Updates for Shorewall-2.0.0-Beta2 and aftermath

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1148 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-02-15 17:29:58 +00:00
parent a44e4a46f8
commit cff939d94e
7 changed files with 77 additions and 88 deletions

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-02-03</pubdate>
<pubdate>2004-02-15</pubdate>
<copyright>
<year>2001-2004</year>
@ -292,8 +292,10 @@
action.template</ulink></term>
<listitem>
<para>files in /etc/shorewall that allow you to define your own
actions for rules in <link linkend="Rules">/etc/shorewall/rules</link>.</para>
<para>files in <filename class="directory">/etc/shorewall</filename>
and <filename class="directory">/usr/share/shorewall</filename>
respectively that allow you to define your own actions for rules in
<filename><link linkend="Rules">/etc/shorewall/rules</link></filename>.</para>
</listitem>
</varlistentry>
@ -301,7 +303,7 @@
<term>actions.std and action.*</term>
<listitem>
<para>files in <filename class="directory">/etc/shorewall</filename>
<para>files in <filename class="directory">/usr/share/shorewall</filename>
that define the actions included as a standard part of Shorewall.</para>
</listitem>
</varlistentry>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-02-04</pubdate>
<pubdate>2004-02-15</pubdate>
<copyright>
<year>2001-2004</year>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-02-04</pubdate>
<pubdate>2004-02-15</pubdate>
<copyright>
<year>2001-2004</year>
@ -238,37 +238,24 @@ ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
<example>
<title>Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You want to simply route all requests
between the two subnetworks.</title>
eth1:0 is 192.168.20.254. You simply want your firewall to route
between these two subnetworks.</title>
<variablelist>
<varlistentry>
<term>If you are running Shorewall 1.4.1 or Later</term>
<para>This example applies to Shorewall 1.4.2 and later.</para>
<listitem>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<para>In <filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
- eth1 192.168.1.255,192.168.20.255</programlisting>
<programlisting>#ZONE DISPLAY DESCRIPTION
loc Local Local Zone
</programlisting>
<para>In /etc<filename>/shorewall/hosts</filename>:</para>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<note>
<para>You do NOT need any entry in /etc/shorewall/policy as
Shorewall 1.4.1 and later releases default to allowing
intra-zone traffic.</para>
</note>
</listitem>
</varlistentry>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
log eth1 192.168.1.255,192.168.20.255 <emphasis role="bold">routeback</emphasis> </programlisting>
<varlistentry>
<term>If you are running Shorewall 1.4.0 or earlier</term>
<listitem>
<para>See the Shorewall 1.4 documentation.</para>
</listitem>
</varlistentry>
</variablelist>
<para>In <filename>/etc/shorewall/rules</filename>, simply specify
ACCEPT rules for the traffic that you want to permit.</para>
</example>
<example>
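Review bot: the zone name in the new interfaces entry `log eth1 192.168.1.255,192.168.20.255 routeback` does not match the zone `loc` defined in the new zones listing just above it; unless `log` is intended, it should read `loc eth1 192.168.1.255,192.168.20.255 routeback`. Separately, the removed note said that Shorewall 1.4.1 and later allow intra-zone traffic by default, while the new closing paragraph tells the reader to add ACCEPT rules in /etc/shorewall/rules; since both subnets are in the single zone `loc`, one sentence saying whether rules are actually required here (or that the default intra-zone ACCEPT applies unless a policy overrides it) would avoid contradicting the earlier wording.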
@ -278,20 +265,18 @@ ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
separate zones and control the access between them (the users of the
systems do not have administrative privileges).</title>
<para>This example applies to Shorewall 1.4.2 and later.</para>
<para>In <filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE DISPLAY DESCRIPTION
loc Local Local Zone 1
loc2 Local2 Local Zone 2</programlisting>
<para>In <filename>/etc/shorewall/interfaces</filename>:<note
id="multiple_subnets-ex2-n1"><para>If you are running Shorewall 1.3.10
or earlier then you must specify the <emphasis role="bold">multi</emphasis>
option.</para></note></para>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
- eth1 192.168.1.255,192.168.20.255 <xref
linkend="multiple_subnets-ex2-n1" /></programlisting>
- eth1 192.168.1.255,192.168.20.255 </programlisting>
<para>In <filename>/etc/shorewall/hosts</filename>:</para>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-02-08</pubdate>
<pubdate>2004-02-14</pubdate>
<copyright>
<year>2003-2004</year>
@ -65,9 +65,9 @@
<listitem>
<para>Once you have defined your new action name (ActionName), then copy
/etc/shorewall/action.template to <filename>/etc/shorewall/action.ActionName</filename>
/usr/share/shorewall/action.template to <filename>/etc/shorewall/action.ActionName</filename>
(for example, if your new action name is <quote>Foo</quote> then copy
<filename>/etc/shorewall/action.template</filename> to
<filename>/usr/share/shorewall/action.template</filename> to
<filename>/etc/shorewall/action.Foo</filename>).</para>
</listitem>
@ -227,12 +227,23 @@
ACCEPT</programlisting></para>
<para>Beginning with Shorewall 2.0.0-Beta1, Shorewall includes a number of
defined actions. These defined actions are listed in <filename>/etc/shorewall/actions.std</filename>.
To ensure that all of these actions are included in the configuration, the
<filename>/etc/shorewall/actions</filename> file released with Shorewall
contains <quote><command>INCLUDE /etc/shorewall/actions.std</command></quote>.</para>
defined actions. These defined actions are listed in <filename>/usr/share/shorewall/actions.std</filename>.</para>
<para>The <filename>/etc/shorewall/actions.std</filename> file includes the
common actions <quote>Drop</quote> for DROP policies and <quote>Reject</quote>
for REJECT policies.</para>
<para>The <filename>/usr/share/shorewall/actions.std</filename> file
includes the common actions <quote>Drop</quote> for DROP policies and
<quote>Reject</quote> for REJECT policies.</para>
<para><filename>/usr/share/shorewall/actions.std</filename> is processed
before <filename>/etc/shorewall/actions</filename> and if you have any
actions defined with the same name as one in <filename>/usr/share/shorewall/actions.std</filename>,
your version in <filename class="directory">/etc/shorewall</filename> will
be the one used. So if you wish to modify a standard action, simply copy the
associated action file from <filename class="directory">/usr/share/shorewall
</filename>to <filename class="directory">/etc/shorewall and modify</filename>
it to suit your needs. The next <command>shorewall restart</command> will
cause your action to be installed in place of the standard one. In
particular, if you want to modify the common actions <quote>Drop</quote> or
<quote>Reject</quote>, simply copy <filename>action.Drop</filename> or
<filename>Action.Reject</filename> to <filename class="directory">/etc/shorewall</filename>
and modify that copy as desired.</para>
</article>
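Review bot: the `<filename class="directory">` element on the line `</filename>to <filename class="directory">/etc/shorewall and modify</filename>` wraps the words "and modify" inside the filename and lacks a space after the preceding `</filename>`; it should read `</filename> to <filename class="directory">/etc/shorewall</filename> and modify`. Two lines later, `<filename>Action.Reject</filename>` is capitalized unlike `action.Drop` and the `action.*` naming used elsewhere in this patch; presumably `action.Reject`.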

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-02-03</pubdate>
<pubdate>2004-02-15</pubdate>
<copyright>
<year>2001-2004</year>
@ -78,8 +78,9 @@
- disable Explicit Congestion Notification (ECN - RFC 3168) to remote
hosts or networks.</para></listitem><listitem><para><filename>/etc/shorewall/accounting</filename>
- define IP traffic accounting rules</para></listitem><listitem><para><filename>/etc/shorewall/actions</filename>
and <filename>/etc/shorewall/action.template</filename> - define your own
actions for rules in /etc/shorewall/rules (shorewall 1.4.9 and later).</para></listitem><listitem><para><filename>/etc/shorewall/actions.std</filename>
and <filename>/usr/share/shorewall/action.template</filename> - define
your own actions for rules in /etc/shorewall/rules (shorewall 1.4.9 and
later).</para></listitem><listitem><para><filename>/etc/shorewall/actions.std</filename>
- Actions defined by Shorewall. Included using the <link linkend="INCLUDE">INCLUDE
command</link> by <filename>/etc/shorewall/actions</filename>.</para></listitem><listitem><para><filename>/etc/shorewall/actions.*</filename>
- Details of actions defined by Shorewall.</para></listitem></itemizedlist></para>
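Review bot: the unchanged context lines in this hunk still describe `/etc/shorewall/actions.std` as "Included using the INCLUDE command by /etc/shorewall/actions" and list `/etc/shorewall/actions.*` for the per-action files, while the other files in this commit move actions.std to `/usr/share/shorewall/actions.std` (processed automatically before /etc/shorewall/actions) and name the action files `action.*`. Those two list items should be updated in the same change so the configuration-file overview does not point at a location this commit removes.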

View File

@ -47,7 +47,7 @@
<caution>
<para>The configuration shown here corresponds to Shorewall version
2.0.0-Beta1. It may use features not available in earlier Shorewall
2.0.0-Beta2. It may use features not available in earlier Shorewall
releases.</para>
</caution>
@ -347,18 +347,7 @@ gre net $TEXAS
<blockquote>
<programlisting>#ACTION
DropSMB #Silently Drops Microsoft SMB Traffic
RejectSMB #Silently Reject Microsoft SMB Traffic
DropUPnP #Silently Drop UPnP Probes
RejectAuth #Silently Reject Auth
DropPing #Silently Drop Ping
DropDNSrep #Silently Drop DNS Replies
AllowPing #Accept Ping
Mirrors #Accept traffic from the Shorewall Mirror sites
MyDrop:DROP #My DROP common action
MyReject:REJECT #My REJECT common action
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -379,11 +368,11 @@ ACCEPT $MIRRORS
</section>
<section>
<title>action.MyDrop</title>
<title>/etc/shorewall/action.Drop</title>
<blockquote>
<para>This is my common action for the DROP policy. It is like the
standard <emphasis role="bold">Reject</emphasis> action except that it
standard <emphasis role="bold">Drop</emphasis> action except that it
allows <quote>Ping</quote>.</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
@ -399,12 +388,13 @@ DropDNSrep</programlisting>
</section>
<section>
<title>action.MyReject</title>
<title>/etc/shorewall/action.Reject</title>
<blockquote>
<para>This is my common action for the REJECT policy. It is like the
standard <emphasis role="bold">Drop</emphasis> action except that it
allows <quote>Ping</quote>.</para>
standard <emphasis role="bold">Reject</emphasis> action except that it
allows <quote>Ping</quote> and contains one rule that guards against
log flooding by broken software running in my local zone.</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP

View File

@ -65,7 +65,7 @@
<itemizedlist>
<listitem>
<para> The &#39;dropunclean&#39; and &#39;logunclean&#39; interface
<para>The &#39;dropunclean&#39; and &#39;logunclean&#39; interface
options are no longer supported. If either option is specified in
<filename>/etc/shorewall/interfaces</filename>, a threatening message
will be generated.</para>
@ -73,27 +73,30 @@
<listitem>
<para>The NAT_BEFORE_RULES option has been removed from
<filename>shorewall.conf</filename>. The behavior of Shorewall 2 is as
if NAT_BEFORE_RULES=No had been specified. In other words, DNAT rules
now always take precidence over one-to-one NAT specifications.</para>
<filename>shorewall.conf</filename>. The behavior of Shorewall 2.0 is
as if NAT_BEFORE_RULES=No had been specified. In other words, DNAT
rules now always take precidence over one-to-one NAT specifications.</para>
</listitem>
<listitem>
<para>The default value for the ALL INTERFACES column in
/etc/shorewall/nat has changed. In Shorewall 1, if the column was left
empty, a value of &#34;Yes&#34; was assumed. This has been changed so
that a value of &#34;No&#34; is now assumed.</para>
<filename>/etc/shorewall/nat</filename> has changed. In Shorewall 1.*,
if the column was left empty, a value of &#34;Yes&#34; was assumed.
This has been changed so that a value of &#34;No&#34; is now assumed.</para>
</listitem>
<listitem>
<para> The following files don&#39;t exist in Shorewall 2: </para>
<para>The following files don&#39;t exist in Shorewall 2.0:</para>
<simplelist>
<member><filename>/etc/shorewall2/common.def</filename></member>
<member><filename>/etc/shorewall/common.def</filename></member>
<member><filename>/etc/shorewall2/common</filename></member>
<member><filename>/etc/shorewall/common</filename></member>
<member><filename>/etc/shorewall2/icmpdef</filename></member>
<member><filename>/etc/shorewall/icmpdef</filename></member>
<member><filename>/etc/shorewall/action.template</filename> (moved
to <filename>/usr/share/shorewall/action.template</filename>)</member>
</simplelist>
<para>The <filename>/etc/shorewall/action</filename> file now allows
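Review bot: "precidence" on the reworded line `rules now always take precidence over one-to-one NAT specifications.</para>` is a typo carried over from the old text; since the paragraph is being rewritten anyway, change it to "precedence".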
@ -101,9 +104,9 @@
particular policy type by following the action name with &#34;:&#34;
and the policy (DROP, REJECT or ACCEPT).</para>
<para>The file /etc/shorewall/actions.std has been added to define
those actions that are released as part of Shorewall 2. In that file
are two actions as follows:</para>
<para>The file /usr/share/shorewall/actions.std has been added to
define those actions that are released as part of Shorewall 2.0 In
that file are two actions as follows:</para>
<simplelist>
<member>Drop:DROP</member>
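Review bot: the reflowed line `define those actions that are released as part of Shorewall 2.0 In` is missing the full stop after "2.0"; the previous text had "Shorewall 2. In".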
@ -119,15 +122,12 @@
that &#34;Reject&#34; REJECTs SMB traffic while &#34;Drop&#34;
silently drops such traffic.</para>
<para>As described above, Shorewall2 allows a common action for ACCEPT
<para>As described above, Shorewall allows a common action for ACCEPT
policies but does not specify such an action in the default
configuration.</para>
<para><emphasis role="bold">If you have an existing
/etc/shorewall/actions file then you MUST add &#34;INCLUDE
/etc/shorewall/actions.std&#34; to that file or you must create your
own common actions for DROP and REJECT <ulink
url="myfiles.html#Actions">as I have done in my own setup.</ulink></emphasis></para>
<para>For more information see the <ulink
url="User_defined_Actions.html">User-defined Action Page</ulink>.</para>
</listitem>
<listitem>
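Review bot: dropping the bold instruction to add `INCLUDE /etc/shorewall/actions.std` is consistent with the rest of the commit (actions.std now lives in /usr/share/shorewall and, per the User_defined_Actions change, is processed before /etc/shorewall/actions), but this is the upgrade-issues page: a reader who followed the Beta1 advice now has an INCLUDE of a file that no longer exists under /etc/shorewall. A replacement sentence telling such users to remove that INCLUDE line from their /etc/shorewall/actions file would close the gap.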
@ -136,7 +136,7 @@
file. Similar functionality is now available using user-defined
actions.</para>
<para>Now, action files created by copying <filename>/etc/shorewall/action.template</filename>
<para>Now, action files created by copying <filename>/usr/share/shorewall/action.template</filename>
may now specify a USER and or GROUP name/id in the final column just
like in the rules file (see below). It is thus possible to create
actions that control traffic from a list of users and/or groups.</para>
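Review bot: the changed line `<para>Now, action files created by copying <filename>/usr/share/shorewall/action.template</filename>` is followed by the context line `may now specify a USER and or GROUP name/id`, so "now" appears twice in one sentence; drop the leading "Now," while touching this line, and "and or" reads better as "and/or".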