diff --git a/Shorewall-docs/FAQ.xml b/Shorewall-docs/FAQ.xml
index ba210071f..6a385dad6 100644
--- a/Shorewall-docs/FAQ.xml
+++ b/Shorewall-docs/FAQ.xml
@@ -15,7 +15,7 @@
- 2003-12-09
+ 2003-12-13
2001 - 2003
@@ -24,6 +24,16 @@
+
+ 1.4
+
+ 2003-12-13
+
+ TE
+
+ Corrected formatting problems
+
+
1.3
@@ -802,8 +812,7 @@
Add the following to /etc/shorewall/common
- run_iptables -A icmpdef -p ICMP --icmp-type
- echo-request -j ACCEPT
+ run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT
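Review bot: Joining `run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT` onto one line is the right fix here, because the removed wrap separated `--icmp-type` from its argument `echo-request`, and a reader who pasted the listing as shown into /etc/shorewall/common would get an iptables usage error. Since the rule carries no source restriction, the sentence introducing it could add that this accepts echo-request from everything the icmpdef chain sees, so the reader understands the scope of what the listing opens.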
@@ -868,7 +877,8 @@
through settings in
/etc/shorewall/shorewall.conf -- If you want to log all messages, set:
- LOGLIMIT="" LOGBURST=""
+ LOGLIMIT=""
+LOGBURST=""
Beginning with Shorewall version 1.3.12, you can set up Shorewall to log all of its messages
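Review bot: The two added lines are indented differently (` LOGLIMIT=""` carries a leading space, `LOGBURST=""` does not); if that space is inside the programlisting it renders as a misaligned first line, and the same first-line-only indent recurs in most of the other reflowed listings in this patch, so the element boundaries are worth one check. Putting the two settings on separate lines is otherwise an improvement, since the old one-line form read as a single setting.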
@@ -881,12 +891,12 @@
that may be helpful:
http://www.shorewall.net/pub/shorewall/parsefw/
- http://www.fireparse.com
- http://cert.uni-stuttgart.de/projects/fwlogwatch
- http://www.logwatch.org
- http://gege.org/iptables
- http://home.regit.org/ulogd-php.html
+url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/pub/shorewall/parsefw/
+http://www.fireparse.com
+http://cert.uni-stuttgart.de/projects/fwlogwatch
+http://www.logwatch.org
+http://gege.org/iptables
+http://home.regit.org/ulogd-php.html
I personnaly use Logwatch. It emails me a report each day from
my various systems with each report summarizing the logged activity on
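Review bot: The first added line begins with `url="http://www.shorewall.net/pub/shorewall/parsefw/">` with no element name in front of it, so please confirm the ulink start tag survived the edit and the markup is still well-formed; the other five URLs are added as plain text, so for consistency either link all six or none. The unchanged line just below still has the typo `personnaly` (personally), which belongs in a formatting-cleanup commit like this one.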
@@ -934,10 +944,14 @@
logged twice, they are corrupted. I solve this problem by using an
/etc/shorewall/common file like this:
- # # Include the standard common.def file # .
- /etc/shorewall/common.def # # The following rule is non-standard and
- compensates for tardy # DNS replies # run_iptables -A common -p udp
- --sport 53 -mstate --state NEW -j DROP
+ #
+# Include the standard common.def file
+# . /etc/shorewall/common.def
+#
+# The following rule is non-standard and compensates for tardy
+# DNS replies
+#
+run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
The above file is also include in all of my sample
configurations available in the
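Review bot: In the new /etc/shorewall/common listing the line `# . /etc/shorewall/common.def` is a comment, so common.def is never sourced and the resulting common chain holds only the single DROP rule that follows. The removed one-line version read `# # Include the standard common.def file # .` followed by `/etc/shorewall/common.def`, i.e. a three-line `#` banner followed by the `.` command on its own uncommented line, matching the `#` / text / `#` banner style used for the DNS comment below; suggest `#`, `# Include the standard common.def file`, `#`, then `. /etc/shorewall/common.def` on a line of its own. Two smaller points: `-mstate` is better written `-m state` (the attached form is accepted but unusual and easy to misread), and the context line below has `include` where it means `included`.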
-
- Example:
-
- MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00
-
-
-
- Destination MAC address = 00:04:4c:dc:e2:28
-
-
-
- Source MAC address = 00:b0:8e:cf:3c:4c
-
-
-
- Ethernet Frame Type = 08:00 (IP Version 4)
-
-
-
+ ExampleMAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00Destination
+ MAC address = 00:04:4c:dc:e2:28Source
+ MAC address = 00:b0:8e:cf:3c:4cEthernet
+ Frame Type = 08:00 (IP Version 4)
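Review bot: The rewritten MAC example runs each label into the value before it (`ExampleMAC=00:04:...`, `...e2:28Source`, `...3c:4cEthernet`), so unless the surrounding markup preserves these exact line breaks it renders as one unbroken string and the reader can no longer see where the destination MAC ends and the source MAC label starts. Keep `Example`, the `MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00` line and the three decoded fields on separate lines, as the removed version had them.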
@@ -1351,12 +1350,23 @@
providers that connect a local network (or even a single machine) to
the big Internet.
- ________ +------------+ / | | | +-------------+
- Provider 1 +------- __ | | | / ___/ \_ +------+-------+ +------------+
- | _/ \__ | if1 | / / \ | | | | Local network -----+ Linux router | |
- Internet \_ __/ | | | \__ __/ | if2 | \ \___/ +------+-------+
- +------------+ | | | | \ +-------------+ Provider 2 +------- | | |
- +------------+ \________
+ ________
+ +------------+ /
+ | | |
+ +-------------+ Provider 1 +-------
+ __ | | | /
+ ___/ \_ +------+-------+ +------------+ |
+ _/ \__ | if1 | /
+ / \ | | |
+| Local network -----+ Linux router | | Internet
+ \_ __/ | | |
+ \__ __/ | if2 | \
+ \___/ +------+-------+ +------------+ |
+ | | | \
+ +-------------+ Provider 2 +-------
+ | | |
+ +------------+ \________
+
There are usually two questions given this setup.
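Review bot: The reflowed diagram needs a check in a monospaced rendering, because the rows' leading whitespace looks collapsed: `| Local network -----+ Linux router |` starts in column 1 while the surrounding rows have a single leading space, and the rows that should sit under the Provider 1 and Provider 2 boxes start at nearly the same column as the cloud outline, so the box borders and the `________` / `\________` edges of the right-hand cloud are unlikely to line up. Breaking the art out of the single flattened line is the right direction; it just needs the original column offsets restored.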
@@ -1385,9 +1395,10 @@
These are added in /etc/iproute2/rt_tables. Then you set up routing in
these tables as follows:
- ip route add $P1_NET dev $IF1 src $IP1 table T1 ip
- route add default via $P1 table T1 ip route add $P2_NET dev $IF2 src
- $IP2 table T2 ip route add default via $P2 table T2
+ ip route add $P1_NET dev $IF1 src $IP1 table T1
+ip route add default via $P1 table T1
+ip route add $P2_NET dev $IF2 src $IP2 table T2
+ip route add default via $P2 table T2
Nothing spectacular, just build a route to the gateway and build
a default route via that gateway, as you would do in the case of a
@@ -1401,8 +1412,8 @@
to that neighbour. Note the `src' arguments, they make sure the
right outgoing IP address is chosen.
- ip route add $P1_NET dev $IF1 src $IP1 ip route add
- $P2_NET dev $IF2 src $IP2
+ ip route add $P1_NET dev $IF1 src $IP1
+ip route add $P2_NET dev $IF2 src $IP2
Then, your preference for default route:
@@ -1413,8 +1424,8 @@
a given interface if you already have the corresponding source
address:
- ip rule add from $IP1 table T1 ip rule add from $IP2
- table T2
+ ip rule add from $IP1 table T1
+ip rule add from $IP2 table T2
This set of commands makes sure all answers to traffic coming in
on a particular interface get answered from that interface.
@@ -1423,10 +1434,12 @@
'If $P0_NET is the local network and $IF0 is its
interface, the following additional entries are desirable:
- ip route add $P0_NET dev $IF0 table T1 ip route add
- $P2_NET dev $IF2 table T1 ip route add 127.0.0.0/8 dev lo table T1
- ip route add $P0_NET dev $IF0 table T2 ip route add $P1_NET dev $IF1
- table T2 ip route add 127.0.0.0/8 dev lo table T2
+ ip route add $P0_NET dev $IF0 table T1
+ip route add $P2_NET dev $IF2 table T1
+ip route add 127.0.0.0/8 dev lo table T1
+ip route add $P0_NET dev $IF0 table T2
+ip route add $P1_NET dev $IF1 table T2
+ip route add 127.0.0.0/8 dev lo table T2
Now, this is just the very basic setup. It will work for all
@@ -1449,8 +1462,8 @@
is done as follows (once more building on the example in the section
on split-access):
- ip route add default scope global nexthop via $P1 dev
- $IF1 weight 1 \ nexthop via $P2 dev $IF2 weight 1
+ ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
+ nexthop via $P2 dev $IF2 weight 1
This will balance the routes over both providers. The weight parameters can be tweaked to favor one
@@ -1492,20 +1505,21 @@
Answer: The output you will see
looks something like this:
- /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o:
- init_module: Device or resource busy Hint: insmod errors can be caused
- by incorrect module parameters, including invalid IO or IRQ parameters
- /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
- /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
- /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
- ip_tables failed iptables v1.2.3: can't initialize iptables table
- `nat': iptables who? (do you need to insmod?) Perhaps iptables or
- your kernel needs to be upgraded.
+ /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
+Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
+/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
+/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
+/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
+iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
+Perhaps iptables or your kernel needs to be upgraded.
+
- This is usually cured by the following sequence of commands:
+ This problem is usually corrected through the following sequence
+ of commands
- service ipchains stop chkconfig --delete ipchains rmmod
- ipchains
+ service ipchains stop
+chkconfig --delete ipchains
+rmmod ipchains
Also, be sure to check the errata
for problems concerning the version of iptables (v1.2.3) shipped with
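Review bot: The reworded sentence `This problem is usually corrected through the following sequence of commands` drops the colon that the removed sentence had before the listing; restore it (`... sequence of commands:`) since it introduces the three commands that follow. The reflowed insmod output is otherwise clearer, with each message on its own line as it appears on a terminal, and the ipchains listing is now pasteable as three separate commands.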
@@ -1527,13 +1541,21 @@
I just installed Shorewall and when I issue the start command, I
see the following:
- Processing /etc/shorewall/params ... Processing
- /etc/shorewall/shorewall.conf ... Starting Shorewall... Loading
- Modules... Initializing... Determining Zones... Zones: net loc
- Validating interfaces file... Validating hosts file... Determining Hosts
- in Zones... Net Zone: eth0:0.0.0.0/0
- Local Zone: eth1:0.0.0.0/0 Deleting
- user chains... Creating input Chains... ...
+ Processing /etc/shorewall/params ...
+Processing /etc/shorewall/shorewall.conf ...
+Starting Shorewall...
+Loading Modules...
+Initializing...
+Determining Zones...
+ Zones: net loc
+Validating interfaces file...
+Validating hosts file...
+Determining Hosts in Zones...
+ Net Zone: eth0:0.0.0.0/0
+ Local Zone: eth1:0.0.0.0/0
+Deleting user chains...
+Creating input Chains...
+...
Why can't Shorewall detect my interfaces properly?
@@ -1856,4 +1878,4 @@
2 Bridging".
-
+
\ No newline at end of file
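Review bot: This last hunk replaces the file's final blank line and leaves FAQ.xml without a terminating newline (`\ No newline at end of file`); please keep a trailing newline so the final line is complete and the next edit to the file does not produce a spurious hunk at this spot.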