forked from extern/shorewall_code
Add recent files to CVS
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@759 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
9a51cb0b60
commit
cb3f099ad2
114
STABLE/documentation/Accounting.html
Executable file
114
STABLE/documentation/Accounting.html
Executable file
@ -0,0 +1,114 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Accounting</title>
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall and Traffic
|
||||
Accounting</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
Shorewall Traffic Accounting support was added in Shorewall release
|
||||
1.4.7.<br>
|
||||
<br>
|
||||
Shorewall accounting rules are described in the file
|
||||
/etc/shorewall/accounting. By default, the accounting rules are placed
|
||||
in a chain called "accounting" and can
|
||||
thus be displayed using "shorewall show accounting". All traffic
|
||||
passing into, out of or through the firewall traverses the accounting
|
||||
chain including traffic that will later be rejected by <a
|
||||
href="Documentation.htm#Interfaces">interface options</a> such as
|
||||
"tcpflags" and "maclist". If your kernel doesn't support the connection
|
||||
tracking match extension (Kernel 2.4.21) then some traffic rejected
|
||||
under 'norfc1918' will not traverse the accounting chain.<br>
|
||||
<br>
|
||||
The columns in the accounting file are as follows:<br>
|
||||
<ul>
|
||||
<li><span style="font-weight: bold;">ACTION</span> - What to do when
|
||||
a match is found. Possible values are:</li>
|
||||
<ul>
|
||||
<li>COUNT- Simply count the match and continue trying to
|
||||
match the packet with the following accounting rules</li>
|
||||
<li>DONE- Count the match and don't attempt to match any following
|
||||
accounting rules.</li>
|
||||
<li><<span style="font-style: italic;">chain</span>> - The
|
||||
name of a chain to jump to. Shorewall will create the chain
|
||||
automatically. If the
|
||||
name of the chain is followed by ":COUNT" then a COUNT rule matching
|
||||
this rule will automatically be added to <<span
|
||||
style="font-style: italic;">chain</span>><br>
|
||||
</li>
|
||||
</ul>
|
||||
<li><span style="font-weight: bold;">CHAIN </span>- The name of the
|
||||
chain where the accounting rule is to be added. If empty or "-" then
|
||||
the "accounting" chain is assumed.<br>
|
||||
</li>
|
||||
<li><span style="font-weight: bold;">SOURCE</span> - Packet Source.
|
||||
The name of an interface, an address
|
||||
(host or net) or an interface name followed by ":" and a host or net
|
||||
address.</li>
|
||||
<li><span style="font-weight: bold;">DESTINATION</span> - Packet
|
||||
Destination Format the same as the SOURCE
|
||||
column.</li>
|
||||
<li><span style="font-weight: bold;">PROTOCOL</span> - A protocol
|
||||
name (from /etc/protocols) or a protocol
|
||||
number.</li>
|
||||
<li><span style="font-weight: bold;">DEST PORT</span> - Destination
|
||||
Port number. Service name from
|
||||
/etc/services or port number. May only be specified if the protocol is
|
||||
TCP or UDP (6 or 17).</li>
|
||||
<li><span style="font-weight: bold;">SOURCE PORT</span>- Source Port
|
||||
number. Service name from /etc/services
|
||||
or port number. May only be specified if the protocol is TCP or UDP (6
|
||||
or 17).<br>
|
||||
</li>
|
||||
</ul>
|
||||
In all columns except ACTION and CHAIN, the values "-","any" and
|
||||
"all" are treated as wild-cards.<br>
|
||||
<br>
|
||||
The accounting rules are evaluated in the Netfilter 'filter' table.
