Documentation updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@548 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-05-15 19:39:23 +00:00
parent 6e7f5cbd4f
commit d282399aa7
32 changed files with 17316 additions and 16681 deletions

@ -24,6 +24,7 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall 1.4 Reference</font></h1> <h1 align="center"><font color="#ffffff">Shorewall 1.4 Reference</font></h1>
</td> </td>
</tr> </tr>
@ -103,8 +104,8 @@ the MAC address (and possibly also the IP address(es)) of devices.<br>
and configures your firewall. This file is installed and configures your firewall. This file is installed
in your init.d directory (/etc/rc.d/init.d ) where it in your init.d directory (/etc/rc.d/init.d ) where it
is renamed <i>shorewall.</i> /etc/shorewall/firewall (/var/lib/shorewall/firewall is renamed <i>shorewall.</i> /etc/shorewall/firewall (/var/lib/shorewall/firewall
in versions 1.3.2-1.3.8 and /usr/lib/shorewall/firewall in 1.3.9 in versions 1.3.2-1.3.8 and /usr/lib/shorewall/firewall in
and later) is a symbolic link to this program.</li> 1.3.9 and later) is a symbolic link to this program.</li>
<li><b> <a href="#NAT">nat</a></b> <li><b> <a href="#NAT">nat</a></b>
-- a parameter file in /etc/shorewall used to define <a -- a parameter file in /etc/shorewall used to define <a
href="#NAT"> static NAT</a> .</li> href="#NAT"> static NAT</a> .</li>
@ -231,8 +232,8 @@ these comments.</li>
<h2><font color="#660066"><a name="Interfaces"></a> </font>/etc/shorewall/interfaces</h2> <h2><font color="#660066"><a name="Interfaces"></a> </font>/etc/shorewall/interfaces</h2>
<p>This file is used to tell the firewall which of your firewall's network <p>This file is used to tell the firewall which of your firewall's network
interfaces are connected to which zone. There will be one interfaces are connected to which zone. There will be
entry in /etc/shorewall/interfaces for each of your interfaces. one entry in /etc/shorewall/interfaces for each of your interfaces.
Columns in an entry are:</p> Columns in an entry are:</p>
<ul> <ul>
@ -241,8 +242,8 @@ in the <a href="#Zones">/etc/shorewall/zones</a> file
or "-". If you specify "-", you must use the <a or "-". If you specify "-", you must use the <a
href="#Hosts"> /etc/shorewall/hosts</a> file to define href="#Hosts"> /etc/shorewall/hosts</a> file to define
the zones accessed via this interface.</li> the zones accessed via this interface.</li>
<li><b> INTERFACE</b> - the name of <li><b> INTERFACE</b> - the name
the interface (examples: eth0, ppp0, ipsec+). Each interface of the interface (examples: eth0, ppp0, ipsec+). Each interface
can be listed on only one record in this file. <font can be listed on only one record in this file. <font
color="#ff0000"><b>D</b><b>O NOT INCLUDE THE LOOPBACK INTERFACE color="#ff0000"><b>D</b><b>O NOT INCLUDE THE LOOPBACK INTERFACE
(lo) IN THIS FILE!!!</b></font></li> (lo) IN THIS FILE!!!</b></font></li>
@ -263,7 +264,13 @@ if you need to specify options for such an interface, enter
</ul> </ul>
</li> </li>
<li><b> OPTIONS</b> - a comma-separated <li><b> OPTIONS</b> - a comma-separated
list of options. Possible options include: list of options. Possible options include:<br>
<br>
<b>routeback </b>(Added in version 1.4.2) - This option causes Shorewall
to set up handling for routing packets that arrive on this interface back
out the same interface. If this option is specified, the ZONE column may not
contain "-".<br>
<p> <b>tcpflags </b>(added in version 1.3.11) - This option causes <p> <b>tcpflags </b>(added in version 1.3.11) - This option causes
Shorewall to make sanity checks on the header flags in TCP packets arriving Shorewall to make sanity checks on the header flags in TCP packets arriving
on this interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; on this interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH;
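Review bot: the new routeback paragraph ("<b>routeback </b>(Added in version 1.4.2) ...") is inserted as bare text ended with <br>, while the neighbouring options (tcpflags, dhcp, norfc1918) are each wrapped in their own <p>; wrap it in <p>...</p> the same way so the rendered spacing matches. It would also help readers to say what routing back out the same interface means for policy: the IntraZone Traffic section later in this file explains that since 1.4.1 traffic from a zone to itself is ACCEPTed unless an explicit policy or rules exist, so a cross-reference from this option to that section would make its effect on hosts sharing the interface clear.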
@ -280,14 +287,15 @@ according to the TCP_FLAGS_DISPOSITION option.<br>
an IP address via DHCP or is used by a DHCP server running an IP address via DHCP or is used by a DHCP server running
on the firewall. The firewall will be configured to allow on the firewall. The firewall will be configured to allow
DHCP traffic to and from the interface even when the firewall DHCP traffic to and from the interface even when the firewall
is stopped. You may also wish to use this option if you have a static is stopped. You may also wish to use this option if you have a
IP but you are on a LAN segment that has a lot of Laptops that static IP but you are on a LAN segment that has a lot of Laptops
use DHCP and you select the <b>norfc1918 </b>option (see below).</p> that use DHCP and you select the <b>norfc1918 </b>option (see
below).</p>
<p> <b>norfc1918</b> - Packets arriving on this interface and that <p> <b>norfc1918</b> - Packets arriving on this interface and that
have a source address that is reserved in RFC 1918 or in other have a source address that is reserved in RFC 1918 or in other
RFCs will be dropped after being optionally logged. If <a RFCs will be dropped after being optionally logged. If
href="#Conf">packet mangling is enabled in /etc/shorewall/shorewall.conf</a> <a href="#Conf">packet mangling is enabled in /etc/shorewall/shorewall.conf</a>
, then packets arriving on this interface that have a , then packets arriving on this interface that have a
destination address that is reserved by one of these RFCs will destination address that is reserved by one of these RFCs will
also be logged and dropped.<br> also be logged and dropped.<br>
@ -311,8 +319,8 @@ access to certain addresses from the above list, see <a
will reject any packets incoming on this interface that have will reject any packets incoming on this interface that have
a source address that would be routed outbound through another a source address that would be routed outbound through another
interface on the firewall. <font color="#ff0000">Warning: interface on the firewall. <font color="#ff0000">Warning:
</font>If you specify this option for an interface then the </font>If you specify this option for an interface then
interface must be up prior to starting the firewall.</p> the interface must be up prior to starting the firewall.</p>
<p> <b>dropunclean</b> - Packets from this interface that <p> <b>dropunclean</b> - Packets from this interface that
are selected by the 'unclean' match target in iptables will are selected by the 'unclean' match target in iptables will
@ -354,12 +362,12 @@ causes these connections to be dropped, <a
<p><b>proxyarp </b>(Added in version 1.3.5) - This option causes <p><b>proxyarp </b>(Added in version 1.3.5) - This option causes
Shorewall to set /proc/sys/net/ipv4/conf/<i>&lt;interface&gt;</i>/proxy_arp Shorewall to set /proc/sys/net/ipv4/conf/<i>&lt;interface&gt;</i>/proxy_arp
and is used when implementing Proxy ARP and is used when implementing Proxy
Sub-netting as described at ARP Sub-netting as described at
<a href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/"> <a href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">
http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>. Do <u> http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>. Do
not</u> set this option if you are implementing Proxy <u> not</u> set this option if you are implementing
ARP through entries in <a href="#ProxyArp"> Proxy ARP through entries in <a href="#ProxyArp">
/etc/shorewall/proxyarp</a>.<br> /etc/shorewall/proxyarp</a>.<br>
<br> <br>
<b>maclist</b> (Added in version 1.3.10) <b>maclist</b> (Added in version 1.3.10)
@ -379,8 +387,8 @@ Shorewall to set /proc/sys/net/ipv4/conf/<i>&lt;interface&gt;</i>/proxy_arp
</li> </li>
<li>Don't use <b>dropunclean</b> -- It's broken <li>Don't use <b>dropunclean</b> -- It's broken
in my opinion</li> in my opinion</li>
<li>Use <b>logunclean</b> only when you are trying <li>Use <b>logunclean</b> only when you are
to debug a problem</li> trying to debug a problem</li>
<li>Use <b>dhcp </b>and <b>proxyarp</b> when <li>Use <b>dhcp </b>and <b>proxyarp</b> when
needed.<br> needed.<br>
</li> </li>
@ -493,7 +501,8 @@ those subnetworks.</b><br>
</li> </li>
</ol> </ol>
<b>IF YOU DON'T HAVE EITHER OF THOSE SITUATIONS THEN DON'T TOUCH THIS FILE!!</b> <b>IF YOU DON'T HAVE EITHER OF THOSE SITUATIONS THEN DON'T TOUCH THIS
FILE!!</b>
<p>Columns in this file are:</p> <p>Columns in this file are:</p>
<ul> <ul>
@ -524,16 +533,20 @@ notation<i> </i>(example - eth2:192.168.2.0/
</ul> </ul>
<blockquote> <blockquote>
<p><b>maclist - </b>Added in version 1.3.10. If specified, connection <p><b>routeback </b>(Added in version 1.4.2) - This option causes Shorewall
requests from the hosts specified in this entry are subject to set up handling for routing packets sent by this host group back back
to <a href="MAC_Validation.html">MAC Verification</a>. This option is to the same group.<b><br>
only valid for ethernet interfaces.<br> <br>
maclist - </b>Added in version 1.3.10. If specified, connection
requests from the hosts specified in this entry are subject to
<a href="MAC_Validation.html">MAC Verification</a>. This option is only
valid for ethernet interfaces.<br>
</p> </p>
</blockquote> </blockquote>
<p>If you don't define any hosts for a zone, the hosts in the zone default <p>If you don't define any hosts for a zone, the hosts in the zone default
to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ...
the interfaces to the zone.</p> are the interfaces to the zone.</p>
<p><b><font size="4" color="#ff0000">Note: </font></b> You probably DON'T <p><b><font size="4" color="#ff0000">Note: </font></b> You probably DON'T
want to specify any hosts for your internet zone since the hosts that want to specify any hosts for your internet zone since the hosts that
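Review bot: doubled word in the new hosts-file routeback text, "sent by this host group back back to the same group". The wording also differs from the interfaces-file version added in the same commit ("routing packets that arrive on this interface back out the same interface"); describing both the same way keeps the two entries consistent. Markup: the <b> opened after "to the same group." now encloses two <br> tags before the "maclist - " label; move it to directly before "maclist" so the bold covers only the label, as it did before the change.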
@ -616,7 +629,8 @@ only valid for ethernet interfaces.<br>
<p>Example 2:</p> <p>Example 2:</p>
<p>Your local interface is eth1 and you have two groups of local hosts that <p>Your local interface is eth1 and you have two groups of local hosts that
you want to consider as one zone and you want Shorewall to route between them:</p> you want to consider as one zone and you want Shorewall to route between
them:</p>
<ul> <ul>
<li>192.168.1.0/25 </li> <li>192.168.1.0/25 </li>
@ -688,12 +702,12 @@ you want to consider as one zone and you want Shorewall to route between them:</
<p> The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow <p> The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow
you to define nested or overlapping zones. Such overlapping/nested zones you to define nested or overlapping zones. Such overlapping/nested zones
are allowed and Shorewall processes zones in the order that are allowed and Shorewall processes zones in the order
they appear in the /etc/shorewall/zones file. So if you have that they appear in the /etc/shorewall/zones file. So if
nested zones, you want the sub-zone to appear before the super-zone you have nested zones, you want the sub-zone to appear before
and in the case of overlapping zones, the rules that will apply the super-zone and in the case of overlapping zones, the rules
to hosts that belong to both zones is determined by which zone that will apply to hosts that belong to both zones is determined
appears first in /etc/shorewall/zones.</p> by which zone appears first in /etc/shorewall/zones.</p>
<p> Hosts that belong to more than one zone may be managed by the rules <p> Hosts that belong to more than one zone may be managed by the rules
of all of those zones. This is done through use of the special of all of those zones. This is done through use of the special
@ -744,24 +758,24 @@ zone. When this policy is specified, the <b>LOG LEVEL </b>and <b>BURST:LIMIT
<p> Entries in /etc/shorewall/policy have four columns as follows:</p> <p> Entries in /etc/shorewall/policy have four columns as follows:</p>
<ol> <ol>
<li> <b> SOURCE</b> <li> <b>
- The name of a client zone (a zone defined in the <a SOURCE</b> - The name of a client zone (a zone defined in the
href="#Zones"> /etc/shorewall/zones file</a> , the <a href="#Zones"> /etc/shorewall/zones file</a> , the
<a href="#Conf">name of the firewall zone</a> or "all").</li> <a href="#Conf">name of the firewall zone</a> or "all").</li>
<li> <b> DEST</b> <li> <b>
- The name of a destination zone (a zone defined in the <a DEST</b> - The name of a destination zone (a zone defined in
href="#Zones"> /etc/shorewall/zones file</a> , the <a the <a href="#Zones"> /etc/shorewall/zones file</a> , the
href="#Conf">name of the firewall zone</a> or "all"). Shorewall automatically <a href="#Conf">name of the firewall zone</a> or "all"). Shorewall automatically
allows all traffic from the firewall to itself so the <a allows all traffic from the firewall to itself so the <a
href="#Conf">name of the firewall zone</a> cannot appear in both the href="#Conf">name of the firewall zone</a> cannot appear in both the
SOURCE and DEST columns.</li> SOURCE and DEST columns.</li>
<li> <b> POLICY</b> <li> <b>
- The default policy for connection requests from the SOURCE POLICY</b> - The default policy for connection requests from
zone to the DESTINATION zone.</li> the SOURCE zone to the DESTINATION zone.</li>
<li> <b> LOG <li> <b>
LEVEL</b> - Optional. If left empty, no log message is generated LOG LEVEL</b> - Optional. If left empty, no log message is
when the policy is applied. Otherwise, this column should generated when the policy is applied. Otherwise, this column
contain an integer or name indicating a <a should contain an integer or name indicating a <a
href="shorewall_logging.html">syslog level</a>.</li> href="shorewall_logging.html">syslog level</a>.</li>
<li> <b>LIMIT:BURST <li> <b>LIMIT:BURST
</b>- Optional. If left empty, TCP connection requests </b>- Optional. If left empty, TCP connection requests
@ -786,6 +800,7 @@ second and a burst of 40 connections will be tolerated. Connection
</font> </font>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
@ -830,8 +845,8 @@ second and a burst of 40 connections will be tolerated. Connection
local network to hosts on the internet are accepted.</li> local network to hosts on the internet are accepted.</li>
<li>All connection requests originating <li>All connection requests originating
from the internet are ignored and logged at level KERNEL.INFO.</li> from the internet are ignored and logged at level KERNEL.INFO.</li>
<li>All other connection requests are <li>All other connection requests
rejected and logged.</li> are rejected and logged.</li>
</ul> </ul>
@ -886,15 +901,15 @@ rejected and logged.</li>
</blockquote> </blockquote>
<h4><a name="IntraZone"></a>IntraZone Traffic</h4> <h4><a name="IntraZone"></a>IntraZone Traffic</h4>
Shorewall allows a zone to be associated with more than one interface or Shorewall allows a zone to be associated with more than one interface
with multiple networks that interface through a single interface. Beginning or with multiple networks that interface through a single interface. Beginning
with Shorewall 1.4.1, Shorewall will ACCEPT all traffic from a zone to itself with Shorewall 1.4.1, Shorewall will ACCEPT all traffic from a zone to itself
provided that there is no explicit policy governing traffic from that zone provided that there is no explicit policy governing traffic from that zone
to itself (an explicit policy does not specify "all" in either the SOURCE to itself (an explicit policy does not specify "all" in either the SOURCE
or DEST column) and that there are no rules concerning connections from that or DEST column) and that there are no rules concerning connections from that
zone to itself. If there is an explicit policy or if there are one or more zone to itself. If there is an explicit policy or if there are one or more
rules, then traffic within the zone is handled just like traffic between zones rules, then traffic within the zone is handled just like traffic between
is.<br> zones is.<br>
<p>Any time that you have multiple interfaces associated with a single zone, <p>Any time that you have multiple interfaces associated with a single zone,
you should ask yourself if you really want traffic routed between those interfaces. you should ask yourself if you really want traffic routed between those interfaces.
@ -904,8 +919,8 @@ Cases where you might not want that behavior are:<br>
<ol> <ol>
<li>Multiple 'net' interfaces to different ISPs. You don't want to route <li>Multiple 'net' interfaces to different ISPs. You don't want to route
traffic from one ISP to the other through your firewall.</li> traffic from one ISP to the other through your firewall.</li>
<li>Multiple VPN clients. You don't necessarily want them to all be able <li>Multiple VPN clients. You don't necessarily want them to all be
to communicate between themselves using your gateway/router.<br> able to communicate between themselves using your gateway/router.<br>
</li> </li>
</ol> </ol>
@ -1055,8 +1070,8 @@ policy</font></h4>
</blockquote> </blockquote>
<p> The second entry above says that when Sam is the client, connection <p> The second entry above says that when Sam is the client, connection
requests should first be process under rules where the source requests should first be process under rules where the
zone is <b>sam</b> and if there is no match then the connection source zone is <b>sam</b> and if there is no match then the connection
request should be treated under rules where the source zone request should be treated under rules where the source zone
is <b>net</b>. It is important that this policy be listed BEFORE is <b>net</b>. It is important that this policy be listed BEFORE
the next policy (<b>net</b> to <b>all</b>).</p> the next policy (<b>net</b> to <b>all</b>).</p>
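Review bot: while this paragraph is being rewrapped, fix the pre-existing grammar error "requests should first be process under rules" to "be processed under rules".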
@ -1139,8 +1154,8 @@ is <b>net</b>. It is important that this policy be listed BEFORE
with ssh and the connection request will be forwarded to with ssh and the connection request will be forwarded to
192.168.1.3. Like all hosts in the <b>net</b> zone, Sam can 192.168.1.3. Like all hosts in the <b>net</b> zone, Sam can
connect to the firewall's internet interface on TCP port 80 connect to the firewall's internet interface on TCP port 80
and the connection request will be forwarded to 192.168.1.5. The and the connection request will be forwarded to 192.168.1.5.
order of the rules is not significant.</p> The order of the rules is not significant.</p>
<p> <a name="Exclude"></a>Sometimes it is necessary to suppress port forwarding <p> <a name="Exclude"></a>Sometimes it is necessary to suppress port forwarding
for a sub-zone. For example, suppose that all hosts can for a sub-zone. For example, suppose that all hosts can
@ -1312,12 +1327,12 @@ source may be further restricted by adding a colon (":") followed
<li>An interface name - refers to <li>An interface name - refers to
any connection requests arriving on the specified any connection requests arriving on the specified
interface (example loc:eth4). Beginning with Shorwall 1.3.9, the interface (example loc:eth4). Beginning with Shorwall 1.3.9, the
interface name may optionally be followed by a colon (":") and an IP interface name may optionally be followed by a colon (":") and an
address or subnet (examples: loc:eth4:192.168.4.22, net:eth0:192.0.2.0/24).</li> IP address or subnet (examples: loc:eth4:192.168.4.22, net:eth0:192.0.2.0/24).</li>
<li>An IP address - refers to a connection <li>An IP address - refers to a
request from the host with the specified address connection request from the host with the specified
(example net:155.186.235.151). If the ACTION is DNAT, this must address (example net:155.186.235.151). If the ACTION is DNAT,
not be a DNS name.</li> this must not be a DNS name.</li>
<li>A MAC Address in <a <li>A MAC Address in <a
href="#MAC">Shorewall format</a>.</li> href="#MAC">Shorewall format</a>.</li>
<li>A subnet - refers to a connection <li>A subnet - refers to a connection
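Review bot: the rewrapped list item still carries the misspelling on the line "Beginning with Shorwall 1.3.9, the"; correct it to "Shorewall" since these lines are being touched anyway.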
@ -1331,15 +1346,15 @@ not be a DNS name.</li>
described above for SOURCE plus the following two additional described above for SOURCE plus the following two additional
forms: forms:
<ul> <ul>
<li>An IP address followed by a colon <li>An IP address followed by a
and the port <u>number</u> that the server colon and the port <u>number</u> that the
is listening on (service names from /etc/services are not server is listening on (service names from /etc/services are
allowed - example loc:192.168.1.3:80). <br> not allowed - example loc:192.168.1.3:80). <br>
</li> </li>
<li>A single port number (again, service <li>A single port number (again,
names are not allowed) -- this form is only allowed if the service names are not allowed) -- this form is only allowed
ACTION is REDIRECT and refers to a server running on the firewall if the ACTION is REDIRECT and refers to a server running on the
itself and listening on the specified port.</li> firewall itself and listening on the specified port.</li>
</ul> </ul>
Restrictions:<br> Restrictions:<br>
@ -1366,30 +1381,29 @@ an icmp type. If you don't want to specify DEST PORT(S) but need
enter "-" in this column. You may give a list of ports and/or port ranges enter "-" in this column. You may give a list of ports and/or port ranges
separated by commas. Port numbers may be either integers or service separated by commas. Port numbers may be either integers or service
names from /etc/services.</li> names from /etc/services.</li>
<li><b> SOURCE</b> <b>PORTS(S) </b>- <li><b> SOURCE</b> <b>PORTS(S)
May be used to restrict the rule to a particular client </b>- May be used to restrict the rule to a particular
port or port range (a port range is specified as &lt;low port client port or port range (a port range is specified as &lt;low
number&gt;:&lt;high port number&gt;). If you don't want to port number&gt;:&lt;high port number&gt;). If you don't want
restrict client ports but want to specify something in the next column, to restrict client ports but want to specify something in the next
enter "-" in this column. If you wish to specify a list of port column, enter "-" in this column. If you wish to specify a list
number or ranges, separate the list elements with commas (with of port number or ranges, separate the list elements with commas
no embedded white space). Port numbers may be either integers or (with no embedded white space). Port numbers may be either integers
service names from /etc/services.</li> or service names from /etc/services.</li>
<li><b>ORIGINAL DEST</b> - This column <li><b>ORIGINAL DEST</b> - This column
may only be non-empty if the ACTION is DNAT or REDIRECT.<br> may only be non-empty if the ACTION is DNAT or REDIRECT.<br>
<br> <br>
If DNAT or REDIRECT is the ACTION and If DNAT or REDIRECT is the ACTION
the ORIGINAL DEST column is left empty, any connection request and the ORIGINAL DEST column is left empty, any connection
arriving at the firewall from the SOURCE that matches the request arriving at the firewall from the SOURCE that matches
rule will be forwarded or redirected. This works fine for connection the rule will be forwarded or redirected. This works fine
requests arriving from the internet where the firewall has for connection requests arriving from the internet where the
only a single external IP address. When the firewall has multiple firewall has only a single external IP address. When the firewall
external IP addresses or when the SOURCE is other than the internet, has multiple external IP addresses or when the SOURCE is other
there will usually be a desire for the rule to only apply to than the internet, there will usually be a desire for the rule
those connection requests directed to a particular IP address to only apply to those connection requests directed to a particular
(see Example 2 below for another usage). That IP address (or IP address (see Example 2 below for another usage). That IP
a comma-separated list of such addresses) is specified in the address is specified in the ORIGINAL DEST column.<br>
ORIGINAL DEST column.<br>
<br> <br>
The IP address may be optionally followed The IP address may be optionally followed
by ":" and a second IP address. This latter address, if present, by ":" and a second IP address. This latter address, if present,
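Review bot: this hunk drops a statement of supported syntax without saying so: the old text read "That IP address (or a comma-separated list of such addresses) is specified in the ORIGINAL DEST column" and the new text reads only "That IP address is specified in the ORIGINAL DEST column." The list form is relied upon by Example 7 later in this file (forwarding tcp port 25 directed to 192.0.2.178 and 192.0.2.179, with the remark that "DNAT-" avoids two extra copies of the third rule). If a comma-separated list is still accepted, restore the parenthetical; if it was intentionally withdrawn, Example 7 needs updating as well, since a narrowing of accepted syntax is easy to miss inside a reflow-only change.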
@ -1406,11 +1420,11 @@ the scope of a rule by incoming interface. <br>
</b>Example: DNAT loc<u>:192.168.1.0/24</u> </b>Example: DNAT loc<u>:192.168.1.0/24</u>
loc:192.168.1.3 tcp www - 206.124.146.179:192.168.1.3<b><br> loc:192.168.1.3 tcp www - 206.124.146.179:192.168.1.3<b><br>
<br> <br>
</b>If SNAT is not used (no ":" </b>If SNAT is not used (no
and second IP address), the original source address is ":" and second IP address), the original source address
used. If you want any destination address to match the rule is used. If you want any destination address to match the
but want to specify SNAT, simply use a colon followed by the SNAT rule but want to specify SNAT, simply use a colon followed by the
address.</li> SNAT address.</li>
</ul> </ul>
@ -1722,9 +1736,9 @@ in your DMZ from all zones.<br>
were two DMZ interfaces then the above rule would NOT enable SMTP were two DMZ interfaces then the above rule would NOT enable SMTP
traffic between hosts on these interfaces.<br> traffic between hosts on these interfaces.<br>
</blockquote> </blockquote>
<b>Example 7 (For advanced users running Shorewall version <b>Example 7 (For advanced users running Shorewall
1.3.13 or later). </b>From the internet, you with to forward tcp version 1.3.13 or later). </b>From the internet, you with to forward
port 25 directed to 192.0.2.178 and 192.0.2.179 to host 192.0.2.177 tcp port 25 directed to 192.0.2.178 and 192.0.2.179 to host 192.0.2.177
in your DMZ. You also want to allow access from the internet directly in your DMZ. You also want to allow access from the internet directly
to tcp port 25 on 192.0.2.177. <br> to tcp port 25 on 192.0.2.177. <br>
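Review bot: pre-existing typo on the rewrapped Example 7 line: "you with to forward" should read "you wish to forward".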
@ -1802,8 +1816,8 @@ to tcp port 25 on 192.0.2.177. <br>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
Using "DNAT-" rather than "DNAT" avoids two extra copies Using "DNAT-" rather than "DNAT" avoids two extra
of the third rule from being generated.<br> copies of the third rule from being generated.<br>
<p><a href="ports.htm">Look here for information on other services.</a> <p><a href="ports.htm">Look here for information on other services.</a>
</p> </p>
@ -1836,8 +1850,8 @@ error, the firewall will be safely
<h2><a name="Masq"></a> /etc/shorewall/masq</h2> <h2><a name="Masq"></a> /etc/shorewall/masq</h2>
<p>The /etc/shorewall/masq file is used to define classical IP Masquerading <p>The /etc/shorewall/masq file is used to define classical IP Masquerading
and Source Network Address Translation (SNAT). There is one and Source Network Address Translation (SNAT). There is
entry in the file for each subnet that you want to masquerade. one entry in the file for each subnet that you want to masquerade.
In order to make use of this feature, you must have <a In order to make use of this feature, you must have <a
href="#NatEnabled">NAT enabled</a> .</p> href="#NatEnabled">NAT enabled</a> .</p>
@ -1854,22 +1868,22 @@ set ADD_SNAT_ALIASES=Yes in <a href="#Conf">/etc/shorewall/shorewall.conf</a>
you can cause Shorewall to create an alias <i>label </i>of the form you can cause Shorewall to create an alias <i>label </i>of the form
<i>interfacename:digit </i>(e.g., eth0:0) by placing that label <i>interfacename:digit </i>(e.g., eth0:0) by placing that label
in this column. See example 5 below. Alias labels created in this way in this column. See example 5 below. Alias labels created in this way
allow the alias to be visible to the ipconfig utility. <b>THAT IS THE allow the alias to be visible to the ipconfig utility. <b>THAT IS
ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE THE ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE
IN YOUR SHOREWALL CONFIGURATION.</b></li> ELSE IN YOUR SHOREWALL CONFIGURATION.</b></li>
<li><b> SUBNET</b> - The subnet that <li><b> SUBNET</b> - The subnet
you want to have masqueraded through the INTERFACE. This that you want to have masqueraded through the INTERFACE.
may be expressed as a single IP address, a subnet or an interface This may be expressed as a single IP address, a subnet or an
name. In the latter instance, the interface must be configured and interface name. In the latter instance, the interface must
started before Shorewall is started as Shorewall will determine be configured and started before Shorewall is started as Shorewall
the subnet based on information obtained from the 'ip' utility. will determine the subnet based on information obtained from
<b><font color="#ff0000">When using Shorewall 1.3.13 or earlier, when the 'ip' utility. <b><font color="#ff0000">When using Shorewall
an interface name is specified, Shorewall will only masquerade traffic 1.3.13 or earlier, when an interface name is specified, Shorewall will
from the first subnetwork on the named interface; if the interface interfaces only masquerade traffic from the first subnetwork on the named interface;
to more that one subnetwork, you will need to add additional entries to if the interface interfaces to more that one subnetwork, you will need
this file for each of those other subnetworks. Beginning with Shorewall to add additional entries to this file for each of those other subnetworks.
1.3.14, shorewall will masquerade/SNAT traffic from any host that is routed Beginning with Shorewall 1.3.14, shorewall will masquerade/SNAT traffic
through the named interface.</font></b><br> from any host that is routed through the named interface.</font></b><br>
<br> <br>
The subnet may be optionally followed The subnet may be optionally followed
by "!' and a comma-separated list of addresses and/or subnets by "!' and a comma-separated list of addresses and/or subnets
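Review bot: two pre-existing errors sit on lines this hunk rewraps: "visible to the ipconfig utility" should read "ifconfig" (the Linux interface tool; ipconfig is the Windows command), and "interfaces to more that one subnetwork" should be "more than one subnetwork". The red bold warning contrasting 1.3.13-or-earlier with 1.3.14 is also long enough that it would read better as its own <p> rather than inline inside the SUBNET item.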
@ -1877,11 +1891,11 @@ by "!' and a comma-separated list of addresses and/or subnets
<li><b>ADDRESS</b> - The source address <li><b>ADDRESS</b> - The source address
to be used for outgoing packets. This column is optional and to be used for outgoing packets. This column is optional and
if left blank, the current primary IP address of the interface if left blank, the current primary IP address of the interface
in the first column is used. If you have a static IP on that interface, in the first column is used. If you have a static IP on that
listing it here makes processing of output packets a little interface, listing it here makes processing of output packets
less expensive for the firewall. If you specify an address in this column, a little less expensive for the firewall. If you specify an address in
it must be an IP address configured on the INTERFACE or you must have this column, it must be an IP address configured on the INTERFACE or
ADD_SNAT_ALIASES enabled in <a href="#Conf">/etc/shorewall/shorewall.conf.</a></li> you must have ADD_SNAT_ALIASES enabled in <a href="#Conf">/etc/shorewall/shorewall.conf.</a></li>
</ul> </ul>
@ -1978,10 +1992,11 @@ and 192.168.10.45 from
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<b>Example 5 (Shorewall version &gt;= 1.3.14): </b>You have a second <b>Example 5 (Shorewall version &gt;= 1.3.14): </b>You have a
IP address (206.124.146.177) assigned to you and wish to use it for SNAT second IP address (206.124.146.177) assigned to you and wish to use
of the subnet 192.168.12.0/24. You want to give that address the name it for SNAT of the subnet 192.168.12.0/24. You want to give that address
eth0:0. You must have ADD_SNAT_ALIASES=Yes in <a href="#Conf">/etc/shorewall/shorewall.conf</a>.<br> the name eth0:0. You must have ADD_SNAT_ALIASES=Yes in <a
href="#Conf">/etc/shorewall/shorewall.conf</a>.<br>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
@ -2036,8 +2051,8 @@ one entry in this file for each
are:</p> are:</p>
<ul> <ul>
<li><b> ADDRESS</b> - address of the <li><b> ADDRESS</b> - address of
system.</li> the system.</li>
<li><b> INTERFACE</b> - the interface <li><b> INTERFACE</b> - the interface
that connects to the system. If the interface is obvious that connects to the system. If the interface is obvious
from the subnetting, you may enter "-" in this column.</li> from the subnetting, you may enter "-" in this column.</li>
@ -2077,18 +2092,20 @@ changing my proxy ARP settings. </b></font></p>
configure your firewall as follows:</p> configure your firewall as follows:</p>
<ul> <ul>
<li>eth0 - 155.186.235.1 (internet connection)</li> <li>eth0 - 155.186.235.1 (internet
connection)</li>
<li>eth1 - 192.168.9.0/24 (masqueraded <li>eth1 - 192.168.9.0/24 (masqueraded
local systems)</li> local systems)</li>
<li>eth2 - 192.168.10.1 (interface to <li>eth2 - 192.168.10.1 (interface
your DMZ)</li> to your DMZ)</li>
</ul> </ul>
<p> In your DMZ, you want to install a Web/FTP server with public address <p> In your DMZ, you want to install a Web/FTP server with public address
155.186.235.4. On the Web server, you subnet just like the 155.186.235.4. On the Web server, you subnet just like
firewall's eth0 and you configure 155.186.235.1 as the default the firewall's eth0 and you configure 155.186.235.1 as the
gateway. In your /etc/shorewall/proxyarp file, you will have:</p> default gateway. In your /etc/shorewall/proxyarp file, you will
have:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -2114,8 +2131,8 @@ your DMZ)</li>
that is smaller than the subnet of your internet interface. that is smaller than the subnet of your internet interface.
See the Proxy ARP Subnet Mini HOWTO (<a See the Proxy ARP Subnet Mini HOWTO (<a
href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>) href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>)
for details. In this case you will want to place "Yes" in for details. In this case you will want to place "Yes"
the HAVEROUTE column.</p> in the HAVEROUTE column.</p>
<p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and FreeS/Wan <p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and FreeS/Wan
on the same system unless you are prepared to suffer the consequences. on the same system unless you are prepared to suffer the consequences.
@ -2142,8 +2159,8 @@ in the Kernel or in FreeS/Wan. </p>
<p>The /etc/shorewall/nat file is used to define static NAT. There is one <p>The /etc/shorewall/nat file is used to define static NAT. There is one
entry in the file for each static NAT relationship that entry in the file for each static NAT relationship that
you wish to define. In order to make use of this feature, you you wish to define. In order to make use of this feature,
must have <a href="#NatEnabled">NAT enabled</a> .</p> you must have <a href="#NatEnabled">NAT enabled</a> .</p>
<p> <font <p> <font
color="#ff0000"> <b>IMPORTANT: If all you want to do color="#ff0000"> <b>IMPORTANT: If all you want to do
@ -2169,20 +2186,20 @@ the internal systems
<p>Columns in an entry are:</p> <p>Columns in an entry are:</p>
<ul> <ul>
<li><b> EXTERNAL</b> - External IP <li><b> EXTERNAL</b> - External
address - <u>This should NOT be the primary IP address IP address - <u>This should NOT be the primary IP
of the interface named in the next column.</u></li> address of the interface named in the next column.</u></li>
<li><b> INTERFACE</b> - Interface <li><b> INTERFACE</b> - Interface
that you want the EXTERNAL IP address to appear on. Beginning that you want the EXTERNAL IP address to appear on.
with Shorewall version 1.3.14, if you have set ADD_IP_ALIASES=Yes in Beginning with Shorewall version 1.3.14, if you have set ADD_IP_ALIASES=Yes
<a href="#Conf">/etc/shorewall/shorewall.conf</a>,  you can specify an in <a href="#Conf">/etc/shorewall/shorewall.conf</a>,  you can specify
alias label of the form <i>interfacename:digit </i>(e.g., eth0:0) and an alias label of the form <i>interfacename:digit </i>(e.g., eth0:0) and
Shorewall will create the alias with that label. Alias labels created Shorewall will create the alias with that label. Alias labels created
in this way allow the alias to be visible to the ipconfig utility. in this way allow the alias to be visible to the ipconfig utility.
<b>THAT IS THE ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT <b>THAT IS THE ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT
APPEAR ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION.</b> </li> APPEAR ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION.</b> </li>
<li><b> INTERNAL </b> - Internal IP <li><b> INTERNAL </b> - Internal
address.</li> IP address.</li>
<li><b>ALL <li><b>ALL
INTERFACES</b> INTERFACES</b>
- If Yes - If Yes
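Review bot: the INTERFACE bullet says alias labels of the form interfacename:digit are "visible to the ipconfig utility"; on Linux the tool that displays interface aliases is ifconfig (ipconfig is the Windows command), so the sentence should read "visible to the ifconfig utility". The non-breaking space before "you can specify" also survives the reflow and should be a normal space.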
@ -2236,30 +2253,32 @@ results in kernel compilation errors.</p>
<p> This file is used to set the following firewall parameters:</p> <p> This file is used to set the following firewall parameters:</p>
<ul> <ul>
<li><b>CLEAR_TC</b> - Added at <li><b>CLEAR_TC</b> - Added
version 1.3.13<br> at version 1.3.13<br>
If this option is set to 'No' then Shorewall won't clear the If this option is set to 'No' then Shorewall won't clear
current traffic control rules during [re]start. This setting is intended the current traffic control rules during [re]start. This setting is
for use by people that prefer to configure traffic shaping when the network intended for use by people that prefer to configure traffic shaping
interfaces come up rather than when the firewall is started. If that when the network interfaces come up rather than when the firewall is
is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply started. If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No
an /etc/shorewall/tcstart file. That way, your traffic shaping rules and do not supply an /etc/shorewall/tcstart file. That way, your traffic
can still use the 'fwmark' classifier based on packet marking defined shaping rules can still use the 'fwmark' classifier based on packet marking
in /etc/shorewall/tcrules. If not specified, CLEAR_TC=Yes is assumed.<br> defined in /etc/shorewall/tcrules. If not specified, CLEAR_TC=Yes is assumed.<br>
</li> </li>
<li><b>MARK_IN_FORWARD_CHAIN </b>- Added at version 1.3.12<br> <li><b>MARK_IN_FORWARD_CHAIN </b>- Added at version 1.3.12<br>
If your kernel has a FORWARD chain in the mangle table, If your kernel has a FORWARD chain in the mangle
you may set MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified table, you may set MARK_IN_FORWARD_CHAIN=Yes to cause the marking
in the <a href="traffic_shaping.htm#tcrules">tcrules file</a> to occur specified in the <a href="traffic_shaping.htm#tcrules">tcrules file</a>
in that chain rather than in the PREROUTING chain. This permits you to occur in that chain rather than in the PREROUTING chain. This
to mark inbound traffic based on its destination address when SNAT permits you to mark inbound traffic based on its destination address
or Masquerading are in use. To determine if your kernel has a FORWARD when SNAT or Masquerading are in use. To determine if your kernel has
chain in the mangle table, use the "/sbin/shorewall show mangle" command; a FORWARD chain in the mangle table, use the "/sbin/shorewall show
if a FORWARD chain is displayed then your kernel will support this mangle" command; if a FORWARD chain is displayed then your kernel
option. If this option is not specified or if it is given the empty value will support this option. If this option is not specified or if it
(e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.<br> is given the empty value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No
is assumed.<br>
</li> </li>
<li><b>RFC1918_LOG_LEVEL - </b>Added at version 1.3.12<br> <li><b>RFC1918_LOG_LEVEL - </b>Added at version
1.3.12<br>
This parameter determines the level at which packets This parameter determines the level at which packets
logged under the <a href="Documentation.htm#rfc1918">'norfc1918' logged under the <a href="Documentation.htm#rfc1918">'norfc1918'
mechanism </a> are logged. The value must be a valid <a mechanism </a> are logged. The value must be a valid <a
@ -2285,14 +2304,14 @@ If you don't want to log these packets, set to the empty value
</li> </li>
<li><b>MACLIST_DISPOSITION </b>- Added in Version <li><b>MACLIST_DISPOSITION </b>- Added in Version
1.3.10<br> 1.3.10<br>
Determines the disposition of connections requests Determines the disposition of connections
that fail <a href="MAC_Validation.html">MAC Verification</a> and requests that fail <a href="MAC_Validation.html">MAC Verification</a>
must have the value ACCEPT (accept the connection request anyway), REJECT and must have the value ACCEPT (accept the connection request anyway),
(reject the connection request) or DROP (ignore the connection request). REJECT (reject the connection request) or DROP (ignore the connection
If not set or if set to the empty value (e.g., MACLIST_DISPOSITION="") request). If not set or if set to the empty value (e.g., MACLIST_DISPOSITION="")
then MACLIST_DISPOSITION=REJECT is assumed.</li> then MACLIST_DISPOSITION=REJECT is assumed.</li>
<li><b>MACLIST_LOG_LEVEL </b>- Added in Version <li><b>MACLIST_LOG_LEVEL </b>- Added in
1.3.10<br> Version 1.3.10<br>
Determines the <a Determines the <a
href="shorewall_logging.html">syslog level</a> for logging connection href="shorewall_logging.html">syslog level</a> for logging connection
requests that fail <a href="MAC_Validation.html">MAC Verification</a>. requests that fail <a href="MAC_Validation.html">MAC Verification</a>.
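Review bot: typo in the MACLIST_DISPOSITION bullet, present before and after the reflow: "the disposition of connections requests" should be "the disposition of connection requests".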
@ -2300,16 +2319,17 @@ If you don't want to log these packets, set to the empty value
to log these connection requests, set to the empty value (e.g., to log these connection requests, set to the empty value (e.g.,
MACLIST_LOG_LEVEL="").<br> MACLIST_LOG_LEVEL="").<br>
</li> </li>
<li><b>NEWNOTSYN </b>- Added in Version 1.3.8<br> <li><b>NEWNOTSYN </b>- Added in Version
1.3.8<br>
When set to "Yes" or "yes", Shorewall will When set to "Yes" or "yes", Shorewall will
filter TCP packets that are not part of an established connention filter TCP packets that are not part of an established connention
and that are not SYN packets (SYN flag on - ACK flag off). If set and that are not SYN packets (SYN flag on - ACK flag off). If
to "No", Shorewall will silently drop such packets. If not set set to "No", Shorewall will silently drop such packets. If not
or set to the empty value (e.g., "NEWNOTSYN="), NEWNOTSYN=No is set or set to the empty value (e.g., "NEWNOTSYN="), NEWNOTSYN=No
assumed.<br> is assumed.<br>
<br> <br>
If you have a HA setup with failover to another If you have a HA setup with failover to
firewall, you should have NEWNOTSYN=Yes on both firewalls. another firewall, you should have NEWNOTSYN=Yes on both firewalls.
You should also select NEWNOTSYN=Yes if you have asymmetric routing.<br> You should also select NEWNOTSYN=Yes if you have asymmetric routing.<br>
</li> </li>
<li><b>LOGNEWNOTSYN</b> - Added in Version <li><b>LOGNEWNOTSYN</b> - Added in Version
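Review bot: typo in the NEWNOTSYN bullet, carried over unchanged: "established connention" should be "established connection". The word "filter" in "Shorewall will filter TCP packets that are not part of an established connection" is also ambiguous next to "If set to No, Shorewall will silently drop such packets"; saying that with NEWNOTSYN=Yes such packets are passed through the normal rules and policies would make the contrast with the drop behaviour explicit.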
@ -2317,31 +2337,30 @@ You should also select NEWNOTSYN=Yes if you have asymmetric routing.<
Beginning with version 1.3.6, Shorewall Beginning with version 1.3.6, Shorewall
drops non-SYN TCP packets that are not part of an existing drops non-SYN TCP packets that are not part of an existing
connection. If you would like to log these packets, set connection. If you would like to log these packets, set
LOGNEWNOTSYN to the <a href="shorewall_logging.html">syslog level</a> LOGNEWNOTSYN to the <a href="shorewall_logging.html">syslog
at which you want the packets logged. Example: LOGNEWNOTSYN=ULOG|<br> level</a> at which you want the packets logged. Example: LOGNEWNOTSYN=ULOG|<br>
<br> <br>
<b>Note: </b>Packets logged under this <b>Note: </b>Packets logged under
option are usually the result of broken remote IP stacks this option are usually the result of broken remote IP
rather than the result of any sort of attempt to breach your stacks rather than the result of any sort of attempt to
firewall.</li> breach your firewall.</li>
<li><b>DETECT_DNAT_ADDRS</b> <li><b>DETECT_DNAT_ADDRS</b>
- Added in Version 1.3.4<br> - Added in Version 1.3.4<br>
If set to "Yes" or "yes", Shorewall will detect the IP address(es) If set to "Yes" or "yes", Shorewall will detect the first IP
of the interface(es) to the source zone and will include this address of the interface to the source zone and will include this address
(these) address(es) in DNAT rules as the original destination in DNAT rules as the original destination IP address. If set to "No"
IP address. If set to "No" or "no", Shorewall will not detect this or "no", Shorewall will not detect this address and any destination
(these) address(es) and any destination IP address will match the IP address will match the DNAT rule. If not specified or empty,
DNAT rule. If not specified or empty, "DETECT_DNAT_ADDRS=Yes" is "DETECT_DNAT_ADDRS=Yes" is assumed.<br>
assumed.<br>
</li> </li>
<li><b></b><b>MULTIPORT</b> - Added in <li><b></b><b>MULTIPORT</b> - Added
Version 1.3.2<br> in Version 1.3.2<br>
If set to "Yes" or "yes", Shorewall If set to "Yes" or "yes", Shorewall
will use the Netfilter multiport facility. In order to will use the Netfilter multiport facility. In order
use this facility, your kernel must have multiport support to use this facility, your kernel must have multiport
(CONFIG_IP_NF_MATCH_MULTIPORT). When this support is used, Shorewall support (CONFIG_IP_NF_MATCH_MULTIPORT). When this support is used,
will generate a single rule from each record in the /etc/shorewall/rules Shorewall will generate a single rule from each record in
file that meets these criteria:<br> the /etc/shorewall/rules file that meets these criteria:<br>
<ul> <ul>
<li>No port range(s) specified</li> <li>No port range(s) specified</li>
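Review bot: the DETECT_DNAT_ADDRS rewrite changes the documented behaviour, not just the line wrapping: the old text says Shorewall detects "the IP address(es) of the interface(es) to the source zone", the new text says it detects "the first IP address of the interface to the source zone". If the code only ever used the first address this is a welcome correction, but it should be called out in the commit message or changelog rather than buried in a whitespace-only commit, since users with several addresses on the external interface will read it as a change in what DNAT rules match. Separately, the LOGNEWNOTSYN example "LOGNEWNOTSYN=ULOG|" has a stray "|" after ULOG in both columns.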
@ -2354,49 +2373,49 @@ use this facility, your kernel must have multiport support
</li> </li>
<li><b>NAT_BEFORE_RULES</b><br> <li><b>NAT_BEFORE_RULES</b><br>
If set to "No" or "no", port forwarding If set to "No" or "no", port forwarding
rules can override the contents of the <a href="#NAT">/etc/shorewall/nat</a> rules can override the contents of the <a
file. If set to "Yes" or "yes", port forwarding rules cannot href="#NAT">/etc/shorewall/nat</a> file. If set to "Yes" or
override static NAT. If not set or set to an empty value, "yes", port forwarding rules cannot override static NAT.
"Yes" is assumed.</li> If not set or set to an empty value, "Yes" is assumed.</li>
<li><b>FW<br> <li><b>FW<br>
</b>This </b>This
parameter specifies the parameter specifies the
name of the name of the
firewall zone. firewall zone.
If not set or If not set
if set or if
to an empty string, the value set to an empty string, the value
"fw" is assumed.</li> "fw" is assumed.</li>
<li><b>SUBSYSLOCK</b><br> <li><b>SUBSYSLOCK</b><br>
This parameter should be set to This parameter should be set
the name of a file that the firewall should create if to the name of a file that the firewall should create
it starts successfully and remove when it stops. Creating if it starts successfully and remove when it stops. Creating
and removing this file allows Shorewall to work with your distribution's and removing this file allows Shorewall to work with your distribution's
initscripts. For RedHat, this should be set to /var/lock/subsys/shorewall. initscripts. For RedHat, this should be set to /var/lock/subsys/shorewall.
For Debian, the value is /var/state/shorewall and in LEAF it For Debian, the value is /var/state/shorewall and in LEAF
is /var/run/shorwall. Example: SUBSYSLOCK=/var/lock/subsys/shorewall.</li> it is /var/run/shorwall. Example: SUBSYSLOCK=/var/lock/subsys/shorewall.</li>
<li><b> STATEDIR</b><br> <li><b> STATEDIR</b><br>
This parameter specifies the name This parameter specifies the
of a directory where Shorewall stores state information. name of a directory where Shorewall stores state information.
If the directory doesn't exist when Shorewall starts, it If the directory doesn't exist when Shorewall starts,
will create the directory. Example: STATEDIR=/tmp/shorewall.<br> it will create the directory. Example: STATEDIR=/tmp/shorewall.<br>
<br> <br>
<b>NOTE:</b> If you change the STATEDIR <b>NOTE:</b> If you change the STATEDIR
variable while the firewall is running, create the new variable while the firewall is running, create the new
directory if necessary then copy the contents of the old directory if necessary then copy the contents of the old
directory to the new directory. </li> directory to the new directory. </li>
<li><b>MODULESDIR</b><br> <li><b>MODULESDIR</b><br>
This parameter specifies the directory This parameter specifies the
where your kernel netfilter modules may be found. If directory where your kernel netfilter modules may be
you leave the variable empty, Shorewall will supply the value found. If you leave the variable empty, Shorewall will supply
"/lib/modules/`uname -r`/kernel/net/ipv4/netfilter.</li> the value "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter.</li>
<li><b> LOGRATE </b> and <b> LOGBURST</b><br> <li><b> LOGRATE </b> and <b> LOGBURST</b><br>
These parameters set the match These parameters set the match
rate and initial burst size for logged packets. Please rate and initial burst size for logged packets. Please
see the iptables man page for a description of the behavior see the iptables man page for a description of the behavior
of these parameters (the iptables option --limit is set by LOGRATE of these parameters (the iptables option --limit is set by
and --limit-burst is set by LOGBURST). If both parameters are LOGRATE and --limit-burst is set by LOGBURST). If both parameters
set empty, no rate-limiting will occur.<br> are set empty, no rate-limiting will occur.<br>
<br> <br>
Example:<br> Example:<br>
LOGRATE=10/minute<br> LOGRATE=10/minute<br>
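Review bot: two defects survive the reflow in this hunk. In SUBSYSLOCK the LEAF path "/var/run/shorwall" is missing the "e" (should be /var/run/shorewall), and in MODULESDIR the default value "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter has an opening quote with no closing one. The STATEDIR example STATEDIR=/tmp/shorewall also points at a world-writable directory; since Shorewall creates the directory itself at start, a location under /var would be a better example for state the firewall script relies on.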
@ -2435,12 +2454,12 @@ If the parameter has a value of "no" or "No" then NAT is
disabled.<br> disabled.<br>
</li> </li>
<li><b> MANGLE_ENABLED</b><br> <li><b> MANGLE_ENABLED</b><br>
This parameter determines if packet This parameter determines if
mangling is enabled. If the parameter has no value or packet mangling is enabled. If the parameter has no
has a value of "Yes" or "yes" than packet mangling is enabled. value or has a value of "Yes" or "yes" than packet mangling
If the parameter has a value of "no" or "No" then packet is enabled. If the parameter has a value of "no" or "No"
mangling is disabled. If packet mangling is disabled, the then packet mangling is disabled. If packet mangling is disabled,
/etc/shorewall/tos file is ignored.<br> the /etc/shorewall/tos file is ignored.<br>
</li> </li>
<li><b> IP_FORWARDING</b><br> <li><b> IP_FORWARDING</b><br>
This parameter determines whether This parameter determines whether
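Review bot: typo in the MANGLE_ENABLED bullet, unchanged by the reflow: "has a value of "Yes" or "yes" than packet mangling is enabled" should be "then packet mangling is enabled".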
@ -2451,11 +2470,11 @@ mangling is disabled. If packet mangling is disabled, the
will be enabled.<br> will be enabled.<br>
Off or off - packet forwarding Off or off - packet forwarding
will be disabled.<br> will be disabled.<br>
Keep or keep - Shorewall will Keep or keep - Shorewall
neither enable nor disable packet forwarding.<br> will neither enable nor disable packet forwarding.<br>
<br> <br>
If this variable is not set or If this variable is not set
is given an empty value (IP_FORWARD="") then IP_FORWARD=On or is given an empty value (IP_FORWARD="") then IP_FORWARD=On
is assumed.<br> is assumed.<br>
</li> </li>
<li><b>ADD_IP_ALIASES</b><br> <li><b>ADD_IP_ALIASES</b><br>
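Review bot: the bullet is headed IP_FORWARDING but the closing sentence refers to the variable as IP_FORWARD (IP_FORWARD="" and IP_FORWARD=On). One of the two names is wrong; whichever name shorewall.conf actually reads should be used consistently in the heading, the empty-value example and the assumed default.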
@ -2470,17 +2489,17 @@ using your distribution's network configuration tools. <b>RESTRICTION:
on an interface.<br> on an interface.<br>
<br> <br>
If this variable is not set or If this variable is not set or
is given an empty value (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is given an empty value (ADD_IP_ALIASES="") then
is assumed.</li> ADD_IP_ALIASES=Yes is assumed.</li>
<li><b>ADD_SNAT_ALIASES</b><br> <li><b>ADD_SNAT_ALIASES</b><br>
This parameter determines whether Shorewall This parameter determines whether
automatically adds the SNAT <i> ADDRESS </i>in <a Shorewall automatically adds the SNAT <i> ADDRESS
href="#Masq">/etc/shorewall/masq</a>. If the variable is </i>in <a href="#Masq">/etc/shorewall/masq</a>. If the variable
set to "Yes" or "yes" then Shorewall automatically adds these is set to "Yes" or "yes" then Shorewall automatically adds
addresses. If it is set to "No" or "no", you must add these addresses these addresses. If it is set to "No" or "no", you must add these
yourself using your distribution's network configuration tools. addresses yourself using your distribution's network configuration
<b>RESTRICTION: </b>Shorewall can only add addresses to the first subnetwork tools. <b>RESTRICTION: </b>Shorewall can only add addresses
configured on an interface.<br> to the first subnetwork configured on an interface.<br>
<br> <br>
If this variable is not set or If this variable is not set or
is given an empty value (ADD_SNAT_ALIASES="") then is given an empty value (ADD_SNAT_ALIASES="") then
@ -2531,8 +2550,8 @@ TCP RST (tcp only). If you do not assign
assumed.</li> assumed.</li>
<li><b>BLACKLIST_LOGLEVEL</b><br> <li><b>BLACKLIST_LOGLEVEL</b><br>
This paremter This paremter
determines if packets from determines if packets
blacklisted from blacklisted
hosts are hosts are
logged and it logged and it
determines the syslog determines the syslog
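Review bot: typo in the BLACKLIST_LOGLEVEL bullet, present on both sides: "This paremter" should be "This parameter".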
@ -2582,9 +2601,9 @@ MSS to PMTU
<h2><a name="modules"></a> /etc/shorewall/modules Configuration</h2> <h2><a name="modules"></a> /etc/shorewall/modules Configuration</h2>
<p>The file /etc/shorewall/modules contains commands for loading the kernel <p>The file /etc/shorewall/modules contains commands for loading the kernel
modules required by Shorewall-defined firewall rules. Shorewall modules required by Shorewall-defined firewall rules.
will source this file during start/restart provided that Shorewall will source this file during start/restart provided
it exists and that the directory specified by the MODULESDIR that it exists and that the directory specified by the MODULESDIR
parameter exists (see <a href="#Conf">/etc/shorewall/shorewall.conf</a> parameter exists (see <a href="#Conf">/etc/shorewall/shorewall.conf</a>
above).</p> above).</p>
@ -2617,8 +2636,8 @@ ip_conntrack).</p>
<p> The function determines if the module named by <i>&lt;modulename&gt; <p> The function determines if the module named by <i>&lt;modulename&gt;
</i> is already loaded and if not then the function determines </i> is already loaded and if not then the function determines
if the ".o" file corresponding to the module exists in the if the ".o" file corresponding to the module exists in
<i>moduledirectory</i>; if so, then the following command the <i>moduledirectory</i>; if so, then the following command
is executed:</p> is executed:</p>
<blockquote> <blockquote>
@ -2647,29 +2666,29 @@ it does, the function assumes that the running configuration supports compress
<p> Entries in the file have the following columns:</p> <p> Entries in the file have the following columns:</p>
<ul> <ul>
<li><b> SOURCE</b> -- The source zone. <li><b> SOURCE</b> -- The source
May be qualified by following the zone name with a colon zone. May be qualified by following the zone name with
(":") and either an IP address, an IP subnet, a MAC address a colon (":") and either an IP address, an IP subnet, a MAC
in <a href="#MAC">Shorewall Format</a> or the name of an address in <a href="#MAC">Shorewall Format</a> or the name
interface. This column may also contain the <a href="#FW">name of of an interface. This column may also contain the <a href="#FW">name
the firewall</a> of the firewall</a>
zone to zone
indicate packets originating on the firewall itself or "all" to to indicate packets originating on the firewall itself or "all"
indicate any source.</li> to indicate any source.</li>
<li><b> DEST</b> -- The destination <li><b> DEST</b> -- The destination
zone. May be qualified by following the zone name with zone. May be qualified by following the zone name with
a colon (":") and either an IP address or an IP subnet. Because a colon (":") and either an IP address or an IP subnet.
packets are marked prior to routing, you may not specify Because packets are marked prior to routing, you may not specify
the name of an interface. This column may also contain "all" the name of an interface. This column may also contain
to indicate any destination.</li> "all" to indicate any destination.</li>
<li><b> PROTOCOL</b> -- The name of <li><b> PROTOCOL</b> -- The name
a protocol in /etc/protocols or the protocol's number.</li> of a protocol in /etc/protocols or the protocol's number.</li>
<li><b> SOURCE PORT(S)</b> -- The <li><b> SOURCE PORT(S)</b> -- The
source port or a port range. For all ports, place a source port or a port range. For all ports, place a
hyphen ("-") in this column.</li> hyphen ("-") in this column.</li>
<li><b> DEST PORT(S)</b> -- The destination <li><b> DEST PORT(S)</b> -- The
port or a port range. To indicate all ports, place a hyphen destination port or a port range. To indicate all ports,
("-") in this column.</li> place a hyphen ("-") in this column.</li>
<li><b> TOS</b> -- The type of service. <li><b> TOS</b> -- The type of service.
Must be one of the following:</li> Must be one of the following:</li>
@ -2806,12 +2825,12 @@ file. </p>
above.</li> above.</li>
<li><b>PROTOCOL</b> - Optional. If specified, <li><b>PROTOCOL</b> - Optional. If specified,
only packets specifying this protocol will be blocked.</li> only packets specifying this protocol will be blocked.</li>
<li><b>PORTS - </b>Optional; may only be <li><b>PORTS - </b>Optional; may only
given if PROTOCOL is tcp, udp or icmp. Expressed as a comma-separated be given if PROTOCOL is tcp, udp or icmp. Expressed as a comma-separated
list of port numbers or service names (from /etc/services). If list of port numbers or service names (from /etc/services). If
present, only packets destined for the specified protocol and present, only packets destined for the specified protocol and
one of the listed ports are blocked. When the PROTOCOL is icmp, the one of the listed ports are blocked. When the PROTOCOL is icmp,
PORTS column contains a comma-separated list of ICMP type numbers the PORTS column contains a comma-separated list of ICMP type numbers
or names (see "iptables -h icmp").<br> or names (see "iptables -h icmp").<br>
</li> </li>
@ -2833,15 +2852,16 @@ PORTS column contains a comma-separated list of ICMP type numbers
<ul> <ul>
<li><b>SUBNET</b> - The subnet <li><b>SUBNET</b> - The subnet
using VLSM notation (e.g., 192.168.0.0/16).</li> using VLSM notation (e.g., 192.168.0.0/16).</li>
<li><b>TARGET<i> </i></b>- What <li><b>TARGET<i> </i></b>-
to do with packets to/from the SUBNET: What to do with packets to/from the SUBNET:
<ul> <ul>
<li><b>RETURN</b> - Process <li><b>RETURN</b> - Process
the packet normally thru the rules and policies.</li> the packet normally thru the rules and policies.</li>
<li><b>DROP</b> - Silently <li><b>DROP</b> - Silently
drop the packet.</li> drop the packet.</li>
<li><b>logdrop</b> - Log then <li><b>logdrop</b> - Log
drop the packet -- see the <a href="#Conf">RFC1918_LOG_LEVEL</a> then drop the packet -- see the <a href="#Conf">RFC1918_LOG_LEVEL</a>
parameter above.</li> parameter above.</li>
</ul> </ul>
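Review bot: the RETURN target description uses "thru" ("Process the packet normally thru the rules and policies"); the rest of the reference spells it "through", so this should follow suit.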
@ -2856,8 +2876,9 @@ parameter above.</li>
the firewall is stopped. Columns in the file are:</p> the firewall is stopped. Columns in the file are:</p>
<ul> <ul>
<li><b>INTERFACE </b>- The firewall <li><b>INTERFACE </b>- The
interface through which the host(s) comminicate with the firewall.</li> firewall interface through which the host(s) comminicate
with the firewall.</li>
<li><b>HOST(S) </b>- (Optional) <li><b>HOST(S) </b>- (Optional)
- A comma-separated list of IP/Subnet addresses. If not supplied - A comma-separated list of IP/Subnet addresses. If not supplied
or supplied as "-" then 0.0.0.0/0 is assumed.</li> or supplied as "-" then 0.0.0.0/0 is assumed.</li>
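Review bot: typo in the INTERFACE column description for the routestopped file, unchanged by the reflow: "the host(s) comminicate with the firewall" should be "communicate".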
@ -2898,7 +2919,7 @@ parameter above.</li>
href="ECN.html">ECN Control Documentation</a>.<br> href="ECN.html">ECN Control Documentation</a>.<br>
<br> <br>
<p><font size="-1"> Updated 4/11/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="-1"> Updated 5/9/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
@ -2907,5 +2928,7 @@ parameter above.</li>
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>
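Review bot: the two extra &lt;br&gt; lines added before &lt;/body&gt; only add trailing blank space to the rendered page (there are already three); unless the editor needs them, they should be dropped to keep the diff to the intended content change.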


@ -33,6 +33,7 @@
<h1>Looking for Step by Step Configuration Instructions? Check out the <a <h1>Looking for Step by Step Configuration Instructions? Check out the <a
href="shorewall_quickstart_guide.htm">QuickStart Guides</a>. <br> href="shorewall_quickstart_guide.htm">QuickStart Guides</a>. <br>
</h1> </h1>
<h1>PORT FORWARDING<br> <h1>PORT FORWARDING<br>
</h1> </h1>
@ -83,8 +84,11 @@ the connection to port 22 on local system 192.168.1.3</b>. How do I do that?</a>
as 'closed' rather than 'blocked'.</b> Why?</a></p> as 'closed' rather than 'blocked'.</b> Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b> <p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
of my firewall and it showed 100s of ports as open!!!!</a></p> of my firewall and it showed 100s of ports as
open!!!!<br>
</a></p>
<b>4b</b>. <a href="#faq4b">I have a port that I can't close no matter how
I change my rules. </a>
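Review bot: the new 4b entry is inconsistent with its neighbours. Entry 4a is wrapped in &lt;p align="left"&gt; while 4b is bare text after the closing &lt;/p&gt;, and 4a now has a &lt;br&gt; inserted inside the &lt;a&gt; element before &lt;/a&gt;; wrapping 4b in the same &lt;p align="left"&gt; as 4 and 4a, and moving the &lt;br&gt; outside the anchor, keeps the list rendering uniformly.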
<h1>CONNECTION PROBLEMS</h1> <h1>CONNECTION PROBLEMS</h1>
<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now <p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now
@ -171,30 +175,30 @@ such <b>ugly fonts</b> on your <b>web site</b>?</a><br>
</h1> </h1>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows me and it has an internel web server that allows
to configure/monitor it but as expected if I enable me to configure/monitor it but as expected if I enable
<b> rfc1918 blocking</b> for my eth0 interface, it also <b> rfc1918 blocking</b> for my eth0 interface, it also
blocks the <b>cable modems web server</b></a>.</p> blocks the <b>cable modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 IP addresses, my ISP's DHCP server has an RFC
address. If I enable RFC 1918 filtering on my external 1918 address. If I enable RFC 1918 filtering on my external
interface, <b>my DHCP client cannot renew its lease</b>.</a></p> interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
<h1>ALIAS IP ADDRESSES/VIRTUAL INTERFACES<br> <h1>ALIAS IP ADDRESSES/VIRTUAL INTERFACES<br>
</h1> </h1>
<b>18.</b> <a href="#faq18">Is there any <b>18.</b> <a href="#faq18">Is there
way to use <b>aliased ip addresses</b> with Shorewall, and any way to use <b>aliased ip addresses</b> with Shorewall,
maintain separate rulesets for different IPs?</a><br> and maintain separate rulesets for different IPs?</a><br>
<h1>MISCELLANEOUS<br> <h1>MISCELLANEOUS<br>
</h1> </h1>
<b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b> <b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b>
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br> but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
<br> <br>
<b>20. </b><a href="#faq20">I have <b>20. </b><a href="#faq20">I
just set up a server. <b>Do I have to change Shorewall to have just set up a server. <b>Do I have to change Shorewall
allow access to my server from the internet?</b></a><br> to allow access to my server from the internet?</b></a><br>
<br> <br>
<b>24. </b><a href="#faq24">How can I <b>allow <b>24. </b><a href="#faq24">How can I <b>allow
conections</b> to let's say the ssh port only<b> from specific conections</b> to let's say the ssh port only<b> from specific
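Review bot: the rewrapped index entries carry two spelling errors forward: entry 14 still reads "internel web server" (the answer heading for FAQ 14 later in this diff spells it "internal"), and entry 24 reads "allow conections". Since these lines are being rewrapped anyway, fix them to "internal" and "connections" so the index matches the answer headings.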
@ -205,18 +209,18 @@ IP Addresses</b> on the internet?</a><br>
<hr> <hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to <h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
my my personal PC with IP address 192.168.1.5. I've my my personal PC with IP address 192.168.1.5.
looked everywhere and can't find how to do it.</h4> I've looked everywhere and can't find how to do it.</h4>
<p align="left"><b>Answer: </b>The <a <p align="left"><b>Answer: </b>The <a
href="Documentation.htm#PortForward"> first example</a> in the <a href="Documentation.htm#PortForward"> first example</a> in the <a
href="Documentation.htm#Rules">rules file documentation</a> shows how to href="Documentation.htm#Rules">rules file documentation</a> shows how to
do port forwarding under Shorewall. The format of do port forwarding under Shorewall. The format
a port-forwarding rule to a local system is as follows:</p> of a port-forwarding rule to a local system is as follows:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1"> id="AutoNumber1" cellspacing="1">
<tbody> <tbody>
<tr> <tr>
<td><u><b>ACTION</b></u></td> <td><u><b>ACTION</b></u></td>
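Review bot: the FAQ 1 heading still says "to my my personal PC" after the rewrap; drop the doubled "my". Also, adding cellspacing="1" to a table styled with border-collapse: collapse has no visible effect, because cell spacing is ignored in the collapsed border model; either drop the new attribute or drop the collapse style, and keep the three port-forwarding tables in this file consistent (the third one is given cellspacing="0" instead).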
@ -252,7 +256,7 @@ IP Addresses</b> on the internet?</a><br>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1"> id="AutoNumber1" cellspacing="1">
<tbody> <tbody>
<tr> <tr>
<td><u><b>ACTION</b></u></td> <td><u><b>ACTION</b></u></td>
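Review bot: this second table keeps id="AutoNumber1", the same id as the table in the previous hunk, while the next hunk removes it from the third table; duplicate ids are invalid HTML and any anchor or script keyed on that id only finds the first. Nothing on the page links to #AutoNumber1, so the cleaner change is to remove the id from all three tables, as this commit already does for the third.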
@ -287,8 +291,8 @@ IP Addresses</b> on the internet?</a><br>
system:</div> system:</div>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" cellspacing="0"
id="AutoNumber1"> style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><u><b>ACTION</b></u></td> <td><u><b>ACTION</b></u></td>
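Review bot: this table gets cellspacing="0" and loses its id, while the two preceding port-forwarding tables get cellspacing="1" and keep theirs; pick one set of attributes for all three so they render the same. With border-collapse: collapse in effect the cellspacing value is ignored in any case.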
@ -317,8 +321,8 @@ IP Addresses</b> on the internet?</a><br>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
Finally, if you need to forward a range of ports, in the Finally, if you need to forward a range of ports, in
PORT column specify the range as <i>low-port</i>:<i>high-port</i>.<br> the PORT column specify the range as <i>low-port</i>:<i>high-port</i>.<br>
<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions <h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions
but it doesn't work</h4> but it doesn't work</h4>
@ -328,12 +332,12 @@ IP Addresses</b> on the internet?</a><br>
<ul> <ul>
<li>You are trying <li>You are trying
to test from inside your firewall (no, that won't work to test from inside your firewall (no, that won't
-- see <a href="#faq2">FAQ #2</a>).</li> work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more <li>You have a
basic problem with your local system such as an incorrect more basic problem with your local system such as an
default gateway configured (it should be set to the IP address incorrect default gateway configured (it should be set to
of your firewall's internal interface).</li> the IP address of your firewall's internal interface).</li>
<li>Your ISP is blocking that particular port inbound.<br> <li>Your ISP is blocking that particular port inbound.<br>
</li> </li>
@ -341,8 +345,8 @@ IP Addresses</b> on the internet?</a><br>
<h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port <h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port
forwarding</h4> forwarding</h4>
<b>Answer: </b>To further diagnose <b>Answer: </b>To further
this problem:<br> diagnose this problem:<br>
<ul> <ul>
<li>As root, type "iptables <li>As root, type "iptables
@ -355,29 +359,29 @@ redirected port from an external host.</li>
<li>Locate the appropriate <li>Locate the appropriate
DNAT rule. It will be in a chain called <i>&lt;source DNAT rule. It will be in a chain called <i>&lt;source
zone&gt;</i>_dnat ('net_dnat' in the above examples).</li> zone&gt;</i>_dnat ('net_dnat' in the above examples).</li>
<li>Is the packet count in <li>Is the packet count
the first column non-zero? If so, the connection request in the first column non-zero? If so, the connection
is reaching the firewall and is being redirected to the server. request is reaching the firewall and is being redirected
In this case, the problem is usually a missing or incorrect to the server. In this case, the problem is usually a missing
default gateway setting on the server (the server's default or incorrect default gateway setting on the server (the server's
gateway should be the IP address of the firewall's interface default gateway should be the IP address of the firewall's
to the server).</li> interface to the server).</li>
<li>If the packet count is <li>If the packet count
zero:</li> is zero:</li>
<ul> <ul>
<li>the connection request <li>the connection request
is not reaching your server (possibly it is being blocked is not reaching your server (possibly it is being blocked
by your ISP); or</li> by your ISP); or</li>
<li>you are trying to connect <li>you are trying to
to a secondary IP address on your firewall and your rule connect to a secondary IP address on your firewall and
is only redirecting the primary IP address (You need to specify your rule is only redirecting the primary IP address (You need
the secondary IP address in the "ORIG. DEST." column in your to specify the secondary IP address in the "ORIG. DEST." column
DNAT rule); or</li> in your DNAT rule); or</li>
<li>your DNAT rule doesn't <li>your DNAT rule doesn't
match the connection request in some other way. In that match the connection request in some other way. In that
case, you may have to use a packet sniffer such as tcpdump or case, you may have to use a packet sniffer such as tcpdump
ethereal to further diagnose the problem.<br> or ethereal to further diagnose the problem.<br>
</li> </li>
</ul> </ul>
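Review bot: in the "If the packet count is zero" sub-list, the first bullet says the connection request "is not reaching your server", but a zero counter on the net_dnat rule means the request never matched on the firewall; the server only becomes relevant once the rule has redirected the packet, which is the non-zero case above. Suggest: "the connection request is not reaching your firewall (possibly it is being blocked by your ISP); or".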
@ -431,14 +435,15 @@ zero:</li>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p> <p align="left"><b>Answer: </b>I have two objections to this setup.</p>
<ul> <ul>
<li>Having an internet-accessible <li>Having an
server in your local network is like raising foxes internet-accessible server in your local network
in the corner of your hen house. If the server is compromised, is like raising foxes in the corner of your hen house. If
there's nothing between that server and your other internal the server is compromised, there's nothing between
systems. For the cost of another NIC and a cross-over cable, that server and your other internal systems. For the cost
you can put your server in a DMZ such that it is isolated of another NIC and a cross-over cable, you can put your
from your local systems - assuming that the Server can be located server in a DMZ such that it is isolated from your local systems
near the Firewall, of course :-)</li> - assuming that the Server can be located near the Firewall,
of course :-)</li>
<li>The accessibility <li>The accessibility
problem is best solved using <a problem is best solved using <a
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a> href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
@ -553,9 +558,9 @@ upgrade to Shorewall 1.4.2 or later.<br>
<div align="left"> <div align="left">
<p align="left">That rule only works of course if you have a static external <p align="left">That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and IP address. If you have a dynamic IP address
are running Shorewall 1.3.4 or later then include this and are running Shorewall 1.3.4 or later then include
in /etc/shorewall/init:</p> this in /etc/shorewall/init:</p>
</div> </div>
<div align="left"> <div align="left">
@ -611,8 +616,8 @@ upgrade to Shorewall 1.4.2 or later.<br>
<p align="left"><b>Answer: </b>This is another problem that is best solved <p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both external using Bind Version 9 "views". It allows both external
and internal clients to access a NATed host using the and internal clients to access a NATed host using
host's DNS name.</p> the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from <p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts in static NAT to Proxy ARP. That way, the hosts in
@ -623,8 +628,8 @@ upgrade to Shorewall 1.4.2 or later.<br>
Z-&gt;Z traffic through your firewall then:</p> Z-&gt;Z traffic through your firewall then:</p>
<p align="left">a) Set the Z-&gt;Z policy to ACCEPT.<br> <p align="left">a) Set the Z-&gt;Z policy to ACCEPT.<br>
b) Masquerade Z to b) Masquerade Z
itself.<br> to itself.<br>
<br> <br>
Example:</p> Example:</p>
@ -715,9 +720,9 @@ itself.<br>
<p align="left"><b>Answer: </b>There is an <a <p align="left"><b>Answer: </b>There is an <a
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
tracking/NAT module</a> that may help with Netmeeting. tracking/NAT module</a> that may help with Netmeeting.
Look <a href="http://linux-igd.sourceforge.net">here</a> for a solution Look <a href="http://linux-igd.sourceforge.net">here</a> for a
for MSN IM but be aware that there are significant security risks solution for MSN IM but be aware that there are significant security
involved with this solution. Also check the Netfilter mailing risks involved with this solution. Also check the Netfilter mailing
list archives at <a href="http://www.netfilter.org">http://www.netfilter.org</a>. list archives at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.
</p> </p>
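Review bot: "be aware that there are significant security risks involved with this solution" gives the reader nothing to act on. An answer that points at an external tool and warns about it should say in one clause what the risk is, namely what the tool lets hosts on the LAN do to the firewall's rule set without an administrator's involvement, so the reader can decide whether to accept it.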
@ -728,13 +733,13 @@ itself.<br>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x <p align="left"><b>Answer: </b>The common.def included with version 1.3.x
always rejects connection requests on TCP port always rejects connection requests on TCP port
113 rather than dropping them. This is necessary 113 rather than dropping them. This is necessary
to prevent outgoing connection problems to services that to prevent outgoing connection problems to services
use the 'Auth' mechanism for identifying requesting users. that use the 'Auth' mechanism for identifying requesting
Shorewall also rejects TCP ports 135, 137 and 139 as well users. Shorewall also rejects TCP ports 135, 137 and 139
as UDP ports 137-139. These are ports that are used by Windows as well as UDP ports 137-139. These are ports that are used
(Windows <u>can</u> be configured to use the DCE cell locator by Windows (Windows <u>can</u> be configured to use the DCE cell
on port 135). Rejecting these connection requests rather than locator on port 135). Rejecting these connection requests rather
dropping them cuts down slightly on the amount of Windows chatter than dropping them cuts down slightly on the amount of Windows chatter
on LAN segments connected to the Firewall. </p> on LAN segments connected to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably <p align="left">If you are seeing port 80 being 'closed', that's probably
@ -747,9 +752,20 @@ on LAN segments connected to the Firewall. </p>
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page <p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
section about UDP scans. If nmap gets <b>nothing</b> section about UDP scans. If nmap gets <b>nothing</b>
back from your firewall then it reports the port back from your firewall then it reports the port
as open. If you want to see which UDP ports are really open, as open. If you want to see which UDP ports are really
temporarily change your net-&gt;all policy to REJECT, restart open, temporarily change your net-&gt;all policy to REJECT,
Shorewall and do the nmap UDP scan again.</p> restart Shorewall and do the nmap UDP scan again.<br>
</p>
<h4><a name="faq4b"></a>4b. I have a port that I can't close no matter how
I change my rules. </h4>
I had a rule that allowed telnet from my local network to my firewall; I
removed that rule and restarted Shorewall but my telnet session still works!!!<br>
<br>
<b>Answer: </b> Rules only govern the establishment of new connections.
Once a connection is established through the firewall it will be usable until
disconnected (tcp) or until it times out (other protocols).  If you stop telnet
and try to establish a new session your firerwall will block that attempt.<br>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I <h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
can't ping through the firewall</h4> can't ping through the firewall</h4>
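Review bot: the new FAQ 4b answer has a typo, "your firerwall will block that attempt", and a non-breaking-space character after "times out (other protocols)." that shows as a stray byte in non-Latin-1 renderings; use a plain space. The answer would also be more useful if it stated the reason the rule change has no effect on the live telnet session, which the text only implies: the connection is already established and restarting Shorewall does not discard that state, so the only ways to cut the session are to close it or let it time out, not to keep editing rules.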
@ -759,8 +775,8 @@ on LAN segments connected to the Firewall. </p>
<p align="left">a) Create /etc/shorewall/common if it doesn't already exist. <p align="left">a) Create /etc/shorewall/common if it doesn't already exist.
<br> <br>
b) Be sure that the b) Be sure that
first command in the file is ". /etc/shorewall/common.def"<br> the first command in the file is ". /etc/shorewall/common.def"<br>
c) Add the following c) Add the following
to /etc/shorewall/common </p> to /etc/shorewall/common </p>
@ -769,8 +785,9 @@ on LAN segments connected to the Firewall. </p>
-j ACCEPT<br> -j ACCEPT<br>
</p> </p>
</blockquote> </blockquote>
For a complete description of Shorewall 'ping' For a complete description of Shorewall
management, see <a href="ping.html">this page</a>. 'ping' management, see <a href="ping.html">this page</a>.
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written <h4 align="left"><a name="faq6"></a>6. Where are the log messages written
and how do I change the destination?</h4> and how do I change the destination?</h4>
@ -819,8 +836,8 @@ me a report each day from my various systems with each report
summarizing the logged activity on the corresponding system. summarizing the logged activity on the corresponding system.
<h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619 <h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
are <b>flooding the logs</b> with their connect requests. Can i are <b>flooding the logs</b> with their connect requests. Can
exclude these error messages for this port temporarily from logging i exclude these error messages for this port temporarily from logging
in Shorewall?</h4> in Shorewall?</h4>
Temporarily add the following rule:<br> Temporarily add the following rule:<br>
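Review bot: the rewrapped FAQ 6b heading now starts a line with a lowercase "i" ("Can i exclude these error messages"); capitalise it. "error messages" is also misleading for what the heading itself calls DROP messages; "log messages" is the accurate term.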
@ -842,8 +859,8 @@ summarizing the logged activity on the corresponding system.
<b>logunclean</b> option (<a <b>logunclean</b> option (<a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>) href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>)
on your external interface (eth0 in the above example). If they get on your external interface (eth0 in the above example). If they get
logged twice, they are corrupted. I solve this problem by using an logged twice, they are corrupted. I solve this problem by using
/etc/shorewall/common file like this:<br> an /etc/shorewall/common file like this:<br>
<blockquote> <blockquote>
<pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre> <pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
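Review bot: the rule in the <pre> block, `run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP`, drops every new UDP packet whose source port is 53, not only late DNS replies; a resolver or DNS server that sends its queries from source port 53 (some older servers do this by default) is silently refused by this firewall, with no log entry because the target is DROP rather than a logging target. The surrounding text should state that trade-off, and `-mstate` is better written `-m state` to match the other iptables invocations in the documentation.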
@ -882,9 +899,9 @@ the common.def file in Shorewall 1.4.0 and later.<br>
<p align="left">The 'stop' command is intended to place your firewall into <p align="left">The 'stop' command is intended to place your firewall into
a safe state whereby only those hosts listed in a safe state whereby only those hosts listed in
/etc/shorewall/routestopped' are activated. If you /etc/shorewall/routestopped' are activated. If
want to totally open up your firewall, you must use the 'shorewall you want to totally open up your firewall, you must use the
clear' command. </p> 'shorewall clear' command. </p>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat, <h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
I get messages about insmod failing -- what's wrong?</h4> I get messages about insmod failing -- what's wrong?</h4>
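Review bot: "/etc/shorewall/routestopped'" has an unbalanced closing quote after the path; remove it or put a matching opening quote before /etc. "are activated" is also vague for a stop state; say what those hosts retain (access through or to the firewall while it is stopped) so the reader can tell how "stop" differs from "clear".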
@ -937,8 +954,8 @@ local zone is defined as all hosts connected through eth1</p>
with?</h4> with?</h4>
<p align="left">Shorewall works with any GNU/Linux distribution that includes <p align="left">Shorewall works with any GNU/Linux distribution that includes
the <a href="shorewall_prerequisites.htm">proper the <a
prerequisites</a>.</p> href="shorewall_prerequisites.htm">proper prerequisites</a>.</p>
<h4 align="left">11. What Features does it have?</h4> <h4 align="left">11. What Features does it have?</h4>
@ -960,8 +977,8 @@ city where I live</a>) and "Fire<u>wall</u>". The full
is must more commonly used.</p> is must more commonly used.</p>
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem <h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
and it has an internal web server that allows me and it has an internal web server that allows
to configure/monitor it but as expected if I enable me to configure/monitor it but as expected if I enable
rfc1918 blocking for my eth0 interface (the internet one), rfc1918 blocking for my eth0 interface (the internet one),
it also blocks the cable modems web server.</h4> it also blocks the cable modems web server.</h4>
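Review bot: "is must more commonly used" should read "is much more commonly used". Also, the FAQ 14 heading here spells "internal web server" while the index entry for 14 earlier in this diff keeps "internel"; fix the index so the two agree.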
@ -1066,9 +1083,9 @@ its lease.</h4>
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to <p align="left"><b>Answer: </b>Every time I read "systems can't see out to
the net", I wonder where the poster bought computers the net", I wonder where the poster bought computers
with eyes and what those computers will "see" when things with eyes and what those computers will "see" when
are working properly. That aside, the most common causes things are working properly. That aside, the most common
of this problem are:</p> causes of this problem are:</p>
<ol> <ol>
<li> <li>
@ -1104,16 +1121,16 @@ firewall to the internet.</p>
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting <h4><a name="faq17"></a>17. How do I find out why this traffic is getting
logged?</h4> logged?</h4>
<b>Answer: </b>Logging <b>Answer: </b>Logging
occurs out of a number of chains (as indicated in the occurs out of a number of chains (as indicated in
log message) in Shorewall:<br> the log message) in Shorewall:<br>
<ol> <ol>
<li><b>man1918 - </b>The <li><b>man1918 - </b>The
destination address is listed in /etc/shorewall/rfc1918 destination address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li> href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>rfc1918</b> - <li><b>rfc1918</b>
The source address is listed in /etc/shorewall/rfc1918 - The source address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li> href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>all2&lt;zone&gt;</b>, <li><b>all2&lt;zone&gt;</b>,
@ -1134,17 +1151,17 @@ The source address is listed in /etc/shorewall/rfc1918
- The packet is being logged under the <b>maclist</b> - The packet is being logged under the <b>maclist</b>
<a href="Documentation.htm#Interfaces">interface option</a>.<br> <a href="Documentation.htm#Interfaces">interface option</a>.<br>
</li> </li>
<li><b>logpkt</b> - The <li><b>logpkt</b> -
packet is being logged under the <b>logunclean</b> The packet is being logged under the <b>logunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a>.</li> <a href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>- The <li><b>badpkt </b>-
packet is being logged under the <b>dropunclean</b> The packet is being logged under the <b>dropunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a> as <a href="Documentation.htm#Interfaces">interface option</a>
specified in the <b>LOGUNCLEAN </b>setting in <a as specified in the <b>LOGUNCLEAN </b>setting in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li> href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b>blacklst</b> - <li><b>blacklst</b>
The packet is being logged because the source IP is - The packet is being logged because the source IP
blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
</a>file.</li> </a>file.</li>
<li><b>newnotsyn </b>- <li><b>newnotsyn </b>-
The packet is being logged because it is a TCP packet The packet is being logged because it is a TCP packet
@ -1152,11 +1169,11 @@ blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/bla
syn packet. Options affecting the logging of such packets include syn packet. Options affecting the logging of such packets include
<b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in <b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li> <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or <b>FORWARD</b> <li><b>INPUT</b> or
- The packet has a source IP address that isn't in any <b>FORWARD</b> - The packet has a source IP address
of your defined zones ("shorewall check" and look at the that isn't in any of your defined zones ("shorewall check"
printed zone definitions) or the chain is FORWARD and the destination and look at the printed zone definitions) or the chain is FORWARD
IP isn't in any of your defined zones.</li> and the destination IP isn't in any of your defined zones.</li>
<li><b>logflags </b>- The packet <li><b>logflags </b>- The packet
is being logged because it failed the checks implemented is being logged because it failed the checks implemented
by the <b>tcpflags </b><a by the <b>tcpflags </b><a
@ -1166,8 +1183,8 @@ syn packet. Options affecting the logging of such packets include
</ol> </ol>
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b> <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different with Shorewall, and maintain separate rulesets for
IPs?</h4> different IPs?</h4>
<b>Answer: </b>Yes. See <a <b>Answer: </b>Yes. See <a
href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased Interfaces</a>. href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased Interfaces</a>.
@ -1196,24 +1213,24 @@ rules for your server.<br>
192.0.2.3 is external on my firewall... 192.0.2.3 is external on my firewall...
172.16.0.0/24 is my internal LAN<br> 172.16.0.0/24 is my internal LAN<br>
<br> <br>
<b>Answer: </b>While most people associate <b>Answer: </b>While most people
the Internet Control Message Protocol (ICMP) with 'ping', associate the Internet Control Message Protocol (ICMP)
ICMP is a key piece of the internet. ICMP is used to report with 'ping', ICMP is a key piece of the internet. ICMP is
problems back to the sender of a packet; this is what is happening used to report problems back to the sender of a packet; this is
here. Unfortunately, where NAT is involved (including SNAT, DNAT what is happening here. Unfortunately, where NAT is involved (including
and Masquerade), there are a lot of broken implementations. That is SNAT, DNAT and Masquerade), there are a lot of broken implementations.
what you are seeing with these messages.<br> That is what you are seeing with these messages.<br>
<br> <br>
Here is my interpretation of what is Here is my interpretation of what
happening -- to confirm this analysis, one would have to is happening -- to confirm this analysis, one would have to
have packet sniffers placed a both ends of the connection.<br> have packet sniffers placed a both ends of the connection.<br>
<br> <br>
Host 172.16.1.10 behind NAT gateway Host 172.16.1.10 behind NAT gateway
206.124.146.179 sent a UDP DNS query to 192.0.2.3 and your 206.124.146.179 sent a UDP DNS query to 192.0.2.3 and your
DNS server tried to send a response (the response information DNS server tried to send a response (the response information
is in the brackets -- note source port 53 which marks this as a DNS is in the brackets -- note source port 53 which marks this as a
reply). When the response was returned to to 206.124.146.179, it DNS reply). When the response was returned to to 206.124.146.179,
rewrote the destination IP TO 172.16.1.10 and forwarded the packet it rewrote the destination IP TO 172.16.1.10 and forwarded the packet
to 172.16.1.10 who no longer had a connection on UDP port 2857. to 172.16.1.10 who no longer had a connection on UDP port 2857.
This causes a port unreachable (type 3, code 3) to be generated back This causes a port unreachable (type 3, code 3) to be generated back
to 192.0.2.3. As this packet is sent back through 206.124.146.179, to 192.0.2.3. As this packet is sent back through 206.124.146.179,
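Review bot: three slips in the FAQ 21 analysis survive the rewrap: "packet sniffers placed a both ends" should be "at both ends", "returned to to 206.124.146.179" doubles "to", and "rewrote the destination IP TO 172.16.1.10" has a stray capitalised "TO".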
@ -1221,18 +1238,18 @@ to 192.0.2.3. As this packet is sent back through 206.124.146.179,
but doesn't reset the DST IP in the original DNS response similarly. but doesn't reset the DST IP in the original DNS response similarly.
When the ICMP reaches your firewall (192.0.2.3), your firewall has When the ICMP reaches your firewall (192.0.2.3), your firewall has
no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't
appear to be related to anything that was sent. The final result is appear to be related to anything that was sent. The final result
that the packet gets logged and dropped in the all2all chain. I have is that the packet gets logged and dropped in the all2all chain. I have
also seen cases where the source IP in the ICMP itself isn't set back also seen cases where the source IP in the ICMP itself isn't set back
to the external IP of the remote NAT gateway; that causes your firewall to the external IP of the remote NAT gateway; that causes your firewall
to log and drop the packet out of the rfc1918 chain because the source to log and drop the packet out of the rfc1918 chain because the source
IP is reserved by RFC 1918.<br> IP is reserved by RFC 1918.<br>
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that <h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
I want to <b>run when Shorewall starts.</b> Which file do I I want to <b>run when Shorewall starts.</b> Which file do
put them in?</h4> I put them in?</h4>
You can place these commands in one You can place these commands in
of the <a href="shorewall_extension_scripts.htm">Shorewall Extension one of the <a href="shorewall_extension_scripts.htm">Shorewall Extension
Scripts</a>. Be sure that you look at the contents of the chain(s) that Scripts</a>. Be sure that you look at the contents of the chain(s) that
you will be modifying with your commands to be sure that the you will be modifying with your commands to be sure that the
commands will do what they are intended. Many iptables commands commands will do what they are intended. Many iptables commands
@ -1245,9 +1262,9 @@ REJECT rule and any rules that you add after that will be ignored.
<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your <h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
web site?</h4> web site?</h4>
The Shorewall web site is almost font neutral The Shorewall web site is almost font neutral
(it doesn't explicitly specify fonts except on a few pages) so (it doesn't explicitly specify fonts except on a few pages)
the fonts you see are largely the default fonts configured in your so the fonts you see are largely the default fonts configured in
browser. If you don't like them then reconfigure your browser.<br> your browser. If you don't like them then reconfigure your browser.<br>
<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say <h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
the ssh port only<b> from specific IP Addresses</b> on the internet?</h4> the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
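Review bot: the FAQ 24 heading has "allow conections"; fix to "connections". The same misspelling appears in the index entry for 24, so both lines need the change.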
@ -1269,11 +1286,13 @@ by a colon and a list of the host/subnet addresses as a comma-separat
<br> <br>
<font color="#009900"><b> /sbin/shorewall version</b></font><br> <font color="#009900"><b> /sbin/shorewall version</b></font><br>
<br> <br>
<font size="2">Last updated 4/8/2003 - <a <font size="2">Last updated 4/14/2003 - <a
href="support.htm">Tom Eastep</a></font> href="support.htm">Tom Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>


@ -27,15 +27,16 @@
<h2><font color="#660066">Configuring FreeS/Wan</font></h2> <h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a There is an excellent guide to configuring IPSEC tunnels at<a
href="http://jixen.tripod.com"> http://jixen.tripod.com</a> . I highly recommend href="http://www.geocities.com/jixen66/"> http://www.geocities.com/jixen66/</a>
that you consult that site for information about confuring FreeS/Wan.  . I highly recommend that you consult that site for information about confuring
FreeS/Wan. 
<p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and <p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and
FreeS/Wan on the same system unless you are prepared to suffer the consequences. FreeS/Wan on the same system unless you are prepared to suffer the consequences.
If you start or restart Shorewall with an IPSEC tunnel active, the proxied If you start or restart Shorewall with an IPSEC tunnel active, the proxied
IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX)
rather than to the interface that you specify in the INTERFACE column of rather than to the interface that you specify in the INTERFACE column of
/etc/shorewall/proxyarp. I haven't had the time to debug this problem so I /etc/shorewall/proxyarp. I haven't had the time to debug this problem so
can't say if it is a bug in the Kernel or in FreeS/Wan. </p> I can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
<p>You <b>might</b> be able to work around this problem using the following <p>You <b>might</b> be able to work around this problem using the following
(I haven't tried it):</p> (I haven't tried it):</p>
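Review bot: the misspelling "confuring" in "information about confuring FreeS/Wan" survives this rewrap; since the hunk already rewrites that sentence to swap the link from http://jixen.tripod.com to http://www.geocities.com/jixen66/, fix it to "configuring" at the same time, and drop the leading space inside the anchor text (" http://www.geocities.com/jixen66/") so the link text matches the href. The Proxy ARP warning that follows still says the proxied addresses end up on the ipsecX device after a start or restart and that the cause is unknown; the "might" workaround below it is explicitly untested, so it is worth saying plainly that anyone running Proxy ARP and FreeS/Wan together should verify with "ip addr" after every restart which interface actually holds the proxied addresses.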
@ -118,9 +119,10 @@ then the tunnels file entry on the <u><b>other</b></u> endpoint should specify
a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the GATEWAY a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the GATEWAY
address should specify the external address of the NAT gateway.<br> address should specify the external address of the NAT gateway.<br>
</p> </p>
<p align="left">You need to define a zone for the remote subnet or include <p align="left">You need to define a zone for the remote subnet or include
it in your local zone. In this example, we'll assume that you have created it in your local zone. In this example, we'll assume that you have
a zone called "vpn" to represent the remote subnet.</p> created a zone called "vpn" to represent the remote subnet.</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -231,8 +233,8 @@ a zone called "vpn" to represent the remote host.</p>
</blockquote> </blockquote>
<p align="left"> In this instance, the mobile system (B) has IP address 134.28.54.2 <p align="left"> In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the /etc/shorewall/tunnels file but that cannot be determined in advance. In the /etc/shorewall/tunnels
on system A, the following entry should be made:</p> file on system A, the following entry should be made:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -256,7 +258,8 @@ on system A, the following entry should be made:</p>
<p>Note that the GATEWAY ZONE column contains the name of the zone corresponding <p>Note that the GATEWAY ZONE column contains the name of the zone corresponding
to peer subnetworks. This indicates that the gateway system itself comprises to peer subnetworks. This indicates that the gateway system itself comprises
the peer subnetwork; in other words, the remote gateway is a standalone system.</p> the peer subnetwork; in other words, the remote gateway is a standalone
system.</p>
<p>You will need to configure /etc/shorewall/interfaces and establish <p>You will need to configure /etc/shorewall/interfaces and establish
your "through the tunnel" policy as shown under the first example above.<br> your "through the tunnel" policy as shown under the first example above.<br>
@ -342,25 +345,76 @@ and add and delete remote endpoints dynamically using /sbin/shorewall. In
When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall
will issue warnings to that effect. These warnings may be safely ignored. will issue warnings to that effect. These warnings may be safely ignored.
FreeS/Wan may now be configured to have three different Road Warrior connections FreeS/Wan may now be configured to have three different Road Warrior connections
with the choice of connection being based on X-509 certificates or some other with the choice of connection being based on X-509 certificates or some
means. Each of these connectioins will utilize a different updown script that other means. Each of these connectioins will utilize a different updown
adds the remote station to the appropriate zone when the connection comes script that adds the remote station to the appropriate zone when the connection
up and that deletes the remote station when the connection comes down. For comes up and that deletes the remote station when the connection comes down.
example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of the For example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of
script will issue the command":<br> the script will issue the command":<br>
<br> <br>
<blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br> <blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
</blockquote> </blockquote>
and the 'down' part will:<br> and the 'down' part will:<br>
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn</blockquote> <blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn<br>
<br>
</blockquote>
<h3>Limitations of Dynamic Zones</h3>
If you include a dynamic zone in the exclude list of a DNAT rule, the dynamically-added
hosts are not excluded from the rule.<br>
<br>
Example with dyn=dynamic zone:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="2" border="1">
<tbody>
<tr>
<td valign="top"><u><b>ACTION<br>
</b></u></td>
<td valign="top"><u><b>SOURCE<br>
</b></u></td>
<td valign="top"><u><b>DESTINATION<br>
</b></u></td>
<td valign="top"><u><b>PROTOCOL<br>
</b></u></td>
<td valign="top"><u><b>PORT(S)<br>
</b></u></td>
<td valign="top"><u><b>CLIENT<br>
PORT(S)<br>
</b></u></td>
<td valign="top"><u><b>ORIGINAL<br>
DESTINATION<br>
</b></u></td>
</tr>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">z:dyn<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
Dynamic changes to the zone <b>dyn</b> will have no effect on the above rule.
<p><font size="2">Last updated 10/23/2002 - </font><font size="2"> <p><font size="2">Last updated 5/3//2003 - </font><font size="2"> <a
<a href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2"> <p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br>
<br> <br>
<br> <br>
</body> </body>
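Review bot: the 'down' example in this hunk deletes the road warrior from the wrong zone: the 'up' command is "/sbin/shorewall add ipsec0:134.28.54.2 vpn2" but the 'down' command reads "/sbin/shorewall delete ipsec0:134.28.54.2 vpn"; both should name vpn2, otherwise the disconnected client's address stays in vpn2 and the next peer that is handed that address inherits vpn2's access. While rewrapping, also fix "connectioins" and the stray quotation mark in "the command":", and the new footer date "5/3//2003" has a doubled slash. In the added "Limitations of Dynamic Zones" section the example is introduced as a DNAT rule with the dynamic zone in an exclude list, but the table only shows SOURCE "z:dyn" with an empty ORIGINAL DESTINATION column, so a reader cannot see which exclusion syntax the limitation applies to; spell the exclusion out in the table, and state the consequence directly: hosts added to dyn at run time are still matched by the DNAT rule, so the exclusion must not be relied on to keep dynamically added VPN clients off the forwarded port.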

File diff suppressed because it is too large Load Diff

View File

@ -27,23 +27,41 @@
</tbody> </tbody>
</table> </table>
<h4>NOTE: I am no longer attempting to maintain MPPE patches for current
Linux kernel's and pppd. I recommend that you refer to the following URLs
for information about installing MPPE into your kernel and pppd.</h4>
<h4>The <a href="http://pptpclient.sourceforge.net">Linux PPTP client project
</a>has a nice GUI for configuring and managing VPN connections where your
Linux system is the PPTP client. This is what I currently use. I am no longer
running PoPToP but rather I use the PPTP Server included with XP Professional
(see <a href="#ServerBehind">PPTP Server running behind your Firewall</a>
below).</h4>
    <a href="http://pptpclient.sourceforge.net">http://pptpclient.sourceforge.net</a>
(Everything you need to run a PPTP client).<br>
    <a href="http://www.poptop.org">http://www.poptop.org</a> (The 'kernelmod'
package can be used to quickly install MPPE into your kernel without rebooting).<br>
<h4>I am leaving the instructions for building MPPE-enabled kernels and pppd
in the text below for those who may wish to obtain the relevant current patches
and "roll their own".<br>
</h4>
<hr width="100%" size="2">
<p align="left">Shorewall easily supports PPTP in a number of configurations:</p> <p align="left">Shorewall easily supports PPTP in a number of configurations:</p>
<ul> <ul>
<li> <a href="#ServerFW">PPTP Server running on your Firewall</a></li> <li> <a href="#ServerFW">PPTP Server running on your Firewall</a></li>
<li> <a href="#ServerBehind">PPTP Server running behind your <li> <a href="#ServerBehind">PPTP Server running behind your Firewall.</a></li>
Firewall.</a></li>
<li> <a href="#ClientsBehind">PPTP Clients running behind your <li> <a href="#ClientsBehind">PPTP Clients running behind your
Firewall.</a></li> Firewall.</a></li>
<li> <a href="#ClientFW">PPTP Client running on your Firewall.</a></li> <li> <a href="#ClientFW">PPTP Client running on your Firewall.</a></li>
</ul> </ul>
<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your Firewall</h2> <h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your
Firewall</h2>
<p>I will try to give you an idea of how to set up a PPTP server on your firewall <p>I will try to give you an idea of how to set up a PPTP server on your
system. This isn't a detailed HOWTO but rather an example of how I have set firewall system. This isn't a detailed HOWTO but rather an example of how
up a working PPTP server on my own firewall.</p> I have set up a working PPTP server on my own firewall.</p>
<p>The steps involved are:</p> <p>The steps involved are:</p>
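Review bot: "current Linux kernel's and pppd" in the new NOTE should read "kernels" (plural, not possessive). The three added advisory paragraphs are marked up as h4 elements, so the whole notice renders as headings rather than body text, and the two URL lines between them are indented with runs of non-breaking spaces; a paragraph with a short bold lead-in, as the page uses elsewhere ("<b>Warning: </b>"), would read better. Since the rest of the page still walks through building MPPE patched pppd and kernels, the notice should also make clear that those sections are kept as an unmaintained record and that the linked projects (http://pptpclient.sourceforge.net, http://www.poptop.org) are where current MPPE patches come from.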
@ -95,8 +113,8 @@ to use encryption:</p>
</ul> </ul>
<p>You will need to install the resulting binary on your firewall system. <p>You will need to install the resulting binary on your firewall system.
To do that, I NFS mount my source filesystem and use "make install" from the To do that, I NFS mount my source filesystem and use "make install" from
ppp-2.4.1 directory.</p> the ppp-2.4.1 directory.</p>
<h3><a name="PatchKernel"></a>Patching and Building your Kernel</h3> <h3><a name="PatchKernel"></a>Patching and Building your Kernel</h3>
@ -128,8 +146,8 @@ ppp-2.4.1 directory.</p>
<h3><a name="Samba"></a>Configuring Samba</h3> <h3><a name="Samba"></a>Configuring Samba</h3>
<p>You will need a WINS server (Samba configured to run as a WINS server is <p>You will need a WINS server (Samba configured to run as a WINS server
fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) is fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3)
is:</p> is:</p>
<blockquote> <blockquote>
@ -305,7 +323,7 @@ the remote hosts look like they are part of the local subnetwork.</li>
<td>net</td> <td>net</td>
<td>eth0</td> <td>eth0</td>
<td>206.124.146.255</td> <td>206.124.146.255</td>
<td>noping,norfc1918</td> <td>norfc1918</td>
</tr> </tr>
<tr> <tr>
<td>loc</td> <td>loc</td>
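Review bot: dropping noping from the eth0 interface options ("noping,norfc1918" becomes "norfc1918") silently changes how the example treats ICMP echo requests from the net, and the hunk gives no reason. If the option no longer exists in the Shorewall version this page now targets, say so next to the table and show how echo-request from the net is now controlled (a rules entry or policy), because a reader copying the old example will otherwise not know whether pings from the net are now accepted.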
@ -337,7 +355,8 @@ the remote hosts look like they are part of the local subnetwork.</li>
<tr> <tr>
<td>loc</td> <td>loc</td>
<td>eth2:192.168.1.0/24</td> <td>eth2:192.168.1.0/24</td>
<td>routestopped</td> <td><br>
</td>
</tr> </tr>
<tr> <tr>
<td>loc</td> <td>loc</td>
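Review bot: the routestopped option is removed from the "loc eth2:192.168.1.0/24" hosts entry with nothing in its place, which changes what those hosts can reach while the firewall is stopped (that option is what governs the listed hosts' access after "shorewall stop"). If routestopped has moved out of the hosts file and into a separate configuration file in this release, the example should show the replacement entry; otherwise the LAN loses its stopped-state access on the next stop, and that is a behavioural change an administrator needs to be told about explicitly rather than discover during an outage.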
@ -421,9 +440,10 @@ the remote hosts look like they are part of the local subnetwork.</li>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions 1.3.10 <p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions 1.3.10 and
and later)<br> later)<br>
</b></p> </b></p>
<blockquote> <blockquote>
<table cellpadding="2" border="2" style="border-collapse: collapse;"> <table cellpadding="2" border="2" style="border-collapse: collapse;">
<tbody> <tbody>
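Review bot: "/etc/shoreawll/tunnels" is misspelled in the heading this hunk rewraps; fix it to /etc/shorewall/tunnels, since readers copy these paths verbatim.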
@ -447,9 +467,11 @@ and later)<br>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left"><br> <p align="left"><br>
Note: I have multiple ppp interfaces on my firewall. If you have a single Note: I have multiple ppp interfaces on my firewall. If you have a single
ppp interface, you probably want:</p> ppp interface, you probably want:</p>
@ -469,7 +491,7 @@ ppp interface, you probably want:</p>
<td>net</td> <td>net</td>
<td>eth0</td> <td>eth0</td>
<td>206.124.146.255</td> <td>206.124.146.255</td>
<td>noping,norfc1918</td> <td>norfc1918</td>
</tr> </tr>
<tr> <tr>
<td>loc</td> <td>loc</td>
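Review bot: this is the same noping removal as in the earlier interfaces table for the multi-ppp case; whatever explanation is added there (option removed, how echo-request is now handled) applies to this single-ppp-interface variant as well, and the two tables should stay in step.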
@ -493,8 +515,8 @@ ppp interface, you probably want:</p>
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running Behind <h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running Behind
your Firewall</h2> your Firewall</h2>
<p>If you have a single external IP address, add the following to your /etc/shorewall/rules <p>If you have a single external IP address, add the following to your
file:</p> /etc/shorewall/rules file:</p>
<font face="Century Gothic, Arial, Helvetica"> </font> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
@ -589,15 +611,16 @@ you will need to follow the instructions at <a
loadmodule ip_nat_pptp </p> loadmodule ip_nat_pptp </p>
</blockquote> </blockquote>
<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your Firewall.</h2> <h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your
Firewall.</h2>
<p align="left">The PPTP GNU/Linux client is available at <a <p align="left">The PPTP GNU/Linux client is available at <a
href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.    href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.   
Rather than use the configuration script that comes with the client, I built Rather than use the configuration script that comes with the client, I built
my own. I also build my own kernel <a href="#PatchKernel">as described above</a> my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
rather than using the mppe package that is available with the client. My rather than using the mppe package that is available with the client. My
/etc/ppp/options file is mostly unchanged from what came with the client /etc/ppp/options file is mostly unchanged from what came with the client (see
(see below).</p> below).</p>
<p>The key elements of this setup are as follows: </p> <p>The key elements of this setup are as follows: </p>
@ -716,6 +739,7 @@ my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
<p><b>/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later)<br> <p><b>/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later)<br>
</b></p> </b></p>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="2" border="1" <table cellpadding="2" cellspacing="2" border="1"
style="border-collapse: collapse;"> style="border-collapse: collapse;">
@ -740,19 +764,22 @@ my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<p>I use the combination of interface and hosts file to define the 'cpq' zone
because I also run a PPTP server on my firewall (see above). Using this technique <p>I use the combination of interface and hosts file to define the 'cpq'
allows me to distinguish clients of my own PPTP server from arbitrary hosts zone because I also run a PPTP server on my firewall (see above). Using this
at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients and Compaq technique allows me to distinguish clients of my own PPTP server from arbitrary
doesn't use that RFC1918 Class C subnet. </p> hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients
and Compaq doesn't use that RFC1918 Class C subnet. </p>
<p>I use this script in /etc/init.d to control the client. The reason that <p>I use this script in /etc/init.d to control the client. The reason that
I disable ECN when connecting is that the Compaq tunnel servers don't do ECN I disable ECN when connecting is that the Compaq tunnel servers don't do
yet and reject the initial TCP connection request if I enable ECN :-( </p> ECN yet and reject the initial TCP connection request if I enable ECN :-(
</p>
<blockquote> <blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br> <p><font face="Courier" size="2">#!/bin/sh<br>
@ -889,10 +916,11 @@ yet and reject the initial TCP connection request if I enable ECN :-( </p>
and corresponding ip-up.local </a>from <a and corresponding ip-up.local </a>from <a
href="mailto:jvonau@home.com">Jerry Vonau </a>that controls two PPTP connections.</p> href="mailto:jvonau@home.com">Jerry Vonau </a>that controls two PPTP connections.</p>
<p><font size="2">Last modified 10/23/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 5/15/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"> <font size="2">Copyright</font> <p><a href="copyright.htm"> <font size="2">Copyright</font> © <font
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br> <br>
<br> <br>
</body> </body>

View File

@ -25,28 +25,28 @@
<br> <br>
<h2>Background</h2> <h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i> which The traditional net-tools contain a program called <i>ifconfig</i>
is used to configure network devices. ifconfig introduced the concept of which is used to configure network devices. ifconfig introduced the concept
<i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have of <i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces
names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig have names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and
treats them more or less like real interfaces.<br> ifconfig treats them more or less like real interfaces.<br>
<br> <br>
Example:<br> Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre> <pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the <i>ip</i> The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
utility which is part of the <i>iproute </i>package. The ip utility does utility which is part of the <i>iproute </i>package. The ip utility does
not use the concept of aliases or virtual interfaces but rather treats additional not use the concept of aliases or virtual interfaces but rather treats
addresses on an interface as objects. The ip utility does provide for interaction additional addresses on an interface as objects. The ip utility does provide
with ifconfig in that it allows addresses to be <i>labeled </i>and labels for interaction with ifconfig in that it allows addresses to be <i>labeled
may take the form of ipconfig virtual interfaces.<br> </i>and labels may take the form of ipconfig virtual interfaces.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre> <pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
Note that one <u>cannot</u> type "ip addr show dev eth0:0" because "eth0:0" Note that one <u>cannot</u> type "ip addr show dev eth0:0" because
is a label for a particular address rather than a device name.<br> "eth0:0" is a label for a particular address rather than a device name.<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre> <pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either it's The iptables program doesn't support virtual interfaces in either it's
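Review bot: three wording errors survive the rewrap in this hunk: "virtial" should be "virtual", "labels may take the form of ipconfig virtual interfaces" should say ifconfig (ipconfig is the Windows tool), and "in either it's" should be "its". Separately, the ifconfig sample shows "HWaddr 02:00:08:3:FA:55" while the ip output for the same eth0 shows "02:00:08:e3:fa:55"; the two examples are meant to describe one interface, so one of the MAC addresses has a typo, and the mismatch is confusing on a page whose whole point is that both tools are looking at the same device.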
@ -184,12 +184,12 @@ file:<br>
</table> </table>
<br> <br>
</blockquote> </blockquote>
Shorewall can create the alias (additional address) for you if you set Shorewall can create the alias (additional address) for you if you
ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
1.3.14, Shorewall can actually create the "label" (virtual interface) so Shorewall 1.3.14, Shorewall can actually create the "label" (virtual interface)
that you can see the created address using ifconfig. In addition to setting so that you can see the created address using ifconfig. In addition to
ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE setting ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in
column as follows:<br> the INTERFACE column as follows:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
@ -253,12 +253,12 @@ file:<br>
</table> </table>
<br> <br>
</blockquote> </blockquote>
Shorewall can create the alias (additional address) for you if you set Shorewall can create the alias (additional address) for you if you
ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
1.3.14, Shorewall can actually create the "label" (virtual interface) so Shorewall 1.3.14, Shorewall can actually create the "label" (virtual interface)
that you can see the created address using ifconfig. In addition to setting so that you can see the created address using ifconfig. In addition to
ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in
column as follows:<br> the INTERFACE column as follows:<br>
<br> <br>
<blockquote> <blockquote>
@ -293,8 +293,8 @@ file:<br>
</table> </table>
<br> <br>
</blockquote> </blockquote>
In either case, to create rules that pertain only to this NAT pair, you In either case, to create rules that pertain only to this NAT pair,
simply qualify the local zone with the internal IP address.<br> you simply qualify the local zone with the internal IP address.<br>
<br> <br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.<br> 192.168.1.3.<br>
@ -350,10 +350,10 @@ their system's routing table to bypass your firewall/router. Nevertheless,
there are cases where you simply want to consider the LAN segment itself there are cases where you simply want to consider the LAN segment itself
as a zone and allow your firewall/router to route between the two subnetworks.<br> as a zone and allow your firewall/router to route between the two subnetworks.<br>
<br> <br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
is 192.168.20.254. You want to simply route all requests between the two eth1:0 is 192.168.20.254. You want to simply route all requests between
subnetworks.<br> the two subnetworks.<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4> <h4>If you are running Shorewall 1.4.1 or Later</h4>
In /etc/shorewall/interfaces:<br> In /etc/shorewall/interfaces:<br>
@ -402,7 +402,7 @@ as a zone and allow your firewall/router to route between the two subnetworks.<
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">eth0:192.168.1.0/24<br> <td valign="top">eth1:192.168.1.0/24<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
@ -410,7 +410,7 @@ as a zone and allow your firewall/router to route between the two subnetworks.<
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">eth0:192.168.20.0/24<br> <td valign="top">eth1:192.168.20.0/24<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
@ -585,7 +585,7 @@ specify the <b>multi</b> option.<br>
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">eth0:192.168.1.0/24<br> <td valign="top">eth1:192.168.1.0/24<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
@ -593,7 +593,7 @@ specify the <b>multi</b> option.<br>
<tr> <tr>
<td valign="top">loc2<br> <td valign="top">loc2<br>
</td> </td>
<td valign="top">eth0:192.168.20.0/24<br> <td valign="top">eth1:192.168.20.0/24<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
@ -607,7 +607,7 @@ specify the <b>multi</b> option.<br>
that you want to permit.<br> that you want to permit.<br>
<br> <br>
<p align="left"><font size="2">Last Updated 3/27/2003 A - <a <p align="left"><font size="2">Last Updated 5/8/2003 A - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
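Review bot: the updated footer reads "Last Updated 5/8/2003 A", carrying over a stray "A" from the old line; drop it while the line is being touched.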
@ -618,5 +618,6 @@ that you want to permit.<br>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -22,8 +22,8 @@
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%"
height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
@ -37,7 +37,8 @@
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a
href="download.htm">Download</a><br>
</li> </li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br> <li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br> <a href="Install.htm">Configuration</a><br>
@ -47,19 +48,28 @@
</li> </li>
<li> <b><a <li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li><a <li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
</li> </li>
<li> <a <li> <a
href="troubleshoot.htm">Troubleshooting</a></li> href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li> <li> <a
href="errata.htm">Errata</a></li>
<li> <a <li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting <li> <a
help or Answers to Questions</a><br> href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
</li> </li>
<li><a href="1.3" target="_top">Shorewall
1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
1.2 Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a> <li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
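Review bot: the new Mailing Lists item contains an empty duplicate anchor: "<a href="http://lists.shorewall.net">Mailing Lists</a><a href="http://lists.shorewall.net"> </a>"; the second anchor wraps only a space and should be removed. Also, the Shorewall 1.3 Site link is the bare relative href "1.3" with target="_top" while the 1.2 site link is absolute (http://www1.shorewall.net/1.2/index.htm); a relative directory link will only work on mirrors that carry the 1.3 tree, so either make it absolute or confirm every mirror listed below serves it.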
@ -73,9 +83,13 @@ help or Answers to Questions</a><br>
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" <li><a href="http://shorewall.syachile.cl" target="_top">Chile</a></li>
target="_top">Washington State, USA</a><br> <li><a href="http://shorewall.greshko.com" target="_top">Taiwan</a><br>
</li> </li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li>
</ul> </ul>
</li> </li>
@ -83,14 +97,14 @@ help or Answers to Questions</a><br>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News <li> <a
Archive</a></li> href="News.htm">News Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes <li> <a
from Users</a></li> href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About <li> <a
the Author</a></li> href="shoreline.htm">About the Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
@ -101,27 +115,8 @@ Archive</a></li>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1">
<input type="text" name="words" size="15"></font><font size="-1"> </font>
<font face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><a size="2">2001-2003 Thomas M. Eastep.</font></a><br>
href="http://www.shorewall.net" target="_top"> </a></p> </p>
<br>
</body> </body>
</html> </html>
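Review bot: removing the Quick Search form also removes the Extended Search link (http://lists.shorewall.net/htdig/search.html) and the "Search is unavailable Daily 0200-0330 GMT" notice; if site search is being dropped on purpose, the companion nav frame should lose the same form in the same commit so the two frames stay consistent, and if search still exists on lists.shorewall.net the Extended Search link is worth keeping as a plain link.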

View File

@ -11,6 +11,7 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
@ -21,8 +22,8 @@
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%"
height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
@ -31,12 +32,13 @@
bgcolor="#ffffff"> bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="sourceforge_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li> <a
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a
href="download.htm">Download</a><br>
</li> </li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br> <li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br> <a href="Install.htm">Configuration</a><br>
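Review bot: the Home link in this nav frame changes from sourceforge_index.htm to seattlefirewall_index.htm, which makes it identical to the other frame; if this file is the one served from the SourceForge site, confirm the change is intended rather than a copy-paste of the seattlefirewall version, since it would send SourceForge visitors to a different home page than the one they arrived on. The Donations link further down in this file is changed the same way.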
@ -46,7 +48,8 @@
</li> </li>
<li> <b><a <li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li><a <li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
@ -56,8 +59,16 @@
<li> <a href="errata.htm">Errata</a></li> <li> <a href="errata.htm">Errata</a></li>
<li> <a <li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting <li> <a
Help or Answers to Questions</a></li> href="support.htm">Getting help or Answers to Questions</a>
</li>
<li><a
href="http://lists.shorewall.net">Mailing Lists</a> <br>
</li>
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a> <li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
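Review bot: the "Getting help or Answers to Questions" label is now the only navigation entry that is not title-cased (the old text read "Getting Help or Answers to Questions"); restore the capital H. The new "Shorewall 1.3 Site" entry uses the bare relative href="1.3" while the 1.2 entry uses an absolute URL with an explicit index.htm; use one form for both (and a trailing slash on the directory link avoids a redirect on most servers).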
@ -71,8 +82,11 @@ Help or Answers to Questions</a></li>
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" <li><a href="http://shorewall.syachile.cl" target="_top">Chile</a></li>
target="_top">Washington State, USA</a><br> <li><a href="http://shorewall.greshko.com" target="_top">Taiwan</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
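Review bot: this hunk adds Chile (shorewall.syachile.cl) and Taiwan (shorewall.greshko.com) to the mirror list in the navigation, but the mirror table in download.htm later in this commit only gains a Taiwan row; either add a matching Chile row there or leave Chile out of the navigation until that mirror carries the download tree, otherwise the two lists disagree about which mirrors exist.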
@ -87,10 +101,10 @@ Archive</a></li>
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes <li> <a href="quotes.htm">Quotes
from Users</a></li> from Users</a></li>
<li> <a href="shoreline.htm">About
the Author</a></li>
<li> <a <li> <a
href="sourceforge_index.htm#Donations">Donations</a></li> href="shoreline.htm">About the Author</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
@ -99,27 +113,12 @@ Archive</a></li>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br> size="2">2001-2003 Thomas M. Eastep.</font></a><a
</p> href="http://www.shorewall.net" target="_top"> </a></p>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>
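Review bot: the replacement copyright line introduces an empty anchor, `<a href="http://www.shorewall.net" target="_top"> </a>`, wrapping a single space; it is the same empty link that the first file in this commit removes, so drop it here as well. Removing the htsearch form also removes the "Extended Search" link, which was the only search entry point in the navigation frame; if the archive search on the mailing-list page is meant to replace it, a plain "Search" link to that page keeps the function reachable from every frame.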

View File

@ -20,8 +20,6 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1> <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td> </td>
</tr> </tr>
@ -29,8 +27,8 @@
</tbody> </tbody>
</table> </table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your <p><b><font color="#ff0000">Warning: </font>If you copy or edit your configuration
configuration files on a system running Microsoft Windows, you <u>must</u> files on a system running Microsoft Windows, you <u>must</u>
run them through <a run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a> href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p> before you use them with Shorewall.</b></p>
@ -48,8 +46,8 @@ several firewall parameters.</li>
view of the world into <i>zones.</i></li> view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall <li>/etc/shorewall/policy - establishes firewall
high-level policy.</li> high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces <li>/etc/shorewall/interfaces - describes the
on the firewall system.</li> interfaces on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones <li>/etc/shorewall/hosts - allows defining zones
in terms of individual hosts and subnetworks.</li> in terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall <li>/etc/shorewall/masq - directs the firewall
@ -58,8 +56,8 @@ where to use many-to-one (dynamic) Network Address Translation
(SNAT).</li> (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall <li>/etc/shorewall/modules - directs the firewall
to load kernel modules.</li> to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are <li>/etc/shorewall/rules - defines rules that
exceptions to the overall policies established in /etc/shorewall/policy.</li> are exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li> <li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy <li>/etc/shorewall/proxyarp - defines use of Proxy
ARP.</li> ARP.</li>
@ -90,9 +88,9 @@ the completion of a "shorewall stop".</li>
<h2><a name="Comments"></a>Comments</h2> <h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace <p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments character a pound sign ("#"). You may also place comments at
at the end of any line, again by delimiting the comment from the end of any line, again by delimiting the comment from the
the rest of the line with a pound sign.</p> rest of the line with a pound sign.</p>
<p>Examples:</p> <p>Examples:</p>
@ -109,6 +107,76 @@ the rest of the line with a pound sign.</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre> <pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE Directive</h2>
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE directives.
An INCLUDE directive consists of the word INCLUDE followed by a file name
and causes the contents of the named file to be logically included into
the file containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate configuration
directory if one has been specified for the command.<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<big><big><br>
<br>
</big></big> Examples:<big> </big> <br>
<blockquote>    shorewall/params.mgmt:<br>
<blockquote>    MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
</blockquote>
   ----- end params.mgmt -----<br>
</blockquote>
<blockquote>    shorewall/params:<br>
</blockquote>
<blockquote>
<blockquote>    # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote>    ----- end params -----<br>
</blockquote>
<blockquote>    shorewall/rules.mgmt:<br>
</blockquote>
<blockquote>
<blockquote>    ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
</blockquote>
</blockquote>
<blockquote>    ----- end rules.mgmt -----<br>
</blockquote>
<blockquote>    shorewall/rules:<br>
</blockquote>
<blockquote>
<blockquote>    # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote>    ----- end rules -----<br>
</blockquote>
<h2><a name="dnsnames"></a>Using DNS Names</h2> <h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p> <p align="left"> </p>
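Review bot: the sample files in the new INCLUDE section are headed "Shorewall 1.3 /etc/shorewall/params" and "Shorewall version 1.3 - Rules File", while the paragraph above states that INCLUDE is only honoured beginning with version 1.4.2; a 1.3 release would not process the INCLUDE line, so change both sample headers to a 1.4.2 (or later) header. The section heading splits the word as "IN<small><small></small></small>CLUDE" with empty tags, and the `<big><big>` wrapper around the line breaks before "Examples:" is stray editor markup; remove both. Two things the text leaves open and that matter for what ends up in the ruleset: when an alternate configuration directory is given, does the name in an INCLUDE resolve against the alternate directory first and fall back to /etc/shorewall, as the alternate-directory text later in this file describes for the top-level files, and is a name containing a "/" honoured as given; state both explicitly, since whichever directory wins decides which host's $MGMT_SERVERS list is granted port 22 by the rules.mgmt example. Minor: "INCLUDE's" should be "INCLUDEs", and the two "LAST LINE" markers differ ("ADD YOUR ENTRIES ABOVE THIS ONE" vs "ADD YOUR ENTRIES BEFORE THIS ONE"); pick one.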
@ -146,8 +214,8 @@ no effect on the firewall's ruleset. </p>
<li>If your startup scripts try to start your firewall <li>If your startup scripts try to start your firewall
before starting your DNS server then your firewall won't start.<br> before starting your DNS server then your firewall won't start.<br>
</li> </li>
<li>Factors totally outside your control (your ISP's router <li>Factors totally outside your control (your ISP's
is down for example), can prevent your firewall from starting.</li> router is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to <li>You must bring up your network interfaces prior to
starting your firewall.<br> starting your firewall.<br>
</li> </li>
@ -188,10 +256,10 @@ for your inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2> <h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can <p>Where specifying an IP address, a subnet or an interface, you can precede
precede the item with "!" to specify the complement of the item. For the item with "!" to specify the complement of the item. For example,
example, !192.168.1.4 means "any host but 192.168.1.4". There must be !192.168.1.4 means "any host but 192.168.1.4". There must be no white space
no white space following the "!".</p> following the "!".</p>
<h2><a name="Lists"></a>Comma-separated Lists</h2> <h2><a name="Lists"></a>Comma-separated Lists</h2>
@ -212,8 +280,8 @@ no white space following the "!".</p>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2> <h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use <p>Unless otherwise specified, when giving a port number you can use either
either an integer or a service name from /etc/services. </p> an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2> <h2><a name="Ranges"></a>Port Ranges</h2>
@ -239,7 +307,6 @@ local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
<p>Example:</p> <p>Example:</p>
<blockquote> <blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre> <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
</blockquote> </blockquote>
@ -247,39 +314,32 @@ local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
Example (/etc/shorewall/interfaces record):</p> Example (/etc/shorewall/interfaces record):</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre> <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote> </blockquote>
</font> </font>
<p>The result will be the same as if the record had been written</p> <p>The result will be the same as if the record had been written</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre> <pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote> </blockquote>
</font> </font>
<p>Variables may be used anywhere in the other configuration <p>Variables may be used anywhere in the other configuration
files.</p> files.</p>
<h2><a name="MAC"></a>Using MAC Addresses</h2> <h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet <p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature, source in several of the configuration files. To use this
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) feature, your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p> included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a <p>MAC addresses are 48 bits wide and each Ethernet Controller has a unique
unique MAC address.<br> MAC address.<br>
<br> <br>
In GNU/Linux, MAC addresses are usually written as In GNU/Linux, MAC addresses are usually written
a series of 6 hex numbers separated by colons. Example:<br> as a series of 6 hex numbers separated by colons. Example:<br>
<br> <br>
     [root@gateway root]# ifconfig eth0<br>      [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>      eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
@ -313,8 +373,8 @@ the MAC address in the example above would be written "~02-00-08-E3-
and restart</a> commands allow you to specify an alternate configuration and restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate rather than the corresponding files in /etc/shorewall. The alternate
directory need not contain a complete configuration; those files not in directory need not contain a complete configuration; those files not
the alternate directory will be read from /etc/shorewall.</p> in the alternate directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration <p> This facility permits you to easily create a test or temporary configuration
by:</p> by:</p>
@ -325,19 +385,14 @@ from /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory; <li> modify those files in the separate directory;
and</li> and</li>
<li> specifying the separate directory in a shorewall <li> specifying the separate directory in a shorewall
start or shorewall restart command (e.g., <i><b>shorewall -c start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
/etc/testconfig restart</b></i> ).</li> restart</b></i> )</li>
</ol> </ol>
<p><font size="2"> Updated 4/18/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 2/24/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
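Review bot: the two "Updated" lines in this hunk show the footer changing between "4/18/2003" and "2/24/2003"; this commit postdates both and adds a whole new INCLUDE section to the file, so the surviving line must carry the date of this change, not the earlier of the two.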
@ -347,5 +402,6 @@ from /etc/shorewall to a separate directory;</li>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -40,8 +40,8 @@ for the configuration that most closely matches your own.<br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p> </p>
<p>The documentation in HTML format is included in the .rpm and in the <p>The documentation in HTML format is included in the .rpm and in the .tgz
.tgz packages below.</p> packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u> <p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p> one</u> of the modules:</p>
@ -57,8 +57,8 @@ insserv). If you find that it works in other cases, let <a
I can mention them here. See the <a href="Install.htm">Installation I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li> Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file <li>If you are running LRP, download the .lrp file
(you might also want to download the .tgz so you will have a copy (you might also want to download the .tgz so you will have a
of the documentation).</li> copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both and would like a .deb package, Shorewall is included in both
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
@ -72,8 +72,8 @@ module (.tgz)</li>
<p>The documentation in HTML format is included in the .tgz and .rpm files <p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.  The and there is an documentation .deb that also contains the documentation.  The
.rpm will install the documentation in your default document directory .rpm will install the documentation in your default document directory which
which can be obtained using the following command:<br> can be obtained using the following command:<br>
</p> </p>
<blockquote> <blockquote>
@ -85,8 +85,8 @@ which can be obtained using the following command:<br>
that you have downloaded.</p> that you have downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p> of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b></b></p> <p><b></b></p>
@ -149,6 +149,18 @@ IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configurat
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td> href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td> href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td valign="top">Taiwan<br>
</td>
<td valign="top">Greshko.com<br>
</td>
<td valign="top"><a
href="http://shorewall.greshko.com/pub/shorewall/">Browse<br>
</a></td>
<td valign="top"><a
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
</td>
</tr> </tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Washington State, USA</td>
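Review bot: in the new Taiwan row the FTP "Browse" link uses target="_top" while the France row directly above uses target="_blank", and the HTTP "Browse" link in the same row has no target at all; make all three consistent with the existing rows. The `<br>` inside the `<a>` element of the HTTP link also leaves a dangling line break in the cell. As noted for the index file, Chile is added to the navigation mirror list in this commit but has no row here.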
@ -182,5 +194,6 @@ IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configurat
</p> </p>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -22,6 +22,7 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
@ -47,21 +48,22 @@ the archive, replace the 'firewall' script in the untarred directory
</li> </li>
<li> <li>
<p align="left"> <b>When the instructions say to install a corrected <p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you may firewall script in /usr/share/shorewall/firewall, you
rename the existing file before copying in the new file.</b></p> may rename the existing file before copying in the new file.</b></p>
</li> </li>
<li> <li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running For example, do NOT install the 1.3.9a firewall script if you are
1.3.7c.</font></b><br> running 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
</ol> </ol>
<ul> <ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li> <li><b><a href="upgrade_issues.htm">Upgrade
Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br> <li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li> </li>
<li> <b><a <li> <b><a
@ -91,13 +93,32 @@ iptables</a></b></li>
<h3></h3> <h3></h3>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3> <h3>1.4.2</h3>
<ul> <ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP port-unreachable <li>When an 'add' or 'delete' command is executed, a temporary directory
response rather than the more appropriate TCP RST response. This problem created in /tmp is not being removed. This problem may be corrected by installing
is corrected in this updated common.def file which may be installed in /etc/shorewall/common.def.<br> <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described ablve. <br>
</li> </li>
</ul> </ul>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP
port-unreachable response rather than the more appropriate TCP RST response.
This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed in
/etc/shorewall/common.def.<br>
</li>
</ul>
<h3>1.4.1</h3> <h3>1.4.1</h3>
<ul> <ul>
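Review bot: "described ablve" in the new 1.4.2 entry should read "described above". The entry says a temporary directory created in /tmp is left behind by "add" and "delete" but does not say how to recognise it; giving the name pattern lets administrators clean up the directories already accumulated on systems that have run 1.4.2, and leftover world-readable directories in /tmp are worth removing rather than ignoring. The reworked 1.4.1a/1.4.1/1.4.0 entry now links the corrected common.def from the errata directory, which is an improvement over the earlier text that mentioned the file without a link.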
@ -143,8 +164,8 @@ RedHat released this buggy iptables in RedHat 7.2.
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have corrected 1.2.3 rpm which you can download here</a>  and I
also built an <a have also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
@ -218,9 +239,9 @@ running Shorewall 1.3.7a or later or:</p>
<li>set MULTIPORT=No <li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or in /etc/shorewall/shorewall.conf; or
</li> </li>
<li>if you are running <li>if you are
Shorewall 1.3.6 you may install running Shorewall 1.3.6 you may
<a install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
@ -242,15 +263,12 @@ result in Shorewall being unable to start:<br>
disabled it. The 2.4.19 kernel contains corrected support under a disabled it. The 2.4.19 kernel contains corrected support under a
new kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> new kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/25/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2"> Last updated 5/11/2003 - <a href="support.htm">Tom Eastep</a></font>
</p> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br>
<br>
<br>
</body> </body>
</html> </html>
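Review bot: the "Last updated" date moves to 5/11/2003, which matches the new 1.4.2 entry above; while touching this region, the unchanged context line two lines up still reads "configuraiton" ("configuration").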

Binary file not shown.

Binary file not shown.

View File

@ -21,8 +21,8 @@
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="33%" valign="middle" align="left"> <td width="33%" valign="middle"
align="left">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
@ -36,12 +36,13 @@
<p align="right"><font color="#ffffff"><b>  </b></font> </p> <p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td> </td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <a <td valign="middle" width="33%"> <a
href="http://www.postfix.org/"> <img href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115" src="images/postfix-white.gif" align="right" border="0" width="124"
height="45" alt="(Postfix Logo)"> height="66" alt="(Postfix Logo)">
</a><br> </a><br>
<div align="left"><a href="http://www.spamassassin.org"><img <div align="left"><a href="http://www.spamassassin.org"><img
@ -52,7 +53,7 @@
<div align="right"><br> <div align="right"><br>
<b><font color="#ffffff"><br> <b><font color="#ffffff"><br>
Powered by Postfix    </font></b><br>    </font></b><br>
</div> </div>
</td> </td>
</tr> </tr>
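Review bot: the Postfix logo is swapped from images/small-picture.gif (115x45) to images/postfix-white.gif (124x66) and the "Powered by Postfix" caption is dropped, but the `<div align="right">` that held the caption is left in place containing only an empty `<b><font color="#ffffff">` wrapper and line breaks; remove the whole div rather than just its text. Also confirm that postfix-white.gif is one of the binary files shown as added earlier in this commit, otherwise the page ships with a broken image.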
@ -66,19 +67,18 @@ Guide</a>.<br>
</h1> </h1>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p> let <a href="mailto:postmaster@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tmeastep <p align="left">You can report such problems by sending mail to tmeastep
at hotmail dot com.</p> at hotmail dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a <h2>A Word about the SPAM Filters at Shorewall.net <a
href="http://osirusoft.com/"> </a></h2> href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy <p>Please note that the mail server at shorewall.net
about list traffic that bounces.</a> Also please note that the mail server checks incoming mail:<br>
at shorewall.net checks incoming mail:<br>
</p> </p>
<ol> <ol>
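Review bot: the rewritten paragraph drops the link to spam_filters.htm and with it the only statement of the policy for list traffic that bounces; if that policy still applies, keep the link (subscribers are still asked to read it before subscribing in the old text). The new heading "A Word about the SPAM Filters at Shorewall.net" still carries the empty anchor `<a href="http://osirusoft.com/"> </a>` around a single space; remove it. Changing the contact address to postmaster@shorewall.net is fine, but the "tmeastep at hotmail dot com" fallback two lines below is unchanged, so make sure both addresses are meant to stay.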
@ -86,38 +86,38 @@ at hotmail dot com.</p>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br> (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li> </li>
<li>to ensure that the sender address is fully qualified.</li> <li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX <li>to verify that the sender's domain has an A
record in DNS.</li> or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command <li>to ensure that the host name in the HELO/EHLO
is a valid fully-qualified DNS name that resolves.</li> command is a valid fully-qualified DNS name that resolves.</li>
</ol> </ol>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net all HTML traffic. At least one MTA has gone so far as to blacklist
"for continuous abuse" because it has been my policy to allow HTML in shorewall.net "for continuous abuse" because it has been my policy to
list posts!!<br> allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the list spam and that the ultimate losers here are not the spammers but the
subscribers whose MTAs are bouncing all shorewall.net mail. As one list list subscribers whose MTAs are bouncing all shorewall.net mail. As
subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive one list subscriber wrote to me privately "These e-mail admin's need to
deleted)</i> life instead of trying to rid the planet of HTML based e-mail". get a <i>(explitive deleted)</i> life instead of trying to rid the planet
Nevertheless, to allow subscribers to receive list posts as must as possible, of HTML based e-mail". Nevertheless, to allow subscribers to receive list
I have now configured the list server at shorewall.net to strip all HTML posts as must as possible, I have now configured the list server at shorewall.net
from outgoing posts. This means that HTML-only posts will be bounced by to strip all HTML from outgoing posts. This means that HTML-only posts
the list server.<br> will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
<h2>Other Mail Delivery Problems</h2> <h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, your If you find that you are missing an occasional list post,
e-mail admin may be blocking mail whose <i>Received:</i> headers contain your e-mail admin may be blocking mail whose <i>Received:</i> headers
the names of certain ISPs. Again, I believe that such policies hurt more contain the names of certain ISPs. Again, I believe that such policies
than they help but I'm not prepared to go so far as to start stripping <i>Received:</i> hurt more than they help but I'm not prepared to go so far as to start
headers to circumvent those policies.<br> stripping <i>Received:</i> headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2> <h2 align="left">Mailing Lists Archive Search</h2>
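Review bot: since these lines are being rewrapped anyway, fix the two spelling errors they carry: "as must as possible" should read "as much as possible", and "(explitive deleted)" should read "(expletive deleted)". Leave the quoted subscriber's "admin's" as written, since it is inside a quotation.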
@ -147,8 +147,8 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
value="htdig"> <input type="hidden" name="restrict" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" Search: <input type="text" size="30"
value=""> <input type="submit" value="Search"> </p> name="words" value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the <h2 align="left"><font color="#ff0000">Please do not try to download the
@ -157,9 +157,9 @@ won't stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline If you want to trust X.509 certificates issued by
Firewall (such as the one used on my web site), you may <a Shoreline Firewall (such as the one used on my web site), you
href="Shorewall_CA_html.html">download and install my CA certificate</a> may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then in your browser. If you don't wish to trust my certificates then
you can either use unencrypted access when subscribing to Shorewall you can either use unencrypted access when subscribing to Shorewall
mailing lists or you can use secure access (SSL) and accept the server's mailing lists or you can use secure access (SSL) and accept the server's
@ -258,10 +258,10 @@ to make this less confusing. To unsubscribe:</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a
reminder, or change your subscription options enter your subscription password reminder, or change your subscription options enter
email address:". Enter your email address in the box and your subscription email address:". Enter your email address
click on the "<b>Unsubscribe</b> or edit options" button.</p> in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
@ -285,7 +285,5 @@ click on the "<b>Unsubscribe</b> or edit options" button.</p>
</p> </p>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

File diff suppressed because one or more lines are too long

View File

@ -27,6 +27,9 @@
coming in Shorewall version 1.4.0. <br> coming in Shorewall version 1.4.0. <br>
<h2>Shorewall Versions &gt;= 1.4.0</h2> <h2>Shorewall Versions &gt;= 1.4.0</h2>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just
like any other connection request.<br>
<br>
In order to accept ping requests from zone z1 to zone z2 where the policy In order to accept ping requests from zone z1 to zone z2 where the policy
for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the
form:<br> form:<br>
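Review bot: the new sentence that opens the 1.4.0 section has three typos that should go before this ships: "Shoreall" for "Shorewall", "later version" for "later versions", and the stray apostrophe in "echo-request's". The same misspelling sits in the path in the unchanged line just below, "a rule in /etc/shoreall/rules of the" (and again in the next hunk); since the file is being edited anyway, correct it to /etc/shorewall/rules, because a reader who copies the path as written will look for a file that does not exist.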
@ -63,11 +66,12 @@ form:<br>
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
<h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2> <h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with OLD_PING_HANDLING=No
in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and policies In 1.3.14, Ping handling was put under control of the rules and policies
just like any other connection request. In order to accept ping requests just like any other connection request. In order to accept ping requests
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you
a rule in /etc/shoreall/rules of the form:<br> need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
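Review bot: the rewritten heading "Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with OLD_PING_HANDLING=No" carries a non-breaking space in front of "and", which renders as a double space; replace "&nbsp;and" with a plain " and". Closing the version range at 1.4.0 is the right change, since the section above now describes 1.4.0 and later.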
@ -119,8 +123,8 @@ a rule in /etc/shoreall/rules of the form:<br>
<ol> <ol>
<li>Ping requests addressed to the firewall itself; and</li> <li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here <li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and
and simple routing.</li> simple routing.</li>
</ol> </ol>
These cases will be covered separately.<br> These cases will be covered separately.<br>
@ -132,8 +136,8 @@ and simple routing.</li>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for <li>If neither <b>noping</b> nor <b>filterping </b>are specified for
the interface that receives the ping request then the request will be responded the interface that receives the ping request then the request will be responded
to with an ICMP echo-reply.</li> to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives the <li>If <b>noping</b> is specified for the interface that receives
ping request then the request is ignored.</li> the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request <li>If <b>filterping </b>is specified for the interface then the request
is passed to the rules/policy evaluation.</li> is passed to the rules/policy evaluation.</li>
@ -168,12 +172,12 @@ destination is applied.<br>
to with an ICMP echo-reply.</li> to with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf <li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li> then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the request <li>Otherwise, the relevant REJECT or DROP policy is used and the
is either rejected or simply ignored.</li> request is either rejected or simply ignored.</li>
</ol> </ol>
<p><font size="2">Updated 2/14/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2">Updated 5/4/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
@ -183,5 +187,6 @@ to with an ICMP echo-reply.</li>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -52,8 +52,8 @@
<p>DNS</p> <p>DNS</p>
<blockquote> <blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably <p>UDP Port 53. If you are configuring a DNS client, you will probably want
want to open TCP Port 53 as well.<br> to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if you will If you are configuring a server, only open TCP Port 53 if you will
return long replies to queries or if you need to enable ZONE transfers. In return long replies to queries or if you need to enable ZONE transfers. In
the latter case, be sure that your server is properly configured.</p> the latter case, be sure that your server is properly configured.</p>
@ -87,6 +87,12 @@ the latter case, be sure that your server is properly configured.</p>
<p> TCP Port 25.</p> <p> TCP Port 25.</p>
</blockquote> </blockquote>
<p>RealPlayer<br>
</p>
<blockquote>
<p>UDP Port 6790 inbound<br>
</p>
</blockquote>
<p>POP3</p> <p>POP3</p>
<blockquote> <blockquote>
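Review bot: the new RealPlayer entry is the only one in this list that gives a direction ("inbound") and the only one whose paragraphs carry a trailing <br> inside the <p> ("<p>RealPlayer<br>" and "<p>UDP Port 6790 inbound<br>"), while the neighbouring entries ("<p>POP3</p>", "<p> TCP Port 25.</p>") are plain paragraphs. Drop the <br>s for consistency, and either say what "inbound" means here or give the direction for the other entries too; as written, the reader cannot tell whether the missing direction elsewhere is significant.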
@ -144,8 +150,8 @@ the latter case, be sure that your server is properly configured.</p>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may <p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p> have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before <p>If there is a possibility that these modules might be loaded before Shorewall
Shorewall starts, then you should include the port list in /etc/modules.conf:<br> starts, then you should include the port list in /etc/modules.conf:<br>
</p> </p>
<blockquote> <blockquote>
@ -153,8 +159,25 @@ Shorewall starts, then you should include the port list in /etc/modules.conf:<br
options ip_nat_ftp ports=21,49<br> options ip_nat_ftp ports=21,49<br>
</p> </p>
</blockquote> </blockquote>
<p><b>IMPORTANT: </b>Once you have made these changes to /etc/shorewall/modules
and/or /etc/modules.conf, you must either:<br>
</p>
<ol>
<li>Unload the modules and restart shorewall: (<b><font
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</font></b>);
or</li>
<li>Reboot<br>
</li>
</ol>
<p> </p>
</blockquote> </blockquote>
<blockquote> </blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p> <p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
<blockquote> </blockquote> <blockquote> </blockquote>
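Review bot: the new IMPORTANT paragraph tells the reader to unload and reload the modules but not why, and a one-clause reason would stop people from skipping the step: the ports= option is only read when ip_conntrack_ftp and ip_nat_ftp are loaded, so a copy already in the kernel keeps its old port list until it is unloaded (the same reason the preceding paragraph sends the list to /etc/modules.conf). Two small things: "rmmod ip_nat_ftp; rmmod ip_conntrack_ftp" is the right order because the NAT helper depends on the conntrack helper, so keep that ordering if the line is ever reflowed; and the empty "<p> </p>" inserted after the list is editor debris and can go.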
@ -189,13 +212,20 @@ is lots of additional information at
href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p> href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote> </blockquote>
<p>Didn't find what you are looking for -- have you looked in your own <p>VNC<br>
/etc/services file? </p> </p>
<blockquote>
<p>TCP port 5900 + &lt;display number&gt;</p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own /etc/services
file? </p>
<p>Still looking? Try <a <p>Still looking? Try <a
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p> href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 2/25/2003 - </font><font size="2"> <a <p><font size="2">Last updated 5/5/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font <a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
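Review bot: the new VNC entry "TCP port 5900 + &lt;display number&gt;" is the only one on the page written with a lower-case "port"; the rest use "Port" ("UDP Port 53", "TCP Port 25", "UDP Port 6790"). A concrete instance would also help readers who do not know VNC display numbering, for example "display :1 listens on TCP 5901".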
@ -203,5 +233,8 @@ is lots of additional information at
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
<br>
</body> </body>
</html> </html>
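Review bot: the three <br> lines added before </body> (and the one added at the same spot in the ping page) are editor-generated trailing whitespace rather than content, and they accumulate with every save; the mailing-list page in this same commit removes two of them. Drop them here too rather than committing them.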

View File

@ -2,11 +2,12 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base
target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -15,8 +16,9 @@
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td
width="100%" height="90"> <td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
@ -30,17 +32,20 @@
<small><small><small><small><a <small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small> href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
<div align="center"> <div align="center">
<h1><font color="#ffffff">             Shorewall 1.4</font><i><font
<h1><font color="#ffffff"> Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
href="1.3" target="_top"><font color="#ffffff"><br> href="1.3" target="_top"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.3 Site is here</small></small></small></small></font></a><a </font></a><br>
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.2 Site is here</small></small></small></small></font></a><br>
</h1> </h1>
</div> </div>
<p><a href="http://www.shorewall.net" target="_top"> </a> </p> <p><a href="http://www.shorewall.net" target="_top"> </a> </p>
</td> </td>
</tr> </tr>
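Review bot: the masthead edit drops the "Shorewall 1.3 Site is here" and "Shorewall 1.2 Site is here" link text but leaves the first anchor behind, so the new markup contains an empty link: "<a href="1.3" target="_top"><font color="#ffffff"><br> </font></a><br>". Either remove the anchor together with its text or restore the link text; an anchor with no content is invisible to the reader but still reachable by keyboard and by crawlers.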
@ -54,180 +59,280 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td
width="90%"> <td width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under it
the terms of <a under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program This
is distributed in the hope that it will program is distributed in the hope that
be useful, but WITHOUT ANY WARRANTY; without it will be useful, but WITHOUT ANY WARRANTY;
even the implied warranty of MERCHANTABILITY without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the or FITNESS FOR A PARTICULAR PURPOSE. See
GNU General Public License for more details.<br> the GNU General Public License for more details.<br>
<br> <br>
You should have You
received a copy of the GNU General Public should have received a copy of the GNU General
License along with this program; if Public License along with this program;
not, write to the Free Software Foundation, if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can
find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2><br>
Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br>
<br>
<h2>News</h2> <h2>News</h2>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation </b><b><img
<p><b>5/10/2003 - Shorewall Mirror in Asia </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p>
<p><b>4/26/2003 - lists.shorewall.net Downtime </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br>
</p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a <blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a
Shorewall presentation to GSLUG</a>. The presentation is in HTML format Shorewall presentation to GSLUG</a>. The presentation is in
but was generated from Microsoft PowerPoint and is best viewed using Internet HTML format but was generated from Microsoft PowerPoint and is best viewed
Explorer although Konqueror also seems to work reasonably well. Neither Opera using Internet Explorer (although Konqueror also seems to work reasonably
or Netscape work well to view the presentation.<br> well as does Opera 7.1.0). Neither Opera 6 nor Netscape work well to view
the presentation.<br>
</blockquote> </blockquote>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img <p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br> </b><br>
</p> </p>
<p><b>    Problems Corrected:</b></p>
<p><b> Problems Corrected:</b></p>
<blockquote> <blockquote>
<ol> <ol>
<li>TCP connection requests rejected out of the <b>common</b> <li>TCP connection requests rejected out of the
chain are now properly rejected with TCP RST; previously, some of these <b>common</b> chain are now properly rejected with TCP
requests were rejected with an ICMP port-unreachable response.</li> RST; previously, some of these requests were rejected with an ICMP
<li>'traceroute -I' from behind the firewall previously timed port-unreachable response.</li>
out on the first hop (e.g., to the firewall). This has been worked around.</li> <li>'traceroute -I' from behind the firewall previously
timed out on the first hop (e.g., to the firewall). This has been
worked around.</li>
</ol> </ol>
</blockquote> </blockquote>
<p><b>    New Features:</b></p>
<p><b> New Features:</b></p>
<blockquote> <blockquote>
<ol> <ol>
<li>Where an entry in the/etc/shorewall/hosts file specifies <li>Where an entry in the/etc/shorewall/hosts file
a particular host or network, Shorewall now creates an intermediate chain specifies a particular host or network, Shorewall now creates an intermediate
for handling input from the related zone. This can substantially reduce the chain for handling input from the related zone. This can substantially
number of rules traversed by connections requests from such zones.<br> reduce the number of rules traversed by connections requests from such
zones.<br>
<br> <br>
</li> </li>
<li>Any file may include an INCLUDE directive. An INCLUDE directive <li>Any file may include an INCLUDE directive. An
consists of the word INCLUDE followed by a file name and causes the contents INCLUDE directive consists of the word INCLUDE followed by a file
of the named file to be logically included into the file containing the INCLUDE. name and causes the contents of the named file to be logically included
File names given in an INCLUDE directive are assumed to reside in /etc/shorewall into the file containing the INCLUDE. File names given in an INCLUDE
or in an alternate configuration directory if one has been specified for directive are assumed to reside in /etc/shorewall or in an alternate
the command. <br> configuration directory if one has been specified for the command. <br>
 <br> <br>
   Examples:<br> Examples:<br>
   shorewall/params.mgmt:<br> shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br> MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br> TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br> BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br> ----- end params.mgmt -----<br>
 <br> <br>
 <br> <br>
   shorewall/params:<br> shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br> # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br> [..]<br>
   #######################################<br> #######################################<br>
 <br> <br>
   INCLUDE params.mgmt    <br> INCLUDE params.mgmt <br>
  <br> <br>
   # params unique to this host here<br> # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT
   ----- end params -----<br> REMOVE<br>
 <br> ----- end params -----<br>
 <br> <br>
   shorewall/rules.mgmt:<br> <br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br> shorewall/rules.mgmt:<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br> ACCEPT net:$MGMT_SERVERS $FW tcp 22<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br> ACCEPT $FW net:$TIME_SERVERS udp 123<br>
   ----- end rules.mgmt -----<br> ACCEPT $FW net:$BACKUP_SERVERS tcp 22<br>
 <br> ----- end rules.mgmt -----<br>
   shorewall/rules:<br> <br>
   # Shorewall version 1.3 - Rules File<br> shorewall/rules:<br>
   [..]<br> # Shorewall version 1.3 - Rules File<br>
   #######################################<br> [..]<br>
 <br> #######################################<br>
   INCLUDE rules.mgmt     <br> <br>
  <br> INCLUDE rules.mgmt <br>
   # rules unique to this host here<br> <br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br> # rules unique to this host here<br>
   ----- end rules -----<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
 <br> REMOVE<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives ----- end rules -----<br>
are ignored with a warning message.<br> <br>
INCLUDE's may be nested to a level of 3 -- further nested
INCLUDE directives are ignored with a warning message.<br>
<br> <br>
</li> </li>
<li>Routing traffic from an interface back out that interface <li>Routing traffic from an interface back out that
continues to be a problem. While I firmly believe that this should never interface continues to be a problem. While I firmly believe that
happen, people continue to want to do it. To limit the damage that such this should never happen, people continue to want to do it. To limit
nonsense produces, I have added a new 'routeback' option in /etc/shorewall/interfaces the damage that such nonsense produces, I have added a new 'routeback'
and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the 'ZONE' option in /etc/shorewall/interfaces and /etc/shorewall/hosts. When
column may not contain '-'; in other words, 'routeback' can't be used as used in /etc/shorewall/interfaces, the 'ZONE' column may not contain
an option for a multi-zone interface. The 'routeback' option CAN be specified '-'; in other words, 'routeback' can't be used as an option for a multi-zone
however on individual group entries in /etc/shorewall/hosts.<br> interface. The 'routeback' option CAN be specified however on individual
 <br> group entries in /etc/shorewall/hosts.<br>
The 'routeback' option is similar to the old 'multi' option with two <br>
exceptions:<br> The 'routeback' option is similar to the old 'multi' option
 <br> with two exceptions:<br>
   a) The option pertains to a particular zone,interface,address tuple.<br> <br>
 <br> a) The option pertains to a particular zone,interface,address
   b) The option only created infrastructure to pass traffic from (zone,interface,address) tuple.<br>
tuples back to themselves (the 'multi' option affected all (zone,interface,address) <br>
tuples associated with the given 'interface').<br> b) The option only created infrastructure to pass traffic
 <br> from (zone,interface,address) tuples back to themselves (the 'multi'
See the '<a href="upgrade_issues.htm">Upgrade Issues</a>' for information option affected all (zone,interface,address) tuples associated with
about how this new option may affect your configuration.<br> the given 'interface').<br>
<br>
See the '<a href="upgrade_issues.htm">Upgrade Issues</a>'
for information about how this new option may affect your configuration.<br>
</li> </li>
</ol> </ol>
</blockquote> </blockquote>
<p><b></b></p>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that
features Shorewall-1.3.14 and Kernel-2.4.20.
You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<b>Congratulations to Jacques and Eric on the recent release of Bering
1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <br> <td width="88" bgcolor="#4b017c" valign="top" align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<font color="#ffffff"><b>Note: </b></font></strong><font
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial"
size="-1"> <input type="text" name="words" size="15"></font><font
size="-1"> </font> <font face="Arial" size="-1"> <input
type="hidden" name="format" value="long"> <input type="hidden"
name="method" value="and"> <input type="hidden" name="config"
value="htdig"> <input type="submit" value="Search"></font> </p>
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p>
<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
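Review bot: the INCLUDE examples in the 1.4.2 "New Features" item lost their column alignment in this reflow: the old padding in "ACCEPT net:$MGMT_SERVERS          $FW    tcp    22" has collapsed to "ACCEPT net:$MGMT_SERVERS $FW tcp 22", and the "----- end params.mgmt -----" markers are now hard to tell apart from the surrounding prose. The lines are still valid whitespace-separated rules entries, but examples meant to be copied into /etc/shorewall/rules belong in a <pre> block, which also survives the next editor re-serialization. Smaller points in the same region: "the/etc/shorewall/hosts" needs a space and "connections requests" should be "connection requests" (both carried over from the old text); the "4/12/2002 - Greater Seattle Linux Users Group Presentation" item now sits between the 4/21/2003 and 4/9/2003 items and the old footer of this page read "Updated 4/12/2003", so the year looks like a typo for 2003; and the new Quick Search form contains an empty "<strong></strong>" that can be removed.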
@ -238,31 +343,31 @@ exceptions:<br>
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td
style="margin-top: 1px;"> width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's <a href="http://www.starlight.org"><font color="#ffffff">Starlight
Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 4/12/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 5/12/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -6,7 +6,6 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title> <title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
@ -40,28 +39,28 @@
<ul> <ul>
<li>Born 1945 in <a <li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li> href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington <li>BA Mathematics from <a
State University</a> 1967</li> href="http://www.wsu.edu">Washington State University</a> 1967</li>
<li>MA Mathematics from <a <li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li> href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a <li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li> href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> <li><a href="http://www.tandem.com">Tandem Computers,
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 Incorporated</a> (now part of the <a href="http://www.hp.com">The
- present</li> New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li> <li>Married 1969 - no children.</li>
</ul> </ul>
<p>I am currently a member of the design team for the next-generation <p>I am currently a member of the design team for the next-generation operating
operating system from the NonStop Enterprise Division of HP. </p> system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office <p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as ipchains and developed the scripts which are now collectively known
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
on what I learned from Seattle Firewall, I then designed and Expanding on what I learned from Seattle Firewall, I then designed
wrote Shorewall. </p> and wrote Shorewall. </p>
<p>I telework from our <a <p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
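Review bot: "(now part of the <a href="http://www.hp.com">The New HP</a>)" has a doubled article ("the The"); since this list is being reflowed anyway, drop the "the" outside the link.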
@ -71,27 +70,30 @@ I live with my wife Tarry.
<p>Our current home network consists of: </p> <p>Our current home network consists of: </p>
<ul> <ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB
20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. &amp; 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows
Serves as a PPTP server for Road Warrior access. Dual boots <a system. Serves as a PPTP server for Road Warrior access. Dual boots <a
href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li> href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as a NIC - My personal Linux System which runs Samba configured
WINS server. This system also has <a as a WINS server. This system also has <a
href="http://www.vmware.com/">VMware</a> installed and can run both href="http://www.vmware.com/">VMware</a> installed and can run both
<a href="http://www.debian.org">Debian Woody</a> and <a <a href="http://www.debian.org">Debian Woody</a> and <a
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li> href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100
- Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd), NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP
DNS server (Bind 9).</li> (Pure_ftpd), DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD -
LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.4.0  3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
and a DHCP server.</li> 1.4.2  and a DHCP server.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139
- My wife's personal system.</li> NIC - My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD,
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My built-in EEPRO100, EEPRO100 in expansion base and LinkSys WAC11 - My
main work system.</li> work system.</li>
<li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and LinkSys
WAC11 - Our Laptop.<br>
</li>
</ul> </ul>
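Review bot: the PII/233 firewall entry still reads "256MB MB RAM" (duplicated unit) after the reflow, and the clock speeds are written "1.2Gz" and "1.4Gz" where "GHz" is meant; since this hunk rewraps every line of the list, fix these at the same time.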
@ -114,11 +116,16 @@ main work system.</li>
</a><a href="http://www.mandrakelinux.com"><img </a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90" src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32"> height="32">
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall" </a><img src="images/shorewall.jpg"
width="125" height="40" hspace="4"> alt="Protected by Shorewall" width="125" height="40" hspace="4">
</font></p> <a href="http://www.opera.com"><img src="images/opera.png"
alt="(Opera Logo)" width="102" height="39" border="0">
</a>  <a href="http://www.hp.com"><img
src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120"
height="75" border="0">
</a><a href="http://www.opera.com"> </a> </font></p>
<p><font size="2">Last updated 3/17/2003 - </font><font size="2"> <a <p><font size="2">Last updated 5/8/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font <font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
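Review bot: the new logo row ends with an empty anchor, `<a href="http://www.opera.com"> </a>`, that duplicates the Opera link added a few lines above and renders as a stray link; drop it. The HP image is also added with `alt=""` while the other logos carry descriptive alt text ("Powered by Mandrake", "Protected by Shorewall"); give it one.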
@ -126,5 +133,11 @@ main work system.</li>
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>
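Review bot: six bare `<br>` tags are added before `</body>` purely for vertical spacing; a bottom margin on the last paragraph (or on `body`) expresses this without padding the markup. The same pattern is repeated in the other files in this commit.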

View File

@ -47,6 +47,9 @@ is updated at the same time as the rsync site.</b></p>
(Martinez (Zona Norte - GBA), Argentina)</li> (Martinez (Zona Norte - GBA), Argentina)</li>
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a> <li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li> (Paris, France)</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)<br>
</li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a> <li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br> (Washington State, USA)<br>
</li> </li>
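Review bot: the new Chile entry reads "(Santiago Chile)" without the comma every other entry in this list uses ("(Paris, France)", "(Washington State, USA)"); write "(Santiago, Chile)". The anchor text also breaks the line before `</a>`, which renders a trailing space inside the link.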
@ -59,8 +62,9 @@ is updated at the same time as the rsync site.</b></p>
<li><a target="_blank" <li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a> href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).</li> (Slovak Republic).</li>
<li> <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" <li> <a
target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> (Texas, USA).</li> href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>
(Texas, USA).</li>
<li><a target="_blank" <li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a> href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>
(Hamburg, Germany)</li> (Hamburg, Germany)</li>
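Review bot: the visible link text for the Texas mirror, "ftp://ftp.infohiiway.com/pub/shorewall", does not match its href, "ftp://ftp.infohiiway.com/pub/mirrors/shorewall/"; the mismatch predates this hunk, but since the lines are being rewrapped anyway, make the text match the href so readers copying the URL reach the mirror.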
@ -75,7 +79,7 @@ is updated at the same time as the rsync site.</b></p>
Search results and the mailing list archives are always fetched from the Search results and the mailing list archives are always fetched from the
site in Washington State.<br> site in Washington State.<br>
<p align="left"><font size="2">Last Updated 3/7/2003 - <a <p align="left"><font size="2">Last Updated 5/8/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -84,5 +88,6 @@ site in Washington State.<br>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -22,6 +22,7 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br> (HOWTO's)<br>
Version 4.0</font></h1> Version 4.0</font></h1>
@ -31,8 +32,8 @@
</tbody> </tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that we <p align="center">With thanks to Richard who reminded me once again that
must all first walk before we can run.<br> we must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br> The French Translations are courtesy of Patrice Vetsel<br>
</p> </p>
@ -44,90 +45,27 @@ must all first walk before we can run.<br>
<p>The following guides are for <b>users who have a single public IP address</b>:</p> <p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> Linux <li><a href="standalone.htm">Standalone</a>
System (<a href="standalone_fr.html">Version Française</a>)</li> Linux System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a> <li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local network Linux System acting as a firewall/router for a small local
(<a href="two-interface_fr.html">Version Française</a>)</li> network (<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a> <li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local network Linux System acting as a firewall/router for a small local
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li> network and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul> </ul>
<p>The above guides are designed to get your first firewall up and running <p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p> quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> (See
the steps necessary to set up a firewall where <b>there are multiple Index Below) outlines the steps necessary to set up a firewall
public IP addresses involved or if you want to learn more about where <b>there are multiple public IP addresses involved or
Shorewall than is explained in the single-address guides above.</b></p> if you want to learn more about Shorewall than is explained in
the single-address guides above.</b></p>
<ul> <ul>
<li><a
href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a
href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a
href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a
href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a
href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4
Address Resolution Protocol</a></li>
</ul>
<ul>
<li><a
href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a
href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a
href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a
href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul>
</li>
<li><a
href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0
DNS</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li>
</ul> </ul>
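Review bot: removing the index entries leaves the enclosing `<ul>` and `</ul>` (the unchanged context lines at the top and bottom of this hunk) as an empty list in the new file; remove them together with the entries. The inserted parenthetical "(See Index Below)" would also read better in lower case to match the surrounding sentence.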
@ -144,20 +82,24 @@ trying to use this documentation directly.</p>
(e.g., eth0:0)</a><br> (e.g., eth0:0)</a><br>
</li> </li>
<li><a href="blacklisting_support.htm">Blacklisting</a> <li><a href="blacklisting_support.htm">Blacklisting</a>
<ul> <ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li> <li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul> </ul>
</li> </li>
<li><a href="configuration_file_basics.htm">Common <li><a
configuration file features</a> href="configuration_file_basics.htm">Common configuration file
features</a>
<ul> <ul>
<li><a <li><a
href="configuration_file_basics.htm#Comments">Comments in configuration href="configuration_file_basics.htm#Comments">Comments in configuration
files</a></li> files</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li> href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</a><br>
</li>
<li><a <li><a
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li> href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
<li><a <li><a
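Review bot: the new "INCLUDE Directive" entry ends with `<br>` before `</li>`, which the neighbouring entries ("Comments in configuration files", "Line Continuation") do not; drop the `<br>` so the items render with uniform spacing.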
@ -171,17 +113,18 @@ trying to use this documentation directly.</p>
href="configuration_file_basics.htm#Compliment">Complementing an IP address href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li> or Subnet</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations href="configuration_file_basics.htm#Configs">Shorewall Configurations (making
(making a test configuration)</a></li> a test configuration)</a></li>
<li><a <li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li> href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul> </ul>
</li> </li>
<li><a href="Documentation.htm">Configuration File <li><a href="Documentation.htm">Configuration
Reference Manual</a> File Reference Manual</a>
<ul> <ul>
<li> <a href="Documentation.htm#Variables">params</a></li> <li> <a
href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li> href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
@ -201,40 +144,46 @@ trying to use this documentation directly.</p>
href="Documentation.htm#NAT">nat</a></font></li> href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li> href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li> <li><a
href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li> href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li> <li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li> <li><a href="Documentation.htm#TOS">tos</a>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li> </li>
<li><a
href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li> <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li> <li><a
href="Documentation.htm#Routestopped">routestopped</a></li>
</ul> </ul>
</li> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="dhcp.htm">DHCP</a></li>
<li><a href="ECN.html">ECN Disabling by host or <li><a href="ECN.html">ECN Disabling by host
subnet</a><br> or subnet</a><br>
</li> </li>
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension <li><font color="#000099"><a
Scripts</a></font> (How to extend Shorewall without modifying Shorewall href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
code through the use of files in /etc/shorewall -- /etc/shorewall/start, (How to extend Shorewall without modifying Shorewall code through the
/etc/shorewall/stopped, etc.)</li> use of files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li> <li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall <li><a
Structure</a></li> href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel <li><font color="#000099"><a
Configuration</a></font></li> href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br> <li><a href="shorewall_logging.html">Logging</a><br>
</li> </li>
<li><a href="MAC_Validation.html">MAC Verification</a><br> <li><a href="MAC_Validation.html">MAC Verification</a><br>
</li> </li>
<li><a href="myfiles.htm">My Shorewall Configuration <li><a href="myfiles.htm">My Shorewall
(How I personally use Shorewall)</a><br> Configuration (How I personally use Shorewall)</a><br>
</li> </li>
<li><a href="ping.html">'Ping' Management</a><br> <li><a href="ping.html">'Ping' Management</a><br>
</li> </li>
<li><a href="ports.htm">Port Information</a> <li><a href="ports.htm">Port Information</a>
<ul> <ul>
<li>Which applications use which ports</li> <li>Which applications use which ports</li>
<li>Ports used by Trojans</li> <li>Ports used by Trojans</li>
@ -243,21 +192,79 @@ subnet</a><br>
</li> </li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li> <li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li> <li><a href="samba.htm">Samba</a></li>
<li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br>
</li>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol (ARP)</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
Starting and Stopping the Firewall</a></li>
</ul>
<li><font color="#000099"><a <li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li> href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul> <ul>
<li>Description of all /sbin/shorewall commands</li> <li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br> <li>How to safely test a Shorewall configuration
change<br>
</li> </li>
</ul> </ul>
<li><font color="#000099"><a href="NAT.htm">Static <li><font color="#000099"><a
NAT</a></font></li> href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent
Proxy with Shorewall</a><br> Proxy with Shorewall</a><br>
</li> </li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li> <li><a href="traffic_shaping.htm">Traffic
Shaping/QOS</a></li>
<li>VPN <li>VPN
<ul> <ul>
<li><a href="IPSEC.htm">IPSEC</a></li> <li><a href="IPSEC.htm">IPSEC</a></li>
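Review bot: the nested Setup Guide index is inserted after the `</li>` that closes the "Shorewall Setup Guide" item, so its `<ul>` becomes a direct child of the outer `<ul>`, which is not valid HTML (a `ul` may contain only `li` children). Move the `</li>` to after the nested `</ul>`, as the "Common configuration file features" and "Configuration File Reference Manual" items already do. Inside the index, the 4.4/4.5 and 5.1/5.2 entries are split across `</ul> <ul>` pairs, producing two adjacent lists where one is meant; merge each pair. (The "Starting/stopping the Firewall" item further down has the same `</li>` placement problem, but that is pre-existing.)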
@ -265,25 +272,27 @@ Proxy with Shorewall</a><br>
<li><a href="OPENVPN.html">OpenVPN</a><br> <li><a href="OPENVPN.html">OpenVPN</a><br>
</li> </li>
<li><a href="PPTP.htm">PPTP</a></li> <li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system <li><a href="VPN.htm">IPSEC/PPTP</a> from
behind your firewall to a remote network.</li> a system behind your firewall to a remote network.</li>
</ul> </ul>
</li> </li>
<li><a href="whitelisting_under_shorewall.htm">White <li><a
List Creation</a></li> href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 4/112003 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 5/03/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M. <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br> Eastep</font></a><br>
</p> </p>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>
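Review bot: the updated date is written "5/03/2003" while the other pages touched by this commit use "5/8/2003" (no leading zero); pick one form for all three footers.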

View File

@ -27,7 +27,7 @@
<p><a href="#Addresses">4.1 IP Addresses</a><br> <p><a href="#Addresses">4.1 IP Addresses</a><br>
<a href="#Subnets">4.2 Subnets</a><br> <a href="#Subnets">4.2 Subnets</a><br>
<a href="#Routing">4.3 Routing</a><br> <a href="#Routing">4.3 Routing</a><br>
<a href="#ARP">4.4 Address Resolution Protocol</a><br> <a href="#ARP">4.4 Address Resolution Protocol (ARP)</a><br>
<a href="#RFC1918">4.5 RFC 1918</a></p> <a href="#RFC1918">4.5 RFC 1918</a></p>
</blockquote> </blockquote>
@ -57,8 +57,8 @@
where a set of public IP addresses must be managed or who want to know where a set of public IP addresses must be managed or who want to know
more about Shorewall than is contained in the <a more about Shorewall than is contained in the <a
href="shorewall_quickstart_guide.htm">single-address guides</a>. Because href="shorewall_quickstart_guide.htm">single-address guides</a>. Because
the range of possible applications is so broad, the Guide will give you the range of possible applications is so broad, the Guide will give
general guidelines and will point you to other resources as necessary.</p> you general guidelines and will point you to other resources as necessary.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you run LEAF Bering, your Shorewall configuration is NOT     If you run LEAF Bering, your Shorewall configuration is NOT
@ -81,9 +81,9 @@ this program:</p>
.</p> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you     If you edit your configuration files on a Windows system,
must save them as Unix files if your editor supports that option or you you must save them as Unix files if your editor supports that option
must run them through dos2unix before trying to use them with Shorewall. or you must run them through dos2unix before trying to use them with Shorewall.
Similarly, if you copy a configuration file from your Windows hard drive Similarly, if you copy a configuration file from your Windows hard drive
to a floppy disk, you must run dos2unix against the copy before using to a floppy disk, you must run dos2unix against the copy before using
it with Shorewall.</p> it with Shorewall.</p>
@ -99,10 +99,10 @@ Version of dos2unix</a></li>
<h2 align="left"><a name="Concepts"></a>2.0 Shorewall Concepts</h2> <h2 align="left"><a name="Concepts"></a>2.0 Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory <p>The configuration files for Shorewall are contained in the directory /etc/shorewall
/etc/shorewall -- for most setups, you will only need to deal with a few -- for most setups, you will only need to deal with a few of these as described
of these as described in this guide. Skeleton files are created during the in this guide. Skeleton files are created during the <a
<a href="Install.htm">Shorewall Installation Process</a>.</p> href="Install.htm">Shorewall Installation Process</a>.</p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions file on your system -- each file contains detailed configuration instructions
@ -144,9 +144,9 @@ the <a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a>
file. In this guide, the default name (<b>fw</b>) will be used.</p> file. In this guide, the default name (<b>fw</b>) will be used.</p>
<p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning <p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning
to zone names. Zones are entirely what YOU make of them. That means that to zone names. Zones are entirely what YOU make of them. That means
you should not expect Shorewall to do something special "because this that you should not expect Shorewall to do something special "because
is the internet zone" or "because that is the DMZ".</p> this is the internet zone" or "because that is the DMZ".</p>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    Edit the /etc/shorewall/zones file and make any changes necessary.</p>     Edit the /etc/shorewall/zones file and make any changes necessary.</p>
@ -175,21 +175,21 @@ zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorew
<li> Identify the source zone.</li> <li> Identify the source zone.</li>
<li> Identify the destination zone.</li> <li> Identify the destination zone.</li>
<li> If the POLICY from the client's zone to the server's <li> If the POLICY from the client's zone to the server's
zone is what you want for this client/server pair, you need do zone is what you want for this client/server pair, you need do nothing
nothing further.</li> further.</li>
<li> If the POLICY is not what you want, then you must <li> If the POLICY is not what you want, then you must
add a rule. That rule is expressed in terms of the client's zone add a rule. That rule is expressed in terms of the client's zone
and the server's zone.</li> and the server's zone.</li>
</ol> </ol>
<p> Just because connections of a particular type are allowed from zone A <p> Just because connections of a particular type are allowed from zone
to the firewall and are also allowed from the firewall to zone B <font A to the firewall and are also allowed from the firewall to zone B <font
color="#ff6633"><b><u> DOES NOT mean that these connections are allowed color="#ff6633"><b><u> DOES NOT mean that these connections are allowed
from zone A to zone B</u></b></font>. It rather means that you can from zone A to zone B</u></b></font>. It rather means that you can
have a proxy running on the firewall that accepts a connection from zone have a proxy running on the firewall that accepts a connection from
A and then establishes its own separate connection from the firewall to zone A and then establishes its own separate connection from the firewall
zone B.</p> to zone B.</p>
<p>For each connection request entering the firewall, the request is first <p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file checked against the /etc/shorewall/rules file. If no rule in that file
@ -241,8 +241,8 @@ zone B.</p>
<ol> <ol>
<li>allow all connection requests from your local network to <li>allow all connection requests from your local network to
the internet</li> the internet</li>
<li>drop (ignore) all connection requests from the internet to <li>drop (ignore) all connection requests from the internet
your firewall or local network and log a message at the <i>info</i> to your firewall or local network and log a message at the <i>info</i>
level (<a href="shorewall_logging.html">here</a> is a description of log level (<a href="shorewall_logging.html">here</a> is a description of log
levels).</li> levels).</li>
<li>reject all other connection requests and log a message at <li>reject all other connection requests and log a message at
@ -265,12 +265,12 @@ to illustrate the important aspects of Shorewall configuration.</p>
<p align="left">In this diagram:</p> <p align="left">In this diagram:</p>
<ul> <ul>
<li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is <li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ
used to isolate your internet-accessible servers from your local systems is used to isolate your internet-accessible servers from your local
so that if one of those servers is compromised, you still have the firewall systems so that if one of those servers is compromised, you still have
between the compromised system and your local systems. </li> the firewall between the compromised system and your local systems. </li>
<li>The Local Zone consists of systems Local 1, Local 2 and Local <li>The Local Zone consists of systems Local 1, Local 2 and
3. </li> Local 3. </li>
<li>All systems from the ISP outward comprise the Internet Zone. <li>All systems from the ISP outward comprise the Internet Zone.
</li> </li>
@ -308,17 +308,17 @@ If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
a <i>cross-over </i> cable).</p> a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter <p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ (eth0, eth1 or eth2) and will be connected to a hub or switch. Your
computers will be connected to the same switch (note: If you have only DMZ computers will be connected to the same switch (note: If you have
a single DMZ system, you can connect the firewall directly to the computer only a single DMZ system, you can connect the firewall directly to the
using a <i>cross-over </i> cable).</p> computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
</b></u>Do not connect more than one interface to the same hub </b></u>Do not connect more than one interface to the same hub
or switch (even for testing). It won't work the way that you expect or switch (even for testing). It won't work the way that you expect it
it to and you will end up confused and believing that Linux networking to and you will end up confused and believing that Linux networking doesn't
doesn't work at all.</p> work at all.</p>
<p align="left">For the remainder of this Guide, we will assume that:</p> <p align="left">For the remainder of this Guide, we will assume that:</p>
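Review bot: the unchanged context line shown in this hunk's header, "If you connect using ISDN, you external interface will be ippp0", still has "you" for "your"; worth fixing while the surrounding paragraphs are being rewrapped.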
@ -456,17 +456,17 @@ many times as necessary.</p>
<p align="left">Normally, your ISP will assign you a set of <i> Public</i> <p align="left">Normally, your ISP will assign you a set of <i> Public</i>
IP addresses. You will configure your firewall's external interface to IP addresses. You will configure your firewall's external interface to
use one of those addresses permanently and you will then have to decide use one of those addresses permanently and you will then have to decide
how you are going to use the rest of your addresses. Before we tackle that how you are going to use the rest of your addresses. Before we tackle
question though, some background is in order.</p> that question though, some background is in order.</p>
<p align="left">If you are thoroughly familiar with IP addressing and routing, <p align="left">If you are thoroughly familiar with IP addressing and routing,
you may <a href="#Options">go to the next section</a>.</p> you may <a href="#Options">go to the next section</a>.</p>
<p align="left">The following discussion barely scratches the surface of addressing <p align="left">The following discussion barely scratches the surface of
and routing. If you are interested in learning more about this subject, addressing and routing. If you are interested in learning more about this
I highly recommend <i>"IP Fundamentals: What Everyone Needs to Know about subject, I highly recommend <i>"IP Fundamentals: What Everyone Needs to
Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
0-13-975483-0.</p> 1999, ISBN 0-13-975483-0.</p>
<h3 align="left"><a name="Addresses"></a>4.1 IP Addresses</h3> <h3 align="left"><a name="Addresses"></a>4.1 IP Addresses</h3>
@ -504,17 +504,17 @@ Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN
of the high order byte of its address so you could look at an IP address of the high order byte of its address so you could look at an IP address
and immediately determine the associated <i>netmask</i>. The netmask and immediately determine the associated <i>netmask</i>. The netmask
is a number that when logically ANDed with an address isolates the <i>network is a number that when logically ANDed with an address isolates the <i>network
number</i>; the remainder of the address is the <i>host number</i>. For number</i>; the remainder of the address is the <i>host number</i>.
example, in the Class C address 192.0.2.14, the network number is hex For example, in the Class C address 192.0.2.14, the network number is
C00002 and the host number is hex 0E.</p> hex C00002 and the host number is hex 0E.</p>
<p align="left">As the internet grew, it became clear that such a gross <p align="left">As the internet grew, it became clear that such a gross partitioning
partitioning of the 32-bit address space was going to be very limiting (early of the 32-bit address space was going to be very limiting (early on, large
on, large corporations and universities were assigned their own class A corporations and universities were assigned their own class A network!).
network!). After some false starts, the current technique of <i>subnetting</i> After some false starts, the current technique of <i>subnetting</i> these
these networks into smaller <i>subnetworks</i> evolved; that technique is networks into smaller <i>subnetworks</i> evolved; that technique is referred
referred to as <i>Classless InterDomain Routing</i> (CIDR). Today, any system to as <i>Classless InterDomain Routing</i> (CIDR). Today, any system that
that you are likely to work with will understand CIDR and Class-based networking you are likely to work with will understand CIDR and Class-based networking
is largely a thing of the past.</p> is largely a thing of the past.</p>
<p align="left">A <i>subnetwork</i> (often referred to as a <i>subnet) </i>is <p align="left">A <i>subnetwork</i> (often referred to as a <i>subnet) </i>is
@ -637,8 +637,8 @@ are used for the subnet address and subnet broadcast address respectively.
<p align="left">You will notice that the above table also contains a column <p align="left">You will notice that the above table also contains a column
for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet
Mask</i> for a network of size <b>n</b>. From the above table, we can Mask</i> for a network of size <b>n</b>. From the above table, we
derive the following one which is a little easier to use.</p> can derive the following one which is a little easier to use.</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -820,9 +820,9 @@ as "<b>a.b.c.d/v</b>" using <i>CIDR</i> <i>Notation</i>.
<p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b> <p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b>
used to describe the ip configuration of a network interface (the 'ip' used to describe the ip configuration of a network interface (the 'ip'
utility also uses this syntax). This simply means that the interface is utility also uses this syntax). This simply means that the interface
configured with ip address <b>a.b.c.d</b> and with the netmask that corresponds is configured with ip address <b>a.b.c.d</b> and with the netmask that
to VLSM <b>/v</b>.</p> corresponds to VLSM <b>/v</b>.</p>
<p align="left">Example: 192.0.2.65/29</p> <p align="left">Example: 192.0.2.65/29</p>
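Review bot: the rewrapped lines write "ip configuration" and "ip address" in lowercase while the rest of this section uses "IP address"; since the lines are being touched anyway, capitalize both occurrences and keep lowercase only for the 'ip' utility name itself.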
@ -847,17 +847,16 @@ as "<b>a.b.c.d/v</b>" using <i>CIDR</i> <i>Notation</i>.
how to get to a single host. In the 'netstat' output this can be seen how to get to a single host. In the 'netstat' output this can be seen
by the "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the by the "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the
Flags column. The remainder are 'net' routes since they tell the kernel Flags column. The remainder are 'net' routes since they tell the kernel
how to route packets to a subnetwork. The last route is the <i>default how to route packets to a subnetwork. The last route is the <i>default route</i>
route</i> and the gateway mentioned in that route is called the <i>default and the gateway mentioned in that route is called the <i>default gateway</i>.</p>
gateway</i>.</p>
<p align="left">When the kernel is trying to send a packet to IP address <b>A</b>, <p align="left">When the kernel is trying to send a packet to IP address
it starts at the top of the routing table and:</p> <b>A</b>, it starts at the top of the routing table and:</p>
<ul> <ul>
<li> <li>
<p align="left"><b>A</b> is logically ANDed with the 'Genmask' value in <p align="left"><b>A</b> is logically ANDed with the 'Genmask' value
the table entry.</p> in the table entry.</p>
</li> </li>
<li> <li>
<p align="left">The result is compared with the 'Destination' value in <p align="left">The result is compared with the 'Destination' value in
@ -869,12 +868,10 @@ the table entry.</p>
<ul> <ul>
<li> <li>
<p align="left">If the 'Gateway' column is non-zero, the packet is <p align="left">If the 'Gateway' column is non-zero, the packet is
sent to the gateway over the interface named in the 'Iface' column.</p> sent to the gateway over the interface named in the 'Iface' column.</p>
</li> </li>
<li> <li>
<p align="left">Otherwise, the packet is sent directly to <b>A </b>over <p align="left">Otherwise, the packet is sent directly to <b>A </b>over
the interface named in the 'iface' column.</p> the interface named in the 'iface' column.</p>
</li> </li>
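Review bot: the two rewrapped bullets refer to the same routing-table column first as 'Iface' and then as 'iface'; the netstat header is "Iface", so the second bullet should read `the interface named in the 'Iface' column.` so readers can match it against the output shown earlier.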
@ -888,10 +885,10 @@ the table entry.</p>
</ul> </ul>
<p align="left">Since the default route matches any IP address (<b>A</b> land <p align="left">Since the default route matches any IP address (<b>A</b>
0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing table land 0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing
entries are sent to the <i>default gateway</i> which is usually a router table entries are sent to the <i>default gateway</i> which is usually a
at your ISP.</p> router at your ISP.</p>
<p align="left">Lets take an example. Suppose that we want to route a packet <p align="left">Lets take an example. Suppose that we want to route a packet
to 192.168.1.5. That address clearly doesn't match any of the host routes to 192.168.1.5. That address clearly doesn't match any of the host routes
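Review bot: "Lets take an example" on the last rewrapped line is missing its apostrophe and should be "Let's take an example". On the same lines, "A land 0.0.0.0 = 0.0.0.0" will read as a typo to most readers; spelling it out as "A logically ANDed with 0.0.0.0 = 0.0.0.0" matches the wording used in the routing-table bullets just above.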
@ -903,19 +900,20 @@ at your ISP.</p>
<pre>192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2</pre> <pre>192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2</pre>
</blockquote> </blockquote>
<p>So to route a packet to 192.168.1.5, the packet is sent directly over eth2.</p> <p>So to route a packet to 192.168.1.5, the packet is sent directly over
eth2.</p>
</div> </div>
<p align="left">One more thing needs to be emphasized -- all outgoing packet <p align="left">One more thing needs to be emphasized -- all outgoing packet
are sent using the routing table and reply packets are not a special are sent using the routing table and reply packets are not a special
case. There seems to be a common mis-conception whereby people think that case. There seems to be a common mis-conception whereby people think
request packets are like salmon and contain a genetic code that is magically that request packets are like salmon and contain a genetic code that
transferred to reply packets so that the replies follow the reverse route is magically transferred to reply packets so that the replies follow
taken by the request. That isn't the case; the replies may take a totally the reverse route taken by the request. That isn't the case; the replies
different route back to the client than was taken by the requests -- they may take a totally different route back to the client than was taken by
are totally independent.</p> the requests -- they are totally independent.</p>
<h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol</h3> <h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol (ARP)</h3>
<p align="left">When sending packets over Ethernet, IP addresses aren't used. <p align="left">When sending packets over Ethernet, IP addresses aren't used.
Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC) Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC)
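Review bot: two grammar slips survive the reflow of the "One more thing needs to be emphasized" paragraph: "all outgoing packet are sent" should be "all outgoing packets are sent", and "mis-conception" should be "misconception". The heading change to "4.4 Address Resolution Protocol (ARP)" is worth keeping, since the abbreviation is used throughout the section without otherwise being expanded.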
@ -930,9 +928,9 @@ are totally independent.</p>
</blockquote> </blockquote>
<div align="left"> <div align="left">
<p align="left">As you can see from the above output, the MAC is 6 bytes (48 <p align="left">As you can see from the above output, the MAC is 6 bytes
bits) wide. A card's MAC is usually also printed on a label attached to (48 bits) wide. A card's MAC is usually also printed on a label attached
the card itself. </p> to the card itself. </p>
</div> </div>
<div align="left"> <div align="left">
@ -985,10 +983,10 @@ system (including your Windows system) using the 'arp' command:</p>
of us don't deal with these registrars but rather get our IP addresses of us don't deal with these registrars but rather get our IP addresses
from our ISP.</p> from our ISP.</p>
<p align="left">It's a fact of life that most of us can't afford as many Public <p align="left">It's a fact of life that most of us can't afford as many
IP addresses as we have devices to assign them to so we end up making use Public IP addresses as we have devices to assign them to so we end up making
of <i> Private </i>IP addresses. RFC 1918 reserves several IP address ranges use of <i> Private </i>IP addresses. RFC 1918 reserves several IP address
for this purpose:</p> ranges for this purpose:</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -998,8 +996,8 @@ for this purpose:</p>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred <p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. This is forward packets which have an RFC-1918 destination address. This is
understandable given that anyone can select any of these addresses for understandable given that anyone can select any of these addresses
their private use.</p> for their private use.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1010,8 +1008,8 @@ their private use.</p>
<div align="left"> <div align="left">
<ul> <ul>
<li> <li>
<p align="left">As the IPv4 address space becomes depleted, more and more <p align="left">As the IPv4 address space becomes depleted, more and
organizations (including ISPs) are beginning to use RFC 1918 addresses more organizations (including ISPs) are beginning to use RFC 1918 addresses
in their infrastructure. </p> in their infrastructure. </p>
</li> </li>
<li> <li>
@ -1035,9 +1033,10 @@ their private use.</p>
<div align="left"> <div align="left">
<p align="left">The choice of how to set up your network depends primarily <p align="left">The choice of how to set up your network depends primarily
on how many Public IP addresses you have vs. how many addressable entities on how many Public IP addresses you have vs. how many addressable
you have in your network. Regardless of how many addresses you have, entities you have in your network. Regardless of how many addresses
your ISP will handle that set of addresses in one of two ways:</p> you have, your ISP will handle that set of addresses in one of two
ways:</p>
</div> </div>
<div align="left"> <div align="left">
@ -1084,13 +1083,13 @@ change them appropriately:<br>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Let's assume that your ISP has assigned you the subnet <p align="left">Let's assume that your ISP has assigned you the subnet 192.0.2.64/28
192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses routed through 192.0.2.65. That means that you have IP addresses 192.0.2.64
192.0.2.64 - 192.0.2.79 and that your firewall's external IP address - 192.0.2.79 and that your firewall's external IP address is 192.0.2.65.
is 192.0.2.65. Your ISP has also told you that you should use a netmask Your ISP has also told you that you should use a netmask of 255.255.255.0
of 255.255.255.0 (so your /28 is part of a larger /24). With this many (so your /28 is part of a larger /24). With this many IP addresses,
IP addresses, you are able to subnet your /28 into two /29's and set you are able to subnet your /28 into two /29's and set up your network
up your network as shown in the following diagram.</p> as shown in the following diagram.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1100,10 +1099,10 @@ change them appropriately:<br>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local <p align="left">Here, the DMZ comprises the subnet 192.0.2.64/29 and the
network is 192.0.2.72/29. The default gateway for hosts in the DMZ would Local network is 192.0.2.72/29. The default gateway for hosts in the DMZ
be configured to 192.0.2.66 and the default gateway for hosts in the local would be configured to 192.0.2.66 and the default gateway for hosts in
network would be 192.0.2.73.</p> the local network would be 192.0.2.73.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1139,13 +1138,13 @@ of 256 would be justified because of the simplicity of the setup.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">It is this rather unexpected ARP behavior on the part of the <p align="left">It is this rather unexpected ARP behavior on the part of
Linux Kernel that prompts the warning earlier in this guide regarding the the Linux Kernel that prompts the warning earlier in this guide regarding
connecting of multiple firewall/router interfaces to the same hub or switch. the connecting of multiple firewall/router interfaces to the same hub
When an ARP request for one of the firewall/router's IP addresses is sent or switch. When an ARP request for one of the firewall/router's IP addresses
by another system connected to the hub/switch, all of the firewall's is sent by another system connected to the hub/switch, all of the firewall's
interfaces that connect to the hub/switch can respond! It is then a interfaces that connect to the hub/switch can respond! It is then
race as to which "here-is" response reaches the sender first.</p> a race as to which "here-is" response reaches the sender first.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1153,22 +1152,22 @@ by another system connected to the hub/switch, all of the firewall's
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you have the above situation but it is non-routed, you <p align="left">If you have the above situation but it is non-routed,
can configure your network exactly as described above with one additional you can configure your network exactly as described above with one additional
twist; simply specify the "proxyarp" option on all three firewall interfaces twist; simply specify the "proxyarp" option on all three firewall
in the /etc/shorewall/interfaces file.</p> interfaces in the /etc/shorewall/interfaces file.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Most of us don't have the luxury of having enough public IP <p align="left">Most of us don't have the luxury of having enough public
addresses to set up our networks as shown in the preceding example (even IP addresses to set up our networks as shown in the preceding example
if the setup is routed). </p> (even if the setup is routed). </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>For the remainder of this section, assume that your ISP <p align="left"><b>For the remainder of this section, assume that your ISP
has assigned you IP addresses 192.0.2.176-180 and has told you to use has assigned you IP addresses 192.0.2.176-180 and has told you to
netmask 255.255.255.0 and default gateway 192.0.2.254.</b></p> use netmask 255.255.255.0 and default gateway 192.0.2.254.</b></p>
</div> </div>
<div align="left"> <div align="left">
@ -1200,8 +1199,8 @@ this problem.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Often a combination of these techniques is used. Each of these <p align="left">Often a combination of these techniques is used. Each of
will be discussed in the sections that follow.</p> these will be discussed in the sections that follow.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1212,11 +1211,11 @@ this problem.</p>
<p align="left">With SNAT, an internal LAN segment is configured using RFC <p align="left">With SNAT, an internal LAN segment is configured using RFC
1918 addresses. When a host <b>A </b>on this internal segment initiates 1918 addresses. When a host <b>A </b>on this internal segment initiates
a connection to host <b>B</b> on the internet, the firewall/router a connection to host <b>B</b> on the internet, the firewall/router
rewrites the IP header in the request to use one of your public IP addresses rewrites the IP header in the request to use one of your public IP
as the source address. When <b>B</b> responds and the response is received addresses as the source address. When <b>B</b> responds and the response
by the firewall, the firewall changes the destination address back is received by the firewall, the firewall changes the destination address
to the RFC 1918 address of <b>A</b> and forwards the response back to back to the RFC 1918 address of <b>A</b> and forwards the response back
<b>A.</b></p> to <b>A.</b></p>
</div> </div>
<div align="left"> <div align="left">
@ -1274,10 +1273,11 @@ local interface).</div>
<div align="left"> <div align="left">
<p align="left">This example used the normal technique of assigning the same <p align="left">This example used the normal technique of assigning the same
public IP address for the firewall external interface and for SNAT. public IP address for the firewall external interface and for SNAT.
If you wanted to use a different IP address, you would either have to If you wanted to use a different IP address, you would either have
use your distributions network configuration tools to add that IP address to use your distributions network configuration tools to add that IP
to the external interface or you could set ADD_SNAT_ALIASES=Yes in address to the external interface or you could set ADD_SNAT_ALIASES=Yes
/etc/shorewall/shorewall.conf and Shorewall will add the address for you.</p> in /etc/shorewall/shorewall.conf and Shorewall will add the address for
you.</p>
</div> </div>
<div align="left"> <div align="left">
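Review bot: "use your distributions network configuration tools" needs a possessive apostrophe: "your distribution's network configuration tools". The rewrap keeps the error, so fix it in the same hunk.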
@ -1295,8 +1295,8 @@ local interface).</div>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
     Suppose that your daughter wants to run a web server on      Suppose that your daughter wants to run a web server on
her system "Local 3". You could allow connections to the internet her system "Local 3". You could allow connections to the internet to
to her server by adding the following entry in <a her server by adding the following entry in <a
href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p> href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
</div> </div>
@ -1334,15 +1334,15 @@ to her server by adding the following entry in <a
to access your daughter's server, she can connect to <a to access your daughter's server, she can connect to <a
href="http://192.0.2.176"> http://192.0.2.176</a> (the firewall's external href="http://192.0.2.176"> http://192.0.2.176</a> (the firewall's external
IP address) and the firewall will rewrite the destination IP address IP address) and the firewall will rewrite the destination IP address
to 192.168.201.4 (your daughter's system) and forward the request. When to 192.168.201.4 (your daughter's system) and forward the request.
your daughter's server responds, the firewall will rewrite the source When your daughter's server responds, the firewall will rewrite the
address back to 192.0.2.176 and send the response back to <b>A.</b></p> source address back to 192.0.2.176 and send the response back to <b>A.</b></p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">This example used the firewall's external IP address for DNAT. <p align="left">This example used the firewall's external IP address for
You can use another of your public IP addresses but Shorewall will not DNAT. You can use another of your public IP addresses but Shorewall will
add that address to the firewall's external interface for you.</p> not add that address to the firewall's external interface for you.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1356,8 +1356,8 @@ add that address to the firewall's external interface for you.</p>
<div align="left"> <div align="left">
<ul> <ul>
<li> <li>
<p align="left">A host <b>H </b>behind your firewall is assigned one of <p align="left">A host <b>H </b>behind your firewall is assigned one
your public IP addresses (<b>A)</b> and is assigned the same netmask of your public IP addresses (<b>A)</b> and is assigned the same netmask
<b>(M) </b>as the firewall's external interface. </p> <b>(M) </b>as the firewall's external interface. </p>
</li> </li>
<li> <li>
@ -1365,9 +1365,9 @@ your public IP addresses (<b>A)</b> and is assigned the same netmask
</p> </p>
</li> </li>
<li> <li>
<p align="left">When <b>H</b> issues an ARP "who has" request for an address <p align="left">When <b>H</b> issues an ARP "who has" request for an
in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall will address in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall
respond (with the MAC if the firewall interface to <b>H</b>). </p> will respond (with the MAC if the firewall interface to <b>H</b>). </p>
</li> </li>
</ul> </ul>
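Review bot: the last rewrapped bullet still reads "with the MAC if the firewall interface to H"; it should be "with the MAC of the firewall interface to H", otherwise the sentence describing which address the proxy ARP reply carries is unintelligible.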
@ -1387,8 +1387,8 @@ respond (with the MAC if the firewall interface to <b>H</b>). </p>
<div align="left"> Here, we've assigned the IP addresses 192.0.2.177 to <div align="left"> Here, we've assigned the IP addresses 192.0.2.177 to
system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned
an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface
on the firewall. That address and netmask isn't relevant - just be sure on the firewall. That address and netmask isn't relevant - just be
it doesn't overlap another subnet that you've defined.</div> sure it doesn't overlap another subnet that you've defined.</div>
<div align="left">  </div> <div align="left">  </div>
@ -1442,6 +1442,7 @@ rather than behind it.<br>
(192.0.2.177 and 192.0.2.178 in the above example)  to the external interface (192.0.2.177 and 192.0.2.178 in the above example)  to the external interface
(eth0 in this example) of the firewall.</b></font><br> (eth0 in this example) of the firewall.</b></font><br>
</p> </p>
<div align="left"> </div> <div align="left"> </div>
</div> </div>
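Review bot: the only substantive change in this hunk is an added empty `<div align="left"> </div>` immediately before the closing `</div>`; it renders nothing and looks like HTML-editor residue, so it should be dropped rather than committed.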
@ -1463,26 +1464,27 @@ rather than behind it.<br>
Illustrated, Vol 1</i> reveals that a <br> Illustrated, Vol 1</i> reveals that a <br>
<br> <br>
"gratuitous" ARP packet should cause the ISP's router to refresh their "gratuitous" ARP packet should cause the ISP's router to refresh their
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the
the MAC address for its own IP; in addition to ensuring that the IP address MAC address for its own IP; in addition to ensuring that the IP address
isn't a duplicate,...<br> isn't a duplicate,...<br>
<br> <br>
"if the host sending the gratuitous ARP has just changed its hardware "if the host sending the gratuitous ARP has just changed its hardware
address..., this packet causes any other host...that has an entry in its address..., this packet causes any other host...that has an entry in its
cache for the old hardware address to update its ARP cache entry accordingly."<br> cache for the old hardware address to update its ARP cache entry accordingly."<br>
<br> <br>
Which is, of course, exactly what you want to do when you switch a Which is, of course, exactly what you want to do when you switch
host from being exposed to the Internet to behind Shorewall using proxy a host from being exposed to the Internet to behind Shorewall using proxy
ARP (or static NAT for that matter). Happily enough, recent versions of ARP (or static NAT for that matter). Happily enough, recent versions of
Redhat's iputils package include "arping", whose "-U" flag does just that:<br> Redhat's iputils package include "arping", whose "-U" flag does just that:<br>
<br> <br>
    <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly     <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly
proxied IP&gt;</b></font><br> proxied IP&gt;</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>     <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for
example</b></font><br>
<br> <br>
Stevens goes on to mention that not all systems respond correctly Stevens goes on to mention that not all systems respond correctly
to gratuitous ARPs, but googling for "arping -U" seems to support the to gratuitous ARPs, but googling for "arping -U" seems to support the idea
idea that it works most of the time.<br> that it works most of the time.<br>
<br> <br>
</li> </li>
<li>You can call your ISP and ask them to purge the stale ARP <li>You can call your ISP and ask them to purge the stale ARP
@ -1518,11 +1520,11 @@ cache entry but many either can't or won't purge individual entries.</li>
<div align="left"> <div align="left">
<p align="left">Notice that the source MAC address in the echo request is <p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this different from the destination MAC address in the echo reply!! In
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
was the MAC address of DMZ 1. In other words, the gateway's ARP cache 0:c0:a8:50:b2:57 was the MAC address of DMZ 1. In other words, the
still associates 192.0.2.177 with the NIC in DMZ 1 rather than with gateway's ARP cache still associates 192.0.2.177 with the NIC in DMZ
the firewall's eth0.</p> 1 rather than with the firewall's eth0.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1533,9 +1535,9 @@ the firewall's eth0.</p>
<p align="left">With static NAT, you assign local systems RFC 1918 addresses <p align="left">With static NAT, you assign local systems RFC 1918 addresses
then establish a one-to-one mapping between those addresses and public then establish a one-to-one mapping between those addresses and public
IP addresses. For outgoing connections SNAT (Source Network Address IP addresses. For outgoing connections SNAT (Source Network Address
Translation) occurs and on incoming connections DNAT (Destination Translation) occurs and on incoming connections DNAT (Destination Network
Network Address Translation) occurs. Let's go back to our earlier example Address Translation) occurs. Let's go back to our earlier example involving
involving your daughter's web server running on system Local 3.</p> your daughter's web server running on system Local 3.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1574,8 +1576,8 @@ connections. This is done with the following entry in /etc/shorewall/masq:
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    Suppose now that you have decided to give your daughter her     Suppose now that you have decided to give your daughter
own IP address (192.0.2.179) for both inbound and outbound connections. her own IP address (192.0.2.179) for both inbound and outbound connections.
You would do that by adding an entry in <a You would do that by adding an entry in <a
href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p> href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
</div> </div>
@ -1816,8 +1818,8 @@ way to allow connection requests through your firewall is to use ACCEPT
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you run a public DNS server on 192.0.2.177, you would need <p align="left">If you run a public DNS server on 192.0.2.177, you would
to add the following rules:</p> need to add the following rules:</p>
</div> </div>
<div align="left"> <div align="left">
@ -1949,10 +1951,10 @@ way to allow connection requests through your firewall is to use ACCEPT
</div> </div>
<div align="left"> <div align="left">
<p align="left">The above discussion reflects my personal preference for using <p align="left">The above discussion reflects my personal preference for
Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems. I using Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems.
prefer to use NAT only in cases where a system that is part of an RFC 1918 I prefer to use NAT only in cases where a system that is part of an RFC
subnet needs to have it's own public IP. </p> 1918 subnet needs to have it's own public IP. </p>
</div> </div>
<div align="left"> <div align="left">
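Review bot: "needs to have it's own public IP" on the last rewrapped line should be "its own public IP" (possessive, not the contraction); the reflow preserves the error.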
@ -1960,20 +1962,21 @@ subnet needs to have it's own public IP.
height="13"> height="13">
    If you haven't already, it would be a good idea to browse     If you haven't already, it would be a good idea to browse
through <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> through <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>
just to see if there is anything there that might be of interest. You just to see if there is anything there that might be of interest.
might also want to look at the other configuration files that you You might also want to look at the other configuration files that
haven't touched yet just to get a feel for the other things that Shorewall you haven't touched yet just to get a feel for the other things that
can do.</p> Shorewall can do.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">In case you haven't been keeping score, here's the final set <p align="left">In case you haven't been keeping score, here's the final
of configuration files for our sample network. Only those that were modified set of configuration files for our sample network. Only those that were
from the original installation are shown.</p> modified from the original installation are shown.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">/etc/shorewall/interfaces (The "options" will be very site-specific).</p> <p align="left">/etc/shorewall/interfaces (The "options" will be very
site-specific).</p>
</div> </div>
<div align="left"> <div align="left">
@ -2353,21 +2356,21 @@ can do.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Given the collection of RFC 1918 and public addresses in this <p align="left">Given the collection of RFC 1918 and public addresses in
setup, it only makes sense to have separate internal and external DNS this setup, it only makes sense to have separate internal and external
servers. You can combine the two into a single BIND 9 server using <i>Views. DNS servers. You can combine the two into a single BIND 9 server using
</i> If you are not interested in Bind 9 views, you can <a <i>Views. </i> If you are not interested in Bind 9 views, you can <a
href="#StartingAndStopping">go to the next section</a>.</p> href="#StartingAndStopping">go to the next section</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Suppose that your domain is foobar.net and you want the two <p align="left">Suppose that your domain is foobar.net and you want the two
DMZ systems named www.foobar.net and mail.foobar.net and you want the DMZ systems named www.foobar.net and mail.foobar.net and you want
three local systems named "winken.foobar.net, blinken.foobar.net and the three local systems named "winken.foobar.net, blinken.foobar.net
nod.foobar.net. You want your firewall to be known as firewall.foobar.net and nod.foobar.net. You want your firewall to be known as firewall.foobar.net
externally and it's interface to the local network to be know as gateway.foobar.net externally and it's interface to the local network to be know as gateway.foobar.net
and its interface to the dmz as dmz.foobar.net. Let's have the DNS server and its interface to the dmz as dmz.foobar.net. Let's have the DNS
on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p> server on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
</div> </div>
<div align="left"> <div align="left">
@ -2493,8 +2496,8 @@ servers. You can combine the two into a single BIND 9 server using <i>Views.
<div align="left"> <div align="left">
<p align="left">The firewall is started using the "shorewall start" command <p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing and stopped using "shorewall stop". When the firewall is stopped,
is enabled on those hosts that have an entry in <a routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command. running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter If you want to totally remove any trace of Shorewall from your Netfilter
@ -2504,23 +2507,23 @@ servers. You can combine the two into a single BIND 9 server using <i>Views.
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    Edit the /etc/shorewall/routestopped file and configure those     Edit the /etc/shorewall/routestopped file and configure
systems that you want to be able to access the firewall when it is those systems that you want to be able to access the firewall when
stopped.</p> it is stopped.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a added an entry for the IP address that you are connected from to
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="Documentation.htm#Configs">alternate configuration</a></i> an <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
and test it using the <a href="Documentation.htm#Starting">"shorewall and test it using the <a href="Documentation.htm#Starting">"shorewall
try" command</a>.</p> try" command</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 3/21/2003 - <a <p align="left"><font size="2">Last updated 5/3/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
@ -2535,5 +2538,6 @@ stopped.</p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>



@ -2,11 +2,12 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base
target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -15,8 +16,9 @@
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td
width="100%" height="90"> <td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
@ -25,11 +27,9 @@
</a></i></font><font </a></i></font><font
color="#ffffff">Shorewall 1.4 - <font color="#ffffff">Shorewall 1.4 - <font
size="4">"<i>iptables made easy"</i></font></font><br> size="4">"<i>iptables made easy"</i></font></font><br>
<a target="_top" href="1.3/index.html"><font color="#ffffff"> <a target="_top" href="1.3/index.html"><font
<small><small><small>Shorewall 1.3 Site here</small></small></small></font></a><br> color="#ffffff"> </font></a><a target="_top"
<a target="_top" href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small><br>
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small>Shorewall
1.2 Site here<br>
</small></small></small></font></a> </small></small></small></font></a>
</h1> </h1>
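Review bot: both site links in the banner lose their visible text in this change. The 1.3 anchor now wraps only a single space (`<font color="#ffffff"> </font>`) and the 1.2 anchor wraps only a `<br>`, so neither "Shorewall 1.3 Site here" nor "Shorewall 1.2 Site here" renders and the two `<a>` elements become invisible links. Either restore the label text inside the anchors or drop the anchors altogether rather than leaving empty links in the header.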
@ -45,105 +45,145 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td
width="90%"> <td width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> a <a href="http://www.netfilter.org">Netfilter</a>
(iptables) based firewall that can be used on a dedicated (iptables) based firewall that can be used on
firewall system, a multi-function gateway/router/server a dedicated firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system.</p> or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under it
the terms of <a under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program This
is distributed in the hope that it will program is distributed in the hope that
be useful, but WITHOUT ANY WARRANTY; without it will be useful, but WITHOUT ANY WARRANTY;
even the implied warranty of MERCHANTABILITY without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the or FITNESS FOR A PARTICULAR PURPOSE.
GNU General Public License for more details.<br> See the GNU General Public License for more details.<br>
<br> <br>
You should You
have received a copy of the GNU General should have received a copy of the GNU
Public License along with this program; General Public License along with
if not, write to the Free Software Foundation, this program; if not, write to the Free Software
Inc., 675 Mass Ave, Cambridge, MA 02139, Foundation, Inc., 675 Mass Ave, Cambridge,
USA</p> MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> <h2>Getting Started with Shorewall</h2>
</a>Jacques New to Shorewall? Start by selecting the <a
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
on a floppy, CD or compact flash) distribution match your environment and follow the step by step instructions.<br>
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can
find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations
to Jacques and Eric on the recent release of Bering
1.1!!! <br>
</b>
<h2><b>News</b></h2> <h2><b>News</b></h2>
<b> </b> <b> </b>
<p><b>5/10/2003 - Shorewall Mirror in Asia </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p>
<p><b>4/26/2003 - lists.shorewall.net Downtime </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br>
</p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation </b><b><img <p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
<blockquote> This morning, I gave <a href="GSLUG.htm" <blockquote> This morning, I gave <a href="GSLUG.htm"
target="_top">a Shorewall presentation to GSLUG</a>. The presentation target="_top">a Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint and is best is in HTML format but was generated from Microsoft PowerPoint and is
viewed using Internet Explorer although Konqueror also seems to work reasonably best viewed using Internet Explorer (although Konqueror also seems to
well. Neither Opera or Netscape work well to view the presentation.</blockquote> work reasonably well as does Opera 7.1.0). Neither Opera 6 nor Netscape
work well to view the presentation.</blockquote>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img <p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br> </b><br>
</p> </p>
<p><b>    Problems Corrected:</b></p> <p><b>    Problems Corrected:</b></p>
<blockquote> <blockquote>
<ol> <ol>
<li>TCP connection requests rejected out of the <b>common</b> <li>TCP connection requests rejected out of the <b>common</b>
chain are now properly rejected with TCP RST; previously, some of these requests chain are now properly rejected with TCP RST; previously, some of these
were rejected with an ICMP port-unreachable response.</li> requests were rejected with an ICMP port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously timed <li>'traceroute -I' from behind the firewall previously
out on the first hop (e.g., to the firewall). This has been worked around.</li> timed out on the first hop (e.g., to the firewall). This has been worked
around.</li>
</ol> </ol>
</blockquote> </blockquote>
<p><b>    New Features:</b></p> <p><b>    New Features:</b></p>
<blockquote> <blockquote>
<ol> <ol>
<li>Where an entry in the/etc/shorewall/hosts file specifies <li>Where an entry in the/etc/shorewall/hosts file
a particular host or network, Shorewall now creates an intermediate chain specifies a particular host or network, Shorewall now creates an intermediate
for handling input from the related zone. This can substantially reduce chain for handling input from the related zone. This can substantially
the number of rules traversed by connections requests from such zones.<br> reduce the number of rules traversed by connections requests from such
zones.<br>
<br> <br>
</li> </li>
<li>Any file may include an INCLUDE directive. An INCLUDE directive <li>Any file may include an INCLUDE directive. An
consists of the word INCLUDE followed by a file name and causes the contents INCLUDE directive consists of the word INCLUDE followed by a file name
of the named file to be logically included into the file containing the and causes the contents of the named file to be logically included into
INCLUDE. File names given in an INCLUDE directive are assumed to reside the file containing the INCLUDE. File names given in an INCLUDE directive
in /etc/shorewall or in an alternate configuration directory if one has are assumed to reside in /etc/shorewall or in an alternate configuration
been specified for the command. <br> directory if one has been specified for the command. <br>
 <br>  <br>
   Examples:<br>    Examples:<br>
   shorewall/params.mgmt:<br>    shorewall/params.mgmt:<br>
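Review bot: the News list now reads 5/10/2003, 5/8/2003, 4/26/2003, 4/21/2003, 4/12/2002, 4/9/2003; the GSLUG entry dated 4/12/2002 sits between two April 2003 items and describes a presentation given "this morning", so the year looks like a typo for 2003. Two smaller points in the same hunk: the new Getting Started paragraph should read "the QuickStart Guide that most closely matches your environment" and, like the 5/10/2003 mirror announcement, it is bare text after an `<h2>` rather than inside a `<p>`; and "the/etc/shorewall/hosts file" in the first New Features item is missing a space.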
@ -179,47 +219,69 @@ been specified for the command. <br>
   INCLUDE rules.mgmt     <br>    INCLUDE rules.mgmt     <br>
  <br>   <br>
   # rules unique to this host here<br>    # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
REMOVE<br>
   ----- end rules -----<br>    ----- end rules -----<br>
 <br>  <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives INCLUDE's may be nested to a level of 3 -- further nested
are ignored with a warning message.<br> INCLUDE directives are ignored with a warning message.<br>
<br> <br>
</li> </li>
<li>Routing traffic from an interface back out that interface <li>Routing traffic from an interface back out that
continues to be a problem. While I firmly believe that this should never interface continues to be a problem. While I firmly believe that this
happen, people continue to want to do it. To limit the damage that such should never happen, people continue to want to do it. To limit the
nonsense produces, I have added a new 'routeback' option in /etc/shorewall/interfaces damage that such nonsense produces, I have added a new 'routeback' option
and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the 'ZONE' in /etc/shorewall/interfaces and /etc/shorewall/hosts. When used in
column may not contain '-'; in other words, 'routeback' can't be used as /etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in
an option for a multi-zone interface. The 'routeback' option CAN be specified other words, 'routeback' can't be used as an option for a multi-zone
however on individual group entries in /etc/shorewall/hosts.<br> interface. The 'routeback' option CAN be specified however on individual
group entries in /etc/shorewall/hosts.<br>
 <br>  <br>
The 'routeback' option is similar to the old 'multi' option with two The 'routeback' option is similar to the old 'multi' option
exceptions:<br> with two exceptions:<br>
 <br>  <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>    a) The option pertains to a particular zone,interface,address
tuple.<br>
 <br>  <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)    b) The option only created infrastructure to pass traffic
tuples back to themselves (the 'multi' option affected all (zone,interface,address) from (zone,interface,address) tuples back to themselves (the 'multi'
tuples associated with the given 'interface').<br> option affected all (zone,interface,address) tuples associated with
the given 'interface').<br>
 <br>  <br>
See the '<a href="upgrade_issues.htm">Upgrade Issues</a>' for information See the '<a href="upgrade_issues.htm">Upgrade Issues</a>'
about how this new option may affect your configuration.<br> for information about how this new option may affect your configuration.<br>
</li> </li>
</ol> </ol>
</blockquote> </blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p> <p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b> <b> </b>
<p><b><a href="News.htm">More News</a></b></p> <p><b><a href="News.htm">More News</a></b></p>
<b> </b> <b> </b>
<h2><b> </b></h2> <h2><b> </b></h2>
<b> </b> <b> </b>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that
features Shorewall-1.3.14 and Kernel-2.4.20.
You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on the
recent release of Bering 1.2!!! </b><br>
<h1 align="center"><b><a href="http://www.sf.net"><img <h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo" align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
@ -227,20 +289,52 @@ exceptions:<br>
</a></b></h1> </a></b></h1>
<b> </b> <b> </b>
<h4><b> </b></h4> <h4><b> </b></h4>
<b> </b> <b> </b>
<h2><b>This site is hosted by the generous folks at <a <h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2> href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b> <b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2> <h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td> <b> </b></td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <br> <td width="88" bgcolor="#4b017c" valign="top" align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
 </p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input type="text"
name="words" size="15"></font><font size="-1"> </font><font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and">
<input type="hidden" name="config" value="htdig"> <input
type="submit" value="Search"></font> </p>
<font face="Arial"> <input type="hidden"
name="exclude" value="[http://lists.shorewall.net/pipermail/*]">
</font> </form>
<p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p>
<a target="_top"
href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff">
</font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
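Review bot: the new sidebar adds `<a target="_top" href="file:///vfat/Shorewall-docs/1.3/index.html">` with only a space as link text, plus a second empty anchor to the 1.2 site. A file:/// URL to a local vfat mount cannot resolve for any reader of the published page and only exposes the author's working-directory layout; remove both anchors, or point the 1.3 link at the site-relative 1.3/index.html already used in the banner. The search form itself is consistent (the hidden config, format and method fields and the pipermail exclude pattern all go to the htsearch CGI), and the 0200-0330 GMT outage note is a useful addition.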
@ -254,29 +348,30 @@ exceptions:<br>
<td <td
width="100%" style="margin-top: 1px;"> width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's <a href="http://www.starlight.org"><font color="#ffffff">Starlight
Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 4/12/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 5/10/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>



@ -45,28 +45,29 @@
<p>Shorewall requires that you have the iproute/iproute2 package installed <p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on if this package is installed by the presence of an <b>ip</b> program
your firewall system. As root, you can use the 'which' command to check on your firewall system. As root, you can use the 'which' command to
for this program:</p> check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you read through the guide first to familiarize yourself <p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged changes.  Points at which configuration changes are recommended are
with <img border="0" src="images/BD21298_.gif" width="13" height="13"> flagged with <img border="0" src="images/BD21298_.gif" width="13"
height="13">
.</p> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you     If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy disk, you copy a configuration file from your Windows hard drive to a floppy
you must run dos2unix against the copy before using it with Shorewall.</p> disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
of dos2unix</a></li> Version of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li> Version of dos2unix</a></li>
@ -77,21 +78,21 @@ you must run dos2unix against the copy before using it with Shorewall.</p>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few of /etc/shorewall -- for simple setups, you only need to deal with a few
these as described in this guide. After you have <a of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>,
sample</a>, un-tar it (tar -zxvf one-interface.tgz) and and copy the files un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
to /etc/shorewall (they will replace files with the same names that were (they will replace files with the same names that were placed in /etc/shorewall
placed in /etc/shorewall during Shorewall installation)</b>.</p> during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions file on your system -- each file contains detailed configuration instructions
and default entries.</p> and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only one set of <i>zones.</i> In the one-interface sample configuration, only
zone is defined:</p> one zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
@ -132,8 +133,8 @@ placed in /etc/shorewall during Shorewall installation)</b>.</p>
the request is first checked against the rules in /etc/shorewall/common the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has <p>The /etc/shorewall/policy file included with the one-interface sample
the following policies:</p> has the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -191,21 +192,21 @@ your firewall</li>
<p align="left">The firewall has a single network interface. Where Internet <p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem"  will be the ethernet adapter (<b>eth0</b>) that is connected to that
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol "Modem"  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling <u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
a <b>ppp0</b>. If you connect via a regular modem, your External Interface Interface will be a <b>ppp0</b>. If you connect via a regular modem, your
will also be <b>ppp0</b>. If you connect using ISDN, your external interface External Interface will also be <b>ppp0</b>. If you connect using ISDN,
will be<b> ippp0.</b></p> your external interface will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    The Shorewall one-interface sample configuration assumes that the     The Shorewall one-interface sample configuration assumes that
external interface is <b>eth0</b>. If your configuration is different, the external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly. you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that are While you are there, you may wish to review the list of options that
specified for the interface. Some hints:</p> are specified for the interface. Some hints:</p>
<ul> <ul>
<li> <li>
@ -214,8 +215,8 @@ your firewall</li>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the option or if you have a static IP address, you can remove "dhcp" from the
list. </p> option list. </p>
</li> </li>
</ul> </ul>
@ -234,8 +235,8 @@ your firewall</li>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i> <p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though, ISPs destination address is reserved by RFC 1918. In some cases though,
are assigning these addresses then using <i>Network Address Translation ISPs are assigning these addresses then using <i>Network Address Translation
</i>to rewrite packet headers when forwarding to/from the internet.</p> </i>to rewrite packet headers when forwarding to/from the internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
@ -284,8 +285,8 @@ should remove the 'norfc1918' option from the entry in /etc/shorewall/interf
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server on <p align="left">Example - You want to run a Web Server and a POP3 Server
your firewall system:</p> on your firewall system:</p>
</div> </div>
<div align="left"> <div align="left">
@ -333,8 +334,8 @@ uses, see <a href="ports.htm">here</a>.</p>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want the internet because it uses clear text (even for login!). If you
shell access to your firewall from the internet, use SSH:</p> want shell access to your firewall from the internet, use SSH:</p>
</div> </div>
<div align="left"> <div align="left">
@ -395,8 +396,8 @@ uses, see <a href="ports.htm">here</a>.</p>
<div align="left"> <div align="left">
<p align="left">The firewall is started using the "shorewall start" command <p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing and stopped using "shorewall stop". When the firewall is stopped,
is enabled on those hosts that have an entry in <a routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command. running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter If you want to totally remove any trace of Shorewall from your Netfilter
@ -406,8 +407,8 @@ uses, see <a href="ports.htm">here</a>.</p>
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a added an entry for the IP address that you are connected from to
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a and test it using the <a
@ -427,5 +428,6 @@ Thomas M. Eastep</font></a></p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>
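Review bot: the only change in this hunk is the extra trailing `<br>` added before `</body>`; it carries no content and looks like editor noise from re-saving the page, so it could be dropped so the diff stays limited to the documentation changes (the same stray line is added at the end of the one-interface French page and the support guide below).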

View File

@ -30,24 +30,24 @@
<h2 align="center">Version 2.0.1 Française</h2> <h2 align="center">Version 2.0.1 Française</h2>
<p align="left"><small><i><u>Notes du traducteur</u> :<br> <p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail n'est Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
pas des plus précis (loin de là...). Je ne me suis pas attaché à une traduction n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
exacte du texte, mais plutôt à en faire une version française intelligible traduction exacte du texte, mais plutôt à en faire une version française
par tous (et par moi). Les termes techniques sont la plupart du temps conservés intelligible par tous (et par moi). Les termes techniques sont la plupart
sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver du temps conservés sous leur forme originale et mis entre parenthèses car
dans le reste des documentations ainsi que dans les fichiers de configuration. vous pouvez les retrouver dans le reste des documentations ainsi que dans
N?hésitez pas à me contacter afin d?améliorer ce document <a les fichiers de configuration. N?hésitez pas à me contacter afin d?améliorer
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM pour ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour son (merci à JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à
formidable outil et sa disponibilité)</i><i>.</i></small></p> Tom EASTEP pour son formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall (écluse) <p align="left">Mettre en place un système Linux en tant que firewall (écluse)
pour un petit réseau est une chose assez simple, si vous comprenez les bases pour un petit réseau est une chose assez simple, si vous comprenez les bases
et suivez la documentation.</p> et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il <p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il se
se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son focalise sur ce qui est nécessaire pour configurer Shorewall, dans son utilisation
utilisation la plus courante :</p> la plus courante :</p>
<ul> <ul>
<li>Un système Linux</li> <li>Un système Linux</li>
@ -57,8 +57,8 @@ rtc...</li>
</ul> </ul>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. <p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which' ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p> pour rechercher le programme :</p>
@ -73,11 +73,11 @@ la configuration sont recommand
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
Si vous éditez vos fichiers de configuration sur un système Windows, vous Si vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte cette option devez les sauver comme des fichiers Unix si votre éditeur supporte cette
sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser. option sinon vous devez les faire passer par dos2unix avant d'essayer de
De la même manière, si vous copiez un fichier de configuration depuis votre les utiliser. De la même manière, si vous copiez un fichier de configuration
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la depuis votre disque dur Windows vers une disquette, vous devez lancer dos2unix
copie avant de l'utiliser avec Shorewall.</p> sur la copie avant de l'utiliser avec Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
@ -95,18 +95,18 @@ of dos2unix</a></li>
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec /etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>,
sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers vers /etc/shorewall
vers /etc/shorewall (Ils remplaceront les fichiers de même nom déjà existant (Ils remplaceront les fichiers de même nom déjà existant dans /etc/shorewall
dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p> installés lors de l'installation de Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux <p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
physiquement présents sur votre système -- chacun des fichiers contient des physiquement présents sur votre système -- chacun des fichiers contient des
instructions de configuration détaillées et des entrées par défaut.</p> instructions de configuration détaillées et des entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de <p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
<i>zones.</i> Dans les fichiers de configuration fournis pour une unique <i>zones.</i> Dans les fichiers de configuration fournis pour une unique interface,
interface, une seule zone est définie :</p> une seule zone est définie :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
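Review bot: the sample link at the top of this hunk now points at the `Samples/` directory listing on www1.shorewall.net instead of directly at `one-interface.tgz`, but the very next words still tell the reader to run `tar -zxvf one-interface.tgz`; either link the tarball itself or add a few words saying which file to take from the listing. The page also switches from the france.shorewall.net mirror to www1.shorewall.net and from `LATEST.samples` to `Samples/`, which is presumably deliberate (the same change is made to the English three-interface guide further down) but is worth confirming so the French mirror's readers are not sent to a host that later disappears.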
@ -126,15 +126,15 @@ interface, une seule zone est d
<p>Les zones de Shorewall sont définies dans <a <p>Les zones de Shorewall sont définies dans <a
href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p> href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone <p>Shorewall reconnaît aussi le système de firewall comme sa propre zone -
- par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p> par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées <p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p> en utilisant les termes de zones.</p>
<ul> <ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une zone <li>Vous exprimez les politiques par défaut pour les connexions d'une
à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li> </a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut <li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
@ -143,11 +143,10 @@ dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les <p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules. demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première Si aucune des règles dans ce fichier ne correspondent, alors la première politique
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette dans /etc/shorewall/policy qui y correspond est appliquée. Si cette politique
politique est REJECT ou DROP la requête est alors comparée par rapport aux est REJECT ou DROP la requête est alors comparée par rapport aux règles contenues
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit dans /etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p>
ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface <p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
a les politiques suivantes :</p> a les politiques suivantes :</p>
@ -198,8 +197,8 @@ a les politiques suivantes :</p>
Ces politiques vont : Ces politiques vont :
<ol> <ol>
<li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li> <li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet vers <li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
votre firewall</li> vers votre firewall</li>
<li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin <li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin
de cette politique).</li> de cette politique).</li>
@ -223,8 +222,8 @@ sera<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
L'exemple de configuration de Shorewall pour une interface suppose que votre L'exemple de configuration de Shorewall pour une interface suppose que
interface externe est <b>eth0</b>. Si votre configuration est différente, votre interface externe est <b>eth0</b>. Si votre configuration est différente,
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence. vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont
spécifiées pour l'interface. Quelques astuces :</p> spécifiées pour l'interface. Quelques astuces :</p>
@ -248,8 +247,8 @@ de la liste d'option. </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée <p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée (<i>Private</i>IP)
(<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p> pour l'utilisation dans des réseaux privés :</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -310,8 +309,8 @@ vers votre firewall, le format g
</div> </div>
<div align="left"> <div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un <p align="left">Exemple - Vous voulez faire tourner un serveur Web et un serveur
serveur POP3 sur votre système de firewall :</p> POP3 sur votre système de firewall :</p>
</div> </div>
<div align="left"> <div align="left">
@ -417,16 +416,16 @@ d
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13" <p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow"> height="13" alt="Arrow">
La <a href="Install.htm">procédure d'installation </a> configure votre système La <a href="Install.htm">procédure d'installation </a> configure votre
pour lancer Shorewall au boot du système, mais au début avec la version 1.3.9 système pour lancer Shorewall au boot du système, mais au début avec la version
de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall 1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
avec que la configuration soit finie. Une fois que vous en aurez fini avec avec que la configuration soit finie. Une fois que vous en aurez fini avec
la configuration du firewall, vous pouvez permettre le lancement de Shorewall la configuration du firewall, vous pouvez permettre le lancement de Shorewall
en supprimant le fichier /etc/shorewall/startup_disabled.<br> en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs des
des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br> paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
</p> </p>
</div> </div>
@ -441,10 +440,10 @@ de Netfilter, utilisez "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall <p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall depuis
depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart"; De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration alternative</a></i> href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
@ -465,5 +464,6 @@ M. Eastep</font></a></p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -17,6 +17,7 @@
<tr> <tr>
<td <td
width="100%"> width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
@ -28,28 +29,31 @@
<h2>Before Reporting a Problem or Asking a Question<br> <h2>Before Reporting a Problem or Asking a Question<br>
</h2> </h2>
There are a number There are
of sources of Shorewall information. Please try these before you a number of sources of Shorewall information. Please try these before
post. you post.
<ul> <ul>
<li>More than half of the questions <li>Shorewall versions earlier
posted on the support list have answers directly accessible from that 1.3.0 are no longer supported.<br>
the <a href="shorewall_quickstart_guide.htm#Documentation">Documentation </li>
<li>More than half of the questions posted on the support
list have answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br> Index</a><br>
</li> </li>
<li>
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has solutions
to more than 20 common problems. </li>
<li> The <li> The
<a href="FAQ.htm">FAQ</a> has solutions to more than 20 common <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
problems. </li> Information contains a number of tips to help
<li> The <a you solve common problems. </li>
href="troubleshoot.htm">Troubleshooting</a> Information contains <li> The
a number of tips to help you solve common problems. <a href="http://www.shorewall.net/errata.htm"> Errata</a> has links
</li> to download updated components. </li>
<li> The <a <li> The Site
href="errata.htm"> Errata</a> has links to download updated and Mailing List Archives search facility can locate documents
components. </li> and posts about similar problems: </li>
<li> The Site and
Mailing List Archives search facility can locate documents and
posts about similar problems: </li>
</ul> </ul>
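Review bot: typo in the new first bullet: "Shorewall versions earlier that 1.3.0 are no longer supported" should read "earlier than 1.3.0". Also, the Documentation Index, FAQ, Troubleshooting and Errata links in this hunk are switched from relative (`FAQ.htm`, `troubleshoot.htm`, `errata.htm`) to absolute `http://www.shorewall.net/...` URLs, while the rest of the documentation in this commit keeps relative links (`Install.htm`, `Documentation.htm#Routestopped`); if the intent is that mirrored or offline copies of the support guide should always send people to the canonical site, a short HTML comment saying so would stop the next editor from "fixing" them back.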
@ -78,16 +82,17 @@ posts about similar problems: </li>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font><input type="hidden" name="config" value="htdig"><input </font><input type="hidden" name="config"
type="hidden" name="restrict" value=""><font size="-1"> Include Mailing value="htdig"><input type="hidden" name="restrict" value=""><font
List Archives: size="-1"> Include Mailing List Archives:
<select size="1" name="exclude"> <select size="1" name="exclude">
<option value="">Yes</option> <option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option> <option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select> </select>
</font><br> </font><br>
Search: <input type="text" size="30" name="words" value=""> <input Search: <input type="text" size="30" name="words"
type="submit" value="Search"><br> value=""> <input type="submit" value="Search"><br>
</form> </form>
</blockquote> </blockquote>
@ -95,27 +100,30 @@ posts about similar problems: </li>
</h2> </h2>
<ul> <ul>
<li>Please remember we only know what is posted <li>Please remember we only know what
in your message. Do not leave out any information that appears is posted in your message. Do not leave out any information
to be correct, or was mentioned in a previous post. There have that appears to be correct, or was mentioned in a previous
been countless posts by people who were sure that some part of post. There have been countless posts by people who were sure
their configuration was correct when it actually contained a small that some part of their configuration was correct when it actually
error. We tend to be skeptics where detail is lacking.<br> contained a small error. We tend to be skeptics where detail
is lacking.<br>
<br> <br>
</li> </li>
<li>Please keep in mind that you're asking <li>Please keep in mind that you're
for <strong>free</strong> technical support. Any help we asking for <strong>free</strong> technical support.
offer is an act of generosity, not an obligation. Try to make it Any help we offer is an act of generosity, not an obligation.
easy for us to help you. Follow good, courteous practices in writing Try to make it easy for us to help you. Follow good, courteous
and formatting your e-mail. Provide details that we need if you expect practices in writing and formatting your e-mail. Provide details that
good answers. <em>Exact quoting </em> of error messages, log entries, we need if you expect good answers. <em>Exact quoting </em> of
command output, and other output is better than a paraphrase or summary.<br> error messages, log entries, command output, and other output is better
than a paraphrase or summary.<br>
<br> <br>
</li> </li>
<li> Please <li>
don't describe your environment and then ask us to send Please don't describe your environment and then ask us
you custom configuration files. We're here to answer to send you custom configuration files. We're here
your questions but we can't do your job for you.<br> to answer your questions but we can't do your
job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <strong>ALWAYS</strong> <li>When reporting a problem, <strong>ALWAYS</strong>
@ -126,17 +134,19 @@ you custom configuration files. We're here to answer
<ul> <ul>
<ul> <ul>
<li>the exact version of Shorewall you are <li>the exact version of Shorewall
running.<br> you are running.<br>
<br> <br>
<b><font color="#009900">shorewall version</font><br> <b><font color="#009900">shorewall
version</font><br>
</b> <br> </b> <br>
</li> </li>
</ul> </ul>
<ul> <ul>
<li>the exact kernel version you are running<br> <li>the exact kernel version you are
running<br>
<br> <br>
<font color="#009900"><b>uname -a<br> <font color="#009900"><b>uname -a<br>
<br> <br>
@ -147,7 +157,8 @@ you custom configuration files. We're here to answer
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip addr show<br> <font color="#009900"><b>ip addr
show<br>
<br> <br>
</b></font></li> </b></font></li>
@ -156,15 +167,16 @@ you custom configuration files. We're here to answer
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip route show<br> <font color="#009900"><b>ip route
show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>If your kernel is modularized, the exact <li>If your kernel is modularized,
output from<br> the exact output from<br>
<br> <br>
<font color="#009900"><b>lsmod</b></font><br> <font color="#009900"><b>lsmod</b></font><br>
</li> </li>
@ -183,8 +195,8 @@ you custom configuration files. We're here to answer
<br> <br>
2. Try the connection that is failing.<br> 2. Try the connection that is failing.<br>
<br> <br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; 3.<b><font color="#009900"> /sbin/shorewall status
/tmp/status.txt</font></b><br> &gt; /tmp/status.txt</font></b><br>
<br> <br>
4. Post the /tmp/status.txt file as an attachment.<br> 4. Post the /tmp/status.txt file as an attachment.<br>
<br> <br>
@ -193,47 +205,48 @@ you custom configuration files. We're here to answer
style="color: green; font-weight: bold;">ping</code> failure responses<br> style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br> <br>
</li> </li>
<li>If you installed Shorewall using one of the QuickStart Guides, <li>If you installed Shorewall using one of the QuickStart
please indicate which one. <br> Guides, please indicate which one. <br>
<br> <br>
</li> </li>
<li><b>If you are running Shorewall under Mandrake using the Mandrake <li><b>If you are running Shorewall under Mandrake using the
installation of Shorewall, please say so.<br> Mandrake installation of Shorewall, please say so.<br>
<br> <br>
</b></li> </b></li>
</ul> </ul>
<li>As a <li>As
general matter, please <strong>do not edit the diagnostic information</strong> a general matter, please <strong>do not edit the diagnostic
in an attempt to conceal your IP address, netmask, nameserver information</strong> in an attempt to conceal your IP address,
addresses, domain name, etc. These aren't secrets, and concealing netmask, nameserver addresses, domain name, etc. These aren't
them often misleads us (and 80% of the time, a hacker could derive them secrets, and concealing them often misleads us (and 80% of the time,
anyway from information contained in the SMTP headers of your post).<br> a hacker could derive them anyway from information contained in
the SMTP headers of your post).<br>
<br> <br>
<strong></strong></li> <strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font <li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If so, include you exercise the function that is giving you problems? If so,
the message(s) in your post along with a copy of your /etc/shorewall/interfaces include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br> file.<br>
<br> <br>
</li> </li>
<li>Please include any of the Shorewall configuration files <li>Please include any of the Shorewall configuration
(especially the /etc/shorewall/hosts file if you have files (especially the /etc/shorewall/hosts file if
modified that file) that you think are relevant. If you have modified that file) that you think are relevant.
you include /etc/shorewall/rules, please include /etc/shorewall/policy If you include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).<br> as well (rules are meaningless unless one also knows the policies).<br>
<br> <br>
</li> </li>
<li>If an error occurs when you try to "<font <li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a trace color="#009900"><b>shorewall start</b></font>", include a trace
(See the <a href="troubleshoot.htm">Troubleshooting</a> section for (See the <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
instructions).<br> section for instructions).<br>
<br> <br>
</li> </li>
<li><b>The list server limits posts to 120kb so don't post <li><b>The list server limits posts to 120kb so don't
GIFs of your network layout, etc. to the Mailing post GIFs of your network layout, etc. to
List -- your post will be rejected.</b></li> the Mailing List -- your post will be rejected.</b></li>
</ul> </ul>
@ -250,59 +263,57 @@ rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br> my policy to allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian I think that blocking all HTML is
way to control spam and that the ultimate losers here are not a Draconian way to control spam and that the ultimate losers
the spammers but the list subscribers whose MTAs are bouncing here are not the spammers but the list subscribers whose MTAs
all shorewall.net mail. As one list subscriber wrote to me privately are bouncing all shorewall.net mail. As one list subscriber wrote
"These e-mail admin's need to get a <i>(expletive deleted)</i> life to me privately "These e-mail admin's need to get a <i>(expletive
instead of trying to rid the planet of HTML based e-mail". Nevertheless, deleted)</i> life instead of trying to rid the planet of HTML based
to allow subscribers to receive list posts as must as possible, I e-mail". Nevertheless, to allow subscribers to receive list posts
have now configured the list server at shorewall.net to strip all HTML as must as possible, I have now configured the list server at shorewall.net
from outgoing posts.<br> to strip all HTML from outgoing posts.<br>
</blockquote> </blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote> <blockquote> <b>If you have a <u>quick</u> question about
capabilities or where to find something, you may use the</b> <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <u><b>DO NOT POST THE OUTPUT OF "shorewall status" TO THE FORUM;
I WON'T LOOK AT IT.</b></u> <b>If you need to supply "shorewall status"
output, use the appropriate mailing list below.</b><br>
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF to the <a
Users mailing list</a>.</span></h4> href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft <b>If you run Shorewall under MandrakeSoft
Multi Network Firewall (MNF) and you have not purchased an MNF Multi Network Firewall (MNF) and you have not purchased an
license from MandrakeSoft then you can post non MNF-specific Shorewall MNF license from MandrakeSoft then you can post non MNF-specific
questions to the </b><a Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or the <a list</a>. <b>Do not expect to get free MNF support on the list.</b><br>
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a list</a> .</p>
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>.<br> <p> To Subscribe to the mailing list go to <a
To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br> .<br>
</p> </p>
</blockquote> </blockquote>
<p>For information on other Shorewall mailing lists, go to <a <p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br> href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p> </p>
<p align="left"><font size="2">Last Updated 4/10/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 5/12/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
<br>
</p> </p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>
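Review bot: the new forum paragraph at the top of the blockquote is bare inline text followed directly by the `<h4>`, unlike the other paragraphs in the block, so wrap it in `<p>` for consistent rendering. The rule "DO NOT POST THE OUTPUT OF 'shorewall status' TO THE FORUM" agrees with the earlier step that says to post `/tmp/status.txt` as an attachment to the list, and dropping the forum from the MNF and "Otherwise" paragraphs keeps the two consistent. Two smaller points: the "other Shorewall mailing lists" link now goes to the bare `http://lists.shorewall.net` root instead of `mailing_list.htm`, so check that the root page actually lists them; and "as must as possible" in the re-wrapped HTML paragraph is a pre-existing typo for "as much as possible" that could be fixed while these lines are being touched.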

View File

@ -55,9 +55,9 @@ local network.</li>
<p>Shorewall requires that you have the iproute/iproute2 package installed <p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b> program tell if this package is installed by the presence of an <b>ip</b>
on your firewall system. As root, you can use the 'which' command to program on your firewall system. As root, you can use the 'which'
check for this program:</p> command to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -74,15 +74,16 @@ tell if this package is installed by the presence of an <b>ip</b> program
    If you edit your configuration files on a Windows system,     If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them. Similarly, or you must run them through dos2unix before trying to use them. Similarly,
if you copy a configuration file from your Windows hard drive to a floppy if you copy a configuration file from your Windows hard drive to a
disk, you must run dos2unix against the copy before using it with Shorewall.</p> floppy disk, you must run dos2unix against the copy before using it with
Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li> Version of dos2unix</a></li>
<li><a <li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
dos2unix</a></li> of dos2unix</a></li>
</ul> </ul>
@ -91,17 +92,17 @@ tell if this package is installed by the presence of an <b>ip</b> program
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a /etc/shorewall -- for simple setups, you will only need to deal with
few of these as described in this guide. After you have <a a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface href="http://www.shorewall.net/pub/shorewall/Samples/">three-interface
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy
the files to /etc/shorewall (the files will replace files with the same the files to /etc/shorewall (the files will replace files with the
names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p> same names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions file on your system -- each file contains detailed configuration
and default entries.</p> instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the three-interface sample configuration, set of <i>zones.</i> In the three-interface sample configuration,
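Review bot: the changed `href` for the sample download now points at the directory http://www.shorewall.net/pub/shorewall/Samples/ instead of the three-interfaces.tgz archive, yet the sentence that follows still tells the reader to run "tar -zxvf three-interfaces.tgz"; either keep a direct link to the archive or say which file to pick from the listing. While these lines are being rewrapped, the duplicated "and and copy" should also become "and copy".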
@ -235,8 +236,8 @@ firewall to the internet (if you uncomment the additional policy)</li>
</ol> </ol>
<p><img border="0" src="images/BD21298_1.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy file and     At this point, edit your /etc/shorewall/policy file
make any changes that you wish.</p> and make any changes that you wish.</p>
<h2 align="left">Network Interfaces</h2> <h2 align="left">Network Interfaces</h2>
@ -245,9 +246,9 @@ firewall to the internet (if you uncomment the additional policy)</li>
</p> </p>
<p align="left">The firewall has three network interfaces. Where Internet <p align="left">The firewall has three network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> connectivity is through a cable or DSL "Modem", the <i>External
will be the ethernet adapter that is connected to that "Modem" (e.g., Interface</i> will be the ethernet adapter that is connected to
<b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint that "Modem" (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect
@ -262,22 +263,22 @@ If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0, <p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local eth1 or eth2) and will be connected to a hub or switch. Your local
computers will be connected to the same switch (note: If you have only computers will be connected to the same switch (note: If you have
a single local system, you can connect the firewall directly to the only a single local system, you can connect the firewall directly to
computer using a <i>cross-over </i> cable).</p> the computer using a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your (eth0, eth1 or eth2) and will be connected to a hub or switch. Your
DMZ computers will be connected to the same switch (note: If you have DMZ computers will be connected to the same switch (note: If you have
only a single DMZ system, you can connect the firewall directly to the only a single DMZ system, you can connect the firewall directly to
computer using a <i>cross-over </i> cable).</p> the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
</b></u>Do not connect more than one interface to the same </b></u>Do not connect more than one interface to the same
hub or switch (even for testing). It won't work the way that you expect hub or switch (even for testing). It won't work the way that you
it to and you will end up confused and believing that Shorewall doesn't expect it to and you will end up confused and believing that Shorewall
work at all.</p> doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
@ -285,18 +286,19 @@ hub or switch (even for testing). It won't work the way that you expect
that the external interface is <b>eth0, </b>the local interface is that the external interface is <b>eth0, </b>the local interface is
<b>eth1 </b>and the DMZ interface is <b> eth2</b>. If your configuration <b>eth1 </b>and the DMZ interface is <b> eth2</b>. If your configuration
is different, you will have to modify the sample /etc/shorewall/interfaces is different, you will have to modify the sample /etc/shorewall/interfaces
file accordingly. While you are there, you may wish to review the list file accordingly. While you are there, you may wish to review the
of options that are specified for the interfaces. Some hints:</p> list of options that are specified for the interfaces. Some hints:</p>
<ul> <ul>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p> you can replace the "detect" in the second column with "-".
</p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the or if you have a static IP address, you can remove "dhcp" from
option list. </p> the option list. </p>
</li> </li>
</ul> </ul>
@ -306,14 +308,14 @@ is different, you will have to modify the sample /etc/shorewall/interfaces
<p align="left">Before going further, we should say a few words about Internet <p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
a single <i> Public</i> IP address. This address may be assigned via a single <i> Public</i> IP address. This address may be assigned via
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of establishing the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
your connection when you dial in (standard modem) or establish your PPP establishing your connection when you dial in (standard modem) or establish
connection. In rare cases, your ISP may assign you a<i> static</i> IP your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
address; that means that you configure your firewall's external interface IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>Regardless of how the address to use that address permanently.<i> </i>Regardless of how the address
is assigned, it will be shared by all of your systems when you access the is assigned, it will be shared by all of your systems when you access
Internet. You will have to assign your own addresses for your internal network the Internet. You will have to assign your own addresses for your internal
(the local and DMZ Interfaces on your firewall plus your other computers). network (the local and DMZ Interfaces on your firewall plus your other computers).
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p> RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left"> <div align="left">
@ -323,8 +325,8 @@ RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    Before starting Shorewall, you should look at the IP     Before starting Shorewall, you should look at the
address of your external interface and if it is one of the above IP address of your external interface and if it is one of the above
ranges, you should remove the 'norfc1918' option from the external ranges, you should remove the 'norfc1918' option from the external
interface's entry in /etc/shorewall/interfaces.</p> interface's entry in /etc/shorewall/interfaces.</p>
</div> </div>
@ -333,14 +335,14 @@ interface's entry in /etc/shorewall/interfaces.</p>
<p align="left">You will want to assign your local addresses from one <i> <p align="left">You will want to assign your local addresses from one <i>
sub-network </i>or <i>subnet</i> and your DMZ addresses from another sub-network </i>or <i>subnet</i> and your DMZ addresses from another
subnet. For our purposes, we can consider a subnet to consists of subnet. For our purposes, we can consider a subnet to consists of
a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have
<i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved
as the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet as the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet
Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR)</a> notation with consists of the subnet address followed </i>(CIDR)</a> notation with consists of the subnet address followed
by "/24". The "24" refers to the number of consecutive "1" bits from by "/24". The "24" refers to the number of consecutive "1" bits
the left of the subnet mask. </p> from the left of the subnet mask. </p>
</div> </div>
<div align="left"> <div align="left">
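Review bot: two grammar slips survive the rewrap of the subnet paragraph: "consider a subnet to consists of" should read "to consist of", and "(CIDR) notation with consists of the subnet address" should read "which consists of"; since the lines are already being touched, fix them in the same change.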
@ -390,18 +392,18 @@ example) or the last usable address (10.10.10.254).</p>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    Your local computers (Local Computers 1 &amp; 2) should     Your local computers (Local Computers 1 &amp; 2)
be configured with their<i> default gateway</i> set to the IP address should be configured with their<i> default gateway</i> set to the
of the firewall's internal interface and your DMZ computers ( DMZ IP address of the firewall's internal interface and your DMZ computers
Computers 1 &amp; 2) should be configured with their default gateway ( DMZ Computers 1 &amp; 2) should be configured with their default
set to the IP address of the firewall's DMZ interface.   </p> gateway set to the IP address of the firewall's DMZ interface.   </p>
</div> </div>
<p align="left">The foregoing short discussion barely scratches the surface <p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals: more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas What Everyone Needs to Know about Addressing &amp; Routing",</i>
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured <p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p> your network as shown here:</p>
@ -417,33 +419,33 @@ example) or the last usable address (10.10.10.254).</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt=""> height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign     <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign
your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24 your external interface an RFC 1918 address. If that address is in the
subnet then you will need to select a DIFFERENT RFC 1918 subnet for your 10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC 1918
local network and if it is in the 10.10.11.0/24 subnet then you will need subnet for your local network and if it is in the 10.10.11.0/24 subnet then
to select a different RFC 1918 subnet for your DMZ.</b><br> you will need to select a different RFC 1918 subnet for your DMZ.</b><br>
</p> </p>
<p align="left">IP Masquerading (SNAT)</p> <p align="left">IP Masquerading (SNAT)</p>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred <p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When one forward packets which have an RFC-1918 destination address. When
of your local systems (let's assume local computer 1) sends a connection one of your local systems (let's assume local computer 1) sends a
request to an internet host, the firewall must perform <i>Network Address connection request to an internet host, the firewall must perform
Translation </i>(NAT). The firewall rewrites the source address in the <i>Network Address Translation </i>(NAT). The firewall rewrites the
packet to be the address of the firewall's external interface; in other source address in the packet to be the address of the firewall's external
words, the firewall makes it look as if the firewall itself is initiating interface; in other words, the firewall makes it look as if the firewall
the connection.  This is necessary so that the destination host will itself is initiating the connection.  This is necessary so that the
be able to route return packets back to the firewall (remember that destination host will be able to route return packets back to the firewall
packets whose destination address is reserved by RFC 1918 can't be routed (remember that packets whose destination address is reserved by RFC
accross the internet). When the firewall receives a return packet, it 1918 can't be routed accross the internet). When the firewall receives
rewrites the destination address back to 10.10.10.1 and forwards the a return packet, it rewrites the destination address back to 10.10.10.1
packet on to local computer 1. </p> and forwards the packet on to local computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i> <p align="left">On Linux systems, the above process is often referred to
IP Masquerading</i> and you will also see the term <i>Source Network Address as<i> IP Masquerading</i> and you will also see the term <i>Source Network
Translation </i>(SNAT) used. Shorewall follows the convention used with Address Translation </i>(SNAT) used. Shorewall follows the convention used
Netfilter:</p> with Netfilter:</p>
<ul> <ul>
<li> <li>
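Review bot: "accross the internet" in the rewrapped NAT paragraph is still misspelled and should be "across"; the rest of this hunk is line rewrapping only and the description of how the firewall rewrites the source address is unchanged.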
@ -465,8 +467,8 @@ packet on to local computer 1. </p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    If your external firewall interface is <b>eth0</b>, your     If your external firewall interface is <b>eth0</b>, your
local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b>
you do not need to modify the file provided with the sample. Otherwise, then you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change it to match your configuration.</p> edit /etc/shorewall/masq and change it to match your configuration.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
@ -481,8 +483,8 @@ your static IP in column 3 makes <br>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt=""> height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf     If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, change file to ensure that the following are set correctly; if they are not,
them appropriately:<br> change them appropriately:<br>
</p> </p>
<ul> <ul>
@ -496,12 +498,12 @@ your static IP in column 3 makes <br>
<p align="left">One of your goals will be to run one or more servers on your <p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses, it DMZ computers. Because these computers have RFC-1918 addresses, it
is not possible for clients on the internet to connect directly to them. is not possible for clients on the internet to connect directly to
It is rather necessary for those clients to address their connection them. It is rather necessary for those clients to address their connection
requests to your firewall who rewrites the destination address to the requests to your firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When your address of your server and forwards the packet to that server. When
server responds, the firewall automatically performs SNAT to rewrite your server responds, the firewall automatically performs SNAT to
the source address in the response.</p> rewrite the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i> <p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure Destination Network Address Translation</i> (DNAT). You configure
@ -538,8 +540,8 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
</table> </table>
</blockquote> </blockquote>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be <p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
the same as <i>&lt;port&gt;</i>.</p> be the same as <i>&lt;port&gt;</i>.</p>
<p>Example - you run a Web Server on DMZ 2 and you want to forward incoming <p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
TCP port 80 to that system:</p> TCP port 80 to that system:</p>
@ -621,8 +623,8 @@ following rule and try connecting to port 5000 (e.g., connect to <a
</blockquote> </blockquote>
<p>If you want to be able to access your server from the local network using <p>If you want to be able to access your server from the local network using
your external address, then if you have a static external IP you can your external address, then if you have a static external IP you
replace the loc-&gt;dmz rule above with:</p> can replace the loc-&gt;dmz rule above with:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -703,10 +705,10 @@ servers. </p>
<p align="left">Normally, when you connect to your ISP, as part of getting <p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will will be automatically configured (e.g., the /etc/resolv.conf file
be written). Alternatively, your ISP may have given you the IP address will be written). Alternatively, your ISP may have given you the IP
of a pair of DNS <i> name servers</i> for you to manually configure as address of a pair of DNS <i> name servers</i> for you to manually configure
your primary and secondary name servers. It is <u>your</u> responsibility as your primary and secondary name servers. It is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one to configure the resolver in your internal systems. You can take one
of two approaches:</p> of two approaches:</p>
@ -724,16 +726,16 @@ servers. </p>
<p align="left"><img border="0" src="images/BD21298_2.gif" <p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13"> width="13" height="13">
    You can configure a<i> Caching Name Server </i>on your     You can configure a<i> Caching Name Server </i>on your
firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching name firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching
server (which also requires the 'bind' RPM) and for Bering users, name server (which also requires the 'bind' RPM) and for Bering
there is dnscache.lrp. If you take this approach, you configure your users, there is dnscache.lrp. If you take this approach, you configure
internal systems to use the caching name server as their primary (and your internal systems to use the caching name server as their primary
only) name server. You use the internal IP address of the firewall (10.10.10.254 (and only) name server. You use the internal IP address of the firewall
in the example above) for the name server address if you choose to (10.10.10.254 in the example above) for the name server address if
run the name server on your firewall. To allow your local systems to you choose to run the name server on your firewall. To allow your local
talk to your caching name server, you must open port 53 (both UDP systems to talk to your caching name server, you must open port 53
and TCP) from the local network to the server; you do that by adding (both UDP and TCP) from the local network to the server; you do that
the rules in /etc/shorewall/rules. </p> by adding the rules in /etc/shorewall/rules. </p>
</li> </li>
</ul> </ul>
@ -900,8 +902,8 @@ the rules in /etc/shorewall/rules. </p>
<div align="left"> <div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be <p align="left">Those rules allow DNS access from your firewall and may be
removed if you commented out the line in /etc/shorewall/policy allowing removed if you commented out the line in /etc/shorewall/policy
all connections from the firewall to the internet.</p> allowing all connections from the firewall to the internet.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1041,8 +1043,8 @@ uses, look <a href="ports.htm">here</a>.</p>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you the internet because it uses clear text (even for login!). If
want shell access to your firewall from the internet, use SSH:</p> you want shell access to your firewall from the internet, use SSH:</p>
</div> </div>
<div align="left"> <div align="left">
@ -1178,9 +1180,9 @@ set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
the internet, do not issue a "shorewall stop" command unless you the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> create an <i><a href="configuration_file_basics.htm#Configs">alternate
and test it using the <a configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div> </div>
@ -1205,5 +1207,6 @@ set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -32,14 +32,14 @@
<p align="left"><small><i><u>Notes du traducteur</u> :<br> <p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n?est pas des plus précis (loin de là...). Je ne me suis pas attaché à une n?est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
traduction exacte du texte, mais plutôt à en faire une version française traduction exacte du texte, mais plutôt à en faire une version française intelligible
intelligible par tous (et par moi). Les termes techniques sont la plupart par tous (et par moi). Les termes techniques sont la plupart du temps conservés
du temps conservés sous leur forme originale et mis entre parenthèses car sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
vous pouvez les retrouver dans le reste des documentations ainsi que dans dans le reste des documentations ainsi que dans les fichiers de configuration.
les fichiers de configuration. N?hésitez pas à me contacter afin d?améliorer N?hésitez pas à me contacter afin d?améliorer ce document <a
ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM
(merci à JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour
Tom EASTEP pour son formidable outil et sa disponibilité).</i></small></p> son formidable outil et sa disponibilité).</i></small></p>
<p align="left"><br> <p align="left"><br>
Mettre en place un système linux en tant que firewall pour un petit réseau Mettre en place un système linux en tant que firewall pour un petit réseau
@ -66,17 +66,17 @@ RTC, ...</li>
height="635"> height="635">
</p> </p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous <p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
pouvez voir si le paquet est installé en vérifiant la présence du programme Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which' ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p> pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide pour <p>Je vous recommande dans un premier temps de parcourir tout le guide pour
vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant vous familiariser avec ce qu'il va se passer, et de revenir au début en
le changements dans votre configuration. Les points où, les changements dans effectuant le changements dans votre configuration. Les points où, les changements
la configuration sont recommandées, sont signalés par une <img dans la configuration sont recommandées, sont signalés par une <img
border="0" src="images/BD21298_.gif" width="13" height="13"> border="0" src="images/BD21298_.gif" width="13" height="13">
</p> </p>
@ -85,14 +85,14 @@ la configuration sont recommand
devez les sauver comme des fichiers Unix si votre éditeur offre cette option devez les sauver comme des fichiers Unix si votre éditeur offre cette option
sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser. sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
De la même manière, si vous copiez un fichier de configuration depuis votre De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la copie disque dur Windows vers une disquette, vous devez lancer dos2unix sur la
avant de l'utiliser avec Shorewall.</p> copie avant de l'utiliser avec Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
of dos2unix</a></li> Version of dos2unix</a></li>
</ul> </ul>
@ -104,11 +104,11 @@ of dos2unix</a></li>
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec /etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez la configuration href="Install.htm">installé Shorewall</a>, <b>téléchargez la configuration
d'exemple <a d'exemple <a href="http://www1.shorewall.net/pub/shorewall/Samples/">three-interface
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
sample</a>, un-tarez la (tar -zxvf three-interfaces.tgz) </b><b>et copiez sample</a>, un-tarez la (tar -zxvf three-interfaces.tgz) </b><b>et copiez
les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même
déjà existant dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p> nom déjà existant dans /etc/shorewall installés lors de l'installation de
Shorewall)</b>.</p>
<p>En même temps que chacun des fichiers est présenté, je vous suggère de <p>En même temps que chacun des fichiers est présenté, je vous suggère de
jeter un oeil à ceux qui se trouvent réellement sur votre système -- chacun jeter un oeil à ceux qui se trouvent réellement sur votre système -- chacun
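Review bot: the new download link on the changed lines points at a directory (http://www1.shorewall.net/pub/shorewall/Samples/) while the instruction that follows still reads "un-tarez la (tar -zxvf three-interfaces.tgz)"; either link the tarball itself or tell the reader which file to fetch from that directory, otherwise the tar command names a file the link does not deliver.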
@ -144,8 +144,8 @@ trois zones sont d
<p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p> <p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone - <p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p> - par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées <p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p> en utilisant les termes de zones.</p>
@ -161,10 +161,11 @@ dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les <p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules. demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première politique Si aucune des règles dans ce fichier ne correspondent, alors la première
dans /etc/shorewall/policy qui y correspond est appliquée. Si cette politique politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
est REJECT ou DROP la requête est alors comparée par rapport aux règles contenues politique est REJECT ou DROP la requête est alors comparée par rapport aux
dans /etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p> règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface <p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface
sample a les politiques suivantes :</p> sample a les politiques suivantes :</p>
@ -262,14 +263,14 @@ que vous d
</p> </p>
<p align="left">Le firewall a trois interfaces de réseau. Lorsque la connexion <p align="left">Le firewall a trois interfaces de réseau. Lorsque la connexion
Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL (non Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL
USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur (non USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
sur lequel est connecté le routeur (e.g., eth0) à moins que vous ne vous sur lequel est connecté le routeur (e.g., eth0) à moins que vous ne vous
connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling
Protocol (PPTP), dans ce cas l'interface extérieure sera une interface de Protocol (PPTP), dans ce cas l'interface extérieure sera une interface de
type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC), votre type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC),
interface extérieure sera aussi ppp0. Si votre connexion passe par Numéris votre interface extérieure sera aussi ppp0. Si votre connexion passe par
(ISDN), votre interface extérieure sera ippp0<b>.</b></p> Numéris (ISDN), votre interface extérieure sera ippp0<b>.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
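Review bot: "Point-to-PointProtocol overEthernet (PPPoE)" and "Point-to-PointTunneling Protocol (PPTP)" in this hunk's context lines are missing spaces and survive the re-wrap unchanged; since the paragraph is being touched anyway, write "Point-to-Point Protocol over Ethernet" and "Point-to-Point Tunneling Protocol".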
@ -284,24 +285,24 @@ un <i>c
<p align="left">Votre <i>interface DMZ</i> sera aussi un adaptateur Ethernet <p align="left">Votre <i>interface DMZ</i> sera aussi un adaptateur Ethernet
(eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs (eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs
appartenant à la DMZ seront connectés à ce même switch (note : si vous n'avez appartenant à la DMZ seront connectés à ce même switch (note : si vous
qu'un seul ordinateur dans la DMZ, vous pouvez le connecter directement au n'avez qu'un seul ordinateur dans la DMZ, vous pouvez le connecter directement
firewall par un <i>câble croisé</i>).</p> au firewall par un <i>câble croisé</i>).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
</b></u> Ne connectez pas l'interface interne et externe sur le même hub </b></u> Ne connectez pas l'interface interne et externe sur le même hub
ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez pas que ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez pas
ce soit shorewall qui ne marche pas.</p> que ce soit shorewall qui ne marche pas.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
L'exemple de configuration de Shorewall pour trois interfaces suppose que L'exemple de configuration de Shorewall pour trois interfaces suppose
l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1 </b> et que l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1
que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diffère, </b> et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence. diffère, vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces
Tant que vous y êtes, vous pourriez parcourir la liste des options qui sont en conséquence. Tant que vous y êtes, vous pourriez parcourir la liste des
spécifiées pour les interfaces. Quelques trucs :</p> options qui sont spécifiées pour les interfaces. Quelques trucs :</p>
<ul> <ul>
<li> <li>
@ -309,9 +310,9 @@ sp
remplacer le "detect" dans la seconde colonne par un "-". </p> remplacer le "detect" dans la seconde colonne par un "-". </p>
</li> </li>
<li> <li>
<p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien si <p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien
vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la liste si vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la
d'option. </p> liste d'option. </p>
</li> </li>
</ul> </ul>
@ -323,14 +324,15 @@ sujet du Protocole d'adresse Internet (IP). Normalement, votre fournisseur
Internet (ISP) vous assignera une seule adresse IP (single Public IP address). Internet (ISP) vous assignera une seule adresse IP (single Public IP address).
Cette adresse peut être assignée par le Dynamic Host Configuration Protocol Cette adresse peut être assignée par le Dynamic Host Configuration Protocol
(DHCP) ou lors de l'établissement de votre connexion lorsque vous vous connectez (DHCP) ou lors de l'établissement de votre connexion lorsque vous vous connectez
(modem standard) ou établissez votre connexion PPP. Dans de rares cas , votre (modem standard) ou établissez votre connexion PPP. Dans de rares cas ,
provider peu vous assigner une adresse statique (staticIP address); cela signifie votre provider peu vous assigner une adresse statique (staticIP address);
que vous configurez votre interface externe sur votre firewall afin d'utiliser cela signifie que vous configurez votre interface externe sur votre firewall
cette adresse de manière permanente. Une fois votre adresse externe assignée, afin d'utiliser cette adresse de manière permanente. Une fois votre adresse
elle va être partagée par tout vos systèmes lors de l'accès à Internet. Vous externe assignée, elle va être partagée par tout vos systèmes lors de l'accès
devrez assigner vos propres adresses à votre réseau local (votre interface à Internet. Vous devrez assigner vos propres adresses à votre réseau local
interne sur le firewall ainsi que les autres ordinateurs). La RFC 1918 réserve (votre interface interne sur le firewall ainsi que les autres ordinateurs).
plusieurs plages d'IP (Private IP address ranges) à cette fin :</p> La RFC 1918 réserve plusieurs plages d'IP (Private IP address ranges) à
cette fin :</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
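Review bot: the re-wrapped lines keep "Dans de rares cas ," (stray space before the comma), "votre provider peu vous assigner" ("peut") and "staticIP address" (missing space); fix these while the paragraph is being reflowed so the wrap is not the only change made to it.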
@ -351,12 +353,12 @@ sous-r
en une plage d'adresse x.y.z.0 à x.y.z.255. Chacun des sous-réseaux possèdera en une plage d'adresse x.y.z.0 à x.y.z.255. Chacun des sous-réseaux possèdera
une masque (<i>Subnet Mask)</i> de 255.255.255.0. L'adresse x.y.z.0 est une masque (<i>Subnet Mask)</i> de 255.255.255.0. L'adresse x.y.z.0 est
réservée comme l'adresse du sous-réseau (<i>Subnet Address)</i> et x.y.z.255 réservée comme l'adresse du sous-réseau (<i>Subnet Address)</i> et x.y.z.255
est réservée en tant qu'adresse de broadcast du sous-réseau (<i>Subnet Broadcast</i> est réservée en tant qu'adresse de broadcast du sous-réseau (<i>Subnet
<i>Address)</i>. Sous Shorewall, un sous-réseau est décrit/désigné en utilisant Broadcast</i> <i>Address)</i>. Sous Shorewall, un sous-réseau est décrit/désigné
la notation <a href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain en utilisant la notation <a href="shorewall_setup_guide.htm#Subnets"><i>Classless
Routing</i>(CIDR)</a> qui consiste en l'adresse du sous-réseau suivie par InterDomain Routing</i>(CIDR)</a> qui consiste en l'adresse du sous-réseau
"/24". Le "24" se réfère au nombre de bits "1" consécutifs dans la partie suivie par "/24". Le "24" se réfère au nombre de bits "1" consécutifs dans
gauche du masque de sous-réseau. </p> la partie gauche du masque de sous-réseau. </p>
</div> </div>
<div align="left"> <div align="left">
@ -391,17 +393,17 @@ gauche du masque de sous-r
</div> </div>
<div align="left"> <div align="left">
<p align="left">Il est de convention d'assigner à l'interface interne la première <p align="left">Il est de convention d'assigner à l'interface interne la
adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple précédent) première adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple
ou la dernière utilisable (10.10.10.254).</p> précédent) ou la dernière utilisable (10.10.10.254).</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">L'un des buts d'un sous-réseau est de permettre à tous les <p align="left">L'un des buts d'un sous-réseau est de permettre à tous les
ordinateurs dans le sous-réseau de savoir avec quels autres ordinateurs ils ordinateurs dans le sous-réseau de savoir avec quels autres ordinateurs
peuvent communiquer directement. Pour communiquer avec des systèmes en dehors ils peuvent communiquer directement. Pour communiquer avec des systèmes
du sous-réseau, les ordinateurs envoient des paquets à travers le gateway en dehors du sous-réseau, les ordinateurs envoient des paquets à travers
(routeur).</p> le gateway (routeur).</p>
</div> </div>
<div align="left"> <div align="left">
@ -410,15 +412,15 @@ du sous-r
Vos ordinateurs locaux (ordinateur local 1 et 2) devraient être configurés Vos ordinateurs locaux (ordinateur local 1 et 2) devraient être configurés
avec leur passerelle par défaut (<i>default gateway)</i>pointant sur l'adresse avec leur passerelle par défaut (<i>default gateway)</i>pointant sur l'adresse
IP de l'interface interne du firewall, et les ordinateurs de la DMZ devraient IP de l'interface interne du firewall, et les ordinateurs de la DMZ devraient
être configurés avec leur passerelle par défaut (<i>default gateway)</i> pointant être configurés avec leur passerelle par défaut (<i>default gateway)</i>
sur l'adresse IP de l'interface DMZ du firewall. </p> pointant sur l'adresse IP de l'interface DMZ du firewall. </p>
</div> </div>
<p align="left">Cette courte description ne fait que survoler les concepts <p align="left">Cette courte description ne fait que survoler les concepts
de routage et de sous-réseau. Si vous vous voulez en apprendre plus sur l'adressage de routage et de sous-réseau. Si vous vous voulez en apprendre plus sur
IP et le routage, je vous recommande chaudement <i>"IP Fundamentals: What l'adressage IP et le routage, je vous recommande chaudement <i>"IP Fundamentals:
Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas A. What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p> A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">Pour rappel, ce guide supposera que vous avez configuré votre <p align="left">Pour rappel, ce guide supposera que vous avez configuré votre
réseau comme montrer ci-dessous :</p> réseau comme montrer ci-dessous :</p>
@ -436,22 +438,23 @@ en local sera 10.10.10.254.</p>
<p align="left">Les adresses réservées par la RFC 1918 sont parfois désignées <p align="left">Les adresses réservées par la RFC 1918 sont parfois désignées
comme non-routables car les routeurs Internet (backbone) ne font pas circuler comme non-routables car les routeurs Internet (backbone) ne font pas circuler
les paquets qui ont une adresse de destination appartenant à la RFC-1918. les paquets qui ont une adresse de destination appartenant à la RFC-1918.
Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une connexion Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une
à un serveur par Internet, le firewall doit appliquer un NAT (Network Address connexion à un serveur par Internet, le firewall doit appliquer un NAT (Network
Translation). Le firewall ré écrit l'adresse source dans le paquet, et l'a Address Translation). Le firewall ré écrit l'adresse source dans le paquet,
remplace par l'adresse de l'interface externe du firewall; en d'autres mots, et l'a remplace par l'adresse de l'interface externe du firewall; en d'autres
le firewall fait croire que c'est lui même qui initie la connexion. Ceci mots, le firewall fait croire que c'est lui même qui initie la connexion.
est nécessaire afin que l'hôte de destination soit capable de renvoyer les Ceci est nécessaire afin que l'hôte de destination soit capable de renvoyer
paquets au firewall (souvenez vous que les paquets qui ont pour adresse de les paquets au firewall (souvenez vous que les paquets qui ont pour adresse
destination, une adresse réservée par la RFC 1918 ne pourront pas être routés de destination, une adresse réservée par la RFC 1918 ne pourront pas être
à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse à routés à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse
l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet à l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet
l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur
1. </p> 1. </p>
<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de l'IP <p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de
Masquerading mais vous verrez aussi le terme de Source Network Address Translation l'IP Masquerading mais vous verrez aussi le terme de Source Network Address
(SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter :</p> Translation (SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter
:</p>
<ul> <ul>
<li> <li>
@ -480,8 +483,8 @@ le fichier fourni avec l'exemple. Dans le cas contraire,
Si votre IP externe est statique, vous pouvez la mettre dans la troisième Si votre IP externe est statique, vous pouvez la mettre dans la troisième
colonne dans /etc/shorewall/masq si vous le désirez, de toutes façons votre colonne dans /etc/shorewall/masq si vous le désirez, de toutes façons votre
firewall fonctionnera bien si vous laissez cette colonne vide. Le fait de firewall fonctionnera bien si vous laissez cette colonne vide. Le fait de
mettre votre IP statique dans la troisième colonne permet un traitement des mettre votre IP statique dans la troisième colonne permet un traitement
paquets sortant un peu plus efficace.<br> des paquets sortant un peu plus efficace.<br>
</p> </p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
@ -504,9 +507,10 @@ faite les changements n
serveurs sur nos ordinateurs dans la DMZ. que ces ordinateurs on une adresse serveurs sur nos ordinateurs dans la DMZ. que ces ordinateurs on une adresse
RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter
directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes
de connexion au firewall qui ré écrit l'adresse de destination de votre serveur, de connexion au firewall qui ré écrit l'adresse de destination de votre
et fait passer le paquet à celui-ci. Lorsque votre serveur répond, le firewall serveur, et fait passer le paquet à celui-ci. Lorsque votre serveur répond,
applique automatiquement un SNAT pour ré écrire l'adresse source dans la réponse.</p> le firewall applique automatiquement un SNAT pour ré écrire l'adresse source
dans la réponse.</p>
<p align="left">Ce procédé est appelé Port Forwarding ou Destination Network <p align="left">Ce procédé est appelé Port Forwarding ou Destination Network
Address Translation(DNAT). Vous configurez le port forwarding en utilisant Address Translation(DNAT). Vous configurez le port forwarding en utilisant
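Review bot: the unchanged context line "serveurs sur nos ordinateurs dans la DMZ. que ces ordinateurs on une adresse" starts a sentence with a lowercase "que" and no main clause, so the reason the DMZ hosts cannot be reached directly from the Internet is lost; restore the opening (for example "Parce que ces ordinateurs ont une adresse RFC-1918, ...") and change "on" to "ont". The two occurrences of "ré écrit" on the changed lines should be "réécrit".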
@ -531,7 +535,8 @@ est :</p>
<tr> <tr>
<td>DNAT</td> <td>DNAT</td>
<td>net</td> <td>net</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server port&gt;</i>]</td> <td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
port&gt;</i>]</td>
<td><i>&lt;protocol&gt;</i></td> <td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td> <td><i>&lt;port&gt;</i></td>
<td> <br> <td> <br>
@ -595,8 +600,9 @@ local, vous devez utiliser l'adresse IP interne du serveur (10.10.11.2).</li>
<li>Quelques fournisseurs Internet (Provider/ISP) bloquent les requêtes <li>Quelques fournisseurs Internet (Provider/ISP) bloquent les requêtes
de connexion entrantes sur le port 80. Si vous avez des problèmes pour vous de connexion entrantes sur le port 80. Si vous avez des problèmes pour vous
connecter à votre serveur web, essayez la règle suivante et connectez vous connecter à votre serveur web, essayez la règle suivante et connectez vous
sur le port 5000 (c.a.d., connectez vous à <a href="http://w.x.y.z:5000"> sur le port 5000 (c.a.d., connectez vous à <a
http://w.x.y.z:5000</a> où w.x.y.z est votre IP externe).</li> href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> où w.x.y.z est votre
IP externe).</li>
</ul> </ul>
@ -629,10 +635,10 @@ http://w.x.y.z:5000</a> o
</table> </table>
</blockquote> </blockquote>
<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur depuis <p>Si vous voulez avoir la possibilité de vous connecter à votre serveur
le réseau local en utilisant votre adresse externe, et si vous avez une adresse depuis le réseau local en utilisant votre adresse externe, et si vous avez
IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz précédente une adresse IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz
par :</p> précédente par :</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -703,8 +709,8 @@ les
</table> </table>
</blockquote> </blockquote>
<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre adresse <p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre
IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p> adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p> A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p>
@ -712,22 +718,22 @@ IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<h2 align="left">Domain Name Server (DNS)</h2> <h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normalement, quand vous vous connectez à votre fournisseur <p align="left">Normalement, quand vous vous connectez à votre fournisseur
(ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le firewall (ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le
(Domain Name Service) est configuré automatiquement (c.a.d., le fichier /etc/resolv.conf firewall (Domain Name Service) est configuré automatiquement (c.a.d., le
a été écrit). Il arrive que votre provider vous donne une paire d'adresse fichier /etc/resolv.conf a été écrit). Il arrive que votre provider vous
IP pour les DNS (name servers) afin que vous configuriez manuellement votre donne une paire d'adresse IP pour les DNS (name servers) afin que vous configuriez
serveur de nom primaire et secondaire. La manière dont le DNS est configuré manuellement votre serveur de nom primaire et secondaire. La manière dont
sur votre firewall est de votre responsabilité. Vous pouvez procéder d'une le DNS est configuré sur votre firewall est de votre responsabilité. Vous
de ses deux façons :</p> pouvez procéder d'une de ses deux façons :</p>
<ul> <ul>
<li> <li>
<p align="left">Vous pouvez configurer votre système interne pour utiliser <p align="left">Vous pouvez configurer votre système interne pour utiliser
les noms de serveurs de votre provider. Si votre fournisseur vous donne les les noms de serveurs de votre provider. Si votre fournisseur vous donne
adresses de leurs serveurs ou si ces adresses sont disponibles sur leur site les adresses de leurs serveurs ou si ces adresses sont disponibles sur leur
web, vous pouvez configurer votre système interne afin de les utiliser. Si site web, vous pouvez configurer votre système interne afin de les utiliser.
cette information n'est pas disponible, regardez dans /etc/resolv.conf sur Si cette information n'est pas disponible, regardez dans /etc/resolv.conf
votre firewall -- les noms des serveurs sont donnés dans l'enregistrement sur votre firewall -- les noms des serveurs sont donnés dans l'enregistrement
"nameserver" dans ce fichier. </p> "nameserver" dans ce fichier. </p>
</li> </li>
<li> <li>
@ -737,13 +743,14 @@ votre firewall -- les noms des serveurs sont donn
votre firewall ou dans la DMZ.<i> </i>Red Hat a un RPM pour mettre en cache votre firewall ou dans la DMZ.<i> </i>Red Hat a un RPM pour mettre en cache
un serveur de nom (le RPM requis aussi le RPM 'bind') et pour les utilisateurs un serveur de nom (le RPM requis aussi le RPM 'bind') et pour les utilisateurs
de Bering, il y a dnscache.lrp. Si vous adoptez cette approche, vous configurez de Bering, il y a dnscache.lrp. Si vous adoptez cette approche, vous configurez
votre système interne pour utiliser le firewall lui même comme étant le seul votre système interne pour utiliser le firewall lui même comme étant le
serveur de nom primaire. Vous pouvez utiliser l'adresse IP interne du firewall seul serveur de nom primaire. Vous pouvez utiliser l'adresse IP interne
(10.10.10.254 dans l'exemple) pour l'adresse de serveur de nom si vous décidez du firewall (10.10.10.254 dans l'exemple) pour l'adresse de serveur de nom
de faire tourner le serveur de nom sur votre firewall. Pour permettre à vos si vous décidez de faire tourner le serveur de nom sur votre firewall. Pour
systèmes locaux de discuter avec votre serveur cache de nom, vous devez ouvrir permettre à vos systèmes locaux de discuter avec votre serveur cache de
le port 53 (UDP ET  TCP) sur le firewall vers le réseau local; vous ferez nom, vous devez ouvrir le port 53 (UDP ET  TCP) sur le firewall vers le
ceci en ajoutant les règles suivantes dans /etc/shorewall/rules. </p> réseau local; vous ferez ceci en ajoutant les règles suivantes dans /etc/shorewall/rules.
</p>
</li> </li>
</ul> </ul>
@ -1080,9 +1087,9 @@ particuli
<div align="left"> <div align="left">
<p align="left">Important: Je ne vous recommande pas d'autoriser le telnet <p align="left">Important: Je ne vous recommande pas d'autoriser le telnet
depuis ou vers l'Internet car il utilise du texte en clair (même pour le login depuis ou vers l'Internet car il utilise du texte en clair (même pour le
et le mot de passe !). Si vous voulez avoir un accès au shell de votre firewall login et le mot de passe !). Si vous voulez avoir un accès au shell de votre
depuis Internet, utilisez SSH :</p> firewall depuis Internet, utilisez SSH :</p>
</div> </div>
<div align="left"> <div align="left">
@ -1130,12 +1137,12 @@ d
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13" <p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow"> height="13" alt="Arrow">
La <a href="Install.htm">procédure d'installation</a> configure votre système La <a href="Install.htm">procédure d'installation</a> configure votre
pour lancer Shorewall au boot du système, mais au début avec la version 1.3.9 système pour lancer Shorewall au boot du système, mais au début avec la
de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall version 1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de
avec que la configuration soit finie. Une fois que vous en avez fini avec lancer Shorewall avec que la configuration soit finie. Une fois que vous
la configuration du firewall, vous pouvez permettre le lancement de Shorewall en avez fini avec la configuration du firewall, vous pouvez permettre le
en supprimant le fichier /etc/shorewall/startup_disabled.<br> lancement de Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left">IMPORTANT: Les utilisateurs des paquets .deb doivent éditer <p align="left">IMPORTANT: Les utilisateurs des paquets .deb doivent éditer
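Review bot: the re-wrapped sentence "n'essayer pas de lancer Shorewall avec que la configuration soit finie" is unreadable as written; it should be "n'essayez pas de lancer Shorewall avant que la configuration soit finie" (imperative "essayez", "avant que" not "avec que"), since this is the warning that keeps a half-configured firewall from being started. "au début avec la version 1.3.9" is a word-for-word rendering of "starting with version 1.3.9"; "à partir de la version 1.3.9" is clearer.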
@ -1145,8 +1152,8 @@ en supprimant le fichier /etc/shorewall/startup_disabled.<br>
<div align="left"> <div align="left">
<p align="left">Le firewall est activé en utilisant la commande "shorewall <p align="left">Le firewall est activé en utilisant la commande "shorewall
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé,
routage est autorisé sur les hôtes qui possèdent une entrée dans <a le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
firewall qui tourne peut être relancé en utilisant la commande "shorewall firewall qui tourne peut être relancé en utilisant la commande "shorewall
restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
@ -1164,10 +1171,10 @@ d'h
</div> </div>
<div align="left"> <div align="left">
<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis Internet, <p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis
n'essayez pas une commande "shorewall stop" tant que vous n'avez pas ajouté Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
une entrée pour votre adresse IP (celle à partir de laquelle vous êtes connectée) pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart"; De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration </a></i><i><a href="configuration_file_basics.htm#Configs">configuration </a></i><i><a
@ -1201,5 +1208,6 @@ M. Eastep</font></a></p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -18,7 +18,6 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
src="images/obrasinf.gif" alt="Beating head on table" width="90" src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle"> height="90" align="middle">
@ -50,9 +49,8 @@
<li>shorewall debug start 2&gt; /tmp/trace</li> <li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you <li>Look at the /tmp/trace file and see if that helps you
determine what the problem is. Be sure you find the place in the log determine what the problem is. Be sure you find the place in the log
where the error message you saw is generated -- in 99.9% of the cases, it where the error message you saw is generated -- If you are using Shorewall
will not be near the end of the log because after startup errors, Shorewall 1.4.0 or later, you should find the message near the end of the log.</li>
goes through a "shorewall stop" phase which will also be traced.</li>
<li>If you still can't determine what's wrong then see the <li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li> <a href="support.htm">support page</a>.</li>
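Review bot: the replacement text on the changed lines only tells Shorewall 1.4.0 and later users where to look, and the removed explanation (that before 1.4.0 the trace continues through a "shorewall stop" phase, so the error is not near the end of the log) was the part that helped users still on 1.3.x. Keep one sentence qualified with "before 1.4.0" next to the new "near the end of the log" guidance so the instruction stays accurate for both.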
@ -73,13 +71,12 @@
<h3>Your network environment</h3> <h3>Your network environment</h3>
<p>Many times when people have problems with Shorewall, the problem is <p>Many times when people have problems with Shorewall, the problem is actually
actually an ill-conceived network setup. Here are several popular snafus: an ill-conceived network setup. Here are several popular snafus: </p>
</p>
<ul> <ul>
<li>Port Forwarding where client and server are in <li>Port Forwarding where client and server are
the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li> in the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the <li>Changing the IP address of a local system to be in the
external subnet, thinking that Shorewall will suddenly believe that external subnet, thinking that Shorewall will suddenly believe that
the system is in the 'net' zone.</li> the system is in the 'net' zone.</li>
@ -114,16 +111,14 @@ the event that you forget to remove them later.</p>
<p align="left">LOGRATE=""<br> <p align="left">LOGRATE=""<br>
LOGBURST=""</p> LOGBURST=""</p>
<p align="left">This way, you will see all of the log messages being <p align="left">This way, you will see all of the log messages being generated
generated (be sure to restart shorewall after clearing these variables).</p> (be sure to restart shorewall after clearing these variables).</p>
<p align="left">Example:</p> <p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel: OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
LEN=47</font></p>
</font> </font>
<p align="left">Let's look at the important parts of this message:</p> <p align="left">Let's look at the important parts of this message:</p>
@ -151,8 +146,8 @@ policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
</p> </p>
<h3 align="left">'Ping' Problems?</h3> <h3 align="left">'Ping' Problems?</h3>
Either can't ping when you think you should be able to or are able to ping Either can't ping when you think you should be able to or are able to
when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a ping when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
href="ping.html"> is described here</a>.<br> href="ping.html"> is described here</a>.<br>
<h3 align="left">Other Gotchas</h3> <h3 align="left">Other Gotchas</h3>
@ -160,27 +155,26 @@ policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<ul> <ul>
<li>Seeing rejected/dropped packets logged out of the INPUT <li>Seeing rejected/dropped packets logged out of the INPUT
or FORWARD chains? This means that: or FORWARD chains? This means that:
<ol> <ol>
<li>your zone definitions are screwed up and the host that <li>your zone definitions are screwed up and the host that
is sending the packets or the destination host isn't in any zone is sending the packets or the destination host isn't in any zone
(using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> (using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
file are you?); or</li> file are you?); or</li>
<li>the source and destination hosts are both connected to <li>the source and destination hosts are both connected
the same interface and you don't have a policy or rule for the to the same interface and you don't have a policy or rule for
source zone to or from the destination zone.</li> the source zone to or from the destination zone.</li>
</ol> </ol>
</li> </li>
<li>Remember that Shorewall doesn't automatically allow ICMP <li>Remember that Shorewall doesn't automatically allow ICMP
type 8 ("ping") requests to be sent between zones. If you want type 8 ("ping") requests to be sent between zones. If you want pings
pings to be allowed between zones, you need a rule of the form:<br> to be allowed between zones, you need a rule of the form:<br>
<br> <br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;        ACCEPT    &lt;source zone&gt;    &lt;destination
icmp    echo-request<br> zone&gt;    icmp    echo-request<br>
<br> <br>
The ramifications of this can be subtle. For example, if you The ramifications of this can be subtle. For example, if
have the following in /etc/shorewall/nat:<br> you have the following in /etc/shorewall/nat:<br>
<br> <br>
    10.1.1.2    eth0    130.252.100.18<br>     10.1.1.2    eth0    130.252.100.18<br>
<br> <br>
@ -190,20 +184,20 @@ and the zone containing 10.1.1.2, the ping requests will be dropped.
<li>If you specify "routefilter" for an interface, that <li>If you specify "routefilter" for an interface, that
interface must be up prior to starting the firewall.</li> interface must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems <li>Is your routing correct? For example, internal systems
usually need to be configured with their default gateway set to usually need to be configured with their default gateway set to the
the IP address of their nearest firewall interface. One often overlooked IP address of their nearest firewall interface. One often overlooked
aspect of routing is that in order for two hosts to communicate, the aspect of routing is that in order for two hosts to communicate, the
routing between them must be set up <u>in both directions.</u> So routing between them must be set up <u>in both directions.</u> So when
when setting up routing between <b>A</b> and<b> B</b>, be sure to setting up routing between <b>A</b> and<b> B</b>, be sure to verify
verify that the route from <b>B</b> back to <b>A</b> is defined.</li> that the route from <b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have <li>Some versions of LRP (EigerStein2Beta for example) have
a shell with broken variable expansion. <a a shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li> shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a <li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li> href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Shorewall requires the "ip" program. That program is <li>Shorewall requires the "ip" program. That program
generally included in the "iproute" package which should be included is generally included in the "iproute" package which should be included
with your distribution (though many distributions don't install iproute with your distribution (though many distributions don't install iproute
by default). You may also download the latest source tarball from <a by default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
@ -219,15 +213,12 @@ add all external addresses to be use with NAT unless you have set <a
<p>See the<a href="support.htm"> support page.<br> <p>See the<a href="support.htm"> support page.<br>
</a></p> </a></p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote> <blockquote> </blockquote>
</font> </font>
<p><font size="2">Last updated 2/21/2003 - Tom Eastep</font> </p> <p><font size="2">Last updated 4/29/2003 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>
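Review bot: the "Last updated" line moves to 4/29/2003 but the copyright line two lines below still reads "2001, 2002 Thomas M. Eastep."; it should be extended to include 2003 in the same change rather than left to drift.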

View File

@ -30,8 +30,8 @@
</table> </table>
<p align="left">Setting up a Linux system as a firewall for a small network <p align="left">Setting up a Linux system as a firewall for a small network
is a fairly straight-forward task if you understand the basics and is a fairly straight-forward task if you understand the basics
follow the documentation.</p> and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of <p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall Shorewall. It rather focuses on what is required to configure Shorewall
@ -59,8 +59,8 @@ local network.</li>
</b></p> </b></p>
<p><b>Note however, that the Shorewall configuration produced by Mandrake <p><b>Note however, that the Shorewall configuration produced by Mandrake
Internet Connection Sharing is strange and is apt to confuse you if you use Internet Connection Sharing is strange and is apt to confuse you if you
the rest of this documentation (it has two local zones; "loc" and "masq" use the rest of this documentation (it has two local zones; "loc" and "masq"
where "loc" is empty; this conflicts with this documentation which assumes where "loc" is empty; this conflicts with this documentation which assumes
a single local zone "loc"). We therefore recommend that once you have set a single local zone "loc"). We therefore recommend that once you have set
up this sharing that you uninstall the Mandrake Shorewall RPM and install up this sharing that you uninstall the Mandrake Shorewall RPM and install
@ -70,37 +70,37 @@ instructions in this Guide.</b><br>
<p>Shorewall requires that you have the iproute/iproute2 package installed <p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b> program tell if this package is installed by the presence of an <b>ip</b>
on your firewall system. As root, you can use the 'which' command program on your firewall system. As root, you can use the 'which'
to check for this program:</p> command to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself <p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration with what's involved then go back through it again making your
changes. Points at which configuration changes are recommended are configuration changes. Points at which configuration changes are
flagged with <img border="0" src="images/BD21298_.gif" width="13" recommended are flagged with <img border="0"
height="13"> src="images/BD21298_.gif" width="13" height="13">
. Configuration notes that are unique to LEAF/Bering are . Configuration notes that are unique to LEAF/Bering are
marked with <img src="images/leaflogo.gif" alt="(LEAF Logo)" width="49" marked with <img src="images/leaflogo.gif" alt="(LEAF Logo)"
height="36"> width="49" height="36">
</p> </p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system,     If you edit your configuration files on a Windows
you must save them as Unix files if your editor supports that option system, you must save them as Unix files if your editor supports
or you must run them through dos2unix before trying to use them. Similarly, that option or you must run them through dos2unix before trying to
if you copy a configuration file from your Windows hard drive to a use them. Similarly, if you copy a configuration file from your Windows
floppy disk, you must run dos2unix against the copy before using it with hard drive to a floppy disk, you must run dos2unix against the copy
Shorewall.</p> before using it with Shorewall.</p>
<ul> <ul>
<li><a <li><a
href="http://www.simtel.net/pub/pd/51438.html">Windows Version of href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li> dos2unix</a></li>
<li><a <li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
dos2unix</a></li> of dos2unix</a></li>
</ul> </ul>
@ -112,18 +112,17 @@ Shorewall.</p>
directory /etc/shorewall -- for simple setups, you will only need to directory /etc/shorewall -- for simple setups, you will only need to
deal with a few of these as described in this guide. After you have <a deal with a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
sample</a>, un-tar it (tar -zxvf two-interfaces.tgz) and and copy un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to
the files to /etc/shorewall (these files will replace files with /etc/shorewall (these files will replace files with the same name).</b></p>
the same name).</b></p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration file on your system -- each file contains detailed configuration
instructions and default entries.</p> instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the two-interface sample configuration, the set of <i>zones.</i> In the two-interface sample configuration,
following zone names are used:</p> the following zone names are used:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
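Review bot: the download link now points at the Samples/ directory (http://www1.shorewall.net/pub/shorewall/Samples/) instead of the tarball, yet the instruction that follows still says "un-tar it (tar -zxvf two-interfaces.tgz)", so the reader is no longer told which file in that directory to fetch; either name the archive in the text or link to it directly. The duplicated "and and copy the files" also survives the reflow and should be reduced to a single "and".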
@ -154,23 +153,23 @@ instructions and default entries.</p>
in terms of zones.</p> in terms of zones.</p>
<ul> <ul>
<li>You express your default policy for connections from <li>You express your default policy for connections
one zone to another zone in the<a from one zone to another zone in the<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li> href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in <li>You define exceptions to those default policies
the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li> in the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul> </ul>
<p>For each connection request entering the firewall, the request is first <p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that checked against the /etc/shorewall/rules file. If no rule in that
file matches the connection request then the first policy in /etc/shorewall/policy file matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or that matches the request is applied. If that policy is REJECT
DROP  the request is first checked against the rules in /etc/shorewall/common or DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has <p>The /etc/shorewall/policy file included with the two-interface sample
the following policies:</p> has the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -250,8 +249,8 @@ firewall to the internet (if you uncomment the additional policy)</li>
</ol> </ol>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy and make     At this point, edit your /etc/shorewall/policy and
any changes that you wish.</p> make any changes that you wish.</p>
<h2 align="left">Network Interfaces</h2> <h2 align="left">Network Interfaces</h2>
@ -259,9 +258,9 @@ firewall to the internet (if you uncomment the additional policy)</li>
height="635"> height="635">
</p> </p>
<p align="left">The firewall has two network interfaces. Where Internet <p align="left">The firewall has two network interfaces. Where Internet connectivity
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> is through a cable or DSL "Modem", the <i>External Interface</i> will be
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
@ -277,9 +276,9 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other (eth1 or eth0) and will be connected to a hub or switch. Your other
computers will be connected to the same hub/switch (note: If you have computers will be connected to the same hub/switch (note: If you
only a single internal system, you can connect the firewall directly have only a single internal system, you can connect the firewall
to the computer using a <i>cross-over </i> cable).</p> directly to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
@ -292,8 +291,8 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
width="13" height="13"> width="13" height="13">
    The Shorewall two-interface sample configuration assumes     The Shorewall two-interface sample configuration assumes
that the external interface is <b>eth0</b> and the internal interface that the external interface is <b>eth0</b> and the internal interface
is <b>eth1</b>. If your configuration is different, you will have to is <b>eth1</b>. If your configuration is different, you will have
modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> to modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file accordingly. While you are there, you may wish to review the file accordingly. While you are there, you may wish to review the
list of options that are specified for the interfaces. Some hints:</p> list of options that are specified for the interfaces. Some hints:</p>
@ -314,17 +313,18 @@ the option list. </p>
<h2 align="left">IP Addresses</h2> <h2 align="left">IP Addresses</h2>
<p align="left">Before going further, we should say a few words about Internet <p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you Protocol (IP) <i>addresses</i>. Normally, your ISP will assign
a single <i> Public</i> IP address. This address may be assigned via you a single <i> Public</i> IP address. This address may be assigned
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of via the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part
establishing your connection when you dial in (standard modem) or establish of establishing your connection when you dial in (standard modem) or
your PPP connection. In rare cases, your ISP may assign you a<i> static</i> establish your PPP connection. In rare cases, your ISP may assign you
IP address; that means that you configure your firewall's external interface a<i> static</i> IP address; that means that you configure your firewall's
to use that address permanently.<i> </i>However your external address external interface to use that address permanently.<i> </i>However
is assigned, it will be shared by all of your systems when you access the your external address is assigned, it will be shared by all of your systems
Internet. You will have to assign your own addresses in your internal when you access the Internet. You will have to assign your own addresses
network (the Internal Interface on your firewall plus your other computers). in your internal network (the Internal Interface on your firewall plus
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p> your other computers). RFC 1918 reserves several <i>Private </i>IP address
ranges for this purpose:</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -334,18 +334,18 @@ RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    Before starting Shorewall, you should look at the     Before starting Shorewall, you should look at the
IP address of your external interface and if it is one of the above IP address of your external interface and if it is one of the
ranges, you should remove the 'norfc1918' option from the external above ranges, you should remove the 'norfc1918' option from the
interface's entry in /etc/shorewall/interfaces.</p> external interface's entry in /etc/shorewall/interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">You will want to assign your addresses from the same <i> <p align="left">You will want to assign your addresses from the same <i>
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a to consists of a range of addresses x.y.z.0 - x.y.z.255. Such
subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255 is x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255
reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, is reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
a subnet is described using <a a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR) notation</a> with consists of the subnet address followed </i>(CIDR) notation</a> with consists of the subnet address followed
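Review bot: two grammar slips are carried over unchanged in the reflowed paragraph: "we can consider a subnet to consists of" should be "to consist of", and "notation</a> with consists of the subnet address" should read "which consists of".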
@ -400,17 +400,17 @@ bits from the left of the subnet mask. </p>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    Your local computers (computer 1 and computer 2 in     Your local computers (computer 1 and computer 2
the above diagram) should be configured with their<i> default gateway</i> in the above diagram) should be configured with their<i> default
to be the IP address of the firewall's internal interface.<i>      gateway</i> to be the IP address of the firewall's internal interface.<i>     
</i> </p> </i> </p>
</div> </div>
<p align="left">The foregoing short discussion barely scratches the surface <p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals: more about IP addressing and routing, I highly recommend <i>"IP
What Everyone Needs to Know about Addressing &amp; Routing",</i> Fundamentals: What Everyone Needs to Know about Addressing &amp;
Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p> Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured <p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p> your network as shown here:</p>
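Review bot: "The remainder of this quide" in the trailing context of this hunk is a typo for "guide"; since the paragraph is being touched anyway, fix it here.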
@ -424,23 +424,23 @@ Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt=""> height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign     <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might
your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24 assign your external interface an RFC 1918 address. If that address is
subnet then you will need to select a DIFFERENT RFC 1918 subnet for your in the 10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC
local network.</b><br> 1918 subnet for your local network.</b><br>
</p> </p>
<h2 align="left">IP Masquerading (SNAT)</h2> <h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred <p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't to as <i>non-routable</i> because the Internet backbone routers
forward packets which have an RFC-1918 destination address. When one don't forward packets which have an RFC-1918 destination address.
of your local systems (let's assume computer 1) sends a connection When one of your local systems (let's assume computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network Address request to an internet host, the firewall must perform <i>Network
Translation </i>(NAT). The firewall rewrites the source address in Address Translation </i>(NAT). The firewall rewrites the source address
the packet to be the address of the firewall's external interface; in in the packet to be the address of the firewall's external interface;
other words, the firewall makes it look as if the firewall itself is in other words, the firewall makes it look as if the firewall itself
initiating the connection.  This is necessary so that the destination is initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't that packets whose destination address is reserved by RFC 1918 can't
be routed across the internet so the remote host can't address its response be routed across the internet so the remote host can't address its response
@ -448,10 +448,10 @@ initiating the connection.
the destination address back to 10.10.10.1 and forwards the packet on the destination address back to 10.10.10.1 and forwards the packet on
to computer 1. </p> to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i> <p align="left">On Linux systems, the above process is often referred to
IP Masquerading</i> but you will also see the term <i>Source Network Address as<i> IP Masquerading</i> but you will also see the term <i>Source Network
Translation </i>(SNAT) used. Shorewall follows the convention used with Address Translation </i>(SNAT) used. Shorewall follows the convention used
Netfilter:</p> with Netfilter:</p>
<ul> <ul>
<li> <li>
@ -468,8 +468,9 @@ to computer 1. </p>
</ul> </ul>
<p align="left">In Shorewall, both Masquerading and SNAT are configured with <p align="left">In Shorewall, both Masquerading and SNAT are configured with
entries in the /etc/shorewall/masq file. You will normally use Masquerading entries in the /etc/shorewall/masq file. You will normally use
if your external IP is dynamic and SNAT if the IP is static.</p> Masquerading if your external IP is dynamic and SNAT if the IP
is static.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
@ -505,12 +506,12 @@ change them appropriately:<br>
<p align="left">One of your goals may be to run one or more servers on your <p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses, local computers. Because these computers have RFC-1918 addresses,
it is not possible for clients on the internet to connect directly to it is not possible for clients on the internet to connect directly
them. It is rather necessary for those clients to address their connection to them. It is rather necessary for those clients to address their
requests to the firewall who rewrites the destination address to the connection requests to the firewall who rewrites the destination address
address of your server and forwards the packet to that server. When to the address of your server and forwards the packet to that server.
your server responds, the firewall automatically performs SNAT to rewrite When your server responds, the firewall automatically performs SNAT
the source address in the response.</p> to rewrite the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i> <p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure Destination Network Address Translation</i> (DNAT). You configure
@ -581,13 +582,13 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<ul> <ul>
<li>You must test the above rule from a client outside <li>You must test the above rule from a client outside
of your local network (i.e., don't test from a browser running on of your local network (i.e., don't test from a browser running
computers 1 or 2 or on the firewall). If you want to be able to on computers 1 or 2 or on the firewall). If you want to be able
access your web server using the IP address of your external interface, to access your web server using the IP address of your external interface,
see <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li> see <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port <li>Many ISPs block incoming connection requests to
80. If you have problems connecting to your web server, try the port 80. If you have problems connecting to your web server, try
following rule and try connecting to port 5000.</li> the following rule and try connecting to port 5000.</li>
</ul> </ul>
@ -619,29 +620,30 @@ following rule and try connecting to port 5000.</li>
</blockquote> </blockquote>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"> <p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, modify /etc/shorewall/rules to add any     At this point, modify /etc/shorewall/rules to add
DNAT rules that you require.</p> any DNAT rules that you require.</p>
<h2 align="left">Domain Name Server (DNS)</h2> <h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting <p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver an IP address your firewall's <i>Domain Name Service </i>(DNS)
will be automatically configured (e.g., the /etc/resolv.conf file resolver will be automatically configured (e.g., the /etc/resolv.conf
will be written). Alternatively, your ISP may have given you the IP file will be written). Alternatively, your ISP may have given you
address of a pair of DNS <i> name servers</i> for you to manually configure the IP address of a pair of DNS <i> name servers</i> for you to manually
as your primary and secondary name servers. Regardless of how DNS gets configure as your primary and secondary name servers. Regardless of
configured on your firewall, it is <u>your</u> responsibility to configure how DNS gets configured on your firewall, it is <u>your</u> responsibility
the resolver in your internal systems. You can take one of two approaches:</p> to configure the resolver in your internal systems. You can take one
of two approaches:</p>
<ul> <ul>
<li> <li>
<p align="left">You can configure your internal systems to use your ISP's <p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure or if those addresses are available on their web site, you can
your internal systems to use those addresses. If that information configure your internal systems to use those addresses. If that
isn't available, look in /etc/resolv.conf on your firewall system information isn't available, look in /etc/resolv.conf on your firewall
-- the name servers are given in "nameserver" records in that file. system -- the name servers are given in "nameserver" records in that
</p> file. </p>
</li> </li>
<li> <li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
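Review bot: the typo "If you ISP gave you the addresses of their servers" in the first list item of the DNS section survives the reflow on both sides of this hunk; since the line is already being rewritten, it should read "If your ISP gave you the addresses of their servers".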
@ -652,10 +654,10 @@ as your primary and secondary name servers. Regardless of how DNS gets
is dnscache.lrp. If you take this approach, you configure your internal is dnscache.lrp. If you take this approach, you configure your internal
systems to use the firewall itself as their primary (and only) name systems to use the firewall itself as their primary (and only) name
server. You use the internal IP address of the firewall (10.10.10.254 server. You use the internal IP address of the firewall (10.10.10.254
in the example above) for the name server address. To allow your in the example above) for the name server address. To allow your local
local systems to talk to your caching name server, you must open port systems to talk to your caching name server, you must open port 53
53 (both UDP and TCP) from the local network to the firewall; you (both UDP and TCP) from the local network to the firewall; you do
do that by adding the following rules in /etc/shorewall/rules. </p> that by adding the following rules in /etc/shorewall/rules. </p>
</li> </li>
</ul> </ul>
@ -744,8 +746,8 @@ do that by adding the following rules in /etc/shorewall/rules. </p>
<div align="left"> <div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be <p align="left">Those rules allow DNS access from your firewall and may be
removed if you uncommented the line in /etc/shorewall/policy allowing removed if you uncommented the line in /etc/shorewall/policy
all connections from the firewall to the internet.</p> allowing all connections from the firewall to the internet.</p>
</div> </div>
<div align="left"> <div align="left">
@ -821,8 +823,7 @@ do that by adding the following rules in /etc/shorewall/rules. </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example - You want to run a Web Server on your firewall <p align="left">Example - You want to run a Web Server on your firewall system:</p>
system:</p>
</div> </div>
<div align="left"> <div align="left">
@ -876,8 +877,8 @@ uses, look <a href="ports.htm">here</a>.</p>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you the internet because it uses clear text (even for login!). If
want shell access to your firewall from the internet, use SSH:</p> you want shell access to your firewall from the internet, use SSH:</p>
</div> </div>
<div align="left"> <div align="left">
@ -974,8 +975,8 @@ delete other connections as required.</p>
    The <a href="Install.htm">installation procedure </a>     The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot  but beginning configures your system to start Shorewall at system boot  but beginning
with Shorewall version 1.3.9 startup is disabled so that your system with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once you won't try to start Shorewall before configuration is complete. Once
have completed configuration of your firewall, you can enable Shorewall you have completed configuration of your firewall, you can enable Shorewall
startup by removing the file /etc/shorewall/startup_disabled.<br> startup by removing the file /etc/shorewall/startup_disabled.<br>
</p> </p>
@ -991,27 +992,27 @@ delete other connections as required.</p>
routing is enabled on those hosts that have an entry in <a routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" running firewall may be restarted using the "shorewall restart"
command. If you want to totally remove any trace of Shorewall from command. If you want to totally remove any trace of Shorewall
your Netfilter configuration, use "shorewall clear".</p> from your Netfilter configuration, use "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    The two-interface sample assumes that you want to enable     The two-interface sample assumes that you want to enable
routing to/from <b>eth1 </b>(the local network) when Shorewall is routing to/from <b>eth1 </b>(the local network) when Shorewall
stopped. If your local network isn't connected to <b>eth1</b> or if you is stopped. If your local network isn't connected to <b>eth1</b> or
wish to enable access to/from other hosts, change /etc/shorewall/routestopped if you wish to enable access to/from other hosts, change /etc/shorewall/routestopped
accordingly.</p> accordingly.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you the internet, do not issue a "shorewall stop" command unless
have added an entry for the IP address that you are connected from you have added an entry for the IP address that you are connected
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to
an <i><a href="configuration_file_basics.htm#Configs">alternate create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div> </div>
@ -1025,5 +1026,6 @@ configuration</a></i> and test it using the <a
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -39,11 +39,11 @@
<p align="left"><br> <p align="left"><br>
<small><i><u>Notes du traducteur</u> :<br> <small><i><u>Notes du traducteur</u> :<br>
Je ne pr&eacute;tends pas &ecirc;tre un vrai traducteur dans le sens ou mon Je ne pr&eacute;tends pas &ecirc;tre un vrai traducteur dans le sens ou
travail n&#8217;est pas des plus pr&eacute;cis (loin de l&agrave;...). Je ne me mon travail n&#8217;est pas des plus pr&eacute;cis (loin de l&agrave;...). Je ne
suis pas attach&eacute; &agrave; une traduction exacte du texte, mais plut&ocirc;t me suis pas attach&eacute; &agrave; une traduction exacte du texte, mais
&agrave; en faire une version fran&ccedil;aise intelligible par tous (et plut&ocirc;t &agrave; en faire une version fran&ccedil;aise intelligible
par moi). Les termes techniques sont la plupart du temps conserv&eacute;s par tous (et par moi). Les termes techniques sont la plupart du temps conserv&eacute;s
sous leur forme originale et mis entre parenth&egrave;ses car vous pouvez sous leur forme originale et mis entre parenth&egrave;ses car vous pouvez
les retrouver dans le reste des documentations ainsi que dans les fichiers les retrouver dans le reste des documentations ainsi que dans les fichiers
de configuration. N&#8217;h&eacute;sitez pas &agrave; me contacter afin d&#8217;am&eacute;liorer de configuration. N&#8217;h&eacute;sitez pas &agrave; me contacter afin d&#8217;am&eacute;liorer
@ -57,8 +57,8 @@ qu'&agrave; Tom EASTEP pour son formidable outil et sa disponibilit&eacute;)</i>
pour un petit r&eacute;seau est une chose assez simple, si vous comprenez pour un petit r&eacute;seau est une chose assez simple, si vous comprenez
les bases et suivez la documentation.</p> les bases et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il <p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il se
se focalise sur ce qui est n&eacute;cessaire pour configurer Shorewall, dans focalise sur ce qui est n&eacute;cessaire pour configurer Shorewall, dans
son utilisation la plus courante :</p> son utilisation la plus courante :</p>
<ul> <ul>
@ -91,8 +91,8 @@ guide.</b></p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'install&eacute;.<i> <p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'install&eacute;.<i>
</i>Vous pouvez voir si le paquet est install&eacute; en v&eacute;rifiant </i>Vous pouvez voir si le paquet est install&eacute; en v&eacute;rifiant
la pr&eacute;sence du programme ip sur votre syst&egrave;me de firewall. la pr&eacute;sence du programme ip sur votre syst&egrave;me de firewall. Sous
Sous root, utilisez la commande 'which' pour rechercher le programme :</p> root, utilisez la commande 'which' pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -107,8 +107,8 @@ par une <img src="images/BD21298_.gif" name="Image2" align="bottom"
<p><img src="images/j0213519.gif" name="Image3" align="bottom" <p><img src="images/j0213519.gif" name="Image3" align="bottom"
width="60" height="60" border="0"> width="60" height="60" border="0">
&nbsp;&nbsp;&nbsp; Si vous &eacute;ditez vos fichiers de configuration sur &nbsp;&nbsp;&nbsp; Si vous &eacute;ditez vos fichiers de configuration sur
un syst&egrave;me Windows, vous devez les sauver comme des fichiers Unix un syst&egrave;me Windows, vous devez les sauver comme des fichiers Unix si
si votre &eacute;diteur offre cette option sinon vous devez les faire passer votre &eacute;diteur offre cette option sinon vous devez les faire passer
par dos2unix avant d'essayer de les utiliser. De la m&ecirc;me mani&egrave;re, par dos2unix avant d'essayer de les utiliser. De la m&ecirc;me mani&egrave;re,
si vous copiez un fichier de configuration depuis votre disque dur Windows si vous copiez un fichier de configuration depuis votre disque dur Windows
vers une disquette, vous devez lancer dos2unix sur la copie avant de l'utiliser vers une disquette, vous devez lancer dos2unix sur la copie avant de l'utiliser
@ -134,12 +134,11 @@ of dos2unix</a> </p>
&nbsp;&nbsp;&nbsp; Les fichiers de configuration pour Shorewall sont dans &nbsp;&nbsp;&nbsp; Les fichiers de configuration pour Shorewall sont dans
le r&eacute;pertoire /etc/shorewall -- pour de simples configurations, vous le r&eacute;pertoire /etc/shorewall -- pour de simples configurations, vous
n'aurez seulement &agrave; faire qu'avec quelques fichiers comme d&eacute;crit n'aurez seulement &agrave; faire qu'avec quelques fichiers comme d&eacute;crit
dans ce guide. Apr&egrave;s avoir <a href="Install.htm">install&eacute; Shorewall</a>, dans ce guide. Apr&egrave;s avoir <a href="Install.htm">install&eacute;
t&eacute;l&eacute; chargez<b> le <a Shorewall</a>, t&eacute;l&eacute; chargez<b> le <a
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
sample</a>, un-tarez le (tar -zxvf two-interfaces.tgz) et copiez les fichiers un-tarez le (tar -zxvf two-interfaces.tgz) et copiez les fichiers vers /etc/shorewall
vers /etc/shorewall (ces fichiers remplaceront les fichiers de m&ecirc;me (ces fichiers remplaceront les fichiers de m&ecirc;me nom).</b></p>
nom).</b></p>
<p>Parall&egrave;lement &agrave; la pr&eacute;sentation de chacun des fichiers, <p>Parall&egrave;lement &agrave; la pr&eacute;sentation de chacun des fichiers,
je vous sugg&egrave;re de regarder le fichier qui se trouve r&eacute;ellement je vous sugg&egrave;re de regarder le fichier qui se trouve r&eacute;ellement
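Review bot: the replacement link http://www1.shorewall.net/pub/shorewall/Samples/ points at a directory rather than at the tarball, but the sentence that follows still tells the reader to run "tar -zxvf two-interfaces.tgz"; either link the tarball itself or say which file in that directory to download. While this line is being touched, "t&eacute;l&eacute; chargez" also carries a stray space on both sides of the hunk and should be "t&eacute;l&eacute;chargez".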
@ -205,11 +204,11 @@ d&eacute;faut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/r
<p>Pour chaque connexion demandant &agrave; entrer dans le firewall, la requ&ecirc;te <p>Pour chaque connexion demandant &agrave; entrer dans le firewall, la requ&ecirc;te
est en premier lieu compar&eacute;e par rapport au fichier /etc/shorewall/rules. est en premier lieu compar&eacute;e par rapport au fichier /etc/shorewall/rules.
Si aucune r&egrave;gle dans ce fichier ne correspond &agrave; la demande Si aucune r&egrave;gle dans ce fichier ne correspond &agrave; la demande de
de connexion alors la premi&egrave;re politique dans le fichier /etc/shorewall/policy connexion alors la premi&egrave;re politique dans le fichier /etc/shorewall/policy
qui y correspond sera appliqu&eacute;e. Si cette politique est REJECT ou qui y correspond sera appliqu&eacute;e. Si cette politique est REJECT ou DROP&nbsp;
DROP&nbsp; la requ&ecirc;te est dans un premier temps compar&eacute;e par la requ&ecirc;te est dans un premier temps compar&eacute;e par rapport aux
rapport aux r&egrave;gles contenues dans /etc/shorewall/common.</p> r&egrave;gles contenues dans /etc/shorewall/common.</p>
<p>Le fichier /etc/shorewall/policy inclue dans l'archive d'exemple (two-interface) <p>Le fichier /etc/shorewall/policy inclue dans l'archive d'exemple (two-interface)
a les politiques suivantes:</p> a les politiques suivantes:</p>
@ -292,9 +291,9 @@ a les politiques suivantes:</p>
</dd> </dd>
</dl> </dl>
<blockquote>Dans le fichier d'exemple (two-interface), la ligne suivante <blockquote>Dans le fichier d'exemple (two-interface), la ligne suivante est
est inclue mais elle est comment&eacute;e. Si vous voulez que votre firewall inclue mais elle est comment&eacute;e. Si vous voulez que votre firewall puisse
puisse avoir un acc&egrave;s complet aux serveurs sur Internet, d&eacute;commentez avoir un acc&egrave;s complet aux serveurs sur Internet, d&eacute;commentez
la ligne.</blockquote> la ligne.</blockquote>
<a name="AutoNumber31"></a> <a name="AutoNumber31"></a>
<dl> <dl>
@ -409,8 +408,8 @@ pas que ce soit shorewall qui ne marche pas.</p>
suppose que votre interface externe est <b>eth0</b>et que l'interne est <b>eth1</b>. suppose que votre interface externe est <b>eth0</b>et que l'interne est <b>eth1</b>.
Si votre configuration est diff&eacute;rente, vous devrez modifier le fichier Si votre configuration est diff&eacute;rente, vous devrez modifier le fichier
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> en cons&eacute;quence. <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> en cons&eacute;quence.
Tant que vous y &ecirc;tes, vous pourriez parcourir la liste des options Tant que vous y &ecirc;tes, vous pourriez parcourir la liste des options qui
qui sont sp&eacute;cifi&eacute;es pour les interfaces. Quelques trucs:</p> sont sp&eacute;cifi&eacute;es pour les interfaces. Quelques trucs:</p>
<ul> <ul>
<li> <li>
@ -432,17 +431,17 @@ ou <b>ippp0</b> ou si vous avez une adresse IP statique, vous pouvez enlever
sujet de Internet Protocol (IP) <i>addresses</i>. Normalement, votre fournisseur sujet de Internet Protocol (IP) <i>addresses</i>. Normalement, votre fournisseur
Internet (ISP) vous assignera une seule adresse IP (single <i>Public</i>IP Internet (ISP) vous assignera une seule adresse IP (single <i>Public</i>IP
address). Cette adresse peut &ecirc;tre assign&eacute;e par le Dynamic<i> address). Cette adresse peut &ecirc;tre assign&eacute;e par le Dynamic<i>
Host Configuration Protocol</i>(DHCP) ou lors de l'&eacute;tablissement de Host Configuration Protocol</i>(DHCP) ou lors de l'&eacute;tablissement
votre connexion lorsque vous vous connectez (modem standard) ou &eacute;tablissez de votre connexion lorsque vous vous connectez (modem standard) ou &eacute;tablissez
votre connexion PPP. Dans de rares cas , votre provider peut vous assigner votre connexion PPP. Dans de rares cas , votre provider peut vous assigner
une adresse statique<i> (static</i>IP address); cela signifie que vous devez une adresse statique<i> (static</i>IP address); cela signifie que vous devez
configurer l'interface externe de votre firewall afin d'utiliser cette adresse configurer l'interface externe de votre firewall afin d'utiliser cette adresse
de mani&egrave;re permanente. Votre adresse externe assign&eacute;e, elle de mani&egrave;re permanente. Votre adresse externe assign&eacute;e, elle
va &ecirc;tre partag&eacute;e par tous vos syst&egrave;mes lors de l'acc&egrave;s va &ecirc;tre partag&eacute;e par tous vos syst&egrave;mes lors de l'acc&egrave;s
&agrave; Internet. Vous devrez assigner vos propres adresses dans votre r&eacute;seau &agrave; Internet. Vous devrez assigner vos propres adresses dans votre
local (votre interface interne sur le firewall &nbsp;ainsi que les autres r&eacute;seau local (votre interface interne sur le firewall &nbsp;ainsi
ordinateurs). La RFC 1918 r&eacute;serve plusieurs plages d'IP (<i>Private</i>IP que les autres ordinateurs). La RFC 1918 r&eacute;serve plusieurs plages
address ranges) &agrave; cette fin :</p> d'IP (<i>Private</i>IP address ranges) &agrave; cette fin :</p>
<pre style="text-align: left;"> 10.0.0.0 - 10.255.255.255an<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre style="text-align: left;"> 10.0.0.0 - 10.255.255.255an<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
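Review bot: the &lt;pre&gt; block listing the RFC 1918 ranges reads "10.0.0.0 - 10.255.255.255an" on both sides of this hunk; the trailing "an" is debris that makes the first private range look wrong in a passage whose whole point is to teach the reader these ranges. It should read "10.0.0.0 - 10.255.255.255", matching the two lines below it.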
@ -456,11 +455,11 @@ externe dans le fichier /etc/shorewall/interfaces.</p>
<p align="left">Vous devrez assigner vos adresses depuis le m&ecirc;me sous-r&eacute;seau <p align="left">Vous devrez assigner vos adresses depuis le m&ecirc;me sous-r&eacute;seau
(<i>sub-network/subnet)</i>. Pour ce faire, nous pouvons consid&eacute;rer (<i>sub-network/subnet)</i>. Pour ce faire, nous pouvons consid&eacute;rer
un sous-r&eacute;seau dans une plage d'adresses x.y.z.0 - x.y.z.255. Chaque un sous-r&eacute;seau dans une plage d'adresses x.y.z.0 - x.y.z.255. Chaque
sous-r&eacute;seau aura un masque (<i>Subnet Mask) </i>de 255.255.255.0. sous-r&eacute;seau aura un masque (<i>Subnet Mask) </i>de 255.255.255.0. L'adresse
L'adresse x.y.z.0 est r&eacute;serv&eacute;e comme l'adresse de sous-r&eacute;seau x.y.z.0 est r&eacute;serv&eacute;e comme l'adresse de sous-r&eacute;seau (<i>Subnet
(<i>Subnet Address) </i>et x.y.z.255 est r&eacute;serv&eacute;e en tant qu'adresse Address) </i>et x.y.z.255 est r&eacute;serv&eacute;e en tant qu'adresse de
de broadcast (<i>Subnet Broadcast</i> <i>Address)</i>. Dans Shorewall, un broadcast (<i>Subnet Broadcast</i> <i>Address)</i>. Dans Shorewall, un sous-r&eacute;seau
sous-r&eacute;seau est d&eacute;crit en utilisant <a est d&eacute;crit en utilisant <a
href="shorewall_setup_guide.htm#Subnets"><i>la notation Classless InterDomain href="shorewall_setup_guide.htm#Subnets"><i>la notation Classless InterDomain
Routing </i>(CIDR)</a> qui consiste en l'adresse du sous-r&eacute;seau suivie Routing </i>(CIDR)</a> qui consiste en l'adresse du sous-r&eacute;seau suivie
par "/24". Le "24" se r&eacute;f&egrave;re au nombre cons&eacute;cutif de par "/24". Le "24" se r&eacute;f&egrave;re au nombre cons&eacute;cutif de
@ -523,16 +522,16 @@ des paquets &agrave; travers le gateway (routeur).</p>
<p align="left"><img src="images/BD21298_1.gif" name="Image11" <p align="left"><img src="images/BD21298_1.gif" name="Image11"
align="bottom" width="13" height="13" border="0"> align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Vos ordinateurs en local (ordinateur 1 et ordinateur 2 &nbsp;&nbsp;&nbsp; Vos ordinateurs en local (ordinateur 1 et ordinateur
dans le diagramme) devraient &ecirc;tre configur&eacute;s avec leur passerelle 2 dans le diagramme) devraient &ecirc;tre configur&eacute;s avec leur passerelle
par d&eacute;faut<i> (default gateway</i>) pointant sur l'adresse IP de l'interface par d&eacute;faut<i> (default gateway</i>) pointant sur l'adresse IP de
interne du firewall.</p> l'interface interne du firewall.</p>
<p align="left">The foregoing short discussion barely scratches the surface <p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning more regarding subnetting and routing. If you are interested in learning more about
about IP addressing and routing, I highly recommend <i>"IP Fundamentals: IP addressing and routing, I highly recommend <i>"IP Fundamentals: What Everyone
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas A. Needs to Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p> 1999, ISBN 0-13-975483-0.</p>
<p align="left">Le reste de ce guide assumera que vous avez configur&eacute; <p align="left">Le reste de ce guide assumera que vous avez configur&eacute;
votre r&eacute;seau comme montr&eacute; ci-dessous :</p> votre r&eacute;seau comme montr&eacute; ci-dessous :</p>
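Review bot: the paragraph beginning "The foregoing short discussion barely scratches the surface" is reflowed but left in English in the middle of the French guide, right between two French paragraphs; it should be translated (or explicitly marked as an untranslated passage) rather than reflowed as-is.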
@ -548,8 +547,8 @@ votre r&eacute;seau comme montr&eacute; ci-dessous :</p>
<p align="left">Les adresses r&eacute;serv&eacute;es par la RFC 1918 sont <p align="left">Les adresses r&eacute;serv&eacute;es par la RFC 1918 sont
parfois d&eacute;sign&eacute;es comme <i>non-routables</i> car les routeurs parfois d&eacute;sign&eacute;es comme <i>non-routables</i> car les routeurs
Internet (backbone) ne font pas circuler les paquets qui ont une adresse Internet (backbone) ne font pas circuler les paquets qui ont une adresse de
de destination appartenant &agrave; la RFC-1918. Lorsqu'un de vos syst&egrave;mes destination appartenant &agrave; la RFC-1918. Lorsqu'un de vos syst&egrave;mes
en local (supposons l'ordinateur1) demande une connexion &agrave; un serveur en local (supposons l'ordinateur1) demande une connexion &agrave; un serveur
par Internet, le firewall doit appliquer un NAT<i> (Network Address Translation)</i>. par Internet, le firewall doit appliquer un NAT<i> (Network Address Translation)</i>.
Le firewall r&eacute; &eacute;crit l'adresse source dans le paquet, et l'a Le firewall r&eacute; &eacute;crit l'adresse source dans le paquet, et l'a
@ -558,22 +557,22 @@ le firewall fait croire que c'est lui m&ecirc;me qui initie la connexion.
Ceci est n&eacute;cessaire afin que l'h&ocirc;te de destination soit capable Ceci est n&eacute;cessaire afin que l'h&ocirc;te de destination soit capable
de renvoyer les paquets au firewall (souvenez vous que les paquets qui ont de renvoyer les paquets au firewall (souvenez vous que les paquets qui ont
pour adresse de destination, une adresse r&eacute;serv&eacute;e par la RFC pour adresse de destination, une adresse r&eacute;serv&eacute;e par la RFC
1918 ne pourront pas &ecirc;tre rout&eacute;s &agrave; travers Internet, 1918 ne pourront pas &ecirc;tre rout&eacute;s &agrave; travers Internet, donc
donc l'h&ocirc;te Internet ne pourra adresser sa r&eacute;ponse &agrave; l'h&ocirc;te Internet ne pourra adresser sa r&eacute;ponse &agrave; l'ordinateur
l'ordinateur 1). Lorsque le firewall re&ccedil;oit le paquet de r&eacute;ponse, 1). Lorsque le firewall re&ccedil;oit le paquet de r&eacute;ponse, il remet
il remet l'adresse de destination &agrave; 10.10.10.1 et fait passer le paquet l'adresse de destination &agrave; 10.10.10.1 et fait passer le paquet vers
vers l'ordinateur 1. </p> l'ordinateur 1. </p>
<p align="left">Sur les syst&egrave;mes Linux, ce proc&eacute;d&eacute; est <p align="left">Sur les syst&egrave;mes Linux, ce proc&eacute;d&eacute; est
souvent appel&eacute; de l'<i>IP Masquerading</i> mais vous verrez aussi souvent appel&eacute; de l'<i>IP Masquerading</i> mais vous verrez aussi le
le terme de <i>Source Network Address Translation </i>(SNAT) utilis&eacute;. terme de <i>Source Network Address Translation </i>(SNAT) utilis&eacute;.
Shorewall suit la convention utilis&eacute;e avec Netfilter:</p> Shorewall suit la convention utilis&eacute;e avec Netfilter:</p>
<ul> <ul>
<li> <li>
<p align="left"><i>Masquerade</i> d&eacute;signe le cas ou vous laissez <p align="left"><i>Masquerade</i> d&eacute;signe le cas ou vous laissez
votre firewall d&eacute;tecter automatiquement l'adresse de l'interface votre firewall d&eacute;tecter automatiquement l'adresse de l'interface externe.
externe. </p> </p>
</li> </li>
<li> <li>
<p align="left"><i>SNAT</i> d&eacute;signe le cas o&ugrave; vous sp&eacute;cifiez <p align="left"><i>SNAT</i> d&eacute;signe le cas o&ugrave; vous sp&eacute;cifiez
@ -593,22 +592,22 @@ SNAT si elle est statique.</p>
&nbsp;&nbsp;&nbsp; Si votre interface externe du firewall est <b>eth0</b>, &nbsp;&nbsp;&nbsp; Si votre interface externe du firewall est <b>eth0</b>,
vous n'avez pas besoin de modifier le fichier fourni avec l'exemple. Dans vous n'avez pas besoin de modifier le fichier fourni avec l'exemple. Dans
le cas contraire, &eacute;ditez /etc/shorewall/masq et changez la premi&egrave;re le cas contraire, &eacute;ditez /etc/shorewall/masq et changez la premi&egrave;re
colonne par le nom de votre interface externe, et la seconde colonne par colonne par le nom de votre interface externe, et la seconde colonne par le
le nom de votre interface interne.</p> nom de votre interface interne.</p>
<p align="left"><img src="images/BD21298_.gif" name="Image14" <p align="left"><img src="images/BD21298_.gif" name="Image14"
align="bottom" width="13" height="13" border="0"> align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Si votre IP externe est statique, vous pouvez la mettre &nbsp;&nbsp;&nbsp; Si votre IP externe est statique, vous pouvez la mettre
dans la troisi&egrave;me colonne dans /etc/shorewall/masq si vous le d&eacute;sirez, dans la troisi&egrave;me colonne dans /etc/shorewall/masq si vous le d&eacute;sirez,
de toutes fa&ccedil;ons votre firewall fonctionnera bien si vous laissez de toutes fa&ccedil;ons votre firewall fonctionnera bien si vous laissez cette
cette colonne vide. Le fait de mettre votre IP statique dans la troisi&egrave;me colonne vide. Le fait de mettre votre IP statique dans la troisi&egrave;me
colonne permet un traitement des paquets sortant un peu plus efficace.<br> colonne permet un traitement des paquets sortant un peu plus efficace.<br>
<br> <br>
<img src="images/BD21298_.gif" name="Image15" align="bottom" width="13" <img src="images/BD21298_.gif" name="Image15" align="bottom"
height="13" border="0"> width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Si vous utilisez les paquets Debian, v&eacute;rifiez que &nbsp;&nbsp;&nbsp; Si vous utilisez les paquets Debian, v&eacute;rifiez
votre fichier de configuration shorewall.conf contient bien les valeurs suivantes, que votre fichier de configuration shorewall.conf contient bien les valeurs
si elles n'y sont pas faite les changements n&eacute;cessaires:</p> suivantes, si elles n'y sont pas faite les changements n&eacute;cessaires:</p>
<ul> <ul>
<li> <li>
@ -633,8 +632,8 @@ applique automatiquement un SNAT pour r&eacute; &eacute;crire l'adresse source
dans la r&eacute;ponse.</p> dans la r&eacute;ponse.</p>
<p align="left">Ce proc&eacute;d&eacute; est appel&eacute;<i> Port Forwarding</i> <p align="left">Ce proc&eacute;d&eacute; est appel&eacute;<i> Port Forwarding</i>
ou <i>Destination Network Address Translation</i>(DNAT). Vous configurez ou <i>Destination Network Address Translation</i>(DNAT). Vous configurez le
le port forwarding en utilisant les r&egrave;gles DNAT dans le fichier /etc/shorewall/rules.</p> port forwarding en utilisant les r&egrave;gles DNAT dans le fichier /etc/shorewall/rules.</p>
<p>La forme g&eacute;n&eacute;rale d'une simple r&egrave;gle de port forwarding <p>La forme g&eacute;n&eacute;rale d'une simple r&egrave;gle de port forwarding
dans /etc/shorewall/rules est:</p> dans /etc/shorewall/rules est:</p>
@ -761,8 +760,8 @@ voulez faire passer les requ&ecirc;tes TCP sur le port 80 &agrave; ce syst&egrav
<li> <li>
<p style="margin-bottom: 0cm;">Vous devez tester la r&egrave;gle pr&eacute;c&eacute;dente <p style="margin-bottom: 0cm;">Vous devez tester la r&egrave;gle pr&eacute;c&eacute;dente
depuis un client &agrave; l'ext&eacute;rieur de votre r&eacute;seau local depuis un client &agrave; l'ext&eacute;rieur de votre r&eacute;seau local
(c.a.d., ne pas tester depuis un navigateur tournant sur l'ordinateur 1 (c.a.d., ne pas tester depuis un navigateur tournant sur l'ordinateur 1 ou
ou 2 ou sur le firewall). Si vous voulez avoir la possibilit&eacute; d'acc&eacute;der 2 ou sur le firewall). Si vous voulez avoir la possibilit&eacute; d'acc&eacute;der
&agrave; votre serveur web en utilisant l'adresse IP externe de votre firewall, &agrave; votre serveur web en utilisant l'adresse IP externe de votre firewall,
regardez <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>. </p> regardez <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>. </p>
</li> </li>
@ -850,9 +849,9 @@ proc&eacute;der d'une de ses deux fa&ccedil;ons :</p>
<ul> <ul>
<li> <li>
<p align="left">Vous pouvez configurer votre syst&egrave;me interne <p align="left">Vous pouvez configurer votre syst&egrave;me interne pour
pour utiliser les noms de serveurs de votre provider. Si votre fournisseur utiliser les noms de serveurs de votre provider. Si votre fournisseur vous
vous donne les adresses de leurs serveurs ou si ces adresses sont disponibles donne les adresses de leurs serveurs ou si ces adresses sont disponibles
sur leur site web, vous pouvez configurer votre syst&egrave;me interne afin sur leur site web, vous pouvez configurer votre syst&egrave;me interne afin
de les utiliser. Si cette information n' est pas disponible, regardez dans de les utiliser. Si cette information n' est pas disponible, regardez dans
/etc/resolv.conf sur votre firewall -- les noms des serveurs sont donn&eacute;s /etc/resolv.conf sur votre firewall -- les noms des serveurs sont donn&eacute;s
@ -1039,10 +1038,10 @@ contiennent les r&egrave;gles suivantes :</p>
</dd> </dd>
</dl> </dl>
<p align="left">Ces r&egrave;gles autorisent l'acc&egrave;s DNS &agrave; <p align="left">Ces r&egrave;gles autorisent l'acc&egrave;s DNS &agrave; partir
partir de votre firewall et peuvent &ecirc;tre enlev&eacute;es si vous avez de votre firewall et peuvent &ecirc;tre enlev&eacute;es si vous avez d&eacute;
d&eacute; comment&eacute; la ligne dans /etc/shorewall/policy autorisant comment&eacute; la ligne dans /etc/shorewall/policy autorisant toutes les
toutes les connexions depuis le firewall vers Internet.</p> connexions depuis le firewall vers Internet.</p>
<p align="left">Les exemples contiennent aussi :</p> <p align="left">Les exemples contiennent aussi :</p>
<a name="AutoNumber45"></a> <a name="AutoNumber45"></a>
@ -1103,12 +1102,11 @@ toutes les connexions depuis le firewall vers Internet.</p>
</dl> </dl>
<p align="left">Cette r&egrave;gle vous autorise &agrave; faire tourner un <p align="left">Cette r&egrave;gle vous autorise &agrave; faire tourner un
serveur SSH sur votre firewall et &agrave; vous y connecter depuis votre serveur SSH sur votre firewall et &agrave; vous y connecter depuis votre r&eacute;seau
r&eacute;seau local.</p> local.</p>
<p align="left">Si vous voulez permettre d'autres connexions entre votre <p align="left">Si vous voulez permettre d'autres connexions entre votre firewall
firewall et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale est et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale est :</p>
:</p>
<a name="AutoNumber46"></a> <a name="AutoNumber46"></a>
<dl> <dl>
<dd> <dd>
@ -1249,15 +1247,15 @@ firewall :</p>
</dd> </dd>
</dl> </dl>
<p align="left">Ces deux r&egrave;gles bien s&ucirc;r viennent s'ajouter <p align="left">Ces deux r&egrave;gles bien s&ucirc;r viennent s'ajouter aux
aux r&egrave;gles d&eacute;crites pr&eacute;c&eacute;demment dans "Vous pouvez r&egrave;gles d&eacute;crites pr&eacute;c&eacute;demment dans "Vous pouvez
configurer un cache dns<i> (Caching Name Server) </i>sur votre firewall"</p> configurer un cache dns<i> (Caching Name Server) </i>sur votre firewall"</p>
<p align="left">Si vous ne savez pas quel port et quel protocole une application <p align="left">Si vous ne savez pas quel port et quel protocole une application
particuli&egrave;re utilise, regardez <a href="ports.htm">ici</a>.</p> particuli&egrave;re utilise, regardez <a href="ports.htm">ici</a>.</p>
<p align="left"><b>Important: </b>Je ne vous recommande pas de permettre <p align="left"><b>Important: </b>Je ne vous recommande pas de permettre le
le telnet depuis ou vers Internet car il utilise du texte en clair (m&ecirc;me telnet depuis ou vers Internet car il utilise du texte en clair (m&ecirc;me
pour le login et le mot de passe!). Si vous voulez un acc&egrave;s au shell pour le login et le mot de passe!). Si vous voulez un acc&egrave;s au shell
sur votre firewall depuis Internet, utilisez SSH :</p> sur votre firewall depuis Internet, utilisez SSH :</p>
<a name="AutoNumber48"></a> <a name="AutoNumber48"></a>
@ -1333,8 +1331,8 @@ est d&eacute;sactiv&eacute; tant que la configuration n' est pas finie. Une
fois la configuration de votre firewall achev&eacute;e, vous pouvez permettre fois la configuration de votre firewall achev&eacute;e, vous pouvez permettre
le lancement de Shorewall en enlevant le fichier /etc/shorewall/startup_disabled.</p> le lancement de Shorewall en enlevant le fichier /etc/shorewall/startup_disabled.</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs des
des paquets .deb doivent &eacute;diter /etc/default/shorewall et mettre 'startup=1'.</font></p> paquets .deb doivent &eacute;diter /etc/default/shorewall et mettre 'startup=1'.</font></p>
<p align="left">Le firewall est lanc&eacute; en utilisant la commande "shorewall <p align="left">Le firewall est lanc&eacute; en utilisant la commande "shorewall
start" et stopp&eacute; avec "shorewall stop". Lorsque le firewall est stopp&eacute;, start" et stopp&eacute; avec "shorewall stop". Lorsque le firewall est stopp&eacute;,
@ -1347,11 +1345,10 @@ dans votre configuration de Netfilter, utilisez "shorewall clear".</p>
<p align="left"><img src="images/BD21298_.gif" name="Image20" <p align="left"><img src="images/BD21298_.gif" name="Image20"
align="bottom" width="13" height="13" border="0"> align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Les exemples (two-interface) supposent que vous voulez &nbsp;&nbsp;&nbsp; Les exemples (two-interface) supposent que vous voulez
permettre le routage depuis ou vers <b>eth1 </b>(le r&eacute;seau local) permettre le routage depuis ou vers <b>eth1 </b>(le r&eacute;seau local) lorsque
lorsque Shorewall est stopp&eacute;. Si votre r&eacute;seau local n' est Shorewall est stopp&eacute;. Si votre r&eacute;seau local n' est pas connect&eacute;
pas connect&eacute; &agrave; <b>eth1</b> ou si vous voulez permettre l'acc&egrave;s &agrave; <b>eth1</b> ou si vous voulez permettre l'acc&egrave;s depuis ou
depuis ou vers d'autres h&ocirc;tes, changez /etc/shorewall/routestopped vers d'autres h&ocirc;tes, changez /etc/shorewall/routestopped en cons&eacute;quence.</p>
en cons&eacute;quence.</p>
<p align="left"><b>ATTENTION: </b>Si vous &ecirc;tes connect&eacute; &agrave; <p align="left"><b>ATTENTION: </b>Si vous &ecirc;tes connect&eacute; &agrave;
votre firewall depuis Internet, n'essayez pas la commande "shorewall stop" votre firewall depuis Internet, n'essayez pas la commande "shorewall stop"
@ -1376,5 +1373,6 @@ M. Eastep</font></a></p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -35,16 +35,21 @@
version number mentioned in the section title is later than what you are version number mentioned in the section title is later than what you are
currently running.<br> currently running.<br>
</p> </p>
<p> In the descriptions that follows, the term <b><i>group </i></b>refers <p> In the descriptions that follows, the term <b><i>group </i></b>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
be a host address) accessed through a particular interface.<br> a host address) accessed through a particular interface.<br>
</p> </p>
<p>Examples:<br> <p>Examples:<br>
    <br>     <br>
    eth0:0.0.0.0/0<br>     eth0:0.0.0.0/0<br>
    eth2:192.168.1.0/24<br>     eth2:192.168.1.0/24<br>
    eth3:192.0.2.123<br>     eth3:192.0.2.123<br>
</p> </p>
<p> You can use the "shorewall check" command to see the groups associated
with each of your zones.<br>
</p>
<h3> </h3> <h3> </h3>
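Review bot: the sentence added at the end of this hunk ("You can use the "shorewall check" command to see the groups associated with each of your zones") was moved up from under the 'Version >= 1.4.1' heading, where its placement implied a version qualifier; now that it sits above all of the version sections, state whether the groups display in 'shorewall check' exists in every version this page covers, or keep it under the version where it applies. Two small points in the adjacent context: "In the descriptions that follows" should read "In the descriptions that follow", and the empty "<h3> </h3>" left after the examples renders as a blank heading and can be dropped.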
@ -52,36 +57,36 @@ be a host address) accessed through a particular interface.<br>
There are some cases where you may want to handle traffic from a particular There are some cases where you may want to handle traffic from a particular
group to itself. While I personally think that such a setups are ridiculous, group to itself. While I personally think that such a setups are ridiculous,
there are two cases covered in this documentation where it can occur:<br> there are two cases covered in this documentation where it can occur:<br>
<ol> <ol>
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li> <li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a transparent <li><a href="Shorewall_Squid_Usage.html">When running Squid as a transparent
proxy in your local zone.</a></li> proxy in your local zone.</a></li>
</ol> </ol>
If you have either of these cases, you will want to review the current documentation If you have either of these cases, you will want to review the current documentation
and change your configuration accordingly.<br> and change your configuration accordingly.<br>
<h3>Version &gt;= 1.4.1</h3> <h3>Version &gt;= 1.4.1</h3>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
<br>
<ul> <ul>
<li>Beginning with Version 1.4.1, traffic between groups in the same <li>Beginning with Version 1.4.1, traffic between groups in the same
zone is accepted by default. Previously, traffic from a zone to itself zone is accepted by default. Previously, traffic from a zone to itself was
was treated just like any other traffic; any matching rules were applied treated just like any other traffic; any matching rules were applied followed
followed by enforcement of the appropriate policy. With 1.4.1 and later by enforcement of the appropriate policy. With 1.4.1 and later versions,
versions, unless you have explicit rules for traffic from Z to Z or you unless you have explicit rules for traffic from Z to Z or you have an explicit
have an explicit Z to Z policy (where "Z" is some zone) then traffic between Z to Z policy (where "Z" is some zone) then traffic between the groups
the groups in zone Z will be accepted. If you do have one or more explicit in zone Z will be accepted. If you do have one or more explicit rules for
rules for Z to Z or if you have an explicit Z to Z policy then the behavior Z to Z or if you have an explicit Z to Z policy then the behavior is as it
is as it was in prior versions.</li> was in prior versions.</li>
</ul> </ul>
<blockquote> <blockquote>
<ol> <ol>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic between <li>If you have a Z Z ACCEPT policy for a zone to allow traffic
two interfaces to the same zone, that policy can be removed and traffic between two interfaces to the same zone, that policy can be removed and
between the interfaces will traverse fewer rules than previously.</li> traffic between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z <li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
rules then your configuration should not require any change.</li> rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one that has <li>If you are currently relying on a implicit policy (one that has
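Review bot: removing the 'shorewall check' sentence here is consistent with re-adding it above the version sections in the earlier hunk, but the rewrapped bullet deserves a wording pass while it is being touched: "such a setups are ridiculous" should be "such setups are ridiculous", "a implicit policy" should be "an implicit policy", and the policy notation alternates between "Z Z ACCEPT" and "Z->Z" within one list; pick one form. Because this bullet documents a default that became more permissive (traffic between groups of the same zone is now accepted unless an explicit Z to Z rule or policy exists, where before it was subject to whatever policy applied), the list item that begins "If you are currently relying on a implicit policy" should say plainly that a zone whose groups were separated only by the default policy now passes traffic between them after the upgrade, so that readers auditing their rulesets notice the change.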
@ -94,45 +99,11 @@ between the interfaces will traverse fewer rules than previously.</li>
</blockquote> </blockquote>
<ul> <ul>
<li>Beginning with Version 1.4.1, Shorewall will never create rules <li> Sometimes, you want two separate zones on one interface but you
to deal with traffic from a given group back to itself. The <i>multi</i> don't want Shorewall to set up any infrastructure to handle traffic between
interface option is no longer available so if you want to route traffic between them. </li>
two subnetworks on the same interface then either:</li>
</ul> </ul>
<blockquote>Example:<br>
<blockquote>
<ol>
<li>The subnetworks must be in different zones; or</li>
<li>You must use the /etc/shorewall/hosts file to define the subnetworks
as two groups in a single zone.</li>
</ol>
</blockquote>
If you use the technique described in FAQ 2 to send local requests addressed
to your firewall's external address back to a local server then you need to
change your configuration to match <a href="FAQ.htm#faq2">the new version
of FAQ #2.<br>
</a><br>
Example 1 -- Two zones:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/policy<br><br>z1 z2 ACCEPT<br>z2 z1 ACCEPT<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.0/24<br>z2 eth1:192.168.2.0/24<br></pre>
</blockquote>
Example 2 -- One zone:
<blockquote>
<pre><br>/etc/shorewall/zones<br><br>z Zone The Zone<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z eth1:192.168.1.0/24<br>z eth1:192.168.2.0/24<br></pre>
</blockquote>
Note that in the second example, we don't need any policy since z-&gt;z
traffic is accepted by default. The second technique is preferable if you
want unlimited access between the two subnetworks.<br>
<br>
Sometimes, you want two separate zones on one interface but you don't
want Shorewall to set up any infrastructure to handle traffic between them.
<br>
<br>
Example:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre> <pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote> </blockquote>
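Review bot: the removed block took with it the only guidance for 1.4.1 users who want traffic routed between two subnetworks on one interface (put them in different zones, or define them as two groups of one zone in /etc/shorewall/hosts, illustrated by Example 1 and Example 2) and the reminder to re-read FAQ #2 for sending local requests addressed to the external address back to a local server; the replacement bullet covers only the opposite case (two zones on one interface with no inter-zone infrastructure). If the examples are intentionally superseded by the 'routeback' advice added later in this file, leave a one-line pointer here, otherwise keep them. Structurally, the new list item "Sometimes, you want two separate zones on one interface..." closes the <ul> and the "Example:" blockquote then follows outside the list, so the example is no longer attached to the bullet it illustrates; either move the example inside the <li> or turn the sentence into a paragraph. The example that remains still reads "The secont Zone" (should be "second").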
@ -140,13 +111,24 @@ want Shorewall to set up any infrastructure to handle traffic between them.
involved in any traffic between these two zones. Beginning with Shorewall involved in any traffic between these two zones. Beginning with Shorewall
1.4.1, you can prevent Shorewall from setting up any infrastructure to handle 1.4.1, you can prevent Shorewall from setting up any infrastructure to handle
traffic between z1 and z2 by using the new NONE policy:<br> traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre> <pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote> </blockquote>
Note that NONE policies are generally used in pairs unless there is asymetric Note that NONE policies are generally used in pairs unless there is asymetric
routing where only the traffic on one direction flows through the firewall routing where only the traffic on one direction flows through the firewall
and you are using a NONE polciy in the other direction.  and you are using a NONE polciy in the other direction. </blockquote>
<h3>Version 1.4.1<br>
</h3>
<ul>
<li>In Version 1.4.1, Shorewall will never create rules to deal
with traffic from a given group back to itself. The <i>multi</i> interface
option is no longer available so if you want to route traffic between two
subnetworks on the same interface then I recommend that you upgrade to Version
1.4.2 and use the 'routeback' interface or host option. </li>
</ul>
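Review bot: the new 'Version 1.4.1' section states that the 'multi' option is gone and that 1.4.1 never creates rules for traffic from a group back to itself, then only recommends upgrading to 1.4.2 and using the 'routeback' interface or host option; for readers who must stay on 1.4.1 it should either give the workaround that this commit removes from the section above (separate zones, or two groups of one zone via /etc/shorewall/hosts) or say explicitly that 1.4.1 has no supported way to route traffic back out the same interface. Also worth fixing in the surrounding lines: the NONE policy example nests a <pre> inside a <pre> ("<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE...</pre></pre>"), which is invalid HTML; "asymetric" should be "asymmetric" and "polciy" should be "policy"; and the sentence on using NONE in only one direction would be clearer with a short statement of what happens to a packet for a zone pair that has NONE in one direction and a normal policy in the other.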
<h3>Version &gt;= 1.4.0</h3> <h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute <b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute
package ('ip' utility).</b><br> package ('ip' utility).</b><br>
@ -179,10 +161,11 @@ are entries for the zone in both files.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
no longer accepted; you must convert to using the new syntax.</li> no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is <li value="6">The ALLOWRELATED variable in shorewall.conf is
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li> no longer supported. Shorewall 1.4 behavior is the same as 1.3 with
<li value="6">Late-arriving DNS replies are now dropped by default; ALLOWRELATED=Yes.</li>
there is no need for your own /etc/shorewall/common file simply to avoid <li value="6">Late-arriving DNS replies are now dropped by
logging these packets.</li> default; there is no need for your own /etc/shorewall/common file simply
to avoid logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file <li value="6">The 'firewall', 'functions' and 'version' file
have been moved to /usr/share/shorewall.</li> have been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include <li value="6">The icmp.def file has been removed. If you include
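Review bot: the three list items rewrapped here all carry '<li value="6">', so each renders as item 6 and the numbering restarts three times; put 'value' on the first item of the continued list only (or drop it) and let the browser number the rest. The context line "The 'firewall', 'functions' and 'version' file have been moved to /usr/share/shorewall" also needs either "files ... have" or "file ... has".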
@ -205,8 +188,8 @@ have been moved to /usr/share/shorewall.</li>
<ul> <ul>
<li value="8">The 'multi' interface option is no longer supported. <li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same  Shorewall will generate rules for sending packets back out the same interface
interface that they arrived on in two cases:</li> that they arrived on in two cases:</li>
</ul> </ul>
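Review bot: this 'Version >= 1.4.0' item says Shorewall generates rules for sending packets back out the interface they arrived on "in two cases", which overlaps with the new 'Version 1.4.1' section added above, where 1.4.1 is said to never create rules for traffic from a group back to itself and 1.4.2's 'routeback' option is recommended instead; since this page is read as cumulative upgrade notes, add a cross-reference here (for example "see Version 1.4.1 above for how this changed") so a reader upgrading straight from 1.3 to 1.4.2 does not take the 1.4.0 description as current behaviour.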
@ -219,11 +202,11 @@ not use the 'all' reserved word.</li>
</ul> </ul>
<ul> <ul>
<li>There are one or more rules for traffic for the source zone to <li>There are one or more rules for traffic for the source zone
or from the destination zone including rules that use the 'all' reserved to or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same word. Exception: if the source zone and destination zone are the same then
then the rule must be explicit - it must name the zone in both the SOURCE the rule must be explicit - it must name the zone in both the SOURCE and
and DESTINATION columns.</li> DESTINATION columns.</li>
</ul> </ul>
</blockquote> </blockquote>
@ -282,11 +265,11 @@ follows:<br>
    Version 1.3.14 also introduced simplified ICMP echo-request     Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf (ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be is used to specify that the old (pre-1.3.14) ping handling is to be
used (If the option is not set in your /etc/shorewall/shorewall.conf used (If the option is not set in your /etc/shorewall/shorewall.conf then
then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the old
old handling indefinitely so I urge current users to migrate to using handling indefinitely so I urge current users to migrate to using the
the new handling as soon as possible. See the <a href="ping.html">'Ping' new handling as soon as possible. See the <a href="ping.html">'Ping' handling
handling documentation</a> for details.<br> documentation</a> for details.<br>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
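Review bot: the rewrapped sentence documents that an unset OLD_PING_HANDLING is treated as OLD_PING_HANDLING=Yes, so the legacy ping handling the author says will not be supported indefinitely is what users get whenever the option is absent from shorewall.conf; since the paragraph urges migration, give the concrete step (set OLD_PING_HANDLING=No explicitly, then review ping handling per the linked 'Ping' page) instead of only urging readers to migrate. The parenthesis is also dropped into the middle of the sentence; closing it with a period before "I don't plan" reads better.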
@ -315,8 +298,8 @@ handling documentation</a> for details.<br>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf <p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following will need to include the following
rules in their /etc/shorewall/icmpdef file (creating this rules in their /etc/shorewall/icmpdef file (creating this file
file if necessary):</p> if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre> <pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
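Review bot: the context line above the rewrapped sentence refers to "/etc/shorewall.conf", while the rest of this page uses "/etc/shorewall/shorewall.conf" (for example in the OLD_PING_HANDLING paragraph); correct the path while this paragraph is being edited. Since the 'Version >= 1.4.0' section earlier on this page states that ALLOWRELATED is no longer supported and 1.4 behaves as ALLOWRELATED=Yes, it would also help to mark this ALLOWRELATED=No instruction and its run_iptables lines as applying to 1.3.x only, so 1.4 users do not add an icmpdef file they no longer need.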
@ -328,8 +311,8 @@ file if necessary):</p>
<p>To properly upgrade with Shorewall version 1.3.3 and later:</p> <p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
<ol> <ol>
<li>Be sure you have a <li>Be sure you have
backup -- you will need to transcribe a backup -- you will need to transcribe
any Shorewall configuration changes any Shorewall configuration changes
that you have made to the new configuration.</li> that you have made to the new configuration.</li>
<li>Replace the shorwall.lrp <li>Replace the shorwall.lrp
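Review bot: "shorwall.lrp" in the context line of this hunk should be "shorewall.lrp". The rewrapped step 1 tells the reader to keep a backup because they will need to "transcribe" their configuration changes into the new configuration; saying why (whether the replacement package overwrites the files under /etc/shorewall rather than merging them) would make the backup instruction harder to skip.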
@ -357,8 +340,8 @@ to add the following two Bering-specific rules to /etc/shorewall/rules:<
<p align="left">If you have a pair of firewall systems configured for <p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6 your firewall setup slightly under Shorewall versions
and 1.3.7</p> 1.3.6 and 1.3.7</p>
<ol> <ol>
<li> <li>
@ -426,12 +409,13 @@ symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications If you have applications that access these files, those applications
should be modified accordingly.</p> should be modified accordingly.</p>
<p><font size="2"> Last updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2"> Last updated 4/13/2003 - <a href="support.htm">Tom
</p> Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
<br>
</body> </body>
</html> </html>