #> - + Finally, if you need to forward a range of ports, in the DEST PORT column specify the range as <low-port>:<high-port>. @@ -358,7 +359,7 @@ DNAT net fw:192.168.1.1:22 tcp 4104
- (FAQ 48) How do I Set up Transparent Proxy with + <title>(FAQ 48) How do I Set up Transparent HTTP Proxy with Shorewall? Answer: See That rule only works of course if you have a static external IP address. If you have a dynamic IP address then include this in - /etc/shorewall/params: + /etc/shorewall/params (or your + <export directory>/init file if you are + using Shorewall Lite on the firewall system): ETH0_IP=`find_first_interface_address eth0` @@ -444,8 +447,8 @@ DNAT loc loc:192.168.1.5 tcp www - 130.15 DNAT loc loc:192.168.1.5 tcp www - $ETH0_IP Using this technique, you will want to configure your - DHCP/PPPoE client to automatically restart Shorewall each time that - you get a new IP address. + DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each + time that you get a new IP address. @@ -478,8 +481,8 @@ DNAT loc loc:192.168.1.5 tcp www - $ETH0 addresses and can be accessed externally and internally using the same address. - If you don't like those solutions and prefer to stupidly route - all Z->Z traffic through your firewall then: + If you don't like those solutions and prefer, incredibly, to + route all Z->Z traffic through your firewall then: @@ -495,7 +498,7 @@ DNAT loc loc:192.168.1.5 tcp www - $ETH0 Example: - Zone: dmz Interface: eth2 Subnet: 192.168.2.0/24 Address: 192.168.2.254 + Zone: dmz, Interface: eth2, Subnet: 192.168.2.0/24, Address: 192.168.2.254 In /etc/shorewall/interfaces: @@ -510,7 +513,7 @@ dmz eth2 192.168.2.255 routeback #INTERFACE SUBNETS ADDRESS eth2 eth2 192.168.2.254 - Like the idiotic hack in FAQ 2 above, this will make all + Like the silly hack in FAQ 2 above, this will make all dmz->dmz traffic appear to originate on the firewall.
@@ -545,7 +548,9 @@ DNAT loc dmz:192.168.2.4 tcp 80 - 206 If your external IP address is dynamic, then you must do the following: - In /etc/shorewall/params: + In /etc/shorewall/params (or in your + <export directory>/init file if you are + using Shorewall Lite on the firewall system): ETH0_IP=`find_first_interface_address eth0` @@ -762,7 +767,8 @@ to debug/develop the newnat interface. The DNS settings on the local systems are wrong or the user is running a DNS server on the firewall and hasn't enabled UDP and TCP - port 53 from the firewall to the internet. + port 53 from the local net to the firewall or from the firewall to + the internet. @@ -862,9 +868,34 @@ LOGBURST="" http://home.regit.org/ulogd-php.html - I personally use Logwatch. It emails me a report each day from - my various systems with each report summarizing the logged activity on - the corresponding system. + I personally use Logwatch. It emails me a report + each day from my various systems with each report summarizing the + logged activity on the corresponding system. I use the brief report + format; here's a sample: + +
+ --------------------- iptables firewall Begin ------------------------ + + Dropped 111 packets on interface eth0 + From 58.20.162.142 - 5 packets to tcp(1080) + From 62.163.19.50 - 1 packet to udp(6348) + From 66.111.45.60 - 9 packets to tcp(192) + From 69.31.82.50 - 18 packets to tcp(3128) + From 72.232.183.102 - 2 packets to tcp(3128) + From 82.96.96.3 - 6 packets to tcp(808,1080,1978,7600,65506) + From 128.48.51.209 - 5 packets to tcp(143) + From 164.77.223.150 - 12 packets to tcp(873) + From 165.233.109.23 - 8 packets to tcp(22) + From 202.99.172.175 - 4 packets to udp(2,4081) + From 206.59.41.101 - 2 packets to tcp(5900) + From 217.91.30.224 - 24 packets to tcp(873) + From 218.87.47.114 - 6 packets to tcp(3128) + From 220.110.219.234 - 4 packets to tcp(22) + From 220.133.116.173 - 5 packets to tcp(3128) + + ---------------------- iptables firewall End ------------------------- +