|
||||
This is the same environment where the 'rules' file rules are evaluated
|
||||
and in this environment, DNAT has already occurred in inbound packets
|
||||
and SNAT has not yet occurred on outbound ones.<br>
|
||||
<br>
|
||||
Accounting rules are not stateful -- each rule only handles traffic in
|
||||
one direction. For example, if eth0 is your internet interface and you
|
||||
have a web
|
||||
server in your DMZ connected to eth1 then to count HTTP traffic in
|
||||
both directions requires two rules: <br>
|
||||
<pre> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br> # PORT PORT<br> DONE - eth0 eth1 tcp 80<br> DONE - eth1 eth0 tcp - 80</pre>
|
||||
Associating a counter with a chain allows for nice reporting. For
|
||||
example:<br>
|
||||
<pre> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br> # PORT PORT<br> web:COUNT - eth0 eth1 tcp 80<br> web:COUNT - eth1 eth0 tcp - 80<br> web:COUNT - eth0 eth1 tcp 443<br> web:COUNT - eth1 eth0 tcp - 443<br> DONE web<br></pre>
|
||||
Now "shorewall show web" will give you a breakdown of your web traffic:<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<pre>[root@gateway shorewall]# shorewall show web<br>Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003<br> <br>Counters reset Wed Aug 20 09:48:00 PDT 2003<br> <br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 11 1335 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 18 1962 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br> 0 0 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br> 29 3297 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0<br>[root@gateway shorewall]#</pre>
|
||||
</div>
|
||||
Here's a slightly different example:<br>
|
||||
<pre> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br> # PORT PORT<br> web - eth0 eth1 tcp 80<br> web - eth1 eth0 tcp - 80<br> web - eth0 eth1 tcp 443<br> web - eth1 eth0 tcp - 443<br><br> COUNT web eth0 eth1<br> COUNT web eth1 eth0<br></pre>
|
||||
Now "shorewall show web" simply gives you a breakdown by input and
|
||||
output:<br>
|
||||
<br>
|
||||
<pre style="margin-left: 40px;">[root@gateway shorewall]# shorewall show accounting web <br>Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003<br> <br>Counters reset Wed Aug 20 10:24:33 PDT 2003<br> <br>Chain accounting (3 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br>11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0<br>11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0<br>[root@gateway shorewall]#<br><br></pre>
|
||||
<p align="left"><font size="2">Last updated 8/20/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
285
STABLE/documentation/CorpNetwork.htm
Normal file
285
STABLE/documentation/CorpNetwork.htm
Normal file
@ -0,0 +1,285 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
|
||||
<title>Corporate Shorewall Configuration</title>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
<meta content="Microsoft FrontPage 5.0" name="GENERATOR">
|
||||
|
||||
<meta content="FrontPage.Editor.Document" name="ProgId">
|
||||
|
||||
<meta content="none" name="Microsoft Theme">
|
||||
|
||||
<meta content="Graeme Boyle" name="author">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<script><!--
|
||||
function PrivoxyWindowOpen(){return(null);}
|
||||
//--></script>
|
||||
|
||||
<table id="AutoNumber1" style="border-collapse: collapse;" height="90"
|
||||
cellspacing="0" cellpadding="0" width="100%" bgcolor="#3366ff"
|
||||
border="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Multiple IPs with DMZ and Internal
|
||||
Servers</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<blockquote></blockquote>
|
||||
|
||||
<h1>Corporate Network</h1>
|
||||
|
||||
<p><font color="#ff0000" size="4"><b>Notes</b></font><big><font
|
||||
color="#ff0000"><b>:</b></font></big></p>
|
||||
|
||||
<blockquote>
|
||||
<ul>
|
||||
<li><b>This configuration is used on a corporate network that has a
|
||||
Linux (RedHat 8.0) server with three interfaces, running Shorewall 1.4.5
|
||||
release,</b> </li>
|
||||
<li><b>Make sure you know what public IP addresses are currently being
|
||||
