forked from extern/shorewall_code
Update Documentation
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1523 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
84cb8c445d
commit
ceaf86f709
@ -17,7 +17,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-07-14</pubdate>
|
||||
<pubdate>2004-08-01</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -65,7 +65,7 @@
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Port Forwarding</title>
|
||||
<title>Port Forwarding (Port Redirection)</title>
|
||||
|
||||
<section id="faq1">
|
||||
<title>(FAQ 1) I want to forward UDP port 7777 to my my personal PC with
|
||||
|
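Review bot: the context line `(FAQ 1) I want to forward UDP port 7777 to my my personal PC` carries a doubled word ("my my"); since this hunk already edits the title of the enclosing section, fix it to "to my personal PC" in the same change rather than leaving a visible typo in the first FAQ entry.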
@ -111,7 +111,7 @@ Device "eth0:0" does not exist.
|
||||
|
||||
case $1 in
|
||||
eth0)
|
||||
/sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0
|
||||
/sbin/ip addr add 206.124.146.178 dev eth0 label eth0:0
|
||||
;;
|
||||
esac</programlisting>
|
||||
|
||||
|
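Review bot: the aliased address in the ip-up snippet changes from 206.124.146.177 to 206.124.146.178 on a single line, with no corresponding change visible in the prose or in the other examples of the same FAQ entry; check that every other mention of that address in the entry (the rules or nat lines this snippet is meant to accompany) is updated the same way, otherwise the worked example no longer agrees with itself. A short comment in the snippet saying what the address is (the public address being forwarded to, added as an alias so the kernel answers for it) would also help readers who copy the `case $1 in eth0)` block into their own ip-up script.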
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-06-11</pubdate>
|
||||
<pubdate>2004-07-31</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2004</year>
|
||||
@ -159,12 +159,11 @@
|
||||
|
||||
<para>Unfortunately, Linux distributions don't have good bridge
|
||||
configuration tools and the network configuration GUIs don't detect
|
||||
the presence of bridge devices. You may refer to <ulink
|
||||
url="http://shorewall.net/2.0/myfiles.htm">my configuration files</ulink>
|
||||
for an example of configuring a three-port bridge at system boot under
|
||||
<trademark>SuSE</trademark>. Here is an excerpt from a Debian
|
||||
<filename>/etc/network/interfaces</filename> file for a two-port bridge
|
||||
with a static IP address:</para>
|
||||
the presence of bridge devices. You may refer to <ulink url="myfiles.htm">my
|
||||
configuration files</ulink> for an example of configuring a three-port
|
||||
bridge at system boot under <trademark>SuSE</trademark>. Here is an
|
||||
excerpt from a Debian <filename>/etc/network/interfaces</filename> file
|
||||
for a two-port bridge with a static IP address:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>auto br0
|
||||
@ -294,6 +293,36 @@ exit 0</programlisting>
|
||||
INTERFACES="eth0 eth1" #The physical interfaces to be bridged</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>Andrzej Szelachowski contributed the following.</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>Here is how I configured bridge in Slackware:
|
||||
|
||||
1) I had to compile bridge-utils (It's not in the standard distribution)
|
||||
2) I've created rc.bridge in /etc/rc.d:
|
||||
|
||||
#########################
|
||||
#! /bin/sh
|
||||
|
||||
ifconfig eth0 0.0.0.0
|
||||
ifconfig eth1 0.0.0.0
|
||||
#ifconfig lo 127.0.0.1 #this line should be uncommented if you don't use rc.inet1
|
||||
|
||||
brctl addbr most
|
||||
|
||||
brctl addif most eth0
|
||||
brctl addif most eth1
|
||||
|
||||
ifconfig most 192.168.1.31 netmask 255.255.255.0 up
|
||||
#route add default gw 192.168.1.1 metric 1 #this line should be uncommented if
|
||||
#you don't use rc.inet1
|
||||
#########################
|
||||
|
||||
3) I made rc.brige executable and added the following line to /etc/rc.d/rc.local
|
||||
|
||||
/etc/rc.d/rc.bridge </programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>Users who successfully configure bridges on other distributions,
|
||||
with static or dynamic IP addresses, are encouraged to send <ulink
|
||||
url="mailto:webmaster@shorewall.net">me</ulink> their configuration so I
|
||||
|
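Review bot: "I made rc.brige executable" should read rc.bridge, and the contributed text mixes prose (the numbered steps and "Here is how I configured bridge in Slackware:") into the <programlisting> together with the script; follow the Debian example just above and put the steps in <para>/<orderedlist> elements with only the script body in the listing. Two things about the script deserve a sentence of their own: the "#########################" lines read as delimiters, but if a reader copies them into rc.bridge the `#! /bin/sh` line is no longer line 1 and the shebang is ignored; and because /etc/rc.d/rc.local runs at the end of boot, a bridge created there does not exist yet when a Shorewall started earlier in the boot sequence refers to the "most" interface, so Slackware readers should either start Shorewall from rc.local after this script or run rc.bridge from an earlier rc file.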
@ -13,7 +13,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-07-29</pubdate>
|
||||
<pubdate>2004-07-30</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -87,6 +87,22 @@
|
||||
<section>
|
||||
<title>Problems in Version 2.0</title>
|
||||
|
||||
<section>
|
||||
<title>Shorewall 2.0.3a through 2.0.7</title>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Entries in the USER/GROUP column of an action file (made from
|
||||
action.template) may be ignored or cause odd errors. </para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Corrected in <ulink
|
||||
url="http://shorewall.net/pub/shorewall/errata/2.0.7/firewall">this
|
||||
firewall script</ulink> which may be installed in
|
||||
/usr/share/shorewall/firewall as described above.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Shorewall 2.0.3a through 2.0.4</title>
|
||||
|
||||
|
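Review bot: the new errata entry says USER/GROUP entries "may be ignored or cause odd errors" but does not state the consequence, which is what an administrator needs to judge exposure: a rule whose USER/GROUP qualifier is silently dropped applies to every local process, so an ACCEPT restricted to one user becomes an ACCEPT for all, i.e. it fails open. Say that explicitly. Also, the fix is a replacement for /usr/share/shorewall/firewall, a script executed as root, fetched over plain http; point readers at a checksum or signature for the file if one is published next to it so they can verify what they install.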
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-07-13</pubdate>
|
||||
<pubdate>2004-08-05</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -29,7 +29,8 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
@ -40,9 +41,9 @@
|
||||
<para>I use a combination of One-to-one NAT and Proxy ARP, neither of
|
||||
which are relevant to a simple configuration with a single public IP
|
||||
address. If you have just a single public IP address, most of what you
|
||||
see here won't apply to your setup so beware of copying parts of
|
||||
this configuration and expecting them to work for you. What you copy may
|
||||
or may not work for you.</para>
|
||||
see here won't apply to your setup so beware of copying parts of this
|
||||
configuration and expecting them to work for you. What you copy may or
|
||||
may not work for you.</para>
|
||||
</caution>
|
||||
|
||||
<caution>
|
||||
@ -75,19 +76,21 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>I use SNAT through 206.124.146.179 for  my SuSE 9.0 Linux
|
||||
system <quote>Wookie</quote>, my Wife's Windows XP system
|
||||
<quote>Tarry</quote>, and our  dual-booting (Windows
|
||||
XP/Mandrake 10.0 Official) laptop <quote>Tipper</quote> which connects
|
||||
through the Wireless Access Point (wap) via a Wireless Bridge (wet).<note><para>While
|
||||
the distance between the WAP and where I usually use the laptop
|
||||
isn't very far (25 feet or so), using a WAC11 (CardBus wireless
|
||||
card) has proved very unsatisfactory (lots of lost connections). By
|
||||
replacing the WAC11 with the WET11 wireless bridge, I have virtually
|
||||
eliminated these problems (Being an old radio tinkerer (K7JPV), I was
|
||||
also able to eliminate the disconnects by hanging a piece of aluminum
|
||||
foil on the family room wall. Needless to say, my wife Tarry rejected
|
||||
that as a permanent solution :-).</para></note></para>
|
||||
<para>I use SNAT through 206.124.146.179 for my SuSE 9.0 Linux
|
||||
system <quote>Wookie</quote>, my Wife's Windows XP system
|
||||
<quote>Tarry</quote>, and our dual-booting (Windows XP/SuSE 9.1)
|
||||
laptop <quote>Tipper</quote> which connects through the Wireless
|
||||
Access Point (wap) via a Wireless Bridge (wet).<note>
|
||||
<para>While the distance between the WAP and where I usually use
|
||||
the laptop isn't very far (25 feet or so), using a WAC11 (CardBus
|
||||
wireless card) has proved very unsatisfactory (lots of lost
|
||||
connections). By replacing the WAC11 with the WET11 wireless
|
||||
bridge, I have virtually eliminated these problems (Being an old
|
||||
radio tinkerer (K7JPV), I was also able to eliminate the
|
||||
disconnects by hanging a piece of aluminum foil on the family room
|
||||
wall. Needless to say, my wife Tarry rejected that as a permanent
|
||||
solution :-).</para>
|
||||
</note></para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@ -98,16 +101,17 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The firewall runs on a 256MB PII/233 with Debian Sarge (Testing).</para>
|
||||
<para>The firewall runs on a 256MB PII/233 with Debian Sarge
|
||||
(Testing).</para>
|
||||
|
||||
<para>Wookie and Ursa run Samba and Wookie acts as a WINS server.</para>
|
||||
|
||||
<para>The wireless network connects to Wookie's eth2 via a LinkSys
|
||||
WAP11.  In additional to using the rather weak WEP 40-bit
|
||||
encryption (64-bit with the 24-bit preamble), I use <ulink
|
||||
<para>The wireless network connects to Wookie's eth2 via a LinkSys
|
||||
WAP11. In additional to using the rather weak WEP 40-bit encryption
|
||||
(64-bit with the 24-bit preamble), I use <ulink
|
||||
url="MAC_Validation.html">MAC verification</ulink>. This is still a weak
|
||||
combination and if I lived near a wireless <quote>hot spot</quote>, I
|
||||
would probably add IPSEC or something similar to my WiFi->local
|
||||
would probably add IPSEC or something similar to my WiFi->local
|
||||
connections.</para>
|
||||
|
||||
<para>The single system in the DMZ (address 206.124.146.177) runs postfix,
|
||||
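Review bot: two problems survive the reflow of the WAP11 paragraph. "In additional to using" should be "In addition to using", and "(64-bit with the 24-bit preamble)" mislabels the WEP IV: the 24 bits that turn a 40-bit key into "64-bit WEP" are the per-packet initialization vector, not a preamble, and that IV is exactly the weak part of WEP, so write "24-bit IV". The admission that WEP plus MAC verification is a weak combination is the right message and should stay.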
@ -132,13 +136,14 @@
|
||||
in the DMZ.</para>
|
||||
|
||||
<para>The ethernet interface in the Server is configured with IP address
|
||||
206.124.146.177, netmask 255.255.255.0. The server's default gateway
|
||||
is 206.124.146.254 (Router at my ISP. This is the same default gateway
|
||||
used by the firewall itself). On the firewall, an entry in my
|
||||
206.124.146.177, netmask 255.255.255.0. The server's default gateway is
|
||||
206.124.146.254 (Router at my ISP. This is the same default gateway used
|
||||
by the firewall itself). On the firewall, an entry in my
|
||||
/etc/network/interfaces file (see below) adds a host route to
|
||||
206.124.146.177 through eth1 when that interface is brought up.</para>
|
||||
|
||||
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access.</para>
|
||||
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior
|
||||
access.</para>
|
||||
|
||||
<para><graphic align="center" fileref="images/network.png" /></para>
|
||||
</section>
|
||||
@ -162,7 +167,7 @@ RFC1918_LOG_LEVEL=$LOG
|
||||
SMURF_LOG_LEVEL=
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
SHOREWALL_SHELL=/bin/ash
|
||||
SUBSYSLOCK= #I run Debian which doesn't use service locks
|
||||
SUBSYSLOCK= #I run Debian which doesn't use service locks
|
||||
STATEDIR=/var/state/shorewall
|
||||
MODULESDIR=
|
||||
FW=fw
|
||||
@ -189,9 +194,9 @@ TCP_FLAGS_DISPOSITION=DROP
|
||||
<title>Params File (Edited)</title>
|
||||
|
||||
<blockquote>
|
||||
<para><programlisting>MIRRORS=<list of shorewall mirror ip addresses>
|
||||
NTPSERVERS=<list of the NTP servers I sync with>
|
||||
TEXAS=<ip address of gateway in Plano>
|
||||
<para><programlisting>MIRRORS=<list of shorewall mirror ip addresses>
|
||||
NTPSERVERS=<list of the NTP servers I sync with>
|
||||
TEXAS=<ip address of gateway in Plano>
|
||||
LOG=info</programlisting></para>
|
||||
</blockquote>
|
||||
</section>
|
||||
@ -230,7 +235,7 @@ dmz eth1 -
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ZONE HOST(S) OPTIONS
|
||||
tx              texas:192.168.8.0/22
|
||||
tx texas:192.168.8.0/22
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
@ -284,14 +289,14 @@ eth2 -
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
|
||||
fw fw ACCEPT # For testing fw->fw rules
|
||||
fw fw ACCEPT # For testing fw->fw rules
|
||||
loc net ACCEPT # Allow all net traffic from local net
|
||||
$FW loc ACCEPT # Allow local access from the firewall
|
||||
$FW tx ACCEPT # Allow firewall access to texas
|
||||
loc tx ACCEPT # Allow local net access to texas
|
||||
loc fw REJECT $LOG # Reject loc->fw and log
|
||||
loc fw REJECT $LOG # Reject loc->fw and log
|
||||
net all DROP $LOG 10/sec:40 # Rate limit and
|
||||
# DROP net->all
|
||||
# DROP net->all
|
||||
all all REJECT $LOG # Reject and log the rest
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
@ -302,16 +307,15 @@ all all REJECT $LOG # Reje
|
||||
|
||||
<blockquote>
|
||||
<para>Although most of our internal systems use one-to-one NAT, my
|
||||
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT)
|
||||
as do my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
|
||||
visitors with laptops.</para>
|
||||
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do
|
||||
my SuSE system (192.168.1.3), our laptop (192.168.3.8) and visitors
|
||||
with laptops.</para>
|
||||
|
||||
<para>The first entry allows access to the DSL modem and uses features
|
||||
introduced in Shorewall 2.1.1. The leading plus sign ("+_")
|
||||
causes the rule to be placed before rules generated by the
|
||||
/etc/shorewall/nat file below. The double colons ("::") causes
|
||||
the entry to be exempt from ADD_SNAT_ALIASES=Yes in my shorewall.conf
|
||||
file above.</para>
|
||||
introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
|
||||
rule to be placed before rules generated by the /etc/shorewall/nat
|
||||
file below. The double colons ("::") causes the entry to be exempt
|
||||
from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>
|
||||
|
||||
<programlisting>#INTERFACE SUBNET ADDRESS
|
||||
+eth0::192.168.1.1 0.0.0.0/0 192.168.1.254
|
||||
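Review bot: `The leading plus sign ("+_")` has a stray underscore; the entry below shows the real syntax, `+eth0::192.168.1.1`, so write ("+"). While the paragraph is being reflowed it would also help to say in words what the entry does (traffic leaving eth0 for the modem at 192.168.1.1 is SNATed to 192.168.1.254, for any source), since readers are told only that it "allows access to the DSL modem" and have to reverse-engineer the INTERFACE/SUBNET/ADDRESS columns to see how.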
@ -344,7 +348,8 @@ eth0:2 eth2 206.124.146.179
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params)</title>
|
||||
<title>Tunnels File (Shell variable TEXAS set in
|
||||
/etc/shorewall/params)</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
||||
@ -369,7 +374,8 @@ Mirrors #Accept traffic from the Shorewall Mirror sites
|
||||
<blockquote>
|
||||
<para>The $MIRRORS variable expands to a list of approximately 10 IP
|
||||
addresses. So moving these checks into a separate chain reduces the
|
||||
number of rules that most net->dmz traffic needs to traverse.</para>
|
||||
number of rules that most net->dmz traffic needs to
|
||||
traverse.</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
@ -416,14 +422,15 @@ RejectSMB
|
||||
DropUPnP
|
||||
dropNotSyn
|
||||
DropDNSrep
|
||||
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
|
||||
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
|
||||
#with NTP requests with a source address in 16.0.0.0/8 (address of
|
||||
#its PPTP tunnel to HP).</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Rules File (The shell variables are set in /etc/shorewall/params)</title>
|
||||
<title>Rules File (The shell variables are set in
|
||||
/etc/shorewall/params)</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>###############################################################################################################################################################################
|
||||
@ -477,7 +484,7 @@ Mirrors net dmz tcp rsync
|
||||
#
|
||||
# Net to Local
|
||||
#
|
||||
# When I'm "on the road", the following two rules allow me VPN access back home.
|
||||
# When I'm "on the road", the following two rules allow me VPN access back home.
|
||||
#
|
||||
DNAT net loc:192.168.1.4 tcp 1723 -
|
||||
DNAT net:!4.3.113.178 loc:192.168.1.4 gre -
|
||||
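Review bot: the two VPN rules are asymmetric: `DNAT net loc:192.168.1.4 tcp 1723 -` accepts PPTP control connections from any net source, while `DNAT net:!4.3.113.178 loc:192.168.1.4 gre -` excludes one address for GRE. If the exclusion is deliberate (for example a host whose GRE is handled by another rule) the comment above them should say so; as it stands it reads like a leftover from debugging. Since this page is offered as a reference configuration, a sentence noting that the PPTP server on 192.168.1.4 is reachable from the whole net zone and relies entirely on its own authentication would be fair warning to anyone copying the rules.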
@ -510,12 +517,12 @@ ACCEPT dmz net:$POPSERVERS tcp pop3
|
||||
#ACCEPT dmz net:66.216.26.115 tcp pop3
|
||||
#
|
||||
# Something is wrong with the FTP connection tracking code or there is some client out there
|
||||
# that is sending a PORT command which that code doesn't understand. Either way,
|
||||
# that is sending a PORT command which that code doesn't understand. Either way,
|
||||
# the following works around the problem.
|
||||
#
|
||||
ACCEPT:$LOG dmz net tcp 1024: 20
|
||||
###############################################################################################################################################################################
|
||||
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
|
||||
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
|
||||
#
|
||||
ACCEPT dmz fw udp ntp ntp
|
||||
ACCEPT dmz fw tcp 161,ssh
|
||||
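Review bot: the workaround `ACCEPT:$LOG dmz net tcp 1024: 20` accepts any dmz→net connection with source port 20 to any destination port above 1023, and a source port is chosen by the sender: a root process on the DMZ host (port 20 is privileged) that binds port 20 gets unrestricted outbound TCP, which defeats the point of a restricted DMZ. If the FTP helper really mishandles some clients' PORT commands, narrow the SOURCE to the FTP server's address, keep the logging so the bypass stays visible, and say in the comment that it is a deliberate hole. Separately, `ACCEPT dmz fw tcp 161,ssh` is labelled "ntp & snmp" but SNMP polling normally uses udp 161; confirm tcp is intended rather than a typo.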
@ -568,7 +575,8 @@ ACCEPT tx loc:192.168.1.5 all
|
||||
displayed in <emphasis role="bold">bold type</emphasis>) add a route
|
||||
to my DSL modem when eth0 is brought up and a route to my DMZ server
|
||||
when eth1 is brought up. It allows me to enter <quote>Yes</quote> in
|
||||
the HAVEROUTE column of <link linkend="ProxyARP">my Proxy ARP file</link>.</para>
|
||||
the HAVEROUTE column of <link linkend="ProxyARP">my Proxy ARP
|
||||
file</link>.</para>
|
||||
|
||||
<programlisting>...
|
||||
auto auto eth0
|
||||
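Review bot: `auto auto eth0` in the interfaces listing looks like a doubled word (the Debian syntax is `auto eth0`); if the first "auto" is an artifact of the bold markup the paragraph says is used for the highlighted lines, then the markup rather than the text needs fixing, but either way the listing should not show it twice.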
@ -594,13 +602,13 @@ iface eth1 inet static
|
||||
<section>
|
||||
<title>Bridge (Wookie) Configuration</title>
|
||||
|
||||
<para>As mentioned above, Wookie acts as a bridge. It's view of the
|
||||
<para>As mentioned above, Wookie acts as a bridge. It's view of the
|
||||
network is diagrammed in the following figure.</para>
|
||||
|
||||
<graphic fileref="images/network1.png" />
|
||||
|
||||
<para>I've included the files that I used to configure that system --
|
||||
some of them are SuSE-specific.</para>
|
||||
<para>I've included the files that I used to configure that system -- some
|
||||
of them are SuSE-specific.</para>
|
||||
|
||||
<para>The configuration on Wookie can be modified to test various bridging
|
||||
features -- otherwise, it serves to isolate the Wireless network from the
|
||||
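Review bot: "It's view of the network" is a possessive and should be "Its view"; the line is reflowed in this hunk anyway, so fix it here.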
@ -681,10 +689,9 @@ WiFi br0:eth2 maclist
|
||||
my bridge/firewall. Squid listens on port 3128.</para>
|
||||
|
||||
<para>The remaining rules protect the local systems and bridge from
|
||||
the WiFi network. Note that we don't restrict WiFi→net traffic
|
||||
since the only directly-accessible system in the net zone is the
|
||||
firewall (Wookie and the Firewall are connected by a cross-over
|
||||
cable).</para>
|
||||
the WiFi network. Note that we don't restrict WiFi→net traffic since
|
||||
the only directly-accessible system in the net zone is the firewall
|
||||
(Wookie and the Firewall are connected by a cross-over cable).</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT PORT(S) DEST
|
||||
@ -758,7 +765,7 @@ br0:eth2 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
|
||||
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
|
||||
|
||||
do_stop() {
|
||||
echo "Stopping Bridge"
|
||||
echo "Stopping Bridge"
|
||||
brctl delbr br0
|
||||
ip link set eth0 down
|
||||
ip link set eth1 down
|
||||
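Review bot: in do_stop, `brctl delbr br0` is issued while br0 is still up; the kernel refuses to delete a bridge whose interface is up (brctl reports "bridge br0 is still up; can't delete it"), so the stop path should bring the bridge down first (`ip link set br0 down`) and ideally `brctl delif` the member ports before `brctl delbr br0`. The reflow that touched the echo line is a good moment to fix the order, otherwise "stop" leaves the bridge in place and only takes the physical links down.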
@ -767,7 +774,7 @@ do_stop() {
|
||||
|
||||
do_start() {
|
||||
|
||||
echo "Starting Bridge"
|
||||
echo "Starting Bridge"
|
||||
ip link set eth0 up
|
||||
ip link set eth1 up
|
||||
ip link set eth2 up
|
||||
@ -777,7 +784,7 @@ do_start() {
|
||||
brctl addif br0 eth2
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
case "$1" in
|
||||
start)
|
||||
do_start
|
||||
;;
|
||||
@ -790,7 +797,7 @@ case "$1" in
|
||||
do_start
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $0 {start|stop|restart}"
|
||||
echo "Usage: $0 {start|stop|restart}"
|
||||
exit 1
|
||||
esac
|
||||
exit 0</programlisting>
|
||||
@ -803,16 +810,16 @@ exit 0</programlisting>
|
||||
<blockquote>
|
||||
<para>This file is SuSE-specific</para>
|
||||
|
||||
<programlisting>BOOTPROTO='static'
|
||||
BROADCAST='192.168.1.255'
|
||||
IPADDR='192.168.1.3'
|
||||
NETWORK='192.168.1.0'
|
||||
NETMASK='255.255.255.0'
|
||||
REMOTE_IPADDR=''
|
||||
STARTMODE='onboot'
|
||||
UNIQUE='3hqH.MjuOqWfSZ+C'
|
||||
WIRELESS='no'
|
||||
MTU=''</programlisting>
|
||||
<programlisting>BOOTPROTO='static'
|
||||
BROADCAST='192.168.1.255'
|
||||
IPADDR='192.168.1.3'
|
||||
NETWORK='192.168.1.0'
|
||||
NETMASK='255.255.255.0'
|
||||
REMOTE_IPADDR=''
|
||||
STARTMODE='onboot'
|
||||
UNIQUE='3hqH.MjuOqWfSZ+C'
|
||||
WIRELESS='no'
|
||||
MTU=''</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
|
@ -13,7 +13,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-05-28</pubdate>
|
||||
<pubdate>2004-07-31</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2002</year>
|
||||
@ -54,7 +54,7 @@
|
||||
zone:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION
|
||||
AllowDNS dmz net</programlisting>
|
||||
AllowDNS dmz net</programlisting>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
@ -107,7 +107,7 @@ ACCEPT dmz net tcp 53</programlisting>
|
||||
<note>
|
||||
<para>Recursive Resolution means that if the server itself can't
|
||||
resolve the name presented to it, the server will attempt to resolve the
|
||||
name with the help of other servers. </para>
|
||||
name with the help of other servers.</para>
|
||||
</note>
|
||||
</section>
|
||||
|
||||
@ -303,6 +303,17 @@ ACCEPT <emphasis><source></emphasis> <emphasis><destination>
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 443 #Secure HTTP</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>X/XDMCP</title>
|
||||
|
||||
<para>Assume that the Choser and/or X Server are running at <<emphasis>chooser</emphasis>>
|
||||
and the Display Manager/X applications are running at <<emphasis>apps</emphasis>>.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT <<emphasis>chooser</emphasis>> <<emphasis>apps</emphasis>> udp 177 #XDMCP
|
||||
ACCEPT <<emphasis>apps</emphasis>> <<emphasis>chooser</emphasis>> tcp 6000:6009 #X Displays 0-9</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Other Source of Port Information</title>
|
||||
|
||||
|
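Review bot: "Choser" in the new X/XDMCP section should be "Chooser", and the section should state the trust assumption the rules encode: `tcp 6000:6009` opens the X server on <chooser> to <apps> for displays 0-9, and X over TCP carries keystrokes and window contents in clear with only xhost/xauth access control, so the <chooser> and <apps> placeholders should be specific hosts rather than whole zones, and readers on untrusted networks should be pointed at ssh -X forwarding instead. The direction of the two rules is right: XDMCP queries go udp 177 from the chooser/X server to the display manager, and the display manager's X clients connect back over tcp 6000+n.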
@ -13,7 +13,7 @@
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
|
||||
<pubdate>2004-03-28</pubdate>
|
||||
<pubdate>2004-07-31</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003</year>
|
||||
@ -36,6 +36,18 @@
|
||||
<section>
|
||||
<title>What Users are saying...</title>
|
||||
|
||||
<blockquote>
|
||||
<attribution>AS, Poland</attribution>
|
||||
|
||||
<para><emphasis>I want to say that Shorewall documentation is the best
|
||||
I've ever found on the net. It's helped me a lot in
|
||||
understanding how network is working. It is the best of breed. It
|
||||
contains not only Shorewall specific topics with the assumption that all
|
||||
the rest is well known, but also gives some very useful background
|
||||
information. Thank you very much for this wonderful piece of work.
|
||||
</emphasis></para>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<attribution>ES, Phoenix AZ, USA</attribution>
|
||||
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-07-22</pubdate>
|
||||
<pubdate>2004-07-31</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -232,7 +232,7 @@
|
||||
|
||||
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT:BURST
|
||||
# LEVEL
|
||||
fw net ACCEPT
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting>
|
||||
|
||||
@ -2170,12 +2170,14 @@ localhost 86400 IN A 127.0.0.1
|
||||
firewall 86400 IN A 192.0.2.176
|
||||
www 86400 IN A 192.0.2.177
|
||||
ns1 86400 IN A 192.0.2.177
|
||||
www 86400 IN A 192.0.2.177
|
||||
mail 86400 IN A 192.0.2.178
|
||||
|
||||
gateway 86400 IN A 192.168.201.1
|
||||
winken 86400 IN A 192.168.201.2
|
||||
blinken 86400 IN A 192.168.201.3
|
||||
nod 86400 IN A 192.168.201.4</programlisting>
|
||||
gateway 86400 IN A 192.168.201.1
|
||||
winken 86400 IN A 192.168.201.2
|
||||
blinken 86400 IN A 192.168.201.3
|
||||
nod 86400 IN A 192.168.201.4
|
||||
|
||||
dmz 86400 IN A 192.168.202.1</programlisting>
|
||||
|
||||
<para><filename>ext/db.foobar </filename>- Forward zone for external
|
||||
clients.</para>
|
||||
|
File diff suppressed because it is too large
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-07-25</pubdate>
|
||||
<pubdate>2004-07-29</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -78,7 +78,7 @@
|
||||
<title>Problem Reporting Guidelines</title>
|
||||
|
||||
<note>
|
||||
<para>Shorewall versions earlier that 1.3.0 are no longer supported.</para>
|
||||
<para>Shorewall versions earlier that 1.4.0 are no longer supported.</para>
|
||||
</note>
|
||||
|
||||
<itemizedlist>
|
||||
|
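Review bot: the version bump keeps the typo in the note: "earlier that 1.4.0" should be "earlier than 1.4.0".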
@ -5,7 +5,7 @@
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title></title>
|
||||
<title>Operating Shorewall</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-MM-DD</pubdate>
|
||||
<pubdate>2004-07-31</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2004</year>
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-07-14</pubdate>
|
||||
<pubdate>2004-07-31</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002-2004</year>
|
||||
@ -169,12 +169,12 @@
|
||||
and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall even
|
||||
if you do not modify those files.</para></warning></para>
|
||||
|
||||
<para>After you have installed Shorewall, download the three-interface
|
||||
sample, un-tar it (<command>tar <option>-zxvf</option>
|
||||
<filename>three-interfaces.tgz</filename></command>) and and copy the
|
||||
files to <filename>/etc/shorewall</filename> (the files will replace files
|
||||
with the same names that were placed in <filename>/etc/shorewall</filename>
|
||||
when Shorewall was installed).</para>
|
||||
<para>After you have installed Shorewall, download the <ulink
|
||||
url="http://shorewall.net/pub/shorewall/Samples">three-interface sample</ulink>,
|
||||
un-tar it (<command>tar <option>-zxvf</option> <filename>three-interfaces.tgz</filename></command>)
|
||||
and and copy the files to <filename>/etc/shorewall</filename> (the files
|
||||
will replace files with the same names that were placed in
|
||||
<filename>/etc/shorewall</filename> when Shorewall was installed).</para>
|
||||
|
||||
<para>As each file is introduced, I suggest that you look through the
|
||||
actual file on your system -- each file contains detailed configuration
|
||||
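Review bot: "and and copy the files" is still doubled in the rewritten paragraph; fix to "and copy" while the sentence is being reworded. Adding the link to the Samples directory is the right move, since the old text told readers to download the sample without saying where.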
@ -372,13 +372,10 @@ fw net ACCEPT</programlisting>
|
||||
</tip>
|
||||
|
||||
<tip>
|
||||
<para>If you specify <emphasis>norfc1918</emphasis> for your external
|
||||
<para>If you specify <emphasis>nobogons</emphasis> for your external
|
||||
interface, you will want to check the <ulink url="errata.htm">Shorewall
|
||||
Errata</ulink> periodically for updates to the <filename>/usr/share/shorewall/rfc1918
|
||||
file</filename>. Alternatively, you can copy <filename>/usr/share/shorewall/rfc1918</filename>
|
||||
to <filename>/etc/shorewall/rfc1918</filename> then <ulink
|
||||
url="myfiles.htm#RFC1918">strip down your <filename>/etc/shorewall/rfc1918</filename>
|
||||
file as I do</ulink>.</para>
|
||||
Errata</ulink> periodically for updates to the <filename>/usr/share/shorewall/bogons
|
||||
file</filename>.</para>
|
||||
</tip>
|
||||
</section>
|
||||
|
||||
|
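Review bot: the norfc1918 → nobogons rewrite drops the sentence that told readers they can copy /usr/share/shorewall/rfc1918 to /etc/shorewall and trim it. If /etc/shorewall/bogons overrides /usr/share/shorewall/bogons the same way, keep that alternative: a stale bogons list blocks newly allocated address space (it fails closed), and a local copy is how an administrator controls when that list changes. Either way the tip should say in one sentence what nobogons drops, so the trade-off between blocking spoofed sources and blocking legitimate new allocations is visible.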
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-07-14</pubdate>
|
||||
<pubdate>2004-08-05</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -29,7 +29,8 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
@ -40,8 +41,8 @@
|
||||
management itself but it does contain some facilities to intergrate with
|
||||
traffic shaping/control solutions. In order to use traffic shaping with
|
||||
Shorewall, it is essential that you get a copy of the <ulink
|
||||
url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</ulink>,
|
||||
version 0.3.0 or later or <ulink
|
||||
url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping
|
||||
HOWTO</ulink>, version 0.3.0 or later or <ulink
|
||||
url="http://www.tldp.org/HOWTO/Traffic-Control-HOWTO/">The Traffic Control
|
||||
HOWTO</ulink>. It is also necessary to be running Linux Kernel 2.4.18 or
|
||||
later. Shorewall traffic shaping support consists of the following:</para>
|
||||
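Review bot: the reflowed paragraph keeps "intergrate" (should be "integrate"). The two HOWTO references now form one long sentence with "or" twice; splitting it ("... version 0.3.0 or later, or the Traffic Control HOWTO.") reads better and makes clear that either document is sufficient.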
@ -63,14 +64,15 @@
|
||||
<listitem>
|
||||
<para><emphasis role="bold">/etc/shorewall/tcrules</emphasis> - A file
|
||||
where you can specify firewall marking of packets. The firewall mark
|
||||
value may be used to classify packets for traffic shaping/control.</para>
|
||||
value may be used to classify packets for traffic
|
||||
shaping/control.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">/etc/shorewall/tcstart </emphasis>- A
|
||||
user-supplied file that is sourced by Shorewall during <quote>shorewall
|
||||
start</quote> and which you can use to define your traffic shaping
|
||||
disciplines and classes. I have provided a <ulink
|
||||
user-supplied file that is sourced by Shorewall during
|
||||
<quote>shorewall start</quote> and which you can use to define your
|
||||
traffic shaping disciplines and classes. I have provided a <ulink
|
||||
url="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</ulink> that
|
||||
does table-driven CBQ shaping but if you read the traffic shaping
|
||||
sections of the HOWTO mentioned above, you can probably code your own
|
||||
@ -93,17 +95,18 @@
|
||||
README). <emphasis role="bold">WARNING</emphasis>: If you use use
|
||||
Masquerading or SNAT (i.e., you only have one external IP address)
|
||||
then listing internal hosts in the NOPRIOHOSTSRC variable in the
|
||||
wshaper[.htb] script won't work. Traffic shaping occurs after SNAT
|
||||
has already been applied so when traffic shaping happens, all outbound
|
||||
wshaper[.htb] script won't work. Traffic shaping occurs after SNAT has
|
||||
already been applied so when traffic shaping happens, all outbound
|
||||
traffic will have as a source address the IP addresss of your
|
||||
firewall's external interface.</para>
|
||||
firewall's external interface.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">/etc/shorewall/tcclear</emphasis> - A
|
||||
user-supplied file that is sourced by Shorewall when it is clearing
|
||||
traffic shaping. This file is normally not required as Shorewall's
|
||||
method of clearing qdisc and filter definitions is pretty general.</para>
|
||||
traffic shaping. This file is normally not required as Shorewall's
|
||||
method of clearing qdisc and filter definitions is pretty
|
||||
general.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
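Review bot: two typos sit on lines this reflow touches or abuts: "If you use use Masquerading" and "the IP addresss of your firewall's external interface"; fix both. The WARNING itself is correct and worth keeping prominent: SNAT is applied in POSTROUTING before the egress qdisc sees the packet, so a classifier keyed on internal source addresses cannot work there, and the fix is to mark packets earlier via the tcrules file this page describes and classify on the mark.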
@ -161,7 +164,7 @@
|
||||
<section>
|
||||
<title>Kernel Configuration</title>
|
||||
|
||||
<para>This screen shot show how I've configured QoS in my Kernel:<graphic
|
||||
<para>This screen shot show how I've configured QoS in my Kernel:<graphic
|
||||
align="center" fileref="images/QoS.png" /></para>
|
||||
</section>
|
||||
|
||||
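Review bot: "This screen shot show how" should be "This screen shot shows how"; both the old and the new line carry the error.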
@ -233,7 +236,8 @@
|
||||
generating the output is running under the effective user and/or
|
||||
group. It may contain :</para>
|
||||
|
||||
<para>[<user name or number>]:[<group name or number>]</para>
|
||||
<para>[<user name or number>]:[<group name or
|
||||
number>]</para>
|
||||
|
||||
<para>The colon is optionnal when specifying only a user.</para>
|
||||
|
||||
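Review bot: "optionnal" on the line immediately after the reflowed span should be "optional". The notation "[<user name or number>]:[<group name or number>]" brackets both halves as optional; state whether at least one of them is required, because the reader otherwise cannot tell if an entry with neither is accepted or rejected.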
@ -303,7 +307,8 @@ run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit
|
||||
run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1
|
||||
echo <quote> Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit</quote>
|
||||
|
||||
run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10
|
||||
run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5
|
||||
run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10
|
||||
run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5
|
||||
echo <quote> Enabled PFIFO on Second Level Classes</quote>
|
||||
|
||||
|