@@ -1136,9 +1167,10 @@ DROP net fw udp 10619 /etc/shorewall/hosts. - In Shorewall 3.3.3 and later versions, such packets may also - be logged out of a <zone>2all chain or the all2all - chain. + In Shorewall 3.3.3 and later versions with OPTIMIZE=1 in + shorewall.conf, such + packets may also be logged out of a <zone>2all chain or the + all2all chain. @@ -1150,8 +1182,10 @@ DROP net fw udp 10619 your defined zones(shorewall[-lite] show zones and look at the printed zone definitions). - In Shorewall 3.3.3 and later versions, such packets may also - be logged out of the fw2all chain or the all2all chain. + In Shorewall 3.3.3 and later versions with OPTIMIZE=1 in + shorewall.conf, such + packets may also be logged out of the fw2all chain or the all2all + chain. @@ -1357,8 +1391,8 @@ modprobe: Can't locate module iptable_raw different ISPs. How do I set this up in Shorewall? Answer: See this article on Shorewall and - Routing. + url="MultiISP.html">this article on Shorewall and Multiple + ISPs.
@@ -1428,10 +1462,6 @@ Perhaps iptables or your kernel needs to be upgraded. chkconfig --delete ipchains rmmod ipchains - Also, be sure to check the errata - for problems concerning the version of iptables (v1.2.3) shipped with - RH7.2. -
(FAQ 8a) When I try to start Shorewall on RedHat I get a message referring me to FAQ #8 @@ -1497,13 +1527,13 @@ Creating input Chains...
- (FAQ 34) How can I speed up start (restart)? + (FAQ 34) How can I speed up Shorewall start (restart)? Answer:Using a light-weight shell - such as ash can dramatically decrease the time - required to start or restart Shorewall. See the SHOREWALL_SHELL - variable in ash or dash can + dramatically decrease the time required to start or restart + Shorewall. See the SHOREWALL_SHELL variable in shorewall.conf . Use a fast terminal emulator -- in particular the KDE konsole @@ -1637,8 +1667,7 @@ iptables: Invalid argument Netfilter modules loaded. How do I avoid that? Answer: Copy - /usr/share/shorewall/modules (or - /usr/share/shorewall/xmodules if appropriate) to + /usr/share/shorewall[-lite]/modules to /etc/shorewall/modules and modify the copy to include only the modules that you need.
@@ -2047,7 +2076,7 @@ eth0 eth1 # eth1 = interface to local netwo Shorewall Lite 3.2.2 - Shorewall Lite 3.2.3 + Shorewall Lite 3.2.3 and later @@ -2089,7 +2118,8 @@ eth0 eth1 # eth1 = interface to local netwo - Shorewall 3.2.3 + Shorewall 3.2.3 and + later P1 @@ -2241,12 +2271,12 @@ REJECT fw net:216.239.39.99 allGiven that parsing the payload of individual packets doesn't always work because the application-level data stream can be split across packets in arbitrary ways. This is one of the weaknesses of the 'string match' - Netfilter extension available in Patch-O-Matic-ng. The only sure way to - filter on packet content is to proxy the connections in question -- in - the case of HTTP, this means running something like Squid. Proxying allows the - proxy process to assemble complete application-level messages which can - then be accurately parsed and decisions can be made based on the + Netfilter extension available in later Linux kernel releases. The only + sure way to filter on packet content is to proxy the connections in + question -- in the case of HTTP, this means running something like + Squid. Proxying allows + the proxy process to assemble complete application-level messages which + can then be accurately parsed and decisions can be made based on the result.
@@ -2296,7 +2326,7 @@ gateway:~# $FW loc ACCEPT loc $FW ACCEPT - You can also delete any ACCEPT rules from $FW->loc and + You should also delete any ACCEPT rules from $FW->loc and loc->$FW since those rules are redundant with the above policies.