used and verify these </b><i>before</i><b> starting.</b> </li>
|
||||
<li><b>Verify your DNS settings </b><i>before</i><b> starting any Shorewall
|
||||
configuration especially if you have split DNS.</b> </li>
|
||||
<li><b>System names and Internet IP addresses have been changed to protect
|
||||
the innocent.</b> </li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This configuration
|
||||
uses a combination of Static NAT and Proxy ARP. This is generally not
|
||||
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
|
||||
If you have just a single public IP address, most of what you see here
|
||||
won't apply to your setup so beware of copying parts of this configuration
|
||||
and expecting them to work for you. What you copy may or may not work
|
||||
in your configuration.<br>
|
||||
</small></b></big><br>
|
||||
</p>
|
||||
|
||||
<p>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
|
||||
internet is connected to eth0. The local network is connected via eth1
|
||||
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have
|
||||
an IPSec tunnel connecting our offices in Germany to our offices in the
|
||||
US. I host two Microsoft Exchange servers for two different companies behind
|
||||
the firewall hence, the two Exchange servers in the diagram below.</p>
|
||||
|
||||
<p>Summary:<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>SNAT for all systems connected to the LAN - Internal addresses
|
||||
10.10.x.x to external address 192.0.18.127. </li>
|
||||
<li>Static NAT for <i>Polaris</i> (Exchange Server #2). Internal address
|
||||
10.10.1.8 and external address 192.0.18.70. </li>
|
||||
<li>Static NAT for <i>Sims</i> (Inventory Management server). Internal
|
||||
address 10.10.1.56 and external address 192.0.18.75.<br>
|
||||
</li>
|
||||
<li>Static NAT for <i>Project</i> (Project Web Server). Internal address
|
||||
10.10.1.55 and external address 192.0.18.84. </li>
|
||||
<li>Static NAT for <i>Fortress</i> (Exchange Server). Internal address
|
||||
10.10.1.252 and external address 192.0.18.93. </li>
|
||||
<li>Static NAT for <i>BBSRV</i> (Blackberry Server). Internal address
|
||||
10.10.1.230 and external address 192.0.18.97. </li>
|
||||
<li>Static NAT for <i>Intweb</i> (Intranet Web Server). Internal address
|
||||
10.10.1.60 and external address 192.0.18.115. </li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard with
|
||||
RH8.0.</p>
|
||||
|
||||
<p>The Firewall is also a proxy server running Privoxy 3.0.</p>
|
||||
|
||||
<p>The single system in the DMZ (address 192.0.18.80) runs sendmail, imap,
|
||||
pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0). That
|
||||
server is managed through Proxy ARP.</p>
|
||||
|
||||
<p>All administration and publishing is done using ssh/scp. I have X installed
|
||||
on the firewall and the system in the DMZ. X applications tunnel through
|
||||
SSH to Hummingbird Exceed running on a PC located in the LAN. Access to
|
||||
the firewall using SSH is restricted to systems in the LAN, DMZ or the
|
||||
system Kaos which is on the Internet and managed by me.</p>
|
||||
|
||||
<p align="center"><img height="1000" alt="(Corporate Network Diagram)"
|
||||
src="images/CorpNetwork.gif" width="770" border="0">
|
||||
</p>
|
||||
|
||||
<p></p>
|
||||
|
||||
<p>The Ethernet 0 interface in the Server is configured with IP address
|
||||
192.0.18.68, netmask 255.255.255.192. The server's default gateway is
|
||||
192.0.18.65, the Router connected to my network and the ISP. This is the
|
||||
same default gateway used by the firewall itself. On the firewall, Shorewall
|
||||
automatically adds a host route to 192.0.18.80 through Ethernet 2 (192.168.21.1)
|
||||
because of the entry in /etc/shorewall/proxyarp (see below). I modified
|
||||
the start, stop and init scripts to include the fixes suggested when having
|
||||
an IPSec tunnel.</p>
|
||||
|
||||
<p><b>Some Mistakes I Made:</b></p>
|
||||
|
||||
<p>Yes, believe it or not, I made some really basic mistakes when building
|
||||
this firewall. Firstly, I had the new firewall setup in parallel with the
|
||||
old firewall so that there was no interruption of service to my users.
