diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml
index 113151901..8c5898903 100644
--- a/Shorewall-docs2/FAQ.xml
+++ b/Shorewall-docs2/FAQ.xml
@@ -17,7 +17,7 @@
- 2004-07-14
+ 2004-08-012001-2004
@@ -65,7 +65,7 @@
- Port Forwarding
+ Port Forwarding (Port Redirection)(FAQ 1) I want to forward UDP port 7777 to my my personal PC with
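Review bot: "to my my personal PC" in the replacement line doubles "my"; since the FAQ 1 question text is part of this edit, fix the typo here rather than leaving it for another pass.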
diff --git a/Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml b/Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml
index f7b8493ea..f8805cd95 100644
--- a/Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml
+++ b/Shorewall-docs2/Shorewall_and_Aliased_Interfaces.xml
@@ -111,7 +111,7 @@ Device "eth0:0" does not exist.
case $1 in
eth0)
- /sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0
+ /sbin/ip addr add 206.124.146.178 dev eth0 label eth0:0
;;
esac
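Review bot: the alias address in the `case` example moves from 206.124.146.177 to 206.124.146.178 on the `/sbin/ip addr add` line, but that is the only line of the example in this hunk; check that every other place the document shows the eth0:0 alias (the listing that produced `Device "eth0:0" does not exist.` and any interfaces/aliases tables) was changed to .178 too, otherwise the example contradicts itself. The reason for the change deserves a sentence in the text: myfiles.xml in this same patch lists 206.124.146.177 as the DMZ server's address, so aliasing it on the firewall's eth0 would collide with that host.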
diff --git a/Shorewall-docs2/bridge.xml b/Shorewall-docs2/bridge.xml
index 5bf74780b..388012cb1 100755
--- a/Shorewall-docs2/bridge.xml
+++ b/Shorewall-docs2/bridge.xml
@@ -15,7 +15,7 @@
- 2004-06-11
+ 2004-07-312004
@@ -159,12 +159,11 @@
Unfortunately, Linux distributions don't have good bridge
configuration tools and the network configuration GUIs don't detect
- the presence of bridge devices. You may refer to my configuration files
- for an example of configuring a three-port bridge at system boot under
- SuSE. Here is an excerpt from a Debian
- /etc/network/interfaces file for a two-port bridge
- with a static IP address:
+ the presence of bridge devices. You may refer to my
+ configuration files for an example of configuring a three-port
+ bridge at system boot under SuSE. Here is an
+ excerpt from a Debian /etc/network/interfaces file
+ for a two-port bridge with a static IP address:
auto br0
@@ -294,6 +293,36 @@ exit 0
INTERFACES="eth0 eth1" #The physical interfaces to be bridged
+ Andrzej Szelachowski contributed the following.
+
+
+ Here is how I configured bridge in Slackware:
+
+1) I had to compile bridge-utils (It's not in the standard distribution)
+2) I've created rc.bridge in /etc/rc.d:
+
+#########################
+#! /bin/sh
+
+ifconfig eth0 0.0.0.0
+ifconfig eth1 0.0.0.0
+#ifconfig lo 127.0.0.1 #this line should be uncommented if you don't use rc.inet1
+
+brctl addbr most
+
+brctl addif most eth0
+brctl addif most eth1
+
+ifconfig most 192.168.1.31 netmask 255.255.255.0 up
+#route add default gw 192.168.1.1 metric 1 #this line should be uncommented if
+ #you don't use rc.inet1
+#########################
+
+3) I made rc.brige executable and added the following line to /etc/rc.d/rc.local
+
+/etc/rc.d/rc.bridge
+
+
Users who successfully configure bridges on other distributions,
with static or dynamic IP addresses, are encouraged to send me their configuration so I
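Review bot: step 3 of the contributed Slackware procedure says `rc.brige` while the script created in step 2 is `rc.bridge`; fix the spelling so the file made executable is the one the rc.local line calls. The procedure should also say where `/etc/rc.d/rc.bridge` sits in rc.local relative to the Shorewall start (`/etc/rc.d/firewall.rc` on Slackware, per the starting_and_stopping hunk later in this patch): the script gives the bridge 192.168.1.31 and adds both ports with `brctl addif`, so the bridge must exist before Shorewall starts for rules on it to be installed, and the interval between the bridge coming up and the firewall starting is one where the two ports forward with no filtering. A note that `most` is simply the contributor's chosen bridge name would also help readers who copy the script.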
diff --git a/Shorewall-docs2/errata.xml b/Shorewall-docs2/errata.xml
index 71c0ca987..afe06e92c 100644
--- a/Shorewall-docs2/errata.xml
+++ b/Shorewall-docs2/errata.xml
@@ -13,7 +13,7 @@
- 2004-07-29
+ 2004-07-302001-2004
@@ -87,6 +87,22 @@
Problems in Version 2.0
+
+ Shorewall 2.0.3a through 2.0.7
+
+
+
+ Entries in the USER/GROUP column of an action file (made from
+ action.template) may be ignored or cause odd errors.
+
+
+
+ Corrected in this
+ firewall script which may be installed in
+ /usr/share/shorewall/firewall as described above.
+
+
Shorewall 2.0.3a through 2.0.4
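Review bot: the new entry's version range (2.0.3a through 2.0.7) overlaps the existing entry directly below it (2.0.3a through 2.0.4), and both point the reader at a replacement `firewall` script for `/usr/share/shorewall/firewall`; someone on 2.0.4 is affected by both problems, so the text should say whether the script linked here also carries the earlier fix, or which script to install. "as described above" also depends on the installation instructions actually preceding this entry in the rendered page; verify that after the insertion.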
diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml
index 5be0104c3..5ff84e8b4 100644
--- a/Shorewall-docs2/myfiles.xml
+++ b/Shorewall-docs2/myfiles.xml
@@ -15,7 +15,7 @@
- 2004-07-13
+ 2004-08-052001-2004
@@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
- GNU Free Documentation License.
+ GNU Free Documentation
+ License.
@@ -40,9 +41,9 @@
I use a combination of One-to-one NAT and Proxy ARP, neither of
which are relevant to a simple configuration with a single public IP
address. If you have just a single public IP address, most of what you
- see here won't apply to your setup so beware of copying parts of
- this configuration and expecting them to work for you. What you copy may
- or may not work for you.
+ see here won't apply to your setup so beware of copying parts of this
+ configuration and expecting them to work for you. What you copy may or
+ may not work for you.
@@ -75,19 +76,21 @@
- I use SNAT through 206.124.146.179 for my SuSE 9.0 Linux
- system Wookie, my Wife's Windows XP system
- Tarry, and our dual-booting (Windows
- XP/Mandrake 10.0 Official) laptop Tipper which connects
- through the Wireless Access Point (wap) via a Wireless Bridge (wet).While
- the distance between the WAP and where I usually use the laptop
- isn't very far (25 feet or so), using a WAC11 (CardBus wireless
- card) has proved very unsatisfactory (lots of lost connections). By
- replacing the WAC11 with the WET11 wireless bridge, I have virtually
- eliminated these problems (Being an old radio tinkerer (K7JPV), I was
- also able to eliminate the disconnects by hanging a piece of aluminum
- foil on the family room wall. Needless to say, my wife Tarry rejected
- that as a permanent solution :-).
+ I use SNAT through 206.124.146.179 for my SuSE 9.0 Linux
+ system Wookie, my Wife's Windows XP system
+ Tarry, and our dual-booting (Windows XP/SuSE 9.1)
+ laptop Tipper which connects through the Wireless
+ Access Point (wap) via a Wireless Bridge (wet).
+ While the distance between the WAP and where I usually use
+ the laptop isn't very far (25 feet or so), using a WAC11 (CardBus
+ wireless card) has proved very unsatisfactory (lots of lost
+ connections). By replacing the WAC11 with the WET11 wireless
+ bridge, I have virtually eliminated these problems (Being an old
+ radio tinkerer (K7JPV), I was also able to eliminate the
+ disconnects by hanging a piece of aluminum foil on the family room
+ wall. Needless to say, my wife Tarry rejected that as a permanent
+ solution :-).
+
@@ -98,16 +101,17 @@
- The firewall runs on a 256MB PII/233 with Debian Sarge (Testing).
+ The firewall runs on a 256MB PII/233 with Debian Sarge
+ (Testing).Wookie and Ursa run Samba and Wookie acts as a WINS server.
- The wireless network connects to Wookie's eth2 via a LinkSys
- WAP11. In additional to using the rather weak WEP 40-bit
- encryption (64-bit with the 24-bit preamble), I use The wireless network connects to Wookie's eth2 via a LinkSys
+ WAP11. In additional to using the rather weak WEP 40-bit encryption
+ (64-bit with the 24-bit preamble), I use MAC verification. This is still a weak
combination and if I lived near a wireless hot spot, I
- would probably add IPSEC or something similar to my WiFi->local
+ would probably add IPSEC or something similar to my WiFi->local
connections.The single system in the DMZ (address 206.124.146.177) runs postfix,
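Review bot: "In additional to using the rather weak WEP 40-bit encryption" in the reflowed line should read "In addition to"; the error is carried over unchanged from the removed lines. The replacement also runs "(Testing).Wookie and Ursa run Samba" and "IPSEC or something similar to my WiFi->local connections.The single system in the DMZ" together without a space or paragraph break; check the element boundaries so these render as separate paragraphs.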
@@ -132,13 +136,14 @@
in the DMZ.The ethernet interface in the Server is configured with IP address
- 206.124.146.177, netmask 255.255.255.0. The server's default gateway
- is 206.124.146.254 (Router at my ISP. This is the same default gateway
- used by the firewall itself). On the firewall, an entry in my
+ 206.124.146.177, netmask 255.255.255.0. The server's default gateway is
+ 206.124.146.254 (Router at my ISP. This is the same default gateway used
+ by the firewall itself). On the firewall, an entry in my
/etc/network/interfaces file (see below) adds a host route to
206.124.146.177 through eth1 when that interface is brought up.
- Tarry (192.168.1.4) runs a PPTP server for Road Warrior access.
+ Tarry (192.168.1.4) runs a PPTP server for Road Warrior
+ access.
@@ -162,7 +167,7 @@ RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/ash
-SUBSYSLOCK= #I run Debian which doesn't use service locks
+SUBSYSLOCK= #I run Debian which doesn't use service locks
STATEDIR=/var/state/shorewall
MODULESDIR=
FW=fw
@@ -189,9 +194,9 @@ TCP_FLAGS_DISPOSITION=DROP
Params File (Edited)
- MIRRORS=<list of shorewall mirror ip addresses>
-NTPSERVERS=<list of the NTP servers I sync with>
-TEXAS=<ip address of gateway in Plano>
+ MIRRORS=<list of shorewall mirror ip addresses>
+NTPSERVERS=<list of the NTP servers I sync with>
+TEXAS=<ip address of gateway in Plano>
LOG=info
@@ -230,7 +235,7 @@ dmz eth1 -
#ZONE HOST(S) OPTIONS
-tx texas:192.168.8.0/22
+tx texas:192.168.8.0/22
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
@@ -284,14 +289,14 @@ eth2 -
#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
-fw fw ACCEPT # For testing fw->fw rules
+fw fw ACCEPT # For testing fw->fw rules
loc net ACCEPT # Allow all net traffic from local net
$FW loc ACCEPT # Allow local access from the firewall
$FW tx ACCEPT # Allow firewall access to texas
loc tx ACCEPT # Allow local net access to texas
-loc fw REJECT $LOG # Reject loc->fw and log
+loc fw REJECT $LOG # Reject loc->fw and log
net all DROP $LOG 10/sec:40 # Rate limit and
- # DROP net->all
+ # DROP net->all
all all REJECT $LOG # Reject and log the rest
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
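Review bot: the policy entries mix `fw` and `$FW` for the firewall zone (`fw fw ACCEPT` and `loc fw REJECT` versus `$FW loc ACCEPT` and `$FW tx ACCEPT`); both resolve to the same zone because the shorewall.conf excerpt above sets `FW=fw`, but since this hunk already re-spaces these lines, settle on one spelling so readers who rename the firewall zone don't copy a half-variable file.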
@@ -302,16 +307,15 @@ all all REJECT $LOG # Reje
Although most of our internal systems use one-to-one NAT, my
- wife's system (192.168.1.4) uses IP Masquerading (actually SNAT)
- as do my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
- visitors with laptops.
+ wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do
+ my SuSE system (192.168.1.3), our laptop (192.168.3.8) and visitors
+ with laptops.
The first entry allows access to the DSL modem and uses features
- introduced in Shorewall 2.1.1. The leading plus sign ("+_")
- causes the rule to be placed before rules generated by the
- /etc/shorewall/nat file below. The double colons ("::") causes
- the entry to be exempt from ADD_SNAT_ALIASES=Yes in my shorewall.conf
- file above.
+ introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
+ rule to be placed before rules generated by the /etc/shorewall/nat
+ file below. The double colons ("::") causes the entry to be exempt
+ from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.
#INTERFACE SUBNET ADDRESS
+eth0::192.168.1.1 0.0.0.0/0 192.168.1.254
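Review bot: the reflowed text still says `The leading plus sign ("+_")` while the entry it describes, `+eth0::192.168.1.1 0.0.0.0/0 192.168.1.254`, begins with a bare `+`; the underscore looks like a stray character and should be dropped so the description matches the example. The sentence about the double colons states that they exempt the entry from ADD_SNAT_ALIASES=Yes but not why that is wanted for this particular entry; one clause on that would make the example self-explanatory.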
@@ -344,7 +348,8 @@ eth0:2 eth2 206.124.146.179
- Tunnels File (Shell variable TEXAS set in /etc/shorewall/params)
+ Tunnels File (Shell variable TEXAS set in
+ /etc/shorewall/params)
#TYPE ZONE GATEWAY GATEWAY ZONE PORT
@@ -369,7 +374,8 @@ Mirrors #Accept traffic from the Shorewall Mirror sites
The $MIRRORS variable expands to a list of approximately 10 IP
addresses. So moving these checks into a separate chain reduces the
- number of rules that most net->dmz traffic needs to traverse.
+ number of rules that most net->dmz traffic needs to
+ traverse.
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
@@ -416,14 +422,15 @@ RejectSMB
DropUPnP
dropNotSyn
DropDNSrep
-DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
+DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
#with NTP requests with a source address in 16.0.0.0/8 (address of
#its PPTP tunnel to HP).
- Rules File (The shell variables are set in /etc/shorewall/params)
+ Rules File (The shell variables are set in
+ /etc/shorewall/params)
###############################################################################################################################################################################
@@ -477,7 +484,7 @@ Mirrors net dmz tcp rsync
#
# Net to Local
#
-# When I'm "on the road", the following two rules allow me VPN access back home.
+# When I'm "on the road", the following two rules allow me VPN access back home.
#
DNAT net loc:192.168.1.4 tcp 1723 -
DNAT net:!4.3.113.178 loc:192.168.1.4 gre -
@@ -510,12 +517,12 @@ ACCEPT dmz net:$POPSERVERS tcp pop3
#ACCEPT dmz net:66.216.26.115 tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
-# that is sending a PORT command which that code doesn't understand. Either way,
+# that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG dmz net tcp 1024: 20
###############################################################################################################################################################################
-# DMZ to Firewall -- ntp & snmp, Silently reject Auth
+# DMZ to Firewall -- ntp & snmp, Silently reject Auth
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp 161,ssh
@@ -568,7 +575,8 @@ ACCEPT tx loc:192.168.1.5 all
displayed in bold type) add a route
to my DSL modem when eth0 is brought up and a route to my DMZ server
when eth1 is brought up. It allows me to enter Yes in
- the HAVEROUTE column of my Proxy ARP file.
+ the HAVEROUTE column of my Proxy ARP
+ file.
...
auto auto eth0
@@ -594,13 +602,13 @@ iface eth1 inet static
Bridge (Wookie) Configuration
- As mentioned above, Wookie acts as a bridge. It's view of the
+ As mentioned above, Wookie acts as a bridge. It's view of the
network is diagrammed in the following figure.
- I've included the files that I used to configure that system --
- some of them are SuSE-specific.
+ I've included the files that I used to configure that system -- some
+ of them are SuSE-specific.The configuration on Wookie can be modified to test various bridging
features -- otherwise, it serves to isolate the Wireless network from the
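Review bot: "It's view of the network" in the replacement line should be "Its view" (possessive); the typo survives the reflow. The same hunk joins "some of them are SuSE-specific." directly onto "The configuration on Wookie can be modified" with no space or paragraph break; check the element boundaries so the two paragraphs don't render as one.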
@@ -681,10 +689,9 @@ WiFi br0:eth2 maclist
my bridge/firewall. Squid listens on port 3128.The remaining rules protect the local systems and bridge from
- the WiFi network. Note that we don't restrict WiFi→net traffic
- since the only directly-accessible system in the net zone is the
- firewall (Wookie and the Firewall are connected by a cross-over
- cable).
+ the WiFi network. Note that we don't restrict WiFi→net traffic since
+ the only directly-accessible system in the net zone is the firewall
+ (Wookie and the Firewall are connected by a cross-over cable).#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
@@ -758,7 +765,7 @@ br0:eth2 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
do_stop() {
- echo "Stopping Bridge"
+ echo "Stopping Bridge"
brctl delbr br0
ip link set eth0 down
ip link set eth1 down
@@ -767,7 +774,7 @@ do_stop() {
do_start() {
- echo "Starting Bridge"
+ echo "Starting Bridge"
ip link set eth0 up
ip link set eth1 up
ip link set eth2 up
@@ -777,7 +784,7 @@ do_start() {
brctl addif br0 eth2
}
-case "$1" in
+case "$1" in
start)
do_start
;;
@@ -790,7 +797,7 @@ case "$1" in
do_start
;;
*)
- echo "Usage: $0 {start|stop|restart}"
+ echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0
@@ -803,16 +810,16 @@ exit 0
diff --git a/Shorewall-docs2/ports.xml b/Shorewall-docs2/ports.xml
index a44b253bc..f9d4a5c77 100644
--- a/Shorewall-docs2/ports.xml
+++ b/Shorewall-docs2/ports.xml
@@ -13,7 +13,7 @@
- 2004-05-28
+ 2004-07-312001-2002
@@ -54,7 +54,7 @@
zone:
#ACTION SOURCE DESTINATION
-AllowDNS dmz net
+AllowDNS dmz net
@@ -107,7 +107,7 @@ ACCEPT dmz net tcp 53
Recursive Resolution means that if the server itself can't
resolve the name presented to it, the server will attempt to resolve the
- name with the help of other servers.
+ name with the help of other servers.
@@ -303,6 +303,17 @@ ACCEPT <source><destination>
ACCEPT <source><destination> tcp 443 #Secure HTTP
+
+ X/XDMCP
+
+ Assume that the Choser and/or X Server are running at <chooser>
+ and the Display Manager/X applications are running at <apps>.
+
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ACCEPT <chooser> <apps> udp 177 #XDMCP
+ACCEPT <apps> <chooser> tcp 6000:6009 #X Displays 0-9
+
+
Other Source of Port Information
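Review bot: "Choser" in the new X/XDMCP section should be "Chooser", matching the <chooser> placeholder used in the rules. The two rules run in opposite directions (udp 177 from <chooser> to <apps>, tcp 6000:6009 back from <apps> to <chooser>), which is right for XDMCP; a sentence advising that 6000:6009 be narrowed to the displays actually in use (the comment already says Displays 0-9) would fit the style of the other entries, since each port in the range is a separate display that the <apps> host is being allowed to reach.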
diff --git a/Shorewall-docs2/quotes.xml b/Shorewall-docs2/quotes.xml
index 1888a9852..55787d156 100644
--- a/Shorewall-docs2/quotes.xml
+++ b/Shorewall-docs2/quotes.xml
@@ -13,7 +13,7 @@
Eastep
- 2004-03-28
+ 2004-07-312003
@@ -36,6 +36,18 @@
What Users are saying...
+
+ AS, Poland
+
+ I want to say that Shorewall documentation is the best
+ I've ever found on the net. It's helped me a lot in
+ understanding how network is working. It is the best of breed. It
+ contains not only Shorewall specific topics with the assumption that all
+ the rest is well known, but also gives some very useful background
+ information. Thank you very much for this wonderful piece of work.
+
+
+
ES, Phoenix AZ, USA
diff --git a/Shorewall-docs2/shorewall_setup_guide.xml b/Shorewall-docs2/shorewall_setup_guide.xml
index ae7f56c6e..c103901d6 100644
--- a/Shorewall-docs2/shorewall_setup_guide.xml
+++ b/Shorewall-docs2/shorewall_setup_guide.xml
@@ -15,7 +15,7 @@
- 2004-07-22
+ 2004-07-312001-2004
@@ -232,7 +232,7 @@
#SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT:BURST
# LEVEL
-fw net ACCEPT
+loc net ACCEPT
net all DROP info
all all REJECT info
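Review bot: replacing `fw net ACCEPT` with `loc net ACCEPT` changes two things at once: local-net hosts now get an ACCEPT policy to the net, and traffic from the firewall itself to the net now falls through to `all all REJECT info`, so the firewall box loses outbound access unless a rule or a separate `$FW net ACCEPT` policy is added. If the surrounding section of the setup guide covers the firewall's own outbound access, make sure it states this explicitly; if the original `fw net ACCEPT` line was intended, the fix should add the `loc` line rather than replace it.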
@@ -2170,12 +2170,14 @@ localhost 86400 IN A 127.0.0.1
firewall 86400 IN A 192.0.2.176
www 86400 IN A 192.0.2.177
ns1 86400 IN A 192.0.2.177
-www 86400 IN A 192.0.2.177
+mail 86400 IN A 192.0.2.178
-gateway 86400 IN A 192.168.201.1
-winken 86400 IN A 192.168.201.2
-blinken 86400 IN A 192.168.201.3
-nod 86400 IN A 192.168.201.4
+gateway 86400 IN A 192.168.201.1
+winken 86400 IN A 192.168.201.2
+blinken 86400 IN A 192.168.201.3
+nod 86400 IN A 192.168.201.4
+
+dmz 86400 IN A 192.168.202.1
ext/db.foobar - Forward zone for external
clients.
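Review bot: the removed line is a duplicate `www` record and its replacement `mail 86400 IN A 192.0.2.178` introduces a new address; verify that 192.0.2.178 is the mail server address used elsewhere in the guide (the firewall is .176 and www/ns1 are .177 in this same listing). The new `dmz 86400 IN A 192.168.202.1` record and the gateway/winken/blinken/nod entries are RFC1918 addresses; since the file that follows is described as the forward zone for external clients, it is worth a sentence stating that these records belong only to the internal view and must not be copied into ext/db.foobar.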
diff --git a/Shorewall-docs2/starting_and_stopping_shorewall.xml b/Shorewall-docs2/starting_and_stopping_shorewall.xml
index fadcfefac..f97369947 100644
--- a/Shorewall-docs2/starting_and_stopping_shorewall.xml
+++ b/Shorewall-docs2/starting_and_stopping_shorewall.xml
@@ -5,7 +5,7 @@
- Starting/Stopping and Monitoring the Firewall
+ Operating Shorewall
@@ -15,10 +15,10 @@
- 2004-06-15
+ 2004-08-01
- 2001-2004
+ 2004Thomas M. Eastep
@@ -34,312 +34,225 @@
- Operating Shorewall
+ Operational Components
- If you have a permanent internet connection such as DSL or Cable, I
- recommend that you start the firewall automatically at boot. The installation procedure attempts to set up the
- init scripts to start the firewall in run levels 2-5 and stop it in run
- levels 1 and 6. If you want to configure your firewall differently from
- this default, you can use your distribution's run-level editor.
-
-
-
-
- Shorewall startup is disabled by default. Once you have
- configured your firewall, you can enable startup by removing the
- file /etc/shorewall/startup_disabled. Note:
- Users of the .deb package must edit /etc/default/shorewall
- and set startup=1.
-
-
-
- If you use dialup or some flavor of PPP where your IP address
- can change arbitrarily, you may want to start the firewall in your
- /etc/ppp/ip-up.local script. I recommend just
- placing /sbin/shorewall restart in
- that script.
-
-
-
-
- You can manually start and stop Shoreline Firewall using the
- /sbin/shorewall shell program.
+ There are a number of files that comprise the operational components
+ of Shorewall.
- shorewall [ -q ] [ -f ] start - starts the
- firewall. It important to understand that when the firewall is in the
- Started state there is
- no Shorewall Programrunning.
- It rather means that Netfilter has been configured to handle traffic
- as described in your Shorewall configuration files. Please refer to
- the Shorewall State Diagram as shown at
- the bottom of this page for more information. The -q option was added
- in Shorewall 2.0.2 Beta 1 and reduces the amout of output produced.
- Also beginning with Shorewall version 2.0.2 Beta 1, the -f option may
- be specified. See the Saved Configurations
- section below for details.
+ /sbin/shorewall ̶ The program that you use
+ to interact with Shorewall. Normally the root user's PATH includes
+ /sbin and the program can be run from a shell
+ prompt by simply typing shorewall followed by a
+ command. To see a list of supported commands, use the
+ help command:
+
+ shorewall help
+
+ To get further information about a particular command, follow
+ help by the command:
+
+ shorewall help start
- shorewall stop - stops the firewall; the only
- traffic permitted through the firewall is from systems listed in
- /etc/shorewall/routestopped (Beginning with
- version 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf
- then in addition, all existing connections are permitted and any new
- connections originating from the firewall itself are allowed).
+ /etc/shorewall ̶ The default directory
+ where Shorewall looks for configuration files. See the section
+ entitled Alternate Configuration Directories
+ for information about how you can direct Shorewall to look in other
+ directories.
- shorewall [ -q ] restart - stops the firewall
- (if it is in the Started state) and
- then starts it again. The -q option was added in Shorewall 2.0.2 Beta
- 1 and reduces the amout of output produced.
+ /etc/init.d/shorewall (/etc/rc.d/firewall.rc
+ on Slackware) ̶ The script run by init (the program
+ responsible for startup and shutdown of your system) to start
+ Shorewall at boot time and to stop Shorewall at shutdown.
- shorewall reset - reset the packet and byte
- counters in the firewall
+ /usr/share/shorewall/firewall ̶ The program
+ responsible for configuring Netfilter based on your configuration
+ files.
- shorewall clear - remove all rules and chains
- installed by Shoreline Firewall. The firewall is wide open
-
-
-
- shorewall refresh - refresh the rules
- involving the broadcast addresses of firewall interfaces, the black
- list, traffic control rules and ECN control rules.
-
-
-
- shorewall save - Beginning with Shorewall
- 2.0.2 Beta1, this command creates a script which when run will restore
- the state of the firewall to its current state. See the Saved Configurations section below for details.
-
-
-
- shorewall restore [ <file name> ] -
- Runs a script created by the shorewall save
- command. See the Saved Configurations
- section below for details.
-
-
-
- shorewall forget - Added in Shorewall 2.0.2 Beta 1. Removes the
- /var/lib/shorewall restore script created by the
- shorewall save command.
-
-
-
- If you include the keyword debug as the first argument, then a shell
- trace of the command is produced as in:
-
- shorewall debug start 2> /tmp/traceThe
- above command would trace the start command and place the
- trace information in the file /tmp/trace
-
- Beginning with version 1.4.7, shorewall can give detailed help about
- each of its commands: shorewall help [ command | host | address ]The
- shorewall program may also be used to monitor the firewall.
-
-
-
- shorewall status - produce a verbose report
- about the firewall (iptables -L -n -v)
-
-
-
- shorewall show <chain1> [ <chain2> ...
- ] - produce a verbose report about the listed chains (iptables
- -L chain -n -v) Note: You may only list one chain in the
- show command when running Shorewall version 1.4.6 and earlier. Version
- 1.4.7 and later allow you to list multiple chains in one command.
-
-
-
- shorewall show nat - produce a verbose report
- about the nat table (iptables -t nat -L -n -v)
-
-
-
- shorewall show tos - produce a verbose report
- about the mangle table (iptables -t mangle -L -n -v)
-
-
-
- shorewall show log - display the last 20
- packet log entries.
-
-
-
- shorewall show connections - displays the IP
- connections currently being tracked by the firewall.
-
-
-
- shorewall show tc - displays information
- about the traffic control/shaping configuration.
-
-
-
- shorewall monitor [ <delay> ] -
- Continuously display the firewall status, last 20 log entries and nat.
- When the log entry display changes, an audible alarm is sounded. The
- <delay> indicates the number of seconds
- between updates with the default being 10 seconds.
-
-
-
- shorewall hits - Produces several reports
- about the Shorewall packet log messages in the current log file named
- in the LOGFILE variable in /etc/shorewall/shorewall.conf.
-
-
-
- shorewall version - Displays the installed
- version number.
-
-
-
- shorewall check - Performs a cursory
- validation of the zones, interfaces, hosts, rules and policy files.The
- check command is totally unsuppored
- and does not parse and validate the generated iptables commands. Even
- though the check command completes successfully, the
- configuration may fail to start. Problem reports that complain about
- errors that the check command does not detect will not
- be accepted.See the recommended way to make configuration
- changes described below.
-
-
-
- shorewall try <configuration-directory>
- [ <timeout> ] - Restart shorewall using the
- specified configuration and if an error occurs or if the
- <timeout> option is given and the new
- configuration has been up for that many seconds then shorewall is
- restarted using the standard configuration.
-
-
-
- shorewall logwatch (added in version 1.3.2) -
- Monitors the LOGFILE and produces an audible alarm when new Shorewall
- messages are logged.
-
-
-
- Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of
- commands for dealing with IP addresses and IP address ranges:
-
-
-
- shorewall ipcalc [ <address> <mask> |
- <address>/<vlsm> ] - displays the network
- address, broadcast address, network in CIDR notation and netmask
- corresponding to the input[s].
-
-
-
- shorewall iprange <address1>-<address2>
- - Decomposes the specified range of IP addresses into the equivalent
- list of network/host addresses
-
-
-
- There is a set of commands dealing with dynamic blacklisting:
-
-
-
- shorewall drop <ip address list> -
- causes packets from the listed IP addresses to be silently dropped by
- the firewall.
-
-
-
- shorewall reject <ip address list> -
- causes packets from the listed IP addresses to be rejected by the
- firewall.
-
-
-
- shorewall allow <ip address list> -
- re-enables receipt of packets from hosts previously blacklisted by a
- drop or reject command.
-
-
-
- shorewall save [ <file name> ] - save
- the dynamic blacklisting configuration so that it will be
- automatically restored the next time that the firewall is restarted.
- Beginning with Shorewall version 2.0.2 Beta1, this command also
- creates a script that can be used to restore the state of the
- firewall. See the Saved Configurations
- section below for details.
-
-
-
- show dynamic - displays the dynamic
- blacklisting chain.
-
-
-
- Finally, the shorewall program may be
- used to dynamically alter the contents of a zone.
-
-
-
- shorewall add <interface>[:<host>]
- <zone> - Adds the specified interface (and host if
- included) to the specified zone.
-
-
-
- shorewall delete <interface>[:<host>]
- <zone> - Deletes the specified interface (and host
- if included) from the specified zone.
-
- Examples:shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1
- shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1
+ /usr/share/shorewall/functions ̶ A library
+ of Bourne Shell functions used by both /sbin/shorewall
+ and /usr/share/shorewall/firewall.
- Error Handling
+ Starting, Stopping and Clearing
- When shorewall start, shorewall restart
- or shorewall refresh encounter an error, the behavior
- depends on which version of Shorewall you are running and whether there is
- a /var/lib/shorewall/restore script available (see
- shorewall save above).
+ As explained in the Introduction,
+ Shorewall is not something that runs all of the time in your system.
+ Nevertheless, for integrating Shorewall into your initialization scripts
+ it is useful to speak of starting Shorewall and
+ stopping Shorewall.
- If you are running a version of Shorewall earlier than 2.0.2
- Beta 1 then the effect is as if a shorewall stop
- command had been run.
+ Shorewall is started using the shorewall start
+ command. Once the start command completes successfully, Netfilter is
+ configured as described in your Shorewall configuration files. If
+ there is an error during shorewall start, then if
+ you have a saved configuration then that
+ configuration is restored. Otherwise, an implicit shorewall
+ stop is executed.
- If you have executed a shorewall save command
- without a subsequent shorewall forget, then the
- firewall is restored to the state when shorewall save
- was executed.
+ Shorewall is stopped using the shorewall stop
+ command.
+
+
+ The shorewall stop command does not remove
+ all netfilter rules and open your firewall for all traffic to pass.
+ It rather places your firewall in a safe state defined by the
+ contents of your /etc/shorewall/routestopped
+ file and the setting of ADMINISABSENTMINDED in /etc/shorewall/shorewall.conf.
+
+
+
+
+ If you want to remove all Netfilter rules and open your firewall
+ for all traffic to pass, use the shorewall clear
+ command.
+
+
+
+ If you change your configuration and want to install the
+ changes, use the shorewall restart command.
+
+ For additional information, see the Shorewall
+ State Diagram section.
- Alternate Configurations
+ Tracing Command Execution
- The shorewall start, shorewall restart,
+ If you include the word trace as
+ the first parameter to an /sbin/shorewall command
+ that transfers control to /usr/share/shorewall/firewall,
+ execution of the latter program will be traced to STDERR.
+
+
+ Tracing shorewall start
+
+ To trace the execution of shorewall start and
+ write the trace to the file /tmp/trace, you would
+ enter:shorewall trace start 2> /tmp/trace
+
+
+
+
+ Having Shorewall Start Automatically at Boot Time
+
+ The .rpm, .deb and .tgz all try to configure your startup scripts so
+ that Shorewall will start automatically at boot time. If you are using the
+ install.sh script from the .tgz and it cannot determine
+ how to configure automatic startup, a message to that effect will be
+ displayed. You will need to consult your distribution's documentation
+ to see how to integrate the /etc/init.d/shorewall
+ script into the distribution's startup mechanism.Shorewall
+ startup is disabled by default. Once you have configured your firewall,
+ you can enable startup by removing the file /etc/shorewall/startup_disabled.
+ Note: Users of the .deb package must edit /etc/default/shorewall
+ and set startup=1.If you
+ use dialup or some flavor of PPP where your IP address can change
+ arbitrarily, you may want to start the firewall in your
+ /etc/ppp/ip-up.local script. I recommend just placing
+ /sbin/shorewall restart in that script.
+
+
+
+ Saving a Working Configuration for Error Recovery and Fast Startup
+
+ Once you have Shorewall working the way that you want it to, you can
+ use shorewall save to save the
+ commands necessary to recreate that configuration in a
+ restore script.
+
+ In its simplest form, the save command is just:
+
+ shorewall save
+
+ That command creates the default restore script,
+ /var/lib/shorewall/restore. The default may be
+ changed using the RESTOREFILE option in /etc/shorewall/shorewall.conf. A
+ different file name may also be specified in the specified in the
+ save command:
+
+ shorewall save <filename>
+
+ Where <filename> is a simple file name
+ (no slashes).
+
+ Once created, the default restore script serves several useful
+ purposes:
+
+
+
+ If you change your configuration and there is an error when you
+ try to restart Shorewall, the restore script will be run to restore
+ your firewall to working order.
+
+
+
+ Bootup is faster. The -f option of the start command (e.g.,
+ shorewall -f start) causes Shorewall to look for
+ the default restore script and if it exists, the script is run. This
+ is much faster than starting Shorewall using the normal mechanism of
+ reading the configuration files and running iptables
+ dozens or even hundreds of times. /etc/init.d/shorewall
+ (/etc/rc.d/firewall.rc) uses the -f option when
+ it is processing a request to start Shorewall.
+
+
+
+ The shorewall restore command can be used at
+ any time to quickly configure the firewall.
+
+ shorewall restore [ <filename> ]
+
+ If no <filename> is given, the
+ default restore script is used. Otherwise, the script
+ /var/lib/shorewall/<filename> is used.
+
+
+
+ The ability to have multiple restore scripts means that you can save
+ different Shorewall firewall configurations and switch between them
+ quickly using the restore command.
+
+ Restore scripts may be removed using the shorewall forget
+ command:
+
+ shorewall forget [ <filename> ]
+
+ If no <filename> is given, the default
+ restore script is removed. Otherwise, /var/lib/shorewall/<filename>
+ is removed (of course, you can also use the Linux rm
+ command from the shell prompt to remove these files).
+
+
+
+ Alternate Configuration Directories
+
+ As explained above, Shorewall normally looks for configuration files
+ in the directory /etc/shorewall.
+ The shorewall start, shorewall restart,
shorewall check, and shorewall try commands
- allow you to specify which Shorewall configuration to use:
+ allow you to specify a different directory for Shorewall to check before
+ looking in /etc/shorewall:
shorewall [ -c <configuration-directory> ] {start|restart|check}shorewall try <configuration-directory> [ <timeout> ]
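Review bot: the new sentence "A different file name may also be specified in the specified in the save command" duplicates "specified in the"; drop one copy so it reads "may also be specified in the save command". The same paragraph only says the default restore script "may be changed using the RESTOREFILE option"; since this section replaces the old Saved Configurations text, carry over what that text stated, namely that when RESTOREFILE is unset or empty the default is "restore", otherwise readers lose the only statement of the fallback.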
@@ -354,6 +267,11 @@
recommend the following:
+
+ If you haven't saved the current working configuration, do
+ so using shorewall save.
+
+
mkdir /etc/test
@@ -376,20 +294,20 @@
- /sbin/shorewall try ./
+ shorewall try ./If the configuration starts but doesn't work, just
shorewall restart to restore the old configuration. If the
new configuration fails to start, the try command will
- automatically start the old one for you.
+ automatically restore your configuration.
When the new configuration works then just:
- cp * /etc/shorewall
+ cp -f * /etc/shorewall
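Review bot: "automatically restore your configuration" is vaguer than the wording it replaces; the try entry in the Command Reference says another restart is performed using the default configuration, so use the same phrasing here ("automatically restart using the default configuration") so the walkthrough and the reference agree. Dropping the /sbin/ prefix matches the rest of the page and is fine.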
@@ -399,66 +317,390 @@
rm -rf /etc/test
+
+
+ shorewall save
+
-
- Saved Configurations
+
+ Command Reference
- Beginning with Shorewall 2.0.2 Beta 1, Shorewall is integrated with
- the iptables-save/iptables-restore programs through
- saved configurations. A saved configuration is a
- shell script that when executed will restore the firewall state to match
- what it was when the script was created. Because of the way in which saved
- configurations are used, they are also referred to using the term
- restore script.
+
+
+ add
-
-
- The shorewall save command creates a restore
- script.
-
+
+ shorewall add <interface>[:<host>]
+ <zone>
-
- The shorewall restore command executes a
- restore script.
-
+ Adds a host or subnet to a dynamic zone usually used with
+ VPN's.
-
- The shorewall forget command deleted a
- restore script.
-
+ Example: shorewall add ipsec0:192.0.2.24 vpn1
-
- The -f option of the shorewall
- start command causes a restore script to be executed if it
- exists.
-
-
+ adds the address 192.0.2.24 from interface ipsec0 to the zone
+ vpn1.
+
+
- In Shorewall 2.0.2, the name of the restore script is fixed:
- /var/lib/shorewall/restore. Beginning with Shorewall
- 2.0.3 Beta 1, multiple restore scripts are permitted in /var/lib/shorewall.
+
+ allow
-
-
- The shorewall save, shorewall
- restore and shorewall forget commands are
- extended to allow you to specify a simple file name (one not
- containing embedded slashes). The fiile name specifies the name of a
- restore script in /var/lib/shorewall.
-
+
+ shorewall allow <address> ...
-
- A RESTOREFILE option has been added to shorewall.conf.
- This variable may contain a simple file name that designates the
- default restore script when the command doesn't specify one. To
- maintain backward compatibility with Shorewall 2.0.2, if RESTOREFILE
- is not set or is set to the empty value (RESTOREFILE=""), then
- the default value is restore.
-
-
+ Re-enables receipt of packets from hosts previously
+ blacklisted by a drop or reject command.
+
+ Shorewall allow, drop, rejct and save implement dynamic
+ blacklisting.
+
+
+
+
+ check
+
+
+ shorewall [ -c <configuration-directory> ]
+ check
+
+ Performs a cursory validation of the zones, interfaces, hosts,
+ rules and policy files. Use this if you are unsure of any edits you
+ have made to the shorewall configuration. See above for a recommended way to make
+ changes.
+
+
+
+
+ clear
+
+
+ shorewall clear
+
+ Clear will remove all rules and chains installed by Shorewall.
+ The firewall is then wide open and unprotected. Existing connections
+ are untouched. Clear is often used to see if the firewall is causing
+ connection problems.
+
+
+
+
+ delete
+
+
+ shorewall delete <interface>[:<host>]
+ <zone>
+
+ Deletes the specified interface (and host if included) from
+ the specified zone.
+
+ Example:
+
+ shorewall delete ipsec0:192.0.2.24 vpn1
+
+ deletes the address 192.0.2.24 from interface ipsec0 from zone
+ vpn1
+
+
+
+
+ drop
+
+
+ shorewall drop <address> ...
+
+ Causes packets from the specified <address>
+ to be ignored
+
+
+
+
+ forget
+
+
+ shorewall forget [ <filename> ]
+
+ Deletes /var/lib/shorewall/<filename>.
+ If no <filename> is given then the file
+ specified by RESTOREFILE in /etc/shorewall/shorewall.conf
+ is removed.
+
+
+
+
+ help
+
+
+ shorewall help [<command> | host | address ]
+
+ Display helpful information about the shorewall commands.
+
+
+
+
+ hits
+
+
+ hits
+
+ Produces several reports about the Shorewall packet log
+ messages in the current log file specified by the LOGFILE option in
+ /etc/shorewall/shorewall.conf.
+
+
+
+
+ ipcalc
+
+
+ shorewall ipcalc [ <address> <mask> |
+ <address>/<vlsm> ]
+
+ Ipcalc displays the network address, broadcast address,
+ network in CIDR notation and netmask corresponding to the input[s].
+
+ Example:
+
+ ipcalc 192.168.1.0/24
+
+
+
+
+ iprange
+
+
+ shorewall iprange
+ <address1>-<address2>
+
+ Iprange decomposes the specified range of IP addresses into
+ the equivalent list of network/host addresses.
+
+
+
+
+ logwatch
+
+
+ shorewall logwatch [<refresh interval>]
+
+ Monitors the log file specified by theLOGFILE option in /etc/shorewall/shorewall.conf
+ and produces an audible alarm when new Shorewall messages are
+ logged.
+
+
+
+
+ monitor
+
+
+ shorewall [-x] monitor [<refresh_interval>]
+
+ Continuously display the firewall status, last 20 log entries
+ and nat. When the log entry display changes, an audible alarm is
+ sounded.
+
+ When -x is given, that option is also passed to iptables to
+ display actual packet and byte counts.
+
+
+
+
+ refresh
+
+
+ shorewall refresh: [ -q ] refresh
+
+ The rules involving the broadcast addresses of firewall
+ interfaces, the black list, traffic control rules and ECN control
+ rules are recreated to reflect any changes made to your
+ configuration files. Existing connections are untouched If -q is
+ specified, less detain is displayed making it easier to spot
+ warnings.
+
+
+
+
+ reject
+
+
+ shorewall reject <address> ...
+
+ Causes packets from the specified <address>s
+ to be rejected
+
+
+
+
+ reset
+
+
+ shorewall reset
+
+ All the packet and byte counters in the firewall are reset.
+
+
+
+
+ restart
+
+
+ shorewall [ -q ] [ -c
+ <configuration-directory> ] restart
+
+ Restart is similar to shorewall stop
+ followed by shorewall start. Existing connections
+ are maintained. If -q is specified, less detail is displayed making
+ it easier to spot warnings
+
+
+
+
+ restore
+
+
+ shorewall [ -q ] restore [ <filename> ]
+
+ Restore Shorewall to a state saved using the
+ shorewall save command Existing connections are
+ maintained. The <filename> names a
+ restore file in /var/lib/shorewall
+ created using shorewall save; if no <filename>
+ is given then Shorewall will be restored from the file specified by
+ the RESTOREFILE option in /etc/shorewall/shorewall.conf.
+
+
+
+
+ save
+
+
+ shorewall save [ <filename> ]
+
+ The dynamic data is stored in /var/lib/shorewall/save. The
+ state of the firewall is stored in /var/lib/shorewall/<filename>
+ for use by the shorewall restore and
+ shorewall -f start commands. If <filename>
+ is not given then the state is saved in the file specified by the
+ RESTOREFILE option in /etc/shorewall/shorewall.conf.
+
+
+
+
+ show
+
+
+ shorewall [ -x ] show [ <chain> [
+ <chain> ...] |classifiers|connections|log|nat|tc|tos]
+
+ shorewall [ -x ] show <chain> [
+ <chain> ... ] - produce a verbose report about
+ the Netfilter chain(s). (iptables -L chain -n -v)
+
+ shorewall [ -x ] show nat - produce a
+ verbose report about the nat table. (iptables -t nat -L -n
+ -v)
+
+ shorewall [ -x ] show tos - produce a
+ verbose report about the mangle table. (iptables -t mangle
+ -L -n -v)
+
+ shorewall show log - display the last 20
+ packet log entries.
+
+ shorewall show connections - displays the
+ IP connections currently being tracked by the firewall.
+
+ shorewall show classifiers - displays
+ information about the traffic control/shaping classifiers.
+
+ shorewall show tc - displays information
+ about the traffic control/shaping configuration.
+
+ When -x is given, that option is also passed to iptables to
+ display actual packet and byte counts.
+
+
+
+
+ start
+
+
+ shorewall [ -q ] [ -f ] [ -c
+ <configuration-directory> ] start
+
+ Start shorewall. Existing connections through shorewall
+ managed interfaces are untouched. New connections will be allowed
+ only if they are allowed by the firewall rules or policies. If -q is
+ specified, less detail is displayed making it easier to spot
+ warnings If -f is specified, the saved configuration specified by
+ the RESTOREFILE option in /etc/shorewall/shorewall.conf
+ will be restored if that saved configuration exists
+
+
+
+
+ stop
+
+
+ shorewall stop
+
+ Stops the firewall. All existing connections, except those
+ listed in /etc/shorewall/routestopped
+ or permitted by the ADMINISABSENTMINDED option in /etc/shorewall/shorewall.conf,
+ are taken down. The only new traffic permitted through the firewall
+ is from systems listed in /etc/shorewall/routestopped
+ or by ADMINISABSENTMINDED.
+
+
+
+
+ status
+
+
+ shorewall [ -x ] status
+
+ Produce a verbose report about the firewall.
+
+ When -x is given, that option is also passed to iptables to
+ display actual packet and byte counts.
+
+
+
+
+ try
+
+
+ shorewall try <configuration-directory> [
+ <timeout> ]
+
+ Restart shorewall using the specified configuration. If an
+ error occurs during the restart, then another shorewall restart is
+ performed using the default configuration. If a timeout is specified
+ then the restart is always performed after the timeout occurs and
+ uses the default configuration.
+
+ When restarting using the default configuration, if the
+ default restore script (as specified by the RESTOREFILE setting in
+ /etc/shorewall/shorewall.conf)
+ exists. then that script is used.
+
+
+
+
+ version
+
+
+ shorewall version
+
+ Show the current shorewall version
+
+
+
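Review bot: the refresh syntax line reads "shorewall refresh: [ -q ] refresh"; it should follow the pattern used by restart and restore, "shorewall [ -q ] refresh". The same consistency problem applies to hits (the syntax line is a bare "hits", should be "shorewall hits") and to the ipcalc example ("ipcalc 192.168.1.0/24", whereas the delete example is written "shorewall delete ipsec0:192.0.2.24 vpn1"). Typos in the added text: "rejct" under allow, "less detain" under refresh; sentence-ending periods are missing after "to be ignored", "untouched If -q", "warnings" (restart and start), "save command Existing connections" and "configuration exists"; and "exists. then that script is used" under try should be "exists, then".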
@@ -573,16 +815,4 @@
-
-
- Revision History
-
- 1.102004-05-14TEUpdate
- "try" syntax in the alternate configuration section to include [
- <timeout> ]1.92004-05-03TEShorewall
- 2.0.21.3-1.82004-01-04TEDocbook
- standards1.22003-12-31TEAdded
- clarification about "Started State"1.12003-12-29TEInitial
- Docbook conversion
-
\ No newline at end of file
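Review bot: dropping the Revision History removes the only dated record that the try command gained the [ <timeout> ] argument (2004-05-14), which the new Command Reference entry for try documents without a version note. If the history tables are being retired across the docs, fine; otherwise keep the table or fold the relevant "since" information into the try entry.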
diff --git a/Shorewall-docs2/support.xml b/Shorewall-docs2/support.xml
index 57e1ef3d4..741585fe8 100644
--- a/Shorewall-docs2/support.xml
+++ b/Shorewall-docs2/support.xml
@@ -15,7 +15,7 @@
- 2004-07-25
+ 2004-07-292001-2004
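Review bot: as rendered, the new header line runs the publication date into the copyright years ("2004-07-292001-2004"); the header hunks in template.xml, three-interface.xml and traffic_shaping.xml show the same pattern. Confirm these are separate date and copyright elements in the source and not one concatenated string.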
@@ -78,7 +78,7 @@
Problem Reporting Guidelines
- Shorewall versions earlier that 1.3.0 are no longer supported.
+ Shorewall versions earlier that 1.4.0 are no longer supported.
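Review bot: "earlier that 1.4.0" carries over the typo from the removed line; make it "earlier than 1.4.0" while the line is being touched.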
diff --git a/Shorewall-docs2/template.xml b/Shorewall-docs2/template.xml
index 8420b7ab8..cb9f18754 100644
--- a/Shorewall-docs2/template.xml
+++ b/Shorewall-docs2/template.xml
@@ -5,7 +5,7 @@
-
+ Operating Shorewall
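Review bot: template.xml is the skeleton for new documents, but this hunk gives it the concrete title "Operating Shorewall"; that looks like an edit intended for the Operating Shorewall article that landed in the template instead. Keep the title empty or a placeholder here.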
@@ -15,7 +15,7 @@
- 2004-MM-DD
+ 2004-07-312004
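Review bot: replacing the "2004-MM-DD" placeholder with a real date ("2004-07-312004") defeats the purpose of the template; keep the placeholder so documents copied from it are not stamped with a stale date.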
diff --git a/Shorewall-docs2/three-interface.xml b/Shorewall-docs2/three-interface.xml
index 4807b22a4..f6575ca64 100755
--- a/Shorewall-docs2/three-interface.xml
+++ b/Shorewall-docs2/three-interface.xml
@@ -15,7 +15,7 @@
- 2004-07-14
+ 2004-07-312002-2004
@@ -169,12 +169,12 @@
and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall even
if you do not modify those files.
- After you have installed Shorewall, download the three-interface
- sample, un-tar it (tar
- three-interfaces.tgz) and and copy the
- files to /etc/shorewall (the files will replace files
- with the same names that were placed in /etc/shorewall
- when Shorewall was installed).
+ After you have installed Shorewall, download the three-interface sample,
+ un-tar it (tar three-interfaces.tgz)
+ and and copy the files to /etc/shorewall (the files
+ will replace files with the same names that were placed in
+ /etc/shorewall when Shorewall was installed).As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration
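Review bot: the rewrapped text keeps "and and copy the files"; since these lines are being rewritten anyway, drop the duplicated "and". As rendered, the last added line also runs "when Shorewall was installed)." straight into "As each file is introduced", so check that the paragraph break survived the rewrap.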
@@ -372,13 +372,10 @@ fw net ACCEPT
- If you specify norfc1918 for your external
+ If you specify nobogons for your external
interface, you will want to check the Shorewall
- Errata periodically for updates to the /usr/share/shorewall/rfc1918
- file. Alternatively, you can copy /usr/share/shorewall/rfc1918
- to /etc/shorewall/rfc1918 then strip down your /etc/shorewall/rfc1918
- file as I do.
+ Errata periodically for updates to the /usr/share/shorewall/bogons
+ file.
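Review bot: the rename from norfc1918/rfc1918 to nobogons/bogons also drops the sentence about copying the file to /etc/shorewall and trimming it locally, with no replacement. If a local override of the bogons file is still supported, say so here; if it is not, a one-line note that the stripped-down-copy approach no longer applies would help readers who followed the old advice.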
diff --git a/Shorewall-docs2/traffic_shaping.xml b/Shorewall-docs2/traffic_shaping.xml
index fc97ce7d4..8a855b997 100644
--- a/Shorewall-docs2/traffic_shaping.xml
+++ b/Shorewall-docs2/traffic_shaping.xml
@@ -15,7 +15,7 @@
- 2004-07-14
+ 2004-08-052001-2004
@@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
- GNU Free Documentation License.
+ GNU Free Documentation
+ License.
@@ -40,8 +41,8 @@
management itself but it does contain some facilities to intergrate with
traffic shaping/control solutions. In order to use traffic shaping with
Shorewall, it is essential that you get a copy of the Linux Advanced Routing and Shaping HOWTO,
- version 0.3.0 or later or Linux Advanced Routing and Shaping
+ HOWTO, version 0.3.0 or later or The Traffic Control
HOWTO. It is also necessary to be running Linux Kernel 2.4.18 or
later. Shorewall traffic shaping support consists of the following:
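Review bot: while this sentence is being edited, fix "intergrate" on the context line and put a comma before the second "or" ("version 0.3.0 or later, or The Traffic Control HOWTO"). As rendered, the two HOWTO references also read "Shaping HOWTO, HOWTO, version 0.3.0", so check that the link text was not duplicated when the second link was swapped.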
@@ -63,14 +64,15 @@
/etc/shorewall/tcrules - A file
where you can specify firewall marking of packets. The firewall mark
- value may be used to classify packets for traffic shaping/control.
+ value may be used to classify packets for traffic
+ shaping/control.
/etc/shorewall/tcstart - A
- user-supplied file that is sourced by Shorewall during shorewall
- start and which you can use to define your traffic shaping
- disciplines and classes. I have provided a shorewall start and which you can use to define your
+ traffic shaping disciplines and classes. I have provided a sample that
does table-driven CBQ shaping but if you read the traffic shaping
sections of the HOWTO mentioned above, you can probably code your own
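Review bot: as shown, the only added line for the tcstart entry begins "traffic shaping disciplines and classes.", and none of the added lines carries the removed phrase "user-supplied file that is sourced by Shorewall during shorewall start"; verify that description is still present in the result, since it is what tells the reader that the file is theirs to write and when it runs.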
@@ -93,17 +95,18 @@
README). WARNING: If you use use
Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the
- wshaper[.htb] script won't work. Traffic shaping occurs after SNAT
- has already been applied so when traffic shaping happens, all outbound
+ wshaper[.htb] script won't work. Traffic shaping occurs after SNAT has
+ already been applied so when traffic shaping happens, all outbound
traffic will have as a source address the IP addresss of your
- firewall's external interface.
+ firewall's external interface.
/etc/shorewall/tcclear - A
user-supplied file that is sourced by Shorewall when it is clearing
- traffic shaping. This file is normally not required as Shorewall's
- method of clearing qdisc and filter definitions is pretty general.
+ traffic shaping. This file is normally not required as Shorewall's
+ method of clearing qdisc and filter definitions is pretty
+ general.
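Review bot: these hunks are whitespace-only rewraps, but the paragraph still carries "If you use use" and "IP addresss" on its context lines; fix both while here, since the rewrap already touches the surrounding lines.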
@@ -161,7 +164,7 @@
Kernel Configuration
- This screen shot show how I've configured QoS in my Kernel:This screen shot show how I've configured QoS in my Kernel:
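Review bot: "This screen shot show how" should be "shows"; the removed and added lines are identical as rendered, so whatever changed (presumably the image reference) is invisible here, and the grammar fix fits on the same line.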
@@ -233,7 +236,8 @@
generating the output is running under the effective user and/or
group. It may contain :
- [<user name or number>]:[<group name or number>]
+ [<user name or number>]:[<group name or
+ number>]The colon is optionnal when specifying only a user.
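Review bot: "optionnal" on the last line should be "optional"; the hunk already rewraps the syntax line, so the typo fix belongs in the same change.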
@@ -303,7 +307,8 @@ run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit
run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1
echo Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit
-run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10
+run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5
+run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10
run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5
echo Enabled PFIFO on Second Level Classes