|
||||
During my out-bound testing, I set up systems on the LAN to utilize the
|
||||
firewall which worked fine. When testing my NAT connections, from the outside,
|
||||
these would fail and I could not understand why. Eventually, I changed
|
||||
the default route on the internal system I was trying to access, to point
|
||||
to the new firewall and "bingo", everything worked as expected. This oversight
|
||||
delayed my deployment by a couple of days not to mention level of frustration
|
||||
it produced. </p>
|
||||
|
||||
<p>Another problem that I encountered was in setting up the Proxyarp system
|
||||
in the DMZ. Initially I forgot to remove the entry for the eth2 from the
|
||||
/etc/shorewall/masq file. Once my file settings were correct, I started
|
||||
verifying that the ARP caches on the firewall, as well as the outside system
|
||||
"kaos", were showing the correct Ethernet MAC address. However, in testing
|
||||
remote access, I could access the system in the DMZ only from the firewall
|
||||
and LAN but not from the Internet. The message I received was "connection
|
||||
denied" on all protocols. What I did not realize was that a "helpful"
|
||||
administrator that had turned on an old system and assigned the same address
|
||||
as the one I was using for Proxyarp without notifying me. How did I work
|
||||
this out. I shutdown the system in the DMZ, rebooted the router and flushed
|
||||
the ARP cache on the firewall and kaos. Then, from kaos, I started pinging
|
||||
that IP address and checked the updated ARP cache and lo-and-behold a
|
||||
different MAC address showed up. High levels of frustration etc., etc.
|
||||
The administrator will <i>not</i> be doing that again! :-)</p>
|
||||
|
||||
<p><b>Lessons Learned:</b></p>
|
||||
|
||||
<ul>
|
||||
<li>Read the documentation. </li>
|
||||
<li>Draw your network topology before starting. </li>
|
||||
<li>Understand what services you are going to allow in and out of the
|
||||
firewall, whether they are TCP or UDP packets and make a note of these
|
||||
port numbers. </li>
|
||||
<li>Try to get quiet time to build the firewall - you need to focus
|
||||
on the job at hand. </li>
|
||||
<li>When asking for assistance, be honest and include as much detail
|
||||
as requested. Don't try and hide IP addresses etc., you will probably
|
||||
screw up the logs and make receiving assistance harder. </li>
|
||||
<li>Read the documentation. </li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p><b>Futures:</b></p>
|
||||
|
||||
<p>This is by no means the final configuration. In the near future, I will
|
||||
be moving more systems from the LAN to the DMZ. I will also be watching
|
||||
the logs for port scan programs etc. but, this should be standard security
|
||||
maintenance.</p>
|
||||
|
||||
<p>Here are copies of my files. I have removed most of the internal documentation
|
||||
for the purpose of this space however, my system still has the original
|
||||
files with all the comments and I highly recommend you do the same.</p>
|
||||
</blockquote>
|
||||
|
||||
<h3>Shorewall.conf</h3>
|
||||
|
||||
<blockquote>
|
||||
<pre>##############################################################################<br># /etc/shorewall/shorewall.conf V1.4 - Change the following variables to<br># match your setup<br>#<br># This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]<br>#<br># This file should be placed in /etc/shorewall<br>#<br># (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)<br>##############################################################################<br># L O G G I N G<br>##############################################################################<br>LOGFILE=/var/log/messages<br>LOGFORMAT="Shorewall:%s:%s:"<br>LOGRATE=<br>LOGBURST=<br>LOGUNCLEAN=info<br>BLACKLIST_LOGLEVEL=<br>LOGNEWNOTSYN=<br>MACLIST_LOG_LEVEL=info<br>TCP_FLAGS_LOG_LEVEL=debug<br>RFC1918_LOG_LEVEL=debug<br>PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br>SUBSYSLOCK=/var/lock/subsys/shorewall<br>STATEDIR=/var/lib/shorewall<br>MODULESDIR=<br>FW=fw<br>NAT_ENABLED=Yes<br>MANGLE_ENABLED=Yes<br>IP_FORWARDING=On<br>ADD_IP_ALIASES=Yes<br>ADD_SNAT_ALIASES=Yes<br>TC_ENABLED=Yes<br>CLEAR_TC=No<br>MARK_IN_FORWARD_CHAIN=No<br>CLAMPMSS=No<br>ROUTE_FILTER=Yes<br>NAT_BEFORE_RULES=No<br>MULTIPORT=Yes<br>DETECT_DNAT_IPADDRS=Yes<br>MUTEX_TIMEOUT=60<br>NEWNOTSYN=Yes<br>BLACKLIST_DISPOSITION=DROP<br>MACLIST_DISPOSITION=REJECT<br>TCP_FLAGS_DISPOSITION=DROP<br>#LAST LINE -- DO NOT REMOVE<br><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<h3>Zones File</h3>
|
||||
|
||||
<blockquote>
|
||||
<pre><font face="Courier">#<br># Shorewall 1.4 -- Sample Zone File For Two Interfaces<br># /etc/shorewall/zones<br>#<br># This file determines your network zones. Columns are:<br>#<br># ZONE Short name of the zone<br># DISPLAY Display name of the zone<br># COMMENTS Comments about the zone<br>#<br>#ZONE DISPLAY COMMENTS<br>net Net Internet<br>loc Local Local Networks<br>dmz DMZ Demilitarized Zone<br>vpn1 VPN1 VPN to Germany<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font><font
|
||||
face="Courier" size="2"><br></font></pre>
|
||||
</blockquote>
|
||||
|
||||
<h3>Interfaces File: </h3>
|
||||
|
||||
<blockquote>
|
||||
<p>##############################################################################<br>
|
||||
#ZONE INTERFACE BROADCAST OPTIONS<br>
|
||||
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
|
||||
loc eth1 detect dhcp,routefilter<br>
|
||||
dmz eth2 detect<br>
|
||||
vpn1 ipsec0<br>
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
|
||||
</blockquote>
|
||||
|
||||
<h3>Routestopped File:</h3>
|
||||
|
||||
<blockquote>
|
||||
<pre><font face="Courier">#INTERFACE HOST(S)<br>eth1 -<br>eth2 -<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font><font
|
||||
face="Courier" size="2"> </font></pre>
|
||||
</blockquote>
|
||||
|
||||
<h3>Policy File:</h3>
|
||||
|
||||
<blockquote>
|
||||
<pre>###############################################################################<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>loc fw ACCEPT<br>loc dmz ACCEPT<br># If you want open access to the Internet from your Firewall <br># remove the comment from the following line.<br>fw net ACCEPT<br>fw loc ACCEPT<br>fw dmz ACCEPT<br>dmz fw ACCEPT<br>dmz loc ACCEPT<br>dmz net ACCEPT<br># <br># Adding VPN Access<br>loc vpn1 ACCEPT<br>dmz vpn1 ACCEPT<br>fw vpn1 ACCEPT<br>vpn1 loc ACCEPT<br>vpn1 dmz ACCEPT<br>vpn1 fw ACCEPT<br>#<br>net all DROP info<br>all all REJECT info<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
|
||||
</blockquote>
|
||||
|
||||
<h3>Masq File: </h3>
|
||||
|
||||
<blockquote>
|
||||
<pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 1192.0.18.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
|
||||
</blockquote>
|
||||
|
||||
<h3>NAT File: </h3>
|
||||
|
||||
<blockquote>
|
||||
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>192.0.18.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>192.0.18.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>192.0.18.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>192.0.18.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>192.0.18.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>192.0.18.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
|
||||
</blockquote>
|
||||
|
||||
<h3>Proxy ARP File:</h3>
|
||||
|
||||
<blockquote>
|
||||
<pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>192.0.18.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </font></pre>
|
||||
</blockquote>
|
||||
|
||||
<h3>Tunnels File:</h3>
|
||||
|
||||
<blockquote>
|
||||
<pre># TYPE ZONE GATEWAY GATEWAY ZONE PORT<br>ipsec net 134.147.129.82<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3>Rules File (The shell variables are set in /etc/shorewall/params):</h3>
|
||||
|
||||
<blockquote>
|
||||
<pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:192.0.18.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3>Start File:</h3>
|
||||
|
||||
<blockquote>
|
||||
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/start<br>#<br># Add commands below that you want to be executed after shorewall has<br># been started or restarted.<br>#<br>qt service ipsec start<br></pre>
|
||||
</blockquote>
|
||||
|
||||
<h3>Stop File:</h3>
|
||||
|
||||
<blockquote>
|
||||
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/stop<br>#<br># Add commands below that you want to be executed at the beginning of a<br># "shorewall stop" command.<br>#<br>qt service ipsec stop</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3>Init File:</h3>
|
||||
|
||||
<blockquote>
|
||||
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/init<br>#<br># Add commands below that you want to be executed at the beginning of<br># a "shorewall start" or "shorewall restart" command.<br>#<br>qt service ipsec stop<br></pre>
|
||||
</blockquote>
|
||||
|
||||
<p><font size="2">Last updated 7/16/2003</font>
|
||||
<script><!--
|
||||
function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));}
|
||||
//</script>
|
||||
<br>
|
||||
</p>
|
||||
|
||||
<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep and
|
||||
Graeme Boyle</a></small><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
203
STABLE/documentation/GenericTunnels.html
Normal file
203
STABLE/documentation/GenericTunnels.html
Normal file
@ -0,0 +1,203 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Generic Tunnels</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Generic Tunnels</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
Shorewall includes built-in support for a wide range of VPN solutions.
|
||||
If you have need for a tunnel type that does not have explicit support,
|
||||
you can generally describe the tunneling software using "generic
|
||||
tunnels"<br>
|
||||
<h2>Bridging two Masqueraded Networks</h2>
|
||||
<p>Suppose that we have the following situation:</p>
|
||||
<p align="center"> <img border="0" src="images/TwoNets1.png"
|
||||
width="745" height="427"> </p>
|
||||
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
|
||||
able to communicate with the systems in the 10.0.0.0/8 network. This is
|
||||
accomplished through use of the /etc/shorewall/tunnels file, the
|
||||
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
|
||||
included with Shorewall.<br>
|
||||
</p>
|
||||
<p align="left">Suppose that you have tunneling software that uses two
|
||||
different protocols:<br>
|
||||
</p>
|
||||
<p align="left">a) TCP port 1071<br>
|
||||
b) GRE (Protocol 47)<br>
|
||||
c) The tunnel interface on system A is "tun0" and the tunnel interface
|
||||
on system B is also "tun0".<br>
|
||||
</p>
|
||||
<p align="left">On each firewall, you will need to declare a zone to
|
||||
represent the remote subnet. We'll assume that this zone is called
|
||||
'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>ZONE</strong></td>
|
||||
<td><strong>DISPLAY</strong></td>
|
||||
<td><strong>COMMENTS</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>VPN</td>
|
||||
<td>Remote Subnet</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
|
||||
zone.
|
||||
In /etc/shorewall/interfaces:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>tun0</td>
|
||||
<td>10.255.255.255</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">In /etc/shorewall/tunnels on system A, we need the
|
||||
following:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>generic:tcp:1071<br>
|
||||
</td>
|
||||
<td>net</td>
|
||||
<td>134.28.54.2</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">generic:47<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">net<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">134.28.54.2<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>These entries in /etc/shorewall/tunnels, opens the firewall so that
|
||||
TCP port 1071 and the Generalized Routing Encapsulation Protocol (47)
|
||||
will be accepted to/from the remote gateway.</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>tun0</td>
|
||||
<td>192.168.1.255</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>In /etc/shorewall/tunnels on system B, we have:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>generic:tcp:1071<br>
|
||||
</td>
|
||||
<td>net</td>
|
||||
<td>206.191.148.9</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">generic:47<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">net<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">134.28.54.2<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left"> You will need to allow traffic between the "vpn" zone
|
||||
and the "loc" zone on both systems -- if you simply want to admit all
|
||||
traffic in both directions, you can use the policy file:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>SOURCE</strong></td>
|
||||
<td><strong>DEST</strong></td>
|
||||
<td><strong>POLICY</strong></td>
|
||||
<td><strong>LOG LEVEL</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>vpn</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>loc</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>On both systems, restart Shorewall and start your VPN software on
|
||||
each system. The systems in the two masqueraded subnetworks
|
||||
can now talk to each other</p>
|
||||
<p><font size="2">Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
141
STABLE/documentation/UserSets.html
Normal file
141
STABLE/documentation/UserSets.html
Normal file
@ -0,0 +1,141 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Controlling Traffic by UID/GID</title>
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Controlling Output
|
||||
Traffic by UID/GID<br>
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
This capability was added in Shorewall release
|
||||
1.4.7.<br>
|
||||
<br>
|
||||
Netfilter provides the capability to filter packets generated on the
|
||||
firewall system by User Id and/or Group Id. Shorewall provides two
|
||||
separate but related ways to use this Netfilter capability:<br>
|
||||
<ol>
|
||||
<li>Shorewall allows you to
|
||||
define collections of users called "<a href="#UserSet">User Sets</a>"
|
||||
and then to restrict
|
||||
certain rules in /etc/shorewall/rules to a given User Set.</li>
|
||||
<li>Shorewall also allows you to restrict a given <a href="#Rule">rule
|
||||
</a>to a particular user and/or group.<br>
|
||||
</li>
|
||||
</ol>
|
||||
Since only packets created by programs running on the Shorewall box
|
||||
itself, only rules whose SOURCE is the firewall ($FW) may be restricted
|
||||
using either of the facilities.<br>
|
||||
<h2><a name="UserSet"></a>User Sets<br>
|
||||
</h2>
|
||||
Given the way that this facility is implemented in Shorewall, it is not
|
||||
possible to control logging of individual rules using a User Set and
|
||||
logging is rather specified on the User Set itself.<br>
|
||||
<br>
|
||||
User Sets are defined in the /etc/shorewall/usersets file. Columns in
|
||||
that file include:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">USERSET
|
||||
The name of a User Set. Must be a legal
|
||||
shell
|
||||
identifier of no more than six (6) characters in length.<br>
|
||||
REJECT
|
||||
Log level for connections rejected for this User Set.<br>
|
||||
ACCEPT Log
|
||||
level for connections accepted for this User Set.<br>
|
||||
DROP
|
||||
Log level for connections dropped for this User Set.<br>
|
||||
</div>
|
||||
<br>
|
||||
In the REJECT and ACCEPT columns, if you don't want to specify a value
|
||||
in the column but you want to specify a value in a following column,
|
||||
you may enter "-".<br>
|
||||
<br>
|
||||
Users and/or groups are added to User Sets using the
|
||||
/etc/shorewall/users file. Columns in that file are:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">USERSET
|
||||
The name of a User Set defined in
|
||||
/etc/shorewall/usersets.<br>
|
||||
USER
|
||||
The name of a user defined on the system or a user number.<br>
|
||||
GROUP
|
||||
The name of a group defined on the system or a number.<br>
|
||||
</div>
|
||||
<p align="left">Only one of the USER and GROUP
|
||||
column needs to be non-empty. If you wish to specify a GROUP but not a
|
||||
USER, enter "-" in the user column.<br>
|
||||
</p>
|
||||
<p align="left">If both USER and GROUP are
|
||||
specified then only programs running under that USER:GROUP pair will
|
||||
match rules specifying the User Set named in the USERSET column.<br>
|
||||
</p>
|
||||
<p align="left">Once a user set has been defined, its name may be
|
||||
placed in the USER SET column of the /etc/shorewall/rules file. <span
|
||||
style="color: rgb(255, 0, 0);"><span style="font-weight: bold;">IMPORTANT:
|
||||
</span></span>When
|
||||
the name of a user set is given in the USER SET column, you may not
|
||||
include a log level in the ACTION column; logging of such rules is
|
||||
governed solely by the user set's definition in the
|
||||
/etc/shorewall/userset file.
|
||||
</p>
|
||||
<p align="left">Example: You want members of the
|
||||
'admin' group and 'root' to be able to use ssh on the firewall to
|
||||
connect to local systems. You want to log all connections accepted for
|
||||
these users using syslog at the 'info' level.<br>
|
||||
</p>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<p align="left" style="margin-left: 40px;">/etc/shorewall/usersets</p>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<pre style="margin-left: 80px;">#USERSET REJECT ACCEPT DROP<br>admins - info<br></pre>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<p align="left" style="margin-left: 40px;">/etc/shorewall/users<br>
|
||||
</p>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<pre style="margin-left: 80px;">#USERSET USER GROUP<br>admins - admin<br>admins root<br></pre>
|
||||
<div style="margin-left: 40px;">/etc/shorewall/rules<br>
|
||||
</div>
|
||||
<pre style="margin-left: 80px;">#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER<br># PORT(S) DESTINATION SET<br><br>ACCEPT $FW loc tcp 22 - - - admins<br></pre>
|
||||
<h2><a name="Rule"></a>Restricting a rule to a particular user and/or
|
||||
group<br>
|
||||
</h2>
|
||||
In cases where you may want to restrict a rule to a particular user
|
||||
and/or group, the USER SET column in the rules file may be specified as:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">[ <<span style="font-style: italic;">user
|
||||
name or number</span>> ] : [ <<span style="font-style: italic;">group
|
||||
name or number</span>> ]<br>
|
||||
<div style="text-align: left;"><br>
|
||||
</div>
|
||||
</div>
|
||||
When a user and/or group name is given in the USER SET column, it is OK
|
||||
to specify a log level in the ACTION column. <br>
|
||||
<br>
|
||||
Example: You want user <span style="font-style: italic;">mail </span>to
|
||||
be able to send email from the firewall to the local net zone<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">/etc/shorewall/rules (be sure to note
|
||||
the ":" in the USER SET column entry).<br>
|
||||
<pre>#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER<br># PORT(S) DESTINATION SET<br><br>ACCEPT $FW loc tcp 25 - - - mail:</pre>
|
||||
</div>
|
||||
<p align="left"><font size="2">Last updated 9/19/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
|
||||
</body>
|
||||
</html>
|
BIN
STABLE/documentation/images/CorpNetwork.gif
Normal file
BIN
STABLE/documentation/images/CorpNetwork.gif
Normal file
Binary file not shown.
After Width: | Height: | Size: 48 KiB |
BIN
STABLE/documentation/images/Logo3.png
Executable file
BIN
STABLE/documentation/images/Logo3.png
Executable file
Binary file not shown.
BIN
STABLE/documentation/images/Tom.jpg
Executable file
BIN
STABLE/documentation/images/Tom.jpg
Executable file
Binary file not shown.
After Width: | Height: | Size: 39 KiB |
BIN
STABLE/documentation/images/penquin_in_blue_racer_sm2.gif
Executable file
BIN
STABLE/documentation/images/penquin_in_blue_racer_sm2.gif
Executable file
Binary file not shown.
After Width: | Height: | Size: 6.4 KiB |
BIN
STABLE/documentation/images/razor.gif
Normal file
BIN
STABLE/documentation/images/razor.gif
Normal file
Binary file not shown.
After Width: | Height: | Size: 4.9 KiB |
2524
STABLE/documentation/shorewall_setup_guide_fr.htm
Normal file
2524
STABLE/documentation/shorewall_setup_guide_fr.htm
Normal file
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user